When Andrew Stanley received the email from PayPal, he knew immediately that something was amiss. There in the PayPal domain name, “under one of the a’s” was a Turkish accent mark called a cedilla.
“If you looked at it on your laptop monitor, it looked like a little speck of dust,” said Stanley, who is the chief information security officer at Philips, the Amsterdam-based healthcare and consumer lifestyle company.
“I didn’t use anything with PayPal and I said, ‘What is that?’ I happened to put my finger on it and it didn’t move. That’s when the light went on,” Stanley told the audience at the recent MIT CIO Symposium, where he was a guest speaker in a session titled, You were hacked: Now what?
Of course, what caught the expert’s eye, a layman could easily miss. In fact, laymen do easily miss such warning signs on a regular basis. According to a recent study, over 90% of cyberattacks start with a phishing email.
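One defender-side check for the kind of lookalike sender domain Stanley describes, added here as an example that is not part of the original article: it decomposes accented letters, drops the combining marks (the cedilla under the “a”), and compares the result against a list of domains mail is expected from. The trusted-domain list and the sample addresses are constructed for the example.

```python
import unicodedata

# Constructed allow-list for this example: domains mail is legitimately expected from.
TRUSTED_DOMAINS = {"paypal.com", "philips.com"}


def skeleton(domain: str) -> str:
    """Collapse a domain to its unmarked base letters.

    NFKD splits each accented letter into base letter + combining mark
    (Unicode category Mn); dropping the marks turns 'pa\u0327ypal.com'
    (cedilla under the a) or 'paypąl.com' (ogonek) into 'paypal.com'.
    """
    decomposed = unicodedata.normalize("NFKD", domain.strip().lower())
    return "".join(ch for ch in decomposed if unicodedata.category(ch) != "Mn")


def analyze_sender_domain(domain: str) -> dict:
    """Return the indicators a mail gateway or reviewer would want for one domain."""
    lowered = domain.strip().lower()
    # Names of every non-ASCII code point, so the report says *what* was hidden.
    marks = sorted({unicodedata.name(ch, f"U+{ord(ch):04X}")
                    for ch in lowered if not ch.isascii()})
    try:
        # The wire form (xn--...) that DNS and most log pipelines actually see.
        punycode = lowered.encode("idna").decode("ascii")
    except UnicodeError:
        punycode = None  # not encodable as an IDN at all; itself worth flagging
    base = skeleton(lowered)
    lookalike_of = base if (base in TRUSTED_DOMAINS and lowered != base) else None
    if lowered in TRUSTED_DOMAINS:
        verdict = "trusted"
    elif lookalike_of:
        verdict = "lookalike"
    elif marks:
        verdict = "non-ascii"
    else:
        verdict = "unknown"
    return {"domain": lowered, "punycode": punycode, "non_ascii_marks": marks,
            "lookalike_of": lookalike_of, "verdict": verdict}


def sender_domain(address: str) -> str:
    """Domain part of an e-mail address (text after the last '@')."""
    return address.rsplit("@", 1)[-1]


if __name__ == "__main__":
    # Constructed samples; the second one carries a combining cedilla under the first 'a'.
    for addr in ("service@paypal.com", "service@pa\u0327ypal.com",
                 "billing@paypąl.com", "news@vendor.example"):
        r = analyze_sender_domain(sender_domain(addr))
        print(f"{r['verdict']:10} {r['domain']!r:26} punycode={r['punycode']} "
              f"marks={r['non_ascii_marks']}")
```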
Educating employees on how to detect and prevent phishing attacks continues to be a crucial step in protecting sensitive information, Stanley said. Tabletop exercises simulating online attacks and penetration testing are other good ways to test the cyber incident response capability of an organization and its employees.
“Penetration testing forces you to be a little more real-time. In certain types of pen tests, they are actually looking at your detection systems to see what they can and can’t pick up,” he said.
He also stressed the need for hiring security intelligence staff.
“That’s one of my highest cost investments,” he said. “We have our tactical or technical intelligence team, which is able to look at trends and different phishing attempts and try to correlate that to a particular attacker. Then we have our strategic intel team that’s trying to figure out the ‘why’.”
Figuring out the “why” is vital, because determining the hackers’ intent before the information walks out of the door is going to help organizations prevent such attacks in the future, Stanley added.
James Lugabihl, director, execution assurance at HR management services firm ADP, and also on the panel at the MIT CIO Symposium, said that fostering a security conscious culture is one of the key strategic pillars of ADP’s security organization. “We try to drive that in every opportunity we can within our brand image.”
He laid out several steps to help drive a security culture: Managing privileged administrator accounts, having proper network segmentation and implementing the right crisis management plan. Organizations need to plan properly and focus on the proper execution of their incident response plan, he added.
“I don’t agree with ‘practice makes perfect’; perfect practice makes perfect. Because if you are doing it wrong in practice, you will continue to do it wrong when it hits the fan,” Lugabihl said.
File this in your folder marked Digital content strategy for the Millennial crowd. (More on the crowd part later.)
In 2015, Scripps Networks Interactive, parent to cable blockbusters HGTV, Food Network and the Travel Channel, launched a new business division: Scripps Lifestyle Studios. Its mission?
According to Vikki Neil, who oversees the division, a big aim was to get to where most companies and advertisers want to be these days: on the social platforms favored by Millennials — Snapchat, Facebook, YouTube, Instagram, etcetera — with the full digital panoply of videos, photos, blogs and articles.
Two years later, the 125-person division has racked up five billion video views and delivered some 5,000 pieces of original content distributed across seven social platforms, which it updates 24 times a day. That’s a 750% growth — without raising headcount, Neil told an audience of digital strategists at the recent Digital Strategy Innovation Summit in New York.
“We basically went in and said, ‘Hey, guess what guys? Everyone has a new job. Starting tomorrow you’re all going to be content creators,’” she said.
Along the way, Lifestyle Studios has developed a better sense of how to reach advertising’s new favorite generation. One guiding principle of its digital content strategy: “It has to look authentic. If you create something that is faux, you need to call it faux and make a joke of it,” Neil said.
Another selling point will be familiar to parents of Millennials. “Communal stuff works well — they love a crowd,” a finding reflected in the digital content her division creates for Food Network and HGTV, and on the TV screen, Neil said.
“If you go to the shows, you’ll notice a lot more people now on the TV screens and in the digital content, for sure. You’ll see people doing things with their families, instead of just one person,” she said.
Big holiday gatherings also present opportunities for developing content for Millennials, but with a twist, Neil said. She pointed to a Millennial-focused project her division did for Thanksgiving.
Called Friendsgiving, the digital content targeted an audience that was “not necessarily aiming for the traditional Thanksgiving gathering,” but was interested in having a “communal collaboration” to mark the occasion. Scripps’ content featured a gathering where everyone brings something, like a potluck, but “more elevated,” Neil said. “Packages around that did well for us and for advertisers.”
Digital content strategy expands
The pursuit of an effective digital content strategy continues apace at Scripps Networks Interactive (SNI). Earlier this month, the company announced the acquisition of online food publication Spoon University, started by millennials Mackenzie Barth and Sarah Adler. The company also expanded its 2015 deal with Snapchat’s Discover platform to include new food and home programming aimed at “millennials and centennials who may not yet be hooked on our premium offerings,” the company said.
In SNI’s May 23 earnings call, the Lifestyle Studios division was called out as the company’s “one-stop shop for all digital content, leading the way for digital and video integration” by Kenneth W. Lowe, SNI chairman, CEO and president.
“The Lifestyle Studios generated nearly 2.9 billion video views. That’s an increase of about 450% over the first quarter of 2016, really a remarkable achievement and just one example of our determination to expand our reach across all devices,” Lowe crowed.
Bonus tip on digital strategy: Read about how centennials will force companies to rethink online privacy.
Open communication channels are critical to organizations’ cyber-risk management strategies, according to Michael Siegel, principal research scientist at MIT Sloan School of Management. Yet board reporting by CISOs about the risk of cyberattacks is only now becoming a regular practice.
“The understanding of cyber risk and the reporting of cyber risk to the board was perhaps nonexistent, except at the top-tier financial companies,” said Siegel, also the associate director at MIT’s Interdisciplinary Consortium for Improving Critical Infrastructure Cybersecurity.
As data breaches and ransomware attacks have become regular items in news headlines, however, board demands for more cyber intel are increasing. “Now I’m hearing report quarterly, report monthly. I’m hearing the CISO reporting and working on risk assessment presentations to the board.”
Communicating about the threat of cyberattacks is complicated, Siegel said, because other risks organizations face — the potential of getting hit with lawsuits, say, or sustaining property damage after a natural disaster — are managed in the risk management office, with efforts typically led by a chief risk officer or the CFO.
Those executives and the CISO have different views of cyber-risk management, he said. Take cyber insurance, also known as cyber liability insurance coverage, which can help organizations offset the financial damage of a data breach. About a third of U.S. companies have policies now, according to a PwC report, but the market is growing and is projected to hit $7.5 billion by 2020.
It’s CFOs and CROs who are fueling that interest. CISOs — not so much.
“To the CISO — I’ll overstate this — but cyber insurance really doesn’t mean anything,” Siegel said. “It’s something the CFO does to manage the ultimate risk of the company. To the CISO, that my systems work and that I’m not attacked and that we don’t have downtime — the operational aspect of keeping things running — is the major significance.”
The CISO then is perhaps in a better position to understand what the risk of, say, introducing new technologies in the organization is, he said — highlighting the importance of clear communication between the IT security chief and the CFO in guarding against cyberattacks.
“They have to understand how to speak to each other and make the two things work.”
MIT’s Michael Siegel discusses more about cyber-risk management — including the “inverse ROI” of not investing in cybersecurity — in this SearchCIO interview.
CAMBRIDGE, Mass. — Universal basic income, a monthly stipend given out by a government to help cover its citizens’ basic needs, is getting a lot of attention as advances in automation exceed what even the experts predicted and median wages continue to stagnate. But two researchers at the recent MIT Sloan CIO Symposium said the need for universal basic income (UBI) is premature.
Andrew McAfee and Erik Brynjolfsson, authors of the forthcoming Machine, Platform, Crowd: Harnessing Our Digital Future, said UBI is not a viable solution for the sort of job loss happening in our current economy. “The data are incredibly clear: Month-by-month, as long as we’re not in a recession, we need more hours of work to make the economy go,” said McAfee, principal research scientist and co-director at the MIT Initiative on the Digital Economy.
Indeed, despite the fact that machine learning systems are advancing at a faster pace than expected, machines still can’t do everything, according to the researchers. And when McAfee and Brynjolfsson researched UBI for their previous book, experts explained to them that “the core problems were not so much something that you could write a check for. It was the fact that people wanted to be engaged in their community, wanted to work,” said Brynjolfsson, director of the MIT Initiative on the Digital Economy and an economist.
Regardless, UBI is not an all-or-nothing solution for people suffering from wage stagnation, Brynjolfsson said. Adjustments to public policies on minimum retirement age, family leave, health care and disability support could raise the standard of living while keeping people engaged. And, he continued, these kinds of policy decisions to benefit the citizenry are not unprecedented in our history. The introduction of public education, anti-trust policy, changes in the income tax code and social security are examples of policies made for the common good, Brynjolfsson said.
“All of which were incredibly controversial at the time, and yet we got past it,” McAfee said.
“And the net effect was having a dynamic capitalistic vibrant economy with lots of competition, lots of innovation but also living standards that were raised for a broad set of people,” Brynjolfsson said.
“If you’re bringing a chief digital officer inside the company to make the company work more effectively, more productive — that’s the role of the CIO,” said Jim Fowler, vice president and CIO at GE. He was speaking at the MIT Sloan CIO Symposium in Cambridge, Mass., on Wednesday.
The chief digital officer, which shares the initialism CDO with the chief data officer, should be focused on commercial products, Fowler said — “software and analytics that you want to sell outside to your customers” — and how to develop and market those products. “That’s the value,” he said.
Peter Weill, chairman of MIT’s Center for Information Systems Research, said companies that offer innovative digital products and have data connections across services, making internal and customer operations seamless, see a significantly higher net margin than competitors do. “So that’s high stakes,” Weill said in a keynote address at the symposium.
As director of IT, the CIO plays a critical part as organizations make the shift from solely physical products and services to digital ones. But the chief digital officer role has drawn lots of attention, too, with some predicting that many CDOs would eventually replace CIOs in their organizations.
But Fowler’s comments affirm the view that gives the CIO and CDO discrete job descriptions, with data governance, IT security and cost-effectiveness the purview of the CIO and product design and marketing strategy the CDO’s. Celso Mello, CIO at Canadian home heating and cooling company Reliance Home Comfort, analyzed the roles in an article on SearchCIO’s sister site, SearchCRM.
“CIOs have focused on maintaining, improving and sometimes replacing IT infrastructure and legacy systems,” Mello wrote. “CDOs, on the other hand, are about breaking legacy paradigms and using new technology in new ways.”
Distinct — but linked
Fowler spoke about the CIO and CDO in the context of massive changes at his 125-year-old company. At the center of those changes is the “customer experience.” So companies in the market for industrial equipment like gas or steam turbines get machines that “run better, run longer, run more efficiently,” he said.
For Fowler, as head of IT, that means building “digital twins” of those physical assets and hooking them to data and analytics, connecting that with processes running in-house and externally in customers’ facilities.
“The CIO is focused on GE for GE. We have a billion-dollar target of productivity that we have to drive,” he said. “The CDO is focused on turning us into a $10 billion software business.”
Fowler admits that “underneath the covers, there’s a ton of overlap” between the CIO role and the chief digital officer role, and he even reports to GE’s CDO, William Ruh.
“But they are two very distinct roles,” he said. “I think if you’ve got a CDO that’s doing the role of a CIO and there’s a CIO there, a discussion needs to happen.”
For more insights on digital transformation from CIOs at the MIT Sloan CIO Symposium, read this SearchCIO report.
U.S. companies eager to implement robotic process automation — software that automates how humans interact with software — are often fixated on seeing a proof of concept, said RPA technology expert David Brain. And that’s not good.
“I feel bad going to clients and proving what’s been proven several times over,” Brain said. People will automate a simple process that might require one employee and half a spreadsheet and declare success.
“‘Yes, we’ve proved the concept!’ But all they’ve proved is that the technology works. What they haven’t proved is whether there is a business case for automation and will it deliver the scale of improvements the company wants to achieve,” he said. Rather than a POC, companies should insist on POV — proof of value — before embarking on RPA. “That’s the bigger challenge.”
Brain is co-founder and COO of Symphony Ventures Ltd., a consulting, implementation and managed services firm specializing in what the firm dubs “future of work technologies,” RPA technology among them. Founded three years ago, the firm has worked on RPA projects across a broad range of industries and geographies. “We’ve done deployments in five continents so far,” he said.
All work is local
The firm’s projects have also covered a diverse set of business processes. That’s because RPA is not a “process-specific solution,” Brain stressed, but rather the automation of rules-based, manual work not covered by a company’s process-specific technology systems. And that work necessarily varies from company to company.
“You can have five organizations and they each could be running the same ERP system, but the way in which these systems are configured depends on the particular company’s rules and that means there is different work that falls out manually,” Brain said.
At some companies, Symphony experts are called upon to automate the current manual process, using RPA technology to automate the work the same way employees do it. Other companies will want help on optimizing the process first before automating it.
“It really depends on what is driving the business decision,” Brain said. The nature of the work Symphony automates is always rules-based, but those rules can be extremely complex. (The firm has done projects in which it’s taken several months to capture and learn the processes that are eventually automated.)
Proof of value: Five steps
But, whether the RPA work is of the “lift-automate-shift” or “lift-shift-automate” variety, or involves simple or complex rules, companies need to follow certain steps in order to get a “proof of value.” Here is a synopsis of Brain’s five steps for deploying RPA technology:
- Scope the transformation
“RPA is a transformational tool, not a desktop macro builder. Look for pain points within the organization and identify what needs to change. This isn’t just a cost play; rather, it has to do with mitigating the challenges of growing in a linear fashion by increasing the number of full-time employees. For some, it is about improving speed and quality to differentiate in the market. Others are attracted by the insight and analytics that come from consolidating all transactional data into one database for real-time visibility.”
- Capture, map, measure
“The next step is to analyze the business and map processes at keystroke level. To do so, use experts in RPA, as it is important to drill into the areas where configuration will be complex. Standard operating procedures, training materials and system manuals will be great inputs, but not enough by themselves. Have the RPA experts sit with the process experts to map what really happens; afterwards, it will be easier to plot costs and service levels to the processes as a baseline.”
- Analyze and design
“With the scope defined and mapped, identify processes and parts of processes most suitable for automation. Then calculate the time and cost to implement these, as well as the benefits of doing so. Design a target operating model (TOM), which is a graphical depiction of the business structure and processes affected by the RPA implementation; it should detail everything from stakeholders to the applications/systems used by the automation. It’s important to map not just the RPA portions but also the scope of the business to determine how to redeploy resources to drive greater business value.”
- Plan and forecast the journey
“Consider all that is involved in the transformation and don’t underestimate the time required for change management and benefits realization. Create the implementation plan and financial model by looking at the savings and the cost avoidance that this transformation will bring over an estimated three years. Consider the cost of not only implementing RPA but maintaining the solution and updating it to take on additional tasks as needed.”
- Gain sponsorship
“Use the business case, TOM and strategy to get support for prioritizing this transformation. The business case will justify that, usually predicting ROIs of 300% or more.”
Eric Daimler, former White House presidential fellow at the Office of Science and Technology Policy, was surprised that no one at the recent MassIntelligence conference in Boston had heard of Cozmo, a miniature robot that by the looks of it could be the offspring of the two main characters in Pixar’s WALL-E.
Or at least no one admitted to hearing of it. “Come on, it’s on Amazon, for goodness sakes,” Daimler said to attendees. “You need to go out and buy this guy right away.”
Price point won’t be much of a barrier to purchase. At less than $200 a pop, Cozmo is pretty inexpensive — as far as robots go.
But Daimler’s bigger reason for talking up the robot had less to do with the actual technology and more to do with what the technology is teaching roboticists. Cozmo, created by the startup Anki, plays games and pushes miniature boxes around. And, Daimler said, “it’s on the leading edge of robot-human interaction.”
One of the keys to Cozmo’s success is its personality, which Daimler said will be a “useful tool in developing technology.” Cozmo, for example, “learns you and it learns your face and it will, in some really crazy way, try to pronounce your name,” he said. Its eyes help to convey emotion like happiness, confusion and even boredom, accompanied by a distinct sound (think BB-8) and sometimes even movement.
In the next two to four years, Daimler said home technology will have similar components such as face recognition technology and, yes, personality. “If Cozmo misses a block, what it does is it expresses disappointment,” he said. “Imagine if your dishwasher did that.”
Another lesson learned in robot-human interaction is how robots should approach humans. When Cozmo moves toward someone it recognizes, it never turns away from the person. Daimler said moving in a straight line, turning 90 degrees and then moving in a straight line might make sense from a computational perspective, but it doesn’t make sense in practice. “What they found is that people get freaked out if the robot turns away. It’s unpredictable behavior.” Instead, Cozmo “kind of waddles toward you,” he said.
Finally, size, apparently, matters. Cozmo is tiny, the size of a couple of fists. “When it makes mistakes, and it will make mistakes, we’re more forgiving of it,” Daimler said. When the robot is bigger, the stakes in robot-human interaction are higher, and the machine is expected to operate perfectly, he said.
“You can imagine the reaction would be a little different if Cozmo was seven feet tall,” he said.
Jeff Haskill, the IT security chief at AstraZeneca, is, according to his boss, “a very technical CISO.” Dave Smoley, CIO at the U.K.-based pharmaceutical manufacturer, praised Haskill for his technological background, which includes nitty-gritty IT work and cybersecurity.
While reporting on the collaboration between CIO and CISO and its impact on AstraZeneca’s efforts to move huge tracts of its IT operations to the cloud, I asked Haskill whether he agreed with Smoley. Were his CISO skills technical skills?
“I’ve done about all on the IT side,” said Haskill, who also runs the IT infrastructure team. He was a software developer, worked on servers and installed large networks. He’s also grounded in forensics and many IT security areas.
“The thing is that you can’t stop there,” he said. “You’ve got to go ahead and understand what the business wants.”
Understanding that is key to an IT strategy designed to encourage scientific innovation and business growth at AstraZeneca, Haskill said. It’s also part of a larger trend: Business skills like communication and policymaking are becoming essential CISO skills.
Candy Alexander, a former CISO and independent consultant, said there are still more technical CISOs out there than business-minded ones, but the role in general is “morphing more into a business partner,” much like the CIO role.
The challenge for CISOs today, Alexander said, is they “have to keep feet in both worlds” — understanding deeply technical issues regarding cybersecurity and IT architecture and the often political and contractual language of business.
Haskill faces the challenge by handing a lot of the technical aspects he oversees over to “people that are obviously a lot smarter than I am” — namely, his security operations, networks and infrastructure teams — so he can focus on business needs.
Having solid knowledge of those issues, however — knowing how cybersecurity fits into the company’s compliance with industry regulations, for example — makes him “more well-rounded” and allows him to relay critical messages to business leaders.
“My ultimate goal is to be able to go in and show complex items, especially in the cyber world, to board members, to our senior leadership, so they understand,” he said. “So they can go ahead and make the appropriate decisions for the business.”
BOSTON – Sam Madden, professor of electrical engineering and computer science at MIT, is hoping to help advance the field of machine learning from dark art to principled science with an open source project. ModelDB, available on GitHub, is essentially a database system designed to help organize and manage machine learning models.
“These models are the engines of machine learning,” Madden said at the MassIntelligence conference, hosted by MassTLC and MIT’s Computer Science and Artificial Intelligence Laboratory. “They are the things that take the data and extract the insight out of it.”
When researchers build machine learning models, the process is highly iterative. Models are built using training data, and, if they’re supervised models, they are tested, evaluated and then tweaked (i.e. new features are added, new parameters are added) to improve their performance. That process is repeated — sometimes hundreds of thousands of times, according to Madden — until the models perform at an acceptable level.
But there is no way to manage the process. “You go through thousands of these models, you update the models all of the time, and there’s no sort of standardized way to track the history of the modeling process,” he said.
Madden likened it to the way people organize personal documents on their computers, which is to say not at all. “People are terrible at it,” he said. “And they don’t promote carefully organized data.”
ModelDB is a database system that acts as a central repository for machine learning models — all iterations — and is searchable, creating a system of record for researchers. “People can look and see what’s been done in the past and continue work that’s been partially completed,” Madden said.
Features include “experiment tracking,” so that models in the pipeline can be logged; “versioning,” or the ability to compare model performance; and “reproducibility,” so that any model can be rerun on any input data set.
“This isn’t a deep or radically complicated idea,” he said. “But it’s one of the things that I think is needed in order for us to go from where we are now, which is sort of this [dark] art, to a much more principled scientific approach.”
We finally know which two big tech companies were conned out of millions by an email phishing scam, as reported last month, and you might recognize them.
The culprit — a Lithuanian man being charged with fraud, aggravated identity theft, and money laundering by the Department of Justice — swindled Google and Facebook out of $100 million collectively by pretending to be a popular Taiwanese electronics manufacturer.
The man allegedly forged emails from employees, invoices and contracts and asked the tech giants to send payments to his bank accounts in Latvia and Cyprus, instead of the real company’s actual bank accounts — and it was enough to convince employees at Google and Facebook.
“Humans are the most vulnerable point of any information system; even the world’s biggest tech companies aren’t immune to this,” said Neil Wynne, CISSP and Gartner analyst. “The vast majority of cyberattacks use social engineering, such as phishing, to trick employees into taking actions detrimental to the company. Many large and high-profile breaches have started with successful phishing attacks.”
A recent report from threat management provider PhishMe found that 91% of cyberattacks start with a phish. The top reasons that people fell for the emails: curiosity, fear and urgency. These are the things that attackers prey on — and upping technology-based defenses can’t address those kinds of vulnerabilities, said Wynne.
“There tends to be an over reliance on a technology-based approach,” he said. “Instead, CIOs should take a multipronged approach that spans technical, procedural and educational controls to effectively mitigate these attacks. The education aspect is a critical component because it increases employee resilience to social engineering.”
“I think the big takeaway from this incident is, first and foremost, that a cybersecurity awareness program is critical to all companies regardless of size — big or small,” said Austin. “Many of these fraudsters will try to get employees to break standard process and procedure by saying ‘this is very confidential’ or ‘this is related to some new merger or acquisition’ or something like that.”
Austin said the size of the scam suggests that the Lithuanian scammer got employees at Google and Facebook to break process and procedure by convincing them to do it through believable documentation and credentials and/or by finding someone who wasn’t trained on what the process and procedure was.
In other words, the major takeaway for CIOs to avoid similar phishing scams: educate, educate, educate employees on their role in data protection.