Archive for the ‘risk’ Category

Vetting pantomime

Thursday, 24th March, 2016

Hopefully you have heard the phrase coined by Bruce Schneier ‘security theatre’ to refer to a lot of the recent changes in travel security etc. The basic inference is that it looks like security but isn’t really.

I know this because I have had all sorts of things confiscated while trying to board a plane, but have never been arrested. Too much of a threat to take my plastic clamp on the plane but not enough for a life sentence at gitmo. At least I can take comfort knowing that none of the other passengers has a small plastic clamp with which to take over the plane (or the world).

I am now living through a vetting pantomime. I have been offered a (short term) contract at a UK bank, and now ‘just need to go through the security vetting process’.

I need a Disclosure Scotland, but can’t get one online as I don’t have a UK address. One suggestion was that I use someone I know’s address in the UK as my current residence. Hmm – false information?

They want a 5 year work history, which I have provided, but now they want the gaps explaining. Well derrr I’m a contractor, sometimes there are gaps…

No, they want me to send them bank statements for all the gaps! What the fuck for??? They haven’t specified which account so I guess I shouldn’t use the one with all those NSA/KGB payments for leaking vital information? Or at least I should ensure those payments do not fall in a month when I am not in a contract.

Someone suggested it is to see if I have ‘been away’, i.e. looking for lack of transactions whilst held at her Royal Britannic Majesty’s pleasure. It’s a joint account – there are transactions all the time (me putting money in, wife taking it out :-))

What are they going to do with my bank information? How can it help their vetting? It can’t. It’s stupid. If they came to me with a list of all my accounts then maybe, but that’s SC-level stuff, not mickey mouse 10 week contract stuff.

Why are banks wanting to recruit people that think its ok to spaff personal confidential information all over the interwebs??

That’s right, they want me to email them my bank statements, no mention of an SFTP secure upload facility, no details on the usage of the information, the storage, or the expiry/deletion. They just want people who don’t give a shit about information security, incredible.

Leaving aside of course the irony that between me and this bank, only one of us has ever been found guilty of any fraud or criminality, and I don’t (mis)sell PPI or fix Libor rates.

I know I am too old and battle scarred for this shit but really…

You’re the bad guy, oh no I’m not you’re the bad guy, oh no I’m not etc etc. He’s behind you…

Aaaanyway if you need a grumpy old fart with just enough knowledge about security to be cantankerous then let me know. It looks like I may be having a gap opened up in my agenda for me…

Has Eusprig increased spreadsheet risk?

Tuesday, 10th December, 2013

The European Spreadsheet Risk Interest Group is a collection of academic and business people with an interest in the risks in spreadsheet based systems.

They raise awareness of the risks associated with spreadsheets. The annual conference gives a platform to people and organisations to propose their solutions to the issue, as well to researchers working in the area.

I’ve been to the conference a few times, I’ve spoken there a few times, it’s a great bunch of people.

But I am starting to feel their influence may be having unanticipated negative consequences.

Raising awareness of the dangers of spreadsheets seems like a noble pursuit, but what I see now is fear of spreadsheets in organisations. Which might be ok, except that what really happens is all that budget for well built professional tactical spreadsheet based solutions is diverted to strategic systems. That pressing short term need? The user throws something together in their own time, under the IT radar. So less process, less control, more risk.

Thanks to Eusprig, SOX, Dodd-Frank, etc. spreadsheets have a bad name. A technology is being blamed for poor usage practices. Like blaming the car when a driver driving too fast crashes.

Eusprig has done a lot of warning, highlighting failures etc, but has always as a matter of principle avoided proposing good practice. They have (deliberately) left that field open for others to address, by presenting at their conference for example.

Avoiding spreadsheets because of the risk is ok if you replace them with something with less risk. But you know what? That thing doesn’t exist.

No technology can deliver many working tools as fast as spreadsheets. So just changing technologies creates a delivery delay during which the organisation is exposed. Not the IT department, but the business department. If they don’t mitigate that exposure (with whatever tools they have to hand) they could even be breaching professional codes of conduct (e.g. fiduciary duties for beancounters). Not good.

Yes, spreadsheets aren’t as stable as forms/browser based CRUD apps, but they are easier to adapt to changing business needs, so more likely to be up to date. Try adding a field to a production database in a large company, and comment on how long that takes. Days or weeks. Add a column in a live spreaddie? Seconds. Accidentally delete a critical column? Seconds also :-)

So I think a big chunk of spreadsheet work has disappeared for now into IT department work queues, and is being worked around (‘temporarily’) by the business, in part due to misplaced and misunderstood fearmongering about spreadsheet danger.

So for me, yes, I think spreadsheet risk is increasing, and I am even more certain that overall organisation risk is increasing as requirements go into IT work backlog queues and/or quick and very dirty end user created temporary workarounds.

Are you seeing this fear of spreadsheets? What do you think is happening to organisational risk?

cheers

simon

Some of that Excel development

Friday, 6th December, 2013

At one place I worked, the IT department were, you might say, not massively responsive to user needs.

User needs being rapid response (hours or days, rather than months or years) systems development.

The RAD team I was in was a battleground: users wanting us to rush stuff into production as soon as it compiled, IT wanting us to stop development and start documenting from scratch on new improved Word templates. (The improvement being a more consistent theme and styling rather than anything of business value.)

Then a funny thing happened – the users stopped calling us.

They had been recruiting assistants with strong Excel VBA dev skills and were bypassing the whole IT rigmarole.

This is where I think a fair chunk of Excel dev work has gone – under the radar, out of IT control, and off the IT job boards.

And when I say strong skills I mean on a business scale rather than a developer scale, i.e. crap naming, global variables, no design, no testing, lots of macro recorder pap, etc. etc.

Overall, I doubt this move will have a positive impact on long term delivery ability, or quality (compared to decent RAD input – you can’t compare to mainstream IT as they wouldn’t have delivered anything, so sure, they would have fewer production defects).

Anyone else seen this rise of the super user?

cheers

simon


Good Spreadsheet practice

Wednesday, 27th November, 2013

Something a bit more realistic and less dramatic than ‘don’t use them’, from the ICAEW.

Please have a read and make some (constructive) comments on that site.

I can think of a counter example to all of their suggestions but I guess in general they are mostly fair enough, if perhaps a little woolly.

Some of them read a little like workarounds for poor fundamental design (eg protection – I’m never a fan!).

cheers

simon


In from the cold

Monday, 25th November, 2013

Hiiii!

So after a few months out I am back.

The cycle is fairly well established now – I do a contract, get frustrated, take a break, start looking for the next contract.

What is the frustration?

  • If I work in an IT department it’s their complete determination to do anything except deliver working software to the people who need it (and pay for it)
  • If I work in a business role it’s a. much less frustrating, b. more rewarding, c. a bit of a niggle about not getting access to the best tools for the job.

Most recent contracts have been in IT departments.

I have had a great break over the summer, have been doing some teaching at a local college, but now it’s time to start the long painful search for a new contract.

The process was never fun, but gets even less funner every time. Clients with unrealistic skill set expectations (30 years .net 4.5, 100 years excel 2013 and 50 years Linux kernel debugging etc), and crashing pay rates (seem to be 60% of last year, which was 80% of the year before). Agents with even less knowledge of the business, the market or even IT. Too many alarm words: “prince2”, “visio”, even seen “waterfall” a few times last week!

The death of Excel as a client side target and the rise of its pale and pathetic arch-nemesis the browser, and all the bullshit time wasting that represents. But having devs write thousands of lines of javascript to replicate 1 click actions in Excel sure cuts down the spreadsheet error rate.

So anyway I am brushing up my JQuery and Ajax skillz ready to bluff my way into that Useful Spreaddie to Pointless Web App migration project coming to a company near you soon. :-)

cheers

simon

Irony disconnect

Friday, 29th June, 2012

Still keeping an eye out for that elusive challenging role on reasonable terms…

Although I am keen to stay in Energy or commodity trading, I have also strayed into applying for bank type roles because of my financial services background.

It’s pretty ironic to see their 50-plus page recruitment bullshit about trustworthiness and creditworthiness.

Bank trust:

Banks mis-selling complex derivatives.

Banks manipulating LIBOR.

Bank creditworthiness:

UK banks bailout.

Euro banks bailout.

and don’t get me started on ‘must have experience of testing’:

Bank testing.

Probably best if I steer clear of banks really, I would hate to develop some of the traits they seem to reward.

The disconnect between the way some of these banks perceive themselves, versus the way these malpractice investigations demonstrate them to be is, I find, amusingly ironic.

cheers

simon


Academic and commercial spreadsheet errors

Thursday, 22nd December, 2011

[I just posted this on Eusprig – but I suspect it is too long to hold the interest in a list post]

I think there is a total chasm between
a. academic researchers whose main spreadsheet experience is the classic ‘student grades’ thing and
b. business spreadsheet jockeys who are in spreadsheets all day everyday.

group a think several hundred formulas is big, group b think several thousand is small.
group a think most commercial spreadsheets have material errors, group b rarely see any error effect.
a think b are over confident, b think a are inexperienced.

Within Eusprig I think we need to find a way to reconcile and explain these two completely opposed views of apparently the same thing. Otherwise neither side will ever gain any credibility from the other.

Personally I don’t believe many commercial spreadsheets have material errors, because most commercial spreadsheets are immaterial. They are a small piece of a bigger effort.

Yes, I have seen spreadsheets wrong by millions, and 10+ % or whatever you want to call materiality. But did it change anything? No, not ever.

In a billion dollar, multi year, deal evaluation model, a multi million formula error can be dwarfed by inflation or interest rate assumptions. But whatever, if the price comes in at 1 billion and the client only wants to pay 900 million, then the whole analysis, errors and all, is largely irrelevant. Now the question is ‘are we prepared to take the risk that we can deliver this and survive for 900m?’ or slightly more cynically ‘will they ever tie cost overruns back to me and take back my bonus?’

In my experience spreadsheets are normally one of many inputs to important decisions, any inputs out of tune with the majority are either reviewed for credibility or rejected.

So I agree that most spreadsheets have defects, and I agree that very few lead to an erroneous outcome. And I agree that this is the Human element of spreadsheet interaction, ignored in much academic research. I also believe that the big issue is wasted time and effort, around ineffective spreadsheet use, not error impact.

Maybe we need some more holistic research that covers the whole person/spreadsheet system (in a commercial setting) rather than the spreadsheet in isolation.

I would highlight that in my experience when a spreadsheet changes hands (for holiday cover, job role change or whatever) there is a huge spike in wasted time and risk of nonsense outputs, and external support requests.

What is your experience? Have you also found that the complete information system that includes these potentially erroneous spreadsheets is usually somewhat self healing? (and self learning – ‘x in reporting is useless, I now ignore everything they send me’)

cheers
simon

Eusprig 2011

Friday, 17th June, 2011

This year’s spreadsheet risk and quality extravaganza is almost upon us.

It is exactly just less than a month away in mid July.

You can book here.

I am not presenting this year, as I thought I would let someone else have a turn speaking (and of course I missed the submission deadline).

In fact I probably won’t be attending as I’m not sure where I will be working/holidaying then.

I would be expecting a good talk from Patrick as we worked together this year on a few spreadsheet related projects. Indeed he came face to face with the source of several of my formula horrors from previous years!

Oh, looks like he is not presenting this year, but on the bright side there is some more original research on the power (or not) of range names, amongst other interesting papers.

Here is the (current) draft outline schedule.

Are you going?

Cheers

simon

pure joy

Friday, 3rd June, 2011

I loooove this!

I might even apply for the job (it might be the only chance to get tickets…)

cheers

simon

Evil spreaddie fingered in RSA hack

Monday, 4th April, 2011

Dunno if you have been following the recent SecurID hack at RSA?

They fessed up then went quiet for a few weeks so a few people assumed the worst.

(If you don’t know what SecurID is, it is a little token (about 10mm by 30mm) that generates a new 6-digit number every minute. That number can be synched to a login server to ensure only people with the right physical token can log in.)

Anyway the latest news is that an Excel workbook was infected with a targeted, malicious Flash SWF containing a zero-day.

It does appear to be a very clever attack: the spreadsheet had such an interesting name that one of the targets pulled it from the junk folder and opened it, running the Flash. I didn’t see anywhere whether the workbook had any VBA in it or not.

One important point though is that it was a Flash vulnerability they exploited, Excel was merely the delivery mechanism. No Excel vuln was used, just its ability to act as a container.
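Since the workbook was only the container, one defensive check is to look inside the container for a Flash object rather than for anything Excel-specific. The script below is an added example, not from the original post or from RSA: it scans a workbook for the SWF file signature (FWS, CWS or ZWS plus a version byte), walking the members of an OOXML zip or, for any other format such as a legacy OLE2 .xls, the raw bytes. The sample workbook it builds is a constructed stand-in, not a real Excel file, and the version-byte range is a heuristic to reduce chance matches.

```python
import io
import re
import zipfile

# SWF files begin with a 3-byte signature (FWS = uncompressed, CWS = zlib,
# ZWS = LZMA) followed by a one-byte version; the version range is a
# heuristic to cut down on chance matches in arbitrary binary data.
SWF_MAGIC = re.compile(rb"(?:FWS|CWS|ZWS)[\x01-\x40]")


def find_swf_offsets(data: bytes) -> list:
    """Return every byte offset in `data` where an SWF header appears."""
    return [m.start() for m in SWF_MAGIC.finditer(data)]


def scan_workbook(data: bytes) -> dict:
    """Map zip member name (or '<raw>') to the SWF header offsets found in it.

    OOXML workbooks (.xlsx/.xlsm) are zip containers, so each member is
    inspected separately; anything else (e.g. a legacy .xls OLE2 file) is
    scanned as one raw byte blob.
    """
    hits = {}
    if data[:2] == b"PK":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                offsets = find_swf_offsets(zf.read(name))
                if offsets:
                    hits[name] = offsets
    else:
        offsets = find_swf_offsets(data)
        if offsets:
            hits["<raw>"] = offsets
    return hits


def build_sample_workbook(embed_swf: bool) -> bytes:
    """Constructed stand-in for a workbook: a minimal OOXML-style zip, not a
    real Excel file. With embed_swf=True an embedded-object part carries a
    CWS header 16 bytes in, mimicking a Flash object stored in the file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/worksheets/sheet1.xml", "<worksheet/>")
        if embed_swf:
            payload = b"\x00" * 16 + b"CWS\x0a" + b"\x00" * 32
            zf.writestr("xl/embeddings/oleObject1.bin", payload)
    return buf.getvalue()
```

A hit only tells you a Flash object is present, which is reason to quarantine and inspect, not proof of exploitation.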

I didn’t see how they were discovered either, but it sounds like the attackers pretty much got most of what they were after.

I wonder how many other orgs have been hit by this sort of attack, and either haven’t discovered it yet or haven’t admitted it in public?

Got any good links?

cheers

Simon