The strategy would be to analyze servers, buildings, energy use, water use, and waste for the entire online effort, the space, the servers and the people in the online group. How did I go about that?
I started by contacting the manager of our corporate responsibility office. I let him know that I had a significant effort, but didn’t outline specifics.
I itemized all of the servers involved in online banking. I got the models, listed the power supplies in each, and documented average operating loads for those power supplies.
I itemized people – developers, project managers, web managers, online security, administrators, and application engineers. I got a fairly comprehensive overview of the business, and I contacted The Green Office to get an estimate of cost. They don’t really have any templates that account for geographically distributed efforts, but I still tried to compute a combination of emission reduction credits and renewable energy credits (green tags) that would neutralize our online banking carbon footprint.
It was important to account for buildings, technology, furniture, janitorial, commuting, electricity, water, and waste.
The aggregate was surprising, and extremely significant. It was also economically difficult to justify in a period of expense management. (expense reduction)
Harvard business, like everyone else, is trying to find value, to find competitive advantage in all things green. They have an online section that covers enough topics to make it very very worthwhile.
Dreamhost already has competitive advantage in its hosting. If nothing else, they get it from the “trust and confidence” accorded to companies that find the “relationship between eco-orientation and company performance.” They also get it from customers and potential customers. Customers find the eco-orientation as a point for retention. Potential customers see it as a simple way to make a difference.
These two principles, building better retention with current customers and providing potential customers reasons to choose a company – these principles drive economic decisions. They are worthy goals and admirable accomplishments.
Replicating that would require various focus areas:
1) Committment – is there sufficient executive and leadership committment to do it properly?
2) Segmentation – what pieces of the business can be greened in a cost-effective manner?
3) Timing – when can it be done, when should it be done.
4) Benefits – how can benefits be smart? (i.e. specific, measurable attainable, relevant, timely)
5) A stream of continuous improvement, a philosophy of continuous involvement.
How can a company do that?
The key is finding money and environmental syngergy. Find ways in which business objectives and environmental objectives align, and ways in which they can be encouraged or forced to align.
The key is the same as any other accomplishment – it is simply in deciding to do it, planning to do it, doing it, and monitoring how it is done.
Paul Venezia has continued his fantastic coverage of the Terry Childs case from San Francisco. Terry was accused of a denial of service attack when he withheld access to network resources last year.
It is worth reading everything that Paul has written on the Terry Childs case. His work has been thorough and extremely well thought out. You can read his latest article here. http://www.infoworld.com/t/insider-threat/terry-childs-back-in-court-516
Given what Terry Childs has done, and the relevant California laws, I predict that Terry Childs will go free.
Here’s why. California Code 502 states: “‘Computer services’ includes, but is not limited to, computer time, data processing, or storage functions, or other uses of a computer, computer system, or computer network.”
Paul points out that the code also says in “Subdivision (c) (that it) does not apply to punish any acts which are committed by a person within the scope of his or her lawful employment.I think the combination of those two elements of the California law ensure that Terry Childs is going free. Either charges will be dropped, OR, he will be found not guilty.
A quick recap of of the case facts: Terry Childs is a certified technical expert. He was working in limited-access computer area, and a person who he did not know should have access to the network asked him for a sort of blank check of administrative access. Terry felt that his responsibility was to protect that access - he denied access to that person. He also called to let others know of what he considered an attempted security breach. Subsequently, Terry denied access to other people, who also had inadequate expertise. Eventually he gave those passwords and that access to the cities mayor. Although the mayor also lacked technical expertise, Terry thought that the Mayor was the only person with sufficient authority and responsibility. That was Terry’s duty, as he saw fit.
Paul wrote “It’s been proven that Childs had no technical peers within the IT department; thus, essentially everyone he worked with could pose a threat to the network from his perspective.”
So – Terry Childs did what he thought was his job. He knew his job better than anyone else in his company. Given the California code, and the amazing mistakes in all areas of the prosecution of this case – Terry going to go free. (as an example, in publishing details of the case, prosecutors published and posted online a large number of valid/accurate usernames and passwords, comprimising security, and perhaps underscoring the reasons why Childs was so careful.) Terry Childs will be exonerated or charges will be dropped.
In most cases it would be great for charges to be dropped, for the accused to be released. In Terry’s case, he will go free at an enormous cost. Terry will be branded for the rest of his life, fairly or unfairly, as a rogue administrator. It is a tag that he will not be able to escape. Given that label, that brand – it won’t matter that his income was 6 figures in the past. I suspect this case will likely cost him the rest of his career. Nobody wants to hire a rogue – nobody wants a person who served a year in jail for being ACCUSED of computer crimes. The job market is getting tighter for everyone, but for Terry Childs, this case is going to shrink it so much further.
What Terry did not show the best judgment, but I understand it. Computer security is always a tricky risk-management balance that is comprised of access granting and access limitation. The best risk management principles are always based on the concept of ”deny all access, and grant only the most limited access that is absolutely required.” The second half of that principle is – “if greater than necessary access is requested, always have appropriate and informed executives execute an acceptance of that additional risk” If he thought that all of the Information Management executives were incapable of being informed due to their inadequate depth of knowledge – it is understandable that he only gave access to the person who he KNEW had the authority and responsibility. So what he did was completely understandable. His actions and intent were neither good judgment nor convictable crime.
The harder issues will come when this case is resolved. A large percentage of the dangerous, detrimental and malicious computer hacks come from insiders. Another large percentage of dangerous, detrimental and malicious acts come via social engineering, which is essentially convincing someone that you really need a certain access.
Properly managing risk with regard to access control, even to employees, requires smart policies, intelligence, and good judgment – and even with all those, it is an extremely difficult challenge. If the case establishes precedent that technology managers and experts must open access, that will have 3 simultaneous negative effects.
1) It will make security and risk management more challenging.
2) It will make dangerous acts much easier
3) It will increase information technology costs.
That will be great cost to everyone.