Disaster Recovery as a Service (DRaaS)


One of the most useful concepts to come from the “as a service” model that cloud computing created is Disaster Recovery as a Service (DRaaS). DRaaS allows a business to outsource the critical part of its IT infrastructure strategy that assures the organization will still operate in the event of an IT outage. The primary technology that has allowed Disaster Recovery (DR) to be outsourced, or provided as a service, is virtualization. DRaaS providers operate their own datacenter and provide a cloud infrastructure where they rent servers for replication and recovery of their customers’ data. DRaaS solutions have grown in popularity partly because of the increased need for small and medium-sized businesses (SMB) to include DR in their IT strategy. DR plans have become mandated by the larger companies that the SMB supplies services to, as well as by insurers and regulatory agencies. These entities require proof of the DR plan and of the ability to recover quickly from an outage. It’s a complicated process that few organizations take the proper time to address. A custom solution for each business needs to be designed by an experienced IT professional who focuses on cloud and DR. Most times an expert such as Two Ears One Mouth Consulting, partnered with a DRaaS provider, will create the best custom solution.

The Principles and Best Practices for Disaster Recovery (DR)

Disaster Recovery (DR) plans and strategies can vary greatly. One extreme notion is the idea that “my data is in the cloud, so I’m covered”. The other end of the spectrum is “I want a duplicate of my entire infrastructure off site and replicated continually”, an active-active strategy. Most businesses today have some sort of backup; however, backup is not a DR plan. IT leadership of larger organizations favors the idea of a duplicated IT infrastructure, as the active-active strategy dictates, but balks when it sees the cost. The answer for your company will depend on your tolerance for an IT outage, how long you’re willing to be offline, and your company’s financial constraints.

First, it’s important to understand the primary causes of IT outages. Many times, we think of weather events and the power outages they create. Disruptive weather such as hurricanes, tornadoes and lightning strikes from severe thunderstorms affects us all. These weather-related events make the news but are not the most common causes. Human error is the greatest source of IT outages. This type of outage can come from failed upgrades and updates, errors by IT employees or even mistakes by end users. Another growing source of IT outages is malware and IT security breaches (see the previous article on phishing). Ransomware outages require an organization to recover from backups, as the organization’s data has been encrypted and will only be unlocked with a ransom payment. It is vital that security threats are understood, addressed and planned for in the DR process.

Two important concepts of DR are Recovery Point Objective (RPO) and Recovery Time Objective (RTO). RPO defines the interval of time that can pass during an outage before the organization’s tolerance for data loss is reached. The RPO concept can also be applied to a ransomware attack, described above, to fall back to data from a time before the breach. More often RPO is used to define how far back in time the customer is willing to go for the data to be restored. This determines the frequency of the data replication and ultimately the cost of the solution. The RTO defines how long the vendor has to get the customer up and running on the DR solution during an outage, and how they will “fallback” to the primary site when the outage is over.

If the company is unable to create an active-active DR solution, it is important to rate and prioritize critical applications. The business leadership needs to decide which applications are most important to the operations of the company and set them to recover first in a DR solution. Typically these applications are grouped into “phases” by their importance to the business and the order in which they will be restored.
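As an added illustration, not code from the original article, the following Python script works through the RPO and RTO checks described above against a constructed replication schedule and a constructed phased recovery plan: the loss window for a given outage, the worst case implied by a replication interval, the ransomware fallback to a point before the breach, and the cumulative bring-up time of each phase against the RTO. All timestamps, phase names and durations are made up.

```python
"""RPO/RTO check for a phased DR plan. All dates, phases and durations below are
constructed sample data, not figures from any real DR plan."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

HOUR = timedelta(hours=1)


@dataclass(frozen=True)
class RestorePoint:
    taken_at: datetime  # when this replica/backup was captured
    label: str


@dataclass(frozen=True)
class Phase:
    name: str            # e.g. "Phase 1", the business-critical applications
    duration: timedelta  # estimated time to bring this phase up on the DR side


def data_loss_window(points: List[RestorePoint], outage_at: datetime) -> timedelta:
    """Data lost if the outage strikes at `outage_at`: the gap back to the newest usable point."""
    usable = [p for p in points if p.taken_at <= outage_at]
    if not usable:
        raise ValueError("no restore point exists before the outage")
    newest = max(usable, key=lambda p: p.taken_at)
    return outage_at - newest.taken_at


def meets_rpo(points: List[RestorePoint], outage_at: datetime, rpo: timedelta) -> bool:
    """True when the loss window for this outage is within the agreed RPO."""
    return data_loss_window(points, outage_at) <= rpo


def worst_case_loss(replication_interval: timedelta) -> timedelta:
    """With replication every `replication_interval`, the worst case is an outage just
    before the next run, so the interval itself is the loss to size the RPO against."""
    return replication_interval


def ransomware_restore_point(points: List[RestorePoint], first_encrypted_at: datetime,
                             dwell_margin: timedelta) -> Optional[RestorePoint]:
    """Newest point taken before the intruder is assumed to have been present.
    `dwell_margin` moves the cut-off back before the first observed encryption,
    since the intrusion usually predates the visible encryption event."""
    cutoff = first_encrypted_at - dwell_margin
    clean = [p for p in points if p.taken_at < cutoff]
    return max(clean, key=lambda p: p.taken_at) if clean else None


def phased_recovery(phases: List[Phase], rto: timedelta) -> List[Tuple[str, timedelta, bool]]:
    """Cumulative bring-up time per phase, flagging phases that land outside the RTO."""
    elapsed = timedelta(0)
    schedule = []
    for phase in phases:
        elapsed += phase.duration
        schedule.append((phase.name, elapsed, elapsed <= rto))
    return schedule


# Constructed sample: replication every 4 hours starting at midnight, outage at 13:30.
T0 = datetime(2024, 3, 4, 0, 0)  # placeholder date
POINTS = [RestorePoint(T0 + i * 4 * HOUR, f"replica-{i}") for i in range(4)]
OUTAGE_AT = T0 + 13 * HOUR + timedelta(minutes=30)
RPO = 4 * HOUR
RTO = 8 * HOUR
PHASES = [  # constructed priority groups, most critical first
    Phase("Phase 1 - ERP, email, directory services", 3 * HOUR),
    Phase("Phase 2 - file shares, CRM", 4 * HOUR),
    Phase("Phase 3 - reporting, dev/test", 3 * HOUR),
]

if __name__ == "__main__":
    print("loss window for this outage:", data_loss_window(POINTS, OUTAGE_AT))
    print("meets 4h RPO:", meets_rpo(POINTS, OUTAGE_AT, RPO))
    print("worst case with 4h replication:", worst_case_loss(4 * HOUR))
    fallback = ransomware_restore_point(POINTS, T0 + 11 * HOUR, dwell_margin=6 * HOUR)
    print("ransomware fallback point:", fallback.label if fallback else "none")
    for name, elapsed, ok in phased_recovery(PHASES, RTO):
        print(f"{name}: up at +{elapsed} ({'within' if ok else 'OUTSIDE'} RTO)")
```

With the sample data, Phase 3 lands at ten hours and is flagged as outside the eight-hour RTO, which is the kind of gap the phase ordering is meant to surface before an SLA is signed.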

Telecommunications networking can sometimes be the cause of an IT outage and is often the most complicated part of the recovery process. Customers directed to one site under normal circumstances need to be redirected to another when the DR plan is engaged. In the early days of DR, there was a critical piece of documentation called a playbook. A playbook was a physical document with step-by-step instructions detailing what needs to happen in the event of an IT outage. It would also define what is considered a disaster and at what point the DR plan is engaged. Software automation has partially replaced the playbook; however, the playbook concept remains. While automating the process is often beneficial, there are steps that can’t be automated. Adjusting the networking of the IT infrastructure when the DR plan is initiated is one example.

Considerations for the DRaaS Solution

DRaaS, like other outsourced solutions, has special considerations. The agreement with the DRaaS provider needs to include Service Level Agreements (SLAs). SLAs are not exclusive to DRaaS but are critical to it. An SLA defines all the metrics you expect your vendor to attain in the recovery process. RTO and RPO are important metrics in an SLA. SLAs need to be in writing and have well-defined penalties if deliverables are not met. There should also be consideration for how the recovery of an application is defined. A vendor can point out that the application is working at the server level but may not consider whether it’s working at the desktop and at all sites. If the customer has multiple sites, the details of the networking between sites are a critical part of the DR plan. That is why a partner that understands both DR and telecommunications, like Two Ears One Mouth IT Consulting, is critical.

The financial benefits of an outsourced solution such as DRaaS are a primary consideration. Making a CapEx purchase of the required infrastructure, to be implemented in a remote and secure facility, is very costly. Most businesses see the value of renting DR infrastructure that is already implemented and tested in a secure and telecom-rich site.

DR is a complicated and very important technology that a business will pay for but may never use. Like other insurance policies, it’s important and worth the expense. However, because it is complicated, it should be designed and executed by professionals, which may make an outsourced service the best alternative.

If you need assistance designing your DR Solution (in Cincinnati or remotely), please contact us at:

Jim Conwell (513) 227-4131      jim.conwell@outlook.com      www.twoearsonemouth.net


Financial Benefits of Moving to Cloud

image courtesy of betanews.com

There are many benefits that cloud technology can offer a business; however, a business doesn’t buy technology for technology’s sake, it buys it for positive business outcomes. The two most popular business outcomes desired by most businesses are to increase revenue and reduce cost. Information Technology (IT) has long been known to be one of the costliest departments in a business. So it makes sense that, if we’re going to recommend a cloud solution, we look at the financial benefits. The financial advantages, paired with the expertise to determine which applications should migrate to the cloud, create a cloud strategy. This consultation is not completed just once but needs to be repeated periodically by a strategic partner like Two Ears One Mouth. Just as telecommunications and internet circuits can become financially burdensome as a business grows, so can a cloud solution. Telecom cost recovery became a financial necessity for businesses when telecom costs spiraled out of control. A consultant would examine all the vendors and circuits to help the business reduce IT spend by eliminating waste. The cloud user faces a similar problem, as cloud services can automatically grow as demand increases. That growth includes the cloud solution’s cost as well as its resources.

The following are the three primary financial benefits of a cloud migration.

CapEx vs OpEx

The primary financial benefit most organizations plan for with their first cloud implementation is the benefit of an operational expense (OpEx) instead of a capital expense (CapEx). This is particularly beneficial for startup companies and organizations that are financially constrained. They find comfort in the “pay as you go” model, similar to other services they need, such as utilities. Conversely, enterprises that invest in equipping their own data centers have racks of equipment that depreciate quickly and use only a fraction of the capacity purchased. It has been estimated that most enterprises have an IT hardware utilization rate of about 20% of their total capacity. Cloud services allow you to pay only for what you use and seldom pay for resources sitting idle.

Agility and scale

Regardless of the size of your business, it would be financially impractical to build an IT infrastructure that could scale as quickly as the one you rent from a cloud provider. This agility allows businesses to react quickly to IT resource needs while simultaneously reducing cost. Many cloud solutions can predict when additional resources are needed and are able to scale the solution appropriately. This provides obvious benefits for the IT manager but can create problems for the IT budget. If the cloud solution continues to scale upward, and it is billed transactionally, the cost can escalate quickly. Cloud instances need to be monitored constantly for growth and cost. For this reason, Two Ears One Mouth consultants have developed a product known as cloud billing and support services (CBASS). CBASS makes sure the benefits originally realized with the cloud migration remain intact.

Mitigate risk

Many best practices in setting up a cloud infrastructure also enhance IT security. For instance, because their data resides elsewhere, cloud users tend to implement data encryption. This encryption can cover not only the data at rest in the cloud provider’s datacenter but also data in transit between the datacenter and the customer. This is a wise practice for IT security. It can limit the impact of a data breach and help with regulatory compliance in some cases. Additionally, security software and hardware, such as firewalls, tend to be superior in larger IT datacenters, such as those of a cloud provider. Ironically, IT security, which started as a concern about cloud computing, has become an advantage.

Cloud technology has long been proven and is here to stay. It has reduced IT budgets while improving IT response time. However, the cost savings of cloud are not automatic or guaranteed to continue. The savings, as well as the solution, need to be measured and affirmed regularly. Our consultants can monitor your cloud environment, leaving you to focus on the business.

If you need assistance with your current IT cloud project, please contact us at:

Jim Conwell (513) 227-4131      jim.conwell@outlook.com      www.twoearsonemouth.net

Online Business Communication Tools


image courtesy of softwareconnect.org

In part one of this two-part article, we focused entirely on Microsoft Office 365 because of its dominance in the cloud-based business tools market. In the final part of this series, we will focus on the competition for Office 365, as well as other applications that complement Office 365 and alternative communication strategies. It’s difficult to compete with a product that has such a dominating market share. To do this, the competitor must have vast resources in development and marketing. The primary competitor for Office 365 comes from Google and its product G Suite, which is built on Google’s Gmail platform. Gmail’s tremendous success in the personal email market has allowed Google to build a business product that is a formidable competitor to Office 365. Business Gmail, in the G Suite business product, gives its customers the ability to choose an email address that includes the company domain. Additionally, it offers a shared calendar for setting appointments within and outside the group. Google Voice adds additional features such as video and voice conferencing. Google has developed products that compete directly with the Microsoft Office products Word, Excel and PowerPoint. These applications not only look and act like their Microsoft competitors but also interact well with them. Using Google Drive with these applications allows collaboration on documents between users on the same account. Despite the disadvantages of competing with the clear market leader, Google has developed a competitive product in both functionality and price (see figure 2 below).

(figure 2)

The following are some of the most popular business communication applications that provide functionality that Microsoft’s and Google’s communication platforms don’t provide.

Slack

Slack is a cloud-based collaboration tool similar to the instant messaging platforms many of us have used in the past. This type of communication fits best in business when faster attention or response time is needed than email typically provides. Users can be divided into chat rooms, or channels, for specific purposes such as customer service. The content of all conversations, from the start, is searchable, and documents can be attached from the desktop or via integrations with Dropbox or Google Drive.

MailChimp

Many small and medium-sized business organizations that don’t have large marketing budgets will utilize a marketing automation platform like MailChimp. Marketing automation can take over repetitive tasks such as welcoming new subscribers and reconnecting with customers who abandoned a cart on the ecommerce website. MailChimp will also automate e-mail marketing campaigns and provide detailed analytics of their success. MailChimp’s popularity has grown as it has developed tight integrations with e-commerce platforms like Shopify and Magento.

HubSpot

Those of us who have worked in a large enterprise are familiar with customer relationship management software, or CRM. These software platforms are designed to build stronger relationships with existing customers, improve communication, and increase and track sales. The companies that create and support this enterprise software are technology giants like Oracle and Salesforce.com. The barrier to entry for these platforms for the small and medium business has been the cost of the software. Not only are subscription licenses expensive, but implementation and support costs are very high. More recently, a group of cloud-based CRMs such as HubSpot has allowed the SMB market to utilize CRM. With these providers, entry costs are low and sometimes even free. Just as important, their integrations with Outlook and G Suite make them easy to implement and support. Like Office 365, described in part one of this article, this software tool has leveled the field between enterprise and SMB.

These business communication applications rely on the ubiquitous nature of the internet and the cloud for delivery. Therefore, this discussion can’t be complete without mentioning the two leaders in the cloud market: Amazon’s AWS and Microsoft Azure. While these technologies have been discussed in previous articles (Azure, AWS), an important detail must be added here. Both platforms have made it so simple to log in to the console and create cloud instances that they have created a business problem: cloud billing scope creep. The console administrator can select the resources needed, and the services can even sense when expansion is required. However, much of the billing for both platforms is transactional or based on cloud usage. This can allow the affordability of the cloud to reverse itself quickly and become a costlier way to build your infrastructure. To help our clients solve that problem, Two Ears One Mouth IT Consulting has created a Cloud Billing Analysis & Savings Service (CBASS). More will be revealed later regarding this service; needless to say, we can analyze your cloud billing, make adjustments and re-validate the solution.

If you need assistance with your current IT cloud project, please contact us at:

Jim Conwell (513) 227-4131      jim.conwell@outlook.com      www.twoearsonemouth.net


Online Business Communication Tools

image courtesy of Phoenix One Sales

One major advantage Small and Medium Businesses (SMB) have today over their predecessors is the communication tools which are available. Often these come at little or no cost, and can be purchased and delivered over the internet. These cloud-based platforms enable the SMB to run more efficiently and compete better with its rivals in large organizations. Several years ago, if a company wanted an enterprise-class email platform, the choices were very limited. By far, the most popular choice was to implement a Microsoft Exchange email server. Exchange email has major advantages over the typical business email account or personal email services that small businesses relied on. Some of these include: shared calendars with meeting invitations, virtually unlimited email archiving and storage, customizable folders for organization purposes and the ability to have an email address with the business name or domain (me@mycompany.com). However, these valuable features came at a very high cost. The business first had to purchase the Exchange server licenses and the client access licenses (CALs), and then the server hardware, with plenty of RAM and storage to satisfy Exchange’s resource requirements. Finally, and most costly of all, is the person who will implement and administer the Exchange server. The administrator of an Exchange server is a highly paid resource that the enterprise will come to depend on 24 hours a day, 7 days a week, 365 days a year. These costs previously prohibited smaller businesses from purchasing Exchange, or any other enterprise email solution.

When Microsoft introduced Office 365, the pricing model changed dramatically: the cloud-based Software as a Service platform provided email in addition to their popular business applications. No server hardware was required, and licensing was much simpler and less expensive. An administrator was still required to add and delete email accounts, but it didn’t require the expertise to manage the hardware or the Exchange server software. Additionally, if selected, it may include up-to-date licenses for the Office products Word, Excel, PowerPoint and Outlook. This solved another problem for the IT manager: different licenses and versions of Office applications among users. With an Office 365 license, a user can download the current version at any time. All of this has allowed smaller companies to have access to the same level of technology as their larger rivals. Office 365 was priced in a way that made it a “no-brainer” for a business with either 5 users or 50,000 users.

In part 1 of this article, I will describe the different components of Office 365 and the pricing of some of its more popular bundles for SMB. In the following post I will list and describe Office 365’s competitors as well as packages that can complement your communications strategy.

Office 365 includes bundled services as well as additional packages that can be added à la carte. Below, in figure 1, are a couple of the most popular bundles for SMB and their cost as of the time of this post.

  • Outlook/Exchange email account- Microsoft Exchange has become the standard for email service, with all the features mentioned above. Each Office 365 license offers access for up to 5 devices, including tablets, phones, PCs and Macs.
  • Office Applications- Bundles include the most recent versions of Microsoft’s most popular applications, including Word, Outlook, Excel, PowerPoint, OneNote and Access. All of these can be updated by each user as Microsoft releases new versions.
  • Web Apps- These web versions of the above applications can be used in tandem with, and stored on, OneDrive. This allows users to view and edit documents without a bundle that includes the Office applications.
  • OneDrive- A secure cloud storage platform where files can be stored and shared. Bundles including OneDrive include at least one terabyte of storage. For business accounts supporting multiple users, a common OneDrive account is provided to support SharePoint.
  • SharePoint- A common file sharing platform for documents used by employees as well as customers. Some organizations use it so their customers are able to download brochures or other documents.
  • Yammer- An internal communication and social media platform.
  • Skype for Business- A video and voice conferencing platform. It can be used for specific applications such as webinars, or as a voice and video conferencing bridge that can connect up to 250 people.
  • Voice over IP (VoIP) phone services- These phone services are used in the Skype platform and provided through the Enterprise E5 bundle. E5 provides everything an enterprise would expect from a VoIP PBX, including direct dial numbers, calling plans and voicemail with unified messaging. Unified messaging organizes all messaging types (voicemail, email and fax) in one Outlook inbox.
  • Power BI Pro- Advanced personal and organizational analytics with MyAnalytics and Power BI Pro.

Just as it was difficult to compete with Microsoft on their operating system server platforms and Office applications, Office 365 is the leader in these technologies. In my follow-up post, I will describe platforms that compete with Office 365 as well as other applications that look to complement Office 365.

figure 1- the most popular Office 365 bundles for SMB


Are Containers the Forecast for Cloud?

image courtesy of kubernetes.io

One of the most exciting and simultaneously challenging things about working in technology is the speed at which change occurs. The process from a cutting-edge technology to a ubiquitous and commoditized product can happen in the blink of an eye. Now that the cloud has made its way into all sizes and types of business, the next related technology has emerged: containers. So it is fair to ask: are containers the forecast for cloud?

How we got to this port

VMware’s introduction of virtualization was thought by many to be the predecessor of cloud as we know it today. This revolutionary technology allowed early adopters to reduce costs and enhance their IT agility through virtualization software. The days of a physical server for each application are over. Cloud technology has evolved from software run by a single enterprise to an outsourced product provided to businesses by major technology companies like Amazon, Microsoft, and Google. Most recently, containers have evolved as a next step for cloud and are largely developed to suit the needs of software developers.

The difference between Virtual Machines (VMs) and Containers

A container is defined by Docker as a stand-alone executable software package that includes everything needed to run an application: code, runtime, system libraries and settings. In many ways, that sounds like a VM. However, there are significant differences. Above the physical infrastructure, a hypervisor manages the VMs, and each VM has its own guest operating system such as Windows or Linux (see image #1). A container uses the host operating system and the physical infrastructure that supports the container platform, such as Docker. Docker then supports the binaries and libraries of the applications (see image #2). Containers do a much better job of isolating applications from their surroundings, and this allows the enterprise to use the same container instance from development to production.


(Image 1) (Image 2) Images courtesy of docker.com

How can Containers be used in the Enterprise today?

Docker is currently the most popular company driving the movement for container-based solutions in the enterprise. The Docker platform enables independence between applications and infrastructure, allowing applications to move from development to production quickly and seamlessly. By isolating software from its surroundings, it can help reduce conflicts between teams running different software on the same infrastructure. While containers were originally designed for software developers, they are becoming a valuable IT infrastructure solution for the enterprise.

One popular platform allowing the enterprise to benefit from container technology is Kubernetes. Kubernetes is an open-source system originally designed by Google, which donated it to the Cloud Native Computing Foundation (CNCF). Kubernetes assists with three primary functions in running containers: deployment, scaling and monitoring. Finally, open-source companies such as Red Hat are developing products to help utilize these tools and simplify containers for all types of business. OpenShift, designed by Red Hat, is a container application platform that has helped simplify Docker and Kubernetes for the business IT manager. The adoption of new technology, such as cloud computing, often takes time to be accepted in the enterprise. Containers seem to be avoiding this trend and have been accepted and implemented quickly in businesses of all types and sizes.

HIPAA- Who, When and What Is Its Primary Purpose?


The Health Insurance Portability and Accountability Act (HIPAA) was signed into law by President Bill Clinton in 1996, and it created some of the most sweeping changes in healthcare reform at that time and for many years after. HIPAA was designed to eliminate discrimination by protecting and securing patients’ health data. This law has since grown into a government regulation with a much larger scope and a focus on information technology as it relates to healthcare. HIPAA’s three primary functions are:

  1. Protect the privacy and provide security for Protected Health Information (PHI).
  2. Increase the efficiency and effectiveness of the healthcare system.
  3. Establish standards for accessing, sharing and transmitting PHI.

HIPAA was originally segmented into 3 primary components: the Privacy Rule, the Security Rule, and the Enforcement Rule. Several years later it was amended to include the Health Information Technology for Economic and Clinical Health Act (HITECH) and the Omnibus Rule.

The Privacy Rule

The Privacy Rule was designed to protect and keep private all of our Protected Health Information (PHI). PHI includes information such as a patient’s street address, city, birth date, email addresses, social security numbers or any type of identifiable information obtained in the process of receiving care. Individuals may be charged with either civil or criminal penalties for violating HIPAA privacy rules.

The primary goal is to protect individuals’ PHI while promoting an efficient “flow” of information. It applies to covered entities, which are defined as hospitals, doctor’s offices, insurance companies or any organization that accepts health insurance. It also applies to business associates: organizations that create, maintain or transmit PHI on behalf of a covered entity. These entities must protect any PHI transmitted in any form: electronic, oral or written.

The Privacy Rule also gives individuals the right to access, review and obtain copies of their PHI. In addition, it grants the right to amend their PHI or request restrictions on its use. As part of the Privacy Rule, covered entities and business associates are required to appoint a privacy officer, complete workforce training on HIPAA compliance and construct business associate agreements with any entity with which they disclose or share information.

The Security Rule

The Security Rule sets standards for covered entities and business associates for the security of electronic health information.

The Security Rule has three primary components:

  1. Administrative safeguards- These begin the security management process by identifying a security officer and performing a risk assessment. The goal is to evaluate risk and make sure only authorized personnel can access PHI. Also, contingency and business continuity plans must be addressed and documented in the event of a disaster or disruption of business.
  2. Physical safeguards- These cover facility access controls (badges), alarms and locks. Any PHI data must be encrypted at rest and in motion and have adequate passwords. The use of tablets, phones, etc. must also be considered.
  3. Technical safeguards- These include audit controls (SSAE), which record and monitor transactions, and authentication by passwords, PINs or biometrics.

All security information must be documented and accessible on demand. It is required to be updated and archived for 6 years.

The Enforcement Rule

The Enforcement Rule sets the standards for penalties in the event of a HIPAA violation or breach. Initially, there were very few violations reported or penalties assessed. Today, there are still not many penalties compared to the actual violations, which occur frequently.

Most common infractions include:

  • Unauthorized disclosures of PHI
  • Lack of protection of health information
  • Inability of patients to access their health information
  • Disclosing more than the minimum necessary protected health information
  • Absence of safeguards for electronic protected health information

The following are the covered entities required to take corrective action to be in voluntary compliance according to HHS:

  • Private practices
  • Hospitals
  • Outpatient facilities
  • Group plans such as insurance groups
  • Pharmacies

(source: hhs.gov/enforcement, 2013)

HITECH and the Omnibus Rule

In 2009 Congress passed an amendment to HIPAA: the Health Information Technology for Economic and Clinical Health Act (HITECH). This amendment was designed to reduce cost and streamline healthcare through information technology. HITECH expanded HIPAA and implemented new requirements for the protection of PHI in Information Technology.

In 2013 the HHS Office for Civil Rights issued “the Final Rule”, or the Omnibus Rule, as a means of implementing the changes of HITECH. The HITECH changes included:

  • It allowed for changes requested to PHI by individuals and required direct approval before the sale of PHI.
  • Business Associates became directly liable and are required to provide items such as workforce training, privacy officer and risk assessment. HITECH also assigned liabilities to subcontractors of business associates.
  • All breaches to HIPAA must be reported to affected individuals as well as the secretary of HHS. An additional risk assessment must then be completed for each breach.
  • HITECH introduced a tiered approach to breach penalties with recurring infractions in the same year totaling up to $1,500,000. It also gave the state Attorney General the power to enforce HIPAA violations.

HIPAA is one of the most sweeping and all-encompassing changes ever to impact the healthcare industry. It has evolved to regulate the use of Information Technology within the scope of healthcare, in addition to protecting the privacy of a patient’s PHI. Unfortunately, like most government regulations, it is vague and very difficult to enforce. On the other hand, it has created valuable safeguards for the protection of our personal health records and it has encouraged improvements to the flow and integration of healthcare data.

If you need assistance with any current IT projects (Cincinnati or remote), or risk assessment for your practice please contact us at:

Jim Conwell (513) 227-4131      jim.conwell@outlook.com      www.twoearsonemouth.net

Project Management, Considering the OutSource

Project Management- Inside or Outsource?

Information Technology (IT) doesn’t deserve the credit for starting the Project Management (PM) process, but no business unit in the enterprise has developed it more. Since computers were introduced into business, and even more so with the advent of the personal computer, a well-defined process has been required to keep these tools effective. A skilled Project Manager can guarantee that the vision and goals of the project are maintained. In addition, the Project Manager will mitigate security risk and effectively and efficiently use all available resources. They will communicate expectations of responsibility to all team members and make sure the project is completed on time and within budget.

PM challenges for IT

One reason IT is so challenged with effective PM is the diversity of its projects. Every other business unit is dependent on IT. In larger organizations, IT will be working directly with finance, sales and the executive suite at the same time. All these groups have unique expectations for IT. Finance may question why the department isn’t running on the latest version of their Enterprise Resource Planning (ERP) software. Sales may wonder how they can use the corporate email to communicate their products and services to their prospects. These requests, in addition to internal infrastructure repair services, keep IT departments overwhelmed and in a reactive mode. These unique and diverse requests have driven IT departments to develop and utilize different PM methodologies, some of which are detailed below.

PM Methodologies

  1. Waterfall Method

    – The waterfall method is the most common PM methodology as well as the easiest to implement. Each step is developed in a logical order, with one step leading to the next. The current step must be completed before the following step begins. Although this method is easy to implement, it can get complicated as the customer’s needs change. A change in the customer’s needs can create a roadblock and set the project off track.

  2. PMI/PMBOK Method

    – PM has become so vital to all businesses that a Project Management organization has evolved, the Project Management Institute (PMI). Some managers have taken PMI’s conventions and used them to develop a methodology. Their primary conventions, or steps in the project process, are: initiating, planning, executing, controlling and closing. While this creates a very broad methodology, these five standards are universally accepted.

  3. Agile Method

    – The Agile method is a product of the 21st century. It was created out of the need to collaborate with your customer throughout the project process. In Agile, collaboration is valued over following a rigid plan. Project objectives are developed by the customer, and the final deliverable will most likely change through the process. Agile has many flavors, or sub-categories, of its methods. The most popular Agile framework to date is Scrum. Scrum is a team-based process with the team led by the Scrum Master. A Scrum Master’s primary focus is to support the team by clearing obstacles and making sure the work is getting completed in the most efficient manner. The teams meet frequently and will break down segments of the project into units called sprints. Agile, and Scrum, allow for flexibility and quick development that many times lead to a satisfied customer.

While all these methodologies will work in IT projects, each has its own set of circumstances where it is the best fit. Many articles have been written about PM and its methodologies, and online training and certifications are available. This free information is valuable; however, the greatest value comes from a seasoned project manager who has experience with successful implementations. Finally, the most important thing to know is that Project Management is a process, and as we all know, processes can always be made better.

If you need assistance with your current IT project (Cincinnati or remote), please contact us:

Jim Conwell (513) 227-4131      jim.conwell@twoearsonemouth.net      www.twoearsonemouth.net

COMPLIANCE, SECURITY AND GOVERNMENT REGULATION Can your business stay current?


In this time of IT security breaches, businesses of all sizes have become aware of the consequences of not having a solid IT framework and security policy. What previously was a concern for only large enterprises has now become a challenge all businesses share. Government regulation, such as the Health Insurance Portability and Accountability Act (HIPAA), has mandated compliance for the security of Protected Health Information (PHI) for any size of enterprise that stores PHI. A recent trend has been for large enterprises to pass their compliance and security requirements downstream to their suppliers, which may be smaller businesses. One of the initial causes for this was the Target breach. Target, which was fully compliant with its regulatory environment (PCI DSS),[1] was breached through an HVAC vendor. The compromise of this Target business partner was the primary cause of the theft of credit card information for millions of Target’s customers and of large-scale damage to Target’s finances and reputation. To learn more about the total cost of a data breach please see my previous article: https://twoearsonemouth.net/2017/11/22/preparing-for-the-cost-of-a-data-breach/ .

In addition to government regulation, industry associations have aligned to create compliance standards for their data. One primary example of this is the PCI DSS mentioned above in regard to Target. PCI DSS defines a robust payment card data security process, including prevention, detection and appropriate reaction to security incidents. The PCI Security Standards Council originates the standards for the handling of all credit card information, and maintains an approved list of assessors who audit and validate an entity’s adherence to PCI DSS.

Businesses are not completely on their own in navigating this complex regulatory and IT security environment. A series of IT frameworks has been developed that an organization can use to reach its goals. These frameworks describe IT “best practices”, which are written in general terms. Typically, businesses use them as a reference to achieve regulatory or security compliance. Below are some examples of the most common IT frameworks available today:

  • COBIT – A framework designed by the Information Systems Audit and Control Association (ISACA) to provide management and business process owners with an IT governance model that aids in delivering value from IT and understanding the management of risk associated with IT.
  • ISO 27002 – An IT security standard originated and maintained by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).
  • ISO 38500 – A framework similar to ISO 27002, covering the governance of IT by management, originated and maintained by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).

IT security best practices at the highest level can be classified in three categories: physical safeguards, administrative safeguards and technical safeguards. Below is a brief description of each.

Physical Safeguards are tools such as alarm systems (including video), key card systems, secure locks for offices and drawers where laptops and phones are stored, a guard or receptionist always at the front door, and a secure IT server room.

Administrative Safeguards are processes that include appointing a security officer and/or department, creating training programs to make all employees aware of what data needs to be protected and how it is protected, a company policy for storing and archiving protected data, and business continuity policies.

Technical Safeguards are IT tools such as Unified Threat Management (UTM) and Next-Gen firewalls, malware and virus protection software on servers and workstations, encryption of data in transit and at rest, and a strong Business Continuity and Disaster Recovery (BCDR) plan that is tested on a regular basis.

Following these principles and best practices not only helps a business mitigate risk but also makes good business sense.

Contact us so that we may learn more about the IT challenges within your organization. We will provide an initial consult at no cost! We can provide best in class IT Project Management in Cincinnati or remotely.

Jim Conwell (513) 227-4131      jim.conwell@outlook.com      www.twoearsonemouth.net

[1] PCI DSS is an acronym for Payment Card Industry Data Security Standard. PCI DSS is an industry-based regulatory authority for the credit card industry.

above image courtesy of RF IDeas

Death of the Salesman?


Lately I’ve been thinking about the beginning of my sales career and how different things are for today’s salesperson. I don’t believe salespeople have exclusivity to the story “How the Internet has changed Business”, but it is the business story I know the best.

I was fortunate that my beginnings in telecom in the 1980’s were in project management (PM), not in sales. This allowed me to work closely with sales people, as well as learn the technical side of the business first. The company I worked for, InfiNET, sold and installed phone systems of 100 users or more. After a few customer meetings of discovery, we would typically “cutover” the phone system after 5 pm on a Friday evening. Our customers had no tolerance for phones to be down for even a moment during business hours; at that time it was their most critical application.

Inevitably, there would be unplanned problems we would resolve on site. This allowed me to create a close relationship with my best technician, a bipolar genius named David. David knew more about the phone company network, and the equipment we installed, than anyone I’ve ever known. It was on these working weekends, watching David systematically troubleshoot issues, that I sharpened my technical expertise.

The owner of that company, as I was just getting comfortable in PM, asked me if I would like to try sales. I laughed out loud, and gave an emphatic “NO!” Soon I realized that it really wasn’t a question, and my sales journey began. My technical and application knowledge was deep, and my customers trusted me already, so my sales career began with huge success. It wasn’t long before I needed to sharpen my sales skills to keep my funnel growing.

At this time I discovered that the salesperson was a trusted counselor, educator and guide through the process of acquiring goods and services. When I would first meet my prospects for large phone systems they had no idea how these systems worked, what the components were, or how to make the right purchase. Business telecom was still young, and businesses were used to paying rent to the monopolistic phone companies for their phone systems. For that reason, the decision makers were primarily financial leaders, not the IT managers that handle the process today.

Fast forward to today: the technology has matured and the advent of the internet has affected the purchase process greatly. Cold calling has become very rare with voicemail and email. Telecommunication has integrated with IT, and the primary decision maker is the IT manager. The IT manager, as with most buyers today, has a completely different process for purchasing. The trusted counselor, educator, and guide is dead. The internet has eliminated the role of intermediary for the salesperson. I recently read that 90% of B2B purchases start with a web search, a complete turnaround from when I started.

Where does sales go from here?

Contrary to the messages above, sales is not dead; it’s not even sick. It’s changed, so we need to change. My examples above are about the businesses of technology, but the internet has affected all business. Just ask your travel agent or taxi driver the next time you can find one. The salesperson plays a vital role in business and always will. So how can the salesperson still provide value in today’s environment?

  1. Bridging the Gap – As much as the buyer thinks he knows from his research, the salesperson knows more about the product and service he represents. I’ve seen a gap between what the buyer believes he’s getting and what he’s actually going to get. Once he knows the buyer’s perspective, the salesperson can then see that gap. At that point he can help the purchaser by eliminating mistakes and confusion he has seen others make.
  2. Connecting People – With the demise of traditional prospecting methods, new ones must be developed. Networking is a huge part of this; the salesperson of today spends hours every week building his network. He can share these valuable resources through referrals. It can be a risky exercise to introduce a prospect to others that could offer value independently. Ultimately, he should trust the process of helping decision makers and organizations in this way.
  3. Provide and Display Expertise – Another technique to be developed is sharing knowledge and expertise. Today this is through blogging and social media. The information should be given away in hopes that when the prospects need help they will come to the expert. I’ve seen this process work; you need to trust the process.

These are some of the ways I’ve found. If you have feedback or know of other ways of providing value, please share them with me at jim.conwell@outlook.com or call me at (513) 227-4131.

Preparing for the Cost of a Data Breach


One of the biggest challenges, particularly for small and medium businesses (SMB), is trying to anticipate and budget for the cost of a data breach. While larger, often publicly owned, corporations can sustain huge financial losses to litigation or regulatory penalties, organizations with less than $100 million in revenue cannot. Even as the leadership of the SMB becomes aware of the inevitability of an attack, they don’t understand what the potential costs could be or how to prepare for them. This may cause them to task their Chief Information Officer (CIO) or Chief Information Security Officer (CISO) with estimating the cost of a breach for budgetary purposes. The CISO, understanding that addressing the breach issue starts with IT governance, may attempt to educate the company’s leadership on the tools necessary to help prevent a breach. Both leaders face a difficult decision: what monies are put aside for data security, and do we focus on prevention or recovery? Most would agree the answer is a combination of the two; for this exercise I will focus on the components of cost once the data breach has occurred. The four primary silos of cost are response and notification, litigation, regulatory fines and the negative impact to reputation. When the affected enterprise forecasts costs for a potential breach, it not only gives the company an idea of the financial burden it will incur but also prompts those affected to document the steps to take in the event a breach is discovered.

Notification, the first cost incurred, is the easiest to forecast. Most businesses have a good idea of who their customers are and how best to notify them. A good social media presence can simplify this as well as reduce total costs. After the breach is discovered, the first task is to try to discover which customers were affected. Once that is determined, the business needs to decide the best way to notify them. US Mail, email or social media are the most common methods. The most efficient process for each must be determined. Many states have laws around breach notification and timing, which need to be considered and understood as a part of the process. The larger the organization, and the associated breach, the more complicated this process becomes. In a recent breach of a large healthcare organization, deciding how to contact the affected customers took longer than it should have because the company wasn’t prepared for a breach of the magnitude they faced. The breach affected tens of millions of customers. It was decided that a conventional mail notification was required at a cost of several million dollars!

Litigation and regulatory penalties are similar and can be prepared for in the same way. While regulatory penalties can be better estimated up front, both costs can get out of control quickly. The best way to prepare for these types of costs is with Data Breach Insurance, also known as Cyber Liability Insurance. Cyber Liability Insurance provides coverage for the loss of both first-party and third-party data. This means that whether the data breach happens directly to your company or to a company whose data you are working with, the coverage will be in effect. While most of the time Cyber Liability Insurance is considered for the larger expenses, like lawsuits and regulatory penalties, the right plan can be used for all four types of aforementioned costs: notification, litigation, regulatory fines and damage to reputation.

The hardest to define, and many times the costliest, is the damage to the breached company’s reputation. In a recent study, the three occurrences that have the greatest impact on brand reputation were data breaches, inadequate customer service, and environmental disasters. Of these, the survey found that data breaches have the most negative impact on reputation. If the affected company is in the IT industry, and specifically IT security, the effects are likely to be devastating to the organization. The only trend that seems to be softening that damage is that breaches have become so common that people are more likely to disregard the notification. Breaches certainly are becoming more frequent, but that isn’t anything the affected company can include in its plan. What you must include in your plan is the message you will communicate to the public to lessen the negative consequences. This should include how you fixed the problem and how you plan to prevent additional breaches in the future. In a recent healthcare breach, the organization partnered with a well-known security platform to better protect patient records going forward.

Considering these four primary areas affected is critical to helping leadership determine the costs associated with a data breach. If you have any questions about determining the cost for your business, contact us today.

Contact us so we can learn more about the IT challenges within your organization.

Jim Conwell (513) 227-4131      jim.conwell@outlook.com      www.twoearsonemouth.net