November 24th, 2009
admin
For my Israeli readers: the only thing worse than not being serious is coming out a freier (a sucker).
I’m collecting data for a couple of articles on data security in social networks and ad-hoc mobile networks, so I’ve been a little slow on blogging lately; for now I’m down to general management and risk management material.
I think that cutting and running as soon as possible from unreliable business partners is an exercise in sound risk management. Let me know if you agree after reading the following story.
I have an acquaintance, Eran Lasser who is co-founder and joint GM of John Bryce Training. Back when I ran Bynet Software (a Microsoft distributor and ACS – Authorized Support Center), we did some training projects with Eran as we were launching Windows NT and later Microsoft Backoffice.
I reached out to Eran last week with some ideas for management level training courses in areas where I have some personal expertise – data security and more recently using social software for B2B sales. He asked their VP Business development, Ori Lapid to meet with me – and within a day or two a secretary made an appointment. The morning of the appointment – the secretary called to confirm – I came in a few minutes early and waited patiently for Ori to start the meeting.
After 5, 10 and 15 minutes went by with the secretary giving me the usual disclaimer of “he will be with you in a few minutes” – I told the secretary that Ori’s 15 minute academic grace period had expired and I left. I thought it was significant and also a vindication of my decision to walk out that neither the secretary nor Ori Lapid bothered to contact me and apologize for wasting my time.
This is the epitome of what Israelis call “not being serious”, or, as they say in Israel:
The only thing worse than not being serious is coming out a freier (a sucker).
Is your 50-something IT manager the last one to know about the company getting acquired?
An extremely obvious yet perhaps unpleasant observation for over-40 IT managers is that under 30 employees know a lot more about technology and ways to bypass the company security safeguards than they do.
A young, hip, mobile and technology-facile workforce may be a significant, yet unacknowledged, vulnerability for companies. Your information security group is doing security awareness training and evaluating DLP solutions from companies like Symantec and Fidelis Security to block blogging and Facebook, but the action has moved to Twitter.
Your physical security officer has installed security cameras to deter theft of equipment, but how are they going to block smart cell phones with 16GB of memory, cameras and modern Unix-based operating systems like OS/X (the OS on the Apple iPhone) that can run any *nix application? How about this exploit – download some data to your phone from the PC and then ssh to a private sshd server somewhere on a virtual host. Don’t want to be tracked down? No problem – just take down the virtual host after you’re finished – you don’t need more than an hour or so.
What about data loss by text messaging? True, it’s limited in quantity, but not in quality.
I’m waiting for commercial applications of cell-phone blocking technology in the workplace; in this down market it might be critical for the guys and gals in the board room.
September 7th, 2008
admin
I was looking at the CSI 2008 security survey recently and noticed that the top three loss categories are fraud (number 1), viruses (number 2) and data loss (number 3).
I’m a little dubious about viruses ending up in the number 2 slot. We haven’t even installed anti-virus software on our office workstations in the past 4 years and we haven’t had a single event. It might be Symantec and McAfee gaming the numbers in order to prop up flagging anti-virus sales from people like me who use Google Applications and practice safe email and safe surfing.
However, fraud and data loss are classic mainstream categories of operational risk.
I like the definitions in the Basel II regulation, which defines operational risk as the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events.
Although originally designed for banks and the protection of the banking system and the economy from large-scale failure, a systematic approach to operational risk management is important for any kind of organization. Operational risk is not about damage to the business from a bad strategic decision (like getting into a new market segment and losing your pants).