November 25, 2015  1:30 PM

Between private cloud heaven and hell

Jason Sparapani

When Alan Waite first started talking about the difficulty of private cloud computing, he likened what could go wrong to the nine circles of hell in Dante Alighieri’s Inferno, the 14th-century work chronicling the poet’s harrowing journey through the underworld.

“That was considered to be a bit too negative. So I’ve changed it to ‘stairway to heaven,’” said Waite, a Gartner analyst, at the research shop’s 2015 Catalyst convention in San Diego. “Anyway, my points are exactly the same.”

Private cloud disappointment

This slide, from Alan Waite’s presentation at Gartner Catalyst Conference 2015 “Private Cloud: Keys to Success,” features comments from Gartner clients who were disappointed with their private cloud projects.

The truth is, Waite said, public cloud providers like Amazon Web Services and Microsoft Azure can host most everything far more efficiently than you can — no matter what size organization you run. So before anything else, think carefully about your data and whether it needs to be in a private cloud. When you’re crystal-clear on that, start climbing the stairway. Here are Waite’s milestones on the way to private cloud success.

Standardization. This is the No. 1 thing to think about, Waite said. IT can’t comfortably support multiple computing environments on a private cloud and be fast and efficient. “This is a hard conversation to have with the business,” he said. “But the more you can standardize — hypervisors, hardware platforms, operating systems environments, application environments — on your self-service portal, the more likely you are to succeed.”

Politics and team structure. To implement a private cloud environment, you must change your IT organizational structure, Waite said, and appoint a cloud architect and a cloud team to lead the initiative. “If you think that you’re going to keep your silos or server, storage, network, security, applications and so on, and maybe [IT will] have a meeting once a month where they talk about the cloud, it will not work,” he said.

Process and governance. Before building the technology for a private cloud, build a governance structure that will support provisioning — that is, tap computing resources when users need them, Waite said. One client told Waite that he could supply a business application with the resources it needed to run in 11 minutes, but all the approvals required on the business side for it to happen would take three days. That’s unacceptable, Waite said. “Fix the provisioning process before you start.”

Automation complexity. “This is the next thing that runs into trouble, trying to do too much too soon,” Waite said. Start small, automating just a few important workloads, and progress from there. Otherwise, complexity will grow exponentially — and failure will follow, he said.

Check out part two of this two-part tip for other technology and people issues businesses will encounter as they build a private cloud.

Let us know what you think of the story; email Jason Sparapani, features writer, or find him on Twitter @jmsparapani.

November 25, 2015  1:08 PM

For CIOs, big data conversations shift to IoT

Nicole Laskowski

The big data conversations among CIOs and senior IT leaders are starting to shift to the Internet of Things, according to Jill Dyche, vice president of best practices at SAS Institute Inc. “I still see them as two different things, but the feedback I’m getting is that big data is evolving into IoT,” she said.

In preparation for 2016, Dyche has been talking with her CIO clients and polling SAS account executives to find out what customers are clamoring for, and a couple of questions related to IoT have started to emerge. They are as follows:

  1. What’s needed? CIOs and IT leaders are asking what technologies or functionalities they’ll need for IoT that they don’t already have in their big data ecosystems — such as event stream processing, Dyche said.
  2. Who should execute? CIOs and senior IT leaders are asking who needs to be on the team. Should it be a mix of incumbent data warehousing experts, data scientists and Hadoop specialists? Dyche said the subtext behind this question is about training versus hiring: What tasks can the current IT department take on and what tasks will require new talent.
  3. Who owns it? One conversation Dyche said she’s having with just about every CIO and senior IT leader she’s working with is who should own and fund projects like IoT — as well as big data and even application development. “The common assumption of the early adopters is that IT will own and enable the stack,” she said. It will supply the event stream processing, the grid platform and the network speed, but CIOs and senior IT leaders are also demanding that the business steps up and makes use of the technology.

November 24, 2015  4:38 PM

CIOs make security a priority for 2016, but not privacy

Nicole Laskowski

TechTarget’s 2015 Annual Salary and Careers Survey results provided another reminder that while security is a high priority for CIOs and senior IT leaders, privacy is not. When asked to select their three top IT projects for 2016, almost one-third (27%) of the 248 CIOs, CTOs, CISOs, executive vice presidents and directors of IT polled by the survey selected security as their highest priority. Privacy, on the other hand, was dead last out of a list of more than 30 options, with just 1% of those surveyed selecting it.

Although security and privacy share a common goal, to keep sensitive or important information protected, they are often seen as distinct topics that live on the line dividing IT and the business. According to Jill Dyche, vice president of best practices at SAS Institute Inc., security is often equated with technology whereas privacy is equated with policy, such as how enterprise data is used.

Here’s how she put it: “Privacy is more in the purview of the business in terms of policy-making as opposed to security, which is more of a technology, a platform and, arguably, a software play,” she said. Dyche said the chief marketing officer and the chief digital officer are likely two business executives obsessing over privacy policies right now. “They’re getting that opt in/opt out information in their organizations, and they have to figure out what to do with it,” she said.

Gregory Turner also wasn’t surprised that privacy and security are thought of separately by CIOs and senior IT leaders. Turner serves as the COO and default head of IT at Millennium Collaborative Care, a nonprofit organization that’s trying to better connect Medicaid patients in western New York with health care providers. Because the organization works in the health care industry, security and privacy are often defined differently by local and federal guidelines, such as the Health Insurance Portability and Accountability Act, better known as HIPAA, which regulates how health care data is guarded and used.

As such, Turner distinguishes along similar lines between the two areas: “Security is preventing unauthorized access to systems and data,” he said. “As for privacy, even though you have access to applications and systems, you may not necessarily have access to personal information related to employees or patients.” Per HIPAA’s privacy rule, health care organizations are also required to create policies that “set limits and conditions on the uses and disclosures that may be made of such information without patient authorization.”

But, Turner said, while patient identities have to be carefully guarded, they also have to be clearly communicated from one health care provider to another to ensure high-quality care, which can require a sophisticated methodology. “The patient identifier is an important component to a solution,” he said. “But you almost have to have a mapping program that will allow another provider or a doctor’s office to say, ‘this patient under Millennium is this guy in this practice’ without sharing the identifier.”

Turner is, in essence, talking about data governance, which Dyche described as a topic that can make it easy to conflate security and privacy. “A lot of those conversations we were having five years ago about data governance are coming back in the form of data security,” she said. “If you deconstruct the security requirements, you get to platforms and access rights, you get to the data itself and the policies around that data.”

October 31, 2015  1:10 PM

Six 3D printing myths dispelled

Nicole Laskowski

CIOs who’ve taken a more conservative stance on 3D printing may want to think again, according to Pete Basiliere, an analyst at Gartner Inc. “It’s imperative that the IT organization be prepared for use and the disruption that will occur when 3D printing is throughout your organization,” he said.

That can be hard to do when 3D printing myths abound, giving CIOs the false impression that they can put things off for now, Basiliere said. In that vein, he went on to dispel six 3D printing myths during his talk at the Gartner Symposium/ITxpo. They are as follows:

  1. 3D printing is too expensive. 3D printing can be expensive, but it doesn’t have to be. Like 2D printers, prices for 3D printers can range from a few hundred dollars (and can be purchased at Staples) to well over a million dollars.
  2. 3D printing is only good for cheap plastic parts. Simply not true, Basiliere said. 3D printers are now being used to manufacture key parts for hearing aids and dental restoration, which aren’t cheap and, in the case of a dental crown, aren’t plastic.
  3. It will bring manufacturing back. “A lot of folks seem to think that it will, but I disagree,” Basiliere said. “We will always have products that benefit from being mass produced.” 3D printing, though, will enable businesses to mass produce customer personalization. New Balance, for example, can design shoes specifically tuned to a runner’s gait. “They’ll build soles for shoes that have a unique spike placement for that athlete,” he said.
  4. 3D printers can print replacement organs. “No, we can’t,” Basiliere said. “And they probably won’t in my lifetime.” But a San Diego-based company called Organovo can bioprint tissue. The company is partnering with pharmaceutical and cosmetic companies like L’Oreal, which is using bioprinted skin tissue in the cosmetic development process.
  5. Terrorists will print undetectable guns. “No doubt they will try, but it’s like the equivalent of counterfeiting one dollar bills,” Basiliere said. “It’s not worth the risk.” At least as of right now, it’s easier to acquire weaponry in other ways.
  6. The market is in flux. Publicly traded companies, including the two biggest in the industry, “have had a heck of a ride over the last two years,” Basiliere said. Stock prices have increased dramatically only to dip lower than original starting prices. “But when I talked to major manufacturers of 3D printers around the world … every other manufacturer said their sales were strong and growing and that they hadn’t seen a decline in 2014 or the beginning of 2015.”

October 30, 2015  6:59 PM

CIOs’ leadership skills help teams see greater vision

Jason Sparapani

The years and days leading up to the anticipated Y2K computer glitch were frenzied for anyone in IT. Rafael Mena, who was a software development project manager at Florida’s Orange County government, had about 30 projects on his list at any given time. He recalls a conversation with a department head about one of them.

“‘What priority is this project?’” Mena asked him. “He says, ‘What do you mean? They’re all No. 1.’ I said, ‘OK they’re all No. 1. Can you tell me which one is No. 1a, which one is b and c?’ He didn’t like that, so he pretty much left the meeting.”

Mena, now CIO for Orange County and speaking at a career panel at the recent Gartner Symposium ITxpo, in county seat Orlando, Fla., was in home territory. But his message was for CIOs and aspiring CIOs everywhere. Conversations like the one he had 15-plus years ago don’t happen in his IT department.

“Communication to me is the most important aspect within my operation, my group,” Mena said. “My organization knows what priority No. 1 is, No. 2 is,” he said.

The panel discussion, hosted by professional network Hispanic IT Executive Council, brought together Mena and Daphne Jones, CIO for global services IT at GE Healthcare. The pair talked about the qualities, characteristics and skills CIOs need to lead IT in an era of unprecedented technological change and maintain a unified vision.

CIO career panel

Gartner analyst Gene Alvarez (right) moderates a discussion with CIOs Daphne Jones, of GE Healthcare, and Rafael Mena, of the Orange County (Fla.) government, on succeeding as a CIO today, at the recent Gartner Symposium ITxpo in Orlando, Fla.

Jones said in her IT organization, alignment with a single set of goals is crucial. That’s enforced by town hall-style meetings and smaller team-based check-ins. It’s all part of the mission to be “simple, relentless creators of value.”

“So I drive simplification. How can we do it faster? How can we do it with less bureaucracy?” she said. Doing that requires a deep knowledge of the business goals — and determination. “The word no, the word impossible is just somebody’s opinion; it’s not a fact, so my goal is to think of the word impossible and just knock it out of the way and be relentless in the pursuit of value.”

For Mena, the goals of the county mayor are paramount, so he works to ensure his team is working toward them, meeting with senior managers once a week and every staff member every quarter. That ongoing line of communication is especially important for his government-sector IT team, which is responsible for supporting the IT and business systems for his central Florida district of 1.2 million. It’s an environment where anything can happen, so IT staffers need to be prepared for hurricanes, fires, floods — anything.

“Somebody dies in our jail for one reason, things change. We got to see what happened,” he said. His team would support the resulting investigation, doing research, processing information, analyzing data. “In our business you’ve got to be flexible to be able to deal with the constant change.”

One of the strengths of Mena’s team is its diversity, which gives rise to a broad range of ideas on how to crack problems, he said.

“I have people from all over the world: China, India, Russia, Brazil, Venezuela, Colombia, Italy, Argentina,” he said. “When we sit down and discuss how to solve problems, it’s very interesting to share different perspectives from people who lived and were raised in other parts of the world. So the solutions are richer; the perspectives are different.”

Let us know what you think of this story; email Jason Sparapani, features writer, or find him on Twitter @jmsparapani.

October 23, 2015  6:23 PM

Cloud council: Pick PaaS to swiftly develop, deploy apps

Jason Sparapani

The need for speedy development and deployment of applications is a real one — which is why organizations shouldn’t pass on PaaS.

That was the gist of a talk on platform as a service by Mike Edwards, who works on cloud computing standards at IBM.

“That’s where PaaS fits,” Edwards said in a webinar Thursday. “It’s about supporting the economic pressure for the need to develop more and better software — because ultimately your business is implemented through software.”

The Cloud Standards Customer Council, an advocacy organization for cloud services customers, aired the webinar to present the paper “Practical Guide to Platform-as-a-Service,” which gives an overview of PaaS plus recommendations on deployment and operation. The paper was written by Edwards, John Meegan, program manager for IBM’s Open Cloud, and other CSCC members.

PaaS sits in a unique spot in the cloud computing horizon, Edwards said. Like infrastructure as a service (IaaS) and software as a service (SaaS), it eliminates the need for the customer to manage things like servers, storage and networking. But while IaaS offers full-on data center capabilities in the cloud, customers still have to deal with applications, data, runtime and operating systems. And SaaS applications, though appealing — the provider handles all the hardware and software on its end — don’t always meet an organization’s specific needs.

PaaS in context

This slide, from the Cloud Standards Customer Council presentation “Practical Guide to Platform as a Service,” compares PaaS with other cloud offerings.

PaaS, though, may be just right: The provider sets up the servers and hardware and configures and operates them. The customer just has to put in application code and data, an easy-to-follow recipe for creating customer software, Edwards said.

“The whole idea here is to simplify the whole task of building custom applications and running them, making it much easier than it would have been on-premises or even with infrastructure as a service,” he said.

There are a number of PaaS products on the market — Microsoft Azure, IBM Bluemix and HP Helion, to name three high-profile examples — but all of them share certain characteristics. Most important is the support for custom applications that are native to the cloud. They also support a number of runtimes — important if you’re developing a number of applications. For example, there is the Java JDK runtime for Java applications and Node.js runtime for Node.js apps. The capability is sometimes called “polyglot.”

“Basically it means PaaS can support the most appropriate technology for your application,” Edwards said.

Characteristics of PaaS

This slide shows the 12 characteristics of PaaS offerings, as detailed in the CSCC paper “Practical Guide to Platform-as-a-Service.”

There are 12 shared characteristics in all, including coming equipped with mechanisms for deploying quickly — PaaS environments can take “minutes or seconds in some cases” — security and middleware capabilities and developer tools.

Organizations that are thinking about PaaS have a lot more to think about. They need to build a cross-functional team involving not just the IT department but also business units, which have all the end users. That way, IT will know what capabilities people need to have. They also need to carefully examine the cloud service agreement with the provider so that the PaaS does what’s needed. And they need to take costs and charges, software licensing, and compliance requirements into account.

And then there’s governance: having a communication channel open to the provider, having the right security controls in place and knowing the physical whereabouts of your data. Edwards brought up the recent scrapping by the European Union of the Safe Harbor pact, which allowed Europeans’ personal data to be hosted on U.S. servers. It’s now illegal.

“It’s all about knowing where your data is and that the appropriate data controls are put in place and for the processes that you’re handling,” Edwards said.

Let us know what you think of this post; email Jason Sparapani, features writer, or find him on Twitter @jmsparapani.

October 19, 2015  11:26 AM

Dell-EMC and the cloud joust

Nicole Laskowski

Senior IT leaders and analysts called the $67 billion Dell-EMC deal a good thing, for the most part. A combined and stable Dell-EMC should offer CIOs a great source of products for their company data centers, but what about cloud offerings? For some experts, that’s the big question.

Jonathan Reichental, CIO for the City of Palo Alto, and Glenn O’Donnell, vice president and research director at Forrester Research Inc., described the merger as a data center infrastructure play, a still-important global market. “There is still a sizable global market in data centers. Those systems have to be updated and modernized,” Reichental said.

O’Donnell echoed Reichental’s comment about continuing to meet those traditional hardware needs for the enterprise. “The extreme majority of companies are still going to require some in-house data technology,” he said. For those purchases, CIOs are going to want a trusted advisor who won’t gouge them on prices. The Dell/EMC combo could provide that balance, he said.

But how the Dell-EMC deal plays in hotter, less mature technology areas such as cloud services, which give the business added flexibility and agility, is still a little muddy, O’Donnell said. Speculation abounds, but Dell has not publicly stated its plans for the “EMC federation,” a collection of acquired companies that had “significant autonomy” under EMC, including Pivotal, RSA and, most notably, VMware, according to a report titled Quick Take: Dell Buys EMC, Creating a New Legacy Vendor.

“In particular, the combined firm has not committed to merging or otherwise rationalizing EMC Virtustream and VMware vCloud Air into a single service portfolio, which means there’s little impact on the public cloud market,” according to the report, which was written by several Forrester analysts, including O’Donnell. Virtustream (acquired by EMC in May) offers a suite of cloud management services while vCloud is a public cloud platform.

It’s not as though Dell-EMC is out of the cloud game. The merger will enable Dell to provide “converged solutions to power private clouds,” according to the Forrester report. In fact, Forrester recommends that CIOs of companies more than a decade old “keep Dell on your shortlist for converged infrastructure private cloud.”

But is it enough? The Forrester report (among others) goes on to say that those offerings won’t be able to match the prowess of “hyperscale public cloud leaders Amazon Web Services, Google, IBM and Microsoft,” who are all aiming for the enterprise.

October 16, 2015  1:58 PM

Frito-Lay: ‘Omniculturals’ at the intersection of IT and marketing

Linda Tucci

Ram Krishnan has a big job in IT. He is the chief marketing officer (CMO) at Frito-Lay North America, a $14 billion division of PepsiCo. In addition to Fritos corn chips and Lay’s “Betcha can’t eat just one” potato chips, the company’s products include Doritos, Tostitos, Cheetos, Ruffles and my childhood favorite, Cracker Jack — in other words a pantheon of junk food whose brilliant branding would appear to have little to do with IT.

Not so, not any more, as Krishnan made abundantly clear in his keynote talk on the intersection of marketing and technology at last week’s FutureM conference in Boston. (The “M” stands for marketing.) At Frito-Lay, where the marketing team is replete with marketing technologists, data and technology are central to a brand’s success, Krishnan said.

Krishnan, named one of the “30 Most Creative People in Social Media Marketing” by Business Insider, is the driving force behind Frito-Lay’s “Do us a Flavor” promotion. The online campaign is waged largely on Facebook where millions of users have submitted, shared, voted on and Tweeted about new #DoUsAFlavor combinations for Lay’s potato chips. (The 2015 U.S. finalists are: Greektown Gyro, New York Reuben, Southern Biscuits & Gravy and West Coast Truffle Fries. The winner can opt for $1 million in prize money or a cut of the sales.)

Krishnan also oversees “Crash the Super Bowl,” an online competition now in its 10th year. Frito-Lay asks customers to create their own Doritos commercial for the big event, guaranteeing that at least one ad will be aired during the Super Bowl. (This was last year’s bro-centric winner.) Digital, interactive campaigns of all sorts connect Frito-Lay products with holidays, cult TV shows and social movements. At the FutureM conference, Krishnan let the audience in on how Frito-Lay is digitally deploying Chester Cheetah, the (slightly creepy) official mascot of Cheetos, to get a piece of Halloween.

The omniculturals

The word that came to mind when I read the flavor descriptions from the 2015 #DoUsAFlavor campaign and watched the off-color winning Super Bowl ad was yuck, but people like me don’t matter. My adult children do. The campaigns are aimed mainly at the two youngest of today’s five generations of consumers — the technology pioneers or Millennials, born between 1981 and 1996, and the digital natives or Gen Z-ers, born between 1997 and 2015.

Millennials and Gen Z-ers are not the same, Krishnan explained, but they are united by technology. “Technology has been omnipresent throughout their lives and is a universal language for these two cohorts,” he said. Indeed, when marketing Lay’s potato chips, sold in 76 countries, “it is striking how alike these cohorts are across the globe.”

“We call these consumers omnicultural. Geography does not define who they are. The demographic around the globe has much the same taste in music, in style, video games,” he said.

Among the many attributes shared by the omnicultural cohort are three that are of particular interest to CMOs — and should also be of interest to CIOs. They are:

1. BYOS, or bring your own screen: The average American has access to four screens, according to Krishnan, and 87% use multiple screens at the same time. When Krishnan’s family gathers in front of the TV — a popular image in advertising since the dawn of television — he’s on his laptop, his wife is on her iPad, his daughter is on her phone and his son is playing a video game. Marketing campaigns today must not only have “sharability” but be designed to be consumed on multiple screens.

2. ROI, or return on image: Millennials and Gen Z-ers care about digital presence, in ways previous generations (with the exception of movie stars and public figures) do not. They curate their digital presence with more care than they curate their living spaces. According to Krishnan, “52% of [Millennials and Gen Z-ers] said that when they get ready in the morning, one of the things they are thinking through is how what they are wearing will look on a social media post.”

3. Any reason to #celebrate: Both Millennials and Gen Z-ers have a “self-inflicted pressure to live interesting lives,” Krishnan said. One of the ways they track and promote interesting lives is on social media. “They use hashtags as a way to connect with peers, as a way to actually navigate this world and to make the days of the week more interesting,” he said.

CIOs, CMOs live in scary times

Finally, conventional marketing doesn’t engage this demographic. “These two cohorts don’t want to be marketed to but they are willing to have a conversation with the brands — and create content,” Krishnan said. In fact, traditional marketing is dead to them.

“This is one of the scariest times to be a marketer. The industry and landscape is changing. I would submit to you that no other function is changing as dramatically as marketing, outside of IT,” he said.

Email Linda Tucci, executive editor, or find her on Twitter @ltucci.

October 8, 2015  2:04 PM

Gartner Symposium: Why does a CIO need a CDO?

Nicole Laskowski

ORLANDO, Fla. — How can a chief data officer (CDO) help a CIO? Gartner analyst Debra Logan counted the ways at the Gartner Symposium ITxpo.

As businesses go digital, many CIOs will need help, especially at companies struggling with data quality and data governance issues. “What we’re really telling you is that you’re getting a bunch of new responsibilities because of digital business,” said Logan, who has written extensively about the role of the CDO. “Flipping to digital leadership expands the role of the CIO.”

And it adds pressure to an already pressure-filled job, especially if CEOs are expecting to double revenue attributed to digital business in the next five years, as Gartner’s annual CEO survey suggests. A data officer, or a person responsible for building a strong data foundation, reducing risk and exploiting the value of data, can help CIOs push the data envelope for businesses that need to transition from historical to predictive analysis, from passive analysis to active experimentation, from analyzing structured data to analyzing text and multimedia, and from separating analytics to embedding analytics. “That’s going to require a lot of stuff, data quality being the first on the list,” Logan said.

Plus, if data governance is still a struggle, CDOs can help there, too, retooling practices from command and control to something a little more people centric, Logan said. “One of the first programs CDOs often launch or are put in the middle of is [master data management], which is a core information governance project,” she said.

She encouraged CIOs to not only embrace the CDO (or the chief analytics officer) as a colleague — but to help shape — and even champion — the role as well. “When the relationship is good, then things start to happen, and [CIOs and CDOs] have success,” Logan said. And when it isn’t, they often don’t. Plus, she said, if a data officer is inevitable, CIOs will be happier if they have a voice in how the position is developed than if they don’t.

That said, not all companies will develop a CDO role. Gartner predicts only 25% of businesses will have a CDO by 2017. Some companies won’t need one; others may need a CDO, but may not be ready for one. Logan advised that if the CDO position doesn’t have board level support, if the business is overly protective of their data and resistant to change and if data governance isn’t a priority, CIOs should avoid suggesting the company develop the position.

Still other companies may want the CIO to take on CDO responsibilities. If that’s the case, Logan said, the worst thing a CIO can do is assume the role without additional resources and personnel. “Because, guess what, it’s going to take people to do this,” she said.

October 7, 2015  8:11 AM

Gartner Symposium to CIOs: Vigilance, curiosity for better security

Jason Sparapani

ORLANDO, Fla. — At an event where predictions of tomorrow’s technology held center stage — algorithms operating cars, smart machines helping call center agents do their jobs better, “robo-bosses” evaluating our performance — it’s telling perhaps that the first speaker was Brian Krebs.

Krebs, the investigative reporter who broke the story of the 2013 Target security breach, told a crowd of CIOs and senior IT executives at this year’s mammoth Gartner Symposium ITxpo that many victims of cyberattacks had the information right there in their event logs — they just didn’t have the curiosity to check them.

Investigative reporter Brian Krebs speaks at the Gartner Symposium ITxpo in Orlando, Fla., on Sunday.

“I guarantee you the fraudsters don’t suffer from this — they’re infinitely more curious by nature,” said Krebs, a former Washington Post reporter who now dogs cybercriminals on his website Krebs on Security. “And their curiosity really knows no bounds.”

You say you’re secure — are you sure?

The problem organizations have, Krebs said, is a “perception-reality gap.” They think they’re doing what they need to do to secure their systems and their networks — they have virus and firewall protection in place, they regularly install software patches and they secure email. But those conventional approaches are no match for those Krebs calls the bad guys, who have multiplied over the past few years and as a result are innovating at a rapid rate.

To cite two examples, operators of underground marketplaces for stolen identity card information are vying with the competition by giving customers discounts when they buy in bulk and even profiling them using analytics to offer the types of card numbers they prefer — MasterCard over Visa, say.

Organizations aren’t keeping up in their security practices, Krebs said, because they want the benefits of technology but are reluctant to put in the unglamorous work of continuously monitoring their networks and shoring up weaknesses. And they don’t want to spend more than they have to.

“Traditionally, organizations have spent an inordinate amount of their scarce security budgets trying to meet security compliance obligations that they may have,” he said. What they should be doing is looking for ways to attract and keep talented security folks.

For Shirish Patwardhan, co-founder and CTO of Indian software company KPIT Technologies, the issue hits close to home.

“All my company is compliance-based,” he said. And he knows that won’t stop breaches. “It’s very dangerous because this is going to go on and on.”

Patwardhan said the type of preventive approach Krebs prescribed isn’t promoted enough among organizations. People are people, he said, and if security breaches don’t happen to them, they don’t happen, period. “It’s just a human inclination,” he said.

‘Everyone gets hacked’

The clarion call for heightened vigilance echoed in other chambers at the conference. In a keynote speech describing a “post-app” economy of algorithms that do jobs once done only by humans, Gartner analyst Peter Sondergaard spoke ominously about threats facing all organizations today.

“Everyone gets hacked in the new world. It’s only a matter of time,” he said, adding that 71% of organizations have had to switch on disaster-recovery or business-continuity procedures over the past two years. “Minor problems are constants and major incidents are inevitable. Be ready.”

It was a sentiment not lost on Robert Juckiewicz, vice president for IT at Hofstra University.

“We worry about it every day,” he said. Security has become one of his organization’s highest priorities, but there’s an added layer of complexity and difficulty at educational institutions.

“The purpose of education is to create and disseminate information. That goes counter to security,” he said.

While at the conference, he talked to a peer in an accounting firm who said the practice there is to block everything. “At a university, you can’t do that. You should be able to look at anything.”

Let us know what you think of this post; email Jason Sparapani, features writer, or find him on Twitter @jmsparapani.
