+1 812 868 ROSS (7677)

Financial Stewardship and the Church

Ok, so I sent a Twitter post last Sunday while my wife and I were sitting in the final class of Dave Ramsey’s Financial Peace University, and he was talking about the notion of "stewardship" campaigns in the church. He points out, and as I’m sure you’re familiar with as am I, that the term "stewardship" usually equates to "fund raising" drive.

Now, I’m all about fund raising, and certainly giving money to worthy causes and tithing to your church should be, and FPU teaches, the very first lines in your budget, before anything else.

That said, as Dave was talking about "the great misunderstanding" about charitable donating, he mentioned something that I found interesting. Dave said, what if more churches taught stewardship, not in the form of donating and asking for money from the body, but stewardship as it was really meant, teaching lessons in managing the abundance given to us.

This has nothing to do with Christians, Jews, Muslims, Hindus or Buddhists. It has nothing to do with Churches, Synagogues, Mosques, or Temples. This has to do with teaching humanity to be good managers of the gifts that have been placed in to our lives.

Now, before I come across as sounding too self-righteous, I’ll be the first one to stand up and say I haven’t been a good steward of the abundance in my life. But I do work on it daily, and get a little bit better every day. But I digress.

The whole point of the lesson is that if the Church (or whatever) began teaching their respective bodies on HOW to be good stewards, there is a VERY GOOD possibility, that the body will respond by GIVING more abundance to the Church.

Of co-location and fiduciary responsibility of services…

I’ve been
thinking about something the last several days, you know I sit on the board of
a couple of non-profit organizations, and we’ve been looking at outsourcing
services to other organizations. I also had a discussion about outsourcing with
a lunch partner today, and this thought cropped up again.

As outsourcing
of mission critical services becomes more and more commonplace, especially in
small business where business owners don’t have the means to maintain a
dedicated technology staff, I have a question about how service organizations mitigate financial risk from service failures.

In
businesses that build and sell widgets, you would typically carry a warranty
reserve as a liability on the balance sheet to compensate for the cost of
returns from the field. But that doesn’t work in a services business that hosts
and maintains mission critical
applications (and quite often sensitive private information). What happens if there is a failure that causes a service outage
for a length of time (which in many cases isn’t very long) creating a financial
impact on the business that relies on the service?

I mean,
I’m sure the company backs up, and I’m sure they co-locate their sites.

I’m
talking from a financial responsibility perspective, how they carry a loss of
service/information liability on their books.Even a publically held company’s
10Q mentions service disruption risks as part of their operating model, go ask
your CFO if your financial processes account for those service disruption risks
on the balance sheet.

Here’s
the reason why; any business that provides goods or services has some type of
reserve on their balance sheet to cover the liability of a failure in either
goods or services.

As part
of the T&C of the service agreement, they will make some claim regarding
confidentiality, integrity and availability of the information and service. If
they fail to meet those T&Cs they’re going to experience a liability. How
do they carry that liability (and how much) on their balance sheet?

It’s
important to know because we’re entrusting our very private and critical
information to a service outside of our control. I’m sure they do their due
diligence on backups, but it’s easy in a fast growing business to not keep up
with the controls necessary to protect the C/I/A of the information (both from
a process and infrastructure perspective).

 The single failure cost of loss to a small business could be
catastrophic (think loss of either information or unintentional divulgence of
information). The company you contract with has some financial responsibility
to make you whole (at least in part) because you have the SAME responsibility
to your community (think about it this way, if your credit card information was
left out on someone’s desk, the cleaning crew came by, took it and ran up
thousands of dollars on www.myporn.com, you’d expect the company to attempt to
fix the problem, wouldn’t you?).

So the
question is how does the company mitigate that risk? In similar cases the way
to transfer the risk is through the purchase of insurance, but you can’t insure
against that. So the company has to self-insure by carrying a liability reserve
account on their balance sheet. Ok, so now, the company has thousands of
clients, right? *IF* there is a failure (in service or process) and *IF* the
company doesn’t carry enough of a reserve on their books to compensate their
clients for a claim, they can’t (or won’t) attempt to make things right without
a fight.

Now, I’m
not so naive to think that we’re going to change anybody’s mind about how any company
does their internal risk mitigation or accounting. But if a company has shown
enough foresight to put internal controls in place to mitigate financial
liability against these types of risks, then there is a good chance that they
have enough foresight to place control in other parts of their corporate
governance. And, if they’re a publically held company, then SOX applies, and
they’re being audited on GCC anyway.

Now
before all y’all think that this makes no difference, and that I’m tilting at
windmills, consider that just in the last couple of weeks, that Home Depot had
a laptop stolen with "the names, home addresses and Social Security
numbers of 10,000 employees," AND Iron Mountain a DATA PROTECTION SERVICES
COMPANY admitted it lost a decade’s worth of bank account data and Social
Security numbers for almost all Louisiana college applicants and their parents
during a move when a driver apparently failed to follow company security
procedures.

All of
these weren’t malicious attempts at terrorism, they were simply part of the
category of sh** happens.

At the
end of the day how a company’s internal processes address these types of risks
is a barometer of where their focus sits.

 

Home Depot and Iron Mountain report missing data

Link: Home Depot and Iron Mountain report missing data.

Ok, I was
looking in to
Iron Mountain’s Live Vault online backup service when I ran across this story from searchsecurity.com.

Apparently,
in two separate incidents, home improvement Goliath Home Depot has lost
information, including social security numbers, on some 10,000 employees when
the notebook computer was stolen from the car of a company manager. 

Then in a
separate incident, data protection megalith
Iron Mountain lost a decade worth of data from the state of Louisiana,
including social security numbers, of almost every state college applicant for
the last decade.

In both
incidents, lax security practices were to blame including the lack of
encryption of the data lost. This brings us to the whole point of this post;
with the capacity of media (tapes, disk, USB drives, etc.) becoming almost
cavernous, the ability to transport multi-gigabytes of personal information for
entire organizations becomes trivial. I personally have a USB drive on my key
chain that has a capacity of 16GB.  

This
entire large capacity media presents an enormous security risk for information
theft of people and organizations. The need for data encryption of media is
critically important. We can no longer rely on information being secure within
the organizational perimeter; the simple loss of a laptop, the loss of a USB
drive or backup tapes creates an opportunity for theft of identity and loss of
confidentiality.

This isn’t
about garrisoning the organization either; management of a PKI in most
organizations is difficult to manage. Pareto was right, and the 80/20 rule goes
a long way to mitigating risk. Solutions for removable media include simple
open source applications like TrueCrypt
(an great open source tool) that provides 256 bit AES
encryption, this application can be used for creating secured virtual disks on laptop
drives and USB drives.  

For other
types of removable media, tapes and so forth, most backup tools, ArcServe, etc.
provide means of encryption of tapes.

You can
find more information of commercial and open source encryption software at this
Wikipedia
article.

Storm worm strikes back at security pros – Network World

Link: Storm worm strikes back at security pros – Network World.

Ok, you saw me post an
article earlier that compute cycles on the Storm
Worm botnet network
appear to be for sale. Now it appears that Storm Worm
network is fighting back against attempts to do reconnaissance on its internal
architecture.

In an article today posted
both on Slashdot
and Network
World
, the worm can “figure out which users are trying to probe
its command-and-control servers,
and it retaliates by launching DDoS attacks
against them” notes Network World senior editor and story author Tim Greene.

 

When I read the story the
first time through, I got a cold chill down my spine. It’s not that things like
this haven’t happened before, but honestly, this is the first time I’ve seen
something as wide spread as a malicious botnet retaliating against users.
Flashes of Skynet from the Terminator
movies and Colossus: the Forbin Project
immediately came to mind.

This has more to do with what’s
next? Is it possible that we are too clever for our own good? I hate fear
mongering, I really do. We look around at the amount of state sponsored
terrorism in the world, and yes don’t be naïve, we do it too, building
technological infrastructures such as what we’ve been reading about here is positively
chilling.

Bringing ‘Lean’ Principles to Service Industries — HBS Working Knowledge

Link: Bringing ‘Lean’ Principles to Service Industries — HBS Working Knowledge.

In his book "The Machine That Changed the World," Jim Womack, et al. discusses the inception of "Toyota Production System," eventually to become known as lean manufacturing.

The basic concept is simple (ok, for all you lean experts, I know this is an oversimplification, but give me a break), figure out how long it would take to make something and how much material is needed, if everything went according to plan; no delays in assembly, no part shortages, no rework, and so forth. Whatever happens to make that ideal time take longer and use more material is called waste (or muda in Japanese). For example, if I’m making a red Swingline stapler, and I can’t finish an order for a customer because either the red plastic housings were late, or I had to pay an expedite charge to get them on time, or I had to throw a bunch of them out because I ran over them with a forklift, all of that is considered waste.

Waste in a process, any process, is bad; it doesn’t contribute in the least adding any type of value to the thing you’re making. Waste is also inevitable; you simply can’t get around it. So, the basic notion of lean manufacturing is to remove as much waste from a process as is possible. It’s a balancing act, between capacity, quality, and efficiency.

Ok, I said all of that to say this… Over the last 20 years tremendous strides have been made in implementing lean manufacturing concepts in a number of manufacturing settings. What have been lagging behind, dramatically, are similar concepts in “soft” or office processes. Office processes are notoriously wrought with all sorts of waste. When was the last time you had waited on a reply to an email on some issue that required an answer prior to completing some other task? I’m not being self-righteous, I engage in waste myself, and waste is unavoidable because we are human and flawed.

That said small incremental improvements (called kaizen in Japanese) is what is required to move forward. We’re talking evolutionary, not revolutionary. You can’t fix the world all at one time, so how do you, as the cliché goes, eat an elephant? The answer is one bite at a time. That’s what kaizen is all about making small incremental and measurable improvements in processes.

In the referenced article from the Havard Business School, the author Julia Hanna discusses the ideas of bringing lean principles to the office process and services industries. There are so many sectors that need this kind of help, the social services and non-profit sectors are prime candidates for this type of assistance. The non-profit sectors are often overworked, but have people with a passion for what they’re doing, and they’re often doing and re-doing tasks over and over again. I’m involved as a board member of two non-profits and see this as an ongoing problem, and for these organizations to succeed, simplifying processes to minimize labor, material, in short waste, is a key business concept.

Trying to make the connection for the office folks is another story though, it’s often the case that conveying the need for this type of improvement is difficult to effectively communicate if the individuals involved don’t really have a background for it. Also, not all lean principles translate into lean office concepts; some creativity in plying the lean concepts is in order.

This is an excellent article discussing some of the research in implementing lean in an office, and perhaps we’ll see more of it in the social and NPO sectors.

Here are some good references to read:

Wikipedia: Lean Production

SME: Lean Office

Now, I’m off to Poke Yoke a purchasing process.

Slashdot | Storm Worm Botnet Partitions May Be Up For Sale

Link: Slashdot | Storm Worm Botnet Partitions May Be Up For Sale.

Holy BOTNET Batman!

Having JUST posted a message about the NVD from US-CERT, I’m trying
to get back to work and read this feed from Slashdot. It seems that Joe
Stewart, an information security research specialist with SecureWorks
has seen evidence that the massive Storm Worm botnet is being broken up
and the resulting compute cycles are up for sale to the highest bidder.

Not just for pimple faced teens anymore, this represents one of the
first trends of mercenary computing I’ve seen. The Storm Worm network
has been described as the worlds most powerful supercomputer in this
ZDNet article: (Storm Worm botnet could be world’s most powerful supercomputer).
So what does this mean? It means that this isn’t about hacking anymore,
cyber-terrorism is a real threat to government and commercial
enterprise.