Archive for the ‘GRC’ Category

Cyber Effectiveness and the CED KPI

Thursday, November 22nd, 2018

Cyber effectiveness and the CED KPI - the Cyber Event Days Key Performance Indicator - are inextricably linked with one another.

Improving one improves the other - CED improvements result in better cyber effectiveness.

In fact, it is Cyber Event Days - the KPI - that reveals the diagnostic of what to do next to improve the effectiveness of Cyber programs, but only if you know what to look for and how to use it.

  • For some, CED KPI measures are in the low single digits.
  • For others, CED measures are in the tens of thousands.
  • But for most, CED measures fall somewhere between the two extremes.

So what is this CED (Cyber Event Days) KPI?

(more…)

Cyber’s ODI Operating Model – The Future of Cyber Security

Wednesday, August 8th, 2018

Cyber's ODI Operating Model is the emerging future of cyber security.

This operating data intelligence (ODI) model will take over Cyber operations and will be driven by data.

However, as an actual set of realized practices today, Cyber’s ODI does not yet exist in full regalia and will not for some time.

Despite being emergent, ODI is the unstoppable future of Cyber.

Let’s take the covers off Cyber's ODI and peek at what it is, why it is the future of Cyber, and what to expect of it.

But before we do, let’s review today’s dominant Cyber operating models.

(more…)

Cyber’s ESD Operating Model – Balancing Risk-Reward for the Digital Value Chain

Thursday, June 28th, 2018

Cyber's ESD Operating Model (Eco Stack Defense) is a balancing act – with real world consequences – played out every day by organizations around the world.

For enterprises with the least effective cyber security results, the ESD Eco Stack is an unknown, unseen and unused operating model. For those with the most effective results, Cyber's ESD is standard operating procedure.

Where do you fit?

Wellington’s ongoing research reveals global population breakouts of 20 percent at the bottom, 68 percent in the middle, and 12 percent at the top, going from least to most cyber effective.

Whether you are in the bottom, in the middle, or at the top, understanding and improving your ESD Eco Stack effectiveness is the same thing as becoming more cyber effective.

Read further to discover what Cyber’s ESD Eco Stack is, why it’s important, and what you should consider doing about it.

(more…)

Cyber’s CDA Operating Model – Both Ends Against the Middle

Friday, June 15th, 2018

For Cyber security, Cyber's CDA Operating Model is, in practice, both ends operating against the middle.

Both ends of CDA are focused on one thing, and one thing only: appropriate controls to manage the risk of using digital.

In the case of CDA, one of its ends consists of all the activities focused on prevention, while those at the other end are focused on improvement.

Stuck in the middle are all the activities focused on detection.

The effectiveness of any enterprise cyber program is measured by the turn-around time from one end of CDA to the other.

Reducing this time close to zero – which can be approached but like any asymptote is impossible to achieve – is a sine-qua-non for cyber security.

Effective cyber security managers do CDA better than others, and those who keep the dance between its two ends in harmony are among industry leaders.

(more…)

Cyber Security Operating Models and Cyber Effectiveness

Monday, May 21st, 2018

Cyber Security Operating Models and Cyber Effectiveness.

Operating Models for Cyber Security

An operating model involves all the resources available to an organization to operate: it is used to express how companies deliver value to stakeholders and customers, its beneficiaries, and how organizations are structured to operate day-to-day.

As such, operating models are an expression of the effectiveness and efficiency of the use and allocation of resources to achieve stated aims and objectives.

When it comes to cyber security the common aims and objectives often include:

  • Keeping the name of the CEO and the company out of the limelight for having been 'compromised'
  • Staying ahead of the attacks and vulnerabilities to achieve the above
  • Engaging risk-appropriate controls to accelerate digital transformation projects

These are a few of the common objectives for cyber security.

Others are those normally associated with its measures, such as rates of patches applied, numbers of data loss/compromise events, and number of unresolved cyber event sequences among others.

(more…)

GDPR is all about PII data

Friday, November 24th, 2017

GDPR is all about PII data. Observers not familiar with the practices of privacy and security often look perplexed when you tell them that - with the exception of data protected in transit for use with web applications and virtual private networking - most data stored and accessed via applications on-premises or via hybrid, private and public Cloud applications, is unprotected.

But in this era of evaporated security perimeters, it has always been all about PII (personally identifiable information) data.

GDPR

In the era of the General Data Protection Regulation (GDPR) of the European Union (EU), it is all about PII data.

Although most organizations possess supervisory policies and principles about which data is considered public, confidential and sensitive, very few actually go to the trouble of automating the enforcement of these policies. Few companies go to the trouble of identifying, flagging, tagging and marking PII data. But this all changes starting with GDPR.

(more…)

No CMDB – Problem or Opportunity?

Saturday, October 14th, 2017

Do you have no CMDB and does this represent a problem or opportunity for you?

For those not familiar with the term, CMDB stands for Configuration Management DataBase. Traditionally, such a database contains relevant information about the IT infrastructure, IT services, and the relationships between the two.

Increasingly, CMDB encompasses the relationships - and digital services - external to the enterprise.

Such digital services as containers, APIs, virtual services, third-party service providers, Cloud services, managed services, and supply-chain services are but some of the external digital services the enterprise increasingly relies on for operations.

So what is the relevance of a CMDB?

Let's find out.

(more…)

The Changing Nature of SOCs

Thursday, December 29th, 2016

Security Operations Centers (SOCs) are largely confined to use by big businesses and governments, especially large federal governments and large enterprises among the global 1,000.

Unfortunately, the resources - and available security talent - that are common among global 1,000 and large federal governments are not common among local governments, small businesses, and most healthcare service delivery institutions. And the numbers back this up, if data breaches are representative performance indicators.

Data Breach and Cybercrime Indicators

For example, the data breach statistics of the Identity Theft Resource Center reveal that it is the combination of medical, healthcare and business sectors that accounts for the largest share - averaging almost eight-in-ten (79 percent) - of data breach events tracked by the center between 2012 and 2016.

By comparison, the data from Hackmageddon for November 2016 reveals that 80 plus percent of cyberattacks it tracks are due to cybercrime, with the majority of these directed at three industry sectors: hotel and hospitality sector (23.5 percent), the retail sector (17.6 percent), and the entertainment sector (11.8 percent).

(more…)

Why Managing Risk Does Not Compute

Thursday, July 21st, 2016

One of the disciplines for information security is risk management. Managing the risk of using IT is after all, what it's all about when it comes to digital security, or so they say. For example, when faced with the alternative of not closing a deal before the end of quarter versus closing it, what do you think will happen?

Obviously, the deal is going to get done. But what of the circumstances surrounding this? The deal got done, but at the risk of the sales manager's mobile phone and downstream IT systems becoming infected with malware, because her customer was using a local - and unprotected - wi-fi hotspot at the local coffee shop to sign an electronic contract form.

The alternative would have been to delay taking the order until the customer, a Don Allbody, could reach an Internet connection that could be secured. The problem was that Don was actually out of town on a fishing trip, and he was in the coffee shop next to the dock where his party was about to board for an all-day seaside fishing trip. He would be back late in the afternoon, but he informed Sally - the sales manager - that he would not be able to sign the contract later because he had to pick up his family, who were arriving at the local airport later that evening.

(more…)

Vendor Integration and Risk Management – Two

Tuesday, June 7th, 2016

Vendor integration and management is posing growing demand on IT for its own needs, and those of multiple business line constituents. In this part two, we look at some of the common procedures being used to implement successful vendor integration and risk management efforts.

More mature organizations collect information related to business value and business impact on an ongoing basis from vendors. For IT this may mean quarterly reporting, annual self-assessments, and daily log-reporting of critical KPIs. For security, it often means reporting frequencies tied to severity levels.

The more frequent gathering of relevant data comes from IT systems, application and security logs and phone calls, while less frequently used are onsite interviews, web-based self-assessment questionnaires, spreadsheets, text and email.

(more…)

Vendor Integration and Risk Management – One

Wednesday, May 4th, 2016

Vendor integration and risk management is a growing demand on IT that is taking more time and effort to do at all, never mind do right. IT has traditionally withheld the necessary resources, time, and attention from vendor integration and risk management programs. At some enterprises the integration and management of vendors is ignored, while at others vendors are over-managed.

Our ongoing research indicates vendor integration and risk management programs collect information for multiple uses, including internal audit, compliance, risk management, IT operations, human resources, contract administration, legal and IT security. Furthermore, our ongoing research clearly reveals that the information sought from vendors – especially for lines of business – is domain-specific and varies considerably by industry and function. For example, information collected from contract companies servicing ATM machines in the banking industry is not the same as information collected from clinical service providers in the healthcare service industry. These types of core services – ATM in banking and clinical services in healthcare – are but examples of core services outsourced to contractors.

(more…)

The Cone of Silence

Sunday, June 21st, 2015

We live within the cone of silence, at once a vacuum and a deafening sound infecting almost all businesses today: some more than others.

It is especially evident in companies where the boss only hears what he or she wants to hear, not what customers are saying and doing, and where the underlings only tell the boss what he or she wants to hear. It is at its loudest pitch in companies where the boss micromanages everything and yet has no time for anything. The cone of silence is reinforced by incivility and rudeness in the workplace, and driven by ego, overstress, and information overload. An outcome of the cone of silence can be seen when businesses lose their way. The retail sector is replete with examples, the most recent of which includes the American retailer Gap planning to close more than one-fourth of its stores in the coming year.

(more…)

Are Passwords Passé?

Tuesday, August 5th, 2014

Are Passwords Passé?

Now that rainbow tables - see the Rainbow table entry at Wikipedia - are ubiquitous, and breaking passwords with 8 to 10 characters is easily accomplished, one has to conclude the answer to the question is an obvious YES - PASSWORDS are PASSÉ.

In the old days - yesterday for some - the angst over passwords was near an all-time high in regard to the prophylactic benefit they provided organizations.

This can be seen with the seriousness of some organizational policies - sometimes enforced - about password aging, length, changing, required mix of characters and disallowed characters.

As if it mattered!

The policies and procedures governing password usage are still enforced strictly by the security mavens I run into at most firms.

(more…)

Is PCI Dead or Not?

Sunday, March 30th, 2014

Is PCI - the supposed protector of credit card data - dead or not?

Is the Payment Card Industry Data Security Standard dead or not?

Yes and no.

Those who are not familiar with PCI can find out more about it at the PCI Security Standards Council.

PCI - what it does well

PCI is meant to improve security controls for handling sensitive credit card data transferred between users, merchants and back-end systems where credit card data is processed, stored and available.

PCI has a storied history from its inception in 2004.

It has done a good job of instilling the need for more funding, time and attention to implement data security that heretofore relegated security to backwater status in IT.

If you are with a large enterprise, that backwater status no longer exists.

For this we can thank PCI compliance.

Thank you!

But outside of large enterprises, data security is still treated as an IT technologist's backwater, if it exists at all.

PCI - the reality

Unfortunately, all the well-known breaches involving credit cards - most recently the one impacting Target and its customers - have also involved IT systems that passed their PCI compliance audits.

Why?

One of the reasons why PCI compliant systems repeatedly suffered breaches is that the "state" of systems and procedures that passed audits changes from day to day.

The likelihood that what was audited a month ago, three months ago or even six months ago is different from the environment on the day of a hack is pretty high.

Another reason is that hacks go around the seams, including PCI seams that are well published.

Think about it.

The PCI standards for cybersecurity are widely published and well known, especially to hackers.

While the public standards may not be specific building blueprints - so to speak - they offer enough evidence of what to expect, what to look for, and what to avoid, that the defensive home-field advantages implemented with prescribed PCI technical controls are actually an advantage for hackers.

PCI - underlying change

The underlying reason why PCI could be dead is that it relies on the old perimeter security paradigm.

Cloud, mobility and Apps have obliterated the perimeter.

In its wake is an entire lineup of tired saw-horses of security consultants, practitioners and vendors still chipping away at an older generational concept of what stood for "good enough" security that is now dead.

As sure as the age of perimeter security is deprecated, the use of PCI measures and controls will need to undergo its own aging and evolution process.

But make no mistake about it, PCI compliance is not going to stem the tide, and will not provide the desired shield, although it may slow the less capable a bit.

PCI - it's all about change

Once you're beyond the expectation of PCI compliance - and any cyber-focused compliance regime - being good enough data security, you can move onto solving the ever-changing nature of the intelligence and counter-intelligence game that is modern cybersecurity operations today.

Is PCI dead?

The mandates for retail and credit card processing remain with us, while those who are successful have moved beyond PCI for protecting the data covered by the mandates.

Research and the Lamp Post

Wednesday, November 20th, 2013

Is research a lamp post for illumination, or is it something to be used as a support by kids who have been drinking too much Kool-Aid?

David Ogilvy of advertising fame was also a trained researcher who once said, "I notice increasing reluctance on the part of marketing executives to use judgement; they are coming to rely too much on research, and they use it as a drunkard uses a lamp post for support rather than for illumination."

Has much changed since David said this?

Today's Lamp Posts

David practiced at Gallup between 1938 and 1948, and then at Ogilvy and Mather between '49 and '73.

Although David came out of retirement in the late Nineties, the world had changed by then, and it has changed enormously since.

Long gone are the days when there is an internal staff trained and versed in the ways of conducting and analyzing research.

Instead, today we see untrained people fielding online surveys that are convenient to launch, convenient to field, and convenient to assume the results have meaning: especially when we are looking for confirmation of our beliefs.

Research as a discipline has been replaced by "research buyers" who don't know the difference between good and bad research.

And it does not matter if the purpose of the "buy" is to confirm preexisting biases.

Finding Illumination

If you are to get beyond this, it will take informed buyers to know what is good or bad research, what is secondary or primary research, and what is opinion versus pure conjecture and spin.

If there's any hope, there are some industries that "get it right" more often than others.

And there may be some hope in using analysis of "big data" streams, especially where the sampling lends itself to these new sources of information.

Even so, it will serve us well to continually ask whether we're holding up the lamp post or using it to illuminate the path.

In the meantime, you should always be asking tough questions about populations involved in the research, the methods employed, comparisons with null sets, and other annoyances if you want illumination.

NPS Fantasy Land!

Monday, May 27th, 2013

I've been struck by the zealotry surrounding the wonders of NPS (Net Promoter Scores) for a number of years now.

Opining all manner of solutions to most business ailments, promoters of NPS have made in-roads across most American businesses, to the point that "the system" is now regarded by CEOs as truth unveiled.

NPS and Fantasy Land

Nothing could be further from the truth. The reality is that the mathematics - and the methods - behind NPS are pure fantasy.

NPS asks one simple question, "Would you recommend ABC to your friends?" The promoters of NPS espouse that the higher your score, the more likely you will experience stellar growth in your business.

I've seen large and small businesses alike fall for this stuff over the years and have not seen one of them leverage the money spent on NPS into improved customer loyalty, improved customer satisfaction, improvements to customer expectations, or into improvements in revenue or profit.

Moreover, the population distributions, assumptions and mathematics behind NPS are riven with unrealistic expectations. If the collection of data for any NPS survey is random you would not see the distributions required to even achieve breakeven NPS scores.

In fact, I've seen many NPS programs where customers are hand-picked by employees who have a built-in conflict of interest in selecting the ones who will yield the highest scores.

Assuming the customer selection process were random, a majority of respondents will say that "5" on a 10 point scale is average.

But the math of NPS skews the distribution such that only 9s and 10s count as "promoters", all 7s and 8s are thrown out, and all scores between 1 and 6 count as "detractors". Subtract the "detractors" scoring 1 through 6 from the "promoters" scoring 9 and 10, and voila, you have the magic NPS number.

The only thing you might be able to infer about those casting ballots between "1 and 6" is that they will probably not promote your company or its products. But this is a far cry from assuming all of these people will go out and tell their friend to expressly not do business with your company.

The relevant questions are not asked: "Did you dissuade your friends from doing business with our company?" and "Did you recommend our company to your friends?" You only asked if they "WOULD" recommend. Any other inferences cannot be assumed and are not borne out by empirical evidence.

Probability and NPS

Moreover, the mathematical unreality of NPS is its underlying problem. The probabilities of ballots being cast on the 1-to-10 scale, with 5 being the perceived mid-point by almost all people, are:

  • 10% for "9s and 10s"
  • 20% for "7s and 8s"
  • 70% for "1s to 6s"

This results in hitting a negative 50 percent - on average - for NPS scores which is where most organizations start their journey. Surprise - surprise - surprise, customers are saying that 5 is average on a 10 point scale!

Adding insult to injury, the businesses that see these results - especially the CEOs - take the negative numbers personally and then completely torque their organizations for years trying to achieve positive NPS scores.

To achieve breakeven for NPS, unrealistic distributions such as the following have to be achieved:

Detractors    Neutral    Promoters
    50           0           50
    40          20           40
    30          40           30
    20          60           20
    10          80           10

Hitting these skewed distributions is only possible when the process of collecting the data is not representative of your customers!

So, what problems are you really trying to solve?

  • Are you trying to have a number you can crow about to your pals on the golf course? - Then plow ahead with NPS.
  • Are you trying to understand what the range of your customers' expectations is? - Then look to something else.
  • Are you trying to sell more applesauce to the customers who buy apples? - Then look to something else.
  • Are you trying to sell more oranges to new customers interested in fruit? - Then look to something else.

It's simply amazing how the desire to make business decisions based on a single number can have such an impact on organizations. But then we've seen this movie play out in the financial services sector with the use of VaR, haven't we?

As a species we learn the hard way.

The Human Microbiome

Wednesday, May 22nd, 2013

Did you know about the latest research being done on the human microbiome?

If not, don't worry, you're not alone.

Even many of my biochemistry friends have never heard about it.

There's an NIH (National Institutes of Health in the US) funded, five-year study focused on the impact of the microbiome on the health and disease states of people.

Should you care?

Read on.

What's a microbiome?

What is this "microbiome", you ask? It's the microbial cells that live with us, all over us, and in us, and that appear to have an impact on everything from our health to our DNA. These little cells are not exactly bacteria either, but another class of beings known as archaea.

The microbiome taking up residence with you may weigh as little as half a pound, or as much as three pounds. The little critters appear to be involved in everything from our genetics to our health, mental states and capacities; and they've been living under our noses (or should I say in our noses) without our even being aware of them until late into the 20th century.

The research being completed is fascinating and indicative of much more that needs to be learned.

Additional resources:

NIH funded research at http://www.hmpdacc.org/

Microbiome Journal at http://www.microbiomejournal.com/

Overview at The New York Times at http://www.nytimes.com/2013/05/19/magazine/say-hello-to-the-100-trillion-bacteria-that-make-up-your-microbiome.html?pagewanted=all&_r=0

Heart Disease at The Economist at http://www.economist.com/news/science-and-technology/21576062-hardening-arteries-may-be-caused-malign-interaction-meat-eating-and

Archaea at Microbe World at http://www.microbeworld.org/types-of-microbes/archaea

What’s Your Bliss Point

Sunday, May 5th, 2013

Bliss Point - in economics - is the quantity of consumption beyond which any further increase in consumption becomes less satisfying. Bliss Point is associated with maximizing desires and wants in the absence of any cost or spending restraints - such that beyond some point where desires and wants have been satisfied, pleasure becomes less and less fulfilled and eventually becomes boring.

Bliss Point in the Food Industry

This same term - Bliss Point - is used by the processed food industry to engineer the formulations of three critical ingredients - salt, sugar and fat - to deliver just the right amount of palatability to achieve hedonistic pursuit of food, independent of hunger levels.

Think of the munchies and you have a good idea of what this means in the extreme. Or think of your daily reflexive grab for potato chips, ice cream, yogurt (yes yogurt, because current sugar levels in these catchy-looking packages are as high as or higher than those in some candy bars), cookies, crackers, pretzels and cheeses.

But Bliss Point, as it's been applied in the world of processed food stuffs, does not depend on unlimited resources to maximize enjoyment. Rather, the processed- and fast-food industries have made it cheaper for consumers to purchase laboratory-invented and assembly-line manufactured food-stuffs based on mixing salt, sugar and fat than it is for consumers to purchase whole foods that have not been adulterated.

The engineered food-masterpieces are optimized to exploit palatability. And palatability - hedonistic-hunger - is shown to be directly related to opioid receptors in the brain, spine and gut: the same opioid receptors stimulated by illicit drugs.

Should salt, sugar and fat be banned as illicit drugs?

Some might make the case for it. Others argue that imposing this stiff a burden on these ingredients and industries is overreach: no one is forcing people to purchase junk food and eat it, after all. But when that's all that's available to you through corner convenience stores in many inner cities, making healthier choices about what to eat may not even be an option.

The medical literature and exhaustive test results make clear that most people should reduce current levels of consumption of salt, sugar and fat in fast- and processed- foods.

Some common problem foods whose nutrition labels are worth checking include those with:

High salt: fast foods, cheese sauces, bread crumbs, baked beans, canned soups

High sugar: dates, candy, pie crust, raisins, milk shakes, yogurts

High fats: fast foods, pie-crusts, cheeses, hamburgers, snack foods

The connection between obesity, diabetes, heart disease, cancers, and a number of other disease conditions and such dietary inputs is documented.

What's your Bliss Point?

What’s Your Magic Number?

Saturday, April 13th, 2013

What's your magic number?

If you've never heard this question or phrase, you've probably been living off-network or away from the developed world for some time. It's a term used by people for different reasons and a variety of meanings.

Numbers

We employ numbers in accounting to maintain financial accounts that assess our current balance among other purposes. We use numbers in educational institutions to assess relative performance levels of students and teachers. Numbers are used to design almost everything man-made and we use numbers to plumb the breadth and depth of the natural world around us.

What is the Magic Number?

But what is this "magic number" thing?

For a business manager it might be the backlog number. For a sales manager it might be the conversion rate, the forecast, and the quarterly "number" that's finally posted upon which commissions are paid.

For a business owner it might be growth rate. For a CEO it might be earnings, return on assets, return on equity, the trading price of stock or the achievement of objectives established with the board.

For a customer service representative the magic number could be the number of calls serviced per hour, time spent on the phone per caller, or the number of successful close-outs per day.

For a lawyer the magic number may be billable hours. For an airline pilot the magic number is likely to be accident-free miles. For a truck driver it's likely to be miles per day between required rest times.

For sports fanatics, the magic number may be the number of games remaining to be won until the home-town team wins a slot in the upcoming post season playoffs. The formula for this magic number looks like:

Magic number = total games - # of wins by 1st place team - # of losses by 2nd place team + 1

In financial risk mathematics, Value at Risk became the magic number to express the total value of a portfolio that could be lost over a certain time horizon. We won't bother to include VaR calculations here; it would require an entire series of blog articles.

Magic Numbers: a reversion to the Mean

With the exception of teams remaining in contention for a playoff spot, almost all magic numbers reflect an arithmetic mean - the average - value for a series of numbers in a given population.

As an "average" value, most magic numbers aren't really magic at all: they simply represent current consensus of the group. There's really nothing "magic" about them other than the magic number is simply the current mean or average.

But, it's the differences in the population - the deviations - at any given time that really are the interesting numbers. Most intriguing of all are the maximum differences between the outliers in a population and how far removed these are from average.

The outliers tell the story

It's the outliers that are really the magic numbers, not the mean. I don't mean the outliers that are so far away from any cluster, but the clusters of numbers that might be two, three, four or more sigma away from the mean.

The outliers tell the stories of "unexpectedly" super levels of performance or of sub-par performance. Or the outliers tell the story of overwhelming evidence of correlation between disease outcomes and causative agents.

Or the outliers reveal financial graft and corruption in the servicing of mortgages. Or outliers reveal the reasons why some organizations continue to be plagued by security breaches resulting in financial damage, public scrutiny and scorn, business downtime or other outcomes.

So the next time you hear the question, "what's the magic number?", think a bit beyond the comfortable box of average, and look for, and then understand, what's behind the fat tails.

Going beyond average to find the magic numbers

The average is not the magic number. Instead it's our way of saying this is the current level of average. For those who want to go beyond average, who want to understand how to improve results, or how to limit risk exposure, going beyond the magic number is necessary to going beyond the contextual level of acceptable mediocrity.

It's the outliers that are really the magic numbers, not the average.

These are really the magic numbers!

What did PT Barnum Say?

Saturday, March 16th, 2013

No one went broke underestimating public taste.

Several of my friends on the supply-side of the industry recently said things like, “Oh, I’ve got four Magic Q’s that I have to deal with in the next few months.” Another said, “You won’t believe what we’re spending on this”, referring to the total price of dealing with the supplier of the Magic Q Pageant.

And a Pageant it is, but more of a beauty queen affair than anything else. There might be 10, 15 or 20 entrants in any one contest for a Ms Firewall, Mr BI Platform, Ms Data Warehouse, Mr Ant Trap, or whatever other award will attract enough suppliers gullible enough to fork over good money for these blue ribbons. The ribbons are quickly forgotten until the next year and are largely ignored by the tech buyers who spend the most money on hardware and software.

The demand for these beauty prizes does not come from large enterprises. Managers of IT in these organizations will tell you directly, “I’d be fired if I used them as a reason for my recommendation”, and “Heck no we don’t use them (the vendor of the Magic Q’s), they (his bosses) are paying me to make these calls.”

So where does the demand come from?

Some of the demand comes from midsize and smaller businesses, neither of which has the staffing to “make the calls” or the recommendations, and which are following the leaders in their industries. These are also the same people who send staff to this vendor’s conferences to learn about an area of technology that is new to them. And some of the demand is fed by an unknowing press and media who just love entertainment and so-called “news” to sell adverts, especially online. And that’s just what the Magic Q’s are, an expensive form of entertainment. But most of the demand comes from, and is fed in large part by, the industry that pays for these silly blue ribbons – the suppliers themselves, which explains why so many buyers ignore these blue ribbons.

Where else does the demand come from?

You might not believe it, but it also comes from sales functions within supplier organizations that use their inability to sell a product that didn’t make it into the Magic Q as the reason they lost the big order, when in fact the loss of the order has nothing to do with it. It’s just another sales gimmick that I’ve seen too many organizations fall for, and any sales or general manager dumb enough to fall for this line deserves what’s coming to them.

And of course there’s push-based reinforcement from the supply-side itself, the industry entertainers (oops, the “analysts”) who take this side show seriously and then honestly believe they are making a contribution to society.

Expensive entertainment

As mentioned, the Magic Q’s are expensive entertainment. It’s quite amazing that the take generated from this nonsense is nearly one percent of all spending on enterprise hardware and software purchased each year. Beyond the cost of vying for one of the Magic Q spots are the costs of turning puffery into press releases, the costs of advertising, additional labor costs to manage the Magic Q game, and labor costs to respond to and support it.

Then there’s the indirect but more consequential cost of lost opportunity as suppliers put a stranglehold on customer-led improvement in their products in favor of Magic Q-led change that will lead to more favorable treatment in the beauty pageant to be held next year. Then there’s the cost of inflated acquisition prices paid for a takeover that is associated with one or more Magic Qs owned by the target.

Everyone on the supply side now uniformly questions why they continue spending good money on the carnival side-show called the Magic Q, but they continue to spend the money and then push these puffed-up blue ribbons as though they meant anything. Perhaps they do it out of habit, perhaps from fear, perhaps from peer pressure, perhaps from a lack of confidence, and perhaps because there appears to be no alternative.

It’s long overdue for the Magic Q to be replaced or retired.

It’s time to “just say no” and start paying attention to customers instead of paying attention to the Magic Q. Perhaps the one percent uplift in ticket prices could be plowed back into more productive purposes.

Now what was it that PT Barnum said was born every minute?