The benefits of IoT are just as well known as the risks that come with it. And, as happens with most new tech trends, CIOs are wary of jumping in at first, Tom Pincince, CEO of Digital Lumens, an intelligent LED lighting startup in Boston, said.
But Pincince hopes CIOs won’t be too wary because although there are risks, “the business benefit is so great that I think the balance between making [IoT] secure and making [IoT] useful [can] easily be reached,” he said.
Lean forward into IoT
Pincince advised CIOs to “lean forward into IoT” and think about how they would use data the IoT will inevitably bring to improve business operations.
As an IoT startup, Digital Lumens, Pincince and his team have already begun to discover what connected objects can do for businesses.
“One of the big things that we’ve been able to include in our product is this facility occupancy map,” said Yolonda Smith, application engineer at Digital Lumens and formerly part of the United States Air Force with a background in cyber security and cyber defense. The occupancy map takes data collected by the LED light fixture sensors in a room, warehouse or manufacturing floor, for example, and maps out where the most activity is happening. “I actually showed that map to a facility manager and a general manager at a certain point and you just saw his eyes go to saucers because all of a sudden he recognized that he can make other decisions based upon the information I just gave him,” she said.
This particular facility manager oversaw a large warehouse with over 1,500 of Digital Lumens’ LED lights installed and collecting data, Smith said. The occupancy map made it possible for him to see where within the warehouse his employees walked most. With this information, the facility manager could then rearrange the inventory in the warehouse so that his employees could pull product off the shelves and get it to the trucks more quickly and efficiently.
“That way he could get the competitive advantage,” Smith said. “It was actually really cool that they were able to take it from a light sensor to actually having inventory management.”
But how can CIOs take advantage of all that IoT has to offer while remaining secure?
Here are five IoT security tips from an IoT startup:
1. Be open to discussing IoT within your organization
Like BYOD, IoT is entering the workplace without the CIO even knowing it, Pincince said. And the reason employees are not talking to the CIO about their use of IoT is because “they think the only thing that will happen is that [the CIO] will say no,” Pincince said. CIOs need to embrace IoT and open up the conversation about security best practices with their employees. Pincince said the CIO needs to come forward and say, “I want to engage, let’s make sure that’s all safe, that all the security information and security policies are in place” and figure out how to be partners with employees using IoT devices.
2. Assess the level of necessity
For CIOs in companies creating connected devices that will be part of the IoT, Smith advises that they make sure the data being collected is absolutely necessary to the overall system.
“Every single piece of data that [Digital Lumens] collects is patently necessary to the function of the system and it’s used to, of course, help facility managers and help business leaders and CIOs make other decisions about their infrastructure and about their company and about how they want to move forward,” Smith said.
3. Principle of least privilege
This is the idea that certain people within an organization either using IoT devices or creating IoT devices don’t need access to certain applications or systems or controls in order to do their job, Smith said. Smith uses a toaster as an example: “We don’t need the toaster to have the ability to turn on or to change or to have access to our credit information.” The same goes for a company’s employees; only certain employees should have access to certain information, controls and systems because that access is necessary for them to do their job.
4. Utilize systems
“Utilize services that will allow you to patch, update security policies, update security controls and patch vulnerabilities in addition to updating firmware,” Smith said. She said that one aspect of Digital Lumens’ system that is very helpful when it comes to security is that it allows the team to very quickly update the software and hardware.
5. Use as few services as possible
Digital Lumens, for example, only uses services that are absolutely necessary to make the system work, Smith said. “In our case we only use a service that allows us to provide the most support and we also use a service that allows customers to very quickly interact with the system in a familiar interface — mainly a webpage,” she said. Other than that, everything else is turned off. “Turn off all the services that you don’t need, only use those things that you absolutely need to get your job done,” she said.
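Tips 3 and 5 above both come down to a default-deny stance: a person or device gets only the actions its job needs, and a system runs only the services it needs. The following is an added example, not code from Digital Lumens or any product the article describes; the roles, actions, service names and port list are constructed for illustration.

```python
"""Default-deny checks for least privilege (tip 3) and minimal services (tip 5).

Added example with hypothetical roles, actions and services; it is not
Digital Lumens' code and does not describe any real system.
"""

# Hypothetical actions on a connected-lighting system. Nothing outside this
# set can ever be granted, so a typo in a policy fails closed.
ACTIONS = {
    "read_occupancy_map",
    "adjust_light_level",
    "update_firmware",
    "update_security_policy",
    "read_billing_data",
}

# Constructed policy: each role lists only what that job actually requires.
# The "light_fixture" role plays the part of the toaster in Smith's example:
# a device account that can do its one task and nothing else.
ROLE_PERMISSIONS = {
    "facility_manager": {"read_occupancy_map", "adjust_light_level"},
    "lighting_admin": {
        "read_occupancy_map",
        "adjust_light_level",
        "update_firmware",
        "update_security_policy",
    },
    "finance": {"read_billing_data"},
    "light_fixture": {"adjust_light_level"},
}


def is_allowed(role: str, action: str) -> bool:
    """Return True only if the role was explicitly granted a known action.

    Unknown roles, unknown actions and ungranted actions all return False;
    there is no fallthrough that grants access by accident.
    """
    if action not in ACTIONS:
        return False
    return action in ROLE_PERMISSIONS.get(role, set())


# Constructed snapshot of what a device is listening on, as (service, port).
SAMPLE_LISTENING = [
    ("https", 443),
    ("ssh", 22),
    ("telnet", 23),
    ("ftp", 21),
    ("upnp", 1900),
]

# The two services the article's approach keeps: a web interface for
# customers and a remote-support channel. Everything else should be off.
NEEDED_SERVICES = {"https", "ssh"}


def unexpected_services(listening, needed):
    """Return listening services that are not on the allowlist, sorted by port.

    A non-empty result is the list of things to turn off (or to add to the
    allowlist, if someone can justify why the job needs them).
    """
    return sorted(
        (name, port) for name, port in listening if name not in needed
    )


if __name__ == "__main__":
    for role, action in [
        ("facility_manager", "read_occupancy_map"),
        ("facility_manager", "update_firmware"),
        ("light_fixture", "read_billing_data"),
        ("intern", "read_occupancy_map"),
    ]:
        verdict = "allow" if is_allowed(role, action) else "deny"
        print(f"{role:17s} {action:23s} -> {verdict}")
    print("services to disable:", unexpected_services(SAMPLE_LISTENING, NEEDED_SERVICES))
```

Both checks share one property worth copying: the allowlist is the only source of a "yes", so adding a new role, action or service requires someone to write it down, which is exactly the conversation tip 1 asks CIOs to have.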
Let us know what you think about the story; e-mail Kristen Lee, features writer, or find her on Twitter @Kristen_Lee_34.
CFOs have long played a key role in making IT investments, and in recent years this influence has not only been maintained but is growing, according to research from Gartner based on a survey of about 200 senior financial executives from companies of all sizes across various industries.
Overall, the June 2014 survey found that 29% of CFOs made IT decisions, compared with 24% from 2013 and the same percentage from 2012 — more authority over IT than any other executive, including the CEO (23%) and the CIO (5%). But more significantly for small and medium-sized businesses (SMBs), the CFO’s rising influence is even more apparent in those organizations: Thirty-eight percent of CFOs authorized technology investments in small businesses (those with as much as $50 million in annual revenue), compared with 35% at midsize companies (more than $50 million to $1 billion) and 14% at large enterprises (more than $1 billion).
Another interesting finding is that in SMBs, there’s a higher occurrence of CIOs reporting to CFOs. The midsize-company group showed the highest occurrence, at 58%, followed by small organizations (49%) and large businesses (35%). The report does issue a caveat about the bias in the study — that technology-minded CFOs were more likely to respond than those with only a fleeting interest in IT. Given this pool of respondents, the number of occurrences of IT reporting to the CFO in the SMB group is substantially higher compared with other Gartner surveys, the report’s authors said.
SMBs lack CIO-CFO partnerships
However, despite CFOs’ growing IT decision-making role, not many are partnering with their CIOs on those decisions, particularly in SMBs, the study found. Only 14% collaborated with IT on IT decision making in midsize companies, and a mere 11% work with their CIOs in small organizations (in large organizations, the number is slightly higher, at 16%). This data indicates that although these financial executives understand how crucial technology is to business success, quite a number of them see themselves as either directly responsible for IT or at least a major authority on IT decisions. These perceptions make sense, according to Gartner, because CFOs are generally tasked with controlling their organizations’ budgets and examining the highest-value items. But the data also seems to suggest a gap: Something is holding these executives back from consulting with CIOs when making these decisions.
While the Gartner report doesn’t offer any possible reasons for this gap, CIO analyst and ZDNet columnist Michael Krigsman believes that other recent survey reports showing similar results indicate that many CIOs still lack credibility and respect from their business peers. In his column he points to three contributing factors, including the persistence of old perceptions of IT as just about infrastructure and CIOs’ struggle to find their place in a digital world where IT expectations have shifted.
So what should SMB CIOs do to address this divide? The Gartner report’s authors strongly urge companies to make sure not only that their CFOs are educated about technology, but that CIOs and CFOs are speaking a common language when it comes to how to use this technology for competitive advantage. “CFOs and IT professionals need to understand how the CFO should be involved, to ensure that the right investments are selected in IT to deliver the right benefits based on the organization’s goals and strategies,” they write. Krigsman’s advice on how to start: “spending more time with business departments and leaders, learning nuances of their needs and goals.”
Graph analytics is not new, but it’s taken on a new life in the enterprise—partly due to better, faster and cheaper technology. Senior News Writer Nicole Laskowski explores the trend and lays out how Goldman Sachs is using a homegrown graph analytics platform for compliance, surveillance and fraud detection.
Want to get ahead? Partnering with your CFO might be the perfect next step. Following Google’s announcement that Wall Street bigwig Ruth Porat will be their new CFO, Site Editor Fran Sales discusses the growing CFO role in making technology investments and the benefits of a strong CIO-CFO relationship.
Post-Millennials—referred to as Gen Z—are set to shake up workplace culture. In a recent video interview, Tom Koulopoulos, co-author of The Gen Z Effect, spoke to SearchCIO about Gen Z-ers now entering the workplace in force and how CIOs can take advantage of that.
Business process management (BPM) systems can be great for your company—except when they’re being used to cover up bad workflow processes. SearchCIO expert Niel Nickolaisen talks about the appropriate use of BPM systems, and how using it as a replacement for process and system simplification can negatively affect your company.
Speaking of BPM, how has digitization affected traditional business process management? SearchCIO expert Harvey Koeppel argues that the BPM lifecycle hasn’t changed as much as you’d think.
Is your business set up to fail? If the leaders of a startup don’t share a common vision, the answer may be “yes.” Take this leadership survey, created by SearchCIO expert Bryan Barringer, to find out if your company is in trouble and what you can do to stop impending disaster.
Should you upgrade to the 802.11ac standard? SearchCIO expert Matthew Craig gives tips on conducting a formal evaluation and talking to network vendors about whether your core equipment can support it.
According to Forrester, CIOs will be the ones running the Internet of Things (IoT). But are they ready? Features Writer Kristen Lee outlines five IoT challenges and five steps that can help CIOs handle them.
Over on the IT Compliance Advisor blog, Sales runs down the latest security and compliance headlines—including the FBI’s quest to expand its hacking authority, the Pentagon’s new program to protect personal data, and a new report that finds most companies fail PCI compliance tests.
Looking to deal with the issue of shadow IT? Then it’s time to rebuild the relationship between embedded IT and central IT. According to ITSM expert George Spalding, the key to solving problems both company-wide and between the two groups hinges on bringing them together and establishing a common language centered on services rather than technology components.
As Site Editor Fran Sales writes, you can now send instant messages and money transfers in the same Facebook conversation. Why does this matter to CIOs? In the latest Searchlight, Sales talks to an IT expert to find out whether this Facebook Messenger feature is the next possible mobile payments disruptor.
BYOD, IoT and mobile devices — how are these impacting wireless networks? In this Q&A, Editorial Director Sue Troy talks with networking expert Craig Mathias to find out how disruptive technologies and devices are shaking up wireless protocols and networks.
How familiar are you with Regulation Systems Compliance and Integrity (Regulation SCI)? In this Q&A, SearchCompliance expert Jeffrey Ritter discusses how SEC oversight expands under Regulation SCI, and how the new rule could mean big changes for IT compliance.
In the latest TotalCIO blog post, Features Writer Kristen Lee explores Gartner’s recent statements about the need for IT departments to be open to and aware of startup-like entities — a trend known as bimodal IT — within your IT organization.
What does the FCC ruling mean for innovation and privacy? Read this #GRCChat recap to get SearchCompliance editors’ and followers’ take on the new net neutrality norm.
Are you properly managing renegade IT at your organization? Assess your IT management skills with this CIO quiz.
Speaking of shadow IT, join SearchCIO editors, fellow tweeters and guest expert Derek Lonsdale on Wednesday, March 25, at 3 p.m. EST for our #CIOChat to talk about dealing with shadow IT and effectively managing IT services. We’ll also be discussing the difference between healthy and unhealthy shadow IT.
But that’s not the only chat happening this week! On Thursday, March 26, at 12 p.m. EST, SearchCompliance editors and followers will be talking GRC management in the digital age in the next #GRCChat. Discussion may include how to avoid both regulatory and consumer risk, the risks created by customer-centric technology, and the lack of business incentives. See you there!
Are CIOs being seduced by digital eye candy instead of thinking about profitability? In the latest Data Mill, Mark McDonald, managing director at Accenture, gives tips on how CIOs can maximize profit and avoid relying on the old way of doing things when forging a new digital strategy.
PayPal is buying mobile wallet startup Paydiant for about $300 million. Features Writer Kristen Lee talks to market analysts and gets their take on the acquisition and its implications.
The highly anticipated Apple Watch has arrived. Will it be the enterprise’s next big device? In this week’s Searchlight, Associate Editor Fran Sales discusses the Apple Watch and investigates how it could affect the enterprise.
As mobile computing technology evolves and data proliferates at an increasing rate, how can business make the most of the situation? In this feature story, Senior News Writer Nicole Laskowski explains that companies need to join the two forces—mobile computing and data—in order to compete effectively.
How can CIOs best manage cloud data and applications while mitigating risk? In this SearchCIO Essential Guide, we explore cloud risk management best practices that can help your company master the private, hybrid and public cloud and maximize business value.
Think your cloud governance strategy is on point? Take our quiz to test your knowledge of cloud computing management essentials that can make for a smooth cloud transition and help your business avoid IT risks.
Staff shortages in the current threat-laden environment can be dangerous to a company’s security and compliance strategies. How can you satisfy the need for talent and keep your business’ security practices on track? SearchCompliance expert Jeff Jenkins shares his experience with staff shortages and gives tips on how to deal with the situation and find the right employees.
On the IT Compliance blog, Sales discusses private companies’ surprising lack of motivation when it comes to strengthening cybersecurity, recent legislation around consumer data processing and the corporate failures predicted for 2015.
Meanwhile, over on the TotalCIO blog, Laskowski explores the benefits of reverse mentoring in helping older workers stay up to date on the latest technology through Millennials’ assistance.
Knowledge workers might soon be competing with machines for jobs. In this week’s Data Mill, analytics thought leader and author Tom Davenport explains the business benefits of computer augmentation and lays out five strategies for surviving rising automation.
What happened at this year’s Mobile World Congress in Barcelona? In this week’s Searchlight, Fran Sales presents highlights from the event, including mobile payment breakthroughs, the push for global Internet access and BlackBerry’s transition into a software company. Also in Searchlight: Apple Pay fraudulent activity and Hillary Clinton’s use of personal email.
In the latest CIO Decisions e-zine, SearchCIO experts address a now-timeless quandary: cutting versus keeping legacy IT systems. Find out how to decide which systems are worth keeping and hear legacy systems management success stories.
Are CIOs ideal picks for next-generation CEOs? Some IT leaders think so. In this TotalCIO blog post, Executive Editor Linda Tucci talks to experts and outlines the trending CIO-to-CEO discussion. Also on the TotalCIO blog, Features Writer Kristen Lee covers the Fusion 2015 conference by discussing the Internet of Right Things and the three phases of cybersecurity maturity. The Fusion conference also addressed how entrepreneurs can construct a successful company culture, as Senior News Writer Nicole Laskowski writes in her blog post.
For private sector companies struggling with high-tech compliance, the U.S. Securities and Exchange Commission’s new Regulation SCI could be the answer. SearchCompliance expert Jeffrey Ritter highlights five things all IT teams should know about Regulation SCI.
What are the biggest IoT security challenges facing the enterprise? In this #CIOChat recap, participants list the top IoT security risks and share their lessons learned from BYOD policies.
Think that because your business is not the size of a Target, JPMorgan Chase or Sony means that you’re immune from today’s breed of cyberthreats? Think again. Just because small and medium-sized businesses (SMBs) don’t have the financial resources or the brand reputation many enterprises do doesn’t mean hackers aren’t targeting them, recent studies show.
Why exactly are SMB organizations in these hackers’ crosshairs? It isn’t so much what’s on their networks, but how attackers can use those networks. “The hackers are looking at that network as another means, as another jump-off point, to go out and get some other networks. They want to turn your network into basically a botnet,” said Page Moon, CIO of Focus Data Solutions, an IT and Web hosting firm, at an IT Nation 2014 session in Orlando, Fla., last year. In other words, SMBs’ systems are a potential entry point into other, larger networks.
And what do SMB IT pros believe is their top cybersecurity vulnerability? Employees. According to a 2014 study by digital security firm Gemalto, which surveyed 438 IT professionals who work in SMB organizations, 77% of these IT pros believe employees to be the single weakest link in their security infrastructure, and a similar percentage — 75% — say that employees, particularly the risk of them unintentionally leaking data, are their top cloud security concern. And there might be a reason for these fears. According to the findings, the two security challenges that top the IT pros’ lists are social engineering (48%) and BYOD management (42%), which both involve employees.
Social engineering threats expected to rise
The first of these security hurdles, social engineering, is a particularly devious form of cyberthreat because it exploits the fact that many SMBs — their employees and IT pros alike — are lacking in security education; for instance, many believe that only back-end operations are vulnerable to the latest cyberattacks, said Moon. And this security gap has a wider scope, according to the authors of Symantec’s 2014 Internet Security Threat Report (ISTR), which examined trends in 2013. “While the ease of installation and cost of maintenance may have decreased, many new administrators are perhaps not familiar with how to secure their servers against attacks from the latest Web attack toolkits,” the authors write. SMB IT admins also aren’t necessarily diligent about security, such as staying up to date with the latest patches, they said.
Social engineering is lucrative for hackers. For example, 62,000 attacks of one common type of social engineering, spear phishing, raked in $233 million in October 2013 alone. Not a shabby profit, considering that one can buy a spam service to send out half a million phishing emails for only $75, according to RSA, the security division of EMC Corp. And spear phishing aimed at SMBs has been on the rise in recent years: In the Symantec study, 41% of the IT pros who work in companies with 1 to 500 employees reported this type of attack in 2013 — a 5% increase from the previous year. And according to Angel Grant, senior manager for anti-fraud solutions at RSA, social engineering attacks are poised to increase this year.
Employee education reduces risks
It’s clear that it’s not just Fortune 500 companies that are the targets. So how can SMBs arm themselves with the limited resources that they have? For starters, implementing the best security tools and technologies you can afford, perhaps cloud-based security apps, is certainly critical. But you also need to educate your employees. The benefits that come with equipping employees with the knowledge of how to effectively deal with threats are quantifiable — doing so can reduce security risks by up to 70%, according to companies surveyed by the Aberdeen Group recently.
It’s important to note, however, that training employees doesn’t just mean teaching them best practices on creating complex passwords or how to spot suspicious emails, but also changing how they approach their interactions online in general, said Chris Hadnagy, founder of security training company Social-Engineer. “If you just want people to follow the rules — don’t think, just do — you create an easy environment for [hackers],” he told Inc.
Application security is becoming self-aware. A new tool called runtime application self-protection (RASP) could help CIOs boost their IT security, but some experts question whether it’s enterprise-ready.
What can you do to compete against service providers and take back control of your organization? SearchCIO expert Niel Nickolaisen offers a few tips on how to build a better IT service model.
This week, Google launched a set of business-focused technologies that allows employees to run their personal and corporate apps on their Android device. Is Android for Work set to take the enterprise by storm and give Apple and Microsoft a run for their money? In this week’s Searchlight, Associate Editor Fran Sales discusses the program’s pros and cons. Plus, the FCC’s net neutrality proposal passes and a sex bias lawsuit rocks Silicon Valley.
DevOps is a hot trend in IT that’s making companies more flexible and competitive. But, according to Gartner analyst David Cearley, the approach as it is typically practiced today doesn’t go far enough. Cearley explains why security needs to be included in DevOps models and gives tips on how to do it.
Speaking of security, SearchCIO expert Harvey Koeppel dishes on next-generation security risks and how to formulate a new strategy in a mobile culture where the number of mobile devices now outnumbers the number of people in the world.
New PCI DSS 3.0 requirements focus on making sure data security becomes a part of companies’ everyday business processes. But how will they affect your company? In this FAQ, SearchCompliance contributor Caron Carlson explains the changes to expect with the latest version of PCI DSS.
Also on SearchCompliance, learn why continuous monitoring, third-party vetting and other IT best practices are vital to long-term mobile compliance and security. Plus, the latest IT Compliance Advisor blog post broaches the subject of the extra privacy fee that comes with AT&T’s high-speed service as well as Google’s privacy inspections agreement with a European data privacy regulator.
Making the move to the cloud doesn’t need to be complicated. Over on the CIO Symmetry blog, Features Writer Kristen Lee gives expert tips on how to migrate to the cloud and mitigate risks, and what to do after migrating to the cloud.
As explained in my previous post, “Tips for a smooth cloud migration,” the first big hurdle in a cloud migration is figuring out how to get all your data over to the cloud safe and sound.
“Those are good things to worry about and good things to get through,” Lilac Schoenbeck, vice president of product marketing and product management for iLand, a cloud provider, said during a webinar on cloud migrations. But once all the data has been successfully moved to the cloud, more planning still needs to be done. Failing to do so could put an additional management burden on the IT team, Schoenbeck said.
Here is one cloud provider’s tips on how to prepare for and manage the day-to-day once you’ve migrated to the cloud.
Find a provider with a clear, straightforward management environment.
Cloud providers can put heavy demands on the IT team. For example, they can require the IT team to understand their particular kind of scripting, as well as configure their particular management tools, Schoenbeck said. It’s important for IT leaders to figure out what the day-to-day will look like and how much additional work will be put on your staff. “[There are] different types of clouds, different underlying hypervisors, different systems are going to throw off different kinds of metrics,” she said, adding that these conditions could mean that the successful cloud migration could in fact become “an ongoing burden on your team.”
A good strategy? Find a cloud service that has an environment close to your on-premises environment, so it will be easier to operate and easier to evaluate if something goes wrong, Schoenbeck said.
Don’t get stuck with an unexpected bill.
“We always want to know what our costs are going to be. One of the big concerns moving to the cloud is maybe these costs could be very variable, and I might be stuck with a bill I didn’t anticipate,” Schoenbeck said.
She outlined two ways to mitigate that risk.
First, an IT leader or company could go with a provider who uses a reservation pricing model, which means that your costs are fixed month-to-month and you’ve basically reserved a pool of resources in the same way that you might have an on-premises pool of resources to allocate however you like, Schoenbeck said.
The second option is a pay-as-you-go or the bursting model. With this model Schoenbeck said it’s important “to look for [a provider] who’s going to be really transparent on what you’ve spent so far and, in fact, even predictive about what you will be spending if your behavior continues as it is.”
This visibility will also allow IT leaders to communicate with stakeholders, the procurement team, and whoever else might want or need to know what the bill will likely be at the end of the month, she said.
Look for a provider with a customer-driven roadmap.
Schoenbeck said that some cloud providers will invest very little in management support. As your company juggles more and more projects in the cloud, it then becomes “more and more difficult to operate [and] you don’t actually have anybody… to help ease the way.”
That’s why it’s always important to look at the support options that come with the cloud service you’re planning to migrate to, Schoenbeck advises. She suggests that IT leaders choose a cloud provider that is going to work with you and work with what you need so that the management burden is minimized.
“Often times that’s going to make a big difference in what this means for your team operationally,” Schoenbeck said.
Migrating to the cloud may be a top mandate for CIOs, but it is no easy feat. In fact, cloud migrations “are notoriously difficult” and about 80% of them fail, Mark Broghammer, director of solutions engineering at iLand, a cloud provider, said during a webinar about cloud migrations.
So how can you migrate to the cloud and mitigate risk?
Here are some suggestions Broghammer has for CIOs and companies to think about as they plot their cloud migration strategies.
Long-term analysis, the method often used to try to gauge whether an application will work, doesn’t always help you predict whether an application or server will work well with the cloud service you are planning to migrate to. “The fact is, you don’t know how an application’s going to work in the cloud,” Broghammer said.
This is where load testing, or performance testing, is helpful, Broghammer said. With load testing, a cloud testing provider can test an application or applications against the actual number of users expected. Based on the results of the test, a CIO or company can then gain better insight into how that cloud service will work for them and what the performance of their applications will look like when they actually migrate over to that cloud service.
Migrating physical vs. virtual workloads
We live in a hybrid IT world and companies aren’t uniform across the board when it comes to the type of technologies they’re using. Some companies have a mixture of legacy systems, on-premises, and off-premises services.
“The point is, how can you be cost efficient if you’re running many types of projects on systems being handled by different teams both internally and externally?” Broghammer said.
Different providers often have different systems in place and different processes. Therefore if you have a hybrid environment of different projects on different systems it can be difficult to coordinate everything. That’s why it’s important to make sure your providers have a single approach for the physical and virtual workloads that you are planning to migrate to the cloud, Broghammer said.
He added that now that there are multiple hypervisor program options out there, companies also need to make sure the same processes and systems are in place when choosing a hypervisor program to help them with their migration.
“When migrating, again, make sure the models of migrating different platforms follow the same technology set, or stack, that you’re using for those particular workloads,” he said.
Methods of sending data to the provider
There are several methods for getting your data over to your cloud provider, but the typical ways include physically shipping a drive with your data and/or replicating data.
When it comes to physically shipping a drive, it’s important to ask yourself: are you 100% comfortable with this method? Sure, you can send an encrypted drive, Broghammer said, but the fact is that the drive and the data on it will pass through the hands of many people. “And the potential loss of that data could set you back in your timeframes,” Broghammer warned.
His suggestion? “I would tend to favor an over the wire approach” because the data would pass through fewer hands and there is added protection with Secure Sockets Layer (SSL) business process management (BPM).
Another option is replicating and colocating data.
“Where the data becomes a bit more stagnant (in other words, data that is just sort of sitting there and not much is being done with it) you need to have a multi-site or multi-location strategy with that,” Broghammer said. Even though you may be migrating certain pieces of your architecture into a cloud environment, Broghammer advises that you still may need to colocate and replicate the data.