Very bad things happen when security protocols are neglected. Just ask Stephen Fletcher, the now-former CIO for the state of Utah. Fletcher was fired by Gov. Gary Herbert this week over the March data breach that compromised the personal and medical information of about 780,000 Utahns. Two of Fletcher’s former employees are under investigation in connection with mistakes that led to the breach.
Somebody fell asleep at the switch — or server, as it were — allowing hackers in Eastern Europe to slip right into the state’s Medicaid database. They slipped out with hundreds of thousands of birthdates, names, addresses and Social Security numbers, among other useful tidbits. It’s believed that, by exploiting an unchanged default password on the user-authentication layer of the system, they were able to bypass multiple layers of security controls. Yes, a default password cost at least one person his job, more than half a million people their privacy and millions in taxpayer dollars to clean up the mess.
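The failure described above is mechanically simple to check for, which is what makes it so galling. As an added example (not code from this article, and not Utah's system), the Python below sweeps a password store for accounts whose stored PBKDF2 verifier still matches any entry in a list of vendor default credentials. That is the check an auditor runs before a pentest, and the self-check an authentication layer should run at startup so it refuses to come up while a factory default is live. The default-credential list and the sample account records are constructed for the example; a real sweep would load the list for the specific vendor and read the real store.

```python
"""Sweep a password store for accounts that still answer to a vendor default."""
import hashlib
import hmac
import os

# Constructed list of well-known factory credentials (username, password).
# Placeholders only; a real audit loads a vendor-specific list.
KNOWN_DEFAULTS = [
    ("admin", "admin"),
    ("admin", "password"),
    ("root", "changeme"),
    ("sa", ""),
    ("guest", "guest"),
]
# Vendors often apply one default to many logins, so every default password
# is tried against every account regardless of the username it shipped with.
DEFAULT_PASSWORDS = sorted({pw for _, pw in KNOWN_DEFAULTS})

ITERATIONS = 50_000  # PBKDF2 work factor; modest so the sweep finishes quickly


def derive(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 verifier, as a password store would hold it."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_account(username: str, password: str) -> dict:
    """Build a stored record; the plaintext is discarded after derivation."""
    salt = os.urandom(16)
    return {
        "username": username,
        "salt": salt,
        "iterations": ITERATIONS,
        "verifier": derive(password, salt),
    }


def find_default_credentials(accounts: list[dict]) -> list[tuple[str, str]]:
    """Return (username, default_password) for each account whose stored
    verifier matches a known default password under that account's own salt."""
    findings = []
    for acct in accounts:
        for default_pw in DEFAULT_PASSWORDS:
            candidate = derive(default_pw, acct["salt"], acct["iterations"])
            if hmac.compare_digest(candidate, acct["verifier"]):
                findings.append((acct["username"], default_pw))
                break  # one hit is enough to flag the account
    return findings


def assert_no_defaults(accounts: list[dict]) -> None:
    """Startup guard: refuse to bring the authentication layer up while any
    account still accepts a factory default."""
    hits = find_default_credentials(accounts)
    if hits:
        names = ", ".join(user for user, _ in hits)
        raise RuntimeError(f"default credentials still active for: {names}")


# Constructed sample store: two accounts were never changed from their defaults.
SAMPLE_ACCOUNTS = [
    make_account("admin", "admin"),
    make_account("medicaid_svc", "k7!Qv9#zLp2wR4xm"),
    make_account("dbadmin", "changeme"),
]

if __name__ == "__main__":
    for user, pw in find_default_credentials(SAMPLE_ACCOUNTS):
        print(f"FLAG {user}: still accepts default password {pw!r}")
    try:
        assert_no_defaults(SAMPLE_ACCOUNTS)
    except RuntimeError as exc:
        print(exc)
```

The sweep works against hashes, not plaintext, so it can run against a production store without ever exporting passwords; the cost is one key derivation per account per default, which is why the default list should be curated rather than a generic wordlist.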
Herbert said he sought the CIO’s resignation because Fletcher lacked “oversight and leadership.” Ouch. Maybe this wouldn’t sound so bad if, as several accounts suggest, Fletcher weren’t so good. Since he was named the state’s CIO in 2005, Utah has emerged as a leader in government tech and innovation, and Fletcher has been credited with leading the state to successful enterprise-wide IT consolidation and centralization. He’s a past president of the National Association of State Chief Information Officers and a past recipient of Government Technology’s “Top 25 Doers, Dreamers and Drivers” award. But now a default password overshadows all of that.
Fletcher told Government Technology that the incident was preventable and is an example of why more funding is needed to protect government IT systems. In just the past four months, he said, cyberattacks on the state’s technology system have spiked 600%. But Fletcher also bemoaned the fact that this would overshadow all of the good work done by his department — the cost savings, the consolidation, the presence of more than 1,000 online services for residents.
Whether Fletcher is personally at fault is still under investigation, but he certainly has taken the fall. One would hope security protocols at least existed — if not, the blame surely lies at his feet. If they were in place and employees simply didn’t follow them — well, the blame still falls on Fletcher. In the end, he is the leader in this scenario, and unless it can be proved his team members maliciously left the server vulnerable, it’s his job to make sure they do theirs.
Certainly, this is an extreme example of what can go wrong when security protocols are not adhered to (or are possibly nonexistent), but nonetheless one worthy of every CIO’s attention. Handling security and compliance is a balancing act and a team effort. Stories like this one are sobering reminders that, while it isn’t easy, steadfast attention to managing information risk has value beyond measure.
I spoke with a CIO years ago who went around his data center and randomly shut down servers. He did this for two reasons. For starters, if no one noticed that the server was off for a week, it obviously wasn’t needed.
The other, more important reason? He wanted to see how his IT staff reacted.
It’s not simply that organizations don’t have disaster recovery documentation; when they do, people can’t understand it.
In one recent instance, a CIO ran through a disaster recovery scenario, and it went off smoothly, thanks to one all-star on the staff who knew how to recover everything off the top of his head.
“I asked, ‘What if he’s sick or on vacation?’” Kirvan said.
His point is that the documentation has to be simple enough and consistent enough for anyone on staff to be able to step in and recover a system — so simple that, even if your IT staff can’t perform the function for some reason, a non-IT person could.
To help get your staff on the same disaster recovery documentation page, Kirvan suggests checking out disaster recovery software, plan templates and guides, a list of which has been compiled by fellow industry expert Phillip Rothstein.
As we head into another weekend, we’d like to send best wishes to our readers who are also mothers. Come to think of it, being a CIO or IT leader is a lot like being a mom: Every day brings new challenges and changes, you’re constantly trying to keep everyone satisfied, sometimes you just have to say “no,” and you’ve got to be vigilant about keeping the “household” budget.
This week’s roundup of tidbits from around the Web touches on a few of those aforementioned changes: in what IT is investing in, in the data center development cycle and in mobile strategies. Still, there are some things that it seems will never change: A floppy disk means “save,” kids. Why? Because we said so.
More proof that your mobile strategy touches pretty much everything you do, and underlining the importance of the CIO’s relationship with the chief marketing officer and the business: Thanks to social media and mobility demands, investment in CRM (customer relationship management) software has jumped from No. 18 to No. 8 in a Gartner Inc. survey of CIO and CEO priorities.
Still not convinced of the importance of a mobile strategy? Even within the slow-grinding gears of government, the call for “mobile first” is gaining traction.
Blogger Greg Ness opines on how the commoditization of network hardware could drive a new data center development cycle.
So, maybe she doesn’t always give you the best directions or particularly accurate weather forecasts. Did you ever think maybe Siri is just meant for a higher calling? Forget the neoprene case — get this lady a lab coat.
It hadn’t occurred to us until we saw this post that, for some computer users, the floppy-disk icon is not “the floppy-disk icon” — it’s “that thing you click on” to save stuff. It says something very interesting about the evolution of culture and language, yes, but mostly it just makes us feel old.
Call it the triumph of consumerism, or just common sense. Mobile computing is on fire in the enterprise — apps, middleware, tablets — and the proof is in the pesos, pounds, the pieces of eight. Mobile is where the money is, reads the headline trumpeting the new Forrester Research 2012 IT spending report published this week. Mobile spending grabs the biggest share of the rather-modest overall 5% budget increases planned by IT in 2012, according to the report:
- 45% of firms plan budget increases of 5% or more on mobile apps and mobile middleware, outpacing business intelligence (43%) and security (40%), the other two top spending priorities. That’s a measurable change from last year’s survey, when between 36% and 39% of firms planned to boost mobile spending on apps and middleware by 5% or more.
- On the hardware side, increased spending on tablets was on the agenda for 44% of firms, just ahead of storage products (43%) and server hardware (41%).
The figures are based on responses from IT executives and technology decision makers at 3,752 enterprise and SMB firms surveyed by Forrester from October to December 2011.
There are other signs that mobile is where CIO minds are at these days. Despite the ongoing hype around cloud, spending on cloud-based services like SaaS, Platform as a Service (PaaS) and Infrastructure as a Service (IaaS) accounts for less than 5% of IT budgets. Full-time IT staff continues to take the biggest chunk of IT budgets (27%).
The report notes that the increased spending on mobile software and hardware is not just about the money. Mobile computing and consumerism signal a major shift away from IT departments as the commanders-in-chief of technology to the rising role employees play in tech decisions. According to the report, 23% of the IT leaders polled said their business groups wanted to be more involved in IT decisions about technology in 2011, compared with just 6% who saw a decrease in business involvement.
Frankly, based on our reporting on mobility and the consumerization of IT over the past two years, that 23% seems low. CIOs like Rick Roy, just to name but one of the mobile pioneers profiled in our CIO Innovator series, caught the shift early. His meticulously plotted strategy to mobilize CUNA Mutual Group included developing 18 different personas to pinpoint the mobile needs of the insurance company’s 4,000 employees.
What piques my interest lately is not mobile spending, although it is always useful to follow the money. (Or, for that matter, how employees are influencing tech decisions. Old news.) I want to know how CIOs are using their mobile dollars to transform business models at their companies — and in the process maybe even rendering the competition’s models obsolete.
Mobile computing is disrupting tried-and-true business models and centuries-old establishments. The seeds are being planted right now. The decision by Harvard and MIT to offer courses available to anyone who has a phone with an Internet connection is just one recent example. I’d like to hear how you think mobile spending is going to shake up your business. Let me know.
Enterprises are outsourcing mobile app design and keeping the names of their partners a closely guarded secret for competitive gain. IT departments are being asked to redesign customer-facing websites with mobile use in mind, and provision desktop apps like ERP and CRM in a mobile environment.
As Karen Goulart, Features Writer for SearchCIO.com, points out in her story on app dev this week:
Experts and IT leaders believe the real business value in today’s enterprise is being created at the application level — be those apps employee-facing or consumer-facing. They also believe that in this information-on-demand era, those applications need to be part of a mobile strategy. “Nowadays we use those terms, app and mobile app, almost synonymously,” said Michael Le Du, chief technology officer at New York City-based Maxim magazine. “More often than not, when you’re reading or talking about an app, it’s mobile, because that’s really where all the activity is right now.”
Le Du and his development team made their own mobile apps as part of a website redesign, but there is a growing debate about what’s better: build versus buy. A prime example is the case of two hotel chains, one of which developed its own concierge application. But when the author of this story, SearchCIO.com’s Senior Writer Linda Tucci, brought the idea of mobile app design to another hotel chain’s IT leader, he passed on the idea. He believes any app they need will be developed by someone else. Why bother with the cost of mobile app dev when just about any app you might need most likely will become available commercially?
When is the last time you actually dedicated time to innovative thinking? If it’s taking you a while to answer (or you don’t have time to remember because you’re too busy working), you’re not alone; and it might not be your fault. This week’s roundup of bits from around the Web includes two interesting looks at innovation — reasons why you may not have time for it and places where innovation is the only option. Plus, could your Facebook profile help save a life?
When it comes to tech innovation, a lot of managers talk the talk, but relatively few give their workers time to walk the walk.
Poorer countries are proving that starting with less can be a springboard to tech innovation. Case in point: How India and some African nations — places with little legacy telephony infrastructure — are revolutionizing mobile banking.
You’re willing to share your favorite movies and pictures of your cat, but will you share your organ donor status on Facebook? Experts in the field of organ donation say this bold step in social media could make a world of difference for those in need.
As with any study, we take this with a grain of salt and consider the source, but it’s still a little unsettling to hear the suggestion that 90% of websites using Secure Sockets Layer encryption aren’t entirely secure.
Can you speak up? I’m wearing long sleeves. When art and technology mingle, the resulting body of work can be a little strange.
Who would dispute the importance of gaining a competitive advantage in business? Competition is the mother’s milk of capitalism. A competitive edge — an advantage of one company over another vying to occupy the same niche — is the golden goose of profits, as long as the advantage holds sway. The question is, do CIOs really care enough about gaining a competitive advantage? Or has the tenor of the job — the torrid pace of technological change, the high degree of difficulty in deploying IT, the long tradition of IT as a caring and supporting function — persuaded CIOs that conferring and collaborating with other CIOs makes a lot more sense than not?
Gaining a competitive advantage certainly matters deeply to board members, according to recent Gartner research. Maintaining competitive advantage came out as the top concern of 52% of board members, outpacing 26 other board issues, including cost-cutting, restructuring the business and replacing the CEO. “Nothing else came close,” analyst Jorge Lopez, whose research focuses on CEO concerns, told CIOs at the 2012 Gartner CIO Leadership Forum. Another point that makes the old topic of competitive advantage fresh news for CIOs? Lopez cited growing evidence that when companies lose ground during a recession — say, drop from the No.2 to the No. 4 spot in their markets — they don’t regain their edge, at least until the next financial crisis alters the playing field.
However, when CIOs were asked in one of the Forum sessions whether they tracked how their competitors were using IT to competitive advantage, the majority of CIOs in the room said they did not. They were strongly advised not only to start doing so, but also to find out which competitors their CEOs admired for their use of technology.
The CIO’s responsibility in using IT to gain competitive advantage is a complex topic not given to pat prescriptions, I’m learning. One former IBM-er and IT professor, for example, tells me that CIOs need not be as concerned with what their competitors in the field are doing with IT, as they should be with what the exemplars in the IT industry are doing and “how that might be applied to their organizations.” For this reason, having a strong network of CIO peers is absolutely vital to making IT a competitive advantage in their businesses (although this is a bit of a paradox). Moreover, gaining a competitive advantage derived from IT nowadays is less about — maybe never about — deploying technology in the company, he said. All that stuff can be copied. Maybe the richer playing field is competing for customers outside the company. His view is that CIOs should focus on working with external customers and clients to find ways in which IT can make the difference for them. Your thoughts? Let me know.
When I talked to IT Service Management expert Derek Lonsdale about change-management strategy challenges, he kept coming back to the change management advisory board.
True, the advisory board approval process tends to be too bureaucratic at some enterprises, but the real problem is what happens — or should be happening — before a change request even gets to the board.
Here is a rundown of four ways Lonsdale, service management leader and lean expert in the Cambridge, Mass. offices of the London-based PA Consulting Group, recommends tackling change management strategy challenges.
Define what a change is. A poorly defined change management process leads to way too many low-priority changes going to the advisory board. Is it a change request or a project, for example? If a request takes more than 10 days’ effort, it’s a project, not a change request, and shouldn’t go to the advisory board.
Define emergency change request. If you have a lot of emergency change requests going before your advisory board, your project managers are doing something wrong. The only valid emergency change request is an outage. A last-minute server request is just bad planning, not an emergency change request. In these cases, the project manager should have to queue up behind everyone else’s requests for similar changes.
Automate change management. The approval process has to be automated. You can have standard changes that should be automated — for example, regular changes that happen every month, such as rebooting a server. “Anything that is repeatable, you understand the risk, it’s the same resources involved in it all of the time, it’s never caused an outage — so therefore, it can be a standard change,” Lonsdale says.
Before a change hits the advisory board, complete all approvals and admin processes. “Too often advisory boards waste a lot of time asking, ‘Do you have the right approvals?’ or ‘Have they said yes?’ A lot of the steps that should have been done before it got to the advisory board don’t get done, and it makes the meeting very ineffective,” Lonsdale says.
Let us know what you think about this blog post; email: Christina Torode, News Director
Sometimes innovation begets innovation. This week, check out a gaming company that took the rather innovative step of eliminating hierarchy in the workplace and found it led to — innovation. On a similar note, see how Harvard’s dabblings in big data have led to some innovative results. If that’s not inspiring enough, this week’s roundup also includes some advice on how to keep your best employees and help shape them into leaders.
- Bosses? We don’t need no stinking bosses. A peek inside gaming company Valve, where a lack of hierarchy and other unconventional business practices are promoting innovation.
- If you happen to be a boss, however, check out this advice on how to retain high-potential employees. Turns out, sometimes it’s the managers of those employees who need coaching.
- And speaking of promoting innovation, Harvard this week released “big data for books” — metadata on more than 12 million books, videos, maps and more from its 73 libraries. The university is looking forward to seeing how the information is used. They’ve already gotten a small glimpse: A group of hackers, given one day and information on 600,000 items, created such things as visual timelines of when ideas became broadly published.
- In a workforce increasingly reliant on management skills, these experts weigh in on why IT leaders of today shouldn’t forget about fostering leadership skills in the next generation.
- Got Mac users in your organization? You might want to watch where they’re sticking their USB drives.
Another week, another potential woe for the CIO?
Tuesday saw the long-awaited/speculated release of Google Drive, joining the world of such cloud storage service offerings as Dropbox and Microsoft’s SkyDrive. Google Drive offers 5 GB of free storage for documents, photos, videos and other data. Additional storage can be purchased for a monthly fee.
But simultaneously with the launch of Drive was the raising of red flags from companies questioning the privacy of data stored with Google. In a blog post about Google Drive, New York Times writer Quentin Hardy said the newspaper has already advised its employees not to use the service.
At issue is how customers’ information can be used. Critics were quick to note that Drive falls under Google’s much-scrutinized, all-encompassing terms-of-service agreement, which allows Google to view and use customer content for its own purposes. The most talked-about term in Google’s service agreement on blogs and in the news over the last couple of days is this one:
When you upload or otherwise submit content to our Services, you give Google (and those we work with) a worldwide license to use, host, store, reproduce, modify, create derivative works (such as those resulting from translations, adaptations or other changes we make so that your content works better with our Services), communicate, publish, publicly perform, publicly display and distribute such content. The rights you grant in this license are for the limited purpose of operating, promoting, and improving our Services, and to develop new ones.
But, as Nilay Patel, writer for website The Verge, points out in some detail, this doesn’t differ much from the terms of Google’s cloud storage service competitors. Its competitors just say it a little nicer. The bottom line, Patel rightly notes, is how comfortable you are with the inherent risks of putting your data into the cloud. Agreements are great, but accidents happen.
Google is always aiming for the enterprise, but experts speculate Drive will mostly appeal to SMBs and the single-consumer market. Still, for flag-wavers, this likely won’t lessen their concern. As IT execs well know, just because you didn’t buy it, doesn’t mean it won’t be used. Sure, there are plenty of cloud storage services out there, but the lure of Drive might be greater, based simply on name recognition. Maybe your users have Gmail or use Google Docs and won’t see the harm in trying to sync it all up in Drive. One would hope that most companies would have guidelines in place by now to stem the tide of this kind of shadow IT. And further, knowing these guidelines aren’t always adhered to, would have enough rapport with users that they know why the latest thing might not be the greatest thing for their company.
So, what do you think? Have you already put the brakes on Drive, or do you have a policy in place that (you hope) will prevent the adoption of rogue cloud storage? Is Drive being unfairly picked on just because it’s Google? I’d love to hear your take in the comments or in an email.