Deborah Galea, Co-Founder and COO of Red Earth Software

In recent years, companies began facing the question of deploying a cloud-based email platform. The cloud model has been hailed for its cost saving and flexibility benefits. On the flipside, keeping email on-premise allows for greater control and security. Companies that do decide to move their email to the cloud face another important question: Which hosted platform should we deploy?

A commonly chosen hosted email platform is Google Apps. Now, Microsoft has introduced a newcomer to the market, Office 365, to go head-to-head with Google Apps. Compared to its predecessor, Microsoft Business Productivity Suite (BPOS), Office 365 now includes online Office Web Apps, allowing for online real-time editing of documents and spreadsheets, similar to Google Apps. Office 365 has two product lines—one geared for small businesses and another for enterprises.

Microsoft is the traditional leader in the market, and companies continue to turn to the computing giant because of shared trust built over time. Office 365 has beefed up its storage space to 25 GB to match that of Google Apps. And with the amount of emails companies produce, many need all the storage space they can find. Microsoft also touts that users can continue to benefit from Office’s familiar interfaces.

However, Google is gaining traction. For Office 365, a major drawback according to a recent article in InformationWeek is the lack of online collaboration and its lack of creative and social media apps like those that Google offers. In addition, only users of smartphones based on Microsoft Windows Phone 7 are able to access Office documents in their native format. iPhone, Android and Blackberry users will have to make do with editing Office documents in a web browser.

If your business relies on online collaboration and has no need for advanced Excel and Word capabilities and integrations, and it relies heavily on the latest tablets and smartphones, Google Apps has a solid edge and a cost advantage over Office 365. If your business has hybrid deployment scenarios, unified IT management, offline operation, and needs integration with Word and Excel documents, Office 365 offers an attractive combination of capabilities that will keep most existing customers in the Microsoft camp. Do diligent research to find out which service would be best for your business and do not be afraid to ask for the best deal possible. www.policypatrol.com

A serious discussion about the value and sequencing of a college education is long overdue.

by Rick Bauer

As the class of 2010 graduates into the deepest economic downturn since the Great Depression, the prospects for employment are bleaker than in anytime I can remember. For high school graduates under 25 and not in college, the average unemployment rate is 22.8%, according to recent data.

The solution, we are told, is to send more of these high school graduates to college, where, having spent in many cases well over $100,000 for a degree, they face an unemployment rate of “only 9%.” Something tells me that the pundits are not paying the bill for Junior’s college education.

Leaving aside the question as to why the colleges and universities in our country can’t control their spending (as a parent of two boys who have graduated from top-flight universities in the past three years, I was continually mystified that while the number of official schools days grew shorter, the tuition rates continue to rise, even faster than medical care expenses), it’s time to talk about the collective wisdom in assuring our youth that prosperity is better assured by accumulating massive debt that will take decades to erase. I know, the overall prospects for college graduates are often hundreds of thousands of dollars—as much as a million dollars in some surveys—higher over a career than for their high-school graduate counterparts, but perhaps it’s time to rethink the when and the how of college education.

It’s a conversation that America needs to have, and we won’t see it started from our universities.

Don’t get me wrong; I’m all in favor of a good college education (most of my friends call me a permanent student; I’m still in school these days, working on another graduate-level degree), but I wonder if right out of high school is the best time, and the four-year slog is the best manner in which to receive this education.

When we read about the pervasive imprint of technology on our economy, and how over 400,000 IT positions in America are unfilled today, and with electronic health care, green technology, and automation in virtually every information-related task in our society growing with near-exponential rates, tell me again why a four-year degree right after high school makes sense?

I know, this is a tough discussion, and the answers are still not clear. There are far too many moving pieces in the equation for us to make broad pronouncements about what Junior should do for a job and a career. We need high schools to produce graduates who can think critically, communicate clearly, analyze thoughtfully, and work collaboratively on meaningful projects that reflect the real-life demands of today’s (and tomorrow’s) workplace. Instead of years of social studies or electives of dubious economic (or even educational) value, perhaps it’s time to re-think the vocational education tracks we discarded in many of our schools. In some countries, it’s not a matter of class warfare if a student’s aptitude tests reveal superior talent in information technology, or some other craft. It’s not a bad thing to be a person with a craft, a skill, a set of professional experiences that sets he or she apart from others. So for those who so choose, entry into an apprenticeship program after the junior year of high school (surely we can get them up to speed in their reading and math skills in three years). Instead of the half-year of wasted time after the college application game is played in the first semester of senior year, high school students who desire careers in technology can begin their fourth year in intensive, IT-centered training programs (along with core courses in writing, reading, and critical thinking) that equip them with skills that employers want on day one.

For progressive companies seeking longer-term employees (remember, we have this whole boomer population that will soon retire, and a predicted worker shortage) willing to stay with a company, there can be educational incentives that reward longevity and productivity with options for continued and/or higher education. Now Junior finds himself at age 28 with a college degree earned at a slower, more focused pace, a career where his prospects are validated, his salary at or higher than his college-graduated colleagues, and little of the educational debt that the present system appears all too eager for Junior’s parents to embrace.

It’s a departure from our expectations, and no doubt there will be some who argue that this is a class-driven agenda. Indeed, a recent letter to the NY Times, responding to a thoughtful op-ed piece suggesting that the 4-year college program might be delayed or even skipped (see “Plan B: Skip College, by Jacques Steinberg), lamented that it would “sanction class distinctions that have accelerated in the wake of the recession.”

I think not. Let’s get Junior (and his sister Sally) into the best situation possible. If it takes breaking a mold controlled by those whose vested interests (and income stream) does not synch with America’s families, America’s future, and America’s workforce needs, as they say, something’s gotta give—and it doesn’t have to always be the budget of our nation’s youth and their families.

Let’s keep talking about this, ok?

I’d like to hear some of your own suggestions about how to solve this difficult challenge. Our kids deserve our best thinking—after all, they will be driving the IT engine in the next generation.

Rick Bauer serves as Director of Product Management at CompTIA, the world leader in vendor-neutral certifications for IT professionals. You can reach him at [email protected]

The IT Summit brings together technology buyers and sellers in tightly focused events.  If you are a CIO and would like to participate is setting direction for The IT Summit events, please contact Wes Sherman.  Wes can be reached at [email protected]

Steven Porter, CIO

Touchstone Behavioral Health

There are only two types of connected organizations: those who are currently remediating a security breach, and those who are actively under attack. The “script-kiddies” have grown up, and skills honed penetrating networks 10 years ago are now being used to harvest confidential data streams for financial gain. Buffer-overflows, remote code execution, phishing, pharming, worms and Trojan Horses are just a few of the exploits used to gain unauthorized entry into our networks, looking for information that can be sold to the highest bidder. When you consider that all of these tools can be automated to run from thousands of previously-compromised consumer computers 24/7, it is no wonder that the truly determined will eventually find their way in.

As “Defenders of the Realm”, we counter these threats by locking down all but the most-essential services on our firewalls; installing intrusion prevention and detection devices; religiously patching our application, operating system, and anti-virus solutions – and fervently hoping that we’ve sufficiently hardened our perimeter that the marauders will move on to easier prey. Still, they come – wave after wave – probing our defenses, picking at the edges, trying to wriggle their way between the cracks of our overlapping layers of protection. As the attacks evolve, so do our responses. They intercept our wireless traffic, so we encrypt it. They add malicious code to websites we visit; we add malware inspection and behavior-based threat mitigation. As our users become mobile, we extended multi-layered protection out to the endpoint.

At the end of the day, we play to a draw and call ourselves HIPAA compliant.

Our “moat-and-castle” mentality has locked down data systems to a level of least-privilege, yet has ignored the human interface. As behavioral health providers, our caring, believing, skilled, and sometimes forgetful staff – the greatest single resource in our daily mission – also represents the single greatest threat to data security within our organizations. We install and maintain systems to minimize the inappropriate material that reaches their mailbox, encrypt confidential email, automate processes and procedures to update and secure software, and enforce policies that limit access to sensitive data. We teach users to question email claims that slip through our filters, not to open attachments they aren’t expecting, and that not every statement on the Internet is factual. We devise and deliver awareness programs focusing on the dangers of social engineering. We show videos, post flyers, beg, plead, badger and cajole – all to protect them from themselves – but we still haven’t addressed how to protect our data once it is out of our control.

For Information Technology, the devil is in the duality of our mission. We are tasked with providing both productivity tools and access to highly sensitive data in order to enhance the quality of care our clients receive. Laptops, wireless broadband Internet cards, and a secure, web-enabled EMR system add up to care-givers having access to charts regardless of their physical location. Tangible benefits include timely, accurate documentation, and a level of coordinated care previously unavailable in a geographically dispersed service environment. With each requisite form at their fingertips, administrative time is reduced, freeing staff to encounter more. From an IT perspective, what could possibly be more satisfying than knowing your technical solution allows each provider to see at least one additional client per week?

And therein resides the dilemma. Our other primary task is to protect the integrity of all electronic personally identifiable information, regardless of where it resides within our systems. How do we reconcile the simple fact that our intricately planned and exquisitely executed network defense offers no protection for data on a $3.00 thumb drive lost in the parking lot? Notes stored contrary to existing policy on a hard drive stolen from a parked car have more street value than the laptop itself. The same tools we so eagerly deploy, empowering our providers to work anywhere and anytime, are counterintuitive to the sanctity of our institutional grail. Office-bound workers with desktop computers are no more secure than their mobile counterparts. Records copied to portable media for use at other locations are just as vulnerable, and the machines themselves are prized targets during office burglaries. Our challenge is to walk the tightrope between usability and security, seeking a balance that will satisfy our regulatory obligations without creating an undue burden on our practitioners.

Closing the security loop requires that we protect data at rest, regardless of where it is stored. Encryption is an essential weapon in our arsenal – a last line of defense for data integrity, even in the most adverse conditions. Our business side needs to encourage and enable users to capture and store information under a wide variety of circumstances, even as our compliance side cringes at the thought of data in the wild. Users will exercise their creativity, particularly when it comes to transferring data between sites, so protection needs to extend beyond the physical disk to include any USB device as well as the CD/DVD drive. Eventually these devices will be misplaced or stolen. Once gone, we need assurance that the information they hold is still protected.

How We’re Doing It

Security is a journey, not a destination. Each business decision made, every process implemented, guides an organization down the specific path that best serves their individual requirements. For Touchstone Behavioral Health, the die was cast when we opted for a hosted Electronic Medical Records system.  The mobile solution we’ve adopted enhances our business model of providing service wherever our client is most comfortable, but carries its’ own inherent risks. We leveraged our EMR launch to quietly evolve the agency’s security culture toward an untethered workforce.

TBH is in the business of modifying behavior in others, but we don’t necessarily embrace change ourselves.  To the casual observer it may appear that we followed the path of most resistance – over a period of 30 days we deployed laptops to our care-givers, and mandated that all documentation and billing be performed in the new system. Underlying this wholesale transformation, however, is an iterative design for data integrity, enthusiastically supported by Management and coordinated across all departments. Without careful and thorough planning, the weeks following July 1st could have been an unmitigated disaster.

Pre-launch tasks revolved around getting back to basics – analyzing our current security stance and reaching consensus on where we needed to be. Human Resources, Quality Assurance and Information Technology reviewed and collaborated on updating policies regarding everything from acceptable use to passwords, keeping in mind that users would spend much of their time outside of our facilities. Impromptu groups were formed across the agency to find the proper balance between security and usability in the “real-world”. Priorities established, available tools and existing processes were reworked to provide both reporting and enforcement, keeping with current and anticipated standards. Finally, the remaining requirements provided the basis for working with a number of vendors to find the perfect fit for the missing pieces of our Phase 1 deployment.

Early conversations included consideration for the implications of misplaced, lost, or stolen hardware. In accordance with HIPAA guidelines we performed a risk assessment, and concluded that mitigation would be cost-prohibitive for immediate implementation, but agreed to revisit the issue quarterly while investigating possible solutions. The administrative overhead of touching approximately 200 machines, spread from Flagstaff to Tucson, eliminated the machine-level offerings of our hardware and OS vendors. Device recovery systems provide some satisfaction in knowing that the hardware will disclose its’ location and notify the authorities, but only once it has connected to the Internet… attractive, but there remains a level of vulnerability if the hard drive is slaved specifically to harvest data. We ultimately selected a partner who not only met our technical specifications (device-agnostic encryption with minimal machine overhead, no user intervention, and global administration capabilities), but also appreciates and supports our mission within the communities we serve.

None of this works without the underpinning of an ongoing and pervasive security awareness program. Our users didn’t grow up wanting to be computer users, and they don’t intuitively understand the security ramifications of surfing the web, responding to email, or even the risks associated with leaving a computer screen unattended. It is our duty to educate, ingrain, and reinforce our policies at every opportunity, yet in a manner that doesn’t seem overbearing (on our laptops, Ctrl + Alt + ↓ will rotate the display 180 degrees – not enough to harm anything, but a great reminder to lock your machine before walking away). The road goes on forever… Phase 3 will be followed by Phase 4. Security is not a technology, nor is it an IT project – it is the foundation of our continued success.

Considerations

Like every other technology, encryption comes in flavors – full disk and file. Each has pros and cons, and there are multiple vendors to choose from on either side of the aisle. Still, there are a few universal factors, regardless of the direction that works best for you. In my experience, the most important consideration revolves around the end-user. Ideally, the solution has no apparent impact on their daily operations. There are no additional passwords to remember, no special locations to save to, and most importantly, no performance degradation. Nothing will kill a technology quicker than unhappy users.

Unless you have time to spare, the system also requires a central administration console to provide granular control over the enterprise. You need the ability to manage and modify accessibility at the user level, and a means to recover data at the admin level.  “Phone home” capabilities provide an additional level of oversight, allowing you to modify policies regardless of whether the machine is attached to the local network.

Vendor selection is another key ingredient. You need a supplier who will take the time to understand your unique requirements, and work within your comfort zone. Make your selection carefully – you want a partner who will be there to support their product for years to come.

The third prong of the equation is fiscal responsibility. HIPAA says that we need to assess risk potential against the cost of mitigation, so I offer a couple of questions for your consideration. How likely are you to lose control of a device used to access or store sensitive data? How many clients are in your database, and how much will it cost to contact each of them? Finally, can your organization survive the adverse publicity, lack of consumer confidence, and potential litigation expenses? Ultimately, encryption is insurance against the inevitable.

Steven’s credentials include business major; boilermaker; TV producer; IT exec… He still hasn’t decided what he wants to be when he grows up, but odds are he’ll have a slightly different perspective on it. When playtime comes, look for him on the open road with the top down and the music up, or maybe pretending to play golf – cigar (and tongue) firmly in cheek.

Touchstone Behavioral Health, based in Glendale, Arizona, is a national leader in providing positive outcome, evidence-based behavioral health services to youth and their families through prevention and outpatient therapy. Founded in 1968, Touchstone has five offices throughout Arizona. The agency was recognized in 2008 as a Computerworld Honors Program Laureate for the project “Secure EMR for Remote Providers”.

The IT Summit brings together technology buyers and sellers in tightly focused events.  If you are a CIO and would like to participate is setting direction for The IT Summit events, please contact Wes Sherman.  Wes can be reached at [email protected]

Ty Howard, CIO

Biz-Nova

“Clouds of Change”

In the mist of one of the greatest economic crisis faced since the Great Depression, and the collapse of businesses and financial industries that once stood firmly rooted in the past and tradition, IT moved quietly and further into the shadows of the back office.  In attempt to save money and cut cost, companies were quick to reduce IT spending and eliminate project managers, business analyst, and anything that during more normal times would be considered “non-core.”

In the defense of IT Executives, when executives are forced to cut cost, they are stuck with little time and become caught up violently executing on measures that had they had time or the wherewithal, they would have done things much differently—consider the long-term needs in addition to the short-term and make the right blend of cuts.

However, hindsight is twenty-twenty, the clouds of change (and cloud computing) have set in where the landscape has become globally competitive. Education and skill development is increasingly becoming the new currency, and many organizations are lost and not sure where to go from here and what to invest in. Furthermore, institutional knowledge and IT staff reductions will have further implications downstream when companies attempt to rehire.

Questions that must be asked by IT Leaders: What has been lost in the process? And will I be able to buy that same talent back, should the IT market become competitive for talent as it did years prior to the real-estate boom. If you recall, after the Dot.com bust, many of the highly paid IT professionals went into real-estate and mortgages…is there an inverse relationship between IT and real-estate? If there is then perhaps there will be increased demand for IT over the next several months. All of these questions need to be answered regarding the business needs as technology leaders do their part to lead the way back to organizational recovery: Ergo the new IT Executive Reformatted with a business-minded operating system, that is capable of interpreting the language of the business and resolving complex problems with strategic solutions (not Technical).

“The Worlds is Flat”

As a CIO, and through talking with peers, the days of pursuing “Tech for Tech Sake” is indeed a thing of the past and that IT spending should have an ROI that can be quantifiable whether as a savings or as increased profitability that converts to dollars and sense. Let’s face it, budgets are smaller, and much like Thomas Friedman’s theory, “The World is Flat” everyone is a simple Google search away of being knowledgeable of what their options are and what technology could solve their problems. The true value is becoming the translator and integrator of these solutions.

Generally speaking, IT professionals have had the comfort and ability to talk over the heads of the business units in the room, over the past decade there has been a great shift. The business is no longer challenged with speaking IT, rather, IT is challenged with speaking “business”—a skill that is assumed, yet is extremely difficult if you have spent most of your professional years in the back-office or did not actively obtain the educational underpinnings required to understand business strategy, sales, procurement, contracts, portfolio management, businesses analysis and project management.

What are the skills that will be in demand?

Linda Leung wrote about the Global Knowledge/TechRepublic 2010 Salary Survey, conducted at that end of last year, one of the questions put to respondents was “What skill set will your company be looking to add in 2010?” In her write up, she discussed the heavy emphasis on business. Her top ten included Project Manager, Business Analysis, Business Process Improvement, and Security, all of which reflect the strong emphasis and the “Reformatting of IT Leadership”.

1. PROJECT MANAGEMENT: *Must understand the business

10. DESKTOP SUPPORT:

New Version of IT Leadership 2.0

Given the need for IT to move away from the days of “Tech for Tech Sake,” the new IT Executive will be not taking a techno-centric view of the world, rather they will be focused on the universal language of business. We are indeed in a global market, and business is universal. In order to be successful, the new IT leader must be willing to reformat their thinking and move more towards interfacing with the business units in a more user-friendly manner.

What this means to IT leaders, is that they (all levels) are actively involved in having whiteboard sessions in which the marker is past around from IT to the Business, and from the Business to IT?  After all, although prehistoric, drawing and sketching is arguably our most universal language.

Conversely, public speaking is ranked ahead of people’s fear of dying—and communications has been identified as the cornerstone of moving up the career ladder. With all of this considered, it is clear that IT leaders become facilitators, project managers and “friends of the business.” These are no longer “nice to have skills,” rather they are “must have skills!”

These skills can only be done through training of staff, reaching out to identify problems, calculated risk taking and an intense curiosity to study and examine the business with a scientific curiosity. Additionally, new IT leaders should have the ability to become one of the arts: that is fluent in blending all of colors (markers), tools, words, emotions, shapes, drawings (diagramming), creative thought, and merge them into one romantic-holistic view of the organization as a living-breathing-organism, that appreciates poetry in motion.

Ty Howard is the founder of Biz-Nova Consulting and has several years experience as a Senior IT Leader and CIO. Mr. Howard has been recognized by both CIO and Computer World magazine for his leadership. He is a Project Management Professional (PMP), a professional facilitator, trainer and can be reached at [email protected] or 877 494 8342.

The IT Summit brings together technology buyers and sellers in tightly focused events.  If you are a CIO and would like to participate is setting direction for The IT Summit events, please contact Wes Sherman.  Wes can be reached at [email protected]