Thursday, July 31, 2008

Internet traffic jam?

I came across an article recently by one of the pioneers of the Internet, Larry Roberts, for whom I worked many years ago. Larry's article was insightful and pointed out that there are some reasons to believe that there should be classes of service for those accessing the Internet. Larry is a visionary in network protocols and has started yet another provider organization, this time to provide Internet traffic carriers with the ability to throttle traffic "flows" based on class of service.

In reading the article it struck me as odd that Larry would advocate using bit rate to determine class of service and therefore the fees associated with Internet access. I have a relatively slow broadband access rate in my home office and pay a modest rate for the service I receive. Power users on the other hand might pay a larger fee for their higher grade of service. My thought was that I would rather pay for the grade of service the information I requested gets from my ISP rather than just the bit rate I am able to get from the carrier. This "Contracted Information Rate" would allow agreement between me and my service provider on what grade of service they would be willing to provide as measured over a set period of time. This would allow me to be assured of receiving a set service level regardless of the bit rate of my access link, realizing that there would be a limit to the service I could receive if I continue to have a relatively slow access path. Measuring this access would be relatively easy over a longer period of time rather than just complaining about not achieving peak bit rates on my link over a very short span of time.

It is very clear that the more bandwidth-demanding applications are developed and delivered over the Internet, the more likely we are to have occasional slowdowns. The service providers have every right to charge for the grade of service delivered to end users, but at the same time the end users have a right to receive a quality of service that is appropriate to their use and applications. Restricting rate flows is OK as long as it is being done in a way that achieves the agreed-to objectives of both parties involved. Also, I do not want to pay for poor performance from a carrier based on bit rates when what I really care about is getting or transmitting the information I am interested in. It is also clear that we cannot expect to be able to continue to simply "fill the pipe" with information and expect performance to be at link speeds at all times. Networks do not work that way in the long run. Maximize the utilization of the network asset, yes, but do not expect to fill it 24/7 and achieve any acceptable performance.

This may all seem to be an argument over the same thing but I feel that there is a very fine difference. The technology solution that offers a way for me to send or receive information within a certain time frame "absolutely, positively" will win my business and ultimately allow everyone involved to win as well.

Monday, July 21, 2008

Network Administrator gone bad - Told you so

Back on May 20th I posed the question whether network administrators, or anyone with Admin rights to a resource for that matter, should be licensed. The premise was that if the person is a professional then they should be willing to submit to a background check, and to operate under a code of ethics in their daily work.


As of last week we have now seen the worst-case scenario play out. A network admin for the City of San Francisco created a super user for himself for the network resources and locked out the other admins from the network. He then proceeded to hold the network hostage in order to ensure that his employer would not take action on a performance complaint they were building. The information that is being released now makes this story even more unbelievable.

It would appear that the city of San Francisco hired a person previously convicted of aggravated burglary to maintain part of the city's IT infrastructure with the full knowledge of this past criminal history. He is now sitting in jail and the city still does not have its network back in full operation. Under the concept of risk management and good security practices this hire would not have been viewed as a wise move. Under the previously suggested practice of licensing system administrators this person would not have been allowed to have admin rights at all. All that said, who was watching the store on this one? Were there no configuration audits during this person's tenure in this ill-advised position? How about automating that audit function? Immediate notification of an unauthorized change to the network environment would have been advised, don't you think?

This type of transgression should have never taken place and was very easily prevented. Answer: if a hiring decision seems like a bad idea, it probably is. In this case, I am 100% sure it was a bad idea. No license for this guy.

Saturday, July 5, 2008

IT Security Spending - Is it enough?

On average an enterprise organization spends anywhere from 3% to 6% of its IT budget on security infrastructure. This budget amount is divided between operating expenses (nearly 70% of an IT budget which just keeps the wheels on) and capital expenditures intended to improve things and meet new user requirements (making up the other 30%). Is it enough?

I would say that it depends upon the organization and the value of the information assets the enterprise is looking to protect. A good example is a financial services firm. This organization is entrusted with information that could literally change the course of the lives of millions of people should it fall victim to a security breach. In this instance I would hope that such an organization was devoting more than say 5% to keep my money safe. Speaking of which, I got a phone call recently from a rather large financial services organization indicating that an account I have with them was subject to an attempted fraudulent act. All was well and I was pleased with the proactive nature of the call. I make it a point to thank the caller every time even though I realize they may be trying to save their company pain and financial loss more than they are trying to save me.

Just another example of how it all depends upon the value of the asset and the organization's tolerance for risk.

Thursday, July 3, 2008

Making the leap

So you're thinking you are ready to make the leap into IT management. You have held down a technology job for a few years and you are tired of working for someone else. You have more hands-on experience than those you have worked for in the past and you are thinking "so what is the big deal? I can handle it." Maybe yes, and maybe no.

I have had the pleasure of mentoring a number of technical people making the move into their first management position in IT. It has always been fun and interesting to see them succeed beyond the level they thought they would achieve. Not to say that there have not been bumps in the road along the way. Having assisted in this transition a fair bit I have come to the conclusion that there are a few qualities that are essential to making the transition a success.

  • The person has to really want the job.

As with most things in life, if the desire is genuine then things tend to work out. If you are the slightest bit hesitant about taking on a management "challenge" then perhaps it is not for you. There is a difference between being nervous about your first position and not being fully committed to the task. I look for a genuine commitment before promoting someone to be responsible for the work of others.

  • Life and work experience is essential.

If you are going to be supervising the work done by others then you had better have done some of the work yourself. This means having served on some project teams doing some of the tasks you will be supervising in your new position. If you have not done this then get yourself assigned to a team that is actively doing a relevant project. Get your hands dirty. Along with that, get some experience interviewing and mentoring others. Be prepared to make a decision or have input on the hiring of others to do work for your organization. You could be making selections on contractors or full-time staff; either one is fine for now. It will help in the long run if you have had to gather information about people and make a choice based on your efforts. Living with your choices can be hard.

  • Do not think that you can learn management from a book.

Do not make the mistake of thinking that all management techniques can be learned from an MBA course. If it were only that easy we would all have MBAs. Don't get me wrong, book learning is great and I try to do a lot of it myself but in a different way. I read a lot of materials about others' successes and failures (the Harvard MBA program does this same thing). Corporate histories are a great source of information about what to do and what not to do in management situations. Learning from others' mistakes is a good thing in most cases.

  • Learn from everyone, both good and bad.

Everyone has had good bosses and bad ones. I contend that you can learn a lot from both. Clearly you want the good ones to provide you with lots of guidance on how to manage people and projects. Taking lessons from the bad ones is a bit trickier but essentially involves applying the "I would never say or do that to someone" test. Recognizing the bad and filing the experience away for later recall are some of the best lessons available.

  • Find a good mentor.

Having a good mentor during your early management experience is invaluable. Access to someone who can answer questions, be a sounding board for ideas, and offer gentle corrections when needed can help to ensure success. The trick is how to find a mentor and perhaps this is a good place to start your management career. More on this one next time.