Thinking about ways to expand and improve the Society

The ISA (International Society of Automation) is facing a challenging time.  As I prepare to attend the Fall Leaders’ Meeting and ISA Expo in a few days, I know that major cuts and dramatic changes are in store.  Depending upon how you look at it, I am personally either blessed or cursed not to be part of the most important and far-reaching decisions that will inevitably be announced in the coming weeks. I understand that many of these changes are necessary due to shortfalls in revenue resulting from the same economic conditions facing everyone.  However, I want to put forth a few ideas that will no doubt sound crazy to some and may even brand me as a “heretic.”  Incidentally, I would take that as a compliment and if you’re curious as to why, you should watch this Seth Godin video.  The ideas are too lengthy to include in a single post, so I present them in summary here and will link them to sub-articles, where more detail is provided for those who are interested.

Sell Scarcity, Give Away Abundance

Many thanks to Jim Pinto for bringing this into focus for me with his recent InTech article, “Sell scarcities, not abundance.” I’ve taken the liberty of expanding on his thesis by leveraging the concepts of “freeconomics.” I am intrigued by the possibility of making ISA membership free. Yes, I said it – free.

I go into more detail in “Sell Scarcity, Give Away Abundance.”

Build a free army equipped with web 2.0 tools

Build an Army Using the Long Tail

Making membership free will not, in and of itself, build an effective army. First, they must be recruited. This is where the long tail comes into play. Next, they must be equipped with the latest technology, afforded competent and inspiring leaders, and trained in effective tactics. The “Long Tail” is a phrase attributed to Wired magazine editor Chris Anderson, who wrote an article in 2004 about “Why the Future of Business is Selling Less of More.” Engineers and economists would already be familiar with the numerical component of this phenomenon, known as the power law distribution curve or more colloquially the “80/20” rule. I think the current strategies are more focused on maintaining the 20% than pulling in the other 80%. Once free membership and the long tail begin filling the membership hopper, the next step is to “arm” them with the latest web 2.0 technologies.

I go into more detail in “Build an Army Using the Long Tail.”

Switch from Filter/Distribute to Distribute/Filter

Content is the fuel for this new paradigm’s engine. A wide variety of interesting, thought provoking, authoritative, and even mundane content will increase member engagement and improve search engine results, driving more and more web search results to ISA. However, under the current publication infrastructure this is difficult if not impossible to realize. That’s because the current approach is to filter, then publish. The alternative is to distribute, then filter. In other words, the long tail of the membership should be enabled to become content providers.

I go into more detail in “Members as Content Providers.”

Be Respectful in Our Marketing

Let’s talk about email. This has been a controversial subject for many years and for several reasons. The mistake here is that ISA has been wrestling with the best way to interrupt people, sort of like looking for the friendliest way to insult somebody. The solution is, once again, permission-based or opt-in marketing.

I go into more detail in “Be Respectful in Our Marketing.”

The Elephant in the Room

This may sound like implementing these ideas requires the current web site to be blown up and rebuilt from scratch, which will cost a fortune. Yes and no. The current framework will not support these tools and tactics for a reasonable cost. However, the revolution in open source web content management systems (CMS) allows the rapid development of extremely powerful web sites by non-professionals for zero or little licensing cost. These CMS have enormous commercial third party add on markets that provide extensibility for very low cost – we’re talking less than $10k.

There is no getting around the fact that it would be a time consuming task to migrate all of the existing content to a new platform. However, it can be done by any mildly computer savvy user after about an hour’s worth of training. The job could be outsourced to the membership in large part and I am willing to bet the call to arms would be well received.

Don’t Panic!

These thoughts are meant to provide food for thought, not necessarily a road map. It is a momentary cross over from the way it was to the way it could be. The way it is is unsustainable. Applying a tourniquet may stop the bleeding, but that is not a solution. I believe that ISA can not only survive but thrive if we can recognize and embrace the trends that will define how professional institutions organize their members for the next fifty years.

My hope is to provoke conversations that lead to innovation and positive change.  To that end, please use the comments section below and provide your thoughts.  As Linda Richman on Saturday Night Live’s “Coffee Talk” skit would say, “I’ve given you a topic. Talk amongst yourselves.”

Is cyber security a technology problem or a people problem?

Cyber security is a complex, highly technical subject that is best left to the Asperger-nerd in the computer room battling against the pimply-faced hacker sucking down Mountain Dew in his mother’s basement, right?  It’s a cat and mouse game that pits the white hats against the black hats, the antivirus computer scientists against the hackers, right?  It’s certainly not the realm of the average small business owner, right?  Wrong, wrong, and wrong!

What if I told you that human error was more responsible for data breaches in 2008 than hacking?  What if I told you that hacking was third on the Identity Theft Resource Center’s (ITRC) categorized list of data loss methods?  The reality is that cyber security is a people problem first and a technology problem second.

More Awareness, Less Reliance

Most organizations are oblivious to the weakest link in the security chain

I’ve come to a remarkable, if not depressing, realization in my information technology career.  Over the last 20 years of consulting, I’ve visited scores of clients in hundreds of facilities and I can easily count the number of times I was ever given any sort of cyber security orientation – exactly once.  I’ve walked into propped-open back doors of more manufacturing facilities than you can shake a stick at, and more often than not waltzed right up to a machine control panel, hooked up my laptop, and started pounding away at the keyboard while smiling and waving at trusting operators I had never before met in my life.  The realization is this: the vast majority of companies, large and small alike, is completely oblivious to the weakest link in the security chain: people.

The misperception that cyber security is all about technology is a serious mistake that is made by both small and large businesses.  The small businesses often believe that they are not sophisticated enough to employ their own cyber security programs and, therefore, either ignore it altogether or simply outsource it to an IT subcontractor.  The large businesses spend millions of dollars on intrusion prevention systems, biometric security, and other sophisticated technological countermeasures.

Hopefully by now I’ve made the point that cyber security is about much more than firewalls, Trojans, and keyboard loggers.  So without further delay, here is a list of five no-cost practices every organization can implement that will go a long way toward securing their data.

Use Passwords, Use Them Well

OK, show of hands… how many of you are rolling your eyes?  It sounds obvious, but password laziness and ignorance is still the number one vulnerability for computer systems.  I understand how painful it is these days to maintain all of the user names and passwords in our lives.  However, it is the world we live in and we must accept it and follow these bare minimum password practices:

  • No shared passwords:  This is especially common in process automation where there are many users of the same machine.  Everyone must have their own unique user name and password.
  • Complex passwords:  Use combinations of letters and numbers, preferably composed of one or more words that are not in the dictionary.  Why?  Read this article about Dictionary Attacks.
  • Change passwords:  This is probably the most annoying of these three practices, and I confess that it aggravates me to have to do.  However, changing passwords periodically is one of the best ways to prevent misuse of a password that is unknowingly (or even deliberately) disclosed.
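
The three practices above expressed as an audit, as an added example that is not part of the original post: the inventory, wordlist, 90-day threshold and function names are all constructed assumptions. It shows that a password mixing letters and numbers can still be a dictionary word in disguise.

```python
import csv, io
from datetime import date

# Constructed sample inventory (not real data): one row per account.
# 'users' lists the people who log in with it; 'candidate' is the password
# proposed at change time (checked before hashing, never stored).
INVENTORY = """account,users,last_changed,candidate
operator,alice;bob;carol,2007-03-01,Pump1234
jsmith,jsmith,2009-08-15,Password1
mlee,mlee,2009-09-01,v9Tq2rLx7w
"""

# Tiny constructed wordlist; a real check would load a full dictionary file.
WORDS = {"password", "pump", "valve", "admin", "welcome"}
LEET = str.maketrans("013457@$", "oieastas")
MAX_AGE_DAYS = 90  # assumed rotation period; the article gives no number

def base_word(pw):
    """Undo common disguises: case, trailing digits/symbols, leet characters."""
    stripped = pw.lower().rstrip("0123456789!@#$%")
    return stripped.translate(LEET)

def audit(inventory_csv, today):
    """Return {account: [issues]} for accounts breaking any of the practices."""
    findings = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        issues = []
        if len(row["users"].split(";")) > 1:          # practice 1: no sharing
            issues.append("shared")
        pw = row["candidate"]
        if not (any(c.isalpha() for c in pw) and any(c.isdigit() for c in pw)):
            issues.append("no-letter-digit-mix")      # practice 2: mix
        if base_word(pw) in WORDS:                    # practice 2: not a word
            issues.append("dictionary-word")
        age = (today - date.fromisoformat(row["last_changed"])).days
        if age > MAX_AGE_DAYS:                        # practice 3: rotation
            issues.append("stale")
        if issues:
            findings[row["account"]] = issues
    return findings

if __name__ == "__main__":
    for account, issues in audit(INVENTORY, date(2009, 10, 1)).items():
        print(account, issues)
```

Both `Pump1234` and `Password1` satisfy a naive letters-plus-numbers rule yet reduce to a wordlist entry once the trailing digits are stripped, which is the transformation a dictionary attack tries first.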

Utilize Automatic Updates

Unpatched operating systems and out of date virus definitions are like the gimpy prey of a flock; they are the first to be targeted by the hunter.  Many computer viruses and other exploits rely on software vulnerabilities that are typically patched within days or weeks.  However, it is not at all unusual for me to see network servers out of date by more than a year.  Another common problem is for antivirus subscriptions to expire, preventing the virus definitions from updating.

Clean House

Every program loaded on a computer is a potential vulnerability.  The fewer of them there are, the better.  A typical Windows PC has loads of “crap-ware” installed on it that can and should be removed using the Add/Remove Programs option in Control Panel.  Additionally, there are Windows Components (e.g. Messenger, Media Player) that should be removed if not used.  Finally, there are usually Windows Services running by default that are not used.  This particular cleanup is generally left to computer professionals, as it is not always obvious which of these is required and disabling the wrong service can lead to “unexpected behavior.”

Create Policies

There are many reasons for establishing written computer and internet policies for employees.  One, of course, is legal liability for the employer.  The other is (or at least should be) educational.  It’s not enough to write up these policies; they need to be presented and explained in an open environment to ensure that they are understood and appreciated.  These policies go far beyond telling users they can’t surf porn on the company’s computers.  They need to include things like proper care and usage of portable storage devices, remote access procedures and policies, e-mail policies, etc…  You can find a list of templates at the SANS Security Policy Project web site.

Protect Sensitive Information

Insiders and subcontractors are another major vulnerability and care must be taken to provide information necessary for them to do their jobs, but no more.  This is especially true of subcontractors, of which I am one, who are frequently given and/or create sensitive documents, diagrams, lists, and other data.  It is important to establish guidelines for its use to ensure that the information is handled with care and returned or disposed of when the job is complete.  As incredible as it sounds, a subcontractor published a complete schematic of Pearl Harbor Naval Base’s power monitoring control system in a white paper available publicly on the Internet (I just checked and the information has apparently been removed).

The Bonus Round

What is the hacker’s #1 tool of the trade?  I’ll give you a hint; it has nothing to do with computers.  It’s called Social Engineering and you can read more of it in my blog, “The Hacker as a Magician.”

Feel free to share your own anecdotes and pearls of wisdom on the subject.  What are some of the head-shaking moments you’ve witnessed?  Are there any “doh!” moments you care to share?
