Posts Tagged ‘risks’

Application Whitelisting Only Works Sometimes – CIOs Need To Know The Facts

Wednesday, August 19th, 2009
Application Whitelisting Offers CIOs Another Way To Protect Their Networks

It’s a battle out there: hackers and organized crime groups vs. your company. Whereas you have to worry about keeping the company successful and lowering costs, all they have to worry about is finding ways to break into your network. Doesn’t seem very fair, does it? There is some good news for CIOs: application whitelisting has arrived.

What is Whitelisting?

The problem with trying to protect your company’s network is that the bad guys are always trying new and innovative things. In order to block them, you have to stay on top of what the latest attack vector is and install defenses against it throughout your network. This can be a real time waster – it’s critical to do, but it contributes nothing to the company’s bottom line.

Whitelisting applications takes a 180-degree different approach to securing your network. Instead of trying to identify and block all of the bad malware variants that are trying to get into your network, whitelisting focuses on identifying all of the applications that SHOULD be allowed to access your network.

This of course means that you need to block everything that is not whitelisted. The theory is that all that malware that shows up will find the door to your network slammed shut on them.
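The default-deny idea above can be made concrete with a small hash-based allowlist. The following is an added example, not code from the original post or from any whitelisting product: it snapshots the approved programs of a static build, then refuses anything whose contents are not on the list. The file names and contents are constructed for the demonstration.

```python
"""Hash-based, default-deny application allowlist (added example)."""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file's contents; the allowlist keys on content, not on file name."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_allowlist(approved: list[Path]) -> dict[str, str]:
    """Snapshot the approved image once (e.g. when a static build is deployed).
    Returns {sha256: original file name}."""
    return {sha256_of(p): p.name for p in approved}


def check_execution(path: Path, allowlist: dict[str, str]) -> tuple[bool, str]:
    """Default deny: a file may run only if its hash is on the list.
    An unknown file and a modified copy of an approved file both fail."""
    digest = sha256_of(path)
    if digest in allowlist:
        return True, f"allowed (matches approved '{allowlist[digest]}')"
    if path.name in allowlist.values():
        return False, "denied: approved name, but contents differ from the approved build"
    return False, "denied: not on the allowlist"


def demo() -> dict[str, bool]:
    """Constructed scenario: a register image with two approved programs,
    then three execution attempts. Returns {file name: allowed?}."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        pos = root / "pos.exe"
        pos.write_bytes(b"POS APPLICATION v1.0")  # constructed stand-in for a binary
        updater = root / "updater.exe"
        updater.write_bytes(b"UPDATER v1.0")
        allowlist = build_allowlist([pos, updater])

        # Attempt 1: an approved program, unchanged.
        # Attempt 2: an unknown program that appeared on the machine.
        dropped = root / "invoice_viewer.exe"
        dropped.write_bytes(b"UNKNOWN PROGRAM")
        # Attempt 3: an approved program whose contents changed. A legitimate
        # patch and a tampered copy look the same to the list, which is why
        # every application change in the environment costs a re-approval cycle.
        pos.write_bytes(b"POS APPLICATION v1.0" + b" + unapproved change")

        results = {}
        for candidate in (updater, dropped, pos):
            allowed, reason = check_execution(candidate, allowlist)
            print(f"{candidate.name:20s} {reason}")
            results[candidate.name] = allowed
        return results


if __name__ == "__main__":
    demo()
```

The third attempt is the one that drives the operational cost: because the list keys on content, every sanctioned update also has to be re-hashed and re-approved, which is cheap on a register image that changes twice a year and expensive on a desktop where users install software daily.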

Whitelisting Is Not For Everyone

In some enterprise IT environments, whitelisting is the wrong way to go. In these environments, using application whitelisting can actually drive up operational costs so high that things quickly get out of hand. Ill-suited IT environments are those in which workers need to be constantly installing new and changed applications on the fly in order to complete their tasks.

Where Whitelisting Works Well

That being said, there are IT environments in which application whitelisting works very well. These environments tend to be very static with very few application changes. A great example of this is call centers.

Another example where whitelisting has worked well is in the retail sector, where cash register environments are very static and only need to be updated every six months. Some companies have discovered that they have been able to do away with anti-virus protection (and the associated cost of maintaining it) on those machines.

Final Thoughts

The fight to secure the company’s network from the forces that would do bad things to it is never-ending for CIOs. However, this is not what CIOs should be spending their time on – there is no bottom-line benefit.

Whitelisting of applications provides yet another way to secure the firm’s network by taking a novel approach to security – don’t worry about identifying the bad guys, just worry about identifying the good guys.

Whitelisting won’t work for every environment, but in certain static IT environments it can work wonders. CIOs who can identify the right IT environments in which to use application whitelisting will have found a way to apply IT to enable the rest of the company to grow quicker, move faster, and do more.


What We’ll Be Talking About Next Time

Most companies’ most valuable asset, after their employees, is their corporate data. CIOs need to find a way to make sure that they know who is accessing it and why.

Data Protection Secrets: CIOs Know That It Starts At The Endpoint

Monday, August 17th, 2009

CIOs Know That Managing Endpoints Is The Key To Securing Company Data

Just imagine this scenario: you’ve just been made CIO of your firm when all of a sudden one of your competitors suffers a massive data loss because of outside hackers. Your CEO storms into your brand-new office and demands to know what you are doing to secure your firm’s data. What would you say?

The Old Way Of Doing Things

Good CIOs realize that a firm’s IT infrastructure can’t just be thought of as “those boxes”. Instead, an IT infrastructure consists of three layers of devices: core servers and perhaps mainframes, a set of network connectivity devices such as routers and hubs, and then endpoints – the PCs and laptops that you and I use every day.

IT Networks Consist Of 3 Separate Levels Of Equipment

Since there are more endpoints than any other type of equipment in most corporate networks, CIOs realize that this is where most of their company’s data-loss prevention efforts must be focused.

In the past, securing network endpoints often meant that all one had to do was to load up some anti-virus software on every laptop and you could check this off of your CIO to-do list. Sorry – that no longer works.

Welcome To The Real World

As we enter the brave new world of policy management, we are seeing a shift to policy-based enforcement being used to control company data that is being used on enterprise network endpoints.

Using policy-based management of endpoints allows multiple areas to be managed. These areas include:

  • Configuration
  • Patch
  • Access
  • Application
  • Anti-virus
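To show what it means to express the five areas above as enforceable rules rather than a checklist, here is an added example (not code from the original post or from any endpoint-management product). It defines a constructed policy with one rule per area, evaluates a constructed sample fleet against it, and reports which areas each host violates; the thresholds and host records are assumptions made for the demonstration.

```python
"""Policy-based endpoint compliance check across five areas (added example)."""
from dataclasses import dataclass
from datetime import date

# Constructed policy; every threshold here is an assumption, not a figure from the post.
POLICY = {
    "configuration": {"disk_encryption_required": True},
    "patch":         {"max_missing_critical": 0},
    "access":        {"allowed_local_admins": {"it-admin"}},
    "application":   {"approved_apps": {"office", "erp-client", "browser"}},
    "anti-virus":    {"max_signature_age_days": 3},
}


@dataclass
class Endpoint:
    """What an inventory agent would report about one PC or laptop."""
    hostname: str
    disk_encrypted: bool
    missing_critical_patches: int
    local_admins: set[str]
    installed_apps: set[str]
    av_signature_date: date


def evaluate(ep: Endpoint, policy: dict, today: date) -> list[tuple[str, str]]:
    """Return (area, finding) pairs; an empty list means the endpoint is compliant."""
    findings = []
    if policy["configuration"]["disk_encryption_required"] and not ep.disk_encrypted:
        findings.append(("configuration", "disk not encrypted"))
    if ep.missing_critical_patches > policy["patch"]["max_missing_critical"]:
        findings.append(("patch", f"{ep.missing_critical_patches} critical patch(es) missing"))
    extra_admins = ep.local_admins - policy["access"]["allowed_local_admins"]
    if extra_admins:
        findings.append(("access", "unapproved local admins: " + ", ".join(sorted(extra_admins))))
    unapproved = ep.installed_apps - policy["application"]["approved_apps"]
    if unapproved:
        findings.append(("application", "unapproved software: " + ", ".join(sorted(unapproved))))
    age_days = (today - ep.av_signature_date).days
    if age_days > policy["anti-virus"]["max_signature_age_days"]:
        findings.append(("anti-virus", f"signatures {age_days} days old"))
    return findings


def noncompliant(fleet: list[Endpoint], policy: dict, today: date) -> dict[str, list[str]]:
    """Map each non-compliant host to the policy areas it violates."""
    report = {}
    for ep in fleet:
        areas = [area for area, _ in evaluate(ep, policy, today)]
        if areas:
            report[ep.hostname] = areas
    return report


# Constructed sample fleet; these are not real hosts.
TODAY = date(2009, 8, 17)
FLEET = [
    Endpoint("lap-001", True, 0, {"it-admin"}, {"office", "browser"}, date(2009, 8, 16)),
    Endpoint("lap-002", False, 2, {"it-admin", "jsmith"}, {"office", "p2p-client"}, date(2009, 8, 1)),
    Endpoint("pc-017", True, 1, {"it-admin"}, {"erp-client"}, date(2009, 8, 15)),
]

if __name__ == "__main__":
    for host, areas in noncompliant(FLEET, POLICY, TODAY).items():
        print(host, "->", ", ".join(areas))
```

The value of writing the policy down this way is that the same rule set is applied to every endpoint identically, and the output is a list of the specific areas to fix on each host rather than a single pass/fail that tells the CIO nothing about where the data is actually exposed.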

The Case For Using Policy-Based Management of Endpoints

Let’s face it – we all have too much to do and too little time in which to get it all done. Establishing corporate IT policies allows a set of rules to be laid down that tell everyone what is and is not permitted. When you extend these policies to cover how you manage the endpoints of the company’s network, then all of a sudden you’ve made your life that much easier.

Policies allow you to prioritize the company information that you want to protect. Once you identify this information, you’ll then be able to realize just how much of it is being stored on the endpoints!

This new understanding then allows you to set up a systems security approach to making your PCs and laptops safe. By doing this you’ll be able to ensure that your network endpoints are now secure places to house that valuable corporate data.

Final Thoughts

There’s no way that any one person in an IT department can make sure that all of your PCs and laptops are secure all the time – even if you are the CIO. Yesterday’s piecemeal approach of placing an anti-virus application on each PC and then considering the job done was a poor solution.

Using a systems approach and establishing company policies for how management of endpoints should be done sets up a much simpler way of ensuring that all endpoints are secure. CIOs that do this will have found a way to apply IT to enable the rest of the company to grow quicker, move faster, and do more.


What We’ll Be Talking About Next Time

It’s a battle out there: hackers and organized crime groups vs. your company. Whereas you have to worry about keeping the company successful and lowering costs, all they have to worry about is finding ways to break into your network. Doesn’t seem very fair, does it? There is some good news for CIOs: application whitelisting has arrived.

Security Policies Are What CIOs Know Make Good Security Solutions

Wednesday, July 8th, 2009
CIOs Realize That A Good Security Program Requires A Good Set Of Policies

What does it take to do a really good job of securing your company’s systems and data? Is it just a matter of picking and implementing the right software or hardware solution? Is there a consulting firm that you can pay millions to who will come in and take care of this problem once and for all? Bad news – the answer is no.

How Policies Make A Security Program Work

Securing a firm’s systems and data is a daunting task. The first step to successfully doing this is to develop a risk management program that captures and describes all of the various internal and external risks that your firm is currently facing. Next comes the prioritization, which allows you to determine which of these risks is most likely to affect your firm – all risks are not created equal.

Once you have prioritized the risks that your firm is facing, the CIO needs to step in and make sure that a program of actionable policies is created in order to secure your systems. All too often, this is the step that gets skipped, and no matter how much technology you throw at the security problem, if you don’t have a good set of policies you’ll never be able to secure your systems.

Policies Secure Your Systems From Day-To-Day

What too many CIOs tend to forget is that the key to any company’s security program is the human element and you manage this by having a clearly understood set of policies in place. Creating the policies is a first step, making sure that everyone knows about the policies and is living them are the next steps.

Kevin Mitnick is a reformed computer hacker who tours the country talking to businesses about the importance of securing their systems. I had an opportunity to hear him talk recently and it was amazing to hear how he acquired the information that he needed to break into company computer systems.

Kevin used a technique called “social engineering” in which he would basically call up someone and ask them for sensitive system information. No matter if the firms had a corporate security policy in effect, Kevin was basically able to get the people that he called to violate it. No, they weren’t angry with their company, they were just trying too hard to be helpful. That’s what can happen if you don’t have security policies that are well known by everyone.

Final Thoughts

Doing a risk analysis and prioritizing the results is easy for IT professionals to do. However, creating policies that need to be followed by humans and then actually convincing their coworkers to follow the policies can be a real challenge.

A CIO can ensure that security policies will be successful by publicly stating his / her support for the policies and then by following them. Everyone will know if the CIO takes the policies seriously, and by showing that you do, you will have found a way to apply IT to enable the rest of the company to grow quicker, move faster, and do more.

Questions For You

Does your firm currently have security policies in-place? Have these policies been communicated to everyone? Do they understand them? How can you tell if they are following them? Are you following them? Does anyone know that you are following them? Leave me a comment and let me know what you are thinking.


What We’ll Be Talking About Next Time

So picture this: you’re a CIO and you desperately want to be seen by the rest of the C-level executives as something more than a simple cost center. What to do? If only there was some way that you could tap into all of that incredible creative energy that we all know lives in the IT department…

How Toyota Can Teach IT To Keep Things Fresh

Monday, December 15th, 2008
Toyota Has Several Ways That It Uses To Keep Employees Engaged

Toyota Has Several Ways To Prevent Processes From Becoming Stale

Despite all the talk about innovation these days, we know how things really are. It’s way too easy for us to set up IT processes and procedures that we use to run our IT shops and then over time they become part of a larger “That’s The Way We Do Things Here” culture.

The problem with this is that over time things change. Solutions that were once the best way to do things may no longer be the correct way to be doing something. However, we get caught in our ways and that starts to slow the whole IT department down and then the whole company.

Toyota has found a way around this problem that we can all learn from. They’ve come up with innovative ways to keep their IT employees constantly thinking about how the company can reach out and get new customers, enter new market segments, enter new geographic regions. Additionally, employees are challenged to consider better ways for the company to go after competitors, as well as how to create new ideas and come up with new and better practices.

How does Toyota accomplish all of this? One way is that they set nearly unattainable goals for the company. These goals are what push the company to overcome its existing routines and achieve new levels of performance. One such goal is stated as delivering “a full line in every market”. This is nearly impossible for Toyota (or any car company) to do, but it does a great job of making all employees feel as though they are working together to achieve a common goal.

Toyota’s goals are vague – on purpose. Goals like “create a cleaner car” don’t have clear, nailed-down requirements. By doing this Toyota ensures that employees won’t be able to look at a goal and say to themselves “that goal doesn’t apply to me”. Instead, vague goals result in multiple departments ending up working together in order try to achieve the goals.

What’s interesting about Toyota’s cars which are sold globally is that they aren’t modified to meet local needs. Instead, Toyota takes the time to customize its products to meet the level of consumer sophistication that is found in each country.

IT needs to adopt this way of thinking: how can we modify the way a user interacts with an application to reflect what department they are in? Finance may need sophisticated reporting tools, but sales probably does not.

One of Toyota’s greatest strengths is that it has built a culture in which there is an eagerness to take risks. This excitement about trying new ways to accomplish tasks is what allows Toyota to overcome those things that are blocking it from achieving its almost impossible goals.

Unlike so many other companies, Toyota is not constantly “betting the farm” on massive new projects. Instead, they have adopted a process by which they come up with big plans that they then go about implementing by taking a series of small steps.

This approach coupled with a philosophy of never giving up has allowed Toyota to be successful. When Toyota was developing an environmentally friendly car, they had a lot of failures – engines wouldn’t start, batteries died, etc. However, they never gave up and the Prius was eventually created. Even this car is not the final result, but is rather a stepping stone towards where Toyota wants to get to.

Toyota’s embrace of experimentation has not been done willy-nilly. Rather, they have a structured process called Plan-Do-Check-Act (PDCA) that is baked into their business processes. What makes Toyota different is that employees are encouraged to speak up when something fails or when they run into an unsolvable problem. Toyota’s culture of open communication has a great deal to teach all IT departments.

Does your IT department encourage employees to try new approaches to problem solving? Have you created an environment in which employees feel free to speak up when they run into a problem that they can’t solve? Do you consider your goals to be achievable or impossible? Is this a good thing? Leave me a comment and let me know what you are thinking.

Risk Management In IT: How Do You Do It Correctly?

Monday, November 10th, 2008
IT Departments Need To Do A Better Job Of Risk Management

The financial melt-down of 2008 had at its core one simple mistake that a whole bunch of companies made at the same time: they did a lousy job of risk management. They made investments in things that were very risky without realizing just how risky they really were. IT departments face the same challenges: at the start of each year we have a number of different projects that we could possibly work on; however, we rarely if ever do a good job of evaluating the risk associated with each of these projects. Instead we focus on things like ROI, business alignment, and which Sr. VP is sponsoring the project to make our decisions. If we don’t want to get caught in our own special version of an IT meltdown, then we had better see if we can figure out a way to measure the risk of an IT project…

So what is risk when you are talking about an IT project? In the simplest terms risk is the chance that an IT project will fail to produce the results that you are expecting because of a given event or set of events. The purpose of risk management is to make sure that you fully understand the risks associated with a project before you start it as well as managing those risks while you are working on the project.

In the world of IT projects, risk is more often than not associated with the company data that we are in charge of collecting, maintaining, and processing. IT teams need to retrain themselves to focus on the value of the data that an IT project is going to be processing and then determine the likelihood that the project won’t be able to do the processing, or in the worst case will corrupt or lose some / all of that data.

What’s really interesting is that outside of IT, the rest of the business has always used risk analysis to determine when they should roll out new products, determine how to spend marketing budgets, and pick which capital investments they want to make. Implementing a good risk management practice within the IT department is yet another way that CIOs can better align their departments with the rest of the business.

Risk management needs to be baked into all of the steps in your IT department’s projects. This runs from project planning all the way to post-production. Everyone knows that fixing a risk earlier in the process is much cheaper than trying to fix it later on down the line.

How much is all of this going to cost? Actually, a fair amount if you end up doing it correctly. You’re going to have to spend money to determine the value of proposed projects, product lines, and any proposed services. Next you’ll have to assign risks to each of these. This can be quite time consuming; however, the process will pay off over time. The key is to have a strategy for how you want to go about doing this. Focusing on where you want the IT department to be in 5 years is a key part of the process because you want whatever project you select to help you to get there.

How can you tell if all of this effort is worth it? There are actually three ways to go about doing this. Most firms use internal audits in order to determine if their IT risk management activities are paying off. Depending on the industry that you work in, another way is to use regulatory compliance as your measure. Finally, external audits are an expensive but more complete way to measure your effectiveness.

In most IT departments that have an effective risk management function, the funding for the activity comes out of the IT budget. In most companies the belief is that a well executed risk management program will end up saving them money.

In the end, a risk management program will help your IT department to choose the right projects to work on. Once those projects are selected, then it will help you to develop risk mitigation policies, and fix risk vulnerabilities that may end up yielding process efficiencies. It goes without saying that all of this can end up helping a company meet its regulatory compliance needs.

Does your IT department have a way of evaluating the risk of proposed projects? Does your risk management process exist throughout your project process from start to finish? Have you been able to see any savings since you implemented your risk management program? Leave a comment and let me know what you are thinking.