Dan Brody Chief Information and Technology Officer CITO


The Google Phishing Attack

google_scam.pngOn May 3, 2017, a massive phishing attack targeted Google Docs, and anyone with a Gmail account was a potential victim. Luckily, Google was able to quickly shut down the attack with only 0.1% of Gmail users being affected. However, this sophisticated phishing attack shows the savviness of hackers and their ability to trick even the world’s most technically advanced companies.

Attack Breakdown

This was no ordinary phishing attack. Normally, a phishing attack sends users to a fake website to deceive them into typing their password or other compromising data, giving the hacker access to any sensitive information. The phishing emails were designed to look as though they were a Google Doc sharing invite. When the user clicked, they were taken to a fake Google page that asked them for permissions to access the Doc. If users granted permission (see  example image to the right) for the app, the hackers had the opportunity to gain access to the user’s account.

The hackers were successful in their attack by using the OAuth protocol, which is a way for users to authorize websites, like Google, Facebook and Twitter, to access their information. OAuth does not share password information; instead, it uses special access tokens. In this case, the hackers built their own Google Docs app to gain access to the account. By granting the fake app permission, the users unknowingly gave the hackers access, all without requiring a password.

What Can You Do

While only 0.1% of Google’s 1 billion users were affected before Google shut down the attack, it is important to know what to look for to prevent your users from falling victim to a phishing scam.

  1. Avoid suspicious-looking emails;  many phishing attacks come in email attachments or links.
  2. If you are unsure about an email, look at who it is “From” before opening it. Better yet, examine the email headers to verify the sender and domain.
  3. Never open an email attachment from someone you don’t know.
  4. Check the permissions your third-party apps have on your browser.

If you think your users have fallen for the Google phishing scam, you can revoke the app’s access to their accounts. Google has already taken steps to ensure everyone affected is no longer vulnerable to hackers.



What Is Amazon Go? What It Means Its Competitors?


  • Amazon announced the launch of Amazon Go, an automated, checkout-free convenience store in Seattle, Washington, powered by technologies such as computer vision, sensor fusion, and deep learning.
  • The store is currently being beta tested by company employees before opening to the public in early 2017. Products found at Amazon Go include ready-to-eat meals and snacks prepared by on-site chefs.
  • In this note, we comment on what the launch of the store means for Amazon as well as the grocery industry in the US

amazongo-e1480951426599Amazon Go, Amazon’s “checkout-free” convenience store, is the newest innovation from Amazon, and it has generated considerable interest since the news of the store’s launch was released. Described as running the “world’s most advanced shopping technology,” this innovative concept has the potential to revolutionize the brick-and-mortar retail experience, bridging the digital and physical worlds, and creating unprecedented convenience for the consumer.

A Huge Opportunity for Amazon

If the “Just Walkout Technology” that integrates into Amazon Go proves to be a success after its pilot run, it could have significant implications for Amazon, such as the following:

More consumer data will lead to better shopping recommendations: Amazon known for its ability to gather and use data to offer an ever-improving customer experience. When shopping for convenience purchases and food, people inherently shop differently than when doing so online. Why a brick-and-mortar convenience store is a new consumer touchpoint for Amazon and one that is inherently different from online shopping. Having access to data from the store will likely enable Amazon to provide even better shopping recommendations to its shoppers.

Feed into Amazon’s AWS business: The technology powering Amazon Go will likely become a commodity sooner rather than later, and Amazon can choose to offer it to other retailers as a complement to its Amazon Web Services (AWS), which include cloud-computing services, analytics, and marketplace platforms.

Play into health and wellness: As Amazon Go sells primarily meal kits and ready-to-eat snacks, Amazon will, in fact, be collecting data on people’s food consumption and nutrition habits. We see this as an attractive opportunity to develop original products or integrate data with existing wearables that track fitness and health to offer a convenient 360 wellness-monitoring solution.

What it Means for the Industry

The news of Amazon Go’s launch is coming at a time when Walmart is piloting a new store concept—the Pickup and Fuel concept—that offers same-day pickup for groceries ordered online and on the back of news that Amazon is planning the launch of its grocery-store pilot program.

US market looks set to boom, as average basket sizes get pushed up, and retailers become more aggressive in their e-commerce offerings. While Amazon Go will likely not have an immediate impact on the market, we see the launch of the store as an industry catalyst that will likely stir up the competition to deploy technology in brick-and-mortar spaces and ramp up e-commerce efforts even further.


Amazon Go is a 1,800 square-foot convenience store located at 2131 7th Ave in Seattle, Washington. The store is open only to Amazon employees during a beta-testing program, but the company has announced that it will open to the public in early 2017. The products sold at the store include bread, milk, cheese, chocolate and ready-to-eat meals and snacks prepared by on-site chefs.


The video that Amazon released on YouTube describes the Amazon Go technology as the “world’s most advanced shopping technology.” According to the company, the store and shelves equipped with computer vision, sensor fusion, and deep learning.

To be able to shop at Amazon Go, shoppers need to download and log-in to the Amazon Go app, which provides them with a QR code they scan when entering the store. Shoppers are then allowed to pick up and return items freely from the shelves. Amazon’s technology detects customers when they walk out of the store and charges their purchases to their Amazon account. There are no checkouts, cashiers or physical payments.

A2 Hosting How To Upgrade to Ubuntu 16.04 LTS

logoI recently started using a virtual private server VPS over at A2-Hosting. I always seem to need a server to experiment with that behaves more like a bare-metal machine than a shared cloud server.

The A2-Hosting VPS come with different versions of Linux I chose Ubuntu 14.04 LTS wich is the most current version that A2 provides. My lab was to test the latest beta release of Microsoft SQL on Linux. MSSQL requires the latest version of Ubuntu 16.04 LTS and at least 4GB ram. So we need to upgrade from 14.04 to 16.04, here is how you do it.

The Ubuntu operating system's next Long Term Support release, version 16.04 (Xenial Xerus). First, let me say that you should do this on a clean VPS that has not been used for anything else yet.  Because we are on 14.04 we will have to go through two stage upgrade 14.04 -> 15.04 -> 16.04. Follow these steps and you will be fine.

Step 1 – Upgrade Currently Installed Packages to Wily 15.04

Note that you are login into the A2 VPS as root with information provided on the A2 Services Screen  [Portal Home / Client Area / My Products & Services / Product Details] Before beginning the release upgrade, it's safest to install the latest versions of all packages for the current release. Begin by updating the package list:

apt-get update

Next, upgrade installed packages to their latest available versions:

apt-get upgrade

You will be shown a list of upgrades and prompted to continue. Answer y for yes and press Enter.

This process may take some time. I am also partial to VIM editor but you can use the standard VI editor if you like. You will nee into install VIM if you would like to use it like me.

apt-get install VIM

Answer y for yes and press Enter.

I suggest before you change /etc/apt/sources.list file you make a backup

cp /etc/apt/sources.list /etc/apt/sources.list.old

Next, we will edit the file

vim /etc/apt/sources.list

We are going to change "trusty" to "wily"

deb http://archive.ubuntu.com/ubuntu wily main
deb http://archive.ubuntu.com/ubuntu wily-updates main
deb http://security.ubuntu.com/ubuntu wily-security main
deb http://archive.ubuntu.com/ubuntu wily universe
deb http://archive.ubuntu.com/ubuntu wily-updates universe
deb http://archive.canonical.com/ubuntu wily partner

Optional quick way in one-step search and replace

sed -i -e "s/trusty/wily/g" /etc/apt/sources.list

Next, we need to perfrom the upgrade you can do this in one line as bellow.

apt-get update && apt-get dist-upgrade

Step 2 – Upgrade Currently Installed Packages to Xenial 16.04

I suggest before you change /etc/apt/sources.list file you make a backup

cp /etc/apt/sources.list /etc/apt/sources.list.old2

Next, we will edit the file

vim /etc/apt/sources.list

We are going to change "wily" to "xenial"

deb http://archive.ubuntu.com/ubuntu xenial main
deb http://archive.ubuntu.com/ubuntu xenial-updates main
deb http://security.ubuntu.com/ubuntu xenial-security main
deb http://archive.ubuntu.com/ubuntu xenial universe
deb http://archive.ubuntu.com/ubuntu xenial-updates universe
deb http://archive.canonical.com/ubuntu xenial partner

Optional quick way in one-step search and replace

sed -i -e "s/wily/xenial/g" /etc/apt/sources.list

Next, we need to perform the upgrade you can do this in one line as bellow.

apt-get update && apt-get dist-upgrade

Step 3 – Post Upgrade Cleanup on Ubuntu Xenial 16.04

Now that we have completed the upgrades we will want to clean and remove unused packages.

 apt-get autoremove --purge -y;apt-get clean

That easy you can now install your software you want. In our case, we installed Microsoft MSSQL according to the instruction found here https://docs.microsoft.com/en-us/sql/linux/sql-server-linux-setup-ubuntu provided my Microsoft.

After you have installed the mssql server you should be able to run top to see details of the service running.




Healthcare Vertical Networking Overview

The following sections describe the key considerations for the Healthcare Vertical.


The healthcare system needs to protect patient personal medical records and financial information. Securityrich features such as dot1x, MAB, Guest-access (centralized) , CISF (Catalyst Integrated Security Features), and Cisco TrustSec (CTS) are deployed to provide identity-based services securely.

Network Services

The healthcare system must enable traditional and specialized resources in order to provide reliable access and faster delivery of electronic medical records (EMRs), electronic health records (EHRs), and medical and diagnostic lab reports needed for the collaborated care services. Network services such as video delivery and Quality of Experience with Custom QoS and Auto QoS are deployed to allow collaborated care services between lab, doctors, nurses, caregivers, and patient facilities.

Network Virtualization

Optimizing the existing network using technologies such as VRF-Lite, GRE, and Private VLAN helps in effective IP address use, as well as providing the required network segmentation to meet some of the healthcare system’s needs, such as VPN, Guest access, and isolating DMZ servers from each other.

Effective Network Management

Network administrators should be able to efficiently manage and monitor their networks to quickly respond to the dynamic needs of the healthcare system. The administrators could use Cisco-provided tools such as Cisco Prime Infrastructure and WebUI to quickly deploy, manage, monitor, and troubleshoot the end-to-end network.

System & Network Resiliency

The healthcare system and hospital emergency departments cannot afford to have larger downtimes, which calls for strict system and network level resiliency. Stack HA, EtherChannel link-level resiliency, Virtual Switching System (VSS), and First-Hop Redundancy Protocol (FHRP) help in meeting such demands at different levels of the network.

Deployment areas Features
Security Dot1x, MAB, CISF, ACL, guest access, Cisco TrustSec
Network services Multicast, QoS, AutoQoS
Network virtualization VRF-Lite (Virtual Routing and Forwarding), Generic Routing Encapsulation (GRE), Private-VLAN
Efficient network management  Cisco Prime Infrastructure, WebUI, Zenoss
System & network resiliency  EtherChannel, Stack HA, FHRP, VSS


Network Profile

The Healthcare Vertical Profile is designed with the three tier architecture with Hybrid (L2/L3) access.


Site-1 (the left-portion of the topology) represents a block of a Hospital deployment where a Cisco Catalyst 3850 and 3650 are deployed in access layer. The 3850 in the distribution layer is 10G.

Site-2 (the middle portion of the topology) represents another block of the Hospital deployment, where a 3850and 3650 are in the access layer and a 4500 is in the distribution layer.

Site-3 (the right portion of the topology) represents another block of Hospital deployment with Cat4KSUP7E/7LE, 2960X, and 3560CX in the access layer and a Catalyst 4500 in the distribution layer. All sites use common Cat6500 in the core layer. Based on the size of the campus, its geographical location and user-scale, there might be more distribution switches connecting to the core layer.

Table below describes the use cases that were executed on the Healthcare Vertical Profile. These Use cases are divided into buckets of technology areas to show the complete coverage of the deployment scenarios.

These technology buckets are composed of system upgrade, security, optimizing network & traffic, network services, monitoring & troubleshooting, simplified management, and system health monitoring, along with system and network resiliency.

No. Focus Area Use Cases
System Upgrade
1 Upgrade
Network administrator should be able to perform switch upgrade and
downgrade between releases seamlessly.

  • All of the configuration should be migrated seamlessly during the
    upgrade/downgrade operation
  • SW Install, Clean, Expand, Archive Download
Network admin to secure the L2 access against MITM, DOS attacks using
the CISF (Cisco Integrated Security Features)

  • PortSecurity, IPSG, DAI, DHCP snooping
Network admin to deploy input/output PACL, RACL and VACL with large
number of ACEs for various traffic patterns (IPv4)
4 IBNS 2.0 Mode
Network admin wants to deploy endpoint/end-user security using MAB/
Dot1x with IBNS 2.0 Mode (eEdge/new-style).

  • PC behind the Phone: AuthC > Dot1x for the PC and MAB for the Phone, Host mode : Multi-Domain
  • Dot1x, MAB: PCs, Phones. Host Mode: Single Host, Multi-Host, Multi-Auth
  • AuthZ : dACL, Dynamic VLAN
  • Clients spread across open, closed and low impact modes
  • Critical VLAN
  • Re-authentication timers
5 Auth-Manager Mode
Network admin wants to deploy end-point/end-users security using MAB/
Dot1x with Auth-Manager Mode (legacy)

  • PC behind the Phone: AuthC > Dot1x for the PC and MAB for the Phone, Host Mode : Multi-Domain
  • Dot1x, MAB: PCs, Phones. Host mode: Single Host, Multi-Host, Multi-Auth
  • AuthZ : dACL, Dynamic VLAN
  • Clients spread across open, closed and low impact modes
  • Critical VLAN
  • Re-authentication timers
6 Guest-Access
Network admin wants to provide temporary guest access CWA

  • CWA—Self Register Guest Portal
Network Virtual
7 VRF-Lite
Network admin to provide VPN connectivity and optimize the use of IP
address, using the VRF-Lite

  • VRF routing using overlapped IP addresses
Network admin to provide logical isolation between the VPNs and share
dedicated network resources using GRE to provide Guest and Partner

  • Path Isolation between the VPNs using GRE tunnels
9 Private VLAN
Network admin to deploy Private VLAN for efficient IP address aggregation

  • Primary VLAN, Secondary VLAN
  • Isolate port, Community port, Promiscuous port on the physical interface depending on the connected endpoints
Network Services
 10  Multicast Video (Access/Distribution)  Network admin wants to enable and deploy multicast services.

  • V4 & V6 Multicast
  • L2/L3 Multicast video delivery using PIM-SM, PIM-SSM, IGMP/MLD Snooping
  • PIM-SM with static RP, auto-RP, PIM-SSM with static RP
 11  QoS (Access/Distribution) Network admin needs to enhance user experience by ensuring traffic and application delivery using custom QoS policies for trusted/untrusted interfaces.

  • Traffic types: VOIP, Video, Call Control, Transactional Data, Bulk Data, Scavenger
  • Policing Ingress and Priority & BW Management in Egress
  • AutoQoS on certain ports that are connected to endpoints
 Monitoring & Troubleshooting
 12  NetFlow (Access/Distribution)  Enable IT admins to determine network resource usage and capacity planning by monitoring L2/IPv4 traffic flows using Flexible NetFlow

  • Traffic types: L2, IPv4
  • FNFv9, IPFIX-v10
  • Prime Collector
  Simplified Management
 13  Prime-ManageMonitor  Network admin wants to manage and monitor all the devices in the network using Cisco Prime Infrastructure
 14  Prime-SWIM  Network admin should be able to manage images on network devices using Cisco Prime Infrastructure for upgrade/downgrade.
15 Prime-Template  Network admin wants to configure deployment using Cisco Prime Infrastructure.

  • Import and deploy customer specific configuration templates.
  • Schedule configuration for immediate or later deployment.
  • Simplify configuration using config-templates
16 Prime-Troubleshooting  Simple network troubleshooting and debugging for IT admins

  • Monitor & troubleshoot end-end deployment via maps & topologies
  • Monitor network for alarms, syslogs, and traps
  • Troubleshoot network performance using traffic flow monitoring
System Health Monitoring
 17  System Health (Access/Distribution) Monitor system health for CPU usage, memory consumption, and memory leaks during longevity
System & network resiliency, robustness
 18 System Resiliency (Access/Distribution)  Verify system level resiliency during the following events:

  • Active switch failure
  • Standby/Member switch failure
  • EtherChannel member link flaps
19 Network Resiliency (Access/Distribution)  High availability of the network during system failures using:

20 Typical Deployment Events, Triggers (Access/Distribution) Verify that the system holds well and recovers to working condition after the following events are triggered:

  • Config Changes—Add/Remove config snippets, Default-Interface configs
  • Link Flaps, SVI Flaps
  • Clear Counters, Clear ARP, Clear Routes, Clear access-sessions, Clear multicast routes
  • IGMP/MLD Join, Leaves

STARTUPS FOR SOCIAL GOOD Why Social Good Startups Make Sense

  • A startup for social good is an enterprise that applies market-based strategies to achieve a social goal.
  • According to Deloitte, 75% of millennials believe businesses are too fixated on their own agendas and not focused enough on helping to improve society.
  • Zoona is Africa's hottest startup. Offers Emerging Entrepreneurs a platform to provide money transfer and other services to unbanked consumers.
  • A global socially driven ecosystem has emerged to support startups for social good—the system offers funding and community resources to entrepreneurs.

The Startup for Social Good

A social good startup is an enterprise that applies market-based strategies to achieve a social goal. Such startups can be either nonprofit or for-profit organizations, but in this report, we focus on for-profit ventures.

Why Social Good Startups Make Sense

Socially responsible businesses are not a new concept—there has been a push for corporate social responsibility, sustainable business practices and corporate philanthropy over the last few decades. But the emergence of the millennial generation as the largest part of the US labor pool and its growing importance as a consumer demographic have put the spotlight on the social good startup model. The reason can be found in the millennial profile itself. As employees, Millennials are characterized by seeking meaning and impact over financial gain, and as consumers, they are said to be socially minded and passionate about values. The 2015 Deloitte Millennial Survey states that “Millennials overwhelmingly believe that business needs a reset regarding paying as much attention to people and purpose as it does products and profit. Seventy-five percent of Millennials think companies are too fixated on their agendas and not focused enough on helping to improve society.”


Given the millennial profile and beliefs, the social good startup model exhibits benefits in three key business aspects:

  • Marketing and sales: The evolving consumer profile means that more and more customers will be paying attention to product and service attributes beyond price and quality. The Nielsen 2014 Doing Well by Doing Good survey showed that 42% of North American respondents would pay extra for products and services from companies committed to having a positive social and environmental impact.
  • Recruiting: Social good startups can attract committed talent under their mission and values. A 2012 report by the nonprofit organization Net Impact showed that 65% of university students expect to make a difference in future jobs, and 58% would agree to a 15% pay cut to do so.
  • Company culture: Social good companies tend to build close-knit cultures of like-minded individuals united around a cause that goes beyond financial gain. Translating into higher levels of job satisfaction and talent retention.


Is a good example of a profit based company doing good.

www.ilovezoona.com Zoona is Africa's hottest startup. Offers Emerging Entrepreneurs a platform to provide money transfer and other services to unbanked consumers. In Africa, people rely on their extended family and community networks for support to help them pay their school fees, cope with health emergencies, find jobs, and save for their future. These are cash economies with high rates of poverty and unemployment and very little access to formal financial services – but people living in these communities still have dreams, aspirations, and potential to achieve better lives for themselves and their families.

The Pokémon Go Invasion Is Unstoppable


  • With a peak of 26 million active players, Pokémon Go is the most successful mobile game ever in the US, surpassing even Candy Crush Saga at its peak of popularity.
  • The game employs augmented-reality technology to combine live video with computer graphics, encouraging players to go outside and explore their surroundings to find virtual monsters.
  • Retailers are seeing the additional foot traffic the game has generated as a mixed blessing, as not all players are buying in stores, but they can benefit from the phenomenon by offering players “Lures” and “PokéStops” and by supporting teams.


Pokémon Go has experienced wild success since its July 6 launch in the US, becoming the most successful US mobile game ever, despite some minor glitches and server crashes, even surpassing Candy Crush Saga in popularity. There are opportunities for retailers to participate in this huge cultural phenomenon. Some stores and malls are already seeing additional (wanted and, in some cases, unwanted) store traffic as a result of the game’s popularity, and generating revenue from merchandise, but stores near PokéStops can see further benefits by setting up “Lures” to bring players into their stores. And retailers can offer their PokéStops (where players can get Poké Balls to increase their power) and sponsor a team. They can also tie themselves to Pokémon Go via social media.


Pokémon is a video game, originally released in 1995 for the Nintendo Game Boy, in which the player captures and battles tiny monsters called Pokémon, which is a Westernized version of the Japanese phrase for “pocket monster.” The Pokémon Company brings in about $1.5 billion in revenue annually, and the franchise generated revenues of nearly $58 billion through 2015 from sales of more than 200 million video game units. Game creator Satoshi Tajiri has said he loved video games and insect collecting, and so collaborated with game company Nintendo and a graphic designer on the original Pokémon. In all the game’s permutations since its launch in 1995, there has been a total of 722 known species of Pokémon (151 are present in Pokémon Go). The individually named monsters resemble a range of species, from turtles to pigeons to humanoids, and the most famous one is Pikachu, a plump, banana-yellow rodent with rosy cheeks. Game play centers on catching Pokémon and battling others. Players can catch wild Pokémon using Poké Balls or defeat them in a battle to gain experience and learn new moves. Players possess a functional database called a Pokédex, which collects a Pokémon’s data after it has been captured.


The newest version of Pokémon Go runs on smartphones and uses augmented-reality technology to combine images from a phone’s camera with computer graphics of the Pokémon figures. The game generates pictures of the monsters appearing on city streets and in various other real-world locations. The game was developed by Pokémon Co. and Niantic, a spin-off of Google parent Alphabet. While previous versions of Pokémon were video games that ran on handheld devices or consoles, in the mobile version, the player physically moves around the neighborhood to locate Pokémon and “throw” Poké Balls at them to capture them. Players can also participate in battles at PokéGyms, physical locations where players gather to pit their monsters against others and grow their teams. The game was initially released in only six countries—the US, Australia, New Zealand, Germany, the UK and Italy — and was rolled out in another 26 countries on July 16 and in Canada on July
17. The game finally became available in its countries of origin Japan on July 22 and in Hong Kong on July 24.

The Apple App Store includes instructions and a description of the game:

  • Venusar, Charizard, Blastoise, Pikachu and many other Pokémon
    have been discovered on planet Earth!
  • Now’s your chance to discover and capture the Pokémon all around
    you—so get your shoes on, step outside and explore the world
    . You’ll join one of the three teams and battle for the prestige
    and ownership of Gyms with your Pokémon at your side.
  • Pokémon are out there, and you need to find them. As you walk
    around a neighborhood, your smartphone will vibrate when there’s
    a Pokémon nearby. Take aim and throw a Poké Ball… You’ll have to
    stay alert, or it might get away!
  • Search far and wide for Pokémon and items.
  • As you level up, you’ll be able to catch more powerful Pokémon to
    complete your Pokédex. You can add to your collection by hatching
    your Pokémon Eggs based on the distances you walk. Help your
    Pokémon evolve by catching many of the same kind.
  • Take on Gym battles and defend your Gym.
  • As your Charmander evolves to Chameleon and then Charizard,
    you can battle together to defeat a Gym and assign your Pokémon
    to defend it against all comers.
  • It’s time to get moving—your real-life adventures await!

Players who want to capture monsters more quickly can make in-app purchases of PokéCoins (100 PokéCoins cost $0.99; 14,500 cost $99.99), which they can exchange for extra Poké Balls, extra lives and other items.


Where Oh Where Should We Outsource!

There are several options when it comes to building a team and making things scalable. If we want to look at flexibility while maintaining cost, then the first place we should look is at an offshoring option. There is, of course, the possibility of building all the teams here locally and keeping everything under one roof. While this provides maximum control, it does have a higher cost and may not provide as much flexibility as scaling offshore. So let me suggest that we approach things with a hybrid model, allowing the most flexibility, controllable costs, and maximum scalability.

1. Offshoring options

The concept of offshoring a software development project has its place, and it offers opportunities and potential savings. The first is a substantially lower offshore labor rates and the second comes from the theory of elasticity in staffing. However, there are pitfalls to be well aware of before deciding to send our software development offshore. I have more than 15 years of working with outsourcing in various locations around the world. Ensure that we can quickly move to the hybrid model in a cost-effective and secure way. While avoiding many of the pitfalls and horror stories you hear from others.

All too often I do hear from people I know about these pitfalls and horror stories. Why do these companies and projects go awry when the offshore? The basic answer is that they have no idea what they’re doing when it comes to outsourcing and pick up a company that they have not build a long-term relationship and therefore do not have the ability to create a team with a vested interest in their business. They also do not have a local leader who communicates and controls the offshore team.

Here are some essential items that we will discuss in future articles:
• Lower labor rate
• Staffing elasticity
• Language and culture issue
• Non-disclosures and confidentiality
• Project communication

A. Outsourcing Contract Company

i. Working with a contract company provides the maximum flexibility. However, this does have a higher cost because you are relying on someone else to manage your team to the hiring and firing in general administration.
ii. With a high-quality shop and healthy relationships and agreements, this model can be very successful.
iii. The inherent risk is that you’ve allowed a third-party company to gain access to your source code, and they could potentially sell this in competition with you.
iv. Typical rack rate costs are 50% or higher than building our shop. I’ll discuss rates further on.
v. We can also create a dedicated branded team within an existing supplier. I have found this to be a very efficient model.

B. Build our own Offshore Development Center (ODC)

i. This model provides us with a solely dedicated team to our projects and provides protection to our company and our proprietary information.
ii. The team members operate in a separate physical location and are contractually obliged to keep strict confidentiality and nondisclosure.
iii. There are items to consider when setting up our shop, these costs are real-estate, hardware, software, and human resources; additionally, there are regulatory and tax implications to consider.
iv. Because we’re paying employees directly ourselves, we will not incur the multiple markups of labor costs.

2. Offshoring Locations

Since I’ve worked with teams around the world, let us discuss the various options on where to locate our satellite offshore development center.

i. India: Probably the best well-known as a center for outsourcing. India has a fascinating culture when it comes to doing business one has to understand that yes does not always mean that I’m going to do it or that I understand. Some basic language issues are depending on location around the country. Cost do very base on which city you locate an office. While India’s government has improved its efficiencies and dealing with businesses, there still is a very cumbersome bureaucracy.

The distinct advantage as an American or Canadian company is that the rule of law is based on British legal system and is very similar to Canada. Meaning that contracts signed with employees, and leases and other things will be similar to how we do business here. I do have a law office in Mumbai that I’ve used several times and have an excellent reputation.

There is a drawback as far as the image for our company when offshoring in India. Here we can see that the perceived quality is lower than what we can provide here domestically. Let me state that this is perceived quality, not the real quality that we get out of the people we hire.

Labor rates when using an outsourcing company will range from $12 US for QA and testing up to $25 US for mobile development, and these are a per hour cost. Be aware here that costs are rising in India.

ii. Eastern Europe and Russia: if you are looking for very high-quality programmers than this is certainly an option especially when it comes to mathematical and analytical type of programming. Culturally well they say on their face that they aim to please the environment can be very adversarial because of their "I am always right attitude." There are often significant language issues.

Security and the rule of law – is almost nonexistent. Holding a company or individual employees accountable to a North American company is next to impossible.

Labor rates for an outsourcing company range from $20-$50 an hour.

I believe that we would receive a negative perception in the marketplace and with investors if we were outsourcing in Eastern Europe.

iii. Israel: here’s an attractive option for several reasons; 1) The technology perception for investors would be very high as Israel perceived as a leader in almost every technology field. 2) With all the people who have moved to Israel from around the world, there is an advantage to having a truly multilingual development shop. 3) English is the language of business, and a vast majority of the population are English and French speaking. 4) Time zone offset is only six hours.

Security and the rule of law – in Israel we will not have the same level of issues regarding security as we may have in other countries. Based on a British rule of law all agreements would be similar to what we have here in North America.

I believe here that investors in the marketplace would perceive a very high value on having a technology team based in Israel. And it would certainly increase the valuation of the company.

Labor costs will be higher than in India, Eastern Europe, and Russia. Developers paid between $30,000 and $50,000 US per year.I believe that this option is worth investigating

I believe that this option is worth investigating, please contact me to discuss further.

3. Technology ORGANIZATION

Typical IT organization considering companies under rapid growth, I gave some consideration to the product development and information and technology organizational chart. Below is a relatively generic representation for discussion purposes. It does take into account the hybrid development model using both onshore and offshore teams.


My previous article on optimizing outsourcing may also be of assistance. Please see my article http://www.brody.ca/key-optimum-outsourcing/

The Real Threat when they go Phishing


Dealing with the real threat posed by Spam and Phishing

Phishing attacks, or email-based scams, are one of the most popular ways hackers infiltrate networks. Using phishing attack, a cybercriminal can steal data, hold information, for ransom or conduct corporate espionage.

Gone Phishing

Spam and hacks targeting email have neem around for decades, but they remain surprisingly effective.

  • Business users receive between 12 to 14 spam emails a day on average.
  • Over 100 million phishing attacks occur daily.
  • Around 90% of companies have experienced a phishing attack in the past 12 months.
  • About 28% of spear phishing attacks can circumvent existing cybersecurity defenses.

The True Cost of Phishing

Cybercriminals keep turning to phishing because these attacks can yield major paydays.

  • Spear phishing incidents cost victimized organizations 1.6 million on average.
  • 19% of SMBs were successfully breached through phishing. Small business lost $9,000 per hack, and 60% of SMBs go out of business after a data breach.

How You Can Protect Yourself

Educating employees on phishing, backing up important files and patching software can all help thwart phishing attack, but they're not enough on their own.

  • Prevent threats from entering your network in the first place with a next-generation firewall and a unified threat management solution.
  • Ensure that every single endpoint in the network is adequately protected.

I have had to allot of success with Untangle to prevent Spam and Phishing attacks. I also use the open source version at home to protect my family.

You also need to watch out for Cybersecurity threats and attacks are always evolving. Viruses, worms, trojan horses, spyware, adware and scareware, this includes our for ransomware. Ransomware defined as a type of malware that creates a restriction of some type on the user’s computer.  To remove the restriction; the user must pay a ransom. This form of crimeware is unique in that it tries to coerce the user into directly paying the criminal––effectively turning the malware itself into a way for the attacker to profit. Over the past five years, ransomware has become more and more widespread because of the initial success of cyber criminals in convincing victims to pay to recover their files.

What can you do?

  • Always keep backups
  • Lock down administrative rights
  • Stay up to date
  • Protect at the gateway
  • Keep every endpoint protected
  • If email looks suspicious, it probably is
  • Don't open attachments unless you know who they are from and what they are.



Wash – Rinse – Spin Repeat Project Budget Time

CIO/CTO are managing budgets, proposals, and projects case making season now. It comes around every year to go through your wash cycle. A time when business cases start to being prepared for next year’s projects, and it seems as though every year I am asked for tips on how to best “sell” a proposal "Wash - Rinse - Spin." While I understand what’s asked, it concerns me to hear it put in those terms.

A business case should clearly set out the benefits of what is proposed along with the expected costs, and some supporting elements. It should then be judged alongside other business cases on its merits, and either gets approved or not. If the business case demonstrates clear benefit, then it shouldn’t need selling; and if it doesn’t, then it shouldn’t be positioned (or sold) as if it does!

The purpose of project justification

The fundamental issue with many project justification processes is that they aren’t entirely based on what is right for the organization, but have decisions clouded by force of personality and political influences. This article is not about how to improve the process, so we’ll save that for another day. But it’s easy to understand why projects are positioned to try and appeal to those stakeholders whose views and preferences seem to carry more weight.

Let’s try to put that to one side and focus on what the project justification process should be about. The project proposal or business case needs to address just a few basic elements, most importantly the following three:

  1. What benefits will the project deliver to the organization? That might be revenue growth or cost savings, but should be expressed in financial terms wherever possible. It should also address when the benefit occurs to allow for accurate calculation of the return on investment.
  2. What costs will the project incur? The obvious cost piece is the project itself, but this should also consider ongoing support and maintenance costs. Again, an indication of when the various costs will occur should also be included.
  3. How does the project align with organizational strategy? The organization will have established some strategic priorities, and an explanation of how the proposed initiative aligns with those should provide.

It’s clear to see how these elements contribute to the project selection and approval process--the projects that align with the corporate priorities and deliver the best net return are most likely to be approved. There will be exceptions, of course--regulatory projects, maintenance initiatives, etc. But the “game changers” will be passed based on the elements above.

Project proposals will all have their supporters--the people and groups that came up with the ideas and developed the business cases. The champions of these proposals have a personal stake in the project approval -- not just ego and reputation, but also more tangible factors like department budgets, resource levels, particular position, etc. It is very tempting to overstate the benefits, understate the costs and make the project sound as though it closely aligned with the organization’s goals and objectives. Then what might be the case--to “sell” the proposal rather than just present it and allow it to live or die on its own merits.

Controlling the spin

Reduce the potential for abuse in the justification project stage, and organizations should consider some different steps. One of the simplest--but also one of the most effective--is to provide standard templates for proposals that focus on numbers and how those numbers are developed rather than allowing for a lot of free text descriptions and discussion that may not add value. Helping to make the review and comparison of proposals simpler because there is more consistency between business cases. The downside of this approach is that it makes a proposal rather “sterile” and removes the opportunity to explain what may be new and complex ideas.

The next step that organizations should consider is an independent review of numbers before submission to the decision-making process. An informal audit by the finance team of the cost and benefit claims can help to identify any errors or unrealistic assumptions and will also ensure that there is consistency in the numbers used for the different financial calculations (things like exchange rates, the cost of capital, etc.).

The final step that can is the simplest but rarely is done. That is simply to measure the actual benefits and costs against the business case. In many organizations, the business case seems to be ignored as soon as a project is approved. By holding sponsors accountable for the numbers that they claimed in their proposals, a lot of the more blatant salesmanship can be eliminated.

Proposal/Project justification is a competitive business--there will always be more proposals than there is money available for investment, and it’s easy to understand why people try to gain an advantage over competing proposals. It’s the organization’s responsibility to ensure that this “noise” is eliminated and that all proposals compete equally for the available funding.

cropped-CIO_Brody1.png@CIOBrody Consulting
Daniel Brody
Contact Me


%d bloggers like this: