Another week, another security flaw, and it’s a bad one this time. The Bash shell bug, as it’s being called, has been living in your enterprise’s Linux software for more than 20 years and can be found in every version of Linux up to 4.3. Affecting Linux and Mac OS X, the bug is also very versatile and can be exploited to take over any system.
The bug is so bad it was given a rating of 10 by US-CERTS National Vulnerability Database. (You really can’t get any higher than that, folks.)
So (sigh), as SearchCIO’s Fran Sales points out, it’s time to test and patch away. There are various Linux variants available that provide patches; Apple has yet to speak out and address the problem.
If you’re uncertain whether a particular system is vulnerable, Sales’ news roundup provides an easy command to detect whether the Bash shell bug is present.
In other news this week, a hacker stole customer data from Jimmy John’s restaurant, Apple has sold over 10 million iPhone 6 devices last weekend, UPS will be rolling out 3-D printing services at nearly 100 locations nationwide, and more in this week’s Searchlight.
Malcolm Gladwell knows a thing or two to say about disruption and transformation: “It is about habits of mind and attitudes and perspectives,” he says. At the Inbound 2014 conference in Boston, the bestselling author offered three tips on how to cultivate a disruptor attitude, as Senior News Writer Nicole Laskowski outlines in Data Mill.
Many IT experts consider the role of the chief data officer (CDO), which often includes overseeing traditional IT functions, as impinging on the role of the CIO. But according to three CDOs at the recent IBM CDO Summit, their CIOs’ endorsements helped their role soar.
And it’s not just CDOs, CIOs and IT departments that are deeply involved in the data and analytics conversation — marketers are riveted too, as Laskowski discovered at the recent FutureM conference on the future of marketing. In her TotalCIO blog post, read about how to become a data-centric organization, which means getting the lines of business — including marketing — on board.
Also on SearchCIO…
Believe it or not, a security bug discovered this week is a bigger threat to enterprises than Heartbleed. A U.K.-based Unix expert discovered a vulnerability in the Bourne Again Shell (Bash) software, the most widely used command processor that’s found in Linux and Mac OS X operating systems. It will take a while for large organizations to patch affected systems, but experts are unanimous that they should test and update as many as they can.
CIOs often get tasked by higher-ups to complete a wide range of IT projects, but in SearchCIO columnist and CTO Niel Nickolaisen’s experience, disaster recovery (DR) shouldn’t be one of them — or at least, more than the IT team should be involved. In his tip, he gives advice on how to get every major department to take part in DR planning.
Just like Nickolaisen, fellow SearchCIO expert and former CIO Harvey Koeppel is no stranger to planning for disaster recovery and business continuity; he’s got the accolades to prove it. However, no amount of planning could have prepared him for a disaster that struck when he was CIO of a global financial services institution — one that threatened not just the bank’s branches, but people’s lives.
Are you looking to rev up your small business’ mobile strategy? Here’s a hint: Don’t just focus your customers’ smartphones or mobile apps, explained Tom Webster, marketing strategist at Edison Research, at the FutureM 2014 conference in Boston. In Executive Editor Linda Tucci’s SearchCIO tip, review examples of six mobile strategies that focus not on devices, but on facilitating real life instead.
Bring your own device (BYOD) is now the status quo in workplaces, or at least close to it; employees are mixing work and play on personal and corporate-provided devices and consider this consumerization the norm. Lest your enterprise careen toward mobile chaos, flip through SearchCIO’s latest handbook on mobile governance structures and policies to navigate the bring your own anything (BYOx) landscape.
And on SearchCompliance…
Organizations with growing stockpiles of dark data, or data that’s left unused and unanalyzed, might be tempted to dispose of them to avoid the associated expenses and regulatory complications. However, as ARMA International President Fred A. Pulzello outlines, dark data can actually be useful if managed properly.
It isn’t news that marketers are interested in analytics and big data. (Who hasn’t pointed to the Gartner prediction that by 2017, the CMO will spend more on IT than the CIO?) What’s surprising is that a data conversation at a marketing conference is starting to sound an awful lot like a data conversation at an IT conference — at least on the surface.
At last week’s FutureM, an event organized by MITX about the future of marketing, an entire track was devoted to data. Raja Rajamannar, CMO at MasterCard, walked attendees through marketing’s evolution — from reason to emotion to today’s current phase that he’s dubbed marketing 4.0, an iteration that depends not only on data and analytics, but also on how data connects consumers together.
And that wasn’t the only mention of IT infrastructure. The senior director of analytics at Wayfair, an online retailer based in Boston, stressed the importance of building a flexible infrastructure to keep an enterprise’s data options open. “Even if you change directions on infrastructure, you can’t analyze data you don’t have,” David Drollette said.
And Amit Phansalkar, chief data officer at MassMutual Financial Group in Springfield, Massachusetts, said one of his challenges is building a data-centric organization — and by organization, he was referring to the lines of business, not just the IT function data. Marketing, product development, sales all have to become data-centric.
Is it time to launch an in-company IT University?
One of the most surprisingly well attended data track sessions was called Turning Data into Insights. The crash course was given by Christopher Penn of SHIFT Communications, a public relations agency based in Brighton, Massachusetts.
Penn laid out an analytics framework he called marketing DAIS, which stands for data, analysis, insight and strategy. Data and analysis answers the questions of what happened; insight “goes beyond analysis” to answer why something happened; finally, strategy poses the question of what to do next. So far, so familiar, right? (Full disclosure: The entire process of leveraging data is composed of seven steps. Penn said to think of the four that make up DAIS like preparing a menu; the three additional steps — tactics, execution, measurement — are more like preparing the actual meal.)
A good chunk of Penn’s presentation focused on data analysis tools. He assumes, of course, the data is “good,” which means that it’s been carefully selected and is relevant to the question you’re trying to answer, it’s clean and it’s in the proper format. (How do you get good data? Penn breezed through that part, boiling it down to making good choices and buying tools.) Here are the three tools Penn recommended for data analysis:
- Visualization tools. Simple tools organize the data into rows and columns. As data becomes more complex, parsing rows and columns can be difficult. That’s where data visualizations come in. “Visualization is nothing but taking data and painting pictures with it,” he said. He recommended starting simple, with a spreadsheet, before jumping into expensive tools like Tableau.
- Derivatives. Visualizations are great but don’t always tell the full story. With derivatives “We want to see percent change,” he said. He provided marketers with this equation: new minus old divided by old. “When you do that, it takes really, really big numbers that are almost mind blowing and turns them into a much easier number to crunch,” he said. He also talked about second order derivatives to determine how fast change is happening.
- Moving averages. To dig a little deeper, Penn suggested calculating the average from a certain time period. “If you want to kick it up a notch,” he suggested a little trick he stole from the stock market: Compare a seven-day average to a 30 day average to find out what’s trending well and what isn’t.
The audience was riveted.
Message to CIOs
If marketers are willing to sit through a session on turning data into insights at a conference, it might be time to think about offering training sessions by your own IT staffs.
Apple has chosen a side when it comes to consumer privacy.
With the new iOS 8 now encrypting data stored on iPhones, Apple has signaled it’s on the side of consumer privacy. The decision makes sense for Apple, as it moves from being a device company to big time collector of consumer data with its Apple Pay and HealthKit products.
As these and other wearable products take hold in the consumer market, they will make their way into the enterprise and up the ante on the CIO’s challenge: protecting corporate assets and protecting employee privacy.
Given the recent celebrity selfie leak, I’m not sure how much work Apple has in store before it can bank on consumer trust. But CIOs, it seems, are facing an uphill battle. As Associate Site Editor Fran Sales reports in her Searchlight column this week, the results of a survey by MobileIron, a mobile solutions provider, show that there is a trust gap between the employer and employees; and it is by no means small.
Some advice? Ojas Rege, vice president of strategy at MobileIron, suggests revising privacy policies and communication, and to simply assume that every mobile device, whether corporate-liable or employee-owned, is used for both personal and corporate reasons.
In other news this week, Home Depot’s lack of security oversight may have facilitated the hack that happened earlier this month, IBM is launching a cognitive tool using Watson supercomputer, Jolt is looking to launch a clip-on wearable fitness monitoring tool and more in this week’s Searchlight
When it comes to figuring out the value of using the cloud, Forrester Research analyst James Staten advises doing the analyses around the business problem you are trying to address — not around the cloud service you are thinking of using. Makes sense. At SearchCIO we often hear from IT and business readers that the value of technology can’t be toted up in a vacuum but in the context of the business — its market, its customers, its competitors. But how easy is it for CIOs to do that? Not easy at all, according to Staten. That’s true even for what might seem like simple scenarios.
Consider the cost analysis for going with a SaaS application for mobile devices versus developing the app in-house, Staten said. “SaaS applications typically support the latest mobile devices within three weeks of the mobile device coming out.”
The CIO could start by determining how fast the IT organization could deliver the same applications. Let’s say it would take the IT department nine months to develop the apps.
If the business has a good understanding of its financial model, then it would be relatively straightforward to figure out how much money the business would make by being ready for a mobile device in three weeks versus being ready in nine months. But what if the internal IT department wants to be a contender for that app business by changing its delivery mode?
“If you have to do the analysis of ‘Ok well let’s say that we can speed up our internal process by moving to agile [software] development’, now we’re probably talking about an incredibly tough financial analysis,” Staten said, referring to the methodology of developing software in iterative, good-enough chunks.
Staten explains that this analysis requires an IT organization to know what the move to agile development would entail in process and people costs. I imagine the CIO would also want to calculate the long-term benefit of moving to this methodology, in addition to the immediate costs.
But there’s another problem. Turns out, it is not so straightforward to calculate the value of being early to market. “A lot of the costs here are soft, meaning they don’t have bottom line financials behind them. Few companies know how much it costs them to be slow to market,” Staten said.
Indeed, Staten said that cloud analyses of this ilk are often one-offs. In other words, the analyses are customized to the particular application or use-case for an enterprise.
“If you have an application that is highly elastic like a webpage that’s going to change all the time, that’s a very different analysis from ‘We moved our ERP system to the cloud.’ You would get a very different outcome,” Staten said.
And guess what? “[The] people that tend to be the best at this work are the global system integrators and global consultancies,” such as McKessan, McKinsey and IBM Global Services, Staten said. So much for saving money.
Let us know what you think about the story; email Kristen Lee, features writer, or find her on Twitter @Kristen_Lee_34.
You might think the big news this week is Apple’s unveiling of the iPhone 6 and Apple Watch. And you’d be right. Almost.
For CIOs, the news is not about the devices, per se, but what these (by most reports) wonderful new gadgets portend for enterprise IT. As SearchCIO Associate Site Editor Fran Sales reports this week, experts believe the devices will force CIOs to upgrade their mobile strategies.
Take the Apple Watch. JP Gownder, a Forrester analyst who focuses on wearable technology, thinks the device’s health and fitness tracking features paired with its retailers and healthcare providers makes it “a value proposition that’s different from simply pulling a phone out of one’s pocket.”
But here’s the really interesting point. Gownder thinks the market for wearable devices in the enterprise might eventually overshadow the consumer market. Astounding, if true.
The iPhone 6 will make its own waves within the enterprise world. CIOs will have to think about apps for iPhones with larger screens; they will also have to contend with the fact that Apple’s expanded ecosystem of partners brings a more seamless experience to users.
As Sales put it, Apple is reducing the friction between between technology and humans — again.
In other news this week, AT&T has a new CIO; experts say Home Depot’s payment card breach may have exceeded Target’s breach; 5 million Gmail addresses and passwords have been leaked, and more in this week’s Searchlight.
As director of information security at Western Union, in charge of emerging technology and cloud security, David Levin has a deep appreciation of the risks attendant to cloud applications. He also recognizes that workers are under tremendous pressure to deliver results, and if a cloud application helps get the job done, they don’t hesitate to deploy it. The security organization at Western Union, headed by CISO Mike Kalac, didn’t want to play the heavy when it came to the cloud computing habits of the company’s 9,000-plus employees. “We understand that people want to get access to certain information to do their jobs,” Levin said. The challenge was how to help business users take advantage of the cloud without putting the wire transfer giant at undue risk.
First steps: cloud discovery
To get the word out to departments that Infosec was prepared to help the business leverage cloud services, the security team created the WISE program — Western Union Information Security Enablement. “The program is geared toward implementing solutions that make people’s lives better and more productive,” Levin said — in a wise, not reckless, manner. That required ferreting out the cloud applications that could potentially put Western Union at risk. “Part of the WISE program was to identify what cloud applications people were using and how they were sharing Western Union data.”
To that end, he turned to Skyhigh Networks, one of a new crop of cloud-based security and analytics startups. These tools help companies discover and monitor internal usage of cloud services (sanctioned and unsanctioned), assess the risks posed by the cloud services, and enforce policies that mitigate the risks. Rather than simply blocking usage, however, corporate enforcers — in this case, the security team working closely with Western Union IT — use the security tool to assess safer, (and here’s the hard part) equally effective alternatives for users.
Use case: MFT
Levin declined to specify how many rogue cloud applications the Skyhigh tool discovered, except to say that it was in line with the vendor’s widely publicized number (700 to 800 on average for enterprises). The first rogue cloud service Levin’s team tackled was managed file transfer– or rather, unmanaged file transfer. The number of vendors out there providing this service was “shocking,” he said. As the Skyhigh tool showed, many of those software as a service vendors operate with no terms and conditions and have data centers in countries that pose a security risk. Levin leaned on IT to help find and test an application that was as painless to use as, for example, a Dropbox, and that integrated well with other enterprise applications; security ultimately chose Accellion as its file-sharing platform and identity and access management vendor Okta for a single sign-on solution that gave users access to all corporate-sanctioned cloud applications.
“We didn’t make it challenging for them; we gave them solutions we really thought were next-generation and they took to that,” Levin said. “In a few months, we had several thousand users using it.”
IT roadmap: room for improvement
The Accellion platform, combined with the Okta interface, had another positive effect, besides more secure file transfer. “People don’t have to call the help desk and ask, ‘How do I send a file that is bigger than such-and-such?’” Levin said, referring to those employees who were not sidestepping IT.
Skyhigh’s ability to identify risky rogue cloud applications has also given security and IT a roadmap for improvement.
“We have learned how most of the organization is using infrastructure as a service, where they are leveraging some of the collaboration suites and project management [platforms]. These are all areas where, if we could do a better job of supplying them with next-generation technologies, they wouldn’t have to go out and find something else,” Levin said.
In addition to using the analytics tool to ferret out and assess shadow IT, the security team is using the tool to help vet its current vendor contracts, Levin said, including whether certifications are up to date and service levels are being met. “Some of that data feeds into our risk management program, which is world class, and then we don’t have to send them a 20-page questionnaire because we already have the information.”
Next-gen security tools
The data analysis delivered by the tools also helps with building a case for next-generation security tools, Levin said. Western Union suffered a breach in 2007 and again in 2013 when its website was down for maintenance. After each incident security gained “visibility at the board level,” Levin said, and his team has a seat at the table when the lines of business make important decisions that involve information technology. “We try to embed ourselves from the beginning whenever possible, so that when decisions are made, we are guiding the along.”
That said, the security threat keeps growing, fueled in part by the employees’ need to use whatever technology they can to get the job done faster. Plus today’s malware is “very effective, and it is evading a lot of older technologies,” he said.
“Five years ago, it was all about prevention,” he said, “Now the new security tools are moving more toward better reactive systems, because there is no silver bullet; you just have to be well prepared.”
Do you know why Germany won the 2014 World Cup?
According to Qazar Hassonjee, VP of Innovation at Adidas Wearable Sports, the victory is due in part to Adidas’ miCoach Elite Team System.
The miCoach Elite Team System is an ecosystem of various technologies that includes a smart shirt with sensors, a heart rate monitor, GPS, speed cell, a smart ball and more. These devices collect and analyze data about players and the team, allowing coaches to see where their players are on the field, who may be tired and need a rest, who could push it harder, and how training is affecting their players’ bodies.
In order to win, Hassonjee said, it’s not about training harder or longer or faster or stronger anymore. It’s about understanding players’ strengths and weaknesses and tailoring game day strategy to those data points.
But, as Hassonjee said during his presentation at this summer’s Gartner’s Catalyst Conference, before any of that could happen, he and his team at Adidas Wearables first needed to understand the needs of soccer coaches and their players. And the needs were seemingly endless, from obvious conundrums such as how to gauge fatigue to more arcane questions.
“Some of it was like ‘I want to increase the length of athletes’ career’ right? Or ‘I want to bring a rookie in and bring them up to speed much faster,’ right? Or ‘I want to prevent injury’,” Hassonjee said. “So there are a lot of different applications.”
Right. But ultimately everyone wanted to win more games. So the next step for Hassonjee’s team was to probe, “What does winning a game mean?” he said.
In order to figure out the answer to that question, Hassonjee said the back and forth with coaches and teams was essential.
“There was this iterative process in understanding what they really want,” he said. Hassonjee and his team would create a prototype, bring it to the teams to use, receive feedback, and then tweak the product.
One concern many players and coaches had was that the miCoach system would just dump more data on them, causing them to spend precious time figuring out what the data was saying instead of training their teams.
“In each and every case, nobody wanted to make their life more complicated,” Hassonjee said. It was up to Hassonjee and his team to create a system that devised a way to break down the data so that the coaches would be able to understand it right away. “You’re delivering the insight, not the data. Nobody wants more data.”
How exactly the Adidas Wearbles team uncovered those insights is another story.
So how did Germany win the World Cup?
“It’s not about how hard you train, it’s about how smart you train. How do you do that? You do that by bringing a whole suite of systems together where you’ve got things that capture data,” Hassonjee said. “You have the analysis of the data, you’ve got the insights of the data.” Right.
Let us know what you think about the story; email Kristen Lee, features writer, or find her on Twitter @Kristen_Lee_34.
What is there for CIOs to learn from the hack of the celebrity nude selfies and the global exposure of these private naked images? I wish I knew. In this week’s Searchlight news roundup, Associate Site Editor Francesca Sales interviews one business expert who advises CIOs and their companies to strike while public outrage is high (if not universal). They should use this media moment to shake up a cloud culture that puts expediency before data security.
That means putting pressure on Apple and other cloud companies to do a better job of protecting customer data. “It will take companies, especially the bigger ones that have large purchasing power, to say, ‘If you don’t get this fixed, we will not use your products and services,’” Kevin Paul Scott told Sales. Who knows? The ugly publicity around this ugly event might actually put some teeth into the threat of a boycott.
The celebrity nude selfie hack also offers CIOs a not-to-be-squandered opportunity to sell employees on the value of information security, Scott said. “When you’re casting vision internally,” he advises, “you have to connect things that you’re asking employees to do with something bigger.” (What could be bigger than, oh never mind.) The incident is without question an object lesson in the value of making up better passwords. And, now it’s not just the old CI-”No” saying so but the likes of Jennifer Lawrence wishing so. Data privacy takes vigilance in the digital age. Between the data we generate and the eyes this data is intended for is the world wide web. That goes for both intimate photos and sensitive corporate data.
So there you have two teachable moments to come out of this online exploitation. Heck, I’d suggest there’s even a third corporate campaign worth waging. If the multi-million dollar business of stealing, trading and selling intimate celebrity digital images tells us nothing else, it’s that certain kinds of digital information are extremely valuable — e.g. images of the beautiful bodies of famous females. It is the responsibility of CIOs and the other chiefs in charge — and their boards of directors — to make it explicit to their employees which types of corporate information are extremely valuable (or embarrassing if leaked), as well as to take the time to spell out the precautions required to protect that information. (Read our stories on the fledgling field of Infonomics — the economics of information — here and here for more on valuing information.)
To be honest, however, I suspect the significance of this high profile breach for CIOs and for their businesses may turn out to be less about “cloud culture” than it is about culture, period. In particular, the incident indicates the complex relationship a younger demographic, my adult children included, has with technology — a nuanced relationship that most of us non-digital natives can’t begin to understand.
The actors involved in this high-profile breach point up just how confusing and mysterious this relationship is. They understand of course that their physical embodiment is a big part of their worth — a commodity to be showcased in performances, exhibited on Red Carpets, used in ads to push products. Professionals who make a living by how they look know that the minute people stop looking at them their careers are over. But why spend your off time capturing even more images of yourself?
Perhaps for them, the physical and digital commodity exhibited in public — sometimes completely naked — is a public self that is less about them as a person than the private self exposed in the virtual images they choose to capture by their phones. And if so, is that true for all the people in this age demographic who take intimate virtual selfies and also store intimate details of their views and life histories in the cloud?
As I said, I wish I knew how to parse this new technology-driven public/private divide. And I’m betting the oldsters running companies these days wish they knew too.
Have you joined the wearables race yet? If you’re a CIO and you haven’t yet, you might want to get on it. Apple, Nike, Ralph Lauren, Under Armour, LG, and Samsung certainly have.
CIOs should be jumping on board too. And Gartner’s prediction that wearable devices will be a $10 billion dollar market by 2016 only backs that point up, Associate Site Editor Fran Sales reports.
Scot Koegler, an independent tech writer, said in a blog post: “There are initiatives that companies need to consider as they prepare for the wearable onslaught — whether that means proactively planning for their integration in organizational practices or actively restricting their use (at least for the time being).”
But, don’t go it alone, Sales said. She adds that the business needs you and you need the business when it comes to figuring out this next wave of mobile technology in the workplace. So be ever-present at the IoT table.
In other news, there’s been another high profile hack. Didn’t I tell you hackers are persistent? This time, it’s JP Morgan and other US banks who have taken the hit and many suspect the Russians. The FBI is on the case. Also, Jawbone’s UP fitness trackers picked up on the recent 6.0 magnitude quake that hit Napa and showed how the quake affected UP users’ sleep patterns; plus, Dropbox and other online storage sites are scrambling to change their business models as rivals like Google and Amazon drive their costs down and ever closer to zero. That, and more in this week’s Searchlight.