CTOvision.com

Context for the CTO, CIO, CISO and Data Scientist

You are here: Home / Archives for The Boardroom

CTOvision Subject Matter Experts Know The Needs of the C-Suite

 

Technology Context For The Board and C-Suite

Whether you are a board member seeking tech context of use to your business or a techie seeking context in expressing things to the board this section is for you.

We provide insights from leading executives and expert technologists in succinct reports below. We also provide insights into our processes, and would love to talk to you about how we can serve your needs for due diligence in M&A. For insights into our processes see: Our Technology Due Diligence Processes.

Stay In The Loop: Sign Up To Receive Daily, Weekly or Monthly Newsletters

Some of our most popular reporting for the c-suite includes:

Cybersecurity Due Diligence: Now a best practice in Merger & Acquisition (M&A)

CTO as a Service: Leverage proven enterprise technologists to further your business objectives

DoD Contractors: Complying with new DFARS regulations is easier with external help

What Is The FFIEC Cybersecurity Assessment Tool?

What Cybersecurity Companies should I research?

How do I kick off market research?

How do I engage a CTO for Technology Due Diligence?

What should I tell the board about cybersecurity?

What Executives Should Know About Ethereum

What Should Executives Know About How Blockchain, Smart Contracts and Cryptocurrencies Are Disrupting Business?

All Companies Who Interact With European Citizens Must Check Architecture For Compliance With New GDPR Data Rules

Enterprise Security and Functionality Benefits of the new Software Defined Perimeter (SDP) Approach

2018 Goal: Re-position Cybersecurity As An Enabler

What should board members know about cybersecurity?

How do I start or scale my federal business?

More questions or comments? Ask about Crucial Point's corporate CTO services including Technology Due Diligence

Vulnerabilities In Almost Every Chip: “Could Something Like This Really happen?”

I’ve been tracking computer security issues, including vulnerabilities for decades, and have never seen anything quite like this. Newly announced vulnerabilities, which were publicly disclosed by the Register on Tuesday, are in almost every modern computer chip. The vulnerability cannot be changed in hardware of course (you would have to buy new hardware that is designed differently), but software patches to operating systems can mitigate the problem. The bad news is the patches will very likely slow down any computer they are installed on.

Here is more background: There is a feature in the architecture of most modern chips, especially Intel and AMD chips, that helps speed up processing and optimize performance. This feature, called “speculative execution”, is a benefit to missions and functions across all industries and in systems from those at home and work to large ecommerce sites and of course governments globally.

But security researchers at Google’s Project Zero found that this feature, which is designed into the hardware itself, can be exploited in ways that give unauthorized parties an ability to read sensitive information in the system’s memory, including passwords and encryption keys. That can open up the entire system to an adversary who seeks to exploit it.

The Google team are community minded players and began working with others soon after their discovery. This means that a larger team of security researchers have been working on this for quite a while. Patches are coming to  operating systems to mitigate these risks. However, in most cases these patches are going to reduce the functionality of the computers they are installed on. Imagine having a computer that you bought and paid for now operating at 30% less capability. How much do you feel you should have paid for that computer now?

For some reason I keep thinking of Fred Kaplan’s book “Dark Territory.” In it Kaplan describes the reaction President Ronald Reagan had after viewing the 1983 movie “WarGames.” As you probably recall, the movie starred Matthew Broderick as a teen hacker who gets access into the main command and control computer at NORAD. Reagan enjoyed the movie but started thinking of what might happen if the real systems had vulnerabilities. After sharing a synopsis of the movie with his cabinet he asked the then Chairman of the Joint Chiefs of Staff, General John Vessey, “Could something like this really happen?”  After looking into it the General returned to the white house with his report, which started off: “The problem is much worse than you think.”

That sums up my view. This is bad. Worse than you might be thinking. We have to take action.

Three considerations for for action:

  • Like it or not, you have to patch your systems.
  • Collectively we have to figure out how to force companies to deliver more secure hardware, this is foundational (maybe all designers should be asked to read “Dark Territory“).
  • Humanity also needs to figure out what justice is in this situation. How can we best try to set things right for those whose computers are being slowed due to the fault of hardware designers. Maybe tort law and court cases are the way forward to help answer this question of justice.

There are other things to consider doing as well. For everyone I strongly recommend you sign up for our reporting at OODAloop.com, where we review digital threats and seek to give you the early warning you need to beat threats.

For those of you in the military or strategic policymakers in government, we would like to draw your attention to our recent post titled “The American Way of War Is Based On Tech: Don’t Let It Be Our Downfall!

What You Need To Know About Mary Meeker’s State of the Internet Report

We should all collectively thank Mary Meeker for her continued efforts in helping capture key trends in our interconnected technology. Her yearly report on the state of the Internet (embedded below) provides context relevant to just about every enterprise decision-maker.

Here are key takeaways:

  • Global smartphone growth is slowing. Growth was 10% two years ago, and only 3% last year. Growth in Internet connectivity is also slowing. My view: This is to be expected. Now expect continued slow growth till 100% of humanity upgrades from old school cell phones to smartphones. Same with Internet connectivity. We are on path to 100% connectivity but we are in the long tail phase. A more important number to track is percent market penetration vice rate of growth. For the U.S., we are now at over 80% market penetration for smartphones (not in Meeker’s brief, see ComScore).
  • The trend towards voice interaction with computers is heating up. 20 percent of mobile queries are now made via voice. Expect that to grow. Expect growth in the home and office too. Meeker points out that Google’s ability to understand voice is reaching the 95% accuracy rate. So you might ask yourself, when will it be as good as humans at understanding language? Guess what, humans are not perfect at understanding spoken language and have about the same error rate. To me this means computer based language understanding has a good chance at being better than human understanding of spoken language really soon. Stand by!
  • Meeker does a fascinating job of highlighting how many successful leaders and entrepreneurs are also fans of gaming. Global interactive gaming is becoming a common experience for a huge percentage of humanity, with over 2.6 billion gamers in 2017. Meeker makes point that in many ways global interactive gaming is helping humanity prepare for the coming shift in computing interfaces.
  • Cloud computing is turning out exactly like tech leaders (including all you CTOvision readers) have been predicting. It is providing more opportunities for enterprises of all sizes (from the smallest business to the largest corporation and governments). It is also providing incredible opportunities for entrepreneurs, innovators and investors. And individuals are also benefiting tremendously. But, there are still risks that have to be mitigated and security issues to resolve. As more and more applications and services migrate to the cloud, more will be required for security.
  • In healthcare, Meeker shows three great waves of how healthcare is delivered. For most of humanity, healthcare was done by human touch and physical examinations. For the last 25 years, there has been machine assisted and analog technology support. Today we are seeing the rise of digital technology in health care delivery. This is generating new data cycles aimed at improved outcomes is: Digital Inputs, Data Accumulation, Data Insight, Translation for Impact.

And on a humorous note: 

Mary’s slide decks are full of informative graphs. I have a graph I would like to present too. The graph below plots the number of slides in her presentation, going back to 2006.

Ha! So analyze that! Looks to me like the number of slides in the State of the Internet Brief have hit the knee of the curve and can now be expected to double every year. If this doubling continues then in just 12 years it will contain over a million slides. In 33 years there will be more slides in her brief than there are smartphones in the world! (Mary if you are reading this I hope you are smiling! I would like more slides because I love what you are doing!).

The So-What:

On a more serious note, the most actionable thing the brief should do for enterprise technologists is help you to think through current business processes. There are many continuous questions to ask yourself. For example:

  • How do you learn to more rapidly access the impact of new technology on your business model?
  • How does your understanding of the future of IT inform decisions on technology selections for your enterprise?
  • What do you do to better secure your infrastructure?
  • What do you do to better empower your workforce to take advantage of the new realities of technology?

We hope that as you think through those questions you stay with us at CTOvision for continued updates. Please be sure you are signed up for our monthly newsletter and our daily alerts by visiting our Newsletter Settings page. And track the latest on Twitter at @CTOvision.

 

Enterprise Security and Functionality Benefits of the new Software Defined Perimeter (SDP) Approach

The dynamic nature of today’s IT Operations has eroded the network perimeter in ways we have all been watching and even cheering on! This is a new world of mobility, cloud computing and rapid partnering for success.

But the erosion of the network perimeter is making traditional security a roadblock to efficiency. No one wants to allow holes to be poked in the security system but no one wants to shut down connectivity to partners either.

The Software Defined Perimeter uses software techniques to render the internal environment invisible to all outsiders, unless trust is granted. Secure connectivity is provided only to trusted users and devices. The SDP approach was pioneered by proven enterprise IT, cloud computing and security experts working collaboratively together under the Cloud Security Alliance (CSA).

SDP Combines:

  • On-device authentication
  • Identity-based access
  • Dynamically provisioned connectivity

Key benefits of this approach include the following unique security properties:

1) Information Hiding

No DNS information or visible ports of protected application infrastructure. SDP protected assets are considered “dark” as it is impossible to port scan for their presence.

2) Pre-authentication

Device identity (of the requesting host) is verified before connectivity is granted. Device identity is determined via a MFA token that is embedded in the TCP or TLS set up.

3) Pre-authorization

Users are provisioned access only to application servers that are appropriate for their role. The identity system utilizes a SAML assertion to inform the SDP Controller of the hosts’ privileges.

4) Application Layer Access

Users are only granted access at an application layer (not network). Additionally SDP typically whitelists the applications on the user’s device – thus provisioned connections are app-to-app.

5) Extensibility

SDP is built on proven, standards-based components such as mutual TLS, SAML and X.509 Certificates. Standards based technology ensures that SDP can be integrated with other security systems such as data encryption or remote attestation systems.

For more information on this approach contact us

Cybersecurity Due Diligence: Now a best practice in Merger & Acquisition (M&A)

Cooley is an international law firm recognized for its technology practice and experience in multiple practice areas, including Mergers and Acquisition (the firm has handled over 1,000 M&A transactions since 2010). In a recent post on the Cooley M&A website titled Cybersecurity Diligence in M&A Transactions, Cooley partners Andrew Lustig and Randy Sabett  bring clarity to a clear trend in the marketplace: cybersecurity diligence is now a part of the M&A diligence assessment.

Lustig and Sabett put it this way:

Historically, M&A due diligence focused on “traditional” risk areas such as tax, employment and benefits, intellectual property protection, and contracts (inbound and outbound). As technology advanced and software became a more significant, if not the primary, asset due diligence evolved to include such things as software escrow (where a third party may have copies of a target’s source code) and open source software (where ownership of a company’s source code might be tainted by claims by the open source community) among other things.  Specialists with substantive knowledge are now often brought in to perform detailed diligence in these technical areas.

Today, it has become apparent that cybersecurity has become one of the areas where substantive diligence should be conducted not just as an afterthought but as an integral part of the M&A process for any deal, particularly those that involve targets with any kind of online presence. In fact, according to the “Cybersecurity and the M&A Due Diligence Process – A 2016 NYSE Governance Services/Veracode Survey Report,” 85% of public company directors and officers say that an M&A transaction in which they were involved would likely or very likely be affected by “major security vulnerabilities.”  In addition, 22% of those surveyed say that they would not acquire a company that had a high-profile data breach, while 52% said they would still go through with the transaction but only at a significantly reduced value.  The Verizon/Yahoo! situation and the recent Telstra/Pacnet deal highlights the importance of cybersecurity diligence and the benefits of having carefully-worded contractual provisions to reflect the parties’ negotiated risk-allocation for cybersecurity breaches after a deal is signed.

We have contributed to cybersecurity assessments on both side of M&A transactions. We have helped acquiring firms better understand the digital risks and security posture faced by the firm they are going to acquire, and we have helped firms that want to be in a better position to be acquired ensure they have taken prudent steps to reduce their digital risks.

If you are on the buy side of an M&A deal, you will want to make sure your cybersecurity due diligence delivers the information you need. This includes:

  • Information that may point to not yet revealed cybersecurity problems
  • Estimates of the cost to remediate cybersecurity issues
  • Information on the risk due to cybersecurity issues, including quantification if possible, since it could impact decisions on whether to consummate the deal or negotiate down the purchase price
  • Indications of compliance problems
  • Understanding of security frameworks/approaches
  • Understanding of the security architecture
  • Awareness of breaches and how they have been responded to

If you are on the sell side of an M&A the information above should motivate you to focus on your security posture. Other considerations include:

  • Does your entire executive team understand their role in cybersecurity?
  • Do you have strong governance (policy, process, leadership) that supports your security compliance requirements (which may well include, for example, the Gramm-Leach-Bliley Act (GLBA), FFIEC, FINRA, FISMA, HIPAA, HITECH, Fair Credit Reporting Act (FCRA), and others
  • Do you have an up to date, actionable cybersecurity policy? Do you have an incident response plan? Do you have a privacy policy that is actionable and applied?
  • What is the status of your technical defenses?
  • Have you had appropriate independent verification and validation of your approach to cybersecurity?

Whether you are on the buy side or the sell side of an acquisition, we recommend you start with a cybersecurity assessment to cover all aspects of cybersecurity people, process and technology.

Also see:

Leveraging The FFIEC Cybersecurity Assessment Tool (CAT) To Improve Corporate Culture and Raise Security Posture

The FFIEC (Federal Financial Institutions Examination Council) is a formal interagency body empowered to prescribe uniform principles, standards, and report forms for the federal examination of financial institutions by the Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), and the Consumer Financial Protection Bureau (CFPB), and to make recommendations to promote uniformity in the supervision of financial institutions. In 2006, the State Liaison Committee (SLC) was added to the Council as a voting member. The SLC includes representatives from the Conference of State Bank Supervisors (CSBS), the American Council of State Savings Supervisors (ACSSS), and the National Association of State Credit Union Supervisors (NASCUS).

For the last several years the FFIEC has been making contributions to cybersecurity awareness, including initiatives aimed at helping financial institutions better understand and deal with cybersecurity risks. In June 2013, the FFIEC announced the creation of the Cybersecurity and Critical Infrastructure Working Group to enhance communication among the FFIEC member agencies and build on existing efforts to strengthen the activities of other interagency and private sector groups. In addition, the FFIEC began assessing and enhancing the state of the industry preparedness and identifying gaps in the regulators’ examination procedures and training that can be closed to strengthen the oversight of cybersecurity readiness.

On 30 June 2015 the FFIEC released a new Cybersecurity Assessment Tool. This tool is intended to help financial organizations large and small better assess and understand risk and also the organization’s maturity in cyber defense.

We have worked with financial institutions and other high risk organization in cyber security assessments for years and have seen first-hand the benefits that the FFIEC approach can provide to organizations. We have also captured many lessons learned from our engagements across the financial (and other) sectors regarding this approach. We share some of those lessons here:

  1. The most important lesson is to understand that the FFIEC CAT should not be seen as just a compliance drill. Regulators will check you for compliance and that is very important. But if used correctly it can also help an organization become more efficient, effective and more secure.
  2. The tool is meant to help and is not designed to be a one-size-fits-all approach. It is best when tailored to your specific organization.
  3. The most important determinant of whether or not the tool will work for you is the attention it gets from senior leadership. And getting their attention means approaching it with the vision of leveraging it to support and enhance business functions. In the financial industry that usually means focusing on enhancing trust among customers and partners.

Here are more thoughts:

The tool has two parts. The first assesses the institution’s inherent risk profile based on five categories:

  • Technologies and Connection Types
  • Delivery Channels
  • Online/Mobile Products and Technology Services
  • Organizational Characteristics
  • External Threats

It is this first section that is the most problematic. It seeks to quantify cyber risks in a very simple way, and this is actually a very complex and hard to measure/quantify topic. On top of that, the best topics to address regarding risk are going to vary significantly from company to company, and even division by division for larger firms. Perhaps this first section can just be thought of as a rough plan to deviate from. It can be an important drill to seek to assess cyber risks, of course, but it seems both arrogant and naive of the FFIEC to think that they can produce a matrix that captures risk for every organization. Since most organizations in the highly regulated financial sector will already have a chief risk officer and many risk processes around cyber, maybe this section should just be offered as a template of considerations.

The second section of this tool brings some good ideas and approaches to evaluation of the organization’s Cybersecurity Maturity five domains:

  • Cyber Risk Management and Oversight
  • Threat Intelligence and Collaboration
  • Cybersecurity Controls
  • External Dependency Management
  • Cyber Incident Management and Resilience

This is were the tool can make contributions to many organizations. The descriptions and definitions for each of these domains and then the assessment factors in each domain are useful, especially for organizations that do not already have an approach to cybersecurity.

 

 

 

 

 

DoD Contractors: Complying with new DFARS regulations is easier with external help

If you are a DoD contractor of any size, including sub contractors to other contractors, you no doubt have already heard of the new changes to the Defense Federal Acquisition Regulations (DFARS) requiring enhanced security controls over contract info. The regulations are specific and will be costly. The good news is that the cost of compliance is considered an allowable cost under Federal Acquisition Regulation (FAR)/Cost Accounting Standards (CAS), which means if you do things smartly the government will allow you to role the cost into what is allowable for rates you charge. More good news is that when you engage external help in complying with DFARS you can leverage the talent of people who know the most efficient way to get these things done. This can not only get you into compliance but can make you more secure and save you money.

More reading:

Complying With Health Insurance Portability and Accountability Act (HIPAA) Security Rules

New DoD Rules For Contractors Focus On Enhancing Security and Incident Response

 

The Shifting Cyber Attack Target Set And Why It Matters To The Mid-Sized Business

For years now the firms with the most to lose by cyber crime have been investing in cyber defense technologies, techniques and procedures designed to mitigate threats. Motivation do enhance defenses has largely been directly correlated to the potential for loss. Resources put on cybersecurity and threat mitigation has been correlated to size of a business. If a firm has a lot to lose and a lot to invest, like one of the top ten banks, for example, very well developed cyber security programs can be expected.

The largest firms are mounting such a significant defense that attackers are shifting their focus. It can be far more lucrative to target a mid-sized business.

Cybercriminals view the mid-sized business as right in a sweet spot of having resources to target but not enough defenses.

Our reporting on OODAloop.com has shown indications of this shift. Although the big attacks (Target, HomeDepot, OPM, Anthem, NSA etc) get lots of media attention, most attacks are on smaller firms.  Statistically 95% of attacks are against mid-sized or small businesses. 50% of attacks are against firms with less than 250 employees.

What is troubling about this is that smaller firms have a much harder time recovering from attack. Breach requires cleanup, forensics, notification of employees, customers, clients, causes costly damage to brand, may diminish goodwill, and can result in direct financial loss. A smaller firm can have a very hard time recovering.

Digital life is unfair. The big guys like Target, Home Depot, eBay all recovered from massive cyber attacks with no noticeable impact on share price a year after their attacks. But mid-sized businesses may well be driven to bankruptcy.

Yep, life is unfair. So if you are a mid-sized business, get over how unfair it is and think through what to do about it. Some questions to consider:

  • Do you know what data is most important to you and your business? What would cause a potential extension event if it were compromised or corrupted? How are you protecting that data? Is it encrypted? Who manages the encryption? How do you do identity management and access management/control over access to that data?
  • Do you have a process in place to learn from others? No matter what your industry is there are places to learn best practices and procedures to improve your security. One place to start is the National Cyber Security Alliance, but most businesses will also be able to tap into organizations focused on your sector.
  • Do you have external advice and assistance from professionals who know cybersecurity, the cyber threat and cyber risk mitigation strategies? No one can do this alone. We would love to help. Get in touch at: OODA LLC.
  • Are you tracking the strategic cyber threat? We provide a free daily newsletter called The OODA Daily Pulse which provides succinct context that can inform your cybersecurity strategy and help you optimize your cyber defenses.

Life is tough for the small to midsized business. Our view is it should not be any tougher than it needs to be.

Track the most disruptive technologies by diving into our categorized index:

Artificial Intelligence Companies | Big Data Companies | Business Intelligence Companies | Cybersecurity Companies | Cloud Computing Companies | Collaborative Tool Companies | Infrastructure Companies | IoT Companies | Mobile Companies | Robotics Companies | Services Companies | Tech Titans | VC, PE and Finance Companies

For more see:

Things To Do Right Now About Your Cybersecurity Workforce Crisis

Intel Security has released Hacking the Skills Shortage, a report revealing the current cybersecurity workforce crisis. The report is full of interesting observations. For example, 71% of respondents admitted that this lack of talent has had a direct and negative effect on their organization.

The shortage in cybersecurity skills has done measurable damage to companies. It is harder for firms to leverage new technology to compete in the market, harder to comply with government directives for protecting data, and harder to ensure the trust of partners, suppliers and customers. This shortage is causing real trouble.

The trouble only gets worse when hackers succeed. According to the Intel survey, one in three respondents admit the shortage has made their firm a more desirable hacking target (we think it is hitting far more, but that is what the survey said).

Additional key findings of the survey include:

  • 82% of respondents reported a shortage of cybersecurity skills
  • 9 out of 10 respondents say that cybersecurity technology could help compensate for skill shortages
  • 76% of respondents said their government is not investing enough in building cybersecurity talent

We have direct and personal experience in this domain and see the impact of this shortage across multiple industries. Our recommendations are that firms seek to mitigate this challenge by a comprehensive approach that includes actions like:

  • Understand that mitigating cyber risks is not just the job of the cybersecurity workforce or even the IT team. Security and IT teams play important roles, but business leaders from across the organization must be involved to mitigate digital risk.
  • Educate your entire workforce on the nature of the threat, as well as what they need to do to help keep your organization secure.
  • Review all your plans and policies to focus on ways to optimize your cybersecurity spend and optimize your need for trained cybersecurity professionals.
  • Consider the right ways to optimize your outsourcing strategy, including the smart use of cloud capabilities for your IT and also the smart use of outsourced cybersecurity vendors.
  • Consider leveraging the talents of a firm that provides CISO as a service solutions.

If your organization is suffering from the impact of the cybersecurity skills shortage we would love to hear from you and would be glad to provide more insights relevant to your planning to address this gap.

More Content

Cyber War

SciFi

Super Bowl Ads Indicate Big Businesses Think You Are Afraid of AI

Tom Loftus provided an insightful review of some of Super Bowl ads in the 4 Feb 2019 Wall Street Journal. Like AI parody in SNL, these ads really poked fun at computers: Seriously, did anyone catch the commercials? If the Super Bowl is the zeitgeist, then it is safe to say that America is not […]

HBO’s Westworld: The Man In Black is a special kind of Twitter user

HBO’s Westworld is a modern take on the Michael Crichton SciFi tale of a robotic amusement park. The HBO version has a new twist. The creators/writers were all exposed to years of Twitter, which has influenced every episode and the entire arch of two seasons of the show. Now that season two is wrapping up, […]