BI

Guest lecturing at the Norwegian School of Management

I have received an invitation to do a guest lecture on information security at the Norwegian School of Management BI again this year. You may recall that I did this last year too (more, and more).

As I did last time, I would love to have your ideas and inputs as to what I should focus on. Last year, I made it an interactive workshop around the TJX case. It worked great, and I got great feedback. This year I was thinking along the lines of black PR, and how to deal with it from a company view.

What are your thoughts on that? Is it a viable security issue from a company view? Are there any well-known cases out there?

Corporate spying


Bruce Schneier covers corporate spying today - you know, when your employer or your shop uses spying methodology to get to know you better. I only wish this was new - government-trained security specialists have crossed over to private business since the dawn of time.

Since you do not have to work for the government to have a license to kill - it is enough to be a hired gun - and the number of specialists increases, it is only natural that some accept tempting offers from the corporate world.

What is more - there is nothing strange in a company, big or small, protecting itself. The challenge is to be able to draw the line - where do you stop? Is it OK for Wal-Mart or HP to install wiretaps on you (or someone else)? If not - when would it be OK? If you think it is just fine, when would it NOT be OK anymore?

We know that most companies today use computers to track everything related to their production, logistics and sales. Why is it so shocking to read that they are using computers to analyze and track that information too? After all, Business Intelligence and data warehousing are nothing new under the sun.

From the article:

"If you try to buy more than three cell phones at one time, it will be tracked," he (David Harrison) reportedly told the audience.

The fact that they let you know some of their thresholds may raise a few eyebrows, but again - if you are a smart criminal, you would not use a clean ID to buy your batch of prepaid phones, now would you? Most likely you would use someone else's CC?

When your company is large enough, you start spending money on security. And security in this sense means you put into action counter-measures and information gathering. When your company is larger than some countries, it would be quite expected that you use some of the same measures to protect your assets.

I think it is unavoidable. We keep introducing tools that facilitate the collection, storing and analyzing of data. Obviously some will collect and analyze more data than others. Surely this will continue. And most importantly, most people do not care.


Experience report – teaching at the Norwegian School of Management BI

I promised you a report from my guest lecture at the Norwegian School of Management BI.

First, thank you to all of you who gave me ideas and input to the workshop! Invaluable! And I owe a great deal of the success to you! You all know who you are!

On to the report then.

I was given the opportunity to host a guest lecture for the third-year bachelor students at the Norwegian School of Management BI. The study is a bachelor in IT management – i.e. these students are going to be the next-generation CIOs, IT managers and IT directors out there.

Some of you might scream:

“Oah – what the hang glider – white-collars to be the IT-managers??? What about the nerdy-ness required? What about their technical know-how? Do they even know how to configure a firewall?”

First of all – the CIO, the IT-director and the IT-manager – those are managerial jobs. Those are there to handle the business side of ICT. Those are there to execute the business strategy of ICT. The sooner you realize that, the better.

Secondly – the study is very interesting indeed. Agreed, they do not delve deeply into firewall administration – but they do dig into technology and ICT, and the students are genuinely interested in the geeky side of things.

Thirdly – they bring business understanding and value to the table. They have been taught budgeting, reporting and economic analysis. They understand the relation between business goals, and the relevance those have to ICT.

So IMO, this study is very important and relevant. It provides the market with IT-managers with a sound combination of business understanding AND ICT-interest. These boys and girls can set up a network, while discussing implementation of business strategy with the CEO.

Now that is out of the hat, and I can move on :)

I got approval from Renny – the lecturer of the class – to run my guest lecture as a workshop. The purpose was simple – to actually have the students working instead of just listening or surfing.

I based the workshop upon the TJX case. I took some of the facts, without telling them that this was a true case of course. The facts I gave them included the size and time frame of the breach, and then I asked them to discuss the possibility of this being true or not.

As expected, discussion was on.

I then added some more details, and they were to role-play being the company, and decide what they should have done to prevent this from happening. They had to incorporate some theory that they were supposed to have studied too. This exercise was in groups of 4, and they spent some time finding the answers. A healthy discussion and plenum summary followed. There were many great ideas, and they realized the complexity of such a case.

Their last task was given to them after I told them the truth, and some more details. The task was to be the upper management, in the days after the breach was publicly known. They would have to decide what to do now – and the focus is of course to make the best business possible.

Taking into consideration that they were students, with little or no knowledge of running such a huge operation as TJX, they did very well indeed. Most importantly, I think they learned that business is about making a profit, while reducing risks.

According to the feedback after the session, the students enjoyed the workshop.

I know I loved the opportunity, and had great fun.

CNIT in Paris is cancelled this year

The largest conference within IT, e-business, BI, security and CRM - the CNIT in Paris, is cancelled. 

I used to be there back in 2000, talking about the importance of multilingual e-business solutions in Europe. According to the press release below, the cancellation is due to technical security problems at the Paris Expo conference center.

The complete press release (translated from the French) is below:

Official Press Release
Priority – For immediate release

Paris, 29 September 2007.

Hello,

You are an exhibitor, partner, journalist or visitor of the ERP - SOLUTIONS E-ACHATS - MVI CRM - SOLUTIONS DEMAT' - SOLUTIONS FINANCES - SOLUTIONS BI and SYSTEMES SERVEURS ET APPLICATIONS trade shows that were due to take place at the CNIT, La Défense-Paris, next week, from 2 to 4 October.

On Thursday 27 September at 4:30 pm, Paris Expo informed us that, owing to major technical failures of its fire safety system, the CNIT will not open its doors next week.

As a result, the trade shows of 2 to 4 October are cancelled.

We offer you all our apologies for this cancellation, which is beyond our control.
We will keep you informed of the new dates within eight days.

Kind regards,

Sylvain Arquié
Chairman and CEO, Groupe Solutions

Cases for students?

As I have mentioned earlier, I will be a guest lecturer at BI (Norwegian School of Management) this autumn. And as I hate boring "read-the-manuscript" type lectures, I will do a two-hour case study workshop with the students.

I want to take one or two security scenarios that are relevant for business managers and middle management, and have the students work in groups as the imaginary management of a corporation. The point is to teach them how security can and will impact their future job, and to prepare them to be proactive and resourceful when disaster strikes.

I would love to hear about relevant scenarios from my readers. I know there are many resourceful people among my readers with great stories to share. I also know that some of those stories might be even more relevant and exciting than the more local cases I have.

So, please post your stories as comments - or if you prefer, use the contact page.

Thank you kindly :)

The blogger is Kai Roer, a European Information security professional.
