Microsoft’s announcement of a partnership last week with a group of big banks that includes Citigroup and Wells Fargo to do experiments on blockchain technology must have bewildered at least a few people.
Some may have wondered what on earth blockchain is. Others may have puzzled over why banks that normally compete for business are working together on anything.
They’re not unreasonable things to think. Let’s start with the emerging technology that forms the basis of the digital currency bitcoin. A blockchain database is distributed among a network of computers, instead of being centralized on a server cluster. Built on top of that is a shared ledger; every change to the ledger is validated in a way that ensures security and then replicated to all computers that are part of the blockchain.
That’s useful in industries like financial services, which often rely on a central clearinghouse to verify transactions. A blockchain would eliminate that middleman, slashing administration time and costs. Banks are looking at the technology to see what else it can be used for — eyeing new ways of handling stocks, derivatives and loans. But they can’t do that kind of testing alone — hence partnerships like the one between Microsoft and startup R3, which leads a consortium of more than 40 banks.
Together, said Martha Bennett, an analyst at Forrester Research, they can work through a range of issues, including industry standards. To join a blockchain network, organizations need to agree on the technology stack and protocol to put to use.
“There is no competitive advantage for a bank or anybody else in trying to do blockchain on your own — unless you can somehow convince everybody to adopt your standards, and how likely is that?” Bennett said. “So it does require industry collaboration.”
It also helps to pull together resources to try out a complex new technology and see what works and how that might scale outside of the research-and-development labs.
Microsoft’s end of the bargain is to lend tools and its cloud service Azure for the banks to do their testing. In return, it hopes to run their in-production blockchains when they’re done.
The R3 group isn’t the only gang looking to develop uses and standards for blockchain database technology. There is also the open source Hyperledger Project, led by the Linux Foundation. It is looking at ways of doing other kinds of business transactions, too, not just financial ones, so its ranks include multinationals like IBM and Hitachi alongside banks BNY Mellon and State Street. That group overlaps with a growing number of blockchain startups and even with R3.
That’s a good thing, Bennett said, because the contributions each of the players brings with it can feed into the larger development of the technology.
“It is very much an ecosystem play,” she said.
Should a blade of grass move when we nudge it? If it doesn’t, should we assume we’re dreaming? Or in some alternate reality? “I would think I might be in The Matrix,” said Michael Facemire in a recent webinar presentation on the importance of mobile performance.
Facemire, principal analyst for application development and delivery professionals at Forrester Research Inc., believes mobile devices, by virtue of their touchability, have fundamentally changed customer expectations about technology performance. Just as when we touch a blade of grass we expect something to happen immediately, so too with apps and websites accessed through mobile devices. If these digital artifacts don’t respond immediately, we flee. Facemire cited stats from Google and others showing a majority of smartphone users will abandon a “touch activity” after just 2 seconds of inaction.
In a marketplace where transactions are increasingly digital and executed via smartphone, Facemire argues that building high-performance mobile experiences (the title of his Akamai Technologies-sponsored webinar) is paramount to keeping customers and promoting brand loyalty.
The problem is that many companies — and IT organizations, in particular — have not adapted their software development processes to this new reality, said Facemire, a developer and computer scientist by training.
Mobile performance low on developer totem pole
“Speaking on behalf of a lot of developers, when it comes to performance, this is generally not the first thing we think of when presented with a problem,” he said. The challenges that keep development teams up at night are figuring out how to build the software, what components and tools are needed, and what the user interface (UI) should look like, he said.
“Performance is one of those things that you just check a day or two before you ship code.” Indeed, in the traditional waterfall development method, performance review was one of the last stages, he recalled, “right up there with making sure that the legal paperwork had been signed.”
Yet, as Google’s and other companies’ data show, “performance is as important as, if not more important than, the user interface” in ensuring a great user experience, he said.
So what do IT organizations need to do to ensure high-quality mobile performance?
High-performance mobile experiences: ‘Full-stack game’
The first step is to stop making the UI the scapegoat for low-quality mobile experiences, Facemire said. Performance is a “full-stack game,” with the delivery layer, API layer and network connections all playing a part, he said. Content being delivered from a back-end content management system to the front end has to be transformed so that it fits appropriately on the device screen. The API layer has to do its bit: During peak mobile access times — Black Friday for retailers, end-of-quarter for travel and expense companies are two instances — it’s essential that database administrators are not in the middle of some task (for example, indexing the database) that will compromise users’ access to the data they want (a retailer’s product list, an employee’s expense account). Network performance is context-dependent: A 4G connection for customers at a football stadium with 59,000 fans can’t be counted on for high-quality mobile performance. So, ideally, data should be cached as close as possible to the device. But, unlike caching for the Web, caching for mobile is “an area as an industry that we are still trying to figure out,” Facemire said.
Speed and performance
Adding to the problem of delivering high-quality mobile performance is the tremendous pressure developers are under to deliver new material. A development process that once upon a time took 12 to 18 months now happens in two to four months and is rapidly becoming a “zero-day event,” Facemire said.
The good news is that developers are catching up to demand. When Forrester recently asked enterprise developers how fast their teams released applications, nearly a third (32%) said they’re releasing applications monthly or faster. The bad news is that to meet that timetable, teams take shortcuts.
“Unfortunately, a lot of folks simply cut off the back-end part of it,” Facemire said. Only 23% of developers and professionals surveyed by Forrester said they incorporate performance or load testing tools in their software development lifecycle, and 15% of them use these tools less than monthly. That’s asking for mobile performance issues — and customer dissatisfaction.
“Quality has to be a part of everything you do from Day 1 — not at the end,” Facemire said. “We need to have testing and we need to ensure our mobile experiences have the enterprise quality customers have come to expect — but to do it more quickly.”
A growing number of hospitals have not been having a good start to spring. Kentucky’s Methodist Hospital, Chino Valley Medical Center and Desert Valley Hospital, both in California, and now San Diego’s Alvarado Hospital Medical Center and King’s Daughters Health in Indiana are just a few of the institutions that have been hit by ransomware — software that freezes computer systems until money is paid to infiltrators.
All of the hospitals experienced some form of temporary network disruption. Some, like Hollywood Presbyterian Medical Center, even paid the ransom.
The malware intrusions will keep mounting until hospitals — the target du jour for crime circles — re-evaluate how they build their cyberdefenses, said Chris Ensey, COO of Dunbar Security Solutions.
“I do believe that we are on the cusp of a larger spread of this type of activity,” Ensey said.
Financial health for hackers
But why hospitals? And why now? Simple, Ensey said. It’s a quest for more revenue.
“What we’re seeing is the macroevolution of ransomware and the tactics that are being used by organized crime to continue to expand the revenue generated from ransomware,” Ensey said. “The most productive way to do that is by targeted campaigns.”
Hackers started, he said, by sending the malicious software to “a big list of email addresses” in an effort to hook as many people as possible. The hope was they’d get into a few computers, hijack the data on them and make money off each catch.
That evolved into spear phishing — similar phony-email schemes but customized for specific organizations. Hospitals use technologies that help them meet requirements set by the healthcare privacy law HIPAA and other mandates, and those are usually fine, Ensey said. Antivirus software and packet filtering as part of firewall protection “catch the common stuff.” But cybercriminals have gotten good at finding ways to burrow into systems. Hospitals, in turn, have to get better at keeping them out, he said.
Guarding against malware intrusions
You may recognize the name Dunbar from the armored cars that banks and other businesses hire to transport large sums of cash. It also sells managed security services, so of course, Ensey stands by those. His pitch: Hospitals can focus on their healthcare infrastructure while Dunbar constantly monitors for attacks. His general-purpose advice for hospitals is to keep pace with the technologies used to hack them.
A “very, very comprehensive backup strategy for their data” is a good start. Using automated backups is a solid strategy; so is the more expensive measure of highly secured colocation facilities to which hospitals can send their data over encrypted channels and replicate it.
Hospitals should also take another look at how they set up employee work stations with access to the Internet, since those can serve as portals for ransomware that can hold healthcare data hostage, Ensey said. Email can be a conduit for malware intrusions, and so can malvertisements — online ads that proliferate malicious software.
And healthcare institutions not only need a CISO in charge of cybersecurity, Ensey said — that executive needs to have “a seat at the table” — the business strategy table, that is. The CISO should have close ties to the CIO, the chief medical officer and the risk management team.
“Being part of those conversations is absolutely paramount to every decision that they make,” he said.
Looking to win friends and make connections in high places? The most important networking rule to remember is also a pretty simple one: It’s not about you. That’s according to Todd Cohen, author of Everyone’s in Sales and keynote speaker at the recent Premier CIO event in Boston.
If it’s not about you, what is business networking about? “It’s about building a relationship,” Cohen said. “And anyone who goes into networking thinking that it’s anything other than about building a relationship will fail.”
The guide to business networking à la Cohen advises CIOs and senior IT leaders to play the long game. Instead of approaching a networking opportunity in search of instant gratification, consider how to add to a conversation. One of the ways Cohen suggests doing that is to think about secondary network connections: Who from among your colleagues will benefit from getting to know the person you’ve just connected with? Then, take your networking win one step further and make the introduction.
The up-front investment of connecting two people together — especially if the connection is a worthwhile one — may not pay off right away, but the likelihood is that it will eventually. Both people will remember the connection — and remember the connector.
More tips for the CIO from Cohen’s guide to business networking
- Only attend a networking event if you can “be present,” Cohen said. “If you’re not, everyone will know.”
- Take the pressure off by making the goals attainable. Rather than doling out a stack of business cards, focus on having two meaningful conversations in an hour. “And a meaningful conversation is nothing more than 10 minutes of talking about something where you both can say, ‘Yeah, that was a nice conversation,’” he said.
- Create a rapport by talking about your interests. Cohen once met a botany hobbyist who explained that a seemingly healthy-looking plant was actually on the verge of dying. “He just got me because he talked about something that was passionate to him,” he said.
- Join an organization and commit. “You can’t say I’m going to join [a Society for Information Management chapter] and go once,” he said. “You have to go every month because that’s the only way people are going to trust you.”
- Don’t interrupt a conversation between two people. Instead, focus on someone who is standing alone or groups of three or more people, where it will be easier to get invited into a conversation, he said.
- End a conversation by asking, “What can I do for you?” Especially if the conversation falls into the “meaningful” category. The comment is unexpected, memorable and opens the door for another interaction, Cohen said.
If your organization is doing a lot with cloud computing, you may have heard people on your cloud or security teams talk about the need for a CASB. That’s pronounced KAZ-bee.
No, it’s not a magical creature in the Nintendo game The Legend of Zelda. Or a mispronunciation of the word casbah. Or a reference to The Clash cult classic, “Rock the Casbah.”
It stands for cloud access security broker. It’s a cloud security tool that serves as a gatekeeper to your organization’s systems and loops in whatever security policies you have in place. So if someone tries to access a free file-sync-and-share service such as Box.com or Dropbox, he or she will get a warning notice or could be shut down.
In an October market report, research outfit Gartner labeled CASB a “required security platform for organizations using cloud services” and predicted enormous growth in coming years. By 2020, it said, 85% of organizations will use one, up from less than 5% in 2015.
Johna Till Johnson, CEO and founder of Nemertes Research, presenting results from a security study in a webinar earlier this month, said cloud access security brokers were in use at companies with the most forward-looking and successful cybersecurity strategies.
“This or something like it is something you have to have as you’re moving out to cloud,” Johnson said. “And using it implies that you already have a set of defined policies, and you have a good sense of who should be using what and why.”
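A sketch of the gatekeeper behaviour described above, added here as an example and not code from Gartner, Nemertes or any CASB vendor: a defined policy (the prerequisite Johnson names) that sanctions Box for one group and a corporate share for everyone, applied to constructed proxy log lines, so that unsanctioned file-sync-and-share traffic gets a warning or is blocked. The log format, group names and hostnames are assumptions.

```python
"""Minimal CASB-style policy check over constructed proxy log lines.

The policy below is a constructed assumption: who may use which cloud
service. Access to an unsanctioned file-sync-and-share service is warned
on browse and blocked on upload, mirroring the warn-or-shut-down outcome
described in the article.
"""
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample proxy log lines: "<timestamp> <user> <group> <method> <url>"
SAMPLE_LOG = """\
2016-04-01T09:12:03Z alice finance GET https://www.dropbox.com/home
2016-04-01T09:13:10Z alice finance POST https://content.dropboxapi.com/2/files/upload
2016-04-01T09:15:44Z bob engineering GET https://app.box.com/folder/1
2016-04-01T09:16:02Z bob engineering GET https://sharepoint.example.com/sites/eng
2016-04-01T09:17:30Z carol marketing POST https://app.box.com/api/2.0/files/content
"""

# Policy (assumed): sanctioned services and the groups licensed to use them.
SANCTIONED = {
    "box.com": {"marketing"},          # marketing has a Box licence
    "sharepoint.example.com": {"*"},   # everyone may use the corporate share
}
# Services the policy governs as file-sync-and-share destinations.
FILE_SYNC_SHARE = {"dropbox.com", "dropboxapi.com", "box.com"}


@dataclass
class Decision:
    user: str
    host: str
    action: str   # "allow", "warn" or "block"
    reason: str


def _registrable(host):
    """Crude registrable-domain reduction: keep the last two labels."""
    return ".".join(host.split(".")[-2:])


def evaluate(user, group, method, url):
    """Apply the policy to one access and return a Decision."""
    host = urlparse(url).hostname or ""
    domain = _registrable(host)
    allowed_groups = SANCTIONED.get(domain) or SANCTIONED.get(host)
    if allowed_groups and ("*" in allowed_groups or group in allowed_groups):
        return Decision(user, host, "allow", "sanctioned service for this group")
    if domain in FILE_SYNC_SHARE:
        # Uploads to an unsanctioned sync service are blocked outright;
        # browsing only warns, so the user can be steered to the approved tool.
        if method in ("POST", "PUT"):
            return Decision(user, host, "block",
                            "upload to unsanctioned file-sync service")
        return Decision(user, host, "warn", "unsanctioned file-sync service")
    return Decision(user, host, "allow", "not a governed service")


def evaluate_log(text):
    """Run every non-empty log line through the policy."""
    decisions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, user, group, method, url = line.split(maxsplit=4)
        decisions.append(evaluate(user, group, method, url))
    return decisions


def summarize(decisions):
    """Count decisions per action, the figure a shadow-IT report would lead with."""
    counts = {"allow": 0, "warn": 0, "block": 0}
    for d in decisions:
        counts[d.action] += 1
    return counts


if __name__ == "__main__":
    for d in evaluate_log(SAMPLE_LOG):
        print(f"{d.action:5s} {d.user:6s} {d.host:28s} {d.reason}")
    print(summarize(evaluate_log(SAMPLE_LOG)))
```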
So people say it’s hot stuff. It’s still new, though. The Nemertes study — a small one, surveying 17 organizations — found that just 21% of respondents were using a CASB.
That’s probably not why you might not know what it is, though. The study found that just 41% of respondents have heard of cloud access security brokers, but 57% have plans to deploy the cloud security tool.
I’ll let Johnson deliver the punchline: “What that means is, some people are actually using it without knowing what it is, which is actually pretty funny.”
CASB might be an important piece of a cloud security initiative, she said, but it’s not a great catchword. “The folks that make these products and technologies might want to think about a different marketing acronym — I’m just saying.”
I’m not sure the spelled-out mouthful is much better. As for CASB, I think it works better as a magical creature from The Legend of Zelda.
When a California court issued an order to Apple to help the FBI break into the iPhone used by one of the perpetrators of the San Bernardino, Calif., massacre, Sen. Lindsey Graham (R-S.C.), a counterterrorism hawk who in December called on tech companies to stop selling devices that encrypt information, switched sides.
“I thought it was that simple,” Graham told Attorney General Loretta Lynch during a Senate hearing. “I was all with you until I actually started getting briefed by the people in the intel community.”
The public battle waged between the FBI and Apple put the spotlight on encryption and data privacy. According to Chris McClean, an analyst at Forrester Research, that’s a good thing. Now, ordinary people not only know what encryption is — many know enough to argue whether the government should be able to dismantle the technology during investigations. Informed citizens could, he said, push progress in the privacy debate faster than the government can.
The FBI dropped its case against Apple on Monday, saying it accessed the contents of the iPhone. But a larger discussion over privacy and encryption has just begun. Congress is making moves toward legislation that addresses the government’s investigation powers and citizens’ right to protect their information. Sen. Mark Warner (D-Va.) and Rep. Michael McCaul (R-Texas) are pushing for a commission to study digital security and privacy issues and then make recommendations to Congress. But, McClean said, it might not matter much.
He explained using a two-word phrase you may recall seeing plastered on news shows a few years ago: pink slime. That’s the unflattering nickname for processed beef used as a food additive in school lunches. (ABC News did a series on the stuff, and the rest is history.)
“This wasn’t the [U.S. Department of Agriculture] coming down on the manufacturer saying, ‘You can’t serve this to our children.’ They actually said, ‘We give this a thumbs-up,’” McClean said. “But once average citizens saw that, that went viral and they shut it down. Two or three of the companies that created that product were out of business within a couple of months.”
Customers and the privacy debate
McClean sees the same thing happening in the encryption and privacy debate. What happens if the feds petition other companies with people’s information in their databases for intel — cell phone providers, utility companies, makers of home-automation systems? Apple took on a powerful government agency. Will other businesses do that in the name of customers’ privacy?
They might, if customers expect it. Apple’s public opposition to the FBI may have given consumers the push they need to start asking tough questions of the companies that serve them. Once they start digging into privacy policies and asking how their data is being collected and how it’s being used, they may find practices they don’t like — and then voice their displeasure.
“Every company now is a data company,” McClean said. “Your grocery store, your hospital, your bank — they’re all data companies. It will be really interesting to see how much consumers are putting pressure on those types of companies to see whether or not they would stand up the same way Apple has.”
When the FBI dropped its court case against Apple — an order to the tech company to help break into an iPhone in the San Bernardino, Calif., murder case — it left behind unresolved data privacy issues concerning millions of mobile device users.
The bureau sought the help of a partner it did not identify to crack the encryption on the iPhone used by one of the two shooters, Syed Rizwan Farook, but how did it do what Apple, its maker, has said would be hard even for it?
Who’s got the goods
That’s one of many things we just don’t know, said Forrester Research analyst Chris McClean. For example, the hackers could have found a weak spot in an old device — the iPhone 5C used by Farook and owned by his employer, the San Bernardino county government — that Apple has fixed with updated security features.
Or it could have found something else.
“We may hear details later that there’s maybe something more fundamental as a flaw that allows people to break into iPhones, and Apple still doesn’t know what it is,” McClean said. “If there are details that come like that, there would be a larger concern for sure.”
One theory is the FBI can use the key on other phones in other investigations. But federal agents would have to have it in their possession before using it.
Unless the hackers “made a whole lot of money off it,” McClean said, they probably didn’t hand the decryption method over to the FBI. They might do better to sell it to someone else — say, another government.
“I think that there would be an enormous price that they could put on an exploit like that,” McClean said.
A closer look at data privacy issues
A second, longer-term issue pits the ability of government to do investigations against citizens’ right to protect their data.
Two Capitol Hill lawmakers, Sen. Mark Warner (D-Va.) and Rep. Michael McCaul (R-Texas), are trying to build a commission that would study digital security and make recommendations on how Congress should balance security and privacy issues. And a group of private-sector executives and former government officials is pushing for a separate initiative to address the matter, called The Digital Equilibrium Project.
That’s the right way to go, McClean said, as long as the members understand the technology they’re going to be examining. They can learn, he said, since the groups will include technology experts among their members, and other, outside experts can help them understand things like passwords and how encryption works.
But doing an extensive study of technology is a race against the clock. McClean fears that by the time any commission is done working, mobile devices will have biometric features — which identify authorized users by their physical characteristics — and stronger encryption, making them even harder to crack.
“So all of the technology issues that we may discuss over the next year may be moot before they finally come up with any kind of guidance,” he said.
But commissions can still do good on data privacy issues. They just need to be equipped with the right people asking the right questions, McClean said. They’ll have to discuss the various types of data that investigations might want to examine as well as the types of data that users of mobile devices have the right to keep private. They would also do well to look at aspects of European privacy law, such as the “right to be forgotten,” which creates a legal duty to destroy or hide information if requested. In Europe, people are considered the owners of their private information.
“I don’t think we have that kind of viewpoint in the U.S.,” McClean said. “Hopefully, we get enough experts that understand all of the ethical, legal, technology boundaries.”
Bill Michels, CEO and founder of Aripart Consulting, cautioned attendees at CPO Rising Summit in Boston on Tuesday that chief procurement officers (CPOs) have a very short window of time in which to make their mark at a company: The average tenure of a CPO, he said, is less than five years. And the terms of engagement are brutal: Corporate mandates to reduce costs in the supply chain set up procurement officers for failure since costs can’t be reduced year over year indefinitely without a breakthrough change, which is hard to achieve.
The problem, he said, stems from the need to ensure that supplier margins are sustainable over the long term. “You don’t want to run the supplier out of business. We want suppliers to reinvest in the business and innovate, continue to give us improvements year over year and we need them to be healthy to be able to do it,” Michels said.
But, he said, CPOs still need to reduce costs. “Here’s where you’re most vulnerable as a CPO,” he said. “Unless you can come up with ways to come up with innovation, breakthrough, change the specs, change something, you’re not going to do it.”
By the third year of a CPO’s tenure, “if you haven’t changed out your team, your process or the way you’re going about it, or educated management on the value [of the procurement team], you’re in a danger zone,” Michels said.
Value can be demonstrated by protecting the supply chain as a whole and supporting business imperatives to make more money. One example: A biotech company that Michels worked with was less concerned about cost reduction and more concerned about making sure that its supply chain continued to function.
“[Management said], ‘Build me a risk management system that works,’” Michels said. “They built a predictive model of all their suppliers and their supply chain. They identified which suppliers were going [to fail].” As a result of that analysis, the biotech company’s board of directors made a decision to spend $100 million to protect its supply chain, since that supply chain was feeding a $7 billion business. That decision obviously resulted in money being spent rather than saved, but because the expenditure protected the company’s ability to continue making money, the board of directors quickly approved of the expense.
Michels predicts that value will trump price in the future. Citing a 2014 study from the Institute for Supply Management, he said that CEOs are looking for CPOs who can deliver shareholder value, integrate the company’s supply chain, capture innovation and speed the process of getting products to market. CPOs who focus on cost reduction at the expense of these other key requirements will be the first ones looking for a new job.
Beyond the need to deliver value to the company rather than simply cutting costs, chief procurement officers also need to prepare for digital disruption. Michels told the story of a client of his who’d envisioned using artificial intelligence to identify suppliers around the globe, help produce RFIs and RFPs, and then make sourcing recommendations. He said that much to his surprise he learned that there’s a project underway at Stanford University to deliver such a capability through artificial intelligence.
He also suggested that the Internet of Things will have a major impact on the supply chain. “We’re going to have connected suppliers who are going to be able to transfer demand all the way through the supply chain automatically, and we’re going to wind up having perfect inventories and perfect solutions. I think the IoT is going to change your life,” he said.
Apple won’t be forced to build new software that would let the FBI into the iPhone used by one of the shooters in the San Bernardino, Calif., attacks. The bureau withdrew its legal action against the tech company Monday, and the FBI-Apple case is closed — for now.
Here’s a possible future chain of events: Apple will patch any vulnerabilities that allowed the unnamed “third party” helping the FBI access encrypted data on the phone, the FBI will be locked out of another iPhone in another investigation — and the feds will be back in court demanding that Apple help it break into the device.
A win for the feds would send chills down George Do’s spine. The CISO for Equinix, a Silicon Valley provider of data center space, said that if Apple is forced to comply with the order, it would set a “dangerous precedent” — his words as well as Apple’s — that would alter how companies do everything from plotting security strategies to just doing business. (Do spoke to me before the FBI-Apple case was dropped.)
“It would turn our whole world upside down,” Do said. “Depending on where this falls, it has the potential to change things very fundamentally.”
In the FBI-Apple case, the bureau said the software — essentially a new version of the iOS operating system — could be made for just the one phone, and then Apple could discard it. But CEO Tim Cook has maintained there would be nothing stopping the government from demanding that Apple unlock other devices as well.
If law enforcement agencies have that kind of power, companies that make, say, security software or mobile devices will have to change the way they build their products. Encryption, no matter how strong, will no longer be the best way to keep data from prying eyes, Do said.
“They’ll have to find ways around those challenges to manage risk — and that’s going to be hard,” he said.
Consumers of that software, like Equinix, would be affected, too, Do said. Encrypted security tools may no longer be the go-to software for infosec teams. It may also force them to make tactical shopping choices — especially if a certain software or hardware company is known to be in the government’s line of sight.
“Maybe we choose the company that’s less on the radar than a big, giant Apple, right?”
If a cyberattack extinguished the power to the electrical grid in Wisconsin, leading to a prolonged blackout, Maj. Gen. Donald Dunbar would have a lot of work to do. He’d have to turn the wheels of the state’s cybersecurity response strategy. He’d have to mobilize the National Guard he commands to help utility companies quickly get the power back on and emergency teams get to people who need immediate assistance.
Before he could do any of that in the hypothetical future, though, he needs to ensure that there’s communication and cooperation among public and private sectors in the state.
“Because I don’t pretend for a second that the state of Wisconsin or the National Guard is going to come riding in on a white horse in a cyber-event and save the day,” said Dunbar, who is the senior adviser to the Wisconsin government on cybersecurity matters. He spoke to an audience of business and IT executives at the recent Fusion 2016 CEO-CIO Symposium in the state’s capital, Madison. “We all have personal responsibility; we have corporate responsibility when it comes to cyber.”
The U.S. runs on private industry, Dunbar said, and to get it running again after a power grid failure, corporations need to work with the state government on disaster recovery preparations.
Public and private sectors, activate
The first thing companies need to do is tell the government whether they would need help in case of a power-crippling cyberattack, Dunbar said. The banking industry, for instance, invests heavily in cybersecurity and wouldn’t need much assistance from the National Guard. “It’s not on my radar screen.”
Many other businesses, communities and infrastructures are in the state’s line of sight, but the people in charge of them need to speak up so Dunbar knows what resources should go where. He said the state is now in talks with grocery store chains about their power-generation or backup capabilities. The National Guard may be able to ensure delivery of generators in populated areas to “get the power on and keep people fed in the community while the broader recovery happens.”
It’s a challenge to figure out the right chemistry of government and private sector involvement, Dunbar said. And there’s no finish line. He contrasted his present mission of ensuring readiness in the face of constant cybersecurity threats with flying in his early days in the military.
“You put the airplane in the hangar, you’re done. Well, there’s no getting done here,” he said. “It’s 2016. Long after we have departed this earth, this will be a problem for the people on the planet.”
Patrick Schiffman agreed that businesses and government need to team up and develop ways to respond to a widespread failure of the power grid. He’s IT manager at Nord Gear Corp., which produces motors and industrial components used in everything from conveyor belts to Ferris wheels. Together, he speculated, the public and private sectors could come up with creative strategies. Perhaps the government could give companies subsidies to build solar facilities; that way, they could operate without special assistance during a power outage. Or maybe the transportation industry could help the government get supplies to needed locations.
“It’s good that the discussion is happening versus, ‘Oh, we’ll be OK. We’ll figure it out when it happens.’ That’s not the answer,” Schiffman said.
Meantime, Nord Gear is making its own preparations for unforeseen events. The company is working to implement a cloud-based disaster recovery system, Schiffman said, “that will take our infrastructure, resources, our processes and be able to relocate them so we have business continuity of people, places and things.” The company has six locations in North and South America.
“We’re assuming not all of them are affected at the same time because if they are, I’m not caring about the company anymore, right? There’s a bigger disaster that’s out there.”