Leading off this week’s roundup, from our sister site SearchCIO-Midmarket.com, we have a CIO whose gold medal-worthy green tech innovation is truly energizing London’s Olympic Park. Also, read about how speeding to market with software could kill a trading firm, and read about the CIO’s role in IT transformation.
As chronicled on the SearchCIO-Midmarket.com blog, CIO Symmetry, the CIO of the London summer games scored big, lighting up Olympic Park with green tech innovation. And he didn’t even have to put on a Speedo.
Speed is great for sprinters and the like but can be downright dangerous for makers of stock-trading software. Perhaps Wall Street’s third stock-trading fiasco in five months will drive home this point.
Winning by changing the rules doesn’t sound very sportsmanlike. Unless we’re talking victory over network hackers — then by all means we ought to hear out the argument for changing the rules of writing code.
Think social collaboration is a frivolous pursuit? Perhaps this bar graph can convince you otherwise.
Finally, be sure to check out this week’s CIO Matters column, in which SearchCIO.com’s Editorial Director Scot Petersen looks at the role of the CIO in the midst of IT transformation.
Somebody fell asleep at the switch — or server, as it were — allowing hackers in Eastern Europe to slip right into the state’s Medicaid database. They slipped out with hundreds of thousands of birthdates, names, addresses and social security numbers, among other useful tidbits. It’s believed that, by exploiting an unchanged default password on the user-authentication layer of the system, they were able to bypass multiple layers of security controls. Yes, a default password cost at least one person his job, more than half a million people their privacy and millions in taxpayer dollars to clean up the mess.
Herbert said he sought the CIO’s resignation because Fletcher lacked “oversight and leadership.” Ouch. Maybe this wouldn’t sound so bad if, as several accounts suggest, Fletcher weren’t so good. Since he was named the state’s CIO in 2005, Utah has emerged as a leader in government tech and innovation, and Fletcher has been credited with leading the state to successful enterprise-wide IT consolidation and centralization. He’s a past president of the National Association of State Chief Information Officers and a past recipient of Government Technology‘s “Top 25 Doers, Dreamers and Drivers” award. But now a default password overshadows all of that.
Fletcher told Government Technology that the incident was preventable and is an example of why more funding is needed to protect government IT systems. In just the past four months, he said, cyberattacks on the state’s technology system have spiked 600%. But Fletcher also bemoaned the fact that this would overshadow all of the good work done by his department — the cost savings, the consolidation, the presence of more than 1,000 online services for residents.
Whether Fletcher is personally at fault is still under investigation, but he certainly has taken the fall. One would hope security protocols at least existed — if not, the blame surely lies at his feet. If they were in place and employees simply didn’t follow them — well, the blame still falls on Fletcher. In the end, he is the leader in this scenario, and unless it can be proved his team members maliciously left the server vulnerable, it’s his job to make sure they do theirs.
Certainly, this is an extreme example of what can go wrong when security protocols are not adhered to (or are possibly nonexistent), but nonetheless one worthy of every CIO’s attention. Handling security and compliance is a balancing act and a team effort. Stories like this one are sobering reminders that, while it isn’t easy, steadfast attention to managing information risk has value beyond measure.
The other, more important reason? He wanted to see how his IT staff reacted.
What DR and BC expert Paul Kirvan has found too often is that a lack of disaster recovery documentation is stymieing the best-laid (and expensive, costing into the millions) DR strategies.
It’s not simply that they don’t have disaster recovery documentation, but if they do, people can’t understand it.
In one recent instance, a CIO ran through a disaster recovery scenario, and it went off smoothly, thanks to one all-star on the staff who knew how to recover everything off the top of his head.
“I asked, ‘What if he’s sick or on vacation?’” Kirvan said.
His point is that the documentation has to be simple enough and consistent enough for anyone on staff to be able to step in and recover a system — so simple that, even if your IT staff can’t perform the function for some reason, a non-IT person could.
To help get your staff on the same disaster recovery documentation page, Kirvan suggests checking out disaster recovery software, plan templates and guides, a list of which has been compiled by fellow industry expert Phillip Rothstein.
GM has gone from losing billions of dollars to making money, $7 billion so far this year. Thanks to its reorganization and government bailout, North America’s largest car company is largely debt-free. Granted, Europe is a problem. Apparently the company is not doing so well in South America either, a big car market. And the stock price is not where it should be. But in contrast to life in pre-bankruptcy days, GM’s new executive management team now has the luxury of actually running the business (as opposed to lurching from crisis to crisis), Ammann told The Wall Street Journal Senior Editor Darren McDermott during a session at the recent MIT Sloan CFO Summit in Boston.
What was GM’s strategy for lowering its risk profile? One big step was to dramatically reduce the company’s break-even point, Ammann said. “We had a huge fixed-cost base, so we had to build a certain number of vehicles to cover the fixed cost. We had a supply-push business model: You built the vehicles and then figured out how to sell them.”
“Getting the break-even point down allowed us to have a business model where we are building to demand, as opposed to building a particular level of volume, to allow the business to break even,” he added.
Building to demand: That should ring a bell for CIOs, I think. Calibrating IT supply to meet business demand is both tough and arguably more critical than ever if IT hopes to be a strategic partner. One way of building to demand is to build in the cloud, scaling up or back to keep the break-even point at a place where IT departments can spend less than their budgets. Why do that? So they can plow a predictable amount of money into innovation.
However, “you can’t cost-cut your way to prosperity,” said Ammann, whose New Zealand accent lends his statements a kind of matter-of-factness. GM invests about $16 billion a year in product development. The company needs to worry about whether it’s allocating the right amount and if it’s getting value for its money. With a debt-free balance sheet and low break-even point, on the other hand, GM can give its engineering department a predictable set of things to work on and a predictable amount of money to spend. And that, Ammann claimed, is the “best way to get efficiency into an engineering department.” That’s in distinction to the days when the fiscal crisis du jour resulted in billions wasted on engineering products that got canceled midstream.
To recap: Reducing the break-even point, so IT has a little money left over, makes it more likely that CIOs will have a predictable stream of revenue to plow into innovation.
Ammann didn’t get into the particulars of how that GM break-even point was lowered — the brutal job cuts, factory closings and production moved to China. That’s ancient history now. The current reality is that GM’s break-even production volume in North America is about half what it was pre-bankruptcy. And the executive team is relentlessly focused on keeping cost from creeping back in, he said. What’s important is that GM keeps “the break-even point down low enough so we are making money in basically any market environment,” he added. “It’s all about operational execution.”
One last observation, not exactly on point but germane: Ammann has inserted himself into GM’s product planning process — a nervy thing to do for a CFO, it seems. But product development is important for GM, so naturally he “went and got in the middle of it.”
“The role of finance … is that we are there to bring the information and insights to enable the right business decisions. And there are a lot of really important business decisions getting made when you are setting your future product portfolio and future investment strategy,” he said.
Ammann’s advice to the CFOs in the audience: “If you show an interest in the business, the business will show an interest back.” The same could be said to CIOs.
But cloud uptime? Now that is an even larger trust issue that CIOs just can’t seem to get past. At least, not the CIOs attending a recent gathering of public cloud services providers sponsored by the trade and investment arm of the British Consulate-General.
The CIOs and cloud services providers came together to hash out what it’s going to take to get enterprises onto the cloud. Security was an issue, of course, with data transparency and knowing who has access to their data among the concerns.
As for performance, one CIO said he would FedEx a terabyte of data to a public cloud provider for fear that the provider’s network couldn’t handle a data transfer of that load. One attendee said performance uncertainties in the cloud could possibly weaken your disaster recovery plan.
The CIOs also didn’t trust that their public cloud providers wouldn’t go out of business. CIOs have a long memory and haven’t forgotten that seemingly well-established hosting providers can go out of business — think Exodus Communications.
In 2000, Exodus was the darling of the hosting industry, with revenue of $818 million, stocks worth $90 a share and 42 colocation facilities — not to mention nearly 5,000 customers, including Microsoft, Yahoo and the New York Stock Exchange. Many of the company’s customers, however, were dot-com startups that failed to pay their hosting bills, pushing Exodus further into debt as it continued to build and acquire more facilities. (Some experts believe that the next wave of winners in outsourcing will be the ones that have large infrastructures that can support the entire services layer, from software to hardware. That would require big investments in infrastructure, like those Exodus made.)
Public cloud providers are not immune — a few bad infrastructure and financial planning decisions could bring the multitenant house of cards down. What happens to customer data then? Just as they asked during the dot-com bomb and downfall of application service providers, CIOs want to know how public cloud providers will deal with porting data and services to another cloud provider, or back in-house.
They don’t want their data to end up as an asset in bankruptcy court.
But this is a nascent industry, and CIOs are willing to wait for public cloud providers to grow up a bit. And as they grow, CIOs would like the providers to keep these other capabilities in mind:
CIOs are sending clear messages to public cloud providers. It will be interesting to see how the providers live up to these demands — or maybe private clouds are the way to go?
Let us know what you think about this blog post; email Christina Torode, News Director.
Because they are designed to serve the masses, large clouds like Amazon.com’s Elastic Compute Cloud, or EC2, have standard service level agreements that may refund businesses for time lost; but that’s pennies compared to the business that could be lost during an outage. Enterprises want to shift some of the financial risk to public cloud providers, but with increasing interest in cloud services, providers have little incentive to change their business models, according to Drue Reeves, director of research for the Burton Group in Midvale, Utah. The issue was brought home by Eli Lilly’s decision last week to walk away from Amazon Web Services (AWS) after its negotiations failed to push onto AWS some accountability for network outages, security breaches and other forms of risk inherent in the cloud. In the article, an AWS spokesperson denied that Eli Lilly was no longer a customer.
At the moment, there isn’t enough jurisprudence to decide who pays for what, Reeves said, so he gathered a panel of lawyers and cyber insurers to comment on what has been deemed the Wild West of computing at the Burton Group’s Catalyst conference in San Diego last week. Heck, Rich Mogull, analyst and CEO of Securosis LLC, a consultancy in Phoenix, even called the public cloud a seedy bar.
“We don’t really have cloud law,” said Tanya Forsheit, founding partner of the Information Law Group in Los Angeles. “It’s going to happen. . . .[S]ome big breach involving a large provider will result in a lawsuit, and we might see principles coming out of that,” she said. Until then, negotiation is the order of the day around liability policies, she added.
Indeed, there have been 1,400 “cyber events” since 2005, according to Drew Bartkiewicz, vice president of cyber and new media liability at The Hartford Financial Services Group, a financial services and insurance company in New York. “If you had an event in 2005, you’re lucky,” he said. “The severity over the last two years is starting to spike. This is an exponentially growing risk.” With so much information flowing around the clouds, supply chains become liability chains, he added. “The question is, who is responsible for information that’s flowing from one cloud to another when a cloud goes down?”
The answer comes down to contracts, and what should be considered a reasonable standard of care, Forsheit said. “Have we reached a point where encryption is the standard?” she asked.
But enterprises aren’t the only ones at risk in the cloud: If the large providers are forced to indemnify businesses, the game will be over, Reeves predicted. The industry needs to figure out how to share the risk in order for the cloud market to mature. “Otherwise, the cloud becomes this limited place where we put noncritical applications and data,” he said. “If we don’t address this issue of liability, we’re stuck.”
SearchCIO.com will be following the issue of liability policies in the cloud. Do you have a story that needs to be told? Contact me at email@example.com.
The story reports on an internal BP document showing that for financial reasons and expediency, the oil company chose to use the riskier of two options to seal up the well that soon after started spewing untold gallons of oil into the ocean. The document was provided to the Times by a Congressional investigator.
Presented with the internal evidence that BP knowingly chose the riskier of the two options, a BP spokesman reportedly told a reporter there “was no industry standard” for the casing used to seal up deepwater wells. The approach used by BP “had not been unusual.”
Unfortunately, the result of BP’s choice is very unusual.
In the absence of an industry standard, BP pursued a risk management strategy that turns out to put the planet at risk. The response certainly makes a case for industry standards, and shows why government must step in when fools don’t fear to tread.
Anyway, I think it’s safe to say that BP’s risk management strategy didn’t pay off. It already has cost this conglomerate far more than the billions it will take to clean up after it.
The new face of BP is a dead brown pelican, blackened from bill to tail with oil, neck twisted and defunct wings outstretched. No industry standard, BP? Go tell that to the dead and dying.
You’re probably well aware of the benefits of social media in the workplace. They can function as excellent recruiting tools for HR, serve as user-friendly collaboration platforms for staff and boost a company’s customer outreach (McDonald’s, for instance, hired its first social-media chief this week).
But CIOs must also consider social media’s pitfalls, especially if they haven’t drafted social media policies to guide their staff. According to Senior News Writer, Linda Tucci, IT consulting firm Burton Group Inc. pointed to these risks associated with compromised social media accounts in the workplace:
Meanwhile, over on our sister site, News Writer Jessica Scarpati zeroed in on compliance concerns. According to the survey “Usage Trends, End User Attitudes and IT Impact” from FaceTime Communications Inc., a unified communications security and compliance vendor, when asked if they could reproduce social network communications if required by an attorney, 65% of IT managers said they could not.
And although 77% of enterprises said they archive emails, only a fraction (19%) logs communications via social networks; 13% reported archiving tweets, the survey found.
The story also cites several good examples of social media gone wild in the workplace, as well as the fallout. Perhaps most shocking? Two nurses were fired from a Wisconsin hospital last year following allegations they had taken pictures of a patient’s X-ray — which showed an object lodged in his rectum — with their cell phone cameras. One nurse was accused of posting the photo to her personal Facebook page (she later deleted it).
Now, tell me whether you’ve seen the phrase “lodged in his rectum” in any other IT story you’ve read this week. (Actually, please don’t tell me, as I’m not sure I’d want to know the details.)
Do you have your own social media horror story to share? Or has your company established social media policies to clamp down on security and compliance concerns?
One big oil company that she advises hired a lawyer as its CIO because it views information as a risk, and in turn wanted someone who understood the risks involved in data management.
Apparently the role of the CIO, particularly those in heavily regulated industries, truly is becoming one of an information manager, as opposed to a keeper of technology, she said. As such, enterprises want a CIO who understands the legal ramifications of information dissemination and one who can establish policies and controls that will help avoid lawsuits.
There are several factors driving some enterprises to hire legal experts as CIOs, and, granted, this is coming from Logan’s view as an e-discovery expert. But for one, regulatory agencies are much more active now in changing and enforcing the rules of e-discovery.
“This is really causing legal people to ask ‘Just what is in that 27 terabytes of information? What’s going to come back to haunt us?’” she said, adding that a recent conversation with a lawyer informed her of a new set of changes coming down the pike from the Federal Rules of Civil Procedure on e-discovery.
As a result, enterprises want to start producing data long before a subpoena or a case is brought against them; the number of lawsuits has risen during the recession because, unfortunately, it’s a way to make money, she said.
She’s not saying that the future CIO role is all about legalities. It’s more that CIOs should view themselves as information guardians, and managing information entails the ability to manage risk.
Still, it doesn’t hurt to take a legal course or two. Gartner, after all, recently sent one of its analysts to a course called Legal IT at the John Marshall Law School.
Read more on what attendees at the Gartner BI Summit had to say about their BI direction and technologies on their radar. BI coverage in coming weeks will touch on developing a BI strategy, emerging BI technologies and how Gartner rates the capabilities of the big BI vendors: IBM, Oracle, SAP and Microsoft.
“For me, security and risk management is a mind-set. When I go into a restaurant with my wife and kids, I automatically see where the exits are,” says Whiteside. And how the waitress handles the credit card. How far the credit card machine is from another table. The location of the security cameras, the station of the guard.
“I am always thinking about the security scenario, not to take advantage of it, but to be aware,” Whiteside says.
Whiteside is chief information security officer for Visiting Nurse Service of New York (VNSNY), the country’s largest not-for-profit home health care provider. Some 130,000 patient medical records and pieces of credit card data fall under VNSNY’s watch. The organization must comply with the Health Insurance Portability and Accountability Act (HIPAA), the Payment Card Industry Data Security Standard and the Sarbanes-Oxley Act (SOX).
Whiteside practices what is called a risk management approach to security compliance. I interviewed him this week for a story I’m doing on the topic. While his organization has many regulatory obligations, “the way I approach compliance is through risk. We do not focus on just ensuring we are compliant,” Whiteside says, stating the first principle of a risk-based approach to information security.
“When I look at new applications or systems or architectures, I am looking at the risks to our business and the risk to our information. Those are the things that are important, not does it meet a line item associated with HIPAA and SOX,” Whiteside says.
A risk management mind-set is always looking for patterns — not items on a regulatory checklist — that pose a threat to the asset one is responsible for protecting. So when somebody comes to him with a security problem, even if he knows nothing about the particular system or application, he can formulate a set of questions.
Incidentally, most CISOs live in a security mind-set, he says, whether they’re hard-core techies or recruits from the business side. “The methodology they follow by day at work is the methodology they live outside of work,” he says. At conferences, when CISOs unwind afterward with a drink, they invariably play a Where’s Waldo? version of security gaffes, competing to see who can spot the most security lapses. “It’s kind of weird if you are outside the circle.”
The mind-set can have its limitations, as the adage goes: “If you are a hammer, the whole world looks like a nail.”
Indeed, when he is taken by surprise, it is typically by something that happens on the business side.
“You can’t believe that business would make that decision. You have that mind-set and forget people don’t think that way,” says Whiteside, who nonetheless never forgets what needs to happen next.
“But the fact is they went down that path, and you have to make it right. CISOs are support personnel. That is the reality. We are on the same side of the business as the help desk, and that is all we are. Until it can be determined how a CISO can make the company money, we will always be there to support.”