Risk Management
Ideas and strategies to make risk management more effective.
21 July 2011- 12:27 PM
Sunday evening my wife and I took in the musical “Chicago,” a sensational tale of sin, corruption and all that jazz, set in prohibition era Chicago, my hometown. The story is a sizzling satire on corruption in the administration of criminal justice and the concept of the “celebrity criminal.” Listening to the lyrics sung by the hapless character Amos, I suspected that even the most confident of us might empathize with him as he sings ‘Mr. Cellophane’:
“If someone stood up in a crowd And raised his voice up way out loud And waved his arm and shook his leg You’d notice him
If someone in the movie show Yelled “Fire in the second row This whole place is a powder keg!” You’d notice him
And even without clucking like a hen Everyone gets Read more …
19 May 2011- 03:35 PM
We seem to invest heavily in IT service management solutions that are highly dependent upon agent technologies for the visibility needed to “drive” (i.e. access, secure, manage and control) the desktops, laptops and servers within our IT infrastructure. Are these applications so compelling that we trust traditional agent-based management models which are inherently vulnerable to the same risks as the endpoints they manage? Is it wisdom to introduce the resultant IT operational handicaps of being unable to identify over 15-20% of our infrastructure’s endpoints1 due to issues of hidden, missing, outdated, or misconfigured agents required for anti-virus, inventory and patches?
Given the significance of the functionality of these mission critical IT management and security applications, I would venture that the answer is ‘yes’ …but with the qualifier that agentless technology be an essential component to many IT service management tasks Read more …
19 April 2011- 07:50 AM
Large, complex organizations regularly struggle with the pros and cons on each side of the centralization/decentralization argument — and then they reorganize, usually to the opposite extreme. If you are looking at decentralization, the argument is that business unit executives need IT resources under their direct control to better achieve their business goals. Under this approach, the organization will typically maintain a small central IT group with limited responsibility, perhaps related to architecture and standards. If looking to centralize control, the argument is that this is the only way to ensure economic efficiency, and it may be absolute. These arguments have merit, but not absolutely, in either case. Both extremes create an environment for dissatisfaction in some part of the organization, and there often isn’t any mechanism for relieving that dissatisfaction other than another broad reorganization.
So what’s the Read more …
17 February 2011- 06:19 PM
Some argue that a cyber-Armageddon — or a “digital Pearl Harbor” — may be just around the corner, while others counter that while cybersecurity needs to be taken seriously, the overall cyberthreat and its consequences are vastly overblown and are merely a convenient excuse to sell over-priced security software and consulting.
The May 2011 Cutter IT Journal will try to separate the wheat from the chaff as pertains to security threats from current and potential cyberweapons. Proposals of interest are due 2 March 2011. To respond, please visit http://www.cutter.com/content-and-analysis/journals-and-reports/cutter-it-journal/callforpapers02.html
11 January 2011- 10:49 AM
Risk management is a formal process owned by senior executives responsible for keeping everyone safe and sound day and night. They report to internal and external audit committees or, actually, prefer to avoid any and all interaction with audit folks since even a casual discussion with auditors can result in a boatload of work for entire teams of already overworked professionals.
So what do they audit and how is risk assessed? Most risks are the standard fare. If the audit tells you that your disaster recovery plans are inadequate, then the company will be placed at risk. If your wireless networks are insecure, then the risk bells will go off. If your change-control processes are weak, then the audit will identify some major risks for you to address, reduce, and eliminate.
All the standard questions should be asked — and Read more …
20 October 2010- 02:41 PM
by Anne Mullaney, Vice President, Product Development and Marketing
Here at Cutter HQ, as we fondly call it, we’re in full Summit mode: printing badges, packing boxes, tweaking the final menus – getting all the behind-the-scenes stuff done. But that’s certainly not the exciting stuff! What is exciting is the program.
As always (this is the 14th Summit we’ve held here in the Boston area), there’s nothing theoretical about the program or sessions. It’s all about creating and discovering business-technology strategies that pave the way for success. And since there are no vendor sponsors, there are no pitches, subtle or otherwise, about silver bullet-type solutions.
Here’s a peek at Monday’s sessions:
We’re addressing cloud computing. Lou Mazzucchelli’s tackling this topic. If you’ve ever heard him speak before, you know that Lou (1) is incredibly experienced and knowledgeable, (2) hones in on the “ah-ha” Read more …
8 October 2010- 09:14 AM
With large global firms depending on suppliers and business partners in many locations around the world, it is pretty likely that all organizations will at some point be disrupted by some sort of crisis. And it is also pretty likely in this event that some aspect of IT will come into play — either as a source of or in response to the crisis.
What is IT’s role in both crisis prevention and crisis mitigation? What kinds of tools, applications, strategies, and infrastructures work best to facilitate crisis response?
The January 2011 Cutter IT Journal seeks to shed some light on this pressing issue. Proposals of interest are due 22 October. To respond, please visit http://www.cutter.com/content-and-analysis/journals-and-reports/cutter-it-journal/callforpapers03.html
5 October 2010- 02:00 PM
by Ken Orr, Fellow and Senior Consultant
There are no computer systems that are “too important to fail.” Failure, as any competent engineer will tell you, is always an option. Yet modern societies increasingly depend on systems to be foolproof. Electrical grids, air traffic control, automobile control, and medical equipment are all life-critical systems, and none of us wants to depend on life-critical systems with a high failure rate. Nobody wants to trust a large portion of his life savings to a financial trading system that is subject to unpredictable failure either. The same is true of the Internet itself. What we need to do is take a step back and study the design, architecture, and feedback control of these systems. Without such a discussion, we will experience more of these trillion-dollar flash crashes.
It is clear that interfacing in native mode (i.e., IP) over the Internet Read more …
21 September 2010- 08:29 AM
The worst mistake is not telling the boss.
Or so said an article a few years ago in the Washington Post about the importance of immediately disclosing problems or mistakes to your boss.1
I am a great believer in this idea as well, which is part of what the late management theorist and practitioner Peter Drucker called “information responsibility.” Without knowing the true state of play, it is pretty difficult to manage enterprise risk effectively.2
This Washington Post article came to mind again as I read a Bloomberg News article last week dealing with the roots of the financial meltdown,3 as well as from a recent coincidental conversation I had with a friend of mine responsible for helping organizations roll out enterprise risk management (ERM).
The Bloomberg article described US Federal Reserve Chairman Ben Bernanke’s error of omission regarding whether Read more …
18 June 2010- 01:25 PM
by Karen Coburn, President & CEO, Cutter Consortium
A few years ago, Cutter Fellow Bob Charette wrote about the travails of BP in this ERM&G E-Mail Advisor, and warned that, “if any more bad news erupts in the near future, BP’s current crisis of hubris will be perceived instead as being cynical, self-serving organizational hypocrisy. And once tarred with that brush, the time required for rehabilitation will be counted in decades, not months or years.”
Bob may have been optimistic, given what has happened and what has come out in the way of BP’s abject risk mismanagement of the whole affair.
“Tarred” indeed.
We think Bob’s piece is remarkably prophetic, and worth republishing.
Don’t Make Out Checks You Can’t Cash
31 August 2006 by Robert N. Charette, Fellow and Director, Enterprise Risk Management & Governance Practice, Cutter Consortium
There must be a certain amount of schadenfreude in Read more …