The Future of IT Services

I’ve been working on this piece for a while. The challenge has always been keeping up with the trends and shifts occurring every 90 days. Generally, the focus of IT support services is changing. This change is happening faster in Fortune 5000 companies but will eventually find its way down to all organizations, in one form or another. Overall, here’s our take on how things appear to be heading:

For years IT has understood itself as strictly a support service that responds to, instead of enacts, innovative change. In the future, IT leaders will face a host of multi-dimensional challenges as global business increases in technological complexity. Some of the challenges include harnessing mobilization and employees’ use of social media for business, developing both employee- and customer-facing business applications, streamlined analysis of big data, increased adoption of virtualized servers and storage, and streamlining cloud support, to name a few.

A number of analysts believe that the nuts-and-bolts programming and easy-to-document support jobs will go to third-party providers outside the U.S. In its wake will be a need for IT workers with versatile skill sets not normally found within IT. Abilities such as project management (for intricate, multi-tiered IT projects), public speaking (for interfacing both with corporate business and clients), and mathematical expertise (for engineering and development tasks) are just some of the IT skills that will be in demand in the near future.

Not only the diversity of necessary skills, but also where those skills can be used, will be crucial. For example, application development skills will be instrumental for those working in the service provider sector, software development area, or on IT teams within large or small organizations.

In the future, IT will be outward focused, business-centric, and business-enabling instead of simply a stop-gap, support service. IT will become a multi-pronged enabler for clients as well as an active agent for marshalling the power of technological innovation toward increasing a company’s ROI to gain a competitive advantage. In this regard, business-facing expertise and skills will be on equal footing with tech-based knowledge.

Today, there’s a huge amount of focus on getting more efficiency using virtualization, the cloud, Web 2.0, networking, and mobility. Better efficiency and innovation will reduce the number of technicians needed for certain tasks within the datacenter. Going forward, IT teams and organizations within mid-size and larger corporations will be smaller in size. This will all be due in equal measure to automation; trends such as virtualizing servers, storage, and desktops; access to cloud-based services; outsourcing beyond the U.S.; and the migration away from IT-based occupations.

It’s safe to bet that the pure technology positions will steadily diversify as complexity within the datacenter increases. This will include roles such as business-enterprise architects, business technologists, systems analysts, network designers, systems auditors, and project managers, including more rounded skills that expand knowledge bases and challenge traditional IT comfort zones.

The following are some of the key areas where traditional IT administration skill requirements will be changing and where some skills will become obsolete.

I. Programming

While coding and basic programming will be outsourced beyond the U.S., essentially for software that can run only on the PC, mobile programming is poised to take huge strides. This includes writing code specific to the operating systems for Android, Apple, and Windows Phone 7, among others. In the near future, the mobile market is set to dwarf the PC market in sales. This means traditional programming languages such as Cobol, Delphi/Object Pascal, Transact-SQL, and ColdFusion are being phased out. Even tried-and-true Flash development is being eliminated. Taking their place, skills in languages such as the following will be increasingly in demand: Python, Ruby, HTML5, RESTful Web Services, JavaScript, and jQuery.

II. Datacenter

In terms of basic networking, a number of traditional IT operations will be superseded by higher-level skills or eliminated altogether. Typical network administrator tasks such as wiring and coupling blade servers, updating and installing patches, or provisioning storage will be outmoded skills due to new advancements that are already taking place. These include cloud sourcing for additional CPU power and storage allocation. Server and desktop virtualization will reduce the need for multiple administrators because automation and centralized management will enable a single individual to handle the tasks. This has already begun taking place, but we will see it occurring on a much greater level as these processes take a firmer hold in every datacenter.

In the area of communications, the consolidation trend continues. Instead of traditional telephony, Unified Communications (UC) represents a paradigm shift similar to what’s occurring in other technologies. UC combines presence, VoIP, IM, email, and conferencing into a single comprehensive service. Gone are the service technicians responsible for rewiring and maintenance. UC makes those skills unnecessary. In the future, one or two systems analysts will centrally handle communication implementation and flow from within the datacenter.

III. Data Technology

The exponential increase in data in the future has often been commented on. With the rise in mobilization, and all its attending media features, we will not only be producing more data, but companies’ demand for that data will increase as well. Business success will hinge on an organization’s ability to make sense of its accrued data and use it to achieve key strategic goals. With that will be the need for analysts who can identify and predict trends ahead of the competition as well as define what data is needed and where to get it. This is just one example of technical capabilities being combined with business savvy and know-how to produce actionable results. Gone are the SQL database administrative duties. The ability to blend the unstructured (big data) with the structured (business interests) represents a unique skill set that illustrates the convergence of abilities that will be in greater demand.

An IT professional who has the technology background to offer abstract skills (math, engineering), an ability to interact effectively with the business and service sector (public speaking, interpersonal skills), and the intangible (imaging and visualization, imagination) has the key attributes of a successful data technologist. These technicians can build meaningful, structured results out of often incoherent piles of data.

IV. Security

The 24/7 business cycle requires company infrastructures to always be up. Losing a day in transactions due to a security breach can be substantial in dollars, not just in the loss of credibility. Add to the mix the increase in mobile workers accessing company networks, and the increase in the number of attack vectors has serious repercussions. Distributed Denial of Service (DDoS) attacks, malware run amok (Stuxnet, Flame), and cyber criminal concerns require the right security infrastructure architects to build alerting technologies, in-line defense tools, and systems designs that can repel such attacks. A number of companies will resort to third-party security providers as well as rely on cloud-based security services.

While security management skills will become increasingly important, these providers of cloud-based SaaS services will inherently provide efficient protection features, and mobile platforms will also offer better security. Within organizations, gone are the traditional back-up and recovery skill sets, which will be relegated to third-party providers. According to David Foote, president and CEO of research firm Foote Partners LLC, “Securing information ... will change in 2020, when companies will cast an even wider net over data security, including the data center, Internet connectivity, and remote access.”

Gone are the technicians who relied on security standardization, procedures, and auditing. Moving forward, security will be less about constructing layers of standardized controls within the perimeter. It will demand a careful, nuanced approach and smart solutions. New skills include those such as virtualization technologies, centralized managing capabilities via maturing dashboard tools, data mining, and the ability to implement management tools in a company’s public or private cloud.


Keeper Password & Data Vault

This app was recommended by one of our clients. It was interesting enough to pass on the information and give you a review.

Remember back in the good old days when you could make your password be “password” and no automated system could deny you this unalienable right? Nowadays it’s all about capitals, numbers, symbols, and whatnot. I can barely remember my usernames, let alone all these military encryptions.

The app is Keeper Password & Data Vault, an app that saves all your passwords onto your mobile phone. At first, this seemed a bit too much like putting all your eggs in one basket. However, the program is guarded by a master password, which I recommend not being “password”. If you get the password wrong five times, depending on your setting, the program destroys the secret data on your device, and your passwords are safe… in a twisted sort of way.

The layout of Keeper is as simplistic as its purpose. Keeper requires you to put each entry into a folder, which is nice, but I would rather it not be mandatory. After selecting a folder, you need to add a title for each entry, together with other data such as login ID, password (duh), login URL, and notes. When inputting your ID and password, you can choose to have Keeper make a randomized credential. This code is complicated enough that you would certainly need this app to remember it.

Once the code is input, it is saved to your local storage. When viewing your app page, merely touching the ID or password will save it to your clipboard, which is nice since selecting words on a touchpad can sometimes be finicky.

There is not much else to this app. While Keeper only functions within narrow tasks, it does those tasks well. Keeper can back up your passwords to a protected server, but sadly this feature and other advanced options are available only on the paid version.


Microsoft Purchases Yammer – what it may mean for you…

Many employees at the junior (and now senior) end of the workforce live aspects of their personal lives through Facebook and Twitter, so the idea of introducing similar kinds of tools into the workplace seems to make sense from a communication and collaboration point of view. It’s not just Microsoft eyeing up the opportunities afforded by the Facebook-led social paradigm shift. Established enterprise IT vendors, such as IBM, Oracle, and SAP, are all busy bringing social capabilities to the workplace via a variety of ways and means.

Microsoft already has a product that touts social capabilities – SharePoint Server – but this was designed and built in the pre-Facebook, pre-cloud era. Launched in 2008, Yammer is a new breed of enterprise collaboration solution, designed from the ground up to exploit social, mobile, and cloud technologies, and would sit neatly alongside Skype, the communication product that Microsoft acquired this time last year for $8.5 billion.

Microsoft’s acquisition of Yammer is the latest in a wave of high-profile acquisitions and consolidations in the social software space. We’ve already seen VMware acquire Socialcast, Jive Software snap up Offisync, Oracle scoop up Collective Intellect, and Yammer purchase OneDrum. And these represent just a small snapshot of activity over the last few years.

The Microsoft / Yammer deal provides further validation of the increasing importance of enterprise social software. Technology that supports the new ways in which people are sharing information and working together is no longer a ‘nice to have’ for businesses. Companies that fail to use innovative social and mobile tools to make the best use of information in today’s knowledge economy will simply get left behind their competitors.

By buying up social enterprise vendors, technology goliaths such as Microsoft and Oracle have obviously woken up to the fact that this really is the future of working. They are now racing to plug the gaps in their own social offerings so that they can respond to increasing demand from businesses and government organizations alike.

The Cost of Cloud Computing Failures

Of late, many pundits have been professing the benefits of cloud computing, such as reduced capital equipment purchases, scalability, reduced management costs, and fixed costs.

The International Working Group on Cloud Computing Resiliency has reported,

“total of 568 hours of downtime at 13 well-known cloud services since 2007 had an economic impact of more than $71.7 million dollars”

Although this isn’t a staggering number over 5 years, this number would more than likely increase as the adoption of cloud computing increased.

According to IWGCCR, the average unavailability of cloud services is 7.5 hours per year, amounting to an availability rate of 99.9%. For mission-critical systems, the expected uptime is 99.999%. A typical electrical grid in the US has downtime of less than 15 minutes per year. “It is extremely far from the expected reliability of mission critical system (99.999%). As a comparison, the service average unavailability for electricity in a modern capital is less than 15 minutes per year,” the researchers noted in their paper.

This is the first paper the IWGCCR has published on the Availability Ranking of World Cloud Computing (ARWC). As cloud computing grows and increases in use both by governments and globally, it is important to understand how reliable cloud computing is, especially as it takes on ‘mission critical roles’ in healthcare and other sectors.

The research on cloud outages was conducted using some of the biggest users of cloud computing in the world, such as Twitter, Facebook, Amazon, Microsoft, Google, Yahoo and PayPal, to name a few.

The group admitted that the methodology used is far from perfect and plans to use a better method for the next report. IWGCCR felt that outages were underreported and that it did not have an accurate assessment of the economic impact of the outages.

It wasn’t discussed, but I would imagine there may be a difference in outages depending on the vendor.

As companies are considering cloud computing, up-time considerations and a solid track record of the vendor must be looked at as well. This may hurt some of the newer cloud computing service providers as they wouldn’t have an established track record or history to demonstrate to prospective clients.

Preventing Cybercrime: An unusual study

“The cost of protecting ourselves against cybercrime can far exceed the cost of the threat itself … [therefore] we should spend less in anticipation of cybercrime and more on catching the perpetrators.”

That is the controversial conclusion of a new University of Cambridge IT security research study called “Measuring the Cost of Cybercrime” being released today. The study, conducted at the request of the UK Ministry of Defence, which was concerned that cybercrime was being over-hyped, is claimed in a press release to be “the first systematic estimate of the direct costs, indirect costs and defence costs of different types of cybercrime for the UK and the world.”

Of course, in studies like this, it is important to look at what the study authors defined as being a “true cybercrime”, which is one “unique to electronic networks, e.g., attacks against information systems, denial of service and hacking.” As noted in the paper,

“We distinguish carefully between traditional crimes that are now ‘cyber’ because they are conducted online (such as tax and welfare fraud); transitional crimes whose modus operandi has changed substantially as a result of the move online (such as credit card fraud); new crimes that owe their existence to the Internet; and what we might call platform crimes such as the provision of botnets which facilitate other crimes rather than being used to extract money from victims directly.”

“As far as direct costs are concerned, we find that traditional offences such as tax and welfare fraud cost the typical citizen in the low hundreds of pounds/Euros/dollars a year; transitional frauds cost a few pounds/Euros/dollars; while the new computer crimes cost [only] in the tens of pence/cents.”

However, the societal costs for protecting against new computer crimes are far out of proportion with what the new crimes net, the researchers argue, whereas the cost of protecting against more traditional crimes is more in line with their direct costs imposed upon society. For example, the UK is said to be spending some $1 billion on efforts to protect against or clean up after a threat, including $170 million on antivirus measures, but only $15 million is being spent on law enforcement to pursue cyber criminals. A better approach is to “perhaps spend less in anticipation of computer crime (on antivirus, firewalls etc.) but we should certainly spend an awful lot more on catching and punishing the perpetrators.”

The argument seems premised on the assumption that a small number of cybercriminals are responsible for the vast majority of the cybercrimes and that businesses will make the requisite investment to keep their IT systems secure.

The researchers don’t give much in the way of advice on how much less we should spend on anti-virus software (or how individuals should decide to forego it), or how much more funding should be spent on law enforcement. Would quadrupling to $60 million the amount of money spent on UK cybercrime law enforcement make a serious dent on UK cybercrime, for instance? Would that amount allow UK citizens to pitch their anti-virus software? Or would that increase in spending be a wasted effort unless similar increases in law enforcement spending happened around the world as well?

Time to reset your Password (again!)

We’ve seen a lot of change-your-password announcements this week, and firms that have admitted to having their password security breached have tumbled like dominoes.

It started big with the news that 6.5 million passwords had found their way out of LinkedIn, and then spread to other web sites like dating place eHarmony and music service

This might be just the tip of the iceberg, too. There are rumours in the wild about other web sites that might also be affected, meaning that other users could also be at risk. Over the course of this past week online passwords, the way they are stored and the way they are protected, have been proven to be something of a joke.

LinkedIn was found to be using encrypted but unsalted passwords, something that earned it the response from the security community: “It is not enough,” “You goofed,” and finally “If they had consulted with anyone that knows anything about password security, this would not have happened.”

The passwords, even though they are protected in some way, are being cracked right now, and the unsalted bag of 6.5 million login credentials is falling day by day.
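An added example (not from the original post, and not LinkedIn's code): the Python sketch below shows what "unsalted" means in practice and what a salted, deliberately slow scheme looks like, including upgrading old records at login. SHA-1 as the legacy hash, PBKDF2-HMAC-SHA256 with 200,000 iterations, the record layout and all function names are assumptions; the sample accounts are constructed.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 200_000  # assumed work factor; tune for your hardware

# Constructed sample accounts: alice and bob happen to share a password.
SAMPLE_USERS = {"alice": "summer2012", "bob": "summer2012", "carol": "c0rrect-horse"}


def legacy_record(password):
    """Unsalted fast hash (SHA-1 assumed): same password -> same digest."""
    return {"scheme": "sha1", "digest": hashlib.sha1(password.encode()).digest()}


def salted_record(password):
    """Per-user random salt plus a deliberately slow key-derivation function."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"scheme": "pbkdf2", "salt": salt, "digest": digest}


def check(record, password):
    """Recompute the digest under the record's own scheme, compare in constant time."""
    if record["scheme"] == "sha1":
        candidate = hashlib.sha1(password.encode()).digest()
    else:
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), record["salt"], PBKDF2_ITERATIONS
        )
    return hmac.compare_digest(candidate, record["digest"])


def login(store, user, password):
    """Verify a login and upgrade a legacy record to the salted scheme on success."""
    record = store.get(user)
    if record is None or not check(record, password):
        return False
    if record["scheme"] == "sha1":
        store[user] = salted_record(password)  # plaintext is only available here
    return True


def users_sharing_a_digest(store):
    """Groups of users whose stored digests are identical.

    In an unsalted table this exposes password reuse to anyone holding the
    dump, and one recovered password unlocks every account in the group.
    """
    groups = {}
    for user, record in store.items():
        groups.setdefault(record["digest"], []).append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


def demo():
    legacy = {u: legacy_record(p) for u, p in SAMPLE_USERS.items()}
    salted = {u: salted_record(p) for u, p in SAMPLE_USERS.items()}
    return users_sharing_a_digest(legacy), users_sharing_a_digest(salted)


if __name__ == "__main__":
    print(demo())
```

With a per-user salt, identical passwords no longer produce identical rows, so each stored digest has to be attacked separately, and the slow derivation function raises the cost of every guess.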

The message from the victim firms is that they do treat security seriously. For example, they won’t be emailing any links to password changing web pages, in order to thwart phishers. But do they really have good security? And isn’t it too late anyway?

They’ve chosen to spin out the same old messages about how important the users’ choice of a password is. It should be long, complicated, changed regularly, uncrackable, and memorable.

It’s the last part that is a problem. If you can remember a password then someone can probably guess it. Most people can’t remember their own mobile phone numbers these days, never mind a complex string of capital and lower-case letters, punctuation marks and numbers.

One solution to this, and one that I am considering trying, is to write a password on a rock and throw it into the sea. That way no one will stumble upon it, and you will know where it is when you need it.

Well that’s not really a solution.

Another staggeringly complex solution would be to give your password to a friend, but not tell them what it was for. Under this system a friend, we’ll call him John, would have your login to Twitter for example, but not know what it was for.

You would have to assume that he would not be curious enough to try it on any of the big web sites, and rely on him to tell you what it is every and any time that you need it.

This would work like the automated password request option you find on most web sites, but would not require you to rely on a third party provider that has better things to do with your data, like sell it for example.

The “John System” as I am temporarily calling it, relies on you staying friends with your friends.

In the meantime, the more random a password you use the better. If we can’t rely on companies to encrypt them properly then it is up to us to do as much as we can to make them into the sort of cryptic puzzles that keep mathematicians drinking coffee.

Random password generators are good for this, because they remove any trace of personality from your choice of password, making it harder for people to guess them using social engineering.

Or you could choose to only join those web sites that you think you can trust. This might only be a small list, but hey, that’s the nature of the internet. You can moan all you want about what happens to your data after a security breach, but if you’ve chosen to use a weak password on a crappy web site then you are doomed from the start.

The internet isn’t a theme park, it’s the Wild West.


Just how easy is it to become a spammer in 2012? Too easy to be true.

Especially in times when everything needed to become a spammer, starting from a managed spam appliance, DIY email harvesters, and millions of harvested emails, is available for sale within the cybercrime ecosystem. Despite the numerous botnet takedowns we’ve seen in recent years, spam and phishing attacks continue plaguing millions of end and corporate users, potentially exposing them to malicious links, malicious payloads and fraudulent propositions.

In this post, I’ll profile a Russian managed spam service that’s been in operation for 5 years, allowing novice cybercriminals an easy entry into the world of spamming.

What’s particularly interesting about the service is that it’s currently advertised at a dozen cybercrime-friendly underground communities, in an attempt by its owners to increase the client base.

How does the service differentiate itself from the rest of the propositions within the cybercrime ecosystem? By emphasizing key core competencies such as managed QA (quality assurance), ensuring that the message about to get spammed will successfully bypass anti-spam filters. Next to this option, the service also offers the availability of graphic designers capable of producing custom layouts on request. Not surprisingly, thanks to the fact that the service is built around the concept of anonymity, a customer could easily request the design of spam templates impersonating Google, Facebook, USPS, LinkedIn, US Airways, or Verizon Wireless.

Security tip: Since spammers constantly crawl the public Web looking for emails, including micro-blogging services such as Twitter, make sure that you’re not publicly sharing your email address in an easy-to-crawl way, if you don’t want to have it become part of a spammer’s arsenal.

For customers who don’t have their own databases of harvested emails, the managed spam service will gladly let them take advantage of the already harvested databases of publicly obtainable emails.

Databases of harvested email addresses on a per country/industry/type of email basis are available at the following prices:

  • Moscow region – 3,200,000 harvested emails – Price: 8,000 rubles ($256)
  • Moscow organizations and manufacturers – 800,000 harvested emails – Price: 4,000 rubles ($128)
  • Moscow citizens – 2,450,000 harvested emails – Price: 5,500 rubles ($177)
  • Russian organizations and manufacturers – 3,280,000 – Price: 7,500 rubles ($241)
  • Russian citizens – 10,000,000 harvested emails – Price: 13,000 rubles ($419)
  • St. Petersburg organizations and manufacturers – 270,000 harvested emails – Price: 3,300 rubles ($106)
  • Kiev based companies – 480,000 harvested emails – Price: $150
  • Ukraine based emails – 1,500,000 harvested emails – Price: 5,000 rubles ($161)
  • Austria based emails – 185,000 harvested emails – Price: $100
  • United Kingdom based emails – 130,000 harvested emails – Price: $100
  • Germany based emails – 300,000 harvested emails – Price: $100
  • Italy based emails – 210,000 harvested emails – Price: $100
  • Estonia based emails – 20,000 harvested emails – Price: $100
  • and the list goes on and on….

Among the key differentiation factors used by this vendor of managed spam service is the ability to send spam to fax numbers, with an already obtained database consisting of 98,000 fax numbers. This and the recently exposed capability of managed MMS spam sending indicate the vendor’s ongoing customerization of their business model.