IT Management News

Internet Misuse Concerns CIOs

When employees and enterprise associates misuse the Internet there are ramifications for and to your enterprise:

• Higher operating expenses and reduced productivity
• Exposure to security problems such as malware
• Exposure to legal risks due to inappropriate material  
• Wasted bandwidth to support the misuse
• Unlicensed software when users download and install software from the internet
• Reputation risk from social networking which can create opportunities for employees to leak confidential information or spread damaging rumors online

Expenditures Closely Watched by CIOs and CFOs

In today's economy, all purchases are carefully scrutinized to ensure that each new piece of hardware and software can produce a rapid return on investment (ROI). However, even attractive and accelerated paybacks are not enough to justify additional expenditures as cautious CIOs and CFOs must continue to slow their technology spending in order to ensure weathering the current economic conditions.

According to an annual survey of top CIOs from multinational Fortune 1000 companies conducted by Goldman Sachs & Co., networking equipment emerged as one of the greatest potential areas for cost reductions in 2009. The CIOs surveyed also indicated an intensified focus on projects involving total cost of ownership (TCO) reductions, such as server virtualization and server consolidation. Faced with severe budget constraints, many CIOs also are delaying product upgrades and technology refreshes, despite the fact that OEMs continue to release next-generation products in increasingly rapid-fire succession.

As a result, increasing numbers of corporations are embracing asset recovery strategies as part of their recession survival tactics. Corporate network budgets, in particular, can be willing recipients of a welcome boost from asset recovery since high-end routers and switches retain more value than many other types of hardware. The keys to maximizing the value of surplus technology in a down economy are determined by how, when and where to offload unwanted gear as well as identifying the partner that can offer top dollar for extraneous equipment along with unparalleled responsiveness and superior customer attention.

Metrics Key to CIO Success

CIOs frequently ask what IT should measure and report to business executives. The key to success is choosing a small number of metrics that are relevant to the business and have the most impact on business outcomes.  The basis for  metrics that work are that they meet the criteria for relevance and impact are investment alignment to business strategy, business value of IT investments, IT budget balance, service level excellence, and operational excellence.

Metrics should form the core of an IT performance scorecard and should center around:

• Alignment of IT initiatives, investments, and operational support to the strategy of the enterprise
• Value added that IT brings to the enterprise
• Cost of new initiatives versus the cost of maintenance of existing processes
• System availability and ease of use
• Health of systems and IT function

Easier to Cut Salaries than Lay-off Staff

Here's the good news: While companies certainly have laid off huge numbers of employees since the economy first started to implode, it appears many of them are doing everything they can to minimize the number. From the Challenger, Gray & Christmas, Inc. press release:

... employers announcing job cuts have initiated more cost-cutting measures than employers that have not cut payrolls. Companies that made permanent job cuts averaged an additional six cost-cutting measures. Meanwhile, companies that have avoided layoffs averaged less than three cost-cutting measures.

"There is a perception out there that some companies have not made sufficient efforts to avoid layoffs by making cutbacks in other areas. This perception is fueled, in part, by a handful of examples of companies announcing job cuts while, at the same time, rewarding top executives with large salaries, bonuses and extravagant perks. However, these examples represent the exception," said Challenger chief executive officer.

"It would also be a mistake to assume that companies avoiding layoffs are doing so out of kindness. While forging good will is certainly part of the decision for some companies, many have simply cut to the bone already or never fully ramped up after the last downturn. Other companies may have more workers than they need for current business levels but are reluctant to enact widespread layoffs, knowing that a recovery will mean recruiting and training all new workers.

"This may be why we have seen an increase in the number of companies cutting salaries and other perks. It is a lot easier to restore compensation and benefits than it is to re-hire and re-train workers when the economy improves."

PCI Compliance Has Benefits Beyond Mandated Requirements

PCI compliance is used as a basis for guidance on fulfilling management responsibility in relation to audits, and information on ensuring continual improvement of IT security efforts.  There is merchant confusion about all of the PCI DSS’s six main themes: Building and maintaining a secure network, protecting cardholder data, maintaining a vulnerability management program, implementing strong access control measures, monitoring and testing networks, and maintaining an information security policy.

PCI as a robust security standard has potential benefits beyond its immediate requirements. A generic application of its principles can fulfill other regulatory requirements for information security and privacy.  PCI compliance is mostly information security best practices. However, there is quite a bit of devil in the details of the PCI requirements. There are over 250 detailed testing procedures.

Penalties for noncompliance include higher transaction processing fees, fines, and, in extreme cases, denial of credit card processing capabilities. Violators also face legal fees, civil lawsuits, customer rejection and related revenue loss, and other costs and losses.  Understanding the PCI authority structure is important in maintaining control over PCI strategy and audits.

The PCI DSS security requirements apply to all "system components." A system component is defined as any network component, server, or application that is included in or connected to the cardholder data environment. The cardholder data environment is that part of the network that possesses cardholder data or sensitive authentication data. Network components include but are not limited to firewalls, switches, routers, wireless access points, network appliances, and other security appliances. Server types include, but are not limited to the following: web, database, authentication, mail, proxy, network time protocol (NTP), and domain name server (DNS). Applications include all purchased and custom applications, including internal and external (internet) applications.