Last week I had the opportunity to attend the CIO Forum held in conjunction with the Insight 2009 Annual Conference in Orlando, FL.  While being held adjacent to Disney’s theme park, the theme of this event was appropriately titled “Vision Voice Value”.




I spent two days discussing best practices, sharing lessons learned from Intel IT and comparing notes and strategies with leading CIOs, IT Directors, Managers and Administrators in the Health Care profession.  Our focus? ways to deliver and articulate the business value of IT. I had the opportunity to:



• participate in a roundtable discussion of ~15 Health Care CIOs titled “The value of IT in improving financial performance”
  
• present to 50-60 CIOs on the business value of server refresh
  
• present to 20-30 IT Directors and Administrators on using the Xeon ROI tool as a way to justify server investment




One of the most thought provoking questions at the CIO roundtable that has stuck with me is … “How does your CEO (or your business customers) view IT?”  … as a cost center (necessary evil) or as a value center (strategic enabler).  While no one directly answered this rhetorical question, it was clear that our collective mission is to migrate IT from cost center to value center.  This migration will not be immediate.  It happens over time.




To enable this transformation from cost center to value center, we concluded that the accountability remains with IT, as IT professionals and CIOs must individually and collectively demonstrate business value through our investments and establish are relationship of IT predictability, trust and credibility with our business partners.   These are core themes I have seen very visibly inside Intel IT as I began my journey to the center of IT a few short months ago.




My second observation from this event reinforces some personal experiences I have had working with many other IT professionals in the past several months.  With the global recession and it’s impacts to capital funding, the need to justify IT investment is greater than ever – and the competition internally for capital $ is very high.  We may never go back to the way it was.  We have seen this inside Intel IT’ organization as well and as a result, created at server refresh savings estimator tool to share what we learned in justifying our investment a proactive server refresh strategy in 2007 and staying committed to that investment in 2009.




I demonstrated the server refresh savings estimator tool at the event to both the CIOs and IT Directors / Administrators and the feedback was very positive (“session was well worth my time”).   Prior to the event, I also had the opportunity to work with Deborah Gash (CIO for Saint Luke’s Health Services) and her staff.  Debe provided a glowing endorsement of the tool (Thanks Debe !!) after demonstrating the business value from a project already completed and the in intent to use it for several future projects. I invite you to learn more about why we created this tool and how to use it.  If you have a question or want to give us feedback on how to enhance it – just let me know with a comment on this blog.




My final thought comes from a blog written by Don Sears at eweek.  Don discusses about the need for IT to be right, accurate, credible and trustworthy is so important whether you are working inside IT or with IT.  Credibility and Trust is something that is hard to gain and easy to lose … so it is easy to understand why being right is key to working with IT.  Getting it wrong can have huge consequences.




Join us at IT@Intel and share your insights on our shared journey to transform IT from a cost center to a value center for business.  I look forward to hearing from you.





Thanks, Chris

If you like this, follow me on twitter

I hate fixing the roof.  In fact, I have been postponing a roof repair over my garage for about 2 years now.  I recently read an article by Peter Kretzmen titled “IT, The CIO, and the Business Need for Roof Projects” and realized that while I can put off my roof repair, IT may not be able to postpone routine upgrades. 

For businesses, technology refresh is a standard business process (ie a roof fix).  The question for IT often boils down to WHEN I should upgrade, not IF. Why? … because hardware technology ages, maintenance costs rise, and software solutions can become unresponsive or obsolete as business needs change, user needs evolve and new technology and software become available. In this economy, cost is king and reducing IT costs has clearly become a critical imperative.

My colleagues in Intel IT recently conducted two separate and independent studies on how frequent we should refresh our PC fleet and data center servers.

PC Fleet Management:  John Mahvi and Avi Zarfaty from Intel IT recently wrote a paper titled “Using TCO to Determine PC Upgrade Cycles”.  The conclusion of this analysis showed that a 3.5 year refresh rate was optimal for total cost management in our IT environment.  Despite the fact that delaying PC refresh this year was initially seen as a cash conservation approach, the analysis showed that not refreshing older PCs increased the business’s overall costs.  As a beneficiary of PC refresh (I got a new laptop a month ago ), I can also personally attest that my productivity has gone up.

Data Center Efficiency:  Matt Beckert and Diane Boyington of Intel IT recently published a paper titled “Realizing Data Center Savings with an Accelerated Server Refresh Strategy”.  This paper discusses Intel IT’s movement to a proactive 4-year server refresh cadence in 2007 and illustrates both the long term savings (up to $250M over eight years) and immediate benefit to the corporate bottom line ($45M saved in 2008). After plans to refresh our servers was slowed earlier this year to preserve capital funds, a re-assessment was done that showed that Intel IT could save $19M by refreshing now vrs waiting until 2010.

Just like you shouldn’t sleep in a house with a leaking roof … it is prudent to not let old hardware create a hole in your IT budget. In today’s economic environment, Intel IT can’t afford a leaky roof and so we are moving forward with proactive business client PC and Server refresh, proven approaches to reduce TCO and boost business value.

Chris Peters, Intel IT

twitter @chris_p_intel

Optimal security must not only be attained, but also sustained over time.  A good security strategy must be forward thinking to understand how intervention and continual maintenance will be needed, then implement those capabilities as part of a complete service deployment.

'Optimal Security' is the right balance of security spending and losses prevented where business acceptable losses are achieved.  It changes often and likely maintains different targets for the dissimilar parts of the entity.

Organizations are likely to mandate security expectations which typically manifests in a set of configurations, specifications, and operating standards.  The risk is these security controls may be relatively static and entrenched.

Establishing a baseline security is a good practice, but in order to remain effective it must adapt to changes in the environment by remaining dynamic to keep in lock-step with rapidly changing threats, vulnerabilities, and resulting exposures.  It must be a fluid posture, able to rapidly change based upon different internal priorities and external changes.  Sustaining business structure must be designed to continually predict areas needing modification and support design and deployment of those changes.  Rigid security postures lack the ability to remain effective over time and are likely derived by an equally rigid infrastructure which will struggle to adapt to new threats and changes within the organization.  Design security to be flexible and you enable the service to keep up with the continual changes in the information branch of security.

I recently spoke with an organization who had established a security posture which relied heavily on a hardened OS and application build for their systems.  At the time, they deployed a platform which took into consideration all the best configurations for hardening.  They were so confident they had satisfied security requirements they considered the problem solved.  They integrated the security design into their normal platform refresh cycle of system replacement every few years.  They never comprehended the fact they would need to continually update the build to compensate for changes in threats, new vulnerabilities and malware, and evolving business usage models.

The platform’s security, which initially was strong, began to quickly erode.  With no internal mechanism to identify when changes needed to be made, nor the testing and distribution capability, they soon found themselves in a situation where they were responding to individual incidents and changing systems one at a time based upon particular end-user needs.  This created inconsistencies in the builds which was more difficult to support.  Without proper forethought, the security team turned themselves into a firefighting organization, losing the initiative in the war of security.

This is one simple technical example.  The same holds true for the expanse of automated solutions and behavioral security controls as well.  Highly effective and efficient security strategies are forward thinking and understand how intervention and continual maintenance will be needed, then implement those capabilities as part of a complete service deployment.  Overall, the concept of ‘optimal security’ is one of fluid adaptations of controls to meet an ever changing target for risk acceptance.

As a major global manufacturer Intel works constantly to improve its Supply Chain. Our ERP implementation and key projects are integral ingredients in the process of driving Supply Chain improvements. It was exciting that recently we saw Intel recognized as one of the top leading companies from a Supply Chain perspective. AMR Research published The AMR Research Supply Chain Top 25 for 2009.

Check out AMR’s Press release:

http://www.amrresearch.com/Content/View.aspx?compURI=tcm%3a7-43474&title=AMR+Research+Releases+Its+2009+Supply+Chain+Top+25

Everyone wants information security to be easy.  Wouldn’t it be nice if it were simple enough to fit snugly inside a fortune cookie?  Well, although I don’t try to promote such foolish nonsense, I do on occasion pass on readily digestible nuggets to reinforce security principles and get people thinking how security applies to their environment.

Common Sense
I think the key to fortune cookie advice is ‘common sense’ in the context of security.  It must be simple, succinct, and make sense to everyone, while conveying important security aspects.

Fortune Cookie advice for May:

Fear and anxiety will lead to poor risk analysis conclusions

Stay focused on the available facts, use a dose of reality to fill in the gaps, and trust reliable risk models to generate analytical conclusions.

Excerpt from the Traps of Measuring Security Blog: In our world of information security, we must take a step back from the limitations and biases we possess and stay true to proper forms of analysis in order to see the truth.  It is far too easy for us to slip backwards and inaccurately measure risk of situations we don’t understand.  Let’s continue to remind each other of this fact and challenge risk assessments, especially in situations where concern is more prevalent than fact.

So am I contributing to the problem of over simplifying security? Or am I reaching out to those who might not take an inordinate amount of time necessary to understand the complexities and nuances of our industry? You decide and feel free to share your knowledge-nuggets.

Fortune Cookie Security Advice - April 2009

Fortune Cookie Security Advice - May 2008

Fortune Cookie Security Advice - June 2008

Fortune Cookie Security Advice - September 2008

Fortune Cookie Security Advice - November 2008

Fortune Cookie Security Advice - August 2008

We naturally take comfort in being able to quantify the vagueness of challenges in our existence.  This past week, I was again reminded the cup of information security is filled partially with the complexities of human perception and ambiguity of emotions weighing our mental models of judgment.  These can be misleading.

This is not a revelation.  I thrive in the trenches of security measures and metrics, and learned this lesson many seasons past.  But it is so easy to fall back into the comfort of measuring, calculating, estimating, and even predicting risks with first impressions, and foregoing proper data collection and dispassionate analysis.

It is in our very nature to apply our big cognitive brains in an attempt to make sense of something which causes concern for our minds when we encounter situations we fail to grapple.  We default to familiar structures of logic and experience to give some insight, even if it is invalid.  If we cannot grasp a cloud, it makes us feel better to at least measure it.

I recently travelled to the beautiful city of Shanghai.  In the sprawling city of 19 million, getting about requires the use of a local taxi.  Drivers are aggressive by American standards.  They creatively use all lanes, including those of oncoming traffic, to weave in and out between pedestrians, other vehicles, and bicycles, all at high speed.  Roadway guides such as speed signs, stoplights, and lane markers are just cosmetic.  The concept of ‘right of way’ is defined by the vehicle which gets there first.  Tens of thousands of taxi drivers vie for pole positions at every light and traffic snarl.  I counted no less than half a dozen head-on near misses the first day.

Not surprisingly I was a bit concerned for my safety.  But what was the actual risk?  It seemed high, with all the jockeying, speed challenges, and lurching in front of other cars at a moment’s notice.  In formal terms, the security risk calculation was off the map.  Keeping it simple, risk can be defined as equaling the (threat) x (consequence) x (vulnerability).  Threats were abundant and vectoring from every angle.  Vulnerabilities were painfully obvious as the situation was an example of near uncontrolled chaos heavily dependent upon human judgment and intervention.  Lastly, the consequences registered as likely life threatening.  Vehicle safety measures are not equal to US standards, with no airbags and rarely a functioning seatbelt.  My brain began to do the rough math and formed a mental model where the conclusion was somewhere near the “I’m screwed” end of the spectrum.

Over time, I started to take a different perspective.  By the end of the week, and too many close calls to count, I observed the city’s taxi’s did not show damage which would be consistent with rampant numbers of collisions.  Although chaotic and unpredictable, they found a balance in avoiding impacts.  My drivers’ never appeared nervous.  Many were happy to take calls on their cell phones while racing into oncoming traffic and weaving back into our directional flow at the last second.  Yet, they were not worried.  The pedestrians who seemed intent on walking into direct paths of vehicles always looked up at the last possible moment and jumped out of the way of an untimely demise.

The dangers were still there.  Nothing changed but my perception.  The risks were high, controls were low, but it was the incident rate that was the telling measure.  Lack of vehicle accidents in such a tremendous population meant they operated in an efficient manner which my brain could not comprehend as safe.  But it was.  My initial evaluation misled me to a wrong conclusion: an inaccurate determination of risk.  I felt safer than before.  To this day, I cannot comprehend how they do it.

In our world of information security, we must take a step back from the limitations and biases we possess and stay true to proper forms of analysis in order to see the truth.  It is far too easy for us to slip backwards and inaccurately measure risk of situations we don’t understand.  Let’s continue to remind each other of this fact and challenge risk assessments, especially in situations where concern is more prevalent than fact.

ERP stands for Enterprise Resource Planning.  The term evolved from earlier terms such as Material Requirements Planning (MRP, sometimes referred to as little MRP to distinguish it from Manufacturing Resource Planning) and Manufacturing Resource Planning (sometimes referred to as big MRP or more generally MRPII).  Material Requirements Planning focused on time phased planning of materials required in support of manufactured items (based on a Bill of Material).  These could be finished products or components.  It ensures the right materials are at the right place at the right time in the appropriate quantity.  The techniques associated with MRP became feasible during the 1960's as computers became more available to businesses.  This approach enabled reductions in inventory while at the same time improving customer service, which had been thought unlikely with older inventory control theories.  Manufacturing Resource Planning, the next evoloution of MRP, kept Materials Requirements Planning and added to it, by including financials and marketing.  MRPII provided the coordination between production, finance, and marketing.  The idea was to create a closed loop system between these three key areas of a manufacturing enterprise.  With ERP the definition was further expanded to include additional business domains and also to support businesses/enterprises beyond just manufacturing companies.  MRP, MRPII, and ERP are a combination of both business process theory and the software application suites that enable these processes.  Today’s major ERP packages generally support finance, human resources, procurement, product development, sales and marketing, manufacturing and supply chain management.  This is not all inclusive as vendors have tended to extend their footprint to all areas of the enterprise.  Generally, application vendors aim to create integrated applications across these domains and provide a single database for one version of the truth, so to speak.  The other thing that is generally claimed is that the applications contain best practices which will help drive operational improvements as a result of implementing.

Intel started its ERP implementation effort over a decade ago.  As most large corporations, Intel has implemented elements of ERP throughout the company across this timeframe.  We did not implement all elements at once or at all our business groups.  Programs/projects were planned and launched based on business need, ROI, and business readiness.  Being an engineering and manufacturing company Intel has been able to leverage the original concepts of MRP/MRPII and the newer elements of ERP.  Moving forward I plan to relate some of my experiences and general thoughts on the ERP efforts I have been involved with here at Intel.

First, Happy Earth Day Everyone!

A couple of weeks ago, I told you about a small proof of concept we conducting to measure energy use in the office environment and to then use that established baseline to test different energy saving methods. This PoC is currently in a planning stage, but we hope to start physical metering within the next few weeks. Stay turned for more info.

Today, I’d like to quickly tell you about a little effort to increase awareness of energy use in the office. Often, we have little to no understanding of how much energy we are using, nor how much it is costing us. Awareness can positively influence behavior and reduce energy use. Several studies of energy use in the home have show awareness of real time whole house energy use resulted in the voluntary reduction of use by 10%-15%. To help increase awareness internally, IT measured the energy use of several items found in a typical office such as, desktops, laptops, LCD displays, and phone and headset chargers. This information will soon be published internally via a simple web page showing a photo of a typical office space. As the viewer moves their mouse over each device in the office, a pop-up will show how much energy that device uses in various states. Below the photo is a general summary of how much energy and money could be saved if various generalized behaviors were changed. Lastly, there is a link to more details. It’s very simple, but should greatly help increase awareness of energy use in the office.

How about you? Are you doing anything to help increase awareness of energy use in your office spaces? Would something like this work for you?

-Mike