X for Tax

March 26, 2006

SOXLast week I was invited to a IT Audit conference in Sao Paulo to give an speech on risk assessment methodologies applied to IT. There I’ve the opportunity to speak with many professionals from Internal audit, public accountant firms and consultant services. Their most common concern was the compliance with SOX Act (Non U.S. companies and subsidiaries listed SEC regulated stock markets must comply this year) and the associated costs (not only money but also knowledge and human capital) they are incurring. As two years ago in the US the Audit and risk consultancy markets are heating and overwhelmed, all want to be ready for internal control attestation derived from the law. There are no way out , they must make it!

 The last year I was involved in a SOX project and I must admit it, it was difficult to deal with some unclear and bureaucratic requisites of the Act. SOX implementation processes have many positive consequences(from IT’s point of view) but, of course, it is not perfect and satisfactory for all possible cases. Are the positive consequences of SOX more valuable than the negative? The answer is not straightforward in many aspects, and we haven’t sufficient historical data to measure the effects, and if we’d have it , it wouldn’t simple to do. The pertinent question is: What really this bill means?

Let suppose that I and some partners have a property in Hawaii, because we have not enough time to use it we decide to rent it. Taking care of the renting details (like dealing with tenants, maintenance, security…) requires time as well, so we decide to contract an administrator to manage the whole thing. The administrator contracts several services including a surveillance to ensure our(and tenants’s) assets are properly safe. Two year latter we visit the property and we discover that we were wrong. The property is devastated, the administrator in collusion with security services have bee stealing assets, the good tenants we have gone. The value we thought we’ve got, blew. Fraud was taking place. The case arises in the local media, the city major is concerned because the housing system of the city is based on properties like ours, and try to respond by creating a new local regulation to increase security (for example – buildings must have a 24h surveillance cameras, security teams, locks,…) free for the tenants. So we (and all other owners) must spend more money in security services to comply with the new regulations.

Economists who have researched this regulations conclude that the effect of them is the same as a tax. In this case, a tax, that transfers resources from property owners to security providers and tenants. The irony in this history is that the regulation set a premium for security firms who were involved in the fraud.

Enron and similar financial scandals are used to justify the issue of SOX Act by US Congress in order to protect stakeholders (an important part are owners). Like in the history above SOX is a tax imposed to owners and customers. Whether the tax is desirable or not is another question but the bottom-line is that we should be aware of the existence of it. Therefore, IT managers should consider the SOX tax as an additional cost when performing projects plans or estimating ROI drivers. Thus, avoiding or underestimating this cost could transform a profitable project into a unprofitable one. Actually the problem, is greater, Why the government (who ignores the real organization’s risks and strategy) has transform a profitable project into a unprofitable one?. But that’s is another history….

SUN grid under DoS attack

March 25, 2006

Bad news for those who saw SUN’s Grid project as a first global step toward IT comodisation. It show the intrinsic vulnerabilities of Internet based services, furthermore, it shows how weak are infrastructures we depend of. But I’m optimistic with this kind of projects and solutions because the sound economic logic they are founded.

Will keep an eye on this new born service.

Usability and the hidden side of system design

March 21, 2006

DummyIT Systems are tools and tools are used by humans in order to do something. Therefore, tools are always means not objectives. We use a tool because it is more effective and efficient to use it than to use other tools or simply no tools at all (if possible). Rationally thinking, the more usable tools the better the results we get. But is it this so straightforward?. Generally , yes. Although it was a tool-focused analysis. What If we see the problem from the human (human action) point of view?. Humans are driven by incentives, and these incentives are balanced among multiple things such outcome of action, costs and motivation. What happens when tools are more usable? Does a new tool change the set of incentives?

I’ll try to explain it using an example:
Automobiles are tools used by millions to transport themselves. Conventional wisdom tell us that bigger and heavier cars or trucks (like large pick-ups or SUVs) are safer (that is they make better tools for ground transportation). Facts show that it’s false. There are multiple reasons but one of them is behavioural; SVUs drivers are (on average) more aggressive drivers. Thus, the confidence and apparent security of these vehicles make drivers less careful and risky. One of my favourite american economists (David Friedman) has suggested that if we really want to reduce the crashes on our roads and streets we should better attach a hand grenade wired to a collision detector. It’s sounds crazy but, of course, we don’t have empirical data to probe it. On the other hand, the NHTSA statistics shown that safety regulations on safety had not a dramatic impact on car accidents(Regardless the ratios has decreased over the time).

Are information systems different? My point is that they aren’t. So, in absence of regulations imposed by governments, a system designer should take in account not only the usability, ergonomics or friendly interfaces, but also in terms of incentives of target users. The objective of systems (within an organization) is to improve the overall productivity and effectiveness. A simple-to-use system/interface (a for dummies system) could be suitable from a technological point of view but it could make users less productive, careful (as we saw in the SVU example) or omit some relevant control topics. Actully because most users are not dummies, specially those more productive and trained.

StrategIT Tip: When planning, evaluating or designing a system think first in the people and incentives from target users. Tools are only means not ends.

ISACA announces global governance Report 2006

March 14, 2006

The Information systems audit and control association (ISACA) has released they 2nd (the first was in 2003) of IT governance. The report contains interesting information about the current “state of art” of IT governance. I’ve just take a look into it and it looks like pretty good (its for free 🙂 ). I’ll dig more deeper in the graphs but in my first cross-reading I have found this curious data:


CEOs consider IT more important for overall strategy of the organization than IT management! That is not what common sense tell us every day. But of course it’s a survey…. It stands for what it’s said not what it’s done.

Brazilian IT Metrics

March 12, 2006

There are not many information (public and free) about specific IT metrics for Brazilian markets. The Getulio Vargas Foundation provides one survey with a sound historical data and methodology. I’ve summarized some interesting information in the report into the following table:

Index 1998 2005 past 16 years past 8 years 1 year
Computer yearly Sales (Millions) 0,4 5 18% 18% 9%
Computers (Millions) 1 23 20% 23% 18%
Std. Computer price(US$ 1.000) 5 0,4 -15% -16% -10%
Annual cost per user (US$ 1.000) 9 8,9 0% -5% -2%
IT Spending / operating profit 1,30% 5,10% 9% 7% 4%
Number of employees/Keyboards 20 1,8 -14% -10% -4%

They are no great metrics but show a spectacular growth of installed computers (18% in a 180Mill population market) and of course a decrease of the cost per user ratio. Other interesting data is that in spite of the increase of computers (keyboards) the ratio of employees / Keyboards the is decreasing but slower than past references. That could mean that the growth of Brazilian economy and employment is taking place in areas that do not require computers (commodities for example).

Talk with your CEO

March 4, 2006

talking Sometimes CIOs and IT managers get frustrated trying to communicate with clients ,business managers and process owners. They are supposed to have answers and proposals for a wide range of issues within the organization . But ,as the matter of fact, our world is not perfect and they don’t! On the other hand, business managers do not always understand the challenges and complexity of IT projects and environments. This make both feel unpleasant and insecure poisoning the relationship or partnership between these two “worlds”. I’ve seen more than once IT colleagues trying to explain projects, budgets or other IT stuff to puzzled mangers, or IT personnel feeling uneasy because the didn’t catch what businessmen wanted.

There’s not a unique way to address this problems. But there are things that Business and IT people should aware:

  • Language sharing: Some may say that executives speak only money language. That’s not true. Money it’s only a measure, like others. A CFO could understand a IT portfolio but a lawyer maybe needs other means.
  • Risk alignment: Do not show tech/project risks alone try to link them to well-understood business risk. If possible to business objectives and they associated metrics.
  • Think at the margin: Utility is a marginal concept. Exchanges happen in marginal terms.
  • Set good metrics: How we measure results is complex matter, but how we interpret the metrics is even messier. We should expend more time in defining and clarifying what for the metrics stand and what does it mean. This is specially important when some divergences arise.
  • Win-Win: Good deals make always both parts better off. If anyone thinks that he is wore off it couldn’t be called a deal.

All above are only a bunch of different ways to say “Talk with them”. They are humans, they have specific incentives (as you have). If we discover how improve communications that will, maybe , not resolve all our disagreements but at lest we have better tools to manage them.

StrategIT Tip: Soft skills are commonly forgotten, communication is very heart of business processes. Improving it, will improve the overall organization performance. Do like with your wife/husband just try understand other’s needs.

Google Desktop Risk

March 1, 2006

GDesktopGoogle has announced the latest version of Google Desktop. I tested the previous versions of the product with satisfaction. The searches were fast, the documents, e-mails and files showed were also good and relevant for the search keys used and the indexing process was well designed acting only when the computer had idle times. The “missing” feature was the limitation of searching only in the local file space. This limitation has been removed in this new version and, in addition, Google stores a copy of the index on the company’s servers. The company argues that the index will be retained only for 30 days and it will be protected and encrypted and Google will not compromise the information on the indexes. What will be use of this information? Actually , I don’t know; but it wouldn’t be a surprise that it could be used within other services like Gmail, Google maps or Orkut or for other unspecified data mining purposes. As the matter of fact we must trust Google and trust that this information will be well protected within their complex network.

From my point of view, with this issue arise two important risks:

  • Although the information will be encrypted before it is transmitted to google’s servers it does not . Somehow the information could be intercepted by strangers.
  • When the information is stored in the servers it could be viewed by other (inside or outside Google) specially if it’s integrated with other services.

These risks are quite high not because the control in place are weak but because the information stored in our desktop. Individuals and organizations have the more sensitive information stored in personal folders and mail inboxes. That is the impact of an eventual data theft will affect this very information.

Recommendation: Asses if it worth it and consider the use of enterprise search solutions.

StrategIT Tip: Information and meta information should be controlled. Some desktop applications could undermine our protections. To monitor the security and privacy impact of this applications should be an intelligent habit of managers.