With the explosion of the Internet of Things, it’s time to rethink the CISO role — including who that role reports to. This was the consensus of a panel of security leaders at this month’s MIT Sloan CIO Symposium in Cambridge, Mass. The traditional reporting structure that puts security and risk officers under the IT organization doesn’t work in the age of Internet-connected things, they said.
The massive growth in the number of connected devices will create new and exciting opportunities for businesses, but it will also create more attack surfaces, the panel said. IoT equals more cyber-risks, better hackers and a flourishing black market for the stolen data from those devices. Indeed, IoT’s impact on security spending could be huge: from $6.89 billion in 2015 to $28.90 billion by 2020, according to an estimate by research firm Markets and Markets.
The IoT challenge for security leaders is two-fold: They need to convince their companies that security should be built into Internet-enabled products and services from the get-go; they also need to show the business and board members that security is an enabler, not an obstacle, to business processes.
That’s a big hurdle to clear, said Mark Morrison, senior vice president and CISO for State Street Corp. in Boston. In his experience, employees, including business leaders, don’t really get how security fits into business operations.
“We’re constantly balancing operations with security,” he said. “It’s a much larger challenge, because everything that people do with a computer, they expect to work miraculously.”
This lack of understanding goes both ways: IT leaders have often been guilty of pushing out tools for the business without completely understanding the business risks and requirements, said Sam Phillips, CISO for Samsung Business Services.
Reporting structure a barrier to cybersecurity
The first step in turning the tide of how the security function is viewed by the business is having the CISO role operate independently from the IT organization, Morrison and Phillips said.
Morrison’s State Street job is his fifth stint as a chief security officer, and he has always reported to the CIO.
But at State Street, Morrison also reports directly to the board, which meets nine times a year. “I’m the only standing agenda item,” he said of board meetings. Every time, he fields the same questions about cyber-risks: How serious are they? Does he have enough resources to do his job? All this while his boss, the CIO, sits by his side.
“What happens is this natural tension between operations and cybersecurity, and there’s only so much money. There’s only so much time and prioritization that can be allocated,” he said. The reporting structure makes it “hard to give a very honest answer.”
Phillips agreed that the current reporting structure has become a roadblock. In his previous CISO job, he started out reporting to the CIO, and found it difficult to keep security moving forward. One big issue was resources.
“I wanted money to drive security programs,” Phillips said, but when security was “hidden off in someone else’s organization,” his programs often got short shrift. Eventually, he ended up reporting to the chief legal officer. This separation from IT allowed him to maintain his programs’ momentum.
“I think a lot of companies are going to see [CISOs and] chief risk officers reporting directly to the COO or CEO,” Morrison said. Phillips agreed, adding that he’s seen several other companies where these functions report directly to the audit committee or the board of directors.
Before CIOs sign up their companies for a gig in the sharing economy, there are a few things to know. Chris Taylor, general manager, Uber Boston, bears both good and bad news for organizations looking to build a platform on which an ecosystem of value creators and consumers can converge. Taylor, speaking during a recent panel discussion on platforms at the 2016 MIT Sloan CIO Symposium, detailed the pros and cons of these business models.
Companies are becoming more reliant on technology, and that’s opening up new doors for chief information officers. Not only are CIOs sometimes touted as being next in line for CEO, but corporate boards are turning to CIOs to help them stay ahead of the technology curve.
For CIOs interested in stretching their careers in the board room direction, it’s not a bad idea to gather advice from those in the know. Media maven Larry Kramer is one such expert. Kramer, a board member at TheStreet, Gannett Co. Inc., Harvard Business Publishing and Syracuse University, recently provided a room full of chief digital officers (another C-level executive interested in the board room) with tips on how to make the leap. Although directed at CDOs, Kramer’s advice applies just as easily to CIOs.
Know what you bring to the table
“The best thing you can do if you want to be on a board is to have as broad of an experience as you can,” Kramer said at the recent CDO Summit in New York City. “Have specialty areas you’re good at, but prove that you’re somebody who solves across a series of problems even though you have an expertise.”
Kramer brings a range of media skills to the table that he’s gathered from print, television and the Web. He’s also well versed in building a digital business, having served as the president of digital media at CBS, which means he knows first-hand what the successes and failures of making such a transition look like.
But it’s not just the broad range of experience that serves corporate boards well; it’s also his depth of knowledge. Kramer started his career in 1974 as a reporter for the San Francisco Examiner and went on to work at a variety of name-brand establishments like The Washington Post, USA Today and CBS MarketWatch (which he co-founded and served as CEO). “It’s one of the few jobs left where being older is, in fact, a help to the job,” he said. “It’s the experience that matters. You’re selling your experience.”
Know your place with the CEO
Board members are bosses to the CEO, and part of the job is to offer guidance. “If you ever go in and get interviewed for a board seat and you’re talking to the CEO, let him or her know that you understand your job is to support him or her,” Kramer said. Support doesn’t equate to loyalty; instead, aspiring board members should strive to become a CEO’s sounding board, an advisor willing to listen to ideas and ask insightful questions or provide insightful comments.
If they’re strategic, CEOs will lean on board members as sounding boards. “If he’s got a big idea or she’s got a big idea and if he or she is smart, he or she will work through it with a bunch of board members, engage them. … Then, when it’s presented formally, it’s presented with support from other people on the board,” Kramer said.
Know who you answer to
CIOs will need to make the transition from the management table to the board table. As a manager, CIOs generate and then execute on their ideas. As a board member, they can still generate good ideas, but how — and when — those ideas are executed is out of their control. “Your temptation is to say, ‘Just give me that conference room, and I’ll get it done,'” Kramer said. “But you can’t. And they don’t want that.”
By “they,” Kramer is referring, in part, to the shareholders, bosses to corporate boards. The shareholders bring a unique set of challenges to the job that new board members may not have experienced before. “You’re going to have people who want to cash out in five years, others who want to make money in the next two quarters, and others who want that stock to steadily grow for 20 years,” Kramer said. “You have to deal with those realities, and your ability to measure those things is critical.”
It’s a different dynamic than working with — or for — the executive management team, Kramer said. He advises new board members get to know who the shareholders are and what they’re trying to get out of the company. Doing so can create a useful line of communication between the CEO and the shareholders. Said Kramer: “That will help the CEO if you can go and say, ‘If you did this, these shareholders will be happy.'”
Mitaka is not only the latest release of the OpenStack cloud infrastructure service; it’s also a city in Japan.
In a webinar Thursday detailing the 13th version of the open source platform, Brad Topol, IBM engineer and a member of OpenStack’s worldwide project team, explained that OpenStack release names are typically related to the cities the planning conferences are held in. Releases come out every six months, ahead of the semiannual meetups.
The conference before the current release was in Tokyo, in October. Mitaka is in the Japanese capital’s metro area, 8.6 miles from the city proper. Fans of Hayao Miyazaki, director of Spirited Away and other animation fantasies, may know the city as home to the Ghibli Museum, which displays the work of film company Studio Ghibli.
“It’s always a fun exercise trying to get everyone excited and look up the places and things that are nearby,” said Davanum Srinavas, a software engineer at Mirantis, which develops and supports OpenStack. In the webinar, Srinavas ticked off technical details of the Mitaka release, which has a wealth of new features designed to make the cloud software easier to install and manage.
Names are suggested by OpenStack community members, who help plan and design new versions of the cloud infrastructure, then voted on and given legal clearance, Topol said.
OpenStack release names are alphabetical, so they started with Austin, named for the location of the first conference, in Texas’ capital, in 2010. They went on in 2011 to Bexar, the county where the second conference city, San Antonio, is situated, and in fall 2015 made it all the way to Mitaka. The next release will be called Newton. That’s the name of a historical home in Austin, where the OpenStack gathering was held a second time, in late April.
The OpenStack folks may have done better to name the next version, due in October, Navasota. The town, 115 miles from Austin, has an exotic-sounding name — and it’s home to the star of the übermensch Internet meme, actor Chuck Norris.
I hope he’s not offended.
The newest release of the OpenStack cloud infrastructure is designed to be easier to install, easier to use and easier to manage.
That could be big news for CIOs. The cloud platform is delivering flexibility and processing power at lower cost to big-name companies such as AT&T and eBay. But calling for lots of installation, maintenance and development support, OpenStack has come to be known almost as much for its DIY-style complexity as it has for its innovative potential.
OpenStack Mitaka, the 13th release from the OpenStack Foundation, came out in April. Brad Topol, an engineer at IBM and “core contributor” to the free, open source software, gave an overview of new features in Mitaka in a Cloud Standards Customer Council webinar Thursday.
OpenStack “controls a large pool of compute, storage and networking resources throughout a data center,” Topol said. Everything is managed on a dashboard, eliminating the need to separately order up an application server and a database and configure networking to build a Web application, which could take more than half a year.
It’s essentially an open source version of public cloud offerings such as Microsoft Azure and Amazon Web Services, so “no vendor lock-in” is a big part of the pitch. Besides its public cloud option, OpenStack is designed to allow organizations with the right resources to build their own private clouds as well.
New in OpenStack Mitaka
Releases come out every six months, each building on the last with tweaks from a worldwide circle of OpenStack members and developers. OpenStack Mitaka comes with “lots of growth, lots of intensity,” Topol said.
The OpenStack Client is the centerpiece of the latest version. It’s a tool that lets users manage all of the operating system’s components — not just core computation, networking and storage but also “advanced services” such as data processing and workflow management. Subprojects — the term OpenStack uses for all its services — were difficult to manage, especially when the software first came out, back in 2010.
“Each subproject had its own little command-line tool, which all worked slightly different, all used slightly different syntax, would drive our operators nuts,” Topol said.
Services will also be easier to set up in this release, he said, including Nova, the computational engine, and Keystone, the identity management service. Neutron, OpenStack’s software-defined-networking function, lets users build a network, attach a server and assign an IP address — all in one step.
(Get used to the catchy names for the components — Sahara, Tempest, Cinder — they run up and down OpenStack.)
The release also aims to improve scalability, Topol said. That means big, complex applications are easy to launch using the orchestration component, Heat. It’s also designed to quickly maintain and update resources apps need, such as database and Web servers, networks and attached storage.
Jacked-up computational and security components also perform better in big applications in Mitaka, Topol said.
A turning point?
The infusion of user-friendliness happens at a key time in OpenStack’s young life. The cloud operating system grew from a joint initiative by NASA and cloud computing company Rackspace into an open source project that has spanned the globe, with nearly 180 countries, 589 companies — Cisco, Dell and VMware among them — and tens of thousands of people contributing to its planning and design, Topol said.
But people aren’t just adding to it; they’re also using it. European research lab CERN, for example, smashes particles together to learn about the universe and in the process generates reams and reams of data that’s then fed into OpenStack, Topol said. Retailers such as Walmart are using it for e-commerce — expanding on its elastic infrastructure in times of intense demand — say, Black Friday.
And telecoms AT&T, Swisscom and South Korea’s SK Telecom have hooked up to OpenStack for its network function virtualization, which takes network services away from proprietary hardware and puts them on virtual machines.
At the most recent OpenStack Summit, held in Austin, Texas, Donna Scott, an analyst at market research outfit Gartner who was once less than enthusiastic about OpenStack, recommended the platform for businesses with cloud data applications. And Forrester Research in a September brief called OpenStack “a credible platform on which to grow.”
In a video, the OpenStack Foundation’s Chris Hoge said the new Mitaka release was influenced by the need for simplicity, consistency and transparency in interface design. Those same principles have put Apple at the top of the tech heap and catapulted apps like Box.com and Dropbox into the mainstream. Make it easy. What an idea.
The problem: The National Blood Authority is a statutory agency that provides blood products to healthcare facilities in Australia. Australia’s geography makes blood delivery challenging: The country is comparable to the continental U.S. in size and has remote areas hundreds of miles from the coastal population centers. Maintaining adequate blood supplies is a life saver when it can take a couple of days to transport blood to some regions. The authority’s staff, however, wasn’t able to access blood data when working remotely. As a result, personnel would spend days or weeks preparing data before leaving the office. The data was often out of date by the time it was used.
The Technology: The authority decided to upgrade its IT, deploying virtual desktop infrastructure (VDI) on hyper-converged appliances from Nutanix. The VDI environment, which replaces a storage-area network, runs blood management and patient registry systems. VDI provides secure remote access, so authority staff can log into the agency’s systems when they are working outside the office at remote clinics or other locales. Staff members can obtain up-to-date data “on the spot, in real time,” noted Peter O’Halloran, the authority’s CIO. That real-time access means agency personnel are better prepared to help healthcare facilities optimize blood inventory levels.
The Results: More timely data in the field has helped the authority avoid blood wastage costs to the tune of about $10 million per year. The revamped infrastructure, meanwhile, also saves 34 minutes per week on log-in times and reduces the time spent on pre-trip data and document preparation. The savings contributed to a pay-back period within the first five months of installation. “The availability of real-time, remote access to the information — as enabled by VDI technology — and the productivity improvements delivered by VDI” are the primary reasons “we delivered the wastage reduction and enhanced efficiencies,” O’Halloran said.
Last week I wrote about the 13% fall in Apple revenue after 13 years of growth, surveying opinions on whether the news says something about Apple — and the product taking the blame for the slide, the iPhone — or about the market as a whole.
John-David Lovelock, analyst for market researcher Gartner, said the market for smartphones is saturated. People have their devices, whether Apple or Android, and for now they’re holding off on buying replacements. When they decide to buy them, Apple will return to revenue growth.
There are real signs of a smartphone market slowdown: Market researcher IDC declared sales largely flat year on year, while a study by another outfit, Strategy Analytics, shows shipments have fallen 3%, from 345 million units to 335 million.
Tech sales lag
But the Apple revenue slump also plays into the sluggish-technology-market narrative of 2016, Lovelock said. Gartner predicted in early April that IT spending would contract 0.5% from 2015 to $3.49 trillion. That owes partly to the trend toward digital business models. Organizations are going into “cost-cutting mode” to fund them, putting money toward cloud-based services, which have lower upfront costs.
“And of course discretionary spend on things like mobile phones, PCs, tablets, storage arrays are the things we’re seeing suffering first,” Lovelock said.
CIOs are, of course, already hip to this. They’ve been moving away from supplying phones for employees to the model known as bring your own device, or BYOD, for some time. That’s good in this market, Lovelock said.
“This is a great opportunity for CIOs to continue that move — cost optimization means that they’re going to push BYOD and extending lifecycles more.”
Calls for bigger, better, newer
Yet the Internet rings with expectations for more innovation from Apple.
“Apple has had a fine, long run, but changes are constant, competition is everywhere and consumers are fickle,” wrote reader Norman C. Burns, who goes by ncberns on TechTarget’s community forum IT Knowledge Exchange, where this post can be found.
“Everyone has already bought their phone. Since evolution is far less interesting than revolution, Apple needs the next game-changer.”
One of the questions Stuart Madnick will ask of a panel of CIOs at the upcoming MIT Sloan CIO Symposium is who should the company’s CISO report to. Madnick, a professor of information technologies at MIT Sloan, is interested in the organizational and managerial factors that give rise to cyber break-ins, including the role CISOs and CIOs play in security.
MIT Sloan research shows that while CISO reporting structures “are all over the place,” with security officers reporting to CIOs, CFOs, chief risk officers and directly to the CEO, one trend seems firmly fixed: more board interest in cybersecurity.
“I’ll give you a quote I had from a CISO recently. He said that in the previous 10 years, he had met with his company’s board of directors once. In the past year, he’s had three briefings with the board,” Madnick said. “We’re actually seeing in a few cases where the CISO reports directly to the board.”
MIT Sloan research: TJX Cos.
The fact that boards are focusing on cybersecurity roles and relationships is a positive sign. Madnick, who is also the director of the MIT Interdisciplinary Consortium for Improving Critical Infrastructure Cybersecurity (IC)3, believes that companies, and federal government security programs, pay too little attention to the organizational structures and incentives that make companies vulnerable to cyber attacks.
“I’ll give you just one quick example,” Madnick said. “We did a detailed analysis of the TJX break-in, which was at that time the largest credit card break-in in 2005.” His group compared its analysis with analysis coming out of the FTC and other investigations and “found all kind of issues in the organization that had not been covered.”
“There was an email from the CIO of TJX to his staff. And the email said something to the effect that, ‘We are currently not PCI [Payment Card Industry Data Security Standard] compliant. It will take quite a bit of effort and cost to do so. This is now November. We’re entering into our Christmas rush. This has been a tough year financially. Don’t you all think it would be fine if we deferred becoming PCI-compliant until next year?'” Madnick recounted, referring to an email sent by then-CIO Paul Butka in 2005.
“This is called an email where the answer is embedded in the question. It may shock you to realize that almost no one on the staff saw any problem with doing that,” Madnick said.
Disclaimer: The information in this blog post is for general-information purposes only. Any reliance you place on such information is strictly at your own risk.
Did you just wish I were wherever you are so you could sock me? Or perhaps you covered your ears and yelled, “Nah-nah-nah-nah-nah!”
I can’t blame you. Legal disclaimers aren’t fun to read: They’re typically solid bricks of gray text, and the sentences are stuffed with so many legal abstractions that it’s hard to connect subject and predicate.
He was at the recent Fusion 2016 CEO-CIO Symposium in Madison, Wis., to talk to business and technology leaders about the legal questions raised by the network of connected devices known as the Internet of Things: Who owns and controls the data? Who’s responsible for the security of customer information? What happens if the code in a device hooked up to the Internet is defective and harms someone?
Organizations don’t want to go to court to find out the answers, so they have a lot to think about before plugging into this emerging technology, including the use of time-tested tools.
Disclaimers set boundaries around the rights that parties, specifically your customers, can exercise to take you to court. Lawyers, of course, know how to use them. At Foley’s talk, an audience member said his company has a disclaimer on a map application for mobile devices. He wanted to know how effective disclaimers are. Foley said, “Can I begin with a disclaimer? I’m not your lawyer.”
The audience chuckled, and then listened for the real answer. Legal disclaimers are “important from a legal perspective to protect yourself,” Foley said. But — and it’s a big but — they have little effect on their main audience: customers.
“Because they don’t, or they don’t care to, absorb it, or they don’t understand it, or they’ve seen it so many times that it goes right past. It’s unconscious to them now,” he said.
Ironclad? No. Necessary as businesses increasingly turn to digital business models? Yes.
Perhaps echoing the legal uncertainty in an uncharted technology terrain like the Internet of Things, Foley asked an open question to the audience.
“Has anyone successfully sued an apps services company — Google or iPhone — for driving somebody off a cliff?”
The answer that came back to him was, “I haven’t seen anybody succeed.”
Not yet, anyway.
Who says working in an IT department can’t be like vacationing on a cruise ship?
Along with ridding the office of seven-foot high cubicles and assigned desks, one of the experimental policies Michael McKiernan, vice president of business technology at Citrix Systems Inc., introduced during a workplace redesign was beach toweling.
“It’s similar to a policy you see at a hotel or on a cruise line,” he said at the Fusion CEO-CIO Symposium in March. But it’s not exactly a vacation policy you’re likely to write home about. On most cruise ships, guests who leave towels or books behind in an attempt to reserve a deck chair are given a time limit to return before those items are removed and the chair is made available to another guest.
The same goes for Citrix employees who work in offices where the beach-toweling policy is in effect: If employees leave a desk unoccupied for more than two hours, they are to take everything with them. Otherwise, “you’re taking that resource out of the common pool so that it can’t be leveraged by others,” McKiernan said.
Beach-toweling police: 120-minute egg timers
As with the major cruise lines, enforcement measures also needed to be introduced for the policy to work. On a cruise ship, reserved deck chairs are sometimes tagged by a cruise ship employee; if a guest doesn’t come back within the allotted time, the items are removed. At Citrix, McKiernan introduced 120-minute egg timers. Employees can grab one, wind it up and place it on a desk to signal when someone’s not following the beach-toweling rule.
“It’s not punitive in terms of [we’re going to] take your stuff and throw it in the garbage,” McKiernan said. “But it’s a carrot and stick. We use a little bit of shame with people.” Plus, it’s a way of introducing beach toweling to workers who aren’t steeped in the Citrix culture, such as third-party contractors.
Will beach toweling stick? Only time will tell. At Citrix, McKiernan has taken an almost Agile approach to introducing new workplace redesign measures, so that a policy like beach toweling is often referred to as a prototype and not a finished product. That leaves the door open to tweak and change the policy to reflect the office culture. “We’ve had many different failures,” he said. But learning from those failures, admitting when policies don’t work and changing them so that they do is an important part of the redesign process, he said.
Plus, McKiernan said, what works in California may not work in, say, France or Germany. An iterative approach allows for workplace redesign policies to remain flexible.