Ahead in the cloud: how to keep your data secure Ahead

TODAY’S CIO
Spring/Summer 2015
Do I really need
to worry about
data centres?
Ahead in the cloud:
how to keep your
data secure
TODAY’S CIO
Spring/Summer 2015
Do I really need
to worry about
data centres?
Ahead in the cloud:
how to keep your
data secure
Sponsored by
Publisher
Tim Murphy
Operations Director
Tony McGuin
Finance Director
John O’Shea
Sales Team
Alvin Campbell, Graham Gallant,
Patrick Johns, Karan Kohli, Mark Phillips
Production
Rob Lowry
Rhodri Hughes
©Sparta Publishing Ltd, April 2015. All rights reserved. No part of this
publication may be used, reproduced, stored in an information retrieval
system or transmitted in any manner whatsoever without the express
written permission of Sparta Publishing Ltd. All of the articles in this
publication have been supplied by contributors, and the publisher cannot
give any warranty, express or implied, as to the accuracy of the articles,
or for any errors, omissions or mis-statements, negligent or otherwise,
relating thereto. Accordingly, the publishers shall not be liable for any
direct, indirect or consequential loss or damage suffered by any person
as a result of relying on any statement in or omission from these articles.
Opinions expressed in articles are not necessarily the opinions of the
publisher.
www.spartapublishing.co.uk
Tel: +44 (0)20 7970 5690
40 Bowling Green Lane, London EC1R 0NE
Contents
Foreword
7
Is the role of the CIO expanding into other fields?
Sparta Publishing Ltd
Security
25
Big Data
28
9
Do I really need to worry about data centres?
Simon Campbell-Whyte, Data Centre Alliance
12
Clarity in a data driven world
Gavin Joliffe, Xtravirt
17
Using end-user IT analytics for better
business decisions
Poul Nielsen, Nexthink
21
Cloud migration is the leading concern
of cloud adopters
Datapipe
Network security is in the details –
the destruction of the Death Star
Ian Whiting, Titania
Privilege gone wild: the state of privileged
account management in 2015
BeyondTrust
A brave new world: understanding the
new EU data protection regime
Jonathan Armstrong, Absolute Software and Cordery
37
Ahead in the cloud: how to keep your data secure
Kevin McLoughlin, Wolters Kluwer
39
The five pillars of the Cyber Essentials Scheme
David Parkinson, in association with the Wick Hill Group
41
The security challenge of the mobile workforce
Samik Halai, Integral Memory
35
Today’s CIO
3
Contents
Technology & Innovation
Testing, quality and the quest to meet
customer expectations
Darren Coupland, Sogeti UK
45
The CIO route to business hero
Derek Britton, Micro Focus
49
Wireless “induction” charging –
the definitive guide
CMD Ltd
53
IT monitoring and business productivity
Dirk Paessler, Paessler AG
43
Learning & Development
57
60
Does risk matter? Disengaging from a
‘self evidently correct’ process
Dr Elmar Kutsch & Dr Neil Turner,
Cranfield School of Management
Advertisers’ Index
Today’s CIO
5
Foreword
Is the role of the CIO
expanding into other fields?
THE ROLE OF ANY SENIOR EXECUTIVE, ESPECIALLY AT
board level, in todays working environment is changing
rapidly and nowhere is this more transparent than in
the ever-expanding role of a company CIO. It’s no longer
satisfactory for the CIO to concern themselves with only
matters of IT, it is now crucial that they are developing their
skills in many other areas. Finance, security, education, as
well as research and development, are all areas that a board
will expect a CIO to have knowledge of and have the full
facts on. In a commercial world where profit is key, the CIO
is now regarded by their fellow senior executives as being
the person with their finger on the button as to what new
developments can increase a company’s earning potential.
As each new technical advance replaces existing
technologies with increasing rapidity, the prospect for new
markets opening up are critical to business development.
The rise of big data, cloud and mobile technologies has
all contributed to this enhanced role for the CIO as the
reliance on their successful and uninterrupted working is
key for a company’s continued profitability. The use of big
data and the cloud are the main talking points for company
IT and who amongst us is not now reliant on their mobile
phone. The innovations of the last decade have been world
changing with developing technologies emerging rapidly
with each passing week or day. What was viewed as cutting
edge and new only a year ago can already look dated.
It’s important therefore that this expanding role of the
CIO is reflected in the pages of Today’s CIO. As big data
and the cloud increase in their importance then so does the
means by which companies are protected. In many cases
and for many companies it is now no longer acceptable to
have a Firewall protecting data, there has to be a Firewall
protecting a Firewall protecting a Firewall ad infinitum.
The security of data is now as important as the storage
of data so being aware of the pitfalls facing a company,
from both external and internal threats of compromised
security, also constitutes a major part of the CIO’s role.
As roles change and merge it is of increasing
significance that a CIO keeps updated across a
variety of skills and is always ready to face any new
challenges, as they will no doubt become important to
the continued success of a company and its CIO.
Today’s CIO
7
Data is everywhere.
But it’s what you see in your data
that makes the difference.
What if you could easily visualise data from varied sources, find hidden
relationships within your data and uncover meaningful insights that can change
your business. Qlik makes it simple to do just that. Imagine what you’ll discover.
qlik.com
Big Data
Do I really need to worry
about data centres?
By Simon Campbell-Whyte,
Executive Director,
Data Centre Alliance
WELL THERE’S NO DOUBT THAT THAT
your organisation’s shareholders and
stakeholders probably hope you are.
But why? Before we examine that, it’s
perhaps not always clear what the term
“data centre” actually means or even
if you have one under your control to
worry about. The EU Commission and
National governments everywhere
are now defining “computer rooms”
and “server rooms” as “data centres”.
So to determine if this article
applies to you, a data centre could be
a multi-million pound facility the size
of a football pitch or perhaps more
likely, it could be a small dark room
in the basement or under the stairs
of your offices, got one or more of
those? If yes then please read on.
The chances are that that small
server room, or whatever you choose
to call it, contains the critical IT
equipment your organisation needs
to function smoothly and there’s been
quite a revolution going on behind
that closed door in recent years. Our
businesses and economies are now
completely dependent on data and
those that cannot access, manage and
secure data efficiently are the ones
who will soon fall by the wayside.
But you might say mine works okay so
why should I worry? You may be lucky
that data centre outages are rare in
your organisation. But one thing is for
sure – when (not if) it happens again,
there is no doubt the impact will be far
greater than the last time it happened.
So organisations really do need to
think of their data centre as probably
the most critical infrastructure, this
has crept up on us in recent times as
being the most important functions
of all businesses. This is why your
stakeholders and shareholders hope
you worry about your data centre, they
know your business will stop dead
the second your data centre does.
So what should a CIO or business
owner do? Protecting against
Today’s CIO
9
Big Data
the apocalypse of an outage can be firefight, so you
need to understand and manage the risk. It is not one
just for the technical department, but actually should
involve all departments as they are now ALL users of the
facility. So you need to be asking questions and seeking
advice. Understanding what the business’s requirements
and dependencies are whilst making sure your data
centre strategy is aligned to this is the first step.
Governments now have data centres on their radar.
Although Information and Communications Technology
(ICT) is undoubtedly an enabler of energy saving solutions,
there remains no section of society or business that is, or
should be, immune from scrutiny when it comes to energy
efficiency and environmental footprint and IT is no exception.
You may be surprised to know that your server room or
data centre is a significant energy consumer. In a typical
office environment, for example, up to 40% of the energy bill
will be consumed within the computer or server room. This
can quickly spiral out of control if not managed correctly,
servers idling in your server room all day and at night
when nobody is using them can run up huge energy bills.
Capacity shortages that can paralyse your organisation
are usually due to things running when nobody knows why
and whom needs them running. So you should ensure this
is measured and monitored as an absolute minimum, if
you don’t you are flying completely blind. Legislation is on
its way to force organisations to deal with this issue, but
organisations can take action to follow best practices that
will save money, energy and increase reliability right now
and negate the need for legislation, schemes such as the
EU Code of Conduct for Data Centre Energy Efficiency
should now be adopted, the alternative will probably
be far more complex, time consuming and costly.
Fast evolving technology and the sheer volumes of data
we now have to cope with are challenging enough, but one
mustn’t lose sight of the human element, nearly all data
centre problems can be tracked to people, so you need to
ensure your people are equipped with the right training
10
Today’s CIO
and skills backed by a clear strategy. Security is another
area that should begin in the data centre, as the stakes
of cybercrime continue to rise, it is critical to ensure your
data centre has the correct access control policies.
So OK now I understand I need to look at the data centre
I didn’t know I had, what is the Data Centre Alliance doing
that can help me? Well if you are not a data centre industry
company, or in the public sector you can join for free for a
start and get access to advice, information, best practices,
tools and resources. One tool we are developing, initially
for the public sector, called EURECA, provides a simple
questionnaire that identifies the energy and cost saving
opportunities within your data centre and recommends
both a self-help and procurement roadmap. We will be
launching the project in March this year, assisted by EU
Commission funding. We also publish regular articles and
advice in our monthly journal and run regular knowledge
sharing events. In summary, there is no doubt your “data
centre” is a sophisticated mission critical asset, the health
of which is inextricably linked to the future health of
your organisation so don’t delay, it is time to find out who
holds the key to that locked door in your basement.
Author information
The Data Centre Alliance is a not-for-profit association
comprising of leaders and experts from across the data
centre infrastructure sector. The DCA is committed to
developing activities and projects to further improve the
effectiveness of the data centres. The DCA also promotes
awareness of the role of data centres and innovations that
ensure the future growth and sustainability of the industry.
Membership is open to all operators of data centres,
however large or small, and organisations that supply the
industry with products and services.
Big Data
Clarity in a
data-driven world
As organisations embrace
virtualised and cloud-based
infrastructures, emerging
new tools help businesses
cut through the plethora
of data produced in their
environments to provide
actionable insights.
By Gavin Jolliffe,
CEO at Xtravirt
12
Today’s CIO
THERE ARE UNQUESTIONABLY
some real and present challenges
for IT organisations when making
use of the valuable data produced
in their environments.
Google’s CEO Eric Schmidt once
made a headline-grabbing statement:
“Every two days now we create as
much information as we did from the
dawn of civilization up until 2003.”1
That’s something like five exabytes
of data – quite impressive. From
IBM and along similar lines: “90%
of all data in the world was created
in the past 2 years alone.”2
These are big statistics, and arguably
a chunk of it may be no more than
‘fumes’. However, the raw sentiment
is simply a reflection of some of the
driving change being observed in IT
today, and helps to orientate us to
either a challenge or opportunity.
Working in a business whose role is
to assist organisations to transform,
modernise and optimise their cloud
and workspace infrastructures, we
meet hundreds of clients of all sizes
and industry verticals, and experience
their challenges first hand.
To clarify, by infrastructure I mean
the core platforms on which IT services
are delivered to the business. This
could be a virtualised or private/hybrid
cloud platform, running their servers,
desktops, applications and all the parts
of the ‘technology stack’ in between.
Two areas that we naturally gravitate
towards when it comes to common
challenges are information and change.
Why? Information is used by the IT team
to make decisions, so it needs to be
as accurate as possible. And change,
because in the era of ‘software-defined’
and ‘IT-as-a-service’, change is the
constant, which comes with distinct
benefits and challenges. Fundamentally
it still comes back to having good
information, and the challenge is
how to effectively get hold of it.
“Most companies estimate they’re
analysing a mere 12% of the data
they have, according to a recent
study by Forrester Research. Is
this good or bad? Well, these firms
might be missing out on data-driven
insights hidden inside the 88% of
data they’re ignoring. Or perhaps
they’re wisely avoiding a resourcegobbling, boil-the-ocean strategy.”3
Why do I need to be informed?
There’s an age-old expression: “You
don’t know what you don’t know.” And
when your competitors out there are
bent on chipping away at your market
share, ignorance is definitely not bliss.
Some of the market challenges faced
by organisations within virtualisation
and cloud currently include:
1. How to gain early mover advantage
to creating agile infrastructure
in a changing landscape?
The move towards the softwaredefined technology operation
is underway with virtualisation
forming the foundation for
IT-as-a-service and Cloud.
2. Increasing convergence of IT
The progressive unification of
operations is driving a greater
need to have automated insight
across IT infrastructure, including
aspects such as management,
security, and compliance. This is
also driving changes in information
sharing and accountability
across different disciplines.
3. Increased pressure on time
IT management and operations
need information, but also need to
cut through information overload.
The aim is to simply obtain a quick
understanding of the operations
environment from a technical and
business perspective, and identify
what action needs to be taken
and who should be involved.
However, many organisations are
finding that a lack of analytics tools and
C
M
Y
CM
MY
CY
MY
K
Big Data
existing data silos are two reasons companies ignore a vast
majority of their own data, as well as the challenge that often
it’s hard to know which information is valuable and which is
best ignored.
It’s a modern world. This stuff is easy, right?
In our experience the pace of technology advancement
is making it easier to build and deploy smart, scalable
IT solutions but, once in place, the ability to sustain the
move beyond simply ‘keeping the lights on’ is arguably
becoming more challenging for many. Reasons include:
n Lack of resources: Many best practice management
procedures such as keeping up-to-date configuration
documentation are not routinely undertaken due to
lack of resources, thus increasing the risk of an issue
affecting performance and stability of the environment
n Administration burden: Analytics and standard reporting
are often considered a mundane task and therefore
there is a lack of motivation to complete tasks
n Information overload: Use of multiple tools across
infrastructure silos makes it difficult for IT teams
to quickly pinpoint important information
n Adapting to new environment: The pace of change
in a virtual or cloud environment stretches the
management capabilities of IT operations and their
ability to proactively detect hidden issues
So what are organisations doing today?
This may not fully reflect all ends of the market, but it’s not
uncommon to find elements of each of these equally present
in 500 seat organisations as well as 50,000 seat enterprises.
n Using free scripting tools: These are usually adequate
for summarising technical information but don’t tend to
present data in the context of management requirements.
Nor do they clearly articulate remediation steps, and
there are risks around the person who created it moving
on, in addition to a need for regular maintenance
n Running system and point monitoring tools: These are
good at providing a wealth of detailed information, but IT
can be left implementing and maintaining an expensive
piece of infrastructure, where just doing the basic set
up already takes a lot of time. Some tools produce a lot
of data which then has to be examined to understand
its value, followed by translating that information for
different parts of the technical team and for the business
management team, which can be time consuming
n Asking team to report manually: This is inherently
inefficient, and adding time consuming management tasks
to the IT team’s workload can be counter-productive
n Maintaining inadequate IT infrastructure policies:
The end result is not documenting environments,
or not running regular assessments on the health
of the virtual platforms, which all increase risk
Where is the future going?
Monitoring does not replace management, although
the two can overlap depending upon the context. There
are many great tools out there used to operate IT
infrastructures, but often there’s a blurring of the lines
between monitoring and management. On the one hand,
monitoring has its roots in a history which talks about RAG
consoles, and reacting to issues once they’ve occurred;
however, that’s not to say there haven’t been some great
developments in predictive analysis and self-learning/
healing to make the system administrator’s life easier.
On the other hand, management aims to be proactive,
looking for insights within technical data to aid cross-team
planning, project management, and business discussions
and reporting. These insights abstract and simplify the
information to drive clarity of decision-making, sustain
standards and good practices, avoid inconsistency,
reduce risk and improve service levels. In many cases, all
of this could reduce the need for some of the heavy duty
tools needed to keep the lights on in the first place.
The gap is undeniably there for many organisations, so
where next?
Over the past 5 years we’ve seen the rise of big data,
the debates about moving from data warehousing to
new services such as Hadoop, the impact on science and
quantum physics, and the rapidly increasing relevancy
of data scientists as a mainstream career choice.
However, we’re now also seeing an expansion to the
mass market with an emerging new breed of tools that
enable more accessible consumption of truly useful
information. These tools help IT address the challenges
of the new dynamics being presented by virtualisation
and cloud, and in many cases significant improvements
can be made just by doing the basics better.
References
1. (Source: http://techcrunch.com/2010/08/04/schmidt-data/)
2. (Source: http://www.ibm.com/smarterplanet/uk/en/
business_analytics/article/it_business_intelligence.html )
3. (Source: http://www.informationweek.com/big-data/big-data-analytics/10powerful-facts-about-big-data/d/d-id/1269522?image_number=2)
Author information
Gavin Jolliffe is a seasoned technology industry
entrepreneur and serial innovator with over 15 years
executive and operational experience. Launching Xtravirt
in 2007 he led its rapid and exponential growth through
innovative software development. Gavin has since built
an industry-leading consulting organisation which is
recognised for its expertise in software-defined data centre
and cloud solutions.
Xtravirt delivers cloud, workspace and data centre
transformational solutions to clients across public and
private sectors. Its consulting organisation is recognised
globally for astute management, sound methodology and
a proven track record, which provide unsurpassed value to
Xtravirt’s clients.
xtravirt.com
Today’s CIO
15
Delivering the action plan
for the data centre industry
Become a member today...
www.datacentrealliance.org
+44 (0) 845 8734587
www.datacentrealliance.org
Big Data
Using end-user IT analytics
for better business decisions
Poul Nielsen,
director of strategy,
Nexthink
BUSINESS IT INFRASTRUCTURES ARE
becoming increasingly complex, with
ever more devices and applications
being added on a daily basis due to
phenomena such as bring your own
device (BYOD) and the Internet of
Things. The technology decisionmakers charged with managing these
infrastructures are also being asked
to constantly improve the service
that they deliver to their end-users,
despite often having to rely on backend, silo-based monitoring systems
that may no longer be fit for purpose.
As a result, end-users find
themselves experiencing problems in
the day-to-day performance of their IT
systems and services. This can result
not only in a drop in productivity but
also in a concerning lack of faith in
their organisation’s IT support team.
Forrester Consulting has compiled
a report1 which profiled IT decisionmakers in the UK and US to evaluate
how the performance of their
organisations’ IT services impacted
their end-users and businesses.
The report’s key findings included
the concern that an organisation’s
IT service desk was usually the last
to know about any performance
problems affecting employees. With
back-end monitoring tools unable to
detect these performance issues,
end-users are either looking to
colleagues for help, or attempting
to solve the problems themselves.
The increasing complexity of IT
service portfolios, and the variety
of applications crossing multiple
technology silos, were found to
be complicating matters further,
and a need was recognised for
new tools and better analytics to
provide service teams with a view
of performance data over time
from an end-user’s perspective.
Complexity and the
need for visibility
According to the report, almost half of
IT decision-makers (43%) considered
the complexity of their IT service
portfolio and the lack of full, clear
visibility into IT performance from
the end-users’ perspective as two
of the most significant barriers to
delivering better service quality.
Increasing levels of complexity lead
to claims that IT support staff lack
adequate end-to-end visibility of any
IT services that span multiple parts
of their organisation’s infrastructure.
Indeed, more than a third (36%) of
respondents considered this to be
a significant barrier to providing
higher levels of service quality.
The survey revealed that IT support
staff were spending three quarters
of their time (73%) troubleshooting
issues such as these, relating to backend infrastructure, and particularly
those issues that involved multiple
aspects of the infrastructure.
Significantly, the survey reveals that
these multi-factor issues, with end-users
experiencing problems affecting several
Today’s CIO
17
Big Data
parts of their organisation’s IT infrastructure, were regularly
being encountered by nearly all IT decision-makers (98%).
The frequency of such issues can be viewed as being
responsible for a form of silo mentality, with 90 per cent of
respondents reporting coming across situations where they
were required to rule out issues specific to a particular device
from issues relating to the wider infrastructure. Respondents
claimed that they spent nearly as much time troubleshooting
problems with infrastructure as they did with problems
directly affecting end-user devices. As a result, 83 per cent
claimed that they found the situation made it difficult for
them to effectively diagnose issues around IT service quality.
It’s perhaps little wonder then that IT support can
often be perceived as being largely reactive in nature.
By way of illustration, the report shows that, in more
than a third of cases (35%), IT support teams were made
aware of a performance or availability issue only when
a ticket was raised by the end-user affected, rather
than being alerted by a back-end monitoring tool.
Whilst the technology does exist to provide insight
into business service availability and performance from
the perspective of the infrastructure, it’s unable to see
what individual end-users are actually experiencing. In
fact, only two per cent of IT decision-makers admitted to
currently employing any form of monitoring tool able to
detect downtime from an end-user’s perspective, and that
could offer insight into its possible effects on employee
productivity, customer satisfaction, and revenue.
End-users taking matters into their own hands
The report reveals that, when an end-user experiences an issue
with application performance, 50 per cent of the time they have
either had a bad experience with IT support in the past, don’t
think that their IT department will be able to solve it, or that IT
will send them somewhere else for assistance. With statistics
such as these, it’s not hard to understand why end-users may
have lost some degree of confidence in their IT support teams.
According to workforce data from Forrester, almost 45
per cent of employees will attempt to solve an IT issue on
their own before they request assistance from the helpdesk.
The same survey reveals that 17 per cent of workers claimed
that they didn’t believe that their IT support team was
able to resolve their performance issues or answer their
technical questions. A further 16 per cent said that they
turned to search engines to find an answer for themselves,
while another 14 per cent admitted to calling the software
or hardware manufacturer’s helpline for assistance.
Further evidence of this perceived lack of faith in
IT support teams can be found in the statistic that
almost a third (30%) of an organisation’s employees
will seek help and advice from colleagues and peers
who aren’t employed in any IT-related function.
Making sophisticated analytics a priority
To combat this lack of faith, and to allow them to take a
significantly more pro-active approach, IT support desks
require more sophisticated monitoring and analytics
tools that will enable them to detect performance and
18
Today’s CIO
service issues experienced by their end-users – often
before the users themselves are aware of them.
Indeed, Forrester’s Forrsights Priorities and Journey Survey
2014 reveals that, when questioned on their priorities for
the next 12 months, more than half of the IT decision-makers
surveyed (52%) stated a need to improve the use of data
and analytics for better business decisions and outcomes.
Additionally, a third of respondents (32%) recognised
the importance of connecting the products and assets
across their technical estate so that they would be in a
better position to monitor and analyse their identity,
location and condition. This visibility, which end-user
analytics is capable of providing, will then enable an
organisation’s IT support staff to identify, understand
and pro-actively address issues at the end-user level.
Making an investment in end-user analytics will enable
an organisation’s IT department to begin improving
the quality and performance of the service it delivers.
IT analytics should be a top priority for IT leaders,
providing the missing component for end-to-end visibility
to proactively make better business decisions.
By routinely monitoring the IT infrastructure,
automatically generating meaningful reports, and
identifying and resolving issues the moment that they
occur, analytics such as these will deliver actionable
insight into whether the quality and performance of the
service meets the needs of the organisation’s end-users.
Ultimately, by applying this insight, IT teams will
become more effective and efficient in delivering projects
and allocating the budget necessary to improve those
issues with service quality that are likely to have the
greatest effect on employee productivity, customer
satisfaction, and the organisation’s bottom line.
Reference
1. Report commissioned by Nexthink.
Further information
About Nexthink
See your IT Infrastructure as never before with Nexthink
End-user IT Analytics for security, ITSM and workplace
transformation. Our software uniquely provides IT
analytics covering all endpoints, all users, all applications
and all connections, all the time, in real-time and new
visibility into your IT infrastructure and service delivery.
Nexthink helps IT Departments connect, communicate and
collaborate to achieve their major goals and to optimize
endpoint security, operations, support, and workplace
transformation projects. Nexthink real-time analytics
and visualization extend help desk, server monitoring,
APM (application performance management) and PCLM
(PC lifecycle management) tools and provides essential
visibility for IT governance.
To learn more visit www.nexthink.com
+44 753-946 6702
Big Data
Cloud migration is the leading
concern of cloud adopters
Datapipe recently surveyed IT
infrastructure specialists and CIO’s
asking them to highlight their biggest
concerns about adopting cloud IT
solutions for their business
The number one concern cited was
the difficulty of cloud migration
Migrating to the cloud can indeed be difficult if you
don’t have the right partner. By enlisting the help of
an experienced and reliable third-party cloud services
provider, companies can migrate to the cloud quickly
and avoid roadblocks. Find a “managed service provider”
who is equipped to manage complex migration needs
and execute a seamless transition to a cloud or hybrid IT
solution. Someone who offers a guaranteed Safe Passage
that assesses your needs to implement a customised
program to ensure that no data is lost or compromised.
Loss of control over services and/or data was the
second largest concern around cloud adoption
Losing the keys to your data to a third party is a big
concern for companies who need to be able to access
their resources quickly. Traditionally, businesses would
have to provide their managed services provider with API
keys and administrator credentials so that they could
manage the network. By choosing the right partner who
truly understands public cloud infrastructures you should
look to circumvent this necessity. By using AWS Trust
Relationships and Security Token Service (STS) software,
your partner should be able to effectively run your system
without needing the keys, allowing companies to retain
complete control over their virtual infrastructure and data.
The third largest concern was the belief
that cloud systems are too expensive
Considering the velocity at which IT is changing and
progressing, keeping solutions in-house is expensive.
Traditionally, it made sense for companies to invest heavily
in private data centres where their own IT specialists
could manage hardware and software solutions.
With the introduction of the five-minute data centre, firms
can now create and destroy information in a matter of minutes
on an IaaS platform and housing such an expanse of data on
traditional infrastructure increasingly making less sense.
So, use cloud solutions and IT experts who are flexible and
move with the market so that your business is never on its
back foot when it comes to IT. By assessing and implementing
Top concerns around cloud adoption
the correct solution for your business. Ensure efficiency
pay for the storage that you need, without overpaying
for unnecessary provisions. Use a solution that is agile
and nimble enough to move with you so that your price
plan is reflective of the storage and resources you use.
Accountability and privacy are a worry in the cloud
With the recent barrage of hacking scandals and breaches,
there is a lot of discussion around the threat of cyber
criminals to cloud technologies. One of a company’s biggest
security threats comes from employees who fail to use
best practices and unintentionally expose their data to
outside threats. It is imperative that you have a formal plan
to build on security best practices that includes two-factor
authentication, role-based access and credential security.
Non-repudiation or the lack of accountability, if a problem
does arise, is a concern when businesses outsource to third
parties. Business owners need to precisely track the actions
of all users. These actions should be tied back to unique user
names and be visible to both the business and 3rd party
managing the cloud services. Once all system access and
activities are monitored through unique user names, you
can react to suspicious activity quickly and effectively.
When to turn to a multi-cloud strategy
for enterprise IT
By this point, most enterprises are firmly committed
to cloud services. This technology has yielded
tremendous benefits, from cost savings to improved
Today’s CIO
21
Equinix LD6 Smart
Data Centre use
Oasis™ Indirect
Evaporative Coolers
Equinix, one of the world’s largest data
centre operators and Internet exchanges is
set to open their sixth London data centre
LD6 in Slough.
The company will use Munters Oasis
Indirect Evaporative Coolers at both sites
to achieve world leading sustainable server
climate control, meeting the demand from
Equinix’s customers in financial services,
cloud and enterprise segments. LD6 aims
to be accredited in Leadership in Energy &
Environmental Design (LEED) to platinum
level.
Forty Oasis IEC 200 systems inc four
MUA units for LD6 Slough are at the
heart of Equinix’s air treatment design,
and will contribute towards lower energy
consumption and carbon footprints. Munters
Oasis IEC 200’s will supply over 8MW of
cooling for the IT Load for the first phase of
LD6. The new LD6 data centre will provide a
capacity of 8,000 square metres equivalent
to housing 2,770 server cabinets.
Today’s CIO
High efficiency cooling
Annualised cooling pPUE of 1.06
Fully separated air
Use of any fresh water type
Annualised project PUE of 1.2
Equinix ‘s investment in the LD6 data centre,
utilises Oasis’s award winning innovative
patented indirect evaporative heat
exchanger and 100% natural ventilation.
“LD6 is a hugely exciting project; the facility
will be the most advanced data centre in
the UK. We are committed to providing
continuous improvement for our customers
and set new standards in efficiency and
sustainability,”
said Russell Poole, managing director of
Equinix UK.
22
•
•
•
•
•
Full case study: www.munters.com/equinix
airtreatment@munters.com
+44 1480 410223
Big Data
flexibility and beyond. Cloud sceptics have been
won over and cloud proponents proven right.
With the cloud’s value firmly established, the challenge
that enterprise IT decision-makers now face is determining
how to develop an optimised approach for maximising
cloud benefits. Increasingly, these leaders are coming
to realise that the answer often lies in a multi-cloud
strategy. In many scenarios, multi-cloud deployments will
deliver the greatest results for enterprises of all kinds.
Here are three of the situations where a multi-cloud
strategy will make the most sense for enterprise IT.
1. Decreased reliance
One of the most common and significant reasons why
enterprises may want to turn to a multi-cloud deployment
is to reduce their reliance on any given cloud services
vendor. In a traditional private or public cloud approach,
the company will simply move all relevant operations and
assets into a cloud environment hosted by a single given
vendor. This is also frequently, although not always, the
case in a hybrid approach that combines elements of
both private and public cloud into a single solution.
In all of these scenarios, the enterprise will inevitably end
up heavily reliant on whichever cloud vendor it has partnered
with. This may not be much of a risk assuming the enterprise
is leveraging an exceedingly reliable service provider, but
there will always be a chance of disruptions and outages.
For many enterprises, such risks are unacceptable.
By turning to a multi-cloud deployment, enterprises can
effectively avoid putting all of their eggs in one basket,
as they will never be fully dependent on a single cloud
service or vendor for their hosted needs. As a result,
companies can achieve a greater degree of autonomy.
2. Diverse needs
Another key reason for enterprise IT to pursue multi-cloud
deployments is to satisfy diverse cloud needs. While there
are many expansive cloud platforms on the market today,
there will still be many situations in which organisations
simply cannot meet all of their IT goals through a single cloud
solution. Or, more commonly, the ideal option for one cloud
need will differ from another. For example, an enterprise
may want to take advantage of AWS services for storage
and Azure for Internet-facing public Web applications.
A multi-cloud approach enables the business to utilise
both of these resources, whereas a single cloud strategy
will force the firm to go all-in on AWS or Azure exclusively.
Multi-cloud’s best-of-breed approach offers the
potential for optimised performance and outcomes.
3. Test and see
Finally, enterprises may turn to multi-cloud strategies as a
means of conducting trials of a number of different cloud
options. While the cloud adoption process has become
much simpler over the course of the past few years,
there is still a fair amount of time and effort required
when embracing a new cloud solution. Doing so on an
organisation-wide scale is an even more massive endeavour. Before fully committing to such an expansive, allencompassing cloud strategy, enterprises may want to see
how well different cloud services function in various parts of
the organisation. In essence, this approach uses multi-cloud
deployments as a means of testing out the different cloud
solutions on the market prior to making a comprehensive
shift to a singular approach. While certainly not necessary
for every enterprise, this strategy can offer major benefits
for large, high-stakes cloud migration plans.
Further information
Datapipe architects, deploys and manages multi-platform
hybrid IT solutions for the enterprise, including traditional
IT, public cloud, private and hybrid clouds. Datapipe offers
unparalleled SLA’s in the cloud space for Enterprises
looking to deploy mission critical IT infrastructures in both
public and private cloud environments including both AWS
and Azure.
Datapipe delivers operational excellence globally, through
a team of experienced professionals, best of breed IT
management applications and next generation data centres.
As such Datapipe is recognised by Gartner as a leader in
cloud enabled managed hosting solutions and is recognised
by Forrester as a global leader in Hosted Private Cloud
solutions.
Mark Underwood
Vice President EMEA – Datapipe
munderwood@datapipe.com
+442075152555
http://www.datapipe.com
https://twitter.com/Datapipe
Today’s CIO
23
TODAY’S
CIO
O
TODAY’S CE
F
C
S
’
Y
A
D
TO
O
Spring/Summer 2015
Spring/Summe
r 2015
r 2015
Spring/Summe
Do I really need
to worry about
data centres?
the
Adjusting to
cheap oil
new world of
tomers
Are your cus to be?
im
who they cla
s,
Move over boy
women mean
too
ess
busin
Sponsored by
Rotterdam
image
trades up its
■
■
■
www.spartapublishing.co.uk
Tel: +44 (0)20 7970 5690
40 Bowling Green Lane, London EC1R 0NE
Ahead in the cloud:
how to keep your
data secure
A sharing ec
on
utilises spar omy
e capacity
Bishops and
actresses of
fer
help to MBA
students
How safe is
da
stored in th ta
e clouds?
Cutting yo
carbon footpr ur
can cut cost int
s too
Sponsored by
Security
Network security is in the details –
the destruction of the Death Star
By Ian Whiting, CEO of Titania
THERE ARE A GREAT DEAL OF SECURITY LESSONS HIDDEN
in the plots and sub-plots of Star Wars – data security,
hackers-for-hire, user error etc. However, what better suits
the information security industry other than the striking
moment that saw the Death Star exploding into glittery
stardust? A chain of vulnerabilities and risk mismanagement
ultimately lead to the unthinkable, the destruction of the
Empires’ superweapon due to an exhaust vent vulnerability.
There is a case to be made that network security lies
in the detail, especially with the rise of the advanced
persistent threat and the development of cyberespionage
worldwide. Criminals acting in the virtual space have long
renounced the generic approach and have instead adopted
a highly targeted crime deployment. Security measures
must come to reflect this shift. For this, Star Wars shows
us how attention to detail can be equally applied to your
organisation for a more efficient defence of the network.
Advanced persistent threat:
operation “Death Star”
The Death Star was an impressive military and political
superweapon designed to annihilate entire planets.
Yet in spite of its mightiness, the Death Stars’ defence
was surprisingly vulnerable to attacks – one small
weakness led to a devastating end result. An assessment
of its vulnerabilities was long overdue and it may
have been a chance to re-write Star Wars history.
1. Network reconnaissance
Rebel spies led by Princess Leia manage to get possession
of the Death Star’s plans, but their ship falls to the Imperial
forces. Leia alone cannot analyse the information she
retrieved. Instead she finds a way of transmitting the data
back to her father’s home planet of Alderaan for further
investigation, by storing the plans in the memory of R2-D2.
At this stage, Leia is captured by the Empire. For the time
being, the Empire is unaware of Leia’s mission purpose. The
princess insists they are there on a diplomatic mission.
Malware with backdoor capacities can infiltrate a
network and remain undetected for years, while leaking
information. For example SEDNIT infectors in operation
Pawn Storm contained mainly backdoors designed to steal
system information and send it to remote C&C servers.
Another example is the highly modular Snake (aka
Uroburos) operation which indicates that the rootkit
had gone undiscovered for at least 3 years, with a
great ability to hibernate for a number of days, which
made it untraceable even to professional eyes.
2. Outsourcing – “Hacking-as-a-Service”
Leia’s stolen plans reach the hands of Luke and Obi-Wan
Kenobi who decide they must follow Leia’s instructions and
reach Alderaan. Luke and Obi-Wan need extra assistance
so they contract the services of mercenary Han Solo, who
can transport them on his ship, the Millennium Falcon.
A coordinated cyberattack can involve multiple actors
taking part, to accomplish various roles along the way. The
underground forums of criminal activity are rife with hackers
of various skills and knowledge that offer their services.
Off-the-shelf tools are also popular either on a one-off
basis or as a contractual service, including updating and
maintenance work. The Silver Spaniel uncovered in 2014,
shows a relatively simplistic campaign which did not build
any software, but outsourced commodity tools available on
hacking forums instead. The attack required little technical
skill, yet it provided scam artists with a prosperous business.
3. Response SIEM – quarantine and counter-attack
The Millennium Falcon has to re-route, in order to reach the
Today’s CIO
25
Security
rebel base Yavin 4, as Alderaan was destroyed by Grand Moff
Tarkin in a demonstration of the Death Stars’ capabilities.
However, the Millennium Falcon gets captured by the Star’s
tractor beam and brought into its hangar bay. When escaping,
the ship manages to evade the Death Star, but at this
point it carries a tracking device which enables Tarkin and
Darth Vader to monitor them all the way back to Yavin 4.
Network defence approaches focused on threat
identification and event management (SIEM) would at
this stage identify a breach and trigger security alerts.
An alert system would provide the CISO with the choice
of further monitoring or ignoring the threat. We see that
the Tarkin and Vader choose to monitor the Falcon and
track it back to base. Yet, without a comprehensive risk
management view of the Death Star’s vulnerabilities,
they ignore the possibility that the rebels would “dare”
target the core of the Star and fail to secure the ports.
4. The attack vector
The Falcon finally reaches its destination and they hand
the plans over for analysis. The examination reveals a
vulnerability in the exhaust port that connects to the station’s
main reactor. Once the weakness was identified, an attack
mission is set up and Luke joins the assault squadron.
In 2014, The Mask (El Careto) was revealed as one of
the “elite” APTs. Its deployment against carefully selected
targets included monitoring infrastructure, shutting down
operations, avoiding detection by wiping instead of deletion
of log files and others. Its purpose was cyberespionage, but
the attack vector was a combination of social engineering and
rare exploits for Java, Chrome, Firefox and other browsers.
Campaigns like The Mask show us that the wide range
of tools and the extensive pre-planning work conducted
before setting up the attack vector remain the most
unpredictable part of the threat. Security and risk
managers are often unaware of the “open ports” and
struggle to discern between critical and minor threats.
An auditing process with clear flags for threat level is the
only way to ensure that malicious actors do not achieve
a more efficient assessment of your network than you.
5. Exploit
After a number of battles, Luke assisted by the Force and
under Obi-Wan’s spiritual advice is able to fire proton
torpedoes into a small thermal exhaust port along the
Death Star’s equatorial trench. This leads to the memorable
image of the Death-Star exploding into space.
The BlackPOS family that ultimately led to the
breach imposed on Target is a good example to the
destructive effects that an undetected vulnerability
can have to the security of a network, and finally to
the reputation of an organisation. It is now known that
the BlackPOS campaign operated through 3 different
strains of malware, all following a similar behaviour:
infiltration, memory scraping and exfiltration.
Target did have a security team in place to monitor
its systems around the clock. Hackers managed to
avoid detection while setting up their malware, but
when they proceeded to the final stage – uploading the
exfiltration malware – alerts went off in Target’s security
department and then…nothing happened. The alarm
was triggered early enough, before any data got leaked,
yet the security operations centre chose to ignore it at
that stage. The reasoning has never been disclosed.
As we see earlier in the film, despite being aware of
the thermal exhaust port, the Empire decidedly had
not taken steps in securing it. The reasoning can be
inferred from their conversations: too insignificant
and too dangerous for the rebels to target it.
There is an important point to make here that regardless
of a networks security system and even quarantine or
counter-attack measures, there is also a great need
for a healthy auditing practice, in order to identify your
weaknesses before attackers get chance to exploit them.
The final facilitator that led Princess Leia and then Luke
Skywalker to succeed in their mission was the Empire having
failed to design a correct risk management framework.
The accounts of many breaches provide sobering
lessons in how organisations can have wide ranging “big
picture, big budget” defences but leave vulnerabilities
in everyday housekeeping. With the Death Star it was
an exhaust vent, with your organisation it might be an
out of date firewall, or a default password that had not
been reviewed during your last pen-test. Monitoring
the details can make the difference between a secure
empire and an embarrassing and very public explosion.
The words of General Dodonna, upon analysing
the smuggled plans, can be the words of any hacker
assessing the entry points of your network: “Well, the
Empire doesn’t consider a small one-man fighter to be
any threat, or they’d have a tighter defence.”
Further information
Ian Whiting is the CEO of Titania, a cybersecurity auditing
software provider. Ian has dedicated the past 15 years to
working with leading global organisations and government
agencies to improve computer security. His efforts have
been recognised by the industry when he was awarded the
“Personal Contribution to IT Security” title during the
Computing Security ceremony.
In 2009 Ian Whiting founded Titania with the aim of
producing security auditing software products that can be
used by non-security specialists and provide the detailed
analysis that traditionally only an experienced penetration
tester could achieve. Now used in over 60 countries
worldwide, Titania’s Nipper Studio and Paws Studio auditing
software has earned countless awards and industry
recognition.
Website: www.titania.com
Tel: +44 (0) 1905 888785
Twitter: @TitaniaLimited
Today’s CIO
27
Security
Privilege gone wild:
The state of privileged account management in 2015
By BeyondTrust
EACH YEAR, AN INTERNATIONAL SURVEY1 IS CONDUCTED
to identify trends in the privileged account management
market. The survey explores how organisations view the
risk from privileged account misuse (either malicious
or inadvertent), as well as trends in addressing and
mitigating the risks. Over 700 information technology
professionals participated in the 2015 survey,
representing organisations in retail, government,
education, manufacturing and technology markets.
Privileged account management was particularly important
to organisations participating in the survey this year. You
don’t have to look much further than the Sony breach and
other recent data breaches to understand why. The use of
stolen credentials is the most prevalent attack vector. From
an adversary’s standpoint, stolen privileged credentials are
the perfect vehicles from which to execute an attack.
However, stolen credentials are not the only risk from
elevated privileges. Malicious insiders may use their privileges
to access, share or steal sensitive data. Inadvertent abuse is
also a concern. Employees with elevated privileges may access
sensitive data out of curiosity, move data to unauthorised
cloud storage for use off-network, or install unauthorised
software such as file sharing applications that put data at risk.
User and account management is information
security at its most basic level. Best practices provide
users with unfettered access to the data and programs
required for their jobs, while preventing other actions
that might introduce risk to the organisation.
With multiple stakeholders, the ability to
view the information needed for each role in the
organisation is critical. Unified reporting was cited
as a critical feature by 56% of the respondents.
There are gaps in privileged account coverage,
but companies are concerned about costs
While their intentions are good, many organisations have some
work to do. Over 47% of the respondents reported that users in
their organisations possess elevated privileges not necessary
for their roles, and 20% report that over 3/4 of their user base
run as administrators. One third (33%) of the organisations
participating in the survey report having no policies (much less,
controls) for privileged password management. This policy
choice greatly increases the organisation’s attack surface
across which malicious or accidental breaches can occur.
The perceived cost of purchasing, implementing and
managing the privileged account management solutions may
be a deterrent to faster adoption. Respondents cited CA,
Dell, and CyberArk as having the highest perceived price.
Survey results
As one might expect from such a diverse set of
industries, opinions differed on many of the particulars
about the need, deployment and rollout of privileged
account management. Despite their many differences,
five key points came through across all segments.
Risk is recognised, and control is viewed as a
cross-functional need
While security teams drive privileged account management
purchases in 82% of respondent companies, privileged
account management risk crosses functional boundaries.
IT is responsible for maintaining systems, and Security
is responsible for the integrity of the information. It
therefore makes sense that compliance (57%) and
operations (43%) are also involved in decision-making
and management. It is also encouraging to note that over
82% of the respondents report that their organisations’
IT operations and security teams “work well together.”
28
Today’s CIO
Privileged user risk is expected to increase
84% of respondents believe the risk to their organisations
from privileged users will increase over the next few years.
The greatest perceived risk is to business information,
including corporate intellectual property, source code,
design documents, trade secrets, and compliancerelated data such as PII (42%). This makes sense given
the increase in media coverage of corporate espionage,
which is typically viewed as a risk from insider abuse.
Need for greater accountability over privileged passwords
The survey shows that organisations believe there is an
opportunity to improve their controls over privileged user
accounts. The common method for managing privileged
accounts is through shared passwords. Just over half (51%)
of the respondents state that shared passwords are managed
“individually.” This could include users sharing passwords on an
ad hoc basis, or simply by memory. 35% indicate that shared
Many Devices.
One Solution.
Absolute Software provides endpoint management and security for all of your
desktop, laptop, tablet and smartphone devices – regardless of user or location.
Optimise productivity, reduce operating costs, prove compliance, and remotely
secure all of your devices and the corporate data they contain.
absolute.com
Security
passwords are controlled “locally,” including spreadsheets,
password vaults, SharePoint, and Active Directory.
end users is an ideal starting point at which to deploy a
single solution to address a very large attack vector.
Inadequate controls over business-critical,
tier-1 applications
In the current environment, business critical, tier-1
applications are attractive targets for adversaries. For those
systems (for example Linux and UNIX servers), 58% of the
respondents believe their current controls against misuse are
inadequate, immature or non-existent. Clearly, addressing this
shortcoming should be a priority for these organisations.
Address the risk of privileged password misuse
Deploy controls that provide system administrators (and
others) with unique, time-limited privileges that can be
controlled at a granular level and monitored. Most important,
maintain a detailed audit trail for spot-checking and
compliance reporting. In the event of a breach, audit logs
can be used for forensic analysis and accelerate incident
response, limiting damages to corporate assets and brand.
Best practices for managing privileged accounts
How to get started
Consider the implementation of the following best practices
to improve the control and accountability over privileged
accounts.
Privileged users play a necessary role in every organisation, but
not all users require elevated credentials. A logical, enforceable
policy for defining the required privileges for each class of
users improves security by reducing the organisation’s attack
surface. Begin with a decision-making team that includes
representatives from all affected stakeholders, then:
■ Simplify – look for solutions that are crossplatform and account for the reporting and
auditing needs of all stakeholders.
■ Discover and prioritise – understand who
has elevated privileges, and target your
most critical applications and users.
■ Implement – start with a single use case
to build internal procedures.
■ Enforce – policies without enforceable controls
do not address inadvertent errors or malicious
behaviour from inside or outside the organisation.
■ Expand – address internal and external users with
legitimate access to your data and systems.
Assemble cross-functional teams to address
privileged account management
Managing and monitoring privileged users is a task that
crosses functional boundaries. While many super users and
system administrators may reside in IT operations, normal
checks and balances would dictate that security groups
provide oversight. By including all stakeholders (including
vendors and contractors who connect into your network) in
the selection, implementation and management of privileged
user accounts, organisations also have the opportunity
to enhance the relationships between these groups, and
reporting and analytics needs can be identified early.
Deploy policies for controls and enforcement
It is clear that privileged user account policies should
be in place in all organisations. However, efforts may be
wasted without controls that enforce those policies. Not all
breaches of policy will be malicious, but inadvertent errors
can still disrupt systems and expose sensitive information.
A privileged account management strategy should include
provisions for exception handling and workflow to allow
users to perform their jobs in an unfettered manner, while
maintaining centralised control over critical assets.
Prioritise implementation by the consequences of
a breach
Often, the most difficult task in managing privileged user
accounts is deciding where to start. While beginning with end
user accounts is good, rollouts should be prioritised based
on the consequences of a breach. Factors to consider include
financial, reputational and regulatory costs to the business.
Prioritising privileged account management implementations
allows organisations to build their own best practices for
deployments, including communications with affected users.
End-user privileges are a good starting point to
address gaps
As seen in the survey results, many organisations do not
manage the privileges of any end users. A discovery exercise
to identify all the privileged accounts in the organisation
can provide a baseline. The population of unmanaged
Finally, monitor your program and policies. Use products
to discover how often users require enhanced privileges and
for what purposes. This will allow you to adjust and improve
policies based on empirical data within your organisation.
Reference
1. BeyondTrust, 24/3/2015, Privilege Gone Wild Survey
Further information
BeyondTrust is a global cyber security company dedicated to
proactively eliminating data breaches from insider privilege
abuse and external hacking attacks. More than 4,000
customers around the world rely on BeyondTrust Privileged
Account Management and Vulnerability Management
solutions to shrink attack surfaces and identify imminent
threats. The company’s integrated risk intelligence platform
presents a unique advantage to reveal critical risks hidden
within volumes of user and system data. This unifies IT and
Security departments, empowering them with the information
and control they need to jointly prevent breaches, maintain
compliance, and ensure business continuity.
Today’s CIO
31
wickhill_survey_advert_cio_magazine.ai 1 21/01/2015 11:21:26
C
M
Y
CM
MY
CY
CMY
K
Security
A brave new world:
understanding the new EU data protection regime
Jonathan Armstrong, data regulation
advisor for Absolute Software and
technology lawyer at Cordery
THE CURRENT EU DATA PROTECTION LAW NOW SEEMS
positively Stone Age. It belonged, perhaps, to a different time.
It came into force in 1995 when the Internet was still in its
infancy. Back then about 1% of Europeans used the Internet.
Things have changed. Every two days we create more data
than we did from the dawn of civilisation until 2003.
The European Commission announced its long-awaited
proposals on what are likely to be viewed as drastic changes
to data protection law in Europe on 25 January 2012. The aim
of the proposals is to make EU privacy laws fit for the 21st
Century and they seek to both change the system and increase
the penalties for a breach. They also seek to introduce data
breach laws similar to those which exist in most U.S. states.
It is still in draft stage and is not expected that legislation
will come into force before 2017 but businesses must start to
prepare now to account for a serious regulation upheaval. This
is not a fine tuning of the law. This is a fundamental change.
Some of the major changes include:
■ Consumers having easier access to their data.
■ Consumers having a statutory right to
have their data deleted on demand.
■ Organisations having a legal obligation to notify
the authorities about data breaches as early as
possible and “if feasible” within 24 hours.
■ The mandatory appointment for companies
with 250 or more employees of a suitably
trained data protection officer.
What are the new penalties?
The new law is raising the stakes. There are increased
sanctions including fines of up to €100 million or
up to 2% of annual global turnover – whichever is
greater. This compares with a current maximum fine of
£500,000 under the UK Data Protection Act 1998.
Former EU Commissioner Viviane Reding has also said
that companies could be fined up to 0.5% of their annual
turnover if they charge users for Subject Access Requests
(SARs). She said that this sum should double if a firm refused
to hand over data or failed to correct bad information.
This is draft legislation with very heavy penalties.
Where does it apply?
What does the new law do?
The new law is much more specific, much more demanding
and much more onerous. The Commission says that the
new law tries to address how to deal with the problems
of big data and social media, BYOD and of the Cloud.
Whether they do this successfully remains to be seen.
The new law will apply throughout the EU and to organisations
outside the EU that are active in the EU market and offer
services to EU citizens. This means, for example, that a
US software company with all its offices in the US, that
handles the data of EU citizens can be investigated,
fined and even prosecuted by an EU Regulator.
Today’s CIO
35
Security
A statutory right to be forgotten will be introduced
The new EU data protection regime also includes
a statutory right to be forgotten. It says:
“Any person should have the right to have personal data
concerning them rectified and a ‘right to be forgotten’ where
the retention of such data is not in compliance with this
Regulation…this right is particularly relevant, when the data
subject has given their consent as a child…and later wants
to remove such personal data especially on the internet.”
The Google “right to be forgotten” case has shown the vast
numbers of people who may apply to have their data wiped.
Companies will need to be much more organised
in handling deletion requests from, potentially
millions, of people from across the globe.
Part of the solution for large organisations will
include the ability to manage data across its device
estate to ensure rapid deletion. In these days of
mobile working, sophisticated software and systems
are likely to be needed to ensure that data across the
enterprise remains secure, accurate and up to date.
A single set of data protection rules
The current law is a Directive and therefore it was left
to EU member states to decide how to bring it into
force under their own domestic legislation. In many
respects, it was this which led to inconsistency.
The current proposal is that the new law will be a
Regulation. This means that it is directly applicable
and Member States will not be required to pass
their own laws in order to bring it into force. This
should mean one law in force across the EU.
One important change is that the requirement to
register data collection and transfer in each country may
be removed. Organisations will instead deal with a lead
country that will regulate their activity across the EU.
Investigations however are likely to still be conducted
by the regulator where the complainant is based.
Further responsibilities under the new law
There are two further heavy burdens under the new
law. The new law says that communication should be
made to the data subject “when the personal data
breach is likely to adversely affect the protection of
the personal data or the privacy of the data subject.”
There is a caveat to this if the company can show
that they have in place “technological protection
measures that shall render the data unintelligible to
any person who is not authorised to access it.”
This means that if there is a data loss of 100,000
customer’s data in relation to a lost employee iPhone, then
a company will have to tell those 100,000 customers that
their data may have been compromised. The legal blowback
from 100,000 irate customers could be considerable.
The brand damage, litigation and media reporting of an
incident would all be significant. If a company has, for
example, software in place to prevent this data on the
iPhone from being intelligible to those who might seek to
exploit it then the company could avert the disaster.
36
Today’s CIO
Added to this, if there is a huge data breach
concerning millions of data subjects all across the EU,
the company will have to deal with each supervisory
authority, each language, each notification requirement
in every country where there is a data subject affected
by the breach. Legal advice will be very important
particularly in the first 24 hours after the breach.
Another important feature of the new law is the
introduction of a corporate data protection officer.
This is a mandatory appointment with specifically
defined responsibilities for organisations with
more than 250 employees. This means that all
over the globe companies of this size will need to
make someone responsible for data protection.
Conclusion
We know that the new regime will bring considerable
responsibility and sanctions for companies that
handle data. We must not forget that it will also
bring considerable opportunities for those that help
them avoid these pitfalls. This law will be radical.
There are two sorts of companies. The ones who
will make changes to their data protection policies
once the law comes into force and those who are
already making changes to allow for the law coming
into force. The responsibilities are so vast that it is
important to get the correct advice and to act now.
Companies should act now to:
■ Draft data deletion policies to comply with
the statutory right to be forgotten.
■ Take steps to appoint and train the
right data protection officers.
■ Look at software solutions to help manage the risks.
■ Draft policies to comply with the breach
notification requirements.
■ Train employees on the risks and how to reduce them.
There will be significant challenges to comply with the
new law. Uncertainties remain. What is certain, however,
is that organisations will have to start now to have a
chance of complying when the new laws come in.
Further information
Absolute Software is the industry standard for persistent
endpoint security and management solutions for
computers, laptops, tablets, and smartphones. As IT
security and management requirements have converged,
we’ve responded by providing our customers with a
consolidated experience, allowing them to manage and
secure all of their endpoints regardless of user, location,
or form factor. This singular view of the IT landscape is
extended to include IT processes and infrastructure with
our IT service management offering.
Security
Ahead in the cloud:
how to keep your data secure
By Kevin McLoughlin
Twinfield UK Head of
Strategic Partnerships and
Product Wolters Kluwer
WITH COMPANIES INCREASINGLY
turning to cloud-based technologies
to find productivity and efficiency
gains, it’s hardly surprising that
guidelines around the use of outsourced
solutions continue to be updated and
strengthened. In recent years there
has been a focus on companies’ use of
third-party technologies – particularly
around the use of externally-hosted
software as well as regulations around
data security. However, it’s not just
a case of preserving confidentiality
and privacy with customer data; it’s
about ensuring that data governance
standards and processes are built
into crucial functions such as
financial reporting and accounting.
How secure is secure?
Although no cloud provider can claim
to be 100% secure, the cloud is now
widely recognised as being no less
secure than much software located
within an organisation’s premises –
and more secure in many cases. For
example, what happens in the case
of a fire or flood? Storing data in an
office or on a local server is much more
likely to be destroyed beyond recovery
than it is when stored in the cloud.
Responsibility for data security rests
with the client organisation, not the
vendor therefore businesses should
do thorough research into third party
suppliers before adopting any cloud
strategy. Any BDO-certified supplier
Today’s CIO
37
Security
is thoroughly – and independently –
audited four times a year to ensure
processes and systems are sufficiently
robust and meet ISO requirements.
Location, location, location
Despite misconceptions that data is
‘floating around in Cyberspace’ it’s
crucial that data is held in several
locations to allow the use of active or
active centres so that an immediate
switch can be made should an incident
occur. Furthermore, an additional
location should be used for regular
data back-up in case of an incident
or breach. According to a recent
survey by iGov, 81% of businesses
suffered a security breach in 2014*,
therefore the location of data has
never been more important.
Only two parties should have
access to your clients’ data: you
and your clients. Moreover, only
employees of the cloud vendor
should have permission and access
to customer’s data. Not only is it
important to preserve confidentiality
and privacy with customer data, it’s
about ensuring that data governance
standards, such as ISO 27001
(Information Security Management)
are built into crucial functions such
as reporting and accounting.
Security as standard
Protection, privacy, back up and
encryption are all processes and
systems that cloud providers should
have as standard. Security audits
to help with compliance such as ISO
9001, SAS 70, ISAE3402 and PCI
38
Today’s CIO
(Payment Card Industry) as well as
planned hacks on your data are vital.
Cloud providers should repeatedly
back up all their clients’ data. In addition
to regular back-ups, data should be
stored and available on request for a
minimum of seven years and should be
covered under European legislation.
Full storm ahead
The benefits of the Cloud are clear – it
can help to empower businesses by
enabling them to access their data from
any location. Costs can be reduced,
as there is no longer a requirement to
maintain your IT system – upgrades and
new hardware or software are no longer
needed. More collaborative and flexible
working practices along with automated
processes harnessed by the cloud, can
help to improve communication and
increase productivity. Furthermore,
your cloud provider can scale up or down
your system and storage needs should
your circumstances change, so that you
can remain focused on the business.
Security should naturally be at the
forefront of an organisation’s mind –
after all, failure to comply with data
standards can expose customers’ (and
businesses’) confidential data to costly
risk, often damaging an organisation’s
reputation. By partnering with a trusted
cloud provider, you can rest assured
that your data is safe, whilst you focus
on getting ahead in the cloud.
*https://www.gov.uk/government/uploads/
system/uploads/attachment_data/file/307297/
bis-14-766-information-security-breachessurvey-2014-executive-summary-revision1.pdf
Further information
Twinfield UK, part of global
information business Wolters
Kluwer, is in the business of cloudbased accounting, an area where
there is a fundamental need for
secure online collaboration between
accountants and their clients.
www.twinfield.co.uk
www.wolterskluwer.co.uk
www.cch.co.uk
Security
The five pillars of the
Cyber Essentials Scheme
Your foundations to good security,
explained by David Parkinson
MUCH HAS BEEN WRITTEN ABOUT THE UK GOVERNMENT’S
new Cyber Essentials Scheme and why organisations should
take the certification and adhere to the standard. It is to
be applauded in its effort to promote and roll out a basic
standard of cyber security not just to those businesses
looking to bid for certain government contracts, but to all
organisations. Within peer groups and supply chains, all
organisations should be able to demand a level of cyber
hygiene from organisations they share information with
and this is where I think the strength of a scheme like
Cyber Essentials lies. As CREST (Council for Registered
Ethical Security Testers) describes, accreditation at
Cyber Essentials or Cyber Essentials Plus should be
seen as a snapshot at the time of assessment but I
would anticipate that perhaps further variations will be
developed that address this once more traction in the
current schemes has followed the early activities.
Underpinning Cyber Essentials are five key controls
– concise points that can be described in simple terms
and that can be addressed using widely available
tools. That availability is of course important if Cyber
Essentials is to be adopted extensively, though some
thought should be put into the selection of those tools
around their effectiveness, implementation, ongoing
maintenance, interoperability and of course cost.
Boundary firewalls and internet gateways
According to the Cyber Essentials Scheme: Summary
document, Boundary Firewalls and internet gateways are
“devices designed to prevent unauthorised access to or
from private networks”. What may once have been a simple
demarcation point, the perimeter of a private network is
under ever increasing scrutiny as boundaries become complex
and private networks are extended into cloud resources. This
then requires consideration in an organisation’s assessment:
whether any contracted external services are to be included
in the scope of the assessment and under whose control
(and responsibility for compliance) they sit. When choosing
a technology vendor to work with in this area, it is becoming
increasingly important to work with a vendor that has a
clear product set that can address cloud deployments.
While the emphasis of Cyber Essentials is placed on the
firewalling capabilities of gateways, to be fully effective
they should also prevent “unauthorised access” from new
and constantly evolving attack vectors rather than simply
providing stateful inspection of network connections. In
other words these should be platforms on which multiple
layers of protection can work together to stop attacks
from being launched through email campaigns, drive-by
infections by innocent (or curious) web users, botnet activity
and of course the as yet unknown attacks for which we
cannot rely on signature based technologies to stop.
Secure configuration
The second key Cyber Essentials control states that
systems should be configured “in the most secure way
for the needs of the organisation”. Clearly this indicates
that care should be taken in the implementation of the
protections to ensure that some basic system hardening
takes place – for example default passwords on network
equipment are replaced with strong ones, unnecessary
user accounts are removed or disabled and also that a local
firewall be installed and configured on computing devices.
The implementation of such a firewall, installed such
that it can block unapproved requests, could be more fully
extended for example to control which applications are
approved to run on the organisation’s workstations. Further,
it could include mobile computing devices under a Bring
Your Own Device (BYOD) scheme. As these devices may
well store and process sensitive information and connect
to the Internet, they are well within the scope of Cyber
Essentials assessment and should ideally be subject to the
capabilities of remote wipe and sandboxing technology to
keep personal and work data separated. While outside of
the remit of Cyber Essentials, a diligent additional measure
that might also be added with this control in mind would
be a form of document security: applying encryption to a
document rather than encrypting the place where it was
stored, and the application of usage rights for different users.
Access control
The Cyber Essentials control of Access Control relates to
not only who should have access to systems but also that
they should have access at “the appropriate level”. Basic
points are given in the Cyber Essentials summary document
including the need for users to authenticate themselves
Today’s CIO
39
Security
using strong passwords before accessing systems and
applications, though it is also worth considering at this
point the use of a two factor authentication technology.
There can often be ongoing operational benefits
to implementing a something you know, something
you have system (usually a physical or mobile-app
authenticator generating a One Time Password). For
instance, help desk calls relating to strong password
resets can be dramatically cut and Single Sign On (SSO)
projects can be implemented with far greater trust.
In addition to user authentication we should also consider
whether devices should be allowed to join our wired and
wireless networks, and what access they should have to other
devices when they do join the network. A good Network Access
Control (NAC) product should offer a means of segmenting a
network that focuses on a device’s access to other systems, as
an alternative measure to just focusing on the user. In BYOD
projects or where guest and contractor access is common,
a smart NAC system can easily place allowed devices onto
appropriate logical segments of the network where the scope
of their access is limited to that which is really needed.
Malware protection
When the Cyber Essentials Requirements document
discusses the need for anti-malware software it is clear in
its requirement for such software to at least be installed
on computers which are exposed to the Internet. We should
also remember that BYOD projects are in scope for Cyber
Essentials assessment and provision should be made to
include anti-malware software for these devices too.
This anti-malware software should be configured
to scan files automatically upon access and scan web
pages as they are loaded. They must be configured to
update themselves automatically (both application
itself and signature files) and should implement a web
site filter, or blacklist, of known malicious sites.
This sounds a comprehensive strategy for protecting
workstations, though could be taken into account with
the requirement for a personal firewall from the Secure
Configuration control and the probable requirement to
cover mobile devices in a similar manner. Rolled together
there should be a clear benefit to administering all of
these elements together through one “pane of glass” and
a single deployment of “endpoint” technology, let alone
benefits in simplified training and procurement.
Patch management
Cyber Essentials states a key control which requires
software running on computers and network devices
to be kept up to date and patched with latest security
patches supplied from vendors. Even in fairly small
organisations the task of patching operating systems,
applications, utilities and auxiliary programs such as
Java and Acrobat can soon become unmanageable.
By tying in a patch management system to the rest of
the controls aimed at computing endpoints not only allows
efficiencies be made over a piecemeal approach but can
achieve increased security through simplified policy setting
40
Today’s CIO
in a single console. Combined reporting and alerting across
these controls can also give a much clearer picture of the state
of the computing estate within scope of the assessment.
Care should also be taken to ensure that selected firewalls,
Unified Threat Management (UTM) appliances and other
network devices are capable of having their program code
and protection service signatures updated simply, and
most importantly reliably. Where these devices are mission
critical to an organisation, a highly available configuration
should be considered so that managed patch rollouts can be
confidently deployed frequently rather than being saved for
infrequent major release upgrades. It’s worth noting that the
Cyber Essentials guidance is that security patches should be
installed within fourteen days of their release by the vendor.
Summary
The Cyber Essentials guidance presents a narrow program
for improving basic cyber security for organisations to
guard themselves specifically against phishing and hacking
attacks which require low levels of attacker skill, and for
which tools can be found easily online. It doesn’t cover
risk management, which is fundamental to managing
information assets, but instead defines basic controls which
organisations can implement to protect their information.
By considering the implementation of these controls
together carefully however, I would argue that greater
security can be gained than by simply addressing each
control separately. If we can recognise that the Cyber
Essentials scheme is the beginning of a process for many
organisations then it should provide a good starting point to
then consider additional controls alongside a rolling program
of staff training and constant review. These might include
application testing and the use of specific web application
firewalls (WAFs), protection from the increasing number of
Distributed Denial of Service (DDoS) attacks, and measures
to perhaps even particularly safeguard data from, and
provide rapid recovery from, the rise of ransomware.
Further information
David Parkinson works with Wick Hill’s vendors and reseller
partners to raise awareness of cyber security issues and
to put together solutions to the business requirements of
their collective customers. Drawing on a twenty year career
in IT and Security, David has experience as IT Manager,
Technical Consultant, VAR and Distributor. Wick Hill Group
provides secure network infrastructure products and
services to Enterprise, Data Centre and SME customers
alike with its partners from offices in the UK and Germany.
Vendors are presented with the support of a full technical
training program, technical support and a full range of
commercial services for its reseller partners.
Security
The security challenge
of the mobile workforce
By Samik Halai, Integral Memory
GLOBAL ORGANISATIONS ARE EMBRACING NEW FLEXIBLE
working practices which have heralded a new era of the
‘always-on’ mobile workforce. Enterprises of all sizes are
reaping the benefits of employees that have constant
access to their work through mobile devices on a 24/7
basis. This connectivity has been proven to deliver greater
levels of productivity, faster response times and a stronger
management network. The momentum behind these changes
has increased over recent years but what are the implications
for data security and what measures work for today’s CIOs?
In reality, it is not the organisation alone that seeks the
benefits of workforce flexibility. Employees themselves
expect to use laptops, tablets and smartphones as a
seamless transition between their work and private
life. In a recent survey, 65% of mobile workers1 were
found to be using a tablet; a practice which is heavily
biased toward younger workers. Given this profile,
the trend toward ultra-mobile devices is likely to
eclipse the use of desktop and even laptop usage.
Growing economic globalisation is also an influential
factor. Differing time zones between colleagues and
business partnerships promotes an ‘always-on’ culture
where mobile access to email and other resources
offer a critical edge in competitive business markets.
Ultimately the flexible workforce with ‘always on’ access
to corporate resources and data, will be universally
acknowledged as a pre-requisite for company growth.
The impact on data security of this expansion of mobile
devices is a major concern facing businesses of all sizes.
The challenge is to retain control whilst offering employees
a mobile user environment which does not create barriers.
The user experience is fundamental issue which calls for
a data security regime that permits the extended use of a
differing formats of devices across a range of operating
systems. However the danger of devices like tablets are
self-evident and private businesses and public sector
organisations are increasingly torn between meeting the
Today’s CIO
41
Security
needs of remote workers and
their duty to protect company
data from a rising wave of
security breaches and threats.
The reality that 1 million laptops
were reported missing in the UK
in 20122 ensures that this issue
will remain at the top of corporate
agenda in the years ahead.
Effective encryption:
hardware vs software
It follows that the ideal solution
effectively manages the risk of data breaches from mobile
devices whilst maintaining invisible protection and a
seamless experience for the user. Stories regarding lost
laptops reported in the media concern security managers
and workers alike. Reassurance that effective security
measures exist on their device is a key user concern.
Essentially CIOs are presented with two stark choices
in their efforts to protect the company’s mobile devices –
encryption software packages or encrypted hardware devices.
Software encryption
Software encryption is often the low cost route to encrypt
data, if the initial cost of the package is taken in isolation.
However, additional costs may apply in the medium term as
additional licensing fees and support fees (quite common
if you are a business user) are incurred. Similar to on board
operating systems, updates to the software are necessary
to ensure that the security is maintained throughout the
software layers. Given that there are other pieces of
software installed on the machine which are additional to the
operating system, compatibility across the various vendors
requires continuous updates for the encryption software.
Perhaps the key negative factor of software encryption
is that it shares the host computer resources to perform
encryption and decryption of the data. Effectively the
authentication takes place in the system memory and
although this can be ‘on the fly’ it is still using memory
and processor resources to complete these actions. The
natural result is slower performance. Some software
encryption packages utilise a TPM chip to store the keys
but the process is still carried out in software utilising the
same system resources and slowing down the machines
ability to perform other tasks simultaneously.
It is additionally important to be aware that software
encryption can be corrupted or negated. Software
running under an operating system can be vulnerable
to viruses and open to other attacks through a virtual
‘back door’ through the interface between the host
machine’s operating system and the actual software
that is designed to protect the system itself.
Hardware encryption
Hardware encryption can initially be the more expensive
option if one only considers the upfront cost and ignores
the TCO. Most hardware encryption devices do not incur
42
Today’s CIO
additional costs such as licensing or support costs – moving
forward. In essence a one off purchase would cover the
lifetime of the product. As per the name, the hardware
encryption is authenticated and processed within the
hardware of the device itself, using an on-board dedicated
processor. Essentially, it operates independently and
does not utilise system resources such as the host system
processor and memory. Leaving these resources free often
gives the user a better experience, whilst still maintaining
a high level of protection. Hardware encryption devices
encrypt and decrypt data instantly and the majority are
unnoticeable to the user and offer 100% mandatory
encryption of all data. The hardware encryption does not
install itself over another software system (such as operating
system) so it is zero footprint and does not require any
software installation on the host system, this makes it less
vulnerable to viruses or other attacks of that nature.
The future for all companies is mobile. The drive toward
remote workforces is coupled with a need for all employees to
be ‘always on’ through mobile devices. Ultimately this will bring
extra strain to bear on CIOs and data security managers who
already have to contend with a rising tide of external threats.
The way forward for any informed mobile security strategy is
the need to provide effective encryption on the devices that
employees prefer to use; laptops, tablets and smartphones.
It is also essential that these encryption methods whether
software or hardware based do not present an obstacle to
the user experience. Delayed boot-ups, constant upgrades
and slow systems must be avoided if encryption measures
covering a growing mobile infrastructure are to succeed.
References
1. IPass
2. The VAIO Digital Business 2013 report by Sony.
Further information
About Integral Crypto
The Integral Crypto range of 256-bit AES Hardware
encrypted drives is trusted by a rapidly growing customer
base, across both private and public sectors – worldwide.
A growing awareness of the dangers of data loss and with
wider penalties aimed to punish instances of poor data
security – Crypto drives have met with a spontaneous
demand. All Crypto models carry highly-regarded FIPS
140-2 certification. Importantly, the technology is bios
independent making it the only SSD available on the market
that utilises its own program to activate and manage the
encryption and enforcement of usernames and passwords.
Essentially a dedicated processor is located ‘on-board’ the
SSD and manages the encryption/decryption tasks without
sharing resources with the host system.
Telephone: 0208 451 8700
Email: sales@integralmemory.com
Web: www.integralmemory.com
Technology & Innovation
Testing, quality and the quest
to meet customer expectations
By Darren Coupland,
Vice President – Testing Services,
Sogeti UK
IN THE NEW ‘ALWAYS ON’ AND DIGITAL WORLD, USERS’
expectations of a high quality, seamless digital customer
experience are becoming increasingly elevated. Because
of this, CIOs are often caught in the middle between
traditional business IT, and having to support new
technologies – such as Social Media, Mobility, Analytics
and Cloud (SMAC) and the Internet of things – as well
as the growing importance of cybersecurity, in order to
support growing needs from the CEO and wider business
as it becomes more digitally capable. Technology is
changing and so the CIO must adapt to these demands.
Moving to digital can provide an organisation with a
wealth of benefits in the areas of customer acquisition,
engagement and retention, and if we consider the
internal users this also encompasses knowledge
management, productivity and improved motivation.
However, with user tolerance for poor performing
applications at an all-time low, and Social Media providing
a forum for instantaneous feedback which can easily
go viral, quality must increase. The effect of not taking
this on board can be expensive – not only in terms of
cost but also reputational damage of your brand and
organisation. Now is the time to address this by focusing on
increasing quality, security and improving the QA function,
leveraging new technologies and processes to do so.
The latest World Quality Report1 shows us that the
proportion of the IT budget allocated to QA and Testing grew
at a record breaking rate from 18% in 2012 to 26% in 2014
in order to support the move to digital. However, spending
alone is not enough – there are a number of challenges
to consider and overcome which I will explore shortly.
The testing landscape
Here’s a snapshot of the testing landscape supported
with findings from the latest World Quality Report,
showing how digitalisation affects the industry and
setting the backdrop for CIOs who want to support
the business’ drive for competitive advantage.
I already mentioned that QA and Testing budgets have
increased, and it seems that digital transformation is also
driving a shift in the way they are spent. New development
projects that support the digital strategy now account for
more than half of spending, with only 48% going to BAU,
maintenance etc. Of this, there has been an increased adoption
or support and delivery of digital (SMAC) technologies:
Social now accounts for 15% of new development work,
Mobility 17%, Analytics and Big Data 40% and Cloud 27%.
Other trends highlighted in the report include an increased
use of tools and a change in the skills required from test
resources to be more technical (for example the increased
prominence in roles such as Software Developers in Test),
and use agile and automation by default. Spend on tools and
personnel also increased year on year between 2013 and 14.
Processes and mind-sets are evolving to enable fast,
continuous delivery. In fact 93% of respondents say that
they are experimenting with or fully using agile methods
which help to increase flexibility and fast responsiveness.
All of this opens up new challenges for the CIO and testing
team...
A whole world of new challenges
The move to digital is being embraced by many organisations
and government departments, where “Digital by Default”
has become the mantra. This is great for the consumer and
employees however creates additional challenges for QA and
Testing teams, mainly due to the increased level of complexity
of test environments and no second chance when it comes
to quality. The whole buying/using and customer service
process must be delivered and made available perfectly,
wherever the user chooses to access it and to top it all, it
needs to be fast, there is no customer service agent who
can cover up poor system performance by having a chat
about the weather or last night’s television. This would be
difficult enough on one device, but with the explosion of
variants of mobile phones, tablets, e-readers and smart
devices available this can seem extremely daunting.
According to the World Quality Report, 53% now
carry out mobile testing, with a focus on security,
performance, validating the customer experience,
compatibility and regression. Yet there appears to be
issues around the tools, devices and processes that
are needed to support this relatively new field which
also cross into traditional application testing.
Today’s CIO
43
Technology & Innovation
Testing tools have improved over recent years, though
now the proliferation of tools available has created new
challenges in its own right. Do you pay for the best tool
on the market or go down the open source route? And
do your testing resources have a high enough degree
of technical expertise to use them effectively? A tool
is only as good as the person using it, after all.
Along the technology lines is the use of cloud
– migration has gained momentum but many still
cite concerns around security as a key reason for
not moving across. I will touch later on why cloud’s
benefit far outweigh any issues you might see.
Security on its own is also a key factor in terms
of securing applications and data to prevent
against breaches, particularly on mobile and
digital devices which typically have less security
controls than would be found on a desktop.
A real challenge though has to be how to deliver digital
projects fast enough to keep up with business demand.
Key troubles in this area include the adoption of agile
and DevOps, plus how to spin up environments fast
enough to still be able to test early in the development
lifecycle. Agile is no silver bullet and though methods
are widely adopted, 61% still have trouble deciding
the right methodology for their business.
So how do you address these pains and ensure IT and
testing are aligned to the organisation’s digital goals?
2. Processes and mind-set
Though it does have its own problems, working in an
agile environment is beneficial, with two caveats: you
must find the right agile methodology for your business
– whether this is SCRUM, Kanban or a tailored mix of
many available options – and you must be willing to
undergo a shift in mind-set from top to bottom. Without
these two things you will experience difficulties. The
same goes for DevOps, Continuous Integration etc.
Introducing thorough mobile and omni-channel testing
– whether in-house or with a third party specialist – is
essential for delivering the desired levels of performance
and functionality, and measuring that customer experience
is a must. Ensure you have the ability to listen to your
users and make changes when they find a problem –
otherwise you will lose them. Crowd testing can be a great
way to achieve enough test coverage, and to validate the
customer experience. In addition, notifications on devices
which prompt user interaction (i.e. beacon technology
where a user uses an app in store and a notification is
sent to the device to encourage purchase in some way)
is a growing trend which needs to be considered.
Finally, run security testing during QA or within the
production environment. Penetration testing right at the
end of the development lifecycle is no longer substantial
enough. To avoid security breaches and reputational
damage similar to that experienced recently by Sony
and Apple, you must test at the application layer too.
So CIOs can manipulate digital transformation to
their advantage and help the business in outstripping
its competitors. Leverage tools, understand new
technologies, focus on a multi-channel customer
experience, work in a flexible manner and, above all,
develop a deep understanding of how these elements
can both align with and drive the main objectives of the
enterprise.
Reference
The action plan – fight your corner
Do not fear. The above might seem impossible to
overcome but it isn’t. I believe there are two different
angles to consider here:
1. Tools and technology
Whilst tools do create challenges of their own, they can be
enormously useful if you have the correctly skilled resources
in place. Automation and accelerators are great for speeding
up the testing process, and if your team can define an
adaptable automation framework to address the rising need
for regression and compatibility testing across devices
then you will begin to reap the benefits in the short term.
Using Service Virtualisation with test environments
will allow you to test earlier which will reduce the number
of costly defects you find later in the process, whilst the
cloud will provide you with additional capacity for your
environments and the option to spin them up, create
templates, and use them almost instantaneously. Gone are
the days of waiting a long time for a new environment.
44
Today’s CIO
1. Published annually by Capgemini, Sogeti and HP
Further information
Sogeti is a leading provider professional technology
services, specialising in Application, Infrastructure and
Engineering Services and delivering cutting-edge testing
solutions. OneShare is our unique, cloud platform and
toolset for managing development and test environments
and supporting agile, CI and DevOps. Agile services include
adoption and roadmap workshops, development, testing and
training. Sogeti Studio for mobile testing provides access
to experienced onshore resources and regularly refreshed
devices, on demand. Our solutions are innovative, scalable,
customisable, and designed to benefit your business. For
more information please call us today on
+44 (0) 20 7014 8900, or email enquiries.uk@sogeti.com.
Technology & Innovation
The CIO route
to business hero
By Derek Britton,
Director, Micro Focus
IN THE LAST FEW YEARS, CIOs
have been under pressure to escape
the technology trap and become
‘business heroes’. While the sentiment
is widely accepted, the reality is no
mean feat. It requires a balancing act
between integrating new, disruptive
technologies that deliver innovation,
while continuing to extract maximum
value from core IT assets and managing
operational challenges. This must
be managed while also navigating a
changing landscape of C-suite roles
and responsibilities, which is confusing
the strategic impact of the CIO.
But help is at hand in a pragmatic,
practical guise: IT modernisation can
act as an effective bridge that helps
the CIO tackle these hurdles and
reclaim their role as business hero.
Integrating disruptive
technologies
According to Gartner, “CIOs face the
challenge of straddling the second
era of enterprise IT and a new, third
“digitalisation” era.” Cloud, mobile,
BYOD, big data, virtualisation and the
ever increasing demands of the end
user are now must-haves. IDC predicts
nearly one third of total IT spend will
focus on these new technologies. Many
commentators agree on the continued
expansion and proliferation of mobile
technologies and the rising belief
that, in a maturing digital market, this
is now the ‘age of the application.’
CIOs are tasked with moving their
business into the new IT era and digital
world to capitalise on innovation
strategies. It means their organisation
must more easily ‘consume’ core
IT services, both for employee and
customer purposes. The rub is that
many of these services rely on trusted,
longstanding applications that typically
sit on a mainframe, making their
integration and alignment with new
disruptive technologies vital if both
investments are to be maximised. An
application modernisation strategy
can turn the mainframe into an
enabler of disruptive technologies,
helping businesses take advantage
of mobile, BYOD, big data and the
cloud, while delivering a solution
proven to be cost effective.
With new channels being added
to IT environments to enable
mobile and internet capabilities,
Today’s CIO
45
Technology & Innovation
CIOs are also facing increasing pressure to support new
devices that can access applications held on IT such as
the mainframe. The problem is that text-based, function
key 3270-based applications, referred to as ‘green screen’
apps, have outdated user interfaces that turn users off.
Research* has uncovered the full extent of this issue.
Of the 590 senior IT decision-makers in organisations
with mainframes that have green screen applications,
more than half didn’t feel that their applications – on
which their business processes depend – were doing
‘a good enough job.’ The survey highlighted the need
for applications to improve drastically or businesses
could face losing out to the competition. By deploying
a modernisation strategy, such apps can enable new
devices to ‘plug in’ to the current infrastructure and
make new mobile and BYOD implementations a more
viable, low cost and low risk prospect – without the need
to code. With mobile, web and desktop connectivity,
access becomes a 24-7 business opportunity.
Tackling operational challenges
The growing complexity of the new IT world, together with the
demand for immediate results from business stakeholders
means CIOs must find a way to efficiently tackle the dayto-day operational challenges, freeing up time to deliver
the volume and quality of services that businesses need.
But this ‘time to value’ equation has two tough obstacles
standing in the way – IT backlog and compliance.
IT backlog, or ‘IT Debt’ as it was coined by Gartner back
in 2010, relates to the backlog of incomplete or yet-to-bestarted IT change projects. A recent study saw 590 CIOs
around the globe estimate it would take an average of $18
million to address their maintenance backlog and bring
their application portfolio up to date – up from $11 million
18 months before. Gartner estimates that within the next
12 months, the global IT backlog, in dollars terms, will have
grown from $500 million in 2010 to reach $1 trillion. Aside
from the obvious cost implications, this work demands
resources which would be better utilised for innovation
projects needed to maintain a competitive advantage.
In addition, compliance requirements like ISO27002,
Basel III, FACTA and SEPA merely complicate the matter.
Regulatory compliance is a pressing concern for many IT
departments, but it takes time, effort and prioritisation to
update the necessary applications. And on top of that, it
takes focus away from delivering what really matters back to
the business. Governance, risk and compliance projects are
unplanned, non-negotiable IT milestones with far reaching
consequences. Meeting regulations with finite IT resources
is a challenge that limits the ability to focus on innovation.
In both cases, more and more IT leaders are implementing
a modernisation strategy, using technology that transforms
mainframe application analysis, development, testing and
workload optimisation. By continually but gradually changing
and updating core business applications through software
development and testing, organisations can turn legacy
into legendary applications that keep up with business
demands, while meeting the time to value challenge.
46
Today’s CIO
The changing shape of the C-suite
The evolving nature of businesses is reflected in the
boardroom.
Three years ago, Gartner predicted that by 2017 Chief
Marketing Officers (CMOs) would spend more money
on IT than CIOs, triggering a continued debate about the
transfer of power and the marginalisation of IT. More
recently, the emergence of the Chief Digital Officer (CDO)
has introduced a new dimension to the debate around
the role and responsibilities of the CIO. During 2013 in
the UK, the number of CDOs doubled to 500, and they
were forecast to reach 1,000 by the end of 2014.
A recent global report by Ernst & Young, which
surveyed 300 CIOs and 40 C-suite executives confirmed
there is a strong need to refresh some of the outdated
perspectives that other executives still hold about the
CIO role. Related to this is a perception that CIOs have a
higher regard for the value that they bring to the business
than that seen by their C-suite peers. For example, while
60% of CIOs strongly believe that they help enable
fact-based decision making in relation to corporate
strategy, just 35% of their C-suite peers agree.
The research highlighted the impact of this dichotomy.
Too few CIOs are currently regarded as true members
of the executive management team, with less than
one in five holding a seat at the top table and less
than half involved in strategic decision-making.
If CIOs are going to deliver on the potential remit
of the role, the potential of IT and secure a position at
the boardroom table, there is an imperative to break
out of the technology trenches and deliver businessled innovation that will capture the attention and
support of the executive management team.
To succeed in an ever more complex and challenged
role, CIOs need to find smart, innovative ways of keeping
pace with technology and change, while maximising the
value of core IT assets. Modernisation is the strategy
that’s turning aging infrastructures into innovationready IT – and CIOs into business heroes.
* Research commissioned by Micro Focus
Author information
Derek Britton is an IT professional with over 20 years
software industry experience. A computer science graduate
from De Montfort University, Derek has held a variety of
software engineering, consulting and product management
positions in the IT industry.
Derek is the Director of Product Marketing at Micro
Focus, the leaders in enterprise application modernisation,
where he is responsible for value proposition and messaging
across a portfolio of software products including the Micro
Focus Enterprise and COBOL solutions. Find Derek on
Twitter at @derekbrittonuk.
B U S I N E S S I S E V O LV I N G .
Cloud, Mobile, Digital and Security are changing your
priorities and the way projects are delivered.
The customer is king and thorough Testing and QA are more important
than ever for achieving competitive advantage with a first rare user experience.
Let Sogeti guide you through these changes – our world leading Testing solutions are
innovative, scalable, customisable and designed to benefit your business.
Leader - Application
Testing Services
(Gartner, 2014)
Leader - TransformationFocused Testing Services
(NelsonHall, 2014)
www.uk.sogeti.com
Leader - Outsourced
Testing Services
(Ovum, 2014)
+44 (0) 20 7014 8900
Be the Master of the
IT Infrastructure
Are you sure you are getting all your emails at the moment? What about
that expensive virtual environment – is it really working to its potential?
If the internet seems a little slow today, is someone in your organisation
downloading large video files again?
Why not have a look at PRTG Network Monitor, a great piece of
German engineering?
PRTG allows your IT personnel to keep track of the availability and performance of your entire IT infrastructure and intervene quickly where necessary.
MOBILE
APPLICATIONS
HARDWARE
VIRTUAL ENVIRONMENT
SOFTWARE
PRTG will enable significant improvement to your staff’s productivity and your department’s reputation within your organisation.
Stop wasting time fighting fires – start becoming the IT master!
Paessler AG
info@paessler.com
www.paessler.co.uk
513708/EN/UK/20150211
Technology & Innovation
Wireless “induction” charging –
the definitive guide
By CMD Ltd
WITH THIS GLORIOUS TECHNOLOGICAL
bloom we are currently in, we are
seeing more and more futuristic
developments every day. The front
runner of this pioneering time is the
wireless charging module, currently
developed to provide additional battery
juice to those flagging smart phones.
Smart phones in the 21st century
are a mission critical device in
the day to day success of every
company, be it a small enterprise or
an international corporation. This
has seen some downright crazy and
bizarre developments in smartphone
technology. Let’s be fair, who would
have considered talking to your phone
in order to conduct a web search? On
the flip side this dependence on mobiles
has seen some pretty helpful and now
essential advances, although sadly
the battery life of the aforementioned
phone hasn’t been one of them.
One thing that has changed
drastically however from the phones
of old is the quality of phone charger.
The trusty Nokia 3310 never required
you to buy a new wire every 4 weeks
at £10 a piece did they? Nor did they
have a detectable wire that is ever so
easily lost or left behind preventing
your phone from receiving the
sweet nectar of electrical charge.
This, in my humble opinion is why
smartphone wireless development
has been at the fore front of the
“wireless revolution”. Wireless
charging maintains safe, reliable,
cable free transfer of power ensuring
each and every mobile device is
forever charged and ready to go.
What is wireless charging?
Wireless charging also known as
“Induction Charging” is the process
of electromagnetic energy transfer
between two devices. To explain this
in terms that are palatable, wireless
charging allows you to charge a
compatible device by simply placing
it onto an induction charging module
without the need for cables or wires,
hence the term wireless charging.
Basically wireless charging
does exactly what is says on the
tin, now that’s all well and good
but how does this magic work?
Well let’s take a look shall we…
The principles of wireless
charging & how it works
Now I understand that to many
“induction charging” might seem like
something from Hollywood science
fiction, but it’s actually nowhere near
as far fetched as you think. In fact
the technology behind this invention
has been kicking about for a while.
Nikola Tesla, for those who don’t know
who this man is, was a Serbian American
inventor from Croatia, who first set out
the principles of wireless charging. He
demonstrated wireless power as early
as 1891 and even claimed to wirelessly
Today’s CIO
49
Technology & Innovation
power an electric car in 1930 which achieved speeds of up
to 90 mph. More recently, before wireless chargers hit the
market, this tech was seen in everyday items like electric
toothbrushes. In a nutshell it’s how they keep their charge.
However I digress, in short wireless charging is the process
in which an electrical current is transferred between two
objects through coils. If you prefer the more technical
explanation, induction chargers use an induction coil to
generate an alternating electromagnetic field from inside the
charger whilst a second induction coil takes the generated
power in the form of the electromagnetic field from the
charger before converting it back into the standard electrical
current to charge your portable devices battery. Simple.
Qi – what is it?
For many people listening in on the buzz generated by the rise
of wireless charging you will be more than familiar with Qi.
But what does it mean? What’s it about? And how do I use it?
Well Qi (actually pronounced as Chee) is quickly becoming
internationally recognised as the standard by which all smart
phones with wireless capability must adhere to. If something
has a Qi wireless charging logo it means you can quite simply
drop your compatible device onto the wireless charger and
it will charge without the need for adapters or cases.
One of the main reasons for Qi development is to generate
a standard and symbol that people from all countries can
understand as the sign for wire free compatible charging,
while Qi is hoping their logo will become a key consideration
in the buying cycle for new smart phone consumers.
To finish off it’s a lot safer with no exposed connection
but most of all this technology is only in the infant
stages of its life. If it stays on this same path in
the near future we will see Qi or induction chargers
popping up all over in towns and cities whilst the same
tech will be transferred into many other devices.
Don’t get left behind and stay ahead of the game.
Compatibility
In theory every smart phone should be capable of
wireless charging with some kind of assistance. Be
this through a coil adapter or a compatible case.
Again this all depends on your phone and we always
recommend consulting the manufacturer to check.
n Smartphone Case
Smartphone cases which turn your ordinary phone
into a wireless wonder are available from a number
of third party suppliers. They contain within them the
technology to transform any phone it fits to support
wireless charging. These come in a variety of shapes
and sizes and charge just like a normal phone.
n Coil Receiver
A coil receiver or wave receiver is a small module
used in conjunction with a wireless induction charger
such as porthole III to allow a smartphone without
QI to charge wirelessly. The Wave receiver includes
an Apple 30-pin lightning charger and a Micro-USB
charger. All you have to do is place the appropriate
connector in your phones charging port and drop
the Wave on top of any wireless charging device.
Why choose wireless charging?
Well there are a number of brilliant benefits of induction
wireless charging, the first and foremost being that it
removes the hassle of USB and cables. Meaning you don’t
have to remember to pick your charger up, no losing that £10
charging wire and no searching for a free socket to plug in and
juice up. Off the back of this it also means your USB slots in
your on desk modules will be free to use on something else
or will be used less therefore increasing their shelf life.
Whilst on the subject of wear and tear it’s worth pointing
out that wireless charging reduces the amount you use
your charging port. You don’t have to keep plugging and
unplugging the charging cable from your device, saving
your charging port, which we all know is something that
can easily be broken on any modern day smartphone.
With this set up your electronic devices are all
enclosed within their respective units meaning they
are away from the external environment. As a result
there is less chance of corrosion from water or the
atmosphere meaning safe and longer lasting charging.
One over looked benefit is the fact that it’s so easy to
charge. This in itself is a benefit, but it leads to a much
greater benefit. You will never have low battery. How many
times have you looked at your phone with 35% and thought
it could do with a little top up, but you don’t want to get your
charger out and plug it in for a quick 10 minute charge? With
an induction charger all you have to do is drop it on for a few
minutes to give your smartphone that extra boost it needs.
50
Today’s CIO
The future of wireless charging
Wireless charging is currently available for lowpower devices and uses, predominantly up to 5 watts.
This is more than adequate for a mobile phones and
devices of that persuasion however the future is
moving towards the higher powered devices such
as fridges, freezers, televisions and even cars.
To bring this a little closer to home in the near future
you can expect wireless charging to jump to tablets and
laptops offer larger coils and a rapid charging experience.
Either way it’s safe to say now induction charging has
gotten a foot hold within our life’s it’s here to stay and
will only grow bigger, better and stronger over time.
Further information
Porthole III
What makes the Porthole III wireless charging module
unique is that CMD have developed a wireless charger that
has an integral power supply so there is no requirement for
a separate USB device to power the module.
This is our very own induction charger and can be used
alongside our wave receiver. Please visit www.cmd-ltd.com
for more information.
Your business
only knows one
speed—fast.
63% of business leaders believe
IT is responding too slowly.
Don’t be left behind.
Learn how the best IT teams are
transforming their function.
Visit cebglobal.com/AdaptiveCIO.
Technology & Innovation
IT monitoring and
business productivity
Dirk Paessler discusses
how IT monitoring
can help to increase
business productivity
AS THE UK CONTINUES TO EMERGE
from the recession, IT has a more
significant role than ever to play in
stimulating economic growth, and
increasing productivity in business.
A study by the Centre for Economic
and Business Research has found
that since the 1970s, technology has
improved efficiency amongst office
workers by 84 per cent. As businesses
start to capitalise on the early stages
of economic recovery, investment in
IT infrastructure is starting to become
a priority once more. IT investment is
growing according to data from Gartner
Inc, with global IT spending set to grow
2.4% to $3.8 trillion in 2015. Enterprise
software in particular is set to see some
of the strongest growth according to
forecasts, rising 5.5% to $335 billion.
However, it could be argued that
this increase in expenditure is not
worth it if underlying inefficiencies in
a company’s existing infrastructure
are not detected and addressed. By
employing an IT monitoring device,
businesses can work towards tackling
these fundamental problems. By
identifying anomalies and bottlenecks,
an IT monitoring tool can address issues
that may be impacting on the speed
of the network, and could potentially
cause network failure if left unchecked.
Supporting investment in IT
IT monitoring software does not remove
the need for investment in IT, but it
can certainly help to direct it and make
it more accountable. By providing
detailed insight into the current status
of a network, an IT monitoring tool
can act as a guide to understanding
Today’s CIO
53
Technology & Innovation
which technologies will provide a
boost to the existing infrastructure.
When a company invests in new
technology aimed at improving
network capability, the product is
expected to work seamlessly, as well
as delivering tangible productivity
gains in a short amount of time. It is the
IT team’s responsibility to make sure
this happens, and with the support of
a network monitoring tool, potential
barriers to effective implementation
can be recognised and limited, therefore
ensuring that the hardware delivers
on all of its anticipated benefits.
Assuring productivity
But it is not just hardware that needs
to be effectively monitored. Office
productivity applications such as
business process management
(BPM) software must also be taken
into account. BPM is a fast-growing
area of investment. WinterGreen
Research has predicted that the
$3.4bn worldwide market will be
worth over $10bn by 2020, as BPM’s
expansion looks set to lead to lower
costs and increased agility. In order
to ensure that businesses take full
advantage of applications that can
help them work more productively, an
effective network infrastructure is
key. IT monitoring software helps to
guarantee this reliability by ensuring
that the network has enough capacity
to accommodate new technologies.
Harnessing innovation
Emerging innovations in the field of
IT look set to present a number of
interesting opportunities for business
in the coming years. Developments
such as the Internet of Things provide
enormous prospects for gains in
productivity, by increasing the speed
of communication and delivering
huge advances in automation. In
the manufacturing sector, the
transformation being inspired by
these technological advances is so
significant that it is being referred to
as ‘The Fourth Industrial Revolution’.
For example, the German engineering
company Siemens is developing the
factory of the future, in which all
parts can communicate with each
other, without the need for a human
54
Today’s CIO
intermediary. The result could be a car
that is capable of talking to the factory;
for example, the vehicle could selfdiagnose a fault, indicate that parts are
required, and influence changes in the
building of the same model in the future.
This revolution offers enormous
opportunities to business, but at the
core of ensuring that the potential is
realised is the steadfast management
of a company’s IT network. IT
monitoring will increasingly play a
vital role in the roll-out of these new
technologies, by making sure that any
faults are registered and addressed
before they can have a negative
impact on network performance.
Helping IT deliver
This increase in automation, as well as
an extended reliance on technology
across all sectors, demands a greater
emphasis on network management,
in order to act as an early warning
system should anything go wrong. As
networks become ever more complex
and investment in IT continues to
grow, any organisation looking to take
full advantage of the productivity
gains today’s technologies and
tomorrow’s innovations can bring
must view investing in IT monitoring
as central to their business.
Author information
Dirk Paessler is CEO and founder of
Paessler, an IT monitoring software
developer based in Nuremberg,
Germany. Paessler leads the
industry in providing the most
powerful, affordable and easy-touse network monitoring and testing
solutions. The company’s software
products deliver peace of mind,
confidence and convenience for
businesses of all sizes, including
more than 70% of the Fortune 100
companies. Founded in 1997 and
based in Germany, Paessler’s global
reach includes more than 150,000
active installations of its products.
TODAY’S CIO
O
TODAY’S CF
Spring/Summer 2015
Do I really need
to worry about
data centres?
the
Adjusting to
cheap oil
new world of
tomers
Are your cus to be?
m
who they clai
s,
Move over boy n
women mea
business too
Sponsored by
Rotterdam
image
trades up its
■
■
■
56
www.spartapublishing.co.uk
Tel: +44 (0)20 7970 5690
40 Bowling Green Lane, London EC1R 0NE
Today’s CIO
TODAY’S CE
O
Spring/Summer
er 2015
Spring/Summ
2015
Ahead in the cloud:
how to keep your
data secure
A sharing eco
no
utilises spare my
capacity
Bishops and
actresses off
er
help to MBA
students
How safe is
data
stored in the
clouds?
Cutting you
carbon footpr r
can cut costs int
too
Sponsored by
Learning & Development
Does risk matter?
1
Disengaging from a ‘self-evidently correct’ process
Dr. Elmar Kutsch and Dr. Neil Turner,
Cranfield School of Management
OUR PROFESSIONAL LIVES ARE CHARACTERISED BY
risk and regular expressions of ‘may’ and ‘might’. Longing
for certainty in, and controllability of, our environment is
commonplace. Increasingly we tend to rely on a process that
is often advocated as ‘self-evidently correct’: the (supposed)
self-fulfilling prophecy of modern Risk Management. Applied
consistently, it serves any context – including IT systems –
and promises gains in efficiency and the comforting ability to
plan our way through the risks in our projects. The major issue
with this, though, is us! We often fail to ensure that we actually
do what is so regularly promoted as ‘good’. We seem to
disengage from that ‘goodness’, leaving us vulnerable to risks.
Is this really true, and, if so, what are the reasons behind it?
It is common for Risk Management to be described
as the single most important process to apply, yet it is
also often cited as the one that goes horribly wrong in IT
projects (e.g. 2, 3). Risk management is designed to assist
in controlling the risks on a project by either preventing
them from occurring or managing the impact if they do, so
that overall objectives can be met. As with other project
controls, it is prescribed in practitioner frameworks and sets
of internal organisational processes. The risk management
frameworks such as those described by the APM4 or PMI5 are
a continuous cycle of identifying, assessing, and responding
to risks. They are designed to be iterative throughout the
life of the project and assist in actively controlling risks.
The purpose of the identification stage is to recognise
potential risks to the project and its objectives. Identification
involves a number of techniques designed to help
stakeholders consider potential positive and negative events,
such as risk checklists, lessons-learned logs from previous
programmes and projects, risk identification workshops,
cause and effect diagrams, brainstorming, and gap analysis.
Assessing and prioritising risks often includes the variables
of probability and impact. These can be quantitative or
qualitative in nature, and often a mixture of the two will be
used throughout the risk register. Finally, the response to
risk may involve actions to reduce the probability of the risk
occurring, the mitigation of its impact, the transfer of that risk
to another party, or just a toleration of the potential effect.
Hence, managers should transform a world of uncertainty
into measurable and controllable risks, by following a
process from risk identification to closure through a
suitable response. So it is advocated. However, although
this makes sense, in our research we observed that that
this is not what many managers actually do. A large number
do not follow the process through to the ultimate stage of
responding to the identified risks, thereby leaving them
more vulnerable. Roughly a third of all risks associated
with critical incidents in IT projects were not actively
managed, with the biggest drop – surprisingly – at the last
stage of the risk management process – responding.
The disengagement at the process stage of
responding to risk is worrying. The reasons are
manifold, but three aspects stand out:
The Lure of Positivity
Knowable risks
100%
Identification
Assessment
Response
94%
80%
Not actively
managed risks
77%
60%
40%
56%
Lure of Positivity;
Lure of Noncommitment;
20%
0%
Figure 1: Extent of disengagement
Deterrent of Powerlessness
Actively
managed
risks
A risk is a concept often associated
with negativity. So, at times, is
the response to it. Responding
to a risk may be interpreted as
an acknowledgement of failure,
the failure to prevent the risk
from existing in the first place. A
response is therefore the obvious
consequence of that failure. As
a result, in order to maintain a
positive ‘image’ of a project – one
characterised by the perceived
absence of risks – managers may
choose to ignore it rather than
respond to it. A response is a visible
action, under the scrutiny and
watchful eyes of stakeholders. Not
responding to a known risk, however,
emphasises ‘out of sight, out of mind’.
Today’s CIO
57
Learning & Development
The Lure of Noncommitment
A risk is an event that has not happened yet, but Risk
Management asks us to commit a response to it. By default,
we like to keep our options open, and in particular to a
fictional risk. Hence, deferring a response until the risk
actually materialises as a real issue is convenient. This
propensity to defer a response is powerful, and this helps
explain why many known (identified, assessed) key risks
were responded to with a severe delay, or even not at all.
Deterrent of Powerlessness
Knowledge is power, as the adage goes. Yet, knowing more
does not necessarily mean that we can exercise power
over our environment. Some of the managers involved
in our study raised the issue that they ‘knew’ a range of
risks, but felt unable to exercise any control over them.
They felt powerless. It is this perception that explains
another form of disengagement from risk response. Time
and effort has been spent on identifying and assessing
risk, yet there the process seems to stop. The apparent
lack of control associated with a specific risk can lead to
little, and in most cases no, dedicated resources (money,
time, etc.) being allocated to the specific risk response.
Consequently, many known risks remained unmanaged
and therefore had the potential to derail the IT projects
we studied. This does not imply that the projects we
looked at all ended in disaster. Quite the opposite, in fact.
Managers showed great skill in managing major issues
and recovering from crises in a timely manner. That’s not
the point, though. Isn’t it a considerable waste if we spend
scarce resources on identifying and assessing risks, in
accumulating ever-greater perfection in forecasting,
if we fail to use our newfound knowledge wisely?
Overcoming these problems is difficult and requires
changing the discourse around Risk Management. We
need to look beyond the mere application of ‘process’. In
order to address the Lure of Positivity, risks need to be
considered ‘normal’ and responding to them understood as
something ‘good’. Changing the atmosphere around risk and
its management is central to this. Negative connotations
need to be downplayed, instead senior leaders must
create and reinforce a culture that incentivises managers
to embrace and engage with risks, rather than ignore
them to maintain an illusionary ‘risk-free’ environment.
Acknowledging risk and the need to respond to it requires
courage and is by no means an indicator of bad planning.
Overcoming the Lure of Commitment is as challenging
as that of Positivity. The costs of a risk response are
immediately visible, whereas the outcome – the risk
event may never actually occur – is not. Responding to
a risk is a ‘leap of faith’, believing that doing something
about it will have the desired impact. Indeed, with the
benefit of hindsight, many responses may not in fact
have had the planned effect, a result of the complex
environment in which they are applied. Managers need
to support action, even given the inherent uncertainty
regarding cause and effect, under the premise that wellchosen responses are generally better than inaction.
58
Today’s CIO
Finally, the desired controllability does not come
out of thin air. The Deterrent of Powerlessness can be
tackled by widening managers’ response repertoires
and increasing their empowerment to deal with a
wide range of risks via greater authority to allocate
resources (e.g. manpower). This allows greater flexibility
to respond appropriately to the risk at hand.
Risk Management – and its failure – is often thought to
be associated with a lack of knowledge. We have found in
many organisations that issues arising in projects were
in fact identified and anticipated, just not dealt with
effectively. The focus of our attention needs to be the on
the identification and assessment of risks, but with an
organisational culture that focuses on pragmatic responses.
Projects are complex and cannot be fully planned in
advance, despite our best intentions. Acknowledging this
at all levels of the organisation and acting accordingly,
thereby remaining engaged with the full risk process, is key
to better project performance. And we all want that.
References
1. This synthesis is based on the paper E. Kutsch et. al. (2013). “Does risk
matter? Disengagement from risk management practices in information
systems projects (European Journal of Information Systems); which
won the Stafford Beer Medal, in recognition of the most outstanding
contribution to the philosophy, theory or practice of Information
Systems published in the European Journal of Information Systems.
A more practitioner-oriented version is also available under E. Kutsch
et. al. (2014). “Bridging the risk gap: The failure of risk management
in innovative IS projects.” (Research Technology Management 57).
2. Nelson, R.R., IT Project Management: Infamous failures, classic mistakes,
and best practices. MIS Quarterly Executive, 2007. 6(2): p. 67-78.
3. Cerpa, N. and J.M. Verner, Why Did Your Project Fail?
Communications of the ACM, 2009. 52(12): p. 130-134.
4. Association for Project Management, Project
Management Body of Knowledge, ed. Anonymous. 2005,
London: Association for Project Management.
5. Project Management Institute, A Guide to the Project
Management Body of Knowledge, in 5th Edition. 2013,
Project Management Institute: Newtown Square, PA.
Author information
Dr. Elmar Kutsch (Senior Lecturer in Risk Management) and
Neil Turner (Senior Lecturer and Director of the Executive
MSc in Programme and Project Management) both teach
at Cranfield School of Management, a leading international
management school, and one of an elite group of schools
worldwide to hold the triple accreditation of AACSB,
EQUIS, and AMBA. Established in the 1960s, the School is
renowned for high-quality teaching and research and strong
links with industry and business. Above all, it is known as
a school that provides relevant management solutions. The
School is one of the world’s largest providers of executive
development programmes for practising managers.
CRANFIELD IT
LEADERSHIP PROGRAMME
Become a more effective IT Leader. Gain the credibility and confidence
to discuss and influence business strategy with your Board.
Key Benefits:
• A broadening of your knowledge base and personal effectiveness
• Improved leadership skills to advance your career
• The ability to shape organisational direction as well as drive business value through IT
• New insights from assignments that have practical relevance to your organisation.
ng
rmi
o
f
e
ns
Tra wledg n
o
o
kn acti
into
For more details call 01234 754570 or email som.action@cranfield.ac.uk
www.cranfield.ac.uk/som/todayscio2015
For a hassle-free visa service
for business or pleasure
to the following destinations:
n
n
n
n
n
China
DRC
Ethiopia
France
Germany
n
n
n
n
n
Ghana
India
Nepal
Nigeria
Oman
n
n
n
n
n
Pakistan
Russia
Tanzania
Ukraine
Vietnam
Visasforothercountriesmaybeavailableonrequest
SecondUKpassportforfrequenttravellers
RenewingexpiringBritishpassports
Weworkbothwithcorporateandindividualclients
Schengenvisaconsultations
Contact us on
+44(0)2078375803
info@cayostravelvisas.co.uk
www.cayostravelvisas.co.uk
Today’s CIO
59
Advertisers’ Index
Absolute Software
29
Bergvik Flooring AB
20
BeyondTrust
26
Cayos Travel Visas
59
CMD Ltd
55
Corporate Executive Board
52
Cranfield Management Development Ltd
59
Data Centre Alliance Ltd (DCA)
Elsevier Ltd
Imation
Integral Memory plc
OBC, 16, 22
2
IFC
6
Micro Focus
51
Munters Ltd
22
Nexthink
13
Ormuco
56
Paessler AG
48
Qlik
Rausch Netwerktechnik GmbH
Schneider Electric
Sogeti UK Ltd
8
14
4
IBC, 47
Titania Ltd
30
Volta Data Centres Ltd
19
Wick Hill Ltd
34
Xtravirt Ltd
11
Zscaler Inc
60
Today’s CIO
32, 33
B U S I N E S S I S E V O LV I N G .
Cloud, Mobile, Digital and Security are changing your
priorities and the way projects are delivered.
The customer is king and thorough Testing and QA are more important
than ever for achieving competitive advantage with a first rare user experience.
Let Sogeti guide you through these changes – our world leading Testing solutions are
innovative, scalable, customisable and designed to benefit your business.
Leader - Application
Testing Services
(Gartner, 2014)
Leader - TransformationFocused Testing Services
(NelsonHall, 2014)
www.uk.sogeti.com
Leader - Outsourced
Testing Services
(Ovum, 2014)
+44 (0) 20 7014 8900
Delivering the action plan
for the data centre industry
Become a member today...
www.datacentrealliance.org
+44 (0) 845 8734587
www.datacentrealliance.org