Just a quick note to let everyone know that I’ve been accepted into the Microsoft Surface reseller program, so I can now supply the full range of Microsoft Surface devices! I’m very excited about this – it’s something that I’ve been working towards for a while.
With the explosion of the WannaCrypt ransomware worm over the weekend, a lot of people’s thoughts have turned to protecting their information and systems from such attacks. It certainly was a doozy of a worm, that’s for sure, and has wreaked havoc across the globe in a very short timeframe. This morning, a lot of corporate IT Security teams will be having emergency meetings to talk about and review their current protection plans, and whether they need any changes or additional responses to protect their networks.
For more information, The Register has a very good wrap up (as usual), available here:
But what if you don’t have an IT Security Team? What if you’re just a small business?
Consider this a good excuse then to spend some time thinking about your IT systems and the technology that you have in place. Running a small business myself, I know that the demands on your time can be staggering, and you probably haven’t had an opportunity to stop and think about the security of the information that your business relies upon. But it’s certainly a very worthwhile way to spend an hour. You don’t need to come up with all the answers – in fact, you don’t need to come up with any answers. Just have a think about what information you have, what you need, and what you’d be really upset by if it just went away suddenly. You can then take that list and use it as the basis of a discussion with a security / IT expert, who can bring in their IT industry knowledge.
And that’s exactly how I started my morning today, with an email from a client that simply asked:
“Hi Matt, just wondering what I should be doing/checking to make sure we aren’t vulnerable to a ransomware attack, as unlikely as it may be?”
I’ve decided to paste in my response to them here, to demonstrate how good system design will already be protecting you from a number of internet nasties. Names have been changed to protect the innocent, as have certain details.
Great question! Especially in light of the news about the new WannaCrypt/WannaCry ransomware bug that was built from NSA exploit code. Ransomware attacks are getting more and more popular.
The most important things that you yourself can do are:
This is where the Cloud Managed Endpoint Security package that we spoke about a couple of months ago comes in – it gives a central spot where we can see the status of all your laptops, making sure that they’ve all got the security package installed and turned on, that they’ve all got the latest virus signatures, etc. That’s definitely the best option, but I’m confident from our discussions that you’ve got a good handle on your current anti-virus. Until we upgrade to the cloud-security, just having a quick walk around once a fortnight, say, to check that everyone’s antivirus app is running and happy would be a great start.
The IT systems and setup that we’ve built for your firm have been designed to be very resistant to any sort of attack, even ones like these Ransomware attacks. Your environment has also been built to be very resilient even if a successful breach did occur.
The ways we achieved the attack resistance are:
The ways we achieve the resilience if an attack was to occur are:
Same scenario if a disaster (natural, man-made or electronic) befell your Margaret St office – you could simply take your laptops and your mobiles home and work from there. There’s no server that we are reliant on.
Hopefully that gives you good confidence in the systems that you have.
As you can see from the above, there are a lot of different approaches to information security. There’s no “one-size-fits-all” system that can solve all your problems – the best approach is to “layer up” different overlapping products, systems and approaches to build an overall security model for the team. I’m confident that we’ve built a very strong and resilient environment for you, commensurate with the value of the confidential information that you deal in.
The trick, as always, is to match the security systems with the user experience – no point having a completely locked down system if it means that the staff can’t actually do their work. But there’s A LOT of happy middle ground that we can pragmatically cover before we get to that extremity.
Security is a moving target. Technology continually advances (both good protection tech and bad attack tech), and your firm is growing and evolving as well. It’s important to stay up to date with the industry and contextualise that to your unique situation. There’s always additional things we can look at should you have either concerns, or should you just want to improve security for certain high-value people or certain confidential information. For instance, we could:
Happy to chat more about this if you’d like, especially with all the recent developments.
That’s a quick overview of how the various bits and pieces that we have designed for this firm all fit together, and how overall we get a good security environment. You can see how the various bits and pieces all work together to provide comprehensive coverage. It is very contextualised to this particular client’s environment though, so I want to go through and unpack some of the more general points that you can use in your business right now.
Information Security is an Onion
Hopefully from reading the email above, you can get a feeling for the fact that Information Security isn’t a new firewall, and it’s not a fancy new Anti-Virus app (despite what the vendors of each will tell you). Security is the result of a lot of little decisions, and a lot of overlapping layers.
This is because of two things:
- Good security products will be targeted at doing one thing, and doing it extremely well. There is no “jack of all trades” here, nor do you want one. You want to couple together a number of different security systems that are all excellent at what they do. Working together, they provide you an effective umbrella.
- Any product or system, security or otherwise, will have holes in it. Sometimes these holes are put there by design, and sometimes these holes are accidental or as a result of an unexpected bug or failure condition. For example, an email system NEEDS to be able to talk to other unknown systems on the internet to work. An email system that couldn’t receive email from anyone isn’t very useful. We speak about two broad categories here:
- Known Unknowns – These are the holes that we know about, or suspect. These are the easy ones, because we can defend against them. We know that the email server needs to talk to the internet, and we suspect that someone might be able to send a malformed request to it to trip it up. So we stick a stateful inspection firewall in front of it, something that can “speak SMTP”, and can enforce strict protocol compliance on the conversation. It can detect if an internet-based system is trying to do something nasty, and terminate the conversation before the email server is broken or compromised.
- Unknown Unknowns – These are the things that we don’t even suspect. The ones that blind-side you at 4PM on some idle Tuesday. We don’t know about these vulnerabilities, but what’s worse is that we’re not even aware of the fact that we don’t know them – we’re blissfully ignorant (for now).
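What “enforce strict protocol compliance” can look like for the SMTP-aware firewall in the Known Unknowns item above, as an added example (not the author’s code or any vendor’s rule set). The state table, verb policy and sample sessions are assumptions constructed for the illustration; the 512-octet command limit comes from RFC 5321.

```python
import re

MAX_COMMAND_LINE = 512  # octets, CRLF included (RFC 5321 section 4.5.3.1.4)

# Verbs permitted in each session state, and the state each one leads to.
# This table is the example's own strict policy (an assumption).
TRANSITIONS = {
    "connected": {"EHLO": "greeted", "HELO": "greeted"},
    "greeted": {"MAIL": "mail", "EHLO": "greeted", "HELO": "greeted",
                "RSET": "greeted"},
    "mail": {"RCPT": "rcpt", "RSET": "greeted"},
    "rcpt": {"RCPT": "rcpt", "DATA": "data", "RSET": "greeted"},
}
ANYTIME = {"NOOP", "QUIT"}

# Argument shape for the two path-carrying commands; optional ESMTP
# parameters (for example SIZE=1234) may follow the path.
PATH_ARG = {
    "MAIL": re.compile(rb"^FROM:<[^<>\s]*>( [!-~]+)*$", re.I),
    "RCPT": re.compile(rb"^TO:<[^<>\s]+>( [!-~]+)*$", re.I),
}


def check_command(state, line):
    """Return (next_state, None) if the line is acceptable, else (state, reason)."""
    if len(line) > MAX_COMMAND_LINE:
        return state, "command line longer than 512 octets"
    if not line.endswith(b"\r\n"):
        return state, "line not terminated by CRLF"
    body = line[:-2]
    # Rejects bare CR/LF inside the line, other control bytes and 8-bit data.
    if any(b < 0x20 or b > 0x7E for b in body):
        return state, "control or non-ASCII byte in command"
    verb, _, arg = body.partition(b" ")
    verb = verb.decode("ascii").upper()
    if verb in ANYTIME:
        return ("closed" if verb == "QUIT" else state), None
    next_state = TRANSITIONS.get(state, {}).get(verb)
    if next_state is None:
        known = any(verb in table for table in TRANSITIONS.values())
        if known:
            return state, f"{verb} not allowed in state '{state}'"
        return state, f"unknown verb {verb!r}"
    if verb in ("EHLO", "HELO") and not arg.strip():
        return state, f"{verb} without a domain argument"
    pattern = PATH_ARG.get(verb)
    if pattern and not pattern.match(arg):
        return state, f"malformed {verb} argument"
    return next_state, None


def inspect_session(lines):
    """Check a client's command lines in order.

    Returns ("allow", None) or ("terminate", "line N: reason").
    Inspection stops at DATA; message content is left to other layers.
    """
    state = "connected"
    for number, line in enumerate(lines, start=1):
        state, reason = check_command(state, line)
        if reason:
            return "terminate", f"line {number}: {reason}"
        if state in ("data", "closed"):
            break
    return "allow", None


# Constructed sample sessions (client side only).
GOOD = [
    b"EHLO mail.example.org\r\n",
    b"MAIL FROM:<alice@example.org>\r\n",
    b"RCPT TO:<bob@example.com>\r\n",
    b"DATA\r\n",
]
OUT_OF_ORDER = [b"EHLO mail.example.org\r\n", b"RCPT TO:<bob@example.com>\r\n"]
OVERLONG = [b"EHLO " + b"a" * 600 + b"\r\n"]
EMBEDDED_LF = [
    b"EHLO mail.example.org\r\n",
    b"MAIL FROM:<alice@example.org>\nRCPT TO:<bob@example.com>\r\n",
]

if __name__ == "__main__":
    for name, session in [("good", GOOD), ("out of order", OUT_OF_ORDER),
                          ("overlong", OVERLONG), ("embedded LF", EMBEDDED_LF)]:
        print(name, "->", inspect_session(session))
```

The checker rejects anything outside its table, so a command it has never seen is refused even though nobody anticipated it.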
So how do you protect against the Unknown Unknowns, if you don’t even know that you don’t know what they are?
Aside – is your head spinning yet? It will be!
The simple answer is that you assume you don’t know anything, and work backwards. And this is where the layering of the security onion comes in.
In our email server example above, we know that it has to talk to other email servers, and we suspect that someone bad might use that to attack it. But the vendor has promised us that the system is very secure and unhackable. Do we believe the vendor?
NO! We certainly don’t.
The vendor may be being truthful when they say that, but the reality is that the vendor will have a bunch of unknown unknowns themselves. So when they say “our product is secure”, they truly do mean it – it’s just that they don’t yet realise how it might be compromised.
To protect against it, we “layer up”. Even though the email server shouldn’t be listening for anything other than incoming emails, we still stick a firewall in front of it anyway, just in case. If it did have an unknown vulnerability, we would still be safe because the firewall would stop it.
Is the firewall fool-proof? Probably not! That’s why the edge router in front of the firewall has basic packet filtering enabled.
Is the edge router fool-proof? Probably not! That’s why we have our carrier turn on some anti-DDoS systems on their end of the link, to filter junk out before it even comes to our gear.
And so on and so forth.
Or to put it another way:
- It’s fine in the dry weather, because it sits in the corner all folded up. It’s there, you’ve invested in it, and you’re happy with it because every time you wonder if it might rain, you can glance across and look at your umbrella. You feel good because you’re prepared.
- When it starts to rain, you reach for your umbrella. After all, that’s why you have it.
- But when you open it up, you discover that it’s got holes all in it. Some big, some small. Some you knew about, some you didn’t.
- If you went out in the rain like this, you’d get wet.
What do you do?
- You pick up your second umbrella, and open it up.
- Much to your dismay, it’s also got a bunch of holes in it.
- Oh noes!
- What do?
This is where the layering comes in.
- The holes in Umbrella 1 are probably in different spots to the holes in Umbrella 2.
- If you were to stack Umbrella 1 on top of Umbrella 2, most of the holes would then be covered.
- Rain might still get through some of the overlapping holes, but the vast majority are now secured.
- And to protect yourself against the last few holes, you might put an overcoat on.
By layering up multiple levels of protection, like layers of an onion, you dramatically increase your security position even when dealing with systems and products that have both known unknowns, and unknown unknowns.
All That Sounds Complex and Expensive.
The important concept is to ensure that the security design you have is contextual to the organisation and the level of protection required.
Does a 3-person startup need multiple application-layer firewalls and carrier-side traffic sanitation? Of course not.
The important benefit here, especially for smaller firms, is not even to do with the systems that you deploy – it’s the fact that you’re starting to think about it. Because once you start to think about information security, you start to embed those questions into all the other little decisions and thoughts in your day to day life. It’s THOSE decisions that then pay off for you.
So if you’re thinking about which laptop to buy, and one is $500 more than the other one:
- Without a security mindset, your reaction might be “What a rip-off! This one’s $500 cheaper and just the same. I can save some money here.”
- With a security mindset, your reaction might be “Why is this one $500 more? It comes with a TPM encryption chip – I wonder what that is? Is it something that could help me, or not?”
The same thing happens with all the other decisions that you make.
What email system to use.
Where to host your website.
Do you use a free anti-virus app, or do you pay for one?
Once you start embedding information security as an attribute for evaluating options, you start to build up small increases in your security profile with every decision you make. And as we just explained, it’s this “layering” of security abilities that is what really raises your security environment.
Keeping Current vs “Good Enough”
One point that bears repeating over and over and over is this – Keeping Current is the most effective thing you can do for your business’s information security landscape.
In other words, update your things, people.
The PC that you’ve been using for 5 years is past its useful life.
The mobile phone that you’ve had for 6 years now (“and IS STILL working PERFECTLY”) isn’t working perfectly. It’s full of security holes, and the vendor hasn’t issued an update for it for 18 months now. What’s more, the latest security systems can’t work with it. I hope you don’t have any critical information on it, such as an internet banking app…
The brand new mobile phone that you’ve had for 6 months, but have never bothered to update – it’s just as bad.
KEEP YOUR STUFF CURRENT!
Vendors are constantly releasing security patches for their devices or their software. These are often-times in response to KNOWN vulnerabilities. For example, the maker of your shiny new iPhone KNOWS that someone can take over your data via this particular process. So they patch that bug. But if you don’t install the update on your phone, then you’re walking around with a device in your pocket that EVERYONE knows is insecure.
I spend a bit of my time meeting with business owners to review and audit their IT landscape. I see A LOT of old gear out there. Invariably, this comes down to an investment decision:
- The cost of buying a new PC when one is “still working”,
- The cost that you might incur when getting someone to re-install all your apps and data onto the new PC
- The costs that you might incur if your crummy old core app won’t actually work on the latest Windows version (NB – this is a HUGE red flag on the core app!!!)
Unfortunately, the longer you put this decision off, the worse it gets, and the more expensive it gets.
Look, I know that when you’re running a small business, every dollar counts. However, you don’t need me to explain why you’re financially better off updating your technology on a shorter cycle (say, 4 years) – you can figure out the maths around proactive investment in new IT equipment (which is tax-deductible anyway, and currently able to be depreciated instantly) vs the lost productivity and consulting costs to mop up after a breach. I’m not asking you to like it, just to think about it.
When you factor in the potential downsides, keeping up to date is quite often the best bang-for-your-buck approach to security, delivering a lot of value for a regular, planned outlay. The further behind the 8-ball you get, the more difficult it is to catch back up.
So what are some proactive, pragmatic steps you could start to plan for?
Big Progress eventuates from Small Steps
As I’ve harped on about, Information Security is a multi-layered solution. So let’s look at some small steps that you can start to take, which will incrementally improve your security landscape. Remember that the whole is greater than the sum of the parts, so the more of this we can do, the better results we’ll see.
Windows Update and Microsoft Update.
Turn these on now. Can a rogue Windows Update muck up your PC? Yes – it can and has happened. However, the risk lately has been very low – this is not as big a problem as it was 10 years ago. I’m quite happy having automatic updates enabled for all my machines, and all my clients’ machines. The risk is worth the reward. People who were running Windows 10 with automatic updates enabled were already protected from this WannaCrypt worm, for instance.
While you’re in there, make sure you’ve ticked the box to enable Microsoft Update, so that you’ll also receive updates for other Microsoft products like Office (not just Windows updates).
The caveat here is around enterprises with more than a hundred or so PCs under management. You may have special requirements that dictate an alternative plan. But I’m hoping that at your size you’ve already invested in something like SCCM / InTune / etc that will be helping you with desktop management and patching. WSUS is still free.
If you don’t have any Anti-Virus or Internet Security, go and get some and install it. “But it slows down my PC too much!” – yes, it will have an impact on performance. Different products vary from almost-undetectable, to maple-syrup-on-a-cold-winters-day. Do a bit of research and upgrade your PC hardware if you need to.
Not having anti-virus because you have an old PC is not a good excuse to your customers when their credit card details end up published on some random Russian hacking forum.
If you can’t afford commercial AntiVirus, at least install one of the free packages. Some people swear by AVG, for instance, but I went away from it when they started to have ads pop up all the time. Honestly, basic Antivirus and Internet Security from any of the big names (Norton, Symantec, etc) is very affordable these days, especially if you buy a multi-device pack and install it on all your PCs at the same time.
If you’ve already got anti-virus, make sure it’s actually installed on each PC, is active, is updated, and is still within its subscription period.
If you’ve got over ~10 PCs, you really want something that’s centrally managed. There’s a LOT of options in this space, especially with vendors like Symantec moving into the cloud-hosted space with their Symantec Endpoint Protection Cloud.
If you’ve got a Mac, you need Antivirus too.
Think about the age of your computers and other devices. Are they still running Windows XP? What are your plans to modernise your PC fleet to ensure that both your hardware and software are up to date and the most robust they can be?
You’ll probably pick up other benefits as part of this – increased productivity due to new, faster PCs. Mobility options by replacing PCs with laptops or tablets.
Before you go out buying new PCs willy-nilly though, you DO need to do some homework.
- Make sure your core line-of-business apps will work with the latest operating system version, and that the vendor will support you.
- This is particularly a big issue with people who have invested in very expensive hardware or software for their businesses – things like 3D drafting software or specialised industrial robots are often built to run on very specific versions and might not work on a newer version of Windows, or with newer PC hardware or interface cables.
- An engineering firm that invested $500k in drafting software 5 years ago might not feel like paying the upgrade fees for the new version, along with the user training costs and everything else that goes along with it.
- They need to work out whether it’s worth the extra spend.
- To do that, they’ll need to think about what the cost to the business would be if their draftsmen are unable to work for a week because of a Ransomware attack, and what impact that would have on their current contracts and delivery dates, as well as on their ability to win more contracts in the future.
- In that light, the $100k software upgrade fees might be a fraction of the cost whilst increasing employee satisfaction and positioning the business well with the latest toolset.
- Make sure you’re buying the right computers. Remember the example from above with the two laptops, one with the TPM chip and one without? Make sure that what you buy is the best value for you, even if it’s the more expensive option.
- Make sure that your peripherals and accessories will work with the new computers. With new standards for monitor connections, you might find that all your old VGA monitors won’t connect to your fancy new DisplayPort laptops, say. You don’t want to get half way through and have blown your original budget.
- Make sure you have a plan that captures all the touch-points and knock-on effects. How are you going to roll out new PCs? All at once, or over 3 years? What’s the impact to your Support team if they need to troubleshoot apps running on both Windows 7 and Windows 10?
- Make sure your people have the opportunity to receive the training that they need to be productive on their new PC. The new computer might be far-and-away better than the old one, but if it’s got the wrong colour background then it’ll just be the worst thing ever.
Benefits of Cloud Systems for Security
As you’ll have seen from my email response, a big part of the increased security landscape that this client enjoys is due to the selection and provision of key cloud services. Cloud services can come with advantages in this space vs traditional on-premise systems:
| | Traditional on-premise systems | Cloud services |
|---|---|---|
| Updates | You need to install all the updates yourself. You need to schedule the work out of hours, test the patches, install them, etc. | The vendor is responsible for updating the cloud system for you – that’s part of what you pay for each month. |
| Configuration | You need to configure the system to make sure it’s secure. You need to research what the vendor’s best practices are, and make sure you’ve ticked the right boxes, etc. | The vendor is responsible for the configuration of their system, and THEY need to make sure that they’ve deployed it in a secure fashion, and that they’re adhering to all their policies. |
| Scale | You need to research new attacks and make sure that your configuration is still right. | The vendor probably has a dedicated team in charge of their security. For a large vendor like Microsoft, their Office365 system is used globally. This gives them access to a HUGE amount of insight and analytics to spot attacks before they are launched. |
| Features | If you want to increase the security of one of your apps, you need to research and deploy the additional functionality. | Progressive cloud vendors are always looking to increase the feature-set they provide to their customers. There is a steady stream of security features being developed by any proactive cloud vendor for their customers, from enhanced encryption or logon detection, to seamless 2 Factor Authentication options. All you need to do is tick the box to turn it on. |
There are more benefits around location independence and re-deployment of apps and data should a new device need to be provisioned. Cloud systems make it easy for your team to get back up and running quickly even if their computer is ransomed or damaged.
What you’re looking for in an IT Partner when you want to have Security discussions.
First of all, you want an IT Partner that you can actually talk to. Someone you can bounce questions off without being made to feel like you’re asking a stupid question. Someone that takes the time to understand your business and your information landscape.
Basically, the same things you’ll be looking for with any of your business partners.
Ideally, you want to be talking to someone who’s happy to come out and speak to you about your concerns, and to spend some time asking questions about your current IT setup as well as learning your business itself. In my experience, I find that designing an effective information security plan requires a good underlying knowledge of your client’s business – what they do, how they work, what sort of data they have and why. Otherwise you run the risk of designing a plan that doesn’t actually suit the business. And any plan that impedes people instead of enabling them will soon have the team working around your lovely plan and it’ll all be for naught.
You want to be talking to someone who will approach the security discussion in the same way as we’ve walked through it here – holistically, looking at all aspects of your network and systems to identify the weak points and then buttress them with complementary and overlapping umbrellas. You want to avoid any reliance on any single Big Security System that will make your dreams come true – big systems certainly do have their place, but they exist as part of the entire landscape.
Lastly, you want to make sure you can trust the advice of your partner. Someone who’s been around, who has a proven track record, and who has happy clients – they’re a good first start.
There are a lot of good Information Security partners out there, once you find the right one for you.
So if I do this, then I’ll be secure, right?
Sadly, Information Security is an arms-race between the baddies who want your data and the goodies who you pay to keep you safe. This is not going to change any time soon.
It’s the same as house security – you can never make your house completely safe from burglars – if someone wants what you have bad enough, they’re going to try very hard to get it. The effective approach is to make your house significantly difficult to break into, in the hope that the burglars will move on and try someone else’s house instead.
While that might seem like a defeatist approach, it’s anything but. You should definitely invest in Information Security systems that protect your valuable company IP as well as your client’s confidential information. However, do so with the knowledge that much smarter people than you exist out there, and they’re much better funded than you are. So we all do the best we can with the resources we’ve got, and we maximise the effectiveness of what we’ve got by layering it up.
Remember too another word I’ve been repeating through this article – “contextualised”.
- I don’t even have a roller door on my garage, because no one wants to steal my old 4WD. There is no payoff for them. I do keep it locked, and never leave any valuables in it in plain sight.
- However, would I take the same approach if I had a Porsche sitting in there?
- What about if I had a whole collection of vintage Porsches?
- Goodness no!
- Likewise, your Information Security approach will be contextualised to the business you’re in, and the amount and confidentiality of the information that you hold.
Let’s face it – there are enough people out there with old systems and no anti-virus that are much easier pickings. Make sure you’re not one of them.
Most importantly, any security plan needs to be regularly reviewed to ensure that it remains effective, that it remains appropriate for the organisation, and that it’s still using the best available products and solutions. As we’ve already spoken about today, the IT ecosystem is constantly evolving – make sure you take advantage of that and have it work in your favour.
It’s all too confusing – where to from here?
If you want to make sure YOU avoid the massive clean-up effort that comes from a virus or ransomware attack, get in touch and we can talk about your current IT environment and what risks that may expose you to.
A good first step would be to conduct a comprehensive IT Review & Roadmap generation exercise. During this engagement we’ll work closely with you to review and audit your current IT environment – something that’s generally really useful all by itself if you don’t have comprehensive IT design documentation. Once we know what we’re dealing with, we can formulate a Risk Register of the top business risks that your technology environment exposes you to. Then, working with you to understand your business vision, we can craft a long-term Strategic Roadmap that moves your business forward and protects you from the biggest risks currently facing you.
For medium-sized firms (anywhere from ~80 staff upwards), moving towards a proactive plan for your technology can deliver massive benefits. Your senior leadership or board members will love the fact that you have a costed, high-level roadmap to guide your investment and deliver business capability. Working to an overarching plan reduces any wastage or re-working that can be required when deploying systems or tech ad-hoc. The old “measure twice, cut once” maxim.
As always, feel free to get in touch if you’d like to sit down for a no obligation chat to see where we might be able to assist you in your business.
News today via CIO.com.au that Virgin has announced it will be trialling in-flight wifi on some of its Boeing 737 aircraft. While the trial will be free for passengers, I would expect to see it as an optional at-cost extra once the service launches properly. At the least, it would be nice if either loyalty program customers (of which I’m one, hence why I’d like it!) or Business class seating (of which I’ve only flown in once, as a free upgrade 😀 ) receive the service. For business customers heading into town for a day of meetings, a couple of hours to prepare on the plane would be very welcome.
Every year people publish lists of the hottest most in-demand IT skills. Some years it is new technologies like virtualization or containers, other years it’s understanding processes like ITIL or how to decipher compliance regulations. But there is a more important skill for IT Pros that transcends the hot technology of the moment or whatever the…
It really hit a nerve for me, because I think it’s something that a lot of professionals (IT or otherwise) miss when they look at the core of what they do.
If you haven’t already, hit the link above (it’ll open in a new tab), and read through. Then come back here and we’ll continue.
Right – back again? Comfy? Good.
I expect the question that most people will have after reading the article is simply “Is Orin right? Is ‘the skill of being able to reliably solve complex problems’ really the most important skill that an IT professional can have”?
I’m emphatically in the Yes camp. In fact, I’ve built my career around that simple concept.
And what’s more, I’d be willing to bet that if you think about the most successful people you know, they’ve done the same.
On Solving Problems
IT is a gigantic problem that needs to be solved. And most people getting into IT experience this first hand at the coalface. Most people enter a career in IT via two main pathways:
- IT Support Helpdesk. Your job is to answer the phone all day and talk to people who are currently hating their computer, any form of technology, and – by extension – you. They’re only calling you because YOU (you’re all the same, you IT people) have done something to THEIR computer which has resulted in lost work, lost time, or the icon on their desktop third from the top changing colour slightly.
- Junior App Dev. Your job is to take a code outline, user story or function definition and code it up. Someone else has decided that this is the application architecture that you’re going to use, and this is the dev environment you’ve got. Someone else has decided that the function will take these inputs and (magically) produce these outputs in a reliable, fast fashion. And the code must be elegant. And it must be documented. And it must have no bugs. And it must be compact. And it needs to be done by last Friday.
In either case, what’s actually happening is that you’re being asked to solve someone else’s problem. HOW you do that is different (clean peanut butter out of their keyboard, or code an API function that does what it needs to do), but at the end of the day, all you’re doing is solving problems for people.
On Career Progression
In this light, you’ve got two choices when it comes to career progression. You can get REALLY GOOD at the *What*. You can be the best damn peanut butter keyboard cleaner that the world has ever seen.
If that’s how you think of yourself, you can probably craft a profitable career cleaning people’s keyboards. You’ll be able to really hone that skill and get very, very good at it. Possibly the best in the world. And you might even make a lot of money. Right up until someone invents a keyboard that doesn’t need cleaning, or peanut butter that’s not sticky. As soon as that happens, you’re sweet out of luck.
However, if you were to think of yourself as a Grade A Problem Solver (who just happens to currently assist people with sandwich-keyboard-related situations), then you recognise that your skill in cleaning keyboards is simply what you need now to solve the sort of problems that are getting thrown at you. When those problems change (as they invariably will), you recognise that to keep doing what you do (solving problems), you’ll need to learn a new skill that matches the new sorts of problems that you’re facing.
To give an example from my own career path:
- When I started my career in IT, I was a software dev. I solved problems for people by building bespoke software apps and databases. I also spent time on the HellDesk.
- I moved into IT Infrastructure. I solved problems for people by deploying new systems that ran faster and better, letting others focus on their jobs.
- I moved into Systems Architecture. I solved problems for people by designing new systems and integrations that enabled the business to grow quicker, and people to get more done during their day.
- I moved into my current role here. My team and I solve problems for our clients by designing and deploying tailored IT systems that make my clients’ lives easier and help them do their best work.
On Non-IT Professionals
Does this apply to non-IT professionals?
I believe it does.
Think about it:
- The best CEO you know – are they great because they’re good with financial reports, etc? Or because they’re good at navigating their company through difficult decisions in a rapidly-changing landscape?
- The best Marketing creative that you know – are they great because they’re good at Facebook ads? Or because they’re good at positioning your product/brand/company in a challenging consumer environment to increase sales?
- The best Butcher you know – are they great because they carve up the meat really properly? Or because you can walk in there on a Saturday morning and say “I’m having friends around for lunch in a couple of hours and I don’t have anything to throw on the BBQ – what can you recommend?”
I would argue that for anyone who is interested in advancing their professional career, the best way to do that is to focus on solving problems for people. How you do that will change depending on your industry, your company, your client, the current available tools that you have, your budget, your client’s budget, and a million other variables. Some of them you control, but the vast majority of them you do not. So don’t focus on the technical side – focus on solving the problem.
Do Skills Not Matter?
Does this mean that technical aptitude doesn’t matter? Certainly not!
Your CEO friend wouldn’t last long as CEO if she/he couldn’t interpret the company’s financial reports. The Marketing pro would quickly get the boot from the agency if the campaigns that he/she produced didn’t result in any new sales. You would find another butcher if you asked for a lamb roast and you went home with a kilo of steaks instead.
My point is that skills can be learnt. They can be acquired and practised and you can get good at them. And you need to. Because they change so rapidly these days.
IT is often singled out for this – the rapid pace of change in the technology sphere is quick to render old skills obsolete.
But doesn’t this also reach out to other industries?
- The CEO is now having to position her/his company against not only the other incumbent competitors, but a raft of new startup companies looking to take parts of their client base. Instead of defending against big corporate takeovers and stock devaluations, she/he needs to now also think about how two university students might create a web-app that captures your core market.
- The Marketing pro is needing to learn how to market a company’s product into Snapchat. And Pinterest. And whatever new app/tech is just around the corner. Yes, you need to be good at TV and print advertising, but those skills aren’t enough these days. Marketing is an arms-race between advertisers and attention – a good marketer is constantly learning what opportunities are out there to position their client’s brand in front of their potential customers.
- The butcher still needs to know how to carve up a cow. But the butcher also needs to be on top of emerging trends that his/her clients might be interested in. A lot of butchers are getting onboard with current trends around the paddock-to-plate movement (mooooovement – sorry – couldn’t resist), and raising their own livestock in an ethical manner. Or providing internet ordering of meat for customers who may not be able to drop into the shop.
As the Beastie Boys so eloquently put it, you’ve got to have the skills to pay the bills. But the important thing is that you use those skills to solve problems for people.
Why Am I Reading About This Here?
So, what’s this have to do with my business, your business, or this whole Cloud thing?
Well – glad you asked.
I wanted to write about this for a couple of reasons:
- We keep hearing about how Digital Disruption is upending industries, and how the new breed of fast companies are eating the old, slow ones.
- We keep hearing about how The Cloud is coming to change IT methodologies across all industries, and that your old IT systems will be obsolete soon.
My point is that none of this is new.
What is new is that the rate of change has increased, definitely. And it will continue to increase. But I’m here to tell you it’s a good thing. ALL of us need to recognise that the skills we have today are a moving target, and the important thing is to focus on our unique How – How it is that we solve problems for our clients or customers. If we focus on that, and we ensure we have the right skills that we need at the right time to make the best calls, we’ll all deliver massive value for our customers or clients.
And that’s what separates the good from the great.
Also, it’s my damn site so I’ll write about what I please 😀
The Wrap Up
So what’s the take away from all this?
First up, I wanted to write about this because it’s something that’s close to my heart. It’s close to my Why. I see all the time that IT professionals pigeon-hole themselves as “the person who does X”, without realising how it maps to the bigger picture of solving problems. I see it limiting people, and their own mindset restricts their ability to grow. It’s one of the reasons I started this firm, to solve problems for people using technology, and I encourage my team to think about themselves in the same way. We are first and foremost problem solvers. Our clients come to us with business problems, and trust us to solve them via the smart, effective application of cutting-edge technology.
If you’re a client, it’s hopefully something that’s shone through in our interactions. Hopefully this explains why I use the language I do, and why I focus on the things I focus on (that aren’t typical IT things).
If you’re not yet a client, then hopefully this has given you some insight into the sort of people that my team and I are. How we approach things. Why we’re different.
But I also wanted to challenge everyone reading this to think about how you envisage yourself, and what your most valuable skill is.
Post a comment below, or reply to the Facebook thread, and let me know whether you agree or disagree.
Overnight, Microsoft have announced the immediate availability of their new Microsoft To-Do service:
We are excited to introduce To-Do—a new, intelligent task management app that makes it easy to plan and manage your day.
I’ve got to admit though, it’s left me a little confused.
First though, some background:
- Back in 2015, Microsoft acquired Wunderlist, which had built a fantastic light-weight task management app.
- Wunderlist, if you’ve never used it, consisted of a web-based app as well as native apps for mobile devices. You could create tasks in various different categories, assign them to different people, and tick them off when completed. Everything synced back to their cloud, and it all worked really well.
- I used Wunderlist for a long time myself, and it was really a good system. It all *just worked*, which can be pretty rare these days 🙂 .
- The downside to Wunderlist, for me, was that it was another island of information with no integration to any other apps or systems.
- Microsoft’s plan was always to integrate Wunderlist’s core technology into the Office365 platform, and it seems that day has now come.
Microsoft To-Do is what the Wunderlist team have been working on since 2015 – building a new task management app inside the Office365 environment with all of the best bits that made the original Wunderlist app so appealing. With the power of the Office365 platform to build on top of, the team should be able to build a much more complete, integrated and functional product than before.
I’m always keen to try out new apps in the Office365 family, and it’s one of the biggest benefits to aligning your business to the Office365 system. However, in this instance, I’m getting thoroughly confused by Microsoft.
First up, they’ve announced To-Do as a new Office365 service available right now.
Except it’s not.
The blog says “For commercial users, IT professionals can now enable the To-Do Preview through the Office 365 admin center.” But it’s not showing up in my Office365 Admin centre yet, and others are having the same problem. Further down in the comments, Simon Chan, a Microsoft team member, replies “…Sorry for the trouble here. We are in the process of rolling this out to you and it’s taking a little longer than expected. You should be seeing To-Do Preview in the Office 365 Admin Center shortly.”
Wouldn’t you think, if you were launching a new product and you specifically said it’s available now, that you’d make sure it was actually available now?
Part of the problem, I suspect, is related to another comment from Simon further down. In reply to a question about signing in with Work Accounts (Office365 AzureAD accounts), Simon replies: “Hi Dave, We’ll be adding support for Work accounts in To-Do for Web in the coming weeks.”
This piqued my interest.
Office365 accounts are a core part of the Office 365 system. It’s one of the main benefits of building an app like this on the Office365 platform – you get access to all these awesome things that other people have already built and you can use them in your app. In fact, I’d go so far as to say it would be HARD to build an app inside Office365 WITHOUT utilising Office365 accounts.
I’m left wondering if the reason it hasn’t been rolled out to Office365 tenants yet is because the app has been built on a different identity provider architecture to Office365/AzureAD? And if that’s the case, then it may well be weeks before we see it as Simon has seemed to suggest.
Which again begs the question – why would you announce a new app for Office365 when:
- It’s not available in Office365 yet,
- Office 365 users can’t log into it with their Office365 accounts, and
- It will be a number of weeks before the core customers you built the app for are able to access the app?
I don’t have an answer for you there I’m afraid.
Regardless of whether this constitutes a “botched launch” or not, the potentially bigger question here is “do we need another task management app in Office365”?
It’s no secret that I’m a big fan of the Planner app in Office365. As I’ve written about before, I keep a plan for each of my clients, which gives them their own Planner board as well as Sharepoint site (holds all the documents and resources for that client) and Onenote notebook (for scribbling in on the Surface Pro while in meetings, and arranging all that client’s notes).
Recently I’ve started to maintain a special Plan for my Kanban board. Kanban is a popular method for organising work, and I use it to plan out a week’s worth of work at a time. This works so well for me that I have my browser automatically open my Kanban board in its own tab every time I log in.
- On Monday morning I add all the important work that I want to accomplish that week to the left-most To Do column.
- As jobs come up through the week, I create a card for them in the To Do bucket.
- Planner cards can be assigned to different people, so an entire team’s work can be managed from one Kanban board.
- This way, I have an accurate view of my pending work in one spot – not spread across emails, jobs, notes, etc.
- When I start work on a job, I drag the job’s card to the centre “Doing” column. This helps me keep track of the jobs that I’m trying to juggle at the same time, as well as prompting me to only focus on one job at a time, until it’s done.
- When a job is complete, it gets moved to the Done bucket as a historical reference. This is amazingly good from a psychological perspective – we’ve all had those days where you get through to 5 and think “what did I even do all day? Did I accomplish anything?”. Having a record of all the jobs you’ve completed during the day, no matter how small, lets you see the progress that you have made.
- Every Friday afternoon, my last job is to clean out the Done bucket and reset the board for the next week.
For me, this has proven to be a really effective solution for tracking my time, proactively managing my work-in-progress, and celebrating the wins through the week.
But this is not the only way to organise work.
- As I mentioned above, I used to use Wunderlist in a similar fashion (focused on just today’s important jobs, which turned out to be too narrow a view for me).
- But some people use Outlook Tasks.
- There’s Tasks List available in Sharepoint as well.
- If you’re using Visual Studio (it’s free for up to 5 team members!), then you’ve got access to the Kanban boards in that system.
- If we want to expand out and look at other areas where people can have incoming work, there’s obviously your email, but within the Office365 ecosystem you’ve got access to Teams, Yammer, Office365 Groups, and a couple of others. All of these systems are built within Office365 and leverage common data models and systems. Yet none of them talk to any of the others. It’s crazy.
Where does this leave To Do?
To be honest, I’m not sure. And since I can’t enable it in my Office365 to test it out for you, I can’t even give you my impressions on it. I’ve logged into the web interface using my personal LiveID account, and it does look pretty. But is that enough?
I had hoped that To Do would be like Wunderlist on steroids. Integrated into the Office365 ecosystem, it would be a task management app that could reach out into all my channels and bring all my tasks together in one spot.
- An email that I’ve set a Due Date on? To Do could retrieve that and list it as a task to do on the date it was set to.
- A job card in Planner that has a due date? To Do could find that and list it so that it didn’t get missed.
- A Calendar item in Outlook could get brought through as a task for the day, so I don’t miss any meetings when I’m planning my day’s work.
- Integration with Flow would mean that when a new email came in, or a new entry hit my CRM, or any manner of triggers happened, Flow could automatically add a new task for me.
…and that’s just the start of it. Microsoft have built a number of very effective machine learning systems (Delve, for instance) that could be leaned upon to power this.
Unfortunately it looks like the Wunderlist team have just built another Wunderlist, this time with a Microsoft badge on it, and have missed the opportunity to really offer something that their competitors can’t. And in light of the plethora of other solutions that Microsoft currently offer for managing tasks, this smacks of just another Me Too! offering. And that’s a shame, because I think there’s a lot of untapped value here.
So, What’s the Wrap Up?
- Overnight Microsoft launched their new To Do service as part of Office365
- To Do has been built by the Wunderlist team
- You can’t actually access it now though
- And when you can, it doesn’t look like it provides anything that you’re not already doing through other apps (either inside Office 365 or outside on a standalone app)
And strangely, that’s about it for now. I’m as confused as you are.
For anyone contemplating how your business could navigate a move from traditional on-prem IT into a cloud-based environment, this is a good case study around how Aussie managed the transition.
There’s a couple of points that I wanted to highlight from the study. You can use these points to model your own plan:
1) Understand the business.
Every business is different, and has its own requirements. This is especially important when you’re working with technology partners to help you in your transformation – they need to understand your business, your model and your goals as well.
In Aussie’s case, they identified their points of difference around:
- Working one-on-one with their clients in a “trusted adviser” role, not just as a salesperson.
- Their workforce is largely comprised of independent contractors, not traditional in-house staff. They wanted to be able to securely deliver systems, information and services to their brokers whilst allowing their brokers to use their own tech & devices.
- Mobility – they didn’t want their brokers tied down to an office, where their clients had to come to them. From the outset they wanted to empower their brokers to go out to their clients in their homes.
2) Focus on the results, and then the tools.
The technology comes last.
- Aussie wanted to cement their position as the market leader, and ensure that they stayed there into the future. They have a good understanding of the results they want to provide for their clients, and how they want their business to engage and service their clients. This is their Why – their reason for existing.
- From there, they worked out what tools they would need to provide their brokers to achieve that. Security, mobility, reliability, ease of use – these were all attributes of the toolset that they wanted to provide to their brokers. This is their How – the way they are going to deliver their Why.
- Finally, they fitted the technology pieces into the puzzle that made sense for them. They rebuilt infrastructure into Azure to give enhanced uptime. They leveraged EMS and InTune for cloud-based security of information all the way from their central repositories down to individual devices out in the field. They restructured their IT team to be more reactive and customer-focused. This is their What – the nuts and bolts of it all.
3) Design for Innovation.
It’s simple to redesign what you currently have for a cloud environment if all you want to do is swap across like-for-like. It’s easier and it’s quicker. And you will get some benefits from that. Unfortunately, it also misses the point entirely.
By taking the time to look at the business drivers above, and work down to the technology, you have an opportunity to completely redesign the technology that you’re using in the business to take advantage of the opportunities that moving to the cloud brings. It’s apples vs oranges – there’s unique benefits and functionality available when you’re designing in a Cloud-based environment, and this is your opportunity to take advantage of those added hooks.
Aussie designed their new environment from the ground up for innovation. This ensures that not only are they taking advantage of all the extra cloud tricks, they’ve also designed a system that is adaptive, is agile, and is able to quickly be upgraded or added onto as they move forward. They can swap out SQL Servers running in a VM for the Azure SQL PaaS service. They’re taking advantage of OMS to monitor the health of their servers and systems. They’re easily able to A-B test upgrades and rapidly flight upgrades into the main Production environment.
Moving to a Cloud environment in this fashion is completely different to a traditional IT system upgrade. In that case, you plan, deploy and then go-live with the update, and you’re done. That’s it – you’ve got the new system, and you run it for the next however-many years until you achieve your ROI. By designing for innovation though, you don’t have a clear finish line. What you’re doing is building a system that is MEANT to constantly be adjusted, upgraded, changed and tweaked to support your business as it grows and changes. It’s never “done” – it’s simply a framework and a foundation that you can continually evolve – easily, cheaply and rapidly. And that adaptability – that agility – THAT’S what gives your business the edge.
Click here to read the case study from Microsoft:
If you’re contemplating a Cloud migration for your business, think about the points above to ensure you gain the most benefit from such a big transition.
Entrepreneur.com has published a nifty Use These 24 Tools to Run Your Business From Anywhere in the World article. Have a read through it if you’re interested.
As I was reading it, I thought “This is a really good list for people who are either just starting out, or who are looking to unshackle themselves from their current systems”.
Microsoft have released the first official look at the new Dynamics 365 suite, and it looks brilliant.
Dynamics 365 is a combination of Dynamics CRM, Dynamics Marketing, and Dynamics AX, and is available for the first time as an integrated, out-of-the-box cloud solution.
While you could integrate CRM and AX previously (Thanks, Azure Service Bus!), they were still two separate products and platforms that simply synced certain data back and forth. Dynamics 365 is new in this regard – it comprises a variety of modules/apps, all integrated across the suite and leveraging a common data model. This allows a business to pick and choose which modules it wants to use (Sales, and Financials, maybe) based on functional business area, and expand later on (adding in Marketing and Operations, for instance).
Thanks to the simple per-app/per-user licensing model (which I’m a BIG fan of), all employees get access to all the data they need to do their job. This is a huge improvement from the old Dynamics AX / Dynamics CRM licensing position – it was almost impossible to calculate what licenses you needed (the license levels were difficult to understand across a large company), and they were all very expensive. Plus, there were the dependency licenses – Windows Server licenses to scale out the AOS cluster or the SQL or SSRS functions, SQL Server licenses (expensive Enterprise Edition ones if you wanted to deploy a highly-available AlwaysOn cluster), hot-spare provisions within Software Assurance which allowed for site failover, etc. Following the simple Office365 licensing model, Dynamics 365 should be very straightforward to license and budget for. And let’s face it, one of the most important decisions when looking at a new tool is “how much is this going to cost me?”. Now, you’ll be able to answer that question quickly and accurately.
The other huge improvement here (no surprises that I like this), is that the product is available as a complete cloud solution. No running up servers, no needing your own datacentre, no need to worry about backups and data security and all of that. This is a huge time saver firstly, but obviously also delivers a massive cost saving.
I’ve had a bit of experience in designing, building and deploying both Dynamics CRM (2011 and 2013) and Dynamics AX 2012, both as on-prem installs in our own datacentre, as well as building as on-prem installs in Azure’s Infrastructure-As-A-Service facilities. Microsoft have done some good work with LifeCycle Services and the ability to automatically deploy a scaled environment into Azure from template – it saves a lot of time and gets the basics right. But there’s still a lot of post-deployment configuration and tweaking to do. You still need an AX Technical Accountant to help out. And if you want your AX environment to use existing or consolidated resources (i.e., if you want to use your existing SQL Server database cluster vs building and licensing a dedicated SQL just for AX) then you’ve got to be prepared to get your hands dirty. Getting the design alone right is a complex job, and it simply takes a lot of time to build, configure and customise the platform.
The biggest issue people will have with a cloud-hosted ERP is “how am I meant to integrate my other on-premise apps and data with it?”. Whilst I don’t know the specifics of Dynamics 365 yet, I expect my answer will be “the same way you used to when you deployed Dynamics on-prem”. And by that, I mean the Azure Service Bus. AX2012 had built in functionality to talk to a Service Bus. Dynamics CRM used the Service Bus to coordinate syncing between CRM (either on-prem or online flavours) and the online-only Dynamics Marketing app. The best bit was that you could build-in any integration you wanted using the Service Bus. So given that foundation, I expect integration between Dynamics365 and on-premise data silos should be reasonably straightforward.
On the topic of integration, Microsoft shows off the integration between Dynamics 365 and PowerBI, including the new embedded PowerBI charting. The natural language data manipulation of PowerBI will be a very welcome change for ERP reporting. Instead of needing a BI Designer on staff to create static SSRS or ManagementReporter reports, PowerBI will do all the heavy lifting for you, making every team member a data analytics expert. No delay, just simple, graphical and natural-language access to the data that you need to make better decisions.
This empowerment of every team member extends to the Cortana-based artificial intelligence built into the platform, which can proactively suggest actions for your team to take. This leverages Microsoft investments in both Azure Machine Learning and, more widely, their Cortana personal assistant. Personally, I’d be VERY surprised if we didn’t quickly gain Cortana-powered access into LinkedIn via Dynamics365, following Microsoft’s acquisition of LinkedIn earlier in the year. Imagine being a sales person on the road, heading to your next client meeting. Because you’re busy, you’ve just jumped into a taxi straight out of your last meeting, and have 10 minutes to get up to speed on your next one. Integrated with your Outlook / Office365 calendar, Dynamics365 can fill you in with the customer’s current order status, any outstanding customer support issues that haven’t yet been resolved, as well as an overall indicator on the health of your relationship with them. Meanwhile, Cortana can reach into LinkedIn to quickly bring you up to speed on the meeting attendees – what their titles are, what projects they’ve been working on recently, who has a birthday next month, etc.
The mobile apps shown off in the videos look very well polished, and I’d be surprised if they aren’t the final release code. The presenter makes mention of baked-in offline caching of data, so that when you wander out of wifi coverage you can keep working. This is a huge step up in capability, and draws on the experience Microsoft gained in building the Dynamics AX Modern apps for Windows 8. This seamless ease of use, without the user needing to worry about “Am I online? Am I offline? What happens if I walk out of range whilst completing this form? Can I save it, or do I need to start again?”, builds trust in the solution and is just Plain Good Design.
There’s a LOT more in this, of course. And I expect there will be more to see over the coming weeks as we move closer to GA.
For now, this is a very exciting peek at a very compelling product. I can see a lot of smaller companies will be able to leverage this platform to gain the benefits of a consolidated ERP, something which has traditionally been well beyond their ability or budget.
To watch all the videos (and I recommend the keynote, it’s worth the 90min investment), click here: