(Source Photo: here with attribution to Kuster and Wildhaber Photography)
– The attacks are real, stealthy, persistent, and can devastate our nation.
– Cyber attacks occur at the speed of light, are global, can come from anywhere, and can penetrate our traditional defenses.
– In the event of a major cyber attack, what could we expect? Department of Defense networks collapsing, oil refinery fires, lethal clouds of gas from chemical plants, the financial systems collapsing with no idea of who owns what, pipelines of natural gas exploding, trains and subways derailed, a nationwide blackout. These are not science fiction scenarios. (Adapted from Richard Clarke, former Senior Advisor of Cyber Security)
– It is not a matter of if, but when a Cyber Pearl Harbor will occur. We have been fortunate [so far]. (Adapted from General Keith Alexander, Director of the NSA).
I believe we must address these threats and our vulnerabilities in at least five main ways:
1) Increase research and development for new tools and techniques–both defensive and offensive–for fighting cyberwar.
2) Establish a regulatory framework with meaningful incentives and disincentives to significantly tighten cybersecurity across our critical infrastructure.
3) Create a cybersecurity corps of highly trained and experienced personnel with expertise in both the strategic and operational aspects of cybersecurity.
4) Prepare nationwide contingency plans for the fallout of a cyberwar, if and when it should occur.
5) Create a clear policy for preventing cyberattacks by taking preemptive action when there is a known threat, as well as for responding with devastating force when attacks do occur.
With cyberwar, just as in conventional war, there is no way to guarantee we will not be attacked, but we must prepare with the same commitment and zeal–because the consequences can be just as, if not more, deadly.
I thought this infographic on the “8 Levels of IT Security” was worth sharing.
While I don’t see each of these as completely distinct, I believe they are all important aspects of enterprise security, as follows:
1) Risk Management – With limited resources, we’ve got to identify and manage the high probability, high impact risks first and foremost.
2) Security Policy – The security policy sets forth the guidelines for what IT security is and what is considered acceptable and unacceptable user behavior.
3) Logging, Monitoring, and Reporting – This is the eyes, ears, and mouth of the organization in terms of watching over its security posture.
4) Virtual Perimeter – This provides for the remote authentication of users into the organization’s IT domain.
5) Environment and Physical – This addresses the physical protection of IT assets.
6) Platform Security – This provides for the hardening of specific IT systems around aspects of its hardware, software, and connectivity.
7) Information Assurance – This ensures adequate countermeasures are in place to protect the confidentiality, integrity, availability, and privacy of the information.
8) Identification and Access Management – This prevents unauthorized users from getting to information they are not supposed to.
Overall, this IT security infographic is interesting to me, because it’s an attempt to capture the various dimensions of the important topic of cyber security in a straightforward, visual presentation.
However, I think an even better presentation of IT security would be using the “defense-in-depth” visualization with concentric circles or something similar showing how IT security products, tools, policies, and procedures are used to secure the enterprise at every level of its vulnerability.
IT security is not just a checklist of do’s and don’ts, but rather it is based on a truly well-designed and comprehensive security architecture and its meticulous implementation for protecting our information assets.
Does anyone else have any other really good visualizations on cyber security?
(Source Photo: here)
By now we are all familiar with the news story regarding a prominent lawmaker, recently married, who admitted to a longstanding pattern of inappropriate sexual exploits via Twitter.
As The Wall Street Journal (9 June 2011) notes, the individual got caught when he “mistakenly sent the photo to tens of thousands of Twitter followers,” rather than as a private message.
As a public servant who is a proponent of social media technology used appropriately, I was very concerned when I saw this in the news (note: all opinions my own).
The government needs social media tools like Twitter. It is an important tool for sharing information and alerts. It is obviously not for “sexting” your followers, especially with a Twitter handle that is apparently coming from someone in the government.
Twitter is an important means of engaging the public in important ways, moving this great country forward on policy issues and a vision that is noble, righteous, and for the betterment of our world. What a shame when these tools are misappropriated!
So while I cannot say “with certitude” what exactly this person was thinking, I am certain that we need social media in government and that there are numerous positive ways for it to be applied. With the caveat that the basis for social media by anyone in government has to be truth, transparency and genuine outreach on issues of importance to the people.
A lot of government people and agencies are doing a good job with Twitter and other social media tools. Let’s go back to focusing on the positive work that we can do with them, even as we note with caution how badly they can be misused.
Just coming out of the blazing hot summer, the blizzard this past February seems like ages ago. Yet this storm brought the federal workforce in D.C. to a halt for 6 days, costing more than $100 million in lost productivity per day. This was offset only by the 1/3 of the federal workforce which was teleworking.
I still remember Snowmaggedon because that was when we shoveled out the wrong car because the snow was so high we couldn’t see which was ours.
More seriously though, telework benefits federal agencies in many ways:
1. Increases productivity
2. Enhances work-life balance and morale
3. Helps the environment by keeping cars off the road
4. Can save the taxpayer money by reducing the agency’s footprint
Data from the Telework Research Network indicate that telework could save agencies and participants as much as $11 billion annually (on such things as real estate, electricity, absenteeism, and employee turnover) and that if eligible employees telecommuted just one day every other week, agencies would increase productivity by more than $2.3 billion per year (driven by employee wellness, quality of life, and morale).
Telework got a boost when the House and the Senate passed similar bills–in May and July respectively–to expand telework opportunities. The two chambers now must reconcile their versions before a final bill heads to President Obama for approval. The Telework Enhancement Act would make employees presumptively eligible and require that agencies establish telework policies, designate a telework managing officer, and incorporate telework into agencies’ continuity of operations plans.
Five years ago nobody would’ve thought that EA would inform the discussion on telework. EA was still primarily a compliance-only mechanism and didn’t have a real seat at the decision table. Now, thanks to the efforts of all of you, its strategic benefit is recognized, and EA is playing a vital role in planning and governing strategic IT decisions such as investing in and implementing telework solutions for our agencies.
Our distinguished panelists here today will discuss how EA is informing the discussion of telework from both the policy, systems, and security perspectives.
So much for letting the best product win. According to the Wall Street Journal, 13-14 March 2010, Microsoft is forcing their employees to “choose” Microsoft phones for personal use and to push those who don’t into hiding.
Is this a joke or a genuine throwback to the Middle Ages?
Apparently this is real: “Last September, at an all-company meeting in a Seattle sports stadium, one hapless employee used his iPhone to snap photos of Microsoft Chief Executive Steve Ballmer. Mr. Ballmer snatched the iPhone out of the employee’s hands, placed it on the ground, and pretended to stomp on it in front of thousands of Microsoft workers.” That sends a pretty clear message!
I guess the employee can consider himself lucky that Mr. Ballmer didn’t put him (instead of the iPhone) on the ground underneath his foot or perhaps maybe even just burn him at the stake for heresy against Microsoft.
Further, in 2009, Microsoft “modified its corporate cellphone policy to only reimburse service fees for employees using phones that run on Windows.”
While many workers at Microsoft can evidently be seen with iPhones, others are feeling far from safe and comfortable doing this. According to the article, one employee told of how when he meets with Mr. Ballmer (although infrequently), he does not answer his iPhone no matter who is calling! Another executive that was hired into Microsoft in 2008 told of how he renounced and “placed his personal iPhone into an industrial strength blender and destroyed it.”
Apparently, Mr. Ballmer told executives that his father worked for Ford Motor Co. and so they always drove Ford cars. While that may be a nice preference and we can respect that, certainly we are “big boys and girls” and can let people pick and choose which IT products they select for their own personal use.
While many employees at Microsoft have gone underground with their iPhones, “nearly 10,000 iPhone users were accessing the Microsoft employees’ email systems last year,” roughly 10% of their global workforce.
My suggestion would be that instead of scaring the employees into personally using only Microsoft-compatible phones, they can learn from their employees who choose the iPhone—which happens to have a dominant market share at 25.1% to Microsoft’s 15.7%—in terms of why they have this preference, and use this understanding to update and grow the Microsoft product line accordingly. In fact, why isn’t Microsoft leveraging to the max the extremely talented workforce they have to learn everything they can about the success of the iPhone?
It’s one thing to set architecture standards for corporate use, and it’s quite another to tell employees what to do personally. It seems like there is a definite line being crossed explicitly and implicitly in doing this.
What’s really concerning is that organizations think that forcing the use of their products on their employees by decree somehow negates their losing the broader product wars out in the consumer market.
Obviously, IT products don’t win by decree but by the strength of their offering, and as long as Microsoft continues to play medieval, they will continue to go the way of the horse and buggy.
Frequently employees face double-bind messages in the workplace, and these not only impair morale, but also can result in poor decision-making.
One example has to do with whether we should apply tried and true best practices or be creative and innovative. This manifests when employees who bring innovative approaches to the table to solve problems are told, “there’s no reason to recreate the wheel on this.” And then when the employees take the opposing track and try to bring established best practices to bear on problems, they are told disparagingly, “ah, that’s just a cookie cutter approach.”
Another example has to do with when and how much to analyze and when to decide. Employees evaluating solutions hustle to get a proposal on the table, only to be told they haven’t done enough work or it’s superficial and they need to go back, “do due diligence, and conduct a more thorough evaluation.” Then when the employees go back to conduct a thorough analysis of alternatives, business case, concept of operations and so on, they are told, “what is taking you so long? You’re just getting bogged down in analysis paralysis—move on!”
I am sure there are many more examples of this where employees feel like they are in a catch 22, between a rock and a hard place, damned if they do and damned if they don’t. The point is that creating contradictions, throwing nifty clichés at employees, and using that to win points or get your way in the decision process, hurts the organization and the employees that work there.
What the organization needs is not arbitrary decision-making and double-bind messages that shut employees down. Rather, organizations need clearly defined, authoritative, and accountable governance structures, policies, processes, and roles and responsibilities that open them up to healthy and informed debate and timely decisions. When everyone is working off of the “same sheet of music” and they know what is professionally expected and appropriate to the decision-making process, then using clichés arbitrarily and manipulating the decision process no longer has a place or is organizationally acceptable.
We can’t rush through decisions just to get what we want, and we can’t bog down decisions with obstacles, just because we’re looking for a different answer.
Sound governance will help resolve this, but also necessary is a leadership committed to changing the game from the traditional power politics and subjective management whim to an organization driven by integrity, truth, and genuine progress based on objective facts, figures, and reason. Of course, changing an organization is not easy and doesn’t happen overnight, but think how proud we can be of our organizations that make this leap to well-founded governance.
IT governance is often implemented with the establishment of an IT Investment Review Board (IRB) and Enterprise Architecture Board (EAB); but to get these to really be effective you have to win the hearts and minds of the stakeholders.
Here are some critical success factors to making IT governance work:
- Management buy-in and commitment—this is sort of a no-brainer, but it’s got to be said; without senior management standing firmly behind IT governance, it won’t take root and IT projects will continue to fly under the radar.
- Prioritization and resourcing—EA, IT Strategic Planning, and IT governance compete with IT operations for resources, management attention, and prioritization. More often than not, many not-so-savvy CIOs value putting some new technology in the hands of the end-user over creating strategic IT plans, developing transition architectures, and implementing sound IT governance (they do this at risk to their careers and good names!)
- Policy and procedures—IT governance needs a firm policy to mandate compliance by the user community; further, the procedures for users to follow need to be clear and simple. IT governance procedures should integrate and streamline the governance processes for authorizing the project, allocating funding, conducting architectural reviews, following the systems development life cycle, managing the acquisition, and controlling the project. End-users should have a clear path to follow to get from initiating the project all the way through to close-out. If the governance mechanisms are developed and implemented in silos, the end users have every reason in the world to find ways to work around the governance processes—they are a burden and impede timely project delivery.
- Accessibility—Information on IT governance services, including the process, user guides, templates, and job aids, needs to be readily available to project managers and other end users. If they have to search for it or stitch the pieces together, then they have another reason to bypass it altogether.
- Enforcement—there are two major ways to enforce the governance. On the front end is the CIO or IRB controlling the IT funding for the enterprise and having the authority to review, approve, prioritize, fund, monitor, and close down IT projects. At the back-end, is procurement; no acquisitions should pass without having demonstrated compliance with the IT governance processes. Moreover, language should be included in contracting to enforce EA alignment and compliance.
- Cultural change—Organizations need to value planning and governance functions. If operations always supersede IT planning and governance, then both business and technical stakeholders will feel that they have a green light to ignore those functions and do what they want to do without regard to overall strategy. Further, if the culture is decentralized and governance is managed in silos (one manager for SDLC, another for EA, yet another for requirements management), then the processes will remain stove-piped, redundant, and not usable by the user community.
- Communication plan—the governance process and procedures need to be clearly communicated to the end users, and the communication must address the “what’s in it for me” (WIIFM) question. Users need to understand that their projects will be more successful if they follow the IT plan and governance processes. Those are in place to guide the user through important and necessary project requirements. Further, users are competing for resources with other important IT projects, and users will benefit their projects by making the best business and technical case for them and following the guidelines for implementing them.