As director of information security at Western Union, in charge of emerging technology and cloud security, David Levin has a deep appreciation of the risks attendant to cloud applications. He also recognizes that workers are under tremendous pressure to deliver results, and if a cloud application helps get the job done, they don’t hesitate to deploy it. The security organization at Western Union, headed by CISO Mike Kalac, didn’t want to play the heavy when it came to the cloud computing habits of the company’s 9,000-plus employees. “We understand that people want to get access to certain information to do their jobs,” Levin said. The challenge was how to help business users take advantage of the cloud without putting the wire transfer giant at undue risk.
First steps: cloud discovery
To get the word out to departments that Infosec was prepared to help the business leverage cloud services, the security team created the WISE program — Western Union Information Security Enablement. “The program is geared toward implementing solutions that make people’s lives better and more productive,” Levin said — in a wise, not reckless, manner. That required ferreting out the cloud applications that could potentially put Western Union at risk. “Part of the WISE program was to identify what cloud applications people were using and how they were sharing Western Union data.”
To that end, he turned to Skyhigh Networks, one of a new crop of cloud-based security and analytics startups. These tools help companies discover and monitor internal usage of cloud services (sanctioned and unsanctioned), assess the risks posed by the cloud services, and enforce policies that mitigate the risks. Rather than simply blocking usage, however, corporate enforcers — in this case, the security team working closely with Western Union IT — use the security tool to assess safer, (and here’s the hard part) equally effective alternatives for users.
Use case: MFT
Levin declined to specify how many rogue cloud applications the Skyhigh tool discovered, except to say that it was in line with the vendor’s widely publicized number (700 to 800 on average for enterprises). The first rogue cloud service Levin’s team tackled was managed file transfer— or rather, unmanaged file transfer. The number of vendors out there providing this service was “shocking,” he said. As the Skyhigh tool showed, many of those software as a service vendors operate with no terms and conditions and have data centers in countries that pose a security risk. Levin leaned on IT to help find and test an application that was as painless to use as, for example, a Dropbox, and that integrated well with other enterprise applications; security ultimately chose Accellion as its file-sharing platform and identity and access management vendor Okta for a single sign-on solution that gave users access to all corporate-sanctioned cloud applications.
“We didn’t make it challenging for them; we gave them solutions we really thought were next-generation and they took to that,” Levin said. “In a few months, we had several thousand users using it.”
IT roadmap: room for improvement
The Accellion platform, combined with the Okta interface, had another positive effect, besides more secure file transfer. “People don’t have to call the help desk and ask, ‘How do I send a file that is bigger than such-and-such?’” Levin said, referring to those employees who were not sidestepping IT.
Skyhigh’s ability to identify risky rogue cloud applications has also given security and IT a roadmap for improvement.
“We have learned how most of the organization is using infrastructure as a service, where they are leveraging some of the collaboration suites and project management [platforms]. These are all areas where, if we could do a better job of supplying them with next-generation technologies, they wouldn’t have to go out and find something else,” Levin said.
In addition to using the analytics tool to ferret out and assess shadow IT, the security team is using the tool to help vet its current vendor contracts, Levin said, including whether certifications are up to date and service levels are being met. “Some of that data feeds into our risk management program, which is world class, and then we don’t have to send them a 20-page questionnaire because we already have the information.”
Next-gen security tools
The data analysis delivered by the tools also helps with building a case for next-generation security tools, Levin said. Western Union suffered a breach in 2007 and again in 2013 when its website was down for maintenance. After each incident security gained “visibility at the board level,” Levin said, and his team has a seat at the table when the lines of business make important decisions that involve information technology. “We try to embed ourselves from the beginning whenever possible, so that when decisions are made, we are guiding the along.”
That said, the security threat keeps growing, fueled in part by the employees’ need to use whatever technology they can to get the job done faster. Plus today’s malware is “very effective, and it is evading a lot of older technologies,” he said.
“Five years ago, it was all about prevention,” he said, “Now the new security tools are moving more toward better reactive systems, because there is no silver bullet; you just have to be well prepared.”
Do you know why Germany won the 2014 World Cup?
According to Qazar Hassonjee, VP of Innovation at Adidas Wearable Sports, the victory is due in part to Adidas’ miCoach Elite Team System.
The miCoach Elite Team System is an ecosystem of various technologies that includes a smart shirt with sensors, a heart rate monitor, GPS, speed cell, a smart ball and more. These devices collect and analyze data about players and the team, allowing coaches to see where their players are on the field, who may be tired and need a rest, who could push it harder, and how training is affecting their players’ bodies.
In order to win, Hassonjee said, it’s not about training harder or longer or faster or stronger anymore. It’s about understanding players’ strengths and weaknesses and tailoring game day strategy to those data points.
But, as Hassonjee said during his presentation at this summer’s Gartner’s Catalyst Conference, before any of that could happen, he and his team at Adidas Wearables first needed to understand the needs of soccer coaches and their players. And the needs were seemingly endless, from obvious conundrums such as how to gauge fatigue to more arcane questions.
“Some of it was like ‘I want to increase the length of athletes’ career’ right? Or ‘I want to bring a rookie in and bring them up to speed much faster,’ right? Or ‘I want to prevent injury’,” Hassonjee said. “So there are a lot of different applications.”
Right. But ultimately everyone wanted to win more games. So the next step for Hassonjee’s team was to probe, “What does winning a game mean?” he said.
In order to figure out the answer to that question, Hassonjee said the back and forth with coaches and teams was essential.
“There was this iterative process in understanding what they really want,” he said. Hassonjee and his team would create a prototype, bring it to the teams to use, receive feedback, and then tweak the product.
One concern many players and coaches had was that the miCoach system would just dump more data on them, causing them to spend precious time figuring out what the data was saying instead of training their teams.
“In each and every case, nobody wanted to make their life more complicated,” Hassonjee said. It was up to Hassonjee and his team to create a system that devised a way to break down the data so that the coaches would be able to understand it right away. “You’re delivering the insight, not the data. Nobody wants more data.”
How exactly the Adidas Wearbles team uncovered those insights is another story.
So how did Germany win the World Cup?
“It’s not about how hard you train, it’s about how smart you train. How do you do that? You do that by bringing a whole suite of systems together where you’ve got things that capture data,” Hassonjee said. “You have the analysis of the data, you’ve got the insights of the data.” Right.
Let us know what you think about the story; email Kristen Lee, features writer, or find her on Twitter @Kristen_Lee_34.
What is there for CIOs to learn from the hack of the celebrity nude selfies and the global exposure of these private naked images? I wish I knew. In this week’s Searchlight news roundup, Associate Site Editor Francesca Sales interviews one business expert who advises CIOs and their companies to strike while public outrage is high (if not universal). They should use this media moment to shake up a cloud culture that puts expediency before data security.
That means putting pressure on Apple and other cloud companies to do a better job of protecting customer data. “It will take companies, especially the bigger ones that have large purchasing power, to say, ‘If you don’t get this fixed, we will not use your products and services,'” Kevin Paul Scott told Sales. Who knows? The ugly publicity around this ugly event might actually put some teeth into the threat of a boycott.
The celebrity nude selfie hack also offers CIOs a not-to-be-squandered opportunity to sell employees on the value of information security, Scott said. “When you’re casting vision internally,” he advises, “you have to connect things that you’re asking employees to do with something bigger.” (What could be bigger than, oh never mind.) The incident is without question an object lesson in the value of making up better passwords. And, now it’s not just the old CI-“No” saying so but the likes of Jennifer Lawrence wishing so. Data privacy takes vigilance in the digital age. Between the data we generate and the eyes this data is intended for is the world wide web. That goes for both intimate photos and sensitive corporate data.
So there you have two teachable moments to come out of this online exploitation. Heck, I’d suggest there’s even a third corporate campaign worth waging. If the multi-million dollar business of stealing, trading and selling intimate celebrity digital images tells us nothing else, it’s that certain kinds of digital information are extremely valuable — e.g. images of the beautiful bodies of famous females. It is the responsibility of CIOs and the other chiefs in charge — and their boards of directors — to make it explicit to their employees which types of corporate information are extremely valuable (or embarrassing if leaked), as well as to take the time to spell out the precautions required to protect that information. (Read our stories on the fledgling field of Infonomics — the economics of information — here and here for more on valuing information.)
To be honest, however, I suspect the significance of this high profile breach for CIOs and for their businesses may turn out to be less about “cloud culture” than it is about culture, period. In particular, the incident indicates the complex relationship a younger demographic, my adult children included, has with technology — a nuanced relationship that most of us non-digital natives can’t begin to understand.
The actors involved in this high-profile breach point up just how confusing and mysterious this relationship is. They understand of course that their physical embodiment is a big part of their worth — a commodity to be showcased in performances, exhibited on Red Carpets, used in ads to push products. Professionals who make a living by how they look know that the minute people stop looking at them their careers are over. But why spend your off time capturing even more images of yourself?
Perhaps for them, the physical and digital commodity exhibited in public — sometimes completely naked — is a public self that is less about them as a person than the private self exposed in the virtual images they choose to capture by their phones. And if so, is that true for all the people in this age demographic who take intimate virtual selfies and also store intimate details of their views and life histories in the cloud?
As I said, I wish I knew how to parse this new technology-driven public/private divide. And I’m betting the oldsters running companies these days wish they knew too.
Have you joined the wearables race yet? If you’re a CIO and you haven’t yet, you might want to get on it. Apple, Nike, Ralph Lauren, Under Armour, LG, and Samsung certainly have.
CIOs should be jumping on board too. And Gartner’s prediction that wearable devices will be a $10 billion dollar market by 2016 only backs that point up, Associate Site Editor Fran Sales reports.
Scot Koegler, an independent tech writer, said in a blog post: “There are initiatives that companies need to consider as they prepare for the wearable onslaught — whether that means proactively planning for their integration in organizational practices or actively restricting their use (at least for the time being).”
But, don’t go it alone, Sales said. She adds that the business needs you and you need the business when it comes to figuring out this next wave of mobile technology in the workplace. So be ever-present at the IoT table.
In other news, there’s been another high profile hack. Didn’t I tell you hackers are persistent? This time, it’s JP Morgan and other US banks who have taken the hit and many suspect the Russians. The FBI is on the case. Also, Jawbone’s UP fitness trackers picked up on the recent 6.0 magnitude quake that hit Napa and showed how the quake affected UP users’ sleep patterns; plus, Dropbox and other online storage sites are scrambling to change their business models as rivals like Google and Amazon drive their costs down and ever closer to zero. That, and more in this week’s Searchlight.
If you want to know what the next few years will bring in mobile computing, look to the Vatican, Alan Murray said to a roomful of Boston techies. Up on the screen was an image of St. Peter’s Square during the inauguration of Pope Benedict XVI in 2005, packed with people. Eight years later at the inauguration of Pope Francis, the same scene is emblazoned by mobile devices held overhead to record the event — a testament to the rapid and widespread adoption of mobile technology, if nothing else.
“By the year 2020, almost all of your revenue will come from a product that doesn’t exist now,” Murray boldly predicted. “Mobile is becoming transformative for most people and the way people do business.”
Murray, who heads up the product roadmap at Apperian, a mobile application management vendor, knows how to make an impression. A picture is worth 1000 words; so is a good sound bite. He was speaking at this summer’s Mass TLC Mobile Summit, along with the Jim Whalen, the longtime CIO at Boston Properties, the REIT founded by mogul Mort Zuckerman.
The topic of the session was “Developing an enterprise mobile strategy to deliver innovation and accelerate opportunity.” And the high-level message from both Whalen and Murray was pretty straightforward: Figure out mobile economics now or risk being harmed by a competitor that has.
Murray didn’t just mouth off about mobile disruption. Like the excellent salesman he no doubt is, he came armed with examples of companies that are essentially disrupting their own business models by exploring how they can exploit mobile computing. For example:
- Netflix clawed its way back from near-extinction in its DVD-only days by “embracing new surfaces” compatible with mobile computing, namely streaming; it’s also creating digital content to build customer loyalty and as a hedge against rising licensing fees. (PS: IMHO, the fact that Netflix was shut out of last night’s Emmys doesn’t mean TV and cable don’t view the online model as a threat.)
- Barclays Plc, the British multinational banking and finance company, has taken the radical step of not offering a corporate email address to any employees under the age of 24, unless they request one. The fact that those employees may all end up asking for email accounts doesn’t matter, according to Murray. “They’ve done it to force themselves to think about new ways to engage in a post-email world,” he said.
- Cisco rolled out a mobile app that shortened its sales approval cycle from days to hours.
Whether Cisco’s mobilized sales approval process actually improves the velocity of sales; or streaming content turns Netflix into an entertainment powerhouse; or a no-email policy ingratiates Barclays to millenials, of course, is another matter. At least the business process is not the rate limiter.
Mobile technology trumps human touch
Probably the most vivid example Murray gave was about the skincare brand Clinique, which got a nearly instantaneous benefit from using mobile to disrupt its business model. As its name suggests, the brand, which is owned by Estee Lauder, trades on the notion that its products are therapeutic. The white lab coat worn by the sales people behind its store counters reinforces the brand identity.
The shtick, however, was not playing well with the digital natives, so (with the help of Apperian, naturally) Clinique developed a point-of-sale app called Blue Ocean that interacts with customers by initially asking them to take a survey related to skincare. As the customer answers questions about her skin type and skin care regimen, the back end maps to relevant Clinique products. At the end of the survey, which takes about 90 seconds, the app makes some recommendations on what products to buy.
“Turns out, people buy three times as much product from an iPad as they do from a person,” Murray said.
Technology trumps the human touch? I can understand that. It’s natural to feel the salesperson behind the counter has ulterior motives for recommending certain products. Or maybe we lied to the salesperson, so in turn know that any advice we get is suspect. That the iPad sells more than the human being behind the counter just shows how much we’ve come to trust technology, at least for now.
“Clinique hasn’t gotten everyone in the world to buy through iPads, but it has seen an increase in counter revenue of about 30% and this year rolled out 17,000 iPads across 1300 locations,” Murray said.
Clinique’s counter-side iPad is not just keeping its salespeople busy ringing up orders; IT had to put in a brand new content management system to handle the app on the back-end.
Email me at Linda Tucci, executive editor, or find me on Twitter at @ltucci.
I’m about to tell you something you’ve probably heard over and over: addressing a security breach right away is the best way to mitigate the threat.
Why am I telling you this? Because Heartbleed has struck again. This time stealing 4.5 million patients’ personal data including names, birth dates, and social security numbers from Community Health Systems (CHS), a Tennessee health network.
And CHS is not alone. UPS has reported that their customer’s credit and debit data may have been stolen at 51 of its franchises, with malware being uncovered in the registers at those locations.
Despite the great strides in security and improved defenses, there are still gaps in many organizations’ security systems, Associate Site Editor Fran Sales reports.
Constant vigilance is key, especially since it’s clear hackers are persistent and won’t be letting up anytime soon.
In other news, Microsoft’s former CEO Steve Ballmer is stepping down from its board citing his purchase of the LA Clippers as his motive; many Twitter users are unenthused by the companies experiment of injecting tweets into their timelines from users they don’t follow but are deemed “popular or relevant”; Facebook is taking a stand against fake-news by labeling parody news sites such as the Onion and The Daily Currant so there is no confusion — and more in this week’s Searchlight.
I’m going to go out on a limb here and say nobody likes to be unknowingly spied on. So when Edward Snowden broke the news that the National Security Agency was looking at and collecting people’s private information, the public at large was not happy. But data privacy is an issue that poses a particularly sticky challenge for CIOs.
As CTO Niel Nickolaisen asks in his piece on the digital footprint and whether it’s a boon or bane to business, “How do we each manage the two sides of digital tracking? Do we prefer privacy over the clear economic value of customer intimacy?”
It seems some vendors like SpiderOak, a service that allows users to privately store, sync and share their files, are coming down on the side of protecting customer data. The service encrypts stored information, Associate Site Editor Fran Sales reports in this week’s Searchlight column, and even unleashes a “warrant canary” to subtly notify users that the government has come calling for their info.
For CIOs, however, the decision not to mine customer data is not always so easy: As Sales notes, CIOs are often asked to take their customer’s data and turn that into new revenue streams. But Nickolaisen also predicts there will be regulations in the future that may force companies to choose privacy over profit; as such, he encourages CIOs to start experimenting with potential solutions.
In other news: Cisco plans to cut 6,000 jobs, Google released a diversity report that showed, not so surprisingly, that its workforce (particularly its tech sector) is overwhelmingly white and male, and more in this week’s Searchlight.
I’m here at the Gartner Catalyst Conference in sunny San Diego, where people from all walks of business have gathered to discuss pertinent issues in business and technology today. With hundreds of sessions on a wide range of topics, by the end of the day you’re likely to collapse into bed with new facts and strategies swirling in your head — this is certainly the case for me.
But one session in particular stood out to me from the conference’s first day: the story of McGraw Hill Financial — a leader in credit ratings, benchmarks and analytics for the global capital and commodity markets — and its hybrid cloud journey.
Srinivas Sarathy, an enterprise infrastructure architect at McGraw Hill Financial, took the audience through the company’s whole process: why it decided to go to the hybrid cloud, the tradeoffs, the challenges and the lessons learned.
“Delivering applications in an agile fashion is paramount to us being competitive in … our marketplace,” Sarathy said.
McGraw Hill has 17,000 employees spread across 29 different countries, and 40% of its revenue is generated through global markets. “So one of the benefits of cloud computing for us is to reach various locations without having to make a large upfront investment into infrastructure and data center facilities,” Sarathy said, adding that no one cloud is right for McGraw Hill and that’s why it went for a hybrid approach.
Here are more of McGraw Hill’s lessons learned from its hybrid cloud journey:
Consider cost, but still choose a capable provider
When moving to the cloud, cost tends to be at the forefront for business decision makers.
Software can be incredibly expensive, Sarathy said. “And when you’re talking about deploying it across the scale that I mentioned, it’s a multimillion-dollar investment, and you’re not even sure what’s going to happen two years from now — things may change. So it’s unfortunately a part that requires some tradeoffs, some compromises. The question is, what is the least amount of compromise that you can make in this journey?”
For McGraw Hill, having a well-thought-out sourcing strategy saved them a lot of time and money, and that started with choosing the right sourcing provider.
“You have to ensure that your sourcing provider has the capability,” Sarathy warned. “There are a lot of companies that are masquerading as having the capability, but sometimes that’s not necessarily true.”
Determine your outsourced vs. in-house needs for data support
Another challenge McGraw Hill faced once it moved to the cloud was data support. Once you outsource to the cloud, who is going to support it? Should you outsource support or build support skills in-house?
“What we found was the answer is a combination of a couple of things,” Sarathy said. “Certain capabilities such as architecture, code automation… some of those skills are skills that you do want to have in-house. Those are high value skill sets. And then obviously you need the skill and the specialization in terms of regular data support.”
Establish a cross-functional governance team
Companies tackling a hybrid cloud should make sure the CIO, security team, networking team and developer team are all part of the governance process, Sarathy advised.
“We ensure that they are part of these decisions so that these are choices that they are making for the company, as opposed to central IT imposing these decisions on them,” Sarathy said. “That governance process is key, because you want your application team to come along for the journey. Without all business units being part of this, you just don’t have the scale to justify the investments.”
Do your due diligence in choosing your CMP
Put in the necessary time to carefully choose a cloud management platform (CMP), Sarathy said.
“My advice would be to not necessarily think that one CMP will [take care of all your needs],” Sarathy said. “Invest in another CMP, probably a low-cost, open source software such as OpenStack, and experiment with that and accept the fact that the marketplace will change. So let’s not try to make a decision that has a long-term consequence.”
Pay heed to execution, talent and communication
What’s the most important aspect of strategy? Sarathy asked his company’s strategy leader that question. His answer?
“He said, ‘The most important thing about strategy is not the strategy, it is the etcetera.’ I said, ‘What is the etcetera?’ He said, ‘E.T.C.: execution, talent and communication.’ And it was a surprisingly humble answer to what I thought would be a very complex, sophisticated answer,” Sarathy said.
ETC is important because it’s only a matter of time before the executives ask you what you have delivered as a result of this large cloud investment, Sarathy said — how well you accomplished your goals, the resources you used and how you explained your wins (and losses).
Develop horizontal skill sets
When McGraw Hill began using Amazon Web Services, it didn’t have an AWS operations team in place in terms of server, database and regular support teams.
“So we worked … to form a team that was trained to support AWS,” Sarathy said. “That meant that we had to have people with multiple skill sets. Our server admin had to know a little bit about middleware, and the database guy had to know a little bit about storage, because in AWS you need the horizontal skill set more than the vertical skill set.”
And by horizontal skills, Sarathy means there is heightened value in areas such as software development where employees most likely will be asked to learn and acquire multiple skills.
“We are now truly a broker,” Sarathy said. “Our job is to broker services and marry the right solutions to the right business need.”
Could you be using the recent Russian hack to your advantage? If you’re a CIO, the answer is yes, according to Ronald Breaux, head of the privacy and data security Group at Hayes and Boone, an international law firm.
Associate Site Editor Fran Sales talked with Breaux about the massive theft and what it means for CIOs in this week’s Searchlight. Breaux’s advice is to strike while the iron is hot, so to speak, and use the theft as yet another lever to reinforce security compliance and to get the security budget required for today’s cyberthreat environment. Find his recommendations for upgrading your security protocols in Fran’s column.
In other news of note this week: the C-suite shakeup in the wake of Walgreens’ $15 billion merger with Swiss-based Alliance Boots, airline cyber-attacks and Google’s purchase of the smart messaging app Emu — in this week’s Searchlight.
If you’re a CIO who takes offense when someone questions your IT security program, it may be time to get out of your own way for the sake of your company. That’s the provocative view of Kevin Beaver, an information security consultant — floated in this week’s Searchlight news roundup by Associate Site Editor Fran Sales.
“The interesting thing, to me, that rarely comes up in these discussions is how the CIO can actually be part of the security problem. Not many, but quite a few CIOs view security as a threat to their jobs,” said Beaver. “If you point out security risks, then you’re pointing out their shortcomings.”
But, as Sales gently admonishes, this is no time for protecting egos or turning a blind eye to security. Guarding a company’s information assets will require the attention of everyone in the enterprise from the top down, as a new report published by the Department of Homeland Security makes clear.
Released this week, the report reveals that attackers use brute-force cracking to log into remote desktop solutions. Once they gain access, hackers deploy Backoff, a family of malware capable of memory scraping, keylogging, and command-and-control communication and injecting malicious stubs. With malware like Backoff to contend with, companies need a multilayered approach to security — and a lot of human vigilance. The column also includes the report’s tips for improving security.
In other news, Facebook is giving its mobile messaging user the next few days to download its dedicated Messaging app, Singapore has managed to integrate NSA’s mass surveillance and data mining into their society without laws getting in the way (hmmm!), and much more in this week’s Searchlight.