Kanban for Infrastructure & Security Teams

I work at IGS Energy in Dublin, Ohio. My team and I are responsible for Information Security, Network Engineering, Systems Administration, Telecommunications and Technology Support. We work in a fast-paced environment with frequently changing priorities and deadlines. A few weeks ago, I set a goal to improve and streamline our project communication/collaboration.

We work in a department comprised of several agile development teams. From the moment I started at IGS, I was very impressed with the open and transparent communication involved with running an agile team. In the back of my mind, I always wondered if I could make that work for the Infrastructure & Security teams at IGS. Our team already held daily stand up meetings and worked very closely with the development groups. Could we take it a step further?

We ended up attempting to leverage agile for an Infrastructure-related project. The goal of the project was to replace the portion of our network that is leveraged by our end-users. Unfortunately, we struggled to leverage agile for this project. We found that the work didn’t always fit into standard delivery time slots and often had to be delivered continuously due to inconsistent maintenance windows, etc. We also found that we had to frequently change the schedule to allow us to occasionally focus on daily maintenance and keeping the lights on. Finally, we noticed that attempting iterative delivery of this specific infrastructure project was actually hindering the user experience and negatively impacting the goals of the project.

We ended up trying other methods of project delivery and communication. Everything from sending email status updates to holding individual project meetings. We even tried using Microsoft Teams to document status updates. These solutions were good but we wanted something great.

We really just needed a few things:

  • Open/transparent communication
  • Continuous delivery
  • Clearly articulated priorities

I ended up asking friends and colleagues for advice. I reached out to App Dev Managers, Business Analysts, Infrastructure Leaders and even our VP of IT. I ended up getting some great advice that lead me to the Kanban Methodology. I ended up doing some research and found that several Infrastructure & Operations teams had successfully implemented this form of project flow.

I ended up deciding that it’s worthwhile for us to test out Kanban and see if it works for us. At that point, we had to make a few decisions. Should we have a physical or virtual Kanban board? It made a lot of sense for us to use a virtual board but we still had to decide what product to use. Our organization already had subscriptions to Jira and Office 365 which both offered tools for virtual Kanban boards. However, a member of the team was already using Meistertask and after exploring the UI, we decided to give that a shot.

We ended up starting out with 5 categories:

  • Backlog – Tasks that haven’t been assigned. I was given some great advice to purge items from this category if they remain dormant for an extended period of time. If they’re dormant for that long, clearly they aren’t a priority. An extended backlog of tasks that are never prioritized could turn the board into a source of anxiety.
  • Hold/Blocked – Tasks that have been assigned but can’t be completed at this time. This could be as simple as a task being contingent on the completion of another task.
  • Work In Process (WIP) – Active tasks. Our goal is to limit the amount of WIP to items that can be focused on at that point in time.
  • Validate – Tasks that are being tested.
  • Complete – Completed tasks. It’s important that we take time to recognize these items and celebrate success.

After discussing this with the team, there were a few questions that ended up causing us to make a few adjustments to the process. For example, he team already receives a high volume of requests/tasks through ServiceNow. Should all of those flow through Kanban as well? We made the decision that only items that will take more than 3 business days will be added to the Kanban board.

The team also discussed who could actually create items for the Kanban board. It’s important that we had a clear sense of priorities and didn’t introduce too many cooks in the kitchen. We decided to add an extra category for “brainstorming”. This is an area that anyone on the team can add an item to. During our weekly project review meeting, we will discuss all open brainstorming tasks and decide whether or not they are added to the backlog.

We plan on communicating the status of our tasks during Daily Stand Up Meetings, Weekly Status Meetings, and a Monthly Retro. During our retro, we will review what went well, what we could have done better and what our next steps are. We will also hold retros for any unplanned downtime.

I’m looking forward to seeing how this works out. Have you implemented Kanban for an Infrastructure or Operations team? If so, let me know how it went!

Why I believe in i.c.stars

After finishing grad school in 2015, I had a strong urge to volunteer. I wanted to make an impact. Unfortunately, I didn’t quite know how to devote my time. Should I go to a soup kitchen? Meals on wheels? I reached out to Jen Bowden (Director of Community Investment at IGS) and she gave me some wonderful advice. She told me to find a problem that I was passionate about fixing.

The more and more I thought about it, I was frustrated by the unnecessary barrier that was preventing talented individuals from entering the IT workforce. I was fortunate enough to have an opportunity to invest time and money into receiving a formal education at Ohio University. My formal education served as a great way to demonstrate my work ethic and desire to learn. It ultimately got my foot in the door of a great company and helped kick-start my career. In my mind, there had to be a way to help less fortunate individuals demonstrate those same capabilities while gaining some practical experience. After all, I learned more about business working at our family-owned shoe store in High School than I did receiving a Minor in Business Administration.

Rather than sit back and complain, I decided to try and fix the problem from the inside. I started teaching classes at Franklin University. As much as I loved helping the students, it wasn’t enough. I wanted to do more to remove the barrier preventing talented individuals from entering the IT workforce.

Fast forward a few months and the aforementioned Director of Community Investment at IGS introduced me to Ryan Frederick. Ryan spoke to us about a program that had started in Chicago called i.c.stars. The program identifies, trains and jump-starts technology careers for low-income young adults who, although lacking access to education and employment, demonstrate extraordinary potential for success in the business world and for impact in their communities. Candidates that enroll in the i.c.stars immerse themselves in the program. They go through a 4 month training cycle and spend 60+ hours a week working on a real project for organizations.

The numbers from the original office in Chicago speak for themselves…

  • 300+ total alumni
  • 95% initial placement rate
  • $9,915 average annual earnings before the program
  • $57,240 average annual earnings 30 months after program completion

Honestly, even after seeing those statistics, I was skeptical. I didn’t think that i.c.stars could prepare individuals with little-to-no technical experience for a career as a Business Analyst, Project Manager, QA Analyst or Developer in 4 short months while also managing to deliver a working product. The team at IGS decided to serve as the first project sponsor for i.c.stars Columbus. We saw a partnership with i.c.stars as an opportunity to give back to our community and change lives for the better.

The i.c.stars group was split into several teams that worked to build IGS a dashboard to display information about our EDI transactions. I can definitively say after serving as the organization’s first project sponsor that I had no reason to be skeptical. I am still amazed by the growth that I witnessed during the initial 4 month program.

If you’re interested in learning more about i.c.stars, contact me and I will introduce you to some of their awesome team members. In fact, along with Josh Miller (Training Manager at i.c.stars), I’m establishing a Mentorship Committee at i.c.stars in an effort to help recruit candidates around Columbus to help mentor future classes. We’re looking for folks with experience in Software Development, Database Administration, Business Intelligence, Engineering, Project Management, Leadership, Information Security, IT Infrastructure, QA Testing or Technical Support. The time commitment to mentor could be as much or as little as someone is willing to contribute. If you’re interested in joining the committee and helping recruit mentors for the organization, please let me know. Also, click here if you’re able to spend some time serving as a mentor.

Protecting Yourself From WannaCry Ransomware

Over the last few weeks, I’ve had a few friends ask me for advice related to the recent WannaCry Ransomware attacks. For those of you not familiar with Ransomware, it is a type of a computer virus that restricts access to a system until a sum of money is paid to the attacker. WannaCry is a dangerous variant of Ransomware because it is designed to spread very quickly throughout corporate and private networks. At the height of the WannaCry Ransomware infection, it crippled organizations ranging from auto manufacturers to hospitals.

Unfortunately, this virus has affected consumers as well. People all over the world have lost access to their most prized digital assets including family photos and videos. My advice to the average consumer about Ransomware really boils down to three basic concepts. You need to take steps to make sure that you’re able to prevent, detect and respond to Ransomware. Fortunately, you can take the necessary steps without a ton of effort or financial investment.

Obviously, it would be ideal if you could just prevent Ransomware from infecting your computers. Preventing a computer virus starts with being vigilant. Most infections of WannaCry began with a simple phishing email. It’s very important that you exercise caution when opening emails from unknown senders. Also, be sure to look for the signs of a phishing attempt.

I’m sure at some point you’ve had to respond to an annoying message asking whether or not you want to install a software update. I’ll be the first to admit these tend to happen at the most inconvenient time. Most of the time you don’t even notice a difference after these updates are installed. However, these updates often contain important security fixes and should be installed on a regular basis. In fact, installing one of these updates for Microsoft Windows would have drastically reduced the likelihood that your computer would have been infected with the WannaCry Ransomware.

Another way of preventing a Ransomware attack is to leverage Antivirus. It’s important to note that installing Antivirus won’t guarantee that you’ll be protected from malware. However, it will likely protect you from a majority of potential Ransomware infections. Also, with effective and free Antivirus solutions from companies like Sophos, there’s no excuse not to have Antivirus installed on your PC/Mac.

Normally, you need to take special steps to ensure that you’re able to detect that your computer has a virus. The main difference with Ransomware is you’re almost always aware when it happens. This is because attackers typically display a large message on your computer screen indicating that your files have been locked along with instructions for payment. However, behavior-based Antivirus software can be effective in notifying you that it has detected a Ransomware infection before a majority of your files have been locked/encrypted.

It’s important to prepare yourself for the likelihood that all of your methods of detection and prevention will fail. Even if you have Antivirus installed and are extremely cautions when opening emails, you can still end up with a Ransomware infection. There are a few steps you can take to make sure that you’ll be able to recover from the attack. The most step is implementing automated cloud-based backups.

As I mentioned previously, even the best defenses can eventually fail. Despite the best efforts and intentions, you might discover that your most important files have been encrypted. This is why it’s important to have some form of automated cloud computer backups. By using a backup service like Carbonite, you will be able to recover your files from the backup provider without paying a ransom to the attacker that encrypted them. Also, cloud-based storage providers such as Dropbox provide easy mechanisms to recover your files in the event they become encrypted by Ransomware.

If you find out that one of your computers has been infected by Ransomware, do everything you can to avoid making the payment. Making the payment will likely just put a bigger target on your back and it will become that much more likely that you’ll be targeted again. If you find yourself in a situation where your files are encrypted without a backup, you can attempt to leverage a 3rd party tool to decrypt/unlock the data. However, there is no guarantee that a decryption tool will exist for the particular Ransomware variant that you have.

  • Just to summarize…
    • Exercise caution when opening emails from unknown senders
    • Make sure that you have automated cloud backups using a service such as Carbonite
    • Verify that an updated version of Antivirus is installed on your computers
    • Install security updates on a regular basis
    • Do everything you can to avoid making the Ransomware payment

Why you should secure your accounts with 2FA

Two factor authentication (aka multi factor authentication, login approvals, login verification or two step verification) is a way to prove your identity to a service provider by providing two different authentication methods. Enabling two factor authentication (2FA) is one of the most effective ways of preventing your accounts from being hijacked or stolen. 2FA is not only effective but it’s typically provided at no cost. In fact, you are likely already leveraging two factor authentication without even realizing it.
There are three common ways to prove your identity:
  • Something you have – typically a mobile phone or keyfob
  • Something you know – usually a password or PIN
  • Something you are – frequently is a fingerprint


One of the most typical forms of two factor authentication is the requirement to use a PIN code when using your debit card to make a transaction at an ATM. You’re providing something you have (debit card) as well as a PIN (something you know) to prove to the bank that you are who you claim to be. The addition of a PIN adds a significant amount of security to your debit card transactions. This same concept is often applied to logging into websites.
Most websites only require that you to provide a password to authenticate yourself. You’re simply sharing something that you know to demonstrate that you are who you actually say you are. Ideally, your password is a complete secret to anyone but yourself. Unfortunately, this isn’t always the case.
You will have a password stolen. It’s not a matter of if or when but how often it will occur. Passwords are commonly stolen in phishing attacks, corporate data breaches and through eavesdropping. By adding a second layer of authentication, an attacker can no longer login to your accounts with just your password.
Typically a website will allow you to use your mobile phone (something you have) as a second form of authentication. When you provide your username and password (something you know) to the website, the site will send you a text message with a temporary code. You’ll then provide this code to the website as a second form of authentication. While this method isn’t perfect, it will go a long way to helping secure your accounts and identity.
In my opinion, the biggest drawback to leveraging 2FA is the slight inconvenience. However, the inconvenience is a small price to pay for the significant increase in security. A majority of the websites you use on a daily basis offer this additional security measure. For a list of websites that support 2FA and instructions for enabling this feature, please visit www.turnon2fa.com.

3 Recommended Entry-level IT Certifications

I’ve spent a lot on a formal education at Ohio University. However, it seems to be my industry certifications from Microsoft and VMware that get noticed by recruiters and hiring managers. My certifications were obtained for just a few hundred dollars in examination fees. I was able to prepare for these exams using free materials from the vendor.

It’s always a great thing to have a respected vendor’s logo on your resume/LinkedIn profile. If you’re looking to kick-start your IT career, I highly recommend checking out the certifications that I’ve listed below. I selected each of them based on their low-exam cost and availability of free training materials.



5 Recomended Information Security Tools/Services

I recently had a coworker ask me for some advice about protecting their personal computers. After our conversation, I realized that the information was worth sharing with others so I decided to consolidate it and post it to my blog.

Here’s a list of 5 recommended information security tools/services that I recommend using to protect yourself and your family…

  • Password Manager – I’ll be the first to admit that memorizing passwords can be very frustrating. It seems like each site has their own unique set of requirements. It’s almost impossible to memorize dozens of unique/secure passwords. There’s no need to attempt the impossible when there are really great/free password vaults available. While there are a lot of options to choose from, my favorite is LastPass.
  • Antivirus – It’s entirely possible that you can still fall victim to a virus or ransomware infection while using an antivirus program. Even if the traditional antivirus program only blocks 8/10 malicious attacks, it’s worthwhile to catch the low hanging fruit. It’s important to note that you should leverage an antivirus even if you have a Mac. With great and free programs like Sophos, there’s no excuse why you should have a PC/Mac without antivirus.
  • Cloud Backup – I can’t stress enough the need to have a copy of your data stored off-site. With threats ranging from house fires to ransomware, you’re always a split second away from loosing access to all of your data. This could include everything from your tax documents to your photos. The best offense is a good defense. It’s important to have a plan in place in the event that everything else fails. Automated cloud-based backup services like Carbonite are a huge part of that plan.
  • VPN – Ever get nervous while connecting to a hotel’s WiFi? Installing Freedome VPN on your phone, tablet and laptop can help prevent your Internet traffic from being intercepted while you’re connected to public WiFi.
  • Credit Monitoring – You’re going to be a victim of a data breach. It’s not a matter of if or when but how often. Even if you have all the best tools/services to ensure that you’re able to prevent identity theft, it’s worthwhile to invest in credit monitoring to make sure that you’re able to detect identify theft.

My advice on starting a career in IT

I’ve had several people reach out to me over the last few months asking for advice on how to land their first job in IT. Several of these individuals do not have any formal IT education, training or experience. I decided to consolidate some of the advice that I’ve given on securing an IT job over the last few months into a blog post.

I was very fortunate to have had a 3rd grade teacher (Mr. Fouts) that exposed me to personal computers before they were personal. Mr. Fouts and another teacher set up a Wildcat! BBS server at our Elementary School. From the moment I first remotely connected the BBS system, I was hooked. I was also very lucky to have had an older Brother and two Grandfathers that encouraged my passion for technology. I don’t know when I decided on a career in IT but I also don’t recall ever considering anything else.

I graduated college in June 0f 2008. This was just a few months after the collapse of Bear Stearns. Even with a degree in Information and Telecommunication Systems, I really struggled to find a job. At one point, I had applied to over 100 positions and only been granted a handful of interviews. Finally, I accepted an internship at a local hospital where my primary focus was loading pre-configured images onto desktops/laptops.

The experience of struggling to find an entry-level position in IT helped shape my career in a positive way. I learned that obtaining an education isn’t enough and that I needed to obtain some relevant experience and marketable skills. I quickly found out you often have to make sacrifices to obtain the aforementioned skills and experience. This could mean taking a position with less pay in an effort to learn more about a piece of technology. I also learned the importance of discovering your passion within IT. In my case, I realized that I enjoyed IT Infrastructure and Information Security while serving as an Intern.

When my friends and family members ask me about obtaining positions in IT, I always ask them to be a little more specific. I eventually ask them what area of IT they want to focus on. If they actually have an answer, I try to validate what drove them to that conclusion. If they can’t answer that question, I instruct them to find an answer before going through the steps to seek an entry-level position. If not, they run the risk of committing to a field that they hate. I really recommend performing this task before committing to obtaining a degree (or at least in parallel while obtaining a degree).

How can you find out what area of IT you’re interested in without committing? I’d recommend attempting to find a job shadowing/internship opportunity. If you don’t know anyone who can help secure the internship or shadowing opportunity, start reaching out to individuals on LinkedIn. You’d be surprised how many people are willing to help. Plus, I can’t stress enough how important it is to build out your personal network at the early stages of your career. As my Father always told me…”It’s not just what you know but who you know.”

If you’re still convinced a specific part of IT is for you after completing Internships and/or Job Shadowing, then it’s time to focus on gaining additional experience/knowledge. This is the point in your career transition where you may want to consider obtaining a vendor certificate and/or formal education. You may be fortunate enough that your internship and/or job shadowing leads to a full-time position. If not, don’t get discouraged. Keep reaching out to your connections and applying to as many entry-level roles as you can find. As I mentioned earlier, I applied to almost 100 entry-level positions early in my career before finally being hired.

When it comes time to selecting your first entry-level position, I highly recommend starting at a small or medium sized business. This will allow you to gain a wider range of skills. For example, my first real role in IT was working on the Help Desk at a smaller organization. The small size of the team/company allowed me to begin working on the organization’s servers and networks within a few months. I can definitively state that I wouldn’t be where I am in my career without this first position.

Unfortunately, obtaining industry experience in a new field or area of expertise often requires taking a step back financially. This can be a tough pill to swallow but the experienced gained in an entry-level position is invaluable. I tend to tell people to imagine as if they’re being paid to go to school and learn about the specific area of technology.

In short, take the time to find the right fit. Don’t invest too much time or money into exploring a career path without validating that it’s the right role for you. Also, don’t underestimate the importance of building your personal network.


IT Career Advice For College Students

I recently completed my first term as an Adjunct Professor. It was important to me that I shared some “real-world” advice with the students before the start of their careers. So, I asked some of my colleagues at IGS if they had any words of wisdom to share with my students and I presented their answers on the first day of class. Here are a few of their responses…

  • You should always treat your customers (or people who need your help) as if you’re a customer of theirs; in other words, when you get asked to do something, it may seem insignificant to you compared to other things you’re doing, but your efforts may have downstream impacts that aren’t apparent to you. Your time might translate to something very significant to someone else.
  • Looking back, nothing was more instrumental to my success than an internship. Applying what you learn in class to real world problems takes your learning to the next level. In the three months of my internship, my skills grew at an exponential rate. I made lifelong friends, I learned about new technologies, and I learned how Information Technology can support and even drive the business.
  • “Do not sacrifice theoretical learning for implementation centric learning, and vice versa. They are both duals of each other, and not at odds with each other. If you sacrifice theory, it will deprive you of a much needed analytical framework to rigorously scrutinize the complexity of algorithms. If you sacrifice implementation, you might as well be a math major specializing in discrete math. Likewise, do not sacrifice depth for breadth or vice versa.”
  • Focus on people and learn your business/industry. The technology will come naturally.
  • Always tell the truth. The cover-up is worse than the crime.
  • If you focus on automating yourself out of a job, you’ll never have to look for employment.
  • You’re going to cause an outage. Learn from your mistakes and don’t repeat them.

My encounter with an IRS scammer

For those of you that don’t know, phishing is the activity of defrauding an online account holder of financial information by posing as a legitimate company. Last year, I almost fell for a phishing attempt by someone claiming to be an IRS employee.

I’ve held a variety of roles in Information Security and you’d think I would try to hide the fact that I almost fell for a phone-based scam. However, I think my story can help others so I’ve decided to share it on my blog. Also, it’s not like I’m the only IT Security professional to almost fall for a phishing attempt. Chris Hadnagy literally wrote the book on Social Engineering/Phishing and has been tricked by a an Amazon phish.


At the time I first was contacted by a fake IRS employee, I was in the middle of a legitimate dispute with the IRS over a tuition deduction from a few years prior. I working from home and randomly received a call from a number in Cincinnati from someone claiming to be an IRS employee. I knew that the IRS had an office in Cincinnati and despite the fact that all of my prior correspondence related to my aforementioned dispute had been written, I didn’t think it was out of the realm of possibility that someone from the IRS would call me.

The “employee” began the call by stating that I was going to be taken to court over unpaid taxes. The caller gave me a case number and knew enough about the inner workings of the IRS to sound legitimate. It didn’t make any sense to me why I would suddenly be taken to court when my last document submission was mailed several months before the stated deadline. This should have been my first clue that the call was not legitimate. Unfortunately, due to the fact I was actually worried about my legitimate issue with the IRS, my guard was down.

I was obviously distraught at this point. If my dispute went to court, I would possibly spend more on legal fees and accountants than I actually owed to the IRS. Even though I knew I did nothing wrong, the idea of a settlement went through my head while the caller discussed the issues. However, I wanted to make sure that my accountant was involved in the final decision.

The “employee” let me know that I could avoid court and the associated fees by simply settling over the phone. It was if they could read my mind. I let them know that I wanted to consult my accountant and a few family members with deeper knowledge of tax law before making a final decision. The caller started to get very impatient at this point.

I started to get more of a sense that this call was fake. I eventually asked the “employee” to provide me with a publicly posted phone number for their office. I wanted to call a validated phone number to confirm that I was speaking with an actual IRS employee. I felt that this was a completely reasonable request.

The scammer became enraged, they told me that if I hung up the phone that they would issue an arrest warrant. They demanded that I drive straight to the bank while leaving them on speaker phone. They wanted me to wire them money to a specific account. I was now 100% confident that I was being phished.

If this ever happens to you, this is the point where you should just hang up and report the incident. However, I decided to have a little fun. I decided to keep the scammer on the phone for around 30 minutes while I “drove” to the bank to wire them the money. In reality, I was just sitting at my desk listening to music and catching up on email. I asked them for the account number and routing number so I could “wire” them the money. Armed with that information, I placed the scammer on hold and called the Ohio Attorney General’s office. I filled out a form to inform the IRS as well.

After providing the Ohio Attorney General’s Office and IRS with the details, I hung up on the scammer. They called me back about a dozen times in rapid succession before moving on to their next attempted victim. I’m now almost certain this fraud attempt originated from India where dozens of people were arrested for operating entire call centers filled with fake IRS agents. A few weeks later, I received a letter from the IRS stating that my dispute had been resolved based on the documentation that I provided and I no longer owed any money.

Lessons Learned:

  • The IRS has an entire webpage devoted to validating communications received by their employees. The page also has information for reporting phishing attempts.
  • The IRS will never
    • Call to demand immediate payment, nor will they call about taxes owed without first having mailed a bill.
    • Demand that you pay taxes without giving you the opportunity to question or appeal the amount they say you owe.
    • Require you to use a specific payment method for your taxes, such as a prepaid debit card.
    • Ask for credit or debit card numbers over the phone.
    • Threaten to bring in local police or other law-enforcement groups to have you arrested for not paying.

My Thoughts On IT Certifications

A few days ago, a former colleague asked me about IT certifications. They’re at a bit of a career crossroads and wanted to know whether or not I thought obtaining a certificate was worth the investment of time and money. Given their circumstances, I told them that I thought it would be worthwhile for them to learn about a specific piece of technology and take an exam. However, I was sure to specify that obtaining an IT certification won’t necessarily guarantee that they’ll get that big promotion or secure their dream job.

It’s important to note that every hiring manager is different. As a hiring manager myself, I personally don’t hold a whole lot of stock in certifications. I’ve had coworkers with a half-dozen certifications that were very unreliable when it came to implementation and troubleshooting. I have also worked with some extremely talented individuals that don’t hold a single certification. There isn’t necessarily a correlation between a cert and success.

Don’t get me wrong, there are definitely benefits to obtaining IT certifications. In fact, some organizations won’t consider candidates without relevant certs. During my most recent job search, I ended up getting more questions about my certs from VMware and Microsoft than I did about my Master’s degree. I’m positive that those little vendor logos went a long way to get my resume past HR and to the hiring manager. However, that’s only half of the battle when attempting to secure a position.

Certifications aren’t ever going to be a silver bullet. At some point, you’ll need to rely on your reputation and industry experience to advance your career. That being said, certifications won’t hurt you. They can expose you to technology that you may not get a chance to interact with on a daily basis. Every circumstance is different but if you’re looking to gain exposure to a new area of technology or feeling a bit stale, obtaining a vendor certification is the way to go.