Is This Project Worth Doing? The Fit Matrix

I have a tool I use as a quick first check on any effort that someone is proposing. I call it the Fit Matrix.

Someone wants to see a new service, or a new piece of software. Maybe someone wants to bring in a vendor for an overview of a product line. Or the question might be whether we should keep doing something we’re already doing.

I’m writing this from an IT management perspective, but the tool is easily generalized for other areas.

The Fit Matrix is a two-by-two matrix:

                      Business Fit: Low                  Business Fit: High
IT Fit: High          Solution Looking for a Problem     Do It!
IT Fit: Low           Don’t Do It!                       Problem Looking for a Solution

It’s intended for a quick assessment. It’s not a substitute for a feasibility study, a cost analysis, a risk analysis, or strategic planning. You’d use this as a quick look before you get to those more involved assessments.

Business Fit: Does it serve the organization’s directions?

Business Fit looks outside the IT group to match up the work with what the organization as a whole is up to. You’ll rate Business Fit as High or Low. Neither assessment guarantees that the work will or won’t be pursued. You’re just stacking it up against the organization’s known directions.

The proposed work has High Business Fit if:

  • It directly supports a documented organizational goal.
  • It directly supports an important business process within the organization.
  • There’s a target audience that is likely to want something along these lines.

Otherwise, the proposed work has Low Business Fit. It doesn’t support documented organizational goals or important processes, or we don’t really have an audience for it.

What about a gray middle? Maybe there’s a request people often make, but nothing in the organization’s plans calls for it. I’d usually call that a Low Business Fit. For Business Fit, we’re not (yet) asking whether the idea would be popular. We’re asking whether we can match it up with known organizational directions.

IT Fit: Does it fit with IT’s directions?

This is the internal view – how well the work fits in with the current or planned IT environment. Just like Business Fit, IT Fit will be judged as High or Low, and neither assessment guarantees what we’ll do with it.

The proposed work has High IT Fit if:

  • We have the technology to do it, or we’re already planning to acquire the technology.
  • We have the know-how, or we’re planning to get it. For this purpose, I’m not making a distinction between insourced work, outsourced work, or other approaches. The question is whether we do or don’t have a reasonable expectation that the necessary expertise will be in place, wherever and however we might come by it.
  • We expect it will integrate well with the existing or planned IT environment.

Otherwise, the work has Low IT Fit. We don’t have the technology, we can’t get the expertise, or we don’t see how it’ll work well with our intended environment. We’re not ready, not willing, or not able to do it.

The Four Outcomes, and What to Do With Them

Do It! (High Business Fit, High IT Fit): This is the ideal outcome. The organization needs it, and you can deliver it. You’ve got a case for taking a closer look. You’d still need to do appropriate levels of investigation, planning, and prioritization, but for now, you can say it’s a good candidate for such consideration.

Problem Looking for a Solution (High Business Fit, Low IT Fit): This is important, because the organization has a need, but somehow the idea in question is not a good fit with what you’re already doing. Either you need a better idea that will fit your IT directions, or you need to modify your IT directions to accommodate the solution. Or you don’t need a new solution because the current solutions are fine (for now).

Solution Looking for a Problem (Low Business Fit, High IT Fit): The idea seems cool, from a technology perspective, but you can’t tie it to organizational priorities. A Solution Looking for a Problem is less important than a Problem Looking for a Solution. Either you reject the idea altogether, or you allow it as an experimental side project with the hope that it may yet prove useful, at least as a learning exercise. But you don’t throw lots of resources at it.

Don’t Do It! (Low Business Fit, Low IT Fit): This idea isn’t a good fit for the organization or for IT. It’s not a good candidate for further pursuit, even as an experimental project. This situation will come up, and it’s not a personal failure for the person who suggested it. A good-faith suggestion that turns out not to be a good fit is still a Good Thing. You now have the opportunity to increase awareness of what is or isn’t a good fit, and you’ve handled the suggestion before much time was spent on it. If you want to send the message that you welcome suggestions, treat the person well even though the idea was rejected this time. Next time, they’ll be a little smarter about what’s going to fly.

What if you don’t have documented directions for the organization, or for IT?

You might find yourself in an organization that has no clear, documented directions. You don’t know what to match against. Or you might have inherited an IT group that hasn’t spelled out its own directions, or the directions have little to do with what the organization as a whole wants.

Make your best guesses, and use the Fit Matrix anyway. Give people something to react to. Maybe you’ll shake something out of the tree if you describe why you think something is or isn’t a good fit. You have a chance to learn something, and get greater clarity about the needed directions.

Foster Awareness

The Fit Matrix gives you your elevator pitch for any work you’ve assessed – why you are, or aren’t, pursuing a particular area of effort. Because the assessment is quick, it also gives you an easy way to foster awareness of your activities and directions. Give it a try!

Time to Back Away From Telecommuting? Nope

Yahoo’s CEO Marissa Mayer announced the end of telecommuting at Yahoo. While some decry this as a step backward, the other side of the story is that there was widespread abuse of telecommuting and a lack of accountability. The move might be a de facto layoff, too, if some people would quit rather than work on premises.

But is Yahoo’s action a warning that telecommuting isn’t everything it’s cracked up to be? Nope.

The problem I have with all the arguing over whether telecommuting is worthwhile, or whether Yahoo made the right decision, is this: Your Mileage May Vary.

People keep talking like telecommuting is one thing that works one way, and that it has a consistent, specific set of benefits and disadvantages, for everyone, everywhere, all the time.

Are you more productive in the office or at home? Not everyone has the same answer, and often it’ll depend on the task. Your workplace has resources and distractions. Your home has resources and distractions. There’s no universal answer to say one is always better than the other, for every person, for every task. A report from the Bureau of Labor Statistics (“The hard truth about telecommuting”) says telecommuting “seems to boost productivity, decrease absenteeism, and increase retention.” That’s good news, but it’s a trend, not a universal truth. The BLS report also notes that telecommuters tend to work longer hours, and that telecommuting often falls short on offering a better work-life balance. Here too, a trend is a trend, not a universal rule. Your mileage may vary.

Does a company save money on office space when people are telecommuting? Only if the company removes or reassigns your office space when you switch to telecommuting, and only if the cost savings are greater than any cost increases associated with extensive telecommuting. Does Yahoo have plenty of empty office space and unused office resources sitting around, ready for the returning workers? If so, Yahoo has been wasting money maintaining an environment people weren’t using: heating and cooling, electricity, cleaning services, network connectivity, office supplies, and so on. If not, Yahoo is facing a sizable cost of getting the workplace ready for a big influx of workers. Your mileage may vary.

Ms. Mayer mentioned one area that really does differ between telecommuters and office workers: face time, or the lack thereof. There’s a lot of value and opportunity in the ad hoc communications that can occur when you’re with your colleagues. Communications benefit when you see facial expressions and body language. You lose out on all that when you’re working alone, physically isolated from your colleagues. One telecommuter’s lament (“17 Telecommuting Disadvantages”) is mostly about the lack of face time. Some research suggests that a lack of face time can affect your evaluations (“Why Showing Your Face at Work Matters”).

How do you handle the lack of face time for telecommuters? There are several ways to offset it:

  • In-office days: Arrange for periodic in-office days. Maybe one employee splits up each week by working three days in the office, two days at home; the employee gets some face time, and some isolated time. Maybe the employee comes in once a quarter, and you take full advantage of the opportunity with events or activities that would most benefit from having the person on site.
  • Video conferencing: Some meetings or conversations could work better if you can see the remote people on a screen.
  • Educating staff on audio conferencing: Mostly, problems on audio conferences are the result of people not being used to it. Tips and reminders, or just plain frequent usage, can help.
  • Make online conferencing the norm: Skip the meeting table with a speakerphone in the middle. Have everyone use online meeting tools, whether or not telecommuters are involved, so that your location is immaterial.
  • Acceptance: The offsets above can help reduce the problems of losing face time, but they won’t eliminate them. Another “offset,” therefore, is simply to accept that the reduction in face time is a cost of doing business. If the benefits of telecommuting outweigh the hassles, take a breath and accept it. There are potential disadvantages for those who show up on site, too, but we accept those as a normal cost of doing business.

It Depends: On the Person, the Place, and the Thing

The way to look at telecommuting is that it’s not a universal good or a universal evil. Handle it case by case.

It depends on the person. Is this employee reliable and trustworthy? Experienced and resourceful? Fully onboarded and acculturated? An employee who gets the organization’s culture and who can work unsupervised is a good candidate for telecommuting. An employee who’s still learning the job, or whose reliability is in question, might need more in-person attention.

It depends on the place. Does this employee have a home environment that’s suitable for telecommuting, including the necessary connectivity and equipment, and a reasonably distraction-free work space? I’d want to make sure telecommuters understand what’s expected.

It depends on the thing. Will the employee be performing “black box” tasks, for which all you care about are the outputs? Does the employee consistently have enough of a workload of such tasks?

Culturally, you might have a challenge convincing the staff that telecommuting isn’t for everyone. You might have a challenge if telecommuting appears to favor some groups over others.

In the end, not everyone gets to telecommute, and not every telecommuter is a 100% telecommuter. I’d rather handle abuses case by case instead of letting a few bad citizens ruin things for the good citizens, but if the abuse has become widespread enough among your telecommuters, it might indeed be time to pull the plug – and time to find out how the abuse got so bad before anyone took useful action.

Jim

Breaches Gonna Happen

Two simple tests tell me whether someone does or doesn’t get infosec.

The First Test: Do you think your systems will ever suffer a breach?

If you say yes, if you assume there’ll be a breach, sooner or later, because nobody is invincible, then in my book, you get infosec.

If you say no, because you think nobody could get past your infosec solutions, you don’t get it. You’re adding to the risk if you think you’re invincible.

The best infosec people assume a breach will occur. Certainly, they strive to prevent a breach, and to detect and contain a breach rapidly if one occurs, and to recover rapidly and thoroughly, but they never assume they’re invincible.

The people who worry me most about infosec are the ones who think that any breach means someone needs to be fired or something needs to be replaced. These are the people who play the blame game: if something goes wrong, there must be someone or something you can blame (other than yourself, of course).

Take, for example, the flap over Symantec anti-virus and the New York Times breach. The New York Times got hacked, and Symantec’s anti-virus tools didn’t stop it. One of the sure signs that someone doesn’t get infosec is that they think an anti-virus tool should make them invincible. I’ve never heard an anti-virus provider make that claim. If the Times thought an anti-virus tool should be 100% successful against 100% of attempts, shame on them for dangerously naive security planning. It’s like thinking that a lock on your front door should prevent all crime against you.

As reported so far, Symantec tools captured only one of the 45 pieces of malware that had invaded the Times – but was that because the malware was delivered where anti-virus tools weren’t deployed or involved? Were the anti-virus tools misconfigured or out of date? Was the malware customized not to match known virus signatures? Were there ways for the Times staff to bypass virus checking? Was it the only tool in the toolbox? Back to the door lock analogy: if there’s a crime in my house, I wouldn’t blame the front door lock until I determined that’s where the criminal got in, and that the lock had been properly locked. Even then, if the criminal got in through a locked front door, I wouldn’t declare it’s time to stop using door locks.

If it turns out that the anti-virus tools at the Times were thoroughly deployed and properly configured, and the attacks got through only because they didn’t match known anti-virus signatures, that confirms what people who get infosec understand very well – that anti-virus tools alone aren’t enough. If the anti-virus tools are indeed catching lots of other malware, they’re still serving a purpose, but failure to stop this breach doesn’t mean it’s time to throw out the anti-virus tools.

The Second Test: Do you think infosec decisions are business decisions or technology decisions?

My second test is as important as the first: Is infosec a business decision or a technology decision?

If you think it’s a business decision, you get infosec. If you think it’s a technology decision, you don’t. No tool is universally the right answer; business matters drive the selection and usage of tools.

The “IT knows best” crowd – or, one might say, the “shut up, it’s good for you” crowd – thinks technologists should decide which solutions to enact and how to configure them. Sometimes, IT people are the ones with this attitude, but sometimes it’s management: the managers who dismiss infosec discussions as icky techie stuff, so they wash their hands of it and leave it to the technologists to magically render the organization invincible.

Is this what happened at the New York Times? Did management fail to view infosec from a business perspective, and then they were astonished when the security tools in place didn’t match up with business needs? The fact that the Times is looking for someone or something to blame suggests to me that management at the Times doesn’t get infosec.

Infosec decisions are business decisions, based on impact and likelihood. The potential breaches that have the greatest impact – from the organization’s perspective – and the greatest likelihood, need the most thorough protections. The potential breaches that have the least impact and the least likelihood don’t need the most thorough or costliest solutions, and in fact you’re wasting your resources if you overdo the security in those areas.

You can pass the tests with or without an infosec or IT background

You can pass both of my tests whether or not you have an IT background, and whether or not you have an infosec background. You don’t need to be an expert to understand that breaches are always possible, or that infosec decisions should be driven by the organization’s needs and not just by technical matters.

What really led to the breach at the New York Times? The reports so far don’t say, but there are multiple possibilities, depending on whether management gets infosec and whether the infosec staff gets infosec:

  • Management gets infosec, infosec staff gets infosec: The infosec environment was good, but management and staff both understood that no solution would be 100% effective every time. They’ve got work to do to recover and adapt, but they understood a breach was always a possibility. They’re not blaming a tool failure until they find out that’s really the culprit.
  • Management doesn’t get infosec, infosec staff gets infosec: The staff did the best they could without much help from management, and they knew a breach was entirely possible, but now management is fishing for something or someone to blame.
  • Management gets infosec, infosec staff doesn’t get infosec: The staff did a poor job of delivering an infosec environment that matches business needs. This breach might have been preventable, if they had delivered a better environment. Management would get after the staff for poor execution, and wouldn’t single out one tool as the cause.
  • Management doesn’t get infosec, infosec staff doesn’t get infosec: It’s no wonder this breach occurred. Management and staff together thought that as long as they deployed some anti-virus tools, this kind of thing couldn’t happen. Of course they’d try to blame the anti-virus tool for their problems.

We may find out more later on, but for now, trying to blame the anti-virus tool at the New York Times suggests that somebody there doesn’t get infosec.

Job Seekers: Can This Company Pay You?

Calculate the current ratio to gauge whether a prospective employer will be able to pay you, says “How to Tell if that Company Can Pay You” (blog at Harvard Business Review).

current ratio = (current assets) / (current liabilities)

Good and Bad Values for Current Ratio

Good sign: roughly 1.5 to 3. The company’s in pretty good shape, for now. You’ll get paid. (The Wikipedia article says, “Acceptable current ratios vary from industry to industry and are generally between 1.5 and 3 for healthy businesses.”)

Warning sign: about 1.2 or lower. The company is facing some short-term problems in paying its debts. Your salary might be at risk. (The HBR blog says, “If it’s below 1.2, that’s a big red flag.”)

Warning sign: higher than 3. This might indicate an organization that’s just sitting on its money instead of putting it to good use.

As they say, your mileage may vary. Whatever the current ratio is, keep in mind that it’s a snapshot, a moment in time. The company’s fortunes could turn one way or the other. The company could weather a current storm, or it could snatch defeat from the jaws of victory. The current ratio is a hint, something for you to discuss with a prospective employer. Compare the ratios for similar organizations to see if one stands out as especially better or worse than the others.

Finding the Information (in the US)

To compute the current ratio, you need to know the company’s current assets and current liabilities. Where do you get that info? It depends on the type of organization.

Publicly traded company: Do a web search for “balance sheet” and the company’s name or stock ticker symbol. You should be able to find the current balance sheet online. Look for Total Current Assets and Total Current Liabilities, and then do the math: (total current assets) / (total current liabilities).

Non-profit organization: Search for the organization at http://www.guidestar.org/ and look at the organization’s latest Form 990. You’ll need to register a free Guidestar account to see the Form 990. On the Form 990, get the Total Assets and Total Liabilities in Part I – Summary, and then do the math: (total assets) / (total liabilities).

To be precise, this calculation for non-profits isn’t really the current ratio. The total assets and liabilities cover current items (short-term, within the next 12 months) as well as long-term items. If you look on the Form 990 at Part X – Balance Sheet, you’ll find more detail, but it doesn’t distinguish which items are current or long-term. A single line item could mix both together, like investments. Also, Guidestar warns that Ratios Aren’t the Last Word on non-profits, because they don’t tell you which organizations are well-managed or mismanaged, or which ones are fulfilling their missions well or poorly.

Private company: You may have to ask the company for its latest audited balance sheet. I mention “audited” in particular because that will be the latest official balance sheet, verified by an independent auditor. If the company hands you unaudited numbers, the info might not yet be accurate and complete. I’m not saying the company is dishonest, but I know from experience that the audited numbers aren’t necessarily the same as the preliminary unaudited numbers.

Examples

Let’s try a few…

Microsoft (stock ticker symbol MSFT): A web search quickly finds the latest Microsoft balance sheet. As of June 29, 2012, it shows Total Current Assets = $85,084,000 and Total Current Liabilities = $32,688,000. Microsoft’s current ratio is 2.6. As a prospective employer, Microsoft should be in good shape for issuing paychecks.

Apple (AAPL): The Apple balance sheet, as of September 29, 2012, shows Total Current Assets = $57,653,000 and Total Current Liabilities = $38,542,000. Apple’s current ratio is 1.5. Apple seems to be in decent shape for issuing paychecks.

Wal-Mart (WMT): The Wal-Mart balance sheet says that as of January 30, 2012, Total Current Assets = $54,975,000 and Total Current Liabilities = $62,300,000. Wal-Mart’s current ratio is 0.9. Ruh-roh! Is Wal-Mart at risk of not paying employees? How does it stack up against similar companies? If you’re looking at Wal-Mart as a prospective employer, this bears further exploration.

Feed the Children (nonprofit): The 2011 Form 990 found at Guidestar shows Total Assets = $185,587,243 and Total Liabilities = $9,072,846. As I said above, we’re not computing the current ratio because the Form 990 doesn’t distinguish current from long-term. If we compute the ratio of assets to liabilities anyway, we get a ratio of 20.5. That seems very high, but it’s also not really the current ratio. Let’s drill down into Part X – Balance Sheet. Treating lines 1-9 as current assets and leaving out lines 10-15 gives $112,650,766 in current assets. Treating lines 17-22 as current liabilities and leaving out lines 23-25 gives $8,298,371 in current liabilities. Result: estimated current ratio = 13.6. That still seems pretty high. On its own, as Guidestar warns, it doesn’t prove anything, but it gives me something to explore and consider. I’d want to compare similar organizations to see if their ratios are also that high.

PricewaterhouseCoopers (privately held): I wasn’t able to find a PwC balance sheet online, but this is no surprise because private companies aren’t required to publish that information. If I were looking at PwC as a prospective employer, I’d have to ask for their latest audited balance sheet if I wanted to compute a current ratio or otherwise see how they were doing financially.

Calculate the current ratio of prospective employers, and maybe you’ll get a constructive dialog out of it.

Jim


IT Security Trends From 2012

“Kaspersky Security Bulletin 2012: The overall statistics for 2012” offers up some very interesting data. Online security threats have evolved, and some cherished myths have been shot to pieces. In particular, 2012 was a big year for attacks on Android devices and Macs.

Mobile Malware – Mostly Android

The report says “99% of all the mobile malware we detected every month was designed for Android.” Each month of 2012 saw thousands of new pieces of Android malware. The main type of Android malware was the SMS Trojan – malware hidden in some app you chose to download. The SMS Trojan quietly subscribes you to a premium-rate number, racking up charges for you and profits for the spammer. Android devices were also subject to adware, like software that redirects your browser. Androids were also attacked by malware that acquired root-level access to your Android’s operating system.

Kaspersky also reported a huge increase in spyware aimed at mobile devices, for tracking the phone’s location and activity, and for transmitting data without the user’s knowledge. They mentioned FinSpy as an example.

Macs – Debunking the Myths

The Kaspersky report says “2012 saw the comprehensive debunking of every myth about the security of Mac environments.” Macs were subject to botnets (especially Flashfake), DNS poisoning, and fake anti-virus software that extorts money from you to handle “detected” viruses.

Vulnerable Apps

Which apps were the most targeted? Java vulnerabilities were the big winner (or actually the big loser). Kaspersky reports that attacks on Java accounted for 50% of all attempts to exploit vulnerable apps. In other words, Java was attacked as much as all other apps combined, and it was attacked on Macs as well as PCs. As of last week, the Department of Homeland Security is still warning people to disable Java entirely.

In second place, with 28% of the attacks, was Adobe Reader. Kaspersky notes that Adobe has taken many steps to tighten up security in Adobe Reader.

Guess what got only 3% of the attacks: “Windows components and Internet Explorer.” Yep, only 3% of the attacks were specifically related to Microsoft. There goes another security myth.

What’s Next?

While attacks on mobile devices rise, because increased usage and lower prices have outpaced improvements in mobile security, my prediction is that the next big growth area for malware will be “connected” devices that didn’t use to be connected.

Examples include telehealth technology, like at-home monitoring of health. Timely, accurate data is a great thing for health care, but the newfound connectivity for protected health information opens new vistas for security problems.

Another example is increasing connectivity for your car, which leads to opportunities for malware in your car.

Iran hacked a GPS signal to capture a U.S. drone. Fictionally, an episode of the Monk TV series (“Mr. Monk Goes to the Ballgame,” 2003) featured a victim who drove to his attacker because his car’s GPS unit had been hacked – fictional, of course, but not inconceivable.

Now that every phone is a camera, there are new risks for spyware using your phone’s camera to see where you are.

Where there’s software and connectivity, there’s malware.

The coolness factor for new areas of connectivity pushes us down those paths faster than we’re securing them. Security that’s baked in from the start is a lot easier to add than security that’s strapped on later, but technology buyers want the latest features, and technology purveyors don’t want to be left behind.

Folk Hero or Wrong-Doer?

I don’t consider “Bob” the programmer a folk hero. He drew a salary for a job he didn’t perform, because he had outsourced his work to China. He goofed off and collected a paycheck, while the Chinese company did his work. Verizon describes how they uncovered the off-the-books outsourcing. “Bob” is the pseudonym Verizon assigned to the programmer.

Those who consider Bob a hero tend to cite two things. First, they claim he was only doing what corporate leaders do when they outsource work. He’s just doing to them what they might do to him some day. Second, they note that the guy got good evaluations. The company liked what his Chinese providers were doing.

Here’s why I don’t consider Bob a hero:

  • He’s been lying. He’s been deceiving his employer about who did the work. That’s unethical and dishonest. If he had been up front about it, and helped his employer arrange to get good results inexpensively, then he could be a hero. But he lied about it. In business as in romance, if you’re hiding a secret relationship and lying to cover it up, you’re cheating.
  • He’s been taking money for work he didn’t do. That’s unethical. If you’re an honest broker, the people who engage your services know it. If you pass off someone else’s work as your own, you’re dishonest.
  • He violated a basic security rule by sharing his login credentials. Just about every set of security guidelines on the planet tells you not to share your login credentials with others. Bob did it regularly and often, shipping his security tokens off to his Chinese provider.
  • He violated a confidentiality agreement, and might have put the US at risk. The Verizon write-up says the company was a US infrastructure provider, and “The implications [of the unauthorized access] were severe and could not be overstated.” Bob was routinely granting access on the sly to people who weren’t entitled to the information. This is bad enough in almost any company, but it’s even worse in this case because he was handing privileged access to a foreign power that might not have the purest of intentions toward US infrastructure.

A disturbing aspect of this is that it’s the reverse of the usual espionage scenario: Bob’s foreign handlers didn’t have to pay him to get insider access to US infrastructure. He paid them. Or you might say they paid him in services instead of money. I wonder if this is a new MO for espionage, getting the dupes to pay the handlers instead of the other way round.

No, I don’t consider Bob a hero.