FINANCIAL_COST: Creating negative feedback loops

Time after time, I see Business and IT Leadership struggle with changing organization behavior.

But they FAIL to use “cost recovery” to effect change.

When I had a severely understaffed InfoSec group and THREE people who did nothing but change passwords, I pitched an idea to my boss on how to eliminate stupidity, laziness, and make-work.

It was basically a two-pronged attack to reduce the approximately 9,000 password resets we were doing annually in a 5,000-person company. I swagged up a number for how much each one of those password resets cost him — $17 each in labor. We needed those folks to do other work, but password resets took time away from other, more important work. So IT charged back $20 to the individual’s cost center for each password reset AND an individual could not call in for a password reset; their Boss did. We’d then call back the individual and reset it. We went from 9,000 per year to about 30 per year.

(And, I was rewarded at bonus time for an excellent idea.)

From this, I formulated the idea of using “cost recovery” as part of a negative feedback loop.

I see meetings with color copies. I see runaway B&W printing from stupidity. And, I see personal printing galore at shared printers.

Seems like an area that’s ripe for cost recovery.

— 30 — 

SME_ITDR: The interesting part about ITDR is timing

Different types of measures can be included in a disaster recovery plan (DRP). Disaster recovery planning is a subset of a larger process known as business continuity planning and includes planning for resumption of applications, data, hardware, electronic communications (such as networking) and other IT infrastructure.
Disaster recovery – Wikipedia, the free encyclopedia

# – # – # – # – # 

The interesting part of splitting this into parts is there is no holistic view of a recovery.

The timing of a recovery is essential to success. It really doesn’t matter if one can “turn the lights on” (i.e., power up backup components and get the parts running). What matters is to resync the whole “mess”.

From my first assignment in ITDR to my latest, no one seems to understand that.

From the internal job schedulers, to the external third parties, and in all the intra-system interfaces — everything must be set to a common point in time.

And, the “real world” keeps on going without you. So that makes “catching up” even harder.

So, “recovery” must be automated. Push that “big red easy button”, with apologies to Staples, and the systems must “automagically” on command: instantiate the recovery environment, fall back to a known good restart point, replay all the transaction “book” between the recovery point and the disaster, and present systems for acceptance by Business Users.

That’s a tall order.
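What “fall back to a known good restart point and replay the book to a common point in time” looks like in code, as an added example that is not from the original post and not from any product mentioned here. It assumes each system keeps a checkpoint plus a journal of transactions numbered contiguously from 1 after that checkpoint, with timestamps in minutes of the processing week; the three systems, their journals and the disaster time are constructed sample data. The point it makes is the one the post makes: the common restart point is set by the least-covered journal, and every system has to be rolled to that one point, not to whatever each can reach on its own.

```python
from dataclasses import dataclass
from typing import Dict, List

@dataclass(frozen=True)
class Txn:
    seq: int    # position in the system's own journal, numbered from 1 after the checkpoint
    at: int     # minute of the processing week at which it was committed
    key: str    # account or counter it touched
    delta: int  # change it applied

@dataclass
class System:
    name: str
    checkpoint_at: int                # time of the known-good restart point
    checkpoint_state: Dict[str, int]  # state captured at that point
    journal: List[Txn]                # the transaction "book" kept since the checkpoint

def trusted_prefix(system: System) -> List[Txn]:
    """Journal entries up to the first missing sequence number; nothing after a gap is replayable."""
    prefix: List[Txn] = []
    for t in sorted(system.journal, key=lambda t: t.seq):
        if t.seq != len(prefix) + 1:
            break
        prefix.append(t)
    return prefix

def covered_until(system: System) -> int:
    """Latest time this system can be brought forward to from its own records.
    Conservative by design: a journal is trusted only as far as its last contiguous entry."""
    prefix = trusted_prefix(system)
    return prefix[-1].at if prefix else system.checkpoint_at

def replay(system: System, target: int) -> Dict[str, int]:
    """Fall back to the checkpoint, then re-apply the book up to and including `target`."""
    state = dict(system.checkpoint_state)
    for t in trusted_prefix(system):
        if t.at > target:
            break
        state[t.key] = state.get(t.key, 0) + t.delta
    return state

def common_point(systems: List[System], disaster_at: int) -> int:
    """The one point in time every system can reach: the least-covered journal sets it."""
    return min([disaster_at] + [covered_until(s) for s in systems])

def recover(systems: List[System], disaster_at: int) -> dict:
    """The 'big red button': one restart point for everyone, every system replayed to it."""
    target = common_point(systems, disaster_at)
    return {
        "restart_point": target,
        "catch_up_minutes": disaster_at - target,  # real-world work that must be re-keyed or re-received
        "states": {s.name: replay(s, target) for s in systems},
        "laggards": {s.name: covered_until(s) for s in systems if covered_until(s) < disaster_at},
    }

# Constructed sample: three systems, one of them with a hole in its journal (seq 3 never shipped).
SYSTEMS = [
    System("ledger", 0, {"cash": 100},
           [Txn(1, 10, "cash", 5), Txn(2, 20, "cash", -10), Txn(3, 30, "cash", 7), Txn(4, 40, "cash", 1)]),
    System("orders", 0, {"open": 3},
           [Txn(1, 15, "open", 1), Txn(2, 25, "open", 2), Txn(4, 45, "open", -1)]),
    System("partner_feed", 0, {"files": 0},
           [Txn(1, 12, "files", 1), Txn(2, 33, "files", 1), Txn(3, 50, "files", 1)]),
]
DISASTER_AT = 48

if __name__ == "__main__":
    result = recover(SYSTEMS, DISASTER_AT)
    print(f"common restart point: minute {result['restart_point']}, "
          f"{result['catch_up_minutes']} minutes of work to catch up")
    for name, state in result["states"].items():
        print(f"  {name}: {state}")
    print("journals that stop short of the disaster:", result["laggards"])
```

Run as a script it shows that the missing entry in the orders journal drags every system back to minute 25, even though the ledger could reach 40 and the partner feed could reach past the disaster; the 23 minutes of catch-up is the “real world keeps on going” cost the post describes, and it only becomes visible when recovery is computed across all systems at once.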

In my first assignment, the arithmetic worked out that regardless of when during the processing week a disaster occurred, the environment would always be ready on the following Monday. (Quite a novel discovery. And shook the Business and IT Leadership awake. “Hey we need a better BCP for Monday disaster!”.)

Unfortunately, without the holistic view, everyone sees “trees”, but not the “forest”.

It’s a good thing that disasters are relatively rare. Most corporations don’t survive them.

— 30 —

QUALITY: 2014 Return problems predicted 2015 TurboTax problems


*** begin quote ***

TurboTaxChristine , ManagerModerator 6 days ago
I can understand the thought of your account being compromised is deeply concerning. Safeguarding your information is very serious for TurboTax.

The tax preparation industry, including Intuit, is actively engaged with IRS to fight fraud. We are deeply concerned about any instance where identity thieves steal names and social security numbers outside of the tax filing process and then use tax software to file fraudulent tax returns.

We have a proactive fraud risk management process in place to prevent, detect and respond to suspicious and fraudulent activity. We apply rigorous practices to detect, investigate and respond to fraudulent activity, and collaborate with others in government and the financial services industries to continuously improve our fraud controls.

Unfortunately, identity thieves steal names and other personal information outside of TurboTax and share them in the black market of information. A common way thieves obtain personal information is through the use of Phishing Sites. When you suspect you are being phished:

1. Do not click on a link in a suspicious email, but rather go to the company site and view the information. Even if a suspicious email is not requesting personal information, it may contain viruses that can retrieve personal information off of a computer.

2. Report any suspicious emails to the institution they are claiming to be. If you have any suspicious TurboTax emails, you may send them to, and we can confirm for you.

3. Be wary of any email requesting personal information or offers that appear to be too good to be true, especially in social networking environments.

If you believe you or a family member is already a victim of identity theft, you will want to check out the resources we have pooled together for you at the below link. While they are more specifically designed around tax-related identity theft the core principles within are a good guideline for you to follow:

*** end quote ***

Interesting that the same problems recurred a year later.

This seems to indicate that their “Quality Improvement” program is lacking to say the least.

It’s interesting that, of the complaints posted, the fraudulent return points to an American Express Bank.

Guess they need some quality help too.
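The quoted advice (“do not click on a link in a suspicious email, but rather go to the company site”) can be turned into a check a mail gateway or help desk can run. The following is an added example, not code from the original post or from Intuit; the allow-list of legitimate domains, the sample email and the two-label “registrable domain” shortcut are all assumptions made for the example (a real deployment would use a public-suffix list). It flags anchors whose link host is outside the allow-list, whose scheme is not https, or whose visible text displays one host while the href goes to another.

```python
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Assumed allow-list of domains the institution actually links to (example values).
LEGIT_DOMAINS = {"intuit.com", "turbotax.com"}

def registrable(host: str) -> str:
    """Last two labels of a host name. A naive stand-in for a public-suffix lookup
    (wrong for co.uk-style suffixes), good enough for the constructed sample."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from anchor tags."""
    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            # collapse whitespace so "https://x.example\n" compares cleanly
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None

def shown_host(text: str) -> Optional[str]:
    """If the visible text looks like a URL or bare host name, return the host it displays."""
    if " " in text or "." not in text:
        return None
    return urlparse(text if "://" in text else "https://" + text).hostname

def suspicious_links(html: str, legit=LEGIT_DOMAINS) -> List[Tuple[str, List[str]]]:
    """Return (href, reasons) for every anchor that fails at least one check."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        url = urlparse(href)
        host = url.hostname or ""
        reasons = []
        if url.scheme != "https":
            reasons.append(f"scheme is {url.scheme or 'missing'}, not https")
        if registrable(host) not in legit:
            reasons.append(f"{host} is outside the allow-list")
        displayed = shown_host(text)
        if displayed and registrable(displayed) != registrable(host):
            reasons.append(f"text shows {displayed} but link goes to {host}")
        if reasons:
            findings.append((href, reasons))
    return findings

# Constructed sample message: one look-alike link whose visible text is a real-looking URL,
# and one genuine link to the allow-listed domain.
SAMPLE_EMAIL = """
<p>Your refund is waiting. Claim it here:
<a href="http://turbotax-refund-center.example/claim">https://turbotax.intuit.com/refund</a></p>
<p>Questions? Visit <a href="https://turbotax.intuit.com/">our help center</a>.</p>
"""

if __name__ == "__main__":
    for href, reasons in suspicious_links(SAMPLE_EMAIL):
        print(href)
        for r in reasons:
            print("   -", r)
```

The third check is the one that encodes the quoted advice: a link that *shows* the company’s address but *goes* somewhere else is exactly the case where typing the address into the browser instead of clicking protects the user.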


— 30 —

SMENET: How does the IT pro think about the next internet


Should we favor “net neutrality”? 

And the challenges of the next internet.

Richard Bennett, a visiting fellow of the American Enterprise Institute, is an expert on Internet technology and public policy. He co-invented Ethernet over Twisted Pair, the Wi-Fi MAC protocol, and miscellaneous network enhancements such as the MPDU Aggregation system for 802.11n, the Distributed Reservation Protocol for UWB, and various tweaks and hacks to the Internet and OSI protocols.

# – # – # – # – # 

The Governments of the world seek to throttle and control the internet for their own purposes.

In actuality, the consumer holds the levers of control. What they will pay for and what they will not pay for are the puppet’s strings.

He reinforces that change is unavoidable. Better to plan for it and “surf the wave” rather than be sunk by it.

Email really needs encryption. 

# – # – # – # – # 



Health Insurer Anthem Is Hacked, Exposing Millions of Patients’ Data
BY KIM ZETTER   02.05.15  |   8:28 AM  

*** begin quote ***

“Safeguarding your personal, financial and medical information is one of our top priorities,” the company said in a statement posted online, “and because of that, we have state-of-the-art information security systems to protect your data.”

It seems that state-of-the-art security system didn’t involve encrypting Social Security numbers and birth dates—two pieces of information that are highly valuable to identity thieves.

The company said it would provide credit monitoring and identity protection services free of charge to those who were affected. Anthem discovered the breach last week and is still investigating the number of people whose data was accessed, but a spokeswoman told USA Today that she believes it numbers in the “tens of millions.”

*** end quote ***

Bet the coverage is only for a year.

And, isn’t there a disconnect between what they say and what they do?

We know that SSN is a disaster, and it was never “sold to the people” as an identification number.

But it has become one de facto.

So how do we analyze this “problem”?

Simple, don’t use SSN in corporate systems as an individual’s identifier. Create your own Customer Identification Number (i.e., CIN).

Seems simple enough.

Should a cross reference be required, keep that safe and tightly controlled.

But, what do I know, I remember when corporate systems at AT&T didn’t use SSN.
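The design just described, a corporate-issued CIN as the identifier with the SSN cross reference kept apart and tightly controlled, as an added example (not code from the original post or from Anthem). It assumes stdlib Python only: the CIN is a random token with no relation to the SSN, the vault finds a CIN from an SSN through an HMAC “blind index” so the index holds no SSNs, read-back of an SSN is gated by role and written to an audit trail, and the reverse store is assumed to live in a separately encrypted datastore in a real deployment (encryption at rest is outside the example). The SSN used is a constructed sample value and the role names are made up for the example.

```python
import hashlib
import hmac
import re
import secrets
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class Actor:
    user: str
    role: str

# Assumed: the only role allowed to read an SSN back out of the vault.
REVEAL_ROLES = {"tax-reporting"}

class CustomerDirectory:
    """Business-facing records. Keyed by CIN; an SSN never lands here."""
    def __init__(self) -> None:
        self.records: Dict[str, dict] = {}

    def create(self, cin: str, name: str) -> None:
        self.records[cin] = {"cin": cin, "name": name}

class SsnVault:
    """The cross reference: kept apart from the directory, searchable without storing SSNs
    in the index, and readable only by an authorised role with every attempt logged."""
    def __init__(self, index_key: bytes) -> None:
        self._index_key = index_key            # secret held by the vault only
        self._cin_by_index: Dict[str, str] = {}  # HMAC(ssn) -> CIN; contains no SSN
        self._ssn_by_cin: Dict[str, str] = {}    # CIN -> SSN; assumed encrypted at rest in production
        self.audit: List[Tuple[str, str, str, str, str]] = []

    @staticmethod
    def _normalize(ssn: str) -> str:
        digits = re.sub(r"\D", "", ssn)
        if len(digits) != 9:
            raise ValueError("an SSN has nine digits")
        return digits

    def _index(self, ssn: str) -> str:
        # Keyed hash, not a plain hash: a nine-digit keyspace is trivially enumerable without the key.
        return hmac.new(self._index_key, self._normalize(ssn).encode(), hashlib.sha256).hexdigest()

    def enroll(self, ssn: str) -> str:
        """Return the CIN for this SSN, issuing a fresh random one on first sight."""
        idx = self._index(ssn)
        cin = self._cin_by_index.get(idx)
        if cin is None:
            cin = "CIN-" + secrets.token_hex(8)   # opaque; nothing about the person is derivable from it
            self._cin_by_index[idx] = cin
            self._ssn_by_cin[cin] = self._normalize(ssn)
        return cin

    def cin_for(self, ssn: str):
        return self._cin_by_index.get(self._index(ssn))

    def ssn_for(self, cin: str, actor: Actor, purpose: str) -> str:
        """The one tightly controlled path back to the SSN."""
        allowed = actor.role in REVEAL_ROLES
        self.audit.append((actor.user, actor.role, cin, purpose, "granted" if allowed else "denied"))
        if not allowed:
            raise PermissionError(f"{actor.user} ({actor.role}) may not read an SSN")
        return self._ssn_by_cin[cin]

def onboard(directory: CustomerDirectory, vault: SsnVault, name: str, ssn: str) -> str:
    """Everyday systems get the CIN; the SSN goes to the vault and nowhere else."""
    cin = vault.enroll(ssn)
    directory.create(cin, name)
    return cin

if __name__ == "__main__":
    directory, vault = CustomerDirectory(), SsnVault(secrets.token_bytes(32))
    cin = onboard(directory, vault, "Pat Example", "078-05-1120")   # constructed sample SSN
    print("directory record:", directory.records[cin])
    try:
        vault.ssn_for(cin, Actor("clerk1", "service-desk"), "caller verification")
    except PermissionError as e:
        print("denied:", e)
    print("audit:", vault.audit)
```

The lesson for the breach being discussed is in the shape of the data, not the key material: a dump of the directory yields names and CINs, which are worthless to an identity thief, and only the vault, a much smaller surface with one gated read path, is worth protecting at the “state-of-the-art” level.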


— 30 —

SME_INFOSEC: Why Banks skate on infosec?

Here’s Why Your Bank Account Is Less Secure Than Your Gmail
Mario Aguilar
Yesterday 4:33pm

*** begin quote ***

In other words, the banks aren’t doing more because they don’t have to. And so as long as they maintain zero-loss guarantees against fraud, and the amount lost to fraud remains relatively small compared to their deep pockets, the banks won’t do anything more to protect you.

*** end quote ***

So while the end-user MAY not care — although the Banks could renege on their fraud guarantee — probably with help from the CoC, SEC, FED, FDIC, and DoJ — the IT professionals should care.

Remember ENRON?

After that, it was hard for finance folks to get a job with that on their resume.

I’d imagine it’s the same for an IT executive — or an infosec person — from Target now.

If you’re unable to meet your duties of care and loyalty to act in the best interests of the organization for WHATEVER reason, then you have a duty to resign.

When I was on Wall Street, I was always told that I couldn’t use “lack of funding to excuse failure” because I should have been able to convince higher ups about the need.

So too, professionals have a similar duty.

— 30 — 



The IBM débâcle

Massive Worldwide Layoff Underway At IBM
By Tekla Perry
Posted 3 Feb 2015 | 17:00 GMT

*** begin quote ***

Project Chrome, a massive layoff that IBM is pretending is not a massive layoff, is underway. First reported by Robert X. Cringely (a pen name) in Forbes, about 26 percent of the company’s global workforce is being shown the door. At more than 100,000 people, that makes it the largest mass layoff at any U.S. corporation in at least 20 years. Cringely wrote that notices have started going out, and most of the hundred-thousand-plus will likely be gone by the end of February.

*** end quote ***

It’s hard to imagine a more demoralizing “resource action”.

And, the long term damage is incalculable.

Would anyone go to work for them now? And trust them — never.

I think they have irreparably damaged their brand.

If I had a contract for services with IBM, then I’d treat it as a high risk now.

— 30 —