IT Leadership | Sten Vesterli's Blog

Which Snow do you Shovel?

February 16, 2021February 23, 2021IT LeadershipLeadership, Task management

Which snow should you shovel? We’ve just had a couple of inches of snow here in Denmark, which means that I will have to get out the snow shovel and clear the sidewalk. But I live on a small private road where the snowplough doesn’t go. Should I shovel the snow from the road as well? Should I clear the patio? There is always more snow I could shovel.

In any IT organization, there is an infinite amount of possible work. It is constantly snowing new tasks – security patches, new cloud services, new integrations, enhancement requests, bug reports. You can easily run out of space for more post-its on your Kanban board, but you will never run out of tasks. As Elton John sang in The Lion King: “There’s more to do than can ever be done.” As an IT leader, it is your job to decide what gets done. Do you have a policy for what gets done first? If you don’t, write one and distribute it to your team. That makes it easier for them to find and do the most important jobs first.

Hackers Almost Poisoned our Water Supply

February 15, 2021February 23, 2021IT LeadershipSecurity

What would be a truly scary computer intrusion? It would have to be something potentially lethal and something we weren’t expecting. Like hackers poisoning our water supply. But the water supply is highly secured, you say? Couldn’t happen, you say? Think again. It just did.

In a US city, hackers turned up the amount of sodium hydroxide that is added to the water. Adding a little is part of normal procedures, but the hackers turned it up to dangerous levels. Fortunately, operators immediately noticed, and countermanded the order.

Like in almost all disasters and near-disasters, there is a long chain of events that have to go wrong for the problem to occur. For example, you would have to be running an unsupported old Windows 7 installation. Check. You would need to keep remote access software running all the time. Check. You would need to have a widely shared common password. Check. You would need to have no firewall software in place. Check.

If you are a CIO, share the story of this almost-disaster. Security reviews are good, and would have caught most or all of these problems. But security awareness among users is better. Reminding people of the IT policy doesn’t work. But sharing a story of how it almost went wrong might change behavior.

Another Avoidable Disaster

February 11, 2021February 14, 2021IT LeadershipLeadership, Security

Today’s totally avoidable IT disaster is found in the Slack app for Android. It turns out the app stored the user password in unencrypted plain text. That means that every other app on your phone had access to it, and it might now lurk in various log files on your device. Slack is red-facedly asking users to update their app and change their password.

This is an example of what happens when developers operate under tight deadlines and without adult supervision. Any competent IT development organization has code review procedures. If you are a large, high-profile organization that release apps to millions of user, any new release should have a separate security review performed by a security professional. But Slack insisted on letting their team operate without any guardrails. That means it was a matter of time before they ran off the track.

If you are a CIO, take a look at your systems list. For every non-trivial or externally facing system, there should be a link to the latest security review with a date and a name of a real person – outside the development team – who performed the security audit.

Avoidable Disasters

February 10, 2021February 14, 2021IT LeadershipLeadership, Shortcuts

Humans keep causing avoidable disasters. I’m a pilot qualified to fly under Visual Flight Rules (VFR), and I am acutely aware that the number one cause of deadly crashes for pilots like me is to fly into clouds or fog. It turns out that it takes only 45 seconds for an untrained pilot to become completely disoriented in clouds. Professionals train long hours to learn to override their intuitive feeling of what is up and down and trust their instruments.

Nevertheless, a professional helicopter pilot who had only VFR training flew his helicopter into the ground after getting disoriented in a cloud, killing himself, basketball icon Kobe Bryant, and seven others.

In IT, we also know how to do things. As an industry, we have decades of experience building solid, user-friendly systems and running IT projects. But we mysteriously insist on doing it wrong, causing one IT disaster after another. We think we can take a shortcut in order to meet our deadline, just like the helicopter pilot taking the shortcut through a cloud. As the CIO, you need to make sure you have a process in place to prevent people working on critical systems from taking shortcuts.

Convenience vs Security

February 9, 2021February 14, 2021IT LeadershipAzure, Cloud, Leadership, Microsoft, Security

The convenience of Microsoft Azure come with some serious problems. It seemed like a good idea at the time to store your cloud service credentials in your on-premise identity management solution. With Microsoft Active Directory and Microsoft Azure, you got exactly that convenience.

The only problem is that when hackers get into your on-premise system, they own your cloud instances too. The US Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert about SolarWinds hackers using privilege escalation to gain access to the Microsoft Active Directory Federated Services (ADFS) and then producing OAuth tokens to move laterally to your cloud instances.

The SolarWinds hack shows that having intruders in your system is the new normal. You need to compartmentalize access, and storing all your access rights in one central place is a very dangerous convenience.

Looking into the Future

February 8, 2021February 14, 2021IT LeadershipFuture, Leadership, Wisdom

After 9/11, the US vowed never to be caught by surprise again. They created the Department of Homeland Security (DHS) to coordinate the intelligence gathering of a quarter of a million employees. On January 5th, the DHS intelligence summary said “Nothing significant to report.” On January 6th, a mob overwhelmed unprepared police at the Capitol and went rampaging through the building.

Companies are also regularly blindsided by events that in hindsight were obvious. You are gathering a lot of information, but it can be very hard to sift out actionable knowledge. Throwing a huge pile of data to a team of data scientists asking them to find the hidden patterns have rarely been successful.

For you as CIO to be able to peer into the future, you need to disengage from the daily running of the organization. It takes several days away from screens, news, email, and social media before the intuition you have can manifest itself, and generate new insights. Can you step away from your organization for several days? If not, your organization and procedures need some work.

https://www.wsj.com/articles/capitol-riot-warnings-werent-acted-on-as-system-failed-11612787596

Future IT Leaders

February 4, 2021February 14, 2021IT LeadershipAmazon, AWS, Cloud, Leadership

The future IT leaders are coming from the cloud business. Jeff Bezos just announced he is stepping down as CEO, and the new CEO is Andy Jassy, who was running their cloud business. That business is a small part of Amazon’s turnover, but more than half their profits. At Microsoft, Satya Nadella was running Azure before he became CEO of Microsoft.

The next CIO in your organization is also going to be someone with experience running successful cloud-based solutions. And if you are an IT leader and looking to move up to larger things, you will need some cloud successes under your belt, too.

Just be aware that your career doesn’t just need cloud, it needs cloud solutions that provide significant business benefits without loss of flexibility. It is easy to rack up large cloud bills without anything to show for it, or to get locked into an inflexible cloud solutions. It is not easy to create successful cloud solutions. That’s why those who can will get ahead.

Don’t Whine, Fix the Problem

February 3, 2021February 14, 2021IT LeadershipCustomer Service, Leadership

In a rare communication misstep, Tesla is on the wrong side of public opinion for once. The National Highway Traffic Safety Administration requested a recall of 158,000 cars because Tesla is using cheap memory chips that fail after a few years. That leaves one of the screens in the car blank, making the user unable to activate features like defrosting the windshield. Tesla has now grudgingly issued the recall, but whines that “It is economically … infeasible to expect that such components can or should be designed to last the vehicle’s entire useful life.”

If you have cut corners and delivered a defective product or service, and you are called out on it, the right way to communicate is not to whine that it’s too expensive to do it right. Steve Jobs was exceptionally charismatic and could get away with telling iPhone users “you’re holding it wrong.” Everybody else should just apologise and fix the problem.

Do you Really Need Blockchain?

February 2, 2021February 14, 2021IT LeadershipBlockchain, Cost/Benefit, Leader

It is reported that the IBM blockchain team has been gutted, even though IBM vehemently denies it. Enterprise blockchain seems to be in retreat across a wide range of industries.

Organizations with high value maturity have solid processes in place to calculate the business benefit of new technologies, and only a few of those invested in blockchain. But organizations with a lot of legacy technology who felt the need to jazz up their tech portfolio enthusiastically embraced blockchain and started vaguely defined projects

If you are a CIO, take a look at your project portfolio. If you have blockchain projects on the list, have an experienced analyst from outside the project team take a good look at the business case. If she reports back that it is based on overly optimistic assumptions, it should be re-evaluated. If that means the costs outweigh the benefits, the project should be cancelled.

Focus on the Mission

February 1, 2021February 14, 2021IT LeadershipLeadership, Motivation, Talent

Do you have a hard time finding the IT talent you are looking for? Spare a thought for the recruitment officers at the CIA. With an image that today is more waterboarding than James Bond, their approval rating among millennials is at an all-time low. Even though they have started running video ads, are on Instagram and post jobs on Linked, they have a hard time recruiting the talent they need.

As the CIO, you can’t do much for the general image of your organization in the public eye, but you can make sure you are communicating in a language and on a platform where your prospective employees are. It is hard and expensive to buy the best talent with compensation alone, so you need to explain how working for you will allow IT professionals to make a difference.

That’s why your job ads should have one thing in common with the CIA: Focus on the mission.