Unisys: Micro-segmentation and AI in the security wake of Equifax

The Equifax security breach is on everyone’s mind. Equifax has broken our trust and made clear that security is everyone’s problem — ultimately, no one is immune to the effects of poor computer security.

With Equifax in mind, it’s time to talk trust and security. To dive deep, I invited the chief trust officer of Unisys, Tom Patterson, to be a guest on episode 238 of the CXOTalk series of in-depth conversations with the world’s leading innovators.

Unisys traces its history back to 1873, with typewriters and adding machines, and the company is an iconic brand in American business. Unisys brought in Tom Patterson to lead its global security business.

During our conversation, Patterson explains why effective security must go beyond technology to encompass business strategy and practice at the most senior levels in an organization. It’s a perspective that explains why organizational leaders and technologists are jointly responsible for securing data, corporate assets, and even critical infrastructure.

However, the technology itself is also fascinating. From micro-segmentation to predictive analytics, there is plenty of material for the most hardened technologist to study and enjoy.

Watch our entire conversation in the video embedded above and check out the edited excerpts below. You can also read the entire transcript of our discussion.

Is security a business or technical problem?

It used to be bits and bytes and routers and firewalls. Now, it’s boardroom decisions and what should we do about an M&A? How should we go into a merger? How should we partner in this country or that country?

These are all business decisions. And, the threats are dramatic. There’s not only the threat of being shut down or having all the information that you are entrusted with taken from you, but there’s also regulatory compliance now. New regulations are coming that start next year, where the fines start at $20 million and go up from there.

It’s an issue that goes well beyond the technology. That’s what the chief trust officer role works with here. We’re a coordination point for privacy, physical security, and business security issues.

Whether there’s a hierarchy, whether they’re in the same group, whether they get together informally, all their voices need to be respected and proactive. If the group is getting together for the first time after a security event has happened, that’s the wrong time. These folks should be working together on a regular basis.

A lot of the time, privacy reports to the legal counsel, and the physical security reports to the COO and the chief security officer reports to the CIO, which are still different towers. We haven’t evolved that much that quickly.

But, having them work together at the direction of the board, at the direction of the CEO and the global leadership team. Get together, work this stuff out together, that’s where they’re finding these great synergies. That’s where they’re saving money. That’s where they’re lowering risk overall; privacy risk, and security risk, and physical security risk. We can address all these things together.

Where does technical debt have an impact?

Most every company of any size that’s been around for a while has issues like technical debt. They’ve got old stuff and there’s not enough money to buy all new stuff.

So, they’ve got to work together and be realistic with each other, and say, “Well, we’ve got this privacy spin that we’ve got to do, and we’ve got this technical debt issue here, and we’re trying to go and open business in country X and country Y. Let’s design a system, maybe using a cloud provider and some micro-segmentation and we do this.”

Suddenly, we’re addressing all those issues with one spend. That opens the eyes not only of the practitioners but also of the business leaders and the governance leaders across the board. Literally around the world.

What is micro-segmentation and why is it so important?

Security people have long known that it’s better to segment their network, so, if one part gets broken into, the other parts will be safe. It’s a concept called “east-west collateral movements,” which you want to stop.

They used to do it by putting a firewall between this building or that building, or between this giant network or that giant network. That’s how they segmented their networks.

Well, we have gone to clients that had over 100,000 individual rules on one firewall. No one can keep up with that! They don’t know what rules are there, who wrote them, what they’re for; so they don’t touch them. In those old days, it was so expensive to segment that people stopped doing it.

Enter a new concept, a new technology, called “micro-segmentation.” We’ve been working on it for over five years with individual clients, but it’s now a generally available commercial product called “Stealth,” which we can weave into any existing network to allow you to create little, tiny microsegments, completely transparent to the users, that don’t require any firewall rules. If you’re in accounting, you get to see the accounting resources and nothing else. If you’re in marketing, you can see the marketing resources and nothing else.

Even though all the networks are still interconnected, the packets are locked into these little, tiny microsegments, which makes it easier to protect the network and deliver the resilience that’s necessary. Someone still might click on the wrong thing, but that attack is going to be limited to their little group. The accounting people in Poughkeepsie might be affected but not the rest of the world.

We use artificial intelligence to create the whole mapping. When we roll out micro-segmentation with Stealth, it can be transparent to employees or associates. If they are not breaking the rules, they’ll never even know it’s there.

Explain the concept of resiliency?

Resiliency is a key word in 2017. The UN is focused on that. Many big, global organizations are trying to shift the focus because in security you have to be perfect to be any good at all. Resiliency and “perfect” are difficult to achieve in this day and age. Even the best systems are attacked successfully because something breaks down. So, we’re focused on resiliency.

For example, what if someone at a power company clicks the wrong thing in their email or leaves their laptop on the train with the password taped to the top. Or, they lend their laptop to their kid who clicks on the wrong website at home one night. Those things happen; it’s part of life.

The concept of resiliency, which Unisys really stresses with its clients, recognizes that’s going to happen but don’t let it shut off the lights for an entire country.

We deploy all sorts of countermeasures within an organization to make sure that when something happens, we can limit it. It starts by segmenting so if one part of the power system is corrupted, the rest will not be.

But now, we’ve implemented cool things, like predictive analytics. If we look at many data points within the organization and around the world and use artificial intelligence to analyze them, we can predict threats forming that look like they’re going to attack. At the same time, we now have machine-to-machine defenses that can automatically reconfigure themselves into a more defensive posture when they see predicted threats starting to form.

That’s the future of what critical infrastructure really needs. They need it not only in power, they need it in transportation, in banking. There are 18 critical infrastructure sectors around the world. That critical infrastructure needs protection.

Any quick thoughts on Blockchain and security?

I love Blockchain for distributed trust. It’s going to be a huge enabler, especially around the Internet of Things, where trillions of devices are connected. There won’t be time to go to a trusted third party, so we need peer-to-peer trust. That’s what Blockchain brings us. Great place to focus on learning, and investing, and working with building into your systems.

What about security and IoT?

IoT is a privacy issue, first and foremost. Internet of Things devices are used as industrial control systems. We protect a lot of the valves that open and close gas pipelines and oil rigs, and electrical switches on towers.

All those are little, mini computers. Those have to be secured. The things like the FitBits and the health monitors need to initially be secured for privacy, but we need to design the same level of security that we’re doing in the industrial control systems into all sorts of IoT.

It’s a big issue coming out. First, you’ll see it in privacy on the consumer side. Then, you’ll see it as security, as we move from cars entertaining us to cars driving us home. That’s going to be the big change and we need to take security seriously across the board.

Finally, quick thoughts on security in cars?

Cars scare me because they have never historically taken security seriously. There’s a thing called the CAN bus, which is an interconnection point for sensors that have been on cars all along. In the beginning, everything plugged into that, including turning your steering wheel to “park” and pressing the accelerator or your brake.

Now, we’re starting to have better systems, like little, tiny firewalls and microsegments in the cars themselves. You definitely are going to choose which brand of vehicle to buy based on their cybersecurity safety record, and it’s something that every manufacturer is getting very, very serious about.

CXOTalk brings together the world’s top business and government leaders for in-depth conversations on AI and innovation. Be sure to watch our many episodes!

(Cross-posted @ ZDNet | Beyond IT Failure)

Three CIO survival lessons: “Step up or step aside”.

Every day, people send me self-serving marketing fluff masquerading as research reports, so you can imagine I perk up when interesting and substantive data comes across the wire.

In sharp contrast to the usual fake research, Deloitte University Press caught my attention with its excellent new report, analyzing the “transitions” (job changes to the uninitiated) of 200 Chief Information Officers. The researchers conducted extensive interviews with business and IT leaders in organizations related to these CIO transitions.

To learn more, I spoke with Khalid Kark, who is the CIO Program research director at Deloitte.

Although Deloitte’s research focuses on CIO transitions, I interpreted the data to summarize several survival lessons that are applicable to all CIOs.

Survival lesson 1: Personal credibility gets you hired

The following chart presents the reasons why business stakeholders chose their new CIO:

Priorities of business stakeholders

The criteria summarized in the graphic shed light directly on what business leaders want and expect from the CIO. Once the CIO is in place for a while, those expectations may change, but underneath it, leadership skills and personal credibility are dramatically more important than technology background. This conclusion is striking since the CIO role historically was all about technology infrastructure.

The CIO survival message is clear: build a strong personal brand to prove leadership and demonstrate credibility.

Survival lesson 2: Overcome the core, chronic conflict by managing expectations

One of the most instructive conclusions from the research is described in the following chart, showing top objectives during a CIO’s first year:

Top CIO objectives

The top three objectives are operational excellence, vision and roadmap, and talent.

From the CIO perspective this means ensuring the technology works, creating a plan, and assembling the right talent and team. If systems don’t work as expected then the CIO’s credibility will drop like a stone in the ocean, so early focus on stable operations just makes sense.

But then, compare the CIO view with the outlook of business stakeholders, as shown above in survival lesson one.

When a new CIO starts work, business leadership views talent and transformation as top priorities. This perspective also makes sense, because senior leaders want the CIO contributing quickly to innovation and strategy.

However, the gap between business expectations and CIO reality creates a core, chronic conflict. The CIO must ensure operational stability at all costs, yet other business leaders expect a new CIO to support strategic goals such as innovation almost immediately.

The conflict is worsened because IT infrastructure is mostly “invisible” to employees; for example, most users do not think about phone systems or email until those tools stop working.

Paradoxically, the best IT organizations make infrastructure look easy; everything just works, apparently by magic, with perhaps some occasional nudging or tweaking from the CIO.

During our call, Deloitte’s Khalid Kark explained that it is crucially important for CIOs to manage business expectations related to operations and strategy:

The CIO role has come to a point where either you step up or you step aside. During the first six to nine months, a new CIO must focus on operational excellence. However, within a year, the CIO must transition to being a strategist. In other words, solidify the base before moving on and set the right expectations on timing and plan.

This survival skill hinges on the need for CIOs to be strategic while building a top-notch project planning and execution team. It’s then the CIO’s responsibility to explain what IT will deliver and when.

(Incidentally, this conflict situation is hardly new and is well-documented.)

Survival lesson 3: Build a narrative and tell stories

Deloitte’s research highlights the need for CIOs to build a narrative and tell stories that help business leaders understand the challenges, goals, and logic behind IT plans. This illustration summarizes:

Stories and narrative

A quote from the research explains:

Develop a narrative that illustrates how technology, not IT, drives value for the enterprise. Be careful to not force company experiences, examples, biases, and context from previous jobs into the new role. Walking the halls, factory floors, and retail outlets can provide stories and anecdotes that will likely help build a powerful narrative. Understand, acknowledge, and focus on the current business priorities and context.

Empathy and communication are the essential building blocks a CIO can use to build relationships at every level in the organization. The best stories make issues specific, visceral, and real to the business.

Unfortunately, many technology executives are uncomfortable building a narrative and don’t know how to tell educational and engaging stories. If that’s you, then get aid from outside the company; it’s just a no-brainer.

The CIO survival lesson: a strong narrative can communicate your goals and stories make it real. Together, they build credibility and will magnetize the business around your objectives.

(Cross-posted @ ZDNet | Beyond IT Failure)

Open source – we need better pathways so inclusion can flourish

Running a conference with a really strong cohort of diversity scholars this week, with a broad range of skills and backgrounds, really made me think. We had Ian Skerrett, VP of marketing at the Eclipse Foundation, and Abby Kearns, executive director of the Cloud Foundry Foundation at the event. Both are keen to improve diversity in their communities. But how are we going to create better and more welcoming pathways for a more diverse range of entrants?

I asked both Ian and Abby what other roles there were outside writing code. They both gave solid answers about different roles and opportunities. One stock answer in open source is of course Write Documentation! You don’t need to be a great coder to write excellent docs. But when you have 20 diversity scholars in the room, you kind of want answers that are going to make some of them think – blammo – that’s what I want to do! In many ways we’re making solid progress in open source, as this exchange from OSSsummit, also this week, shows:

But I had a project manager there, looking for a job. How would she get a paid position to take advantage of her skills? I felt there was a disconnect between open source, as practised by folks that work at vendors already, and the wider community of prospects. I have written before about my empathy failure in understanding open source maintenance.

“But understanding the value of the maintainers means taking a broader view, touching on many of the critical social issues we face in open source. Thus for example we celebrate the coders, but not the people that made the patches, or documented the system, or helped manage the community, responded to the pull request politely. The best and most useful open source though has the best documentation, has the best architecture of participation.”

We need to do a better job of explaining the beauty of working in a welcoming open source community. We need to ensure the communities actually are welcoming. Kudos to the Go community – they’ve been doing a really great job of being welcoming, and encouraging new people to become committers and join the community.

But the missing element is perhaps getting the economics right. We need to find models to pay people doing the work, beyond “join a commercial open source vendor”. People from under-represented groups in tech are likely to be less well paid, and as such may find it hard to contribute. I helped two young black men this year to fundraise for their studies – it’s hard to spend time on things like open source code, docs or design, when you’re a kid from a single-parent family trying to pay for your own education.

I don’t know what the answers are, but I do think we need to do a better job of the economics if we want to make our open source communities more diverse. We need to make the New Patronage Economy work more effectively. What do you think? I’d love to know.

Please let me know if you’re hiring for excellence. All of our scholars are amazing people. In hiring them you’ll also improve the diversity of your team. Not all of the folks in the program are looking for jobs, but some are. RedMonk is trying to get beyond just giving free tickets to our events for under-represented groups, and to start deepening our network and creating opportunities for people. Let me know if you’d like to get involved.


Once again, thanks for sponsoring the program.

(Read this and other great posts  @ RedMonk)

Why data transformation is the new digital transformation, post Equifax

This morning I spoke to the International Payments 2017 conference with a talk about data transformation. I have written about this theme before, and they asked me to turn the ideas into a talk. It’s an interesting conference – because the payments industry is in the throes of a massive change, as new technologies, approaches and entrants emerge.

For example, Alipay, the payments arm of Alibaba, the Chinese ecommerce company, attended, and it was pretty mind-blowing to learn that you can now buy from KFC in China using facial recognition. No phone, no dongle, just bring your face. Alipay has some really interesting new approaches to lightweight risk management, underpinning an API-driven approach to payments. In China everything is about processing stuff faster at the point of sale – with such a huge population, cash is seen as little more than friction. A major railway station can’t afford to have people messing around. It’s all about volumes of people, China scale. But back to my talk.

One idea I covered in some detail was the question of whether data could or should be a balance sheet item. I borrowed heavily from our very own Rachel Stephens’ post on data and the balance sheet. Is data an asset or a liability or both? If the former, how does it depreciate, and what is the cost of managing it? Of course the answer is – it depends. Data is slippery and very hard to value, because it only ever has value in context. Generally fresh data is worth more, but in some contexts logs are more valuable: a geologist doesn’t generally care what happened yesterday. What does it mean to have a data savvy culture? What’s the value of search data, and maps?

When I first began to look at the data transformation question – enterprises becoming more data savvy – it was from the perspective of gaining better insights from data. But of course a corollary is security, and the Equifax breach, which came to light last week, was a gift in terms of thinking through the issues of data governance with a group of payments professionals. Today information security state of the art seems like medicine in the age of the Plague. Sometimes it feels like we are wearing weird masks and hoping for the best. Apply your patches folks – Guy Podjarny of Snyk lays out issues and solutions here clearly and dispassionately.

Just as digital transformation has shifted testing left, making it the responsibility of the developer, rather than separate QA and testing teams, so we really need to get our acts together on secure development, patching and making security part of a data-savvy corporate culture. Consider that GDPR, a new Europe-wide data standard, will introduce fines for serious breaches of up to 4% of global turnover (net sales generated by a business). Taking advantage of data will require managing it far more effectively.

Google and Facebook may have just as much data about us as Equifax, but at least they manage it properly.


(Read this and other great posts  @ RedMonk)