ISACA announces global governance Report 2006

March 14, 2006

The Information Systems Audit and Control Association (ISACA) has released its 2nd report (the first was in 2003) on IT governance. The report contains interesting information about the current “state of the art” of IT governance. I’ve just taken a look at it and it looks pretty good (it’s free 🙂). I’ll dig deeper into the graphs, but in my first cross-reading I found this curious data:


CEOs consider IT more important for the overall strategy of the organization than IT management! That is not what common sense tells us every day. But of course it’s a survey… It stands for what is said, not what is done.

Brazilian IT Metrics

March 12, 2006

There is not much information (public and free) about specific IT metrics for Brazilian markets. The Getulio Vargas Foundation provides one survey with sound historical data and methodology. I’ve summarized some interesting information from the report in the following table:

| Index | 1998 | 2005 | past 16 years | past 8 years | 1 year |
|---|---|---|---|---|---|
| Computer yearly sales (millions) | 0,4 | 5 | 18% | 18% | 9% |
| Computers (millions) | 1 | 23 | 20% | 23% | 18% |
| Std. computer price (US$ 1.000) | 5 | 0,4 | -15% | -16% | -10% |
| Annual cost per user (US$ 1.000) | 9 | 8,9 | 0% | -5% | -2% |
| IT spending / operating profit | 1,30% | 5,10% | 9% | 7% | 4% |
| Number of employees / keyboards | 20 | 1,8 | -14% | -10% | -4% |

They are not great metrics, but they show spectacular growth in installed computers (18% in a market with a population of 180 million) and, of course, a decrease in the cost-per-user ratio. Another interesting point is that, in spite of the increase in computers (keyboards), the ratio of employees to keyboards is decreasing, but more slowly than in past references. That could mean that the growth of the Brazilian economy and employment is taking place in areas that do not require computers (commodities, for example).

Talk with your CEO

March 4, 2006

Sometimes CIOs and IT managers get frustrated trying to communicate with clients, business managers and process owners. They are supposed to have answers and proposals for a wide range of issues within the organization. But, as a matter of fact, our world is not perfect and they don’t! On the other hand, business managers do not always understand the challenges and complexity of IT projects and environments. This makes both sides feel uncomfortable and insecure, poisoning the relationship or partnership between these two “worlds”. I’ve seen more than once IT colleagues trying to explain projects, budgets or other IT stuff to puzzled managers, or IT personnel feeling uneasy because they didn’t catch what businessmen wanted.

There’s no single way to address these problems. But there are things that business and IT people should be aware of:

  • Language sharing: Some may say that executives speak only the language of money. That’s not true. Money is only a measure, like others. A CFO could understand an IT portfolio, but a lawyer may need other means.
  • Risk alignment: Do not show tech/project risks alone; try to link them to well-understood business risks and, if possible, to business objectives and their associated metrics.
  • Think at the margin: Utility is a marginal concept. Exchanges happen in marginal terms.
  • Set good metrics: How we measure results is a complex matter, but how we interpret the metrics is even messier. We should spend more time defining and clarifying what the metrics stand for and what they mean. This is especially important when divergences arise.
  • Win-Win: Good deals always make both parties better off. If anyone thinks that he is worse off, it can’t be called a deal.

All of the above are only a bunch of different ways to say “Talk with them”. They are humans; they have specific incentives (as you have). If we discover how to improve communication, that will maybe not resolve all our disagreements, but at least we will have better tools to manage them.

StrategIT Tip: Soft skills are commonly forgotten; communication is at the very heart of business processes. Improving it will improve overall organizational performance. Do as you would with your wife/husband: just try to understand the other’s needs.

Google Desktop Risk

March 1, 2006

Google has announced the latest version of Google Desktop. I tested the previous versions of the product with satisfaction. The searches were fast, the documents, e-mails and files shown were good and relevant to the search keys used, and the indexing process was well designed, acting only when the computer was idle. The “missing” feature was the limitation of searching only in the local file space. This limitation has been removed in this new version and, in addition, Google stores a copy of the index on the company’s servers. The company argues that the index will be retained for only 30 days, that it will be protected and encrypted, and that Google will not compromise the information in the indexes. What will this information be used for? Actually, I don’t know; but it wouldn’t be a surprise if it were used within other services like Gmail, Google Maps or Orkut, or for other unspecified data mining purposes. As a matter of fact, we must trust Google and trust that this information will be well protected within their complex network.

From my point of view, two important risks arise from this issue:

  • Although the information will be encrypted before it is transmitted to Google’s servers it does not . Somehow the information could be intercepted by strangers.
  • When the information is stored on the servers it could be viewed by others (inside or outside Google), especially if it’s integrated with other services.

These risks are quite high, not because the controls in place are weak but because of the information stored on our desktops. Individuals and organizations keep their most sensitive information in personal folders and mail inboxes. That is, the impact of an eventual data theft will affect this very information.

Recommendation: Assess whether it is worth it and consider the use of enterprise search solutions.

StrategIT Tip: Information and meta-information should be controlled. Some desktop applications could undermine our protections. Monitoring the security and privacy impact of these applications should be an intelligent habit for managers.

RFID privacy and more

February 22, 2006


Radio Frequency ID tags are wonderful! Hi-tech embedded in a thin plastic band. Cheap, flexible, powerful and useful for a wide range of applications; but since their popularisation there has been some controversy about security and privacy issues. Civil rights groups and the privacy-concerned public are clamoring against the use of these devices and demanding government regulation. They are right, but only partially. Some cases could be pretty sound, like pharmaceuticals (really, I don’t want someone to know that I’ve got Viagra in my briefcase!), but if a company uses RFID to manage inventory, supply-chain or maintenance processes, is it affecting anybody’s privacy?

The privacy problems are mainly two, one technical and the other psychological:

  • They must be low-cost devices and therefore they can implement only a limited set of algorithms for encryption and authentication mechanisms. News like this one (yes, it is the S from RSA!) shows the reality of RFID security. Now it’s just an isolated experiment, but recent events in the security market . (A good example is the WEP encryption standard for WiFi networks: in only months, Wired Equivalent Privacy became synonymous with insecurity.)
  • The fear of the forces of progress and of technological change. Politics and lobbying agents also matter but, of course, they need some gas in the form of public support. This one, unfortunately, is messier to deal with.

In addition, some other managerial questions are also relevant. If some critical processes rely on information gathered by RFID infrastructures, there are some questions we should answer (a first approach):

  • Is there some concern about and awareness of RFID risks?
  • Is your organization managing policies and procedures related to RFID and complying with current regulation?
  • Are controls in place to ensure that RFID tags are properly issued and scrapped?
  • Are controls in place to ensure that RFID infrastructure systems are tracking all items reliably?
  • Are the RFID tags properly deactivated to safeguard clients’ or suppliers’ privacy?
  • Who is accountable for all this stuff?

Let me show a simple example: A regular task for financial auditors is to estimate inventory accounts based on physical inventories using samples. What if your systems provide a quasi-physical inventory based on an RFID warehouse facility? Should the auditor rely totally on this data? Should the auditor work as if there were no RFID system? I leave the answer to the reader.

Pending task: How about a good IT audit program for RFID environments?

Strategy Tip: Don’t forget, new emerging technologies come together with “emerging” risks.

OS X Malware born

February 19, 2006

Sooner or later markets reach equilibrium. Computer virus markets, like others, are no different. Some users of Mac environments thought they were safe from viruses, but that is now a myth. This past 16th of November the 1st worm for Apple’s OS X was discovered. It is not very aggressive; it is just a proof of concept that malware is not only possible but a real menace on this platform.

Apple’s strategy of migrating its platform from PowerPC to Intel could be a signal that OS X could become a much more popular OS in the future. If Apple’s countermeasures against copying and deploying OS X on standard PCs (today it’s possible but illegal) fail, the population of OS X-suited (or hybrid) malware will increase soon. Malware is not about technology; it’s a market phenomenon.

On Human Machine Interfaces – Future or dream?

February 17, 2006

We’ve seen it before in comics and movies like Minority Report. This device developed at NYU is a dream for science fiction lovers and widget maniacs. Look at the new display! It’s fantastic!

For years I’ve seen experts, researchers and journalists announcing futuristic interfaces and a revolution in how we communicate with machines. Is this revolution really coming? Is it real or a dream? I must recognise, I like the invention. I’d like to play with it, but how about working ten hours a day with it? The history of human development shows us that improvements in productive processes are commonly (if not always) driven by some energy efficiency. First of all, we try by all means to reduce our physical/manual labor. Finger pads, mice and trackballs are finger-adapted devices which save human energy, and indeed they are better (considering just energy consumed) than devices adapted for hand, arm or body movements. On the other side of the equation is output. Only if the increase in output (usability, speed,…) from using these devices exceeds the value we lose (costs) – measured in energy or equivalents – would we see a revolution in human-machine interfaces (HMI). I’m unable to foresee the future, but for now I think that the benefits of using these gadgets are less than the costs. So my forecast is that this revolution will not take place, at least for the moment. Some specific areas such as CAD, home electronics or surveillance systems could have a different surplus scenario and maybe these technologies might be adopted soon, but generally speaking, I don’t see a future with ubiquitous touch-screens.

Rumours: Apple is in the mood to release a new gadget with similar technology. The TPod?

To think about: Apple’s killer product, the iPod. What HMI does it use? The thumb!

Strategy Tip: Think broader; take into account not just the advantages of technologies but their costs (not only money) too. Both are mirror images of the same thing.

Comments are open!