Welcome to the blog

Featured

Welcome to the SJ+/PRC blog. Commentary on general IT Governance and software development issues as well as musings and information about PRC.

Subscribe (on the main page) to the newsletter if you’d like a little commentary about the state of cyber security, IT governance, Pick/MultiValue and all things ‘SDLC’.

Secure Coding (for MultiValue)

Remember when you were a kid and all you wanted was to be a “grown up”? Everyone told you not to rush it. “It’s not as great as you think it will be”, they would say, knowingly. The situation is not so different for those of us in the MultiValue community.  We have been talking for years about wanting to be more mainstream and more recognized, but as we extend our reach we may find that, just like being a grown-up, being mainstream isn’t all it is cracked up to be. This is particularly true as it relates to security.

For years we’ve been able to crouch behind ‘security by obscurity’ as cover.  Unfortunately, even if our flexible database remains fairly obscure, we are all busy pushing our data out to SQL and widely used reporting databases and web interfaces.

We are moving stuff around through very mainstream methods – and lauding the fact that we are doing so.

Our user interfaces, networking and generally data in motion are NOT unique to the MultiValue world.

There are some general security issues and ideas that are the same no matter what the platform, the threat or the year.  The details between these guideposts are the specific vulnerabilities in MultiValue and secure coding practices for the environment.

(to be continued.)

Back to the Future

Everything old is new again

Ah, the 80s. So many smart, young innovators in this space that we eponymously called Pick. Dozens of vendors and thousands of users filled convention centers. (The parties were epic.)

Like a Big Bang, this phenomenon flung software, people and money to the far reaches of the business galaxy. 

Does this analogy mean that now we are orbiting a dead star, winding ignominiously into a black hole? No, it does not. Every acquisition, consolidation, spin-off and repeat has the hand-wringers insisting that this time it is the end. MultiValue prevails against determined efforts to quash it and, at best, a benign neglect at the top. Not merely endures, as Faulkner would say, but prevails.

“We can’t hire young people.”
“Why not?”, I ask.
“Oh, well, we haven’t tried. We need experienced help.”

This is not unique to our industry. Experience and aging happen at the same time. Younger hires will need training. Despite this latest in the long line of reasons to worry, we have lots of reasons to rejoice.

  • College-level and tech school programs for MultiValue are springing up (contact Zumasys!)
  • If you do hire young folks and need to train them, we have incredible trainers in our marketplace.
    (Ask me for recommendations)
  • Successful companies are renewing their commitment to MultiValue like crazy. (You are seeing it.)
  • Software vendors may resort to Road-Runner-cartoon-like methods of crow-bars, anvils and dynamite to move their customers away from MultiValue, but continue to gain little momentum. (Trust me on this.)
  • The technology we use is easy to learn and super-cool. (You know this is true.)
  • Millennials in the industry love working in this environment. More than that, they love working. (Let’s let everyone involved see for themselves!)

There is such renewed enthusiasm right now. Grab your vitamins and let’s go BACK TO THE FUTURE.

What’s all this … part 3 of 3 “Getting started and measuring benefits”

In the first article of this series we introduced IT Governance in general, some of its history and some of the regulations that compel us to embrace it. We’ve acknowledged that it is, for many of us, an unpopular necessity. But we’ve also seen the golden promise of good that can come from it. In the second article we talked about some of the specific legislation, their common underlying IT Governance requirements, the two widely accepted frameworks for guidance and how that guidance specifically deals in controls. We talked about what controls are, and how there are preventive and detective controls, as well as manual and automated controls. And we have posited a persuasive argument for why automated controls are better. In many cases the automated controls require a greater initial effort, while the benefits are reaped over time. Because of this, companies often opt for manual controls initially. That initial period can stretch out to eternity, and end up being costly. The reality is that while it is probably necessary to take things one step at a time, it is important to have a plan for the next step and to stay motivated. That motivation can come from having a clear understanding of what can be gained by implementing automated controls and overall IT Governance. Even if there were no direct, tangible return on investment, having good practices in IT governance is still a good idea. We can all agree on the long-term, perhaps less direct, tangible or financially obvious benefits of a more productive, responsive and transparent IT infrastructure. But SHOW ME THE MONEY!, right? There is real money to be found in this effort – savings, efficiencies. Actual, calculable financial benefit. A couple of examples found in a Tech Republic article:

  • Procter & Gamble: US$500m in savings over 4 years.
    Morton Cohen, P&G manager of global service management, said, “When IT processes are done by 5000 people consistently across one company, service management can deliver tremendous savings.”
  • Ontario, Canada government – by adopting ITIL, the government created a virtual service desk that not only improved response time and reduced trouble tickets but also decreased support costs by 40 percent.
  • Dell Computer includes CobiT best practices as part of its Control Self Assessment (CSA) corporate policy, a set of auditing checks and balances that helps the company maintain its high quality.

So what holds us back? The number one thing is that we – as IT professionals – are already stretched pretty thin. And we don’t know where to start. And if we can get started, how do we get a clear roadmap of how to get where we are trying to go in manageable steps? And we don’t know how to measure the benefit if we did gain any.

<more to follow>

Getting to Compliance (IT Governance, Part 2)

Last issue we introduced IT Governance in general, some of its history and some of the regulations that compel us to embrace it.  We’ve acknowledged that it is, for many of us, an unpopular necessity. But we’ve also seen the golden promise of good that can

The Law

Are any of the new regulations going to affect you and your company? In a word: yes. It is very likely that these – or other regulations that impact IT governance – will affect you. One of the most far-reaching ones is the Payment Card Industry Data Security Standard, or PCI DSS. This one applies to anyone that accepts payment cards (credit or debit). The requirements impact fees and rates – the better the compliance, the lower the fees and rates. Money is a great motivator! Prison can be a great motivator, too – the Sarbanes-Oxley Act in the US has opened avenues for criminal prosecution along with whistle-blower protections. From securities and banking to health privacy and credit cards, regulations are being created or tightened that have to do with protecting data and controlling IT access and change. If your industry doesn’t have requirements – yet – you won’t have to feel left out for long. If you are not a publicly traded company in the US, your country is bringing similar requirements to you. Not publicly traded at all? Not to worry, the definitions are broadening to include most companies that even do business with any publicly traded companies. One way or another, sooner or later, regulations that impact IT Governance are going to touch your organization.


What’s all this I hear about IT Governance?

Gilda Radner as Emily Litella


The United States first came up with the Sarbanes-Oxley Act of 2002. It was introduced as an attempt to prevent the type of financial fraud that occurred at a number of large publicly traded US and global companies. The headliners were, of course, Enron, Tyco and WorldCom, but there were many others. The congressional act was immediately nicknamed SOX and proceeded to create havoc at publicly traded companies in the US and, to a lesser extent, abroad. Then, because SOX exists (and for almost no other reason), it began to be adopted in other countries. And the nicknames just won’t quit – Japan has J-SOX, the EU has E-SOX. Meanwhile there has been some refinement back in the US. A seam loosened here, a nip and a tuck there. More importantly, with experience came some published guidelines. There is nothing to be done about the time and money wasted by the largest companies in the US, which were first – but things have gotten better for those that are coming along later. Other government-specific and industry-specific regulations have followed SOX, and still more are on their way.
