CTO and CIO Toolkits

Salaries fall according to one suvey

webmaster — Thu, 18 Aug 2011 16:15:04 -0600

According to Foote Partners, the average market value for 265 noncertified skills dipped slightly (-0.2 percent) from April to June following consistent gains in the previous five calendar quarters, while pay premiums for 237 IT certifications continued their abysmal performance" for the 18th time in the last 19 quarters, posting an overall loss in market value of nearly 2 percent for the quarter.

Only one category of certifications - database - grew in overall market value (+2.6 percent) in the latest quarterly benchmark update from Foote, bolstered by gains in three Oracle certifications. For noncertified IT skills, four of eight skills categories showed improvement: management, methodology and process skills (+2.4 percent in pay premiums), messaging and communications skills (+1.7 percent), database skills (+0.6 percent) and SAP & enterprise business applications skills (+0.3 percent).

Declines were more widespread, with IT certifications taking the biggest hit, such as entry-level and training certs (-5.9 percent in pay premiums), Web development (-4.0 percent), IT security (-2.9 percent), systems administration and engineering (-2.5 percent), applications development and programming languages (-2.3 percent), and networking certifications (-0.2 percent). Only four of eight categories of noncertified skills recorded losses in market value, though these losses were not as steep as those recorded in the certifications groups.

Security Policies Required to Stop SPAM

webmaster — Sun, 14 Aug 2011 16:20:31 -0600

Security policies and audit procedures are required if enterprises look towards stopping spam. Courts and lawsuits do not help.

For example, spammers allegedly obtained the login credentials for Facebook accounts. The accounts were then used to send spam to those users' friends. The spam either linked to other phishing sites that sought to collect more Facebook account credentials or linked to other commercial Web sites that paid spammers for referrals.

The same spammer was found guilty of violating the CAN-SPAM act and was ordered to pay $230 million for spamming and phishing on MySpace. The spam led to gambling, ringtone and pornography sites.

Facebook may choose to close the file once the default judgment is entered against the spammer, the court filing said.

Why Disaster Recovery Plans Fail

webmaster — Mon, 08 Aug 2011 04:15:18 -0600

Because of their complexity and lack of standardization, traditional disaster recovery infrastructures often fail to meet enterprise requirements for recovery speed and integrity at a reasonable cost.

Downtime, whether planned or unplanned, often translates into lost opportunities and increased costsand for many enterprises today, any amount of downtime is unacceptable. Having an effective recovery strategy and a set of coherent disaster recovery plans is essential to helping avoid downtime during a crisis.

The need for enhanced quality, efficiency, and predictability for disaster recovery and business continuity has increased significantly, highlighting the necessity of a well-defined set of recovery plans and regular testing. However, as the required scope of critical processes, production applications, and enterprise demands increases, sustaining the timeliness and effectiveness of a recovery plan can become increasingly difficult. For most organizations, disaster recovery is extremely labor intensive, often requiring the manual coordination of hundreds of recovery tasks. So although the importance of having an effective disaster recovery plan is clear, organizations often find it difficult to achieve the level of protection they need.

Disaster recovery plans suffer in recession

webmaster — Fri, 29 Jul 2011 09:07:17 -0600

According to a HP survey of IT managers at small businesses across the United States, 93 percent of companies have placed cost concerns over the best IT solutions, leading 89 percent of those companies to experience IT-related problems.

The study found that the top three IT problems reported by cost-conscious companies are low-performing hardware (46 percent), out-of-date hardware (37 percent) and unreliable hardware (23 percent), leading to suboptimal computing efficiency and an overall loss of productivity.

The survey also revealed that 54 percent of small businesses cite summer as the peak season for working remotely. With 58 percent of IT managers stating that they have not invested in network security this year, companies will find they are adding pressure and potentially greater security risks to their already stressed IT networks.

The survey was conducted among 500 IT managers at small businesses, between May 31 and June 6, 2011, using an email invitation and an online survey.

Hackers attack "secure" servers

webmaster — Wed, 13 Jul 2011 08:13:36 -0600

The Anti Security hacking campaign announced July 11 that it has broken into an unsecured server at government contractor Booz Allen Hamilton, copied about 90,000 military e-mails and password hashes, and made them available for downloading.

The announcement gave no details of the exploit used to enter the system, but saidt, "we infiltrated a server on their network that basically had no security measures in place. We were able to run our own application, which turned out to be a shell and began plundering some booty."

The incident is the latest in a list of embarrassing and possibly connected breaches of government and contractor IT systems and Web sites, including the Senate, CIA, the Atlanta chapter of InfraGard and others.

Using its pirate-themed language, it described other "booty" as "maps and keys for various other treasure chests buried on the islands of government agencies, federal contractors and shady whitehat companies. This material surely will keep our blackhat friends busy for a while."

Who are the Million Dollar CIOs

webmaster — Wed, 13 Jul 2011 07:31:41 -0600

The numbers are in! Janco Associates has released its mid-year 2011 IT Salary Survey. The company uses information from submitted survey forms and public sources (SEC filings and the like), and while the overall mean for IT jobs is up a mere 1.13 percent over 2010, the survey reveals a baker's dozen CIOs who are doing just fine, thank you.

Million-Dollar CIOs

Name	Company	Salary	Total Compensation
Timothy Shack	PNC Financial Services	$510,000	$5,942,093
Gregor Bailar	Capital One Financial	$466,667	$4,522,681
Steven Sadoff	Knight Capital Group	$250,000	$1,993,434
Mahvash Yazdi	Edison International	$364,247	$1,878,848
Kenneth Tye	Total Systems Services	$375,000	$1,849,341
Byron C. Vielehr	Dun & Bradstreet	$325,000	$1,633,033
Karen Austin	Sears Holding Corp.	$454,744	$1,557,136
John J. Sullivan	Liz Claiborne	$491,666	$1,499,176
Gregory Tranter	Hanover Insurance Group	$330,385	$1,294,731
Richard Connell	Selective Insurance Group	$375,385	$1,268,134
Larry Thomas	Landstar System Inc.	$200,000	$1,251,925
Bruce Marcus	McGraw-Hill	$350,000	$1,239,883
Bobby Spaid	Beckman Coulter	$304,881	$1,100,079

Source: Janco Associates' Mid-Year 2011 IT Salary Survey

Cloud computing deploment

webmaster — Thu, 07 Jul 2011 14:18:30 -0600

Cloud computing is a flexible, cost-effective, and proven delivery platform for providing business or consumer IT services over the Internet. Cloud resources can be rapidly deployed and easily scaled, with all processes, applications, and services provisioned "on demand", regardless of user location or device. As a result, cloud computing gives organizations the opportunity to increase their service delivery efficiencies, streamline IT management, and better align IT services with dynamic business requirements. In many ways, cloud computing offers the "best of both worlds", providing solid support for core business functions along with the capacity to develop new and innovative services.

In addition to the usual challenges of developing secure IT systems, cloud computing presents an added level of risk, because essential services are often outsourced to a third party. The "externalized" aspect of outsourcing makes it harder to maintain data integrity and privacy, support data and service availability, and demonstrate compliance.

Who gets paid what?

webmaster — Wed, 06 Jul 2011 14:21:20 -0600

Different groups get paid differently and have different experiences at work. A survey from CareerBuilder shows wide disparities in pay, although it does not fully address the reasons for such disparities. Workers with disabilities, for example, make considerably less than their colleagues, while lesbian/gay/bisexual/transgender (LGBT) professionals are earning more than any other group.

The survey reveals other disparities with respect to career advancement and perceived discrimination, among other topics. "The U.S. workplace has experienced fundamental shifts over the last two decades," said a senior director of talent intelligence and consulting at CareerBuilder. "While companies have made strides in creating an inclusive workplace for all workers, there is still work to be done." Six diverse segments served as the prime focus of the research: African Americans, Hispanics, Asians, women, workers with disabilities and LGBT. More than 1,300 employees representing these groups took part.

Factors to Consider in a Disaster Recovery & Business Continuity Plan

webmaster — Fri, 01 Jul 2011 09:15:59 -0600

The Janco Disaster Recovery Plan & Business Continuity Template takes into consideration all of the items related to various layers of operations that most enterprises need to consider if they want to continue after a disaster occurs. These include:

Strategy - Items related to the strategies used by the business to complete day-to-day activities while enabling continuous operations. Examples include financial, manufacturing and disaster recovery strategies.
Organization - Items related to the structure, skills, communications and responsibilities of your employees. Examples include human resources, training, and internal and external communications.
Applications and data - Items related to the software necessary which enable business operations, as well as the method used to develop that software. Examples include customer relationship management (CRM) applications, enterprise resource planning (ERP) applications, databases and transaction processors.
Processes - Items related to the critical business processes necessary to run the business, as well as the IT processes used to ensure smooth operations. Examples include accounts receivable, accounts payable, change management and problem management.
Technology - Items related to the systems, network and industry-specific technology necessary to enable your applications and data. Examples include host systems, workstations and Internet Protocol (IP) networks.
Facilities- Items related to the buildings, factories and offices necessary to house your organization and your production or service technologies. Examples include data centers, office buildings and physical security operations.

Infrastructure impacted by globalization

webmaster — Sat, 18 Jun 2011 08:13:47 -0600

Implementing a cost effective IT Infrastructure that aligns with your organization's business strategy is essential to ensuring the success of the Information Technology function. For many IT professionals, the amount of time it takes to develop and implement such a infrastructure, and the unknown process required to complete it, makes infrastructure design and implementation a daunting task. Globalization makes it even more difficult.

Globalisation has stretched companies' supply chains and made them much more vulnerable to problems created by crumbling infrastructure around the world.
The cost worldwide of developing and maintaining infrastructure to meet growing demand over the next 20 years has been put at more than US$41 trillion. But to meet this target would require an enormous jump in spending on transport to 2030, which at the moment amounts to only $1 trillion globally each year.
It isn't only land links that are under increasing strain. In Brazil, ports are struggling to cope with the countrys increase in exports. Bottlenecks have caused goods to pile up on the quayside, while ships have to wait to be unloaded.
It is important for companies that export globally or rely on key raw materials and parts from overseas that they include infrastructure risk in their strategic planning.
The simplest way to assess your vulnerability is to ask how much would it cost in lost sales if one of your key suppliers fails to deliver or if your goods were held up in transit. You might be surprised by the results.

Sony Hacked Again - 1 Million Passwords Exposed

webmaster — Sat, 04 Jun 2011 10:27:00 -0600

A group of hackers behind the recent PBS website breach said they've now hacked into a Sony website. The hackers, who call themselves LulzSec or the Lulz Boat, said they exploited the Sony Pictures website via a SQL injection attack.

The group released 150,000 records gleaned during its attack, saying it didn't have time to copy more. Those records also include material taken from exploited databases for Sony BMG in the Netherlands and Belgium, which contained further information about website users as well as employees.

The takeaway for the average Internet users is clear. Don't trust that your password is being securely stored and be sure to use a unique password for every website to limit your exposure if hacks like these occur.

Businesses should likewise be prepared, by ensuring that they can't be breached via the types of vulnerabilities that have scuttled Sony websites. Sony seems to have been compromised in such a negative and severe way, I'm concerned that other organizations won't use this as a warning sign to analyze their defenses, and will instead adopt an 'it won't happen here' mentality. Many CIOs offer excuses that explain-away why Sony's issues don't affect their customers or employees--which is very alarming.

PCI 2 not a big change

webmaster — Tue, 31 May 2011 17:15:07 -0600

The Payment Card Industry Data Security Standard (PCI DSS) has developed into a workable approach for protecting the handling and processing of payment card transactions. Yet, there are also shortcomings in the PCI DSS, and like all standards, the PCI DSS periodically goes through updates. The latest version - PCI 2.0 released at the end of October 2010 - provides updates on virtualization, monitoring and other areas. Other than the explicit inclusion of virtualization (which had been sorely missing in the 1.2 version of the standard), there are no dramatic changes in PCI 2.0. The remainder of this new version should really be called an adjustment or refinement to policies and processes already in place.

However, the adjustments in PCI 2.0 do show that the PCI DSS can keep up with modern technologies. By explicitly allowing the use of virtualization, this resource-saving technology will no longer be called "out of compliance" simply because it is used in payment card applications. Another area in which the standards council is catching up is with payment application networks, which are now required to plug into a centralized logging solution under the simultaneously released Payment Application Data Security Standard (PA DSS).

Google lets 35 million profiles out with no security check

webmaster — Sun, 29 May 2011 16:52:41 -0600

A security researcher has assembled a single database containing 35 million people's Google Profiles information, including Twitter feeds, real names, and email addresses, among other data points.

Google builds profiles as a way to "decide what the world sees when it searches for you.

The resulting database contains whatever people have added to their own Google Profile, which potentially includes their real name, aliases, Twitter conversations, work experience and educational background, and links to Picasa photos. In addition, about 15 million profiles also have a username, which is the same as a person's Gmail address. Interestingly, he was able to assemble the data "without Google throttling, blocking, CAPTCHAing" or encountering any other form of security protection.

You can download the Table of Contents and some sample pages by clicking on the link below.

This policy is easily modified and defines how to treat Credit Card, Social Security, Employee, and Customer Data. The template is 34 pages in length and complies with Sarbanes Oxley Section 404, ISO 27000 (17799), and HIPAA. The PCI Audit Program that is

In the most recent update to this template, the Massachusetts and California mandated requirements were specifically included as part of the policy.

IT Jobs on the upswing

webmaster — Wed, 25 May 2011 08:11:53 -0600

eWeek - There are more technology job openings in a single day on Dice's career site than there are computer science grads ready to join American businesses, according to a report from Dice Holdings, which runs a career site for technology and engineering professionals. In California, that ratio is 3-to-1, the company noted, and the number of computer-related bachelor's degrees conferred has plummeted in nearly every state, creating a pipeline problem that leads from corporate America through college campuses to primary schools nationwide.

As outlined in their recent report "America's Tech Talent Crunch," 18 states and Washington, D.C., have shortages of local graduates when comparing job openings to associate's and bachelor's degrees conferred. Those states overlap critical tech markets, including Silicon Valley, Seattle, Dallas, Boston, New York, Washington, D.C., Los Angeles and Chicago.

These gaps have created a competition for talent, Dice said. Ann Hunter of the Massachusetts Institute of Technology explained there are easily two or three jobs for every computer science grad. Likewise, Dr. Tim Lindquist, a professor of computer science and engineering at Arizona State, said, "I can't tell you the last time I had a student, even some of our poorer students, tell me they had trouble finding a job."

Among the "shortage states," only Delaware, Virginia and Washington, D.C., awarded more computer-related bachelor's and associate's degrees in 2009 than they did in 2005. In the other "shortage states," degrees conferred have dropped anywhere from 14 to 68 percent, according to the report.

Now, an opportunity is upon the IT jobs market with technology recovering faster than the broader economy. An up cycle typically encourages more students to enter the field, similar to what was seen in the dot-com era, the report noted. The question is, can corporations, universities and K12 educators fulfill the long-term ambitions of America's budding technology professionals? the report questioned. 'America's Tech Talent Crunch' is a snapshot of how businesses, educational institutions and employees are dealing with palpable shortages in real time, the report stated.

An earlier report from Dice found technology professionals endured a second straight year of nearly flat salaries: Tech workers, on average, garnered salary increases of about 1 percent (0.7 percent) to $79,384 from $78,845 in 2009, after receiving a similar increase the previous year.

Tech professionals expressed slightly more satisfaction over pay than last year, with 50 percent "somewhat" or "very satisfied," an increase from 46 percent of respondents who felt that way last year. Still, nearly four out of 10 technology professionals anticipate they could make more money if they change employers in 2011. Those professionals (24 percent) who felt switching employers would not increase their pay earned, on average, nearly $13,000 more than those who anticipate finding higher salaries elsewhere.

"Companies can no longer get away with paltry salary increases for their technology staffs based on the demand we are seeing for talent," said Tom Silver, senior vice president of North America at Dice. "The moderate increases in satisfaction levels indicate that tech professionals concerns are being heard by some companies, but certainly not all. Retention is the key to driving additional contributions to the business from technology staffs. Employers that are reluctant to increase compensation or step up retention efforts will likely pay for their unsatisfactory ways."

Requirements for a fast recovery

webmaster — Thu, 19 May 2011 17:14:02 -0600

The best way to ensure a fast recovery is to have replacement equipment standing by at an off-site location with the necessary software and configuration to quickly transfer users and data. The best practice includes a remote data center with servers, storage, networking equipment, and Internet access. Restoring to this remote data center from backup tapes will likely take too long, assumes that the tapes were not affected by the original problem, and still leaves the risk of recovering only old data. Instead, replication software can be used to keep the backup systems constantly updated.

A four-hour RTO and RPO requires:

Off-site hardware and infrastructure to run servers and applications
Data updates to the DR site more often than every four hours, preferably real-time
Continual updates of the application and OS configuration (without this, recovery may fail after a patch or an upgrade)
A method to deal with any hardware differences between production and recovery environments

Protect IP Act - Goverment death sentence for web sites

webmaster — Fri, 13 May 2011 04:49:39 -0600

The U.S. Department of Justice would receive the power to seek a court order against an allegedly infringing Web site, and then serve that order on search engines, certain Domain Name System providers, and Internet advertising firms--which would in turn be required to "expeditiously" make the target Web site invisible. If that is done in error, the question is how does a company get its web site back into the search engines. And we all know that the goverment never is wrong is.

In the final version (PDF) refers instead to "information location tool." That's defined as a "directory, index, reference, pointer, or hypertext link," which would certainly sweep in Google, Yahoo, and search engines, and may also cover many other Web sites.

The Protect IP Act says that an "information location tool shall take technically feasible and reasonable measures, as expeditiously as possible, to remove or disable access to the Internet site associated with the domain name set forth in the order." In addition, it must delete all hyperlinks to the offending "Internet site."

In other words, the targeted Web site would start to vanish from the Internet in the United States.

Any copyright holder also could file a lawsuit and seek to levy a less dramatic form of Internet punishment, blocking only "financial transactions" and "Internet advertising services" from doing business with the suspected infringer.

This proposal permits law enforcement to "crack down on rogue Web sites dedicated to the sale of infringing or counterfeit goods." The actual bill text, however, doesn't require that the piratical Web site sell anything--meaning, for example, if WikiLeaks were accused of primarily distributing copyrighted internal bank documents, access from the United States could be curbed.

The Protect IP Act is a successor to last fall's bill known as COICA, for Combating Online Infringement and Counterfeits Act. That bill used different procedures, but also allowed the government to pull the plug on Web sites accused of aiding piracy.

Another bill introduced would make the illegal streaming of copyrighted works a federal felony, a proposal that follows a earlier White House recommendation.

Data center metrics

webmaster — Wed, 04 May 2011 09:28:46 -0600

Standard metrics that are used by many companies to measure data center size and operations include:

Physical server count
Storage capacity utilized and available (free)
Network bandwidth utilized and available (unused)
Budgets
Actual sepending - hardware, software
Staff hours available and used
Engery Consumption
Square footage
Excess capacity
Maintenance costs

Cloud computing wave expoding

webmaster — Wed, 27 Apr 2011 16:33:50 -0600

Cloud computing is changing everything we ever believed about information technology (IT). By essentially renting Web-based applications instead of purchasing software and servers, businesses are beginning to understand the implications of cloud computing for virtually on-demand scalability and reduced infrastructure and complexity as well as saving money.

And that's just the beginning. IT professionals and decision-makers had better be ready for the next generation of cloud computing.

Are you sure your cloud mission-critical business processes are protected?

webmaster — Fri, 15 Apr 2011 11:01:24 -0600

Whether your business is a one-man operation or it employs a thousand people, the starting point is the same: identify the processes critical to your success. To do this, you should first define what critical means in your business. Rank each process according to that definition, and then ask how long can your business survive without it, who performs it, and what IT resources support it.

Questions you need to have solutions for are:

Can you simply not survive without this process? This should be your primary priority. Your business continuity plan must protect all primary priorities when a disaster strikes.

Can you survive only a day or two without it? This should be a secondary priority. Your business continuity plan should address all secondary priorities after primary priorities are handled.

Can you survive a week or more without it? Add it to your list of low priorities.

Business Continuity / DRP Template Designed for CTO Released

webmaster — Fri, 15 Apr 2011 08:53:30 -0600

Janco contiues to update its Disaster Recovery / Business Continuity Template to meet the ever changing requirements of the business environment.

The updates to the template included:

1. Defined generic metrics for DR/BC success

2. Business & IT Impact Analysis Questionnaire Updated

3. Updated references to DRP card

4. Updated formatting to meet WORD 2007 requirements

The version history for updates to template can be seen at http://www.e-janco.com/drpversion.htm and the full Table of Contents with sample pages can be downloaded at http://www.e-janco.com/Register_drp.asp .

Mobile etiquette is getting worse

webmaster — Wed, 06 Apr 2011 09:27:36 -0600

Numerous studies and news reports demonstrate that the inappropriate use of mobile devices is more than annoying, it's risky.

An Intel sponsored survey found that 90 percent of respondents have witnessed poor mobile behavior firsthand, including texting while driving a vehicle and talking on a device while using a public restroom. The survey also found that only 19 percent of respondents admitted to engaging in poor mobile behavior themselves.

Among the findings were:

75 percent of U.S. adults say mobile manners are worse now than in 2009.
65 percent have encountered people talking loudly on a device in public places.
74 percent believe that poor mobile etiquette has created a new form of public rage/violence similar to road rage.
92 percent of adults say that they wish people would practice better etiquette when it comes to using their mobile devices in public areas.

Updating the Disaster Recovery Plan

webmaster — Wed, 23 Mar 2011 08:09:27 -0600

If your organization does not have a business-continuity strategy - and you plan on staying in business after an emergency situation has passed - then the first thing to do is to put a plan in place.

Even for organizations that have plans, this is the time to make adjustments and updates. Start by asking the question, what does business-continuity look like? An answer along the lines of everyone comes to work the next day and work continues as normal is almost as bad as I have no idea. Both indicate a lack of serious thought about dealing with a significant loss of reliable utility power and water, inaccessible roads, fuel scarcity, and injured or missing staff members. Start your planning with a goal such as getting to 50 percent 80 percent capability within one or two days of the damaging event.

Your disaster plan needs to account for the people who will carry it out. Do not be surprised if staff members choose their family responsibilities over work duties if your organization forces them to make a choice. Charge your human resources team with offering family-support services as a predefined benefit for crucial staff. Also, make sure your organization stocks food, drinking water and toileting supplies in areas where crucial recovery work must take place. It's no good knowing the passwords to your crucial systems if staff members are forced to forage for basic necessities away from the job site.

The cloud can play a crucial role in your disaster-recovery plan. However, recall that every single cloud service lives in a brick-and-mortar data center. Make it your business to know where the company's cloud lives and what plans are in place for its continued operation. Make sure you have a service-level agreement that defines how your cloud-based services will move from one physical location to another in an emergency. Keep in mind that you willneed to press providers for fairly detailed specifics. If you hear words to the effect that everything will function just as it did prior to the disaster event, then be suspicious. Re-housing an entire data center is a non-trivial effort that will have some impact on performance.

Over 70% of Lost Laptops are Never Recovered

webmaster — Tue, 01 Mar 2011 14:04:25 -0600

Laptops can and do get lost or stolen. In studies conducted by several security firms, it has been found that over 50% of all lost or stolen laptops disappear at airport security checkpoints an departure gates. Unfortunately almost 70% of these laptops are never recovered.

This policy has been updated to reflect the requirements of PCI-DSS, Sarbanes-Oxley, HIPAA, and ISO. The policy comes as both a WORD file and a PDF file utilizing a standard CSS style sheet.

Compression of Salaries is a Concern

webmaster — Sun, 27 Feb 2011 17:43:40 -0600

There is a narrow gap between the average pay of senior executives, midlevel managers and even IT staff. Considering the salaries some hot skills are commanding, that's not surprising. Money isn't necessarily the make-or-break issue in whether a worker leaves a job. Improving relationships between worker and boss, and more closely aligning the worker with the agency mission can "balance or even trump" the limits on monetary compensation.

Companies clearly can't ignore worker satisfaction with their salaries - not only those highly skilled IT workers, but also their bosses can surely make a statement with their feet.

UN says 2010 was worst year for disasters

webmaster — Sun, 13 Feb 2011 01:05:41 -0600

2010 was one of the worst years for deadly natural disasters and unless better preparations are put in place now, many more disasters can be expected in years to come, the UNs top disaster reduction official said yesterday (24th January).

Some 373 natural disasters claimed the lives of more than 296,800 people last year, affecting nearly 208 million and costing nearly $110 billion, according to annual data compiled by the Centre for Research on the Epidemiology of Disasters (CRED) of the Université catholique de Louvain in Belgium, and supported by the UN International Strategy for Disaster Reduction (UNISDR), the UN body charged with helping coordinate efforts to achieve substantive reduction in disaster losses and build resilient nations and communities.