Posts Tagged ‘security’

CIO Cloud Computing 101: Problems With Clouds

Monday, August 3rd, 2009
Not All Clouds Are Right For Cloud Computing (c) 2006

Cloud computing is all the rage these days and everyone who is anyone is making plans to implement at least some flavor of it as soon as possible. It turns out that the decision to go with a cloud computing solution for your IT department might not be as simple as some would lead you to believe. There are challenges to successfully using a cloud and we need to talk about them…

The Seven Challenges Of Cloud Computing

With all of the magazine articles, conferences, and vendors who have shown up to sell it, it’s easy to forget that cloud computing is still an emerging technology – it’s not quite fully baked yet. Neal Leavitt has spent some time studying cloud computing and has identified the following seven issues. CIOs will need to investigate their potential effects before agreeing to any cloud computing initiative:

  • Control: this is the biggest issue when it comes to using cloud computing. By design a company gives up control when it signs up to use a firm’s cloud resources. This means that the cloud provider can make changes to the infrastructure at any time without telling the company. This needs to be managed.
  • Performance / Reliability: When you are using resources that are not located within your firm’s buildings the question of how much computing horsepower you have available when you need it comes up. Additionally, failures will happen and so understanding how you’ll be notified and how quickly issues will be resolved is critical.
  • Security: You know that you can protect your mission critical business data when it’s inside your own walls, but what happens when somebody else is managing it for you?
  • Cost Of Bandwidth: You should be saving money on buying hardware and staffing to maintain it. However, you’ll need to forecast your bandwidth costs very accurately in order to determine the true cost of using the cloud.
  • Vendor Lock-In: true standards for how applications communicate and control applications that are in a vendor’s cloud have not yet been established. This means that vendors are creating their own proprietary interfaces that could end up tying you to a vendor for longer than you would like.
  • Transparency: basically this comes down to the difficulty that you’ll have doing an audit of your IT resources. Since you don’t have true visibility into the cloud you can’t say for certain who has access to your data and how you can keep people out of your sensitive data.
  • Reliability: I’d like to say that clouds are 100% reliable, but I can’t. The trade rags are filled with stories about connections that have gone down and back-up diesel generators that have failed to switch on. There is risk with every decision, you need to decide if you can handle the risk that comes with cloud computing.

Final Thoughts

As exciting as the new field of cloud computing is, CIOs need to slow down and take a deep breath. This is new stuff and that means that not all of the details have been worked out just yet. There are seven major areas that could have a dramatic impact on your company’s ability to get the most out of cloud computing. Do your homework and see if cloud computing offers you a way to apply IT to enable the rest of the company to grow quicker, move faster, and do more.

Questions For You

How important is it for you to retain complete control over your IT boxes? How much downtime can your department / business handle? What would the impact of a security breach be? Leave me a comment and let me know what you are thinking.

Click here to get automatic updates when The Accidental Successful CIO Blog is updated.

What We’ll Be Talking About Next Time

Cloud computing is hot – there’s no denying that. However, as with all things in the information technology field, cloud computing isn’t standing still. Even as you read these words, engineers are hard at work defining and refining just exactly what a cloud computing architecture looks like and how it behaves. Let’s take a peek at what the future holds…

Security Policies Are What CIOs Know Make Good Security Solutions

Wednesday, July 8th, 2009
CIOs Realize That A Good Security Program Requires A Good Set Of Policies

What does it take to do a really good job of securing your company’s systems and data? Is it just a matter of picking and implementing the right software or hardware solution? Is there a consulting firm that you can pay millions to who will come in and take care of this problem once and for all? Bad news – the answer is no.

How Policies Make A Security Program Work

Securing a firm’s systems and data is a daunting task. The first step to successfully doing this is to develop a risk management program that captures and describes all of the various internal and external risks that your firm is currently facing. Next comes the prioritization, which allows you to determine which of these risks is most likely to affect your firm – all risks are not created equal.

Once you have prioritized the risks that your firm is facing, the CIO needs to step in and make sure that a program of actionable policies is created in order to secure your systems. All too often, this is the step that gets skipped, and no matter how much technology you throw at the security problem, if you don’t have a good set of policies you’ll never be able to secure your systems.

Policies Secure Your Systems From Day-To-Day

What too many CIOs tend to forget is that the key to any company’s security program is the human element and you manage this by having a clearly understood set of policies in place. Creating the policies is a first step, making sure that everyone knows about the policies and is living them are the next steps.

Kevin Mitnick is a reformed computer hacker who tours the country talking to businesses about the importance of securing their systems. I had an opportunity to hear him talk recently and it was amazing to hear how he acquired the information that he needed to break into company computer systems.

Kevin used a technique called “social engineering” in which he would basically call up someone and ask them for sensitive system information. Whether or not the firms had a corporate security policy in effect, Kevin was basically able to get the people that he called to violate it. No, they weren’t angry with their company, they were just trying too hard to be helpful. That’s what can happen if you don’t have security policies that are well known by everyone.

Final Thoughts

Doing a risk analysis and prioritizing the results is easy for IT professionals to do. However, creating policies that need to be followed by humans and then actually convincing their coworkers to follow the policies can be a real challenge.

A CIO can ensure that security policies will be successful by publicly stating his / her support for the policies and then by following them. Everyone will know if the CIO takes the policies seriously, and by showing that you do, you will have found a way to apply IT to enable the rest of the company to grow quicker, move faster, and do more.

Questions For You

Does your firm currently have security policies in-place? Have these policies been communicated to everyone? Do they understand them? How can you tell if they are following them? Are you following them? Does anyone know that you are following them? Leave me a comment and let me know what you are thinking.


What We’ll Be Talking About Next Time

So picture this: you’re a CIO and you desperately want to be seen by the rest of the C-level executives as something more than a simple cost center. What to do? If only there was some way that you could tap into all of that incredible creative energy that we all know lives in the IT department…

Vulnerability Management: The CIO’s Other Job

Monday, July 6th, 2009

CIOs Will Get The Blame If They Don't Do A Good Job Of Vulnerability Management

The role of a CIO is to find ways to apply IT to enable the rest of the company to grow quicker, move faster, and do more. As part of this task a CIO needs to take steps to ensure that nothing happens that would prevent this from happening. This side of the job is not nearly as glamorous; however, it is at least as critical. What can a CIO do to ensure that nothing bad happens to a firm’s IT systems?

The Job Of Vulnerability Management

The first step in ensuring that a firm’s IT systems continue to allow the company to move forward is to come to terms with the real world. This means that CIOs need to acknowledge that the world can be an ugly place and there will always be outsiders who want to do harm to your firm. The person in the firm who will be most interested in what is being done to defend against attacks on IT systems will be the CFO. When discussing vulnerability management with the CFO, the CIO needs to explain that at its heart it’s really just the principles involved in risk management combined with practical logic and an understanding of business value for the firm.

How To Do Vulnerability Management

Although a CIO won’t actually perform the process of vulnerability management, he / she is responsible for ensuring that the program is set up correctly. This means that the three key components of a vulnerability management program need to be put in place:

  • Data Collection Needs To Be Integrated: Attacks on your IT systems rarely show up all at once. Instead, there is a sequence of minor events that occur as your defenses are probed looking for weaknesses. Having all of your data on system configurations, patch status, and access management policies in one place is a critical part of providing you with the ability to identify issues and respond proactively.
  • Prioritize Based On Business Value: Look, we are all busy and have too little time and budget to begin with. If you understand the value of each IT system, then you can allocate resources appropriately. Not all events require a full blown response – low value systems can simply be monitored further, and their defenses can be strengthened on your own schedule rather than on an emergency one.
  • Improve, Improve, Improve: Vulnerability management is not something that can be done once and then forgotten about. The world is constantly changing and your program will need constant refinement to adapt to new threats.
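As an added example (not from this post, and not any vendor’s product) of how the first two components fit together in practice, the Python below joins constructed versions of the three data sources the first bullet names (an asset inventory carrying a business value, scanner findings, and a patch-status feed) and turns them into a ranked work queue. The same flaw on a critical, internet-facing system and on a low-value build server lands in different response tiers, an already-patched finding is dropped, and a host that the scanner saw but the inventory doesn’t know about is flagged as a data-collection gap rather than silently scored low. Host names, finding ids, scores, the exposure multiplier and the tier thresholds are all hypothetical.

```python
"""Prioritise scanner findings by business value.

Added example: joins three constructed data sets (asset inventory,
scanner findings, patch status) into a ranked work queue. All hosts,
finding ids and numbers below are made up for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed asset inventory: business value 1 (low) to 5 (critical).
ASSETS: Dict[str, dict] = {
    "erp-db-01":    {"value": 5, "internet_facing": False},
    "web-store-01": {"value": 4, "internet_facing": True},
    "dev-jenkins":  {"value": 2, "internet_facing": False},
    "kiosk-07":     {"value": 1, "internet_facing": True},
}

# Constructed scanner output: (host, finding id, CVSS base score).
FINDINGS: List[Tuple[str, str, float]] = [
    ("erp-db-01",    "VULN-A", 7.5),
    ("web-store-01", "VULN-B", 9.8),
    ("dev-jenkins",  "VULN-B", 9.8),   # same flaw, far less valuable host
    ("kiosk-07",     "VULN-C", 5.0),
    ("erp-db-01",    "VULN-D", 4.0),   # already closed per the patch feed
    ("lab-box-99",   "VULN-E", 3.0),   # host missing from the inventory
]

# Constructed patch-management feed: (host, finding id) pairs already fixed.
PATCHED: Set[Tuple[str, str]] = {("erp-db-01", "VULN-D")}

UNKNOWN_ASSET_VALUE = 5   # an unlisted host gets the worst-case value (assumption)


@dataclass
class Ticket:
    host: str
    finding: str
    cvss: float
    priority: float
    action: str
    note: str = ""


def priority_score(cvss: float, value: int, internet_facing: bool) -> float:
    """Severity weighted by business value; exposed hosts get a 1.5x boost."""
    exposure = 1.5 if internet_facing else 1.0
    return round(cvss * value * exposure, 1)


def action_for(priority: float) -> str:
    """Map a score to a response tier. Thresholds are an assumption; tune per firm."""
    if priority >= 30:
        return "respond now"
    if priority >= 15:
        return "schedule"
    return "monitor"


def build_queue(assets: Dict[str, dict],
                findings: List[Tuple[str, str, float]],
                patched: Set[Tuple[str, str]]) -> List[Ticket]:
    """Merge the three feeds and return tickets, highest priority first."""
    queue: List[Ticket] = []
    for host, finding, cvss in findings:
        if (host, finding) in patched:
            continue                         # patch feed says this is closed
        asset = assets.get(host)
        note = ""
        if asset is None:
            # Scanner knows a host the inventory does not: score it as critical
            # and say so, because the real defect is in data collection.
            asset = {"value": UNKNOWN_ASSET_VALUE, "internet_facing": False}
            note = "not in inventory: fix data collection"
        score = priority_score(cvss, asset["value"], asset["internet_facing"])
        queue.append(Ticket(host, finding, cvss, score, action_for(score), note))
    queue.sort(key=lambda t: t.priority, reverse=True)
    return queue


if __name__ == "__main__":
    for t in build_queue(ASSETS, FINDINGS, PATCHED):
        print(f"{t.priority:5.1f}  {t.action:12} {t.host:13} {t.finding}  {t.note}")
```

Running it prints the queue with the web store’s VULN-B at the top as “respond now” and the identical VULN-B on the build server two tiers lower as “schedule”, which is the point of the second bullet: the same scanner output produces different work depending on what the system is worth to the business.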

Final Thoughts

A CIO can do a great job of empowering the rest of the company to accomplish wonderful things; however, if the firm’s IT systems are compromised then all of the good that he/she has done will be forgotten in a flash. A well executed vulnerability management program provides a way to defend the firm against a cruel world. CIOs who follow the three steps that we’ve discussed will have found a way to apply IT to enable the rest of the company to grow quicker, move faster, and do more.

Questions For You

Does your firm currently have a vulnerability management program? Have you taken the time to assign a business value to each of your IT assets or does everything have the same value? Do you constantly refine your vulnerability management program based on changes in your IT systems and the direction of your business? Leave me a comment and let me know what you are thinking.


What We’ll Be Talking About Next Time

What does it take to do a really good job of securing your company’s systems and data? Is it just a matter of picking and implementing the right software or hardware solution? Is there a consulting firm that you can pay millions to who will come in and take care of this problem once and for all? Bad news – the answer is no.

Protecting Company Data Is How CIOs Can Make Friends With CFOs

Wednesday, July 1st, 2009

Securing A Company's Data Provides CIOs With An Opportunity To Work With The CFO

Data Security. There I said it. It sorta lays there like a big lump of coal and everyone in the company stands around looking at it wondering whose responsibility it is to do something about it. Nobody, including CIOs, really wants to touch it for one very simple reason: it’s a losing proposition.

How To Make Friends With Your CFO

Data security, despite being big, heavy, and ugly, always seems to end up in the CIO’s lap. Since you really can’t do anything to prevent this, it sure looks like this is a great opportunity to try to turn a liability into an asset. Ericka Chickowski over at Baseline magazine has taken a look at this issue and come up with some interesting ways to help CIOs work more closely with CFOs. It all starts with compliance. Now compliance is just about as exciting as security; however, firms are willing to spend the big bucks on making sure that they are compliant because they know that there are potentially some big financial penalties if they don’t. It is the clever CIO that sits down with his / her CFO and explains that the company’s data security program can be thought of as an extension of its compliance program. What this means is that you don’t really need a separate program and your costs should be much lower. What CFO wouldn’t be interested in hearing that?

Get Your Priorities In Order

One of the things that the CIO can learn from the compliance side of the house is that a critical first step is to make sure that you prioritize the company data that you are going to be protecting. All data is not created equal! What’s interesting here is that the importance of any single piece of information is based on two things: its value to the company and its role in keeping the company compliant. If your firm were a hospital, then clearly an electronic patient record would fall into the “top priority” bucket.

Act On Your Priorities – Not Necessarily Your Compliance

The level of protection that the IT department needs to surround a given piece of information with will depend on the result of this prioritization. I hope that you realize that this is just a fancy way of saying that there is some company data that you DON’T have to protect (or at least not very much). Just about now you’d expect me to say that you should always go all out to protect ALL of your company data that is involved in a compliance program. But I’m not going to do that. Chickowski points out that not all regulations are created equal. In fact, some have fairly weak “teeth”. These are all things that the CIO and the CFO need to understand as they create a data protection plan / compliance program for the company. Spend those limited budget bucks to make sure that the important data is secure and then do what you can for the rest.

Final Thoughts

Within the company, the CFO ALWAYS wields more power than the CIO – money talks. Folding a company’s data security program into its compliance program is a great way for a CIO to work closely with the CFO and end up saving the firm money (always a good thing) and ensuring that it is both compliant and its data is secure. In addition to providing a CIO with a reason to talk to the CFO that doesn’t involve begging for more money, an agreement about securing the company’s data can allow CIOs to apply IT to enable the rest of the company to grow quicker, move faster, and do more.

Questions For You

Does your company have separate compliance and data security programs? Does your CIO talk with the CFO about how best to secure the firm’s data? Do you prioritize your data or is it all treated as being at the same level of importance? Leave me a comment and let me know what you are thinking.

What We’ll Be Talking About Next Time

The role of a CIO is to find ways to apply IT to enable the rest of the company to grow quicker, move faster, and do more. As part of this task a CIO needs to take steps to ensure that nothing happens that would prevent this from happening. This side of the job is not nearly as glamorous; however, it is at least as critical. What can a CIO do to ensure that nothing bad happens to a firm’s IT systems?

Kevin Mitnick Speaks About IT Security

Wednesday, April 29th, 2009

Kevin Mitnick is a reformed computer hacker who now provides security consulting

I had an opportunity to attend a very large IT health care show up in Chicago a while back and I was surprised to discover that Kevin Mitnick, the somewhat infamous computer hacker, was scheduled to give a speech.

Now even though I don’t move in computer security circles that much, I know about Kevin Mitnick. I know about him because I read Tsutomu Shimomura’s book Takedown: The Pursuit and Capture of Kevin Mitnick, America’s Most Wanted Computer Outlaw-By the Man Who Did It. If you’ve never read the book, I can recommend it. In a nutshell, Mitnick was a hacker who had evaded capture until he ticked off Shimomura who is a computer security pro. After he did that, Shimomura went after him with a vengeance and eventually helped the authorities catch him and send him to jail.

Now here in America, we all enjoy a good comeback story and that’s basically what Kevin’s been living. He has reinvented himself as a computer security consultant and by all accounts appears to be making a very nice living for himself.

Kevin Mitnick's Business Card Contains Lock Picking Tools - Talk About Unique!

Since getting out of prison, Kevin’s been quite busy. He’s an author and he’s written two books: The Art of Deception: Controlling the Human Element of Security and The Art of Intrusion: The Real Stories Behind the Exploits of Hackers, Intruders and Deceivers.

Kevin is actually a pretty good speaker. The focus of the speech that he gave was to remind CIOs that no matter how much they have invested in firewalls, RSA tokens, and passwords that change every 90 days, it’s social engineering that they need to fear the most.

Kevin’s speech basically consisted of stories in which he would tell how he had broken into various computer systems using a variety of low-tech methods. These included making phone calls and asking for cell phone source code (thanks Motorola!) or simply doing dumpster diving to collect scraps of paper with usernames and passwords on them.

Kevin pointed out that one of the most valuable items that he had ever gotten his hands on was the corporate directory for GTE. Once he had this, he had everyone’s phone number and knew who reported to whom. With this info, he could place calls to get more and more information.

Kevin’s stories and his continuing success on the right side of the law this time should serve as a reminder for all of us that at the end of the day, it’s the people who work in an IT department that are your weakest link in security. If you fix this issue, then you’ll be much closer to having a secure organization.

Have you ever had a problem with someone trying to gain access to your department / network by using social engineering? What do you do to prevent “dumpster diving” from being successful at your place of work? Would you ever hire a convicted hacker to help you improve your cyber security? Leave me a comment and let me know what you are thinking.