December 23, 2012 By Dan Lohrmann
As we head into the heart of the holiday season, our thoughts and prayers still turn towards the families and devastated communities following the horrible events in Newtown, Connecticut, on December 14, 2012.
As expressed so well in the comforting speech by President Obama, our hearts go out to everyone impacted.
“… Here in Newtown, I come to offer the love and prayers of a nation. I am very mindful that mere words cannot match the depths of your sorrow, nor can they heal your wounded hearts.
I can only hope it helps for you to know that you're not alone in your grief, that our world, too, has been torn apart, that all across this land of ours, we have wept with you. We've pulled our children tight.
And you must know that whatever measure of comfort we can provide, we will provide. Whatever portion of sadness that we can share with you to ease this heavy load, we will gladly bear it. Newtown, you are not alone….”
Since that speech, there has been a steady stream of articles discussing various aspects of gun violence and the need for better school security following the tragic events in Connecticut. The stories of the families and children have dominated the news, as they should. But as we head into 2013, many are starting to ask about next steps.
Everyone wants to know: Can we make our schools safe? How far should we go towards metal detectors, armed guards and more?
What seems different is that this new discussion is occurring regarding schools that were considered safe havens by many. Few thought Newtown, a quiet community, would become a target. For this reason and many others, I suspect real change is coming for school security across America.
But I’d like to pose a related question: what about local and state government buildings? Is new or added security needed for these workplaces as well? How about private companies? How will they react?
Change After 9/11
I remember the changes that occurred in Michigan after 9/11. We went from virtually no physical security in state office buildings to guards, cameras and much more over the past decade. Security changes were seen all over the nation from airports to subways to federal government buildings.
Earlier this year, The New York Times asked: How resilient is post-9/11 America? Here’s an excerpt:
“Federal law enforcement and homeland security experts are advising corporate America to build better security into their business practices — to safeguard their goods and services, to recover from attack and, from the companies’ perspective, to boost their brand. ‘When you think of El Al, it’s not for on-time performance, it’s that you’re safe,’ said a senior law enforcement official, referring to the Israeli airline renowned for its security procedures.”
There is little doubt that many things have already changed regarding state and local government building security. Emergency Management Divisions around the nation are familiar with raising threat levels and the readiness state for state emergencies of all types.
Is Workplace Violence on the Agenda?
In addition, a new level of attention has been directed towards workplace violence. Here’s an excerpt from the US Department of Labor website:
“Nearly 2 million American workers report having been victims of workplace violence each year. Unfortunately, many more cases go unreported. The truth is, workplace violence can strike anywhere, anytime, and no one is immune. Research has identified factors that may increase the risk of violence for some workers at certain worksites. Such factors include exchanging money with the public and working with volatile, unstable people. Working alone or in isolated areas may also contribute to the potential for violence. Providing services and care, and working where alcohol is served may also impact the likelihood of violence. Additionally, time of day and location of work, such as working late at night or in areas with high crime rates, are also risk factors that should be considered when addressing issues of workplace violence. Among those with higher risk are workers who exchange money with the public, delivery drivers, healthcare professionals, public service workers, customer service agents, law enforcement personnel, and those who work alone or in small groups.”
Moving Forward
As all of the attention (rightfully) addresses school security following Newtown, we need to remember that schools are only one part of this vital discussion in America. How much is too much? Will we lose our national character by over-reacting? What about mental illness and other related topics that can lead to tragic events such as this?
At the same time, we need to be addressing a much wider list of potential government security threats – from cyberattacks to critical infrastructure protection. No doubt, the schools will certainly come first, as we struggle with the tough questions regarding what we can afford.
What are your thoughts on physical security topics at school and work as we head into 2013?
December 9, 2012 By Dan Lohrmann
Ever since the Western States Contracting Alliance (WSCA) was formed in October 1993 by the state purchasing directors from fifteen states, governments have been saving millions of dollars through cooperative purchasing. By working together on developing contracts with a lead state, the savings can be huge. Joint purchases, on items such as laptop and desktop computers and much more, can ultimately save time and resources by working together with other like-minded government officials from around the country.
Many of these excellent contracting relationships and procurement opportunities have developed over the years at meetings held by the National Association of Purchasing Officers (NASPO). WSCA is now used by many states besides the initial fifteen members. For example, this chart shows over 50% savings on desktop PCs when you use the discounts from the “Premium Savings Packages” available to certain WSCA-participating states from numerous vendors.
And while you are looking at these charts and adding up the savings possibilities, you will see a change in the names that resemble a marriage. That’s right, the graphics for “WSCA” have now become “WSCA/NASPO” on most of their websites. In fact, this development was explained to me this week when I was on a teleconference which discussed multi-state opportunities to save money and be more efficient in our contracting work.
A Huge Infrastructure Opportunity
So why bring up this contracting topic in an infrastructure blog? Because evaluating vendors and contracts, developing statements of work (SOWs), and managing provisions are a big part of what we do and how well we do it!
On topics ranging from smartphones, BYOD and mobile device management to cloud computing to consolidating data centers, contract wording is vital. Of course, we all want to get the best deal possible, while at the same time taking advantage of the experiences of those who have gone before us. There is certainly wisdom with a multitude of advisors, and working with other states to understand their requirements is usually a best practice.
In addition, more and more states are working to provide shared technology services across traditional government boundaries. As we heard at the National Association of Chief Information Officers (NASCIO) conference in October, states are jointly offering services in such areas as cybersecurity, disaster recovery, GIS and more.
What Can You Do Now?
My understanding is that details for specific contracts still need to be worked out with WSCA/NASPO on a case by case basis. This fact sheet on their cooperative purchasing services is a great place to start to learn more about ways to engage WSCA.
Additionally, here is some wording from their FAQ website, if your state has chosen not to participate so far:
“WHAT IF MY HOME STATE HAS CHOSEN NOT TO PARTICIPATE, BUT WE WANT TO USE A WSCA CONTRACT? That question is not as easy to answer. Each state and governmental entity has different statutory, legal and procedural requirements. WSCA contracts are solicited to allow the broadest possible participation, but the real answer depends on your individual legal and procedural requirements. You should check with the Lead State contact listed on the contract page or contact Paul Stembler (contact information below) if you have questions.”
Wrap-up
In conclusion, times are changing, and state procurement practices are changing as well. Partnering with WSCA/NASPO on large contracts (and even on some small purchases) makes a lot of sense. Hopefully, the joint buying power of all of the states can make a substantial difference and enable even better products and services to be delivered at lower prices moving forward.
Just as important, CIOs, CTOs, CISOs, IT Directors and other technology professionals need to be aware of what is going on around the country in regards to contract terms and conditions, the latest security and privacy wording in contracts, provisions for getting in (and out) of the cloud and how we can work together to influence vendor product and service roadmaps.
Over the years, we have often heard sales executives from major corporations ask: Have you looked at what WSCA has to offer?
Now we can answer: I think you mean the cooperative purchasing arm of NASPO. And yes, we’ll give them a call.
November 26, 2012 By Dan Lohrmann
More and more companies and governments are implementing technology policies that allow their staff to bring their own devices to work (bring your own device, or BYOD). This means those shiny new Christmas presents, like iPads, iPhones and Droid-enabled devices, can access company and government data. Some experts estimate that BYOD will become the predominant technology approach to access mobile apps in coming years – with almost 60% of offices already implementing some type of BYOD.
Recently, I covered some of the good, the bad and the ugly regarding BYOD in this presentation for auditors in Lansing, Michigan. But beyond the implementation headaches, security concerns and topics such as Mobile Device Management (MDM), there is an emerging debate surrounding a series of cost-saving statements and claims.
I have spoken with government technology leaders in several states who say they are saving money now with BYOD by offering staff who have state-owned devices the ability to bring their own device into work. They save money overall on the cost of the hardware purchase, on the monthly telecom subscription charges and on helpdesk support calls. Many industry analysts say that this new approach can save significant budget dollars, given the right conditions. Consider these articles on saving money with BYOD:
Encourage BYOD Policies in Agencies to Save Money – “Given the power, availability, and relative affordability of today's smartphones and tablets, the Federal government cannot keep up on technology and shouldn't have to. Instead, provide standard mobile data management (MDM) security protocols to allow employees to use their own, privately owned devices. Agencies should provide a monthly stipend to defer the cost of wireless services.”
2012 Survey Reveals Top Cities Save Money With BYOD, New Wireless Facilities and Shared Services – “Top-ranked cities in the survey reduced overtime with new technology, embraced BYOD to reduce hardware costs and developed an app that will keep track of what users are doing to reduce power and fuel consumption.”
California's budget crisis sparks controversial 'BYOD' plan to save money – “Because of the state's ongoing fiscal crisis, he, like other agency managers, last year was told to cut use of state-issued cellphones by 50% as a cost-saving measure. Cruz decided one way to hold down costs at DHCS, which was using BlackBerries, was to have agency employees use their own smartphones instead -- without any subsidy.”
But Some Say BYOD Costs More
On the other side of the fence, consider these stories:
Asian companies resisting BYOD due to cost – “Companies will need to fork out for device management and individual mobile and data plans to enable BYOD initiatives, but the extra costs mean they're holding back from implementation.”
Most IT Directors (73%) Say BYOD Will Lead To Uncontrolled Costs Not Savings – “One major reason for potentially uncontrolled expenses boils down to companies losing bargaining power with carriers as employees begin purchasing their own iPhones or Android handsets. While the cost of the device isn’t likely to be passed on to an employer, monthly costs for voice and data service may be a different story. With unlimited data plans slowly going the way of the dodo, many workers may not want to shoulder data bills associated with their jobs, which may lead to a shared expense model.
More importantly, nearly the same amount of IT directors (69%) said that cost savings around lower support costs are “non-existent” despite the perception that personal devices will reduce the workload of IT staff. The survey found that IT staffers expect to remain the first place BYOD users call for technical support.”
Blackpool ICT boss: BYOD doesn't save money – “Since starting its BYOD scheme, the council has realised that it is costing more to allow staff to use their own devices than corporate ones once additional requirements such as mobile device management and help-desk support are factored in, Doyle said.
‘I don't believe the right reason to introduce a BYOD policy is to make cost savings. My sense at the moment is that it's costing us more because of the extra burden on the helpdesk, and the cost of software to manage the devices,’ he told the InfoSec conference in London.
‘I also think you've got to factor in that if it all goes wrong, the local authority may fall foul of the information commissioner for a breach and get a £500,000 fine.’
However, the council is reaping other benefits from BYOD, such as office space rationalisation, including a reduction in the number of desks it provides, the introduction of hotdesking, and flexible working.”
Study: Just one in ten enterprises have saved money through BYOD schemes – “Mobile expense management company Xigo commissioned telecom industry association CCMI to carry out the study, which found that only 9% of businesses have been able to cut expenditure by deploying some kind of BYOD program.
Another 67% saw no difference with expenditure, while 24% somehow saw an increase in spending after putting a BYOD plan in place. More than half of enterprises (60%) are still in charge of purchasing, managing and securing smartphones and tablets for their employees, while also paying the monthly network fees.”
Hidden Costs Can Hamper BYOD Programs – “If BYOD programs are not kept on a short leash, they can in fact be very expensive, up to 30% more than what an agency or company might spend on a non-BYOD mobile program…”
What About Productivity Increases?
Some industry experts proclaim productivity increases with BYOD. For example:
There's only one business case for BYOD -- Productivity – “Whether a company is a Fortune 500 firm or a little startup, there is really only one reason to allow employees to BYOD. Increased productivity from workers using their own precious gadgets is the only reason to do it.”
The argument goes that employees will be happier, easier to train and just do more with their own smartphones and tablet-PCs. Happier employees usually stay with your company, and BYOD is viewed as a way to attract and retain young talent. Of course, these productivity gains can be more difficult to measure and justify than hard savings on the bottom line.
What’s My View on BYOD’s Business Case?
So which is it? Does BYOD cost more or less for enterprises?
My opinion: it depends on your answers to key questions. Also, this is a moving target, and it is difficult to do an apples-to-apples comparison between today and where you will be three years from now. There will be new apps, other devices taken away or added and a long list of other changes. BYOD may become a new cost of doing business for some enterprises.
Here are some key determining factors: Do you offer BYOD to all employees or just those who had smartphones before? In Michigan, we have over 47,000 employees, but fewer than 10,000 currently have government-provided smartphones or Blackberries. Who gets to have an MDM-protected BYOD device? This will be decided by the agency business areas.
Also, who gets a stipend? If employees are fully reimbursed for their personal device(s), the savings may disappear. Only time will tell how many employees elect to bring their device to work.
There are many other questions that must be answered before you determine if BYOD is cheaper. What data plans are allowed? How many calls come into the helpdesk? How many different device models are allowed? How many staff will be deployed for this function? Is that an increase or decrease from today? How does billing work? The list goes on.
My view is that we will start to see BYOD implementation tools (return on investment calculators) soon that will help you figure out the business case for BYOD in your company or government office, based upon your answers to about 30-50 questions.
In the meantime, the BYOD parade continues, but don’t spend the savings just yet.
October 31, 2012 By Dan Lohrmann
The impact of Tropical Storm Sandy is being felt far and wide.
Here are just four of the hundreds of articles describing the widespread damage and storm impact:
Sandy slams mobile, wired and cable networks as far west as Michigan
"Post-Tropical Cyclone Sandy knocked out mobile, phone and cable service in many parts of the eastern U.S. on Monday, with about one in four cell sites affected in the hardest-hit band of the country between Virginia and Massachusetts, according to an FCC estimate.
About 25 percent of the cell sites in the 10-state area were out of service at 10 a.m. Eastern on Tuesday, the U.S. Federal Communications Commission estimated. Due to the floods, high winds and snow brought by the storm, there were reports of outages as far west as Michigan, the agency said. The situation could become worse in some areas as backup power supplies for affected cell sites run out, it warned."
Sandy's impact: State by state
“A running CNN tally reflects a steady restoration of power to affected areas, but early Wednesday, nearly 6.2 million customers were still without power in 15 states and Washington.
Here's a look at how Sandy has affected the United States and Canada….”
Storm forces Internet hubs to run on generator power
"Two monolithic buildings in lower Manhattan that serve as major network hubs for the U.S. are operating on generator power, thanks to Hurricane Sandy.
The buildings, known as carrier hotels, are a 2.9 million square foot structure at 111 8th Ave., and a 1.8 million square foot facility at 60 Hudson St."
“Power could be out for a week — a fact noted by some New Yorkers who packed their bags and headed for the exits.
The storm was blamed for 51 deaths up and down the East Coast, according to the Associated Press. The tempest played havoc with the power grid, knocking out electricity to 7.5 million people. More than 16,000 airline flights have been canceled so far. Eqecat, a firm that models the costs of catastrophes for insurance companies, estimated Sandy’s economic impact on the country at $10 billion to $20 billion.”
I found the coverage of Sandy to be very interesting across the major networks this morning. Obviously, the devastation is huge – especially in New York and in New Jersey. Several news outlets were also warning people in other parts of the country about Sandy-related scams.
Our thoughts and prayers go out to those affected by the storm.
October 18, 2012 By Dan Lohrmann
Another Patch Tuesday is just around the corner, and I feel an urge to rant.
In reality, the actual day each month is just a part of an ongoing cycle. Like a coach’s preparation for the next football game on the schedule. We even tell our rookies, “Don’t worry, we’ve got this down to a science. Just study the playbook and learn the system.”
We scout, break down the patch details, analyze the impact, discuss strategy, watch film, highlight strengths and weaknesses, suggest alternatives and finally build a game plan. Actually, I’m exaggerating – but only on the film part.
Here’s the routine… During the first week of the month, we realize that our infrastructure is coming up on that time of the month again. We typically ask: How many patches in this round?
As we approach the big day, we read up on this month’s patches. Are they critical? What if we wait? Should we test them first or just trust the fixes? We call in to the MS-ISAC’s (or other organization’s) monthly call on patches and check their dashboard for potential critical alerts.
After “the game,” we heal up as we get ready for the next team – I mean patch. That is, unless an emergency update comes along.
Our Network History According To Patch Tuesday
Almost like forecasting the weather and/or analyzing the results after a big storm, Patch Tuesday is an ongoing topic for computer infrastructure support teams. Veteran security pros remember the good, the bad and the ugly regarding viruses, malware and Patch Tuesday. We tell new interns to gather round and we’ll share stories from the past. We could probably create a “Patch Tuesday Hall of Fame” to remember from where we have come.
Do these headlines ring a bell?
Updates galore in Microsoft's biggest ever Patch Tuesday
Patch Tuesday: Critical flaws haunt Microsoft Office, IE browser
Microsoft Patch Causes System Crashes on Infected Computers
Microsoft to patch Word critical security flaw next Patch Tuesday
Going back a bit further, I remember the fixes for Code Red and responding to the 10 worst computer viruses in history. This has been going on since… well, we can hardly remember a time without it.
Actually, Wikipedia claims that Microsoft officially began Patch Tuesday in October 2003, although regularly scheduled patches have been released on the second Tuesday of each month since the launch of Windows 98.
And this is so much fun, other vendors, like Adobe, have occasionally decided to join in on the Patch Tuesday action. Vendors like Symantec and McAfee are constantly updating their anti-virus signatures, and our teams often ask what zero-day attacks can be stopped by different versions of antivirus protection mixed with various operating system patches.
Will there be a new YouTube Channel for Patches in the future? Could this become Reality TV for geeks?
Necessary Disclaimer
After getting this far, some readers will no doubt think that I am just bashing Microsoft. Actually, that’s not my purpose. I am a fan of Microsoft, Bill Gates, Steve Ballmer and most things coming out of Redmond, Washington. I am a lifetime user – from MS-DOS to Windows 95 to Windows NT to Windows 7. My family has owned dozens of computers and laptops running Microsoft software over the past three decades in the UK and USA.
I’ve come to think of Patch Tuesday (and other software and operating system updates and upgrades) as a necessary part of life – like cleaning the garage. Somebody has to do this work. Someone has to configure everything when the new PCs get unpacked. I have fond memories of my first Windows-based PC, and I’ve never second-guessed my decision to NOT move to a Mac.
Nor do I want to get dozens of emails from companies telling me that they have a better way for the Michigan government enterprise or my family to apply patches more easily (been there and done that) -or- that we need to move to Open Source or convert to all Apple or Google or some other software for all of our computing needs. (Yes – I have an iPad and an iPhone.)
Actually, I appreciate all the work that goes into keeping us safe online - fixing bugs, sounding alarms and upgrading functionality. I know that the bad guys will always try to break into our PCs and servers no matter what. When you’re a long-standing top dog, like Microsoft has been over many years, everyone is shooting at you. I am thankful that they do what they do. Like Hadrian’s Wall from Ancient Roman times, Microsoft has usually protected us on the digital frontier since the early days of the global Internet. Truth be told, cybersecurity challenges as well as support of operating systems are getting more complex and the problems more daunting in 2012. Patch Tuesday is just an industry poster-child for all of this front-line effort.
Nevertheless, it doesn’t mean that I can’t hope that someday…, perhaps…, things will be different. I won’t get that sinking feeling when I see that my PC needs to download and install 20 new updates over the next 30 minutes before my PC is happy again or my shutdown is complete. Our bulletins to systems admins, database admins, security pros and others will be a little less frequent.
Our Future: Windows 8 and Windows RT?
Lately, the headlines have declared that PC sales are dropping sharply. It remains to be seen if this is because people are just waiting for Windows 8 or moving away from the laptop and desktops entirely. Some may be moving to Google or Apple or Microsoft’s new Surface RT tablet. Or, is the global economy a factor?
Regardless, as we prepare for the next rollout (at home and work), I’ve started to ponder the age-old question: Will Patch Tuesday ever end? I doubt it, since Microsoft has already announced a massive patch prior to the public release of Windows 8. Of course, they can always change the name of Patch Tuesday, but not the ongoing work. I’m not predicting the end of an era either, since many IT managers prefer Microsoft technology.
I also realize that an entire industry has developed from Patch Tuesday. I suspect that this part of infrastructure support life will continue for many years to come. Every major vendor has vulnerabilities, fixes, new releases, mistakes and just plain upgrades with new features. For most of us, it is just a part of online life – like changing oil in your (real-world) car.
Still, I think no regular event is more of an ongoing support headache for the tech industry than Patch Tuesday. Our enterprises follow, study, refine, fear, talk about and act on Patch Tuesday more than many other areas of infrastructure, month after month, year after year. Sure, other “sexier” topics grab the headlines temporarily, but Patch Tuesday is always waiting for us like the next game on the schedule.
And no CIO, CTO or CSO would mind hitting the delete button – if only the problems would go away with the patches. What’s your experience with Patch Tuesday?
Building effective virtual government requires new ideas, innovative thinking and hard work. From federal stimulus projects to enterprise architectures to cloud computing, Dan Lohrmann will discuss what's hot and what's not in the world of technology infrastructure.