Monday, October 24, 2016

What happens when your CEO chooses an IT vendor without help from IT?

The company was on the way to recovery after a management change; the new management had decided to renovate the business and bring it back to relevance with new customers, on their terms. Products went through a facelift and upgrade to appeal to a younger generation of consumers. The forgotten, sleepy company thus began its journey into the big bad world of digital customer engagement and ecommerce, competing with old and new-age companies that had already gained mindshare and market share with a head start.

The new CEO had the turnaround of an ailing business to his credit; in his no-nonsense style he reviewed and made appropriate changes across functions, inducting fresh talent where required. As part of the transformation he also endorsed technology enablement of company operations, which the new CIO executed successfully. Everyone aligned to the vision of the CEO, who took decisions swiftly, leveraging old connections and industry partners who had worked with him.

With aspirations to make a dent in the global market with digital commerce, he tasked an old friend, a marketing guru acclaimed for having turned around the fortunes of flagging brands a few decades earlier. Bringing him out of semi-retirement, the CEO believed he would succeed in the new age too. The old man acquiesced and used the engagement as a launch pad for his struggling digital practice, which was run by the next generation; the project was signed off with broadly agreed scope and timelines.

Months passed quickly as they progressed, with Marketing taking the lead on the new business opportunity. Working with the vendor and the market sales team, the HQ Marketing team created a market communication plan, collateral, and an outreach and activation program, while coordinating with other teams to launch the business. Only then did they realize that integration with the new IT systems was critical to launching and sustaining the new business, so the CIO was inducted into the group.

By this time the initial deadline had already passed, and the CIO was asked to rush through system integration without delaying the launch. Apologetically, he agreed to expedite the task and went the extra mile to understand requirements from the vendor and provide the necessary help. As meetings progressed, his antennae buzzed that everything was not hunky-dory. He dug deep and wide and realized that they were hurtling towards eventual Armageddon: no signed-off requirements, no project plan, and developers who lacked the required skills.

In a subtle shift of responsibility, the CIO set up project governance and requested weekly updates, which reluctantly started coming as the second deadline passed. Marketing happily deferred to the CIO to take the lead in fixing what was broken; the CEO was apprised of the situation and told that the project would slide further before recovery. Surprisingly, the CEO accepted the status without much protest and asked the CIO to keep him informed as they progressed; he justified the potential debacle as a calculated, low-cost, risky experiment.

The CIO intuitively knew that the project would not deliver to expectation if it continued on its current trajectory. Taking external help, he educated the team about best practices and what could be achieved with the right set of resources. The CEO, unwilling to accept the mistake of having chosen an incompetent vendor, continued to push on; he was unable to go back to his old friend and shift the project to an alternative vendor. The project thus continued to flounder for a while, and the business lost the opportunity as a result.

This situation of the CEO's pet project continues to haunt companies where decisions are taken based on comfort and past performance, even when that performance is unrelated to the task at hand; in many cases convenient scapegoats are found. Almost every CXO steps outside their competency to demonstrate value addition beyond their role, many times with detrimental results. Corporate politics unfortunately does not allow open debate on these matters; power centers get away with suboptimal designs and strategies, leaving the organization at a loss.

It requires strong leadership to accept a mistake, and equally strong leadership to challenge the situation before it gets out of hand. C-level teams rarely get into confrontations, preferring to be nice to each other, and loud-mouthed managers take advantage of this state of affairs. "I am here to be effective and not popular" was a quip I had heard from one such maverick leader who had taken his company to new heights. Everyone loved him, as he bonded the team together around the sustained success he brought to the company.

Where did the project end up? Coming soon …

Monday, October 17, 2016

Fatigue is setting in on information security scares; is a darker future ahead?

Another site hacked, millions of user credentials compromised!
Zero-day attack discovered, patch on the way!
Ransomware is getting smarter, stay alert!

Everything with an embedded computer or chip is vulnerable to attack, especially if it is connected to the Internet. Compromised software, backdoors, unchanged admin passwords, shared identities, complex ever-changing passwords written down on pieces of paper: the number of ways in which we are exposed increases every day. The information security bogey is breathing down our necks every minute while we wonder where the next attack will emerge from to compromise our identity or steal from us.

Every company going digital is exposing information to the Internet; strategy varies by company and implementation, but the fact is that information now sits on public-facing servers and will therefore be targeted. IT organizations and vendors tend to live in a self-proclaimed paradise, smug that they have taken adequate steps to protect themselves. Most of us believe that if there is no evidence of leakage or compromise then we are protected and need not worry about the changing threat landscape, forgetting that an absence of evidence often reflects an absence of logging and monitoring rather than an absence of attackers.

IT departments are under constant pressure to keep the company's information assets secure: data residing on various machines and removable media, data in motion, phishing attacks on customers that abuse the company's domains, and employees clicking through on spam. They must protect the gullible, irresponsible, and naive who refuse to learn from training programs and past mistakes, while at the same time providing access to information on mobiles, from internet cafes, and over public wireless hotspots.

Device management, network management, VAPT (Vulnerability Assessment & Penetration Testing), firewalls, anti-virus, DLP (Data Loss/Leakage Prevention), log management, SIEM (Security Information & Event Management), patch management, hardened devices, VPN (Virtual Private Network), multi-factor authentication, identity management, IDS (Intrusion Detection System), IPS (Intrusion Prevention System), automated malware detection and analysis, anti-adware, WAF (Web Application Firewall): the list of tools is almost endless.

All these pieces, or combinations of them, have to work together to make the enterprise safe and protect the extended ecosystem and staff. The information security organization struggles to educate users and protect the company's digital assets while the consumerization of IT keeps creating holes in the fabric. Everyone wants email access on phones and enterprise apps on the go; the same phones have all kinds of apps downloaded from public app stores snooping around; containerization is still new, though evolving.

Employees, especially senior management, want the flexibility to also access corporate applications from home computers that are not covered by the corporate security program. More touch points mean more exposure; the CISO has to work hard to keep under control a complex jigsaw that regularly threatens to collapse. Organizations are reaching a break point where they now work on acceptable-risk models rather than fixing every piece that is broken or likely to be threatened. Let some fires burn!

Most companies live in the perception that the targets are normally the visible, high-profile companies rather than small, relatively unknown, obscure or insignificant websites and portals: DDoS attacks are launched only when there is commensurate gain, and hacking attempts are made only on digital assets of value or high visibility. While this may be relatively true, much of the scanning and exploitation on the Internet is automated and indiscriminate, and an obscure site is still worth compromising as a phishing host or as a node in someone else's botnet. The reality is that no one can afford to be slack in their preparedness or live in a fool's paradise, believing that as a low-profile non-entity they are safe.

In most large enterprises, security budgets have been steadily increasing to the point where they are now managed independently of IT. The business expects periodic feedback on information asset security and on the action being taken by competitors; Boards want answers on risks to business, market, and reputation in the digital world. The bogey of security is no longer adequate to get budgets sanctioned; they need a clearly outlined business case, risk profiling, regulatory compliance for some industries, ROI, and a connection to business outcomes.

News of breaches today is less sensational, with people accepting that some will be compromised while the majority stay safe, and a few will not disclose. In most cases the root cause analysis shows that human oversight, error, or not following the basics led to the successful attack, with the majority being internally motivated. Complex, high-tech attacks target (pun not intended) easy pickings: financial and personal data that can be used for monetary gain, or they are orchestrated by state actors.

Don't let fatigue defeat you; stay awake and alert. The complex digital world increases our dependence on technology, and there are no choices to make!