TechTarget’s 2015 Annual Salary and Careers Survey results provided another reminder that while security is a high priority for CIOs and senior IT leaders, privacy is not. When asked to select their three top IT projects for 2016, almost one-third (27%) of the 248 CIOs, CTOs, CISOs, executive vice presidents and directors of IT polled by the survey selected security as their highest priority. Privacy, on the other hand, was dead last out of a list of more than 30 options, with just 1% of those surveyed selecting it.
Although security and privacy share a common goal, to keep sensitive or important information protected, they are often seen as distinct topics that live on the line dividing IT and the business. According to Jill Dyche, vice president of best practices at SAS Institute Inc., security is often equated with technology whereas privacy is equated with policy, such as how enterprise data is used.
Here’s how she put it: “Privacy is more in the purview of the business in terms of policy-making as opposed to security, which is more of a technology, a platform and, arguably, a software play,” she said. Dyche said the chief marketing officer and the chief digital officer are likely two business executives obsessing over privacy policies right now. “They’re getting that opt in/opt out information in their organizations, and they have to figure out what to do with it,” she said.
Gregory Turner also wasn’t surprised that privacy and security are thought of separately by CIOs and senior IT leaders. Turner serves as the COO and default head of IT at Millennium Collaborative Care, a nonprofit organization that’s trying to better connect Medicaid patients in western New York with health care providers. For an organization that works in the health care industry, security and privacy are often defined differently by local and federal guidelines, such as the Health Insurance Portability and Accountability Act, better known as HIPAA, which regulates how health care data is guarded and used.
As such, Turner distinguishes along similar lines between the two areas: “Security is preventing unauthorized access to systems and data,” he said. “As for privacy, even though you have access to applications and systems, you may not necessarily have access to personal information related to employees or patients.” Per HIPAA’s privacy rule, health care organizations are also required to create policies that “set limits and conditions on the uses and disclosures that may be made of such information without patient authorization.”
But, Turner said, while patient identities have to be carefully guarded, they also have to be clearly communicated from one health care provider to another to ensure high-quality care, which can require a sophisticated methodology. “The patient identifier is an important component to a solution,” he said. “But you almost have to have a mapping program that will allow another provider or a doctor’s office to say, ‘this patient under Millennium is this guy in this practice’ without sharing the identifier.”
Turner is, in essence, talking about data governance, which Dyche described as a topic that can make it easy to conflate security and privacy. “A lot of those conversations we were having five years ago about data governance are coming back in the form of data security,” she said. “If you deconstruct the security requirements, you get to platforms and access rights, you get to the data itself and the policies around that data.”
CIOs who’ve taken a more conservative stance on 3D printing may want to think again, according to Pete Basiliere, an analyst at Gartner Inc. “It’s imperative that the IT organization be prepared for use and the disruption that will occur when 3D printing is throughout your organization,” he said.
That can be hard to do when 3D printing myths abound, giving CIOs the false impression that they can put things off for now, Basiliere said. In that vein, he went on to dispel six 3D printing myths during his talk at the Gartner Symposium/ITxpo. They are as follows:
- 3D printing is too expensive. 3D printing can be expensive, but it doesn’t have to be. Like 2D printers, prices for 3D printers can range from a few hundred dollars (and can be purchased at Staples) to well over a million dollars.
- 3D printing is only good for cheap plastic parts. Simply not true, Basiliere said. 3D printers are now being used to manufacture key parts for hearing aids and dental restoration, which aren’t cheap and, in the case of a dental crown, aren’t plastic.
- It will bring manufacturing back. “A lot of folks seem to think that it will, but I disagree,” Basiliere said. “We will always have products that benefit from being mass produced.” 3D printing, though, will enable businesses to mass produce customer personalization. New Balance, for example, can design shoes specifically tuned to a runner’s gait. “They’ll build soles for shoes that have a unique spike placement for that athlete,” he said.
- 3D printers can print replacement organs. “No, we can’t,” Basiliere said. “And they probably won’t in my lifetime.” But a San Diego-based company called Organovo can bioprint tissue. The company is partnering with pharmaceutical and cosmetic companies like L’Oreal, which is using bioprinted skin tissue in the cosmetic development process.
- Terrorists will print undetectable guns. “No doubt they will try, but it’s like the equivalent of counterfeiting one dollar bills,” Basiliere said. “It’s not worth the risk.” At least as of right now, it’s easier to acquire weaponry in other ways.
- The market is in flux. Publicly traded companies, including the two biggest in the industry, “have had a heck of a ride over the last two years,” Basiliere said. Stock prices have increased dramatically only to dip lower than original starting prices. “But when I talked to major manufacturers of 3D printers around the world … every other manufacturer said their sales were strong and growing and that they hadn’t seen a decline in 2014 or the beginning of 2015.”
The years and days leading up to the anticipated Y2K computer glitch were frenzied for anyone in IT. Rafael Mena, who was a software development project manager at Florida’s Orange County government, had about 30 projects on his list at any given time. He recalls a conversation with a department head about one of them.
“‘What priority is this project?’” Mena asked him. “He says, ‘What do you mean? They’re all No. 1.’ I said, ‘OK they’re all No. 1. Can you tell me which one is No. 1a, which one is b and c?’ He didn’t like that, so he pretty much left the meeting.”
Mena, now CIO for Orange County and speaking at a career panel at the recent Gartner Symposium ITxpo, in county seat Orlando, Fla., was in home territory. But his message was for CIOs and aspiring CIOs everywhere. Conversations like the one he had 15-plus years ago don’t happen in his IT department.
“Communication to me is the most important aspect within my operation, my group,” Mena said. “My organization knows what priority No. 1 is, No. 2 is,” he said.
The panel discussion, hosted by professional network Hispanic IT Executive Council, brought together Mena and Daphne Jones, CIO for global services IT at GE Healthcare. The pair talked about the qualities, characteristics and skills CIOs need to lead IT in an era of unprecedented technological change and maintain a unified vision.
Jones said in her IT organization, alignment with a single set of goals is crucial. That’s enforced by town hall-style meetings and smaller team-based check-ins. It’s all part of the mission to be “simple, relentless creators of value.”
“So I drive simplification. How can we do it faster? How can we do it with less bureaucracy?” she said. Doing that requires a deep knowledge of the business goals — and determination. “The word no, the word impossible is just somebody’s opinion; it’s not a fact, so my goal is to think of the word impossible and just knock it out of the way and be relentless in the pursuit of value.”
For Mena, the goals of the county mayor are paramount, so he works to ensure his team is working toward them, meeting with senior managers once a week and every staff member every quarter. That ongoing line of communication is especially important for his government-sector IT team, which is responsible for supporting the IT and business systems for his central Florida district of 1.2 million. It’s an environment where anything can happen, so IT staffers need to be prepared for hurricanes, fires, floods — anything.
“Somebody dies in our jail for one reason, things change. We got to see what happened,” he said. His team would support the resulting investigation, doing research, processing information, analyzing data. “In our business you’ve got to be flexible to be able to deal with the constant change.”
One of the strengths of Mena’s team is its diversity, which gives rise to a broad range of ideas on how to crack problems, he said.
“I have people from all over the world: China, India, Russia, Brazil, Venezuela, Colombia, Italy, Argentina,” he said. “When we sit down and discuss how to solve problems, it’s very interesting to share different perspectives from people who lived and were raised in other parts of the world. So the solutions are richer; the perspectives are different.”
The need for speedy development and deployment of applications is a real one — which is why organizations shouldn’t pass on PaaS.
That was the gist of a talk on platform as a service by Mike Edwards, who works on cloud computing standards at IBM.
“That’s where PaaS fits,” Edwards said in a webinar Thursday. “It’s about supporting the economic pressure for the need to develop more and better software — because ultimately your business is implemented through software.”
The Cloud Standards Customer Council, an advocacy organization for cloud services customers, aired the webinar to present the paper “Practical Guide to Platform-as-a-Service,” which gives an overview of PaaS plus recommendations on deployment and operation. The paper was written by Edwards, John Meegan, program manager for IBM’s Open Cloud, and other CSCC members.
PaaS sits in a unique spot in the cloud computing horizon, Edwards said. Like infrastructure as a service (IaaS) and software as a service (SaaS), it eliminates the need for the customer to manage things like servers, storage and networking. But while IaaS offers full-on data center capabilities in the cloud, customers still have to deal with applications, data, runtime and operating systems. And SaaS applications, though appealing — the provider handles all the hardware and software on its end — don’t always meet an organization’s specific needs.
PaaS, though, may be just right: The provider sets up the servers and hardware and configures and operates them. The customer just has to put in application code and data, an easy-to-follow recipe for creating customer software, Edwards said.
“The whole idea here is to simplify the whole task of building custom applications and running them, making it much easier than it would have been on-premises or even with infrastructure as a service,” he said.
There are a number of PaaS products on the market — Microsoft Azure, IBM Bluemix and HP Helion, to name three high-profile examples — but all of them share certain characteristics. Most important is the support for custom applications that are native to the cloud. They also support a number of runtimes — important if you’re developing a number of applications. For example, there is the Java JDK runtime for Java applications and Node.js runtime for Node.js apps. The capability is sometimes called “polyglot.”
“Basically it means PaaS can support the most appropriate technology for your application,” Edwards said.
There are 12 shared characteristics in all, including coming equipped with mechanisms for deploying quickly — PaaS environments can take “minutes or seconds in some cases” — security and middleware capabilities and developer tools.
Organizations that are thinking about PaaS have a lot more to think about. They need to build a cross-functional team involving not just the IT department but also business units, which have all the end users. That way, IT will know what capabilities people need to have. They also need to carefully examine the cloud service agreement with the provider so that the PaaS does what’s needed. And they need to take costs and charges, software licensing, and compliance requirements into account.
And then there’s governance: having a communication channel open to the provider, having the right security controls in place and knowing the physical whereabouts of your data. Edwards brought up the recent scrapping by the European Union of the Safe Harbor pact, which allowed Europeans’ personal data to be hosted on U.S. servers. It’s now illegal.
“It’s all about knowing where your data is and that the appropriate data controls are put in place and for the processes that you’re handling,” Edwards said.
Senior IT leaders and analysts called the $67 billion Dell-EMC deal a good thing, for the most part. A combined and stable Dell-EMC should offer CIOs a great source of products for their company data centers, but what about cloud offerings? For some experts, that’s the big question.
Jonathan Reichental, CIO for the City of Palo Alto, and Glenn O’Donnell, vice president and research director at Forrester Research Inc., described the merger as a data center infrastructure play, a still-important global market. “There is still a sizable global market in data centers. Those systems have to be updated and modernized,” Reichental said.
O’Donnell echoed Reichental’s comment about continuing to meet those traditional hardware needs for the enterprise. “The extreme majority of companies are still going to require some in-house data technology,” he said. For those purchases, CIOs are going to want a trusted advisor who won’t gouge them on prices. The Dell/EMC combo could provide that balance, he said.
But how the Dell-EMC deal plays in hotter, less mature technology areas such as cloud services, which give the business added flexibility and agility, is still a little muddy, O’Donnell said. Speculation abounds, but Dell has not publicly stated its plans for the “EMC federation,” a collection of acquired companies that had “significant autonomy” under EMC, including Pivotal, RSA and, most notably, VMware, according to a report titled Quick Take: Dell Buys EMC, Creating a New Legacy Vendor.
“In particular, the combined firm has not committed to merging or otherwise rationalizing EMC Virtustream and VMware vCloud Air into a single service portfolio, which means there’s little impact on the public cloud market,” according to the report, which was written by several Forrester analysts, including O’Donnell. Virtustream (acquired by EMC in May) offers a suite of cloud management services while vCloud is a public cloud platform.
It’s not as though Dell-EMC is out of the cloud game. The merger will enable Dell to provide “converged solutions to power private clouds,” according to the Forrester report. In fact, Forrester recommends that CIOs of companies more than a decade old “keep Dell on your shortlist for converged infrastructure private cloud.”
But is it enough? The Forrester report (among others) goes on to say that those offerings won’t be able to match the prowess of “hyperscale public cloud leaders Amazon Web Services, Google, IBM and Microsoft,” who are all aiming for the enterprise.
Ram Krishnan has a big job in IT. He is the chief marketing officer (CMO) at Frito-Lay North America, a $14 billion division of PepsiCo. In addition to Fritos corn chips and Lay’s “Betcha can’t eat just one” potato chips, the company’s products include Doritos, Tostitos, Cheetos, Ruffles and my childhood favorite, Cracker Jack — in other words a pantheon of junk food whose brilliant branding would appear to have little to do with IT.
Not so, not any more, as Krishnan made abundantly clear in his keynote talk on the intersection of marketing and technology at last week’s FutureM conference in Boston. (The “M” stands for marketing.) At Frito-Lay, where the marketing team is replete with marketing technologists, data and technology are central to a brand’s success, Krishnan said.
Krishnan, named one of the “30 Most Creative People in Social Media Marketing” by Business Insider, is the driving force behind Frito-Lay’s “Do us a Flavor” promotion. The online campaign is waged largely on Facebook where millions of users have submitted, shared, voted on and Tweeted about new #DoUsAFlavor combinations for Lay’s potato chips. (The 2015 U.S. finalists are: Greektown Gyro, New York Reuben, Southern Biscuits & Gravy and West Coast Truffle Fries. The winner can opt for $1 million in prize money or a cut of the sales.)
Krishnan also oversees “Crash the Super Bowl,” an online competition now in its 10th year. Frito-Lay asks customers to create their own Doritos commercial for the big event, guaranteeing that at least one ad will be aired during the Super Bowl. (This was last year’s bro-centric winner.) Digital, interactive campaigns of all sorts connect Frito-Lay products with holidays, cult TV shows and social movements. At the FutureM conference, Krishnan let the audience in on how Frito-Lay is digitally deploying Chester Cheetah, the (slightly creepy) official mascot of Cheetos, to get a piece of Halloween.
The word that came to mind when I read the flavor descriptions from the 2015 #DoUsAFlavor campaign and watched the off-color winning Super Bowl ad was yuck, but people like me don’t matter. My adult children do. The campaigns are aimed mainly at the two youngest of today’s five generations of consumers — the technology pioneers or Millennials, born between 1981 and 1996, and the digital natives or Gen Z-ers, born between 1997 and 2015.
Millennials and Gen Z-ers are not the same, Krishnan explained, but they are united by technology. “Technology has been omnipresent throughout their lives and is a universal language for these two cohorts,” he said. Indeed, when marketing Lay’s potato chips, sold in 76 countries, “it is striking how alike these cohorts are across the globe.”
“We call these consumers omnicultural. Geography does not define who they are. The demographic around the globe has much the same taste in music, in style, video games,” he said.
Of the many attributes shared by the omnicultural cohort are three that are of particular interest to CMOs — and should also be of interest to CIOs. They are:
1. BYOS, or bring your own screen: The average American has access to four screens, according to Krishnan, and 87% use multiple screens at the same time. When Krishnan’s family gathers in front of the TV — a popular image in advertising since the dawn of television — he’s on his laptop, his wife is on her iPad, his daughter is on her phone and his son is playing a video game. Marketing campaigns today must not only have “sharability” but be designed to be consumed on multiple screens.
2. ROI, or return on image: Millennials and Gen Z-ers care about digital presence, in ways previous generations (with the exception of movie stars and public figures) do not. They curate their digital presence with more care than they curate their living spaces. According to Krishnan “52% of [Millennials and Gen Z-ers] said that when they get ready in the morning, one of the things they are thinking through is how what they are wearing will look on a social media post.”
3. Any reason to #celebrate: Both Millennials and Gen Z-ers have a “self-inflicted pressure to live interesting lives,” Krishnan said. One of the ways they track and promote interesting lives is on social media. “They use hashtags as a way to connect with peers, as a way to actually navigate this world and to make the days of the week more interesting,” he said.
CIOs, CMOs live in scary times
Finally, conventional marketing doesn’t engage this demographic. “These two cohorts don’t want to be marketed to but they are willing to have a conversation with the brands — and create content,” Krishnan said. In fact, traditional marketing is dead to them.
“This is one of the scariest times to be a marketer. The industry and landscape is changing. I would submit to you that no other function is changing as dramatically as marketing, outside of IT,” he said.
Look for our story next week on Frito-Lay’s use of six layers of data to personalize its marketing to the omnicultural generations.
As businesses go digital, many CIOs will need help, especially at companies struggling with data quality and data governance issues. “What we’re really telling you is that you’re getting a bunch of new responsibilities because of digital business,” said Logan, who has written extensively about the role of the CDO. “Flipping to digital leadership expands the role of the CIO.”
And it adds pressure to an already pressure-filled job, especially if CEOs are expecting to double revenue attributed to digital business in the next five years, as Gartner’s annual CEO survey suggests. A data officer, or a person responsible for building a strong data foundation, reducing risk and exploiting the value of data, can help CIOs push the data envelope for businesses that need to transition from historical to predictive analysis, from passive analysis to active experimentation, from analyzing structured data to analyzing text and multimedia, and from separating analytics to embedding analytics. “That’s going to require a lot of stuff, data quality being the first on the list,” Logan said.
Plus, if data governance is still a struggle, CDOs can help there, too, retooling practices from command and control to something a little more people centric, Logan said. “One of the first programs CDOs often launch or are put in the middle of is [master data management], which is a core information governance project,” she said.
She encouraged CIOs to not only embrace the CDO (or the chief analytics officer) as a colleague — but to help shape — and even champion — the role as well. “When the relationship is good, then things start to happen, and [CIOs and CDOs] have success,” Logan said. And when it isn’t, they often don’t. Plus, she said, if a data officer is inevitable, CIOs will be happier if they have a voice in how the position is developed than if they don’t.
That said, not all companies will develop a CDO role. Gartner predicts only 25% of businesses will have a CDO by 2017. Some companies won’t need one; others may need a CDO, but may not be ready for one. Logan advised that if the CDO position doesn’t have board level support, if the business is overly protective of its data and resistant to change and if data governance isn’t a priority, CIOs should avoid suggesting the company develop the position.
Still other companies may want the CIO to take on CDO responsibilities. If that’s the case, Logan said, the worst thing a CIO can do is assume the role without additional resources and personnel. “Because, guess what, it’s going to take people to do this,” she said.
ORLANDO, Fla. — At an event where predictions of tomorrow’s technology held center stage — algorithms operating cars, smart machines helping call center agents do their jobs better, “robo-bosses” evaluating our performance — it’s telling perhaps that the first speaker was Brian Krebs.
Krebs, the investigative reporter who broke the story of the 2013 Target security breach, told a crowd of CIOs and senior IT executives at this year’s mammoth Gartner Symposium ITxpo that many victims of cyberattacks had the information right there in their event logs — they just didn’t have the curiosity to check them.
“I guarantee you the fraudsters don’t suffer from this — they’re infinitely more curious by nature,” said Krebs, a former Washington Post reporter who now dogs cybercriminals on his website Krebs on Security. “And their curiosity really knows no bounds.”
You say you’re secure — are you sure?
The problem organizations have, Krebs said, is a “perception-reality gap.” They think they’re doing what they need to do to secure their systems and their networks — they have virus and firewall protection in place, they regularly install software patches and they secure email. But those conventional approaches are no match for those Krebs calls the bad guys, who have multiplied over the past few years and as a result are innovating at a rapid rate.
To cite two examples, operators of underground marketplaces for stolen identity card information are vying with the competition by giving customers discounts when they buy in bulk and even profiling them using analytics to offer the types of card numbers they prefer — MasterCard over Visa, say.
Organizations aren’t keeping up in their security practices, Krebs said, because they want the benefits of technology but are reluctant to put in the unglamorous work of continuously monitoring their networks and shoring up weaknesses. And they don’t want to spend more than they have to.
“Traditionally, organizations have spent an inordinate amount of their scarce security budgets trying to meet security compliance obligations that they may have,” he said. What they should be doing is looking for ways to attract and keep talented security folks.
For Shirish Patwardhan, co-founder and CTO of Indian software company KPIT Technologies, the issue hits close to home.
“All my company is compliance-based,” he said. And he knows that won’t stop breaches. “It’s very dangerous because this is going to go on and on.”
Patwardhan said the type of preventive approach Krebs prescribed isn’t promoted enough among organizations. People are people, he said, and if security breaches don’t happen to them, they don’t happen, period. “It’s just a human inclination,” he said.
‘Everyone gets hacked’
The clarion call for heightened vigilance echoed in other chambers at the conference. In a keynote speech describing a “post-app” economy of algorithms that do jobs once done only by humans, Gartner analyst Peter Sondergaard spoke ominously about threats facing all organizations today.
“Everyone gets hacked in the new world. It’s only a matter of time,” he said, adding that 71% of organizations have had to switch on disaster-recovery or business-continuity procedures over the past two years. “Minor problems are constants and major incidents are inevitable. Be ready.”
It was a sentiment not lost on Robert Juckiewicz, vice president for IT at Hofstra University.
“We worry about it every day,” he said. Security has become one of his organization’s highest priorities, but there’s an added layer of complexity and difficulty at educational institutions.
“The purpose of education is to create and disseminate information. That goes counter to security,” he said.
While at the conference, he talked to a peer in an accounting firm who said the practice there is to block everything. “At a university, you can’t do that. You should be able to look at anything.”
Security breaches occur so often now that it’s a rare week when one doesn’t make the headlines. Companies that hope to have a chance against these constantly evolving threats need to be hiring a new type of security professional, said a panel of security experts and practitioners at the recent MassTLC Security Conference in Boston.
For instance, at online marketplace Care.com, which collects sensitive customer information, the security officer role requires security and business expertise, said panel member Dave Krupinski, the company’s co-founder and CTO. The head of security has a deep understanding of technology and security practices and a deep knowledge of the business’ digital and physical assets.
“[The security officer] is aware of our asset landscape, where all these assets are, and also aware of the threat landscape, where threats may be coming in,” said Krupinski.
Gerry Beuchelt, CSO at Demandware, a software technology company, agreed that companies need to hire security experts who have a deep technical understanding of the type of assets they are charged with protecting. “Do you want them to go down the application security path? [Then, they] need to know how to code,” he said.
Companies that are looking for candidates with both broad and deep functional expertise, however, are going to have to be more “creative” in their hiring processes, according to panelist Josh Feinblum, vice president of information security at cybersecurity firm Rapid7.
“I’d say focus less on the ‘I’ve had four years of experience being a security engineer,’ and more on the ‘I’ve scripted things; I’ve automated things,’” he said, adding that he is probably the exception when it comes to security certifications: “If I see a CISSP on a resume, I almost disqualify the person.”
Care.com’s Krupinski agreed that someone who has had hands-on experience in the technology, particularly DevOps, a discipline which tends to be “more proactive about security,” is a more attractive candidate.
“You do want people who are very, very hands-on, familiar with the technology stack you’re working in, and also familiar with automation and [developing] tools and technologies that can simulate threats and that are running on a continuous basis against your systems,” he said.
The fear of being out-competed by a born-digital upstart is so strong in today’s business climate, it requires a new verb. Businesses will do anything to keep from getting “Ubered” — that is, falling victim to the kind of harm inflicted on the taxi industry by the popular ride-sharing app.
“There is a great fear in companies right now — ‘Who’s the Uber in our space?’” Judith Hurwitz, president of consulting company Hurwitz & Associates and writer of numerous books on IT, told me at the recent Hybrid Cloud Summit in Cambridge, Mass. “It’s the threat that you don’t know is even there that has people worried.”
CIOs who don’t want their organizations blindsided need to help the business be flexible and move swiftly to changes in demand — and unexpected competition. Hybrid cloud computing can help them get there, Hurwitz said. In fact, the mix of public and private cloud deployments not only offers the right blend of cost-savings, instant scalability and security to meet the rising needs of the business, it is the future of computing itself.
Are CIOs ready for such a future?
“It depends on the CIO,” she said. “The most successful CIOs that I have worked with, talked to, they are the ones that they are very fluent in the business, they understand it well, they have a seat at the table. They are able to be the person that isn’t just folding their hands and saying no, but they’re saying, ‘Let’s do this, but let’s do it this way.’”
Hurwitz explained that while CIOs need to ensure that their organizations’ systems and data are protected, they are equally at risk if they don’t talk to the business, know what the business goals are and make the right executive decisions about how to achieve them with IT.
“What decisions are you making? Are you holding on to those decisions for too long?” she said. “Are you afraid to change? Because there’s definitely a lot of fear of change in IT.”
On the flip side, CIOs who speak the business language but don’t closely follow the technology will also find themselves in hot water.
“If they spend all of their time acting as the CEO,” Hurwitz said, “are they really in a place where they can help make the strategic decisions? Or do they then rely on the technologists who are deep into some cool new stuff, but where’s the sense of perspective? So you have to balance those out.”