- Partner - StrataFusion
- CIO - Electronic Arts; CIO - McAfee; CIO - Logitech
- VP, Sales Operations & IT - Cisco
- Founding technologist and executive in the establishment of Department of Homeland Security's Transportation Security Administration (TSA). Nominated by U.S. Secretary of Transportation Mineta in November 2001 to assist in the creation of the TSA and secure the 435 commercial airports in the United States.
- All 8 Best Practices
- Pre-Call Discovery Process
- One-on-One Call with Expert
- Session Summary Report
- Post-Session Engagement
Where is your Data? CIO as Cloud Integration Officer
- Many companies don't "get it" when it comes to data management and security.
Employees today demand to have access to all of the same services on their mobile devices as they do via their computers. In addition, they can easily procure a new cloud drive using their credit cards. This, as well, will create challenges for CIOs to ensure their companies' key information is secure. Most CIOs know of approximately 50 percent of the cloud services used in their enterprise. So, understanding where your data is can be extremely difficult to control, let alone manage.
Now, with mobile devices becoming the predominant business tool, privacy, security and data management take on new meaning. Of these, data management is the biggest issue, because most of us have started down the mobility path by thinking how to control devices. But, since the devices have and will continually change, device management is only partially successful. Yesterday Blackberry, then the iPhone, now Android devices are the predominant devices. With tablets, who knows who will win. Nobody here has a crystal ball. So focusing on what you can control is key...YOUR DATA.
Many enterprises are still focused on the device. But, realistically, it isn’t the device – it’s the data and the information on the device.
- When your employees are working from home, how do you know what they’re doing?
- What kind of data do they have access to?
- If they leave a mobile device in a taxi, what would you lose?
- How do you wipe the data on it, how do you clean it and how do you maintain your data?
Data security is what the security companies are striving to protect. Enterprises are really pushing this hard within the security companies. What does data security, personal information, PII, PCI and company confidential information look like?.
Of course, governmental regulations add more complexity, in some industries more than others. But, in the end, it is about the data.
Most of us have a security strategy with multiple layers or rings to segment and protect the core systems, intellectual property, customer and financial data all the way out to the edge of an enterprise. And mobile devices add another level of complexity and security.
No one size fits all anymore. The key thing we’re all worried about is data. People will lose devices. You’ll lose your computer one day or your kids are on it, and who knows what they do.
The key is to understand the environment you work in and build a plan to continuously improve data management.
- Where in the cloud is your data?
We're facing use and growth of SaaS solutions and the cloud by IT and, even more significantly, by business functions such as marketing, sales, finance, engineering.
One of the challenges of CIOs and enterprises is understanding the use of these SaaS or cloud services and where the data resides --- where your key company intellectual property or customer information might reside within those applications. You may have a list of 50 to 100 additional SaaS or cloud services that have key product, marketing, intellectual property or customer data that is not under any kind of review, control and governance. You need to understand where that data is and whether it should be there.
We’re finding CIOs’ knowledge of how many solutions within the cloud they are using is off by as much as 50 to 75 percent. So, there are far more applications in use today than there ever were in prior years and it continues to grow. Understanding what applications are being used and what kind of data is in these applications is really critical.
Today, how the CIO finds out is when the business user comes to integrate his or her solution to an existing application supported by IT. Then the questions begin and work starts.
Another facet of this issue is integration. Many of these cloud services become critical to running your company. The challenge of knowing where your data is, having it in the cloud, is really a question of how you integrate the data to your enterprise and then across other cloud services.
Many of these are cloud solutions that require key product or customer information that resides in your enterprise and now needs to be connected back to your enterprise for the overall solution to function.
Much of this can be done today without any kind of oversight by the CIO or the IT organization. This creates exposure to your company's brand in the form of leakage and could result in a loss of intellectual property.
There are also security and compliance regulations you need to be aware of as a company. Understanding where your data is is essential to maintain compliance and ensure risk is minimized.
- Social networking: What is the impact to your company?
There are more than 1 billion users on Facebook. How many of them are your employees? What are they saying about your company?
Somebody Tweets a new product release before it’s announced. He/she wasn't trying to do anything subversive. People just don’t know any better and it’s too easy.
You get into a conversation, you’re having a few drinks and you ask me a question about what’s going on at my company and I let something slip. Its very simple to do.
Employees in the workplace today use social networking sites continuously. They also work via social interactions with other employees more so than by using structured systems, tools and applications.
The problem is that the social sites are oftentimes very public. There is limited security around them and employees end up divulging company secrets, proprietary information, maybe information about financials or product releases that shouldn’t be.
The positive side is that you could learn a great deal about what your customers want and what they are saying about you and your product or service via these social or systems of engagement --- the key is to have a listening mechanism that your company can engage in and respond.
There could be an online community bashing you and your company. These new systems of engagement are far more important for the CIO to pay more attention to versus traditional systems of record like your payroll systems, manufacturing systems and financial systems. CIOs, CMOs and CEOs that learn and embrace this will succeed in the future.
These social interactions aren’t going to come through a traditional marketing system; they are going to be on the many Internet-based social networking sites. So, there is a lot of value to be gained by enterprises if they pay attention to social networking sites.
The biggest troublesome part of the technology is there are so many ways you can connect outside of the four walls that control, governance and monitoring are very difficult and time consuming.
This data is very unstructured. It occurs between employees and their friends, vendors, manufacturers, customers, etc. This data comes in large amounts. The concept of BIG DATA solutions to gain knowledge from these sources becomes very useful and important.
This form of getting work done is now part of every company and is here to stay. That wasn’t the case 25 years ago. This new way of working can be a strategic advantage if embraced properly.
- Compliance requirements is the area of most concern and work to meet.
If you’re a pharma company and you’re doing research in the research labs, there is likely no access to the Internet, let alone Facebook. The networks are all locked down, so nothing gets in or out. Nothing by happenstance gets out of the research labs. Networks are all firewalled – they’re blocked.
Healthcare, Pharma and many other industries have regulations they must abide by. Each industry handles security and compliance differently. Changes to regulations are also moving quickly; security solutions are still catching up to meet the demands. As well, security threats are becoming more and more sophisticated (for example, Advanced Persistent Threats - APTs) and require a continued vigilance to protect your key information.
Most SW tools used in the enterprise are developed with the consumer in mind. They are largely architected with the consumer in mind vs. the enterprise. They also can create inherent security risks.
So, you might be thinking "well, why don't we just restrict use of any and all cloud solutions. . . especially in industries where strict regulations create cause or concern?"
The answer is simple: it is time-to-market or competitive pressures. Releasing a new product or drug to the market sooner creates huge value to the company. As well, developing products and services require investments. The cloud allows anyone to create agility, flexibility and value without large investments in capital.
Consistently monitoring your use of social networking interactions, new cloud services being turned on, and where your data lives are fundamental. The CIO must develop plans around this. If someone comments on a product release, or says the company sucks, it’s out there on the Internet, permanently. There is no "pulling it back." The proliferation of consumer based applications that are used in the enterprise exacerbates this problem and it is growing. It is the new norm.
CIOs are chasing their tails. You can never really catch up, because there is a new tool or new app every day; everybody is using something in the consumer space that they found or heard about. This has become a continually more complex and growing problem.
A strategy that includes prevention, detection and response is required. CIOs will never prevent all security risks, hence they need a way to detect new risks. Then implement quickly a response to the threat. These are the basic fundamental building blocks of a solid security game plan. As well, solid communication and policy management can help limit any exposures.
There are government regulations that likely apply to your company or industry. As well, your corporate culture will dictate what is acceptable. Understand this quickly. That dictates a lot of what you implement in terms of trust models vs. the prevention, detection and response systems you can put in place.
- Understand human error, corporate culture and education.
It starts with awareness. Creating a culture of data security, compliance and awareness is important.
A lot of times people don’t understand what information is confidential and what isn’t. They have no idea of what vehicles they should or shouldn’t be using when they are talking about the company.
As well, oftentimes there is already an existing cloud solution in place and in use. But employees are anxious to solve a problem and move ahead and sign up a new service – "I have a problem to solve and I need a solution now."
The CIO's challenge is that most employees feel the CIO will slow them down. What is key here is that the CIO must be communicating that he or she is open to new ways of working and, indeed, embraces the cloud and use of SaaS solutions. The CIO will then have to back up words with action in support of new cloud solutions when they are discovered. Creating a culture to leverage the cloud will gain support by all and will allow the CIO to implement, integrate and secure these solutions up front vs. having to solve problems.
There's a whole litany of questions most employees just don’t understand. Awareness has to be the first thing in training.
Few employees will know all of the rules, but you’ve got to put some common sense barriers along the roadside so everyone knows what they can do and what they shouldn't do. Most poor decisions are due to ignorance and are not purposeful.
As well, educating the leadership team on the cost of a poorly integrated and architected enterprise will gain support. Use examples to make the case. Don't be the "Say No" CIO. Be the "Yes and here's how" CIO.
Marching down any new path will create new challenges. But the advantages of the cloud are clear and the CIOs who will stay employed will embrace the cloud and develop strategies to ensure critical data is well integrated and secure.
- Enterprises are still unclear which core systems to implement.
Should you put your core financial systems in the cloud? Critical engineering systems? Customer sales and support systems?
Enterprises need to understand which systems are "core" (create competitive advantage) and which data is "core." This will be a huge help to guide them relative to the use of Saas/cloud and the relative controls they should use.
As an example, let's say you’re a pharma company and, within your research and development organization, research-related information is critical to your business and provides a competitive advantage. The loss or premature release of this information will create financial or brand issues if it got out. Then this data is CORE and should not be sitting within a public cloud environment.
The opposite situation is really key. What services and data are not critical or sensitive (core) to your business? These are the candidates to leverage cloud-based services.
I believe, over time, everything commoditizes and therefore are candidates to be delivered via the cloud. Those CIOs who push non-CORE systems and data to the cloud will save money, improve agility and create flexibility within their enterprises.
- Success is setting contractual terms with flexibility to increase and decrease/eliminate use of the SaaS/cloud solution.
There are many cloud companies that are going out of business. And, when this happens, are you prepared contractually and operationally?
- Your data is out "there" someplace.
- You have 30 days to get it back.
- You have other priorities and few available resources or skills to provide an alternative.
- It’s a huge cost and there could be a disruption in the service.
Most of us leverage SaaS and the cloud with a view that its a one-way move with no thought of ever bringing it back. This is exacerbated by employees who do not worry about the longer term support implications. Few think of the consequences of a provider going out of business.
Ensuring the terms of your contract allow for you to pull the data back is the first step. Understanding what alternate solutions exist is the second. Having a process to evaluate the viability of a service provider is the last, but important step to ensure there are no surprises. Devising a method or plan to get your data back may have to be implemented.
This situation increases with the use of small, new startup cloud companies. Do your due diligence.