Thursday, October 26, 2006

PMI Global Congress 06

This week I attended the Project Management Institute’s annual Global Congress conference (http://congresses.pmi.org/) in Seattle. Thousands of the PMI organization’s 200,000+ members from around the world converged on the Washington State Convention Center Oct 21 – 27. To me, the growth in PMI membership and its annual conferences are signs of the increasing size and complexity of projects, especially information technology and information systems projects, the complexity of multinational organizations, and the need for a common language and standards for project management.

Personally, I was a little disappointed with the conference. Although there was some good material and lots of vendors, many of the sessions I attended were poorly presented or the content was simply not detailed enough to be useful. I am a member of the local Puget Sound PMI chapter and have attended some good local meetings and seminars, so I was expecting more out of the Global Congress. In addition, there were very few really technical sessions pertaining to IT or IS. This was puzzling to me because the largest special interest group at PMI is the Information Systems SIG.

In my two days at the conference I attended sessions on risk management, work breakdown structures, business process optimization, healthcare IT organizations, earned value, and communications for dispersed teams. A few highlights below.

Monday’s Keynote: “Countdown to Leadership”, Astronaut Mike Mullane

Col. Mullane is a West Point grad and flew on the 12th shuttle space mission. He gave an interesting and inspirational talk about the fundamental traits of good teams. He spoke about the following things being part of the teamwork framework:
  • Normalization of Deviance. The natural tendency of teams to accept lower and lower standards of quality and performance over time. Issues that arise are therefore “Predictable Surprises”. He gave the example of the O-ring failure in the shuttle Challenger accident in 1986. It was actually a well known, well-documented problem that was in a way pushed aside (despite many protests) by the pressure to complete more shuttle missions. In general, he suggests the tools against this type of issue are to know your vulnerabilities, stick to your plan, consider your instincts, and learn from your mistakes.
  • Responsibility. Col. Mullane talked about his very first mission in an F-4 fighter plane, where he and the other pilot ignored the procedure for determining return-flight fuel requirements and ended up ejecting from the cockpit as the jet crashed into the landing strip because it ran out of fuel. He explained that he failed his responsibility as a team member by bypassing protocol. He says this general phenomenon is caused by people’s: reluctance to confront, need for acceptance, position and longevity inhibitions, assuming others will take action, “not my job”, and fear of the boss. He recommends that everyone has a Sacred Responsibility to maintain team presence and not become a passenger. He quoted Andrew Jackson: “One person with courage forms a majority”.
  • Courageous Self Leadership. At age 33, Col. Mullane’s father got polio and spent the rest of his life in a wheelchair. He and his wife never gave up raising their six kids and never lamented their situation. This had a huge impact on Col. Mullane. He said that although he was an unremarkable youth, he always challenged himself and set lofty goals. He suggests: make corrections in your life, always do your best and educate yourself, never give up, and stay focused.

“Risk Management as a Framework for Organization Success”, Dr. David Hillson (RiskDoctor.com)

Dr. Hillson’s talk focused on risk management as the key to bridging the gap between strategy and tactics. It’s all about making objectives better aligned with business goals. In order to do this he recommends a hierarchical approach to risk management integrated at every level: corporate, strategic, program, project, and task. He defined total risk management as looking at not just the risks but also the opportunities, and not just from a tactical standpoint but also at a strategic level. This is what many organizations miss, he says. This integrated approach implements risk management processes at every level of the organization, carried out by different people.

Organizations that are “risk mature”:
  • Have a common language and understanding of risk management
  • Have common processes (for raising and dealing with risk issues)
  • Have a supportive, risk-aware culture
  • Have committed, competent, and professional people who want to understand and manage risk

“Setting Up a Project Management Office in a Healthcare IT Organization”, Laura Aziz, PhD

Dr. Aziz was one of the best speakers that I saw at the conference. She recounted her years of experience running IT projects in healthcare institutions. Part of her discussion could be applicable to many IT projects, but she did say that healthcare IT was unique because you really have to know the healthcare industry to be successful, because of:
  • Regulations, cultures, and the technical nature of much of the business. ER, OR, and ambulatory care all have their own unique needs

  • In order to be successful you must involve the organization’s clinicians in the strategy and planning. Get a champion

  • Your IT projects are really just enablers for what the clinical side of the organization wants to do. Don’t forget this

  • Relationships are critical. Reach out to clinicians and other parts of the organization

  • Don’t forget about the “customers”—the patients and their families

“The Project Management Facilitator”, Tammy Adams and Jan Means

These two women gave a good, basic review of tools that a facilitator should use to focus projects. They did note that a facilitator is a different role than a project manager. A project manager sometimes needs to be a facilitator, and sometimes needs to be a driver. They discussed the following focusing techniques:
  • Objectives – all meetings should have them, make them clear, send them out ahead of time

  • Action Items – Clear, assigned, and tracked by the project manager

  • Parking Lot – Where you put items that are not directly relevant to the meeting. The PM tracks

  • Agenda – have one, publish it, bring it to the meeting

  • Ground rules – may be necessary to set operating rules for behavior and procedure

  • Time boxing – only allow a certain amount of time to resolve issues

  • Nominal group technique – for difficult issues, get written thoughts from participants. Like Delphi technique

  • Scoping – it may be necessary to create a list of things as they come up and categorize them as out of scope of the project or meetings

  • Glossary – publish and keep it up to date so there is a common language

  • 5 Minute Rule – If someone is more than 5 minutes late, they can’t talk for 5 minutes. They need to get themselves up to speed somehow

  • Exec Time – to handle execs who are constantly late and then derail a meeting, ask them to come at the end and allot time to fill them in

“Expedient Communications for Dispersed Teams”, Bryan McConachy

Mr. McConachy discussed how complex communications are and tools to use to expedite communications. He states that “Most problems in projects can be tracked to some kind of communication failure”. Part of this, he says, is the complexity of human communication. Not only are there 3 parts to the brain and 2 sides, there are multiple different communication channels (hearing, body language, etc.) and there are factors like culture, trust, emotion, stress, etc. He believes that “unless trust develops quickly [in a project], you may never develop trust at all”. As far as efficiency goes, face-to-face communication is the most effective, and text (especially abbreviated shorthand cell phone text messages) is the most inefficient and the most likely to result in communication problems. Dispersed team communication is hard because there is less face-to-face interaction and informal communication goes down dramatically. Mr. McConachy recommends having policies around communications, and especially usage policies for things like email and text messaging. He feels a code of conduct is critical and that uses and misuses of email should be spelled out clearly.

Thursday, October 12, 2006

Gaia's Top Tips One Pagers

Over the past several months I have developed some one page documents that describe what I believe are some information technology best practices. They are meant to give customers an understanding of what Gaia’s approaches and philosophies are.

The following documents are currently available under the Resources section of the Businesses and Nonprofits portions of the website:

  • Top Tips for Achieving Best Fit Technology Solutions

  • Top Tips for Security within your organization

Feel free to download and distribute these PDF files and send me any feedback or suggestions that you may have.

SecureWorld Expo, Bellevue '06

I attended the SecureWorld Expo (www.secureworldexpo.com) conference at the Meydenbauer Center Oct 10 -11 of this week. SecureWorld is a security conference that occurs periodically throughout the year in cities in the region.

While there was no stated central theme for the conference, the topics of regulatory compliance, holistic risk management, and the convergence of traditional, electronic, and information technology/information systems security featured prominently.

Another personal take away, and a constant Information Security (IS) industry theme, is the feeling that the IS security industry is behind the eight ball in the struggle against mountains of regulations, a growing and powerful cyber crime industry that appears to be winning the current battle, and the constant struggle to educate, get resources, and make the case for IS within organizations.

Opening Keynote: "Cyber Security; A View from Washington, D.C.", Paul Kurtz, Executive Director of Cyber Security Industry Alliance

Paul was a Washington, D.C. insider before moving to his executive director position. He specializes in IS public policy and does a lot of testifying in front of congressional committees as well as working on IS issues with counterparts in the European Union. His presentation on the state of affairs in D.C. and across the country did not provide any great feelings of protection or future assurance but he did offer a call to action for IS professionals and the industry.

In Kurtz’s view, because of the rise in cybercrime and identity theft, local, state, national, and international governments are starting to get involved in IS. Thirty US states now have laws for handling security and privacy breaches. The bad news is that our federal government is very much behind and uneducated in IS and does not yet understand it well.

  • He presented part of a quote from Senator Ted Stevens, R-Alaska, which he said he heard on the Daily Show. The quote was Senator Stevens’ attempt to describe the Internet in a June 28, 2006 speech about network neutrality. (Entire quote here) "Ten movies streaming across that, that internet, and what happens to your own personal internet? I just the other day got...an internet was sent by my staff at 10 o'clock in the morning on Friday, I got it yesterday. Why? [...] They want to deliver vast amounts of information over the Internet. And again, the Internet is not something you just dump something on. It's not a big truck. It's a series of tubes. And if you don't understand those tubes can be filled and if they are filled, when you put your message in, it gets in line and it's going to be delayed by anyone that puts into that tube enormous amounts of material, enormous amounts of material."
  • There are jurisdictional battles, with congressional committees battling for ownership and no one committee addressing the issue (which actually may be a good thing in the long run, according to Mr. Kurtz)
  • The federal government is taking an ad hoc response to security and privacy, as opposed to the EU, which is taking more of a holistic approach
  • Different philosophical strategies exist. For example, in the US we have typically supported an opt-out approach (i.e., user data is collected by default) for the consumer, whereas in Europe it is more of an opt-in approach
  • There are conflicting and redundant regulations which cause confusion and costs for businesses and organizations and distract industry from urgent issues
  • There is no single driver for government action. Things like financial scandals, ID theft, counter terrorism, proactive state legislation, and increased awareness are all motivating government to act
There is good that can come from all the government attention however:
  • Regulations can level the playing field within sectors
  • Create common standards across sectors
  • Enable the gathering of statistics on IS issues
  • Improved security (i.e. Sarbanes-Oxley)

As for the outlook for the foreseeable future, government involvement will produce:

  • No federal data security bill this year. Too much other stuff going on in politics. Maybe next year.
  • Continued ad hoc approach to the problem.
  • Expect more government regulation
  • Increased enforcement of information security via litigation
  • Increased government regulations

Mr. Kurtz' call to action for IS professionals was to:

  • Take a holistic approach to information assurance: confidentiality, integrity, and availability.
  • Advocate for a holistic view in your industry
  • Build security into your business and financial planning
  • Adopt best practices (many of the standards and regulations have good practices)
  • See security as a competitive differentiator
  • Be vocal with government authorities. Get involved. Now is the time to affect positive change!

Session: "The New e-Business Venture: Organized Crime", Ernest Hayden, Enterprise Info Security, Port of Seattle

Mr. Hayden explained that he broke his back and was in a body cast at the beginning of the year (amazingly, he seemed to bear no visible effect from that). Bed-ridden, he began intense research into a topic that interested him immensely: cyber crime. Evidently his presentation has become quite well regarded and he has reviewed it with members of the CIA and other law enforcement agencies. Some highlights:

  • Traditional crime is now taking advantage of the internet in a major way. In a sense our powerful information and commerce tool has become a weapon being used against us. Organized crime has embraced the internet in a major way, in many cases forcibly removing “old school” hackers from their space. They are also distributed and international, fueled in part by low employment and low enforcement in places like Eastern Europe and Africa.
  • Extortion occurs more frequently than we think: "Pay us or we will hack/attack your site"
  • It is estimated that to date there has been 62 Billion dollars in cyber crime
  • Organized cyber crime resembles traditional organized crime, but it is more anonymous and works virtually, using the net to communicate secretly about drop points, conduct online training and recruiting, etc.
  • Phishing is expanding significantly and many people (especially seniors) are getting victimized
  • Macs are not safe, despite what many say. They are just as insecure and also hold what cyber criminals want: your personal information
  • The large on-line game sites are becoming targets. Criminals hack in and get personal information from the gamers and the game providers
  • Botnets (software robots, or bots, which run autonomously and form a connected network of agents) are becoming increasingly harmful
  • Cyber criminals are investing in research and development to develop their own spyware, etc. Now they are actively stealing the info, not just buying it from other hackers or criminals
  • 69% of vulnerabilities come from web applications. This means they are attacking the desktop.
  • A trend is that hackers hack into a network of a large company and then sell or rent access to that company to others to enable them to collect info, send spam, etc. There are even package subscriptions available! "You can have Starbucks, Microsoft, and AT&T this month for $29.95!"

Some interesting anecdotes that Mr. Hayden shared with us:

  • Some hackers are selling patches for holes they have found before the holes are announced to the world and before companies like Microsoft have their own patches ready
  • “Skimmers” are devices that are readily available and fit on card swipe machines like ATMs and gas station pumps. These devices are not easily detectable and are able to store up to 750 card swipes in memory. Criminals then set up a camera and record users typing in the codes associated with their debit card numbers.
  • "Computer Alchemy" – Organized crime is getting increasingly sophisticated in how they use their stolen information. Based on real data in their databases they create new identities, acquire credit card, etc, buy stuff, sell it, and then sell the identity and the cards.

Mr. Hayden says that organized crime is growing in its size and sophistication. He offers the following action items:

  • Keep working on the classic security things: patches, layered security, etc
  • Understand your threats well and communicate with your management
  • Integrate security into your day to day activities. When attacked understand what happened and fix the process. Don't just remove the virus, etc.
  • Engage peers and law enforcement
  • Look at new products from a hacker's perspective
  • Support legislation that goes after and prosecutes cyber crime

Data Leakage Sessions

There were several sessions that I attended on data leakage from organizations. These sessions covered everything from laptop theft to internal employees stealing corporate information. It was impressed upon the audience that the problem is getting worse because of the complexity of organizations today: outsourcing to vendors, vendors in other countries with different laws and norms, the proliferation of tiny devices and mobile computing, too much access/trust given to internal employees, telecommuting, etc. In addition, a lot of data leakage is innocent and unintentional.

Quote from one of the panelists that seemed to be verified by the other three: "The average large corporation has 10,000 data leaks per week".

One story: an employee at a financial company was taking credit card applications and, at the last minute, modifying the home address in the database to have the applications sent to the employee’s home. They would then change the address back in the database, so that once they had fraudulently filled out the application and received the credit card, all the bills would go to the intended recipient.

Here were some of the general recommendations that I extracted from these sessions:

  • Start from the top. It must be an edict and part of company culture to categorize, track, and control your data. If you don’t start high and in big chunks, the task of understanding what and where your data is may never get completed. Generally data is: financial, intellectual property, company data, customer/consumer data
  • Define the data that you really care about and assign value to it 1) Ask "What is the data collected at each part of our business/organization?", 2) Ask "What is the value and legal liability of this data? What are the risks and exposures?", 3) Understand compliance obligations
  • Define where your data is and where it is going. What is in structured storage, what is in transit, what is on devices?
  • Get metrics to qualify and quantify your data and track how good a job you are doing
  • There is no one solution to this issue, but within your organization you need to have a uniform common language for how you talk and communicate about your data/information
  • Using technology: Enforce mandatory access control, scan your network for data that shouldn't be there, encrypt everything, track and audit access and usage
  • However: use technology tools only to assist you in your holistic approach. Technology alone will not solve the problem, and no one tool will do the trick for your organization in most cases

Compliance Sessions

Compliance is a huge issue for all sorts of organizations right now. One presenter described it as the “Alphabet Soup” of compliance regulations and standards. Regulations differ in how prescriptive and how flexible they are, and they overlap with each other in multiple ways. Few of them are created with each other in mind, but they address similar topics of information security and privacy, plus they change from year to year!

The overwhelming trend is that 10 years ago security was optional and bottom up (ie. Firewalls, etc). Today security and privacy is the law and top down (management is responsible). In addition, security and legal departments are now closely aligned. They have to be because of legal ramifications of non-compliance.

Standards and compliance regulations that were discussed throughout the sessions included: HIPAA, the Gramm-Leach-Bliley Act, ISO 17799, ISO 27000, SOX, ITIL, and PCI.

In short, all the sessions recommended against starting with a standard or regulation and then trying to match or adapt your organization to it. All trumpeted a top-down approach in which organizations first start with their own best practices and requirements and make sure those are in good alignment with their mission, goals, and requirements. Then, build a table or matrix based on your established requirements and begin to work in other standards and regulations. The outcome should be a table which has been specifically adapted to your organization and works in the requirements of any standards and regulations that you must, or have chosen to, comply with. This matrix becomes your one set of controls covering all your requirements. This is critical.

All stressed that this is not easy. It gets down to a lot of detailed diligent hard work. Several attendees said they had been working on their table for three years and it was in constant change. There are templates and standards that some have tried to start with (i.e. ITIL was mentioned by many) but there were many speakers and attendees that advised against this. One size does not fit all. One SOX implementation will look entirely different from one org to the next. In short, compliance is just plain hard work and it's not going to get any easier (There was a mention that the IT Compliance Institute was working on some tool to help, though).

From a technology standpoint, there are some tools out there to help but technology should be used cautiously. Only automate things that you do well manually (i.e. Inventory of hardware and software, tracking of data, gathering and reporting metrics). Use tools to help with change management, which is a huge part of compliance.

Finally, a good general take away: while there are key people who ultimately own and control the company data, everyone within an organization is responsible for protecting information. You cannot succeed without this being part of your organization’s culture. And you get to this point by educating people, getting organizational buy-in, knowing your business processes and requirements, getting the policy in place, good communication, and measurement.

In Short, Great Conference

This is a great two-day conference. I paid about $115, after my discount for being an ISSA member, for the full two-day conference and all the sessions. Plus lunch was included! The keynotes and sessions were very good on average, and there were lots of great IS professionals and vendors. I definitely recommend this conference to anyone interested in information security!

Monday, October 09, 2006

"The World is Flat" by Thomas Friedman

I read Thomas Friedman's best seller The World is Flat early this year. The book was recommended to me by Al Erisman, the Executive Director at the Institute for Business, Technology, and Ethics (www.ethix.org).


I thoroughly enjoyed the book. For me it was a fascinating read and greatly affected my perspective on business and technology.


Friedman describes flattening as the world becoming smaller and more connected through events and technology and as a result "creating a new global playing field for multiple forms of collaboration". He details 10 "flatteners" and three convergences that have occurred to make the world flat. He describes the convergence as the "triple convergence--of new players, on a new playing field, developing new processes and habits for horizontal collaboration."


Although one can see “flattening” happening around us in so many ways, Friedman does an extraordinary job of synthesizing complex trends and developments: social, economic, political, and technical. Many have disagreed with Friedman’s analysis of the benefits of flattening, but he does make you realize the immediate and future potential impact that this phenomenon is having. In addition, his descriptions of things like Dell’s manufacturing process, Wal-Mart’s inventory management, Bangalore call centers, and McDonald’s program for virtual order takers are truly mind changing.

A few thoughts about the book:

  • Strong Business Perspective. Both from a social change and a technology standpoint this is a very business centric analysis. IMHO, Friedman gives way too much credit to tech companies like Microsoft, Netscape, IBM, etc ("flatteners") and not nearly enough to the academics, scientists, NGOs, governments and others that have furthered the Internet and effected social change.

  • Weak Government Role. I consider myself to be a centrist with regard to "free market economy" and Friedman admits to being very much a believer in the unrestricted marketplace. I was not convinced by his explanation for how everything will work out on the global stage and specifically how smaller businesses and workers within our own country fare. He does offer ideas on how our work force can stay educated, have some safeguards (insurance), and stay competitive. This is done in part through government programs according to Friedman.
  • Social Responsibility and Ethics. While he does touch on these topics I don’t think he devotes enough time or makes a strong enough case for how we 1) ensure ethical corporate behavior, and 2) hold global businesses responsible for their impact on the environment and communities where they operate. Not to mention the fact that, as Jared Diamond points out in his book Collapse, if China realizes the American Dream, as Friedman feels they should, and becomes as big a consumer and polluter as the US the earth’s resources and environment will simply not support it.

All that said, I think it’s a marvelous piece of work. The World is Flat is truly a thought provoking and educational read even if you don’t agree with all of Mr. Friedman's premises and conclusions. The scary part for me is how flattening will impact our kids in how and who they will be competing with in the decades ahead.


Friedman, Thomas L. The World is Flat. New York: Farrar, Straus and Giroux, 2005. http://www.thomaslfriedman.com/worldisflat.htm

Monday, October 02, 2006

My Family

Richard W. Saunders, CISSP

After graduating with a combined degree in Business Administration and Computer Science from Western Washington University I worked for 17 years in software development at Microsoft Corporation. As a manager in quality assurance and later a senior program manager I worked on the Windows Operating System, Digital Media, and the Windows Media Player. All told I was involved in releasing over twenty retail software products at Microsoft.

My first product at Microsoft was Windows 2.0 (1987). Following that, I worked on the development of each version of Windows through Windows 95 and was involved with the Windows NT, Windows 98, and Windows XP efforts as well as some Microsoft Office components. In the Windows Digital Media Division I worked on teams developing audio and video technologies and the Windows Media Player, where I participated in dozens of product releases.

Throughout my career I have stayed very involved with nonprofit organizations and the community. Volunteering in both technical and managerial roles has been an important aspect of my life.
In my jobs at Microsoft I have gained some valuable experience. At Microsoft I was required to lead projects spanning multiple groups and multiple divisions. I have had to manage teams of peers who did not report to me and motivate them around a central mission. This entailed handling rapid change while coordinating specifications, schedules, resources and final product releases or events. I have hired and managed external independent contractors and dealt with legal contracts and budgeting through to completion. My experiences have taught me how to engage in different ways with different people. I have played the role of mediator and champion. I have worked in resource constrained environments and all my jobs required extensive multitasking.

After volunteering for several years at the Northshore Senior Center as a technology lead I spent four years on the board of directors at the 45th Street Clinic in Wallingford. There I served as board president for two years and was very active in board recruitment and development. More recently I have been a volunteer technology consultant for the Institute for Family Development (IFD). I made contact with IFD as a partner at Social Venture Partners. There I participated in the grant committee to identify partner organizations and began working directly with IFD consulting on the organization-wide email system and external web site implementation, in addition to the maintenance and needs assessment, product evaluation and eventual implementation of their computerized Client Management System.

What is probably hardest to communicate in my resume is my love of working with people, my ability to coordinate and lead many types of projects, and my desire to work hard and effectively for the greater good of the team, the organization, and the community. It is extremely important to me to bring hard work, high quality, honesty, and humor to every job I do.

Sincerely,
Richard W. Saunders
Richard@gaiaict.com