It’s not if, it’s when. That’s how a Massachusetts Technology Leadership Council panel of security experts talked about the potential for security breaches in the cloud. That inevitability might be one of the reasons why enterprise CIOs are still reluctant (though less so than they used to be) to head to the cloud, a luxury small and mid-sized businesses simply cannot afford. The good news for those in charge of SMB IT: There are ways to diligently prepare for a sneak attack that can help mitigate the potential damage.
In this SearchCIO small business IT tip, Nick (aka Rattle) Levay, CSO at security provider Bit9 in Waltham, Mass.; Chris Ray, chief information security officer for targeted marketing firm Epsilon; and Chris Wysopal, co-founder and CTO at Software as a Service security provider Veracode, address the question: “How do you prepare your company to respond to a breach?” Here are their pointers:
Reach out to business teams, law enforcement and security trainers
Chris Ray: Make sure you have other departments involved up front [such as] legal and corporate communications. Have a preexisting relationship with external law enforcement, consult with them. … I’m also a firm believer that if you don’t have a large team, leverage someone else and do not take this all upon yourself. There are plenty of companies out there that have forensic retainer services. Get that in place [because] when something happens, you don’t want to be scrambling around trying to get a contract signed. Have someone available. And when you do a retainer-type service, they’ll offer so many hours of free training to help you in your program. Having that in place is, by far, one of the most important things to make sure you do.
Visualize worst case scenarios
Nick Levay: I understand that a lot of small organizations can’t do a full written response plan, but as someone whose responsibility it is to do security, you should spend some time working through some of your worst-case scenarios and doing mental preparations. That’s because at any given point, you could come into work one day and find out it just turned into the worst day in your career. At that time, it’s going to be important to senior management that you are calm and in control. If you can do that, all of those interactions with executives, help desk, the legal department … all of that stuff gets easier if you can convey calm and control. The only way you can do that is by working through worst-case scenarios in your head.
Organize drills to provide hands-on experience
Chris Wysopal: One of the things we do, and we do this quarterly, is “table top exercises.” So we all get into the board room — the security team, people from IT, people from corporate communications, the corporate counsel — and come up with the different scenarios that could potentially happen. Usually it’s about a two- to three-hour exercise, and the person leading rolls out the information you’re discovering. I guess it helps if you play Dungeons & Dragons. It’s been very helpful for us when we’ve had incidents that just resulted in downtime that could have been a security incident but turned out to be some sort of human error. Having those processes in place so people know to get together and work through it is invaluable.
Get to know the business
Levay: If you’re in charge of security and response for a company, you have to understand the business. If you are a pure technical person and you only understand the technical infrastructure and you don’t understand how the business works, it’s going to be hard to run a security response. That’s one of the things about practicing security that makes it so intellectually challenging when you really get to the management levels: You need to understand the business really well. Not necessarily as well as the CEO or the CFO does, but you need to understand the business mechanics: where the money flows, where the crown jewels are, how the groups interact with each other. Otherwise, you’re not going to be able to make informed decisions.
Cybersecurity is front and center on SearchCIO this week.
With cyberattacks coming from every corner, CIOs and security experts believe a strong security program can be a competitive differentiator for their companies, similar to how car safety determined the rise and fall of certain brands in the auto industry. But can these security evangelists convince the rest of the business that a function traditionally viewed as a cost can help the bottom line? Executive Editor Tina Torode looks into various infosec case studies in this week’s feature.
Speaking of ‘cyber’ matters — the perimeter defense is officially dead. That’s according to our expert contributor Harvey Koeppel, who addresses common cyberdefense myths in this week’s CIO Matters column and explains why it’s time to play some cyberoffense.
Koeppel isn’t alone in the call for modernizing cyberdefenses. Ed Amoroso, CSO at AT&T, proclaimed at New York’s recent Landmark CIO Summit that it’s time we scrap outdated perimeter defenses and — wait for it — head for the cloud to shore up enterprise security. Executive Editor Linda Tucci reports in our TotalCIO blog.
Also on SearchCIO…
Senior News Writer Nicole Laskowski looks into how Thomson Reuters used crowdsourcing to search for engineering talent, with a twist: through internal competitions. See how Mona Vernon, head of Thomson Reuters’ innovation data lab, got her crowdsourcing project off the ground, and what problems she suggests are crowdsource-worthy.
Meanwhile, wondering what the analytics landscape will look like in a few years? You’re in luck, because some high-profile BI experts have lots of ideas. At Gartner’s Business Intelligence and Analytics Summit, BI heads from the likes of Cisco, GE and Caesar’s Entertainment exchanged views on hiring chief digital officers, predictive analytics and more.
The latest on Searchlight: Facebook tuned in to users’ penchant for creating private content, particularly in the mobile realm — and now has $2.5 billion in Q1 revenue to show for it. Take a hint from the social media giant on how to engage your users; plus, news on Apple considering environmental sensors, Obama’s soccer match with a humanoid robot, and more.
Lastly, remember the prediction that by 2017 CMOs will spend more on IT than CIOs? Forrester Research analyst Andrew Bartels digs into three big reasons why CIOs are still very much in control — and should be — of their business’ tech budgets, despite the increasing technology appetites of their colleagues at marketing.
And on SearchCompliance…
What’s so noteworthy about the Department of Health and Human Services’ announcement of an upcoming pre-HIPAA-audit survey? After all, the Office of Civil Rights has been auditing covered entities since 2012. As Ed Moyle covers in this SearchCompliance tip, what’s different in this new round of audits is that business associates will now be in the regulatory bull’s eye. Find out how business associates should address this challenge.
Hear ye, hear ye: The latest issue of our SearchCompliance handbook has arrived! Read up on the latest happenings in cloud risk management, governance and compliance, including the questions you need to ask cloud providers to gauge GRC readiness, and how cloud strategies are evolving to take security into account.
If you missed April’s #GRCchat tweet jam on information lifecycle management, please check out our recap to catch up on how IT organizations are dealing with mounting data and the resulting governance issues by fortifying their information management strategy.
And on that chatty note — get ready for another #CIOChat tweet jam! Join SearchCIO next Wednesday, April 30, at 3 p.m. EDT to talk predictive and prescriptive analytics. And be on the lookout for next week’s CIO Symmetry roundup; plus, get our news and tips in real time by following @SearchCIO, @SearchCIOSMB and @ITCompliance.
There is a war going on in IT between old and new business intelligence — and it’s slated to be a tough matchup. A story getting a lot of attention on SearchCIO this week came out of Dan Sommer’s session at the Gartner BI and Analytics Summit. Scroll through the comments to learn whether readers are choosing old BI or new BI — but not until you’ve formed your own opinion!
In today’s Searchlight column, learn about this year’s IT-heavy crisis management plan at the Boston Marathon. Also read about Microsoft’s forced update, how you can buy a fancy Toshiba Satellite Pro laptop and the first Heartbleed-related arrest.
Also on SearchCIO…
Does cloud spell the end of corporate IT? Not for CIO Don Baker and CTO Michael Beckley. These two corporate executives are exploiting cloud computing for business gains. This feature story by SearchCIO contributor Dina Gerdeman can also be found in our recent cloud computing ezine.
If IT professionals aren’t worried about cloud technologies taking their jobs, maybe self-service BI tools will have them shaking in their boots. In Monday’s Data Mill column, Nicole Laskowski shares why data scientists might be deemed useless by enterprise organizations in the near future.
In small business news, contributor Christine Parizo shares why it’s important to find a website developer that fits your corporate culture as well as fulfill your organization’s requirements.
In this video from the RSA 2014 Conference in San Francisco, security architect Robert Shullich sits down with site editor Ben Cole to discuss how many companies don’t understand the scope of their data assets and why this ignorance creates big information security holes.
What info management processes are needed to separate corporate and personal data to avoid privacy issues? Jeffrey Ritter, Esq., founder of the Ritter Academy, offers his expert opinion on protecting information assets, whether personal or corporate.
Watch SearchCompliance for recaps from this week’s information lifecycle governance-themed #GRCchat. Interested in joining our next tweet jam? Pencil SearchCIO in for a predictive/prescriptive analytics-themed #CIOChat on Wednesday, April 30, at 3 p.m. ET.
The big news this week? A defect in one of the Internet’s key security methods, OpenSSL, that’s forcing two-thirds of all websites to consider changes to protect the security of consumers. Learn more about what this OpenSSL heartbeat bug — appropriately named “Heartbleed” — means for CIOs in today’s Searchlight column.
Are you looking to perfect your organization’s enterprise risk management strategy? Look no further than our April CIO Briefing! In this Essential Guide, learn to recognize, observe and banish threats to your beloved organization with tips and news stories from SearchCIO. Featured articles cover risks related to human error, natural disasters, financial uncertainties and more.
Evan Schuman, a freelance writer specializing in security, mobile and payments issues, delivered six tips on avoiding mobile application security problems. Read all about these application threats, then weigh in on whether your organization plans to hire a mobile security expert to vet its apps.
Another big question we’re aiming to answer: Does more data ever trump clean data? Greg Pfluger, vice president of information systems at American Family Insurance, took on this burning question at the Fusion 2014 CEO-CIO Symposium — and his response might leave CIOs wide-eyed.
In another data-oriented piece, Senior News Writer Nicole Laskowski explains why Gartner urges CIOs to plan analytics strategies for smart devices — beginning right now. If they snooze on strategizing for a workplace filled with smart T-shirts, smart light bulbs and smart contact lenses, they may very well lose.
March’s #CIOChat coverage is never-ending: Get four CIO tips for bringing software as a service ideas to the executive planning board, and read up on why communication in IT is key to managing rogue IT in the enterprise.
Over on SearchCompliance…
New governance, risk and compliance (GRC) regulations are forcing cloud services providers and customers to modify their data management and security processes. Site Editor Ben Cole shares what your security team needs to know in this SearchCompliance tip. Cole also blogged about the importance of business-wide transparency and buy-in as part of a larger GRC strategy.
How about another round of tweet jams? Join SearchCompliance next Thursday, April 17, at 12 p.m. EDT to discuss information lifecycle governance during the monthly #GRCchat. Two weeks later, mark your calendar for SearchCIO’s predictive/prescriptive analytics-themed #CIOChat on Wednesday, April 30, at 3 p.m. EDT.
This week on SearchCIO.com, we dished up expert advice pertaining to prescriptive analytics, cloud security and shadow technologies.
CIOs hoping to conquer the next business frontier should look no further than our e-zine on prescriptive analytics. In the April issue of CIO Decisions, learn how prescriptive analytics can revolutionize how work gets done and serve as an RX for CIOs aiming to optimize forecasted outcomes.
Last week’s rogue technology-themed tweet jam stirred up quite the discussion on Twitter, much of it revolving around how rogue and shadow are unfit terms to describe what’s going on with unsanctioned IT. Discussions also covered why communication is key in avoiding — or embracing — rogue implementations, as well as the benefits and pitfalls of going rogue.
Did you hear about the new wolf of Wall Street? The lead item in this week’s Searchlight column by Associate Editor Emily McLaughlin focuses on Michael Lewis’s revelations about high-frequency trading. Read the full column for more from the week, including Greenpeace on why Amazon’s cloud is the dirtiest and reasons why carrying two phones — one for personal use and one for business — might benefit users.
This week’s Data Mill column by Senior News Writer Nicole Laskowski outlined five tips for a secure cloud-first strategy, inspired by the Massachusetts Technology Leadership Council’s seminar on securing data, availability and reputation in the cloud. Bonus: Advice on crafting a hybrid cloud strategy.
Cloud chatter isn’t reserved for SearchCIO readers. On SearchCompliance, we held our #GRCchat tweet jam of the year, with a focus on cloud computing security. Read our first recap to learn who readers think is responsible for security in the cloud. Then, learn how GRC regulations force cloud service providers to rethink their security offerings in this tip by Site Editor Ben Cole. And while we’re swapping security tips: How can security professionals ensure privacy in a mobile device management (MDM) policy? Contributor Jeffery Ritter provides the answers.
Could it be true? Mobile users are officially driving the decisions of head honchos. How, you ask? Yesterday, Microsoft CEO Satya Nadella announced the company was launching Office for iPad. As of 11 a.m. Pacific time on Thursday, March 27, all-touch versions of some of the most successful office productivity applications in history — Word, Excel and PowerPoint — became available on the world’s most popular tablet. Read more about this long-awaited announcement in Linda Tucci’s Searchlight column.
Highlighted in our most recent CIO Decisions e-zine, “Rogue Technology: What Lies Beneath,” is this feature on Bart Murphy, CIO/CTO at the Careworks Family Companies. Murphy’s just-say-no-to-rogue-IT mission is aimed at heading off surreptitious technology purchases by giving employees what they need to get their jobs done.
Executive Editor Linda Tucci takes on this month’s Future State, a SearchCIO column focused on emerging technology and its potential impact on CIOs and their organizations. Tucci writes about the latest attempt to mass produce a semi-autonomous flying car — and while this isn’t the first time we’ve heard about the flying car, you should really read the full column to find out the latest advances.
Up on our TotalCIO blog, Senior News Writer Nicole Laskowski shares a Q&A with Gartner Inc. analyst Tom Austin in advance of the Gartner Business Intelligence and Analytics Summit. The big question on deck: “What will be the biggest pain point for CIOs when it comes to embracing ‘smart machine’ technology?”
In another piece by Laskowski, Greg Pfluger, vice president of information systems at American Family Insurance, explains under what circumstances more data trumps clean data.
Finally, do you know enough about risk management to put your CEO at ease? Take our CIO quiz to make sure you are protecting your most valuable IT assets in light of new threats and emerging mobile trends.
In case you missed it…
Laskowski shared advice from Mark McDonald, managing director and digital business strategy lead at Accenture, on developing a well-thought-out digital business strategy. Karen Goulart’s Searchlight column last week highlighted a “lifelogging” story on Mashable, New York Times news about Android pioneering the official start of the wearable device era and an NPR clip explaining why the Warren Buffet-Quicken Loans billion-dollar March Madness bracket is worth a fortune.
What is expected from the Securities and Exchange Commission (SEC) in terms of regulatory enforcement in 2014? SEC Chair Mary Jo Foley says that this will be “an incredibly active year in enforcement.” Get the full story in this FAQ.
Also on SearchCompliance, contributor Judith Myerson shares five steps for handling residual risks as part of the risk assessment process.
Next week, watch for recaps from the SearchCIO rogue IT #CIOChat and cloud compliance #GRCchat tweet jams. Stay tuned for our next weekly roundup here on CIO Symmetry and follow @SearchCIO, @SearchCIOSMB and @ITCompliance to get news as it’s posted.
“Talking smack” is often frowned upon, but talking “SMAC”? Completely acceptable. In a two-part interview with Andi Karaboutis, Executive Editor Linda Tucci got the Dell CIO to discuss SMAC — social, mobile, analytics and cloud — and the many enterprise uses of these technologies. Karaboutis also opened up about how IT can turn itself from an order taker into a business partner while driving efficiency and productivity.
SearchCIO expert contributor Harvey Koeppel brought his usual array of charts, humor and historical perspective to his latest column on big data. In the first part, Koeppel explains why enterprises can’t simply treat big data as little data writ large, but must understand that it changes everything. In part two, Koeppel points to the myriad ways in which CIOs can draw value from disruptive technologies such as social, wearables, the Internet of Things and robotics.
Can we give some of the “CIO vs. CMO” talk a rest, and focus instead on the synergies a partnership can create? Senior News Writer Nicole Laskowski explains how a strong alliance between CIOs and their organization’s chief marketing officers can bring about a new era of data-driven marketing strategies.
In her weekly Data Mill column, Laskowski took an in-depth look at whether employees are circumventing the official company intranet in favor of the external social platforms they use in their non-work life. Got an opinion? Weigh in on the story page. Laskowski also shares this handy list of five questions CIOs should ask in crafting an effective digital business strategy.
Our latest SearchCIO handbook, “Big Data in Motion,” is ready for your reading pleasure. It’s stuffed with some amazing case studies of healthcare organizations that are using data proliferation to improve health outcomes, despite the sometimes-sticky matter of protecting data on the move.
In SMB coverage: We round up some of the best free IT templates from around the Web and share a webcast that lays out the benchmarks of a winning bring your own device program and shares the five W’s that every organization should consider as part of a BYOD acceptable use policy.
Last but not least: It’s almost #CIOChat time! Plan to join us Wednesday, March 26, at 3 p.m. EDT when we discuss rogue and shadow IT and all of its benefits and drawbacks.
Our latest FAQ looks at how Securities and Exchange Commission enforcement and development of rules will evolve in 2014, which has already been an active year, contributor Caron Carlson explains.
What are your organization’s biggest governance, risk and compliance (GRC) snafus and obstacles? In this video from the recent GRC Summit in Boston, Site Editor Ben Cole speaks with an expert about how a lack of collaboration and poor third-party management can doom a GRC program.
SearchCompliance will also be hosting its own tweet jam, #GRCchat, next week! Tune into Twitter Thursday, March 27, at noon EDT to talk with our editors and followers about the role of compliance in the cloud.
Looking to develop a digital strategy? Start with the basics “but with a digital twist,” says Mark McDonald, managing director and digital business strategy lead for Accenture. McDonald, a keynote speaker at the Fusion 2014 CEO-CIO Symposium in Madison, Wis., said every digital business strategy should answer five questions:
1. Who wants to be your customer? “That’s a fundamentally different question than we’ve had in the past,” McDonald said during his talk. “Who are our customers presumes we are in control of who does business with us.” But in the digital world, it’s the customers who have the control. In a blog post, which he published after his talk, he expanded on this idea, writing, “This inverts the answer to this question and the approach to finding that answer.”
2. Why will digital outperform the current business model? Don’t fall into thinking you can simply digitize the way you’re already doing business; that “does not constitute a digital business strategy,” writes McDonald. To avoid “the digital substitution trap,” start asking why. “It’s a motivation question,” McDonald said. “Yes, I can put it out there, but why are people going to use it and why are people going to abandon a different kind of activity?”
3. Where will the value be demanded and delivered? Related to the question above, digital businesses demand different thinking. And things as basic as a “value chain” simply don’t translate. That’s being replaced by customer networks and ecosystems, according to McDonald. One way to answer the question of where value will be delivered is to think “less about where you play and more about who you play with,” McDonald writes (emphasis added).
4. When will digital transformation happen? Only a soothsayer could pinpoint exactly when a market will transform or face digital disruption but, McDonald said, if you can learn to recognize the “forces that shape the market,” you’ll be able to see the storm before it strikes. Signals to consider: customer direction, product selection and pricing, and even product information intensity.
5. How will you win? To answer that, McDonald suggested businesses must first know this: How will the players assemble — both internally and externally? Both questions get at the same thing: survivability. As he pointed out in his blog, a strong digital business strategy needs a direction. One to consider: How to shift from using new technology to improve business as usual to using “new technology to bring new value proposition and operations to market.”
As the workweek winds down, catch up on all of the news, tips, guides and videos you might have missed this week on SearchCIO and SearchCompliance.
Is your CIO career in tip-top shape, or do you have a lot to learn about the CIO role? In our latest Essential Guide, we look at how to achieve a high-level career in information technology. Learn about the management techniques that work, the tools and technologies available to you and the real-life case studies of CIOs who have gotten ahead by, well, getting ahead of their peers.
We’re on the verge of St. Patrick’s Day, not Valentine’s Day, and yet, love is in the air. In her weekly Searchlight column, Senior News Writer Nicole Laskowski asks whether contextual computing is the love child of big data, mobility and the Internet of Things. It’s a love triangle only likely to grow as our digital and physical lives become more intertwined, so be sure you’re ready to pounce on the enterprise applications of ubiquitous computing.
Editorial Director Christina Torode rolled out a two-part podcast interview with Derek Lonsdale, an IT transformation leader, Lean expert and CIO advisor of global management and IT strategy with consulting firm PA Consulting. The topic at hand? Configuration and IT asset management, and why it’s important that the two processes be simpatico. In the first part, find out why these systems need to be integrated. In part two, listen to the case for merging asset and configuration management systems.
Our March issue of CIO Decisions e-zine tells a whale of a tale about rogue IT — those technology set-ups that lurk under the surface of your enterprise, enabling agility while also putting your information at risk. Are you prepared to take on — and make the most of — these rogue technology arrangements?
Our latest SearchCIO handbook asks the question, “What’s mobility got to do with it?” As the bring-your-own-device movement expands, it’s up to the CIO to enable a mobile workforce, one that thrives off the latest portable tools in order to achieve business results. This handbook provides advice on how to propel your mobile program forward.
This week’s CIO Searchlight kicks off with a witty look at the effects of the appification trend through the lens of some classic 1990s slacker movies. Read the full column for info on the Web’s 25th birthday, Edward Snowden at SXSW and more.
We shared two more video interviews from the Governance, Risk and Compliance Summit held last week in Boston, Mass. In the first one, Duke Alden, vice president of global information governance at risk-management firm Aon plc, spoke with Editor Ben Cole about how companies can build a converged approach to data governance and the risk management processes that go along with it. The second video, featuring Gretchen Herault, vice president of site standards and user safety and deputy chief privacy officer at Monster, examines the numerous security risks that exist around BYOD and explains how companies can protect corporate information. (And, if you missed last week’s video with keynote speaker Brian Barnier about proactive risk assessment, catch up here.)
Finally: It’s listicle time. SearchCompliance contributor Jeffrey Ritter weighs in on the four rules of mobile information management you don’t want to neglect. Designing your governance program is only the first step.
It’s conference season for the CIO/IT Strategy Media Group! With one group in San Francisco, another in Wisconsin and a third at a local show in Boston during the past two weeks, our brains (and recorders) are packed with CIO content to share.
Coming out of the Fusion 2014 CEO-CIO Symposium this week in Madison, Wis., Karen Goulart’s weekly Searchlight looks at what dooms a digital strategy — and apparently, if your business is diving right into digital, you’re doing it wrong. Also from Fusion: Nicole Laskowski shares tips about forming partnerships in the C-suite between CIOs, chief marketing officers and even chief financial officers.
On our blog, Goulart discusses gauging the benefits of cloud ERP and why it’s a more talked-about topic among small-business IT leaders than enterprise CIOs. And speaking of the cloud, in an Ask the Expert tip, Forrester Research Inc. analyst James Staten shares why bring your own encryption (BYOE) — a cloud computing security model that allows cloud services customers to use their own encryption software and manage their own encryption keys — is an important model for enterprises today.
In other SearchCIO news…
Take it from Ann Mei Chang, CIO at global aid agency Mercy Corps: IT could be wasting an immense amount of money and resources in deploying technology without a clear understanding of its value to the business and to end users, Linda Tucci reports from MIT’s Disrupting Life! event.
This week also brought us the latest issue of CIO Decisions e-zine, focusing on rogue IT. CIOs are often unaware of these technology deployments, but IT leaders bear responsibility for managing security and data on these devices, services and apps — and could grow their careers by squeezing additional agility and value out of them.
Over on SearchCompliance…
Coming out of the RSA Conference in San Francisco, Calif., last week, Christina Torode pulled together a quick read featuring four luminaries’ POVs on underestimated security threats. In this blog post, hear from Marcus Ranum, Howard Schmidt, Dave Cullinane and Eugene Spafford.
SearchCompliance also hit the 2014 Governance, Risk Management and Compliance Summit in Boston, Mass., Wednesday to learn about emerging trends in risk management from leaders in the field. Ben Cole caught up with Brian Barnier, principal analyst and advisor at ValueBridge Advisors LLC, after his morning keynote to ask more about his proactive approach to enterprise risk management in this on-camera interview.