Your shout: Combining risk and security in one post

In response to Robin Laidlaw's opinion (Computer Weekly, 6 April), where he said the balance of security and risk management needs to be carefully managed

Since operational risk and information security people have so much in common, why not bring them together under the same management hierarchy?

I would encourage forward-thinking firms to consider the role of governance director. He or she would be the focus for managing risk-related activities and be a point of liaison with bodies such as audit and industry regulators.

Board-level representation is vital to deal with pressures arising from legislation such as Sarbanes-Oxley and would help ensure that risks are properly analysed and controlled.

Who knows, maybe the governance director's position on governance and ethical matters might just have pricked the Enron board's conscience?

Gary Hinson, chief executive, IsecT

How part-time jobs stop women leaving IT

In response to Irene Dawson's article, about the reasons women are leaving IT (Computer Weekly, 6 April)

I suggest the problem is because few employers consider part-time working or job-sharing.

I have worked as an analyst programmer for 10 years, the past six months of which, since returning from maternity leave, I have worked part-time three days a week. The arrangement gives me a work/life balance I am happy with and gives my employer an employee who is enthusiastic and eager to work.

I now need to look for a new job and so far, I have not found a single programming job advertised as part-time or job-share. It seems all I can do is apply for jobs which are advertised as full-time and hope my CV lands on the desk of someone who will have the vision to see that I can still be an asset to their company.

Elisabeth Walker

Why Microsoft needs to issue so many patches

In response to a study by Forrester Research, which found that it took Microsoft 25 days to release a patch, compared to Debian, which took 57 days

In my opinion these studies are skewed. Look at the sheer volume of software packages for Debian, which is currently more than 14,000. I doubt Microsoft has anywhere near this number.

If Debian issues an average of one patch a day, the average patch rate for a single package is about once in every 38 years.

A typical Debian user runs a small subset of these 14,000 packages. The chances of even having a vulnerable package on your system are low. What are the chances of having a vulnerable package on Microsoft Windows?

Now, ask yourself who would need anti-virus software and why: a Microsoft Windows user or a Debian Linux user?

Name and address supplied

Cost-effective ways of managing print

In response to Julie Giera's article (Computer Weekly, 6 April), in which she explained how firms could save 30% of costs by outsourcing printing

It is worth pointing out that although the likes of Ford will undoubtedly enjoy benefits from its £55m-plus investment in Hewlett-Packard's outsourcing solutions, smaller firms can make savings on print costs without shelling out their IT budget on an outsourced system.

By understanding three core elements of business printing - who needs to print what, what hardware is right for what job, and the total cost of each piece of printed output - companies can ensure they are operating at the most effective level.

Suppliers have an opportunity to provide products around these elements. Sales teams can approach prospects with a tailor-made solution. Intelligent purchasing and well-implemented policies will be far more cost-effective than further investments down the line.

Robin Edwardes, UK managing director, TallyGenicom

Manchester fire shows firms must have a plan

The coverage of the Manchester BT cabling fire (Computer Weekly, 6 April) left me with mixed feelings.

It was reassuring to note that most of the companies affected by the disaster invoked a business continuity plan. However, it was disappointing to learn that some of those plans were outdated or had not been tested for some time. I was also concerned that one of the blue chip companies invoked a plan that seemingly had not been tested for two years.

A business continuity plan is only as good as regular testing and training, and two years is a very long time in the context of business change.

In two years, business goals, staff, the economic climate and environmental factors will change - all of which influence the effectiveness of a business continuity plan. But despite numerous high-profile examples and continuous education through the media and the business continuity community, it seems organisations are still gambling their future on outdated plans.

On the surface it appears most companies "survived" the Manchester fire with the support of a business continuity partner. However, the medium- to long-term damage is as yet unquantifiable. Manchester Chamber of Commerce estimates that the disaster cost those companies affected £4.5m a day. This sum does not account for the damage to brand reputations and we may see the weakest fighting for survival.

The Manchester fire is yet another example of why business continuity must be built into the DNA of UK companies. How many more firms will suffer irreparable damage before UK business concedes that a comprehensive and up-to-date business continuity plan is a must-have, not a nice-to-have?

Dennis Thomas, director of business continuity, Synstar

Employers should keep job applicants informed

A considerable amount of press coverage has talked about the perceived lack of skilled workers in the UK. However, rather than look abroad, perhaps time should be given to looking into the behaviour of employers and recruitment agencies in the UK.

It would seem that it has become accepted practice that a job applicant who has failed to make it to the shortlist will not be informed. Since presumably all CVs have to be read to create a shortlist, would it really take that much effort to add the task of sending out a rejection letter to the unsuccessful applicants?

With recruitment agencies, this failure to respond is even worse, as the majority now keep their clients' details on some sort of database. In the IT industry in particular, this failure to respond to applicants is unforgivable.

Is it really that difficult to set up an e-mail with an auto-reply informing applicants that if they have not been contacted by a certain date, their application has been unsuccessful?

Name and address supplied

Memories of the early mainframes

The first IBM 360 in the UK may have been the 360/40 (Computer Weekly, 6 April) but it may not have been the first model in Europe.

I recall spending a week in Paris that summer to use what was said to be one of the first two 360s in Europe, where the machine we used was either a 360/25 or a 360/30. The operating system we used was known as BPS (Basic Programming Support). That was followed by Dos (not the one created some years later by Microsoft) and eventually by at least two flavours of the full OS/360.

At the time I was working for ICI at Wilton, developing a compiler so that we could transfer a large portfolio of programs that had originally been developed in Autocode for the Ferranti Mercury onto the new system. It kept me busy for several years, evolving to keep pace with the increasing power and facilities of the 360 range.

In the early years of OS/360 new releases had to be tailored to the customer's environment - a process that could take a whole weekend.

On one occasion an ICI systems programmer spent a Saturday and Sunday doing just that. When on Sunday evening, he had the new release up and running, he typed "Thank God" on the hard-copy console (no CRT monitors in those days), powered down the system and went home. On Monday morning the system would not start because the electricity supply to the building had failed. Then someone looked at the console. To "Thank God" the system had responded "God not verified" - a case of cause and effect?

Phil Brown, Stockport

XBRL is already an accounting standard

Eduardo Loigorri questions the use of XBRL (Computer Weekly, 20 March) as the taxonomy standard for Financial Services Authority-led electronic reporting. First, XBRL is a not-for-profit, international standard for defining and exchanging financial performance information. Unlike XML, it gives context to data and allows automated checking and validation.

Second, financial regulators around the world are now adopting XBRL as standard.

Loigorri also stated that XBRL is "proprietary". Although it is true that the standard has been developed by an international consortium, the FSA has ensured that it owns the UK regulatory reporting taxonomy and that software suppliers can incorporate the taxonomy into their products without licensing agreements or fees.

The UK has led the way in the introduction of XBRL-based reporting with a successful project approaching completion at the Inland Revenue and a further implementation being planned by Companies House (they will be interested to know they are "mired").

The FSA has not only taken a strong lead in driving electronic regulatory reporting, it also made sure it liaised with the industry through the Software Suppliers Advisory Panel, membership of which includes the Business Application Software Developers Association, where Loigorri is now chairman.

Ed Holt, managing director, Aqera, and chairman of the Software Suppliers Advisory Panel