Open Port IT Community

Our New PC Delivery Process Cuts Employee Downtime

webadmin@intel.com — Wed, 15 May 2013 19:49:16 GMT

Getting a new PC used to take valuable time out of the workday. But as part of our focus on a user-centered model of delivering IT services, Intel IT recently optimized our PC delivery process, resulting in improved employee productivity, a better employee experience, and reduced operational costs. These process improvements allow our employees to return to work more quickly, reducing their downtime from an average of 4.5 hours to 1 hour, a 77-percent reduction. Read the paper "New PC Delivery Process Cuts Employee Downtime" to learn about the changes we made.

Enterprises Security Choices and Tradeoffs for BYOD

webadmin@intel.com — Mon, 13 May 2013 19:34:26 GMT

Bring Your Own Devices (BYOD) continues to gain momentum as users bring devices into work environments by the droves. Enterprises must make tricky security decisions to balance the tradeoffs of costs, user productivity, and security.

BYOD is effecting organizations both large and small. In our highly connected world, workers bring in familiar and favored smartphones, tablets, and other compute devices into work and expect to leverage them for convenience and to improve productivity. It can have a great positive effect on the business but also raises security concerns. Management can’t hide from taking a position, establishing boundaries, and understanding the tradeoffs.

In today’s responsible corporate environment, enterprises realize the danger of uncontrolled devices on their network and accessing business data. It introduces chaos to security and IT manageability, driving up risks and expenses. Organizations want to enable productivity of employees but must maintain a level of acceptable risks and keep costs flat, or at the very least justifiable. It is a tough balancing act between risks, costs, and user productivity.

Management has a number of high level choices, each with pro/cons and other tradeoffs. Before committing to a particular path, leaders must understand these options in order to select the best direction to set for their organization:

1. No personal devices allowed. Forbid personal smartphones, tablets, and non-managed computers from accessing work systems, networks, and data.
Pro: This stratagem manages security risks and keeps costs relatively flat. It has been the traditional solution.
Con: Not practical for 99.9% of the world. It’s like trying to hold back a tidal wave with a paper cup. Workers, starting with the tech savvy, will bring in devices and connect them, soon to be followed by the rest of the staff. Most likely they and the less technical community has already been doing this for some time. It starts with email forwarding, access to work calendars, meeting logistics, file sharing, instant messaging, etc. Implementing such a policy ignores the opportunity for significant worker productivity gains and stifles flexibility which is so desired by everyone. When employees have convenient access to such data, they are more effective, efficient, and happy.

2. Company provides mobile devices. Providing corporate managed devices in lieu of employees’ personal devices, allows vetting of systems before they access work networks and data.
Pro: Security standards, selective deployment, and the ability to enforce controls, allows the organization to manage risks and costs.
Con: Upfront expenses are high, user happiness tends to be low, and manageability costs slowly creeps up over time. The out-of-pocket equipment and service costs can be very expensive. To control costs, most organizations will not provide everyone a company device. So there emerges a “have” and “have-not’s” class system which spawns resentment. Those who are provided devices must manage their personal devices in addition to the company provided ones. If you have ever been forced to carry two phones, you know how much of a pain this becomes.

Even in a perfect environment with happy users, a different problem emerges. The comingling of personal and private data on employer managed devices. This can be a nightmare, fraught with legal and ethical pitfalls.

Each class, brand, and even model must be configured and secured. IT departments must support users trying to access services and data. The more types of devices, the more complex and expensive the support becomes. One of the keys to managing support costs is scalability. So, it is normal for an organization to settle on one or two to start. Which will not make everyone happy as people have their own preferences. Demand can grow to expand the list of supported configurations, especially as new options become available in the marketplace. Expanded support is great for users, but a nightmare for IT as it increases the legacy support of older configurations which are still in use. Over time the cost to support will steadily increase and the cost of refreshing old and damaged devices will be ever present.

From a productivity perspective, users get an initial boost from the latest equipment and software, but will soon see a degradation as the organization cannot keep up with the latest features coming to market.

3. BYOD of Any Device. All devices welcome with open arms! Users are able to bring in, connect, and use their favorite devices. Security controls are usually network based or via containerization technology on the device itself.
Pro: Initial hardware costs are very low for the organization, as the user absorbs initial out-of-pocket costs for the device. Productivity remains high, as users will continually install latest applications and refresh to current hardware as they see fit.
Con: Expensive to manage and secure. Costs skyrocket to provide and maintain security controls and connectivity support over a wide swath of different devices and applications. Security solutions, many with a high per-seat cost, is required. Not all devices are created or configured equally, adding to the cost and frustration of IT and security departments. The expenses continue to increase and never plateau as users follow the non-stop march of evolving technology, applications, and shiny devices

Challenges with co-mingling of users private data with enterprise oversight can still persist depending upon controls and access configurations

4. BYOD of Certain Devices. The middle ground, allowing users to front the initial costs and enterprises can focus on security and management of a much smaller subset of devices. Network, cloud, and device containerization technology provide security.
Pro: Low initial costs as users purchase the devices. It is a flexible model where the optimal balance of cost, productivity, and security can be adjusted as needed.
Con: Still costly, as the enterprise must invest in security solutions for allowed devices, but policy will limit the number of configurations and therefore help keep costs and risks more manageable. As new devices are supported costs will rise due to legacy support and other complexities. Security is managed based upon the vetting and controls mandated for approved configurations.

Productivity varies based upon the breadth and timeliness of support for new technologies. Satisfaction and productivity also follow this curve. The more devices and applications supported in a timely manner, the happier and more productive the users, but the costs skyrocket accordingly.

Sadly, the pesky problem of data comingling is still present.

There is no universal winning choice. It really depends on the organization, risk appetite, budget, worker productivity needs, and the sway of the most vocal users. A very small number of organizations can disallow all personal devices, mostly government types. Only companies willing to spend a tremendous amount of money on hardware or those which already have a strong caste systems to support a limited distribution will be interested in providing workers with such devices in addition to primary work PC’s. Organizations which have little need for confidentiality, integrity, and availability aspects of security might be able to live with openly connecting any BYOD their users may bring into the office. Although a significant number of organizations may try to dabble in this area before realizing the rapidly growing support costs and security issues before changing to a different strategy. In the end, I believe the majority of organizations will choose to embrace the last option of supporting only certain BYOD devices. They will select a mix of devices, software, and controls which satisfy a broad community while keeping costs and risks predictable. This is no small feat as these solutions are not yet mature.

Every organization must find their own path. They must consider the options and tradeoffs of costs, productivity, and risk. No perfect solution exists, but with forethought, collaboration with users, and solid execution, a manageable solution might be within grasp.

Maximizing IT Value by Using High-End Server Processors

webadmin@intel.com — Thu, 09 May 2013 19:31:34 GMT

Intel IT has standardized on Intel® Xeon® processors with a core frequency of 2.6 gigahertz (GHz) for two-socket servers to offer maximum IT value for design computing and enterprise server virtualization. Our analysis demonstrates that higher-end processors significantly enhance server performance throughput for a minimal increase in total cost of ownership (TCO). Our analysis demonstrated to Intel IT management and purchasing groups that software acquisition and licensing costs—which represent 3x to 6x the cost of the hardware platform—are the largest drivers of overall TCO for servers deployed at Intel. We concluded that standardizing on high-end processors is a cost-effective way for Intel IT to maximize server return on investment (ROI). You can find more information around our analysis in this recently released white paper Maximizing IT Value by Using High-End Server Processors.

Inside IT: Cloud Aware Applications "Code-a-Thon"

webadmin@intel.com — Thu, 09 May 2013 19:13:21 GMT

Earlier this year, Intel IT started conducting a series of Cloud Aware “Code-a-Thon’s”. These were created in response to a skills gap around applications that were being written in a traditional way and ones that needed to be developed to take advantage of the cloud. This event is an inventive way to bring application developers together, introduce them to concepts of programming applications for the cloud and think in new ways. The intent is to have developers experiment with the cloud and be immersed for an entire day. In this podcast we talk to Cathy Spence, an Enterprise Architect in Intel IT. Spence tells us how the Code-a-Thon came about and what it takes to create an app for cloud. We’ll also hear from participants in a recently held Code-a-Thon at Intel’s Santa Clara headquarters.

Why healthcare should be a team sport

webadmin@intel.com — Wed, 08 May 2013 12:52:09 GMT

Managing the Changing IT Landscape: Technology in Healthcare

The role of technology in healthcare today is undeniable. What’s really interesting, though, is that we still have a long, long way to go.

I wanted to share this powerful TED Talk featuring Intel Fellow and GM Eric Dishman. In his talk, Health Care Should Be a Team Sport, Dishman shares his story and his views on how our healthcare system must evolve.

In college, Dishman was diagnosed with a rare kidney disease and given only a few years to live. For 25 years, though, he was wrongly diagnosed. It took a genomic test and a coworker he had never met to save his life by donating her kidney. And he quickly learned to be a proactive participant in his own care.

In Dishman’s view, the future of personal care must be at home, which should be our default model. He proposes that today’s technologies—such as high-performance computing, big data, and mobile—make this possible, based on three pillars:

Care Anywhere – We invented hospitals and clinics in the 1780’s … it’s time for a change. The notion of traveling to brick-and-mortar healthcare facilities is dated. It’s also an expensive, risky model that is not sustainable.
Care Networking – We must move beyond isolated specialists treating “parts” to multi-disciplinary teams treating the person. “Uncoordinated care today is expensive at best, and is deadly at worst,” he says (and knows, from his own experience).
Care Customization – High-performance computing, analytics, and big data will help us build predictive models for each of us, as individual patients.

I’ll dig a little deeper in an upcoming blog to explore some of the mobile and social technologies that can enable this change. In the meantime, listen in to Eric’s story and proposal for healthcare transformation.

And check out what Intel is doing to enable better healthcare at the Intel in Healthcare page.

Chris
@chris_p_intel
#Consumerization #Healthcare #Innovation

http://www.intel.com/itcenter

NIST Developing New National Cyber Security Framework

webadmin@intel.com — Tue, 07 May 2013 23:53:54 GMT

Last February, President Obama issued Executive Order 13549: Improving Critical Infrastructure Cybersecurity. Its intent is to drive new levels of security into the critical infrastructure of the U.S., systems like dams, the power grid, transportation systems, etc. Many stakeholders, both public and private, had input into shaping the EO and its directives. It is controversial, but like it or not, it has created a lot of activity that could impact any business that uses the internet. For a good overview of the EO, see New rules for cybersecurity? Obama's executive order explained. You can read the EO itself here; the EO itself is only a few pages long.

In part, the EO charges the National Institute of Standards and Technology (NIST) with developing a national Cybersecurity Framework. The Framework will consist of standards, guidelines, and best practices to promote the protection of private information and information systems supporting U.S. critical infrastructure operations, while protecting business confidentiality, individual privacy and civil liberties. Adherence to the Framework will be voluntary—although there is deep skepticism by some that it will always remain so.

To kick off their efforts, in March NIST issued a public Request for Information (RFI) to industry, government agencies, standards-setting organizations, public-private partnerships, and other stakeholders, seeking information on how respondents currently manage cybersecurity risks within their organizations. Thankfully, NIST does not seem to be trying to re-create the wheel, instead they are cataloguing what’s already in use as the basis for the Framework.

I had the privilege of working on Intel’s response to the RFI, and spent six hectic weeks working with an incredibly talented team to formulate Intel’s corporate response to the huge RFI. At the same time, as an Intel representative to the Information Technology Sector Coordinating Committee (IT-SCC), a large public-private partnership, I also worked on their industry-based response with an equally talented group of industry peers. The experience has given me a lot of insight into how the Framework may develop, and along with many others I will be continuing to work with NIST throughout 2013 to build it.

The RFI consisted of 33 questions centered on three major areas: managing cybersecurity, current standards and guidelines already in use, and specific security practices. Some typical questions were, “How do organizations define and assess risk generally and cybersecurity risk specifically?” and, “Do organizations have a formal escalation process to address cybersecurity risks that suddenly increase in severity?” I was pleased to see privacy concerns were explicitly considered in several questions, such as, “What risks to privacy and civil liberties do commenters perceive in the application of these security practices?”

For the Intel response, we wanted to provide as much information as possible on what we know about cyber risk management, while of course also protecting Intel’s proprietary information. Depending on the topic, different experts were assigned to answer a question, then review their answers with a broader group of experts to ensure accuracy. Each answer also had to accurately reflect Intel’s key messages: Ever-changing cybersecurity risks call for flexible and nimble risk-management based solutions; international alignment and harmonization is essential; the Framework must comprehend global privacy and civil rights practices; it must be technology neutral and not proscriptive; and that cybersecurity is a shared responsibility, but industry should lead in developing cybersecurity standards and best practices.

Since most of us were fitting this work in with our regular jobs, it created quite a schedule crunch, but we completed the response by the aggressive deadline, April 8. You can read the Intel response in three parts: 1, 2, and 3. The IT-SCC response, which addresses broader IT industry concerns, can be found here.

The next NIST workshop will be held at Carnegie Mellon University in late May. At that workshop, contributors from all 18 critical U.S. infrastructure industries will see NIST’s first rough draft of what they gleaned from all the responses and what the Framework might look like. Should be an interesting discussion, to say the least. I am attending the workshop and will describe how it went in a future blog.

Turning Big Data into Big Answers

webadmin@intel.com — Wed, 01 May 2013 18:40:53 GMT

Talk live with an Intel IT Center expert: Sure, Big Data is a big deal. But with new sources and growing volumes of data flooding in daily, how do you turn all of that data into meaningful insights that give your business a competitive advantage? In this live interactive webinar, Intel IT experts Ajay Chandramouly and Ron Kasabian will distill what the Intel Big Data Solutions Group has learned about maximizing the value of big data analytics and the cloud. Bryce Olson, Business Strategist at Intel Corporation, will moderate the interactive discussion.

Based on three years of planning and hands-on experience, they will provide practical steps for guiding your Big Data and Cloud initiatives. The discussion will include:

How Intel is optimizing Apache Hadoop deployments
How Intel is using Big Data to bring new products to market faster
How predictive analytics are saving millions across the company

Join this live forum, ask questions, and learn how to turn Big Data into hugely beneficial information your company can act on. Live May 15th at 9am PDT. Register Here

It’s time to put users first

webadmin@intel.com — Wed, 01 May 2013 13:00:50 GMT

Managing the Changing IT Landscape: User-Centered Computing

Are you ready to let users determine what IT services you deliver? Like it or not, they’re already using their own devices, not to mention the cloud-based services they want. Wouldn't it be easier to include them right from the start?

I've been writing a lot on the importance of finding the right tool for the job. At the heart of that idea is user-centered computing—an inclusive approach to managing consumerization that puts all users’ needs first.

When I worked for Intel IT, we put this to action by moving away from the one-size-fits-all model to a customized approach that emphasizes the right fit and design for the job. We did this by:

Conducting segmentation studies to understand job roles and how people work
Inviting employees to participate in pilot studies and early adopter programs to improve and stabilize IT solutions before full deployment
Conducting surveys that help:
- Measure customer satisfaction with existing IT products and services
- Identify the services that are most important to employees
- Solicit input on gaps and unfulfilled needs in our service portfolio
Providing greater choice and flexibility by offering more options for primary computing devices
Establishing and supporting Bring Your Own Device (BYOD) and BYO-PC programs

This approach may seem radical, and it does involve changing the culture of IT. However, this change is necessary to fulfill the mission of IT: creating and delivering greater business value.

Chris
@chris_p_intel
#UserCenteredComputing #Consumerization

IT Center

Moving The Desktop PC Forward: Part 1

webadmin@intel.com — Wed, 24 Apr 2013 18:09:24 GMT

The Desktop PC has been the workhorse of the computer industry ever since the personal computer was first invented. It offers the highest performance and greatest configuration flexibility of any PC form factor (which is why it remains popular with the enthusiast community), but when compared with many of the sleek new devices available today it often falls short on style. The typical tower desktop PC, with a tangle of wires running out the back, has been relegated to the office cubicle or back room of the house – kept out of view of polite company. For those of us who like the configurability of the tower desktop PC it’s time that we look for ways to move the platform forward into the realm of stylish technologies that people expect today.

The good news is that many PC makers are actively working on solutions to this problem. One exciting development is the increased number of All-In-One (AIO) PCs available today (the Apple iMac* or HP Touchsmart* being two popular examples). These AIO PCs bring a sense of style that ends the desktop PC’s exile to the den and makes it a welcome addition to any area of the home or office. If you don’t need the mobility of a notebook then these AIO PCs can give you a large screen, solid performance, and the added security of a stationary PC – all in a sleek package.

But what if you still want the power and flexibility that comes from the traditional tower desktop PC? Are you forever relegated to the fashion-challenged corners of the PC world? I believe that there are some lessons we can learn from the PC enthusiast community that can bring modern style to the tower PC without sacrificing its core strengths.

PC Enthusiasts spend a great deal of effort designing and building their dream system, and they like to show off the end result. Unlike a poorly designed do-it-yourself PC where a tangle of wires connects the components inside, the PC Enthusiast community has become very adept at cable management. They combine groups of cables together – sometimes with an outer sheathing layer – and route them in such a way that they don’t spoil the aesthetics of the system interior. This technique is routinely used to solve cable issues inside of the case, but could easily be applied to the problem that exists outside a typical desktop PC.

To get your creative ideas flowing, here’s an example of how this could work. A basic configuration for a tower desktop PC would require a number of wires running between the tower base and the monitor. The exact number of wires depends on the connections being used. Here are two examples for consideration:

Starting with the basic principles of cable management, the first step to taming these configurations is to combine the multiple wires into a single cable – thereby eliminating the typical rat’s nest of wires. After combining the wires using commonly available wrapping materials, our examples then become:

Since the monitor I/O connections are located on the back side, this cable can be constructed so that the point where the cable divides into individual connectors is well hidden, and only a single cable appears to run to the monitor. Congratulations! You’ve just eliminated the mess of wires that we all just assumed was part of owning a desktop PC.

Ultrabook™ gets down to business

webadmin@intel.com — Wed, 24 Apr 2013 13:01:14 GMT

_Managing the Changing IT Landscape: Ultrabooks for Business

If you’ve been reading my blogs, you know that finding the right tool for the job is an ongoing theme. And it deserves the attention ... in a consumerized IT world, there are simply more choices for business computing users. And while users want to choose, they expect the business to provide and support the technology needed to get work done. It is IT’s role, in partnership with users, to find the right balance between security, form factor, and performance.

Today’s users want thinner, lighter, more responsive, touch-enabled PCs. Yet for the past year, Ultrabook™ devices—a new category of ultra-mobile PCs—have not met many of the requirements for business-class computing, leaving IT with few options.

Finally, great design that’s ready to work

The Intel® Core™ vPro™ processor-based Ultrabook device delivers on all counts. It provides embedded security that protects your data, devices, and access while keeping threats out. And it’s sleek and portable, at less than an inch thick, but with a hardened chassis and stronger hinges so it can withstand the rigors of business travel. It’s also ready when you are, with a quick tap to the touch screen to get started.

In response to the requests of our own employees, Intel IT has begun the transition from traditional notebooks to Ultrabook devices. Listen to the Intel IT Ultrabook podcast to learn more, and check out the latest options in Ultrabooks for business.

Chris
@chris_p_intel
#Consumerization #ultrabook #4biz #ultrabook4biz

intel.com/itcenter

Inside IT: Evaluating McAfee Deep Defender

webadmin@intel.com — Sat, 20 Apr 2013 04:27:10 GMT

The evolution of threats to the security of the enterprise has driven innovation in how that enterprise defends itself. New tools need to be developed to meet today’s threat landscape. McAfee has introduced such a tool, Deep Defender. It’s designed to detect kernel-based attacks that other traditional software security solutions would miss. In this podcast we talk with Intel IT Security Specialist Greg Bassett and Project Manager Stephanie Mahvi as they discuss the pilot study the company conducted to evaluate McAfee Deep Defender for the enterprise.

Intel vPro Technology: Built to fly business class

webadmin@intel.com — Wed, 17 Apr 2013 12:59:00 GMT

Managing the Changing IT Landscape: Business-Class Technology

I recently blogged about how I define business-class technology and what separates it from the pack. It’s no longer a luxury, but a necessity (unlike that upgrade from coach … definitely a “nice to have”).

IT professionals need to protect sensitive data while giving users the mobile tools they need to innovate and collaborate. Intel vPro technology has the chops as business-class technology that delivers this balance: It’s designed to strengthen security and increase productivity across your business.

An inside look: How Intel saves time, money

Intel IT has been using Intel vPro-based processors as the Intel corporate standard, and they recently revealed four specific use cases. The bottom line? With powerful remote management capabilities, they’ve cut costs and reduced downtime, resulting in greater productivity across the business—even though IT is present at only about one-third of Intel’s physical sites.

Consider this:

We’ve reduced the time to resolve password resets by 80 percent.
On average, we’re saving remote employees more than $100 (U.S. dollars) on shipping and more than 10 hours of employee downtime with Keyboard-Video-Mouse (KVM) Remote Control and ISO mounts.

Are you using Intel vPro technology in your business? If so, what benefits have you realized from this technology?

Chris
@chris_p_intel
#Consumerization #BusinessClass

Join me at the Intel IT Center Experts Tour in Folsom CA on June 13th 2013

webadmin@intel.com — Fri, 12 Apr 2013 18:40:32 GMT

Fellow security professionals, come join me at the Intel IT Center Experts tour in Folsom CA, June 13th 2013. I will be one of the many speakers discussing challenges and experiences gained by Intel's IT organization. This is an opportunity to ask questions and share insights.

Complete Tour Listing Link

Direct Registration Link for the Folsom 06/13/2013 session

https://secure1.regsvc.com/registration/index.aspx?TYPE=t&ID=4&LC=&LC=intel&PIN=&REF=&dbGUID=29D3CA22-240C-4BFF-80F3-4619CCFC83B0&

Folsom Event Details:

June 13th 2013 8:00 AM - 2:00 PM
Intel Corporation
1900 Prairie City Road Building FM-7
Folsom, CA 95630

Folsom Tour Event Topics:

The Future of Enterprise IT – Enabling New Uses, Trends and Technologies
     Presented by one of Intel IT’s Client Technology Evangelists
     IT organizations must define and drive the right balance between their
     employees’ expectations and their companies' business objectives, and then
     look for opportunities to implement solutions that address tomorrow's
     needs as well as today's challenges. What are the new disruptive
     technologies or mobility trends that IT needs to prepare for? How does
     security need to change to meet the needs of the new IT world? How are
     generational culture changes impacting the IT organization's response to
     IT consumerization? And finally what are the skill sets your IT shop
     should be focusing on moving forward? Models like BYOD and COPE are addressed
     as well as infrastructure impacts.

Intel IT Cloud Journey and Overview
     Presented by one of Intel IT’s Cloud Enterprise Architects
     Cloud technologies are moving at a rapid pace. Enterprises are wrestling
     with private vs. public vs. hybrid cloud solutions. The need for high
     levels of customizability, flexibility, and agility will drive many
     enterprises to the public cloud. The foundation for this vision will be
     defined by an open approach that delivers best of breed technologies +
     flexibility + choice from data center to client. This session will cover
     the cutting edge cloud progress that Intel has made internally within our
     own IT organization as well as what to expect in 2013.

Cybersecurity Briefing: Trends, Solutions and Opportunities
     Presented by one of Intel’s Enterprise Technologists
     Inadequate security remains the number-one concern about cloud computing.
     Find out what Intel is doing now to manage information security and risk,
     learn the rationale behind Intel’s 2011 acquisition of McAfee Inc., and
     discover the new opportunities this collaboration brings your company.

Deploying Microsoft Windows* 8 in the Enterprise
Presented by one of Intel IT’s Business Client Product Line Managers

Culture's impact on Innovation

webadmin@intel.com — Thu, 11 Apr 2013 22:32:24 GMT

In my initial overview, I stated that I felt that there were 3 items necessary for innovation. The first, the resources, I covered in my first entry. This one is geared towards the second which is the Culture to support innovation.

THE CULTURE

It is easy for many organizations to say that they support innovation. They discuss how they are going about it and how they are providing some resources towards the effort. But when you pull back the surface, you find that they are not really supporting it. Their reward systems that do not support innovation just stifle it. They have review systems designed to ensure only completed projects and programs are recognized and they only reward success. Lastly, they only look at today's results and not towards the future. The talk says "go innovate," but the walk clearly supports only taking risks that will ensure success.

By only supporting the incremental improvements within the organization, we take no risks. This will force teams to think about small next steps and will in turn hamper our organizations ability to drive innovative thinking. This keeps us away from the art of the possible. Here at Intel, we use possibility thinking in order to keep the innovation going. Possibility thinking is starting with a clear definition of where you want to be and then spending time trying to figure out what has to happen to make it true. Not focusing on the next single improvement, but rather the whole picture first. This frees us from the constraints of the current system and processes and allows for a more open field of possible routes to get to a solution. I like to think of it as the difference between a great sprint hurdler and a fair one...A great one focuses on the finish line and the hurdles are where they know them to be; a fair one only focuses on the next hurdle.

This helps set the mindset, but does not always lead to success. In order to drive towards innovative thinking, failure has to be an option. Understanding that the lessons that you learn from failure leads to success is the key to any learning organization. When you are a child, you do lots of things you should not, but through learning the hard way, you find the paths that work. Within companies, we need to do the same. If every project was exactly the same, every issue was exactly the same, all the same people were involved and no human error possible, then maybe we could follow exactly the same method to get to the same result. But in my experience, that is seldom the true. Budgets are different, new people come onto the projects, new businesses are being driven, new capabilities are desired, and these force us into coming up with new capabilities and solutions. Also, in my experience, any successful project or innovation is made up of lots of failure to achieve the results. Support of these failures is critical to their ultimate success. Innovation happens more frequently.

Support of failure does not mean that you need to build out a new reward system that provides monetary compensation for each failure Congratulations Bob that is your third failure this week, here is your bonus!" It means that you recognize it, don't spend time looking for who is at fault and penalize everyone, but focus on what was learned from the failure and how to overcome it. How can you avoid it in the future and strive for better results? This is one reason that small companies or newer companies can innovate faster in many cases. They do not have the time to search for all the guilty parties and punish them in their reviews, they have to continuously evolve and deliver quickly, which forces them to adapt and learn from these mistakes. They are also very focused on the goal and not always married to the path to deliver. This frees them from the constraints and allows for more dynamic approaches.

The third, and hardest part of innovation culture is to simply stop things. When innovations are not panning out, delivering the results expected, or driving to the capability you thought, you need to stop the work and simply move on. This is much harder for people and organizations to do as any innovation begins with a passionate individual or group that truly invests in the direction. Stopping this is a bit like stopping an aircraft carrier in that it takes time and much directed energy to stop. While very difficult, it is a critical step in managing those critical resources you have directed towards innovation.

Here in Intel IT, we build stage gates to manage our ability to stop things. We look at innovation in four steps:

1. Basic Research - Where we are scanning technologies, futurists, research companies and some universities for leading-edge thought on what we might want to work on next. (10% of our time in IT Labs, with no expectation of yield)

2. Proof of technology - Where we bring in capability and test our hypothesis on whether this will work to help us solve problems (30% of our time, with an expectation of about 50% yield)

3. Proof of concepts - This is where we know what we would like to solve based on the capabilities we discovered in the proof of technologies, and we assign goals to the business case and test in live situations (30% of our time, with an expectation of about 60-70% yield)

4. Pilot/transfer - This is where we work with our services delivery groups to do the final proof and production implementation of the capability (30% of our time, with about a 90% yield)

Our process is completely supported by our reward system and our culture to ensure that we focus on our big business problems and deliver solutions to help move us faster. We also are lucky that here at Intel, innovation is in our DNA. We keep in mind some wise words of one of our original founders, Robert Noyce.

Don't be encumbered by the past, go off and do something wonderful! - Robert Noyce

In my next entry, I will discuss the problems and how you need to think in order to guide any innovation process.

Information Security – it’s not only about the technical controls!

webadmin@intel.com — Thu, 11 Apr 2013 20:49:41 GMT

Security means many different things in different contexts. With Information Security, it should be about protection of an asset from a known threat. But many times there are biases to security solutions based on controls that are predetermined. The most important questions that should be asked before the how part is defined for a security solution are;

Why is there a need to establish security? It’s an important premise that you determine the value of information to your organization and to your adversaries.
Secondly, who are you protecting this information from? If one is to protect something, one has to identify what the threats are, so as to take appropriate steps to mitigate them.
Thirdly, protection or prevention is one aspect of security controls. Considere detective and corrective mitigating controls addition to preventative mechanisms that could fail.

Because of biases in specialty areas, there could be a tendency to emphasize specific technical controls in defining a security solution. This leaves a great deal of ambiguity and more fuel for fear, uncertainty, and doubt that plagues the field of protecting computer information systems. And as Matthew Rosenquist described in one of his blog posts last year when asked for one word to describe the biggest challenge in information security these days, he used the word ambiguity. While many security researchers are trying to find the latest security flaw, other security professionals are trying to determine how the next security tools provide better technical protection capabilities. But it’s important to realize that information security is not only about the technical solution, it should be a business decision first.

Information Security is not only about technical threats and so technical security controls should not be the first consideration for protection. Technology is often among several other countermeasures used to implement a security solution after defining what it is that needs protecting and from whom it needs protection. This is where administrative controls should be considered first so that the definition of what needs to protect can be defined through procedural controls. Some industries have policies, standards and guidelines that must be followed based on the type (classification) of information, but risk should be evaluated based on threats in context of the environment for which the information made available through processes, transferred, stored, or destroyed. A defense-in-depth strategy should be considered during the earliest stages of the development lifecycle but oftentimes there are changes to the environment that are made well after the deployment of a system or software solution that can introduce risk from new threats or greater exposure to existing ones. Before administrative controls are defined, a risk assessment should be completed to analyze the threats for which any system is vulnerable to.

The real value of a risk assessment is that some systems may process information that is not under industry regulations for protection but still have value to an organization. In many cases an organization will focus on risk from audit failures and apply most of the security dollars to mitigate risks defined by audit report because information classification levels require regulatory protection such as Sarbanes-Oxley Act (SOX), PCI Data Security Standard (DSS), or Health Insurance Portability and Accounting Act (HIPAA) just to name a few. But information of value does not only fall under classifications that have industry standards for protection levels. The risk assessment is a way to have dialog amongst the team and is helpful to communicate with management across the board for all information protection requirements becuase ultimately it is a business decision to implement security controls. Additionally, security controls can be protective but detective and corrective security controls should always be a consideration for a Defense-In-Depth security strategy. One strategy that is taking a more reasonable approach to increasing the level of information assurance is the focus on the threat rather than the vulnerability through the use of a Threat Agent Risk Assessment methodology developed by Intel. This approach places emphasis on what is reasonably possible from a threat perspective in order to address the most likely events.