The EU-U.S. Privacy Shield data transfer pact is now in effect, and U.S. cloud providers, e-commerce retailers and other companies that want to collect customer data from their European Union counterparts can start signing up to use the laws Aug. 1.
The framework, which replaces the Safe Harbor agreement dissolved in October 2015, has stronger security protections for EU citizens whose personal information will be shipped across the Atlantic. U.S. companies on the receiving end have to self-certify, promising to uphold data privacy principles such as “notice” — which requires companies to let customers know what will happen to their data. But in complying with Privacy Shield principles, companies can also use the new pact to improve their reputations as customer-centric organizations, said Enza Iannopollo, an analyst for Forrester Research.
“If I am required by the regulation to put in place a process to address access requests for the data of my customers, how do we do that?” Iannopollo said. “Am I giving them the right explanation, and when I do that, when I communicate with them, am I showing the right level of sensitivity and the right level of understanding?”
If the answer to those questions is yes, that’s good news, Iannopollo said. Customers will give high marks to companies that explain their privacy policies on their websites in ways they can easily understand. If companies give the job to their legal teams, and those teams churn out dense legalese, customers may feel discouraged and underappreciated.
“You’re losing a big opportunity, which is using that content to show once more to your customer, ‘I care about you,’” Iannopollo said. “‘I’m easy to do business with, and I’m putting you in charge and this is the control that you have over your data.’”
Ensuring customers’ security and privacy, she said, can be a “differentiating factor.” Consumers will happily continue to give their business to customer-centric organizations they feel respect them and their privacy — and even pay more for their products and services.
“Compliance is where you start, but then you can push privacy really all the way to a business growth strategy,” Iannopollo said.
Before organizations needed to protect the business data their workers access on smartphones and tablets, they had to — and still do — protect the data employees use on laptops and PCs. So why not use those same endpoint security tools to protect mobile devices?
Two main things: the way people use mobile devices and the way mobile devices are built, said Gartner analyst Dionisio Zumerle, co-author of the recently updated report “How Digital Business Reshapes Mobile Security.”
“The traditional management models just don’t fit mobile,” Zumerle said. “You have the way that people use their mobile devices — that promiscuous way, if you will — that they use mobile devices with personal and business.”
Users are “promiscuous” on mobile devices, Zumerle said, because they’ll just as soon use a reporting tool to prepare a business presentation on their smartphones or tablets, for example, as they will post a picture of an Independence Day picnic with their families on Facebook. Mobile devices make it easy not to discriminate.
That doesn’t happen as much with laptops or PCs, Zumerle said, “maybe because people don’t consider a laptop that personal.” Or it could be because most of the personal activity that is done on laptops — email, scrolling through Twitter or Instagram, or shopping on Amazon — happens in browsers.
Lack of oversight
Another reason traditional tools don’t work can be traced to the architectural differences between traditional devices and mobile devices. For example, laptops and PCs have been built to do things like track user activity. And if anything untoward is going on, they can be locked down.
“With certain agents on the device, you can pretty much see a lot of what’s going on, on the device and a lot of what the user is doing with the device, with the enterprise data on the device,” Zumerle said. “And that’s something that you cannot do on mobile devices for technical reasons.”
The panoply of enterprise mobility management tools that most companies use today to manage and protect mobile devices does allow organizations to see some, but not all, of what a user is doing on a mobile device. And there are newer tools, such as cloud access security brokers, that will send a warning to someone trying to, say, access a free file sync-and-share service such as Dropbox. So someone trying to move two gigabytes of data from a mobile device won’t be in stealth mode.
“Still, it’s difficult to see what data was that two gigs of data,” Zumerle said. “Just pictures from my birthday party? Or was it real enterprise data from customers?”
Dionisio Zumerle discusses the trends that are shaping mobile security today and how to get started on a strategy in this SearchCIO interview.
Barcelona, Amsterdam, Berlin.
Those are the cities that could replace London as Europe’s technology hub now that the British people have narrowly voted to separate from the European Union.
If London loses its premier status, CIOs in England’s glittering capital — and elsewhere in the tech-rich United Kingdom — will have even more trouble recruiting hard-to-find talent.
Programmers, developers and other IT folks from all over Europe have long journeyed to London to seek their fortunes — or at the very least, a start to their careers, said Forrester Research analyst Laura Koetzle.
Tech hub no more?
Often, they go straight from college to a notoriously expensive city, she said, “knowing that they’re not going to have that much money, and they’re going to live in a stinky flat share … because it’s the best market in Europe, where they can rise the fastest and do the most interesting things.”
But as legislators work out details of the split over the next two years, the immigration status of thousands will be thrust into uncertainty. If it’s too hard to stay in London, many tech workers will go someplace else.
Barcelona, Spain, or Amsterdam, Netherlands — cosmopolitan cities with flourishing IT sectors and relatively lower costs of living — are likely alternatives, Koetzle said. Berlin or Stockholm, Sweden, could also take the title of technology hub.
Venture capitalists, too, seeing less promise, could move to talent-friendlier shores, as could their startup protégés.
Keeping the capital’s gain
To keep the talented Europeans they already have, Koetzle wrote in a paper released after the EU referendum, London-based CIOs should give themselves a new title: chief retention officer. As the government sorts out visa and immigration policies, CIOs’ challenge will be to convince their European workers to go through what could be a lot of extra effort to stay in a country that’s not so easy to live and work in anymore.
One suggestion: Get hipper. Start by giving workers the social media and collaboration tools they want to use, such as Skype and Slack.
“Further, revitalize your tired old ‘back-office campus’ as a cool, vibrant place to work in order to keep your star developers,” Koetzle wrote.
Company leadership has a vision for where the business should be headed. The new direction diverges from what made the company successful. It will require new business models, new financial models, a new business psychology — it calls for innovation. How does leadership make it happen?
Don’t overlook innovation software, said Mohan Nair, who spoke to me recently about his experience with Spigit software. “You can’t do it the old-fashioned way.”
Nair is the chief innovation officer and a senior VP at Cambia Health Solutions, a Portland, Ore., not-for-profit that got its start nearly a century ago selling insurance to loggers and mill workers in the Pacific Northwest. In recent years, Cambia has moved beyond insurance into consumer healthcare and technology. Today, the health insurer, which has 2.5 million members and employs 5,500 people, comprises some 25 companies, many of them aimed at helping people become more involved in their healthcare decisions through online, mobile and digital technologies.
Nair, who was trained as a computer scientist and went on to run software companies, was recruited in 2003 to Cambia, then known as The Regence Group, to help the company’s then-new CEO, Mark Ganz, engineer a “total transformation of the business from the bottom up, not top down.”
Unleashing vs sanctioning innovation
The bottom-up transformation started at the top with the CEO’s vision to make Cambia a more customer-centric company — a radical viewpoint in the health insurance industry at the time, Nair said — and with leadership’s conviction that innovation be seen as a company value.
“You don’t say, ‘Let’s have a lab and you guys are going to get all this innovation after the smart people think it through.’ You make innovation a responsibility and a requirement.”
But saying that henceforth innovation is a company value doesn’t make it so. “It’s not that easy,” Nair said. It’s important that innovation is not something seen as “allowed” by the company. “That’s not what innovation is about. There is a renegade quality to innovation and you should unleash it, not allow it.”
One thing that helped unleash new ideas at Cambia, Nair said, is the innovation software from Spigit he introduced five years ago.
“It allows for true bottom-up crowdsourcing in a somewhat disorganized way. Anybody at any level can say, ‘I challenge us to solve this problem. I challenge us to identify solutions in this area,'” he said. “Technology has no emotion, but the design of the technology can allow emotion to manifest itself.”
While Cambia’s organizational structure — who reports to whom, the various paths up the corporate ladder — is the “backbone of the company,” Spigit’s innovation software “is like the nervous system of the organization,” Nair said.
“It’s all about how ideas flow from one part to another, where redundancy could be good and where focus can be the enemy of new ideas,” he said.
Measure — but not too soon
It’s also important that innovation be measured. To that end, Cambia employees are surveyed quarterly on their bosses’ ability to “absorb and understand” new ideas. The company also measures how many ideas are coming through the system, identifying which people are getting more ideas going than others and what techniques they are using to make that happen, Nair said. The company has also found a correlation between people who submit ideas and their performance rating — people with high performance ratings tend to contribute more ideas than their lower-performing peers.
But, he cautioned against imposing metrics too early in the process. “I never put those measurements in place until I felt we had reached a tipping point, which is about 28% of the company submitting, viewing or contributing new ideas,” he said.
While the aim of the innovation software is to generate ideas that bring business value, companies should not fixate on business results too early, he said. “When we were at 5%, 8%, 10% participation it was about loving the idea less and encouraging the people with the ideas more.”
The innovation scorecard
Indeed, it takes about four or five years for the technology-enabled innovation model to “mature,” said Nair, who rattled off Cambia’s latest
- 29% of employees engaged in innovation
- 1,276 ideas generated
- 5 companies created (two from crowdsourcing)
- $171 million in contributed revenue
“The most recent company we are about to launch will be a very dramatic transformation. It is in the area of pharmacy transparency and came from a pharmacist who submitted his idea into the crowdsourcing toolkit,” Nair said. “Others latched on it — and eight months later he is founder of a company.”
How does a tech revolution begin? With the hyped rollout of some slick gadget at a convention in Las Vegas or San Francisco, followed by headlines everywhere about how the thing is already changing people’s lives (meanwhile, folks are queuing outside retail stores in the rain wearing ponchos)?
Not quite, said IT consultant Judith Hurwitz. Technologies that “transform everything” take decades to evolve.
Hurwitz, who wrote Hybrid Cloud for Dummies and other books on IT, was at the recent Cloud Expo in New York to talk about cognitive computing, which simulates human brain functions. It learns the way we do, Hurwitz said, and will change the way business applications are built.
Software of the future will rely not on programming, as traditional apps do, but on an ever-flowing input of data, changing as structured database files and unstructured journal articles and videos are ingested and analyzed.
It will have an enormous impact on data-intensive industries like healthcare, changing the way doctors diagnose patients: they’ll collaborate with machines like IBM’s Watson on diagnoses. And in manufacturing, according to The National Academy of Engineering, production systems will be imbued with intelligence and reasoning — and operate themselves.
That’s not all. Cognitive computing will refashion legal and financial services, retail, marketing and security, Hurwitz said.
It just won’t happen tomorrow.
“When the technologies are mature enough, ubiquitous enough, the infrastructure’s in place — that’s when dramatic change suddenly happens out of nowhere,” Hurwitz said.
Take the Internet. When did you start sending more emails than letters? Probably around 1996 or ’97. Electronic communications were first sent in the early 1970s over the ARPANET, a network developed for the U.S. Department of Defense.
There was no come-from-behind tech revolution with the fax machine either. It was developed throughout the mid-to-late 1800s but didn’t become an office staple until the 1980s.
“All of these technologies take time to evolve,” Hurwitz said. “This is the reality.”
A long-term care provider turned to cloud computing to shore up security and boost application performance. Here’s the rundown:
The IT situation at Creative Solutions in Healthcare was pretty dire two and a half years ago. When CIO Shawn Wiora came on board he found alarming security issues. The company’s out-of-date Windows Server 2003 machines were out of synch with current security protocols. Patch management as a formal program was practically nonexistent. There was very little documentation of Health Insurance Portability and Accountability Act (HIPAA) compliance. “From a security perspective, it was a ticking time bomb,” Wiora recalled. IT performance was also an issue with slow electronic health record (EHR) system response times.
Wiora noted a disconnect between the state of IT and Creative Solutions’ passion for patient care. The company, based in Fort Worth, Texas, runs more than 49 skilled nursing and 13 assisted living facilities. The CIO determined cloud computing would let the IT side catch up with the rest of the company. The company selected VMware’s vCloud Air, an infrastructure as a service offering, as its core cloud computing technology. VMware, Wiora said, was open to accommodating Creative Solutions’ security vision: A customized version of the Health Information Trust Alliance framework, which incorporates HIPAA, NIST and PCI among other security controls.
Incorporating the key frameworks into its cloud from the start put Creative Solutions on the proper security track. In addition, the cloud deployment improved the performance of applications such as EHR. Instead of a two-second lag, the company recorded round-trip latency in the 40-to-80 millisecond range. That’s an important plus for care delivery, considering caregivers at an individual facility use kiosk computers to record thousands of patient interactions daily. The company has also addressed internet outages, using Cradlepoint technology that fails over to 4G LTE in the event of disruption. “The company is now a phoenix out of the ashes in terms of IT,” Wiora said.
How to attract and retain talent for a digital future? That was the question posed by session moderator George Westerman, principal research scientist at MIT Initiative on the Digital Economy, at the recent MIT Sloan CIO Symposium in Cambridge, Mass. Wrapping up a discussion among three business executives and a prominent academic that ranged from using data to find the right talent to dealing with robots in the workplace, Westerman asked, “What one piece of advice would you give to a CIO on how to build the right skills for the future in their unit and the organization?”
Karen Kocher: “I would have it be for the CIOs to be advocates of data-based talent decisions.”
Chief learning officer for healthcare insurance company Cigna, Kocher relies on data and various software tools to “identify the tendencies, the characteristics, the competencies of an individual.” Cigna does this to determine what differentiates a high performer from his or her peers. The company uses the same method to create a “role profile” that can be used as a reference point when helping others to develop their own skills. CIOs are key to implementing such tools and systems, she said, “because you are the ones most people look at as the sources of valuable data and information.”
Steve Phillips: “Hire the best and trust the people.”
Phillips is CIO of electronics distributor Avnet Inc. His strategy of developing skills for a digital future starts with finding the right people — often by building relationships with students and professors at universities. He also emphasizes the importance of building teams of people with the “right diversity” of, say, thoughts or skills. Not only does that make for a powerful team, but it helps leaders with their own personal growth, Phillips said. “It also should drive for excellence and rigor as well.”
Gerald Chertavian: “Think differently about talent, where it resides and how you access it.”
Chertavian is CEO and founder of nonprofit Year Up, which helps low-income young people build their technical and business skills and get jobs. He stressed that if organizations look for talent in just the usual places — namely, four-year colleges and universities — “you’re really starting to narrow the pond in which you are fishing.” The 18-to-24-year-olds Year Up works with are highly motivated, Chertavian said, and stay in jobs two-to-four times longer than the average Millennial, who sticks around for 18 months.
Tom Davenport: “Plan for augmentation, not automation. Think of smart people working together with smart machines.”
The analytics and knowledge management scholar cheated, using two sentences instead of the one Westerman required — but both drive home the same idea. The digital future will be people working alongside robots. Robots are smart. They learn fast. And they “keep taking over things that we normally did,” Davenport said. So that they aren’t overshadowed, the people CIOs hire need to be good at what they do — at some technical skill, such as programming — but they also need to exhibit “human” characteristics and skills such as initiative, interpersonal skills and teamwork.
Having a tough time defining an IT security strategy able to take on big data and the Internet of Things? The panelists on the “Big Data 2.0: Next-Gen Privacy, Security and Analytics” session at last month’s MIT Sloan CIO Symposium feel your pain. One big conundrum for IT security practitioners, the panel agreed, is how enterprises should handle security and data governance amid the coming onslaught of regulations aimed at IoT and big data.
Moderator Alex “Sandy” Pentland, the Toshiba Professor of Media Arts and Sciences at MIT, said companies can’t afford to wait for regulations to come up with a governance strategy; IT security leaders need to figure out where the vulnerabilities are vis-à-vis new technologies — or put themselves at risk.
Rob Thomas, vice president of product development at IBM Analytics, said he likes to think about building data governance strategies like building castles. “When castles were constructed in the 1100s, they [were built as] a place to wage an offensive, to go on offense,” he said. He added that this is exactly how enterprises should approach their data strategies. “If the organization is waiting to hear what the regulations are, and then you respond with a data strategy, you have no chance of being ahead of the market.”
According to Thomas, going on the offense requires knowing what your data assets are, the flow and lifecycle of that data, and who has access to it and why.
Legal repercussions put damper on playing offense security
However, the task of building a data governance model that can tackle these demands in light of emerging applications such as IoT is easier said than done, said Anthony Christie, CMO of Level 3 Communications, an internet service provider and telecommunications company. If companies get it wrong, the consequences can be costly — and dire. He pointed to his own industry as an example.
“Carriers and internet service providers today … have the ability, in many respects, to proactively play this offense and to stop the number of threats — but the laws around culpability, if you get it wrong, are so grave that right now some of the more conservative providers don’t even want to deal with it,” he said.
So, is there a way to get out ahead of lagging government regulations? Pentland brought up the idea of test beds, or specific towns or cities in which companies can experiment operating under new rules, to gauge what consumers and citizens think is working.
Christie also believes test beds are a great opportunity for companies to explore and look for partners to develop their security and data governance strategies. He said these types of relationships have proven beneficial to Level 3, but companies may have to look beyond the obvious partners.
“In [Level 3’s] case, we actually had better success not with other service providers … but with equipment providers, who want to develop their equipment better,” he said.
Cloud Expo 2016 had an ambitious billing: “The World of Cloud Computing All in One Place!”
Held in a subterranean sector of the Jacob K. Javits Convention Center in New York in June, the convention indeed spanned a lot of topics, with educational sessions falling into 10 topical areas. “Enterprise cloud adoption” was one; containers and microservices another; wearables and the internet of things a third. Vendors led many of the sessions, but, for the most part, kept them neutralish.
One, dubbed a “power panel” of cloud vendor reps, discussed how to convince latecomer C-level executives to embrace the cloud. Randy De Meno said keep it simple.
“We have more devices creating more data,” said De Meno, chief technologist at Commvault, a data management software vendor with a cloud infrastructure line. Many execs already have one of those devices, an iPhone. “If you use iCloud, congratulations. You’re in the cloud. So a lot of C-level understand that.”
On the expo floor, where vendors are expected to talk up their wares and hand out swag like pens and stress balls, one vendor gave the crowd of coders, application developers, IT managers and consultants at the conference something a little different. Stratoscale, which sells software-defined networking, invited people to line up and play a video game. The prize was a remote-control toy helicopter.
Patricia Palacio, a disaster recovery architect at IT services provider Cognizant, was on the lookout at Cloud Expo for new technologies that might help convince more customers to do DR in the cloud. She said she’s not good at video games, but she got in line anyway, played and won the toy.
“It’s for my son,” she said. He’s 14 and, unlike his mom, a gaming fan. “I think he’ll like it.”
IT vendors weren’t the only ones with stuff to sell at Cloud Expo 2016. The New York Times was there with a special offer for conference goers: 75% off home delivery of the print edition of the newspaper and 50% off digital. After signing up, new subscribers got a set of Times-branded Google Cardboard virtual-reality glasses.
Food and drinks are an integral part of any tech conference. At Cloud Expo — which, curiously, had no water on offer between sessions — there were the usual pasta bars, roast-meat stations and tables stocked with bottled beer and wine. There were also a few curiosities. One was the cappuccino machine at the IBM booth. My colleague, SearchCloudApplications reporter Joel Shore, asked, “When you think of IBM, what do you think of?” He promptly got in line for a frothy café.
Another surprise was a hot dog cart wheeled onto the expo floor. But then, perhaps it wasn’t a surprise to many there. It was New York, after all.
What are the qualities of a CIO? Gone are the days when the CIO role called for being responsible for mostly IT systems. Top-performing CIOs in the digital era are innovation-focused, devote more time to external customers, interact with their executive committees, and have their systems available for both internal and external use, according to a recent MIT CISR report.
“Five years ago, CIOs were generally perceived as being operation-oriented … but in the last couple of years the perception has become much more strategic,” Craig Stephenson, managing director of North America CIO practice at Korn Ferry, said.
Stephenson was speaking at a panel discussion on “The Perfect CIO: Empowering Business Partners and Serving Customers,” at the recent MIT CIO Symposium in Cambridge, Mass.
One indication of the shift to a more strategic business role is the rise in the number of CIOs reporting to the company’s top business executive. CIOs are now reporting to CEOs 56% of the time at Fortune 500 companies, a 12% increase over the past five years, Stephenson said.
Indeed, Stephenson said that most CIOs not only work more closely with their CEOs, but also are well positioned to become future CEOs because of their strategic involvement across the enterprise, from marketing to product development to partner relationships.
One thing that hasn’t changed in recent years: the longstanding reluctance of many CIOs to report to CFOs. Stephenson said that it takes a lot of work these days to convince a prospective CIO to report to the CFO. CIOs much prefer reporting to CEOs, a relationship that gives them access to the board and allows them to operate as a peer to others in the C-suite, he said.
Qualities of a CIO
So, what is the “perfect CIO” in Stephenson’s view?
“CEOs are looking for components of a CIO’s portfolio … that lead to exponential growth,” he said. “It might be around how you deal with change, it might be how you enable others, it might be how you bring people together.”
Here are some of the other qualities of a CIO outlined by Stephenson:
- A perfect CIO, as discussed above, should be able to combine both operational and strategic activities. According to an MIT CISR survey, 50% of CIOs — in addition to overseeing IT operations — are primarily responsible for innovation and managing digital threats. CIOs should have experience reporting to the board on a quarterly basis.
- A perfect CIO is able to attract and retain top-notch talent.
“The key risk for the CIO every single day is people,” Stephenson said. “There is a tremendous drain on talent in the marketplace.” CIOs should make sure their team members stay focused and are engaged. Stephenson recommended CIOs spend 10% to 15% of their time on ensuring that their teams are being mentored and monitored appropriately.
- Perfect CIOs should understand their company’s business priorities and objectives to ensure that they can leverage technology plans and strategies to achieve those goals.
- A perfect CIO should be dynamic, charismatic, agile and willing to step outside his/her comfort zone.
- A perfect CIO should be able to communicate effectively. That means CIOs need to be comfortable interacting with their companies’ business partners and stakeholders — both within and outside the company — and with a high level of confidence.
“I think the CIOs that can actually facilitate consensus, common purpose and mission, are the ones that are actually really set to achieve great things,” Stephenson said.