As CIOs we all come from different backgrounds and experiences. Before I moved to a career in technology chasing more ‘say it in green’ aspirations, and ultimately seventeen years as a CIO, I was a forensic anthropologist and specialist in identifying diseases of the skeleton. I worked with police and medical examiners in three states doing CSI stuff, and with museums and universities doing pathology research on early populations.
Just a few years ago, I was asked by colleagues at the Museum of Natural History if I would speak at the Physical Anthropology meetings in Anchorage about two historic Inuit (Eskimo) groups from Point Hope, a sandy prominence on the northwest coast of Alaska. It had been years since my research on these groups, so I thought I would do a quick search online to catch up with the current state of knowledge and how much it had changed over the past 30 years.
Two Types of Data Came Back
Scholarly journals at $25 an article, and papers written by graduate students that were free. Why should I pay? I could sort out the good from the bad and make my own decisions on quality and value. The free stuff was clearly “Good Enough”.
As a culture, we have shifted away from excellence in favor of “Good Enough” as long as it lowers cost, provides convenience and delivers immediacy. We use cell phones that sound like we are speaking under water and satellite radios whose signal disappears when we pass under a tree or a bridge, and we watch full-length video and television in high definition on 3 inch screens. For the cost, convenience and immediacy, having what we want, when and where we want it, is “Good Enough”.
The acceptance of “Good Enough” was important. We needed the cultural shift to “Good Enough” to clear the way for mobility. And we needed the acceptance of “Good Enough” to give mobility and cloud the time to move beyond just emerging ‘consumerization’ and begin to evolve (even if it is far too early to say mature). And we needed evidence of the evolution and expansion of device, infrastructure, application and data mobility to spark acceptance and drive new possibilities for innovation.
But let me take a moment to clear a myth prevalent in the press: Innovation and mobility are not synonymous.
Innovation was not just invented. And yes, we have been innovating for a very long time. From the first PC, distributed networks, client server technologies, browsers and the Internet, and long before, innovation is how we got here. And regardless of technical platform, mobile or traditional, the pace of innovation will only accelerate. The role of the CIO is changing, and it will for all of us, but not always or only for the reasons getting most of the press.
Mobility and the Role of the CIO
The role of the CIO is innovator, business leader and manager of risk. The CIO is designated by vantage to see the business in context, identify structural and process opportunity and risk, to champion change and create resilience by design. The new role of the CIO is to do this amid an emerging, ‘always on’ culture with new rules, new paradigms and a new technical agenda.
The good news is that mobility, cloud and social communities have in fact evolved. With that evolution, shifting culture and technologies are creating a world rich with opportunity. The bad news however is that the world is not by any stretch safer.
I said that the culture has changed. Business is asking for more. Digital technologies are driving the convergence of lines of business. Mobility has re-defined our consumer. Mobility is the new mantra for innovation.
So let’s talk about mobility. It has re-defined the way we work, organize, collaborate, socialize and participate. It has re-defined our work/play/life balance and has created this always on, always there, always in the game mentality that has changed how we do business and engage with family, friends and life perhaps as no technical change we have seen before.
I was at a family dinner recently where many at the table were parents and grandparents. They had completely missed the “computer age.” A few are still frustrated by their television’s remote control and believe that a computer virus is something you catch from a computer. Dinner over and everyone satisfied, I looked up to see three generations, young and old, and even the baby, with a smartphone of some type in hand.
Computing technology has never been this inclusive before. Shopping, communicating, playing, paying bills, showing videos of the grandchildren and sharing photos of the new Shih Tzu puppy, all sitting together, a family whose life portal, window to shared experience, and day-to-day had become their smartphone.
These were the innocent bystanders of the computer age brought into a new technical mainstream by the technology of mobility, given instant and unlimited reach and capability with no prior exposure to risk, threats or vulnerability, no technical understanding born of experience and no professionals providing cautions or guidance along the way. It is these “nouveau mobile,” together with the experienced, the eager, the reluctant adopters of technology change, the laggards and of course the digitally native who now comprise our technical community.
With our new consumer and new culture come new dangers, and they are the same dangers for all of us, regardless of our technical path.
When we talk about mobility and cloud and BYOD, we speak about them as separate because we manage them that way technically and organizationally. Devices are likely managed by IT, cloud by the applications group, social communities by marketing and BYOD perhaps by a security policy group.
I see them all as part of the same, all part of the culture shift towards self-empowerment and mobility, the ability to collaborate and communicate, bring applications, data and infrastructure to anywhere, access them at any time and from the device of your choice.
This reminds me of a video called “Bambi meets Godzilla”. It’s a cartoon made in the 1970s by Marv Newland.
Bambi, a precious little deer is grazing in a field, nibbling flowers, sipping from the brook, looking up at the sun, nibbling more flowers, sipping from the brook, and then down comes this giant dinosaur foot and the cartoon ends.
So here we are grazing in a myriad field of apps, looking up at the cloud, a new cloud appearing almost daily, each promising what dreams are made of, shaking, poking and stretching our device du jour, absent any awareness and without regard for source, credentials, quality, security or privacy. You can almost see the shadow of that giant foot.
How many of us ask where this app came from before we download and click? How was it tested? Was it third party certified or did the developers just check the box that said we conform to the required standards and pay the fee?
How many of us know where our data is going, whether it is protected, or whether its privacy is really maintained once we put it out there in the cloud? And if we have the assurances of our cloud provider in contract, what about their providers? Or theirs?
CIOs, Risk and Technology Change
As a profession, CIOs have been managing technology and technology change for a long time. We know that establishing effective governance is the first step in assuring a stable and secure environment. Mobility and cloud are safer for all of us if we adhere to the prudent IT governance that has served us for so many years and through so many shifts in technology.
In past years (when I had operations responsibilities) I used a tool I call the House Rules to get everyone speaking the same language. I issued the House Rules each year and adjusted the rules to meet changing business needs year by year. This established a common vocabulary and understanding of my expectations. There was no ambiguity. Developers, engineers and analysts all spoke the same language. These were the rules that decisions were measured by and the metrics that all conversations were based upon.
- Do we have the skills, documentation and readiness for support?
- Is access limited to that which is required and intended?
- Are all physical, technical and contractual safeguards in place?
Innovation and mobility are moving very fast and we need to get behind that. But…
- Threats are increasing and becoming more targeted.
- Our ability to protect ourselves is diminishing.
- The geography we consider our perimeter has expanded into cloud space we don’t control.
- Law and regulations hold us accountable for breach of private data and the penalties can be severe.
Many of us are governed by regulations that vary by industry, but in all cases hold us accountable for breach of individual privacy through data loss. Often our responsibilities are different for every state, under federal law, and in each of the countries in which we operate.
Fraud, digital crime and cyber-attacks are no longer just disruptive, but are a potential threat to continued operations, revenue and markets and need to be considered in our plans for continuity and preparedness. As we increase our digital presence both as provider and consumer, this can only increase.
- New devices, apps and cloud services are emerging faster than people or IT departments can absorb.
- Mobility and cloud have moved operations further from the infrastructure under our control.
- Attacks against us are increasing in sophistication and are more difficult to detect.
- Technology and the culture are changing too fast for law and policy to understand and regulate.
- Our support organizations are outpaced by the expense and complexity of the defenses we need.
- We have technical solutions for malware, but we don’t for human behavior.
Mitigating the Growing Threat
They say that it is not IF you will be attacked, but WHEN. For some of us the question is more about “How Long Have I Been Compromised, How Deep Have they Penetrated, What Have They Taken and How Do I Get Them Out?”
There has been extensive discussion about the effectiveness of varying approaches or components of our security practices in mitigating threat and providing an effective defense. That said, it is clear that any framework for approaching the emerging threat environment needs to be pervasive and consider all of the following and more:
- Develop risk awareness in the employee community through education.
- Increase the capability of technical, legal and crisis response teams.
- Enforce a program of protection for both mobile and stationary endpoints and data.
- Make effective use of data loss protection strategies to protect intellectual property and company confidential data.
- Apply strict administrative controls that limit access to files, systems, applications and network resources and prevent inappropriate access.
- Maintain continuous threat and breach monitoring, whether self-managed or through engaged professional services.
- Keep traditional and effective ‘defense in depth and variety’ provisions for perimeter, system and infrastructure security.
- Focus continually on understanding data and assets: what and where they are, how they can be used and how they need to be protected.
- Understand the regulatory environment and adhere to both domestic and international data protection and privacy laws.
- Prepare effectively for attacks, with incident response, disaster recovery and business continuity plans in place.
Innovation has fostered new technology. It has created a new consumer. It has also made us believe that everything is “Good Enough,” and thus introduced new considerations for business protection. The days of an anti-virus system and a firewall alone are gone. We each need to develop a strategy of education, skills, responsiveness, technical defenses and data knowledge, so that we know what we have, where we have it and how compliance, good sense and best practice demand we protect it.
Copyright M. Gomberg, all rights reserved – Do not replicate, distribute or excerpt without author permission.