Robin “Roblimo” Miller: We are here in Clearwater Beach, Florida with Jerry Irvine, who is the CIO of Prescient Solutions and a member of the National Cyber Security Task Force, and he has some things to tell us, specifically the top five reasons organizations go over their IT budgets and how to prevent those problems. So, take it away Jerry.
Jerry Irvine: Thank you, Robin. Well, we do a lot of work with small to mid-sized corporations. And the number one issue that they have is their failure to plan. The problem is, they’ll come in and their IT doesn’t get any money, right, nobody wants to give IT any money because it’s a cost basis. They’re not making any revenues off of it. So, they let their IT go to heck, everything gets old, falls apart, and then they have to come in and do a complete forklift upgrade of their system.
So, they have no way to budget what they’re going to spend on an annual basis and then when they do need it, they’re in trouble. The systems have already failed, so they end up spending a lot more than they would have if they just planned over a two- or three-year time period to do standard refresh programs, workstation refresh programs, infrastructure devices and servers. So, the number one issue is just failing to plan.
Number two. I guess you want me to go down one through five?
Robin Miller: Just go right ahead.
Jerry Irvine: Yeah. Number two is over-consulting. As a consulting company, I have to admit that not all vendors are out there for the betterment of their companies or their clients. And it’s easy to have a number of consultant companies coming and pretty much doing the exact same thing and each of them getting paid independently.
So, by not really having a strategic plan in their IT environment, knowing what the objectives of their business are, and how those business objectives should directly tie into your IT objectives, it really causes a lot of unnecessary expenditures. And even on internal employees, it’s not just on paying external consultants, but you may have three or four senior level infrastructure guys and the reality is you need one or two. So, by not having a strategic plan and knowing what you are doing, you can over pay significantly on IT resources.
Robin Miller: Let me ask this...
Jerry Irvine: Sure.
Robin Miller: A friend of mine who is also a consultant of sorts in South Florida, he says the thing to do is to hook up with somebody when you don’t need them. He says, find a consultant whether it’s through people you know or chamber of commerce or whatever it might be, find somebody and check him out when you don’t need them, and that way when you do need them, you know who to go to. Does that make sense?
Jerry Irvine: Yeah, that’s absolutely common sense and pretty much everything, right. You don’t want to be looking when you are in a dire situation. You’re going to make decisions in a haphazard way because you’re under duress and so, it’s a lot better to go out and do a study, find out the different types of resources you’re going to need, have them available, so that you can give them a call and have a contract with them beforehand, so that you can put service level agreements in there when they don’t have you hanging over a fire as it were.
Robin Miller: Oh, yes. The tow truck guy late at night... a poor bargaining situation.
Jerry Irvine: That’s right. Exactly, it’s better to have a contract beforehand. So, that’s great sense. It’s pretty much the same thing back to our budgeting, for a number one problem, right. If you budget for things when you don’t need them, now you can look at multiple different types of devices and look at the specifications of each of those individual devices, you’re going to get a better price. All right. You don’t have to go out and buy the first thing that you see because your system is down.
Robin Miller: And on the email exchange before this conversation, you’d also mentioned, I think, lack of backups and negligence, just not routine updates. Yeah.
Jerry Irvine: Yeah. Well, and those kind of all go together, right. Malicious activity happens when your systems are not up-to-date. And so keeping your systems, whether it is with service packs or system updates, critical infrastructure updates, keeping those current will keep you from falling down and keep your systems from failing. So, getting that done is very important. And no matter what you do, no matter how many updates you do, and no matter how often you look at your system logs to see if you have any errors or anything, something is always going to fail.
So, having a good solid backup, that’s the number one disaster recovery plan, right, is a good backup. After that, you can do a restore and get moving. Without that, recreating your data is going to cost a lot of money because you have to pay your employees to re-enter everything or because you have to go through and search multiple tapes and multiple systems and try to do a restore manually.
Robin Miller: Which I had to do and I think, I hate to say this, but let’s face it, Jerry, tell me if you think this is true. If those of us who do backups and updates routinely and slavishly, only do it after we had that one horrible lesson, is that so or what?
Jerry Irvine: That’s a motivating factor, right. The first time you get bit, you realize you don’t want to get bit again. So, people’s processes become more automated, development of automated reoccurring events. The really interesting thing is, people will go on and create a great backup strategy. They’ll install an application which is the number one in the industry and then they’ll set it there and they won’t touch it for a year, for two years, for three years and then when they have a failure and the system is broke, they go to try to do a restore while they haven’t looked at it in three years and they go, well, wait a minute I have a backup.
So, it’s not just a matter of implementing it, but it’s maintaining it, making sure that you are doing the updates for your backup system as well, making sure that you’re doing a selective restore minimally on a weekly basis to make sure that you can restore some files and then doing an actual full restore of certain partitions at least once a year, to make sure that you have the capability of doing it, and looking at the media as well. I mean tapes, some people are saying, tapes are obsolete, but I’ll tell you what. Having a good tape is very important. You may be able to back up everything to disk and back up everything offsite, but when everything else fails having a tape doesn’t suck, you know.
Robin Miller: That’s not a bad point. And, [inaudible 07:12] next point, which is near and dear to my heart because you said how we are relying on unknown technologies and leading-edge and untested technologies. Now I am a devotee of trailing edge technologies. I like things when they are for sale cheap on Overstock.com or TigerDirect.com is selling them for one-fifth the new price because by then we know they work, right?
Jerry Irvine: Sure, yeah, absolutely. Again, you don’t have to go out and buy the newest, fastest, most expensive piece of equipment to have a system that’s going to be stable and running. And in fact, as you mentioned, you buy the newest and the fastest, it’s probably going to break. There’s a lot of people that are really, as you mentioned, interested in having the newest technology, we call it the bleeding edge, right. I much prefer it like you. Let’s find something that works, maybe a little bit older, but it’s stable and it’s going to do it.
So tape backups, being able to fall back on those. Disk drive backups, absolutely. The thing when you’re doing backups or when you’re doing standard builds and ghost images and things, is to have multiple copies. You don’t just have one tape backup. If that media fails, you are in trouble. You don’t just have one set of disk drives that you are backing up, so you have multiples. You have something onsite, so you can do it quickly, you have your tape backup as your final medium, and you have offsite storage that you do periodic across your multiple locations. So that everything is there for you and you always have backups to your backups and do it on equipment that you know is going to work.
I have a very smart client who went out and bought everybody these 8 gig thumb drives. He said, you know what, it’s new technology, just back up all your PCs to this. Nobody has more than 8 gig worth of important data, backing up all this to this. So now he had 150 people in his company with their data and flash drives that they’re losing, that get corrupted, they take home and use it as well and it gets a virus on it and they bring it back and it infects the entire company.
Let’s go back to a standard reliable system, centralized backup, store everything at a server level, do a backup from there and then decentralize your data in a disaster recovery type of manner, business continuity planning.
Robin Miller: Well, I speak with people all the time who are in the backup business and not necessarily guys who are talking about small businesses, like the people who do it for like the credit reporting, credit bureaus and others who have billions of fields in their databases.
Jerry Irvine: Yeah, the most difficult to back up because it’s always changing, right.
Robin Miller: Yeah. [inaudible 10:07] but that’s what they’re doing. They’re just saving disks all the time, pretty much. Like you say, every year or so they take a new image, that’s yeah, you got to do it, I mean, the stock exchange can’t play.
Jerry Irvine: That’s right.
Robin Miller: And you mentioned over engineering, tell us about that because I think I see a lot of it.
Jerry Irvine: Yeah, over engineering can be both from an infrastructure side and an application side, right? We have a lot of clients will go out and get a new ERP solution. They will go out and get some type of new financial application. And, when they get it, first off, the companies they are buying from generally are selling them hardware as well. So they’ll try to tell them that they need a new server. Well, probably don’t. Today in an era of virtualization, you can spin up another virtual image and you can have the system up and running on your existing virtual farm for next to nothing.
So, clients will listen to their vendors, their application vendors and go out and purchase new hardware, purchase new infrastructure devices. We’ve got clients who are going into VoIP solutions now and they’re saying, well, we have to have all new switches for our VoIP solution. If their switches are less than a year old or less than two years old, they support POS. There’s no reason to go out and buy new stuff.
Heck, they’re doing VoIP solutions, VoIP solutions now out to homes. So, the technology is there in the devices you already have. You don’t have to go out and spend money on new devices just because you’re getting a new system. Look and do a study to see if your existing one will do it, same thing as software.
We get a lot of clients who are saying, well, we’ve got this old system and we want to go to a new environment. Well, that’s a great idea, but why, why are you going? Is there new features and functions that you require based on your business objectives? I don’t know, we’re just kind of tired of this one. Really? And you have a lot of extra money to throw out the window. Let’s see if there’s some way that we can update the existing system that you have, add the new features and functions that come with it. See if that provides you what you need for your business objectives.
If you’re doing it just to install the latest and greatest, again, you’re going to spend a lot of money. Now you do have to make sure that you are adhering to regulatory and compliance issues and that the security is there, especially in a publicly facing environment. We’ve got clients who as well have old Linux systems or old DB systems, old Glass systems that they were running on their PLC controllers and their SCADA devices.
And that was fine as long as they were a totally segmented network, right, but as soon as you plug those things into your local area network and they are accessible to the outside world, they are accessible to your internal devices that may have some viruses or some types of malicious applications on them, now you are in trouble. And so your ability to secure your supply chain and your production of your product is at risk, so it’s real important that you keep things updated, and make sure that you’re always running a secure environment, but don’t just update them for the sake of updating them.