How Leveraging the Cloud Can Enhance Your Security Risk Profile


It’s a given that cloud adoption is growing heavily, but I continue to hear how security is a concern or roadblock for some. Yes, the ever-increasing stories of cyber attacks have ensured security remains a top priority for CIOs, as it should be, but I’m always amazed at how security in the cloud is looked upon as a major hurdle or obstacle. Moving your apps to the cloud does take a new way of thinking about security, but it shouldn’t hold you back. Leveraging the cloud, particularly SaaS applications, actually enhances your security risk profile.

It’s a myth that using SaaS apps or putting information in the cloud is inherently less secure than keeping everything on premises. The data needs to be secured no matter where it lives, and keeping it on-prem does not make it more secure. What is true is that it’s different, and as long as you understand the differences, your company’s risk profile is much better off.

One great reason to use the cloud is that you’re outsourcing the development and hosting of your applications, enabling you to focus on more core, business-value activities. This also includes security, if done right. Leveraging the cloud gives you access to a great pool of resources, whether it’s with your cloud vendor or in combination with other cloud vendors. This is because the skills and resources available with most cloud vendors are much greater than what you can muster yourself. It’s the lifeblood of their existence, and the teams and time devoted to overseeing security are far greater than what most companies can do cost-effectively on their own. This doesn’t mean that cloud vendors can’t get hacked as well. They can. Even though most of the highly publicized security breaches have actually been to on-premise environments, cloud vendors have been hacked. There are no guarantees, but the same goes for your on-premise environment too.

However, using the cloud doesn’t mean you ignore the security concerns and just leave it to the vendors. To fully leverage the cloud for improved security, you need to understand what truly needs to be secured, understand your vendors’ policies and procedures, implement a few tools, and ensure your users are trained and aware of how they can help prevent security attacks. This is not an exhaustive list by any means, and I just touch on a few of them below, but these items will put you in a better position going forward.

Data Classification: First, you need to understand what information you really need to protect. Not every piece of data your company produces is sensitive or confidential, so classifying which data is truly sensitive, private or subject to regulation is step 1. Understanding where this data then resides (likely more than one place) is required next, so you know where to focus your extra efforts.

Implement Two-Factor Authentication (TFA): TFA is one of the best tools available to ensure outsiders aren’t accessing your applications via insecure or stolen passwords. Many of the leading Identity Management tools have this capability, and there are other stand-alone options available too. End users are much more accustomed to this from their banking or other apps, and it does raise the security strength of your apps.

Internal User Training: Internal users are the biggest security hole in an enterprise, and ensuring the end users know the security best practices is an easy and inexpensive control. More companies are instituting security training as a requirement for all employees. This is even more important with a SaaS / browser-based application environment.

Understand Your Vendor Practices: Just because you’re offloading your application development and hosting to your SaaS provider doesn’t mean you absolve yourself of any oversight or due diligence up front. You still need to understand your vendors’ capabilities and keep ongoing oversight of your SaaS vendors.

As a buyer of SaaS applications, here are items that you should understand and investigate. Again, it’s not an exhaustive list, nor will you find consistency in the approaches or capabilities, but you still need to familiarize yourself with the following:

  • Encryption (in transit and at rest)
  • Internal Controls
  • Backups / redundant data centers
  • How quickly are your vendors patching critical vulnerabilities?
  • How does the vendor QA its product?
  • How do they test DR/Contingency?
  • Do they have best practices with continuous delivery?
  • What are their change management practices?
  • How do they handle PII or sensitive data?
  • Employee profiling, security training and phishing awareness programs
  • What is their monitoring and notification process?
  • Do they have data centers in countries with specific data residency requirements (if applicable)?
  • SSO Support
  • Dedicated CISO
  • Automated testing
  • Peer reviews on coding

These are all capabilities that any software provider should ideally have, so the more you investigate and push, the better you’ll be for it in the end.

There are also many new approaches coming out of startups, from leveraging microservices to machine learning, so you should also pay attention to emerging technologies. Keeping abreast of new and emerging companies should be a CIO core competency, but it’s even more important today with security and the cloud. Putting your applications and data in the cloud provides a great deal of business value, in what can be a more secure environment. You just need to understand the differences.

Yes – IT is Still Relevant

We had a great discussion recently on the topic “Is IT still relevant”, where I was joined by Tim Crawford, Mark Thiele and Bob Egan on a Google Hangout and Twitter chat (#CIOitk), and a few themes came out that I think are worth highlighting:

The Consumerization of IT has changed our expectations of enterprise systems and has raised the bar on what technology should be like in the workplace. These expectations, the speed of change in today’s business environment, and the ability of the business to obtain cloud services itself have turned the IT organization upside down.

The challenge for today’s IT leader is to recognize this change and adjust accordingly. Many CIOs have already done this, but there are still quite a few who haven’t. There is no “model” that CIOs can just pick up and follow, but they can follow a few simple guidelines to improve their standing with the business and ensure relevance:

  • Speak the language of the business. You can’t focus on providing business value if you aren’t talking to the other business departments and executives in their language. See my previous blog post on this subject.
  • Get out and understand the challenges your employees are facing. IT leaders must be outward looking, fully understanding the business challenges facing the organization from within and externally.
  • Embrace shadow IT. This means embracing how the cloud is helping bring innovation into your organization faster (and better) than you can do it yourself. There is a need for IT to be involved, but not everything has to go through a centralized IT department.
  • Focus on customer engagement. The customer is king and this is what drives the future of your business, so understand the customer’s needs. Think ahead and ensure that the IT organization is doing things that can improve customer engagement.

Culture Matters

Another point that was brought up on Twitter was about culture and how it affects IT’s perception. This is a very important point and something that can’t be overlooked. Culture really does matter. Yes, technology has become a big part of everyone’s business, but not all organizations have completely caught up to this thinking throughout the C-suite. Without a culture of valuing and leveraging technology, IT leaders face headwinds on change. Change is hard for many organizations, and those that are slow to adopt will likely be left behind. Just ask Blockbuster. So, all the hard work can easily be met by cynicism and doubt, but you can’t give up.

The IT Organization and the CIO of the Future

The future of the IT organization was also discussed, and a common theme was that staffing is an issue. Cloud adoption, embracing shadow IT, and an agile mindset change the way IT organizations operate and think, and the skills required are different. I went through these in a presentation last year on the Future of the CIO, but the highlights are that IT leaders need to be:

  • Consultants to the business
  • Conductors rather than builders
  • Entrepreneurial
  • Social
  • Evangelists for innovation and agility
  • A business enabler, focusing on what’s core and strategic to the business

Many thanks to Tim for moderating the session, Mark and Bob for their great insight, and Amy Hermes for her drive and unparalleled Photoshop and marketing skills. Keep an eye out for the next CIOitk (in the know) chat session.

Why Leaders Need to Be on Twitter, and My Experiences

I’ve meant for a while to write about my Twitter experiences, and after being named earlier this year as a Top 100 Social CIO on Twitter by The Huffington Post, it felt that now was as good a time as any. In short, all technology and business leaders should be embracing social media as a leadership voice, and Twitter is a great avenue to learn, engage and promote your brand. Yes, using social media needs focus and an understanding of what you care about, but that’s an important foundation that every leader needs to discover and embrace. Twitter is a great source for news, a place to discover intelligent minds, an avenue for engaging discussions, and an opportunity to grow your professional and personal network.

I made a conscious decision about 2 years ago to dive head first into the social media world. I admit that I had been a laggard, being a very casual Twitter user and taking a stab here and there at blogging. I had always stayed pretty active on LinkedIn, but more for general networking than collaborating and sharing. The turning point for me was realizing that, as I worked for a B2B company that didn’t embrace social media, I struggled to champion adoption and articulate the business value since I wasn’t a part of it. I knew that embracing the social world was an important piece of driving innovation, and I felt it was important to become an expert and lead by example.

I had always prided myself on being a generally social person, building relationships with professionals across many industries at various levels and roles, but I knew there was more to it. At the same time, I knew it was time to redefine and articulate my personal brand better than I had been doing, and I realized that upping my game on the social media front was the next frontier.

I set my sights on two fronts that had been ignored: Twitter and blogging. With Twitter, I researched suggestions on how to get the most out of it and quickly understood that to be successful on Twitter, you need to focus yourself. Twitter is a vast world with a very wide range of topics and engagement. As the suggestion rightly pointed out, without a distinct initial focus, I’d be lost and wouldn’t get the most out of it.

Knowing I wanted to focus on my passion for the intersection of business and technology, and the benefits of using the cloud, I started there. Following some experts I knew who were heavy Twitter users was the start, and I never looked back. I started paying more attention to who was authoring the articles I was interested in. Almost always the writers were active on Twitter, engaging others while also using Twitter to promote their writing. Perfect.

It quickly became apparent to me that I had been missing out on connecting with and learning from a huge number of people who were interested in many of the same things I was.

I’ve learned a lot since I started and have connected with and personally met a number of very smart people. Being social, via Twitter, LinkedIn, blogs or any of the other prevalent mechanisms, has really provided the following value, and these are the reasons why every leader should be on Twitter:

  1. Source of news – Twitter is a great source of relevant news stories that are of interest to you. Most leaders are sponges when it comes to reading, and Twitter is a great door for this. The feed can feel a little overwhelming at times, and I find myself starting the day on Feedly or Flipboard more often, but I typically find some new and interesting posts on Twitter every day.
  2. Place to engage and have meaningful conversations – Once you get past just following what people are sharing, you will find there is a large segment that uses Twitter for conversations. I’ve found this to be even more valuable and engaging than just reading posts. Real conversations can and do happen, but it does take an effort. Not everyone uses Twitter in the same way, and some are more interested in responding than others, but it’s great when a meaningful conversation happens. It’s even better when others are included, which expands the engagement and input.
  3. Professional expansion – Twitter is a great place to connect with professionals who care about similar topics. Creating and nurturing your network has been demonstrated to be a key factor in long-term success, and Twitter is a great avenue to expand your network. You can get trolled by salespeople and others promoting their wares, but it can be managed if you pay attention.
  4. Personal expansion – Not all learning is professionally based, and many people on Twitter are sharing and conversing about sports, life, faith, food, and many other non-professional topics. I started off only tweeting about professional topics, but my 23-year-old son advised me (via Twitter, of course) that I should be spending upwards of 15% of my Twitter time on non-business topics. It took me a bit to get into that rhythm, but the non-business tweets ended up providing a similar experience to what I found in my professional tweets. Following sports writers, foodies, locals and others expanded my horizon on another level. You do need to keep it clean, though, if you’re using the same Twitter handle for both, so do try to hold back when your team has just blown that large lead to lose the game!
  5. Research – I’ve used Twitter a few times now to do research on a specific topic. Using TweetDeck, I can easily add columns for specific hashtags (#) if I’m looking for articles or blogs on a topic. This has helped tremendously when needed for a presentation or just for following a topic of ongoing interest. There is a lot of writing out there that shows up under hashtags that you wouldn’t normally find on a Google search.

So, if you’re not on Twitter, now’s as good a time as any to get started. Send me a note or tweet if you’re looking for any other suggestions.