InfraGard: Protected Voices Videos…

The FBI’s volunteer organization InfraGard is a wonderful resource for cyber security.  Its connections are not just federal; it is a community of people who contribute to the group.  Highly recommended.

The FBI released videos on YouTube covering the gamut of security topics.  Although targeted specifically at organizations running political campaigns, much of the content is applicable to any organization.

Protected Voices Video Links

  • Social Engineering
  • Patching, Firewalls, and Anti-Virus Software
  • Information Security (InfoSec)
  • Browser and App Safety
  • Safer Campaign Communications
  • Router Hardening
  • Cloud-Based Services
  • Virtual Private Networks
  • Have You Been Hacked?
  • Incident Response

Does Network Cabling Matter?

Cabling is important. It needs to be good enough. The problem I have with cabling is that people spend way too much time fussing, fretting and fooling themselves that having nice cabling actually has value.

You should be spending time in meetings, writing scripts or buffing up your Excel skills to work out the software subscription licensing costs.

Q. Want your advice on a cabling colour scheme for our new data centre?

From Blog Ethermind, June 2018

I read Greg Ferro. I have read his blog for many years. I feel his pain and acknowledge it.  And, although this argument is well written, it is worthy of comment for those who choose to think different.

You see, I do fall in the camp that cabling is important. It’s representative of many things that exist in Information Technology that are under the covers.  Cabling determines how serious you are, how disciplined your IT show is, and the attention to detail your team has.  Yes, cabling says all that.  And when you invite me over to see your data center, it’s what I am thinking when you show off your hard work.

“Network cabling usually only represents 10% of the total technology spend.” – Bill Atkins, during his time at Panduit

Yet, we run the production IT show on that cabling.

“Sometimes you have to do IT two or three times to get it right.” – Former CTO (Name Withheld)

Ouch.  Doing the same things two or three times is not cost efficient and often indicative of culture.  Did you hire the right people and put them in the right seats?  Did we listen to our wiring experts or follow the misguided advice of “this is how we’ve done it for 20 years”?  Two or three times in the wire business is great for the manufacturer and installer, bad for the organization writing the check.

Why Cabling Should Be Important To IT People

I didn’t say critical.  But there should be a standard to hit, as IT craftsmen.  A guide to follow.  Here are the top 5 things I recommend peers consider when cabling.

#1.  Wiring should be easy to understand.  Color codes and design.  BICSI.  ANSI/TIA/EIA-606-A, Administration Standard for the Telecommunications Infrastructure of Commercial Buildings, or the updated ANSI/TIA/EIA-606-B documents these standards.

#2.  Wiring should be easy to troubleshoot.  As-Builts in all data centers and cable plants.  Consistent labeling throughout the facility.  Velcro over zip-ties.  Basket tray versus cable tray.  Combined wire with slack vs. just letting it hang.

#3.  Quality versus Crap.  Mid-grade wire versus minimally compliant.  Wire for the 20 year plan vs. no plan.  1GB is often plenty.  10GB is overkill if your back end can’t support it.  Think hard about plenum vs. non-plenum.

#4.  Manufacturer and installer proud.  When the manufacturer wants to show your work to their prospects, that’s a good sign they’ve done it right.  Choose certified installers.  Ask the question.  Then choose quality products that align with your team’s standards.

#5.  Wire once.  Your ROI is far better achieved when the installer comes out to do the big job versus coming out multiple times over 2-3 years.  Multiple times often equates to two times the labor cost.  You’re not saving money and the chances of mistakes are actually higher.  Wire once, if at all possible.  And then ask the manufacturer to QA your job during your walk through.

\\ JMM

Why You Are Being Asked To Be in CAB

Today’s blog is from the mailbag of notables.  The context of this email is when I was “leading by walking around” and overheard a few employees not wanting to go to CAB.  Not wanting is putting it nicely.  CAB is “Change Approval Board”, which is mostly a call to talk about the changes happening to the production environment.

From: Jonathan Merrill
Sent: From My Desk
Subject: Why You Are Being Asked To Be in CAB
Importance: High

Just overheard “Why do I need to be at CAB. I don’t have changes”. Not the first time this has been said. And it’s not unnoticed those team members who don’t show up. Before you say, “busy”, I know everyone is busy. We are all busy. Nevertheless, here is why I encourage you to be at CAB every time:

1. If you do have a change, you need to explain to CAB what the change is, what it will impact, and allow architects and SMEs to chime in. We’ve had one over-ride since we started CAB, which saved us from an embarrassing situation.

2. You listen in on what’s changing in our environment. Operations teams must have the pulse on what’s going on. If you don’t know, how can you react? Putting things together is a skill, just like listening and comprehending. All three should be applied in CAB.

3. Opportunities to sharpen your saw putting in changes. Once we get some consistent muscle memory on non-standard changes, let’s talk about standard changes. Until then, let’s learn from each other and ensure we understand the why about change management. I’ll need your help to train other teams once they get incorporated into our change system.

If you’re working on a critical ticket, production outage in flight, or anything affecting a client’s ability to process, then you’re at least armed with what changed.

If you’re actively engaged in a production issue, clear it with your manager and let him or another team member represent your change in CAB.

Any other reason… eh, no. Knowledge culture, folks. Root word is “Know”. We need you to know. I need you to know. This is the culture we are building. Please participate. Everyone…

\\ JMM

Constraints, Asking for Money, and Kristin Cox…

“Everyone runs to technology for the answer” – Kristin Cox, Executive Director of the Governor’s Office of Management and Budget

I don’t think she meant that in a good way… Maybe if we used our brain versus technology to solve our problems.  Wow!  That’s crazy talk!

Nevertheless, I stumbled across her articles and posts in my LinkedIn thread.  An “Expert at Constraints”, here are the highlights of her video, which I would recommend you go watch:  Kristin Cox’s “How to Ask for Money”.

Four questions:

1. What do you do? What services do I produce?
2. How well do you do that? (Quality – Couple of things: Faster, Outcomes better, etc.)
3. What is your operating expense? (What does it cost to make it)
4. What is my ambitious target? (What % quality do I want? Better Outcomes)
– Get clear on what we are really focused on.

Government is lucky to have her.

\\ JMM

Spinning plates as hard as I can…

Routinely, it’s easy to get into deep water with tickets and projects.  Here is an email exchange between one of my team members, JC Foster, and me.

Jon Foster

Where does this fall on my priority list?

  • Tickets
  • AD Project
  • PBX Project
  • Office 365 Project
  • Visual Studio Project
  • Teams rollout

I am spinning plates as hard as I can here.

Jonathan Merrill

Thank you for asking.  My own list is overwhelming.  The organization is hustling.  Projects are piling up and plates are falling as only so much can be done to keep those spun.  Let me turn you onto a recent EntreLeadership podcast, #263 – Thriving in the Age of Overload.  Skip to Daniel Tardy’s talk about “The Tyranny of the Urgent”.

Questions Needing Answered When Looking At Your Workload

  1. Does it have to be done?  Can we eliminate it?
  2. If I can’t eliminate, can I automate it?  ← This is where I feel the most work needs to be done.
  3. If I can’t automate it, can I delegate it?  Let someone else do it.
  4. If I can’t delegate it, is it urgent?  Is it a fire?
  5. If it is urgent, how do we approach, getting the right people in the room?   Most often, someone’s fire is not a fire to the organization.

Our temptation is that everything on the list is a fire.  We need to prioritize on impact and urgency based on the most impact to the most people.

If you’ve listened to the podcast, tasks (or WIP) should be limited to 3.  So, looking at this list, here is my recommendation where your head should be at:

  1. Tickets – I agree.  Although take care against this taking up 100% of your day.  Handle Critical and Highs only.  Sometimes, that means contacting customers, negotiating and adjusting the criticality.
  2. Visual Studio Project – Most impact.  Most urgent.  Key to our business.
  3. Office 365 Project  – Most impact.  Most urgent.

This is an exercise everyone can do.  And should be aligned to what is on our team Kanban.

\\ JMM

137 Security Questions …

“As Albert Einstein is often quoted as saying, ‘If I had 20 days to solve a problem, I would spend 19 days to define it.’  So the first question you need to be asking is, ‘are you asking the right questions’?” – 137 Security Questions Every Leader Should Ask. (2013, September 9). In SecurityIntelligence

As we finish up our SOC2 audit, these security questions run concurrent with everything we do as a security practice and a security leader.  This is one of those articles I refresh upon every now and again because it’s exactly on message.

Check the link:

\\ JMM

Using Social Security Number as a Bank ID…

There are no laws preventing a bank or credit union from using the SS# as a bank ID. (The government removed the verbiage indicating that the SS# cannot be used as identification sometime in the 70’s.) It is just a bad idea… for a few reasons, based on a conversation I was in with legal experts.  Here are those notes:

1) It is considered personally identifiable information (PII).  PII could include:

  • Name: full name, maiden name, mother’s maiden name or alias
  • Personal identification numbers: social security number (SSN), passport number, driver’s license number, taxpayer identification number, patient identification number, financial account number or credit card number
  • Personal address information: street address or email address
  • Personal telephone numbers
  • Personal characteristics: photographic images (particularly of face or other identifying characteristics), fingerprints, or handwriting
  • Biometric data: retina scans, voice signatures, or facial geometry
  • Information identifying personally owned property: VIN number or title number
  • Asset information: Internet Protocol (IP) or Media Access Control (MAC) addresses that consistently link to a particular person

Using the SS# as the customer identifier makes this information more accessible to contractors, vendors, and others that require access to the account but not the PII. (Think about how you are accessing your bill payment vendor. You will be passing the customer identification number. Hence you are now providing a SS# to a third party vendor.)

2) Speaking of third party vendors…you must consider how they use the customer identification number. Fiserv sometimes embeds the ID in the transaction number. Now the SS# is exposed elsewhere. I have seen other payments transfer vendors do similar things. Customers get a little sensitive about this sort of thing.

3) You now have the SS# in two places on your system. While you may contain your PII differently, the customer number is generally not considered PII. You will be forced to consider this with every interaction – printed reports, statements, etc.

4) It’s not unique, and it’s not even a very good identifier. The most infamous case of that was 078-05-1120, which was used on a sample Social Security card by a wallet manufacturer. At one point, more than 5,700 people were using that number as their SSN.
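
An added example (not part of the original notes): a Python audit of a vendor-bound record for the exposures in points 1 and 2, an SSN-shaped customer ID and the same number embedded in a transaction number. The field names and both sample records are constructed; the sample SSN is the 078-05-1120 number from point 4.

```python
import re

# AAA-GG-SSSS with optional dashes. SSA never issues area 000, 666 or 900-999,
# group 00, or serial 0000, so those shapes are rejected.
SSN_SHAPE = re.compile(r"^(\d{3})-?(\d{2})-?(\d{4})$")

def looks_like_ssn(value):
    m = SSN_SHAPE.match(value.strip())
    if not m:
        return False
    area, group, serial = m.groups()
    if area in ("000", "666") or area >= "900":
        return False
    return group != "00" and serial != "0000"

def digits(value):
    # Strip separators so "078-05-1120" and "078051120" compare equal.
    return re.sub(r"\D", "", str(value))

def audit_outbound(record, ssn_on_file, id_field="customer_id"):
    """Return {field: reason} for every field that would hand the SSN to a vendor."""
    needle = digits(ssn_on_file)
    findings = {}
    # Point 1: the customer identifier itself is an SSN.
    if looks_like_ssn(str(record.get(id_field, ""))):
        findings[id_field] = "identifier is SSN-shaped"
    # Point 2: the SSN rides along inside another field, e.g. a transaction number.
    for field, value in record.items():
        if len(needle) == 9 and needle in digits(value):
            findings.setdefault(field, "contains the SSN on file")
    return findings

# Constructed sample records (hypothetical field names and formats).
SSN_ON_FILE = "078-05-1120"
ssn_keyed = {"customer_id": "078051120",
             "txn_no": "BP-20180601-078051120-0007", "amount": "125.00"}
surrogate_keyed = {"customer_id": "C-00481516",
                   "txn_no": "BP-20180601-00481516-0007", "amount": "125.00"}

if __name__ == "__main__":
    print(audit_outbound(ssn_keyed, SSN_ON_FILE))
    print(audit_outbound(surrogate_keyed, SSN_ON_FILE))
```

The substring check works on digits only, so a date or sequence number that happens to abut the same nine digits will also be flagged; treat findings as items to review.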


\\ JMM

Bringing Us Together…

This is an excerpt of an email I sent to our employees.  I am proud to be a part of this organizational change and milestone with Lanvera’s IT department.

We Are All ITO

Historically, “IT Operations” was one department, one team, all functions.  This model hasn’t made sense and wasn’t positioning this department to scale to the next level.  Since May 2017, we’ve seen more than a few organizational changes, restructuring functions, and changing of personnel roles.  Now the dust has settled, it’s a good time to mention our brand and mission for this year.

My team’s theme for 2018 is NIHIL SINE MAGNO LABORE.  Latin translation is “Nothing Without Great Effort”.  Steve talks a lot about our IT transformation, having achieved much, but have more ground to go.  The phoenix seen here is representative of our transformational journey.  I would like to extend this theme to all IT teams as we pull together.

To this aim, all teams fall under the department “ITO” and break out into three separate teams:  Infrastructure, DevOps, and QA.  Moving forward, teams will be identified as “ITO – Infrastructure”, “ITO – DevOps”, and “ITO – Quality Assurance”, respectively.  The goal is unification of technology services and support.

Bringing us together.

\\ JMM

Cross Training Teams in a Knowledge Culture

“Learning is a treasure that will follow its owner everywhere.”
— Chinese Proverb

There are so many things IT people need to know these days.  Gone are specializations in many organizations.  Yep, IT pros must know 20 to 30 different types of technologies to remain relevant and competitive.  In fact, as I interview younger candidates, there is evidence the new generation of IT people already have these skills and more.

And that’s just infrastructure.  All organizations expect IT people to know core business applications.  Specifically, how they relate to the organization and customer, technical work flows, monitoring, and on and on.  How does an organization tackle it all while keeping IT pros at least tuned into the periphery?

How I’ve done this historically is this idea of knowledge culture and DevOps’ “Sharing” idea, where team members present material via a TED talk.  Below is my deck on peer learning.  I hope you find it applicable.

\\ JMM

Lanvera Update: January 2018

“If you fail to plan, you are planning to fail!” – Benjamin Franklin

January marks six months, and our progress is moving rapidly on multiple fronts.

1. Developed and publicized IT’s strategic plan for 2018. This is our road map for the year, developed in December and approved by senior leadership.

2. Workstation Technology Refresh is in full swing. Moving to Windows 10 has been fairly uneventful and user satisfaction is high with the hardware decision. We’ve made a conscious decision, though, to stay with legacy software productivity platforms so we can have more time considering Office 365.

3. VMware NSX progressing slowly, primarily due to difficulties with our network provider, a subject for a future blog. Mobius has been fantastic and working with my local team. Concurrently, team members are spinning up on NSX via VMware’s training classes.

4. SOC2: AICPA’s Service Organization Control 2. SOC 2 is considered a technical audit, but goes beyond that. SOC 2 requires companies to establish and follow strict information security policies and procedures, encompassing the security, availability, processing, integrity, and confidentiality of customer data.

5. Knowledge Management and ORC. Hard push getting Operations Readiness Checklists for all production systems to serve as the foundation of our KM system.

\\ JMM

+++ If you read this far, you may be wondering if this is an old post. Yes. It was never published, along with the other 30+ posts in various stages.