Thursday, February 26, 2015

Information Security Challenges: Conversation with a Fortune 500 CISO


Had an interesting conversation with the Chief Information Security Officer (CISO) of a major Fortune 500 corporation regarding Information Security a few days ago. The freewheeling conversation spanned many dimensions of the Information Security universe.
Information Security - The Public Posture. We exchanged some thoughts on what the public posture of large corporations should be around the issue of Information Security. One school of thought goes that making any claim about a company's security practices in the public domain is as good as painting a bull's eye on one's back as a target for information thieves and hackers. Another school goes that the more you establish your thought and practice leadership in this area, the better it is in terms of how your customers and stakeholders value you and are willing to pay a premium for your products and services. A fine, thin line to walk for sure. The jury is still out as to which would be the better approach. A middle path should be the best course. Easier said than done, though, in a veritable minefield.
Information Security and The Internet of Things. Switching gears. One thing is for sure: the Internet of Things is here and is here to stay. The "Thing" can be a power plant as easily as it can be the toaster on your kitchen shelf. And yes, the devices which the corporation makes are "Things" in the Internet of Things too. A network is only as strong as its weakest link, and we need to ensure that our devices do not become a point of entry for anyone with evil intentions. Not that people are not trying, though. See-saw battles between hackers and protectors are the order of the day. Government focus is on protecting the critical infrastructure elements which are now part of this Internet of Things.
Information Security and the Generational Dilemma. Another interesting dilemma is the ever-changing public perception of the nature of personal data and the security it needs. A Millennial, much more attuned to a "Sharing Economy" (think Uber, Airbnb et al.), has a different perspective on sharing personal data than, say, a Generation X-er. And with the plethora of data leakages happening almost every day (the Anthem Insurance hack being one more in a long list), each one bigger than the last, the public is slowly getting desensitized, especially since there is no big direct economic impact for most individuals other than the slowly creeping cost of security, which gets passed on to the consumer without being felt directly ("boiling frog" syndrome).
All interesting challenges which keep the CISO and his team thinking, even as they deal with other daily challenges like the malware-laden spam messages that target our mailboxes, or building security approaches spanning the various entities that make up the organization.

Tuesday, February 17, 2015

Enterprise Architecture: Communicate! Communicate! Communicate!



Communicate. This is probably the single most important aspect of an architect's job. Fundamentally, architects are in the role of communicator. After they establish and formalize a solution, they need to communicate that solution as well as its importance and value to stakeholders throughout the organization.
These words of wisdom come from "10 Key Skills Architects Must Have to Deliver Value". I would go a step farther and say that even "establishing and formalizing a solution" hinges on effective communication with all stakeholders.
Gartner has also identified "Not Spending Enough Time on Communications" and "Not Communicating the Impact" among the "Ten Enterprise Architecture Pitfalls".
But sadly, communications training would be the last thing on the minds of Enterprise Architecture leaders as they finalize the training plans and budgets for their teams for 2015. More likely than not, most dollars will be spent on developing technical or architectural skills and acquiring certifications related to those. Enterprise Architects as individuals are also likely to ignore it as one of the key skills they need to burnish during the year.
And I would not be surprised if key stakeholders were to list lack of communication, or ineffective communication, as one of their pet peeves about Enterprise Architecture.
Why is it so? It seems that Enterprise Architects have traditionally viewed themselves as builders of the better mousetrap: "If we build a better mousetrap, people will beat a path to our door", or "we are the geeks, communication is a skill we don't need".
But The Times They Are A-Changin'. Communication is key, especially given the fast pace of change.
And so my advice to you, the Enterprise Architect: make communication one of the key skills you will burnish and sharpen during the year.
And to Enterprise Architecture leaders: make sure communication is on your teams' development agenda.
It will be a gift to yourself and your teams which will pay rich dividends.

Wednesday, February 11, 2015

Enterprise Architecture is Dead, Long Live Enterprise Transformation!

Ask anyone on the street about Architecture and they'll describe something big, expensive, sturdy, built-to-last, shiny, glitzy, beautiful, took years to build etc. Taj Mahal. Eiffel Tower. Empire State Building. Sydney Opera House.
And ask them to describe IT or the Digital Economy of today they are likely to use words like agile, changing, quick, economical, user driven, Instant gratification etc.
Houston, we've got a problem!
The name of our profession has not kept pace with the expectations of it. Some would say, what's in a name? A rose is a rose is a rose...
This may be the answer to what I asked in another post: Why is Enterprise Architecture sitting out the DIGITAL Party?
Ask a marketer, though, and they'll say having the right name is like being halfway to winning the battle for the customer's mind. (Chilean Sea Bass is a delectable delicacy at many high-end restaurants; it was not exactly flying off the grill when it was called Patagonian Toothfish. Who wants a tooth in a meal!)
Let's not be flippant about it, though. There is considerable research to show a name matters:
  • The name influences the perceptions about a thing, which then influence the expectations of it, which then, in a feedback loop, influence the way the people who are part of the group view themselves, behave and deliver.
The need of the hour is rebranding ourselves as Enterprise Transformation:
  • The business environment is dynamic and constantly evolving. Technological disruptions are the name of the game and are here to stay. Systems and processes need to be responsive to constant change. The days when people expected to build gold-plated systems and processes which lasted forever are gone. The need is not for expensive "well-architected" last-forever solutions but "transformable" solutions that not only cost less to build but are cheaper to re-purpose, refurbish or even throw away. With the pace of technological progress so fast, why would you wed yourself to a technology or technical architecture which will be obsolete before it is fully built?
  • Architecture is static. It sounds like something which starts on a clean slate, while what we do primarily deals with existing systems and processes which need transformation.
  • Architecture is a noun. Transformation is a verb; it is an action word. Transformation implies motion; Architecture sounds like something ready to be put on the shelf.
  • The business is already alive to this problem. Most organizations have teams named as, and tasked with, "Business Transformation". More often than not, on the IT side they are paired with "Enterprise Architecture". To drive home the shared objectives and close alignment with the business, it is logical that the team on the IT side have the T-word in its name.
  • Perception drives reality. Building a better mousetrap, i.e. being good at what we do, is not enough. There is no sense hanging the sign "Great Mousetrap Builder" outside our shop when the customers are looking for "Cat".
Note that I am not talking about just renaming but "Rebranding", which implies focused efforts and initiatives to communicate a repositioning of our objectives in alignment with the new environmental realities, closely aligned with the business.
And I am not the only one seeing the winds of change (tsunami?) headed our way.
Jason Bloomberg says
Let’s simply cross off all references to EA from the org chart and corresponding business cards. Instead, let’s call the EA team the Center of Digital Excellence. Catchy, eh? It even comes with a handy if somewhat ironic acronym: CODE.
In a recent note CEB talks about:
EA, as a function, is still relatively young. Many groups were initially created because their enterprises were reaching new levels of size and complexity. They were established to fight cost and inefficiency, and still remain true to the objective of protecting the architecture.
But EA now faces new and growing pressures. The rise of non-traditional competitors, as well as changes in stakeholders' expectations for technology, have caused many groups to rethink how they drive value within the organization.
One way of driving value would be to align our nomenclature with a key value driver: Transformation.
Now this may rankle some of the purists. Many among us have got used to the word "Architecture" in our titles and may wonder: what would I be called if not an Architect? Well, what about Enterprise Transformation Expert or Enterprise Transformation Specialist?
And if you are the flamboyant kind who can live up to a really flashy title, how about "The Transformer"?
Enterprise Architecture is Dead, Long Live Enterprise Transformation!

Why is Enterprise Architecture sitting out the DIGITAL party?

Jason Bloomberg's post "Invite Enterprise Architecture to the Digital Party" makes an interesting read. His essential premise is that Enterprise Architects in most organizations are missing the bus as far as staying engaged with, and relevant to, digital initiatives is concerned.
This is a shame, since "DIGITAL transformation" is the biggest challenge faced by CIOs and "Go Digital" is their biggest mandate per IT stakeholders.
His solution includes what I will describe in marketing jargon as "re-branding" and "re-positioning" Enterprise Architecture as a Center of Digital Excellence.
Hold on to that thought and let's come back to the Digital Party for a second. More specifically, the party and getting invited to it.
WikiHow lists 3 ways of getting invited to a party which you want to be at and haven't got an invitation to:
  1. Use Your Connections
  2. Provide Your Service
  3. Donate Something Useful
Looks like EA has its work cut out in case it wants to join the party.
The first way sounds easy, but as Jason points out, "On the surface, EA and digital sound like a match made in heaven..........Only most organizations don't see this connection – for a number of possible reasons." So it looks like the connections, if any, are tenuous at best and are more often than not perceived as a drag by the other players.
The second way has its own challenge, as "today's EA efforts rarely focus on business agility." Digital initiatives view EA's service offerings as slow and not in tune with their own pace.
And for the third way, the most likely question is going to be "What?". What can EA bring to the party, especially if the "existing EA effort may not be focused on broad-based business improvement at all......focus ends up on technology concerns"?
So is all hope lost? Can EA ever be relevant in an era of Digital Transformation? Well, yes, if it gets its act together and adapts to the rules of the new party. The buzzwords at this party are:
  • Agile......"Business Agility"
  • Business Aligned
  • Customer Preferences and Behavior Driven
So much for the ABCs; there will be some dotting of the i's and crossing of the t's required as well.
Ciao for now. I'll revisit "Re-branding" and "Re-positioning" in another post. Hold on to those words for now. (Enterprise Architecture is Dead, Long Live Enterprise Transformation!)

Friday, February 6, 2015

Data Breaches: Why Store Data You Cannot Secure?

It has happened yet again. A massive data breach at a major corporation. Yesterday it was Target, today it is Anthem, and tomorrow it can be anyone else, possibly YOU!
This endless battle between attacker and defender is not new, though.
Perhaps it is as old as the human race itself. A caveman would have stashed his kill for a rainy day only to have someone else look for it, find it and pilfer it away.
What surprises me, though, is our tendency to create data hoards which are prime targets for data thieves. It reminds me of the days when wealth used to be stored in temples and churches, making them the place to go for periodic plunder by marauders.
Why store the Social Security Number (SSN)? Does it really need to be stored? Use of the Social Security Number to establish identity may be a matter of law and of convenience, but I am not sure why corporations need to store it. I would think that once the identity is established (a trusted connection) using the SSN, the SSN itself should be discarded and replaced by a "Trusted Handshake Indicator" verifying that trust has been established. Not rocket science; it is somewhat similar to what companies do when they use your credit card number for a transaction and you do not want it stored by them for repeated transactions. The fact that the SSN is stored in the databases makes them more attractive to attack. If you store gold, tonnes of it, and are afraid of it getting stolen, you need to make sure it is as secure as Fort Knox. Or, better still, do not store it at all.
Why not distribute the data storage? Secondly, if the SSN and other data have to be stored, why store them in a single large data warehouse where a single breach exposes the entire store? Why not distribute them over multiple warehouses, each with its own security and defenses? This way at least the scope of a breach can be contained and isolated. I know that the conventional wisdom of yore was to build massive data warehouses to ensure quick retrieval and processing, and companies made huge investments to build those warehousing capabilities. But technology has evolved. It is now quite easy to pull data from disparate data sources for transaction processing and reporting. (Think Google: it does not need all the information it searches stored on a single large server.) The cost of a data breach can easily surpass the benefits of having all data stored in a single repository.
I am no data security guru and perhaps the above approaches are simplistic. But we have got to start thinking and challenging assumptions.
Will we get to a perfectly secure system? Never. You may build the best defenses only to find someone drive an armored SUV through the shatter-proof glass windows (Gold Nuggets Stolen From Wells Fargo Museum in San Francisco).
This cat-and-mouse game between attacker and defender started in antiquity and is likely to extend till eternity...
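As an added illustration of the two ideas above (a "Trusted Handshake Indicator" in place of the stored SSN, and spreading records over separately defended stores), here is example code that is not part of the original post. It assumes, hypothetically, that the indicator is an HMAC-SHA256 of the normalized SSN under a per-store secret which would live in a KMS or HSM rather than beside the data, and that the stores are Python dicts standing in for separately secured databases. It also shows the caveat a practitioner needs: an unkeyed hash of a 9-digit number is no protection, because the whole space of about 10^9 values can simply be enumerated.

```python
# Added example, not from the original post. Illustrates two ideas:
# (1) keep a keyed verification token instead of the SSN once identity has
#     been proofed, and (2) spread records over separately keyed stores so
#     that a single breach exposes only one partition.
# Assumptions (hypothetical): tokens are HMAC-SHA256 over the normalized SSN
# under a per-store secret that would live in a KMS/HSM, not in the database;
# the stores are dicts standing in for separately defended databases.
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

Record = Dict[str, str]
Store = Dict[str, Record]


def make_keys(n: int) -> List[bytes]:
    """One independent 256-bit secret per store (from a KMS/HSM in practice)."""
    return [secrets.token_bytes(32) for _ in range(n)]


def make_stores(n: int) -> List[Store]:
    """Empty stand-ins for n separately defended databases."""
    return [dict() for _ in range(n)]


def normalize_ssn(ssn: str) -> str:
    """Strip separators so '123-45-6789' and '123456789' tokenize identically."""
    digits = "".join(ch for ch in ssn if ch.isdigit())
    if len(digits) != 9:
        raise ValueError("an SSN has exactly 9 digits")
    return digits


def unkeyed_digest(ssn: str) -> str:
    """What NOT to store: a plain hash of a 9-digit number is reversible by search."""
    return hashlib.sha256(normalize_ssn(ssn).encode()).hexdigest()


def ssn_token(ssn: str, key: bytes) -> str:
    """The 'trusted handshake indicator': recomputable only with the store's key."""
    return hmac.new(key, normalize_ssn(ssn).encode(), hashlib.sha256).hexdigest()


def choose_store(customer_id: str, n_stores: int) -> int:
    """Routing only; the customer id is not secret, so a plain hash is fine here."""
    h = hashlib.sha256(customer_id.encode()).digest()
    return int.from_bytes(h[:4], "big") % n_stores


def enroll(stores: List[Store], keys: List[bytes], customer_id: str,
           ssn: str, profile: Record) -> int:
    """Identity proofing uses the SSN once; only the token is persisted."""
    idx = choose_store(customer_id, len(stores))
    stores[idx][customer_id] = dict(profile, ssn_token=ssn_token(ssn, keys[idx]))
    return idx


def verify(stores: List[Store], keys: List[bytes], customer_id: str,
           claimed_ssn: str) -> bool:
    """Re-verify a caller who presents an SSN, without ever having stored it."""
    idx = choose_store(customer_id, len(stores))
    rec = stores[idx].get(customer_id)
    if rec is None:
        return False
    try:
        expected = ssn_token(claimed_ssn, keys[idx])
    except ValueError:  # malformed input never matches
        return False
    return hmac.compare_digest(expected, rec["ssn_token"])


def brute_force_unkeyed(digest_hex: str, limit: int) -> Optional[str]:
    """Enumerate the SSN space against an unkeyed digest. The full space is
    only 10^9 values (minutes of CPU time); `limit` caps the demo."""
    for n in range(limit):
        candidate = f"{n:09d}"
        if hashlib.sha256(candidate.encode()).hexdigest() == digest_hex:
            return candidate
    return None


def breach_exposure(stores: List[Store], idx: int) -> int:
    """Records exposed if store `idx` alone (and its key) is compromised."""
    return len(stores[idx])


if __name__ == "__main__":
    keys, stores = make_keys(4), make_stores(4)
    for i in range(40):  # constructed sample customers with synthetic SSNs
        enroll(stores, keys, f"cust-{i}", f"{i:09d}", {"name": f"Customer {i}"})
    print("verify ok:", verify(stores, keys, "cust-7", "000-00-0007"))
    print("exposure per store:", [breach_exposure(stores, i) for i in range(4)])
    print("unkeyed digest recovered:", brute_force_unkeyed(unkeyed_digest("000000042"), 1000))
```

Two design notes. The token is deterministic, so the application can still look a customer up by SSN (compute the token, query for it) without the SSN ever being at rest; the price is that the HMAC key becomes the crown jewel and must be kept out of the database tier. And partitioning only helps if each store really has its own key and its own access path; four shards behind one set of database credentials is still one hoard.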
