Tom Davenport raises a good question in his post on the democratization of healthcare costs and whether physicians should be online. Democratization of knowledge is basically a fancy word that means the knowledge is out there for us to find and use, all we have to do is search. Witness WebMD. You can get fairly indepth coverage of virtually all illnesses and diseases on their site. If we arrive at the physicians office with a good idea of what is wrong with us, why should we have to go into the office anyway…with the caveat that the physician has a medical history on us and has “seen” us previously.

…since you only get about 7 minutes on average of face-to-face time with your doc, it’s not as if we are giving up an intimate, in-depth relationship. No muss, no fuss, no bricks-and-mortar, and the insurance company gets by very cheaply” (Davenport, 2008, ¶ 7).

This is so true in today’s medical community. The insurance companies are constantly squeezing physicians (as well as other health care practitioners) in reimbursement rates. This seems a logical next step for the practice of medicine, provided the physician has a good medical history on any patient that is treated in this manner. I don’t know enough about the makeup of a traditional family practitioners day to know how many of those visits could be accomplished online, but if a nurse practitioner oversees most visits anyway and prescribes medication, why not let some of that interaction happen online?

This also seems to be a very good argument for electronic health records (EHR’s) that have languished in most implementations.

— Davenport, Tom. (2008, August 19). “Is It Time for Your Doctor to Get Online?” Harvard Business.

Amazon is definitely good at disruptive business practices. It’s first round of offering books over the Internet has changed book buying for many of us. But now, it’s offering a new way of buying that doesn’t involve the web at all. A NY Times article describes how you can now text-message the UPC or ISBN of an item to Amazon which responds with two prices for that item. If you want either one, you can text back a 1 or a 2, or you can text ‘M’ back and get more options.

Amazon TextBuyIt, which launched late Tuesday, lets people text the name of a product, its description or its UPC or ISBN to 262966 (that’s ”Amazon” on the keypad) from anywhere their cell phones work — including from inside physical stores” (¶ 2).

Retailers better look out, because now shoppers are going to be even more prepared to negotiate the price posted on an item when they go shopping. This situation reminded me of a previous article on NY Times about how people are negotiating pricing at large electronics stores, using quotes from web sites to get the best deal they can. Now people don’t even need to negotiate prior to showing up in the store. And retailers are going to have about 5 minutes to make a deal or lose it to Amazon. And I’m sure other internet sites will implement similar technology before too long…unless Amazon has a patent on it. 🙂

It also makes me wonder how many retailers are investigating the use of cellular disrupter technology today. 🙂

— Associated Press. (2008, April 2). Amazon Launches Text-Message Shopping. New York Times.

— Richtel, M. (2008, March 23). Even at Megastores, Hagglers Find No Price Is Set in Stone. New York Times.

This story is something IT departments should take to heart:

According to a report issued yesterday by WhiteHat Security, nine out of 10 Websites still have at least one vulnerability that attackers could exploit. On average, there are about seven flaws on each site studied” (¶ 2).

I have to wonder though if it is due to time-constrained employees, or the fact that technology is moving so fast that it is hard for the normal employee to keep up with work as well as learning about the new threats.

Cross-site scripting (XSS) is still the top category of vulnerabilities, appearing in approximately 70 percent of Websites, WhiteHat says. But the researchers are predicting that cross-site request forgery (CSRF) will eventually take the No. 2 spot behind XSS” (¶ 4).

This is why I absolutely NEVER use Internet Explorer and I have NoScript installed on every version of my Firefox browser. I’ve run across normal e-commerce sites that NoScript blocked. Whether the XSS script was there on purpose or the site had been hacked I never tried to find out, I just left the site.

— Wilson, T. (2008, March 25). 90% of Sites Still Vulnerable. Dark Reading.

In the book IT Risk by Westerman & Hunter, the authors define a framework for mitigating risk in a company related to IT. It revolves around four areas: availability, access, accuracy, and agility. Agility relates to the ability of IT assets to change fast enough to allow companies to take advantage of trends in the marketplace. If the IT department needs a year to make changes to the systems in order to support a new product or service that the company wants rushed to market, we aren’t talking an agile application.

A good example of this is an enterprise resource planning (ERP) application that still requires interfaces to legacy systems it was intended to replace. The more interconnections you build, the more complicated the system will be and the harder it will be to change. Rettig, quoting a research study of over 400 companies performed by MIT researchers, “In many companies, it takes the IT department one to two years to implement a new strategic initiative – hardly the agility companies are striving for … Legacy systems cobbled together to respond to each new business initiative create rigidity and excessive costs. Every change becomes a risky, expensive venture.” (p. 21). Not a prescription for mitigating agility risk in a company.

A number of ERP implementations did not go well, or the company is finding out that managing this behemoth of an application environment is impossible, and they are looking for the next big thing that will give their company a competitive edge in order to survive in the marketplace. And along comes Service Oriented Architecture (SOA). But make sure you know how the company is going to implement SOA. As Rettig says, “…to the extent that these service-oriented architectures use subsets of code from within ERP and other enterprise systems, they do not escape the mire of complexity built over the past 15 years…” (p. 26).

So the sales executive from XYZ Software convinces the CEO and CFO that the best approach is to leverage the company’s investment in their ERP application by adding on a service-oriented architecture on top of it which will let company respond to the pace of business more quickly. But wait, you just added a layer on a layer on a layer. How good can that be? “SOA’s become additional layers of code superimposed on the existing layers. That means it is possible that a process will fail at some point due to some fault in the layers below, and in order to understand and fix the problem, software engineers will need to deal with the layers of enterprise applications below the modular business processes” (Rettig, p. 26). That’s definitely not agile software!

Maybe it’s time we as IT managers need to sit back and rethink the whole process; how we organize data, how we access that data, how we write the applications, etc. Are we stuck in the rut we’ve dug, and don’t realize how bad the situation really is that we’ve made? As Rettig says, “… IT departments tend not to be innovative leaders within organizations, but rather conservative forces, viewed by business executives as cost sinks and liabilities” (p. 21). Ouch! “A recent study by Forrester Research…found that only 28% of CEO’s thought their CIO’s were proactive or creative in terms of business process improvement” (Rettig, p. 27).

Rather than thinking “outside the box,” maybe it’s time to get out of the box, throw it in the trash compactor, and start looking at our processes, applications, data, and other assets from totally different perspectives. If we don’t, we might find that our jobs have been outsourced to someone who will.

— Rettig, C. (2007, Fall). The Trouble with Enterprise Software. MIT Sloan Management Review.

— Westerman, G. & Hunter, R. (2007). IT Risk. Boston, MA: Harvard Business School Press.

I just can’t imagine using Twitter myself. I’ve joked with my friends about the fact that I don’t know any of them well enough that I want to know what they’re doing at any moment of the day. Although, if you want to be a hero to your executives, start mining Twitter for mentions of your company. You might just find out some problems before they start affecting sales, and earn some recognition that you know more than just IT.

Here’s a case in point: “…uses Twitter to eavesdrop on its customers. In January, it started hearing complaints there about one part of its service, a problem it quickly corrected” (p. 34).

— Kirkpatrick, D. (2008, March 31). Web 2.0 Gets Over Its Goofing-Off Phase. Fortune.

Is IT living up to its potential at your company? Why not? Is it your fault? I know at times it has been mine. Luckily, in my latest job, that wasn’t the case. According to Basu & Jarnigan, the reason is the proverbial glass ceiling or wall. IT is shut out of the decision-making circle. I’ve seen this from both sides of the situation, and I wholeheartedly agree. Many times I’ve seen businesses make decisions assuming it’s just a “quick fix” to change this piece of code so it will do this now instead of that. But most of us in IT know that it’s usually a lot more than just a few lines of code and voila!

The reason for the glass ceiling? Basu & Jarnigan point to these five causes:

  1. “Mind-set differences between management staff and IT,
  2. Language differences,
  3. Social influences,
  4. Flaws in IT governance,
  5. Difficulty managing rapidly changing technology” (¶ 7).

Comparing this article to the book IT Risk, I can see how IT governance is a critical mistake businesses make. “IT decisions are often made by the wrong people with insufficient input, and the resulting failures drive a wedge between senior managers and their IT colleagues” (Basu & Jarnigan, 2008, ¶ 12). “The risk governance process is the force that pulls otherwise fragmented, localized views of IT risk together into a comprehensive whole, allowing the enterprise to effectively set priorities and act. No centralized person or group has a wide enough perspective to fully understand and control all risks in even a moderate-sized organization” (Westerman & Hunter, 2007, p. 44).

Or, to put it in my words, in order for business managers to make informed decisions related to IT, we in IT have to translate the risks, and rewards, into dollars for the business side to understand and decide upon. And the only way to do that is to have a seat at the table when the decision is made.

But how do we get that seat? If you don’t have a seat there now, start working from behind the scenes. When management makes a decision, translate that decision into dollars and cents for their approach and other potential options. The more they see that you understand the business side of things as well as the technology side of things, the more they will listen, and the more they will come to you. Notice the emphasis in that sentence, YOU. It’s not up to them to come find out what you think is best, it’s up to you to show them that you have valid and worthy opinions that should be considered when making important decisions that affect IT.

That’s how I won my seat at the table, and that’s how you can too.

— Basu, A. & Jarnagin, C. (2008, March 10). How to Tap IT’s Hidden Potential. MIT Sloan Management Review.

Westerman, G. & Hunter, R. (2007). IT Risk. Boston, MA: Harvard Business School Press.

From the Internet Storm Center at, here is a really interesting paper on intrusion detection, but looking at it from a completely different angle. Grant Jacoby looked at battery usage of PDA-style devices both during an attack and while in a passive state. The result? Battery usage jumps while under the attack. This technique could be used as a warning that a threat is being attempted at that moment. The following image, borrowed from, shows the battery usage of an iPaq during an nmap port scan.

This makes me wonder how power consumption could be used in other devices as a warning of attack. If someone at one of the cellphone handset makers, cell phone companies, or a network management software company hasn’t snagged this guy yet, I would be surprised.

— Jacoby, G. A. (2005, April 12). Battery Based Intrusion Detection. Virginia Polytechnic Institute.

— Zeltser, L. (2008, March 17). The Battery and Security in Mobile Devices. Internet Storm Center,

Next Page »