Posts Tagged ‘risks’

Do You Know How To Lock Down A Cloud?

Wednesday, October 5th, 2011
A Cloud Is No Good If You Can't Lock It…

Everybody loves the cloud. Or at least that’s pretty much how it seems if you’ve picked up any of the IT trade rags in the past 18 months. They are filled with articles about how the cloud is going to save IT departments tons of money and how it’s the next great thing. Well, not all CIOs are convinced of this, and considering some of the humongous security issues that are popping up, you might want to rethink some of your cloudy thoughts…

That Darn Security Thing Wrecks Everything

Cloud computing is currently the NST in IT (that’s “New Shiny Thing”), and because of that a lot of organizations are making the leap and moving their mission-critical applications into the cloud as fast as possible. Their motivation is the proven cost savings that cloud computing can offer an IT department.

A study by Mimecast shows that 70% of CIOs who are already using clouds are planning on moving additional applications into the cloud during the upcoming year. The problem with this plan is that another study, this one by Cenzic, shows that 75% of cyber attacks are targeting internet applications. These attacks work just as well against a cloud-based IT infrastructure as they do against today’s dedicated IT infrastructure: a flaw in your application code is just as exploitable when that code runs in a provider’s data center as when it runs in yours, because the flaw moves with the application.

How To Lock Down Your Cloud

This, of course, leads to the question of just exactly what a CIO should do. Clearly we’re all going to move into the cloud over time; however, what should we be doing to prepare for this move into an unsecured land?

The very first thing a CIO needs to do is ensure that every application coming out of the IT department is developed to a security standard that is actually enforced, not just written down. This includes performing penetration testing and scanning code for known classes of vulnerabilities before the application goes live, not after.

Additionally, since your applications will be running in somebody else’s IT environment, you need to take the time to make sure that that environment is going to be secure. This means working wording into your service-level agreements (SLAs) with your cloud providers that obliges them to do everything possible to protect your applications while they are running in the cloud. Be clear about where the provider’s responsibility ends: the provider secures the underlying infrastructure, but the security of your own code, configuration, and data remains your problem no matter whose hardware it runs on.

What All Of This Means For You

Every CIO has to face reality: cloud computing is upon us. The financial benefits of switching from a dedicated IT infrastructure to a cloud-based infrastructure are so incredibly obvious that you won’t be keeping your CIO job for long if you don’t come up with a transition plan.

What too many CIOs appear to be overlooking is that the switch to cloud computing does not make your existing security problems go away. In fact it may actually add to your IT security challenges. To deal with this you need to implement secure coding standards and ensure that you have solid service-level agreements with your cloud vendors.

By itself, a cloud is not a bad thing. The problem is that it is a fat, juicy target for those people who want to do harm to your IT infrastructure. This means that as CIO you need to be sure to look before you leap and make sure that you’ve locked down your cloud before you make the big switch.

- Dr. Jim Anderson
Blue Elephant Consulting –
Your Source For Real World IT Department Leadership Skills™

Question For You: Do you think that the benefits of cloud computing can be achieved if you use a private cloud?

Click here to get automatic updates when The Accidental Successful CIO Blog is updated.
P.S.: Free subscriptions to The Accidental Successful CIO Newsletter are now available. Learn what you need to know to do the job. Subscribe now: Click Here!

What We’ll Be Talking About Next Time

‘Tis the time of year that my CIO customers are starting to get itchy to try new things. The kids are out of school and greener pastures beckon. They keep asking me where they should be looking for their next CIO job. Is there any industry that will truly appreciate the value that a skilled CIO can bring to the job? It turns out that the answer is yes and right now I’m recommending one industry in particular: energy companies.

Application Whitelisting Only Works Sometimes – CIOs Need To Know The Facts

Wednesday, August 19th, 2009
Application Whitelisting Offers CIOs Another Way To Protect Their Networks

It’s a battle out there: hackers and organized crime groups vs. your company. Whereas you have to worry about keeping the company successful and lowering costs, all they have to worry about is finding ways to break into your network. Doesn’t seem very fair, does it? There is some good news for CIOs: application whitelisting has arrived.

What is Whitelisting?

The problem with trying to protect your company’s network is that the bad guys are always trying new and innovative things. In order to block them, you have to stay on top of what the latest attack vector is and install defenses against it throughout your network. This can be a real time waster: it’s critical to do, but it contributes nothing to the company’s bottom line.

Whitelisting applications takes a 180-degree different approach to securing your network. Instead of trying to identify and block every malware variant that is trying to get into your network, whitelisting focuses on identifying all of the applications that SHOULD be allowed to run on your machines, typically by the executable’s content hash or its code-signing certificate rather than by its file name.

This of course means that everything not on the whitelist is blocked from running. The theory is that all the malware that shows up will find the door to your network slammed shut: it isn’t on the list, so it never executes.
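As an added illustration of the default-deny model described above (this is example code, not from the original post or any product), here is a minimal hash-based allowlist enforcer. The file contents, names, and the "golden image" allowlist are all constructed inline for the demo; the point it shows that the prose does not is why identity must be the content hash rather than the file name: a renamed approved binary still runs, while a tampered binary with an approved-looking name and an unknown program are both refused.

```python
import hashlib
import os
import tempfile


def sha256_of_file(path, chunk_size=65536):
    """Content hash of an executable; this, not the path, is its identity."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_allowlist(approved_paths):
    """Map sha256 hex digest -> path for every approved executable.
    In a real deployment this is generated from a golden image of the
    static environment (a call-centre desktop, a cash register) and
    protected from tampering; here it is built from constructed files."""
    return {sha256_of_file(p): p for p in approved_paths}


def decide(path, allowlist):
    """Default deny: ("allow", approved_path) only when the file's content
    hash is on the list, otherwise ("deny", reason)."""
    if not os.path.isfile(path):
        return ("deny", "not a regular file")
    digest = sha256_of_file(path)
    if digest in allowlist:
        return ("allow", allowlist[digest])
    return ("deny", "hash %s... not on allowlist" % digest[:12])


def demo():
    """Exercise the enforcer on constructed files (stand-ins for binaries)
    and return the four verdicts in order."""
    approved_bytes = b"APPROVED-POS-APPLICATION-v1"  # constructed payload
    with tempfile.TemporaryDirectory() as d:
        def write(name, data):
            p = os.path.join(d, name)
            with open(p, "wb") as f:
                f.write(data)
            return p

        register = write("register.exe", approved_bytes)
        allowlist = build_allowlist([register])

        verdicts = [
            # 1. the approved binary itself
            decide(register, allowlist),
            # 2. same bytes under a new name: still allowed, identity is the hash
            decide(write("renamed.exe", approved_bytes), allowlist),
            # 3. approved-looking name, modified bytes (trojaned): denied
            decide(write("register-patched.exe", approved_bytes + b"\x90\x90"), allowlist),
            # 4. never-before-seen program that "shows up": denied by default
            decide(write("dropper.exe", b"NEVER-SEEN-BEFORE"), allowlist),
        ]
        return [v[0] for v in verdicts]


if __name__ == "__main__":
    print(demo())  # ['allow', 'allow', 'deny', 'deny']
```

The operational cost the post warns about lives in `build_allowlist`: every legitimate update to an approved program changes its hash, so the list must be regenerated and redistributed with each change, which is why this works in environments that change every six months and not in ones that change every day.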

Whitelisting Is Not For Everyone

In some enterprise IT environments, whitelisting is the wrong way to go. In these environments, using application whitelisting can actually drive up operational costs so high that things quickly get out of hand. Ill-suited IT environments are those in which workers need to be constantly installing new and changed applications on the fly in order to complete their tasks.

Where Whitelisting Works Well

That being said, there are IT environments in which application whitelisting works very well. These environments tend to be very static with very few application changes. A great example of this is call centers.

Another example where whitelisting has worked well is in the retail sector, where cash register environments are very static and only need to be updated every six months. Some companies have discovered that they have been able to do away with anti-virus protection (and the associated cost of maintaining it) on those machines. That trade-off should be made deliberately: whitelisting decides which programs may start, so an attack that runs entirely inside an already-approved program is not something it will catch.

Final Thoughts

The fight to secure the company’s network from the forces that would do bad things to it is never-ending for CIOs. However, this is not what CIOs should be spending their time on – there is not a bottom line benefit.

Whitelisting of applications provides yet another way to secure the firm’s network by taking a novel approach to security – don’t worry about identifying the bad guys, just worry about identifying the good guys.

Whitelisting won’t work for every environment, but in certain static IT environments it can work wonders. CIOs who can identify the right IT environments in which to use application whitelisting will have found a way to apply IT to enable the rest of the company to grow quicker, move faster, and do more.

What We’ll Be Talking About Next Time

Most company’s most valuable asset, after their employees, is their corporate data. CIOs need to find a way to make sure that they know who is accessing it and why.

Data Protection Secrets: CIOs Know That It Starts At The Endpoint

Monday, August 17th, 2009

CIOs Know That Managing Endpoints Is The Key To Securing Company Data

Just imagine this scenario: you’ve just been made CIO of your firm when all of a sudden one of your competitors suffers a massive data loss because of outside hackers. Your CEO storms into your brand-new office and demands to know what you are doing to secure your firm’s data. What would you say?

The Old Way Of Doing Things

Good CIOs realize that a firm’s IT infrastructure can’t just be thought of as “those boxes”. Instead, an IT infrastructure consists of three layers of devices: core servers and perhaps mainframes, a set of network connectivity devices such as routers and switches, and then endpoints, the PCs and laptops that you and I use every day.

IT Networks Consist Of 3 Separate Levels Of Equipment

Since there are more endpoints than any other type of equipment in most corporate networks, CIOs realize that this is where most of their data-loss prevention efforts must be focused.

In the past, securing network endpoints often meant that all one had to do was to load up some anti-virus software on every laptop and you could check this off of your CIO to-do list. Sorry – that no longer works.

Welcome To The Real World

As we enter the brave new world of policy management, we are seeing a shift to policy-based enforcement being used to control company data that is being used on enterprise network endpoints.

Using policy-based management of endpoints allows multiple areas to be managed. These areas include:

  • Configuration – the baseline settings every machine must carry, such as disk encryption and screen lock
  • Patch – how far behind operating system and application updates a machine may fall
  • Access – which users and roles may reach which data from which machines
  • Application – which programs may be installed and run
  • Anti-virus – that protection is present, enabled, and up to date
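To show what “policy-based” means in practice for those five areas, here is an added example (not from the original post, and not any vendor’s product) that evaluates a constructed endpoint inventory against a constructed policy and reports, per machine, which area it fails. The thresholds, hostnames, share names and dates are all assumptions made for the demo; a real implementation would read the records from the endpoint-management agent.

```python
from datetime import date

# Constructed policy thresholds for the five areas (illustrative values).
POLICY = {
    "required_config": {"disk_encryption": True},
    "max_screen_lock_minutes": 15,
    "max_patch_age_days": 30,
    "finance_share_roles": {"finance", "audit"},
    "allowed_apps": {"office-suite", "crm-client", "browser", "vpn-client"},
    "max_av_signature_age_days": 7,
}


def evaluate_endpoint(ep, policy, today):
    """Return a list of (area, finding) for one endpoint record.
    An empty list means the endpoint complies with all five policy areas."""
    findings = []

    # Configuration: baseline settings the machine must carry.
    cfg = ep["config"]
    for key, required in policy["required_config"].items():
        if cfg.get(key) != required:
            findings.append(("configuration",
                             "%s is %r, policy requires %r" % (key, cfg.get(key), required)))
    if cfg.get("screen_lock_minutes", 10**6) > policy["max_screen_lock_minutes"]:
        findings.append(("configuration", "screen lock timeout exceeds policy"))

    # Patch: how stale the machine may be.
    patch_age = (today - ep["last_patched"]).days
    if patch_age > policy["max_patch_age_days"]:
        findings.append(("patch", "last patched %d days ago" % patch_age))

    # Access: who may reach sensitive data from this machine.
    if "finance-share" in ep["mounted_shares"] and ep["user_role"] not in policy["finance_share_roles"]:
        findings.append(("access", "role %r has finance-share mounted" % ep["user_role"]))

    # Application: only approved programs may be installed.
    for app in sorted(set(ep["installed_apps"]) - policy["allowed_apps"]):
        findings.append(("application", "unapproved application %s" % app))

    # Anti-virus: present, running, and current.
    av = ep["antivirus"]
    if not av["enabled"]:
        findings.append(("antivirus", "anti-virus disabled"))
    else:
        sig_age = (today - av["signatures_updated"]).days
        if sig_age > policy["max_av_signature_age_days"]:
            findings.append(("antivirus", "signatures %d days old" % sig_age))
    return findings


def evaluate_fleet(endpoints, policy, today):
    """Map hostname -> findings for every endpoint in the inventory."""
    return {ep["hostname"]: evaluate_endpoint(ep, policy, today) for ep in endpoints}


# Constructed inventory: one compliant laptop and one that fails every area.
SAMPLE_ENDPOINTS = [
    {
        "hostname": "lt-fin-03",
        "user_role": "finance",
        "config": {"disk_encryption": True, "screen_lock_minutes": 10},
        "last_patched": date(2009, 8, 1),
        "mounted_shares": ["finance-share"],
        "installed_apps": ["office-suite", "browser", "vpn-client"],
        "antivirus": {"enabled": True, "signatures_updated": date(2009, 8, 15)},
    },
    {
        "hostname": "lt-sales-17",
        "user_role": "sales",
        "config": {"disk_encryption": False, "screen_lock_minutes": 10},
        "last_patched": date(2009, 6, 1),
        "mounted_shares": ["finance-share"],
        "installed_apps": ["office-suite", "browser", "p2p-client"],
        "antivirus": {"enabled": True, "signatures_updated": date(2009, 7, 20)},
    },
]

TODAY = date(2009, 8, 17)  # fixed so the example is reproducible

if __name__ == "__main__":
    for host, findings in evaluate_fleet(SAMPLE_ENDPOINTS, POLICY, TODAY).items():
        print(host, "compliant" if not findings else findings)
```

The useful property is that the rules are data, not code scattered across scripts: changing the patch window or adding an approved application is an edit to `POLICY`, and the same evaluator then tells you which endpoints are out of line, which is the “prioritize what you want to protect, then see how much of it sits on endpoints” step the post describes.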

The Case For Using Policy-Based Management of Endpoints

Let’s face it: we all have too much to do and too little time in which to get it all done. Establishing corporate IT policies allows a set of rules to be laid down that tell everyone what is and is not permitted. When you extend these policies to cover how you manage the endpoints of the company’s network, then all of a sudden you’ve made your life that much easier.

Policies allow you to prioritize the company information that you want to protect. Once you identify this information, you’ll then be able to realize just how much of it is being stored on the endpoints!

This new understanding then allows you to set up a systems security approach to making your PCs and laptops safe. By doing this you’ll be able to ensure that your network endpoints are now secure places to house that valuable corporate data.

Final Thoughts

There’s no way that any one person in an IT department can make sure that all of your PCs and laptops are secure all the time – even if you are the CIO. Yesterday’s piecemeal approach of placing an anti-virus application on each PC and then considering the job done was a poor solution.

Using a systems approach and establishing company policies for how endpoints should be managed sets up a much simpler way of ensuring that all endpoints are secure. CIOs that do this will have found a way to apply IT to enable the rest of the company to grow quicker, move faster, and do more.

What We’ll Be Talking About Next Time

It’s a battle out there: hackers and organized crime groups vs. your company. Whereas you have to worry about keeping the company successful and lowering costs, all they have to worry about is finding ways to break into your network. Doesn’t seem very fair, does it? There is some good news for CIOs: application whitelisting has arrived.

Security Policies Are What CIOs Know Make Good Security Solutions

Wednesday, July 8th, 2009
CIO's Realize That A Good Security Program Requires A Good Set Of Policies

What does it take to do a really good job of securing your company’s systems and data? Is it just a matter of picking and implementing the right software or hardware solution? Is there a consulting firm that you can pay millions to who will come in and take care of this problem once and for all? Bad news – the answer is no.

How Policies Make A Security Program Work

Securing a firm’s systems and data is a daunting task. The first step to successfully doing this is to develop a risk management program that captures and describes all of the various internal and external risks that your firm is currently facing. Next comes the prioritization, which allows you to determine which of these risks is most likely to affect your firm and how badly; all risks are not created equal.

Once you have prioritized the risks that your firm is facing, the CIO needs to step in and make sure that a program of actionable policies is created in order to secure your systems. All too often, this is the step that gets skipped, and no matter how much technology you throw at the security problem, if you don’t have a good set of policies you’ll never be able to secure your systems.

Policies Secure Your Systems From Day To Day

What too many CIOs tend to forget is that the key to any company’s security program is the human element and you manage this by having a clearly understood set of policies in place. Creating the policies is a first step, making sure that everyone knows about the policies and is living them are the next steps.

Kevin Mitnick is a reformed computer hacker who tours the country talking to businesses about the importance of securing their systems. I had an opportunity to hear him talk recently and it was amazing to hear how he acquired the information that he needed to break into company computer systems.

Kevin used a technique called “social engineering” in which he would basically call someone up and ask them for sensitive system information. No matter whether the firms had a corporate security policy in effect, Kevin was basically able to get the people that he called to violate it. No, they weren’t angry with their company; they were just trying too hard to be helpful. That’s what can happen if you don’t have security policies that are well known by everyone and that tell people what to do when a caller asks for something the policy says they shouldn’t hand over.

Final Thoughts

Doing a risk analysis and prioritizing the results is easy for IT professionals to do. However, creating policies that need to be followed by humans and then actually convincing their coworkers to follow the policies can be a real challenge.

A CIO can ensure that security policies will be successful by publicly stating his / her support for the policies and then by following them. Everyone will know if the CIO takes the policies seriously, and by showing that you do, you will have found a way to apply IT to enable the rest of the company to grow quicker, move faster, and do more.

Questions For You

Does your firm currently have security policies in-place? Have these policies been communicated to everyone? Do they understand them? How can you tell if they are following them? Are you following them? Does anyone know that you are following them? Leave me a comment and let me know what you are thinking.

What We’ll Be Talking About Next Time

So picture this: you’re a CIO and you desperately want to be seen by the rest of the C-level executives as something more than a simple cost center. What to do? If only there was some way that you could tap into all of that incredible creative energy that we all know lives in the IT department…

How Toyota Can Teach IT To Keep Things Fresh

Monday, December 15th, 2008
Toyota Has Several Ways That It Uses To Keep Employees Engaged

Toyota Has Several Ways To Prevent Processes From Becoming Stale

Despite all the talk about innovation these days, we know how things really are. It’s way too easy for us to set up IT processes and procedures that we use to run our IT shops and then over time they become part of a larger “That’s The Way We Do Things Here” culture.

The problem with this is that over time things change. Solutions that were once the best way to do things may no longer be the correct way to be doing something. However, we get caught in our ways and that starts to slow the whole IT department down and then the whole company.

Toyota has found a way around this problem that we can all learn from. They’ve come up with innovative ways to keep their IT employees constantly thinking about how the company can reach out and get new customers, enter new market segments, enter new geographic regions. Additionally, employees are challenged to consider better ways for the company to go after competitors, as well as how to create new ideas and come up with new and better practices.

How does Toyota accomplish all of this? One way is that they set nearly unattainable goals for the company. These goals are what push the company to overcome its existing routines and achieve new levels of performance. One such goal is stated as delivering “a full line in every market”. This is nearly impossible for Toyota (or any car company) to do, but it does a great job of making all employees feel as though they are working together to achieve a common goal.

Toyota’s goals are vague – on purpose. Goals like “create a cleaner car” don’t have clear, nailed-down requirements. By doing this Toyota ensures that employees won’t be able to look at a goal and say to themselves “that goal doesn’t apply to me”. Instead, vague goals result in multiple departments ending up working together in order try to achieve the goals.

What’s interesting about Toyota’s cars which are sold globally is that they aren’t modified to meet local needs. Instead, Toyota takes the time to customize its products to meet the level of consumer sophistication that is found in each country.

IT needs to adopt this way of thinking: how can we modify the way a user interacts with an application to reflect what department they are in? Finance may need sophisticated reporting tools, but sales probably does not.

One of Toyota’s greatest strengths is that it has built a culture in which there is an eagerness to take risks. This excitement about trying new ways to accomplish tasks is what allows Toyota to overcome those things that are blocking it from achieving its almost impossible goals.

Unlike so many other companies, Toyota is not constantly “betting the farm” on massive new projects. Instead, they have adopted a process by which they come up with big plans that they then go about implementing by taking a series of small steps.

This approach coupled with a philosophy of never giving up has allowed Toyota to be successful. When Toyota was developing an environmentally friendly car, they had a lot of failures – engines wouldn’t start, batteries died, etc. However, they never gave up and the Prius was eventually created. Even this car is not the final result, but is rather a stepping stone towards where Toyota wants to get to.

Toyota’s embrace of experimentation has not been done willy-nilly. Rather, they have a structured process called Plan-Do-Check-Act (PDCA) that is baked into their business processes. What makes Toyota different is that employees are encouraged to speak up when something fails or when they run into an unsolvable problem. Toyota’s culture of open communication has a great deal to teach all IT departments.

Does your IT department encourage employees to try new approaches to problem solving? Have you created an environment in which employees feel free to speak up when they run into a problem that they can’t solve? Do you consider your goals to be achievable or impossible? Is this a good thing? Leave me a comment and let me know what you are thinking.