How About Those Hidden Costs?

Usually, when a business owner draws up a budget or a forecast, they try to gather all of the information necessary to make a decision. So they check as many costs as they can, see which ones they can control, see how they can turn a profit, and move in the right direction. Sadly, not all business directors (or, really, many people who try to look at their costs) can find all of the costs. At times, they can’t see how some costs affect their business. Or they don’t see the costs at all. The reason is often that they can’t look at the costs at different levels.

Let’s take the cost of food. Many will say that the cost of food has increased. I have heard that it’s less expensive to eat out than it is to buy your own ingredients. But this is not always the case. A person can buy the ingredients and choose the size of the portions which go into the meal. Unlike a restaurant, where portion sizes tend to be fixed (or even decrease after about a year), a home cook can just throw in a few units of an ingredient and have a meal. Heck, when I’m cooking something from a recipe, I always slash the quantities the recipe calls for and go with half the amount. I can save the ingredients for another day, or even make leftovers. But saving on the quantity of ingredients and food is only one part of the picture.

In a recent article on the BBC, it was said that an American woman in the 50s and 60s would spend hours in the kitchen preparing meals. Not all of these women were average; some were highly educated and came from well-to-do families. Food preparation in the home was simply the usual thing to do. But in the 60s, prepared foods, like TV dinners, came on to the scene, and mothers spent less and less time in the kitchen. So is this a good thing? Again, it depends on your perspective.

Now that people don’t need to spend so much time in the kitchen, they are freed up to do other things. Things such as eating out, which is what many people do. The BBC article says that Americans spend more on food and drink outside of the home than inside the home. So when a family looks at their grocery bill and gasps at how high it is, they usually don’t contrast it with how expensive eating out can be. The food that the restaurant makes is usually great, but that comes at a high cost, too. The restaurant’s cost to acquire that food varies, but it may be lower than the cost of buying it at the grocery store (oftentimes, it is). The restaurant, though, has to add in the cost of many other things, such as labor and rent, because it needs to turn a profit.

How does this relate to other businesses? The metrics a business uses to determine how costly something is may be only one way of seeing it. For instance, a company may look at how much power its servers use, which is usually measured in watts per hour. This metric can be used to decide whether to buy servers or to outsource them (perhaps to a cloud service). While this is a perfectly good metric, another one to consider is how many outages the proposed provider has had at its datacenter, and how it has handled those outages. One other metric (albeit a more involved one) is the cost of moving the company’s data out once the contract with the provider has ended. These are just some examples of how a company should look at possible costs differently.

Please note that I’m not saying that the decision-makers at companies fail to take many costs into consideration. Ideally, they will take all of the important costs into consideration. The problem is working out which costs really matter, and what the company can do about them.

Newer Ways of Audit Reporting on Third Party Companies

I went to a recent meeting of the North Texas chapter of ISACA, and there was a presentation on SSAE 18. For those of you who don’t know, SSAE 18 supersedes SSAE 16 and consolidates Service Organization Controls reporting into something more manageable. Here, I’ll talk about what I’ve learned about SSAE 18, SOC 1, and SOC 2.

In SSAE 18, more emphasis has been put on testing the design of controls at subservice organizations (i.e. third parties to which the organization has contracted out some process) and on whether they are doing what they are supposed to be doing. The auditor, through Service Organization Control (SOC) reporting, has to report on the effective use of these controls. In the case of a SOC 1 report, they would assist in testing the controls as they pertain to the financial statements. With SOC 2, the auditor reports on the controls with regard to security, availability, integrity, and confidentiality.

Now the auditor has to look for things such as complementary user entity controls, which are the controls that the subservice organization assumes are in place at the user entity. The auditor will have to look at the reports the subservice company sends to the main organization, and see whether the organization is actually verifying the information in those reports. For instance, the auditor will have to see that system-generated reports are being validated by the users of those reports. The processing integrity principle will be used heavily in this situation.

This audit will look at how management has chosen suitable criteria for the control, and how well they’ve measured the subject matter (note that “subject matter” here means the risk relevant to entities using the subservice company). So an auditor will look at whether the risk is related to the entity’s business with the subservice company, then check the metrics of the current control, and see whether they are actually related to the control.

Learning About Setting Controls for I.T. Assets

In my pursuit to get into the information technology (IT) audit field, I must learn about setting controls for securing IT assets, minimizing risk, and eventually testing that those controls work. In major organizations where information flows constantly and is used to advance the organization’s goals, ensuring that information and knowledge are accurate, intact, timely, and secure is important. To secure them, though, management must know how this information and knowledge can be lost. Once they understand this, controls must be put into place to prevent this loss. But management cannot always safeguard these assets on its own.

As a company moves along in its financial year, these controls can break down. For example, backups can be corrupted (losing information), and employees may leave the company (thus losing knowledge). So it is also good to reassess whether these controls are working as intended. This is where the IT auditor steps in, to evaluate these controls and see to it that they continue to do the job.

Though I know of some ways of testing these controls (e.g. vouching, interviews, and walkthroughs), I have never carried them out. All I have done is study them. While studying textbooks is fine, some would say the true teacher is experience, and I have not had that experience. For the most part, I have managed a couple of websites (this one included) with the aim of keeping them from being hacked. I have put controls in place to ensure that my website is not compromised. But to make sure they work, I must turn to someone who has experience in managing a website. Not just that, but an IT auditor who will teach me exactly what to do so that this website is not damaged. Eventually, I would learn enough from them that, when I am on an audit engagement, I can ensure that the company’s valuable assets are kept safe.

Dealing With the Internet of Things

The other day, I attended a meeting of the North Texas chapter of ISACA. There, the information technology veteran Austin Hutton gave a presentation on the dangers of the Internet of Things (IoT). I have written before about the IoT and how it can be used to devastating effect. One of the problems that Hutton talked about is that there are more IoT devices than there are people on earth. Thousands are being manufactured and sold each day, and each one of these devices can be hacked to assist in an attack. And the problem is getting bigger.

Most of those devices were poorly designed, and thus have no way of being updated. The companies who make these devices have thin profit margins, so they cannot afford to make them secure. In some cases, the manufacturer buys the chips from other companies, so it is not directly responsible for their security. The average IoT device can be easily hacked: a number of them have easy-to-crack passwords, or have flaws that were not detected when they were being designed. There are even programs which can auto-hack some of these devices. All the hacker needs to do is learn the make and model of the IoT device, select the program, sit back, and gain control over it. And even devices which are used as intended may be doing something illegal.

Hutton gave the example of a Tempur-Pedic bed which can send the user’s data back to Tempur-Pedic for analysis so as to improve the user’s experience. He then gave the example of someone else (specifically, his 14-year-old granddaughter) sleeping in the bed, and her data being sent to Tempur-Pedic without her permission. This can be considered breaking the law because she’s a minor. How would that situation be resolved? How can we at least minimize the damage from IoT devices?

For one, education. Though companies are really selling the convenience of IoT devices, consumers must learn how harmful IoT devices can be. The public needs to learn that these devices can be used to cause harm to our cities, and possibly to themselves. Recently, the business of a utilities company in Finland was disrupted by a DDoS attack, resulting in the heating for their customers being disabled. What if it had been the smart thermostats of many of their customers getting hacked? The attacker could lower the temperatures in these houses, or disable the thermostats, which would be a dangerous situation for homes in Finland during the winter. How else could these devices be attacked? An attendee at the meeting, David Hayes of Verizon, had one other scenario.

There are utility companies in North America and Europe that use supervisory control systems (SCADA) which can remotely control machines vital to a functioning city (one example is the water pumps which keep drinking water flowing through the city). What if, Hayes suggested, a hacker takes control of these pumps and threatens to take them offline, or even to overwork them to the point of destroying them, unless he is paid $100,000? Now we’re starting to see the cost of this problem. This cost will only increase as malicious hackers devise ways of misusing these IoT devices.

Another way we can minimize the damage from IoT devices is to ensure that your IoT devices can be modified such that only you can control them. If you can change the password, do it. Check that a default root password hasn’t been hardcoded into the device. If you can, find a device that can be updated (though few IoT devices have the capacity to be updated). On the government side, we’re going to need some form of oversight. For instance, no IoT device bought by the government should lack the ability to be updated. How about current IoT devices? There is little we can do about them. If we’re dependent on them, then it’s going to be difficult to replace them. Maybe for the average person it’s easy to change their IoT lightbulbs. But how can a maintenance manager at a company tell his bosses that, because of the threats these IoT devices pose to the security of the company, they all have to be changed? How much will that cost?
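The three checks above (has the default password been changed, is a root password hardcoded, can the firmware be updated) are exactly the kind of thing a maintenance manager can run over an asset inventory to answer the cost question. The script below is an added example and not code from the post or from the ISACA presentation; the device inventory, the field names and the replacement costs are constructed sample data, not real products or prices. It classifies each device as fine, fixable in place, or only fixable by replacement, and totals the replacement cost.

```python
"""Added example: audit a constructed IoT device inventory against three
controls from the post (default password changed, no hardcoded root password,
firmware updatable) and estimate what replacing the failing units would cost.
"""
from dataclasses import dataclass


@dataclass
class Device:
    name: str
    default_password_changed: bool   # control 1: default credentials replaced
    hardcoded_root_password: bool    # control 2: vendor root password baked in
    firmware_updatable: bool         # control 3: device can receive patches
    replacement_cost_usd: int        # hypothetical cost to swap the unit out


# Constructed sample inventory (hypothetical names and costs).
INVENTORY = [
    Device("thermostat-1", True, False, True, 150),
    Device("camera-1", False, False, True, 80),
    Device("lightbulb-3", True, False, False, 20),
    Device("gateway-2", False, True, False, 300),
]


def audit_device(device: Device) -> list[str]:
    """Return one finding per failed control (empty list means all pass)."""
    findings = []
    if not device.default_password_changed:
        findings.append("default password still in use: change it")
    if device.hardcoded_root_password:
        findings.append("hardcoded root password: cannot be removed in the field")
    if not device.firmware_updatable:
        findings.append("no firmware update path: known flaws cannot be patched")
    return findings


def classify(device: Device) -> str:
    """'ok' if every control passes, 'remediate' if the owner can fix it
    (a password change), 'replace' if only swapping the unit removes the risk."""
    if not audit_device(device):
        return "ok"
    # A hardcoded root password or a device that cannot take updates is a
    # defect the owner cannot correct; the post's conclusion is replacement.
    if device.hardcoded_root_password or not device.firmware_updatable:
        return "replace"
    return "remediate"


def audit_inventory(devices: list[Device]) -> tuple[dict[str, list[str]], int]:
    """Group device names by outcome and total the cost of the 'replace' set."""
    report: dict[str, list[str]] = {"ok": [], "remediate": [], "replace": []}
    replacement_total = 0
    for device in devices:
        outcome = classify(device)
        report[outcome].append(device.name)
        if outcome == "replace":
            replacement_total += device.replacement_cost_usd
    return report, replacement_total


if __name__ == "__main__":
    summary, total = audit_inventory(INVENTORY)
    for outcome, names in summary.items():
        print(f"{outcome:>9}: {', '.join(names) or '-'}")
    for device in INVENTORY:
        for finding in audit_device(device):
            print(f"  {device.name}: {finding}")
    print(f"estimated replacement cost: ${total}")
```

The split between "remediate" and "replace" is the point a manager needs when going to the bosses: a stale default password is a work order, whereas a hardcoded root password or a device with no update path stays vulnerable until the hardware is gone, so only that second group goes into the cost figure.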

This problem will only grow as more hacked IoT devices are used to facilitate these attacks. It is imperative that it be addressed now, rather than waiting for some catastrophe to occur and put the lives of thousands at risk.

The Nintendo Switch™: Is this the success Nintendo needs?

So Nintendo has shown off their next console: the Nintendo Switch™.

This machine is a touchscreen with detachable controllers called Joy-Cons. A user can either play it while the device is connected to the TV, or take it out of the dock and play games on the go. The device has a number of controller options, including the Joy-Con controllers, the Nintendo Switch Pro controller, and just the touchscreen. The whole display will be in full high-definition, and will probably support multi-touch. It has been reported that the device has an Nvidia Tegra GPU in it, so Nintendo has switched (no pun intended) to a new graphics chip maker and has moved on from ATI/AMD. It also looks as though the device supports cards similar to those used in the 3DS, but I’m sure it has on-board storage as well. Now I need to ask the question: why should I care about this device? I already have a PC which can play a number of games quite easily (maybe not the most recent games at the highest settings), as well as a good mobile phone and tablet. So for the most part, I’m not interested. There are a good number of publishers who are saying they will support the Switch. But what will they actually release on the device? My guess is that, at first, they will release ports for the device (or games that have been remastered). But then what? Would Bethesda release the next Elder Scrolls game on the Switch? It’s unlikely, considering that they’ll probably release it for the PS4 and Xbone, and of course they’ll have a PC version. Maybe they’ll make a smaller version, or perhaps they’ll release the mobile version on the Switch. If that were to happen, though, why would anyone care? Couldn’t a user just play the mobile version on their phone or tablet? How would that version be different? Bethesda may release an Elder Scrolls game on the Switch, but it won’t be the version found on the other consoles, that’s for certain.

How about other parts of the device? Will it have specs comparable to the PS4 and the Xbone? Probably, but those two consoles already have upgraded versions on the way. It’s true that they won’t be huge improvements over the originals (supposedly, the PS4k will have support for 4k televisions and be capable of running most games at 60FPS, but that’s it), but they still have specs that some big developers will like. How about the development environment for the Nintendo Switch? Can one easily take their Steam game and port it over to the Switch? There were a large number of indie developers who really wanted to port their games over to the Wii U. But the hardware was just too different from the hardware they were familiar with to justify a port. Thankfully, a number of games (such as Axiom Verge) did make it to the Wii U. But is this enough to keep the new console afloat?

Other big developers who have pledged support include the old vanguard of Sega, Capcom, and Square-Enix. These three are laughable, as they have been hemorrhaging money for years. Sega has lost millions over the past few years (though more recently they have rebounded), Capcom has only been kept afloat by Street Fighter and old re-releases of Mega Man and Resident Evil, and Square-Enix has seen marginal returns on their mobile phone offerings (don’t even get me started on Final Fantasy). What are they going to release on the Nintendo Switch? How are they going to take advantage of the device? Probably in the same way as on the Wii: release only a small number of games, some re-releases, as well as “test” games, and see whether they are a success. So it’s unlikely we’ll see big games from these developers (although the remake of Final Fantasy 7 does not seem far-fetched. Twenty years too late, is what I think). Other developers include Konami, Activision, and Electronic Arts, but I really doubt they will release anything worthwhile on the Switch.

There are other developers who do look promising. Platinum Games is making something, and given their track record with Nintendo, they’ll probably make some great content. Others include From Software, but my guess is that they’ll port over Dark Souls or Bloodborne, so nothing new there. Another developer on the list is Nippon Ichi, most famous for their Disgaea games. What they’ll have is anyone’s guess. Then there’s Epic Games. That one is a bit of an enigma: why would they develop for the device? Why would they care? I have not a clue what they would make for the Nintendo Switch.

All of this information is wonderful, but the public needs to know other things. As I have mentioned, it needs to have specs similar to the competition, but what the final specs will be is still unknown. How will the games be played on it? Will they all use cards, or will discs be supported? What are the online capabilities of the Switch? Since this is Nintendo we’re dealing with, we know they won’t be as good as the competition’s (probably little voice support, a gimped messaging system, and no online friends group support). I’m sure the Switch will be region-free (even Iwata talked about this), so that will be a welcome addition. But all of this will mean nothing if the software and feature support isn’t solid.

We’ve seen the list of developers who are supporting the Switch, but what other features will it have? In time, those will be revealed. But is this a sign that Nintendo is different, that they will listen to their fans, and possibly make the games that some of their fans want? It’s impossible to please all of the fans, but there has been huge criticism of major Nintendo games over the past year. Star Fox Zero was critically panned, and Super Paper Mario: Color Splash was also criticized. Let’s not forget how different Metroid Prime: Federation Force is from other Metroid games. So how is management going to be different for the Switch? Will they be more willing to support third party developers (and I’m talking about actually throwing money at them to develop exclusive content for the Switch, as well as helping them develop the games)? Will they make their online system more open to those consumers who just want to freely converse and play with other, different users? Will they allow users a little bit of freedom in Miiverse, to show content that may be a bit more grown-up? Of course, there would still be moderators. It is doubtful, as Nintendo’s management has changed little since Iwata’s passing.

I feel that, if Nintendo really wants to recapture the consumers they lost to the competition, they will have to change some of the leadership at the top. Even though they got a new president, mostly what has changed is which departments the current management looks over (most of the titles changed to “deputy <title>”, so they have a deputy director of marketing. I guess they became deputies when they got a new sheriff in town). It’s true that Nintendo has been bringing younger developers into the company, and did try to find a younger president. But their leadership cannot be made up of people who haven’t been able to turn around their sales over the past few years. “A problem cannot be solved with the same level of thinking that created it,” as Einstein once said.

Is it too early to say whether this will be a big-selling machine? Possibly. But if Nintendo’s track record, their current corporate structure, and the list of developers are anything to go by, it’s doubtful that the Switch will be a best-selling machine five years down the line.