<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>IT Policy Compliance</title>
	<atom:link href="http://www.itpolicycompliance.com/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.itpolicycompliance.com</link>
	<description></description>
	<lastBuildDate>Thu, 23 May 2013 01:17:17 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.5.1</generator>
		<item>
		<title>The Human Microbiome</title>
		<link>http://www.itpolicycompliance.com/blog/observations/the-human-microbiome/</link>
		<comments>http://www.itpolicycompliance.com/blog/observations/the-human-microbiome/#comments</comments>
		<pubDate>Thu, 23 May 2013 01:16:00 +0000</pubDate>
		<dc:creator>jim hurley</dc:creator>
				<category><![CDATA[Observations]]></category>

		<guid isPermaLink="false">http://www.itpolicycompliance.com/?p=2339</guid>
		<description><![CDATA[<p><p><a href="http://www.itpolicycompliance.com/blog/observations/the-human-microbiome/">The Human Microbiome</a> </p><p>Did you know about the latest research being done on the human microbiome? If not, don&#8217;t worry, you&#8217;re not alone. Even many of my biochemistry friends have never heard about it. There&#8217;s an NIH (National Institutes of Health in the US) funded, five-year study focused on the impact of the microbiome on the health and... <a href="http://www.itpolicycompliance.com/blog/observations/the-human-microbiome/">more &#187;</a></p></p><p><a href="http://www.itpolicycompliance.com">IT Policy Compliance</a></p>]]></description>
				<content:encoded><![CDATA[<p><a href="http://www.itpolicycompliance.com/blog/observations/the-human-microbiome/">The Human Microbiome</a> </p><p>Did you know about the latest research being done on the human microbiome?</p>
<p>If not, don&#8217;t worry, you&#8217;re not alone.</p>
<p>Even many of my biochemistry friends have never heard about it.</p>
<p>There&#8217;s an NIH (National Institutes of Health in the US) funded, five-year study focused on the impact of the microbiome on the health and disease states of people.</p>
<p><strong>Should you care?</strong></p>
<p>Read on.</p>
<p><strong>What&#8217;s a microbiome?</strong></p>
<p>What is this &#8220;microbiome,&#8221; you ask? It&#8217;s the microbial cells that live with us, all over us, and in us, and that appear to have an impact on everything from our health to our DNA. These little cells are not exactly bacteria either, but another class of beings known as archaea.</p>
<p>The microbiome taking up residence with you may weigh as little as half a pound, or as much as three pounds. The little critters appear to be involved in everything from our genetics to our health, mental states and capacities; and they&#8217;ve been living under our noses (or should I say in our noses) without our even being aware of them until late into the 20th century.</p>
<p>The research being completed is fascinating and indicative of much more that needs to be learned.</p>
<p><strong>Additional resources:</strong></p>
<p><em><strong>NIH funded research</strong></em> at <a href="http://www.hmpdacc.org/">http://www.hmpdacc.org/</a></p>
<p><em><strong>Microbiome Journal</strong></em> at <a href="http://www.microbiomejournal.com/">http://www.microbiomejournal.com/</a></p>
<p><em><strong>Overview at The New York Times</strong> </em>at <a href="http://www.nytimes.com/2013/05/19/magazine/say-hello-to-the-100-trillion-bacteria-that-make-up-your-microbiome.html?pagewanted=all&amp;_r=0">http://www.nytimes.com/2013/05/19/magazine/say-hello-to-the-100-trillion-bacteria-that-make-up-your-microbiome.html?pagewanted=all&amp;_r=0</a></p>
<p><em><strong>Heart Disease at The Economist</strong> </em>at <a href="http://www.economist.com/news/science-and-technology/21576062-hardening-arteries-may-be-caused-malign-interaction-meat-eating-and">http://www.economist.com/news/science-and-technology/21576062-hardening-arteries-may-be-caused-malign-interaction-meat-eating-and</a></p>
<p><em><strong>Archaea at Microbe World</strong></em> at <a href="http://www.microbeworld.org/types-of-microbes/archaea">http://www.microbeworld.org/types-of-microbes/archaea</a></p>
<p><a href="http://www.itpolicycompliance.com">IT Policy Compliance</a></p>]]></content:encoded>
			<wfw:commentRss>http://www.itpolicycompliance.com/blog/observations/the-human-microbiome/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>What&#8217;s Your POV?</title>
		<link>http://www.itpolicycompliance.com/blog/observations/whats-your-pov/</link>
		<comments>http://www.itpolicycompliance.com/blog/observations/whats-your-pov/#comments</comments>
		<pubDate>Sun, 12 May 2013 19:28:51 +0000</pubDate>
		<dc:creator>jim hurley</dc:creator>
				<category><![CDATA[Observations]]></category>

		<guid isPermaLink="false">http://www.itpolicycompliance.com/?p=2323</guid>
		<description><![CDATA[<p><p><a href="http://www.itpolicycompliance.com/blog/observations/whats-your-pov/">What&#8217;s Your POV?</a> </p><p>Beauty is in the eye of the beholder. This is something my mother always told me, especially when I was younger and too immature to realize there was any other perspective on the world other than mine. When you&#8217;re only five years old, your perspective is the only one that matters, right? When it comes... <a href="http://www.itpolicycompliance.com/blog/observations/whats-your-pov/">more &#187;</a></p></p><p><a href="http://www.itpolicycompliance.com">IT Policy Compliance</a></p>]]></description>
				<content:encoded><![CDATA[<p><a href="http://www.itpolicycompliance.com/blog/observations/whats-your-pov/">What&#8217;s Your POV?</a> </p><p>Beauty is in the eye of the beholder. This is something my mother always told me, especially when I was younger and too immature to realize there was any other perspective on the world other than mine.</p>
<p>When you&#8217;re only five years old, your perspective is the only one that matters, right?</p>
<p>When it comes to information security, perspective is what matters.</p>
<p>Unfortunately the perspective from a decades-long fixation with the dualism of inside and outside is now history. It was good while it lasted. It&#8217;s now time for another.</p>
<p>The inside-outside point-of-view (POV) came of age when firewalls became the controls keeping the unknown world from outside the enterprise network from invading the corporate nest-egg and allowing anyone to walk off with whatever they darned-well desired.</p>
<p>We believed in the crunchy-exterior.</p>
<p>Well, if the events of the recent week don&#8217;t convince you the age of inside-outside security concepts is over, nothing will. The New York Times covers the story well, <a href="http://www.nytimes.com/2013/05/10/nyregion/eight-charged-in-45-million-global-cyber-bank-thefts.html?pagewanted=all&amp;_r=0">In Hours, Thieves took $45 million in A.T.M. Scheme</a>, and exposes the reality that there are no more insides or outsides anymore.</p>
<p>Let me repeat: there is no inside nor outside anymore!</p>
<p>And, anyone in the security community caught thinking this way should be run out of town on a rail-head, or if they have redeeming qualities told to repent after they&#8217;ve written 500 times on their electronic chalk-board, &#8220;There is no more inside or outside anymore.&#8221;</p>
<p>There are the criminal folks who want to sift and sort from where the money is nowadays, or to nation-break on their way to glory and fame, and then there&#8217;s the rest of us law-abiding citizens whose mothers would be aghast if we had a hand in the cookie jar.</p>
<p>It&#8217;s time to realize that the old inside-out conceptions, perceptions and POVs about security are over with &#8211; and move on to the reality that it&#8217;s harder than this, and we&#8217;re entering a new age of information intelligence. The sooner you make this transition, the sooner you&#8217;ll be able to make forward progress.</p>
<p><a href="http://www.itpolicycompliance.com">IT Policy Compliance</a></p>]]></content:encoded>
			<wfw:commentRss>http://www.itpolicycompliance.com/blog/observations/whats-your-pov/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>What&#8217;s Your Bliss Point?</title>
		<link>http://www.itpolicycompliance.com/blog/observations/whats-your-bliss-point/</link>
		<comments>http://www.itpolicycompliance.com/blog/observations/whats-your-bliss-point/#comments</comments>
		<pubDate>Sun, 05 May 2013 12:07:58 +0000</pubDate>
		<dc:creator>jim hurley</dc:creator>
				<category><![CDATA[Observations]]></category>

		<guid isPermaLink="false">http://www.itpolicycompliance.com/?p=2312</guid>
		<description><![CDATA[<p><p><a href="http://www.itpolicycompliance.com/blog/observations/whats-your-bliss-point/">What&#8217;s Your Bliss Point?</a> </p><p>Bliss Point &#8211; in economics &#8211; is the quantity of consumption beyond which any further increase in consumption becomes less satisfying. Bliss Point is associated with maximizing desires and wants in the absence of any cost or spending restraints &#8211; such that beyond some point where desires and wants have been satisfied, pleasure becomes less... <a href="http://www.itpolicycompliance.com/blog/observations/whats-your-bliss-point/">more &#187;</a></p></p><p><a href="http://www.itpolicycompliance.com">IT Policy Compliance</a></p>]]></description>
				<content:encoded><![CDATA[<p><a href="http://www.itpolicycompliance.com/blog/observations/whats-your-bliss-point/">What&#8217;s Your Bliss Point?</a> </p><p>Bliss Point &#8211; in economics &#8211; is the quantity of consumption beyond which any further increase in consumption becomes less satisfying. Bliss Point is associated with maximizing desires and wants in the absence of any cost or spending restraints &#8211; such that beyond some point where desires and wants have been satisfied, pleasure becomes less and less fulfilled and eventually becomes boring.</p>
<p><strong>Bliss Point in the Food Industry</strong></p>
<p>This same term &#8211; Bliss Point &#8211; is used by the processed food industry to engineer the formulations of three critical ingredients &#8211; salt, sugar and fat &#8211; to deliver just the right amount of palatability to achieve hedonistic pursuit of food, independent of hunger levels.</p>
<p>Think of the munchies and you have a good idea of what this means in the extreme. Or think of your daily reflexive grab for potato chips, ice cream, yogurt (yes yogurt, because current sugar levels in these catchy-looking packages are as high as or higher than those in some candy bars), cookies, crackers, pretzels and cheeses.</p>
<p>But Bliss Point as it&#8217;s been applied in the world of processed food stuffs does not depend on unlimited resources to realize maximum enjoyment. Rather, the processed- and fast-food industries have made it cheaper for consumers to purchase laboratory-invented and assembly-line manufactured food-stuffs that are based on mixing salt, sugar and fat, than it is for consumers to purchase whole foods that have not been adulterated.</p>
<p>The engineered food-masterpieces are optimized to exploit palatability. And palatability &#8211; hedonistic-hunger &#8211; is shown to be directly related to opioid receptors in the brain, spine and gut: the same opioid receptors stimulated by illicit drugs.</p>
<p>Should salt, sugar and fat be banned as illicit drugs?</p>
<p>Some might make the case for it. Others argue that imposing this stiff a burden on these ingredients and industries is overreach: no one is forcing people to purchase junk food and eat it, after all. But when that&#8217;s all that&#8217;s available to you through corner convenience stores in many inner cities, making healthier choices about what to eat may not even be an option.</p>
<p>The medical literature and exhaustive test results make clear that for most people, current levels of consumption of salt, sugar and fat from fast- and processed- foods should be reduced.</p>
<p>Some common problem foods whose nutrition labels are worth checking include those with:</p>
<p><em><strong>High salt:</strong></em> fast foods, cheese sauces, bread crumbs, baked beans, canned soups</p>
<p><em><strong>High sugar:</strong></em> dates, candy, pie crust, raisins, milk shakes, yogurts</p>
<p><strong><em>High fats:</em></strong> fast foods, pie-crusts, cheeses, hamburgers, snack foods</p>
<p>The connection between obesity, diabetes, heart disease, cancers, and a number of other disease conditions and such dietary inputs is documented.</p>
<p>What&#8217;s your Bliss Point?</p>
<p><a href="http://www.itpolicycompliance.com">IT Policy Compliance</a></p>]]></content:encoded>
			<wfw:commentRss>http://www.itpolicycompliance.com/blog/observations/whats-your-bliss-point/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Should You Buy Big or Small?</title>
		<link>http://www.itpolicycompliance.com/blog/observations/should-you-buy-big-or-small/</link>
		<comments>http://www.itpolicycompliance.com/blog/observations/should-you-buy-big-or-small/#comments</comments>
		<pubDate>Sat, 27 Apr 2013 13:39:26 +0000</pubDate>
		<dc:creator>jim hurley</dc:creator>
				<category><![CDATA[Observations]]></category>

		<guid isPermaLink="false">http://www.itpolicycompliance.com/?p=2300</guid>
		<description><![CDATA[<p><p><a href="http://www.itpolicycompliance.com/blog/observations/should-you-buy-big-or-small/">Should You Buy Big or Small?</a> </p><p>Should you reflexively buy from your big-box seller or consider taking a chance on that small start-up or local retailer you met a few weeks ago? This is a question that&#8217;s not always on the mind of buyers of all sorts of goods and services &#8211; but should be. For it&#8217;s the decisions you make... <a href="http://www.itpolicycompliance.com/blog/observations/should-you-buy-big-or-small/">more &#187;</a></p></p><p><a href="http://www.itpolicycompliance.com">IT Policy Compliance</a></p>]]></description>
				<content:encoded><![CDATA[<p><a href="http://www.itpolicycompliance.com/blog/observations/should-you-buy-big-or-small/">Should You Buy Big or Small?</a> </p><p>Should you reflexively buy from your big-box seller or consider taking a chance on that small start-up or local retailer you met a few weeks ago? This is a question that&#8217;s not always on the mind of buyers of all sorts of goods and services &#8211; but should be. For it&#8217;s the decisions you make as a buyer that influence and shape the market, and therefore your future.</p>
<p>Should you buy from the big-box location offering you maybe 5 percent off the going retail price for a commodity item, or should you purchase the same item from your local retailer at the higher price?</p>
<p>Your actions will influence the lives of people behind the counters and running the local business, whereas it probably won&#8217;t matter as much to the big behemoth down the street.</p>
<p>Moreover if you buy local, the cash flow stays in the locale instead of being siphoned off to a locale that may be 3,000 miles away, 9,000 miles away &#8211; or more. And, the taxes paid by the local business owner add to the value of the local base, making the local economy that much stronger.</p>
<p>But there are pros and cons beyond the health of the local economy to buying small versus buying big that also need to be taken into account.</p>
<p><strong>Buying big</strong></p>
<p>If you buy big, you generally know that you can get the same item in Singapore that you can get in London or Omaha. If uniformity or homogeneity matter, then this may be an important factor.</p>
<p>You may be able to get better pricing from the bigger supplier, but this will depend on how much competition the giant faces in your sector or geography.</p>
<p>You are likely to get the same service levels no matter what. Uniformity of service for one customer will generally be the same for all customers, unless of course you are one of the customers that generate more than 5 percent of the behemoth&#8217;s revenue stream, in which case you&#8217;ll be offered service levels that other customers can only hope for but will never receive.</p>
<p>You are also likely to run into levels of hubris and unethical and illegal behavior you&#8217;d never find from a smaller supplier, including ignoring contracts, breaching contracts, and ignoring customer commitments while taking their money.</p>
<p>The benefit of buying big is that you&#8217;ll more likely be able to deal with fewer suppliers, which should reduce some of your burdens. But don&#8217;t believe the urban legend about buying big to have one throat to choke: it doesn&#8217;t work unless you are among that supplier&#8217;s biggest customers.</p>
<p><strong>Buying small</strong></p>
<p>If you buy small you are unlikely to be able to purchase the item in Singapore, London and Omaha. You may only be able to get it locally, or it might not be localized for your geography. It may be the same item or it may not.</p>
<p>You might pay a bit more, or if the size differential is in your favor you might actually pay quite a bit less, depending on the product or service and the competitive environment.</p>
<p>You will generally receive much better service levels, where they are available. And this is the sticking point. If you need service in West Osh Kosh and the supplier only covers East Osh Kosh currently, this could cause problems for you. Otherwise, be prepared for generally better service levels from your local and smaller suppliers: they need and want your business much more than the big behemoth does.</p>
<p>You will not run into hubris, and are much less likely to face a supplier that will willingly break a contract or ignore a customer or another supplier.</p>
<p>The drawback to buying smaller and local is that you&#8217;re likely to be in the position of having to manage more suppliers. Excepting the few rotten apples you might run into, you&#8217;re more likely to have suppliers willing to &#8220;go the extra mile&#8221; to make you happy.</p>
<p><strong>Your turn</strong></p>
<p>Now it&#8217;s your turn.</p>
<p>What will you do: buy big or buy small?</p>
<p><a href="http://www.itpolicycompliance.com">IT Policy Compliance</a></p>]]></content:encoded>
			<wfw:commentRss>http://www.itpolicycompliance.com/blog/observations/should-you-buy-big-or-small/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>What&#8217;s the Risk?</title>
		<link>http://www.itpolicycompliance.com/blog/observations/whats-the-risk-2/</link>
		<comments>http://www.itpolicycompliance.com/blog/observations/whats-the-risk-2/#comments</comments>
		<pubDate>Sat, 20 Apr 2013 20:46:28 +0000</pubDate>
		<dc:creator>jim hurley</dc:creator>
				<category><![CDATA[Observations]]></category>

		<guid isPermaLink="false">http://www.itpolicycompliance.com/?p=2287</guid>
		<description><![CDATA[<p><p><a href="http://www.itpolicycompliance.com/blog/observations/whats-the-risk-2/">What&#8217;s the Risk?</a> </p><p>Do you ever have the feeling you&#8217;re in one of those background noise-chambers where the same sound or sounds keep playing-on, time after time without letup? I have this experience a lot when it comes to the word &#8220;risk&#8221; and how most people in IT interpret what it means, or should I say what they... <a href="http://www.itpolicycompliance.com/blog/observations/whats-the-risk-2/">more &#187;</a></p></p><p><a href="http://www.itpolicycompliance.com">IT Policy Compliance</a></p>]]></description>
				<content:encoded><![CDATA[<p><a href="http://www.itpolicycompliance.com/blog/observations/whats-the-risk-2/">What&#8217;s the Risk?</a> </p><p>Do you ever have the feeling you&#8217;re in one of those background noise-chambers where the same sound or sounds keep playing-on, time after time without letup?</p>
<p>I have this experience a lot when it comes to the word &#8220;risk&#8221; and how most people in IT interpret what it means, or should I say what they mean by the word &#8220;<em><strong>risk.</strong></em>&#8221;</p>
<p><strong>Risk</strong></p>
<p>My definition of risk is simply the outcomes or impacts resulting from trigger events operating on and within an environment. The outcomes may be aided and abetted, or hindered, by vulnerabilities and the environment itself.</p>
<p><strong><em>Example</em></strong></p>
<p>The risk of disease from air-borne illness is injury or death. This is the outcome or impact of being exposed to some virus or bacteria. This outcome is more likely in tropical humid climates than in drier and less humid northern climates.</p>
<p>In the example, the risk is disease and its potential outcomes, including injury or death. The trigger event may be a pathogen or might be a carrier of the disease sneezing in an enclosed jet 30,000 feet in the air. Or, the trigger event might be related to colony formation, aided in humid regions such as the tropics but retarded in drier and less humid northern climates. If the immune system of Uncle Dick or cousin Jane were more vulnerable to the bacteria, this would make it easier for the bacteria to grow and accelerate its attack, impact and outcome on its host.</p>
<p><strong>The Chaos of Language</strong></p>
<p>The same applies to the world of information systems and security. But for some reason many people in the world of information security &#8211; and almost all the vendors pitching security products and services &#8211; confuse themselves and everyone around them by calling trigger events risks, or calling the environment the risk, or calling vulnerabilities risks. This shows up in such statements as &#8220;the technology risk&#8221;, the &#8220;vulnerability risk&#8221;, the &#8220;ecosystem risk&#8221;, and the &#8220;security risk&#8221; among other favorite lazy thinking phrases oft&#8217; heard.</p>
<p>Sorry to rain on the parade, but these things are not risks.</p>
<p>The outcomes or impacts that might result from vulnerabilities in IT systems, lax or no procedural controls, or unfunded mitigation steps are the real risks to organizations and people, not the factors leading to the outcomes. Do factors contribute to the outcomes? Of course they do. But they are not the risks. Instead of identifying the factors as the risks, we should be constructing rich storyboards that connect events to their outcomes.</p>
<p>Unfortunately the laziness with the use of language and the confusion over what &#8220;<strong><em>risk</em></strong>&#8221; means has resulted in an inability on the part of many people in IT to clearly articulate what the business impact of vulnerabilities is likely to be. The confusion has resulted in an inability to communicate the relationship between environmental factors, trigger events, vulnerabilities and their business outcomes.</p>
<p>The result is that many senior business leaders have no idea what risk IT is talking about when it comes to the table asking for money to mitigate &#8220;security risks&#8221;, instead of describing the business outcome: such as the risk the company will be sued, capital from financial markets will decline, and sales will decline after a massive data breach occurs.</p>
<p><strong>What&#8217;s the risk?</strong></p>
<p>If you do not clearly communicate the difference between what is likely to cause adverse outcomes from the outcomes themselves, then you&#8217;ll fall short of the support needed to fund mitigation strategies to manage the risks.</p>
<p>And the reason you won&#8217;t be funded is because no one will understand what you&#8217;re talking about.</p>
<p>This is a pretty large risk, and one that can be managed by carefully articulating the desired state, the adverse outcomes you are trying to avoid, the trigger events likely to lead to the adverse outcomes, and the environmental and vulnerability factors you will be mitigating to reduce the likelihood of the outcomes.</p>
<p>If you can do this, you&#8217;ll reduce the risk of not being funded &#8211; and thereby reduce the business risks associated with why information security policies, procedures or controls are implemented and maintained.</p>
<p><a href="http://www.itpolicycompliance.com">IT Policy Compliance</a></p>]]></content:encoded>
			<wfw:commentRss>http://www.itpolicycompliance.com/blog/observations/whats-the-risk-2/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>What&#8217;s Your Magic Number?</title>
		<link>http://www.itpolicycompliance.com/blog/observations/whats-your-magic-number/</link>
		<comments>http://www.itpolicycompliance.com/blog/observations/whats-your-magic-number/#comments</comments>
		<pubDate>Sat, 13 Apr 2013 13:28:45 +0000</pubDate>
		<dc:creator>jim hurley</dc:creator>
				<category><![CDATA[Observations]]></category>

		<guid isPermaLink="false">http://www.itpolicycompliance.com/?p=2276</guid>
		<description><![CDATA[<p><p><a href="http://www.itpolicycompliance.com/blog/observations/whats-your-magic-number/">What&#8217;s Your Magic Number?</a> </p><p>What&#8217;s your magic number? If you&#8217;ve never heard this question or phrase, you&#8217;ve probably been living off-network or away from the developed world for some time. It&#8217;s a term used by people for different reasons and a variety of meanings. Numbers We employ numbers in accounting to maintain financial accounts that assess our current balance... <a href="http://www.itpolicycompliance.com/blog/observations/whats-your-magic-number/">more &#187;</a></p></p><p><a href="http://www.itpolicycompliance.com">IT Policy Compliance</a></p>]]></description>
				<content:encoded><![CDATA[<p><a href="http://www.itpolicycompliance.com/blog/observations/whats-your-magic-number/">What&#8217;s Your Magic Number?</a> </p><p><strong>What&#8217;s your magic number?</strong></p>
<p>If you&#8217;ve never heard this question or phrase, you&#8217;ve probably been living off-network or away from the developed world for some time. It&#8217;s a term used by people for different reasons and a variety of meanings.</p>
<p><strong>Numbers</strong></p>
<p>We employ numbers in accounting to maintain financial accounts that assess our current balance among other purposes. We use numbers in educational institutions to assess relative performance levels of students and teachers. Numbers are used to design almost everything man-made and we use numbers to plumb the breadth and depth of the natural world around us.</p>
<p><strong>What is the Magic Number?</strong></p>
<p>But what is this &#8220;magic number&#8221; thing?</p>
<p>For a business manager it might be the backlog number. For a sales manager it might be the conversion rate, the forecast, and the quarterly &#8220;number&#8221; that&#8217;s finally posted upon which commissions are paid.</p>
<p>For a business owner it might be growth rate. For a CEO it might be earnings, return on assets, return on equity, the trading price of stock or the achievement of objectives established with the board.</p>
<p>For a customer service representative the magic number could be the number of calls serviced per hour, time spent on the phone per caller, or the number of successful close-outs per day.</p>
<p>For a lawyer the magic number may be billable hours. For an airline pilot the magic number is likely to be accident-free miles. For a truck driver it&#8217;s likely to be miles per day between required rest times.</p>
<p>For sports fanatics, the magic number may be the number of games remaining to be won until the home-town team wins a slot in the upcoming post season playoffs. The formula for this magic number looks like:</p>
<p>Magic number = total games &#8211; # of wins by 1st place team &#8211; # of losses by 2nd place team + 1</p>
<p>In financial risk mathematics, <strong>Value at Risk</strong> became the magic number to express the total value of a portfolio that could be lost over a certain time horizon. We won&#8217;t bother to include <strong>VaR</strong> calculations here; it would require an entire series of blog articles.</p>
<p><strong>Magic Numbers: a reversion to the Mean</strong></p>
<p>With the exception of teams remaining in contention for a playoff spot, almost all magic numbers reflect an arithmetic mean &#8211; the average &#8211; value for a series of numbers in a given population.</p>
<p>As an <strong>&#8220;average&#8221;</strong> value, most magic numbers aren&#8217;t really magic at all: they simply represent current consensus of the group. There&#8217;s really nothing &#8220;magic&#8221; about them other than the magic number is simply the current mean or average.</p>
<p>But, it&#8217;s the differences in the population &#8211; the deviations &#8211; at any given time that really are the interesting numbers. Most intriguing of all are the maximum differences between the outliers in a population and how far removed these are from average.</p>
<p><strong>The outliers tell the story</strong></p>
<p>It&#8217;s the outliers that are really the magic numbers, not the mean. I don&#8217;t mean the outliers that are so far away from any cluster, but the clusters of numbers that might be two, three, four or more sigma away from the mean.</p>
<p>The outliers tell the stories of &#8220;unexpectedly&#8221; super levels of performance or of sub-par performance. Or the outliers tell the story of overwhelming evidence of correlation between disease outcomes and causative agents.</p>
<p>Or the outliers reveal financial graft and corruption in the servicing of mortgages. Or outliers reveal the reasons why some organizations continue to be plagued by security breaches resulting in financial damage, public scrutiny and scorn, business downtime or other outcomes.</p>
<p>So the next time you hear the question, &#8220;what&#8217;s the magic number?&#8221;, think a bit beyond the comfortable box of average, and look for and then understand what&#8217;s behind the fat tails.</p>
<p><strong>Going beyond average to find the magic numbers</strong></p>
<p>The average is not the magic number. Instead it&#8217;s our way of saying this is the current level of average. For those who want to go beyond average, who want to understand how to improve results, or how to limit risk exposure, going beyond the magic number is necessary to going beyond the contextual level of acceptable mediocrity.</p>
<p>It&#8217;s the outliers that are really the magic numbers, not the average.</p>
<p>These are really the magic numbers!</p>
<p><a href="http://www.itpolicycompliance.com">IT Policy Compliance</a></p>]]></content:encoded>
			<wfw:commentRss>http://www.itpolicycompliance.com/blog/observations/whats-your-magic-number/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Consistency &#8211; the hobgoblin of security</title>
		<link>http://www.itpolicycompliance.com/blog/observations/consistency-the-hobgoblin-of-security/</link>
		<comments>http://www.itpolicycompliance.com/blog/observations/consistency-the-hobgoblin-of-security/#comments</comments>
		<pubDate>Sun, 07 Apr 2013 21:03:28 +0000</pubDate>
		<dc:creator>jim hurley</dc:creator>
				<category><![CDATA[Observations]]></category>

		<guid isPermaLink="false">http://www.itpolicycompliance.com/?p=2268</guid>
		<description><![CDATA[<p><p><a href="http://www.itpolicycompliance.com/blog/observations/consistency-the-hobgoblin-of-security/">Consistency &#8211; the hobgoblin of security</a> </p><p>The biggest problem contributing to elevated risk &#8211; according to most practitioners &#8211; is a lack of consistency in operations and following procedures. Consistency in applying patches, consistency in inspecting logs, consistency in testing new builds before releases, consistency in monitoring and consistency in removing unauthorized accounts among other procedures and policies. The lack of... <a href="http://www.itpolicycompliance.com/blog/observations/consistency-the-hobgoblin-of-security/">more &#187;</a></p></p><p><a href="http://www.itpolicycompliance.com">IT Policy Compliance</a></p>]]></description>
				<content:encoded><![CDATA[<p><a href="http://www.itpolicycompliance.com/blog/observations/consistency-the-hobgoblin-of-security/">Consistency &#8211; the hobgoblin of security</a> </p><p>The biggest problem contributing to elevated risk &#8211; according to most practitioners &#8211; is a lack of consistency in operations and following procedures.</p>
<p>Consistency in applying patches, consistency in inspecting logs, consistency in testing new builds before releases, consistency in monitoring and consistency in removing unauthorized accounts among other procedures and policies.</p>
<p>The lack of consistency was driven home for me the other day when a friend &#8211; who is not in security &#8211; related a story of what happened to him after a job change. After starting work in his new position he was handed a laptop which did not have an antivirus endpoint agent running on it. He asked the person in IT who delivered the laptop to him to fix the problem, and the response he received was &#8220;don&#8217;t worry about it, it will take care of itself.&#8221;</p>
<p>Assuming &#8220;it will take care of itself&#8221; meant that the missing agent would be detected automatically and that this would set off a procedure to install the agent without him being involved, my friend ignored the issue.</p>
<p>About two weeks after this discussion he noticed some strange things happening with his laptop and decided to check whether the antivirus agent had been installed or not. And as you might have guessed, the agent was not installed on the laptop despite the claim from the original IT person that &#8220;it will take care of itself.&#8221;</p>
<p>After calling for help from someone else in IT, he was told the laptop had been infected by a trojan horse that had found a nice home for itself on the laptop. After re-formatting the drive and having a new image of all the software re-installed, the laptop was delivered back to my friend. Indeed, &#8220;it had taken care of itself,&#8221; just not in the manner my friend anticipated.</p>
<p>Sometimes we spend a lot of time and effort debating whether some controls need to be implemented to mitigate risks, whether we&#8217;re spending more time and money on detecting problems instead of preventing them, or debating the value of a particular framework or technology, but it&#8217;s simple things like failing to follow policies and procedures that often cause the most problems.</p>
<p>Consistency &#8211; and the lack of it &#8211; are the hobgoblins of security.</p>
<p><a href="http://www.itpolicycompliance.com">IT Policy Compliance</a></p>]]></content:encoded>
			<wfw:commentRss>http://www.itpolicycompliance.com/blog/observations/consistency-the-hobgoblin-of-security/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The Time Machine</title>
		<link>http://www.itpolicycompliance.com/blog/uncategorized/the-time-machine/</link>
		<comments>http://www.itpolicycompliance.com/blog/uncategorized/the-time-machine/#comments</comments>
		<pubDate>Sun, 31 Mar 2013 23:23:07 +0000</pubDate>
		<dc:creator>jim hurley</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://www.itpolicycompliance.com/?p=2264</guid>
		<description><![CDATA[<p><p><a href="http://www.itpolicycompliance.com/blog/uncategorized/the-time-machine/">The Time Machine</a> </p><p>Time was when the term TCB meant something. It doesn&#8217;t anymore: at least not for a generation or more that never heard the term and wonders why one would care or even bother. For the uninitiated, the term refers to Trusted Computing Base, what seems to be today an odd notion that something was... <a href="http://www.itpolicycompliance.com/blog/uncategorized/the-time-machine/">more &#187;</a></p></p><p><a href="http://www.itpolicycompliance.com">IT Policy Compliance</a></p>]]></description>
				<content:encoded><![CDATA[<p><a href="http://www.itpolicycompliance.com/blog/uncategorized/the-time-machine/">The Time Machine</a> </p><p>Time was when the term TCB meant something. It doesn&#8217;t anymore: at least not for a generation or more that never heard the term and wonders why one would care or even bother.</p>
<p>For the uninitiated, the term refers to Trusted Computing Base, what seems to be today an odd notion that something was or could be trusted.</p>
<p>It also referred to an entire culture and discipline: a series of evaluation criteria designed around the concept of a TCB to address both systems in which a security kernel was implemented and those in which one was not.</p>
<p>Systems without a security kernel included those in which the objectives for security operations were not fully supported because of the size or complexity of what was called the reference validation mechanism. Now there&#8217;s a concept the current generation has not heard of: a reference monitor.</p>
<p>Perhaps it&#8217;s time for some of today&#8217;s developers and designers to look into what makes a reference monitor a reference, and then wonder at the self-deception that has developed around the concept of what has come to be known as sandboxes.</p>
<p>For convenience, the evaluation criteria of old used the term trusted computing base to refer to the reference validation mechanism, be it a security kernel, front-end security filter, or an entire computer system. And that was its boundary condition: a single computer system, within which the TCB and reference monitor were tested to be effective. And of course, like anything else in life, the designers of the day gamed the system by artfully crafting TCBs with software services that would pass muster but would never be used in the real world because users would configure them differently. Worse, if you connected a network to the system, all bets were off. And when networking and the Internet intervened, the utility of TCBs and reference monitors, as well as the entire Rainbow series, fell into disfavor. It didn&#8217;t matter what the Red Book covered; it was much too complex to keep up with the rate of technology change then, and would be today.</p>
<p>But their genesis and the disciplines behind these efforts were necessary prerequisites to the development of network guards and their descendants, which came to be called firewalls &#8211; and which became, by the way, the modern conceptual equivalents of reference monitors for networks.</p>
<p>For the young&#8217;uns among us who do not understand the breadth and depth of the knowledge, testing and arduous work that were and are the foundation of most security solutions today, it is worth traveling back in time to see the structures your grandparents, uncles and aunts developed.</p>
<p>Take flight in the time machine by visiting the Rainbow series housed at the Federation of American Scientists site at <a href="http://www.fas.org/irp/nsa/rainbow.htm">www.fas.org/irp/nsa/rainbow.htm</a>.</p>
<p>Or visit the NIST history of computer security at <a href="http://csrc.nist.gov/publications/history/">http://csrc.nist.gov/publications/history/</a>.</p>
<p>Or see the readings for the MIT OpenCourseWare course at <a href="http://ocw.mit.edu/courses/electrical-engineering-and-computer-science/6-857-network-and-computer-security-fall-2003/readings/">http://ocw.mit.edu/courses/electrical-engineering-and-computer-science/6-857-network-and-computer-security-fall-2003/readings/</a>.</p>
<p>Or learn about the contributions made by the cryptographer luminaries.</p>
<p>There are lessons here for the current and next generation to learn from and hopefully produce from that will carry forward hard lessons learned to make progress into the future.</p>
<p>The foundations of information security developed by the likes of James Anderson, David Bell, Whit Diffie, Len LaPadula, Roger Schell and Adi Shamir, among many, many others, offer much better footing than all the certification-this, certification-that and trained-monkey stuff that passes for security nowadays.</p>
<p><a href="http://www.itpolicycompliance.com">IT Policy Compliance</a></p>]]></content:encoded>
			<wfw:commentRss>http://www.itpolicycompliance.com/blog/uncategorized/the-time-machine/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The Adaptable Get to Play Another Day</title>
		<link>http://www.itpolicycompliance.com/blog/observations/the-adaptable-get-to-play-another-day/</link>
		<comments>http://www.itpolicycompliance.com/blog/observations/the-adaptable-get-to-play-another-day/#comments</comments>
		<pubDate>Thu, 21 Mar 2013 19:31:32 +0000</pubDate>
		<dc:creator>jim hurley</dc:creator>
				<category><![CDATA[Observations]]></category>

		<guid isPermaLink="false">http://www.itpolicycompliance.com/?p=2254</guid>
		<description><![CDATA[<p><p><a href="http://www.itpolicycompliance.com/blog/observations/the-adaptable-get-to-play-another-day/">The Adaptable Get to Play Another Day</a> </p><p>A friend of mine &#8211; a CISO for a healthcare organization &#8211; mentioned to me that his sole focus was to identify what could be done to &#8220;prevent&#8221; problems from occurring in the first place and to identify changes that can be made to controls when failures occur to avoid the same or similar problem... <a href="http://www.itpolicycompliance.com/blog/observations/the-adaptable-get-to-play-another-day/">more &#187;</a></p></p><p><a href="http://www.itpolicycompliance.com">IT Policy Compliance</a></p>]]></description>
				<content:encoded><![CDATA[<p><a href="http://www.itpolicycompliance.com/blog/observations/the-adaptable-get-to-play-another-day/">The Adaptable Get to Play Another Day</a> </p><p>A friend of mine &#8211; a CISO for a healthcare organization &#8211; mentioned to me that his sole focus was to identify what could be done to &#8220;prevent&#8221; problems from occurring in the first place and to identify changes that can be made to controls when failures occur to avoid the same or similar problem the second time around.</p>
<p><strong>I can&#8217;t control what I don&#8217;t control</strong></p>
<p>I found it interesting that he viewed controls as having a binary state: either they work or they don&#8217;t. So we engaged in a friendly discussion about whether there was a gray state where you just don&#8217;t know if something is working, and about the contributions that people, procedures and technology make to insecurity. My friend eventually conceded that most of security is gray; that it&#8217;s simply not visible enough in a timely enough fashion. He also agreed that people play an important role in whether policies are upheld or not. But he&#8217;s really fixated on what he can control, which is the technology, and would not budge off this. His argument is that he has no control over what people do, or which processes doctors, nurses or other healthcare providers use, and that his only armament in a war with the Visigoths is technology.</p>
<p>How many of us act on this belief, that technical controls are the only tuning knob we can use to manage risk? I suspect more people responsible for information security take this position than not, and that more are like my friend than not. But it&#8217;s the nexus of how people use and misuse the tools available to them that portends outcomes, good and bad alike.</p>
<p>The people working on designing aircraft never envisioned a day when passengers would hijack airplanes and smash them into tall skyscrapers.</p>
<p>The inventors of the wheel never saw the day in the future when chariots would be used to wage war on another society, when the Rover module would wander around Mars, or when fighter jets would take off from aircraft carriers.</p>
<p><strong>The attackers?</strong></p>
<p>It&#8217;s really how people use &#8211; and misuse &#8211; all of the tools available to them that is at the root of most problems, vulnerabilities aside. And I say vulnerabilities aside rather lightly because it is vulnerabilities that make an attack easier. Vulnerabilities offer the least resistance to any external force and as such need to be considered a high priority in any risk management discipline, information security included.</p>
<p>The attack on Pearl Harbor was successful largely because those on the ground did not think the improbable could or would occur. We have to recognize that the improbable is probable, that Black Swans occur in the world, and that some take further advantage of vulnerabilities to amplify their wrath. The Black Deaths, which include the Plague of Justinian in the 6th and 7th centuries, the European Plague of the 14th century and the Plague that hit China and India in the late 19th century, were Black Swans aided by vulnerabilities that included poor sanitation, non-existent hygiene, migration of rodents, war, famine and weather.</p>
<p><strong>White hats and black hats</strong></p>
<p>White hats are always playing defense while black hats are always on the offense. Black hats get to choose the time, place and setting for an attack. They get to choose the weapons and the means of pressing an attack. They get to choose the tempo and tactics used on the battlefield. They select the battlefield. Being a better white hat may mean playing like a black hat and forgetting about your preconceptions while using your skill and knowledge. White hats get to defend with whatever tools are at their disposal, and respond to attacks with their best skills and tactics.</p>
<p>Is it enough? I&#8217;m not sure and history shows us that new technologies invented for good purposes become used for evil purposes never imagined by their creators. What will mobile devices be used for in two, five or more years?</p>
<p><strong>Adaptability</strong></p>
<p>Our predispositions tend to keep us captive. The French found this out at the outset of World War II when the Germans simply went around the Maginot line.</p>
<p>In the world of information security we are predisposed to focus on technical controls and trying to prevent another outbreak of the one we just recovered from, only next time around the wound we receive is unlikely to be due to the same means used in the last event. As a result we are likely to miss social engineering attacks which are less costly and easier to implement.</p>
<p>Or our past experience blinds us to the reality unfolding before us. If we remember the most recent phishing attack, we may forget the last time we dealt with a buffer overflow or a combined threat. Or, we might forget a denial of service attack is really a ruse to pull our attention from a back-door exfiltration that is underway. And because we tend to focus on the most recent, the more familiar and the memorable &#8220;big events&#8221;, we are often surprised by the simplicity taking place in front of our noses.</p>
<p>I suspect that going forward the skill most needed by survivors will be adaptability: it&#8217;s the adaptable who will get to play another day.</p>
<p><a href="http://www.itpolicycompliance.com">IT Policy Compliance</a></p>]]></content:encoded>
			<wfw:commentRss>http://www.itpolicycompliance.com/blog/observations/the-adaptable-get-to-play-another-day/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>What Did PT Barnum Say?</title>
		<link>http://www.itpolicycompliance.com/blog/observations/what-did-pt-barnum-say/</link>
		<comments>http://www.itpolicycompliance.com/blog/observations/what-did-pt-barnum-say/#comments</comments>
		<pubDate>Sat, 16 Mar 2013 00:05:35 +0000</pubDate>
		<dc:creator>jim hurley</dc:creator>
				<category><![CDATA[Observations]]></category>

		<guid isPermaLink="false">http://www.itpolicycompliance.com/?p=2241</guid>
		<description><![CDATA[<p><p><a href="http://www.itpolicycompliance.com/blog/observations/what-did-pt-barnum-say/">What Did PT Barnum Say?</a> </p><p>No one went broke underestimating public taste. Several of my friends on the supply-side of the industry recently said things like, &#8220;Oh, I&#8217;ve got four Magic Q&#8217;s that I have to deal with in the next few months.&#8221; Another said, &#8220;You won&#8217;t believe what we&#8217;re spending on this&#8221;, referring to the total price of dealing... <a href="http://www.itpolicycompliance.com/blog/observations/what-did-pt-barnum-say/">more &#187;</a></p></p><p><a href="http://www.itpolicycompliance.com">IT Policy Compliance</a></p>]]></description>
				<content:encoded><![CDATA[<p><a href="http://www.itpolicycompliance.com/blog/observations/what-did-pt-barnum-say/">What Did PT Barnum Say?</a> </p><p><strong>No one went broke underestimating public taste.</strong></p>
<p>Several of my friends on the supply-side of the industry recently said things like, &#8220;Oh, I&#8217;ve got four Magic Q&#8217;s that I have to deal with in the next few months.&#8221; Another said, &#8220;You won&#8217;t believe what we&#8217;re spending on this&#8221;, referring to the total price of dealing with the supplier of the Magic Q Pageant.</p>
<p>And a Pageant it is, but more of a beauty queen affair than anything else. There might be 10, 15 or 20 entrants in any one contest for Ms Firewall, Mr BI Platform, Ms Data Warehouse, Mr Ant Trap, or whatever other award will attract enough suppliers gullible enough to fork over good money for these blue ribbons that are quickly forgotten until the next year, and which are largely ignored by the tech buyers who spend the most money on hardware and software.</p>
<p>The demand for these beauty prizes does not come from large enterprises. Managers of IT in these organizations will tell you directly, &#8220;I&#8217;d be fired if I used them as a reason for my recommendation&#8221;, and &#8220;Heck no we don&#8217;t use them (the vendor of the Magic Q&#8217;s), they (his bosses) are paying me to make these calls.&#8221;</p>
<p><strong>So where does the demand come from?</strong></p>
<p>Some of the demand comes from midsize and smaller businesses, neither of which has the staffing to &#8220;make the calls&#8221; or the recommendations, and which are following the leaders in their industries. These are also the same people who send staff to this vendor&#8217;s conferences to learn about an area of technology that is new to them. And some of the demand is fed by an unknowing press and media who just love entertainment and so-called &#8220;news&#8221; to sell adverts, especially online. And that&#8217;s just what the Magic Q&#8217;s are, an expensive form of entertainment. But most of the demand comes from and is fed in large part by the industry that pays for these silly blue ribbons &#8211; the suppliers themselves, which explains why so many buyers ignore these blue ribbons.</p>
<p><strong>Where else does the demand come from?</strong></p>
<p>You might not believe it, but it also comes from sales functions within supplier organizations that use their inability to sell a product that didn&#8217;t make it into the Magic Q as the reason they lost the big order, when in fact the loss of the order has nothing to do with it. It&#8217;s just another sales gimmick that I&#8217;ve seen too many organizations fall for, and any sales or general manager dumb enough to fall for this line deserves what&#8217;s coming to them.</p>
<p>And of course there&#8217;s push-based reinforcement from the supply-side itself, the industry entertainers (oops, the &#8220;analysts&#8221;) who take this side show seriously and then honestly believe they are making a contribution to society.</p>
<p><strong>Expensive entertainment</strong></p>
<p>As mentioned, the Magic Q&#8217;s are expensive entertainment. It&#8217;s quite amazing that the take generated from this nonsense is nearly one percent of all spending on enterprise hardware and software purchased each year. Beyond the cost of vying for one of the Magic Q spots are the costs of turning puffery into press releases, the costs of advertising, additional labor costs to manage the Magic Q game, and labor costs to respond to and support it.</p>
<p>Then there&#8217;s the indirect but more consequential cost of lost opportunity as suppliers put a stranglehold on customer-led improvement in their products in favor of Magic Q-led change that will lead to more favorable treatment in the beauty pageant to be held next year. Then there&#8217;s the cost of inflated acquisition prices paid for a takeover that is associated with one or more Magic Qs owned by the target.</p>
<p>Everyone on the supply side now uniformly questions why they continue spending good money on the carnival side-show called the Magic Q, but they continue to spend the money and then push these puffed-up blue ribbons as though they meant anything. Perhaps they do it out of habit, perhaps from fear, perhaps from peer pressure, perhaps from a lack of confidence, and perhaps because there appears to be no alternative.</p>
<p><strong>It&#8217;s long overdue the Magic Q is replaced or retired.</strong></p>
<p>It&#8217;s time to &#8220;just say no&#8221; and start paying attention to customers instead of paying attention to the Magic Q. Perhaps the one percent uplift in ticket prices could be plowed back into more productive purposes.</p>
<p>Now what was it that PT Barnum said was born every minute?</p>
<p><a href="http://www.itpolicycompliance.com">IT Policy Compliance</a></p>]]></content:encoded>
			<wfw:commentRss>http://www.itpolicycompliance.com/blog/observations/what-did-pt-barnum-say/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
