SCAM: PayPal-UK Account under review “UKReview”

Another scam text message, avoid the link if you can people. “Your PayPal-UK account is currently under review. Please complete the following security form to avoid restriction:”

If you have clicked the link, change your Paypal password immediately and inform Paypal if you think you have been compromised. Go to the Paypal web site and search for reporting fraud, they can help.

Update on the thin IT model

Moving the core IT team from doing too managing has certainly been a stretch for some in the IT world. The expectation that day to day responsibilities could be handed over to 3rd parties scares some – the data loss risk, the loss of corporate knowledge, the loss of hands on skill.  So what became of the move, did it succeed?

It sure did.

Cloud provisioning has largely taken the physical from the IT world, moving it into services purchased, delivered and managed in the cloud.  Local data centres are now communications cupboards.

Offices have also changed, not just because of Covid, but cloud provisioned services are not bound to a location.  Freedom not only to work from home, but from any location on any device at any time.

The fears of data loss rationalised as lower risk than personal data loss from Facebook, online shopping and the risks accepted readily with all personal things online.  After all, should work be more important that the volume of data on your personal life, your friends and your family?

The thin, everything as a service model has provided an opportunity for those that have adopted it.  Freedom from physical constraints, bespoke skills and bespoke applications.  The ability to adapt 24×7, to adjust size, scale and budget, and to provide clear cost IT provision.

Is Microsoft Teams the future of collaboration?

It seems that just about any question around collaboration pointed at Microsoft mentions or references Teams.  The unified comms platform, the replacement for SharePoint, video and audio meetings, file storage, chat and apps.  All revolving around Office 365 with eventual integration into Office online and the world of web according to Microsoft.

It has to be better than Skype for Business, it has to be better than boring SharePoint sites, and it has to be better than the unification between products that is so hampering Microsoft at the moment.  Now if Microsoft could make this free to all, it would be so compelling for large and small alike.

My bet – this will be a central and pivotal USP for Microsoft in the post email world and something all organisations should look to adopt asap.

How far are UK businesses along the digital transformation journey?

Once it is recognised that each type of business has a different motivator for their digital journey, one can step back and see the relative organisation effort that has been attributed to the change.

Continue reading

Is WannaCry Ransomware or Mayhemware?

WannaCry impacted a large number of computers world-wide, it appeared to exploit random Windows computers world-wide in a cascade fashion.  Exploiting the human element along with some known, though not patched, vulnerabilities in Microsoft Windows code (SMB).  The question of should Microsoft have patched the code or more importantly, why they didn’t, is something that I’m guessing history will understand.  As is the question about how extensive Microsoft has been exploited by the NSA and others for use in times of war or other state/syndicate needs.

However, despite the widespread distribution of the WannaCry malware, it appears that the authors have not collected their bounty in Bitcoins.  This could be because it was more successful than expected, or that it was just not their intent.  I can’t help feeling that this was mayhemware and not malware – something designed to cause disruption to perhaps test the potential to expose the risks posed by the NSA code.

Either way it is a wake up call to CISO’s and cyber security professionals all over the world – the old way of protecting the ‘edge’ of the network is dead.  Everything needs to be untrusted and managed as levels of managed risk – people included.

More technical detail can be found on WannaCry on Wikipedia.


28th June 2017 Update: NotPetya is running rampant too.  It appears to use a tweaked version of the open-source Minikatz code combined with the NSA leaked EternalBlue SMB exploit used by WannaCry.  The key difference with WannaCry appears to be the use of the ‘administrator’ credentials to gain access to more vital areas of the hard disk’s file structure improving the potency of the encryption and rendering devices unusable unless decrypted with the paid for key.

Is this a sign that Malware extortion is actually growing breed of mayhemware with the coders perfecting their art?

ICO fine lawyer £1000 for keeping personal information on their home computer

As a lawyer suffers an ICO fine of £1000 for keeping personal information on their home computer, we all need to think again about how home working, BYOD and pervasive computing is going to work.  With over 725 unencrypted documents from 250 people (including vulnerable adults), this is likely to be just the tip of an iceberg that will require everyone to think a little more about how they keep their data (and the information within) safe.

Continue reading

An architect is only as good as the builder

Just a little bit of humour, I know this has done the rounds on various internet sites, but remember all, no matter how good an architect you are, you are always limited by the builders that interpret your plans.

PCI DSS and Data Protection: It is everyones responsibility

Lack of PCI DSS awareness is not an excuse

For an organisation like Evans Halshaw, you would expect PCI DSS compliance and data standards that keep your credit card and personal safe.  Yet they are part of a hidden problem where people just don’t understand the legal and moral obligations that they represent on behalf of their organisations.

I have a wonderful email from their “sales manager” Mike Spooner and team who state that “PCI DSS will not allow us to store credit card information”.  With this gap in PCI DSS knowledge, it is likely that there is also a gap in how to handle general data protection.  Therein lies the concern.  They are taking credit card, loan,  payment and personal plan details and what are they doing with them?

Continue reading

Can and should you trust your ISP?

We pass our data and our information through our ISP’s.  They have the ability to sweep data about us, inject adverts and code into our browsing.  The have the ability to censor and limit what they think is right and appropriate.  But how far should we allow this trust to go?

Sure, there are some legislative regulations to which they must comply (snoopers charter stuff), but they have the ability to make money out of your clicks, artificially promote information in their own interests and track your very lives.

Yet on the whole we trust these people, trust them to listen into our lives and to help us on our journey around the web (suggested sites and redirects).  But should we?

Continue reading

Tech Innovation: Mayflower Autonomous Ship

Just once in a while you see an idea and think “that’s just impossible, improbable and expensive”.  Then you think, but how cool would that be.  Think of the engineering, the skills required, the innovation and then think of the potential.


Here is just one:  the Mayflower Autonomous Ship.  A Plymouth to Plymouth (UK-US) sailing of an autonomous ship.  I would argue this is more difficult technical proposition than an automated plane (see BAE systems for that) as most of the technology does not exist in a connected way and the numbers and complexities of the environments sensed around it are far more complex.

What amazing potential this technology has – water taxi’s automated, automated harbour entry systems, and a world connected shipping system. Those interconnected systems and sensors could publish weather, barometric, temperature, current, density and more from all around the world.  All live, all part of the internet of things.

They have launched a crowd funding campaign to get things off the ground, which with a rather modest ambition of 100K looks like they are getting close.  So I urge any like-minded innovators in technology, to go look at their site and help out where you can.

Skype for Business Mac (MacOS or OSX) quick review

Finally, it’s here – Skype for Business running on a Mac.  Well OK, some legacy versions have been around for a while, but the new version at 105Mb of code brings your Mac closer to the Windows platform.

Skype for Business on a Mac

Find Skype for Business for MacOS or OSX on the Microsoft website here.

Continue reading

Cultural fear of IaaS

There is general fear around the use of cloud based infrastructure-as-a-service.  A cultural fear of the change it implies: the movement of IT from power to service provider, the perception that management will lose control, and the organisational structure changes and more.

Let us just recap first on the difference between traditional infrastructure and IaaS:

Traditional infrastructure, bought and installed on site, is expensive and takes upfront capital expenditure, requires the purchase of all associated supporting software and hardware (such as monitoring and management) and requires a team of people to run and manage it.

By moving to the cloud, there is less upfront cost, lower optional expense and has fast delivery times.  This is a cultural challenge though:

big old IT projects -> dynamic procurements that are reliant upon 3rd parties

But where is the IT team with this approach?

Not known for their ability to evolve over time, IT teams traditionally are quite static, risk adverse and cost centric.  Their challenges revolve around two key fundamental changes:

  1. IT needs to be able to let go and let their services run elsewhere
  2. Business owners need to feel comfortable that IT can keep their data safe on 3rd party services

Both are a question of ownership.  IT needs to feel that it owns the services provided by 3rd parties and the business needs to feel comfortable that IT are keeping their information safe and secure.  Both are reliant upon the other, but IT should be leading the way and facilitating change.


The fix to IT-as-a-Project?

The focus of IT though is wrong.  In fearing the cloud providers, IT are alienating themselves from the business need for cost control, rapid change and flexibility.  IT are becoming the problem and not the solution.

Cloud providers run IaaS systems in vast numbers.  Security is their number 1 priority.  Without a secure environment in which to run the services, their market and customer base would soon dry up.  That’s not to say that the services hosted on IaaS are secure, but the base layer of the service must be secure.

So whilst IaaS focus their efforts on security, reliability and availability, internal IT teams focus on the next project.  These projects are often at the expense of the maintenance of infrastructure and base level services.

Moving into the cloud, removes the risks of IT-as-a-project, giving IT a stable platform on which to work.  As such it should be celebrated as a position that will enable IT to maintain a modern technology platform.


The IaaS budget problem

People are used to capital based procurements.  It’s the traditional way of buying IT things.  Big boxes turn up, they get plugged in and someone plays with them for six months to get them working.  Finance get to depreciate an asset and on the books you see just a proportion of the actual cost.

Procurement of infrastructure-as-a-service is by its very nature different.  There is no ownership of hardware, of flashing lights, of big data centres; you are procuring a service.  With no depreciable value, the service is a line in the Opex column in finance and often operation costs are considered bad and something to be cut.

So, it is not just IT that need to change, procurement and finance need to realise that the way of doing business in the IT world is changing.

  • IaaS prices are dynamic, going up and down in value
  • IaaS has frequent repurchasing of shorter term contracts (2-3 years not 4-5 years)
  • IaaS relies upon 3rd parties
  • IaaS 3rd parties are likely to be leading edge


Summary of cultural problem of IaaS

This is a more complex subject than summarised, here, but as a starting point, think about these key areas of cultural change required to support IaaS:

  1. IT needs to embrace as-a-service and use it as an enabler for rapid change
  2. IT needs to adapt away from IT-as-a-project and embrace buying commodity IT as-a-service
  3. IT and finance need to move from Capex to Opex purchasing models
  4. IT and finance need to accept and manage the risk of as-a-service


Read more about thoughts on Cloud and everything-as-a-service.

Outcome based procurement

Across all industries, organisations are under an increasing amount of pressure to achieve and deliver more value within a constrained budget. This has resulted in organisations turning towards an Outcome Based Procurement model for a solution.


Outcome Based Procurement is significantly different from other more traditional procurement models. The contracts derived from this model focus more on the ‘What’ than on the traditional ‘How’, this means that organisations can focus on defining to a service provider what they want instead of trying to provide that themselves and thinking of the how to provide it.

This procurement model works by the organisation providing outcomes that they want met. This removes the need for the organisation itself to come up with a solution, instead the organisation transfers this responsibility to a service provider. Continue reading

The benefits of an Agile Enterprise Architecture

It is perhaps true to say that the effectiveness of Enterprise Architecture varies from organisation to organisation, and it would appear that the differentiating factor in the success of practices is the level of acceptance from senior management teams.  Organisations which value the contributions enterprise architecture can make in aiding business decisions where IT is a contributing factor, can reap the benefits of a joined up approach when realising institutional goals and ambitions.  Let us not forget that enterprise architecture is not just about IT, it’s about bridging the gap between the services which IT can provide with the needs of the wider organisation and the strategic direction it is taking.  Continue reading

Interim IT strategies: IT-as-a-project

The phrase ‘IT-as-a-project’ doesn’t naturally come to mind when you think of how to go about managing IT.  It has been born out of the experience of project managers as they have progressed through organisations.  It has become an almost religious experience for those caught in its grip.  The ethos revolves around the need for all change to be a project.  Projects become the IT organisation, its life, actions and structure.


IT-as-a-project has benefits:  a known cost, a direction of travel (though simple) and an approach generally agreed with finance and the business.  It also allows costs to be understood and fixed annually.

This can be useful:  during transitions of senior staff, or as temporary constructs when moving IT to 3rd parties.  Long term though, it has some serious constraints:

  • Each project, as a temporary construct, is inherently selfish.  Using Agile badly increases this selfishness.  Selfish behaviour within a business is rarely sustainable.
  • Your organisational maturity may not allow or expect over-running projects and project costs.  Projects, especially poorly run Agile projects, are running risk around cost vs scope.  It’s common for projects to just stop when the funding finishes.
  • The medium and long term cost of IT becomes uncertain.  Projects seem to take over the IT day job and the function of IT seems to get lost.
  • A form of Ponzi scheme is often formed.  New projects feed the legacy and failings of older projects and the interoperability, security and governance problems selfishness causes.
  • Significant loss of competitive edge.  As a selfish construct, IT-as-a-project is not looking at the bigger picture, not looking at doing the right thing overall, just what is right for each project individually.

So, should you take IT-as-a-project as your IT strategy?  It comes down to two simple thoughts:

  • Are you looking for a simple strategy that only needs to be effective short-term ?
  • Are you prepared to accept the cost and risk of the medium/long-term impact?


Read about the everything-as-a-service model here.

Trust overt or covert challenge?

Is it better to trust someone that you can see openly challenging you or is it better to trust those that hide the same actions?

It’s quite a simple question with some very interesting observations.  I’ve seen a range of approaches and it’s fascinating to see how many people are trapped trusting those who are covertly campaigning against them.  They seem to do this because they fear challenge and don’t observe or recognize the covert action.  They can not or do not see how people can be manipulated to ensure that the perpetrator is not obviously the instigator and how deflection is the gift of a deceiver.

Perhaps this is the accepted nature of politics; but it does not have to be so.  It is perpetuated by the thirst for power or influence; and the perceived need to prevent challenge, to prevent criticism and a very real fear of failure.

But I have had the privilege of working with some very intellectual and very wise Continue reading

EU-US (not quite enough) Privacy Shield

The EU-US Privacy Shield agreement is due to replace Safe Harbour. The agreement intends to provide Europeans with a level of protection against exploitation of personal information, but with the basic premise based on American companies self-certifying their compliance with the agreement, many Europeans have a right to be skeptical.

EU-US Privacy Shield

There was great hope that the self certification elements of the old Safe Harbour agreement would be dropped in favour of an audit and assessment carried out by the EU, but in the proposal to date, it looks like any audit of a self certification would have to be done jointly between the EU, the ombudsman and the US FTC. Not an easy task and likely to put off all but the largest cases of breach or compromise of personal European information.

Continue reading

Bimodal IT – the future of the IT service?

It’s the latest buzz word to hit IT – Bimodal – and yet it perfectly described the problems faced by most modern and digital orientated businesses:  the ability to be agile and innovative whilst providing all those standard services that are required to keep the IT world running.

I’ve discussed a number of models with a recent focus on everything-as-a-service (XaaS), but the catchier and more complete Bimodal model brings together both my thoughts on buying as-a-service (for the BAU and keep the lights on functions) as well as the creation of innovation units dedicated to providing the business change and creativity to be competitive.

I certainly watch with fascination as the momentum behind Bimodal IT builds to become the standard functioning model of any modern IT service.

End Game: final gasps of the American Empire?

Is this another marker of the end of end of neoliberalism or the end of an empire? The American Empire? Like Rome and London, the final years of empire were highlighted by religious and political extremism pushed forward as the demand for change overtook the old ways.
Romes spiral of destruction started with ever more extreme political actions to keep the population and the wealthy in under control; and the evangelical embrace of Christianity whilst retaining devotion to expired gods.

In the UK, socialism and solidarity threatened the political elite. They were forced to embrace things that were good for people and not just the few; and a fiercely Christian system to had to concede that population gave up on religion – perhaps preferring science and logic.

So now in America, the quasi democratic system that allows you to choose between two parties of almost similar views promoting people from the same pool of political Continue reading

It is easy to be deceived in business – are you trapped in a bubble of unreality?

Just a muse today:  I do seem to be meeting a stream of false prophets at the moment.  People dedicated to saying ‘yes’ to whatever you say, people dedicated to making you think that you are right and that the world is amazing because of you.  Often with scant regard for the real world their goal is to elevate you into a bubble of unreality.  From this position you can do no harm to them (but also no good for you).

Some of these false prophets think they are politicians – spending their lives spinning yarns to the point of disbelief; some are light-hearted and are interested in you; but many are using this as a deception to cover their own troubles and limitations and to defraud you of the opportunity to help the real world (and yourself).

In business it is so easy to be enticed into these good news messages.  Seriously good managers are able to spot and mitigate against these people, but others suck it up and pat themselves on the back and worship these people as idols.

So my tip for the day: Take a step back and think about your business environment. Is it all as rosy or bad as you think? And what incentivises your team: your customer, the future, innovation; or is it padding nests, personal agenda or political ambition.

What size wiper blades for Discovery 1 300TDI or V8?

I got fed up of attempting to search the web for the size of wiper blades after another muddy bath destroyed the rubbers on mine, so thought it would be worthy of note.

Landrover Discovery 1 uses 18″ for both front wiper blades and 13″ for the rear wiper blade. I’ve tried various sorts, but nothing seems to beat the original style wiper blades.

These are the ones I purchased: Bosch SP18 Super Plus () and for the rear you need 13″ ones ().

Bury Castle Circular Walk #bodminmoor #cornwall

Fantastic walk covering starting on the southern edge of Bodmin Moor, walking through high banked single track roads, woodlands, upper reaches of the River Warleggan and up to the spectacular Bury Castle.

Woodland Walking to Bury Castle

Continue reading

Cloud First Strategy: being an intelligent customer

The Cloud First Strategy

Part 4 – Being an intelligent customer

It’s a long time since IT underwent any real structural change.  Like many other administrative parts of the business, they are formed into a self contained unit based on one of a number of very similar organisational building blocks.  It’s like looking through a book of 1980’s housing plans – all very similar, all designed without the context of whats around them and all without concern for a sustainable future.

These copybook IT structures work for the old powerhouses of IT demand but are distant from the dreams of dynamic and flexible digital businesses.

Poor quality, low value

bitternessThe jokes about poor quality, low value, cheap IT provided by in-house teams are a result of a culture of pushing down price at the expense of quality and value; and the business often reduces budgets in line with their perception of the service.  It is a self fulfilling prophecy that IT seems to be determined to perpetuate.

Moving the culture

The difficulty now is that people spend more of their lives in the digital world.  They know how to use the digital world, they know how it works for them and they know what would help them.  Long gone are the days where IT knows best.

Imagine just the simple things – you want to get hold of someone.  Depending on how close you fit into the ‘digital native’ stereotype, the chances are you would send a message – text, Facebook, Skype, iMessage.  Your conversation would be disconnected and you would pop-in and out of interacting with it.

In business through we still seem to assume that the telephone, face to face meetings and email is the only answer.  We do this partly because we like to divide work and personal life and clear separation helps, but also because there is a control culture coming from IT inspired by the cost/value/quality argument and the need for a quantitive evidential trail.

The legend goes that to control cost you must actively manage the value and quality; and if you own all the knowledge no one can question you through fear of being shot down by an evidential trail of ‘I told you so’.

This culture of fear, accountability and control appear in the digital world, but they are self and peer managed.  Knowledge loosing it’s power.  Freedom of expression, innovation and sharing become the seat of power.  Look at the power of WikiLeaks: highly valuable and classified information became worthless overnight.

The requirement to share as part of the digital business world is a great threat to the old power bases within IT (and other parts of the organisation).  Traditionally these power bases have relied upon their knowledge being locked away into a ‘dark art’.

However, there is no place for this in digital business.  Everything-As-A-Service is the enabler to change the culture of old traditional locked-in IT.  Those services with dark art documentation (or lack of) and even more dark art maintenance (with overtime) are moved into the cloud.  Provided by professionals, documented by professionals, managed by professionals.

The opportunity of change

Changing the profile of the in-house team is also an opportunity to reinforce this cultural change.  A move is required from hands-on to a shared knowledge model.  The move is often called the ‘intelligent customer’.

Despite moving into a world that embraces revolutionary change, everything-as-a-service also requires a level of interpretation.  Not only to allow the business to choose wisely, but also to manage the supplier base and support business change.  The focus shifts to the relationships, to better understanding the business and to ensuring that sustainable business can be created in the digital world.

org chat for service led it

The example organisation chart for everything-as-a-service appears to remove ops, help desk and many of the traditional part of IT; but they do still exist.  They are provided by 3rd parties under the guidance and support of the in house team.

The in-house team guides and steers the direction of the suppliers to best meet the needs of the business.  They introduce targets for suppliers that are mutually beneficial, achievable and allow the business to flex and change.  They create an atmosphere of IT being guided by the business and not the technology.

This is stepping back from the coal face and focusing on what actually matters:  making business work in the digital world.

Know what to keep and what to move

Be caution though, poor quality managers often move the difficult things to 3rd parties.  They do this because it’s easier than attempting to solve the problem themselves (often the motivation behind outsourcing).

The foundation of everything-as-a-service is based on moving out the commodity IT elements but keeping the highest institutional value items.  This is where IT add their real value to the business.

By moving the commodity elements of the IT service to 3rd parties, the shackles of old IT are gone and IT is released to work with the business for the business.

Simple rule of thumb:  if it’s a commodity IT element, then get a 3rd party to do it; if it is requires high levels of organisational or customer knowledge then it’s going to be better done with in-house teams.

Key targets when moving to create an intelligent customer function:

* Move from fear, blame and power led cultures
* Knowledge is something to be shared not hidden
* The business knows how to do business, so let IT facilitate business needs
* No fear of failure, innovation or sharing

Working practice
* Customer first
* Taking ownership, listening and spending time understanding
* Embrace change and innovation

Cost vs Value
* Understand the impact of low cost on quality and value
* Let the business choose and let them be honestly informed
* Create a clear and open cost model with no hidden costs and no fake savings



Cloud First Strategy: Read the next article Part 5 – How to measure success, go to the  INDEX or go back to  Part 3 – Moving from legacy support to supplier management

Boxcryptor Review – safer cloud storage?

With the demise of Safe Harbour rulings, your online life has become a little less secure – is Boxcryptor the answer to the security needs of Cloud based storage?

With cloud storage, files are easily available to you where ever you may be and at any time of day.  They are backed up, replicated and made highly available by servers and services all around the world.  But in this one of the key problems of ownership of information is surfaced.  If the US has your data, it can see read and profile it.

Of course, many other countries do this too, but the vast investment from the US government in profiling and the location of many of the technology companies within the US puts the conspiracy theorists on high alert.

I much prefer a world where information has little value, shared to the point of openness and respected for the betterment of us all.  But this is not a shared view at the moment and for those on that journey, they want to keep parts of their digital lives as secure as they can.  For business too, information may be critical to the money needed to fund and sustain the business.

So for this group there is technology that helps to keep personal information secure.  In this review, I am looking at how to secure files stored in the cloud.  This could be as simple as payslips or as personal as a journal, either way putting them into the could opens them to a higher risk of compromise or personal profiling.

boxcryptor review

Of the cloud storage providers, some say they are more secure (such as Box) and others security at rest and in transit; none of which protects you from the loss of Safe Harbour and the potential for the US to just take your data.

So if the cloud storage providers can’t help, where else can you turn?  There are a newer generation of ‘on disk’ encryption products that aim to provide an additional level of security on-top of the files shared in the cloud.  Boxcryptor is one of these and thankfully is based within the EU.

Quite simply, the product takes files stored in cloud locations and encrypts them (and optionally their file name) to stop general snooping of sensitive files.  It uses AES-256 and RSA encryption algorithms and offers ‘personal’ and ‘enterprise’ versions.

Term Description
File key AES encryption key used to encrypt or decrypt a file. Every file has its own unique and random file key.
User keys Every user has its own pair of RSA-4096 keys (private and public) and additional AES-256 keys.
Password key An AES encryption key derived from a password using the key stretching and strengthening function PBKDF2 with HMACSHA512, 10.000 iterations and a 24 byte salt.
Group key Similar to users, every group has also its own pair of RSA-4096 keys (private and public) and additional AES-256 keys. Furthermore every group has its own unique and randomly generated membership key.
Company keys A company can have its own pair of RSA-4096 keys (private and public) in case the master key policy is used.

For the enterprise version there is centralised master key and password change facilities, for personal and company versions there are no routes to recover lost keys and passwords (which is a very good thing).  Impressive is what Boxcryptor claim to keep on their key server:

  • General information (email, first name, last name, country, etc.)
  • Private RSA key (encrypted with the user’s password)
  • Public RSA key
  • AES keys (encrypted with the user’s password / wrapping key)
  • Hash of the password hash
  • Number of KDF iterations used in the key derivation functions
  • Salt
  • If a company uses the master key: Password Key (encrypted with the company’s public RSA key)

There are client apps for just about every platform, starting from Windows and Mac OSX, to iOS, Android, Chrome, Blackberry and even Windows Mobile (now that is showing commitment).  I’ve tried all but the Blackberry client and they all offer the same, simple interface with little fuss and little complexity.

First time set up is simple, install, select the cloud platforms to encrypt and depending on the version turn on filename encryption (something not available to the free version). New files stored on the Boxcryptor drive are automatically encrypted and existing files can be encrypted by right clicking on the files in Explorer or Finder.

boxcryptor review - encrypt filenames

Boxcryptor supports just about every cloud storage provider I can think of:  Google Drive, One Drive, One Drive Business, Dropbox, Box, Amazon S3, CloudMe, iCloud, SugarSync, Yandex to mention just the obvious names.

Whilst the standard encryption makes the contents more secure, the additional filename encryption scrambles the file names making it impossible to see the original names.  Viewing through a normal finder window shows the following:

boxcryptor review - encrypted filenames

Viewing through the Boxcryptor drive or app however looks completely normal.

This is perhaps the easiest and most convenient security app I have ever used.  If there is a single thing you do to secure your digital world, it should be to buy this app or use the free version and see how easy it is to provide a good level of security for your personal or sensitive files.

My recommendation:  this is the must have security app for cloud storage.  If you have not tried it download Boxcryptor (affiliate link) now.

Cloud First Strategy: Support and supplier management



The Cloud First Strategy

Part 3 – Moving from legacy support to supplier management

Hardware and software become largely irrelevant as the key question becomes, “does this service meet the business need?”  The burden of complex supporting systems is moved to 3rd parties as part of the service they provide.  Help desk/technical support for the product also moves to the 3rd party.


With XaaS IT, ‘service management’ becomes a much less complex place to be. IT must move to act as the intermediary between the customer and the suppliers.

  • Manage multiple small suppliers and contracts
  • Maintain compliance and regulatory integrity of the IT service
  • Be trusted by the business, the IT team and the supplier community

Traditional IT teams must change.  They must transition from ‘service management’ to become ‘supplier management’, they must move away from their focus on technology to contract compliance and supplier relationships.

Example of the differences

Traditionalist IT people struggle to understand this concept, so let’s kick off with an example from a traditional service management function:

  • Help desk, call handling and 1st line support
    • Purchased for millions and supported by legions of staff.  Vast hidden quantities of money and effort are poured into bespoke and unique help desk systems.   All this for those ‘important’ help desk stats.
    • IT seems unable to work without its help desk and the unfathomable way people are expected to interact with it.
  • System monitoring
    • Another area tainted by the bespoke.
    • Multiple monitoring systems, plugged into master monitoring systems reporting to other monitoring systems.
    • Usually visually impressive, the stats and thresholds used are tweaked by IT who spend endless hours perfecting the meaning of red, green and amber.
  • Configuration management
    • Caught in a legacy trap, where IT consider people as a liability and risk.
    • People often go out of their way to remove monitoring, auditing software from their devices due to privacy concerns or because the tools stop people working effectively.

Now, compare that to the XaaS world:

  • Contracts include support and maintenance
    • Point services and solutions will include the whole life cost including the cost of support and maintenance
  • Pay by results
    • 3rd parties paid on results.  The business should not select based on the background technology.  The supplier should be chosen on merit and ability to meet the business need – technology is their problem.
    • Results = what your business values
    • Little point defining metrics that are irrelevant, unachievable or introduce undesirable behaviours.
  • Contracts designed to be flexible
    • Scale up and down; match peek times of demand, reduce at lower times of demand.
    • Agile.  Stick to 2 + 2 years.
  • Clear costs, known risk

XaaS Org Chart

The often traditionally bloated supplier management function does not even appear in the everything-as-a-service XaaS IT org chart.

org chat for service led it

Clearly this is a idealistic interpretation, as the need for help desk type services still exists, but they are provisioned by 3rd party experts and work for the supplier management function.

Is Xaas Outsourcing?

Outsourcing has sat in this territory for quite some time.  But the aims and goals of outsourcing are different to those of XaaS.  You can see my thoughts on the difference here.  Suffice to say, XaaS is surgical in nature, outsourcing is, by comparison, a shotgun approach.

It is likely that outsourcing is chosen by default as it resolves, in one hit, many of the problems experienced by poorly performing IT teams.  This though is created by an accidental slight of hand from IT:

IT support tend to work under the illusion that their IT service is unique and requires unique systems for support.  They talk about, document and create bespoke systems to maintain the mystery (their job and role).  This naivety helps to perpetuate the deception that IT is complex, impenetrable and poor value.

The more difficult the problem the more likely outsourcing is used to solve it; the more likely outsourcing is the more complex and bespoke IT make their systems; it’s a vicious circle that only culture can change.

There are plenty of reasons to keep internal teams, not least for the latent organisational knowledge; but often poor or out-of-date IT management skills push outsourcing as a quick fix.

Cultural change

One core aim of this approach is to fix the overly bureaucratic systems installed by management to create statistics, measurements, and controls.  The culture created by these systems often pushes the business to question why ‘help’ is included in ‘help desk’ and pushes IT staff to close calls as quickly as possible.

There is no need to create an IT team that everyone hates.  It is possible to design a service that meets the needs of the business in an affordable and sustainable way.

The goals of supplier management in XaaS

So you’ve decided the everything-as-a-service XaaS is the way to go, how do you convince your existing service management staff that supplier management is the way to go?

That’s not an easy one.  Those that embrace change are likely to be evangelised by the opportunities presented; others will struggle and may need to stay in their comfort zone through TUPE to 3rd parties.  TUPE may sound cold, but in the surgical world of XaaS IT, people can be moved into organisations that best fit their skills or ambitions.  This is no outsource shotgun.

Something you should do for every part of your organisation is to set key goals.  These should compliment and reinforce your vision for your IT organisation and should help people understand your intent and strategy.

Top 5 goals for XaaS supplier management:

  • Enable the digital workplace
  • Engage with customers, listen and take ownership
  • Form a sustainable relationship with the suppliers
  • Provide feedback to suppliers and customers
  • Create a sustainable and open financial model for IT services

Take note of the keywords here:

  • Ownership: alone taking ownership will increase the positive perception of IT.  It will create a shared sense of purpose, a shared need and a shared driver to help the business.
  • Sustainable: emphasises the need for practical and maintainable relationships, finances and business services.  This reduces the knee jerk IT management style prevalent in some areas.


Key take away points

Whilst brief, the paper aims to discuss the theory of everything-as-a-service IT and it’s impact on a traditional service management function.  The proposed move away from service management will scare most IT traditionalists and excite the visionaries, so please take these few points with you:

  • Service management in its current format is not sustainable and requires significant revision
  • Move to engage, listen and take ownership
  • Form a sustainable working relationship between business, customers and 3rd parties
  • Create a culture of change, innovation and partnership


Cloud First Strategy: Head to the INDEX, try the next Part 4 – being an Intelligent Customer or go back to Part 2 – How to manage change


Plymouth University apprentice shortlisted for IT Apprentice of the Year award

Scott WalkerI’ve pushed the apprenticeship scheme at Plymouth University for some time and took on Scott Walker to work in my IT Architecture team.  A former car mechanic, Scott moved from Carlisle down to Plymouth.  For Scott to be short listed for IT Apprentice of the Year is great news!

  • Scott’s has created over £650,000 of potential savings for Plymouth University and averted £7million of potential risk
  • Scott excelled in driving forwards a city-wide project to connect 100 businesses to super-fast broadband in collaboration with Plymouth City Council
  • Completed 2 Year NVQ Level 3 in less than 1 year
  • Heading for a Distinction in BTEC

The recruitment process for is often tricky, but from the first moment that the panel met Scott, it was obvious that we’d found someone special…  his motivation, confidence and professionalism far exceed his years.

Over the past 18 months, we’ve seen Scott’s ability grow exponentially.  It will be a bittersweet day (for his colleagues) when Scott’s Apprenticeship is complete.

He is a trusted colleague and an inspirational person. I wish him every success for not only this but every venture that he undertakes in his career.  I have no doubt in his continued success.


Strategy & Architecture apprentice shortlisted for an award

Adrian Hollister, Head of Strategy and Architecture, Plymouth University

Congratulations to Scott Walker who has been has been shortlisted for IT Apprentice of the Year at the UK IT Industry Awards.

The UK IT Industry Awards 2015 benchmark outstanding performance throughout the UK computer industry and focus on the contribution of individuals, projects, organisations and technologies that have excelled in the use, development and deployment of IT in the past 12 months.

Being shortlisted for one of these prestigious awards from Computing and BCS, The Chartered Institute for IT, is a major boost for Scott’s career prospects and the IT apprenticeship scheme.

Scott has to attend a Finalists Judging Day in Reading on 25 September and the winners will be announced at an awards dinner on 18 November.”


So congratulations Scott Walker and all fingers crossed for a win!  To find a little more from Scott himself, head on over to the Plymouth University Strategy and Architecture blog.

Everything-as-a-service XaaS vs Outsourcing

XaaS vs Outsourcing: It’s a theme brought up at alt-c this week and something that most people are confused about: Outsourcing and everything-as-a-service XaaS are not the same things.

They may be used to achieve the same results but when you compare the intent of each they clearly show their differences.

Whats the difference between XaaS and Outsourcing?

XaaS is granular, focused and can be applied surgically to key areas that need attention.  Outsourcing is expensive to negotiate and apply.  It takes time, introduces additional cost of purchase and sale and implies a reduction in flexibility – details are lost or hidden in contractural obligations, service level agreements, the transfer of assets, liabilities and risk.

  • Outsourcing tends to apply to larger elements of business.  Whole teams or departments moved.  The impact to IT itself is structurally significant.
  • XaaS tends to apply to surgical strikes.  Moving clearly defined elements to a 3rd party.  The impact to IT is small and can be managed over time.
Which is best? XaaS vs Outsourcing

That’s going to depend on your organisation, neither may be suitable.  To help you decide in the XaaS vs Outsourcing debate, think about the following Top 6 reasons…

Top 6 reasons to go XaaS
  • Focus on business need
  • Speed and Flexibility
  • Standardised, transparent pricing
  • Access to global high skill resource pools
  • Improvement in image
  • Increase in competitiveness
Top 6 reasons to Outsource
  • Pass risk/staff to 3rd party
  • Create a structured framework of IT services
  • Focus on core business
  • Long term stability
  • Access global high skill resource pools
  • Known cost framework


Find out more about Everything-as-a-service XaaS or look me up on LinkedIn.

£3K grant for high speed Business Broadband

If you have a business (even home based) you can get connection vouchers for up to £3,000 to cover the cost of installing high speed business broadband.  The voucher scheme can be used against a package from one of the registered suppliers in the area.

If I read it right, you can put multiple vouchers together from businesses on the same premises.  This could enable business parks or multi-occupancy offices the ability to collaborate on the cost of a much bigger internet pipe.

business broadband PCC logoThere is a page for Plymouth with the specialist providers listed.

Seems to be a rather overlooked opportunity for business to make the most of some free money to give them high speed business broadband.  So, make the most of it now and apply as soon as you can!


Cloud First Strategy: How do you manage change in XaaS?

The Cloud First Strategy

Part 2 – How to manage change

General change and projects need to be self funded.  I’m going to say that again – they need to be self funded.  The cost of IT should be the cost of the provision of the known service.  The unknown cost of change is given to the business to empower them to choose the priorities and provide the flexibility to select services not provided by IT.

IT should not be scaled to provide endless change and project support, but should be scaled to be the technical conscience of the business: facilitating change, translating business need to technical deliverables, engaging 3rd parties and providing an oversight into the IT elements of change.

Think SME not 3rd Party

Engaging with a 3rd party for delivery does not force you down the consultancy route.  Think of the SME approach – dynamic, agile, best of breed skills to best of breed solutions. 

Suppliers will thrive in this environment if they are allowed to part of the team and part of the journey.  The relationship with suppliers must be sustainable and based on trust between both parties.  Suppliers must be able to make a viable and sustainable profit and should run open book integrated into the IT accounts.

Remember: there is little point engaging with a supplier based on the lowest possible cost.   Underbidding suppliers run the risk of attempting to make up the money with change control, delivering a valueless service, or withdrawing from the contract.

It may even be viable to export any existing delivery team via special purpose vehicle (SPV) to allow them to work more dynamically, realistically with efficiency and energy.

Moving to an SPV could also be a quick enterprise that moves money around the balance sheet and reduces the headcount numbers.   An outsource may also achieve the same result, but costs will need to be carefully controlled and understood – change is often used as a source of profit in such enterprises.

Move away from bespoke code

Poorly executed Agile and similar methodologies often create swathes of poorly documented bespoke code.  With projects being self funding the sustainability of the solution must include on-going run costs.  Bespoke may be cheap to write, but it’s not cheap to maintain or support.

In the SPV model, the SPV is incentivised to pursue efficient, sustainable delivery models by owning the maintenance of the code and solutions.  Inefficient, undocumented, or poorly designed solutions will be financially and materially expensive to support and maintain.  The SPV will quickly have to become more efficient or loose contracts to 3rd parties.

The back catalogue of legacy and bespoke code created using agile or similar methodologies is likely to follow this SPV.  A contract for maintenance and support must be provided and at a fixed, but sustainable cost.  The risk owned by the SPV with clear incentive to reduce and remove the costly bespoke code elements.

Compensations drives behaviour

The move to SPV or outsource must have effective incentives for the staff and SPV.  The business may need consistency for a number of years after the structural change or the business may require immediate cost savings, either way, the team moved into the SPV must be motivated to achieve these goals.  The SPV route is a great way to move constrained exec’s out of the core and give them the flexibility to excel as a commercially driven arms length body. 

What about general day-to-day change?

It would be fair to assume that in the everything-as-a-service model there is strong reliance upon the need for the contracts with 3rd parties to include the cost of maintenance and support change.  These elements are needed to ensure that services are compliant with regulatory and security standards and to ensure that services can continue to interoperate.

The contractual obligations of 3rd parties should also be extended to allow the IT team to plan and organise change between the various solutions and 3rd parties.  This is standard IT practice, but here the intelligent customer becomes more relevant.  It requires a strong understanding of enterprise architecture, governance, the contractual commitments and a timetable of key business events and priorities.

Remember that purchasing on cost alone will fail in this model.  Whilst this is not unique to this model, purchases do need to be made on value to the business and support the everything-as-a-service model.  Excellence is required in supplier and contract life cycle.

Allow the business to change direction

Once in a while the business will need to change direction.  To scale up or down.  To create a new branch or brand; or to remove a few.  IT should not constrain the business from doing what it needs to do.  The contracts put in place with 3rd parties should be designed to allow the business high flexibility.  

Services procured could be based on metrics key to the business:  the number of products, staff or turnover.  This variation of the standard usage model often applied by suppliers may require significant negotiation and contractual skills.  Not all 3rd parties will be keen to work differently, so careful and pragmatic selection is required. 

Key take away points

Change is embraced as part of the everything-as-a-service IT model through the use of 3rd parties that are incentivised to be more performant, flexible and cost efficient. 

How to manage change in XaaS IT:

  • Cost of change is given to the business to empower them to set priorities
  • IT must not constrain the business from doing what it needs to do
  • Use dynamic and agile 3rd parties for delivery
  • Remove bespoke code by accounting for whole life cost of services


There is an opportunity to move existing delivery teams into a special purpose vehicle (SPV):

  • Allow radical reduction in delivery headcount
  • Allow constrained exec’s to flex their wings
  • Facilitate cost reduction through the removal of bespoke code
  • Facilitate competition with 3rd parties


Cloud First Strategy: Read the next article Part 3 – Moving from legacy support to supplier management go to the  INDEX or go back to Part 1 – Impact on the IT organisation