Category Archives: Technology

It’s Not Risk Management If You Just Trade One Risk for Another!

Especially if the second risk is just as risky, or, even worse, more risky than the first.

After reading a number of articles that claim IT Outsourcing reduces cost AND risk, including this recent piece over on Global Services on “Operational Risk, IT, and Outsourcing”, I am getting nervous about the mad dash to the cloud that these articles are directly or indirectly promoting.

While SaaS is often the best choice for many SMEs and large scale industries without a lot of technical know-how, it’s not always the best choice, and some systems are a lot safer to outsource than others. It’s one thing to outsource an ERP/MRP, especially if you don’t store your bank account access information in the ERP/MRP, but another thing to outsource user account management if such management contains credit card information and/or detailed financial profiles that are sufficient for an average criminal to commit identify fraud in his sleep. In the first case, just about any SaaS provider will do. In the latter, you need one who not only hosts in a secure data centre, but understands security and built security (and encryption) into the application (and database) from the ground up — especially if they are hosting in a shared data centre that uses a true multi-tenant architecture. Otherwise, a hacker could break in through a weakness in the application layer, dump the database, and get unencrypted credit card numbers, bank account numbers, SINs, etc. if the application wasn’t designed right from the bottom up. This could be financially devastating to you and your customers (who, for starters, would never buy from you again and who would probably take you to court).

The requirements for outsourcing and maintaining financial systems are much greater than for Supply Chain and Inventory Management. So what if they get your inventory database. Unless you’re storing nuclear material, who cares if they know for sure that you have 250 outdated PCs, 100 rolls of steel, and a warehouse full of binders. If they were doing a competitive intelligence project and really wanted to know that much about you, they’d check one of the import/export trade data monitoring services (or just watch what went in and out of your warehouse from across the street) and know it anyway.

Before you outsource financial systems, you have to be sure that the provider and the hosted application is at least as secure as the applications and environment you’d build in house, or the outsourcing effort will come at the expense of increased risk. And if risk increases, the decrease in cost may be inconsequential.

And if you don’t have the technical savvy to make a fully informed decision, bring in a consultant who has that knowledge. Trust me when I say it will be one of the best investments you ever make.

Share This on Linked In

Is MDM A Pipe Dream for the Average Organization?

With few exceptions, the most notable one being Oracle (which is the only IT organization I know of that eats its own premium dog food and never varies from the menu), MDM (Master Data Management) is a bigger myth in the modern enterprise than the Lost City of Atlantis (which never existed, by the way, and if you did your research you’d know it was a fictional metropolis introduced by Plato so that Socrates would have something to say). It’s been a problem ever since the first enterprise used one system for accounting and a second system for inventory, and it has only worsened over time. And now that we’re cloud-crazy, it’s only going to get even worse.

Instead of having data residing in dozens of databases accessed by dozens and dozens of applications in your server room, you’ll now have data residing in dozens of internal databases and in dozens of external databases on half a dozen different clouds, which is physically distributing and replicating these database instances over a few dozen instances for fault tolerance and reliability. Your data is now everywhere and nowhere at the same time. It’s more global than you are. And thanks to dynamic routing (and IP hacking and spoofing), it’s seamlessly crossing borders that you can’t. How can you ever hope to get a handle on it?

Well, according to this recent article in Information Week, you can start by following “three guidelines for implementing MDM”. These guidelines are a good way to wrap your mind around the problem, but they don’t really solve it.

Consider the guidelines:

  • Primary business drivers determine the methods of use.
    Well, duh! This should be the case for every system you use, not just MDM. If there is no business need, why do you have a system? Considering that all systems require hardware, software, and technical resources to maintain them, it’s just dumb to have systems you don’t need.
  • Data volatility determines the implementation styles.
    This is fairly obvious too. If you have a database that only updates once a week, and your MDM approach is to dump replicate all of your data in all of your disparate databases into one central database for MDM-driven BI, then you’re only going to have to update the central database once a week. If you have a database that updates every second, then you’ll need to grab updated data as often as you need it for analysis.
  • Scope determines the number of domains.
    This was the only really useful guideline. MDM doesn’t always mean centralizing all of the data into one central repository accessed through one domain. MDM is about gathering all of the related and relevant data into one schema, which may or may not be in one database, that permits the analyses the organization needs to run.

And now we get to the heart of the problem. Where and how should the data be stored, and how should it be accessed for the analytics that the MDM system is to support. (There’s no need for MDM if you’re not doing analytics!)

To this end, the article suggests you look at three types of MDM — Collaborative (CMDM), Operational (OMDM), and Analytical (AMDM) — and three styles — registry, coexistence, and transaction — but the first doesn’t solve the problem at all (as it just helps you figure out what you need to include under MDM, not how you represent it) and the second only deals with what data is managed and how often it is refreshed.

The fundamental problem is that of architecture — what is the schema, where is the data stored, and how is it federated? And what do you do if some of the data is not accessible when you need it? If you have terabytes of data distributed between internal databases and external clouds, then to centralize it you will need terabytes of storage and some big internet pipes to handle the petabytes of data that will need to be sent back and forth over the course of a year to keep the central data store up to date. So centralization is not the answer in this scenario. You need to keep the data in its home location and simply access what you need when you need it. But if an application is down, or inaccessible because of a temporary internet-related failure, the data won’t be accessible. So what do you do? Do you run the analysis without that data? Do you use the most recently cached data? Do you estimate the missing data based on time-series projections? Do you run a partial analysis, return a partial report, queue the remainder of the request and then run the remaining analysis when the data source becomes available again? Until you can answer these questions, architect a distributed, fault-tolerant, robust MDM solution, and implement it — which is where even the best organizations tend to fail and give up before the effort is complete — you don’t have MDM.

So is MDM a pipe dream for the average organization? Or will next generation technology deliver us a solution. It’s an important question, because you’ll never have true BI (Business Intelligence) if your data is out of control.

Share This on Linked In

Keeping Your Industrial Control System Secure

Recently, the evil hackers have stepped up their assault with the design of viruses designed specifically to attack and exploit industrial control systems, including the Stuxnet worm specifically written to attack Supervisory Control and Data Acquisition (SCADA) systems, and, according to reports, Siemens control systems in particular.

As a result, you need to step up your efforts to secure your systems. How do you go about it? Start with the advice in this recent article in Industry Week that gives you “five keys to keep your industrial control system secure”.

  • Develop Security Awareness
    Viruses don’t just come from the internet. They also come from flash & USB drives that were infected on another computer. Be sure to install end-to-end anti-virus solutions and only copy / run new software after it has been scanned and determined to be virus free.
  • Do a Risk Assessment
    Determine the risk posed by each organizational system and lock it down appropriately. Mission critical systems or systems that control dangerous process or use dangerous materials should be locked down, and, if at all possible, taken completely off the internet.
  • Find the Legacy Systems
    Some of these systems might be so old that they are no longer supported. As a result, they’ll be especially vulnerable to new exploits as there will be no future patches to plug the holes and newer AV products will not support the legacy systems.
  • Triple Lock-down the Wireless Networks
    Now that Blackberries, iPhones, and Android devices can be used to control your network, the last thing you want is an open network that anyone with the right software and a mobile smartphone can use to log in locally and take control.
  • Communicate
    Talk to the IT people and keep abreast of the emerging security issues and have a plan to deal with them before they have their way with you.

Then do the following:

  • Lock down any output/display-only devices tighter than Fort Knox.
    Disable the USB / external drives, prevent installation of unauthorized programs downloaded over the internet, and make sure the approved anti-virus/anti-spyware programs can’t be disabled. It won’t prevent every threat, but it will prevent known threats from getting in and making more holes that other threats could exploit.
  • Do a regular security audit at least quarterly.
    You can’t just update your anti-virus programs once a year and assume everything is A-OK. Every install, every update, every new machine and new device is a risk. While you don’t need to go psycho and lock everything down and run a level 5 security threat assessment every week, you should run a basic set of scans and penetration tests once a quarter to make sure you or your staff haven’t inadvertently opened the back door wide open.

 

Share This on Linked In

DnB’s Mobile Capability is Good But …

… it’s no substitute for the real thing.

There’s been a lot of hype recently about Dunn & Bradstreet’s new Supplier Risk Manager Mobile functionality, and a lot of coverage on the blogs. I’m not going to say it’s undeserved, as it is one of the first enterprise applications in the supply chain space to make an effort to embrace mobile computing, but I’m not going to hype it either.

The reality is that while D&B are advertising three capabilities, there is really only one real use for the offering (and I’m pleased to say that, when grilled, they readily admitted it), which is:

determining whether or not an alert needs to be acted on now, or later.

A properly configured Supplier Risk Management System will be configured to send out alerts anytime something might need to be looked at — as the system will be ignored otherwise. When an alert is sent out, the first thing that a recipient needs to do is determine how serious the alert is and whether or not more research needs to be done and/or an action needs to be taken. With the mobile platform, that works on ‘Berries, ‘Droids, and iPhones, a risk manager can drill into the alert and see why it was issued (reduced credit score, late shipments, plant shutdown, etc.) and then drill into the supplier profile to determine what effect the reason for the alert could have on the supplier and/or the relationship. The manager can then determine if the alert needs to be followed-up on or not, and if the follow-up (whether additional research, a call, or another action) has to happen now or later. This is useful if the manager is on the road and doesn’t have easy access to the regular application or if the manager is just enjoying personal time and doesn’t want to drop everything to run to the [home] office to figure out whether or not something needs to be done — which could be the situation if the alert is for a major supplier of critical inventory.

The mobile app also allows you to search for suppliers and look up (random) company profiles, but let’s face it, that’s not something you’re going to be doing when you’re on the road or on personal time — especially when it’s so much easier on the full application. It’s neat, but you’re only going to be doing it when conduction sourcing events back at the [home/hotel] office. In short, it’s good, but don’t place unreasonable expectations on it, or they’ll be dashed.