Involve end-users in strategic planning

Shabbir Osman, UK managing director, Eclipse Computing

I agree with Arthur Murphy of PricewaterhouseCoopers that end-users need to be more involved in IT projects to ensure success. (Computer Weekly, 2 March).

Many companies are failing to approach systems implementations correctly because the employees who have to use the technology have not been involved in discussions about the strategic goals and objectives for the system.

Many companies are only providing employees with training on and access to specific parts of the system, and they are shielded from other areas not associated with their jobs.

This lack of awareness of the software's full capabilities means that many employees will continue to replicate manual processes rather than automate mundane admin functions.

Not only is their business perspective severely restricted but their development of broader IT skills - a fundamental requirement today - is also constrained.

Strategic expectations of technology cannot be realised if they are not communicated to those tasked with using the tools.

Patch management: when less is more

Avi Corfas, vice-president and managing director EMEA, Skybox Security

I could not agree more that "a pre-emptive process involving the identification and management of system vulnerabilities" is what is needed to move today's patch management to a proactive from a reactive state. (Computer Weekly, 2 March).

In fact, last month a Yankee Group study showed that if an organisation kept totally up to date, installing every Microsoft patch, it would cost £5,200 a year per desktop. And that does not take into account expenses incurred when a patch interferes with another function or fails altogether.

The real questions enterprises need to ask themselves are how much patching is enough? How can enterprises avoid over-patching, under-patching and, even worse, mis-patching?

A survey of our customers found that only 1% to 2% of the tens of thousands of vulnerabilities found by scanners for a typical large enterprise network represent critical business application exposures. Getting to this number manually can take weeks or even months.

The missing link to automating this process is attack simulation and analysis conducted on a virtual model of the IT environment. Through this new approach to vulnerability management enterprises can find the minimum set of attackers' actions, which, if prevented, would mitigate the entire attack.

"What-if" scenarios can help to simulate the effect of remedies before applying them to the IT infrastructure - finally allowing enterprises to know what, when and in what order they should patch.

It is always advisable to look at the bigger picture, and I agree that risk assessment begins with understanding the configuration of IT assets, and critically grading the level of patch protection afforded to business-critical and support resources. However, until enterprises are able to apply attack simulations and risk analytics to this integrated model, automation is unmanageable and patch management will never be more than pain management.

J2EE and .net are development tools

Clive Donaghue, alliance manager, Information Builders UK & iWay Software

I take issue with the assertion that businesses are being forced to choose between .net and J2EE architectures for web services (Computer Weekly, 2 March).

J2EE and .net are, one way or another, application development architectures, and clearly web service provision could be a deliverable of one of these "applications".

But this does not imply that businesses need to choose between .net and J2EE for the provision of a web services architecture across the business.

In fact, through standards-orientation and the decoupled nature of web services, their provision through the enablement of existing enterprise applications can be considered entirely separately from any corporate J2EE versus .net debate that may be raging within a business.

Coding-free software tools are available that create web services from existing applications and then deliver them to web service consumers built in .net or J2EE, inside or outside of the enterprise. This means that, for web services provision at least, the "where should we commit our resources?" question is resolved: in neither.

Battling the 'non-virus' is clogging up systems

Steve Brooks, ICT central services manager, London Borough of Barnet

A consequence of the huge volume of virus traffic that is around now is an equally huge volume of "blocked e-mail" notifications from company mail scanning systems.

But, as most mail viruses use cloned e-mail addresses, these notifications go back to people who did not send the mail in the first place and just cause confusion.

These notifications also consume network bandwidth and take time to deal with. It is getting to the point where more support staff time is spent on dealing with queries about these notifications than on queries about attempted attacks themselves.

We understand that experts recommend that these notifications be switched off.

We have done this in our systems and we also try to encourage companies that send us notifications to do the same. But we are a very small cog in a very big industry.

Secondment idea is unrealistic

Fraser Laing

So a secondment to the marketing department for a couple of years could make me a better IT director? (Computer Weekly, 2 March). Although it could probably improve my people skills, it would also cause me to lose touch with the IT arena and allow some young thruster to fill my shoes.
