<?xml version="1.0" encoding="UTF-8"?>
<!-- generator="weebly" -->
<rss version="2.0" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:wfw="http://wellformedweb.org/CommentAPI/" xmlns:dc="http://purl.org/dc/elements/1.1/" >

<channel><title><![CDATA[AVAINTCON Consulting - BLOG]]></title><link><![CDATA[http://www.avaintcon.com/blog.html]]></link><description><![CDATA[BLOG]]></description><pubDate>Sun, 20 May 2012 03:44:38 -0500</pubDate><generator>Weebly</generator><item><title><![CDATA[What does the new Bill C-30 mean "Protecting Children from Internet Predators Act"]]></title><link><![CDATA[http://www.avaintcon.com/1/post/2012/02/what-does-the-new-bill-c-30-mean-protecting-children-from-internet-predators-act.html]]></link><comments><![CDATA[http://www.avaintcon.com/1/post/2012/02/what-does-the-new-bill-c-30-mean-protecting-children-from-internet-predators-act.html#comments]]></comments><pubDate>Mon, 20 Feb 2012 20:17:25 -0500</pubDate><category><![CDATA[Uncategorized]]></category><guid isPermaLink="false">http://www.avaintcon.com/1/post/2012/02/what-does-the-new-bill-c-30-mean-protecting-children-from-internet-predators-act.html</guid><description><![CDATA[If passed, law&nbsp;enforcement will be able to&nbsp;access internet&nbsp;company's&nbsp;(Bell, Videotron, Rogers) customer information such as:client's name.phone number.IP address.web data.With this one can find out:what web sites an individual has gone to.someone's surfing habits online.what vi [...] 
]]></description><content:encoded><![CDATA[<div  class="paragraph editable-text" style=" text-align: left; ">If passed, law&nbsp;enforcement will be able to&nbsp;access internet&nbsp;companies'&nbsp;(Bell, Videotron, Rogers) customer information such as:<br /><ul><li>client's name.<br /></li><li>phone number.<br /></li><li>IP address.<br /></li><li>web data.<br /></li></ul><strong>With this one can find out:</strong><br /><ul><li>what web sites an individual has gone to.<br /></li><li>someone's surfing habits online.<br /></li><li>what videos they're viewing.&nbsp;<br /></li><li>what content they read.&nbsp;<br /></li></ul><strong>They will not be able to:</strong><br /><br /><ul><li>Read your email.<br /></li><li>Access data on your computer<br /></li></ul>I know there is already a lot of&nbsp;controversy&nbsp;around this, but if you take a closer look at Google, and their ad technology, Google already does this.&nbsp;<br /></div>  ]]></content:encoded></item><item><title><![CDATA[How To Block Facebook's Face Recognition And Tighten Other Privacy Settings ]]></title><link><![CDATA[http://www.avaintcon.com/1/post/2011/07/how-to-block-facebooks-face-recognition-and-tighten-other-privacy-settings.html]]></link><comments><![CDATA[http://www.avaintcon.com/1/post/2011/07/how-to-block-facebooks-face-recognition-and-tighten-other-privacy-settings.html#comments]]></comments><pubDate>Mon, 04 Jul 2011 14:37:08 -0500</pubDate><category><![CDATA[Uncategorized]]></category><guid isPermaLink="false">http://www.avaintcon.com/1/post/2011/07/how-to-block-facebooks-face-recognition-and-tighten-other-privacy-settings.html</guid><description><![CDATA[Here is&nbsp;how to turn Face Recognition off, and make your profile as safe as you'd like it to be. By adjusting its interface, Facebook has now enabled "tag suggestions" to many more of its users around the world, which means your friends will get an alert if someone uploads a photo that Facebook thinks contains your image. 
They'll be invited to tag it, and then your ID's associated with tha [...] ]]></description><content:encoded><![CDATA[<div  class="paragraph editable-text" style=" text-align: left; ">Here is&nbsp;how to turn Face Recognition off, and make your profile as safe as you'd like it to be. <br /><span></span><br /><span></span>By adjusting its interface, Facebook has now enabled "tag suggestions" to many more of its users around the world, which means your friends will get an alert if someone uploads a photo that Facebook thinks contains your image. They'll be invited to tag it, and then your ID's associated with that image. Sounds neat in some ways, and there are a few privacy nods thrown in--Facebook notes that only friends can tag you, you'll get notified of the tag, you can remove tags and so on. But the system is actually turned on by default--which is Facebook's privacy boundary creep in action. Here's how to turn it off, with a reminder of how to enable other privacy measures.<br /><span></span><br /><span></span><STRONG>Face Recognition<br /><span></span></STRONG><br /><span></span>Under the "Account" drop-down menu at the top-right of Facebook's title bar, click "Privacy settings." On the bottom half of the next window, under "Sharing on Facebook" click "Custom." Then at the bottom, click on the little blue pencil and its "customize settings label." In the next window scroll down to the "Things others share" section and the third list item, "Suggest photos of me to friends." Click on the "Edit Settings" button, and scan to the middle right of the new pop-up window, which has little pics of your friends to remind you how friendly Facebook is. See the facility is enabled? Click on this button, select "Disabled." And then click on "OK" to make the pop-up go away.<br /><span></span><br /><span></span>Easy, wasn't it? 
Just nine click/scroll maneuvers required to burrow through multiple layers of windows.<br /><span></span><br /><span></span>While you're there on the privacy page, check a few other things too:<br /><span></span><br /><span></span><STRONG>Things you share<br /><span></span><br /><span></span></STRONG>Check this list, which starts with "Posts by me" and ends with "Places you check in to" and verify that the status is "Friends only," which is as tight as you can set these (although you can customize the settings to prevent particular friends from accessing each of the shared items on a granular level). Disable the "Include me in 'People here now' after I check in" button to make sure you don't appear associated with a Facebook Place.<br /><span></span><br /><span></span>Then click through to "Edit privacy settings for existing photos and videos" to double check you're not sharing pics and videos with everyone--I found that I had been, even though I wasn't aware of the fact, so it's worth a check.<br /><span></span><br /><span></span><STRONG>Things others share<br /><span></span><br /><span></span></STRONG>Same trick here for the shorter list that starts with "Photos and videos you're tagged in," ends with "Friends can check me in to places" and includes the new Face Recognition trick. All of these can be restricted to Friends only, and you may want to pay attention to the "Friends can check me in..." button if you're protective of your location data. If you like, you can lock your wall so friends can't write on it.<br /><span></span><br /><span></span><STRONG>Contact information<br /><span></span><br /><span></span></STRONG>This may be one that you'd most like to protect. Double check the settings for your address, IM screen name, and email addresses say "Friends only," and note that by selecting "custom" from each button's drop-down menu you can set it to "Only me" for highest privacy.<br /><span></span><br /><span></span>You're all done! Sort of. 
Click "back to privacy settings" to make more changes.<br /><span></span><br /><span></span><STRONG>Connecting on Facebook<br /><span></span><br /><span></span></STRONG>This page controls how your information is searchable on Facebook--it's worth checking that each item in the list corresponds to how open or locked-down you want to be. Check "search for you on Facebook" and restrict it to "friends only" if you want to control how many friend requests you get. And double check other items like "see you current city..." and "see your likes..." are correctly set. Several of mine weren't, and I'd not visited this page in a while.<br /><span></span><br /><span></span>Click "back to privacy" for yet more changes...<br /><span></span><br /><span></span><STRONG>Apps and websites<br /><span></span><br /><span></span></STRONG>This is where you manage which parts of your data the apps you use can access and share automatically, what info about you your friend's friends can see, and how much of your Facebook profile is shown up when people Google for your name. 
Check all of these (it gets laborious if you want to go into each app's settings) and pay special attention to "public search," which is where you give search engines permission to crawl your data.<br /><span></span><br /><span></span>Block lists<br /><span></span><br /><span></span>From the main Privacy settings page, here's where you can target specific Facebook users and limit their access to you.<br /><span></span><br /><span></span>Done and somewhat more secure :)</div>  ]]></content:encoded></item><item><title><![CDATA[What is a Security Audit]]></title><link><![CDATA[http://www.avaintcon.com/1/post/2011/06/what-is-a-security-audit2.html]]></link><comments><![CDATA[http://www.avaintcon.com/1/post/2011/06/what-is-a-security-audit2.html#comments]]></comments><pubDate>Mon, 20 Jun 2011 14:20:50 -0500</pubDate><category><![CDATA[Uncategorized]]></category><guid isPermaLink="false">http://www.avaintcon.com/1/post/2011/06/what-is-a-security-audit2.html</guid><description><![CDATA[What is Security Audit?There is no formal definition for a security audit; and there is no legal requirement for a specified function called a security audit. Nevertheless, you need to do it; and the bigger you are, the more likely it is that there is effectively if not quite explicitly a legal requirement to do it. Defining Security AuditIf you sear [...] ]]></description><content:encoded><![CDATA[<div  class="paragraph editable-text" style=" text-align: left; ">What is Security Audit?<br />There is no formal definition for a security audit; and there is no legal requirement for a specified function called a security audit. Nevertheless, you need to do it; and the bigger you are, the more likely it is that there is effectively if not quite explicitly a legal requirement to do it. <br /><span></span><br /><span></span>Defining Security Audit<br /><span></span><br /><span></span>If you search on the internet you'll find many different definitions. And now we're going to add another. 
A security audit is the final step in the implementation of your security defenses. First you undertake a risk analysis to discover your assets and your risks. Then you develop a security policy to define what you are going to defend and how you are going to defend it. Then you use various methods, including information security products, to enforce that policy. And finally, you undertake a security audit to check the efficiency of those methods. (But then, of course, you start the whole process again.)<br /><span></span><br /><span></span><br />So a security audit is the process of testing and ensuring that your company assets are fully protected - nothing more, and nothing less.<br /><span></span><br /><span></span>Why do I need Security Audit?<br />Put very simply, you need a security audit in order to ensure that your security systems are working. Not only is there no point in having security that doesn't work, it is probably worse than having no security - at least with no security, you know that you have no security. Also, a good security audit, if undertaken by an outside consultancy, will point out gaps in your existing defenses.<br /><span></span><br /><span></span>But the best way to understand the need for a security audit is with real-life examples. At the time of writing this, there have been two major new reports. The first is "Network Attacks: Analysis of Department of Justice Prosecutions 1999 - 2006", August 28, 2006, A study by Trusted Strategies, L.L.C. commissioned by Phoenix Technologies, Ltd. This is a report well-worth reading. It states "Unauthorized access of privileged logon accounts caused by far the greatest financial losses to individual companies of all crimes analyzed. These were not sophisticated hacks; they were relatively simple crimes committed by attackers obtaining valid user IDs and passwords and using that information to logon to protected resources." 
The report also states: "These crimes could have been prevented if penetrated systems had checked the computer&rsquo;s identification as well as the individual&rsquo;s identification during logon." Well, it would, because that's what Phoenix sells. But the simple fact is that these crimes would also have been prevented if the victim companies had sufficiently audited their ID and password security to ensure an adequate level of protection. So go get audited.<br /><span></span><br /><span></span>The second report is a genuine audit report. It is a report by the Auditor General, State of Arizona, on Arizona Department of Education&ndash;Information Management. It concludes "Sensitive information, such as social security numbers, has been exposed because of security weaknesses in ADE&rsquo;s Web-based applications." That's why you need to audit - to find the flaws before they find you. And remember this also, again at the time of writing this, there has been a flurry of senior executive departures (walked or pushed?) from companies such as AOL and organizations such as the VA because the security for which they were responsible was found to be lacking. That's why you need security audits - to ensure that your own security isn't lacking.<br /><span></span><br /><span></span>But there is another reason for you to undertake security audits. The increasing incidence and complexity of legislation designed to counter cyber terrorism and protect personal privacy throughout the world simply means that the only way you can prove compliance with some of these laws is through documented security audits. Think of HIPAA, SOX and the European Data Protection Laws... <br /><span></span><br /><span></span>Where do I get Security Audit?<br />There's a simple choice: do it yourself, or buy in. The first involves either developing your own security tests or acquiring software that will do the tests for you. 
The latter involves the use of external security consultants.<br /><span></span><br /><span></span>There is no hard and fast rule over which is best. If you are a small company, you may well have less at risk and can less afford to employ expensive consultants. At the same time, you are unlikely to have the in-house expertise to develop your own auditing software. Small companies may well be obliged to rely on free and low cost audit software.<br /><span></span><br /><span></span>Larger companies are more likely to have the ability to develop their own software, but little time to do so. At the same time, the complexity of large company systems makes it less likely that off-the-shelf software can fully audit all the systems. Larger companies may well feel obliged to employ external security auditors.<br /><span></span><br /><span></span>How can I evaluate Security Audit?<br />This is the conundrum of information security. Just because you haven't had a security breach doesn't mean you're secure: you can never prove that you are secure; you can only prove (by bitter experience) that you are not secure.<br /><span></span><br /><span></span>So how can you evaluate a security audit? Well, your security audit will tell you how effective your security is against what it is meant to be securing; that is, the audit will enable you to measure the effectiveness of your security policy enforcement. This, in turn, requires that you have a detailed and effective security policy in place; and that your security policy has been directed by a thorough risk management exercise.<br /><span></span><br /><span></span>You should then take the 'deliverables' (that is, the full reports) from your auditor (either software or audit company) and relate them to every aspect of your security policy. 
For example, if your security policy is to include strong passwords that are changed every two months, make sure that the audit report confirms that all of this actually happens and that users have no way of bypassing the policy.<br /><span></span><br /><span></span>Provided that your audit report covers every aspect of your policy, then the auditors have done a complete job. Notice that I haven't said a 'good' job - that's more difficult to evaluate. Your audit can only be as good as your auditors. So if you do the job in-house, you will never know what you might have missed - and there's no-one to blame. If you use an external consultancy, there is possibly someone to blame if things go wrong. Hopefully, if you choose the auditor well and implement all the recommendations, you will have had a successful security audit. And you will be more secure for it.<br /><br /><span></span><br /><span></span></div>  ]]></content:encoded></item><item><title><![CDATA[Passwords and Password Managers]]></title><link><![CDATA[http://www.avaintcon.com/1/post/2011/06/passwords-and-password-managers.html]]></link><comments><![CDATA[http://www.avaintcon.com/1/post/2011/06/passwords-and-password-managers.html#comments]]></comments><pubDate>Mon, 20 Jun 2011 14:16:51 -0500</pubDate><category><![CDATA[Uncategorized]]></category><guid isPermaLink="false">http://www.avaintcon.com/1/post/2011/06/passwords-and-password-managers.html</guid><description><![CDATA[There are much more than 5, but I will start with these main points:   You are human&hellip; never mind, no one is perfect.&nbsp; We live in modern world with its cons and pros&nbsp; We live in the era of globalization, just admit it&nbsp; We live in the era of internet, Do you understand what this means?&nbsp;  [...] 
]]></description><content:encoded><![CDATA[<div  class="paragraph editable-text" style=" text-align: left; ">There are many more than 5, but I will start with these main points:  <OL> <LI><STRONG>You are human</STRONG>&hellip; never mind, no one is perfect.&nbsp;</LI> <LI><STRONG>We live in modern world</STRONG> with its cons and pros&nbsp;</LI> <LI><STRONG>We live in the era of globalization</STRONG>, just admit it&nbsp;</LI> <LI><STRONG>We live in the era of internet</STRONG>, Do you understand what this means?&nbsp;</LI> <LI><STRONG>There are bad guys there in the web, </STRONG>beware</LI></OL>Do I have to explain? OK, let&rsquo;s make it clearer.<br />1.&nbsp;<STRONG>You are human</STRONG>, aren&rsquo;t you?<br />You may forget anything &ndash; your keys, your eyeglasses, your documents and your wallet. You DO forget your passwords. And even if you do remember your password, you can mistype it. &ldquo;To err is human&rdquo;. If you type it wrong several times &ndash; your account is blocked, and you have to ask the administrator to reset it. And how often are you required to change your password to your bank account, web access, corporate VPN, etc? You wish there were no passwords at all. Just open the webpage and you are in.<br /><span></span><br /><span></span>2.&nbsp;<STRONG>We live in 21st century</STRONG>, aren&rsquo;t we?<br />We have MANY accounts. We are using computers. We are working hard in the web. Therefore we have LOTS of passwords to remember. But we are still humans after all. And we do forget. Do you want to bet that you cannot remember 5 strings in a row? Just give it a try. Please remember the following:<br /><span></span><br /><span></span>mLUafc$eMJm_<br /><span></span><br /><span></span>IR_^Z7R(F8zH<br /><span></span><br /><span></span>Bp}Ea4O7Xk*s<br /><span></span><br /><span></span>p#VnD4}B}Z^}<br /><span></span><br /><span></span>@Bu&amp;KG}N0n[X<br /><span></span><br /><span></span>Yes, maybe YOU can remember these 5 passwords. 
Then you are a genius and maybe this reason will not urge you to use these products, but let us look to the next reason.<br /><span></span><br /><span></span>3.&nbsp;<STRONG>We live in the era of globalization</STRONG>.<br />You can find yourself tomorrow in Milano, drinking a tiny cup of strong espresso in the internet caf&eacute; on the Via Corsa Di Porta Romano and trying to type your password for your Gmail account, but&hellip; you cannot find necessary letters, symbols are in the wrong place and the whole keyboard is somehow different&hellip; What a mess! And the very next day you appear in the beautiful Russian city of St. Petersburg and find out that the keyboard is Cyrillic. You wish you could enter your password automatically, just like that &ndash; open the webpage and you are in, but at the moment you do not even know how to switch a keyboard to Latin layout. Ha?!<br /><span></span><br /><span></span>4.&nbsp;<STRONG>We live in the era of the Internet.<br /></STRONG>We keep information there. We purchase goods and services. We look for a partner or a spouse. We watch movies, we listen to music. We&hellip; Everywhere we go there in the web we need to prove our identity (the same username/password). Someone can guess it. Someone can spy it. Someone can get access to our money, documents, entire life. We are exposed to risks! Oh, my god!<br /><span></span><br /><span></span>What is even more alarming -<br />5.<STRONG>&nbsp;There are bad guys in the web</STRONG>.<br />Do you know what identity theft is? Did you ever receive some message from your bank that was never sent? Did you ever get an e-mail, requiring resetting password to your account? These messages are called phishing. If you ever followed their instructions &ndash; you&rsquo;ve lost something. You&rsquo;ve lost money or information or something even more valuable, like identity. 
<STRONG>Identity is not virginity, you never enjoy losing it</STRONG>!<br /><span></span><br /><span></span>Is there a way to be safe, portable, light-hearted? Is there a way to make it convenient? Is there some automatic, simple, user-friendly and clear solution, working in the background and doing hard work for me? Maybe there is some solution that does not use many of the computer's resources and works on any PC without installation? Maybe there is some solution that I can take with me wherever I go?<br />Yes! There is an ultimate, convenient and secure solution.&nbsp; Use <STRONG>password manager</STRONG>. Use password manager that fills forms automatically and does not require from you any additional actions. Use password management system that is convenient and user-friendly. Use the one that keeps your private data in <STRONG>encrypted</STRONG> database. <STRONG>Use n-Pass</STRONG>! This is my personal advice.<br /><span></span><br /><span></span>You, whoever you are, wherever you are, whatever you do, you need:&nbsp;&nbsp;<br /><span></span><br /><span></span> <UL> <LI><STRONG>Password management&nbsp;</STRONG></LI> <LI><STRONG>You need it to be portable&nbsp;</STRONG></LI> <LI><STRONG>You need it to be secure&nbsp;&nbsp;</STRONG></LI> <LI><STRONG>You need it to be simple, convenient and automatic</STRONG></LI> <LI><STRONG>You need it to be n-Pass!</STRONG>&nbsp;&nbsp;&nbsp;</LI></UL>Forget your passwords!<br />Give away your Stick-It notes!<br />Delete your text files you used to keep your passwords in!<br /><br /><span></span><br /><span></span></div>  ]]></content:encoded></item><item><title><![CDATA[What is a Cyber Attack]]></title><link><![CDATA[http://www.avaintcon.com/1/post/2011/06/what-is-a-cyber-attack.html]]></link><comments><![CDATA[http://www.avaintcon.com/1/post/2011/06/what-is-a-cyber-attack.html#comments]]></comments><pubDate>Mon, 20 Jun 2011 11:31:43 -0500</pubDate><category><![CDATA[Uncategorized]]></category><guid 
isPermaLink="false">http://www.avaintcon.com/1/post/2011/06/what-is-a-cyber-attack.html</guid><description><![CDATA[A cyberattack is an attempt to undermine or compromise the function of a computer-based system, or attempt to track the online movements of individuals without their permission. Attacks of this type may be undetectable to the end user or network administrator, or lead to such a total disruption of the network that none of the users can perform even the most rudimentary of tasks. Because of the increasing sophistication of these ki [...] ]]></description><content:encoded><![CDATA[<div  class="paragraph editable-text" style=" text-align: left; ">A cyberattack is an attempt to undermine or compromise the function of a computer-based system, or attempt to track the online movements of individuals without their permission. Attacks of this type may be undetectable to the end user or network administrator, or lead to such a total disruption of the network that none of the users can perform even the most rudimentary of tasks. Because of the increasing sophistication of these kinds of network attacks, the development of effective software defenses is an ongoing process. <br /><span></span><br /><span></span>It is important to understand that a cyberattack can be relatively innocuous and not cause any type of damage to equipment or systems. This is the case with the clandestine downloading of spyware onto a server or hard drive without the knowledge or consent of the owner of the equipment. With this type of cyberattack, the main goal is usually to gather information that ranges from tracking the general movements and searches conducted by authorized users to copying and forwarding key documents or information that is saved on the hard drive or server. 
While the ultimate goal is to capture and transmit information that will help the recipient achieve some sort of financial gain, the spyware runs quietly in the background and is highly unlikely to prevent any of the usual functions of the system from taking place. <br /><span></span><br /><span></span>However, a cyberattack can be malevolent in its intent. This is true with viruses that are designed to disable the functionality of a network or even a single computer that is connected to the Internet. In situations of this nature, the purpose is not to gather information without anyone noticing, but to create problems for anyone who uses the attacked network or computers connected with that network. The end result can be loss of time and revenue and possibly the disruption of the delivery of goods and services to customers of the company impacted by the attack. Many businesses today take steps to ensure network security is constantly being enhanced to prevent these types of malicious computer attacks. <br /><span></span><br /><span></span>Attempts by cyberterrorists to interfere with the function of power grids and other means of delivering public services are also classified as cyberattacks. Because attacks of this kind can quickly cripple the infrastructure of a country, they are considered an ideal means of weakening a nation. A strategy utilizing a series of cyberattacks timed to simultaneously disrupt several different key systems can, in theory, render a nation unable to successfully overcome any of the attacks before a great deal of damage has taken place. Fortunately, many nations recognize the very real threat of cyberterrorism and take steps to protect government and public service systems from any type of Internet attack, as well as the manual introduction of software that could disrupt the systems. 
<br /><span></span><br /><span></span>Just as governments and corporations must be aware of the potential for a cyberattack to occur, individuals must also take steps to protect their home computers and related equipment from sustaining an attack. A basic preventive measure is to secure high quality anti-virus and anti-spyware software, and update it on a regular basis. End users should also make sure to scan any files or programs that are stored on a CDR or similar remote storage system before loading them onto a hard drive.<br /><span></span><br /><span></span><br /><span></span></div>  ]]></content:encoded></item><item><title><![CDATA[11 tips for social networking safety]]></title><link><![CDATA[http://www.avaintcon.com/1/post/2011/06/11-tips-for-social-networking-safety.html]]></link><comments><![CDATA[http://www.avaintcon.com/1/post/2011/06/11-tips-for-social-networking-safety.html#comments]]></comments><pubDate>Wed, 15 Jun 2011 06:45:26 -0500</pubDate><category><![CDATA[Uncategorized]]></category><guid isPermaLink="false">http://www.avaintcon.com/1/post/2011/06/11-tips-for-social-networking-safety.html</guid><description><![CDATA[Social networking websites like MySpace, Facebook, Twitter, and&nbsp;Windows Live Spaces&nbsp;are services people can use to connect with others to share information like photos, videos, and personal messages.As the popularity of these social sites grows, so do the risks of using them. Hackers, spammers, virus writers, identity thieves, and other criminals  [...] ]]></description><content:encoded><![CDATA[<div  class="paragraph editable-text" style=" text-align: left; ">Social networking websites like MySpace, Facebook, Twitter, and&nbsp;<a href="http://spaces.live.com/" target="_blank" style="">Windows Live Spaces</a>&nbsp;are services people can use to connect with others to share information like photos, videos, and personal messages.<br /><br />As the popularity of these social sites grows, so do the risks of using them. 
Hackers, spammers, virus writers, identity thieves, and other criminals follow the traffic.<br /><br />Read these tips to help protect yourself when you use social networks.<br /><br /><ul style=""><li style=""><strong style="">Use caution when you click links</strong>&nbsp;that you receive in messages from your friends on your social website. Treat links in messages on these sites as you would links in email messages.&nbsp;</li><li style=""><strong style="">Know what you've posted about yourself.</strong>&nbsp;A common way that hackers break into financial or other accounts is by clicking the "Forgot your password?" link on the account login page. To break into your account, they search for the answers to your security questions, such as your birthday, home town, high school class, or mother's middle name. If the site allows, make up your own password questions, and don't draw them from material anyone could find with a quick search.&nbsp;</li><li style=""><strong style="">Don't trust that a message is really from who it says it's from.</strong>&nbsp;Hackers can break into accounts and send messages that look like they're from your friends, but aren't. If you suspect that a message is fraudulent, use an alternate method to contact your friend to find out. This includes invitations to join new social networks. For more information.<br /><br /></li><li style=""><strong style="">To avoid giving away email addresses of your friends, do not allow social networking services to scan your email address book.</strong>&nbsp;When you join a new social network, you might receive an offer to enter your email address and password to find out if your contacts are on the network. The site might use this information to send email messages to everyone in your contact list or even everyone you've ever sent an email message to with that email address. 
Social networking sites should explain that they're going to do this, but some do not.<br /><br /></li><li style=""><strong style="">Type the address of your social networking site directly into your browser or use your personal bookmarks.</strong>&nbsp;If you click a link to your site through email or another website, you might be entering your account name and password into a fake site where your personal information could be stolen. For more tips about how to avoid phishing scams.<br /><br /></li><li style=""><strong style="">Be selective about who you accept as a friend on a social network.</strong>&nbsp;Identity thieves might create fake profiles in order to get information from you.<br /><br /></li><li style=""><strong style="">Choose your social network carefully.</strong>&nbsp;Evaluate the site that you plan to use and make sure you understand the privacy policy. Find out if the site monitors content that people post. You will be providing personal information to this website, so use the same criteria that you would to select a site where you enter your credit card.<br /><br /></li><li style=""><strong style="">Assume that everything you put on a social networking site is permanent.</strong>&nbsp;Even if you can delete your account, anyone on the Internet can easily print photos or text or save images and videos to a computer.<br /><br /></li><li style=""><strong style="">Be careful about installing extras on your site.</strong>&nbsp;Many social networking sites allow you to download third-party applications that let you do more with your personal page. Criminals sometimes use these applications to steal your personal information. To download and use third-party applications safely, take the same safety precautions that you take with any other program or file you download from the web.<br /><br /></li></ul></div>  ]]></content:encoded></item><item><title><![CDATA[Tips on creating a Google optimized site. 
]]></title><link><![CDATA[http://www.avaintcon.com/1/post/2011/02/tips-on-creating-a-google-optimized-site.html]]></link><comments><![CDATA[http://www.avaintcon.com/1/post/2011/02/tips-on-creating-a-google-optimized-site.html#comments]]></comments><pubDate>Thu, 10 Feb 2011 15:17:57 -0500</pubDate><category><![CDATA[Uncategorized]]></category><guid isPermaLink="false">http://www.avaintcon.com/1/post/2011/02/tips-on-creating-a-google-optimized-site.html</guid><description><![CDATA[Always create unique &amp; accurate Page Titles - Page title should accurately describe the page&rsquo;s content. Webmasters should make sure that their titles are unique for each page. The Title should be descriptive but not extremely lengthy. Don&rsquo;t stuff your title with only Keywords &ndash; write a title that will benefit both the user and the search engines.Make use of the &ldquo;description&rdqu [...] ]]></description><content:encoded><![CDATA[<div  class="paragraph editable-text" style=" text-align: left; ">Always create unique &amp; accurate Page Titles - Page title should accurately describe the page&rsquo;s content. Webmasters should make sure that their titles are unique for each page. The Title should be descriptive but not extremely lengthy. Don&rsquo;t stuff your title with only Keywords &ndash; write a title that will benefit both the user and the search engines.<br /><span></span><br />Make use of the &ldquo;description&rdquo; meta tag &ndash; Google clearly states that Meta tags such as (Meta Description) is not dead! Meta description should accurately summarize the page&rsquo;s content. Webmasters should write a description that would both inform and interest users if they saw the description meta tag as a snippet in a search result. Don&rsquo;t fill up your meta description tag with only keywords and avoid writing a description meta tag that has no relation to the content on the page. 
Try writing unique descriptions for each page; if your site is really big, try to generate description meta tags based on each page&rsquo;s content automatically.<br /><br /><span></span>Improve the structure of your URLs &ndash; Try to use words in your URLs. URLs with words that are relevant to your site&rsquo;s content and structure are friendlier for visitors navigating your site. Visitors remember them better and might be more willing to link to them. Don&rsquo;t use lengthy URLs with unnecessary parameters and session IDs. Avoid choosing generic page names and using excessive keywords. Provide only one version of your document; if you accidentally happen to have multiple versions of the same page, do a 301 redirect from non-preferred URLs to the dominant URL.<br /><br /><span></span>Make your site easier to navigate - Create a naturally flowing hierarchy &ndash; Make it as easy as possible for users to go from general content to the more specific content they want on your site. Try to use text for navigation; it&rsquo;s good practice to put an HTML sitemap page on your site and to use an XML Sitemap file. Have a 404 page that is user friendly.<br /><br /><span></span>Offer quality content and services - Practice writing easy-to-read text, as users enjoy content that is well written and easy to follow. Break your content into logical parts so that the users find the content they want faster. Use relevant keywords in your content and use the Google Keyword Tool where necessary. Write fresh, unique content and avoid re-writing or copying existing content from the web. Always create content primarily for your users, not search engines.<br /><br /><span></span>Write better anchor text - Always write descriptive anchor text. The anchor text you use for a link should provide at least a basic idea of what the page linked to is about. 
Use keywords in your anchor text and use anchor text for your internal links too.<br /><br /><span></span>Use heading tags appropriately - Take advantage of the HTML Header tags H1, H2, H3 to break down your content for easy scanning by your readers. Give some thought to what the main points and sub-points of the content on the page will be and decide where to use those heading tags appropriately.<br /><br /><span></span>Optimize your use of images - Use brief, but descriptive filenames and alt text for all images. Avoid using generic filenames and stuffing excessive keywords into the alt attribute.<br /><br /><span></span>Make effective use of robots.txt - Robots.txt is not enough to block access to your sensitive or confidential material, so take appropriate security measures for your confidential information.<br /><br /><span></span>Be aware of rel=&ldquo;nofollow&rdquo; for links - Setting the value of the &ldquo;rel&rdquo; attribute of a link to &ldquo;nofollow&rdquo; will tell Google that certain links on your site shouldn&rsquo;t be followed or pass your page&rsquo;s reputation to the pages linked to. Avoid using nofollow for links in blog comments or other sites that you don&rsquo;t trust. You can nofollow all of the links on a page by using &ldquo;nofollow&rdquo; in your robots meta tag, which is placed inside the &lt;head&gt; tag of that page&rsquo;s HTML.<br /><br /><span></span>Promote your website in the right ways - Blog about your new content or services to get your users excited. Use appropriate offline promotion and social media to promote your content. 
Add your business to Google&rsquo;s Local Business Center.<br /><br /><span></span>Make use of free webmaster tools - Google provides a lot of free tools for webmasters inside Google Webmaster Tools to help webmasters better control how Google interacts with their websites and get useful information from Google about their site.<br /><br /><span></span>Take advantage of web analytics services &ndash; Use Web analytics programs like Google Analytics that can be a valuable source for identifying your users, the content that they are reading, the source of traffic etc.<br /><span></span><br /><span></span><br />Read more: <A href="http://www.saadkamal.com/google/official-google-seo-guide/#ixzz1DaYvzlEf">http://www.saadkamal.com/google/official-google-seo-guide/#ixzz1DaYvzlEf</A><br /><span></span><br /><span></span></div>  <div ><div style="margin: 10px 0 0 -10px"> <a href="http://www.avaintcon.com/uploads/5/8/9/1/5891023/search-engine-optimization-starter-guide.pdf"><img src="http://www.weebly.com/weebly/images/file_icons/pdf.png" width="36" height="36" style="float: left; position: relative; left: 0px; top: 0px; margin: 0 15px 15px 0; border: 0;" /></a><div style="float: left; text-align: left; position: relative;"><table style="font-size: 12px; font-family: tahoma; line-height: .9;"><tr><td colspan="2"><b> search-engine-optimization-starter-guide.pdf</b></td></tr><tr style="display: none;"><td>File Size:  </td><td>4318 kb</td></tr><tr style="display: none;"><td>File Type:  </td><td> pdf</td></tr></table><a href="http://www.avaintcon.com/uploads/5/8/9/1/5891023/search-engine-optimization-starter-guide.pdf" style="font-weight: bold;">Download File</a></div> </div>  <hr style="clear: both; width: 100%; visibility: hidden"></hr></div>  ]]></content:encoded></item><item><title><![CDATA[Portfolio Management Done 
Right]]></title><link><![CDATA[http://www.avaintcon.com/1/post/2011/02/portfolio-management-done-right.html]]></link><comments><![CDATA[http://www.avaintcon.com/1/post/2011/02/portfolio-management-done-right.html#comments]]></comments><pubDate>Thu, 03 Feb 2011 15:56:12 -0500</pubDate><category><![CDATA[Uncategorized]]></category><guid isPermaLink="false">http://www.avaintcon.com/1/post/2011/02/portfolio-management-done-right.html</guid><description><![CDATA[Ron Kifer, vice president of program management at DHL Americas, is a veteran of the typical project and portfolio planning &ndash; or lack of planning &ndash; process in many companies. "The last three organizations I&rsquo;ve been in had the same scenario. They didn&rsquo;t have defined processes for reviewing project proposals; projects were pretty much recommended by senior vice presidents in each business area," he says. "They were attemptin [...] ]]></description><content:encoded><![CDATA[<div  class="paragraph editable-text" style=" text-align: left; ">Ron Kifer, vice president of program management at DHL Americas, is a veteran of the typical project and portfolio planning &ndash; or lack of planning &ndash; process in many companies. "The last three organizations I&rsquo;ve been in had the same scenario. They didn&rsquo;t have defined processes for reviewing project proposals; projects were pretty much recommended by senior vice presidents in each business area," he says. "They were attempting to do many more projects than they had the capacity to do. Bad projects squeezed out good projects. There was no visibility of what was being done throughout the organization."&nbsp;<br />That&rsquo;s a recipe for disaster. At a time when CEOs are demanding that technology investments return value, CIOs who don&rsquo;t have control over their IT project portfolios are fighting losing battles. 
Surprisingly, that&rsquo;s a good number of you: A recent report by AMR Research contends that as many as 75 percent of IT organizations have little oversight over their project portfolios and employ nonrepeatable, chaotic planning processes.<br /><br />But if you&rsquo;re not doing it already, portfolio management can help you gain control of your IT projects and deliver meaningful value to the business. Portfolio management takes a holistic view of a company&rsquo;s overall IT strategy. Both IT and business leaders vet project proposals by matching them with the company&rsquo;s strategic objectives. The IT portfolio is managed like a financial portfolio; riskier strategic investments (high-growth stocks) are balanced with more conservative investments (cash funds), and the mix is constantly monitored to assess which projects are on track, which need help and which should be shut down.<br /><br />But it&rsquo;s all in the execution. Jeff Chasney, executive vice president of strategic planning and CIO at CKE Restaurants, notes that "some companies do it poorly and some do it well." The companies profiled in this story reveal their best practices for doing it well.<br /><br /><strong style="">Why You Need Portfolio Management&nbsp;</strong><br />Think about how IT investments are managed in your company; do any of the following scenarios ring true? 
Million-dollar projects, which may or may not match the company&rsquo;s objectives, are awarded to business units headed by the squeakiest executives; weak IT governance structures mean that business executives don&rsquo;t have clear ideas of what they&rsquo;re approving and why; the CIO ends up selling projects that should be generated and sold by line-of-business heads; the company doesn&rsquo;t build good business cases for IT projects or it doesn&rsquo;t do them at all; and there are redundant projects.<br /><br />A strong portfolio management program can turn all that around and do the following:<br /><ul><li>Maximize value of IT investments while minimizing the risk</li><li>Improve communication and alignment between IS and business leaders</li><li>Encourage business leaders to think "team," not "me," and to take responsibility for projects</li><li>Allow planners to schedule resources more efficiently</li><li>Reduce the number of redundant projects and make it easier to kill projects</li></ul>All that means more pennies in your piggy bank. Dennis S. Callahan, executive vice president and CIO of Guardian Insurance, and Rick Omartian, CFO of Guardian&rsquo;s IT group and chief of staff, claim that portfolio management has reduced their companies&rsquo; overall IT applications expenditures by 20 percent and that, within that spending reduction, maintenance costs have gone from 30 percent to 18 percent. Eric Austvold, a research director at AMR Research, says companies doing portfolio management report saving 2 percent to 5 percent annually in their IT budgets.<br /><br />There&rsquo;s no single right way to do IT portfolio management. Vendors, consulting companies and academics offer many models, and often companies develop their own methodologies. Off-the-shelf software is available from a variety of vendors (see "Tools of the Trade," this page). But there are plenty of hurdles to doing it well. 
There are, however, best practices and key logical steps that can be gleaned from organizations such as Brigham Young University (BYU), DHL Americas and Eli Lilly, which have integrated portfolio management into the fabric of IT management, as you&rsquo;ll see in this story.<br /><br />Here are the key steps in creating and managing your IT investment portfolio.<br /><br /><strong style="">Gather: Do a Project Inventory</strong><br />Portfolio management begins with gathering a detailed inventory of all the projects in your company, ideally in a single database, including name, length, estimated cost, business objective, ROI and business benefits. Merrill Lynch maintains a global database of all its IT projects using software from Business Engine.<br /><br />In addition to project plan information, Merrill Lynch&rsquo;s users &ndash; almost 8,000 from Asia, Europe, India and the United States &ndash; add weekly updates on how much time they spend working on projects. "We use that as our internal cost assignment tool back to the business, so that the business is paying for every technology dollar monthly," says Marvin Balliet, CFO of global technology and services.<br /><br />When Kifer joined DHL Americas as vice president of program management in 2001, one of his first tasks was getting control of project portfolio activities. He created an inventory, put that into a master project schedule, gained an understanding of the resource requirements of all the projects, then did a reconciliation of the projects and reduced the schedule to a manageable level.<br /><br />Creating a project portfolio inventory can be painstaking but is well worth the effort. For many companies, it may be their first holistic view of the entire IT portfolio and any redundancies. A good inventory is the foundation for developing the projects that best meet strategic objectives.<br /><br /><strong style="">Evaluate: Identify Projects That Match Strategic Objectives</strong><br />The next steps involve establishing a portfolio process. 
The heads of business units, in conjunction with the senior IT leaders in each of those units, compile a list of projects during the annual planning cycle and support them with good business cases that show estimated costs, ROI, business benefit and risk assessment. The leadership team vets those projects and sifts out the ones with questionable business value. At Eli Lilly, a senior business ownership council comprising the information officer and senior business leaders in each business unit takes on this role.<br /><br />Next, a senior-level IT steering committee made up of business unit heads, IT leaders and perhaps other senior executives meets to review the project proposals; a good governance structure is central to making this work. "Portfolio management without governance is an empty concept," says Howard A. Rubin, executive vice president at Meta Group. Conversely, putting portfolio management in place can force companies with weak governance structures to improve them. (For more on governance, read "The Powers That Should Be," at&nbsp;<a href="http://www.cio.com/printlinks.)" style="">www.cio.com/printlinks.)</a><br /><br />One of the core criteria for which projects get funded is how closely a project meets a company&rsquo;s strategic objectives for the upcoming year. At clinical diagnostics company Dade Behring, an executive leadership team, which includes the CEO, creates five strategic initiatives, such as CRM or organizational excellence. The IT governance council, made up of business leaders and senior IT leaders, then evaluates projects based on how well they map against those initiatives. "We also try to assess risk from a technology point of view, a change-management point of view, the number of people that a project will impact and whether it will involve huge reengineering," says Dave Edelstein, CIO and senior vice president of regulatory affairs, quality systems, and health, safety and environment. 
Using methodology borrowed from the product development group (modified for IS, but keeping terminology that business executives are familiar with), projects are placed "above the line" &ndash; those that should be funded &ndash; or "below the line" &ndash; those that shouldn&rsquo;t.<br /><br />At DHL Americas, a project portfolio review board evaluates the one-page project opportunity assessment for every proposal. Membership on the board includes IS and 12 vice presidents from across all areas of the business. "Those vice presidents are not the senior vice presidents &ndash; they&rsquo;re the next level down, the lieutenants," Kifer says. "Portfolio management doesn&rsquo;t work at the senior vice president level; they don&rsquo;t have time to commit to portfolio management."<br /><br />A good evaluation process can help companies detect overlapping project proposals up front, cut off projects with poor business cases earlier, and strengthen alignment between IS and business execs.<br /><br /><strong style="">Prioritize: Score and Categorize Your Projects</strong><br />After evaluating projects, most companies will still have more than they can actually fund. The beauty of portfolio management is that ultimately, the prioritization process will allow you to fund the projects that most closely align with your company&rsquo;s strategic objectives.<br /><br />Ernie Nielsen, managing director of enterprise project management at Brigham Young University, is a frequent lecturer on portfolio management and a founding director of Stanford University&rsquo;s Advanced Project Management Program. He instituted an extremely thorough prioritization and scoring methodology at BYU.<br /><br />Under his plan, projects are placed into portfolios &ndash; Nielsen thinks multiple portfolios are a good idea in many companies because they allow like projects to be pooled together. 
In his case, the IT department uses four: large technology projects (more than $50K), small technology projects (less than $50K), infrastructure technology projects, and one covering executive initiatives. Think of the first three as peer portfolios; the executive one is a slightly different animal. The main job of the executive portfolio management team (each portfolio has its own team) is to distribute funds appropriately to the other three. (There are plenty of other ways to categorize initiatives; see "Powerful Portfolios," Page 58.)<br /><br />In the case of the large tech portfolio, its management team &ndash; made up of project sponsors, function managers (for example, representatives from engineering, financial services and operations, and Nielsen himself) and product portfolio managers (people with long-term project leadership responsibilities in areas such as student services or data management) &ndash; vetted projects and came up with a list of 150 for the portfolio team to score. (Nielsen uses Microsoft Project and Pacific Edge&rsquo;s Project Office to plan and prioritize.)<br /><br />They then prioritized them using a model that has four key tenets:<br /><br />Identify four to seven strategies. BYU&rsquo;s Office of Information Technology does this yearly (for example, limiting technology risk, increasing the reliability of the infrastructure).&nbsp;<br />Decide on one criterion per strategy. For example, the team decided the criterion for limiting technology risk would be whether the technology had been implemented in a comparable organization and the benefits could be translated to BYU easily.&nbsp;<br />Weigh the criteria.&nbsp;<br />Keep the scoring scale simple. BYU uses a scale of one to five. 
For the technology risk strategy, five might mean that it has been used in a comparable organization and the benefits could be transferred easily; three could mean it&rsquo;s hard to do because it would require changing processes; one might mean they haven&rsquo;t seen it work anywhere else.&nbsp;<br />Following the scoring, the team drew a line based on how many projects it could do with existing resources. In the case of the large technology portfolio, the line was calculated where demand (the list of projects) met supply (resources &ndash; in this case, the cumulative dollar value of available application engineers plus overhead); the line was a little less than halfway down the list. Those projects above the line could be done in 2003. The team then presented that list to the president&rsquo;s council, which approved it in an hour and a half, a process that used to take weeks, according to Nielsen.<br /><br />There is no one method to categorize your IT investment portfolio. One approach is to categorize it as you would your own financial portfolio, balancing riskier, higher reward strategic investments with safer categories, such as infrastructure. Meta Group&rsquo;s Rubin recommends a portfolio divided into three investment categories: running (keeping the lights on), growing (supporting organic growth) and transforming the business (finding new ways of doing business using technology). Those categories can then be cross-tabulated with four to five value-focused categories, such as how those investments support revenue growth, reduce costs or grow market share.<br /><br />Since 1999, Eli Lilly has used Peter Weill&rsquo;s model to categorize its IT investments (see "Powerful Portfolios," Page 58, for a closer look at the model offered by Weill, director of the Sloan Center for Information Systems Research and senior research scientist at MIT&rsquo;s Sloan School of Management). 
Under the Weill model, companies view their IT portfolios on multiple levels and at different stages, by visualizing their investments in aggregate and placing them in four categories, with the percent of IT expenditures apportioned across each. "We tend to want to have 5 percent [of our projects] in strategic areas, 15 percent to 20 percent in the informational category, and the remaining percentage split between the infrastructure and transaction modules," says Sheldon Ort, Lilly&rsquo;s information officer for business operations. He says that at the enterprise level, those percentages have remained fairly consistent. That model allows Lilly to balance the risk and reward of its IT investments. (The average percentage of annual IT spend of the 57 companies in Weill&rsquo;s 2002 survey breaks down as follows: infrastructure, 54 percent; transactional, 13 percent; informational, 20 percent; strategic, 13 percent.)<br /><br />The payoffs that come from a thorough evaluation and prioritization process are the primary reason portfolio management is so effective. First, communication between IS and business leaders improves. And portfolio management gives business leaders a valuable, newfound skill &ndash; the ability to understand how IT initiatives impact their companies.<br /><br />Second, business leaders think "team," not "me," and take responsibility for projects. One tried-and-true method for how a business leader got money for his unit&rsquo;s projects was to scream louder than everyone else. Portfolio management throws that practice out the corner office window; decisions are made based on the best interests of the company. At BYU, Nielsen observes that after its portfolio process was implemented, "instead of vice presidents fighting for their own lists of projects, they noticed projects below the line, not in their areas. 
They said to one another, &lsquo;I could provide some funds for you to get [your project] above the line.&rsquo;"<br /><br />Third, portfolio management gives business leaders responsibility for IT projects. "I&rsquo;m no longer in a position where I have to sell these projects to the business," says Dade Behring&rsquo;s Edelstein. "If I&rsquo;m doing a project for marketing, it&rsquo;s the marketing exec who has to sell the project to the rest of the team." Merrill Lynch&rsquo;s Balliet says, "When we started, the technology people were proposing the projects. Now the businesspeople propose the projects and [take responsibility] for risk profiling, ongoing operational costs and timeliness of delivery."<br /><br />Finally, everybody knows where the dollars are flowing and why, which is especially important to CEOs and CFOs who are increasingly demanding that technology investments deliver value and support strategic objectives.<br /><br /><strong style="">Review: Actively Manage Your Portfolio</strong>&nbsp;<br />A top-notch evaluation and prioritization process is emasculated rather quickly if the portfolio is not actively managed following approval of the project list. Doing that involves monitoring projects at frequent intervals, at least quarterly. At Blue Cross and Blue Shield of Massachusetts, a project management office, which reports directly to Senior Vice President and CIO Carl Ascenzo, has that responsibility. Once or twice a month, the project management office gets financial and work progress perspective updates from project leaders. That information goes into a database, and Ascenzo reports to the entire company monthly, giving the project inventory and its status. He assigns project status &ndash; green (good), yellow (caution) or red (help!) &ndash; and includes an explanation of the key driver causing a yellow or red condition. 
The IT steering committee meets once a month to make decisions to continue or stop initiatives, assess funding levels and resolve resource issues.<br /><br />At CKE Restaurants, the IT steering committee meets monthly to review at least three of the initiatives under way. "In my opinion, quarterly is too long," says Chasney. CKE, under the Carl&rsquo;s Jr., Hardee&rsquo;s and La Salsa Fresh Mexican Grill brand names, operates approximately 3,300 restaurants worldwide. Frequent reviews allow Chasney to redirect resources more quickly.<br /><br />Monitoring project portfolios regularly also means projects that have run off the rails can be killed more easily. "People have an aversion to stopping projects, but the majority of projects I cancel are done because there&rsquo;s a change in company strategy &ndash; a change in priority or direction," says Chasney. For example, if there&rsquo;s a strategy decision to focus on SAP, then it makes sense to cancel a new system that interfaces with PeopleSoft, he says. Chasney states another simple but powerful principle that eludes many companies: "You can&rsquo;t complete projects just because you started them."<br /><br /><strong style="">Hurdles to Portfolio Management</strong><br />Yes, portfolio management is a good thing. But getting to nirvana requires a serious commitment from both the business and IS sides, as well as a whole lot of sweat equity. Here are some of the pitfalls and ways to overcome them.<br /><br />Democracy ain&rsquo;t easy. Taking power away from business leaders accustomed to calling the shots will not always go smoothly.<br /><br />"Business leaders who didn&rsquo;t have decisions scrutinized previously now are [having] decisions decided by group consensus," says DHL&rsquo;s Kifer. But Kifer says that quickly "people realize it does work and that 12 people can make better decisions than one or two making unilateral decisions."<br /><br />There&rsquo;s no single software that does everything. 
"There are really good budget packages, resource management packages and fairly good portfolio management packages, but no package that ties it all together," says Gordon Steele, CIO and vice president of IT at Nike, who is in the process of implementing portfolio management. (See "Tools of the Trade," Page 62, for a list of some leading portfolio management vendors.) Steele is currently exploring a partnership with a portfolio management vendor to see if such a software tool can be developed.&nbsp;<br />Do you need to buy portfolio software? There&rsquo;s no right answer. Some say it&rsquo;s a necessity. "It&rsquo;s a better investment now to buy rather than build," says Meta Group&rsquo;s Rubin. Gopal Kapur, founder and president of the Center for Project Management, begs to differ. "Far too often people get the software and say they have portfolio management. But they don&rsquo;t &ndash; they don&rsquo;t have the foundation for portfolio management," he says. Microsoft Excel and Project are commonly used by companies to track and manage projects; some companies build their own tools.<br /><br />Getting good information isn&rsquo;t easy. Take, for example, the transparency of your cost structure. "You need good information around all technology costs and investments," says Merrill Lynch&rsquo;s Balliet. In 1999 and 2000, he and his team looked hard at all the IT dollars and categorized them into service "buckets," then put them in chargeback buckets related to those activities. For example, Balliet says that they created a phone monitoring tool and told some units, "You pay for the calls you make."<br /><br />In addition, you must update the database regularly. "You need to have the constant status of each project so you can react quickly to market changes," says Balliet.<br /><br />It&rsquo;s still hard to make tough decisions on whether to undertake &ndash; or cancel &ndash; projects. 
Kifer, no slouch at portfolio management, says DHL Americas currently has 20 percent more projects in its portfolio than it can support. "We won&rsquo;t probably start half of those," he says. "[But] an organization has a tendency to say, You&rsquo;ll figure out a way to make those work."<br /><br />It&rsquo;s an additional time constraint on busy executives. Good portfolio management means good IT governance means regular IT governance committee meetings. "Just about every company today has its people stretched," says Chasney. As noted earlier in the story, that concern is addressed at DHL Americas, where the lieutenants of time-constrained senior vice presidents serve on the project portfolio review board.<br /><br />In the grand scheme, however, the challenges of implementing portfolio management pale in comparison to the value it brings to your IT investments. "It forces IT and businesspeople to talk about investments from a business perspective," says Weill. "That&rsquo;s its most powerful feature."<br /><br /></div>]]></content:encoded></item><item><title><![CDATA[99 Great Business Books]]></title><link><![CDATA[http://www.avaintcon.com/1/post/2011/02/99-great-business-books.html]]></link><comments><![CDATA[http://www.avaintcon.com/1/post/2011/02/99-great-business-books.html#comments]]></comments><pubDate>Thu, 03 Feb 2011 15:52:17 -0500</pubDate><category><![CDATA[Uncategorized]]></category><guid isPermaLink="false">http://www.avaintcon.com/1/post/2011/02/99-great-business-books.html</guid><description><![CDATA[This is a great list we found from www.personalmba.comProductivity &amp; Effectiveness10 Days to Faster Reading by Abby Marks-BealeStrengthsFinder 2.0 by Tom RathGetting Things Done by David AllenThe Power of Less by Leo BabautaThe 80/20 Principle by Richard KochBit Literacy by Mark HurstThe  [...] 
]]></description><content:encoded><![CDATA[<div  class="paragraph editable-text" style=" text-align: left; "><strong style=""><br /><strong style="">This is a great list we found from www.personalmba.com</strong></strong><br /><br /><br /><strong>Productivity &amp; Effectiveness</strong><br /><br />10 Days to Faster Reading by Abby Marks-Beale<br />StrengthsFinder 2.0 by Tom Rath<br />Getting Things Done by David Allen<br />The Power of Less by Leo Babauta<br />The 80/20 Principle by Richard Koch<br />Bit Literacy by Mark Hurst<br />The Power of Full Engagement by Jim Loehr &amp; Tony Schwartz<br /><br /><strong style="">The Human Mind</strong><br /><br />Brain Rules by John Medina<br />Making Sense of Behavior by William T. Powers<br />Driven by Paul Lawrence and Nitin Nohria<br />Deep Survival by Laurence Gonzales<br /><br /><strong style="">Communication</strong><br /><br />On Writing Well by William Zinsser<br />Presentation Zen by Garr Reynolds<br />Made to Stick by Chip and Dan Heath<br />The Copywriter&rsquo;s Handbook by Robert Bly<br />Show Me The Numbers by Stephen Few<br /><br /><strong style="">Influence</strong><br /><br />How to Win Friends and Influence People by Dale Carnegie<br />Influence: The Psychology of Persuasion by Robert B. Cialdini<br />Crucial Conversations by Kerry Patterson et al<br />The 48 Laws of Power by Robert Greene<br /><br /><strong style="">Decision-Making</strong><br /><br />Sources of Power: How People Make Decisions by Gary Klein<br />Smart Choices by John S. Hammond et al<br />The Path of Least Resistance by Robert Fritz<br />Ethics for the Real World by Ronald Howard &amp; Clinton Korver<br /><br /><strong style="">Creativity &amp; Innovation</strong><br /><br />The Creative Habit by Twyla Tharp<br />Myths of Innovation by Scott Berkun<br />Innovation and Entrepreneurship by Peter F. 
Drucker<br /><br /><strong style="">Project Management</strong><br /><br />Making Things Happen by Scott Berkun<br />Results Without Authority by Tom Kendrick<br /><br /><strong style="">Opportunity Identification</strong><br /><br />The New Business Road Test by John Mullins<br />How to Make Millions with Your Ideas by Dan Kennedy<br /><br /><strong style="">Entrepreneurship</strong><br /><br />Ready, Fire, Aim by Michael Masterson<br />The Art of the Start by Guy Kawasaki<br />The Knack by Norm Brodsky &amp; Bo Burlingham<br />The 4-Hour Workweek by Timothy Ferriss<br />Escape from Cubicle Nation by Pamela Slim<br />Bankable Business Plans by Edward Rogoff<br /><br /><strong style="">Value-Creation &amp; Design</strong><br /><br />Rework by Jason Fried and David Heinemeier Hansson<br />Four Steps to the Epiphany by Steve Blank<br />The Design of Everyday Things by Donald Norman<br />Universal Principles of Design by William Lidwell, Kritina Holden, and Jill Butler<br /><br /><strong style="">Marketing</strong><br /><br />All Marketers Are Liars by Seth Godin<br />Permission Marketing by Seth Godin<br />The 22 Immutable Laws of Marketing by Al Ries &amp; Jack Trout<br />Getting Everything You Can Out of All You&rsquo;ve Got by Jay Abraham<br /><br /><strong style="">Sales</strong><br /><br />The Ultimate Sales Machine by Chet Holmes<br />Value-Based Fees by Alan Weiss<br />SPIN Selling by Neil Rackham<br />The Sales Bible by Jeffrey Gitomer<br /><br /><strong style="">Value-Delivery</strong><br /><br />Indispensable by Joe Calloway<br />The Goal by Eliyahu Goldratt<br />Lean Thinking by James Womack and Daniel Jones<br /><br /><strong style="">Negotiation</strong><br /><br />Bargaining For Advantage by G. Richard Shell<br />3-D Negotiation by David A. Lax and James K. 
Sebenius<br />The Partnership Charter by David Gage<br /><br /><strong style="">Management</strong><br /><br />First, Break All The Rules by Marcus Buckingham &amp; Curt Coffman<br />12: The Elements of Great Managing by Rodd Wagner &amp; James Harter<br />Growing Great Employees by Erika Andersen<br />Hiring Smart by Pierre Mornell<br />The Essential Drucker by Peter F. Drucker<br /><br /><strong style="">Leadership</strong><br /><br />Tribes by Seth Godin<br />Total Leadership by Stewart Friedman<br />What Got You Here Won&rsquo;t Get You There by Marshall Goldsmith<br />The New Leader&rsquo;s 100-Day Action Plan by George Bradt et al<br />The Halo Effect by Phil Rosenzweig<br /><br /><strong style="">Finance &amp; Accounting</strong><br /><br />Accounting Made Simple by Mike Piper<br />Essentials of Accounting (9th Edition) by Robert N. Anthony and Leslie K. Breitner<br />The McGraw-Hill 36-Hour Course in Finance by Robert A. Cooke<br />How to Read a Financial Report by John A. Tracy<br /><br /><strong style="">Systems</strong><br /><br />Thinking in Systems by Donella Meadows<br />Work the System by Sam Carpenter<br />Learning from the Future by Liam Fahey &amp; Robert Randall<br /><br /><strong style="">Analysis</strong><br /><br />Turning Numbers Into Knowledge by Jonathan Koomey<br />Marketing Metrics by Paul W. Farris et al<br />Web Analytics: An Hour a Day by Avinash Kaushik<br />The Economist Numbers Guide by Richard Stuteley<br /><br /><strong style="">Statistics</strong><br /><br />How to Lie with Statistics by Darrell Huff<br />Principles of Statistics by M.G. Bulmer<br /><br /><strong style="">Corporate Skills</strong><br /><br />The Unwritten Laws of Business by W.J. 
King<br />The Effective Executive by Peter Drucker<br />The Simplicity Survival Handbook by Bill Jensen<br /><br /><strong style="">Corporate Strategy</strong><br /><br />Purpose: The Starting Point of Great Companies by Nikos Mourkogiannis<br />Competitive Strategy by Michael Porter<br />Blue Ocean Strategy by W. Chan Kim and Ren&eacute;e Mauborgne<br />Green to Gold by Daniel Esty &amp; Andrew Winston<br />Seeing What&rsquo;s Next by Clayton M. Christensen, Erik A. Roth, Scott D. Anthony<br /><br /><strong style=""><strong style="">Consulting</strong></strong><br /><br />Getting Started in&nbsp;<strong style="">Consulting</strong>&nbsp;by Alan Weiss<br />Secrets of&nbsp;<strong style="">Consulting</strong>&nbsp;by Gerald M. Weinberg<br /><br /><strong style="">Personal Finance</strong><br /><br />Your Money or Your Life by Joel Dominguez &amp; Vicki Robin<br />I Will Teach You To Be Rich by Ramit Sethi<br />The Millionaire Next Door by Thomas Stanley &amp; William Danko<br />Fail-Safe Investing by Harry Browne<br />It&rsquo;s Not About The Money by Brent Kessel<br />Work Less, Live More by Bob Clyatt<br /><br /><strong style="">Personal Development</strong><br /><br />Self-Directed Behavior by David L. Watson &amp; Roland G. 
Tharp<br />Personal Development for Smart People by Steve Pavlina<br />Re-Create Your Life by Morty Lefkoe<br />Lead the Field by Earl Nightingale<br />The Art of Exceptional Living by Jim Rohn<br /><br /></div>]]></content:encoded></item><item><title><![CDATA[When users won't accept change, maybe your approach is wrong]]></title><link><![CDATA[http://www.avaintcon.com/1/post/2011/02/when-users-wont-accept-change-maybe-your-approach-is-wrong.html]]></link><comments><![CDATA[http://www.avaintcon.com/1/post/2011/02/when-users-wont-accept-change-maybe-your-approach-is-wrong.html#comments]]></comments><pubDate>Thu, 03 Feb 2011 15:49:26 -0500</pubDate><category><![CDATA[Uncategorized]]></category><guid isPermaLink="false">http://www.avaintcon.com/1/post/2011/02/when-users-wont-accept-change-maybe-your-approach-is-wrong.html</guid><description><![CDATA[Ask anyone in IT management about change, and you will likely hear some tired bromides about how people inherently resist change, how change must be &ldquo;managed,&rdquo; or perhaps how those darn users just won&rsquo;t &ldquo;embrace change.&rdquo; You will also likely get some amateur psychology or allusion to the latest business book that discussed how deep within our DNA we inherently fear change.It doesn&rsquo;t  [...] ]]></description><content:encoded><![CDATA[<div  class="paragraph editable-text" style=" text-align: left; ">Ask anyone in IT management about change, and you will likely hear some tired bromides about how people inherently resist change, how change must be &ldquo;managed,&rdquo; or perhaps how those darn users just won&rsquo;t &ldquo;embrace change.&rdquo; You will also likely get some amateur psychology or allusion to the latest business book that discussed how deep within our DNA we inherently fear change.<br /><br />It doesn&rsquo;t take a medical degree to realize that people don&rsquo;t inherently &ldquo;fear&rdquo; change. 
Should I offer to inflict some change on your life by giving you a check for one million dollars, I would imagine fear would be one of the last emotions you would feel. Rather than having an innate fear of change, the human race has evolved to constantly make the evolutionary equivalent of very rapid cost/benefit decisions. In the case of IT-driven change, the high cost of attending training sessions, learning about a new system, and adapting one&rsquo;s daily routine to the new way of working usually outweighs the benefit an individual perceives they will receive. The user community on the whole is not a group of cowering curmudgeons; rather they resist change because you haven&rsquo;t done a compelling job of selling it on an individual basis!<br /><br />Not only must you provide compelling benefits, but these must be presented at an individualized level, especially to key players who can shape opinion about the new system or process. While one or two people get excited about the litany of benefits and cost savings targeted toward the corporation as a whole, most take what seems like a more cynical approach, asking in effect: &ldquo;What&rsquo;s in it for me?&rdquo;<br /><br />Traditional &ldquo;change management&rdquo; efforts lack the magic bullet of focusing their appeal to users on an individual basis. These efforts treat the community as a gelatinous mass, to be slowly coalesced and pushed in a single direction. When operating in this way, change is something you &ldquo;do&rdquo; to people, rather than an individualized appeal performed on a personal level. While at the end of the day, users have little choice as to whether they use a new system&ndash;without a personal appeal you are always on an adversarial footing. 
This nebulous blob rarely has a personal stake in an implementation&rsquo;s success and, as such, tends to hold the system to an unrealistic standard and, in some cases, relish each missed objective and secretly root for the implementation&rsquo;s failure.<br /><br />While detailing the high-level benefits of a system is great and key to a successful business case, producing targeted, personal appeals to key stakeholders and your largest groups of users is far more important to successfully implementing change. No fancy books or methodologies are necessary here; the simple act of having ongoing individual conversations with key stakeholders, followed by spending personal time with each segment of the user community, will help you determine what individualized appeals are necessary, not to mention build trust that each group&rsquo;s needs are being listened to.<br /><br />The latter is an underemphasized point within IT. We are perceived as &ldquo;experts&rdquo; tasked with implementing a new system or process and often don&rsquo;t see the need to spend a day or two in the shoes of those we are going to affect. Spend a half day in the call center listening to calls or jockeying the cash register at one of your retail outlets, and you will quickly learn what kinds of appeals are likely to sway each user group.<br /><br />When you make a successful personal appeal, a magical thing happens: Users become personally invested in the success of your new system or process, as they now see themselves as individually involved and accountable for its success. The inevitable errors and omissions are disregarded or met with far more understanding than would be expected by an uninterested user being beaten into submitting to a new system. When the majority of your IT department starts presenting its activities in terms of the personal appeal, &ldquo;change management&rdquo; becomes embedded in your organization. 
The quality of your implementations also improves, since IT personnel are more able to understand, relate to, and address users&rsquo; concerns.<br /><br />At the end of the day, when your users see you as a collaborator with their best interests at heart, they embrace and run toward the new system. Change no longer is something to be &ldquo;managed,&rdquo; but something your users relish and look forward to.<br /><br /></div>]]></content:encoded></item></channel></rss>

