September 2007

September 29, 2007

Economist | Virtualisation - a Way to Combat Hackers and Viruses?

HACKING used to be done by kids for kicks or bragging rights. Nowadays, it’s big business for organised crime, often out of reach of the law, on the far side of the world. Connect an unprotected personal computer to the internet for more than 15 seconds and it will almost certainly be attacked by a virus or worse. That’s how ruthlessly effective the army of malicious robots, dispatched by criminals to scour the net for vulnerable computers, has become.

Security firms reckon some 2.3m “bots” are currently on the prowl. While suppliers of anti-virus (A-V) software have every reason to magnify the claim, the fact remains that only four out of five computers connected to the internet have A-V software installed. And less than half those have their software bang up to date.

Even among those that do, the software typically catches no more than 70% of the viruses, worms, Trojan horses and key-stroke loggers probing them continuously. Malware—MALicious softWARE designed to take over computers—mutates faster than A-V software. Insiders reckon protection is generally one to two months behind.

Protection against spyware is no better. Until recently, however, the problem was more of an annoyance than a threat. But spyware is morphing into something more ominous—with identity theft being the main objective. Meanwhile, protection against phishing attacks—fraudulent e-mails purporting to come from trusted organizations that try to get users to divulge passwords and other crucial data—is even less effective. By one estimate, phishing scams cost Americans between $500m and $1 billion annually.

One answer, of course, is to disconnect your computer from the internet completely, and never to accept any form of portable media from anyone. That way, your computer will never get infected, nor will it be turned into a zombie ready to do the illicit bidding of some scam artist, identity thief, mail spammer or child pornographer. But it will also be next to useless.

A better idea is to adopt something called virtualisation—a technique that’s been around for ages, but has only lately come back into fashion. Virtualisation provides a way of hiding a computer’s resources—its central processor, operating system, internal memory, network controller, and storage devices—behind a software curtain. The idea is to give users (not to mention nefarious strangers) the impression they have control of the machine, when really they are dealing with a simulacrum created entirely in software.

The technique was invented by IBM back in the 1960s, when software was relatively cheap and hardware incredibly expensive. By using virtualisation, one costly mainframe could be partitioned so as to run many different applications all at the same time—each within its own “virtual machine” in a layer of software running on top of the physical machine’s actual operating system.

With modern hardware so cheap, Intel-based servers that dish out applications and data have proliferated like rabbits. In most cases, only 10% to 15% of their resources are actually used. VMware, a company based in Palo Alto, California, was founded in the late 1990s to capitalise on this waste of resources. Helping companies get the most out of their hardware has made VMware one of the fastest growing software firms in decades.

And it’s not just servers in the back office that can benefit from virtualisation. Modern desktop and even laptop computers have more than enough power these days to run virtualisation software. Both the VMware Server and Microsoft’s Virtual PC 2007 are ideal for installing virtual machines on an Intel- or AMD-based PC.

Either will allow you to run a “guest” operating system inside one of the virtual machines. The guest can be another copy of Windows, which can then be left exposed to attack by viruses and other malware circulating around the internet, while the actual computer remains hidden behind the curtain, free from infection. After you’ve finished surfing the web, the virtual machine and its copy of the operating system can be discarded and a fresh set re-established the next time you switch on the computer.

The smart thing to do is run a version of the free Linux operating system—like Knoppix or Kubuntu—in a virtual machine facing the outside world. Linux is not immune to infection, but it is much more robust than Windows, and is the target of far fewer attacks.

Now, a niftier way still of defending web-surfers from attack is about to become available. At a trade show in San Diego earlier this week, ZoneAlarm—a company that has won many plaudits for its computer firewalls—demonstrated its latest thinking about how to protect people browsing the internet. The ZoneAlarm ForceField puts a virtual cloak around a Microsoft Internet Explorer or Mozilla Firefox browser. (Sadly, no Macintosh version is available yet.)

Your correspondent cannot recommend the current beta version of ZoneAlarm ForceField. This trial version is still too slow, has too many rough edges, and crashes too often for daily use. But, no question, when all the pre-launch bugs have been ironed out, it will be a killer program. Expect the finished version to be available in early 2008. By putting the computer’s internet browser into a virtual machine, the protection program will let web users venture into the darkest corners of the internet without fear of contamination.

Link: Tech.view | Virtually clean | Economist.com.

TechCrunch | LongJump’s Library Of Customizable Business Apps

We last wrote about LongJump back in June when their business application platform launched. Like Coghead, DabbleDB, Zoho Creator, WyaWorks, and SalesForce’s Force.com, LongJump lets programming novices design their own applications. To do so, LongJump provides a visual application creator and directory where users can share the apps they develop. Since launch, they have over 100 enterprise level customers.

Unless you already have a large audience like SalesForce, relying on users to create applications on your platform makes the service somewhat useless until someone creates one. So, as promised earlier, LongJump has seeded their platform with a suite of applications that can be remixed by their users. The suite consists of 13 business applications that will be free to use through the end of the year. The applications include a collaboration suite and tools for customer management, sales, HR, and Finance.

Applications can be customized by anyone else. Customizations include adding or modifying new data objects such as creating a contact object or triggering new actions when information enters the system. For instance, if a contact is added, email the sales team about it. These modifications fork the application into your own private copy, which you can keep for yourself or share with others.

The collaboration suite, OfficeSpace, is the most complex of the applications and lets users share personal and group calendars, assign tasks, store documents, and collaborate through wikis. Each of the functions is organized under its own tab, with a master dashboard where each user can put widgets of the pieces they’re interested in.

Link: LongJump’s Library Of Customizable Business Apps.

September 22, 2007

VentureBeat | Social Networks and Business: OnForce, Freelance, PlanHQ and Salesforce

Earlier this week, Forrester released two reports about social software, and how it is getting adopted within companies.

Blogs, wikis, social networks, sharing — it’s all giving IT departments a major migraine.

Here’s a summary of the findings, plus a listing of recent fundings and other news in IT and business software.

IT departments have not stopped worrying about the many “risks” that employees introduce through using social web services, one of the Forrester reports says: Security hacks, intellectual property leaks, noncompliance with regulation, and other problems. Still, it goes on to say that IT managers, along with the rest of the employees at many companies, recognize that these services offer more efficient ways to create and share information than current software. Many employees are already using web services at work without IT’s permission, the other report says, making these employees the “gateways” for web 2.0 companies to get their wares adopted then sold within a business. In between the lines of the reports: IT departments are afraid web services will make their own roles less important.

Meanwhile, here are the latest companies targeting IT, and the money chasing them:

OnForce, an IT services marketplace, raises $6.75 million — The company’s web site connects IT professionals with businesses who want on-site help with their computers, local networks and other office technology. OnForce and its competitors can help businesses take care of one-time problems without having to bring an IT person on staff or enter into a longer-term contract with an IT services company.

OnForce says 5,000 businesses are using the service to find help, with more than 10,000 IT workers available for hire. It says businesses have used the site successfully over half a million times with strong growth in the last year. The company does most of its business in the US, and is looking to expand internationally. Accel Partners led the investment. Earlier investors include General Catalyst Partners.

Free-lance.ru, a Russia-based online marketplace for software development, raises $400,000 — The company connects freelance software developers, designers, product managers and others with clients looking to build software. It has up to 15,000 freelancers and clients on the site per day, with a total of 100,000 people signed up on the site, it says. It will use the funds to seek more work with large companies in other countries. (Tip from Yakov)

PlanHQ, software for business planning, raises $250,000 — The New Zealand company offers a guided planning process for entrepreneurs looking to start a company. It walks you through creating team goals, financial projections, marketing and other aspects of starting a business. Once you start your company, it measures your ongoing progress against your plan, showing you valuable information like your financial performance. A sort of Basecamp, but customized for businesses — it even has a similar-looking interface to Basecamp. The software, which starts with a free 30-day trial, costs $9 to $49 per month. The company will officially launch at the DEMO conference next week, although the site is in public beta now.

Salesforce introduces developer platform for building customized applications — The provider of web-based services for businesses has launched Force.com, designed for companies, especially large companies, to build their own Salesforce-based applications for managing internal processes. Many startups offer ways for people to create customized databases — DabbleDB, Zoho Creator and Coghead are but a few of many. It’s not clear if this move will hurt their businesses.

Salesforce + Facebook = FaceForce — This application connects the fun of Facebook with the business-focused utility of Salesforce, a good example of how Facebook’s developer platform can be used to connect with other applications outside of Facebook.

If you’re using Salesforce to keep track of customers, and you’re also friends with them in Facebook, you can use FaceForce to see their Facebook profiles within Salesforce, alongside their Salesforce contact records. You can even message, poke and send gifts to your Salesforce contacts through Facebook. You can also search Facebook for possible leads, and link your Salesforce data to them. You can also see all of your Facebook friends within a specific company. More here.

Link: VentureBeat » IT roundup: OnForce, Freelance, PlanHQ and Salesforce.

WSJ | SAP for Small Businesses - Business By Design

FRANKFURT (Dow Jones)--German software maker SAP AG's (SAP) Internet-based software program for small and medium-sized businesses will be called Business ByDesign and is now available for selected customers in the U.S. and Germany, the company said at a press conference in New York Wednesday. The new software program targets small to medium-sized businesses, for which SAP sees a market potential of more than $15 billion.

SAP Chief Executive Henning Kagermann said by adding a new business to SAP's established ones, the company is on track to double the addressable market and serve 100,000 customers by 2010.

He said the software's market potential justifies the company's accelerated investments of EUR300 million to EUR400 million in the next eight quarters.

Previously, the company said that profitability of Business ByDesign could surpass the profit margin it generates on its traditional business.

The product, previously known internally as A1S, helps companies manage back-office work. Instead of paying large licensing fees up front, customers pay a monthly subscription per employee using the system.

In the U.S., pricing for initial customers will start at $149 per user, per month with a minimum of 25 users to be licensed per customer.

Currently, pilot customers are using the product in the U.S. and Germany, while the product is being validated by customers in the U.K. and China with further expansion planned for 2008 and 2009.

Walldorf-based SAP is the world's largest business-software maker by sales, ahead of U.S.-based rivals Oracle Corp. and Microsoft Corp. (MSFT).

Link: Article - WSJ.com.

Economist | Microsoft and Europe - A Matter of Sovereignty

“YOU asked for it, now live with it.” That was, in essence, the message spread by Microsoft's lobbyists after the European Court of First Instance upheld a landmark antitrust ruling against the world's largest software firm on September 17th, dealing it the most stinging defeat in nearly a decade of antitrust litigation. Emboldened by this decision, Europe's anti-monopoly squad will now go after other technology firms with high market shares, the lobbyists warn, forcing them to give up valuable intellectual property and curbing the incentive to innovate.

Yet it is unlikely that Neelie Kroes, the European Union (EU) competition commissioner, will now “be leading a prison march of the world's most successful firms through her Brussels doors”, as one lobbyist put it. The judgment's consequences are far-reaching, but in a different way. If it is not overturned—as The Economist went to press, Microsoft had not said whether it would make a final appeal—the firm will, in effect, lose much of its sovereignty over the virtual territory staked out by its Windows operating system.

Microsoft ended up in the dock in both Europe and America because it tried to protect and extend its Windows monopoly in two ways. One was by bundling other types of software along with Windows, notably its web browser, a move that triggered the antitrust action in America. Its other approach, which lay at the heart of the European case, was to withhold information from rivals that would have allowed their software to “interoperate” well with Windows over a network.

With a new Republican president in power, America's competition authorities decided in 2002 not to pursue the case championed by the Clinton White House and instead negotiated a settlement with Microsoft. This “consent decree”, large parts of which will expire in November, amounted to little more than a slap on the wrist. It failed to administer any penalty and let Microsoft add new software elements to Windows so long as PC-makers were allowed to add rival products too. The provision regarding interoperability was also limited: the requirement to provide the necessary “communication protocols” applied only to the version of Windows that runs on individual PCs, and not the one running on the servers that dish up data on corporate networks.

The European Commission's initial ruling against Microsoft in 2004 can be seen as an attempt to address these shortcomings. The commission ordered Microsoft to sell a version of Windows without its media-player software, the bone of contention in Europe when it comes to bundling. It ruled that the firm had to provide information on how to interoperate with Windows servers. The commission also imposed a fine of €497m ($613m), which has since grown to €777m ($990m) because it determined that Microsoft was not fully complying with its decision.

The European court has now upheld these remedies. Even more importantly, it largely endorsed the commission's legal reasoning. It argued, for instance, that withholding information that is needed for PCs and servers to work together constitutes an abuse of a dominant position if it keeps others from developing rival software for which there is potential consumer demand. In such cases, the information cannot be refused even if it is protected by intellectual-property rights, as Microsoft had argued.

With its ruling, the court has set a precedent that means Windows is no longer simply private property with which Microsoft can do as it pleases. And this will certainly apply to any other firm that manages to build a similarly crucial and long-lasting digital monopoly. Even today, with software increasingly delivered as a service over the internet, Windows is protected by something known as the “application barrier to entry”, meaning that so many programs run on it that rivals have a hard time getting users and software developers to switch.

Yet, whatever the lobbyists say, European regulators are unlikely to go after every technology firm with a big market share. There are not many similarly dominant computer platforms. What is more, most of the potential investigations that may follow are different in kind from the action against Microsoft. In the case of Qualcomm, for instance, competitors have complained that it is charging excessive royalties for its patents on mobile-phone technologies. In the case of Apple, commission officials have already said that they are wary of proposals to force the firm to open iTunes, its online music store, to music-players other than its iPod; a separate investigation into iTunes concerns variations in pricing between European countries, rather than technological lock-in. Even the continuing investigation of Intel is not directly comparable to the Microsoft case. The world's biggest chipmaker, the commission charges, has used abusive tactics such as offering rebates to prevent computer-makers from using chips made by its rival, AMD.

For the time being, the commission can apply the precedents set by the Microsoft ruling in only one case: Google, the world's leading web-search and online-advertising firm. Just as America's Federal Trade Commission is now doing, the EU's competition authorities will look closely at Google's planned takeover of DoubleClick, another leader in online advertising. And if Google becomes a central storage vault for data such as users' location and identity, as some fear, European regulators may one day try to compel the firm to give rivals open access to this information—rather as they have now forced Microsoft to release its communication protocols.

Microsoft itself is not out of legal trouble, even if it chooses not to appeal. The commission has yet to determine whether the information the firm has supplied will really ensure interoperability. Still open, too, is the issue of how much Microsoft can charge firms that want to license its protocols. Then there is the question of whether Microsoft should be forced to license the information to makers of open-source software. The firm argues that this would be tantamount to giving away the shop, but the commission thinks it would promote competition by advancing open-source rivals to Microsoft's products. And further investigations may yet follow into Office, Microsoft's dominant suite of business software, and Vista, the latest version of Windows.

No wonder Microsoft is stoking fears that the commission plans to go on an antitrust rampage. It has prompted a political backlash that may discourage the EU from staying on the case. In America the talk is of a “new form of protectionism”. After the European court's decision Thomas Barnett, the head of the antitrust division of the Department of Justice, warned that it “may have the unfortunate consequence of harming consumers by chilling innovation and discouraging competition”.

With this judgment Europe and America have clearly moved further apart in antitrust matters. But whether, as some fear, these differences turn into a full-blown transatlantic conflict remains to be seen. After all, the administration in Washington will probably have changed several more times before the Microsoft case finally draws to a close.

Link: Microsoft | A matter of sovereignty | Economist.com.

September 17, 2007

SAP | SAP to Debut On-Demand Business Software for Midsize Companies: A1S ...

NEW YORK - September 17, 2007 - Press and analysts are invited to a live online feed of the press conference highlighting the debut of SAP’s new midmarket offering, with the codename “A1S.” The conference is being held in New York City, September 19, 2007.

At the event, SAP will reveal a comprehensive snapshot of this new business software specifically designed to meet the needs of midsize companies in an untapped $15 billion market.

The Webcast will feature live demonstrations of the innovative new solution. Early customers will discuss how the software helps them meet the challenges they face in their businesses.

The conference will feature:

  • Keynote speech by Henning Kagermann, CEO, SAP AG
  • Keynote speech including demonstrations - Peter Zencke, member of the executive board, SAP AG
  • Panel discussion with Hans-Peter Klaey, president SME, SAP AG, together with early customers
  • Keynote speech by Léo Apotheker, deputy CEO and president of Global Customer Solutions and Operations, SAP AG
  • Q&A with SAP executives, early customers and partners

SAP Press Conference Wednesday September 19, 2007 11:00 a.m. – 12:30 p.m. EDT / 5:00 p.m. – 6:30 p.m. CET
The Webcast will be broadcast at www.sap.com/press
Questions can be submitted to press@sap.com
Listen-in, toll-free from USA: +1 (888) 635-9300
Listen-in, international callers: +1 (651) 291-7662
Access Code: 885760

A replay of the conference will be available as of Sept. 19 at 6:00 p.m., until Sept. 26 at 11:59 p.m. EDT:
From USA: +1 (800) 475-6701
International: +1 (320) 365-3844
Access Code: 885760

Link: SAP - SAP to Debut On-Demand Business Software for Midsize Companies, Code Name “A1S,” via Press Conference Webcast on September 19.

September 15, 2007

ZDNet.com | Microsoft offers its take on CapGemini-Google deal

Microsoft has been noticeably quiet whenever we bloggers/press folk ask them for comments on Google’s various announcements. Today’s CapGemini-Google partnership to sell Google Apps Premier Edition (GAPE) must have struck a nerve, as Microsoft sent out a lengthy and unsolicited response on the deal.

Here’s what Microsoft said via an emailed statement, attributable to a “corporate spokesperson”:

“We believe competition is good for customers and the industry. That said, customers tell us that our solutions deliver the ease of use, reliability and security that enterprises need. This is validated in the strong reception we’ve seen to 2007 adoption and usage and by having achieved more than 90% enterprise agreement renewal in the fourth quarter of our last fiscal year. Our long history in meeting the complex needs of enterprise customers, a partner ecosystem that has grown 43% on the Office platform since last year and our current and future investments in the software + services arena will deliver even more flexibility to customers.”

That was the “official” statement. Microsoft also suggested a list of “top questions that enterprises should ask when considering the switch to GAPE.” Microsoft’s suggested list:

“1. Google touts having enterprise level customers but how many “USERS” of their applications truly exist within the enterprise?

“2. Google has a history of releasing incomplete products, calling them beta software, and issuing updates on a “known only to Google” schedule – this flies in the face of what enterprises want and need in their technology partners – what is Google doing that indicates they are in lock step with customer needs?

“3. Google touts the low cost of their apps –not only price but the absence of need for hardware, storage or maintenance for Google Apps. BUT if GAPE is indeed a complement to MSFT Office, the costs actually become greater for a company as they now have two IT systems to run and manage and maintain. Doesn’t this result in increased complexity and increased costs?

“4. Google’s primary focus is on ad funded search. Their enterprise focus and now apps exist on the very fringe and in combination with other fringe services only account for 1% of the company’s revenue. What happens if Google executes poorly? Do they shut down given it will them in a minimal and short term way? Should customers trust that this won’t happen?

“5. Google’s apps only work if an enterprise has no power users, employees are always online, enterprises haven’t built custom Office apps – doesn’t this equal a very small % of global information workers today? –On a feature comparison basis, it’s not surprising that Microsoft has a huge lead.

“6. Google apps don’t have essential document creation features like support for headers, footers, tables of content, footnotes, etc. Additionally, while customers can collaborate on basic docs without the above noted features, to collaborate on detailed docs, a company must implement a two part process – work together on the basic doc, save it to Word or Excel and then send via email for final edits. Yes they have a $50 price tag, but with the inefficiencies created by just this one cycle, how much do GAPE really cost – and can you afford the fidelity loss?

“7. Enterprise companies have to constantly think about government regulations and standards – while Google can store a lot of data for enterprises on Google servers, there is no easy to use, automated way for enterprises to regularly delete data, issue a legal hold for specific docs or bring copies into the corp. What happens if a company needs to respond to government regulations bodies? Google touts 99.9% uptime for their apps but what few people realize that promise is for Gmail only. Equally alarming is the definition Google has for “downtime” – ten consecutive minutes of downtime. What happens if throughout the day Google is down 7 minutes each hour? What does 7 minutes each hour for a full work day that cost an enterprise?

“8. In the world of business, it is always on and always connected. As such, having access to technical support 24/7 is essential. If a company deploys Google Apps and there is a technical issue at 8pm PST, Sorry. Google’s tech support is open M-F 1AM-6PM PST – are these the new hours of global business? And if a customer’s “designated administrator” is not available (a requirement) does business just stop?

“9. Google says that enterprise customers use only 10% of the features in today’s productivity applications which implies that EVERYONE needs the SAME 10% of the feature when in fact it is very clear that in each company there are specific roles people play that demands access to specific information – how does Google’s generic strategy address role specific needs?

“10. With Google apps in perpetual beta and Google controlling when and if they rollout specific features and functionality, customers have minimal if any control over the timing of product rollouts and features – how do 1) I know how to strategically plan and train and 2) get the features and functionality I have specifically requested? How much money does not knowing cost?

“I invite you to speak with customers, partners and analysts who can validate Office’s business model.”

Link: » Microsoft offers its take on CapGemini-Google deal | All about Microsoft | ZDNet.com.

ebizQ | SOA Software Extends SOA Governance to Microsoft BizTalk

SOA Software, a provider of comprehensive Service-Oriented Architecture (SOA) and Web Services governance, security, mediation and management solutions, today announced that it has extended its Workbench product with a comprehensive governance solution for Microsoft BizTalk Server.

ebizQ received the following:

Working closely with Microsoft Corp. to deliver a closed-loop governance solution for BizTalk Server 2006 R2, SOA Software allows customers to confidently use BizTalk Server to automate mission critical business process, ensuring that the resulting applications are secure, reliable, and comply with enterprise and regulatory policies. By leveraging SOA Software’s Workbench in conjunction with BizTalk Server 2006 R2, customers can consistently govern, secure, mediate and manage the policy and lifecycle of any type of SOA service deployed and accessed on any transport.

BizTalk Server is quickly becoming one of the most important service platforms for enterprise business process management and automation. Companies deploying BizTalk Server have to ensure that it fits into their overarching enterprise SOA governance strategy as a governed service platform. SOA Software’s Workbench is deeply integrated with Microsoft’s ESB Guidance Toolkit and offers essential governance capabilities for BizTalk Server:

  • Closed-loop Governance – define, manage, and govern policies through a central registry/repository, enforce them through distributed service platforms such as BizTalk Server, and audit that the policies are being enforced.
  • Uniform Policy Management – Workbench ensures that services consumed and provided by BizTalk Server enforce, implement, and comply with a common set of centrally defined and governed policies.
  • Heterogeneous Governance Automation – Workbench provides comprehensive lifecycle management, policy management, and consumer management workflow capabilities to automate the governance processes for services exposed and consumed by BizTalk Server and any other enterprise service platform.
  • Dynamic Policy Enforcement and Implementation – BizTalk Server, through Microsoft ESB Guidance, leverages Workbench’s WS-MEX interfaces enabling dynamic policy discovery and implementation, as well as dynamic binding and end-point resolution.
  • Trust Mediation and Bridging – Workbench ensures seamless interoperability between the various security mechanisms used by the different platforms throughout the enterprise. It allows users to leverage desktop authentication mechanisms like Kerberos and smartcards, providing a mediation solution that ensures end-to-end single-sign-on with backend services provided by a wide range of enterprise platforms.

Workbench provides an integrated Service Management, Registry/Repository and Policy management solution, allowing Microsoft to respond to a customer’s end-to-end SOA Governance requirements. By integrating with BizTalk Server as a pipeline, it provides full service lifecycle management along with features such as design-time compliance testing, service discovery via a UDDI v2/v3 interface, service provisioning, WS-S security and service monitoring regardless of protocol.

Features include:

  • “Last Mile” Policy Enforcement for security, monitoring, mediation, and management
  • Authentication, authorization, encryption/decryption, signature
  • Usage, performance, message data collection
  • Syntactic, standards, and message exchange pattern mediation for interoperability
  • Web Service Monitoring and QOS alerting
  • SLA Management
  • Web Services Service Auto-Discovery and Auto-Management

“The combination of SOA Software’s SOA Governance solution and Microsoft’s BizTalk Server 2006 R2 provides customers with an enterprise-class solution for SOA Governance, security, mediation, and management,” said Steven Martin, Director of the Connected Systems Division at Microsoft. “SOA Software’s integration with BizTalk Server drives additional security, reliability, and performance of the services consumed and exposed by BizTalk Server.”

“We see the rapid adoption of BizTalk Server for enterprise business process automation as an indicator of the coming of age of SOA,” said Frank Martinez, SOA Software executive vice president of product strategy. “Our strategic relationship with Microsoft has allowed us to deliver a solution that gives enterprise customers the ability to confidently deploy BizTalk Server as a governed service platform, ensuring the security, reliability, and policy compliance of their applications.”

Link: SOA Software Extends SOA Governance to Microsoft BizTalk - ebizQ.

BPM Today | Taking a Risk-Based Approach to SOX Compliance

Five years after the Sarbanes-Oxley Act became law, many companies are still struggling to meet regulatory compliance requirements. Indeed, SOX and other regulations are time-consuming, costly, and, for some, a stressful reality of doing business in a post-Enron world.

Public companies have spent billions of dollars in efforts to comply with new government regulations over the past five years. This year alone, according to AMR Research, companies will spend $6 billion on technology products for compliance.

There is at least some relief in sight, though. Thanks to the recent changes to SOX, companies and auditors alike now have more flexibility to reassess and even redesign existing compliance practices. It's an opportunity to ease the burden, according to compliance gurus, by taking a risk-based approach.

Taking a risk-based approach involves determining which aspects of a business need to be included in an audit versus just trying to find everything that could possibly go wrong and including it in SOX controls.

SOX Basics

For those not yet familiar with the Sarbanes-Oxley Act, a quick review is in order. The Enron and Worldcom accounting scandals led the government to implement a new regulation, one that would forever change the corporate landscape in the United States. That regulation was SOX, which is also known as the Public Company Accounting Reform and Investor Protection Act of 2002.

SOX went into effect in July 2002, mandating new rules in financial reporting and auditing for publicly traded companies. The Securities and Exchange Commission administers SOX to regulate corporate financial records and assign penalties for noncompliance. SOX outlines the types of data that must be recorded and for how long. It also deals with issues such as falsifying data.

In July 2007, the SEC voted unanimously in favor of a new auditing standard and other measures to increase the accuracy of financial reports while reducing unnecessary costs, especially for smaller public companies. Auditing Standard 5 will make Section 404 audits and management evaluations more risk-based and scalable to company size and complexity, according to the SEC's own estimations.

A Risk-Based Approach

So where do you begin? Corporations attempting to leverage Auditing Standard 5's flexibility need to be able to identify what components of the corporate SOX compliance program are going to result in material weakness, according to David Smith, senior compliance analyst at Symantec.

The process starts with a risk assessment that takes into account the impacts of threats and vulnerabilities -- and the controls used to mitigate them -- on systems that directly relate to financials. "Audit Standard 5 tells auditors to scope two areas that either by themselves or when aggregated with other controls would result in or could potentially result in material weaknesses," Smith explained. (continued...)

Link: BPM Today | Taking a Risk-Based Approach to SOX Compliance.

September 08, 2007

Guy Kawasaki | Leadership and The Ego - Egonomics

  1. Question: Which comes first: big ego or success? That is, it takes a big ego to be successful or you start with a normal ego, somehow achieve success, and then get a big ego?

  2. Answer: First, there’s a vital difference between “big ego” and big ambition. Successful people usually start with big ambition/big ideas, and a “normal” or healthy ego. That combination of ambition, ideas, and healthy ego drives their success. If they’re not careful though, their success creates the illusion that it was them alone that achieved that success. And the more publicly visible they are, the more they believe the headlines that attribute their success to just them.

    Once they assign all of that success to themselves, their ego whispers how great they are, and anything else they think or do will be equally great. That’s when healthy ego becomes “big” ego, and it’s hard to convince ourselves it’s not just us because our self-written history reinforces that we’re the one that did it.

  3. Question: The opening line of your book is, “Ego is the invisible line item on every company’s profit and loss statement.” Why is it invisible?

    Answer: Because it hasn’t been measured, and yet people know the costs are there. Over half of all businesspeople estimate ego costs their company six to fifteen percent of annual revenue; many believe that estimate is too conservative. But even if ego were only costing six percent of revenue, the annual cost of ego would be nearly $1.1 billion to the average Fortune 500 company.

    The reason ego stays invisible is because we don’t talk about it—we talk about everything else—like numbers. It’s also easier to talk about lighter topics like “communication,” “decision-making,” “leadership,” or “teamwork.” But the most sensitive, yet most powerful topic, is ego.

    We think people should look at management capabilities in the same way Dmitry Mendeleyev looked at the periodic table of elements. He was the first person to organize the elements by weight—lightest to heaviest. The same thing is true in business—each capability has different weights; some lighter, some heavier. The “atomic weight” of the ability to manage the human element of ego is greater than all of them.

    There are other important elements on the leadership “table,” but ego has the most weight—in large part because of the effect it has on everything else. And yet it’s the most avoided. People have been afraid to talk about ego because they don’t understand how it works, especially at work. And the conversations they do have about it are usually at the water cooler and in private. More importantly, it’s almost always seen as someone else’s problem, and that needs to change.

  4. Question: What are the telltale signs of an over-inflated ego?

    Answer: First, let’s be clear that most people—99% of us—don’t have over-inflated egos all the time; just some of the time. When ego over-inflates, there are four early warning signs:

    1. Being defensive: defending ideas turns into being defensive.

    2. Being comparative: being too competitive actually makes you less competitive.

    3. Seeking acceptance: desiring respect and recognition interferes with success.

    4. Showcasing brilliance: ideas can be overshadowed by your own intelligence and talent.

    Let’s take just one that gets a lot of people in business, and usually triggers the other three warning signs, being comparative or too competitive. Here are some things you can watch for.

    1. Seeing someone you work with as a rival and thinking about how to “beat” them.

    2. Taking disagreement with your ideas personally.

    3. Compulsively following a competitor’s “lead” so they’re not doing anything you’re not.

    4. Criticizing competitors’ strategies and prematurely discarding them as irrelevant.

    5. Believing you don’t ever deserve to lose; a game, a conversation, a debate, a promotion, a raise, etc. and you’re not gracious in defeat.

    6. Disagreeing with someone’s point just because they’re the one who said it.

    7. Feeling worse about where you are when you see what others achieve.

  5. Question: Then what is a “healthy” ego?

    Answer: Genuine confidence; confidence that doesn’t have to exert itself to “prove” it’s confidence. Healthy ego keeps us from thinking too highly or too little of ourselves and reminds us how far we have come while at the same time helping us see how far short we are of what we can be. But to understand what healthy ego is, you have to understand the relationship between ego and humility. For most people, tradition holds that the opposite of excessive ego is humility, when in fact having too little ego is just as dangerous and unproductive as having too much.

    When we strike the right balance between ego and humility, we’re genuinely confident. We call that the “ego equilibrium” in the book. But since there’s a natural tendency to deviate from the equilibrium, when we move just right or left of center, we get false confidence, and ego manages us rather than the other way around. As a result, our strengths morph into counterfeit weaknesses, like someone who’s passionate now becomes overzealous, or if we’re strong-willed, now we become inflexible. We think it’s the same thing, but it’s not and everyone around us notices the difference.

    Imagine that the spectrum of ego is magnetic, with the strongest pull coming from the two ends. At the center, the magnetic pull on either side has little effect on us. But the closer we move to the extremes, the more the magnetic pull affects us and the harder it is to make our way back. The longer we stay off-center, the more comfortable we become being off-center. If we don’t quickly recover, we’re more likely to develop bad ego habits.

  6. Question: How can humility survive in a capitalistic, “dog-eat-dog” market?

    Answer: That’s the cool thing we discovered in our work, and the perceived “weakness” of humility is the assumption even in a question like this one. Humility is the only real way to become great, everything else being equal. As a trait, humility is the point of equilibrium between too much ego and not enough. Humility has a reputation of being the polar opposite of excessive ego.

    In fact, the exact opposite of excessive ego is no confidence at all. Humility provides the crucial balance between the two extremes. When Jim Collins did his work in Good to Great, humility was one of only two characteristics he discovered that separated leaders capable of leading good—even very good—performing companies, and leaders who made their companies great performers. And all of those leaders who lifted their companies to greatness and sustained them for over fifteen years did it in the same dog-eat-dog world everyone else was in. Humility was custom made for the dog-eat-dog business world.

  7. Question: Is there such a thing as not enough ego?

    Answer: Definitely. In fact, more people and company cultures suffer from this than you might think. We call it the “Junior High” side of ego; that we need the approval and acceptance of others so much that we make decisions we wouldn’t make if we felt more genuinely confident about who we are.

    That lack of enough ego puts others in the driver’s seat of our self-confidence, and people start to shape their thoughts and actions to what they believe will be endorsed by others; they become “pleasers” and don’t offer what’s on their minds. Companies then get “good” ideas from people—but sadly, not their best. Ironically, when they don’t get our best, they’re less likely to give us the acceptance we deserve.

    When our desire for acceptance is healthy, acceptance and respect are still important to us, but they aren’t our solitary goal. We can want acceptance without letting it affect our self-worth or authenticity. When our desire for recognition and respect is balanced, we draw a clear distinction between who we are and what we do.

  8. Question: What is your analysis of Steve Jobs?

    Answer: Steve’s gone through a metamorphosis in how he works. He’s always been exceptionally gifted as a creator and designer, but he used those gifts in a way that drove people away from his company and minimized the talent and creative IQ of the people around him. Once he was kicked out of Apple, life began to humble him through his own health challenges, his reputation, losing what he created, etc. Interestingly, Steve came out of that time of his life with a healthier ego, because life had humbled him and he accepted the lessons.

    At his commencement speech at Stanford a couple of years ago he said, “I’m pretty sure none of this [NeXT, Pixar, his return to Apple, the iPod and iTunes] would have happened if I hadn’t been fired from Apple. It was awful tasting medicine, but I guess the patient needed it.”

    Humility is a powerful antidote to unhealthy ego, and we can either humble ourselves, or wait for life to humble us. There was a Fortune cover about one year ago that had Steve on the cover, but the two-page spread inside had six or seven people sitting next to him. We thought that picture said it all; he’s no longer in this by himself, and it appears that he recognizes that. As a result, he’s a much better leader.

  9. Question: How does an egotist “reform” himself or herself?

    Answer: Therapy! The truth is, true egotists rarely reform. egonomics isn’t for the small percentage of egotists in the population who need therapy. In terms of reformation, we all need some. Maybe it’s the way we present our ideas, defend our positions, think about ourselves, share our talent and expertise, motivate people, etc. But the first step in any kind of reformation is awareness because where there is no awareness, there is no choice.

    And that awareness can’t only come from ourselves. Get feedback, ask people how you’re doing, and watch for any of the four early warning signs. We give companies who read egonomics free access to an assessment that measures how healthy the culture’s collective ego is.

  10. Question: What should you do if you work for an egotist?

    Answer: Run to the nearest exit and find somewhere else to work, but if that’s not an option, then fighting their ego with your own isn’t the answer. Egotists rarely win unless they’re in positional power, then you can’t do much. But if they’re not your boss, then sit down and talk to them about what you’re noticing, and make sure it’s not your own ego.

    Sometimes we assign other people the worst of what we’re seeing in ourselves. We also talk a lot in the book about how to communicate to get someone else to open their mind, back off a locked position, or change the way they’re working with you. Bob Sutton at Stanford wrote a very good book called The No Asshole Rule that deals more with the pure egotists. Our work is focused on the rest of us who aren’t assholes, but lack just enough humility to reach our real potential.

  11. Question: Which of the presidential candidates do you think does the best job of managing his or her ego?

    Answer: Rather than answer what we think, we’ll let a survey answer that question. We web surveyed about 1,200 people and asked questions about how voters would rank the humility, curiosity, and veracity of each candidate; things like how they would handle making mistakes, what kinds of people they would put in their cabinet, how open-minded and forthcoming they are, how curious they are about policies they don’t understand, how diplomatic they would be internationally, etc.

    About two-thirds of the people who responded were Republican. Not sure how to explain that. But what’s interesting is that a Republican didn’t win what we called the “presidential egonomics” survey. A Democrat, Barack Obama, was the clear winner with a score of 80.3 out of 100. This means that the respondents saw Obama as the most open-minded, curious, intellectually honest, collaborative, and genuinely confident candidate.

    The worst? Edwards, Giuliani, Romney, and McCain all came in at about the same score—all about six points behind Obama. Hillary Clinton was clearly last at 68.4.

  12. Question: How would we change if we did a better job of managing ego?

    Answer: We would be more open-minded about views that don’t agree with ours, and less rigid in making changes when we’re challenged with them. Closed minds and fixed positions may be the most prevalent outcomes of mismanaged ego. Good leaders keep their minds open. But great leaders open the minds of others in the most intense circumstances, even against the odds of prejudice, politics, and habit.

    But in those circumstances ego can trip anyone, at any time, momentarily if they confuse their identity—who they are—with their ideas—what they think and believe. When we slip, we stop defending our ideas and we get defensive. We stop sharing our brilliance, and try to dominate the conversation with it. Or rather than let ideas compete with each other to let the best one win, we start to compete with each other. All of which has the net result of closing minds and the opportunity for innovation or change in a company. After all, if people’s minds are closed—even partially—there isn’t much innovation or change happening in the company.

If this topic is too threatening to buy the book, at least read this whitepaper. You can also print it and drop it on the desk of the egomaniac you work with. :-)

Link: How to Change the World: Are You an Egomaniac? Ten Questions with Steven Smith.