ORLANDO, Fla. — At an event where predictions of tomorrow’s technology held center stage — algorithms operating cars, smart machines helping call center agents do their jobs better, “robo-bosses” evaluating our performance — it’s telling perhaps that the first speaker was Brian Krebs.
Krebs, the investigative reporter who broke the story of the 2013 Target security breach, told a crowd of CIOs and senior IT executives at this year’s mammoth Gartner Symposium ITxpo that many victims of cyberattacks had the information right there in their event logs — they just didn’t have the curiosity to check them.
“I guarantee you the fraudsters don’t suffer from this — they’re infinitely more curious by nature,” said Krebs, a former Washington Post reporter who now dogs cybercriminals on his website Krebs on Security. “And their curiosity really knows no bounds.”
You say you’re secure — are you sure?
The problem organizations have, Krebs said, is a “perception-reality gap.” They think they’re doing what they need to do to secure their systems and their networks — they have virus and firewall protection in place, they regularly install software patches and they secure email. But those conventional approaches are no match for those Krebs calls the bad guys, who have multiplied over the past few years and as a result are innovating at a rapid rate.
To cite two examples, operators of underground marketplaces for stolen identity card information are vying with the competition by giving customers discounts when they buy in bulk and even profiling them using analytics to offer the types of card numbers they prefer — MasterCard over Visa, say.
Organizations aren’t keeping up in their security practices, Krebs said, because they want the benefits of technology but are reluctant to put in the unglamorous work of continuously monitoring their networks and shoring up weaknesses. And they don’t want to spend more than they have to.
“Traditionally, organizations have spent an inordinate amount of their scarce security budgets trying to meet security compliance obligations that they may have,” he said. What they should be doing is looking for ways to attract and keep talented security folks.
For Shirish Patwardhan, co-founder and CTO of Indian software company KPIT Technologies, the issue hits close to home.
“All my company is compliance-based,” he said. And he knows that won’t stop breaches. “It’s very dangerous because this is going to go on and on.”
Patwardhan said the type of preventive approach Krebs prescribed isn’t promoted enough among organizations. People are people, he said, and if security breaches don’t happen to them, they don’t happen, period. “It’s just a human inclination,” he said.
‘Everyone gets hacked’
The clarion call for heightened vigilance echoed in other chambers at the conference. In a keynote speech describing a “post-app” economy of algorithms that do jobs once done only by humans, Gartner analyst Peter Sondergaard spoke ominously about threats facing all organizations today.
“Everyone gets hacked in the new world. It’s only a matter of time,” he said, adding that 71% of organizations have had to switch on disaster-recovery or business-continuity procedures over the past two years. “Minor problems are constants and major incidents are inevitable. Be ready.”
It was a sentiment not lost on Robert Juckiewicz, vice president for IT at Hofstra University.
“We worry about it every day,” he said. Security has become one of his organization’s highest priorities, but there’s an added layer of complexity and difficulty at educational institutions.
“The purpose of education is to create and disseminate information. That goes counter to security,” he said.
While at the conference, he talked to a peer in an accounting firm who said the practice there is to block everything. “At a university, you can’t do that. You should be able to look at anything.”
Security breaches occur so often now that it’s a rare week when one doesn’t make the headlines. Companies that hope to have a chance against these constantly evolving threats need to be hiring a new type of security professional, said a panel of security experts and practitioners at the recent MassTLC Security Conference in Boston.
For instance, at online marketplace Care.com, which collects sensitive customer information, the security officer role requires security and business expertise, said panel member Dave Krupinski, the company’s co-founder and CTO. The head of security has a deep understanding of technology and security practices and a deep knowledge of the business’ digital and physical assets.
“[The security officer] is aware of our asset landscape, where all these assets are, and also aware of the threat landscape, where threats may be coming in,” said Krupinski.
Gerry Beuchelt, CSO at Demandware, a software technology company, agreed that companies need to hire security experts who have a deep technical understanding of the type of assets they are charged with protecting. “Do you want them to go down the application security path? [Then, they] need to know how to code,” he said.
Companies that are looking for candidates with both broad and deep functional expertise, however, are going to have to be more “creative” in their hiring processes, according to panelist Josh Feinblum, vice president of information security at cybersecurity firm Rapid7.
“I’d say focus less on the ‘I’ve had four years of experience being a security engineer,’ and more on the ‘I’ve scripted things; I’ve automated things,’” he said, adding that he is probably the exception when it comes to security certifications: “If I see a CISSP on a resume, I almost disqualify the person.”
Care.com’s Krupinski agreed that someone who has had hands-on experience in the technology, particularly DevOps, a discipline which tends to be “more proactive about security,” is a more attractive candidate.
“You do want people who are very, very hands-on, familiar with the technology stack you’re working in, and also familiar with automation and [developing] tools and technologies that can simulate threats and that are running on a continuous basis against your systems,” he said.
The fear of being out-competed by a born-digital upstart is so strong in today’s business climate, it requires a new verb. Businesses will do anything to keep from getting “Ubered” — that is, falling victim to the kind of harm inflicted on the taxi industry by the popular ride-sharing app.
“There is a great fear in companies right now — ‘Who’s the Uber in our space?’” Judith Hurwitz, president of consulting company Hurwitz & Associates and writer of numerous books on IT, told me at the recent Hybrid Cloud Summit in Cambridge, Mass. “It’s the threat that you don’t know is even there that has people worried.”
CIOs who don’t want their organizations blindsided need to help the business be flexible and move swiftly to changes in demand — and unexpected competition. Hybrid cloud computing can help them get there, Hurwitz said. In fact, the mix of public and private cloud deployments not only offers the right blend of cost-savings, instant scalability and security to meet the rising needs of the business, it is the future of computing itself.
Are CIOs ready for such a future?
“It depends on the CIO,” she said. “The most successful CIOs that I have worked with, talked to, they are the ones that they are very fluent in the business, they understand it well, they have a seat at the table. They are able to be the person that isn’t just folding their hands and saying no, but they’re saying, ‘Let’s do this, but let’s do it this way.’”
Hurwitz explained that while CIOs need to ensure that their organizations’ systems and data are protected, they are equally at risk if they don’t talk to the business, know what the business goals are and make the right executive decisions about how to achieve them with IT.
“What decisions are you making? Are you holding on to those decisions for too long?” she said. “Are you afraid to change? Because there’s definitely a lot of fear of change in IT.”
On the flip side, CIOs who speak the business language but don’t closely follow the technology will also find themselves in hot water.
“If they spend all of their time acting as the CEO,” Hurwitz said, “are they really in a place where they can help make the strategic decisions? Or do they then rely on the technologists who are deep into some cool new stuff, but where’s the sense of perspective? So you have to balance those out.”
Emily Mossburg, a principal at Deloitte & Touche LLP, provided information security leaders with some useful insight yesterday into why their jobs are so freaking hard. The occasion was the MassTLC event on “The Business of Security” in Boston. Mossburg, who specializes in cyber resilience, was a keynote speaker.
“We’ve been focusing on innovation for the last 100 years. We’ve been building up technologies to enable our organizations to do things faster, to do things more efficiently, to enable our organizations to grow in new ways, including new interfaces with third parties, including new platforms that allow us to interact with clients in new ways — all focused on growth and sharing of data,” Mossburg said.
The aim of all these data-sharing innovations was to give companies better information. “And more data is always better,” Mossburg said. But data protection was not part of the innovation equation. IT environments were built to be hacked.
“There was no thought about what are the risks of sharing this data; about what are the risks to individuals, to our enterprises, to our country in sharing this data and making it so interconnected,” she said.
“So right now we are in the midst of playing an amazing catch-up game, a catch-up game in which we are taking years and years of legacy technology and infrastructure and trying to make it secure,” she said.
Security by design
To change the rules of the game, information security leaders “need to move to the front of the problem,” Mossburg said, outlining what is now considered best practice in security circles, but is rarely practiced: secure by design.
“We need to move to the front of the problem, to the innovation lifecycle, to the process development lifecycle, to the technology development lifecycle, to the system development lifecycle,” said Mossburg. Cyber risks need to be considered from the beginning — as the innovations are being designed, not after. The process change will also change the perception of security professionals and change their roles.
“By including the cyber security and risk requirements up front, we start to align ourselves with innovation, we start to be part of the innovation stream, we change the dialogue of what it is all of us do,” she said.
Be the innovation. That seemed like good advice.
NEW YORK CITY — Decisions are oftentimes colored by environment. Consider the humble cafeteria.
“When you walk into a cafeteria, something comes first, something comes last,” Katherine L. Milkman, associate professor of operations, information and decisions at The Wharton School at the University of Pennsylvania, said at Strata + Hadoop World. “And the first thing you encounter is more likely to end up on your tray than the last thing you encounter — because [at the beginning], your tray is empty.”
That’s not accidental; it’s the product of “choice architecture,” a concept Milkman said was best described in the 2008 book Nudge: Improving Decisions about Health, Wealth, and Happiness. “The idea is that everywhere we make decisions, we’re being influenced by our environment — by the architecture around us,” she said.
Milkman, who relies on big data to analyze how people avoid making the choices that would seem to be in their best interests (e.g. exercising more, cutting down on junk food intake), suggested that if environment plays such an important role in making decisions, maybe it’s time to take action. “Why not be a wise choice architect,” she said to attendees. “Why not try to improve decisions and facilitate better choices by, perhaps, putting ‘healthier foods’ first” in the cafeteria line of IT choices?
Based on her extensive work with A/B testing or split testing and her analysis of data both big and small, she provided five tips on how to become a choice architect:
Set helpful defaults. A “default decision” occurs when the decision maker takes no action and, instead, accepts what’s offered. She provided the example of organ donation; in countries where the default decision is to opt-out of an organ donation program, the number of organ donors is significantly lower compared to opt-in programs. That could be an example of laziness, Milkman said, or an example of consumer trust. “We take whatever the default is to be the policy recommendation, and that can be very powerful,” Milkman said. “Remember to design your defaults wisely whenever you’re creating a system, because they change behavior.”
Prompt people to plan whenever you want them to follow through on intended behaviors. In an A/B test for free on-site flu shot clinics, Milkman sent two types of messages to different employees: Group A received a mailing that simply provided information about the upcoming event; group B received the same information and was then asked to make note of the date and time for their own benefit. Those in group B took advantage of the free flu clinics more than those in group A. “[Prompting] works because, one, it helps the person think through obstacles,” said Milkman. “And, two, it also embeds plans more firmly in memory.”
Leverage social norms, or our tendency to want to follow the herd. Milkman pointed to an A/B test done at a hotel on towel reuse. Group A received messages that mentioned saving the environment as a reason to use fewer towels; group B received messages that encouraged joining fellow guests in the reuse of towels to help save the environment. “The second message was dramatically more successful in increasing towel reuse,” Milkman said. In a similar vein, Opower, a company that creates software for utility companies, sends out mailings that compare a homeowner’s energy usage to that of his neighbors. “A/B tests of this company have shown, year over year, this [messaging] reduces energy consumption by about 3% reliably,” Milkman said.
Create accountability. Holding someone’s feet to the fire works. Milkman pointed to a Michigan primary to prove her point. A decade ago, registered voters were sent different mailings that informed them they were being studied; others were mailed the voting record for the last two elections of everyone in the neighborhood — the record, not who a person voted for, is public record — and they were included on a list sent to their neighbors. “This accountability to neighbors increased voter turnout by eight percentage points, which to my knowledge is the single largest increase in voter turnout from any mailing that has ever been sent,” said Milkman, who also noted it was a “pretty aggressive” tactic.
Capitalize on fresh starts. Statistically, there are moments when people try to put their best foot forward — “at the start of a new week, new month, following celebrations of holidays and following birthdays,” Milkman said. “If you’re thinking when to provide tools to follow through on goals, these fresh start moments might be opportune opportunities to do so,” she said.
By 2020, more than 7 billion people and businesses — and close to 35 billion devices — will be connected to the Internet. The prediction, from IT consultancy Gartner, helps make that current “It” girl of IT buzzwords — “digital business” — less abstract. In a reality where the digital and physical worlds are intertwined, old business models don’t suffice.
Hence a need for new digital business designs. Look no farther, says Gartner, than Walt Disney World where wearable RFID-enabled MagicBands now function as room key, wallet, admission ticket and line skipper. (See Gartner’s definition of digital business below.)
The creation of new digital business designs, however, is really underway at only about a third of companies (32%), according to the firm’s recent “2015 Digital Business Survey of IT, Business and Marketing Executives,” and the front-runners, as Gartner calls them, are “breaking from the pack:”
“…a widening gulf is forming between organizations already undertaking digital business initiatives and those only in the planning phase,” analyst Jorge Lopez and his co-authors state.
Gartner’s data is consistent with recent data from McKinsey & Co., which showed that most companies have not yet realized the full value of digital.
Digital business doers vs. planners
The report, published last month, is based on responses from 304 executives at organizations with $250 million or more in 2014 revenue. The survey showed that digital doers don’t think or act like digital planners. Companies that are already doing digital initiatives, for example, don’t make a distinction between digital business strategy and plain old business strategy. Planners, on the other hand, see the two as separate. Digital investments by the doer group are for “piloting and deploying,” while the planner group “is into investigation and experimentation.” Makes sense.
Here’s where the gap is more than just semantic: Digital business front-runners overwhelmingly list “adopting new technology” as their highest priority, followed by “creating a highly collaborative environment” and “supporting customer-driven technology change.”
Adopting new technology is also the top priority for digital business planners (although 21 percentage points lower than for the doers: 70% vs. 49%), but — and this is the telltale data point — “renovating core IT toward a digital business future” is their No. 2 priority.
In other words, the doers are already busy transforming corporate culture to support customer-driven change, among other initiatives, while the planners are still mired in renovating legacy IT systems. Widening gulf indeed.
Veep of digital business
Here are a few more findings of interest to CIOs:
“Securing business and customer data” was cited as the leading requirement for digital business design, followed by “digital marketing capabilities to reach new customers” and “system integration of people, business and things.”
When respondents were asked who was responsible for leading digital business innovation at their companies, the leading candidate varied depending on who was doing the answering: CIO or IT director was among the top three roles, according to 57% of IT executives; CMO was among the top three, according to 38% of marketing execs; and business unit manager or managing director was among the top three, according to 35% of business executives.
Also, a new role appears to be gaining ground: VP for digital business was cited by 22% of all survey respondents, up from 11% in 2014.
One thing seems clear in the morass of biased opinion: Everybody wants to get in on digital business.
Here is Gartner’s definition of digital business:
The creation of new business designs that not only connect people and business, but connect people, business and things (physical objects that are active players and contribute to business value) to drive revenue and efficiency. Examples: use of sensors, asset tracking, smart machines, smart grid, 3D printing and robotics, smart cities and drone delivery.
United Parcel Service Inc.’s transformation from analog to digital business is well-known in the logistics industry. At the recent Big Data Innovation Summit in Boston, Jack Levis, director of business process management at the Atlanta, Ga. delivery company, walked attendees through the years-long transformation from manual to digital processes for every step — from route generation to real-time driving instructions to truck-loading.
The digital processes are enhanced by analytics. Handheld computers carried by UPS drivers are smarter because of the built-in GPS chip; and analytics also play an increasingly important role in decision making for things like preventive maintenance.
“I don’t know if it’s big data; I don’t know if it’s analytics or if it’s just process re-engineering,” Levis said. “The key is, data needs to turn into insight and insight into better decisions. If you have insight that doesn’t turn into a better decision, that’s trivial,” Levis told the group.
UPS continues to build out its digital platform with additional functionality. Levis explained that new digital tools were built exclusively for employees until it dawned on his team that UPS customers might also enjoy using them. “If I can flip a bit to change where a package goes, why don’t we let our customers flip that exact same bit,” Levis said.
The idea turned into My Choice, which notifies customers of an upcoming package delivery and gives them a chance to manage their options if, say, they’ll be out of town that day. “We took what we built for ourselves, and we opened up those tools to our customers,” Levis said.
My Choice debuted in 2011, but turning process tools over to customers is fast becoming a best practice for the digital business.
McKinsey & Co. published new data this month on how C-suite executives rate their progress on digital initiatives.
Bottom line for CIOs: The shift to digital is a super-high priority for the 987 executives surveyed by McKinsey, but it is still more hope than reality at most companies — and therefore should represent a significant opportunity for CIOs to take a leadership role. (More on the should-part below.)
Here are some of the McKinsey data points to ponder.
- Nearly three-quarters of C-level executives (71%) believe digital initiatives will add top-line revenue to the business.
- Nearly two-thirds (64%) say digital activities will result in bigger profits.
- However, less than one-third said their companies’ business activities are digital.
- Nearly half of respondents said their companies are capturing just 20% or less of the potential value that digital activities could bring to the business.
- Nearly half (46%) said their CEOs are personally involved in the companies’ digital agendas, up from 23% in 2012.
- CIOs were ranked as the second-most digitally-involved exec at 35%, compared to 32% of CMOs and 23% of business unit heads. (CIO digital clout slipped from 40% in 2014 as CEO involvement rose.)
Biggest challenges to going digital
- Lack of internal leadership or talent, both functional and technical, topped the list of the most significant challenges to realizing digital objectives at 31%, followed by:
- lack of data and understanding of how digital trends affect industry and company competition;
- inability to keep pace with faster speed of business under digital;
- inability to adopt an “experiment mind-set.”
Process automation climbs digital agenda, activities vary by industry
How the push to digital actually plays out at companies is pretty interesting. Most executives said their digital programs are focused on strengthening and growing the existing business, not aimed at new businesses or geographies — in line with what they said a year ago.
However — in a survey result especially germane to CIOs — digital activities within the enterprise are changing.
While “digital engagement with customers” remains the top corporate priority (as it was in the last three surveys), “automation and/or improvement of business process” has climbed the digital agenda: Just over half of respondents cited it as a top-three priority, right after “digital innovation of products, services, business or operating models.”
Priorities differ by industry: “Big data and advanced analytics” is a much bigger digital priority for healthcare than in other sectors, while business process improvement is of most concern to manufacturers. “Digital customer life-cycle management” is of low concern for all industries surveyed, suggesting that this is an area, in addition to business process improvement, where CIOs can step in and take charge.
Inside track from digital high performers
Of the 987 executives surveyed, 71 or a mere 7% identified themselves as high-performing digital companies. Here are the areas where they differed most significantly from their less digitally-enabled peers:
- Reviewed portfolio more frequently for digital-related opportunities and threats (53% vs. 35%)
- Made significant changes to risk profile and time horizon of business portfolio (51% vs. 21%)
- Reallocated a larger share of resources between businesses in the portfolio (46% vs. 29%)
Speed is critical: 43% of high performers say their companies take digital initiatives from idea to implementation in less than six months vs. 17% of all other respondents.
Time to get going!
For last week’s Searchlight column, I approached SearchCIO expert and former Citigroup CIO Harvey Koeppel to get his take on HP’s layoff of 30,000 jobs in its Enterprise Services business as it prepares to separate into two companies in November. Koeppel applauded the decision, saying the company has long needed to do something to make itself relevant to enterprises once again in today’s digital age. But he also said HP is going to have to change its cost-savings-driven rhetoric if the two offspring companies are to succeed.
Unfortunately, this culture of executing transactions as opposed to focusing on customers’ business needs and building relationships is rampant among many big companies today, not just HP, said Koeppel.
“It’s just outrageous when you listen to the internal talk about not just the lack of understanding of who the customers are, but actual disdain for what idiots the customers are,” Koeppel said. Companies that share this view, he believes, are destined to fail. “It is just so 1950s,” he added.
Part of the problem, as Koeppel mentioned in Searchlight, is that many companies’ technology sales and marketing strategies are managed quarter by quarter. But this approach isn’t conducive to building customer relationships.
“Relationships aren’t built in timeframes measured in quarters; relationships are built in timeframes measured in years,” he said.
He’s speaking from personal experience. As CIO at Citigroup’s Global Consumer Group, Koeppel awarded a $100 million contract to a company because its marketing representative spent three years establishing a relationship with him.
“I knew him and he knew me, but more importantly he had a total understanding of what Citi’s issues were and was willing to bear all the resources that were needed to solve specific problems, as opposed to executing a transaction and making numbers look good for this quarter,” Koeppel said.
Koeppel did acknowledge that it’s difficult not to strategize on a quarterly basis, “when that’s what the CEO’s job really is, is keeping shareholders happy, keeping Wall Street happy.”
There’s one aspect of HP’s culture the company has to tackle if its new endeavors are to succeed, and that’s improving staff morale, particularly post-layoff, according to Koeppel.
Big companies typically “lose the best and keep the rest after the cut,” Koeppel said. The people who remain tend to become demoralized — and if leadership doesn’t pay attention to the culture and the “people that matter,” a vacuum gets created inside the organization, he said.
“Smart people will go find other jobs, and [the company ends up] keeping the people who are too insecure to go find other jobs,” he said.
But Koeppel believes Meg Whitman and her leadership team are capable of tackling these issues.
“I have a lot of respect for Meg Whitman,” he said of HP’s CEO, whose career he has been following since her stint at eBay. “I think she’s got the brights, the smarts and the moxie to make something like this happen.”
Bangalore, Delhi, Manila, Cebu City, Shanghai. CIOs have traveled far afield in search of cheap labor for business process outsourcing (BPO). But according to a recent report from Cliff Justice, principal, Shared Services and Outsourcing Advisory at KPMG LLP, there’s no place like home for the best deals on BPO projects.
That’s provided home can take advantage of advances in robotic process automation (RPA). Not to be confused with the robots in metal pants, software-based RPA uses artificial intelligence (AI) and machine learning capabilities “to handle high-volume, repeatable tasks that previously required a human to perform,” writes Justice.
According to “Bots in the Back Office: Business Process Outsourcing (BPO) Withers as Robotic Process Automation (RPA) Grows Up,” software will trump geography for labor arbitrage: “Rising global labor costs are causing BPO to become unsustainable at the same time as technologies are advancing and converging in such a way that they can not only augment work, but replace workers.”
New class of ‘digital labor’
As traditional business process automation — one of IT’s principal jobs in the enterprise — is combined with machine learning, data analytics and “cognitive inventions,” a new class of digital labor will arise that can do the work of humans — faster, better and cheaper — no matter where those humans reside, the report states.
The cost benefits of BPO labor arbitrage, typically between 15% and 30%, will be outmatched by the 40% to 75% cost reduction that can be delivered by labor automation, according to KPMG. That’s a lot of money and potentially a lot of jobs: The global BPO sector is a $300 billion industry, employing more than 3 million people.
Who is in the crosshairs? The millions of call center workers employed globally, for starters. But any human job that involves “largely transactional, low-end, repeatable tasks” is fair game for RPA, says Justice. And as RPA matures, higher-level jobs are also subject to being done better and faster by software robots.
As my colleague Sue Troy reports in her story, “Cognitive robotic process automation poised to disrupt knowledge worker market,” over the next 10 years, “the work of 110 million to 140 million knowledge workers around the globe may be handled by cognitive robotic process automation systems.” But Justice, who cited the figures at the recent World BPO/ITO Forum’s Global Sourcing & Cloud Summit in New York, cautions that displacement doesn’t equate with 140 million jobs lost. The economy and demand for knowledge workers will continue to grow, he said, and a portion of the displaced workforce will be freed up from doing repetitive clerical and administrative tasks to focus on higher pursuits, including innovation.
KPMG: 5 factors that spell doom for BPO
What’s not up for debate is that the appetite for offshore outsourcing is changing, as companies elect to do smaller deals and fewer of them. Citing KPMG research and market trend data published in The Wall Street Journal, Justice points to what’s happened at companies in India — still the leaders in offshore outsourcing — where the value of deals worldwide shrank to $120.4 billion in 2014 from $206.8 billion in 2010. The number of deals decreased 61% between 2010 and 2014, to 1144 from 1805.
The report pulls out five factors that spell doom for BPO:
- Shrinking talent pool due to global demographic trends
- Escalating labor costs in emerging markets
- Expanding capabilities of robotic technologies
- Internet of Things making devices smarter and reducing need for human intervention
- Increasing influence of platform-centric cloud service providers
Justice reports that traditional service providers are embracing the new operating models introduced by RPA. Let us know what you are doing with RPA.
For more information on how RPA is poised to shake up the ITO/BPO marketplace, see my interview with Carnegie Mellon’s Andy Wasser.