One of the questions Stuart Madnick will ask of a panel of CIOs at the upcoming MIT Sloan CIO Symposium is who the company’s CISO should report to. Madnick, a professor of information technologies at MIT Sloan, is interested in the organizational and managerial factors that give rise to cyber break-ins, including the role CISOs and CIOs play in security.
MIT Sloan research shows that while CISO reporting structures “are all over the place,” with security officers reporting to CIOs, CFOs, chief risk officers and directly to the CEO, one trend seems firmly fixed: more board interest in cybersecurity.
“I’ll give you a quote I had from a CISO recently. He said that in the previous 10 years, he had met with his company’s board of directors once. In the past year, he’s had three briefings with the board,” Madnick said. “We’re actually seeing in a few cases where the CISO reports directly to the board.”
MIT Sloan research: TJX Cos.
The fact that boards are focusing on cybersecurity roles and relationships is a positive sign. Madnick, who is also the director of the MIT Interdisciplinary Consortium for Improving Critical Infrastructure Cybersecurity (IC)3, believes that companies — and federal government security programs — pay too little attention to the organizational structures and incentives that make companies vulnerable to cyber attacks.
“I’ll give you just one quick example,” Madnick said. “We did a detailed analysis of the TJX break-in, which was at that time the largest credit card break-in in 2005.” His group compared its analysis with analysis coming out of the FTC and other investigations and “found all kinds of issues in the organization that had not been covered.”
“There was an email from the CIO of TJX to his staff. And the email said something to the effect that, ‘We are currently not PCI [Payment Card Industry Data Security Standard] compliant. It will take quite a bit of effort and cost to do so. This is now November. We’re entering into our Christmas rush. This has been a tough year financially. Don’t you all think it would be fine if we deferred becoming PCI-compliant until next year?’” Madnick recounted, referring to an email sent by then-CIO Paul Butka in 2005.
“This is called an email where the answer is embedded in the question. It may shock you to realize that almost no one on the staff saw any problem with doing that,” Madnick said.
Disclaimer: The information in this blog post is for general-information purposes only. Any reliance you place on such information is strictly at your own risk.
Did you just wish I were wherever you are so you could sock me? Or perhaps you covered your ears and yelled, “Nah-nah-nah-nah-nah!”
I can’t blame you. Legal disclaimers aren’t fun to read: They’re typically solid bricks of gray text, and the sentences are stuffed with so many legal abstractions that it’s hard to connect subject and predicate.
He was at the recent Fusion 2016 CEO-CIO Symposium in Madison, Wis., to talk to business and technology leaders about the legal questions raised by the network of connected devices known as the Internet of Things: Who owns and controls the data? Who’s responsible for the security of customer information? What happens if the code in a device hooked up to the Internet is defective and harms someone?
Organizations don’t want to go to court to find out the answers, so they have a lot to think about before plugging into this emerging technology, including the use of time-tested tools.
Disclaimers set boundaries around the rights that parties, specifically your customers, can exercise to take you to court. Lawyers, of course, know how to use them. At Foley’s talk, an audience member said his company has a disclaimer on a map application for mobile devices. He wanted to know how effective disclaimers are. Foley said, “Can I begin with a disclaimer? I’m not your lawyer.”
The audience chuckled, and then listened for the real answer. Legal disclaimers are “important from a legal perspective to protect yourself,” Foley said. But — and it’s a big but — they have little effect on their main audience: customers.
“Because they don’t, or they don’t care to, absorb it, or they don’t understand it, or they’ve seen it so many times that it goes right past. It’s unconscious to them now,” he said.
Ironclad? No. Necessary as businesses increasingly turn to digital business models? Yes.
Perhaps echoing the legal uncertainty in an uncharted technology terrain like the Internet of Things, Foley asked an open question to the audience.
“Has anyone successfully sued an apps services company — Google or iPhone — for driving somebody off a cliff?”
The answer that came back to him was, “I haven’t seen anybody succeed.”
Not yet, anyway.
Who says working in an IT department can’t be like vacationing on a cruise ship?
Along with ridding the office of seven-foot high cubicles and assigned desks, one of the experimental policies Michael McKiernan, vice president of business technology at Citrix Systems Inc., introduced during a workplace redesign was beach toweling.
“It’s similar to a policy you see at a hotel or on a cruise line,” he said at the Fusion CEO-CIO Symposium in March. But it’s not exactly a vacation policy you’re likely to write home about. On most cruise ships, guests who leave towels or books behind in an attempt to reserve a deck chair are given a time limit to return before those items are removed and the chair is made available to another guest.
The same goes for Citrix employees who work in offices where the beach-toweling policy is in effect: If employees leave a desk unoccupied for more than two hours, they are to take everything with them. Otherwise, “you’re taking that resource out of the common pool so that it can’t be leveraged by others,” McKiernan said.
Beach-toweling police: 120-minute egg timers
As with the major cruise lines, enforcement measures also needed to be introduced for the policy to work. On a cruise ship, reserved deck chairs are sometimes tagged by a cruise ship employee; if a guest doesn’t come back within the allotted time, the items are removed. At Citrix, McKiernan introduced 120-minute egg timers. Employees can grab one, wind it up and place it on a desk to signal when someone’s not following the beach-toweling rule.
“It’s not punitive in terms of [we’re going to] take your stuff and throw it in the garbage,” McKiernan said. “But it’s a carrot and stick. We use a little bit of shame with people.” Plus, it’s a way of introducing beach toweling to workers who aren’t steeped in the Citrix culture, such as third-party contractors.
Will beach toweling stick? Only time will tell. At Citrix, McKiernan has taken an almost Agile approach to introducing new workplace redesign measures, so that a policy like beach toweling is often referred to as a prototype and not a finished product. That leaves the door open to tweak and change the policy to reflect the office culture. “We’ve had many different failures,” he said. But learning from those failures, admitting when policies don’t work and changing them so that they do is an important part of the redesign process, he said.
Plus, McKiernan said, what works in California may not work in, say, France or Germany. An iterative approach allows for workplace redesign policies to remain flexible.
The CIO-CFO relationship, as noted here over the years, has a built-in tension. As the senior executives responsible for company finances, CFOs must keep a close eye on expenses, especially those that are large and promise no short-term payback, as is often the case with IT investments. For CIOs charged with using IT as a strategic force, the CFO’s focus on cost and ROI can seem shortsighted, or worse, like a brake on the company’s ability to compete. In this guest post, Mike Sheldon, president and CEO of Curvature, an IT infrastructure and services provider headquartered in Santa Barbara, Calif., offers his perspective on why a strong CIO-CFO partnership is so important now and lays out five ways to build a working relationship that will serve the business well.
Five tips for forging better CIO-CFO partnerships
by Mike Sheldon
CFOs are teaming more with CIOs, according to a recent EY survey on the CIO-CFO relationship. More than 60% of the nearly 700 financial leaders surveyed said they’ve been collaborating more with their CIOs in the last three years, while more than 70% also reported having greater involvement in the IT agenda. As companies continue to transform their businesses to meet an ever-changing digital economy, it’s crucial to nurture strong CIO-CFO relationships. Here are five tips for how CIOs can forge more mutually beneficial IT-finance partnerships.
1. Speak the same language
Typically, CIOs don’t understand finance while CFOs don’t understand technology. Sure, that’s painting the CIO-CFO portrait in broad brushstrokes, but this is one of the biggest barriers to getting CIOs and CFOs on the same page. Both IT and finance need to develop a greater understanding and deeper appreciation for the pressures they face individually and collectively. Technology is changing and growing faster than ever, so it’s nearly impossible for CIOs to know every nuance and tech breakthrough. Likewise, CFOs face more intense scrutiny than ever to forecast wisely and budget judiciously. Sharing challenges — and gaining insight into each other’s worlds — is a great way to form a meaningful collaboration.
2. Use the tools of the trade.
Traditional CIO-CFO relationships are based on the CFO coming up with a budgetary number for the technology spend and CIOs then doing the best/most with what they are given. But what if IT took a page from finance and built a five-year technology roadmap using the tools CFOs use in their financial planning & analysis (FP&A)? Finance has the methodology and FP&A tools to bring substantial insight and discipline to strategic technology planning. This goes beyond equipment refresh and upgrade plans to development of full lifecycle management strategies that can lead to major savings for IT and finance.
3. Capex and Opex decisions should be “we” not “me” issues.
Determining capital expenses (Capex) and operating expenses (Opex) is probably where the CIO gets closest to the CFO. There are plenty of strategies for dealing with these expenditures, and these are best addressed from a “we” — and not “me” — perspective. Some companies want to effectively eliminate Capex altogether by embracing managed services and infrastructure-as-a-service options. There are other organizations where the exact opposite is true because they have cash for technology investments but are striving to reduce ongoing operating expenses. The best answer may lie in-between, so the CIO and CFO can craft the most appropriate strategy.
4. Learn how to negotiate like a finance pro.
In most organizations, finance handles leases, capital purchases and all procurements except IT. This can be unfortunate for the tech team as no one typically negotiates for the best deal better than a finance person. IT guys typically don’t have a background in real estate or negotiations and therefore don’t have full appreciation for the negotiating required to cut costs dramatically. CIOs should turn to their finance counterparts to learn the important tricks of the trade. This partnership may also shine light on current IT buying practices, such as relying on a single vendor or value-added reseller, which could be impacting your ability to get competitive pricing. Or, refreshing your technology infrastructure based on OEM timetables and not your own. There are many opportunities to reevaluate IT options and negotiate a better deal for your business.
5. Get more creative about saving money.
Too often, the CIO is focused on spending every penny of the IT budget instead of looking to cut costs. IT should be encouraged, compensated and rewarded for devising creative solutions to its procurement challenges. There tends to be little incentive for the CIO to bring opportunities to the table to save money or defer spending in keeping with changing priorities. CIOs play a critical role in explaining which technology investments will help the business survive and thrive while CFOs are invaluable in identifying opportunities to reduce spending. My favorite quote of all time goes something like this: “People go crazy together, but they get sane one by one.” The sanity will come to companies one at a time, as CIOs and CFOs team up and start asking — and answering — the tough questions together.
About the author:
Mike Sheldon is president and CEO of Curvature, an IT infrastructure and services provider based in Santa Barbara, Calif. He joined the company in 2001 as vice president of sales and was named CEO in 2006. Under his leadership, Curvature continues to post record revenues and now employs more than 650 people worldwide. Sheldon attended MIT, where he studied philosophy and game theory.
Microsoft’s announcement of a partnership last week with a group of big banks that includes Citigroup and Wells Fargo to do experiments on blockchain technology must have bewildered at least a few people.
Some may have wondered what on earth blockchain is. Others may have puzzled over why banks that normally compete for business are working together on anything.
They’re not unreasonable things to think. Let’s start with the emerging technology that forms the basis of the digital currency bitcoin. A blockchain database is distributed among a network of computers, instead of being centralized on a server cluster. Built on top of that is a shared ledger; changes to the ledger are made in a way that ensures security, and every change is replicated to all computers that are part of the blockchain.
That’s useful in industries like financial services, which often rely on a central clearinghouse to verify transactions. A blockchain would eliminate that middleman, slashing administration time and costs. Banks are looking at the technology to see what else it can be used for — eyeing new ways of handling stocks, derivatives and loans. But they can’t do that kind of testing alone — hence partnerships like the one between Microsoft and startup R3, which leads a consortium of more than 40 banks.
Together, said Martha Bennett, an analyst at Forrester Research, they can work out a panel of issues, including industry standards. To join a blockchain network, organizations need to agree on the technology stack and protocol to put to use.
“There is no competitive advantage for a bank or anybody else in trying to do blockchain on your own — unless you can somehow convince everybody to adopt your standards, and how likely is that?” Bennett said. “So it does require industry collaboration.”
It also helps to pull together resources to try out a complex new technology and see what works and how that might scale outside of the research-and-development labs.
Microsoft’s end of the bargain is to lend tools and its cloud service Azure for the banks to do their testing. In return, it hopes to run their in-production blockchains when they’re done.
The R3 group isn’t the only gang looking to develop uses and standards for blockchain database technology. There is also the open source Hyperledger Project, led by the Linux Foundation. It is looking at ways of doing other kinds of business transactions, too, not just financial ones, so its ranks include multinationals like IBM and Hitachi alongside banks BNY Mellon and State Street. That group overlaps with a growing number of blockchain startups and even with R3.
That’s a good thing, Bennett said, because the contributions each of the players brings with it can feed into the larger development of the technology.
“It is very much an ecosystem play,” she said.
Should a blade of grass move when we nudge it? If it doesn’t, should we assume we’re dreaming? Or in some alternate reality? “I would think I might be in The Matrix,” said Michael Facemire in a recent webinar presentation on the importance of mobile performance.
Facemire, principal analyst for application development and delivery professionals at Forrester Research Inc., believes mobile devices, by virtue of their touchability, have fundamentally changed customer expectations about technology performance. Just as when we touch a blade of grass we expect something to happen immediately, so too with apps and websites accessed through mobile devices. If these digital artifacts don’t respond immediately, we flee. Facemire cited stats from Google and others showing a majority of smartphone users will abandon a “touch activity” after just 2 seconds of inaction.
In a marketplace where transactions are increasingly digital and executed via smartphone, Facemire argues that building high-performance mobile experiences (the title of his Akamai Technologies-sponsored webinar) is paramount to keeping customers and promoting brand loyalty.
The problem is that many companies — and IT organizations, in particular — have not adapted their software development processes to this new reality, said Facemire, a developer and computer scientist by training.
Mobile performance low on developer totem pole
“Speaking on behalf of a lot of developers, when it comes to performance, this is generally not the first thing we think of when presented with a problem,” he said. The challenges that keep development teams up at night are figuring out how to build the software, what components and tools are needed, and what the user interface (UI) should look like, he said.
“Performance is one of those things that you just check a day or two before you ship code.” Indeed, in the traditional waterfall development method, performance review was one of the last stages, he recalled, “right up there with making sure that the legal paperwork had been signed.”
Yet, as Google’s and other companies’ data show, “performance is as important as, if not more important than, the user interface” in ensuring a great user experience, he said.
So what do IT organizations need to do to ensure high-quality mobile performance?
High-performance mobile experiences: ‘Full-stack game’
The first step is to stop making the UI the scapegoat for low-quality mobile experiences, Facemire said. Performance is a “full-stack game,” with the delivery layer, API layer and network connections all playing a part, he said. Content being delivered from a back-end content management system to the front end has to be transformed so that it fits appropriately on the device screen. The API layer has to do its bit: During peak mobile access times — Black Friday for retailers, end-of-quarter for travel and expense companies are two instances — it’s essential that database administrators are not in the middle of some task (for example, indexing the database) that will compromise users’ access to the data they want (a retailer’s product list, an employee’s expense account). Network performance is context-dependent: A 4G connection for customers at a football stadium with 59,000 fans can’t be counted on for high-quality mobile performance. So, ideally, data should be cached as close as possible to the device. But, unlike caching for the Web, caching for mobile is “an area as an industry that we are still trying to figure out,” Facemire said.
Speed and performance
Adding to the problem of delivering high-quality mobile performance is the tremendous pressure developers are under to deliver new material. A development process that once upon a time took 12 to 18 months now happens in two to four months and is rapidly becoming a “zero-day event,” Facemire said.
The good news is that developers are catching up to demand. When Forrester recently asked enterprise developers how fast their teams released applications, nearly a third (32%) said they’re releasing applications monthly or faster. The bad news is that to meet that timetable, teams take shortcuts.
“Unfortunately, a lot of folks simply cut off the back-end part of it,” Facemire said. Only 23% of developers and professionals surveyed by Forrester said they incorporate performance or load testing tools in their software development lifecycle, and 15% of them use these tools less than monthly. That’s asking for mobile performance issues — and customer dissatisfaction.
“Quality has to be a part of everything you do from Day 1 — not at the end,” Facemire said. “We need to have testing and we need to ensure our mobile experiences have the enterprise quality customers have come to expect — but to do it more quickly.”
A growing number of hospitals have not been having a good start to spring. Kentucky’s Methodist Hospital, Chino Valley Medical Center and Desert Valley Hospital, both in California, and now San Diego’s Alvarado Hospital Medical Center and King’s Daughters Health in Indiana are just a few of the institutions that have been hit by ransomware — software that freezes computer systems until money is paid to infiltrators.
All of the hospitals experienced some form of temporary network disruption. Some, like Hollywood Presbyterian Medical Center, even paid the ransom.
The malware intrusions will keep mounting until hospitals — the target du jour for crime circles — re-evaluate how they build their cyberdefenses, said Chris Ensey, COO of Dunbar Security Solutions.
“I do believe that we are on the cusp of a larger spread of this type of activity,” Ensey said.
Financial health for hackers
But why hospitals? And why now? Simple, Ensey said. It’s a quest for more revenue.
“What we’re seeing is the macroevolution of ransomware and the tactics that are being used by organized crime to continue to expand the revenue generated from ransomware,” Ensey said. “The most productive way to do that is by targeted campaigns.”
Hackers started, he said, by sending the malicious software to “a big list of email addresses” in an effort to hook as many people as possible. The hope was they’d get into a few computers, hijack the data on them and make money off each catch.
That evolved into spear phishing — similar phony-email schemes but customized for specific organizations. Hospitals use technologies that help them meet requirements set by the healthcare privacy law HIPAA and other mandates, and those are usually fine, Ensey said. Antivirus software and packet filtering as part of firewall protection “catch the common stuff.” But cybercriminals have gotten good at finding ways to burrow into systems. Hospitals, in turn, have to get better at keeping them out, he said.
Guarding against malware intrusions
You may recognize the name Dunbar from the armored cars that banks and other businesses hire to transport large sums of cash. It also sells managed security services, so of course, Ensey stands by those. His pitch: Hospitals can focus on their healthcare infrastructure while Dunbar constantly monitors for attacks. His general-purpose advice for hospitals is to keep pace with the technologies used to hack them.
A “very, very comprehensive backup strategy for their data” is a good start. Using automated backups is a solid strategy; so is the more expensive measure of highly secured colocation facilities to which hospitals can send their data over encrypted channels and replicate it.
Hospitals should also take another look at how they set up employee workstations with access to the Internet, since those can serve as portals for ransomware that can hold healthcare data hostage, Ensey said. Email can be a conduit for malware intrusions, and so can malvertisements — online ads that spread malicious software.
And healthcare institutions not only need a CISO in charge of cybersecurity, Ensey said — that executive needs to have “a seat at the table” — the business strategy table, that is. The CISO should have close ties to the CIO, the chief medical officer and the risk management team.
“Being part of those conversations is absolutely paramount to every decision that they make,” he said.
Looking to win friends and make connections in high places? The most important networking rule to remember is also a pretty simple one: It’s not about you. That’s according to Todd Cohen, author of Everyone’s in Sales and keynote speaker at the recent Premier CIO event in Boston.
If it’s not about you, what is business networking about? “It’s about building a relationship,” Cohen said. “And anyone who goes into networking thinking that it’s anything other than about building a relationship will fail.”
The guide to business networking à la Cohen advises CIOs and senior IT leaders to play the long game. Instead of approaching a networking opportunity in search of instant gratification, consider how to add to a conversation. One of the ways Cohen suggests doing that is to think about secondary network connections: Who from among your colleagues will benefit from getting to know the person you’ve just connected with? Then, take your networking win one step further and make the introduction.
The up-front investment of connecting two people together — especially if the connection is a worthwhile one — may not pay off right away, but the likelihood is that it will eventually. Both people will remember the connection — and remember the connector.
More tips for the CIO from Cohen’s guide to business networking
- Only attend a networking event if you can “be present,” Cohen said. “If you’re not, everyone will know.”
- Take the pressure off by making the goals attainable. Rather than doling out a stack of business cards, focus on having two meaningful conversations in an hour. “And a meaningful conversation is nothing more than 10 minutes of talking about something where you both can say, ‘Yeah, that was a nice conversation,’” he said.
- Create a rapport by talking about your interests. Cohen once met a botany hobbyist who explained that a seemingly healthy-looking plant was actually on the verge of dying. “He just got me because he talked about something that was passionate to him,” he said.
- Join an organization and commit. “You can’t say I’m going to join [a Society for Information Management chapter] and go once,” he said. “You have to go every month because that’s the only way people are going to trust you.”
- Don’t interrupt a conversation between two people. Instead, focus on someone who is standing alone or groups of three or more people, where it will be easier to get invited into a conversation, he said.
- End a conversation by asking, “What can I do for you?” Especially if the conversation falls into the “meaningful” category. The comment is unexpected, memorable and opens the door for another interaction, Cohen said.
If your organization is doing a lot with cloud computing, you may have heard people on your cloud or security teams talk about the need for a CASB. That’s pronounced KAZ-bee.
No, it’s not a magical creature in the Nintendo game The Legend of Zelda. Or a mispronunciation of the word casbah. Or a reference to The Clash cult classic, “Rock the Casbah.”
It stands for cloud access security broker. It’s a cloud security tool that serves as a gatekeeper to your organization’s systems and loops in whatever security policies you have in place. So if someone tries to access a free file-sync-and-share service such as Box.com or Dropbox, he or she will get a warning notice or could be shut down.
In an October market report, research outfit Gartner labeled CASB a “required security platform for organizations using cloud services” and predicted enormous growth in coming years. By 2020, it said, 85% of organizations will use one, up from less than 5% in 2015.
Johna Till Johnson, CEO and founder of Nemertes Research, presenting results from a security study in a webinar earlier this month, said cloud access security brokers were in use at companies with the most forward-looking and successful cybersecurity strategies.
“This or something like it is something you have to have as you’re moving out to cloud,” Johnson said. “And using it implies that you already have a set of defined policies, and you have a good sense of who should be using what and why.”
So people say it’s hot stuff. It’s still new, though. The Nemertes study — a small one, surveying 17 organizations — found that just 21% of respondents were using a CASB.
That’s probably not the reason you might not know what it is, though. The study found that just 41% of respondents have heard of cloud access security brokers, but 57% have plans to deploy the cloud security tool.
I’ll let Johnson deliver the punchline: “What that means is, some people are actually using it without knowing what it is, which is actually pretty funny.”
CASB might be an important piece of a cloud security initiative, she said, but it’s not a great catchword. “The folks that make these products and technologies might want to think about a different marketing acronym — I’m just saying.”
I’m not sure the spelled-out mouthful is much better. As for CASB, I think it works better as a magical creature from The Legend of Zelda.
When a California court issued an order to Apple to help the FBI break into the iPhone used by one of the perpetrators of the San Bernardino, Calif., massacre, Sen. Lindsey Graham (R-S.C.), a counterterrorism hawk who in December called on tech companies to stop selling devices that encrypt information, switched sides.
“I thought it was that simple,” Graham told Attorney General Loretta Lynch during a Senate hearing. “I was all with you until I actually started getting briefed by the people in the intel community.”
The public battle waged between the FBI and Apple put the spotlight on encryption and data privacy. According to Chris McClean, an analyst at Forrester Research, that’s a good thing. Now, ordinary people not only know what encryption is — many know enough to argue whether the government should be able to dismantle the technology during investigations. Informed citizens could, he said, push progress in the privacy debate faster than the government can.
The FBI dropped its case against Apple on Monday, saying it accessed the contents of the iPhone. But a larger discussion over privacy and encryption has just begun. Congress is making moves toward legislation that addresses the government’s investigation powers and citizens’ right to protect their information. Sen. Mark Warner (D-Va.) and Rep. Michael McCaul (R-Texas) are pushing for a commission to study digital security and privacy issues and then make recommendations to Congress. But, McClean said, it might not matter much.
He explained using a two-word phrase you may recall seeing plastered on news shows a few years ago: pink slime. That’s the unflattering nickname for processed beef used as a food additive in school lunches. (ABC News did a series on the stuff, and the rest is history.)
“This wasn’t the [U.S. Department of Agriculture] coming down on the manufacturer saying, ‘You can’t serve this to our children.’ They actually said, ‘We give this a thumbs-up,’” McClean said. “But once average citizens saw that, that went viral and they shut it down. Two or three of the companies that created that product were out of business within a couple of months.”
Customers and the privacy debate
McClean sees the same thing happening in the encryption and privacy debate. What happens if the feds petition other companies with people’s information in their databases for intel — cell phone providers, utility companies, makers of home-automation systems? Apple took on a powerful government agency. Will other businesses do that in the name of customers’ privacy?
They might, if customers expect it. Apple’s public opposition to the FBI may have given consumers the push they need to start asking tough questions of the companies that serve them. Once they start digging into privacy policies and asking how their data is being collected and how it’s being used, they may find practices they don’t like — and then voice their displeasure.
“Every company now is a data company,” McClean said. “Your grocery store, your hospital, your bank — they’re all data companies. It will be really interesting to see how much consumers are putting pressure on those types of companies to see whether or not they would stand up the same way Apple has.”