2 December 2008- 03:27 PM
by Anne Mullaney, Vice President, Product Development and Marketing
Almost a month ago I told you about the cover story Bob Charette wrote for IEEE Spectrum on the problems in defense acquisition. Today, Robin Young of the NPR show Here & Now interviewed Bob about the article. You can listen to it here. The part with Bob begins about 5 minutes in, and lasts about 10 minutes.
4 November 2008- 10:39 AM
by Anne Mullaney, Vice President, Product Development and Marketing
Cutter’s Bob Charette has written the cover story, “What’s Wrong With Weapons Acquisitions?,” for this month’s IEEE Spectrum. The article highlights the problems in defense acquisition: spiraling costs, extremely lengthy project delays, politics trumping technology, a lack of skilled workers, and a dearth of institutional knowledge as a result of outsourcing. Sound familiar? The scope of the projects and of the failures Bob reports is immense, but the issues are surely ones you can identify with, regardless of which industry you’re in or where you’re based.
Bob interviewed dozens of industry and government defense-acquisition experts over the course of a year and a half to support this piece. When we talked about it, Bob remarked, “everybody I interviewed believes the acquisition process is in dire straits and desperately Read more …
27 March 2008- 10:58 AM
We were saddened to learn that a former member of Cutter Consortium’s Enterprise Risk Management & Governance advisory service, Art Gemmer, passed away in his sleep. Art helped pioneer project and program risk management at Rockwell Collins, where he worked for 27 years before leaving and starting his own consulting company. His obituary can be found in The Gazette Online. Services will be held Friday, 28 March.
11 February 2008- 11:59 AM
The financial community recently seems to have added a new twist to the advice given in Shakespeare’s Henry VI (Part 2) with regard to lawyers in the wake of the US $130-billion-plus write-offs that are increasing daily due to the subprime mortgage debacle.
The Canadian Imperial Bank of Commerce recently fired its chief risk manager after that bank faced write-downs of CDN $2 billion on top of the previous CDN $978 million quarterly write-offs related to its holdings in subprime mortgage debt in the US. The expectation by financial analysts is that the subprime losses for the bank will continue to grow throughout this year.
The risk management units at Citigroup (which had to take $23.2 billion in write-offs in the past six months) and Merrill Lynch (a firm only one-third the size of Citigroup but which also had to Read more …
6 February 2008- 11:10 AM
Beat ‘em up. Knock ‘em down. Slap ‘em around. Keep them on a short leash. Teach them a lesson. Make ‘em behave. Vendors, that is.
This phrase has recently seeped into common IT parlance. I’ve even heard vendors, typically large ones, say that the reason we should buy their wares is that they can then provide us with this pugilistic benefit. Fascinating. A value proposition predicated on giving customers the right to beat up the vendor! Where do I sign?
This idiom reflects elided thinking regarding risk. Managers seeking throats to choke, I believe, are simply displacing anger or carrying around naïve ideas about risk. Hopefully it is the latter since that is more easily remediated.
Risk has only two options (excluding unabated growth which I will ignore for now since it is too painful to think about for too Read more …
17 January 2008- 01:41 PM
In the last year or two, I’ve become very interested in cyberflexing. Because I’m a member of a National Academy of Sciences study (in progress) on the subject of “Ethical and Political Implications of Offensive Information Operations,” I must mention that what I’m saying here are personal opinions on many of the issues and not conclusions of the study group.
Some of the bigger unsolved issues in these areas include:
The botnet problem
Why can botnets be so easily assembled? Mainly because there are bazillions of unpatched Windows machines on always-on connections, and everyone with a clue disclaims responsibility for them. “Unpatched” means they have known, exploitable security vulnerabilities and can be abused by kiddies running scripts prepared by their more intelligent peers.
Many of those machines can never be patched because Microsoft has walked away from fixing flaws Read more …
7 January 2008- 08:22 AM

I just found out that Middlesex University Emeritus Professor Colin Tully, an influential British computer scientist and a long-time friend, passed away on the 26th of December.
Colin and I first met over twenty years ago when I used to live in the UK, and we had many a lively discussion on information systems and technology risks and their management over the intervening years. Our latest conversations, the last of which was just a few weeks ago, have been about the risks surrounding the NHS National Program for IT (NPfIT), which Colin was deeply concerned about.
Colin was also a long-time Senior Consultant with Cutter Consortium’s Agile Product & Project Management Practice and a contributor to the Agile Product & Project Management Read more …
26 July 2007- 12:12 PM
When I read Steve Andriole’s recent post (via Cindy Swain), What Are the Rules, I looked at the calendar…no, this was not April 1st.
What a thought-provoking post!
Yes, as some of the comments to Steve’s post indicate, there are definitely some controversial “rules” put forth. To put it mildly. Writing about them all would fill a book. I will just comment on a couple of the proposed rules.
“1. CIOs should come from the business, not the technology ranks: technology-rooted CIOs will never really understand the importance of business as the technology driver. When prospective CIOs start talking about network latency and virtualization, it’s time to get the hook out; go with the professional talking about up-selling and cross-selling every time.”
It can also be said that business leaders will never understand the depth and nuances involved with Read more …
27 June 2007- 06:26 PM
Speaking of disasters…
I had the great opportunity to provide analysis for this month’s newly published Cutter Benchmark Review, “Wake Up and Be Prepared: Preventing a Full-Blown Crisis.”
You would think that in this day and age that all organizations would have a documented emergency and disaster plan, wouldn’t you? Well, this survey demonstrates that this is not the case.
For years we’ve heard from industry lobbyists that there should be fewer laws forcing businesses to do certain information assurance activities and that businesses should be allowed to be self-governing with their information assurance responsibilities. However, my analysis of the survey results reveals that an alarming number of organizations do not have documented plans. Those that don’t are overwhelmingly within industries with no legal or regulatory requirements for such plans, or countries with no such legal requirements. So is self-governance truly Read more …
15 June 2007- 01:48 PM
“Data leak” is one of the hot catch-phrases today. And it is no wonder.
Every day, almost literally, there are news stories published about companies losing personally identifiable information (PII) and other types of sensitive information. The data can leak out of a company in about as many ways as you can store or transmit information.
* Through email messages
* Intercepting wireless transmissions
* Improper disposal of printed paper
* Improper disposal of electronic storage devices
* Improper disposal and/or reuse of computing devices
* Metadata within electronic documents
* Poor access control configurations
* Lack of awareness and knowledge by users
* Malicious insiders with trusted access
* And the list goes on and on
These data leaks not only can result in costly security incidents, they can expose PII to identity theft and fraud, and can put Read more …