MEDELLO CONSULTING

Delivering Results You Can Count On

Strategy and Operations - Business Continuity Management - Security, Privacy, and Compliance - Content / Records Management - Information Life-Cycle Management (ILM) - IT Service Management (ITIL) - IT Infrastructure Consolidation - Technology Planning and Execution



"Perception is strong and sight weak.  In strategy it is important to see distant things as if they were close and to take a distanced view of close things." - Miyamoto Musashi

There is a growing need for more formal technology planning as systems become more complex, take longer to implement, utilize common databases, involve multiple functions, departments, operating companies, and/or countries of the world, cost more money, and have greater competitive impact.

The benefits from planning - improved decision-making, enhanced communication, and a firmer commitment of resources - generally outweigh the costs of the undertaking.

Formal planning approaches range from the "controlled reaction" tactics of formally evaluating and ranking known project ideas, to the strategic "top-down" scanning for high-potential application opportunities within the context of the overall organization's strategic plan.

The selection of a particular planning approach requires a careful balancing of such factors as the role of the IT organization, its degree of maturity, and the sophistication of the overall company and individual "user" executives.

Success in planning for IT hinges on three factors:

  • Previous credibility of the IT group in managing new project development and ongoing computer operations,
  • Maturity of the overall organization's management processes, such as methods for conducting business planning and making capital allocation decisions, and
  • Choice of an appropriate IT planning approach that suits the needs and constraints of the organization.

In those organizations most advanced in their planning, the IT planners have become an integral part of the management team of the organization.  And, in these companies IT strategies have a major impact on, and a corresponding interrelationship with, the longer-term business plans of the enterprise.

Good formal planning must complement, but cannot replace, the political sensitivity, entrepreneurship, conceptual contribution, and basic business leadership required of the successful IT executive.

We have, over the years, seen organizations spend sizable sums of money on technology investments that have yielded poor to average results.  And, by and large, we find that is so due to inattention to planning or employment of planning models that are inappropriate and unrealizable.

We offer a planning approach that is keenly in tune with the overall organizational ground realities, taking into consideration organizational readiness and communication as well as a robust assessment of current plan v. desired outcomes.

Offerings
Business Systems Planning, Marketing and Planning, Sales Support Infrastructure Assessment and Design, IT Managed Services Framework, M&A Systems Integration Strategy and Execution, Insource v. Outsource, Near-Shore v. Off-Shore, Change Leadership / Organizational Readiness




"If anything is certain, it is that change is certain.  The world we are planning for today will not exist in this form tomorrow." - Philip Crosby

Business continuity and disaster recovery are terms all too often used interchangeably when, in fact, they are two different aspects within the business continuity spectrum.

The primary focus of business continuity planning is to provide robust resiliency to the enterprise's core business processes, whether those processes generate revenue streams or, as is the case for organizations within the public sector, support mission-critical activities that must go on.

Disaster recovery is, as the term suggests, focused upon restoring mission-critical activities post-disaster to a level that can sustain the enterprise until such time that normal operations resume.

Disasters, too, can be non-catastrophic.  A striking union, in an organization dependent upon union workers, can create a significant disruption.  Plans must be in place to deal with these and similar eventualities.  A power outage may debilitate the operations of a data center but may have little impact upon the core business processes of an organization for some time.  The question is:  What is the maximum allowable outage (MAO) an organization can sustain before the cost of disruption becomes too severe?

Unfortunately, many organizations, within both the public and private sectors, recognize the need for business continuity planning but make little effort and investment in doing so.  It is understandable: the mind-set is that of someone who, never having been involved in an accident, views insurance (be it auto, flood, earthquake, medical) as an unnecessary and onerous expense.  Until, of course, that once-in-a-lifetime event occurs.

9/11 created a heightened awareness of the need for business continuity planning but, as time passed, the awareness dissipated.  Then, with Katrina, came the realization yet again.  Those that were prepared (Sheraton New Orleans, for instance) managed to withstand the challenges resulting from Katrina.  Many others suffered huge losses, some never to recover.

The likelihood of an organization suffering some level of business disruption is too high to be ignored.  Every organization needs a business continuity plan, though its complexity, depth, and extent may differ.  "Right-sized" planning is required since there is no "one-size-fits-all" plan that makes sense.  It is about weighing costs against risks.  Knowing that balance is critical so that adequate investments are made without "over-spending" or "under-insuring."

The map below is quite telling and should suffice to raise the awareness of the risks we all face, regardless of geography (the caption should not be confused with the disasters created by presidents!).
[Map of presidential disaster declarations by state; image not reproduced]

Source:  FEMA

It is also worth noting that, of the presidentially declared disasters during the period 1964-2007, 31% occurred during the last decade (1998-2007).  This trend is particularly heightened in South Carolina, DC, Delaware, Kansas, Wyoming, Utah, Maine, North Dakota, Vermont, Virginia, and Florida, where over 40% of the declared disasters occurred during the past 10 years.

Given the increased frequency and severity of disasters, it is obviously incumbent upon organizations to prepare themselves for both small and big events.  As mentioned earlier, there are numerous other disruptions, short of those necessitating presidential declarations, that can adversely impact the well-being of organizations.  For instance, a thunderstorm in the Philadelphia area knocked out power for 2 hours, driving the temperature in a company's data center to 97 degrees.  Each degree above 71 can halve the life of equipment.

Another compelling reason to formulate and implement a business continuity plan is the fact that your clients and/or strategic partners may require assurance that your organization can withstand the unexpected and can continue to provide core services or deliver needed products.  The extended enterprise can be adversely impacted if parts are demonstrably single points of failure.

Regulatory compliance is another driver for active business continuity management.  And if the organization is seeking to leverage external funding, providers will generally require that a business continuity plan not only be in place but also be actively maintained.

Daunting as it may seem, embracing business continuity management is an imperative for all organizations, big and small.  The paths to delivery are numerous, the approaches many.  Adopting the Disaster Recovery Institute International (DRII) playbook is certainly workable; however, there are other options as well that focus on assessing your organization's readiness and, based on the gaps found and their potential impact, create a roadmap that is executable in chunks, with each chunk significantly mitigating risks.

Our approach and methodology are centered around organizational assets, which are assessed from the perspective of key stakeholders in the organization.  The Readiness Assessment framework provides for the development of a discrete set of actions that can be executed in short timeframes and result in strengthening the organization's posture vis-à-vis business continuity.  A key element of our approach is a laser-like focus on identifying any opportunities that can drive cost out of operations while meeting the Plan objectives.

Knowledge transfer is a fundamental principle of our approach.  We believe that any organization aspiring to put a BC plan into place must internalize the concepts and know the "business" of BC.  We can deliver a BC plan in its entirety, with minimal support and involvement from your organization; but to be effective, we encourage the use of the 80-20 rule, whereby we provide the 20 (expertise, tools, experience) and you deliver the remaining 80.


Offerings
Readiness Assessment Workshop, Business Impact Analysis, Risk Assessment, IT Resilience Assessment / SPOF Remediation, Plan Development, Communications Planning and Collateral Development, Execution Testing



"Attacking is the only secret.  Dare and the world always yields, or if it beats you sometimes, dare it again and it will succumb." - William Makepeace Thackeray

The nineteenth century English novelist, if not an inspiration for hackers the world over, could be.

The exploding growth of digitized information has created formidable challenges for organizations in terms of ability to securely store, manage, and mine data.  Regulatory and other compliance requirements have added immensely to the already complex landscape.

Security-related technologies, by and large, have been quite effective: authentication technologies (biometric devices, electronic authentication devices), cryptography technologies (encryption), access control technologies (firewalls, VPNs, cameras, badges, virus scanners, password shadowing), and electronic intrusion detection technologies (IDS, IPS, logging, monitoring, packet sniffing, firewall logs).

Most organizations have already invested significant sums on deploying security-related technologies.  Yet, the menace and threat of security breaches, often very costly, continues to grow.  And it is clear that the phenomena are not necessarily technology related; rather, they point towards weaknesses in planning and enforcement on the parts of organizations.

Some of the more recent security incidents are illustrative of loose organizational practices:

  • A senior-level employee of a subsidiary of a financial processing company stole 2.3 million consumer records containing credit card, bank account and other personally identifiable information.
  • By neglecting to encrypt data sent over the Internet, employees of a major government contractor put the sensitive information of more than 800,000 U.S. service members and their families at risk.
  • A computer storage device containing the names and Social Security numbers of every Ohio state worker was stolen from an intern’s vehicle.
  • Several laptops containing personal information—including about 130,500 Social Security numbers—were apparently stolen from the L.A. County Child Support Services Department’s office.
  • A national database containing sensitive data on about 26.5 million veterans was stolen after an employee brought the data home.

These are incidents that could have been avoided if the policies already in place had been monitored and enforced.

Many organizations have not even developed policies.  And many have policies in place but the communication around them is inadequate.  A strong, vibrant communications framework is required to make security and privacy consciousness part of an organization’s make-up.

The SANS Institute provides templates for 35 policies on their web site, ranging from Acceptable Encryption Policy to Wireless Communication Policy and Standards.  These templates can be leveraged to create an appropriate one for practically any organization.

That is the easy part.  The challenge lies in communicating the policies and making sure that the essence of the policies is understood and adopted by employees who, of necessity, span a spectrum from administrative and clerical to management. The content and method of communication has to be tailored in ways that can keep the message alive during an employee’s employment life-cycle.  In fact, the extended enterprise (customers, employees, suppliers and service providers) must be kept in mind when developing and communicating policies.

Supporting the policies must be appropriate mechanisms that can drive compliance to high levels.  And metrics must be established that can substantiate that the policies, standards, and guidelines are being followed.

Periodic vulnerability assessments are a highly recommended practice as part of an overall vulnerability management program.  Ideally, these combine tool-based facilities (QualysGuard, for instance, which is PCI compliant) with a review of policies and practices conducted by a third party to lend objectivity and credence to the outcome.  "Testing to fail" is a very useful approach (as in business continuity testing) since identification of "failures" or "soft spots" enables the organization to strengthen its security posture.

Our primary focus is to help clients address the Top 3 challenges security officers and CIOs face:

  • Budget constraints (5 to 7 per cent of IT budget typically)
  • Lack of senior management support
  • Lack of employee training and end-user awareness

Meeting these challenges requires:

  • Identification and prioritization of risks (where to spend and how to spend given funding limitations)
  • Leadership alignment (creating heightened awareness of the specific security and privacy related risks of their organization and approaches to mitigating such risks)
  • Organizational awareness (development of a program that leverages best practices and Intranet to promote a “security aware” organization)

Getting a solid grip on the Top 3 is a business imperative.  Not doing so is tantamount to leaving doors open for mischief-makers and cyber-thieves.  And besides, it is about good corporate governance.

Offerings:  Assessment Workshop, PCI Compliance, IT Controls and SOX, NAC Deployment Planning, Identity Mapping, Security Policy Development, Organizational Readiness




“Knowledge is of two kinds.  We know a subject ourselves, or we know where we can find information on it.” – Samuel Johnson

The advent of the Internet has opened the floodgates in terms of new and re-purposed content.  Between 2002 and 2007, digitized content increased more than ten-fold, reflecting the growing reliance on the many variations of the web.  Managing this dizzying escalation of content growth has become a major challenge for organizations, big and small.

Content management systems (CMS) have taken on greater appeal but, as with most popular technologies, the noise generated by competing vendor claims makes it difficult for organizations to make sensible choices.  And, as with most technologies, a CMS does not provide the total answer.  How information is managed, the surrounding policies, the framework for usage, and actual usage patterns all need to be understood to make a CMS effective and provide payback.

Furthermore, confusion exists and is perpetuated by the mixing of terms: document management, knowledge management, content management, portals, web management, digital rights management, records management, and digital asset management are all terms that are often used interchangeably.  All fall under the umbrella of enterprise content management systems, but universal, one-size-fits-all solutions simply do not exist or are immature, contrary to vendor claims.

Regulatory compliance has been the primary driver for organizations seeking to manage content.  But there are other reasons why organizations are embracing content management solutions.  

What are some of the business imperatives driving adoption of content management systems that span content creation, management, publishing, and presentation?

  • Marketing – The Web has become an indispensable channel for businesses.  Distribution of marketing collateral and supporting current brands and corporate identity through this medium is now commonplace.  The dynamic nature of today’s business environment necessitates management of changing content.
  • Information Management – The costs associated with information management and maintenance soar as duplication of information across business units and platforms occurs.  Error rates climb as well, adding to operational inefficiencies. When possible, information should be stored once, and reused multiple times.
  • Sales Support - E-commerce sales are growing rapidly, requiring a robust e-commerce infrastructure to manage both structured and unstructured data.
  • Product Development – Collaboration is essential to rapid and effective product development requiring an efficient mechanism to update internal corporate information and resources enabled through streamlined workflow.
  • Publishing - Effective management and tracking of published content, coupled with greater transparency and accountability, is essential within the construct of good corporate governance today.
  • Legal Risk Mitigation – Businesses are increasingly susceptible to legal liability arising due to poorly managed skyrocketing volumes of information.  Establishment of controls and accountability over the review and publishing processes is a requirement as is the development and implementation of robust, traceable data retention processes and facilities.
  • Knowledge Management - The loss of key staff reduces the knowledge available within an organization.   Pooling knowledge in a controlled environment not only mitigates the risk of knowledge loss but also enriches the organization by providing a broader knowledge base facilitating direct communication and information sharing.
  • Information On-Demand – Lessening the burden of “information overload” requires powerful search, browsing and filtering capabilities, enabling search on-demand.
  • Customer Service – Provision of accurate, timely, and comprehensive information to customers delivers many benefits including improved customer loyalty, retention, and decreased customer support costs.
  • Cost Reduction – Effective content management will invariably reduce operating costs in a variety of ways.  For instance, creation of information online does away with the need for printing manuals in paper form.  Reduced order-to-fulfillment cycles generate not only improved cash flow but savings as well in the form of efficiencies.

Organizations that have clearly defined business goals vis-à-vis content management are successful in deploying CMS.  Those that do not are finding CMS to be an albatross around their necks.  The former tend to be very business-centric in the development and deployment of CMS. The latter, all too often, jump to “solutions” without adequately defining the problem.  Such organizations are not helped by vendors and resellers who relentlessly encourage adoption of solutions (such as SharePoint a.k.a. MOSS) as antidotes to every content management affliction.

Our perspective: Determine your business requirements (every organization has unique requirements), establish an evaluation framework, and then comprehensively evaluate CMS products within that framework.

We leverage a reference model that can be adapted to create an organization-specific framework which will

  • Reduce the challenges associated with determining concrete business requirements,
  • Allow for flexibility in the face of uncertain future business directions,
  • Minimize implementation difficulties,
  • Prioritize and rationalize variable product capabilities,
  • Identify up front whether integration with other systems is feasible, and
  • Have a built-in allowance for organizationally induced complexities such as workflow and other people-related issues.

Offerings:  CM / RM Scope Determination, Infrastructure / Architecture Review, Records and Policies Review, Standards Review, Requirements Validation, Requirements Classification