Understanding Which Software Updates Could Ruin The Day
Recent headlines have highlighted numerous data breaches and shown that software updates which can severely impact IT systems need to be controlled.
The Meeting With The CEO
CEO to CIO: Following on from the latest news about supply chain security, I have two queries:
1) The executives would like you to assure them that we won't be affected by a lack of update controls at our software suppliers.
2) If one of their updates introduced malware and disruption could we recover our key systems by the next working day? A simple yes to both questions is all we want...
CIO: I'm not sure I can give the simple answers you want.
CEO: Why?
CIO: Well, it's quite complex. It's not easy to know what we have, how it is used and the dependencies between systems. It would be a big job and we don't have the spare resources with all the projects the business wants delivered. If we did such a discovery project, who would keep it up to date? Many of our suppliers provide contracted services, but they won't let us see the detail on things like updates, as it's confidential and sensitive. It's a complex ecosystem.
CEO: Well it sounds like we have to cross fingers and hope they are as good as you think. Can you show the board where you think our biggest IT risks are then if an update did go wrong - internal and external?
CIO: That's a big job and will take up a lot of time.
CEO: Well, you had better get started, as we now have to report in our annual company statement about IT risk awareness. There are new regulations across the USA and EU about the need to protect critical infrastructure and consumers from IT incidents. We have allotted time for you to present a progress report next month to us all. Keep it simple please.
The Next Day
The CIO meets with his senior managers to explain that the board needs reassurance that IT is in control, and everyone focuses on how to do it. The conclusion is that all risk initiatives must integrate focus, understanding and presentation, covering technical, business, people, hardware, software, supplier and cyber risks (both internal and external). To break it down and make it easier, the decision is made to concentrate on software updates and recovery capabilities in the event of an update failure or hack, aligning with the CEO's key concerns. A project board is created and an experienced independent project manager is hired in, who is potentially the fall guy if the project fails to deliver. It is expected that gaps in data, information, processes, methods and communication will be discovered as the risks become clearer. The journey has started, and the CEO has been quite clear that it will never finish: the intention is that the project delivers an operational risk system that is refreshed as things change.
Is it really that difficult to answer the 2 questions?
The Project Manager briefs everyone that he'll draw on the good points in existing industry standards and tailor them to the brief. The focus on software updates results in the recovery capability of applications, data, systems and services being included in the initial scope. It further expands into firmware, OS updates, hosted and cloud applications as well as 3rd party SaaS services. The Excel spreadsheets get bigger and bigger just trying to list what people think should count as an application or sub-application. The data recorded for each piece of software grows and is then split between internally developed, commercial, hybrid and cloud systems. Then they start mapping platforms and software to data, regulations, business processes and departments using more spreadsheets, mind maps, whiteboards, Visio and enterprise architecture tools. The journey has started and the team find both data management and presentation difficult. The drawing below shows what can happen in a short time.
Other methods of gathering and categorising data are looked at. Differences in opinion, disagreements on the starting point and on the best way to communicate the risks mean that good answers are still a long way away. Is it really that difficult to answer the 2 questions that most enterprises should probably already have the answers for?
The CIO looks at the picture, thinks of the CEO and the executive team, and goes for the industry-standard dashboard approach linked to Excel data to keep it simple. An approach we've seen commonly used is a landscape presentation which shows all applications with a mix of text, icons and colour coding, a standard feature of current versions of Visio. The same approach can be used for critical hardware, where many of the same risk issues apply.
In this example the Payroll system is updated externally by the supplier and is currently supported. The supplier is also responsible for backups and recovery. There has never been a DR test to check recovery of the system, though there is a plan to do so. So an update that goes wrong can't be recovered by the customer, as they hold no backup data. Plus they would have to use a recovery and test method that wasn't proven while users were disrupted. Sobering thought. Just because we have a currently supported version doesn't mean we can sleep easy, as we are so reliant on our supplier. If the payroll application is integrated with other systems such as payments, HR records, etc., then a different method such as dependency maps is better able to explain both business / service impacts and dependencies on supporting infrastructure and data sources.
This dependency information may already exist in a service desk CMDB (configuration management database) for change risks, so adding in drill down hyperlinks works very effectively. If applications, their risk information and dependencies are in the same CMDB, rather than Excel sheets, then it makes it easy to refresh and update for both high level dashboard views as well as day to day troubleshooting and recovery from the unexpected.
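The Payroll case above and the dependency-map idea can be checked mechanically once the inventory is held as data rather than as a picture. The following is an added example written for this newsletter edition, not code from the original article or from AssetGen; the application names, dependencies and recovery facts are constructed, with "Payroll" set up to mirror the case described above (supported version, supplier applies updates and holds the backups, DR never tested). It answers the CEO's two questions in code: which systems the customer could not recover on their own, and which business services are lost when one system fails, found by walking the dependency graph in reverse.

```python
"""Dependency-aware update-risk check for an application landscape (added example)."""
from __future__ import annotations

from collections import deque
from dataclasses import dataclass, field


@dataclass
class App:
    name: str
    supported: bool                 # vendor still supports this version
    update_source: str              # who applies updates: "supplier" or "internal"
    backup_owner: str               # who holds the backups: "supplier" or "customer"
    dr_tested: bool                 # a recovery test has actually been run
    depends_on: list[str] = field(default_factory=list)  # apps/infrastructure this needs
    services: list[str] = field(default_factory=list)    # business services it delivers


# Constructed sample inventory (hypothetical names). "Payroll" mirrors the article's case.
INVENTORY = {a.name: a for a in [
    App("DB Cluster", True, "internal", "customer", True),
    App("HR Records", True, "internal", "customer", True, ["DB Cluster"], ["Employee self-service"]),
    App("Payments Gateway", False, "supplier", "supplier", True, [], ["Supplier payments"]),
    App("Payroll", True, "supplier", "supplier", False, ["HR Records", "Payments Gateway"], ["Monthly payroll"]),
    App("Reporting Sandbox", False, "internal", "customer", False, ["DB Cluster"]),
]}


def recovery_findings(inventory: dict[str, App]) -> dict[str, list[str]]:
    """Question 2: what would stop the customer recovering a system by the next working day?"""
    findings: dict[str, list[str]] = {}
    for app in inventory.values():
        issues = []
        if not app.supported:
            issues.append("version no longer supported")
        if app.backup_owner != "customer":
            issues.append("backups held only by supplier")
        if not app.dr_tested:
            issues.append("recovery never tested")
        if issues:
            findings[app.name] = issues
    return findings


def impacted(inventory: dict[str, App], failed: str) -> tuple[set[str], set[str]]:
    """Everything that transitively depends on `failed`, plus the business services lost."""
    if failed not in inventory:
        raise KeyError(f"unknown system: {failed}")
    # Reverse the "depends_on" edges so we can walk from a failure to its dependents.
    dependents: dict[str, list[str]] = {}
    for app in inventory.values():
        for dep in app.depends_on:
            dependents.setdefault(dep, []).append(app.name)
    seen: set[str] = set()
    queue = deque([failed])
    while queue:                    # breadth-first walk; `seen` guards against cycles
        current = queue.popleft()
        for name in dependents.get(current, []):
            if name not in seen:
                seen.add(name)
                queue.append(name)
    services = set(inventory[failed].services)
    for name in seen:
        services.update(inventory[name].services)
    return seen, services


def dashboard_rows(inventory: dict[str, App]) -> list[tuple[str, str, str, list[str]]]:
    """Colour-coded rows in the style of a data-driven status dashboard."""
    findings = recovery_findings(inventory)
    rows = []
    for app in inventory.values():
        _, services = impacted(inventory, app.name)
        if app.name not in findings:
            status = "green"
        elif services:
            status = "red"      # hard to recover AND a business service would be lost
        else:
            status = "amber"    # hard to recover, but nothing the business relies on
        rows.append((app.name, status, "; ".join(findings.get(app.name, [])), sorted(services)))
    return rows


if __name__ == "__main__":
    for name, status, why, services in dashboard_rows(INVENTORY):
        print(f"{status:5} {name:18} {why or 'ok':55} impacts: {', '.join(services) or '-'}")
```

The same rows could feed an Excel sheet that a Visio data-graphics dashboard reads; the point of keeping the logic separate is that the colour is derived from recorded facts (who holds the backups, whether recovery was ever tested) rather than typed in by hand, so a green status cannot outlive the data behind it.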
In Summary
In practice we find that you may have 100s of applications or instances to display so a combination of wall charts, interactive Visio diagrams and the ability to drill into more detail will help answer the two simple questions from the CEO.
Added into the dashboard are internally developed applications, legacy systems, cloud and hybrid systems, so the application landscape is easier to understand and present. It's easy to focus on and explain not just the status, but also why certain reputable suppliers provide services so as to reduce the burden on internal IT resources. Keeping the dashboard up to date achieves what the CEO wanted: that risks are understood and will continue to be assessed as products and suppliers change.
In the meantime the CEO hopes that he will be able to uncross his fingers soon...
Dave's Pet Peeves
Writing this newsletter brought back memories of the ways we've seen complex IT systems information presented when risk issues are involved. My peeve this time is how the difficulties of managing projects and changes to IT infrastructure and systems are often never addressed, resulting in gaps, problems, risks, stress, team politics and other issues which business and IT management are not aware of. What looks or sounds good may be just a smokescreen that hides the facts. "Yes, all data is encrypted and backed up" is clear and sounds good, though in reality regular backup checks stopped months ago and no recovery test has ever been attempted on the new cloud system. But you won't see those issues listed on a dashboard.
Often project and operational dashboards show everything as green, which is good. But the data hasn't been updated, or has even been guessed at because there isn't enough time to check. One application dashboard showed old systems that had been decommissioned 6 years ago, all with a green status including DR testing and recovery. Another dashboard had no date on it because it was 3 years since the last refresh. It was still used and referred to in meetings because there was no alternative. The same with a network diagram at one customer stuck on the wall with a refresh date of 2012 - in 2024!
Ask the users and IT teams what the reality is and you often get a different picture from the one presented to senior management. While there will always be communication challenges between different levels and teams within every organisation, it really helps address risk issues if all are on the same page, seeing the same picture. Behind the scenes there are resources and processes needed which shouldn't be assumed to be in place unless proven.
Visio Corner
Displaying complex dashboards of IT systems status is one of the many capabilities of Visio, especially when driven from a data source such as Excel or the AssetGen database. Data refresh is simplified, and the data graphics feature lets one diagram show different perspectives through user interaction. A status dashboard can use a combination of text, icons, colours and graphs to highlight differences and exceptions.
Visio shapes can be linked to one or more data sources so a single shape can show a consolidated view. Refreshing is simple, so changes in data are then reflected in the user's selected text/icon/colour changes. As you can have multiple data graphic settings, other views or perspectives of applications can be displayed using the same file. The dashboard can be laid out, grouped by different categories (business departments, regions, locations, suppliers, etc.) and put on different tabs/pages/files.
If you look at previous Visio newsletters you'll find other examples showing IP addresses, capacity and service type.
Creating Your Own Dashboard?
How long did it take us to create this Visio output from sample Excel data? A few seconds.
To lay out and create the graphics? 60 minutes.
To refresh? 1 second.
If Visio data linking and data graphics are new to you, contact us on the link below and we'll be glad to talk you through how to get started.
Upcoming Events - 2024
Sep 19th – Visio Tips and Tricks - Part 5: Building, Campus and Site Infrastructure. Details & Registration. 13:00 UK / 08:00 US EDT
Oct 24th – Free Webinar: Designing and Costing Cabling Infrastructure Using Excel/Visio Integration. Introducing AssetGen Cabling Architect V2. Details & Registration. 13:00 UK / 08:00 US EDT
I hope you enjoyed this edition of the newsletter. Make sure you subscribe by clicking the button at the top of the page to keep updated on future articles and events.