Imagine a water purity inspector not knowing the source of the water being inspected. Certainly the analysis tools do not care, but knowing the source of contaminated water is important to assure the contamination is eliminated. But in the data world, the Access Security system only knows if the person has received an authorization in order to allow access. The Access Security system usually has no idea which criteria the authorizing manager used. While this at first appears to be out of Information Security’s jurisdiction, this lack of information makes it very difficult to eliminate an authorization when these criteria are no longer met. If the person still works for the company, and works in the same department, they usually keep the authorization forever and ever. This was often thought to be OK in days before the Internet.
If the laws and regulations regarding access to specific information were not becoming more restrictive we would not consider this a problem. However, we face a legislative response to businesses losing and exposing millions upon millions of private, sensitive, and financially confidential records year after year. Thus, the logical response from those in charge has been to demand that corporations comply with data protection regulations.
The list is large: Sarbanes-Oxley, HIPAA, GLB, SEC, California statutes, European Privacy Directive, PCI, FISMA, FTC, SB 1386, Patriot Act, and numerous other laws regarding data collection and retention. These legal requirements (and, in the case of PCI, contractual ones) all have three basic parts:
Write and follow a data protection plan.
Follow specific steps in the directive in order to protect specific data access.
Be able to audit this and prove that you protected the data according to your plan.
Corporations now have to know which systems and which user-views (entitlements) contain regulated information, and also the work status of the person who is entitled to have an authorization. The data and the user together now make up the formula for allowable access.
The Access Security system has to be aware of the sensitivity of the information systems and the status of the individual workers. Surprisingly, this is all documented.
Information system developers know all the data content because they need to define the technical metadata for all the data fields. Your Data Analysts know the actual business definition of the data so that it can be linked to the correct fields in screens and in transformational routines. All this was documented during the project and then put somewhere where nobody could find it. Obviously, nobody ever asked for it.
What is missing for regulatory compliance and intelligent Access Control is a review of the data definitions at that precise point during new application implementation to identify which information is sensitive to a regulation, what security classification to give it, and where it is placed in tables in the database and fields in the application. The people who know this are all in the same room together many times during the development process. If information governance and information security were to work with them at that point, the definition of sensitive data and where it is located could be determined and captured where it can be referenced in a Data Dictionary and in the Active Directory.
The next step is to look at the data protection plan (You have one, right?) and see the protection requirements for each data type. You will discover that most regulations have a lot of overlap, and only a few families of compliance actions will take care of 80% of your information.
For example, HIPAA data is a subset of the Personally Private Information family. So if the protection rule for PPI is to encrypt the tables in the database holding it, you have also fulfilled most of the HIPAA protection. When it comes to individual user authorizations, however, you need to examine the sensitivity content of each view produced by the application (available from the previous step) and then apply the “Allowed-to-Know” criteria to the Access Control process. When a worker in HR changes jobs to one that is not “allowed-to-know” according to HIPAA, the Access Control system can know it and end the authorization. (This requirement now works in combination with “Need-to-Know”.)
Since this control is automated, the Access Control system can produce a log of actions as the documented audit trail of your compliance to the regulation. Policy, action, enforcement, and audit are the criteria for compliance.
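The automated control described above, modelled as an added example (not code from the article or any product it mentions): each view carries the classification tags captured at implementation time, each authorization records the department it was granted for (need-to-know), each classification family lists the job roles allowed to see it (allowed-to-know), and a reconciliation pass revokes grants whose criteria no longer hold and writes the audit trail. The family tree, role lists, protection controls, names and date are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Classification families. A tag implies its parent family, so a rule written
# for PPI also covers HIPAA-tagged views (the article's "HIPAA is a subset of
# PPI" point). Constructed mapping for illustration.
PARENT = {"HIPAA": "PPI"}

# Data protection plan: one control per family. Constructed example values.
PROTECTION = {"PPI": "encrypt tables at rest", "HIPAA": "log every record access"}

# Allowed-to-know: job roles a family permits to view its data. Constructed.
ALLOWED_TO_KNOW = {
    "PPI": {"benefits_administrator", "payroll_clerk", "hr_manager"},
    "HIPAA": {"benefits_administrator", "occupational_nurse"},
}

@dataclass
class Entitlement:
    name: str
    tags: Set[str]      # classifications captured when the view was defined

@dataclass
class Worker:
    id: str
    department: str
    role: str
    status: str         # "active" or "terminated"

@dataclass
class Authorization:
    worker_id: str
    entitlement: str
    department: str     # department the manager authorized it for (need-to-know scope)

@dataclass
class AuditEvent:
    when: str
    action: str
    worker_id: str
    entitlement: str
    reason: str

def expand(tags: Set[str]) -> Set[str]:
    """Return the tags plus every parent family they imply."""
    out: Set[str] = set()
    for tag in tags:
        t: Optional[str] = tag
        while t is not None:
            out.add(t)
            t = PARENT.get(t)
    return out

def required_controls(ent: Entitlement) -> Set[str]:
    """Controls the protection plan demands for this view (deduplicated across families)."""
    return {PROTECTION[t] for t in expand(ent.tags) if t in PROTECTION}

def check(auth: Authorization, worker: Worker, ent: Entitlement) -> Optional[str]:
    """None if every criterion still holds, otherwise the reason the grant fails."""
    if worker.status != "active":
        return "worker no longer employed"
    if worker.department != auth.department:
        return f"need-to-know lost: moved from {auth.department} to {worker.department}"
    for tag in sorted(expand(ent.tags)):
        allowed = ALLOWED_TO_KNOW.get(tag)
        if allowed is not None and worker.role not in allowed:
            return f"allowed-to-know lost: role {worker.role} not permitted for {tag} data"
    return None

def reconcile(auths: List[Authorization], workers: Dict[str, Worker],
              ents: Dict[str, Entitlement], today: str) -> Tuple[List[Authorization], List[AuditEvent]]:
    """Re-evaluate every grant; keep the valid ones and log a revocation for the rest."""
    kept: List[Authorization] = []
    log: List[AuditEvent] = []
    for a in auths:
        reason = check(a, workers[a.worker_id], ents[a.entitlement])
        if reason is None:
            kept.append(a)
        else:
            log.append(AuditEvent(today, "revoke", a.worker_id, a.entitlement, reason))
    return kept, log

def run_example() -> Tuple[List[Authorization], List[AuditEvent]]:
    """Constructed sample data: one HR worker changed jobs, one left the company."""
    ents = {
        "payroll_view": Entitlement("payroll_view", {"PPI"}),
        "benefits_claims_view": Entitlement("benefits_claims_view", {"HIPAA"}),
        "inventory_report": Entitlement("inventory_report", set()),
    }
    workers = {
        "alice": Worker("alice", "HR", "benefits_administrator", "active"),
        "bob": Worker("bob", "HR", "recruiter", "active"),  # was benefits_administrator
        "carol": Worker("carol", "HR", "hr_manager", "terminated"),
        "dave": Worker("dave", "Operations", "planner", "active"),
    }
    auths = [
        Authorization("alice", "benefits_claims_view", "HR"),
        Authorization("alice", "payroll_view", "HR"),
        Authorization("bob", "benefits_claims_view", "HR"),
        Authorization("carol", "payroll_view", "HR"),
        Authorization("dave", "inventory_report", "Operations"),
    ]
    return reconcile(auths, workers, ents, "2011-06-01")  # constructed date

if __name__ == "__main__":
    for ev in run_example()[1]:
        print(ev.when, ev.action, ev.worker_id, ev.entitlement, ev.reason)
```

Bob keeps his job and department, so a system that only checks employment would leave his grant in place; the classification-aware check revokes it and records why.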
Numerous solutions can be implemented. The important point is that the people who know the definition of the data, the folks who know the regulation, and the people who know the location of the data at rest and in user display need to work together to define the access governance requirements to be enforced by Information Security’s Access Control system. I know this sounds crazy when it is easier to just buy some outrageously expensive equipment, but why not give consultation among professionals a try?
There is a story about a fellow who goes to a Doctor because of head pain. The General Practitioner sends him to see a specialist. The next day the fellow sees a specialist. The specialist tells him that he has a problem in his nose.
“Can you help me?” the fellow asks, and she says, “No, I only specialize in ears and throat. You need to go to a nose specialist.”
So the next day the fellow goes to a nose specialist. The nose specialist looks at him and says, “You clearly have confabulation of the left nostril.” The fellow asks what can be done to treat it and the Doctor replies, “I don’t know, I’m a right nostril specialist myself.”
Sometimes I feel the same way when I see a presentation by the Data Privacy specialist in a company, or the Sarbanes-Oxley specialist, or the PCI specialist. The list goes on. They all seem unaware of each other.
Now, don’t get me wrong: this knowledge and these people are valuable. What drives me buggy is each working in isolation as if their issue were the only one that needed governance. All these regulations require attention in a balanced manner.
Consider the following possible example:
Let’s say I was in a traffic accident and the Emergency Room Paramedic can’t get access to my drug allergies because of overprotective privacy access restrictions. If I’m unconscious, all I care about is that my allergies be available. Privacy is a low priority for me at that time.
Worse, what if my records have been altered by some disgruntled person: in that case, what I care about includes data integrity! So, who in your company is in charge of data integrity? Most probably your data security people and your data quality people manage data integrity. Are they both part of the Data Privacy team?
Regulatory compliance likewise includes the good folks governing Insider Information (SEC Regs.), and other folks making sure data processes have appropriate Separation of Duties (GAAP), the group managing the confidentiality of NDA business information, and others overseeing the GLB laws, and don’t forget the guys in the basement doing backup so the data can be available even after the server dies and is replaced. Often, all these people operate separately. They report to different budget areas, and are rewarded for separate achievements.
Privacy is not an island. SOX and PCI are not nearby islands. The Data Quality effort you no doubt also have possibly works in isolation from information security. Lack of data governance integration is one root cause why millions of personal and sensitive records are lost or stolen each year. (http://datalossdb.org/statistics)
In an integrated system, all the specialists are part of one practice, and they rapidly review a case while consulting together. Splintering data management into myriad isolated interest groups (often competing for budget) is a cause of corporate inconsistency as well as regulatory confusion. Separating these solutions slows down business response. We often don’t see it because of an incorrect belief that information can somehow take care of itself. Back when we could trust a carbon copy of a purchase order on a clipboard, things were different. Now, the failure of your web system to reflect an inventory update by only an hour can lose thousands of online sales.
When the Information Management and Protection Team contains all the various specialists, and they develop an integrated approach to control and protect information, we’ll see less data loss and better regulatory compliance, as well as greater data accuracy. This increases corporate agility, because having trust in accurate, clearly defined, timely and secure information is a requirement for fast corporate decisions (i.e., agility).
Deborah Galea, Co-Founder and COO of Red Earth Software
In recent years, companies began facing the question of deploying a cloud-based email platform. The cloud model has been hailed for its cost saving and flexibility benefits. On the flipside, keeping email on-premise allows for greater control and security. Companies that do decide to move their email to the cloud face another important question: Which hosted platform should we deploy?
A commonly chosen hosted email platform is Google Apps. Now, Microsoft has introduced a newcomer to the market, Office 365, to go head-to-head with Google Apps. Compared to its predecessor, Microsoft Business Productivity Suite (BPOS), Office 365 now includes online Office Web Apps, allowing for online real-time editing of documents and spreadsheets, similar to Google Apps. Office 365 has two product lines—one geared for small businesses and another for enterprises.
Microsoft is the traditional leader in the market, and companies continue to turn to the computing giant because of shared trust built over time. Office 365 has beefed up its storage space to 25 GB to match that of Google Apps. And with the amount of emails companies produce, many need all the storage space they can find. Microsoft also touts that users can continue to benefit from Office’s familiar interfaces.
However, Google is gaining traction. For Office 365, a major drawback according to a recent article in InformationWeek is the lack of online collaboration and its lack of creative and social media apps like those that Google offers. In addition, only users of smartphones based on Microsoft Windows Phone 7 are able to access Office documents in their native format. iPhone, Android and Blackberry users will have to make do with editing Office documents in a web browser.
If your business relies on online collaboration and has no need for advanced Excel and Word capabilities and integrations, and it relies heavily on the latest tablets and smartphones, Google Apps has a solid edge and a cost advantage over Office 365. If your business has hybrid deployment scenarios, unified IT management, offline operation, and needs integration with Word and Excel documents, Office 365 offers an attractive combination of capabilities that will keep most existing customers in the Microsoft camp. Do diligent research to find out which service would be best for your business and do not be afraid to ask for the best deal possible. www.policypatrol.com
To increase the awareness in the local market we cement ourselves into certain industries. This not only helps us with building our credibility, it also helps secure our reputation as the leader in the particular industry that we target.
We have a company philosophy that we want to “Create a Better Experience”. This is the same model we use when hiring new employees, working with our clients, and when breaking into new markets. We feel that when we are developing new strategies, services and programs either for our clients or simply new marketing campaigns that we want to put our best foot forward. We do this to make sure we are maximizing our success and maintaining the highest level of participation and standards that we can offer.
We used this approach when we decided that The IT Summit Conference in Denver, Colorado would be a good fit for us and so we agreed to move forward with sponsorship.
We feel that preparing and planning for the trade show is very important if you want to hold a successful event and maximize the return on your investment. The costs associated with the events, from the lowest level to the highest, are not cheap, and we thought that if we are going to involve ourselves and expose our company to our target market, then why would we simply put together a booth, a banner and some business cards? Our brand is important to us, just like at most successful companies, and if we are going to put our name on something we want it done correctly.
It is important to dedicate a sufficient amount of time to be able to conduct proper advertising and planning before the event takes place. You also have to pay proper attention to the trade show booth and the displays. You cannot just put together the booth at the last minute since you will not have an effective trade show booth display. Planning it all out will be helpful for succeeding in your trade show foray. Here are some things that we did to increase the probabilities that our return on our investment is met.
First, we obviously wanted to make sure that we are joining a trade show that is relevant to the products and services that we offer. Also another factor for us was to make sure that the event is properly advertised.
Second, make sure that you prepare for the displays well more than a week in advance. We started planning for this event 2 months prior to the start date. Doing this gave us ample time to advertise during the weeks before the trade show starts and to market to our clients and prospects. We created marketing collateral both electronically and in print. We targeted our C-level contacts in our current client base first, and then moved on to our prospects. We felt that our current clients deserved the opportunity to attend the event over folks who are currently not working with us. This approach helps to reinforce our relationships and reaffirms the decision that they made to start a relationship with Source Office Products.
We offer multiple lines of business to our clients; one of those lines is our Coffee Bar Service. I was thinking of ways to increase our exposure without going over budget. So I reached out to Wes Sherman and asked if we could provide all of the coffee for the event and, if we could, whether we could set up more signage and marketing materials. He agreed, and now we have easily doubled our presence and exposure while maintaining our budget.
Finally, since we invested in a speaking spot for the event, we wanted to make sure that our theater was packed full of prospects. We strategically took the time slot over lunch. We figured people may be more likely to sit down with a cheeseburger rather than a grumbling stomach. So to help drive attendance into the theater, we invested a bit more money into prizes for folks who spent their time listening to what we had to say. The entries are going to be collected while people enter the theater, and the iPad will be given away at the conclusion of the speech.
These are some of the things that you should do when preparing for your trade show participation. Preparing is always half the battle as they say. Never underestimate the value of good advertising and marketing. Think outside the box, and plan, plan, plan. Don’t just test the water. If you’re going to spend time and invest resources into events like this, go all the way. Remember, it’s your face out there, your company, your future success, go all in or don’t even bother. People forget things quickly. Differentiate yourself, plan, network, market and execute.
Why do you attend technology trade shows and conferences? For the education? Sure. To see new solutions? Of course. To develop business connections? EXACTLY! You need to prepare for each event to successfully develop business relationships. As Ty Howard, CIO of the Arizona Department of Water Resources says “Gone are the days of smash-and-grab sales. The CIO community wants to develop relationships with the vendor community. We want you to call us even when you don’t have anything to sell us. We want to stay in touch with you.” I constantly speak with CIOs who express the same sentiment. This applies particularly at high-level conferences and events. You’re going to spend the day in a room full of buyers who want to meet with you, and want to do business with you. Do you just show up and hope for the best, or do you prepare and plan to create deep relationships? STOP, plan for success, execute, follow up. Here are some strategies we’ve developed over the last 13 years to help you succeed:
Engage In Your Pre-Event Marketing Activities
Social media, e-mail campaigns, telephone campaigns, direct mail, in-person client invitations, press releases, etc., are critical for your success at IT events. You wouldn’t throw a party and hope your friends showed…you’d INVITE them. Same goes for professional business events. Invite your clients to attend…to visit your exhibit booth, to sit in on your presentation, to join you for lunch, to meet early and stay late. Invite your prospects to the party, too. How do you feel when you’re invited to a party? Honored? Special? Excited? Of course. Provide the same for your clients and prospects. They’ll appreciate the invitation and the event, and they’ll appreciate you for it. Use conferences and trade shows to entertain your clients and prospects. Create an experience for them at each event. Well thought-out, comprehensive pre-event marketing campaigns to your C-level clients and prospects, and to lists that you acquire prior to each event, can make the difference between moderate success and outstanding success…and they can be very low cost or FREE.
The IT Summit brings together technology buyers and sellers in tightly focused events. If you are a vendor of IT solutions, contact Wes Sherman to see if your company qualifies for participation in The IT Summit events. Wes can be reached at [email protected]
“What is in a name? That which we call a rose by any other name would smell as sweet.” – Shakespeare
I continue to be amused when I meet new people in the security industry who refer to themselves as Security Integrators. I don’t know why people feel the need to give themselves fancy sounding titles. For example, trash collectors are now called Waste Disposal Technicians or Sanitation Specialists. Maintenance personnel are commonly referred to as Building Engineers. Secretaries no longer exist for some reason, but have been replaced with Administrative Assistants. Mechanics are now automotive technicians, and salespeople everywhere are now consultants or account executives.
I noticed this trend 18 years ago when I first broke into the security industry. I thought I had just been hired as an alarm installer, but you can imagine my surprise when I got my first paycheck and it showed my title as Installation Technician. When I saw the title I asked one of my co-workers what their title was, to see if it was different since they had been with the company for about 6 months longer than me. To my surprise and amusement, within the installation department we had 8 technicians with 6 different titles, and in our service department we had 4 technicians, each with a different title. The amusing part to me was that there was actually very little, if any, difference in what the 12 of us actually did on a day-to-day basis. When I moved into sales it was no different. I thought I was going to be a salesman, but instead I became a “Security Sales Consultant”. Within 6 months I had done so well that I was “promoted” to Security Account Executive. My job did not change, and my pay only changed when I sold more, but I kept getting new, better-sounding titles. I guess some people felt awkward saying they were a salesperson, but I figured I just had not sold enough to qualify for such a prestigious title.
The security industry has taken buzzword bingo to a whole new level though. If it wasn’t bad enough that many security salespeople are still calling themselves “security consultants” (my apologies to Security and Risk Managers everywhere) when most don’t know what a real risk assessment is, today’s most prevalent misnomer in the security industry is the term Security Integrator. Not all electronic security equipment installation and service companies are equal. Some are good at residential alarm installations, while others specialize in commercial, industrial or institutional systems including electronic access control, intrusion detection systems, networked video solutions and voice communication systems. While no two electronic security installation and service companies are the same, and their capabilities widely vary, they all now seem to call themselves security integrators. This begs the question, what does integration mean?
Residential alarm installation and service companies might argue that they “integrate” the alarm system with the house. But does this mean that the alarm systems are integrated by form, or by function? Likewise, most commercial electronic security providers would say that they are integrators because they have the ability to integrate certain access control systems with certain video systems. One example that is often used is when a card is presented to a card reader, the access control system is able to display associated video from the video system. In this example though, the ability of the access control system to display the associated video is dependent upon what drivers the access control manufacturer has written in their application. The “Integrator” is simply selecting the function from a predefined list of supported video manufacturers. In this scenario, wouldn’t the manufacturer be considered the integrator and the installation firm the… well… installation firm? Don’t be fooled by the titles.
Opinions vary, but a common definition of integration is “to bring together or incorporate parts into a whole”. For real security, this means ALL parts of a security program, not just some of the electronic tools that are used to control and monitor various areas within a facility or campus. This requires a true integrator to have a thorough understanding of an organization’s security program. A real security integrator should be able to evaluate an organization’s emergency practices, personnel security, physical security and information security and then provide solutions that unite the various parts into a single collaborative program. This includes the ability to converge disparate systems, processes and procedures so that they work together to reduce risk, automate processes and improve efficiency, with the ultimate goal of protecting lives, protecting property and maintaining continuity of the organization. One common example is the integration of personnel identity management systems. Many organizations are replicating personnel data across multiple systems because these systems don’t intuitively communicate with each other. A new employee may have their first name and last name entered into an HR/Payroll database, then again into an IT directory for logical access on a network, and yet a third time for an electronic access control system. When these three disparate systems are truly integrated, it not only saves time and cost by eliminating two thirds of the entry required, but it can also provide added security for the organization by automating the removal of access to critical areas and systems upon employment termination.
There are many other examples of what integration can do for an organization. The differentiator between real integrators should not be their capabilities but rather the ability of the integrator to understand their customers’ systems and processes, and then use their imagination and innovation to make all the different parts work together to form a system that offers sustainable value for all stakeholders of the organization. Of course I could be wrong. After all, I’m just a security guy.
The IT Summit brings together technology buyers and sellers in tightly focused events. If you are a CIO and would like to participate in setting direction for The IT Summit events, please contact Wes Sherman. Wes can be reached at [email protected]
FRCP (the Federal Rules of Civil Procedure) is the set of rules that govern and determine how and what is required during civil litigation. It covers many aspects of litigation in great detail, including pleadings, motions, disclosures, etc. More importantly, the amendments made in 2006 cover the topic of ‘ediscovery’ specifically. Email archiving is intended to solve the ediscovery requirements for organizations so that they can be in compliance with this law.
Do I need to archive my email?
Unless you are your own employee and your own customer, you’ll probably need to archive your emails properly. If you do any correspondence through email, all those discussions and agreements made in the email will be deemed discoverable by the courts. That means that the opposing litigants can ask for these relevant emails, and you will have to produce them or you may be fined. Some of the fines can be pretty hefty, as you’ll see on the next page where we explain some of the prior cases.
Do I need to keep every email I get?
No you do not. You can delete your emails routinely as set by your retention policy. But if you find out that you might be involved in litigation, then you have to suspend your email deletion and make sure you keep everything until the trial is over. This is commonly referred to as placing a “litigation hold.”
What is a retention policy?
A retention policy is an email deletion policy that allows you to delete emails that have been sitting in storage past a certain time. Storing any kind of electronic data can be expensive, depending on the volume. While the storage is only 20% of the total cost, the other 80% of expenditure goes to the IT support costs. So, deleting old emails and .pst files is a common practice to keep expenditures at a minimum, so that IT doesn’t have to spend an outrageous amount of time managing the data. Your policy can range from anywhere between one day to indefinitely. The typical retention policy is between 3 to 7 years, depending on what your organization is comfortable with and such considerations as the statute of limitations in effect. The typical retention policy establishes a retention period for education at 3 years and for corporations at 5 years. Legal counsel can provide sound advice in helping to establish a suitable retention policy.
Courts look at a litigant’s email retention policy to determine if data is being shared in good faith. An organization that has a reasonable retention schedule and enforces litigation holds is looked upon as an entity acting in ‘good faith,’ and is looked upon favorably. Maintaining good faith is extremely important because of previous devious acts by Enron.
Email archiving: No Substitutions
Outlook archives my emails automatically
Outlook archives emails for each user by pulling the emails from the Exchange server and storing them on the individual user’s hard drive. The data is no longer centrally stored, and the IT admin has to look through each user’s personal computer to retrieve data. If your organization has more than 10 users, this can be very time consuming. Not to mention that it is non-compliant with federal rules. Emails can be inadvertently edited by the user once they have been removed from the server. If these .pst files are located on multiple users’ computers, the data cannot be searched from a single location, and this is in violation of a compliant retention policy.
I’ll backup .pst files on a hard drive
Saving .pst files on a hard drive stores the files, but is not compliant with federal rules. Anyone with access can edit the content. Regulations require that data is tamper-proof. In case of litigation, it would be difficult to verify that the content hasn’t been tampered with, which may prove costly.
Another challenge with backing up .pst files on a hard drive is that there is no search functionality. It will become expensive and time consuming to look through all the user emails and attachments to find relevant evidence for
The rules don’t apply to me
If your company is using email for communications, you should be archiving. Every organization should be prepared for litigation. If you are called into litigation, all emails pertinent to your case must be made available. Without a robust email archiving solution, it would be very costly to hire a consultant to index and find the required emails. Organizations are already familiar with archiving paper documents. Archiving emails is the same action, but for email communications.
I keep hard copies
Keeping hard copies is always a good idea. It provides a secondary or tertiary backup for important documents. Files will be at your disposal if your network crashes or is temporarily disabled. However, keeping hard copies alone is no longer sufficient. Litigants can request data in their preferred format, which quite often is electronic.
Reproducing electronic content from paper documents is time-consuming and costly. An archiving solution allows you to quickly and easily retrieve data to meet litigation requirements.
In the event of a fire, paper documents may be destroyed. However, electronic files stored using a robust archiving solution remain safe.
8 features to look for in an email archiving solution
It’s important to make sure an archiver has the necessary functions that will help you find the information you require. With DataCove email archiving, emails can be found by searching through content, attachments, by user and by date. You can find emails and any type of attached documents that were sent by searching through each person, date, project name or some other custom content. Your system administrator will be able to find these emails throughout the entire organization without having to go through the hassle of interviewing and contacting each person involved.
There is no telling when and who in the organization may need to find certain relevant emails for either litigation or other informational purposes. Consequently it’s very important for all end users to be able to access their emails from their mail clients as well. An archiving solution that allows access from multiple mail clients such as Outlook, IMail or GroupWise will allow users on different servers to access the corporate archive of pertinent emails when required. DataCove allows end-user access, but also lets the administrator determine the level of access that end users are granted within the archive. For example, the President will have access to everything while end-users only have access to their own emails.
Tamper-Proof / Compliant
The device must be able to store information in a permanent, non-editable format. This non-editable format makes stored files tamper-proof. When the court requests to verify the legitimacy of data, the non-editable WORM media provides irrefutable proof of your data compliance. Having a tamper-proof archiving solution facilitates SEC, NYSE, NASD, HIPAA, SOX and FRCP compliance. Compliant email archival appliances will capture metadata and provide you with an audit log (chain of evidence) that functions as a compliance report.
As your email archiving appliance stores your emails over time, your organization may grow and expand. You may need to add either more users or more capacity. DataCove offers expandable storage capacity. With the ability to add new WORM storage tapes, you’ll have unrestricted capacity to archive your data instead of a limited-capacity system.
In today’s economy, you can’t afford to get into costly litigations or spend too much money on new acquisitions. So, picking a cost effective product will not only ensure compliance but also help you keep your budget intact. DataCove is the most cost effective, expandable email archiving solution on the market.
A good archiver is compatible with multiple mail servers. An email archiver is a server that you keep running without much need for active human interaction. It’s also a long-term investment. Finding an archiving appliance that will handle a lot of servers is important so that it will accommodate any upgrades or changes you make to your mail servers. If you decide to change your mail server in the future, you only have to make minor settings alterations to the email archiving appliance to make sure it’s compatible with your new server.
Multiple Retention Policies
Being able to have multiple retention policies simultaneously serves numerous benefits, from retention by user segment to saving storage space. Since some groups of people in your organization have more important business-related emails, you can set a longer or shorter retention period for them. For instance, end-user emails which are not that important can be stored for 1 year, Middle Management’s emails can be stored for 3 years, and the President’s email can be stored for 7 years. On the DataCove, all of these retention periods are user customizable.
Simultaneous Archiving of Multiple Servers
If you are a medium to large sized organization, you might be operating multiple servers in different locations. Seamless archival of data from multiple sources to the main server becomes more of a need than a convenience. By utilizing a good email archiver, you can archive emails from multiple servers simultaneously, and users will be able to access the collective knowledge without having to dig into multiple servers separately. DataCove archives multiple servers simultaneously into one back-end appliance without needing extra hardware.
For more information on the DataCove email archiving solution, please contact Tangent at 1-888-TANGENT x-4
A serious discussion about the value and sequencing of a college education is long overdue.
by Rick Bauer
As the class of 2010 graduates into the deepest economic downturn since the Great Depression, the prospects for employment are bleaker than at any time I can remember. For high school graduates under 25 and not in college, the average unemployment rate is 22.8%, according to recent data.
The solution, we are told, is to send more of these high school graduates to college, where, having spent in many cases well over $100,000 for a degree, they face an unemployment rate of “only 9%.” Something tells me that the pundits are not paying the bill for Junior’s college education.
Leaving aside the question as to why the colleges and universities in our country can’t control their spending (as a parent of two boys who have graduated from top-flight universities in the past three years, I was continually mystified that while the number of official school days grew shorter, the tuition rates continued to rise, even faster than medical care expenses), it’s time to talk about the collective wisdom in assuring our youth that prosperity is better assured by accumulating massive debt that will take decades to erase. I know, the overall prospects for college graduates are often hundreds of thousands of dollars—as much as a million dollars in some surveys—higher over a career than for their high-school graduate counterparts, but perhaps it’s time to rethink the when and the how of college education.
It’s a conversation that America needs to have, and we won’t see it started from our universities.
Don’t get me wrong; I’m all in favor of a good college education (most of my friends call me a permanent student; I’m still in school these days, working on another graduate-level degree), but I wonder if right out of high school is the best time, and the four-year slog is the best manner in which to receive this education.
When we read about the pervasive imprint of technology on our economy, and how over 400,000 IT positions in America are unfilled today, and with electronic health care, green technology, and automation in virtually every information-related task in our society growing with near-exponential rates, tell me again why a four-year degree right after high school makes sense?
I know, this is a tough discussion, and the answers are still not clear. There are far too many moving pieces in the equation for us to make broad pronouncements about what Junior should do for a job and a career. We need high schools to produce graduates who can think critically, communicate clearly, analyze thoughtfully, and work collaboratively on meaningful projects that reflect the real-life demands of today’s (and tomorrow’s) workplace. Instead of years of social studies or electives of dubious economic (or even educational) value, perhaps it’s time to re-think the vocational education tracks we discarded in many of our schools. In some countries, it’s not a matter of class warfare if a student’s aptitude tests reveal superior talent in information technology, or some other craft. It’s not a bad thing to be a person with a craft, a skill, a set of professional experiences that sets him or her apart from others. So for those who so choose, entry into an apprenticeship program could follow the junior year of high school (surely we can get them up to speed in their reading and math skills in three years). Instead of the half-year of wasted time after the college application game is played in the first semester of senior year, high school students who desire careers in technology can begin their fourth year in intensive, IT-centered training programs (along with core courses in writing, reading, and critical thinking) that equip them with skills that employers want on day one.
For progressive companies seeking longer-term employees (remember, we have this whole boomer population that will soon retire, and a predicted worker shortage) willing to stay with a company, there can be educational incentives that reward longevity and productivity with options for continued and/or higher education. Now Junior finds himself at age 28 with a college degree earned at a slower, more focused pace, a career where his prospects are validated, his salary at or higher than his college-graduated colleagues, and little of the educational debt that the present system appears all too eager for Junior’s parents to embrace.
It’s a departure from our expectations, and no doubt there will be some who argue that this is a class-driven agenda. Indeed, a recent letter to the NY Times, responding to a thoughtful op-ed piece suggesting that the 4-year college program might be delayed or even skipped (see “Plan B: Skip College,” by Jacques Steinberg), lamented that it would “sanction class distinctions that have accelerated in the wake of the recession.”
I think not. Let’s get Junior (and his sister Sally) into the best situation possible. If it takes breaking a mold controlled by those whose vested interests (and income stream) do not sync with America’s families, America’s future, and America’s workforce needs, as they say, something’s gotta give—and it doesn’t have to always be the budget of our nation’s youth and their families.
Let’s keep talking about this, ok?
I’d like to hear some of your own suggestions about how to solve this difficult challenge. Our kids deserve our best thinking—after all, they will be driving the IT engine in the next generation.
Rick Bauer serves as Director of Product Management at CompTIA, the world leader in vendor-neutral certifications for IT professionals. You can reach him at [email protected]
The IT Summit brings together technology buyers and sellers in tightly focused events. If you are a CIO and would like to participate in setting direction for The IT Summit events, please contact Wes Sherman. Wes can be reached at [email protected]
Why are you in business? To deliver your products and services? To support your industry? To give back? To do good while doing well? Sure. There are plenty of reasons you’re in business. But the bottom line is your bottom line. You are in business to make a profit. Everything you have and do contributes to your profitability. Your IT group, R&D, your partners, your sales team, etc. are all in place to help drive profits. What is the most direct driver of revenue? Everyone knows that marketing is. Your marketing efforts are, or should be, your highest priority when it comes to pushing sales numbers. Where should those marketing efforts be focused? TV? Radio? Billboards? Your logo on the side of a bus? Those are certainly options, but they’re sure difficult to measure. Your marketing programs need to produce measurable, quantifiable results. If I spend X, I need X++ in return, and I need to be able to support that spend with hard sales numbers. Where can you absolutely track and measure your marketing investment, and make the most of your investment? Trade shows and events.
Trade shows and events are absolutely essential to your sales success. Internationally acclaimed sales and business leader Chet Holmes lists events as one of the Seven Musts of Marketing. Events put you one-on-one with buyers of your solutions. When you work events correctly, you will come away with numerous new and potential business relationships. The effective use of events will propel your sales to new heights. I’ve been in sales since before I even graduated from college, and running event production companies since 1997. The following series is a course of study that will produce skyrocketing sales numbers, and make you stand out as the leader in your industry. Over the next few months I’ll share with you proven techniques that companies use to make trade show marketing successful; and what they do to remain consistently successful in trade show marketing.
The IT Summit brings together technology buyers and sellers in tightly focused events. If you are a CIO and would like to join the Executive Board and help set direction for The IT Summit events, please contact Wes Sherman. Wes can be reached at [email protected]
There are only two types of connected organizations: those who are currently remediating a security breach, and those who are actively under attack. The “script-kiddies” have grown up, and skills honed penetrating networks 10 years ago are now being used to harvest confidential data streams for financial gain. Buffer-overflows, remote code execution, phishing, pharming, worms and Trojan Horses are just a few of the exploits used to gain unauthorized entry into our networks, looking for information that can be sold to the highest bidder. When you consider that all of these tools can be automated to run from thousands of previously-compromised consumer computers 24/7, it is no wonder that the truly determined will eventually find their way in.
As “Defenders of the Realm”, we counter these threats by locking down all but the most-essential services on our firewalls; installing intrusion prevention and detection devices; religiously patching our application, operating system, and anti-virus solutions – and fervently hoping that we’ve sufficiently hardened our perimeter that the marauders will move on to easier prey. Still, they come – wave after wave – probing our defenses, picking at the edges, trying to wriggle their way between the cracks of our overlapping layers of protection. As the attacks evolve, so do our responses. They intercept our wireless traffic, so we encrypt it. They add malicious code to websites we visit; we add malware inspection and behavior-based threat mitigation. As our users become mobile, we extend multi-layered protection out to the endpoint.
At the end of the day, we play to a draw and call ourselves HIPAA compliant.
Our “moat-and-castle” mentality has locked down data systems to a level of least-privilege, yet has ignored the human interface. As behavioral health providers, our caring, believing, skilled, and sometimes forgetful staff – the greatest single resource in our daily mission – also represents the single greatest threat to data security within our organizations. We install and maintain systems to minimize the inappropriate material that reaches their mailbox, encrypt confidential email, automate processes and procedures to update and secure software, and enforce policies that limit access to sensitive data. We teach users to question email claims that slip through our filters, not to open attachments they aren’t expecting, and that not every statement on the Internet is factual. We devise and deliver awareness programs focusing on the dangers of social engineering. We show videos, post flyers, beg, plead, badger and cajole – all to protect them from themselves – but we still haven’t addressed how to protect our data once it is out of our control.
For Information Technology, the devil is in the duality of our mission. We are tasked with providing both productivity tools and access to highly sensitive data in order to enhance the quality of care our clients receive. Laptops, wireless broadband Internet cards, and a secure, web-enabled EMR system add up to care-givers having access to charts regardless of their physical location. Tangible benefits include timely, accurate documentation, and a level of coordinated care previously unavailable in a geographically dispersed service environment. With each requisite form at their fingertips, administrative time is reduced, freeing staff to encounter more. From an IT perspective, what could possibly be more satisfying than knowing your technical solution allows each provider to see at least one additional client per week?
And therein resides the dilemma. Our other primary task is to protect the integrity of all electronic personally identifiable information, regardless of where it resides within our systems. How do we reconcile the simple fact that our intricately planned and exquisitely executed network defense offers no protection for data on a $3.00 thumb drive lost in the parking lot? Notes stored contrary to existing policy on a hard drive stolen from a parked car have more street value than the laptop itself. The same tools we so eagerly deploy, empowering our providers to work anywhere and anytime, run counter to the sanctity of our institutional grail. Office-bound workers with desktop computers are no more secure than their mobile counterparts. Records copied to portable media for use at other locations are just as vulnerable, and the machines themselves are prized targets during office burglaries. Our challenge is to walk the tightrope between usability and security, seeking a balance that will satisfy our regulatory obligations without creating an undue burden on our practitioners.
Closing the security loop requires that we protect data at rest, regardless of where it is stored. Encryption is an essential weapon in our arsenal – a last line of defense for data integrity, even in the most adverse conditions. Our business side needs to encourage and enable users to capture and store information under a wide variety of circumstances, even as our compliance side cringes at the thought of data in the wild. Users will exercise their creativity, particularly when it comes to transferring data between sites, so protection needs to extend beyond the physical disk to include any USB device as well as the CD/DVD drive. Eventually these devices will be misplaced or stolen. Once gone, we need assurance that the information they hold is still protected.
How We’re Doing It
Security is a journey, not a destination. Each business decision made, every process implemented, guides an organization down the specific path that best serves its individual requirements. For Touchstone Behavioral Health, the die was cast when we opted for a hosted Electronic Medical Records system. The mobile solution we’ve adopted enhances our business model of providing service wherever our client is most comfortable, but carries its own inherent risks. We leveraged our EMR launch to quietly evolve the agency’s security culture toward an untethered workforce.
TBH is in the business of modifying behavior in others, but we don’t necessarily embrace change ourselves. To the casual observer it may appear that we followed the path of most resistance – over a period of 30 days we deployed laptops to our care-givers, and mandated that all documentation and billing be performed in the new system. Underlying this wholesale transformation, however, is an iterative design for data integrity, enthusiastically supported by Management and coordinated across all departments. Without careful and thorough planning, the weeks following July 1st could have been an unmitigated disaster.
Pre-launch tasks revolved around getting back to basics – analyzing our current security stance and reaching consensus on where we needed to be. Human Resources, Quality Assurance and Information Technology reviewed and collaborated on updating policies regarding everything from acceptable use to passwords, keeping in mind that users would spend much of their time outside of our facilities. Impromptu groups were formed across the agency to find the proper balance between security and usability in the “real-world”. Priorities established, available tools and existing processes were reworked to provide both reporting and enforcement, keeping with current and anticipated standards. Finally, the remaining requirements provided the basis for working with a number of vendors to find the perfect fit for the missing pieces of our Phase 1 deployment.
Early conversations included consideration for the implications of misplaced, lost, or stolen hardware. In accordance with HIPAA guidelines we performed a risk assessment, and concluded that mitigation would be cost-prohibitive for immediate implementation, but agreed to revisit the issue quarterly while investigating possible solutions. The administrative overhead of touching approximately 200 machines, spread from Flagstaff to Tucson, eliminated the machine-level offerings of our hardware and OS vendors. Device recovery systems provide some satisfaction in knowing that the hardware will disclose its location and notify the authorities, but only once it has connected to the Internet. That is attractive, but a vulnerability remains if the hard drive is removed and slaved to another machine specifically to harvest data. We ultimately selected a partner who not only met our technical specifications (device-agnostic encryption with minimal machine overhead, no user intervention, and global administration capabilities), but also appreciates and supports our mission within the communities we serve.
None of this works without the underpinning of an ongoing and pervasive security awareness program. Our users didn’t grow up wanting to be computer users, and they don’t intuitively understand the security ramifications of surfing the web, responding to email, or even the risks associated with leaving a computer screen unattended. It is our duty to educate, ingrain, and reinforce our policies at every opportunity, yet in a manner that doesn’t seem overbearing (on our laptops, Ctrl + Alt + ↓ will rotate the display 180 degrees – not enough to harm anything, but a great reminder to lock your machine before walking away). The road goes on forever… Phase 3 will be followed by Phase 4. Security is not a technology, nor is it an IT project – it is the foundation of our continued success.
Like every other technology, encryption comes in flavors – full disk and file. Each has pros and cons, and there are multiple vendors to choose from on either side of the aisle. Still, there are a few universal factors, regardless of the direction that works best for you. In my experience, the most important consideration revolves around the end-user. Ideally, the solution has no apparent impact on their daily operations. There are no additional passwords to remember, no special locations to save to, and most importantly, no performance degradation. Nothing will kill a technology quicker than unhappy users.
Unless you have time to spare, the system also requires a central administration console to provide granular control over the enterprise. You need the ability to manage and modify accessibility at the user level, and a means to recover data at the admin level. “Phone home” capabilities provide an additional level of oversight, allowing you to modify policies regardless of whether the machine is attached to the local network.
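The admin-level data recovery this paragraph asks for usually rests on one design: each file is encrypted under a random data key, and that data key is stored wrapped under both the user's key and an organization recovery key, so an administrator can open the file without ever holding the user's secret. The Go program below is an added illustration of that pattern, not Touchstone's code or their vendor's product; the container layout, the AES-GCM choice and all function names are assumptions of the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// EncryptedRecord is one protected file: content encrypted under a random
// data-encryption key (DEK); the DEK is sealed once per key holder (user KEK and
// organization recovery KEK) so an admin can recover it without the user's secret.
type EncryptedRecord struct {
	Ciphertext []byte   // nonce || AES-GCM(DEK, content)
	Wraps      [][]byte // nonce || AES-GCM(KEK_i, DEK), one per key holder
}

// gcmFor builds an AES-256-GCM AEAD; keys must be 32 bytes (a programming error otherwise).
func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm
}

// seal encrypts plaintext under key with a fresh random nonce prepended.
func seal(key, plaintext []byte) []byte {
	gcm := gcmFor(key)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce) // crypto/rand.Read never returns an error in current Go
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

// open reverses seal; a wrong key or a tampered blob fails authentication.
func open(key, sealed []byte) ([]byte, error) {
	gcm := gcmFor(key)
	if ns := gcm.NonceSize(); len(sealed) >= ns {
		return gcm.Open(nil, sealed[:ns], sealed[ns:], nil)
	}
	return nil, errors.New("sealed blob too short")
}

// Encrypt protects content with a fresh DEK and wraps that DEK for every KEK given.
func Encrypt(content []byte, keks ...[]byte) *EncryptedRecord {
	dek := make([]byte, 32)
	rand.Read(dek)
	rec := &EncryptedRecord{Ciphertext: seal(dek, content)}
	for _, kek := range keks {
		rec.Wraps = append(rec.Wraps, seal(kek, dek))
	}
	return rec
}

// Decrypt tries the caller's KEK against every stored wrap: the user's key and
// the organization's recovery key both open the file; any other key fails.
func Decrypt(rec *EncryptedRecord, kek []byte) ([]byte, error) {
	for _, w := range rec.Wraps {
		if dek, err := open(kek, w); err == nil {
			return open(dek, rec.Ciphertext)
		}
	}
	return nil, fmt.Errorf("none of %d stored wraps opens with this key", len(rec.Wraps))
}

func main() {
	userKEK, recoveryKEK := make([]byte, 32), make([]byte, 32)
	rand.Read(userKEK)
	rand.Read(recoveryKEK) // in practice the recovery KEK lives in escrow or an HSM
	rec := Encrypt([]byte("constructed sample chart note"), userKEK, recoveryKEK)
	got, err := Decrypt(rec, recoveryKEK) // admin-side recovery, no user secret needed
	fmt.Println(string(got), err)
}
```

The same structure is what lets a "phone home" console revoke a user without re-encrypting data: only that user's wrap needs to be dropped or replaced.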
Vendor selection is another key ingredient. You need a supplier who will take the time to understand your unique requirements, and work within your comfort zone. Make your selection carefully – you want a partner who will be there to support their product for years to come.
The third prong of the equation is fiscal responsibility. HIPAA says that we need to assess risk potential against the cost of mitigation, so I offer a couple of questions for your consideration. How likely are you to lose control of a device used to access or store sensitive data? How many clients are in your database, and how much will it cost to contact each of them? Finally, can your organization survive the adverse publicity, lack of consumer confidence, and potential litigation expenses? Ultimately, encryption is insurance against the inevitable.
Steven’s credentials include business major; boilermaker; TV producer; IT exec… He still hasn’t decided what he wants to be when he grows up, but odds are he’ll have a slightly different perspective on it. When playtime comes, look for him on the open road with the top down and the music up, or maybe pretending to play golf – cigar (and tongue) firmly in cheek.
Touchstone Behavioral Health, based in Glendale, Arizona, is a national leader in providing positive outcome, evidence-based behavioral health services to youth and their families through prevention and outpatient therapy. Founded in 1968, Touchstone has five offices throughout Arizona. The agency was recognized in 2008 as a Computerworld Honors Program Laureate for the project “Secure EMR for Remote Providers”.