Welcome to the SJ+/PRC blog. Commentary on general IT Governance and software development issues as well as musings and information about PRC.
Subscribe (on the main page) to the newsletter if you’d like a little commentary about the state of cyber security, IT governance, Pick/MultiValue and all things ‘SDLC’.
Remember when you were a kid and all you wanted was to be a “grown up”? Everyone told you not to rush it. “It’s not as great as you think it will be”, they would say, knowingly. The situation is not so different for those of us in the MultiValue community. We have been talking for years about wanting to be more mainstream and more recognized, but as we extend our reach we may find that, just like being a grown-up, being mainstream isn’t all it is cracked up to be. This is particularly true as it relates to security.
For years we’ve been able to crouch behind ‘security by obscurity’ as cover. Unfortunately, even if our flexible database remains fairly obscure, we are all busy pushing our data out to SQL and widely used reporting databases and web interfaces.
We are moving stuff around through very mainstream methods – and lauding the fact that we are doing so.
Our user interfaces, networking and generally data in motion are NOT unique to the MultiValue world.
There are some general security issues and ideas that are the same no matter what the platform, the threat or the year. The details between these guideposts are the specific vulnerabilities in MultiValue and secure coding practices for the environment.
(to be continued.)
Everything old is new again
 |
|
Ah, the 80s. So many smart, young innnovators in this space that we eponymously called Pick. Dozens of vendors and thousands of users filled convention centers. (The parties were epic.)
Like a Big Bang, this phenomenon flung software, people and money to the far reaches of the business galaxy.
Does this analogy mean that now we are orbiting a dead star, winding ignomiously into a black hole? No, it does not. Every acquisition, consolidation, spin-off and repeat has the hand-wringers insisting that this time it is the end. MultiValue prevails against determined efforts to quash it and, at best, a benign neglect at the top. Not merely endures, as Faulkner would say, but prevails.
“We can’t hire young people.”
“Why not?”, I ask.
“Oh, well, we haven’t tried. We need experienced help.”
This is not unique to our industry. Experience and aging happen at the same time. Younger hires will need training. Despite this latest in the long line of reasons to worry, we have lots of reasons to rejoice.
There is such renewed enthusiasm right now. Grab your vitamins and let’s go BACK TO THE FUTURE.
In the first article of this series we introduced IT Governance in general, some of its history and some of the regulations that compel us to embrace it. We’ve acknowledged that it is, for many of us, an unpopular necessity. But we’ve also seen the golden promise of good that can come from it. In the second article we talked about some of the specific legislation, their common underlying IT Governance requirements, the two widely accepted frameworks for guidance and how that guidance specifically deals in controls. We talked about what controls are, and how there are preventive and detective controls, as well as manual and automated controls. And we have posited a persuasive argument for why automated controls are better. In many cases the automated controls require a greater initial effort, while the benefits are reaped over time. Because of this, companies often opt for manual controls initially. That initial period can stretch out to eternity, and end up being costly. The reality is that while it is probably necessary to take things one step at a time, it is important to have a plan for the next step and to stay motivated. That motivation can come from having a clear of understanding of what can be gained by implementing automated controls and overall IT Governance. Even if there were no direct, tangible return on investment, having good practices in IT governance is still a good idea. We can all agree on the long-term, perhaps less direct, tangible or financially obvious benefits of a more productive, responsive and transparent IT infrastructure. But SHOW ME THE MONEY!, right? There is real money to be found in this effort – savings, efficiencies. Actual, calculable financial benefit. A couple of examples found in a Tech Republic article:
So what holds us back? The number one thing is that we – as IT professionals – are already stretched pretty thin. And we don’t know where to start.And if we can get started, how do we get a clear roadmap of how to get where we are trying to go in manageable steps?And we don’t know how to measure the benefit if we did gain any.
<more to follow>
Last issue we introduced IT Governance in general, some of its history and some of the regulations that compel us to embrace it. We’ve acknowledged that it is, for many of us, an unpopular necessity. But we’ve also seen the golden promise of good that can
The Law
Are any of the new regulations going to affect you and your company? In a word: yes. It is very likely that these – or other regulations that impact IT governance – will affect you.One of the most far-reaching ones is the Payment Card Industry Data Security Standard or PCI DSS. This one applies to anyone that accepts payment cards (credit or debit). The requirements impact fees and rates – the better the compliance, the lower the fees and rates. Money is a great motivator! Prison can be a great motivator, too – the Sarbanes-Oxley act in the US has opened avenues for criminal prosecution along with whistle-blower protections. From securities and banking to health privacy and credit cards, regulations are being created or tightened that have to do with protecting data and controlling IT access and change. If your industry doesn’t have requirements – yet – you won’t have to feel left out for long. If you are not a publicly traded company in the US your country is bringing similar requirements to you. Not publicly traded at all? Not to worry, the definitions are broadening to include most companies that even do business with any publicly traded companies. One way or another, sooner or later, regulations that impact IT Governance are going to touch your organization.
Gilda Radner as Emily Litella
The United States first came up with the Sarbanes–Oxley ACT of 2002. It was introduced as an attempt to prevent the type of financial fraud that occurred at a number of large publicly traded US and global companies. The headliners were, of course, Enron, Tyco and Worldcom but there were many others. The congressional act was immediately nicknamed SOX and proceeded to create havoc at publicly traded companies in the US and to a lesser extent, abroad. Then, because SOX exists (and for almost no other reason) it began to be adopted in other countries. And the nick-names just won’t quit – Japan has J-SOX, the EU has E-SOX. Meanwhile there has been some refinement back in the US. A seam loosened here, a nip and a tuck there. More importantly, with experience came some published guidelines. There is nothing to be done about the time and money wasted by the largest companies in the US which were first – but things have gotten better for those that are coming along later. Other government-specific and industry-specific regulations have followed SOX and still more are on their way.