
Monday, April 20, 2015

Create the best policy but exclude me from it …

The compliance audit demonstrated significant gaps in processes and policies, which had left the new CIO in a quagmire over how to get started. The report was indeed incriminating for both the internal and the outsourced teams: there were numerous cases of process being bypassed or ignored, along with weak, ambiguous policies and controls. The task appeared herculean, and the team was smarting from the beating it had received from the CFO, to whom the audit team reported. The CIO had come on board a month earlier and was still undergoing his induction.

Every company with an active audit function reviews compliance, risk and process strength against defined policies; the frequency varies, but at least once a year IT figures in the audit calendar. The auditors sift through logs, evidence of process adherence, change requests, documentation, defined standards, IT security, procurement discipline, and the exceptions to all of these. For IT the exercise is fraught with danger, because in the real world compliance is difficult when almost every senior manager requests a deviation from policy.

To get started, the CIO decided to seek help from the audit team, which had engaged one of the big audit firms. The audit team was surprised, since no auditee had ever asked them for help; they dutifully connected the CIO to the consultants, who, citing conflict of interest, recused themselves from the potential engagement. Not one to give up so easily, the CIO reached out to their competitors and engaged them in a full review of people, process, policy and technology, towards creating a practical, implementable set of policies.

Months and many iterations later, the CIO was satisfied with the end result, to which his team had contributed throughout the process. The classification of policies and associated procedures appeared comprehensive and pragmatic in intent. The IT team was content that they finally had markers that would leave little room for exceptions, while the outsourced team responsible for execution would find it easier to comply. But before putting the plan into action, the CIO sought the opinion of the vocal CFO.

Weeks passed after the documents were emailed, with no response; the CIO personally reminded the CFO of the pending request. Time was running short, as the next audit was due in a few months and the CIO did not want another negative rating to fend off. He also depended on some of the other functions to work in tandem. Much nudging and cornering later, the meeting was scheduled. The CIO had his team and the consultants on standby should there be a need to discuss some aspect in detail.

"These policies are not user-friendly! The consultant has given you standard cookie-cutter templates! How do you expect senior management to comply with these? We cannot be expected to change and remember complex passwords every so often. World over, businesses are going digital; how can you have a draconian internet access or social media policy? We need to allow people the freedom to engage with customers! The world is going mobile; you should allow access to information on demand. You have to figure out a better way to implement security!"

The CFO went on shredding the documents, deriving satisfaction from his own critique and commentary; the impracticality of his suggestions had the CIO wondering whether the company would ever succeed in creating a framework that protected the systems while allowing for the processes necessary for good governance. His counterarguments were brushed aside by the CFO, who was unwilling to listen in his quest to add value. The CIO thanked the CFO for his critique and decided to seek counsel from the other CXOs on implementation.

The other CXOs, who had lived with far more restrictive policies elsewhere, commended the CIO for his rational, real-world approach. Soon the next audit came, and the results showed significant improvement in compliance, which validated the approach taken. The CEO was full of accolades for the CIO, while the CFO squirmed and then tried to take credit by highlighting his review prior to execution. The rest knew better and nodded to the CIO on the road taken and the positive outcomes. The CIO thanked everyone for their understanding.

A few weeks later the CFO requested an exception to a policy. It was denied: exceptions required the approval of the CEO, who was against deviations!

Monday, November 11, 2013

We have been hacked !

Not too long ago I had this interesting encounter with a CIO in a highly agitated state talking to someone on the phone while pacing the corridor of a hotel. He looked up to acknowledge my presence and continued the tirade, his face changing shades of red I never thought possible. I waited for him to complete his conversation (more of a monologue) and then asked him the reason for his state of mind. He stated that the information security of his company had been compromised and he was still discovering the extent of damage.

Information security has always been one of those investments that, like an insurance policy, every organization makes to protect itself. The number of threats has kept growing since the internet became intertwined with the enterprise fabric; with complexity increasing and external attacks rising in sophistication, solutions have evolved in an attempt to stay abreast of the game. Security budgets have risen steadily, and so have instances of successful breaches at companies big and small.

In the early days of IT deployments, basic anti-virus was deemed adequate; today security controls encompass almost every device and mode of communication used by enterprises, partners, vendors, and the corporate road warrior. Even manufacturing process controls and industrial equipment have been targets of attacks that left many companies and governments struggling. Every day we hear of new data compromises, phone taps, and social media sharing agreements that leave individuals and what they share exposed to the world.

Surveys and incident reports suggest that a majority of threats are internal, attributable to recalcitrant employees or contractors; many organizations have also been victims of social engineering that coerced sensitive information from gullible staff. Building moats around the castle, then, has largely served as a preventive measure against the external snooper only. Despite this, the industry, feasting on the FUD (Fear, Uncertainty, Doubt) factor, has continued to corner the hapless CISO and CIO into making significant investments, though not without reason, as many attacks and data leaks have shown.

Based on identified security measures and advice from vendors and partners, and in conjunction with his business leaders, my CIO friend had put in place all the technology at his disposal; audits and other exercises had declared his enterprise secure. He had also followed all the good practices and undertaken the path towards a popular security certification. Despite all this, his fortress had been breached, and he was now at the receiving end, having to justify why all the heavy artillery could not secure the company.

The extent of the damage was not great, a few noncritical servers having been breached, but it raised an alarm internally, and the CIO in damage-control mode had to address the issues it raised. A systematic exercise and root-cause investigation revealed that these servers had all the controls the security team had put in place. The breach was traced to a compromised password obtained by social engineering: the hapless user, who knew no better, had shared his credentials.

All the policies, processes and technology were no match for the human frailty that exposed the company. My friend controlled the damage as much as he could and was wondering how to prevent a recurrence of such an attack. His training courses and promotional material to all employees had talked about refraining from exactly such behavior; the attackers were obviously more convincing. As his frustration poured out on sympathetic shoulders, I could only offer him words.

When information security is compromised, what should companies do? Whether it happens through ignorance inside or brute force from outside, any breach can impact company credibility, image, and customers. The resulting impact depends on the industry, size and position in the market. I believe that CIOs and CISOs should define in advance the steps for internal and external communication and execute them without fail. Damage control is as important as the technology solution; after all, the weakest link in the chain is human.
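The breach above was traced to a credential the user gave away, and the post contrasts that with brute force from outside. The check a practitioner would want after such an incident is a way to spot both in authentication logs: an account used from inside and outside the network at nearly the same time (one person rarely does that; a shared credential does), and a burst of failures ending in a success. The Python below is an added example, not code from the original post or from the author's organization; the log line format, the internal address range (10.0.0.0/8), the time windows and the sample log lines are all constructed assumptions.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample log (not real data). Assumed format: "timestamp user src_ip result".
SAMPLE_LOG = """\
2013-11-04T09:01:12 jdoe 10.20.5.14 success
2013-11-04T09:03:40 jdoe 10.20.5.14 success
2013-11-04T09:07:55 jdoe 203.0.113.77 success
2013-11-04T10:15:02 asmith 10.20.7.3 failure
2013-11-04T10:15:03 asmith 10.20.7.3 failure
2013-11-04T10:15:04 asmith 10.20.7.3 failure
2013-11-04T10:15:05 asmith 10.20.7.3 failure
2013-11-04T10:15:06 asmith 10.20.7.3 failure
2013-11-04T10:15:07 asmith 10.20.7.3 failure
2013-11-04T10:15:09 asmith 10.20.7.3 success
2013-11-04T11:30:00 bkhan 10.20.9.21 success
"""

# Assumed corporate address space; anything outside it is treated as external.
INTERNAL_NETWORKS = [ip_network("10.0.0.0/8")]


def parse_log(text):
    """Parse 'timestamp user src_ip result' lines into event dicts, oldest first."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:          # skip blank or malformed lines
            continue
        ts, user, ip, result = parts
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "ip": ip_address(ip), "ok": result == "success"})
    return sorted(events, key=lambda e: e["ts"])


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETWORKS)


def _first_mixed_pair(logins, window):
    """Earliest pair of successes, inside `window`, from an internal and an external address."""
    for i, a in enumerate(logins):
        for b in logins[i + 1:]:
            if b["ts"] - a["ts"] > window:
                break                # logins are sorted, so later ones are further away
            if is_internal(a["ip"]) != is_internal(b["ip"]):
                return (str(a["ip"]), str(b["ip"]))
    return None


def find_shared_credentials(events, window=timedelta(minutes=30)):
    """Accounts that succeeded from both inside and outside the network within `window`."""
    by_user = {}
    for e in events:
        if e["ok"]:
            by_user.setdefault(e["user"], []).append(e)
    findings = []
    for user, logins in by_user.items():
        pair = _first_mixed_pair(logins, window)
        if pair:
            findings.append((user, pair[0], pair[1]))
    return findings


def find_brute_force(events, threshold=5, window=timedelta(minutes=5)):
    """(user, ip) pairs with at least `threshold` failures inside `window` followed by a success."""
    streaks = {}                     # (user, ip) -> failure timestamps still inside the window
    findings = []
    for e in events:
        key = (e["user"], str(e["ip"]))
        fails = streaks.setdefault(key, [])
        while fails and e["ts"] - fails[0] > window:
            fails.pop(0)             # expire failures older than the window
        if e["ok"]:
            if len(fails) >= threshold:
                findings.append((e["user"], str(e["ip"]), len(fails)))
            fails.clear()            # a success ends the streak either way
        else:
            fails.append(e["ts"])
    return findings


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for user, a, b in find_shared_credentials(evts):
        print(f"possible shared credential: {user} used from {a} and {b}")
    for user, ip, n in find_brute_force(evts):
        print(f"possible brute force: {user} from {ip}, {n} failures then success")
```

On the constructed log this flags jdoe (internal 10.20.5.14 and external 203.0.113.77 within minutes) and asmith (six failures then a success from one address); bkhan is left alone. The internal/external split is a deliberately coarse stand-in for geolocation or device identity, which is what a real deployment would key on, and the windows are tuning knobs, not fixed facts.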

Monday, December 19, 2011

Unraveling BYOD/T

The one trend that everyone is talking about, and which figures on every list (priorities, trends, technology, whatever), is Bring Your Own Device/Technology. It has had proponents and opponents from various quarters within and outside the enterprise. Opinions and views, recommendations and pitfalls, management tools and security concerns: the list is endless and continues to keep the CIO bewildered, irrespective of whether s/he embraces BYOT or not.

From what I recollect, it all started with the iPhone and then extended to tablets, laptops, and what have you. Not that earlier personal devices did not connect to the corporate network; they did, first on the wire and then over the air, if you remember devices with a technology called “ActiveSync”. The early phones offered limited connectivity, and as the network and the technology improved, browser-based apps started appearing. The resident app followed soon enough.

I don’t remember all the devices that I used over the last decade and longer being provided by the company, which would imply that we had a lenient policy even before the BYOT buzz appeared and started haunting every technology professional. The early PDA, which eventually integrated the phone, had limited use and was not widely prevalent owing to its unwieldy size and interface. Except for the early large-form-factor devices, carrying one was not a statement to make.

Evolution of the device and the network created new possibilities, and the scattered raindrops became a flood: apps for everything, and power in the hands of the executive with no constraint on time. Business impatience became the hallmark of new technology deployment, swamping all available and unavailable time. The CIO built layers of infrastructure, applications and security to manage the demand. It did not matter who or how many used it; if it was possible, then it had to be available.

The democratization of information worried only the CIO, until stories of compromise started spreading. Compromise not always by the external world, but bits of information scattered across devices and slowly fading out of sight as employees exit, as ignorant employees lose devices, or as devices pass hands within the family. Enterprise liability, driven by law and governance, suddenly finds itself at loggerheads with BYOT.

Depending on the country of incorporation and, more to the point, of operation, the laws require stringent compliance. BYOT contravenes some of them, creating liability not just for the CIO but for the CEO and even the global HQ. A cyber-law expert thrust the fear of the law of the land into listening CIOs, who cringed with every clause and every interpretation of its impact on the executives and the enterprise.

So what are the choices available? Will the CEO not want the next new device on the block connected to the corporate infrastructure? Does s/he evaluate the ramifications to the enterprise? Is ignorance a good excuse? I believe that the CIO needs to raise the bar with heightened awareness, starting with the Board and then cascading downwards. It takes only one incident to create collective pain. CIOs can address the contingent liability with reasonable due diligence, control and documentation to dampen the impact.

It is not going away, but what it means to you is up to you. BYOT = Bring Your Own Trouble, or BYOD = Bring Your Own Demise, or BYOD = Bring Your Own Destiny, or BYOT = Bring Your Own Tension, or BYOT = Bring Your Own Threat, or BYOD/T = ? You decide!

Tuesday, August 24, 2010

Mobile computing and security paranoia

The last few weeks have seen many news and analysis items on the enterprise mobile market leader, the player that made ‘email on the go’ a way of life, in addition to creating sore thumbs and marital discord for many corporate executives. After all these years, there are now growing concerns around national security in many countries around the world, not just corporate data compromise.

A few countries have taken a tough stance, banning the service or seeking the keys to monitor all traffic. The European Union decided to shift its state offices, with 20K+ users, entirely to a popular consumer phone. The phone’s largest customers, as well as the associated services, are worried about whether they will be required to shift to another option within a short span. They dread imagining life without the familiar buzz every few minutes (of another email) and the business applications.

Today we cannot imagine work life without access to email, corporate applications, sales data and much more on the mobile. These devices have made 24x7 slaves of their owners. Expectations of an instant response to a message (irrespective of the hour) are becoming the norm, and this increased productivity is now factored into the workload. Apart from enabling the sales force with planning, reporting and sales data, mobile devices have given even the typical desk-bound executive the ability to stay connected from home. Thus enterprises have seen improvements that were not possible earlier. Suddenly, all this appears to be under threat.

Should the CIO be worried about this looming uncertainty? While a total shutdown is not imminent, restriction of services is a reality. This may extend in the future and cripple the basic functioning of these devices.

To me, the answer is a resounding yes. Country laws and regulations are paramount for every entity operating within its geographical boundaries. There is no circumventing these; so if applications depend on a type of service, they may have to be rewritten or discarded. Alternatives should be explored and options made available, so that should a switch be required, the adverse impact is reduced. This should be discussed with management, and the level of impact (if any) communicated clearly and explicitly.

With an ever-increasing number of mobile devices deployed by the corporation or merely connected to the enterprise (employee-owned), it is important to periodically assess and review mobility solutions and options. Work with the service providers to create an insurance policy. No one wants to die, but insurance always makes sense.

Monday, May 03, 2010

Web 2.0 (Social Media) and the CIO

There are two camps out there, which hype the perils and the advantages of social media for an enterprise—both are gaining ground and visibility. The CXO suite is confused, and this leads to pendulum-like actions (moving from one end to the other) in how they react to these prophesies and theories. In many cases, it also results in total inaction, as they understand, and are comfortable with, the status quo. This leaves the employees in disarray—they act in an uncontrolled manner, thereby adding to the uncertainty.

Confusing? Well, that’s the moot point, so let me elaborate.

There are enough consultants, research papers, anecdotal references and general hype—claiming that every business (irrespective of industry, geographical presence, market share and multi-channel presence) should leverage social media by connecting to consumers. This connection is deemed so important that businesses are creating a presence across almost every social networking site—trying to gather the consumer around this space. A few have been able to get there with some degree of success, while others are struggling to find the meaning of being there. As organizations understand this social media revolution bit by bit, the general feeling is that it might translate into real money in the bank.

The same enterprises are paranoid when it comes to opening access to social networking sites for their employees. One extreme is to mandate that the CIO block access to social networking sites (as management believes that it results in precious time being frittered away). At the other end, the balancers define policy for staff on the dos and don’ts of how to engage on social networking sites. These policies are expected to act as deterrents that moderate use. However, IT organizations tend to bypass these policies for their own kin, rendering their effectiveness suspect. I have not come across any organization with an open access policy and no restrictions on content or the way it is used.

The two stances detailed above diverge from each other. In the first case, the organization seeks to leverage social networking to create business benefit, while in the other it restricts its own staff from participating. Every staff member is also a consumer of merchandise and services, and companies would like to leverage the insights that come from understanding behavior. So if a similar stance were adopted by every business unit, the end result would be akin to companies creating retail stores but preventing their employees from shopping in them.

Is the CXO’s disconnect due to the inability to understand the impact or control the behavior of the consumers? Or is it a generation gap between the digital natives (the new workforce) and digital immigrants (the policy makers)?

Under the guise of corporate security, the restrictions constrain the natural desire to reach out in the digital world. CIOs should recognize these trends within the enterprise, based on demographic undercurrents, and leverage the internal consumer’s voice before reaching out to external consumers through digital media. These same employees will help you find ways to tap this latent source if they are aligned to the initiative. Otherwise they are likely to be disruptive, since they want the freedom—because they can!

Tuesday, April 13, 2010

(IT) Security and the CIO

Last month, many CIOs (including me) were subjected to a barrage of security events—as if the world suddenly needed a lot more protection than it had in the past! CEOs, senior vice presidents and thought leaders suddenly seemed to descend upon the CIO, challenging the security postures of enterprises.

Questions challenging the efficacy of currently deployed solutions were very similar across almost all vendors. Data points from a multitude of surveys were bandied around in an attempt to make CIOs succumb to the FUD (fear, uncertainty, and doubt) factor.

A typical session begins with “Top 5 technology priorities”, and since the presentation is being made by a security vendor, IT security figures prominently in the list. To the hapless CIO, the statistics reveal a scary world full of crackers and nefarious elements (who want to steal customer data, send spam, phish users, attack end computing devices, and sniff network traffic). It does not matter whether the audience agrees. Irrespective of whether the displayed data is from the same geography or industry, the ground is set for a discourse on why your enterprise is not secure if it hasn’t deployed the specific vendor’s solutions.

Almost all cases are built upon the premise that data is stored only electronically, and that leakage can only happen in electronic form. The exercise of data classification is touted as the starting point—except that beyond a point the classification becomes irrelevant, as the imposed controls make conducting business painful. Mobile workers appear as the villains who will lose a laptop or connect to unsecured wireless networks, compromising valuable data.

Yet another cry is for a ban on social media. This does not acknowledge the fact that the business also uses these channels to connect with customers. The mantra is “you cannot trust these gullible, ignorant employees; they are the weakest link”.

Yes, people are indeed the weakest link in security compromises; but they can also be the strongest. The biggest tenet of any business operation is trust. If the enterprise cannot trust its employees to be prudent in their usage of various communication modes or protect the data that matters, then I don’t believe that a technology solution is the answer.

Information security can be effective with the help of education, continuous reinforcement by management, a “zero tolerance” policy towards adverse incidents, periodic reviews, and finally a technology stack that depends on the business operations. Exception management is fraught with danger and should be aggressively discouraged. Many mature organizations have found that making an example of truant employees raises the level of security and builds trust with customers in the long run. Attempts to hush up such cases, or failure to take the strict action already defined in the policy, send a message of tolerance that can significantly compromise the enterprise.

Vendors need to listen as they engage (see Irrelevance of vendor presentations) the CIO in discussions on how they can help their customers sustain and improve their information security postures. This has to be based on an assessment, not on inane survey data that may be far removed from the audience’s reality. Otherwise they risk alienation from their prime customer, the CIO.

Tuesday, February 24, 2009

Top 5 technologies CIOs do not want to hear about

I came back from a marquee CIO event this weekend, and the experience has me wondering whether the time was well spent. When you have 100-odd CIOs from large companies congregating for 3 days, having taken time out to learn, network, debate and whatever else CIOs do at such events, it is blasphemous to subject them to basic stuff on technologies. So here is a list of things that CIOs do not want to hear about at any technology event.
  1. Virtualization : everyone has done it to the extent possible, and no vendor has anything new to say about it, be it storage, servers or even desktops. This is a no-brainer, so stop!
  2. Unified Communication : we have been tying ourselves into knots asking everyone: beyond IP phones, IM, chat, video-conferencing, tele-presence, web-conferencing, audio-conferencing and white-boarding, and combining all of this into one device (if such a device exists and can be deployed across WiFi, CDMA, GSM, WiMAX and 3G at one go), is there a big business benefit?
  3. Security : yeah! we all have UTM, at least in theory, and yes, we patch our servers, desktops, laptops and mobile phones and take backups every day. So what's new?
  4. Green Computing : it's fashionable to talk green; a speaker asks "Do you have green clothing?". In the past every generation of computers doubled the computing power; in the future every generation will halve the power consumed. Green is not only about saving power in the data center and on your end-computing devices.
  5. SaaS and Cloud : everyone has an opinion, and with the exception of sales force automation there are no new offerings worth talking about. The IT organization cannot be like the Indian farmer waiting for the clouds to form and the rain to fall; IT has to keep delivering every day, because business does not wait.

Every vendor who sponsors an event for CIOs believes it can continue to offer the same old stale product presentations and numbers that make no sense to most of us. I believe that if this continues, participation in such events will keep declining to a level where the opportunity dries up for the vendors.

Are there other technologies you want to add to the list?

Monday, February 26, 2007

Security and the CIO

Last week I attended a CIO conference that focused on IT security. The debate that ensued was whether IT security is strategic or tactical within an organization, discussed by an eminent panel comprising CIOs, a chief of IT security and a consultant.

From the word "go" it was obvious that no one was willing to accept that, within their enterprise, IT security is tactical. Many instances were cited to drive home the point that it is indeed strategic. When I asked around the audience, it was evident that the desire is to get security to a strategic level, but the reality is that in most organizations the focus is purely tactical.

The proponent of the strategic view even went on to tell a story about how his business leader consulted him on security, little realizing that the example made it quite evident that there was no alignment: the business leader was primarily ticking off a checklist, seeking clearances only after the system was ready to deploy.

A few CIOs were prudent in stating that there is a balance between strategic intent and tactical implementation. Without the technology and process underlying the operation, people will rarely see the value of what it really means.

I happened to talk about IT security at another seminar a couple of weeks back, which aimed to highlight the practical aspects of IT security and how one manages it. The discussion was not about whether a tactical or a strategic view should be taken, with debate on the pros and cons of each, but about how one succeeds in deploying controls and technology, with the help of people, so that they are effective.

The question still remains in my mind whether we should elevate the question "is IT security strategic or tactical?" in the first place. To me IT security is a must, without which IT will probably collapse, with significant business impact. Even the best-laid plans do fail (the story of TJX is still not cold), and not for want of trying, but because someone tried harder to break in.

I welcome your thoughts.