According to Cenzic ‘s Application Vulnerability Trends Report: 2014, “While the majority of corporations have the important security building blocks, such as firewalls and intrusion protection systems needed for their security infrastructure, not enough organizations have comprehensive tools and practices in place for securing applications.” Faced with a worldwide shortage of Cyber Security professionals (Cyber Security has only recently become a discipline one may major in!), and companies unable to afford the overhead necessary for the requisite training, this situation is not surprising. Bad news for you. Good news for hackers.

Still think you can go it alone? Do you really understand the sheer magnitude of possible vulnerabilities? Here’s a sobering thought: Everything on the network is hackable. Everything—from your corporate computers to a 3rd party vendor to your employees’ Smartphones. Add to this the risky behaviors employees can engage in—sharing passwords, inappropriate web browsing, copying sensitive data onto mobile devices—and you’ve got exposure. Lots of it.

An objective Cyber Security assessment can assist with evaluation and establishment of controls to:

• Implement an information risk management program
• Ensure network security is adequate, including boundary and internal
• Guide user education and awareness
• Verify malware protection and prevention
• Deal with secure configuration and patch management for devices (network, servers, PCs)
• Manage user access and privileges
• Handle incident management
• Assist with home and mobile working

If you feel you aren’t ready to tackle all the items above, you should at least undertake a basic evaluation to consider only the most foundational building blocks for cyber security.

In a survey of its 3,400 global members, Information Systems Audit and Control Association (ISACA) found that although 83% of the respondents recognized Cyber Attacks as among their “top three threats,” only 38% felt prepared to endure one. Make sure you are part of that 38%. If you do nothing else, purchase cyber insurance. If you are ready to take additional steps, we can help.

P.S. On our C4C blog we recently wrote about the fallacy of thinking you are too small to garner a hacker’s attention. I can’t stress the following enough: While big companies more often make the news by getting breached for millions of records, they also have the financial resources to dig out of that hole. Small companies aren’t as lucky. A data breach at a small company can mean closing the doors, for good. Don’t let that happen.

Why is Cyber/Computer Security so far down on your to-do list? If your reasons are any of the following, you might want to reconsider your priorities.

• Because you live under a mushroom or live off the grid.
• Because your environment is in such disarray that if someone did breach it, the chances of him or her finding anything of value would be remote.
• Because you believe that you are only a little fish in a big pond and hackers have much bigger companies to go after.
• Because no one has requested it and you have more than enough other problems to handle right now.
• Because you don’t know where to start.

Let’s address each of these points in turn.

They can’t find you.  On a recent episode of 60 Minutes, Dave DeWalt, CEO of cyber security company FireEye, asserted that 97% of all companies are being breached. Ninety-Seven percent. So, unless you truly live off the grid, you have likely had a breach already. The real question is how bad is the damage?

They can’t find your valuables.  These criminals are very sophisticated and have the knowledge, tools and patience to find your sensitive data and exploit it.  Hacking has evolved from the lone geek making mischief to an actual profession and, as Lance Cottrell, Chief Scientist at Ntrepid and expert on security and privacy writes, “In most breaches, it turns out the hacker has been inside the network for months.”

Your valuables aren’t worth it.  Wrong again. They aren’t always interested in your data; often they are interested in your financial partner, investor, supplier and customer. Anything sensitive they can sell or make profit from.

You have other priorities.  You will always have other priorities. But believe me, if the hackers come—and they will—you will have to deal with the fallout and that will become your new priority.  With several methodologies at hackers’ disposal such as viruses, malware, botnets and ransomware, cleaning up the damage will be more involved than you think.

You don’t know where to start. Improving your security begins with having a prioritized list of actions based on risks to your company.  A risk assessment will accomplish that and, at the same time, help you raise awareness and understanding with your executives of possible threats and the cost of inaction. It will also demonstrate confidence that you and your team are pro-actively dealing with the today’s cyber security reality: it’s not a question of if, but when.

What is your reason for not having an information security and risk assessment performed ASAP?

If the real reason is you don’t know how, that is where we can help.

The truth is change is coming to a theater near you and soon, but how it comes is entirely up to you. That is the measure of control you do possess. Change can come incrementally or manifest itself as the Big Bang!, and the latter will be much more disruptive than the former, we promise you.

Very often in our line of work we’ll hear someone in IT / IS or Corporate services say, Thank goodness that project is finally finished, as if one particularly pesky piece of business is behind them and it’s smooth sailing ahead. Well, no. If you don’t want to go through the Big Bang! experience (otherwise known as when the wheels fall off), this is not the mindset you should cultivate. Each and every day we at TAG spend considerable energy helping organizations become comfortable with the concept of incremental or continuous improvement. Why? Because if you’re constantly improving, you rarely suddenly arrive at the Big Bang! crossroad.

You can either be the Changer or the Changed, but it is better to be the actor than the acted upon. Change will not be denied. If you choose internal stasis through passivity or inertia, external agents will force you to change because the competition and market won’t take your everlasting comfort into consideration. . .and then what? Right. You’ve got the Big Bang! to survive, because staying where you were allowed the competition and the world to pass you by.

We know change is difficult, so we won’t belabor the point. Nevertheless, if you put the following conditions in place, it won’t be quite so arduous:

Mary Shelley, author of Frankenstein said, “Nothing is so painful to the human mind as a great and sudden change.”  Since change is (ironically) a permanent state of being, leading an adaptable organization focused on steady, incremental improvement is vital. If change is anticipated and implemented without fanfare on an ongoing basis, the hysteria of the Big Bang! will be kept in check.

First, inventory ALL projects and activities that require any kind of IT resources, making sure to include non-obvious ones like SMEs and user training time. According to Gartner, 60% of IT’s budget is spent on operational, “keep the light on” activities, so it is important that these are included to ensure correct allocation of project resources. Projects that pull resources from core operations can create business risk.

Second, decide who will comprise a governance committee, i.e., who will make decisions concerning the portfolio. This should be a mix of IT and business leaders with the authority to make decisions for the organization. The governance committee will determine which projects should continue, which should be delayed, and which should be terminated. These decisions will be made based on determining which projects have the potential to create the most value for the company. Each project in the portfolio should align with business goals and be ranked on the strength of its business case outlining benefits, costs and risk. Keep this simple, but also be on the lookout for project interdependencies. You certainly don’t want a critical project bungled because it relied on deliverables from another project that was killed or delayed.

The importance of strong governance in the portfolio process cannot be overstated. Projects that are nice but not essential drain away resources that could be used more productively. Focus on cutting unnecessary demand and don’t start new projects until you know for certain that existing projects can be completed and meet expected deliverables. This won’t be easy. Every project is “owned” by someone who thinks it is the most important project in the portfolio, so it is essential to let the business case data drive the decision, and not emotions or politics. We can all relate. This time of year I can see myself riding around on a John Deere with 4-wheel steering, a zero turn radius, and a 48-inch mowing deck. Grass cutting would be so much easier (okay, and a little fun). But, with financial resources being what they are, I can’t make the case for its purchase because it will not really provide any material benefit. It’s just a “nice to have.” So, back to my 21” push mower. Sorry, John Deere dealer.

Half the year is gone. As you look at how you will finish out the year and also prepare for next year’s portfolio of projects, the summer months are a great time to review your project portfolio and get the pruning shears out. Since 80% of the benefit usually comes from 20% of the projects, in portfolio management, less is always more.

So, how do you take this paradigm and apply it to the biggest time guzzler in most people’s day—the inefficient meeting?

Here’s how. Every meeting should have an agenda and specific objectives. This information should be communicated to participants well in advance so they arrive prepared. Your meeting should also be run by a facilitator who brings well-formed questions to the table; these are considered time-management “gold.” Every item on your agenda should have specific, corresponding questions that are used to elicit information and move you on to the next item. For example, if your project has the agenda item Risk Planning, some questions might include:

• What are the top risks having the greatest impact to the business? What is the likelihood of occurrence?
• What are the mitigation strategies for each of these high risks? If mitigation is not viable, what is the contingency plan?
• Has every potential risk area been identified (technology, business, project, resource, customer, operational)?

An interesting thing occurs when the objectives and agenda are clear, the participants come prepared, and the facilitator keeps the discussion reined-in through the use of thoughtful questions: meeting objectives are met and meetings are adjourned on-time or early. Participants think, Wow! We finished everything on the agenda and I’ve even got some spare time to put back into my day…I love it. As the meeting owner or facilitator, you might even find participants actually look forward to your meetings as the most productive time of their workday. How cool is that?

– See more at: http://www.transaccelgroup.com/blog/2011/11/15/terminate-the-time-guzzler-inefficient-meetings-2/#sthash.A0bkSWDv.dpuf

1. Understand and communicate the business case for your project.
   This starts with understanding the business strategy and business drivers that prompted your project in the first place. If you don’t understand what the business is trying to accomplish, you have very little chance of your project hitting the mark.Once the business strategy and drivers are clear, identify very specifically—and quantitatively where possible—exactly how your project will provide benefit relative to the business drivers and business strategy.
   • Work with key people in the business area to develop and review the business case to ensure that it is sound and strong.

   Creating a solid, strong business case is the most important factor in not only getting the project approved, but also in ensuring that the project team clearly understands what is to be accomplished, why, and how it will help the business.

2. Identify resourcing needs by role.
   Resources, especially people, are always in high demand, and you need to be very clear about the resources that your project will require (people, facilities, equipment, etc.). Clearly identify your resource needs by being specific. Assuming that your request for two technical analysts you will get you what you actually need might be a mistake. Having the right skills, expertise and individuals detailed on a project can greatly improve the probability of project success.
3. Identify project interdependencies.
   As a good project manager, I expect that you will have identified dependencies within your project as part of your project schedule. With the complex business environment that exists today, you also need to identify dependencies that are outside of your project to make sure that external factors do not inhibit your project’s ability to succeed. For example, if your project requires customer master data to be available—and that is a key deliverable from a different project—you have to identify that interdependency and evaluate the risk to your project if that deliverable does not occur as planned. This allows both projects to understand the dependency and provides greater visibility and increased opportunity to manage and mitigate the risk. The Project Management Office (PMO) will know your project is likely to be well managed when they see the project interdependencies identified.

Additionally, all projects will require identification of project costs, timetables, risks, etc., as is normally requested by governance committees. The above points are not extensive, but are meant to help you differentiate your project from other projects being evaluated.

If you go to the governance committee with these items ready for review, you will not only put yourself in the best position for project approval, but you may also become the model for how other projects should be packaged for governance review.

– See more at: http://www.transaccelgroup.com/blog/2011/10/17/mark-that-project-approved/#sthash.miOosk0N.dpuf

Unfortunately, October is also a time of enormous pressure, as both IT and the Business push hard to achieve MBO deliverables before the end of the year. Too often, the competing time constraints of completing existing projects while planning new ones causes Business to default on the planning side, leaving IT to design new projects on its own. This lack of input from Business leads to “silo” thinking: “We know what they [the Business] really want or need.”

Now, in a perfect world, Business would remain engaged with the IT Account Manager—the one who not only has the best vantage point from which to understand and articulate Business’s needs, but is also well-equipped to offer ideas and solutions to address those needs holistically (end-to-end) rather than piecemeal. But, if Business opts out and IT can’t get it back to the table, or IT believes it actually can do the planning on its own, the next step needs to be the creation of a business case, or multiple business cases, depending on the number of initiatives IT believes are necessary for the coming year. In this situation, the account management teams should lead the business case process.

What Your Business Case(s) Should Focus On:

• Quantitative business benefits: ROI that can be tracked, and the forecasted payback over the next 12 or 18 months
• Risk assessment: what is probability of success when the following variables are considered: processes needed, organizational and infrastructure requirements, bandwith capacity, timing, information and skills necessary, competing business initiatives or conflicts, etc.
• Funding: Project costs (both operating expenses and capital expenditures) for all phases of the project; these costs should also include transition and post go-live support.
• Business alignment: clear alignment with business drivers, strategies, and objectives, taking into consideration the impact of the timing of each implementation event.
• Total cost of ownership (TCO): over lifecycle of project (ideally, this includes ALL costs associated on both the IT and the Business sides).
• Sponsorship: The name of the person or organization with “skin in the game,” who will help obtain project funding or resources, advocate for the project, etc. In short, someone who has a vested interest in the successful outcome of the project.

Once you have thoroughly assessed the viability of the project, your business case is ready to be presented to the Business. If both IT and the Business are in agreement, the commitment then is to investing in the funding, people, and amount of time necessary to undertake the project.

During the business case assessment process, be sure someone on the account side works with the service delivery partners to develop an overall review of the current operations. This will help you understand what capacity is available (people, technology, funding), or conversely, what capacity is already committed and unavailable.

This capacity review really shines a light on the 60-80% of the “operational support” work that comprises the bottom segment of your typical IT Portfolio Pyramid—work some refer to as “keeping the lights on.” At most companies, operational support is a made up of three things:

1. Service Level Agreements: Services and capabilities are aligned to fulfillment of SLAs, i.e., mutually defined agreements between IT and Business. Costs associated with each transaction and response/resolution times are tracked and monitored. These agreements are critical for the IT Account Director or IT Relationship Manager to represent the total cost of service to their Business partner. In a chargeback world, fees for these services are crucial to those IT departments operating solely as cost centers, providing, as they do, the funding for new projects. This is the only operational support activity in which you should invest.
2. Phase 2 & 3 Hiding Place: This is project work or “stuff” that didn’t really get done after the implementation of phase 1, can’t operate as a stand-alone, and thus is very hard to justify on its own merits. Ergo, it is categorized as operational support.
3. Unnecessary demand stuff: This is the “stuff” that should have been decommissioned years ago, but no one has the resources (funding/man-hours) to invest in getting rid of it and tossing it out of the environment. (Picture that box of moldy college textbooks you’ve been lugging around for years.)This “waste” is what I refer to as the “slow death of IT,” and it is my number one place to begin to restore capacity. In ridding IT of this old baggage, you will create the capacity that IT desperately needs for delivering on current Business needs. I have studied this dilemma for years, and many companies have tried to address it by taxing new projects or building it into the (TCO), but, like “training,” getting rid of it never seems to be the necessity it is, and it always seems to get cut.

Every dollar spent needs to be viewed as an investment. “Keeping the lights on” consumes a majority of IT’s budget, and yet, undergoes the least amount of scrutiny during planning. Why? Because:

1. It’s hard. If you haven’t done a good job of writing cogent SLAs with your Business partners or been diligent about tracking costs, unraveling the mess will take time and effort.
2. No one gets a bonus or a promotion for cleaning up someone else’s mess.
3. IT leadership has not done a good job of educating their Business partners on TCO.
4. IT Account Managers would much rather be working on the new blockbuster than talking about maintenance on last year’s project.

Many smarter than I thought that with Shared Services the CFOs would get more involved, and unnecessary demand costs would be reeled-in. Surprisingly, I have seen only a few CFOs willing to invest in “consolidation and rationalization,” even during these tough economic times.

Back to planning:
By mid or end of October, you will need an aggregate view of your total next year’s plan that should include:

• Innovation projects (short, 4-6 week sprints to learn and de-risk future larger projects
• New projects (i.e., Business and IT)
• Phase 2+ functionality improvement projects
• Service investments (otherwise referred to as “Keep the lights on” investments)

To ensure success, new projects need to have an estimated funding of +/- 20%; Phase 2 should come in at +/-10%; and service costs need to be aligned to the service agreements and appropriate funding model. All projects should have clear business cases.

November is all about prioritization based on guidance from Executive and Finance. The better you plan in October, the more successful you will be when the new guidance comes—and, yes, it will come.

Putting your investments into a portfolio tool is something we can help you with, and will allow you to manage your investments and make the right tradeoff decisions.

Most maturity level 1 and 2 companies still optimize by divisional silo, but there are new processes, tools and governances that can help you and your company to make cross functional tradeoffs and ensure you are returning the most value for your IT investment…surely something your CEO and CFO would want to know.

Enjoy October. The hard decisions are coming, and those of you who are prepared will enjoy Thanksgiving much better.