Posts Tagged ‘security’

3 Questions That Every CIO Should Be Asking About Clouds

Wednesday, January 18th, 2012
Get over your excitement about clouds and start asking questions

I love clouds, you love clouds, we all love clouds. It seems like everyone in IT is talking about cloud computing and how it’s the next big thing. Cloud computing has almost become a part of the definition of information technology. Look, I think that there are a lot of good things about cloud computing, but I’m not convinced that it’s the right solution for everyone. This brings up the question of how a CIO can find out if cloud computing is right for his or her IT department. It turns out that there are three questions that just might provide the answer that you are looking for.

How Much Will This Save Me?

A lot of the excitement about cloud computing comes from the simple fact that most CIOs view the cloud as a way to reduce the cost of running an IT department. However, before visions of cash savings start dancing in your head, you need to answer some questions first.

Roger Cheng over at the Wall Street Journal has taken a look at where the expenses in running an IT department come from. What he’s discovered is that servers run about $2,000 – $6,000. This capital expense can be avoided if instead of buying more servers a CIO simply subscribes to more cloud computing resources when it’s time to expand the company’s IT infrastructure.

In addition to saving on buying more servers, there are potentially other savings that a CIO can realize by moving to the cloud. Buying more servers would require more IT staff to act as systems administrators – no servers means no hiring of additional administrators.

Are Cloud Services Reliable Enough?

It seems as though every other month or so there is another story in the paper about some cloud provider having an outage. One time it’s Amazon, the next it’s Google. Given the importance of information technology, as a CIO you need to be asking yourself if this cloud computing stuff is really reliable enough for you to be trusting your company’s IT infrastructure to.

It turns out that the analysts have taken a look at the overall reliability of the clouds that are being provided and they are as reliable as, if not more reliable than, most companies’ IT infrastructure. One reason for this is that providing a cloud is all that the providers do and so they hire and staff in order to ensure the reliability of their product.

What Don’t I Know About Clouds?

The wise CIO knows to ask “what don’t I know enough to ask about?” One key issue has to do with your company’s most precious asset – its corporate data. When you move this data to a cloud, you are asking another company to take care of it. Are you comfortable doing this?

Is your company really going to save money by moving to the cloud? Not every company will – it all depends on how your IT department is set up now and what it’s going to look like in the future. You have other options for saving money – virtualizing the servers that you have today is one way to accomplish this.

What All Of This Means For You

Cloud computing is all the rage these days in the IT sector. CIOs are getting more and more pressure to introduce cloud computing into their IT departments. Before they take this step, they need to get some questions answered.

The promise of cloud computing is that it will save the IT department money. Do you know where these savings will come from? How does the reliability of the cloud compare to your IT department’s current level of reliability? Finally, what other options besides cloud computing do you have for boosting your IT department’s performance?

Cloud computing appears to be here to stay. However, that doesn’t mean that every CIO should race out and jump into the cloud today. Take your time and get the answers to the important questions and your next step will become clear to you.

- Dr. Jim Anderson
Blue Elephant Consulting –
Your Source For Real World IT Department Leadership Skills™

Question For You: Do you think that the company’s finance department should be involved in determining if the savings of moving into the cloud would be worth the effort?

How CIOs Work With Their Board Of Directors

Wednesday, November 16th, 2011
Presenting To The Board Is A Big Step For CIOs

Congratulations CIO – you’ve been asked to make a presentation to your company’s board of directors. Oh, oh. What are you going to have to do in order to make your career move forward due to this opportunity and not screw it up?

What Does A Board Of Directors Want From A CIO?

First off, let’s all make sure that we’re on the same page here – do you know exactly what your company’s Board Of Directors is? It turns out that when you legally set up a company, you need to create a Board of Directors to run the thing. One of their first tasks is to find a CEO to run the day-to-day company. That’s right – your CEO works for the Board of Directors. It really doesn’t get any higher than this!

Although the Board does understand the importance of information technology, they really don’t care about the IT department – they have much bigger things to worry about. That means that you are going to have to present the information that they have requested very carefully.

Arthur Langer has done some research in this area and he has the following four recommendations for how CIOs should present information to their Board of Directors:

  1. New Ideas: CIOs need to understand why they have been asked to make a presentation to the Board. The Board is not interested in what you spend most of your time worrying about – budget details, hiring issues, etc. Instead, their focus is on the company as a whole and they want to hear from you what you can do to help the company grow. This can include how IT can help out with ongoing operations as well as what you can do more strategically.
  2. Security: Every presentation that a CIO makes to the Board needs to touch on the topic of information security. Remember, they don’t care about the details. Instead, what they want to hear from you is what you are doing to protect the company against risks and what you are doing to ensure that the company’s confidential information won’t get stolen.
  3. Data: If there is one thing that is keeping your Board up at night, it’s worrying about all of that data that your company is sitting on. As the CIO, they see you as being responsible for keeping track of all of this data. That also means that you are viewed as acting as the point-of-contact if the company gets sued and one of those e-discovery programs has to be conducted.
  4. Analytics: Since the Board sees the CIO as being in charge of all of the data that the company collects, they also see you as being responsible for finding ways to get the most out of that data. This means that you need to be ready to tell them how you plan on going about doing this.

How Can You Prepare For A Board Presentation?

Being invited to make a presentation to your company’s board is a great honor. Now you’re going to have to ensure that you make the most of this opportunity. That means, sorry about this, you’re going to have to do some homework.

Here are four things that every CIO needs to do both before and during their presentation to the Board:

  1. Know Your Audience: You should do this before every presentation, and presenting to your Board is no different. You need to understand the personalities of the people who make up the Board. What is their background? What is their reputation within the company? What do other people who have presented to them have to say about them?
  2. Make Friends: How the presentation is going to turn out is often determined before it starts. If you can make contact with Board members before the day of the presentation and ask them questions, then you will have a chance to have an ally in your corner on the day of your presentation.
  3. Time Counts: When you were told how much time you had for your presentation, the person who told it to you was lying. The way that these things work out is that you never get as much time as you were told, or even as much as you ended up being allocated. The Board will hate you forever if you run over your allocated time and will love you forever if you finish up early. Always show up with multiple versions of your presentation so that you can fit into smaller and smaller time periods.
  4. Use Stories: As the company’s CIO you have a great deal of sophisticated knowledge about all things related to the IT sector and how they work. Don’t share this during your presentation. Instead, keep things simple and use stories to make your points – this is what the Board will be able to remember.

What All Of This Means For You

The definition of information technology is that it is how a company uses computers to become more successful. As the company’s CIO, it’s your job to make this happen. When your Board summons you to present to them, you need to understand both what they are interested in and what they don’t want you to talk about.

When you are preparing for your presentation you’ll want to focus on what the Board wants to hear: how IT can help to grow the company, data security, data management, and how best to use the data that the company has. Additionally you’ll need to do your homework in order to prepare for your big presentation.

We talk a lot about finding ways to get the CIO a “seat at the table” when it comes to mapping out the company’s future. Being asked to present to your Board is a fantastic opportunity for a CIO to make a name for himself or herself. Make sure that you take the time to prepare for this presentation and you’ll see your career take off…

- Dr. Jim Anderson
Blue Elephant Consulting –
Your Source For Real World IT Department Leadership Skills™

Question For You: Do you think that you should prepare a separate handout for your presentation to the Board?

What We’ll Be Talking About Next Time

How hard can it be to be a CIO at a major airline? Your job is pretty straightforward – make sure that you can take reservations, schedule the planes and the crews, and print out paychecks every two weeks. Nothing to it, right? Well it turns out that over at the Virgin America airline, their CIO appears to have made a very bad decision and everyone is now paying for it.

Do You Know How To Lock Down A Cloud?

Wednesday, October 5th, 2011
A Cloud Is No Good If You Can't Lock It…

Everybody loves the cloud. Or at least that’s pretty much how it seems if you’ve picked up any of the IT trade rags in the past 18 months. They are filled with articles talking about how the cloud is going to save IT departments tons of money and how it’s the next great thing. Well, not all CIOs are convinced of this and considering some of the humongous security issues that are popping up, you might want to rethink some of your cloudy thoughts…

That Darn Security Thing Wrecks Everything

Cloud computing is currently the NST in IT (that’s “New Shiny Thing”) and because of that a lot of organizations are making the leap and moving their mission critical applications into the cloud as fast as possible. Their motivation for doing this is because of the proven cost savings that cloud computing can offer to an IT department.

A study by Mimecast shows that 70% of CIOs who are already using clouds are planning on moving additional applications into the cloud during the upcoming year. The problem with this plan is that another study, this one by Cenzic, shows that 75% of cyber attacks are targeting internet applications. These attacks work just as well against a cloud based IT infrastructure as they do against today’s dedicated IT infrastructure.

How To Lock Down Your Cloud

This, of course, leads to the question of just exactly what a CIO should do. Clearly we’re all going to move into the cloud over time; however, what should we be doing to prepare for this move into an unsecured land?

The very first thing that a CIO needs to do is ensure that all applications coming out of the IT department are developed to security standards that are actually enforced. This can include performing penetration testing and doing code scanning for known vulnerabilities.

Additionally, since your applications will be running in somebody else’s IT environment, you need to take the time to make sure that that environment is going to be secure. This means that you need to work wording into your service level agreements (SLAs) with your cloud providers that will ensure that they will do everything possible to protect your applications while they are running in the cloud.

What All Of This Means For You

Every CIO has to face reality: cloud computing is upon us. The financial benefits of switching from a dedicated IT infrastructure to a cloud-based infrastructure are so incredibly obvious that you won’t be keeping your CIO job for long if you don’t come up with a transition plan.

What too many CIOs appear to be overlooking is that the switch to cloud computing does not make your existing security problems go away. In fact it may actually add to your IT security challenges. To deal with this you need to implement secure coding standards and ensure that you have solid service-level agreements with your cloud vendors.

By itself, a cloud is not a bad thing. The problem is that it is a fat, juicy target for those people who want to do harm to your IT infrastructure. This means that as CIO you need to be sure to look before you leap and make sure that you’ve locked down your cloud before you make the big switch.

- Dr. Jim Anderson
Blue Elephant Consulting –
Your Source For Real World IT Department Leadership Skills™

Question For You: Do you think that the benefits of cloud computing can be achieved if you use a private cloud?

What We’ll Be Talking About Next Time

‘Tis the time of year that my CIO customers are starting to get itchy to try new things. The kids are out of school and greener pastures beckon. They keep asking me where they should be looking for their next CIO job. Is there any industry that will truly appreciate the value that a skilled CIO can bring to the job? It turns out that the answer is yes and right now I’m recommending one industry in particular: energy companies.

The Machines May Be Virtual, But The Security Problem Is Real

Monday, October 26th, 2009

Virtual Machines Pose Real Security Threats

When you become CIO, you already know that IT security is going to be one of your biggest and least rewarding challenges. If you do a great job at it, then nobody will ever know and you’ll get no credit for it. If you do a poor job, then everyone will know and you’ll get all the blame. That just goes with the CIO job.

In the future, CIOs are going to have a whole new set of security issues that come along with the popularity of virtual machines. The rules for how best to secure these boxes that really aren’t boxes have not been established yet. What can you do to make yourself ready to take on this new challenge?

Just What Is A Virtual Machine?

Before we dive in and start talking about security, let’s make sure that we’re all onboard when it comes to just exactly what a virtual machine is. A while back, some very smart folks (a lot of whom happened to work at a company called VMware) realized that most companies were deploying one application per server in their data centers. One for email, one for web hosting, etc.

It turns out that as servers got more powerful, this was incredibly inefficient – most of the server’s processing power was not being used. The smart people created what they called a virtual machine (or VM) – software that sat on the server between the actual server hardware and the operating system that was running on the server. You can sorta think of it as a lower level operating system.

Once this VM was in place, they discovered that they could run multiple operating systems (and then of course multiple applications on top of those operating systems) on each individual server. When they did this everything was isolated – if one operating system crashed, it didn’t interfere with the other operating systems / applications running on the same box.

As you can well imagine, this has turned out to be an incredibly popular way to reduce the number of servers that have to be deployed and maintained within a data center. However, it has also opened the door to some nasty security problems…

The Problem With Virtualization Security

Oh sure, you THINK that you know how to secure a data center – lock down all of the network ports going in and out, and then take steps to make sure that you know which staff are allowed to enter and leave. Oh oh, when your servers stop being real physical boxes and start to become virtual images, now you’re going to have a whole new set of problems to deal with.

Cameron Sturdevant has been looking into just how we can go about securing the brave new future of virtual machines and he’s uncovered ten new issues that you are going to have to be able to deal with:

  1. Moving Too Fast: since virtual machines can be set up and put into operation much quicker than a real server can, you’re going to have to set up some sort of review process in order to keep things under control.
  2. Redefine Your Boundaries: it used to be simple to be able to keep the important things inside the data center and the threats outside when everything needed a physical box. Now that things are going virtual, these boundaries are getting more murky and you will have to spend the time to redraw them.
  3. Killed By Quantity: since it’s so easy to set up a new virtual machine, you’re going to be facing an explosion of them. This means that you’re going to have to establish a policy to determine when a new virtual machine needs to be deployed and when it needs to be turned off.
  4. Moving Day Is Everyday: since virtual machines can easily move from box to box, you’re going to have to lay down the law in order to make sure that the new server has the appropriate security policies in place in order to support the applications that will be running on it.
  5. Not The Same As The Old Boss: both the tools and the policies that used to work in the world of “real” servers won’t necessarily work in the new world of virtual servers. You’re going to have to find / make new ones.
  6. Virtual Tools: in order to police your virtual machines, you are going to want your security tools to run on virtual machines also – makes sense, doesn’t it?
  7. Cutting Costs: how many CPU cycles your virtual security tools take up will be a huge deal very quickly. The rule of thumb is for them to take less than 2-3% of the CPU’s cycles.
  8. Policy Update Time: not only will you need fancy new tools, but you are also going to need to update your staff on just how one goes about securing virtual boxes. Can you say special training?
  9. Where To Focus?: the experts suggest that you spend your time securing both the virtual machine and its applications and don’t worry so much about the underlying virtual machines. The thinking is that virtual machines are by design isolated from everything else so they are more secure.
  10. Get Some Relief: look for virtual machine management tools that will allow your staff to automate the processes of configuring and deploying virtual machines as much as possible in order to minimize security slipups.

Final Thoughts

Like it or not, when you become CIO you’re going to be living in a virtual world. All of the clever security tools and policies that we’ve created in an attempt to secure the world of physical servers that we now live in are not going to work in the future.

Your challenge will be to find ways to secure the virtual data center while at the same time keeping your IT staff’s workload at a manageable level. The good news is that this can be done, the bad news is that you’re going to be in uncharted territory. Good luck future CIO…!

What We’ll Be Talking About Next Time

Everybody wants their IT services for free. When you become the CIO, you’ve got to find an answer to the ugly question of just who’s going to pay you for all of those fancy IT services that your department can provide.

Poisonous Snakes, Sharp Knives, And Angry Natives: How Much Risk Can You Handle?

Monday, October 19th, 2009
CIOs Know That Security Threats Can Strike At Any Time

Ok CIO wannabe, we’re right in the middle of a global financial crisis and your IT budget has gotten slashed so much it looks like Freddy Krueger has come back and had his way with it. What are you going to do about your spending on security programs: cut ‘em, hold the line, or spend more? Whoops – that was a trick question: all of the answers will get you in trouble.

What The Other Guys Are Doing

Before making any big spending decision, any self-respecting CIO will do what all leaders do – try to find out what the other guys are doing in the hopes that you can just copy them. Well, in this case you’ll be getting mixed signals.

A survey done by Information Week magazine revealed that 19% of CIOs are cutting their security spending. On top of that, only 27% of the surveyed CIOs are planning on increasing their security budgets – that leaves roughly 50% doing the same old thing.

It’s starting to look as though the final remaining sacred cow of IT budgets, spending on securing the enterprise’s IT assets, has finally fallen under the budget trimming axe. This is an excellent opportunity to learn how to be a better CIO: cut too little and the company goes under, cut too much and the company may get sued when your defenses are breached.

What’s Worse: Poisonous Snakes or Sharp Knives?

Here’s another part of your CIO quiz: when your security budget comes under fire and you know that you’re not going to be able to save the whole platoon, who do you pick to live and who do you let die? Tough call eh? That Information Week CIO survey revealed that most CIOs have decided that any security program that deals with compliance in some way, shape, or form needs to be saved.

In the end, CIOs are finally starting to realize that an effective corporate IT security policy consists of just two things:

  • Managing Risk
  • Protecting Data

Don’t Forget About The Angry Natives – How CIOs Prioritize

If the job was easy, then anyone could be a CIO. The CIOs who get it, those who understand what effective IT security is really trying to do, know that the first thing that they have to do is to determine the company’s overall appetite for risk. If the company has an appetite for a lot of risk, then the CIO can trim the IT security budget to the bone. Otherwise, cut with care!

Successful CIOs realize that the right way to go about setting up an IT security program is to start by realizing that you can’t protect everything to the same level and so you need to identify what IT assets are the most valuable to the company. Once you know this, you need to take the next step and estimate the likelihood that those assets might be lost.

Only after you have both of these pieces of information can a CIO have the IT team start to create security programs and put systems of controls in place to protect what needs to be protected. Although compliance programs are on everyone’s minds in these tough economic times, CIOs need to keep in mind that such programs are not always in line with security best practices.

Final Thoughts

If you want to have any hope of ever being a successful CIO, you’ve got to learn to be able to make the tough calls when it comes to funding corporate IT security programs. Although putting measures in place in order to make sure that the company remains compliant with regulations is good, it’s not nearly enough.

Taking the time to properly value your corporate IT assets and identifying what kinds of risks this data faces is the critical first step that too many CIOs skip over. Take the time to do this correctly and you’ll be well positioned to deal with poisonous snakes, sharp knives, and angry natives. Now if we could just find some way to deal with those pesky rampaging elephants…

What do you think should be a CIO’s #1 security concern: remaining in compliance or dealing with the security threat that comes from outside?

What We’ll Be Talking About Next Time

Ok all you CIOs wannabes, guess what one of your first problems is going to be once you assume control of the IT department? No, not that innovation thing. Nor will it be finding new ways to cut costs. Somewhat amazingly considering that we are living in the enlightened 21st Century — you will need to find more women
