
OPPORTUNITY NEVER SLEEPS

IT LEADERSHIP IN AN AGE OF
DISRUPTION, COMPLEXITY, AND RISK

William D. Reed
Copyright © 2016 by William D. Reed

All rights reserved. This book or any portion thereof may not be reproduced or used in
any manner whatsoever without the express written permission of the publisher except
for the use of brief quotations in a book review.
Dedication

For Mom, Dad, and Monica



Table of Contents

Acknowledgements
Preface – Opportunity Never Sleeps
Introduction
The Opportunities
The Challenges
Information Technology (IT)
We can do better
Leadership
Overview of the book
Part 1 – Challenges
Chapter 1: Disruption
Chapter 2: Complexity
Chapter 3: Risk
Chapter 4: Cyber Threat Landscape
Part 2 – Enablement
Chapter 5: Business Transformation
Chapter 6: Smart IT
Chapter 7: Risk Mitigation
Part 3 – Transformation
Chapter 8: Change
Chapter 9: Overcoming Obstacles
Chapter 10: Leading
About the Author
Works Cited

Acknowledgements

Writer: William D. Reed

Editor: Dr. Sara McCaslin


Cover Designer: 99Designs (BABARZAMAN)
Preface – Opportunity Never Sleeps

Life is short. Our time is finite. Every day provides us another opportunity. Another
possibility to improve ourselves, our families, our organization, our country, and our world.
Every day, opportunities abound to transform our way of life. And every day, our way
of life is challenged by the possibilities of undesirable outcomes and experiences.
Every complaint, setback, problem, and challenge is a signal to us of the need for change
to the status quo. Opportunity never sleeps.
Introduction

We are living in an Age of Disruption, Complexity, and Risk. The global economy is
undergoing massive changes. Today, businesses sticking with the status quo for too long
are losing market share and confronting shrinking profit margins. The outcomes of
yesterday are not enough for an economy undergoing transformative change in value
proposition and consumer demands. However, for those who think differently, work
smarter, and are ready to lead, there are opportunities to thrive.
The Opportunities
This is the time for all of us: organizations, governments, individuals, customers, and
Information Technology (IT), to make a difference by embracing the rapid pace of
change and the climate of uncertainty in order to capitalize on new opportunities. In this
time there is the potential to re-imagine the way we work, live, and play – to start from
scratch in our garages, to leave our competitors scrambling, to enter new markets, to
think differently.
Every day, all around us, we are exposed to new opportunities. Today we have more
tools, resources, and knowledge available to us than ever before in recorded human
history. These circumstances make today favorable to attaining our goals.
Consider that an Internet search engine company and an online book reseller are now
working with NASA to develop a plan for drones to make deliveries to people’s homes.
The largest phone companies own no telco infrastructure (Skype, WeChat). The most
popular media owner creates no content (Facebook). The world’s largest taxi company
owns no taxis (Uber). The largest accommodation provider owns no real estate (Airbnb).
The fastest growing banks have no actual money (SocietyOne). The world’s largest movie
house owns no cinemas (Netflix). The largest software vendors don’t write the apps
(Apple & Google). The world’s most valuable retailer has no inventory (Alibaba).
Consumers can “deposit” a check with their phone. A doctor can monitor a patient’s
vitals from an iPad on the beach. Online retailers can infer your preferences from your web
browsing patterns and make relevant recommendations. Militaries use technology to
target enemies on the battlefield.
Driven by fundamental advancements in technology, widespread connectivity, and startup
thinking, the conventional ways of doing business and working are being disrupted. What
is possible for each of us today is incredible! The opportunities never sleep.
The Challenges
Disruption
Not every organization will survive this period of rapid change. Not every Chief
Information Officer (CIO) will retain their job. Many IT professionals will find the future
inhospitable. As technology manufacturers go out of business and technology integration
partners are pushed aside, IT will face the threat of being forsaken for the “Cloud”.
Everyone will be forced to change, innovate, and transform. We must adapt if at a
minimum we expect to survive, and definitely if we want to thrive. Let’s explore the
challenges ahead.
“In the next few years, your company could be out of business. By some estimates, 40%
of companies today might not exist in 10 years”, said Cisco Systems chairman of the
board, John Chambers at the Consumer Electronics Show early in 2015. Major change will
be required if we are to survive. He went on to state that companies must disrupt
themselves or risk being disrupted by the competition.
Disruption is an unplanned, unexpected deviation from the norm. It could be a change in
the revenue stream, a new way of charging for services, or a dramatic decrease in time
to market; it could mean alterations to corporate organizational structures, work hours,
and where workers do their jobs. Disruption could also mean changes in communication
patterns and knowledge sharing. Disruption could alter the means of war and conflict, the
means of production, or the way information exchange is conducted. It could be soldiers
in front of laptops plotting the next missile attack on the hill from across the ocean.
Disruption, and the change that accompanies it, is already at work in the world of
business. For example, there has never been a better time than today to start a business.
The barriers to enter the market are lower than ever, and the ability to compete with
more established organizations has never been more possible. The world has gone
digital, with the major economic powers of the world running off of a digital
infrastructure. This digital infrastructure is leveling the competitive landscape and the
playing field. At the same time, this digital world is making an impact on the wellbeing of
the majority of the world’s economy, with adverse outcomes having never been more
serious.
What’s even more astonishing is the speed at which changes are occurring. Disruption in
the status quo is occurring in all aspects of our lives, across the globe – in our nations,
our governments, our companies, and all the way down to our individual way of life. New
opportunities for change abound, and the nature of our digital world has dramatically
increased the complexity of how all this technological wonder works under the hood.

Complexity
One of the challenges of speed in the digital economy is complexity. The ability to adapt
quickly, to see what’s coming, while allowing the business to ideate new possibilities
often means changing the scope of IT projects. This is a very different model than IT has
traditionally been accustomed to. Normally, requirements are captured, vendors and
products are evaluated, integrators are evaluated, and project timelines and budgets are
created. Once started, it’s hard to change course in such projects, especially if there are
too many changes. Today, start and stop is becoming the norm. Agility is the word of the
day.

The digital world we live in is very complex. It is too large, fast, and complex for anyone
to keep up with it in their heads. Many just understand pieces of this digital world. As the
business world continues to embed more processes, services, and products with new
technology, we are now confronted by the complexity trap. A trap that masks
dependencies, exceeds most people’s comprehension, and, when sprung, leaves us unable
to get ahead of the situation. This kind of complexity makes changes to the
environment more challenging and diagnosing problems more difficult.
Another effect of complexity is decision paralysis as we are faced with an unending need
for making more decisions, at a faster pace, and with more uncertainty. Which software
should we use? Which hardware should we commit to? Who do we partner with for
integration? Of the thousands of vendors to use, which works best? It may be hard to
understand, but there are dangers in decision overload. Because we have too many
options, choices, or directions to select from, we end up making sub-optimal choices. This
makes us spend more money than we should, own more tech than we need, and waste
time that is precious.
The question of managing the procurement process, solution integrators, and product
choice can also slow down the IT decision making process. The availability of 3rd party
providers of products and services can encourage self-defeating behavior as they attempt
to gain favor while striving to be chosen. Business decisions are now more uncertain,
investments are cloudier, and we end up taking on more risk than necessary – all too
much for a single person to understand.

Risk
While opportunity stays up all day, it is accompanied by risk. Unwanted outcomes expand
as the opportunities expand. Across verticals, business leaders and IT are under extreme
pressure to adapt to the changing landscape to both survive and thrive. We find ourselves
struggling to balance the importance of maintaining business operations with the drive for
continual innovation and growth, while working in an environment now under constant
threat of cyber-attacks and criminal activities. The risk landscape has many new factors
to consider for the development of mitigation strategies.
The digital world is on fire – awash in business disruptions, extremely complicated
business operations, and seemingly never ending waves of cyber-attacks. In the backdrop
lies the consumerization of IT, along with an increasingly mobile work force and board
level scrutiny. In this environment, business leaders are continuously looking for ways to
mitigate against unwanted outcomes.

“They burned the place down”, said Michael Lynton, CEO of Sony Pictures Entertainment,
who reflected on the cyber-attack in November of 2014 that leaked confidential corporate
data to the public, destroyed data, and effectively shut down their network. It is widely
believed that North Korea was behind the attack.

On the competitive front, imagine being disrupted in the market by a rival that just
released a compelling product offering very similar to what you were about to release. You
suspect a cyber breach when you discover that ten years of IP was leaked out of the
organization.
When the return on investment (ROI) is nowhere near where it was projected…investing in
these technology projects becomes a money pit. They are either completely failing
without ever delivering, or so delayed to market that they are already irrelevant.
While the shopping season is heating up, and our competitor is making changes on the fly
to their systems to capture more customer spend, we are on a technology freeze until
next month to avoid breaking anything.
Risks from technology use run the gamut – going out of business as a result of the
business model being disrupted by a competitor, monetary losses, stock price decreases,
or market positioning slippage. There are pink slips for CEOs and CIOs following cyber
security breaches, failed implementation projects, and slow and broken services that
affect customer facing operations. Businesses are concerned about opportunity losses,
business disruptions, and loss of relevance.
Our everyday lives have never been as intertwined with and dependent on technology.
Technology has wedded itself to virtually all aspects of most business operations. The level
of dependency on technology is so great that many are only now really coming to the
realization of the true impacts of cyber-attacks against the infrastructure that we depend
on.
Boardrooms of large companies are worried about various business risks – reputational,
operational, and cyber, just to name some. They are also concerned about being
blindsided by a disrupter. Boards today have new issues to worry about: Will the dangers
of our new digital economy negatively affect operations, earning them a place in the
nightly news? Will another young upstart company come out of stealth mode and disrupt
their revenue streams?
Getting cyber security risk management right is critical, and the first step is to recognize
that cyber security is a business problem. For that matter, all IT projects are business
projects. And the technology industry as a whole, along with governments, have to have
a common stance against these attacks. We can’t continue to talk of “advanced” and
“sophisticated” when we are not taking advantage of the tools we have at our disposal.
The industry as a whole has to take responsibility for so many flaws in our designs,
infrastructure, and software.

The business impact of technology failures, victimization by cyber-crime, and slow
implementation of cyber security has put IT in a critical position to help their
organizations succeed. At the same time, IT already has its hands full. Keeping pace with
business needs has been challenging, as the number of changes required of the
infrastructure and systems we manage continues to increase. Defending against
sophisticated cyber-attacks is an organizational problem, not limited to IT or Information
Security. Keeping pace with that, in addition to the need for IT to help the business
innovate, are both necessary to survive and thrive in a very disruptive and competitive
environment.
Information Technology (IT)
IT is at the center of these market changes powered by new technology. This has
resulted in the transformation in how we work, live, and play. IT is made up of talented
workers across a wide spectrum. IT is a combination of internal employees, third party
contractors, consultants, technology integrators, vendors, and cloud providers. IT designs,
builds, protects, and supports the technology infrastructure that makes our modern digital
economy possible. Its work ranges from running the service desk, to supporting user devices and
desktops, to managing the servers and storage that run business applications, to writing
the software code, all the way to engaging the C-suite in planning and strategy. To the
business and end users, IT is seen as one monolithic entity that is either helping or
getting in the way of productivity. IT touches almost every aspect of the operations of
business today.

IT has never been under more pressure to deliver for their businesses. No longer just
responsible for keeping the lights on and toiling in the background, IT is needed up front,
to help directly engage the customer experience to drive business growth. Technology is
the engine, data is the fuel, and software code is the brains in the digital economy. IT
has to move up to the front seat with the business to help navigate the uncertain roads
ahead, enable new market value, and confront increasingly dangerous cyber threats.
Today, organizations need IT more than ever before.
However, for far too many teams, in far too many industries, IT is distracted fighting
preventable fires. The speed to deliver business value is slowed down by manual tasks,
countless hand offs, endless meetings, decision overload, and too much finger pointing.
IT is being pulled in too many directions by the constant business changes caused by
market disruptions. IT is mired in the complexity of its own technology to power new
business initiatives, at times making it difficult for the business to use. IT is running in
silos. This is in stark contrast to what should be the focus: helping your businesses win.

And if market and organizational challenges were not enough, IT is under extreme
pressure to avoid unwanted business outcomes and damage from cyber-attacks. As IT
battles to keep pace, it is confronted by criminals, nation states, and terrorists making
use of the very same technology and infrastructure as everyone else to carry out their
acts.
IT wants to be trusted, relevant, and make a difference. IT wants to say “yes” more often
to business requests and be ready when called upon. IT wants to protect their
organization’s brand, keep their systems up, and help their organizations experiment
with new ideas to stay competitive. They want to be an active participant in their
organization’s mission.
IT wants to bring more to the table and help lead the way forward in an age of disruption,
complexity, and risk.
We can do better
The world can do better. The market at large can do better. Your organization can do
better. IT can do better. You as an individual contributor can do better. Only you can
know exactly what that better looks like, but the level of world disruptions on how we
work, live, and play, signal us that the status quo is not safe. The opportunity for
something else is real.

IT is at a fork in the road. In front of us is the opportunity to be the linchpin of our
organizations’ transformation efforts. Unfortunately, there is also the possibility of being
the constraint that holds them back. There is only so much that can be outsourced to 3rd
parties. It's very tempting for some in the business to believe that the cloud will solve all
their problems. When the rubber hits the road, business often finds out the hard way that
IT provides more than just provisioning and servicing tickets. The narrow view of IT that
some in our organizations have loses sight of the full IT value stack.
IT has a responsibility. Our slowness to adapt and grow has at times left the business in
the dark. Even when internal IT has what the business needs, it often does a poor job of
packaging and branding it – and branding is one of the strengths of the cloud. Go to
www.cloud.com, take out a corporate card, and presto: services on demand. Contrast this
with IT, which seems to revel in making consumption difficult – hard to find, slow to
respond, and poor feedback. IT can do better. IT has to be better if it wants to stay
relevant. We can do better.
The confluence of new business opportunities enabled by technology brings along certain
risks that, untamed, can slow down business growth, increase operating costs, and
increase opportunity losses. We in IT must get a firm grasp on the strategy necessary to
deal with technical operations in a way that allows us the time, space, and legitimacy to
make even bigger impacts on the business bottom line.

It is no small task trying to see the possibilities through the noise of compliance, security
FUD, vendor hyperbole, and endless requests from the business. There has to be the right
culture, framework, and mindset in place to thrive and be agile in these challenging
times.
The proverbial tactics are critical to the execution of any strategy. There are no
advancements without the details. The details matter. And when cloud comes knocking
and the business jumps on without IT, they are potentially opening the business up to
unnecessary risk.
Today’s business landscape sees the large established companies trying to hold out against
the young upstarts. With record low barriers to entry, existing business models are
being challenged. As a result, your business is looking at ways to optimize its
operational budget and looking for new ways to engage its customers. IT will often be
called upon to support new initiatives that will promote these goals. One of the most
prominent features of this competitive environment is speed. Speed today is forcing IT to
respond faster than ever before. Becoming faster and more agile is key to IT being
more relevant to business needs.
Leadership
Our world, now digital, is constantly being disrupted from multiple fronts, has grown
extremely complex, and requires a speed of decision making, feedback, and outcomes
never before seen.
It needs IT to lead, inspire, and thrive. That leadership is transformational: it guides,
encourages, and inspires others to work toward shared goals, with a common vision. It
recognizes the challenges and risks, looks at the possibilities, and sets momentum in
motion onto the right path.
As technology dominates the operations and growth of our modern economy, IT is
positioned to help enable their businesses to win in the market. I will guide you on a tour
of today’s business, technology, and risk landscape, and explore the trends by looking at
both the opportunities and the risks. It will help set the framework and mindset to
understand the new possibilities for your organizations, while at the same time navigating the
risk landscape.
IT as a person – you can’t help someone until you help yourself. Put your mask on first
before trying to assist others. IT as a team – contributing and helping the men and
women next to you succeed increases the power of the technology applied to business
use. IT as part of the larger organization – IT is a team within a larger team.
Leadership can be applied broadly. Anyone can embody and live the life of a leader and
make positive change in their organizations. In their own way, each person can add to
the larger collective of the group to create something larger than the sum of its parts. For
everyone in IT, you don’t need a title or explicit mandate to lead.
You will need to understand your sphere of influence. There are those things you can
control, things you can influence, and things you can neither influence nor control. You
need to spend your time and energy on what you can affect.
Overview of the book
There is a need to understand how the digital world works, and how the web of
complexity threatens to hinder business progress. For example, there are unprecedented
levels of dependencies on our modern technology infrastructure, resulting in lurking risks
that need to be addressed.

Technology is both an enabler and a tool for competitive advantage. Getting our
technology houses in order allows us to assist our businesses more. The ability to forecast
new opportunities, and the chance to hold off avoidable risks to productivity, revenue,
and brand reputation, is achievable.
Companies that transform how they operate are delivering IT services to the business
world at record speed in such areas as digital storefronts, back-end integration of new
systems with legacy systems, and mobile experiences – all by using new ways of thinking
and interacting with their customers, with new systems of engagement that leverage our
investment in systems of record.
IT needs a way to think, talk, and approach the opportunities and challenges.

Audience
The target audience for this book is IT. IT is such a broad term. This includes individuals
with titles such as Chief Information Officer, Chief Information Security Officer, Chief
Technology Officer, IT Director, Business Analyst, Project Manager, Server Administrator,
Network Administrator, Storage Administrator, Messaging Administrator, Mainframe
Admin, Service Desk, Help Desk, Information Security Analyst, Incident Responder,
Application Developer, QA, Desktop Support Technician, Enterprise Architect, Team Lead,
and many others. We are I.T.

What does IT do? We write software code that runs the Internet. We manage the
software that runs the datacenters that process the digital economy. We take calls from
end users when they have problems with their computers. We design, install, configure,
and operate the routers, switches, load balancers, servers, hypervisors, mainframes, and
storage area networks. We support the infrastructure that makes it possible to send and
receive email, to take orders from the web site, make it easy for end users to find stuff by
typing amazon.com, instead of 54.239.17.7. We present to the board of directors, interact
with the CEO and VP of divisions on new initiatives. We work on both the back end in
operations and the frontend with the business and their interactions with paying
customers.
IT professionals work in a large and diverse collection of organizations: for profit and non-profit,
of many different sizes, in every industry, such as retail, government, finance, health
care, oil & gas, construction, etc. Some are public, some private, some in regulated industries
subject to HIPAA, PCI, or FTC. All have different business priorities, cultures, and business
models.

While there are many differences, there are some fundamental principles that all of us in
IT can follow that allow us to thrive in this disruptive landscape.
Let’s start bringing clarity to our new world by understanding the complexities and new
opportunities. We need to understand ourselves, the market, and the upstarts well
enough to be relevant. And to do that, we need to be sure we understand the inner
workings: the software that’s eating our world, the convergence in technology stacks and
architectures, and how this can increase our ability to make better decisions faster. We
have to know our weaknesses and plan to address them through continual learning. We have to
look to see how our careers and roles will evolve in the next few years and make the
necessary changes to stay relevant.

Book Layout
We will talk about making IT Leaner, Faster, and Smarter – moving at the speed of
business needs and adapting as needed. We have to make decisions faster. To do this,
our decision-making framework has to be built to handle supporting decisions with
analytics. Talking in the language of the business to inform, learn, and provide feedback
will be explored. We will explore how IT can position itself to execute on this. The
mindsets, the framework, the terminology of business operations will be explored. Why,
What-if, and how will be discussed.
In Part I, we look at the Challenges in front of us: market disruptions, growing
technological complexities, and an increasingly risky business climate. We will discuss a
systematic approach to understanding current and near-term disruptions, complexities,
and risks in order to pave the way for organizational success as defined by the business.
In Chapter 1, we will cover disruption, the business market conditions and the macro
challenges facing most businesses, from the interruption of the status quo, to thinking
differently, to continuous experimentation.
In Chapter 2, we discuss complexity, with the problems of silos, digital disruption, and
convergence.
In Chapter 3, we will look at business risks and the dangers that lurk – from lost
opportunities, to business disruption, and losses.
In Chapter 4, we will look specifically at the risks associated with cyberspace threats.
In Part II, we transition into getting things done through enabling the business via a
systematic approach to conceiving the technical frameworks, architectures, and platforms
necessary, while simultaneously navigating current and near-term disruptions,
complexities, and risks in order to pave the way for organizational success as defined by
the business. In this section we will also discuss how IT can guide their businesses
through the complexities of today’s technology and help reduce the uncertainty around
future investments. Our goal will be to re-imagine how we design our systems, rethink
how we work, and begin to alter the cost model of cyberattacks.

In Chapter 5, we look at helping our organizations deliver value to the market, by
enabling digital transformation, helping the business to improve its decision making skills,
and helping operations become more efficient.

In Chapter 6, we look inward to enable and get fit, build more agile infrastructure, and
become more service intelligent – the making of Smart IT.
In Chapter 7, we talk about the militarization and criminalization of cyberspace as we focus on
overcoming FUD in cyber security, understanding asset protection in a digital
world, the imperative to build agile infrastructure, and the power of adaptive defense in
reducing overall business risk.

In Part III, we discuss transformation, from there to here, from current state to desired
state. This includes a systematic approach to tackling change and transformation with the
assembling of a high performing team built to win and continually improve, while
simultaneously navigating current and near-term disruptions, complexities, and risks in
order to pave the way for organizational success as defined by the business. We also talk
about how to encourage IT to embrace the change we need, learn to more effectively
overcome obstacles as a team, and demonstrate our value proposition. Our goal is to
create our own upward spiral, where we leverage our talents and teamwork to create a
multiplier effect on our organization.
In Chapter 8, we enter the transformation section of the book and dive into a discussion
on change, including how we think about it and whether we should do it.
In Chapter 9, we discuss how all things are possible, unless you live in the real world and
are constrained by real obstacles. We will investigate how IT approaches these
constraints and obstacles, and how we work through or around them to get things done.
In Chapter 10, there is a call to action on the value proposition of what IT has brought
to the table in the past, and what we can add today and into the future.

Call to action
Success will be paved by thinking differently, working smarter, and leading change. Let us
commit to continuously learning new things and producing better outcomes and
experiences.
Let us do more than just survive the day, let us thrive. Let us embrace the uncertainty
and risks, and go do amazing things! For opportunity never sleeps!
Let’s go on this journey together. Let’s learn, explore, and grow together.
This should be used as a discussion framework to orient IT to embrace the challenges
and capture the opportunities.

My call to action is for IT to use this book to lay the groundwork for how to approach the
major challenges ahead. When the status quo is no longer working for us, change is
needed. IT should lead it!
PART 1 – CHALLENGES

The systematic approach to understanding current and near-term disruptions,
complexities, and risks in order to pave the way for organizational success as defined by
the business.
Chapter 1: Disruption

Disruption – the interruption to what is going on, how something is done, the way to think
about something; something that stops what you are doing, draws your attention to a
potential change; neither good nor bad, but definitely something to pay attention to and
address.

The status quo has been interrupted. Disruption is occurring at the societal, market, and
individual levels. As a society, a large number of people have experienced change in how
they live, work, and play. With that has come a change in expectations regarding speed
of delivery. We expect faster service, faster access to data, and the ability to receive
value while being connected everywhere all the time. The relationship between consumer
and seller has greatly changed, with more options to price compare, switch services
quickly, and pay as you go. Market transitions in the form of expanded services, speed of
delivery, and a wide variety of choices have disrupted many markets.
There are various faces of disruption: taking advantage of market conditions to alter
customer perceptions of value to draw them your way; interrupting your current way of
thinking; interrupting what or how you are doing it. Disruption is neither inherently good
nor bad; disruption is a fact of life, and it is key to the nature of market changes that
impact the technological advancements that continue to embed themselves in our way of
living and working. It affects entire markets, individual companies, and individual
workers. It can work in favor of the startup, as well as for the incumbent fending off the
upstarts. It is fundamental to change in order to survive, improve, and thrive in the
market. Because disruption is a deviation from the norm, business leaders are tuned into dealing with
uncertainty; as such, IT needs to understand the implications for their organizations, as it
will affect everything from changing requirements, to new ways of doing work, to how
budgets are approved. Ultimately, new opportunities will be found where your
organization can disrupt the status quo.

Market Interruptions
The technology, the producers, and the consumers are all changing. How they will interact tomorrow is uncertain. The boundaries between industries are fading, and more companies are swimming in other companies’ lanes. The only truth in today’s world is to expect the unexpected and plan to adapt fast.
Customer Experience
It is about more than outcomes in the business landscape today. It is also about experience. Many consumers are willing to pay more for how they feel about their consumption choices. The digital economy allows the technology enterprise of the digital world to coexist and interact with the physical world. Depending on the industry we are in, digital disruption can take many forms and come from many different sectors. Economies worldwide favor the digital storefront, and even businesses whose back-end processes remain hands-on physical work, such as construction, are heavily influenced by technology on the back end. Among the leading technology startups, as well as in traditional marketing, traditional law firms, and the medical field, we find changes in revenue streams where the traditional models of collecting income and profiting from sales had long been static.
Many changes to the stream of income have occurred in the new digital world. To purchase a new item, one can go to a website, but one can also still go to a traditional brick-and-mortar store. Many industries traditionally immune to rapid technology change, especially on the front end, are making many changes on the back end to transform business processes. Customers are also being shaped by disruption. Consider the experience of the customer faced with so many choices: we can pick from 20 or 30 different options in food, clothing, and even music. There is a big fight to capture the attention of the end user, as marketing departments vie with each other to continually improve and innovate on their digital storefronts. Amazon.com is the most obvious online storefront, where you can now shop for food, music, magazines, electronics, books, spare parts, toys, and more. Amazon competes day to day with Walmart, which is expanding from a traditional brick-and-mortar store, where the same types of items can be purchased, to a stronger online presence. They are just the most obvious example of this technology-driven disruption. Most businesses, large and small, in most industries, are seeing dramatic changes in how they do their work.
What is clear is that IT is feeling the effects of this disruption. It is important for IT to understand what these changes mean to the revenue stream, and how IT can best position itself to adapt to the changing environment and always be in a position to help the business win.

Speed is powerful
One of the most distinguishing characteristics of disruption is speed. Changes in market conditions are occurring at a pace faster than traditional strategy turnaround times. The time available to analyze the situation and respond to both competitor and consumer is shrinking. What matters is the time it takes us to detect oncoming changes and to get things done. Often we hear about time-to-market, defined as the amount of time it takes for the business to come out with something new, which could be a new creative idea, a new way of doing business, a new way of engaging customers, or a new way of finding a spot to drill for oil. Most new business initiatives have a technology component. The question for IT is simple: how long will that take? Time is one of the key factors determining competitive advantage when you consider that your competitor may get there before you make a decision, or even figure out what to do.
Disruption threatens your potential growth, so speed is critical, and time-to-market is very important to the business. As IT, we must be very mindful of this and recognize it as one of the key reasons shadow IT exists. We must be agile enough to adapt quickly while remaining in a position to help our business move at market speed.

IT cannot be the reason why time-to-market is delayed. When IT becomes the bottleneck, it becomes a critical issue. When IT is too slow, when it is the reason that the business is slow to market, it decreases the amount of choice the business has, and decreases the velocity, agility, and flexibility in a highly competitive market.
Speed is also a factor in decision making: if decisions for the workers on the front lines of business are taking too long, you could be forsaking the opportunity to maximize sales. From back-end operations to the front end on the assembly line, in the grocery line, or out in the field, decisions need to be made at market speed. Take a retail example: speed is of the essence when a customer has started to leave your store and you realize only later that there was an upsell opportunity. By then you may be too late. Speed is vital to decision making for people on both the front and back ends, and data determines how quickly you can inform your front-line and back-end people.
For producers of goods and services, this has meant that the ability to capture consumer needs and wants is increasingly reliant on more data and more efficient supply chains. For example, incumbents who are still struggling with the amount of data generated and how to put it to use are leaving money on the table, and a lot of it. Patricio Robles reported
the following in early December 2015: “Retailers are collecting more data than ever, but
putting that data to good use is apparently proving to be more challenging than many
anticipated. According to a study conducted by IHL Group for DynamicAction, retailers
around the world lost well over half a trillion dollars in the past year due to out-of-stock
inventory”. [1]
In business, anyone who can supply what is needed for a speed-critical decision is very valuable and can provide a real competitive advantage from a strategic standpoint. Businesses are on the lookout for market shifts. It is a critical skill to be able to see beyond the horizon and better anticipate when and where the shift will happen. A market shift that affects the bottom line affects the growth rate of the company and its outlook. Some say that in the next 10 years, many of today’s companies will no longer exist. That is a sobering prospect, and it means that market shifts are very important. Businesses need to detect these shifts as soon as possible to have the best possible chance of making the changes needed to stay relevant, to stay competitive, and to stay in business. In areas of business need, desire, and unwanted outcome, you can normally find a technology component that gives IT an opportunity for organizational visibility and a chance to make a difference: a chance to lead.
Where does your organization stand?
At any time a business is looking through one, or a combination, of two perspectives. From IT’s perspective, where your business is oriented at any given time gives you leading indicators of the patterns of technology needs and market risks. In each case there will be threats in the form of risks that could negatively affect the bottom line; but there are also opportunities that provide chances for creating new possibilities at the highest point of your influence.
You can also look at these conditions through two different prisms, the first being the status quo. The status quo represents maintaining the current value proposition and continuing to serve customers. Before the age of disruption, this period of stability could last for a very long time. The second prism is thinking differently, which involves feeling the need for a new approach to adding value in the marketplace.
First, let’s look at the incumbent, who has already established its value to its customers. The opportunities here lie in controlling the pace of change with the express purpose of anticipating future competitor pressures and looking at transformation, innovation, and change. The goal is to continually bring value to your customer base while also looking to increase your market share. The threats for the incumbent are the challengers of the innovator’s dilemma: an upstart sprouting up and cutting into your base, and the subsequent loss in market share that results.
Second, for the challenger looking to break into an existing or new market space, which could be a startup or an existing company, the opportunity lies in rethinking your value proposition and market position. This includes looking for and determining gaps in what is not being offered to customers today by reimagining the problems. The threat lies in the inability to break into the market because of the difficulty of taking market share from others or because the market is saturated.

Now for a note on terminology: innovators introduce new methods, ideas, or products; producers, as defined here, are those that create products, services, and experiences and sell them into the marketplace; and consumers are those that buy them.
We are in a world that is thinking differently. As Albert Einstein is often quoted as saying, “we cannot solve our problems with the same level of thinking that created them”. Our business interactions; how we enable business innovation, processes, and services; how we consume new technology; and how we mitigate the new risks introduced by our technology use are all open to rethinking in the way we approach new challenges.

The Faces of Disruption
What are the faces of disruption? They are how we conduct business, the way we connect socially, the way we engage culturally, the way we construct our thinking, the way we create value. They are digital disruption and creative disruption. They interrupt us, crying out, “Hey, stop, listen up, your attention is needed!”
Today, a business has many options for how to provision services, applications, infrastructure, and end nodes. These are consumption models, describing how these resources are procured, paid for, and maintained. Consumption models have garnered the interest of the C-suite. CFOs in particular want to know the effect on cash flow of procuring services as the business needs them.

Consumption models allow flexibility for IT and the business. Some suggest a business might look entirely to the cloud for all its services, but the reality is that most consumption models will take a hybrid approach for the foreseeable future. Most services will continue to be delivered the traditional way, while others will be farmed out to multiple third parties. These third-party services come with a multitude of service-level agreements, payment types, and contracts. One service, for example, might be storage for a three-month period with cloud provider 1, while cloud provider 2 may supply a CRM add-on service that would be too expensive to build in-house.
If a system is mission critical or contains intellectual property, it may be prudent to keep it in-house, while a new customer-facing portal could be built in the cloud and connected to the internal back-end systems. That connection then becomes a trust boundary that must be designed and monitored as carefully as the portal itself. There are many models available to an organization.
If IT doesn’t do it, the business units have shown a propensity to do it themselves, buying services from external sources because they felt IT was too slow to respond. When a developer in a business unit needs to stand up 20 new instances of MySQL and Apache to develop and test a new feature, Amazon or Azure provides speed and convenience.

These consumption models do allow agility. Businesses can be run in a faster, quicker way, but this also has the potential to open the business up to risk: when IT cannot respond fast enough, services bought around IT end up outside its visibility and controls.

Organizational Changes
The incumbents are having to adapt. Digital disruption is forcing organizational structural changes, such as altered reporting structures, division layouts, cost structures, and compensation packages; businesses are changing how they are structured to improve operational flexibility and the ability to adapt to market conditions. Because of the decreased time to make decisions and the decreased time-to-market, the organizational structures of many modern companies are becoming flatter, with fewer intermediaries and faster access between the executive team and front-line employees. New roles are being created with titles ranging from Chief Technology Officer and Chief Innovation Officer to Chief Risk Officer. CIOs and CISOs are interfacing more with boards and having to speak a different language. That gives rise to new opportunities and new skill sets, and it is also a warning for those who are unwilling or unable to make the change.
Lean Startups
The challengers have access to more resources. One of the opportunities that exists today is to create startups inside our own organizations. Lean startups, using the principles of lean thinking, can be run both by small teams working out of their garages and by very large enterprises. The principles are not limited by the size of the company or the type of industry.

Your business can look to a “blue ocean strategy”: instead of slogging it out in crowded areas, your business needs to create uncontested market space and float to the top in innovation, relevance, and value to your customers. We need to ask ourselves whether what we are working on today is doing that. Are we content playing in the same solution and product space as our competitors?
We have an immense amount of knowledge, resources, and market access. Does what we are producing match that? Are we producing the kinds of outcomes and experiences the market wants or needs?
We should be listening around the business to see where our organization stands. Continuous experimentation is a characteristic of startups and challengers: they don’t limit themselves to trying something once, but try again and again, observe the impact, adjust their assumptions, and see what else is possible.
Today, startups have a distinct advantage over traditional business models. We live in an era where small firms, as small as one person, can attempt to start a new business and compete with much larger established companies. The barrier to entry has been lowered dramatically by the advent of technology and other disruptive forces. The disruptive forces present in today’s digital economy allow small, nimble groups of people to try out new ideas, experiment to see what works, and then attempt to take advantage of what does. The barrier to entry from a capital investment standpoint has been significantly lowered, and so has the infrastructure required to start a company. In the digital economy, nearly all the infrastructure one needs to start a business can be procured from external providers, who supply everything from accounting, to HR systems, to marketing and sales tools. Many of the traditional systems that run a business are available online.
An even better benefit is the ability to start and stop these services with little to no hassle, whereas traditional businesses require long lead times with IT to deploy new systems. Young startup companies are able to go to the cloud, provision a sales campaign, try it out, and tear it down, all in a relatively short period of time. With the corporate AMEX card, many things are now available. This is an enormous advantage, allowing many experiments to see what works.
However, larger, more established companies can also take advantage of this. They too have access to the same types of services in this disruptive market, and they too can set up small pockets or branches that are free to take advantage of them.
For example, traditional customer relationship management (CRM) systems have involved a very large and long process for IT to deliver to the business. Long project lead times, lots of customization, lots of integration time, and many stories of failed CRM deployments mean that businesses are now looking to cloud services to deploy this type of solution. Salesforce.com, a great success story, makes it possible for the sales team of your business, regardless of size, to bypass IT and go straight to an established setup. Software as a Service, one of many cloud consumption models, is the most well known, from Dropbox, which lets us share files, to corporate collaboration software such as Google Hangouts or Google Docs. Many systems traditionally deployed by IT are now available directly to lines of business, bypassing IT.
Work Anytime, Anywhere
Disruption in the digital world has opened up new work lifestyle options. From where you work, to how you work, to when you work, we all find that life balance has changed and that the range of working roles has greatly expanded.
No longer restricted to a cable in the corporate office, workers in many industries are becoming more mobile. Employees are conducting work on smartphones, or connecting remotely from laptops while on the road, giving greater flexibility to workers and their industries. This in turn is allowing some companies to downsize and close physical remote offices. Such mobilization means unshackling the worker from the organization’s physical real estate. For the worker in the field, it means the ability to connect remotely, which in turn means more face time with customers and less time commuting back to the office to fill out paperwork. It means optimizing everyday tasks, from expense reimbursement, to timecard submittal, to updating forecast information, to looking up customer records in real time. There are many ways to get the job done in the digital world. Location is no longer a constraint.

Some businesses are following the motto of “mobile first” by building more business apps for mobile platforms, leveraging new collaboration tools, and allowing creative freedom in the professional workforce. There are tradeoffs, however. More flexibility in schedules allows more freedom in balancing home and work priorities, but it also means the business can reach from work into workers’ personal lives, extending from morning to night and into weekends.

Adapt or Perish
There are two types of companies: those that choose to adapt on their own and those that go out of business.
Vendors Landscape
"Cisco has changed more in the past year, as we position ourselves for the future, than
we have any five years before this. Over the past six months, we have reorganized the
entire company. Almost 70 percent of our engineers are now doing something different
for us. We had to do some very painful things like laying off 7,000 people and hiring back
6,000 with different skill sets. We have moved from selling boxes to selling outcomes.”
from John Chambers, Chairman of the Board of Cisco Systems. [2]
The vendor industry is in transition. New companies starting today are growing up in the age of the cloud, requiring less capital expenditure on infrastructure. And with so many overlapping areas, this means direct competition. There is significantly less friction between needs and the means to acquire them, because of the flexibility of financing as operational expense, flexible time commitments, faster turnaround on new features, and shorter contract durations. How organizations view vendors has been disrupted. This is leading to massive changes in organizational structures, product mix, maintenance and service contract structures, and licensing options. It is also resulting in shorter launch periods for new products and services, as well as an increase in software offerings.
To aid in their transformations, foes are entering into arrangements, friends are stepping on each other’s toes in similar areas, mergers and acquisitions are accelerating, and more ecosystems are developing. Many vendors are being forced to adapt their business models to market forces and to young upstarts with new ideas that are disrupting our traditional ways of thinking about the problem space. The disruption occurring in the business landscape is having many effects on the IT field, especially in how businesses want to consume technology.

Traditionally, business requests for new systems would be vetted through the IT department or go out to the vendor community in search of products and solutions. The vendors and manufacturers of hardware and software products traditionally had a direct relationship with IT. But in the age of disruption and the consumerization of IT, vendors are finding that they have to adapt greatly to the changing environment. Major, big-name players like Microsoft, Cisco, HP, Oracle, and Dell have in the last few years been downsizing by cutting tens of thousands of jobs, while at the same time creating entirely new positions with different job requirements and technical focus. These new positions have names like data analyst, cloud architect, software developer, and enterprise architect, all attempts to stay relevant and compete in the marketplace.

Hardware vendors are competing hard against cloud providers as sales of internal IT infrastructure gear, such as storage and compute, steadily decline. In addition, desktop PC sales are declining as they are eclipsed by laptops, tablets, and smartphones.
Vendors also find that the sales process has changed markedly in our new digital economy. Whereas traditionally the vendor’s sales force went out to pitch products to IT, they now find an environment where the focus is shifting to systems and business outcomes.
With many of their products becoming commoditized, most of the information that IT traditionally relied on the vendor for can now be found online, long before the vendor’s salesperson can even get on site to make a pitch. As a result, vendors are adapting as fast as they can by adding professional services, consulting work, and managed services to their offerings. This comes with options for cloud-assisted versions of, or replacements for, an organization’s on-premises solutions. Some companies and vendors are insourcing and spinning out parts of their company in order to innovate, while others are aggressively acquiring additional companies to diversify their offerings. Expect to see continued consolidation, acquisitions, spin-offs, and public-to-private and private-to-public transitions in the near future.
In today’s environment, vendors must partner up to stay relevant. Technology stacks are too complex and varied for one vendor to cover the breadth of customer needs, even in a narrow vertical. As such, vendors are continually aligning themselves in strategic, and sometimes tactical, partnerships to bring a more complete level of service to their customers. Failing to do this invites the risk of being left behind, followed by a decline in market share.
As Clayton Christensen discusses in The Innovator’s Dilemma, the more these vendors go in new directions with ideas contrary to their roots, the more they risk cannibalizing their existing revenue streams and inadvertently disrupting themselves, negatively or at the wrong time. This dilemma helps to explain a common business complaint about vendors: that they are not innovating enough, or that they are too wedded to the status quo with just a little incremental improvement. As new upstarts force even more market changes, established vendors will have hard decisions to make about how they want to confront the innovator’s dilemma.
The entire technology ecosystem is being impacted and disrupted: internal IT, external third-party contractors, hardware manufacturers, cloud providers, software vendors, consultants, integrators, and value-added resellers. Every one of these entities is undergoing significant changes to its business model, requiring changes in go-to-market strategy, service offerings, and revenue model. Some of the largest manufacturers are significantly reducing head count in some areas while at the same time staffing up in new, emerging technology areas.

Partner Landscape
Partners, which include consultants, technology integrators, and value-added resellers (VARs), are also feeling the effects of disruption. Traditionally they implemented their chosen vendors’ products within their specialty; now there is a very big push to add consulting services and managed offerings in pursuit of higher-margin deals. More business is being delivered as packaged solutions, unlike how VARs have operated in the past. Sales commissions based on gross product revenue are shrinking as more items become commoditized, reducing both margins and gross profit.
Many VARs are now acquiring emerging firms to expand their offerings, making acquisitions to gain a national presence, and getting their engineers more training and certification. More and more of them are starting to get into the security field, as security has become a more pressing concern for their business customers. Most VARs are also adding managed services, where they take care of your day-to-day operations.

Rise of the Cloud
Amazon, Google, Facebook, and others have disrupted the market, ushering in the age of the cloud. Upending the common ways of consuming technology, the cloud allows a business to get out of the hardware business and reduce the friction of dealing with the “plumbing” by turning it into a utility service. By offloading “common” infrastructure, the business frees up its attention for the work specific to its own organization. It appeals to the business need for more agility and ease of use.
It has also allowed the perception that IT is too slow to grow. Perception of service delivery speed is colored by what cloud providers show. It is similar in concept to next-day delivery: standard mail through the postal service can appear slow, even though it comes without the extra cost of paying for speed. And cloud providers have created multiple flavors of offerings: Infrastructure-, Platform-, and Software-as-a-Service.
Software-as-a-Service (SaaS) is the most impactful. It is a complete solution, from the underlying hardware all the way to the application itself, with all the operational tasks of maintenance taken care of. It is immediately available for business use. Salesforce, workday.com, and Experian.com are ready to go. Your business users can go to well-crafted websites, get their questions answered, get a free trial with no lock-in, and use a convenient payment system. Just pull out the corporate credit card and you are up and running. Contrast that with the internal process with IT. Note what that flow does not include: anyone asking where the company’s data will live, who can access it, or how it will be retrieved when the subscription ends.

The cloud also provides flexibility for programmers who don’t want to deal with dependencies and just want quick access to virtual environments. More importantly, it gives IT in general an easy way to scale its infrastructure and reduce capital expenditure requests.
Platform-as-a-Service (PaaS) benefits software developers who want to dive right into coding and don’t want to deal with standing up the dependencies of their environment.
Infrastructure-as-a-Service (IaaS) allows IT to scale its computing power much more quickly, and often more cheaply than procurement, for shorter durations.
Chapter 2: Complexity

“It’s really complex to make something simple”, Jack Dorsey, CEO of Twitter

One of the marks of leadership in IT is taking on the challenge of complexity so others don’t have to. Complexity is our enemy if we are the consumer of the product, service, or experience. For the producer, however, it is a necessary friend. Without it there would be no comfort or advancement in human life, for every simple experience in modern life is made simple to use; behind the curtains, in the kitchens, basements, and datacenters, stands a complicated, advanced, and impressive array of technology and people who brought it to life and run it every day. Consider that the next time you flip a switch and the lights come on, pull a lever and water comes out, or click a button on your phone and a box arrives at your door the next day.
If simple were simple to create, everyone would do it. But innovation requires lowering the barrier to consumption in order to succeed in the market, so we need to distinguish between the complexity that is needed to innovate and the complexity that is wasteful and unneeded.
Let’s look at complexity from two perspectives, and from there test whether value is added or not. First, from the market and business view: an organization is most at risk of disruption by competitors when its value proposition becomes stale. This sometimes happens when business operations become bogged down in bureaucracy and waste, doing things that provide no customer value; in some cases no one internally notices until it is too late and market share has been lost. Non-value-added activities can actually slow down service, product improvement, and delivery. They add up over time, but are hard to notice while we are still hitting our goals. This is in contrast to value-added complexity, where there exists the opportunity to enable more competitive value, increase customer retention, and improve the experience, whether as the incumbent or the challenger.
For the second view, from the technology side, complexity is driven down from business demand, the pace of technological change, and IT’s challenge of keeping up. Non-value activities produce technical debt, the accumulation of tasks that have been pushed aside for another day (that never comes) in order to keep up. Extra waste is introduced into IT processes, making them less efficient. Constraints build up over time in the infrastructure, making it progressively harder to change and to monitor. Value-added complexity, by contrast, makes IT an enabler, improving governance, enhancing upstream business offerings, and allowing for a greater customer value offering.
Innovating, providing differentiated services, enabling that new feature, speeding up delivery, and offering more options to customers all require this complexity on the back end. So how does IT help? From the business view, it is about awareness to guide our strategy. On the technology side, it is IT’s wheelhouse to run a lean, efficient system. The challenge lies in how IT is structured and how workflow and resources are shared, and it is exacerbated by the organizational and cultural limitations of silos.

A World of Silos
“We didn’t know those guys down the hall had already spent the last 6 months figuring out the problem and developing a fix for it. It would have been nice to have known before we forked over six figures to hire an outside consultant to tackle the exact same problem for us… I guess keeping costs down is not that important!” Frustrated workers everywhere.
Silos suck! Workers can’t see enough of the big picture to understand their roles and contributions to the company. Valuable data is trapped, cut off from others who could really benefit from it. One team spends money on something that another team already has but won’t share, driving up organizational expenses. We are running organizational structures built in the past and hoping they work well enough to handle consumer demands that call for horizontal teaming. Finger pointing, lagging response, and lack of accountability could very well be the indicators of future disruption.

What are silos? The isolation of systems, processes, departments, teams, and so on from each other. They often appear under separate reporting, budget, and requirement structures. In extreme cases, silos can represent isolation and individualistic thinking. They do provide a scope of responsibility: developers code functionality, the help desk takes user complaints, storage engineers deal with capacity, the InfoSec guys take care of firewalls.

Where did silos come from? They are a byproduct of the way the organization has
developed and been managed over the years. The existence of silos has the potential to
affect mergers, acquisitions, and reorganizations. Do silos provide any value? Yes, but
very limited and in the form of local optimization.
There are three basic types of silos: organizational, process, and technical infrastructure.
Silos tend to hide upstream and downstream, producing friction on workflow, limiting
visibility in performance, duplicating tasks and resources. A silo encourages local
optimization at the expense of global performance.
IT departments that are looking to transform themselves are working to break down silos
to improve service to the business. The marketplace is demanding it, as progress is
capped without organizational global optimization. In technical parlance, the days of
interconnecting IP and IPX networks were challenging. They were islands unto
themselves, with systems having to choose sides. The power of global optimization is
enabled by convergence, collaboration, and operational intelligence.
With its roots in a form of division of labor similar to the rest of the organization, the
internal structure of IT can be very compartmentalized. This inhibits the sharing of
knowledge, initiatives, and problems among teams. It often leads to operational friction,
where getting things done gets bogged down and delayed in a structure not designed for
the kind of speed and response required of a modern digital world. It also leads to
unnecessary complexity. Processes are opaque to business leaders frustrated with
IT service delivery velocity (or lack thereof).
IT has been partially addressing this problem on the technology side by consolidating
services centrally to be shared across the enterprise. These shared resources take on the
SLAs of every additional group that is added on. As such, the security and reliability of the
shared systems must be exceptionally well designed, maintained, and monitored. IT must
build confidence in them, and market them not as servers, databases, and switches, but as
services.
For organizations whose org structures don’t help them improve, that is a
problem that needs to be addressed – we call this an opportunity. Let your competitors
suffer through market irrelevance in their silos. Now let’s talk some tech.

Digital Landscape
A world of 0s and 1s – freed of the constraints of physical limitations, moving at near
instantaneous speed; always on, connected, and increasingly dependent.
Fast, complex, and interdependent, today’s disruptive digital world carries with it perils,
challenges, constraints, and risk. Today’s modern networks are borderless. Many of their
users operate away from the office, or do part of their work remotely. With this ability to
work anytime, anywhere, IT has enabled a mobile workforce that is no longer tied to the
desk. And as a function of outsourcing many business functions, much data and
processing occurs outside the IT-controlled infrastructure. ADP is a popular third party, for
example, or a call center in India taking level 1 calls.
This anytime, anywhere, on any device access has also severely affected maintenance
windows. Given the amount of preventive maintenance, i.e. applying Microsoft patches to
servers, IT knows there are many times when systems need to be interrupted for it.
As the number of managed systems grows, more patching and rebooting of
systems is needed. In addition, services now run processes around the
clock with dependencies on other third-party systems. These challenges come into conflict
with the business need to keep systems online, all the time. The result is fewer and shorter
approved maintenance windows. The impact will be
even more pronounced later when we discuss convergence.
As the number of systems outside the firewall grows, combined with less approved time
to patch systems and an increase in the number of work activities occurring on employee-
owned equipment, IT faces a challenging environment in which to keep pace.
Our Digital World
Digitization has virtualized the physical world. Images, sounds, text, pictures can be
converted into bits, 0s and 1s. Audio, video, faxes, conversations, information, movies are
all free of physical media now. Aided with high speed and ubiquitous network access,
those bits can be transmitted directly to users on their devices around the world.
Our digital world has seen amazing and enabling changes over the last few years. With
high speed connectivity becoming so pervasive around the world, a whole range of new
services are now available. From website browsing and email, we now have voice and HD
video being delivered. How about delivering the newest version of the Microsoft operating
system via the Internet instead of having customers install it from DVDs? Given the pervasive
availability of high speed access, from coffee shops, malls, and airports, we are now location
independent. It has opened the freedom to work almost anywhere. Some new offices are
taking advantage of new speeds to go all wireless, with LAN-like performance exceeding
many wired connections. Homes have more bandwidth than some businesses. Newer
cellular technology also provides high speed access, allowing bandwidth-heavy apps like
video to be delivered.

The younger generation is drifting away from landlines, instead using their cell phone as
their primary phone. Integrated TV, voice, and Internet services over broadband are available. A
wave of new end user devices is expanding the interfaces with computing, offering
options beyond the traditional PC or laptop, expanding to include smartphones and
tablets.
Some new startup companies are forgoing buying their own infrastructure and relying
completely on the cloud to operate. Corporations are migrating off traditional expensive
WAN links and going with higher speed and cheaper Internet connections with VPN to
corporate networks.

The digital world is the Wild, Wild West. It represents an unregulated, lawless world
where anything can happen. The business world has embraced the Internet for business
use. One of the effects of the Internet is the consumerism-led mindset of end users that
it has created – and this mindset has reached all the way to the executive suite. It is
this consumer mindset that dominates people’s expectations, conditioning them for what is
normal, and what service should look like.
Growth of connectivity
The Internet was built by the US Military for connectivity and functionality. It is amazing
to look back at how this need for communication among a handful of nodes in
a research environment could decades later lead to global connectivity that was the basis
for the astounding explosion of new opportunities for our economy and way of life. The
underlying infrastructure, protocols, and systems of the Internet, however, were not
designed for security.

Sometimes it is amazing that anything works on the Internet. The IPv4 address space
was more than large enough to accommodate basic functionality. The explosion in the
number of connected governments, companies, and individuals, and the deluge of diverse
IP-enabled devices today, make IPv6 and its larger address space a necessity going forward. In
our world, we are learning to expect to connect with refrigerators, light poles, and
tractors. In short, connectivity is pervasive.
The IP protocol makes our digital world possible. The infrastructure required to support IP
is pervasive, complicated, and impressive. It is firmly rooted in the physical world – with
the majority of traffic traversing physical cabling. However, there is also a diverse set of
non-cabling infrastructure that allows for users to be untethered. In short, IP is carried via
land, air, sea, and space.
Cabling remains key to our digital world. Underground and underwater fiber-optic
cabling is how telecom carriers connect the Internet’s backbone across the world. In fact,
the global economy is dependent on it, with 99% of all inter-continental Internet traffic
being carried via underwater fiber.

High speed bandwidth is available to both businesses and homes via pervasive
broadband access. The branch office is being reimagined as a result, which in turn opens up
new opportunities for small business and teleworkers. Metro Ethernet options continue to
be offered at lower rates and higher bandwidths like 10 GB. In addition, there is
increasingly higher bandwidth in datacenters, where 10 GB is becoming more common and
40 GB and 100 GB connectivity is also now available. Fiber cabling keeps growing, with
wider coverage and higher bandwidths.
Both the user and his device have been untethered from the wall jack through
connectivity via air, enabling mobility. Mobility allows for the transformation as to where
and how people work. This enablement is made possible via cellular networks (with
3G/4G currently prominent, and powered by cell towers and antennas that litter our
landscape); 802.11x (currently up to gigabit plus speeds); wireless meshes citywide
(providing connectivity as a service platform); and satellite-based infrastructure for hard
to reach locations with limited physical cabling infrastructure access (location-based
services provided by space-based infrastructure for both military and commercial use).
The Internet is a global, resilient traffic delivery system made possible by the Internet
Protocol (IP), IPv4 and IPv6, the Border Gateway Protocol (BGP), and Autonomous Systems
(AS) with Autonomous System Numbers (ASN). DNS, powered by root servers, allows
people to easily navigate the web with human-readable names.
Connectivity provides the foundation for all that is possible in a digital economy. In 1995,
the year that the first commercial traffic was allowed on the Internet, Amazon and eBay
were born. When people, processes, and data are connected, the possibilities are
limitless. Every business process opens up to the possibility of participating in a system
that allows the process to be transformed. That transformed process in turn transforms
how we live, work, make war, solve problems, and tackle mankind’s wicked problems. We
are now looking forward to a future world of human to human, human to machine,
machine to human, and machine to machine communication.
The existence of a free, simplified upgrade process with a few clicks, combined with high
speed broadband, paved the way for Microsoft’s Windows 10 operating system to be streamed to
millions of users over the Internet – no DVD media required. Along the same lines,
consider how you no longer need to go to a rental store to pick up the latest favorite movie,
but rather you can just stream it – this, too, has been transformational in the digital
world.
The systems of record for some of our country’s most critical systems, like banking and
insurance, run on mainframes. As those industries transform to meet market
demands, they are building new services with Systems of Engagement and Innovation
using newer technology, such as extended www services with mobile technology. In that
we see the old and the new working together, extending services with modern web
architectures that work with legacy systems.

Progress builds on existing infrastructure to enhance it. In a world where machines talk to
other machines, the opportunities are abundant. And as your business comes to grips with
how to compete in a very competitive digital world, IT has an opportunity to guide the
discovery process. With every new opportunity come new challenges. Existing
infrastructure and processes have constraints that must be confronted. Against this
backdrop, we must also keep today’s revenue engine up and running, all the while
confronted with the new realities of ever-present cyberattacks. When IT transforms itself,
it is positioned to help the business thrive. But it must come to grips with the complexity of
all this new technology, pervasive connectivity, and delivery-time demands. IT must be
master of the infrastructure that supports the new digital world. However, all this
infrastructure has no meaning without the most important enabler of digital services:
software.
Software is controlling, eating, and infecting the world
“More and more major businesses and industries are being run on software and delivered
as online services—from movies to agriculture to national defense. Many of the winners
are Silicon Valley-style entrepreneurial technology companies that are invading and
overturning established industry structures. Over the next 10 years, I expect many more
industries to be disrupted by software, with new world-beating Silicon Valley companies
doing the disruption in more cases than not.” Quote from Marc Andreessen, former co-
founder of Netscape, in an article titled “Why software is eating the world.” [3]
Marc Andreessen was referring to the prevalence of software in the digital economy, and
the fact that the physical economy also is greatly controlled, influenced, or dependent on
software. Software is everywhere; it is the underpinning of both our physical and digital
worlds; from operating underneath the air traffic control centers allowing airplanes to
move safely, to the cars we drive, the cash registers we use at department stores, to the
transactions we make to purchase a new book online at Amazon.
Software is any set of instructions that directs a computer to perform specific operations.
Software code executes at the lowest level as machine language instructions, telling
the underlying hardware what it needs to do to accomplish its goal. There is system software
for the base operating system, including device drivers and operating utilities. There is
application software, which is what most end users are accustomed to because they
interact with it every day. And there is the software that IT is very intimate with, which runs
backend business processes.
There are millions of lines of software code in multifunction printers at home, and
10,000,000+ lines of software code in smart phones. New automobiles have on average
over 100 million lines of code. Windows 7 has over 40 million lines of code. All the
software used to power all of Google’s services exceeds 2 billion lines of code. [4] That’s
a lot of software, and a lot of lines of code. Those lines run elevators, building automation
systems, cars, fighter jets, and traffic lights. They run the websites where we buy products
online, handle inventory management for retail stores, and power the check-in systems
at hotels.
All these actions in the digital world are being powered by software code; bits and bytes
of instructions telling machines how to operate. Machines and code underpin our world.

As disruptions force a faster response, companies are turning to digital transformations to
stay relevant and to compete. This has put a premium on the need for modern software
developers. Requests for new features and fixes are affecting more and more of the
systems that customers directly interact with on a daily basis. Traditionally, the process
of updating back-end systems was out of sight. Today, millions of people worldwide get
notifications on their phones that an update is available, either for the base operating
system (iOS, Android) or for the many third party applications installed. These updates
are code changes made by software developers to add new features, fix bugs, or to patch
a security vulnerability. This represents a much faster turnaround when compared to the old
days, when it might take a year to produce software code.
The software is now distributed to new systems and processes with a focus on producing
code quickly. The process around developing code is substantially different from the old
traditional method, i.e. the waterfall method, where there were long lead times from
requirements gathering to actually getting the code out, and delivery times of months and
years were common.
New methods, like agile methods with roots in Lean principles, along with the
emergence of DevOps, have emphasized smaller, faster, and more frequent releases of
code to continually add functionality and fixes. In analyzing the actual workflow of
software development, Lean principles identified delays in the delivery process as a
function of how developers and infrastructure personnel worked. These principles will be
discussed more in Part 3, as this opens many new opportunities for IT. Fast iterations of
code changes are happening hundreds and thousands of times per day, to systems which
are in production. These in-production systems allow the business to move at a higher
pace, function at a higher speed, fix bugs faster, add new features, capitalize at the
speed of business, offer something new on your digital front-end, or add new futuristic
features to back-end systems integrating multiple software platforms.
In light of the complexity of the software development landscape, organizations are
looking to streamline the process for multiple coding efforts, especially those involving
integration with legacy systems. Because of this, developers need a more accessible way
to integrate than continually building from scratch in different ways. By developing a set
of routines, protocols, and tools for building software applications, it is possible to guide
how software components should interact. This is referred to as Application Programming
Interfaces, or APIs.
Infrastructure as Code

Infrastructure is a very manually intensive set of systems to configure, monitor, and
change. By taking a system-level approach to life cycle management, we can define how
we want system components to behave, and centrally declare the state we want them
to operate in; whether they be physical or virtual, on premise or in the cloud; compute,
storage, and increasingly network layers with the coming of software defined networking.
This is opening up the possibilities of much faster provisioning, greater visibility, and
elimination of constraints in the data center that tie applications to infrastructure, racks,
and particular datacenters. Also, it is providing IT with another way to be more agile and
more responsive to the infrastructure changes needed to support the underlying
applications that the business requires to operate.
When we look at the role of speed in IT service delivery to the business, and the
criticality of that speed to the business’ ability to respond in a timely fashion to the business
need, we need to take a look at the Mean Time To Deploy (MTTD), Mean Time To
Implement (MTTI), Mean Time To Respond (MTTR), and Mean Time To Repair (MTTR).
These factors go into determining how IT has responded to requests for service, and
yield a number that not only provides a measure of our response time, but
provides a far better estimate of how long it will take to get something done.
If we break down the actual components that make up the service delivery estimate, it
includes the ability to change infrastructure, change software, update end-user software
interfaces, and workspaces. It can also involve the ability to move an employee from one
cube to another, with phone and computer services moving with the employee. Each one
of these items is comprised of individual tasks in the workflow. Accomplishing these
tasks may require not just simple automated commands, but manually implemented
changes. The kind of information needed to accomplish these tasks is coded in the minds
of IT staff, who become a valuable resource themselves.

In addition, IT departments have traditionally been formed as silos: one team does X,
another team does Y, and another team does something else. If we were to map out the
entire process, from the business request to service delivery, we can find 5, 6, or
maybe 10 handoffs between different teams. We can see multiple delays as one task is
completed and the next team is notified, and then that notification may sit on
someone’s desk. Often, service requests involve hours or days waiting for someone
to respond to an email or a request in the queue. There is a delay as the request moves
from team to team, even though, say, the person at the second silo can normally take
care of their piece very quickly once they actually get it. For IT to increase the speed of
delivery, it must remove these constraints, must remove the wait times and idle times,
and must accelerate. Software defined infrastructure provides the potential to reduce that
time.
Digital Software Supply Chain
The 2015 State of the Software Supply Chain Report by Derek Weeks makes the analogy
to car makers, who take care with how they source the large number of component
parts that go into building a new car [5]. There is a huge number of 3rd party and
open source components of code. That has the benefit of focusing valuable developer
time on more unique features, reusing common pieces. Sonatype CTO Joshua Corman
likes to say, the “software is eating the world”. Looking at the 2015 Verizon Data Breach
Investigation Report, Verizon indicated that a significant percentage of the breaches they
studied exploited applications for which patches that would have fixed the bugs had been
available for over 10 years [6]. Code draws on common open source components. Developers often just grab
a copy of code without checking which versions have known vulnerabilities and which
ones don’t.
A disturbing example is Heartbleed. It resulted in lost time and distraction, with a large
number of apps still not patched to this day. Here is an excellent description of it, and
what it does.
“The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic
software library. This weakness allows stealing the information protected, under
normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS
provides communication security and privacy over the Internet for applications such
as web, email, instant messaging (IM) and some virtual private networks (VPNs).
“The Heartbleed bug allows anyone on the Internet to read the memory of the
systems protected by the vulnerable versions of the OpenSSL software. This
compromises the secret keys used to identify the service providers and to encrypt the
traffic, the names and passwords of the users and the actual content. This allows
attackers to eavesdrop on communications, steal data directly from the services and
users and to impersonate services and users…Without using any privileged
information or credentials we were able steal from ourselves the secret keys used for
our X.509 certificates, user names and passwords, instant messages, emails and
business critical documents and communication.” [7]
Encryption is at the heart of the digital economy. Without it, our digital world would not
be what it is today. The assumption for operating commerce is that our communications are
safe from external view. When we browse to secure sites on the Internet, we assume
encryption is protecting us. When the Heartbleed bug was discovered, the scope of the
potential impact was astounding. First, what was the scope? Hundreds of thousands of
sites were affected, as well as hundreds of major vendors’ products, and it struck at the
heart of our digital economy.
This was not a design flaw in the SSL/TLS protocol, but rather an implementation mistake
in OpenSSL – a software coding mistake. It went a long time without detection, even
though it was widely used. We can assume that until tested, security based on
assumptions is simply not adequate.
Without leaving a direct trace, anyone on the Internet could exploit a site, gain
access to the secret keys used for encryption, and listen in on private communications.
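The coding mistake described above was a missing bounds check: the length a peer declared for its heartbeat payload was trusted instead of being compared with the bytes that actually arrived. The following parser is an added illustration, not code from the book or from OpenSSL; it applies the check the fix added, using the RFC 6520 message layout, and rejects a constructed message whose declared length does not fit the record.

```python
# Added example (not from the book or from OpenSSL): a heartbeat-message
# parser that enforces the bounds check Heartbleed lacked.
# Message layout follows RFC 6520:
#   type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding (>= 16 bytes)
import struct

HB_REQUEST = 1
HB_RESPONSE = 2
MIN_PADDING = 16
HEADER_LEN = 1 + 2


class MalformedHeartbeat(ValueError):
    """Raised when a message's declared length is inconsistent with its size."""


def parse_heartbeat(record: bytes) -> tuple[int, bytes]:
    """Return (type, payload) for a heartbeat message, or raise MalformedHeartbeat.

    The defect behind Heartbleed was trusting payload_length and copying that
    many bytes into the response without comparing it to the record size; the
    check below is the one the fix introduced, expressed here in Python.
    """
    if len(record) < HEADER_LEN + MIN_PADDING:
        raise MalformedHeartbeat("record too short to hold a header and padding")
    hb_type = record[0]
    (payload_len,) = struct.unpack("!H", record[1:3])
    # Bounds check: header + declared payload + minimum padding must fit
    # inside the bytes that actually arrived.
    if HEADER_LEN + payload_len + MIN_PADDING > len(record):
        raise MalformedHeartbeat(
            f"declared payload of {payload_len} bytes does not fit in a "
            f"{len(record)}-byte record"
        )
    return hb_type, record[HEADER_LEN:HEADER_LEN + payload_len]


def is_well_formed(record: bytes) -> bool:
    """Convenience wrapper: True when the record passes the consistency check."""
    try:
        parse_heartbeat(record)
        return True
    except MalformedHeartbeat:
        return False


def build_heartbeat_response(request: bytes) -> bytes:
    """Echo a valid request's payload. The response length field is derived
    from the payload we actually parsed, never from the peer's declared value."""
    hb_type, payload = parse_heartbeat(request)
    if hb_type != HB_REQUEST:
        raise MalformedHeartbeat(f"expected request type {HB_REQUEST}, got {hb_type}")
    return (bytes([HB_RESPONSE]) + struct.pack("!H", len(payload))
            + payload + bytes(MIN_PADDING))


# Constructed sample messages for a stand-alone run.
# A consistent request: 4-byte payload, length field says 4.
CONSISTENT = bytes([HB_REQUEST]) + struct.pack("!H", 4) + b"ping" + bytes(MIN_PADDING)
# The same payload, but the length field claims far more than was sent;
# a parser must reject this rather than trust the declared length.
INCONSISTENT = bytes([HB_REQUEST]) + struct.pack("!H", 16384) + b"ping" + bytes(MIN_PADDING)

if __name__ == "__main__":
    print("response:", build_heartbeat_response(CONSISTENT))
    try:
        build_heartbeat_response(INCONSISTENT)
    except MalformedHeartbeat as exc:
        print("rejected:", exc)
```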

The digital supply chain is a critical aspect to look at from a risk standpoint, from where
our software comes from to the middleware that we run our businesses on. It
is critical that IT pay special attention to the entire digital supply chain from beginning to
end. And the communities, government, and private sectors need to work together to
make sure that all our components, from circuit boards, to laptops, to assemblies from
third parties in foreign countries, have assurance of non-interference by potential bad
actors – that the supply chain is secure.
Foreign entities and our own government may have incentives to embed malicious and
secret pieces of firmware and code on component parts in order to spy on private
communications. We also must take into consideration what would happen if the digital
supply chain was interrupted. Software developers have responded to the need for speed
in business, and often speed up the development cycle by making use of existing
software components and modular software building blocks, reusing existing modules to
save time. The logic behind this is simple: it saves rewriting the same
process over and over again. Modules are shared among many different consumers of
software application development, taking advantage of what has already been
developed. That’s a smart thing to do, but we must be wary of components, especially
open source components, which are shared across millions and millions of systems.
Software applications are prone to widespread impact when exploitable bugs are found,
as happened with the Heartbleed bug, which affected millions of websites.
The digital supply chain from beginning to end must be observed, watched, and improved
upon to protect our digital world. Many developers reuse web components, libraries, and
plugins in modern web and mobile apps. In addition, in the mobile space, much of the
infrastructure that supports these apps is the same back-end that supports web apps.
As such, developers not familiar with handling that type of environment can introduce
vulnerabilities.
IT needs a test environment, ideally identical to that of production. If that environment is
not available, then there could be some problems when the code gets into
production. Coders are under extreme time pressure to deliver workable code. At times,
these compressed time frames can come at the expense of sound sanity checking,
potentially leading to vulnerabilities downstream in production. Also making this more
challenging is the fact that not all coders have been trained in the best practices of
secure coding.
Functionality versus security is a battle that is often lost by security. However, we know
that fixing bugs afterwards is more costly and time-consuming. The best time is up front, in the
development phase. This is the critical stage. As more time passes, and more defects are
coded in, the more technical debt builds up and the more time has to be spent on fixing it
later.
This makes the supply chain of the code that runs our digital infrastructure that much
more complex and challenging to keep up with.
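The section above asks for something concrete: checking the components a build pulls in against published advisories before they reach production, including how long a fix has been available. The following check is an added example, not code from the book or from any of the reports it cites; every component name, version and advisory ID in it is a constructed placeholder, and a real check would read an advisory feed rather than the inline list.

```python
# Added example (not from the book or the cited reports): a minimal
# known-vulnerable-component check over a pinned manifest. Component names,
# versions and advisory IDs are constructed placeholders, not real packages or CVEs.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Advisory:
    advisory_id: str           # placeholder identifier
    component: str
    introduced: str            # first affected version (inclusive)
    fixed: Optional[str]       # first unaffected version (exclusive); None = no fix published
    fix_year: Optional[int]    # year the fix shipped, if any


@dataclass(frozen=True)
class Finding:
    component: str
    version: str
    advisory_id: str
    fixed: Optional[str]
    years_fix_available: Optional[int]   # how long a patch has been waiting to be applied


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '1.10.2' into (1, 10, 2) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.strip().split("."))


def parse_manifest(text: str) -> dict[str, str]:
    """Parse 'name==version' lines (comments and blanks ignored) into {name: version}."""
    pins: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, version = line.partition("==")
        if not version:
            # An unpinned component cannot be checked against version ranges.
            raise ValueError(f"unpinned component: {line!r}")
        pins[name.strip().lower()] = version.strip()
    return pins


def is_affected(version: str, adv: Advisory) -> bool:
    """True when introduced <= version < fixed (or no fix exists)."""
    v = parse_version(version)
    if v < parse_version(adv.introduced):
        return False
    return adv.fixed is None or v < parse_version(adv.fixed)


def check_manifest(manifest: str, advisories: list[Advisory],
                   current_year: int) -> list[Finding]:
    """Report every pinned component that falls inside an advisory's affected range."""
    pins = parse_manifest(manifest)
    findings: list[Finding] = []
    for adv in advisories:
        version = pins.get(adv.component.lower())
        if version is None or not is_affected(version, adv):
            continue
        years = None if adv.fix_year is None else max(0, current_year - adv.fix_year)
        findings.append(Finding(adv.component, version, adv.advisory_id, adv.fixed, years))
    return findings


# Constructed manifest and advisory list for a stand-alone run.
MANIFEST = """
# constructed lockfile (placeholder component names)
libcrypto-example==1.0.1
webframework-example==2.3.0
jsonparse-example==0.9.4
"""

ADVISORIES = [
    Advisory("ADV-0001", "libcrypto-example", "1.0.0", "1.0.2", 2004),      # fix out for years
    Advisory("ADV-0002", "webframework-example", "2.0.0", "2.3.0", 2015),   # 2.3.0 is the fixed release
    Advisory("ADV-0003", "jsonparse-example", "0.1.0", None, None),         # no fix published
]

if __name__ == "__main__":
    for f in check_manifest(MANIFEST, ADVISORIES, current_year=2016):
        remedy = f"upgrade to {f.fixed}" if f.fixed else "no fixed version; replace or mitigate"
        age = f"fix available for {f.years_fix_available} years" if f.fixed else "unfixed"
        print(f"{f.component}=={f.version}: {f.advisory_id}, {age}, {remedy}")
```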

Convergence
Coming together, unifying, smaller, less moving parts, more dependent, more complex,
faster, and the future of digital infrastructure and operating models.

Convergence can be described as the coming together of multiple disparate systems to
form one. Convergence is a common concept you’ll hear in the technology industry today.
We will discuss multiple areas of convergence, from the convergence of data, voice, and video
onto a single wire, to the convergence of information technology and operational
technology, to smart systems, i.e. buildings, to team collaboration, or One IT.
Convergence takes many forms, but in our disruptive world, convergence is disrupting
both the digital and physical world. It changes the traditional models of support,
protection, and maintenance. Data and voice was the first convergence IT took advantage of,
a decade ago. In its early years, many thought it would not take off, and that it was a
fallacy to put voice traffic on the network. Traditional PBX systems used to live on that
old PC on the floor of the wiring closet that no one touched. Now it’s multiple virtual
applications running on a modern unified collaboration platform. Making use of available
resources on the wire, voice was added, then followed by video, then by physical security video.
In the datacenter, you see convergence also with storage traffic. Today, convergence is
everywhere.
Internet Protocol (IP) is the industry leading protocol on both private and public networks.
IPv4 is the prevalent protocol in use, with the currently available address space all but
exhausted. Through many workarounds over the years, including widespread use of
Network Address Translation (NAT), we have made it through. IPv6, with its much larger
address space, is on the horizon. We can expect a long period of dual stack routing. IP-
based networks make up the service backplane. Traditional data traffic now has a lot of
company. The network is now a common shared resource, building on a long history of stable and
reliable use. The shared medium is aided by quality of service (QoS), virtual isolation via
virtual local area networks (VLANs), and higher bandwidth speeds (up to 100 GB), making
it a platform for integrated data, voice, and video.
Convergence once again makes it easier to provide for agility in the new construction of
buildings, where a single converged network allows physical cameras, voice, and data
traffic to share a single architecture. It provides resilience and flexibility on new
construction and renovations, no longer needing three separate networking
infrastructures. Now a single infrastructure is all that is needed to run all of these.
Traditional PSTN analog phone systems are steadily being migrated over to digital and IP
telephony. Video, from videoconferencing from one desktop to another, to video
training, and even interactive video, is also being migrated. Traditional security
cameras mounted on the external surface of buildings for security guards to monitor the
perimeter are now being converged onto our data networks. This campus and core
backbone network is now transmitting the video feeds that protect the exterior gates
and the back doors, as well as the internal hallways of physical buildings. As such,
convergence of physical security onto IP is another fascinating aspect. Increasingly, more
buildings are installing new, IP-enabled, high-resolution cameras, whose video feeds
ride on common networks.

Convergence has implications for lifecycle management of the infrastructure, in particular
patching systems: from the network switches and routers that process the packets, to the
storage and compute that store and process the video. Consideration must be given to
how the design minimizes or eliminates the disruption needed for maintenance.
What once was just a printer is now a camera recording activity on the grounds.

Take a look at the data center, where convergence is having a high impact on architecture
design and cost structure. Consider the convergence of data, voice, and video (including physical
security IP video) as hallmarks of the new converged single wire, the converged shared
medium now in the data center. The convergence began years ago with the iSCSI, NFS, and
CIFS protocols sharing storage traffic with data traffic. Now we are looking at Fibre Channel
(FC). FC is the backbone of traditional storage area networks, with characteristics such as
high performance and high security, and it is closely managed by domain experts in storage
administration. FC networks are seen today by many as still off-limits to convergence.
Given the benefits, from fewer moving parts, to shared physical devices, to lower
cabling costs, to lower power and cooling, FC storage is also coming under the realm of
convergence. That convergence is being made possible by enhancements to the
Ethernet protocol to support FC, and also by bigger pipes such as 10 GB, 40
GB, and 100 GB. This allows a large enough highway system to handle data, voice, video,
block level, and file-based storage, all differentiated based on logical separation,
performance, scalability, and security. This allows for a converged fabric inside the data
center, which has implications for the design of data centers, including how storage is laid
out and how the different components integrate with each other. It also has a big impact
on how computers interface with the network, and how the network takes input from other
networks and from computing resources, both physical and virtual.
This also has significant implications for performance, making sure its application writing
out to the disc is I/O, needing preferential to treatment over voice, as well as the call
control, going into a call manager. In fact, complexity actually increases, as the data
fabric becomes smarter and more agile with the ability to carve out virtual lanes for
different resources such as applications or different data, voice, and, video types.
This is a part of agility that IT needs in order to help keep up with business demands. As
business demands change, new applications are brought on line, new characteristic for
disk I/O come about, new characteristic for data traffic arise, from bursty to bulky, we see
that the data fabric must and can handle all the different types of services and
requirements.

And on top of that, convergence eases one of the biggest constraints that IT has faced in
designing the data center, namely getting funding approved for multiple capabilities:
isolation, secure connectivity, performance, and service assurance.
Operational Technology (OT) meets Information Technology (IT)

Convergence isn't limited to just the types of data traffic on the new data fabric. We
talked about data, voice, video, and storage.
But now an emerging trend is the convergence of information technology (IT)
infrastructure with the infrastructure of industrial control systems (ICS), used to control
physical facility equipment, industrial sectors, and critical infrastructures. ICS include
programmable logic controllers (PLC), supervisory control and data acquisition (SCADA)
systems, and other embedded systems. The newer products being sold today often come
with network connectivity built in, both wired (Ethernet) and wireless (802.11 and
Bluetooth). Operational Technology (OT) can be seen in oil and gas and other technical
factories, anywhere with programmable logic controllers (PLC) and SCADA devices
running power plants, or anywhere with controllers running assembly lines.
Traditionally, OT has had legacy infrastructure in place for many decades, often
constrained to what was available at the time because of the cost to upgrade gear. Now
convergence offers a new opportunity: the possibility of having traditional
programmable devices share the same data service fabric as the data network.
With the growing need for remote control and automation of industrial systems, there are
vast amounts of raw data that can be mined, and there is the desire to derive more value
out of the systems through increased integration with systems on the IT side.

Smart Things
As OT continues to converge with the IT infrastructure side, there are implications
across security, performance, and domain scopes for manageability. What does smart
mean? It can mean software, connectivity, and centralized control; feedback loops; and
real-time communications. We're now seeing the evolution to smart things. Let's take a
look at some smart things that you are probably familiar with: planes, trains, and
automobiles, building control systems, meters, and TVs.
Businesses are looking at the office building and making it smarter. Convergence of
information technology infrastructure, software, and programmable controllers is allowing
builders to transform their designs and how buildings operate. Building Automation
Systems converge on IT infrastructure by using the service fabric to provide
connectivity, isolation, and security. Building Automation Systems control fire, heat,
water, power, lighting, vertical transport (elevators), HVAC, video surveillance, and
physical security. In new construction, building systems infrastructure changes the
model of how contractors build new buildings from the ground up. Building Automation
Systems use less overall physical infrastructure, leverage a common platform, and
lay the foundation for more energy-efficient buildings.

This means that before an owner can take occupancy, they must have basic IT switching
infrastructure in place. This IP network is the primary means of connectivity for all the
building systems controls. Before HVAC systems, heating systems, or lighting systems can
be brought online, the infrastructure (compute, networking, and storage) needs to be in
place; these systems are now controlled by software applications.
Now, instead of multiple wiring infrastructures for each building system, one IP service
fabric is all that's needed. Overhead pagers, the suppression system for fire sprinklers,
the video cameras for security surveillance, building automation, and elevator systems:
software on the back end now controls all of these things, communicating with the
different systems across the IP backbone.
Because of this level of automation compared to traditional buildings, there are
significant cost savings for buildings built smart from the ground up. Smart systems not
only help minimize total cost of ownership, but also provide flexibility for operational
maintenance and value-added services when all systems can communicate over a common
platform, on a single IP backbone. Smart buildings allow the building to operate more
efficiently, reducing expenses. This reduction in expenses comes from the ability to
program lights to turn off when not in use, to use motion detection to be smarter about
when lights come on and go off, to control access through doors from a single system,
and to help mitigate potential building degradation. It also helps optimize energy
efficiency to control costs and improve visibility. Even retrofits of existing buildings
can make them smarter.
The smart home provides similar functionality to the smart building. Many homes are now
installing add-on systems to make the house smarter: devices to control indoor lights,
digital video cameras for security, systems to make sure outdoor lights come on or go off
at a certain time, and devices to open the door when the homeowner comes near the
garage.
Smart cars help optimize fuel mileage, improve safety, help avoid collisions on the
road, and assist with parking. Onboard embedded chips and software talk across cellular
networks back to the cloud provider and over to the service provider, all in order to
provide additional services. As an example, look no further than OnStar. Smart cars also
offer add-on features to enhance the driving experience.
One of the goals of smart cities is to achieve the same efficiencies we've seen from
smart cars, buildings, and homes, but expanded to the entire city. Studies show how
governments can optimize the use of taxpayer money, and a smart approach can help
city governments implement the results of these studies. From lighting, security, and
traffic routing to the movement of vehicles and the efficient use of parking, the smart
city has great potential to reduce governmental costs and enhance municipal services.

Next Generation Infrastructure

As technology has continued to improve, it is transforming how the business and IT think
about the way they design their systems and how users interact with the technology. New
possibilities have opened up for IT to serve the business, such as the all-mobile
wireless office using gigabit wireless, or more flexibility for IT when building out new
floors or new office space for the business.
Storage has seen massive improvements. For example, consider storage duplication. One
of the main problems with end-users' email use is the multiple copies of documents that
waste precious, costly storage. Now, with single-instance storage, 1000 copies of the
same file attachment will not penalize actual storage space, greatly altering the storage
cost curve. De-duplication has also really expanded the ability to get more bang for the
buck.
Hyperconvergence, the convergence of compute and storage into blocks and flex pods,
now allows IT to deliver the infrastructure components together: prearranged,
engineered, and pretested to isolate a particular workload for fast delivery. The
solution provides great benefits to IT. The new hyperconvergence includes networking,
all controlled through software, in a nice compact form factor, providing great benefits
for things such as VDI. Because of this, the cost of each additional virtual user is
more easily calculable.
Messaging is at the heart of most businesses. Microsoft Exchange has made fantastic
advancements, greatly increasing the availability of messaging for the enterprise.
Traditionally, getting approval from the business to perform maintenance on Exchange
services has been a headache, but now with database availability groups (DAG), the
ability to increase the availability of mailboxes and to maintain and upgrade
infrastructure online is a great new tool.
Another aspect to consider is unified identity and privilege management. In the era of
cloud applications, the proliferation of apps, both homegrown and third-party, has created
a user functionality challenge, with an ever-growing need for more usernames and
passwords. Centralized identity management, single sign-on, multifactor authentication,
and trust relationships are greatly needed.
This ties closely into unified access: the ability to gain access to the network, and
only to the resources authorized, regardless of location or method. Access from a kiosk
at Starbucks or at the airport, jacking in from a lobby or conference room, connecting to
the wireless network at headquarters or a branch office: in short, access from any place,
on any device, is key to unified access. The ability to positively identify the end user
and securely give access to corporate resources is very important.
Chapter 3: Risk

Risk – the potential of an unwanted outcome.

Many people today just call it keeping the lights on: operating the infrastructure that
supports the business. When IT gets that right while also keeping pace with new
business demands, needs, and initiatives, that is even better news. It would be a
fantastic accomplishment to say we efficiently operate the technology, and we actively
help the business contain costs, grow, and innovate. If that were the end of the story
for IT, it would be more than enough. But we all know that is not the end of our
duties.
The threats of the physical world have followed us into the digital world. The benefits
that our advanced technology has brought are available to anyone. Business and societal
benefits now amplify the threats that are all too common in human history. In some
respects, it should not have come as a surprise, but when a society becomes accustomed
to historical risks, sometimes we lose track of just how much we have learned to live
with the increased cost, delays, and inconveniences. Those who thought the digital world
provided cost-free, easy, and risk-free benefits are finding out that they were
mistaken.

Risk Matters
Confronting the impact and probabilities of unwanted outcomes.
Be careful, something bad could happen! A state of uncertainty where some of the
possible outcomes are unwanted is called risk. These outcomes can involve a loss, an
injury, or a catastrophe. In the eyes of the stakeholder, which can be anyone depending
on the circumstances, this particular set of outcomes is undesirable. And every
stakeholder has different thoughts about what constitutes these outcomes. In fact, in a
business where there can be many owners, each one could disagree about what is
unwanted, or what the threshold for unwanted should be.
Often, these undesirable outcomes, like injuries and catastrophes, are described as
losses, and in particular financial losses. Even a catastrophic outcome such as death can
be measured in dollars. Consider the life insurance field, where a dollar amount is tied to
the likelihood of death. Actuarial tables are used to estimate the probability and
timing of death in order to determine what your premium will be, based on the
likelihood of death across a pool of insured, so that the insurance company pays out
less than it receives from all its customers.
In business, undesirable outcomes involving a loss of income are something leaders try to
avoid. Such an undesirable outcome could be a business outcome that causes legal action
and results in money being paid out. A company could be under industry regulations
and choose a course of action that violates those regulations, ultimately resulting in
fines. Being the victim of a cyber-hack could damage brand reputation, ultimately
filtering down to losses in sales. For individuals, you could be blamed for the failure to
stop the hack and lose your job, and in turn this outcome is bad for your personal income.

The meaning of undesirable is in the eyes of the individual business; it is something that
every business leader, even within the same organization, may have different
philosophies about, as well as different thresholds for action. And often, that view will
change over time. The business appetite for risk taking is heavily influenced by how
risk factors are communicated to leaders, if they are communicated at all. As the
complexity of technology masks some of the underlying dependencies and flaws in the
digital infrastructure, risks often go unidentified and unaddressed.
In later chapters we will discuss how risk and risk management can be integrated into
decision analysis for understanding the benefits of business opportunities using
risk/reward analysis. For now, let's dive into some terminology.
Our digital world is one where there is rarely complete certainty for decision makers;
this involves what is termed uncertainty, where more than one possibility exists.
The "true" outcome, state, result, or value is not known, and therefore the future is not
known. Business leaders are accustomed to uncertainty under normal conditions. But in
an era of disruption and complexity, the level of uncertainty has never been higher. The
speed of change is so fast that traditional decision making is overwhelmed just trying
to keep pace and stay relevant.

Defining risk for the organization


Risk is defined by the business: not IT, not the government, not the auditor, not the
competitor, not the market. Every organization is a voluntary coming together of people
and resources to work towards some goal. Which outcomes and experiences are
advantageous, and which are unwanted or undesired, is determined by the asset owners,
those holding liability for the organization. No two auditors are exactly the same, making
exactly the same judgments every time on every individual organization. No rules or
regulations are enforced exactly the same way every time. Interpretation and context are
constant. The number of legal cases is an indication of exactly how inexact and
inconsistent things are. No two CEOs sitting around the table will perceive the same
outcomes as bad. No two cyber-attacks have the same effects on the bottom line.
If the business can't tell IT what the losses or disruption from an attack would be, then
is this a risk? And if not, is IT spending too much effort trying to "protect" it? If IT
wants to help mitigate risk, it has to know what the business leaders view as unwanted;
not just in general, but especially when disruption and complexity often mask the true
drivers of risk.
In a world of uncertainty, many outcomes are possible. Some outcomes will be positive
for your organization, as in the case of an investment. That investment could be the
money you put into a project, or the time you spent on a project, and it could bear fruit
for the work done.
On the other hand, some of the potential outcomes could have an adverse or unwanted
effect, and cost you money. In many cases in business, an adverse effect costs
dollars. It can also be something that translates to a loss of money later, more hardship
or trouble, or is simply unwanted. Whatever the case, in a world of uncertainty, we must
take chances to succeed. We must take actions without knowing all the information
upfront, knowing that some of the potential outcomes could be unwanted. And in our
everyday business operations, there is risk of unwanted outcomes.
Challenges of innovation and growth in a world of disruption.
Disruption in the market is eating away at XYZ Corp profits. A new upstart, operating
100% out of the cloud, with a workforce of fewer than 100 people, many working in
jeans out of their homes, was challenging them for market share. They were in danger of
being "u-bered".
The new Chief Digital Officer weighed in with his new initiatives to vastly improve the
company's Systems of Engagement to capture the mindshare of its customers. Four
months into the project, the Hadoop cluster was still in its shipping boxes: not enough
power to bring it up. IT was struggling to identify which of its overprovisioned systems
could be turned off to make room in the power cap for the new gear. Once the systems
were identified, there were further challenges around moving workloads around.

But those were the easy problems. The consultants sub-contracted software developers
to write new code from scratch that was going to integrate all the company's systems
together and provide an automated workflow allowing an improved customer
experience. No one told IT. The in-house developers then had to try to communicate all
the requirements for integration into the legacy systems, the storage team tried to
communicate the capacity and performance issues, and the InfoSec team tried to
communicate the issues with opening APIs to mission-critical and sensitive systems to
3rd party vendors.
The CDO was left explaining to the board of directors why the plan to just use the cloud
to bypass the slowness of IT was not working.
Challenges of IT operations and fulfillment
This was the largest business initiative to date. All the pertinent parties were there to
discuss the scope of the project, from costs and risks to expected goals. The VPs of
Marketing, Sales, and Product Development, along with the 3rd party vendor and
implementation consultants, hammered out the details. Not much later, hardware was
ordered to support the project. A project manager was assigned, contracts were signed,
and money was allocated.
Everyone was in sync on this initiative to help drive growth in a competitive market
landscape…everyone, except IT. No one from IT was invited to these meetings. The first
sign that something was going on was the arrival at the primary data center of a new
million dollar Hadoop cluster in a rack. The delivery guys asked the IT guys at the
data center where they should put it.

Challenges of Cyber Security Defense


In today's digital world, most organizations rely on a breach incident notification system.
It lets the company know that someone has compromised some data from their systems.
This notification system has zero cost to deploy. There is no training needed. It requires
no lengthy implementation timeframe. Getting this system up and running is not intrusive
to business operations.
When the bad guys manage to breach security controls and successfully extract data,
then subsequently make it available in the criminal underworld, and/or actually attempt
to leverage it for criminal activities like identity theft or fraud, then this system is able
to detect it and inform the business. If you monitor security breaches in the news, you
may have noticed this system in use.
What happens if such a system is not implemented and used? Typically a news report
of a new breach at a company appears, and the details of the case indicate that it was
detected by a 3rd party, with law enforcement, like the FBI, contacting the victim to
inform them.

Let's talk a minute about the scope of risk from the business standpoint. Many boards of
directors are looking at two particular risks that they have concerns about. One is
reputational risk, which ultimately could impact the bottom line. The other is the risk of
being disrupted, i.e. by a startup company that alters the revenue stream of the current
business model. In both cases, money is impacted. There are many ways of losing
money: loss of income, loss of potential income, loss of future income, and increasing
expenses.
The interesting fact about risk when it pertains to loss of money, regardless of how many
different factors are involved, is the focus on how the loss happened and how it can be
prevented in the future. In the end, from a business standpoint, it does not matter why
the loss occurred; however, the why is important for understanding it and heading it off
in the future.
One must stay focused on the meaning of risk. It makes no difference whether
inventory worth millions of dollars burns up in a fire or intellectual property is lost to a
cyber attack that results in lost profit from lost market share. The adverse
effect can be accidental, or it can be intentional; it could be an insider, or an outsider; it
could be natural or unnatural.
Whatever the adverse effect, that is what we try to mitigate against. This is why you will
see organizations bringing cyber security under the umbrella of enterprise risk
management. The particulars are important for mitigation efforts and for who might be
responsible, but at the end of the day, a 5 million dollar expense is definitely an
undesirable outcome.
For an analogy, let's compare this to our own personal lives. What are some of the risks
that we are concerned about? There are many, such as whether my cholesterol is low
enough or too high. There can be risk factors for a potential heart attack or other health
issues down the line. There is a chance that my garage could burn down. There is a
chance that a burglar may break into my house and steal jewelry. A tree could fall on my
car and damage it.
There are many bad things that could happen to my person, my possessions (such as a
car and a house), and my family members in each of the cases just mentioned. We take
many steps to mitigate against these risks. In the case of the car, we buy auto insurance.
In many areas, insurance is mandated, while in others it is optional. Even if it were not
mandated, many people would still buy insurance to mitigate the risk that a tree limb
falls on a house and causes damage, forcing out-of-pocket expenses. Insurance allows
me to make a claim, and it is the same case for my house. If my garage burns down,
there is insurance, or if you're leasing an apartment, then there is renters insurance that
can also mitigate against the potential for fire, water damage, or loss of valuables. If a
burglar breaks in and steals your wife's valuable jewelry, this too can be claimed.

Of course, we also do certain things to make sure the burglar can't break in, such as
installing doors with locks and alarm systems, or having a firearm. When we park our
cars, we look to make sure we aren't parking under a tree limb about to break. When it
comes to carrying too much weight, we can work with a personal fitness trainer. We
spend money on a gym membership to help keep in shape, and will shop around to buy
certain foods to become healthier. These are all attempts to mitigate potential outcomes
that would adversely affect ourselves, our family, our property, and other valuable
assets.
Mitigating Business Risk
IT must view security threats in terms of business risk. There are many vulnerabilities,
flaws, and bugs in our technical infrastructures, software, and defenses. However, our
focus needs to be on undesirable outcomes as defined by the business. This is a critical
point. The business has to define this for us. IT can’t do this for the business. The role of
IT here is to facilitate the identification process, providing relevant, timely, and
actionable information to the business.
The two dimensions of risk that we want to understand are 1) the business impact of
undesirable outcomes, and 2) the probability of their occurrence.
Business Impact
Traditionally, business impact analysis, or BIA, has been performed to prepare disaster
recovery and business continuity plans. We must ensure this process captures the
complexity of the systemic dependencies of business services on the underlying
infrastructure, which is becoming beyond the scope of people to maintain and watch
manually. The point is that a list of impacts that ignores true dependencies will
underestimate actual risks. For example, many IT budgets are trimmed for financial
reasons; some of those line items comprise critical components for maintaining a resilient
infrastructure. Shortly, we will explore impacts in more detail. I would also like to note
that I will continue to refer to IT and not just InfoSec. This is a team effort. InfoSec has
domain-level expertise in the area of cyber security; however, the actual factors that
determine levels of risk come from across the entire IT team, and indeed across the
entire business. We must be vigilant in conveying this concept to the business, which has
too many times believed security was an issue for just one group, the way the accounting
department takes care of payroll.
One main example of an unwanted outcome for the CIO is losing the job. The CIO has a
vast number of responsibilities and must carry out numerous roles; as such, the risks
are consequently vast. A cyber breach making headlines could result in blame being
affixed to individuals, and the firing squad called to aim at the CIO.
Probability of Occurrence

The probability of occurrence is an area that IT really needs to pay much more attention
to. The security industry has gained much of its reputation for fear-based sales tactics
from not properly framing the actual likelihood of these bad outcomes occurring. A
problem framing where all bad things could happen, with no thought about the likelihood
of it happening to your particular organization, is an unaffordable proposition for most
businesses. This runs counter to how business and the wider world actually work. No
one would or could actually buy insurance that tried to cover all losses for everything.
Many options and strategies for mitigating risk are thoughtless. We need to step back
and take a look at the risk formula again, focusing on what assets we are trying to
protect. We can avoid something bad happening when we take the time to define what
the impact of the adverse effect will be.

Risk can be expressed in monetary terms. Back to our house example: if it costs us X
dollars if our house burns down, then we can buy a certain level of property insurance to
help protect us from a large out-of-pocket expense. Correspondingly, an organization
will conduct a business impact analysis to identify its assets and assess the business
impact of damage to them. As part of a business impact analysis, the team works with
the business owners and the stakeholders who hold liability for the company in order to
determine an inventory of all the critical assets, both physical and digital. From there
they develop a list of scenarios for bad things that could happen to these assets, and
then assign a monetary value to each one. IT can help the stakeholders understand the
changing landscape and what assets mean in a digital world. IT will also need to
educate others on the technical dependencies of operating in a digital economy so their
input in the BIA process is relevant.
That was one aspect of risk; the other main aspect that IT focuses on is the actual
likelihood or chance that something adverse will in fact happen to the business or a
particular asset. Or, put another way, what is the probability that my digital assets (for
example, intellectual property or IP) will be compromised, that my main competitor will
gain a copy of this intellectual property, thus allowing the competition to leapfrog us in
the market? What is the probability of that occurring?
If in fact the probability is low, that fact has a large impact on what you do to mitigate
against this risk. Having your competitor gain access to your R&D data is a high-impact
effect, but you may consider it a low probability because of the controls that IT has put
in place. Conversely, you might think the probability is high because you're not exactly
sure how well your controls are working.
The probability is critical to the process of managing risk. Traditionally, the impact has
been better understood in the physical world; in today's digital world we must make sure
we adequately prepare ourselves for defending digital assets. One area that could use
more work is the likelihood or probability that IT presents to the business. There are
many security impacts, involving many bad things that could happen. The severity of
the impact and the dollar amounts are incomplete without quantifying or expressing how
probable it is that the thing could happen. In a world of finite resources and a lot of
uncertainty, one cannot mitigate against all potential risks. This makes the calculation of
probabilities a critical step in managing risk in business.
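As an added example, not from the book, that serves both the Business Impact and Probability of Occurrence discussions above: the BIA scenarios scored as impact times annual probability, then used to judge which mitigations (insurance lowering impact, technical controls lowering likelihood) pay for themselves within a finite budget. All asset names, dollar amounts, probabilities and control costs are constructed for illustration.

```python
"""Added example: risk as impact x probability, and using that number to
decide which mitigations are worth their cost.

Every asset, dollar figure, probability and control below is constructed; in a
real BIA the business owners supply the impacts and IT supplies the likelihoods.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass
class Scenario:
    """One undesirable outcome from the BIA: the business impact in dollars
    and the chance it occurs in a year."""
    name: str
    impact: float              # single-loss impact, defined by the business
    annual_probability: float  # likelihood per year, 0.0 .. 1.0

    def expected_loss(self) -> float:
        # The risk formula the text refers to: impact x probability.
        return self.impact * self.annual_probability


@dataclass
class Control:
    """A mitigation option and its effect on one scenario: a new residual
    impact (insurance lowers impact), a new residual probability (technical
    controls lower likelihood), or both. None means unchanged."""
    name: str
    scenario: str
    annual_cost: float
    residual_impact: Optional[float] = None
    residual_probability: Optional[float] = None


def expected_loss_reduction(scenario: Scenario, control: Control) -> float:
    """Dollars of expected annual loss the control removes from the scenario."""
    residual = Scenario(
        scenario.name,
        scenario.impact if control.residual_impact is None else control.residual_impact,
        scenario.annual_probability if control.residual_probability is None
        else control.residual_probability,
    )
    return scenario.expected_loss() - residual.expected_loss()


def rank_scenarios(scenarios: list[Scenario]) -> list[tuple[str, float]]:
    """Highest expected annual loss first: where finite resources should go."""
    return sorted(((s.name, s.expected_loss()) for s in scenarios),
                  key=lambda pair: pair[1], reverse=True)


def choose_controls(scenarios: list[Scenario], controls: list[Control],
                    budget: float) -> tuple[list[str], float]:
    """Keep only controls whose loss reduction exceeds their cost, then take
    them greedily by net benefit until the budget runs out."""
    by_name = {s.name: s for s in scenarios}
    scored = []
    for control in controls:
        net = expected_loss_reduction(by_name[control.scenario], control) - control.annual_cost
        if net > 0:   # a control that costs more than it saves is never worth it
            scored.append((net, control))
    scored.sort(key=lambda pair: pair[0], reverse=True)
    chosen, spent = [], 0.0
    for _, control in scored:
        if spent + control.annual_cost <= budget:
            chosen.append(control.name)
            spent += control.annual_cost
    return chosen, spent


# Constructed BIA output, echoing the scenarios the chapter discusses.
SCENARIOS = [
    Scenario("R&D data copied by a competitor", 5_000_000, 0.02),
    Scenario("Customer data breach makes headlines", 2_000_000, 0.10),
    Scenario("Data center fire destroys inventory", 3_000_000, 0.005),
    Scenario("New cluster sits idle for lack of power", 400_000, 0.6),
]

# Constructed mitigation options; costs and residuals are illustrative only.
CONTROLS = [
    Control("Decommission overprovisioned servers to free power",
            "New cluster sits idle for lack of power", 30_000, residual_probability=0.05),
    Control("Encrypt and monitor R&D file shares",
            "R&D data copied by a competitor", 40_000, residual_probability=0.005),
    Control("Property insurance on inventory",
            "Data center fire destroys inventory", 10_000, residual_impact=50_000),
    Control("Breach detection and response retainer",
            "Customer data breach makes headlines", 150_000, residual_probability=0.04),
    Control("Fire suppression upgrade",
            "Data center fire destroys inventory", 20_000, residual_probability=0.001),
]


if __name__ == "__main__":
    for name, loss in rank_scenarios(SCENARIOS):
        print(f"{loss:>12,.0f}  {name}")
    chosen, spent = choose_controls(SCENARIOS, CONTROLS, budget=100_000)
    print("chosen within budget:", chosen, f"(spent {spent:,.0f})")
```

Note that two of the constructed controls never get chosen, whatever the budget, because they cost more per year than the expected loss they remove; that is the probability term doing its work.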
Undesirable Outcomes - Risk

There are three areas in which the impact and ramifications of IT's failure to deliver
to the business can be seen: opportunity losses, business disruption, and loss of
relevance. It is important for IT to understand these three areas so we can make a plan
and strategy to avoid them and put ourselves in a better position to help the business
thrive.

Lost Opportunities
“Nothing is more expensive than a missed opportunity.” H. Jackson Brown
Opportunity losses are an important concept to understand. The impact of IT failures has
direct consequences for businesses. As we discussed, in this new disruptive digital world,
with competitive forces and calls for constant change, the goal is to have the agility to
survive, and ultimately thrive, in the marketplace.
"The ACME project will not be ready on schedule…" Those were the words, from IT to the
business unit, as part of an update on timelines for a new project being undertaken that
the business hopes will save it. This project is massive, and involves scaling multiple
teams, allocating a multimillion dollar budget, and committing to a multiyear effort. And
it touches legacy systems, integrates with a new modern Service Oriented Architecture
and a homegrown middleware app, reaches out to third-party services for lookups, and
integrates in-store POS systems with marketing and customer membership sites. Also
involved are accounting, shipping, the back office inventory system, and some finance
servers.
This is a massive undertaking, brought forward by new executive leadership. This
project was born to save the company.
Unfortunately, IT was not ready for the challenge: dragged down after years of just
keeping the lights on, underfunded for the number of projects in front of it, suffering
from flat to low head count growth, expected to meet ever faster delivery requests,
and all the while functioning in an increasingly complex and interdependent environment.
IT is under extreme pressure to perform. IT is often misunderstood in its true role to the
business, and viewed as a cost center. Add the pressure IT has fighting fires, with all-
nighters to get the situation fixed, passing out just enough information to get the end
user off the phone, struggling to pacify the business owner just enough, while avoiding
the CEO bringing down his wrath on IT…how bad do things need to be? They can get very
bad, especially if your company is on the line in a highly competitive marketplace. IT
does not want to be the one holding the blame.

IT needs to deliver. And in situations where the obvious fixes were addressed and more
resources were poured into the situation, failure is still an option. Take for instance a
case where there are plenty of technical domain experts, very good software developers,
consolidated and virtualized data centers, all new modern infrastructure, and all the
latest endpoint devices. With all that, if IT still is not succeeding in the eyes of the
business, then the root causes of discontent have not been addressed. When the mean
time to deliver is still too slow for the business, the progress IT makes may be surface
level: it has failed to fully embrace what its true role is in the digital age of disruption.
When transformation is required, change is needed, and one must understand the scope
of the opportunity and the possibilities. To see the possibilities, one must explore what
competitors are doing and what the marketplace offers, but also take a look at the
challenges, constraints, and risks of bringing it into being. These are not insurmountable.
Those are questions that IT must ask and answer. We must take stock of our strengths,
expertise, and wisdom to succeed. We cannot get caught looking in the rearview mirror at
the old world…this is the digital world.
Even those steeped in the traditions of the physical world, with workers getting their
hands dirty, and even the traditional verticals, are heavily influenced by the digitization
revolution. The question becomes: how fast does IT need to be to stay relevant? The
answer is as fast as needed to keep up with business demands.
We have to ask ourselves if we are taking advantage of all that is new and possible out
there. We must ask ourselves if we are confronting the challenges or merely trying to get
around them. Can IT strategically manage the risks associated with these new initiatives,
while dealing with the compliance, governance, and security associated with this new
project? If the controls we put in place to mitigate identified risks have the effect of
impeding the organization’s ability to conduct business and compete, then we will have
inflicted the lost opportunity on ourselves. If the cause is that we were not ready to
enable the needed changes in a timely fashion, then that is another problem that must
be addressed. And that is the biggest adverse effect of them all.
IT has influence on the risk appetite of its organization. The real risk for today’s
business is not taking enough calculated risks, a failure created by internal constraints,
lack of knowledge, or lack of imagination. The more risk you need to take to leapfrog
competitors, the more the business comes to lean on technology and IT.
Many companies today will not exist in 10 years. This is a sobering reality of the
challenging market conditions. The impact is real. IT may be limited in what it can do to
prevent that, but one thing is for sure: we want to make sure IT is not the reason that
the business lost, and that IT did all it could do to help by 1) making business operations
as efficient as possible, 2) mitigating business risks from cyber threats, and 3) supporting
growth and innovation initiatives.
Slow response times to competitors

How fast is fast? Well, it is fast enough for the business to compete yesterday. Let’s say
your main competitor is just one online service offering, and it beats anything that you
have today. It is able to deliver faster and more efficiently than you can. Your competitor
is using technology that goes beyond what you are using. It has found new and
interesting ways to leverage technology in as many new ways as possible. It overcame
the constraints and the challenges involving risk, and went to market in a fundamentally
different way. Your competitor is now delivering to its customers a service
with which you cannot hope to compete in your current state. The impact of this will be on
your market share -- market share loss affects the bottom line, and it affects your
business.
Implications of corporate espionage

Economic espionage represents “the greatest transfer of wealth in history,” said General
Keith Alexander, NSA director and commander of U.S. Cyber Command, at the American
Enterprise Institute in 2012. BlackOps Partners Corporation, which does
counterintelligence and protection of trade secrets and competitive advantage for Fortune
500 companies, estimates that $500 billion in raw innovation is stolen from U.S.
companies each year. Raw innovation includes trade secrets, research and development,
and products that give companies a competitive advantage. “When this innovation is
meant to drive revenue, profit, and jobs for at least 10 years, we are losing the
equivalent of $5 trillion out of the U.S. economy every year to economic espionage,” said
Casey Fleming, CEO of BlackOps Partners Corporation. “To put it into perspective, the
U.S. will take in $1.5 trillion in income taxes and $2.7 trillion in all taxes in 2013.” [8]
What happens when your type of breach doesn’t get detected or make it to the
headlines? While the headlines are screaming credit card, medical record, or personal
information breaches, this attention can hide the fact that organizations suffer many
intellectual property breaches that will never make the news.
Many breach reports focus on data record leakage, and often breach reports attempt to
quantify the effect of the loss by using record count. Sometimes this narrow focus loses
sight of some of the bigger impacts of the data loss. It is very difficult for a third party on
the outside to make such a quantitative calculation for an organization’s internal losses.
Let’s say the CEO of a carmaker pulls up at a light, and as he turns his head he notices
the car that pulls up beside him. What he notices is the striking similarity of the car next
to him to the designs of his own company’s new car, which is about to be released to the
public very soon. Something has happened here. Either the competition has been
extremely lucky, or they have hired an insider to steal his research and development. In a
highly competitive marketplace, fierce competitors will often attempt to pay off insiders in
order to extract information and get a head start on the competition. Or they could have
used a computer hack to externally access the intellectual property. In this case of
corporate espionage, there will not be a big headline highlighting the breach. In addition,
there often is a lag in learning that the system has been compromised and intellectual
property has been stolen. In a market driven by disruption, the slightest advantage can
make the difference between a market share that shifts up or shifts down.
What is highlighted in the national news is the case of nation state espionage. The most
common case is that of China, a country of over 1 billion people and a government
dedicated to ensuring a minimum of 8% growth in GDP per year – and that is a very
aggressive growth rate. We have seen in the history of China’s turn to capitalism a
spiraling growth with a need to meet the burgeoning demands of a growing population.
The innovation and intellectual property designed in-house has not kept pace with the
Western world. Therefore, the Chinese government has sponsored wholesale a state
strategy of corporate nation-state espionage, with the express purpose of helping
Chinese industries keep pace. As a result, the FBI has reported that US jobs are lost to
Chinese theft of intellectual property.
Failed and Slow service delivery models
Changing how goods are consumed, for instance renting movies, can put your business
model in jeopardy if you don’t have enough of a mix of existing and new. The speed at
which the market shifts makes standing still risky. That is the story of Blockbuster, which
passed on the opportunity to purchase Netflix years ago; a decade later, it was filing for
bankruptcy while competitors using alternative delivery systems took its market. A lot
happened in the span of that decade, and what looks obvious today was not necessarily
so at the time.
Digitally delivering movies over digital infrastructure has saved the customer from having
to travel to a local store. Leveraging the digital infrastructure with high speed broadband
access, sharing the same wires that are used for web browsing and email, has
revolutionized that industry. That is a different type of IT model: a new delivery model
enabled by technology has helped online streaming become such a great success. We
know the results: look what happened to Blockbuster, and compare that to the success of
companies like Netflix. The next time our business is looking at what it could do to
compete, IT has an opportunity to help it think beyond what it is doing today. IT can look
at what is possible and find ways to make it a reality.
Loss of Relevance
They didn’t even ask us.
In a world where consumerization of business technology is running rampant, it is salt in
the wounds for IT to get pitched by third parties to sign up for their services since
hundreds of their employees have already done so.
As defined by Wikipedia, Consumerization is a “re-orientation of product and service
design in the market away from business and government and other organizations
towards individual. The individual is now the main consumer and target for product and
software design. As such the end-user is now in a position to heavily influence what they
use inside of their businesses.” [9]. This is a big contrast to the traditional model of IT
issued and managed devices, apps, and services.
The biggest implication of this is that no longer does IT have control over the end-user
working inside the lines of business. This has been a windfall for end-users, as they now
have more flexibility, choice, and tools to help them get their jobs done in a world of
innovation and disruption. This is a good thing, also, in that it allows anyone to enter the
market or provide a new service. The knowledge worker has more flexibility and control.
From an IT standpoint, this has not come without problems. Current controls that IT has
put in place over the years were designed and built for certain types of technical
architectures, certain types of services, certain types of users, certain types of endpoints,
and in a particular location. In a world of consumerization, this has all been disrupted.
As a consumer market with manufacturers now focused on individual desires and user
functionality, companies are keen to display more features and provide more capabilities
to the end-user. This has had the effect of pushing control and security to the back
burner. In some cases, security is an afterthought; sometimes security is not discussed at
all in the development phases. The rules in the digital world are speed and adaptability,
adding more functionality and continuing to empower the user (customer). This new
wave overtaking the organizational structure of businesses has been amazing.
This may be fantastic for end-users at home, but the effect on the enterprise is
mind-boggling. It’s rewriting the rules of the processes put in place by governance for
business and its corporate assets. As business owners have personally benefited from
consumerization, they have not been in the best position to understand the implications
and the risk to the organization. Fast and quick are great, as long as the controls are put
in beforehand and are still effective.
In many cases, the absence of controls that IT can leverage for consumer products,
services, and applications has meant that the risk profile the organization is running has
now been exponentially increased.
From the standpoint of business, they have not seen the difference; from the IT
standpoint, it is all the difference in the world. The controls that were normally budgeted
for yearly have now been rendered obsolete. Ineffective, too slow, in many cases no
longer relevant, such an approach is the equivalent of all the jewelry and money being
relocated from the comfort of the safe in the basement and distributed to thousands of
locations. Corporate intellectual property in digital format now lives on mobile laptops,
tablets, and smartphones which can all be used from employees’ homes to remotely
access corporate data.
For all intents and purposes, the controls at the border are obsolete. We’re in a
borderless world where we can no longer count on location as a primary defensive
advantage.

Consider the story of Blackberry. Blackberry used to be the dominant business email
device. It had strong controls for IT, could be managed by IT, and email could be
encrypted while its integrity was controlled. With the advent of personal smartphones
running iOS and Android, and their inclusion of support for corporate email, the end of
corporate control began. There have been a couple of effects from this.
First is the shift in mindset: this is my phone, and while I read corporate email on it, it is
still mine. The second is the deluge of applications designed for iOS and Android. While
they make a great platform for developing corporate apps, the vast majority of apps
installed are consumer or third party apps. This results in the commingling of business and
personal. It has led to a rush by IT and vendors to build mobile device management to
control the endpoint in response to the loss of governance and the leakage of data.
With this mind shift, you will often see users transmitting corporate data via
commercial email instead of corporate email. Sharing apps are prevalent. When a user
uses iCloud to back up their device and sync content with their other personal devices,
corporate data is now being transmitted to a third party with no legal constraints.
Corporate data is leaking. If you look under the hood of the smartphone at the local file
structure, you will find that every attachment from corporate email is left there. This
means that for a new employee who is using the same phone from job to job and who has
not wiped it, corporate data in the form of Word, Excel, and PDF files is still on the device.
If you look at the permissions that 3rd party apps are granted on install, you will see that
they ask for overly permissive rights that, if misused, could allow unscrupulous 3rd parties
access to documents and other data. Malware writers are increasingly targeting the
mobile platform.

The implication of the blurring between personal and business workstyles is that the
impact and probabilities of bad outcomes have changed. The risk profile has to be
revisited in this new landscape.
IT must be careful to maintain its relevance to the business. In the past, there were
few options for the business, but today in the digital world there are cloud providers and
VARs that are competing intensely for managed services across the IT technology stack,
from the datacenter all the way down to user endpoints. In today’s business environment,
all lines of business must prove their relevance on a day-to-day basis, to prove to the
CEO, and ultimately the board, that their money is spent well, and IT is no different.
As trust breaks down, business users go into the shadows. How should IT look at shadow
IT? Could it perhaps be viewed as an opportunity? Shadow IT can be viewed as honest
feedback from users and the business, amounting to a wakeup call. Should we be looking
at it as potentially unauthorized use of external third-party systems, or perhaps as C-level
sanctioned? Or perhaps IT can view 3rd parties as allies, providing what we can’t provide
ourselves. We can work with the lines of business to take advantage of this. IT should
consider this an opportunity for collaboration. Technical advancements have lowered the
barrier to new technology services, making them quick and efficient to obtain in order to
serve business needs.
From file sharing and video collaboration, to workflow analysis, to many other services
that are traditionally deployed internally, IT can work hand-in-hand with the lines of
business to provide the right mix of internal and external services, providing a unified
service delivery front and reducing as much of the friction with technology consumption
as possible for the end users. For at the end of the day, IT needs to be involved in order
to provide the necessary due diligence to reduce organizational risks by providing
governance, compliance, performance, and service levels.

Far too often businesses bypass IT and later come to regret their decision. From
compliance violations, to security breaches, to incompatibility with existing systems,
sometimes much data has been taken off site only to find out that integration with the
internal system is not possible or is cost prohibitive. In such instances, cost savings can
give way to costly waste.
If IT were to go to accounting and take an inventory of all their expenses, one might be
shocked to find the amount of money being spent on corporate credit cards. The practice
of expensing systems can open a business up to many unnecessary risks. The Board of
Directors and its CEO are often not aware of the risks that are being opened.
First, IT must be fast and quick enough to deliver the services it is capable of and which
are possible with existing technologies and existing personnel. IT must also collaborate
on those services that it can’t provide with 3rd parties, and make workable solutions for
both the business and IT. This is a win-win providing governance, compliance, and risk
mitigation.
Shadow IT is in part the result of a loss of trust in IT, and also in part the reality of the
situation that there are services and choices that the business requires (or wants) but IT
can’t provide. In the latter case, the business has no choice but to go around IT and go
directly to third parties. It’s ironic that in some cases the problem is not in functionality,
but in the packaging. IT has not traditionally been in the customer experience business
that 3rd parties specialize in. IT-built systems with the right business functionality are at
times poorly rolled out, with disjointed communication and confusing interfaces. Branding
of services is an opportunity.
The consumption model has changed. You practically have to work with third parties to
create a hybrid model, finding the best of what both parties do best, and providing the
best of both together with a seamless integration plan for the business. You can be in a
position to provide the governance, which can ultimately be lost when businesses don’t
have all the domain expertise necessary to make great choices in picking third parties.
The business doesn’t want to find out later that all the controls they have invested money
in are of no use because the data and intellectual property live somewhere else.
Unfortunately, ease of use can cost the business time and money.
Some of the impacts are loss of governance, which can lead to one or more of the
following:

1. Increases likelihood of sensitive data being leaked
2. Causes expenses to be higher than needed
3. Results in underutilization of invested solutions
4. Makes collaboration harder
5. Potentially creates a blind spot on new customer insights

Business Disruptions and Losses


Work stopped, productivity lost, loss in revenue - unhappy customers, unhappy
stakeholders.
As businesses have increasingly leveraged technology to operate, improve, and grow
their operations, the level of dependency on technology has increased exponentially. No
modern economy in the world can operate today in the absence of this technology. Major
advancements in human development over the last couple of decades have been driven
by man’s use of ever more advanced technologies. From the hardware, software,
and network connectivity, all aspects of modern life on earth are dependent on the
functioning operation of our digital infrastructure. And when it does not work or is
interrupted, the impacts are felt.

Production line stoppage


ABC Papers, Inc., is in the business of making paper. In its production plant, reams of
paper move down an assembly line, station by station. Various workers are on the line
manning their control stations. Away from the noise of the line, a contractor is in the main
lobby, waiting to gain access to the server room. They are here to upgrade their control
system software, which runs apps on a Windows rack mount server and connects to a
local SQL instance. This particular system is one of three primary apps that control
various systems on the assembly line. As the contractor proceeds with the work, they are
now ready to apply the changes to the server.
On the line, one of the managers notices a problem with the next job that is scheduled to
run. His screen has locked up. As the last job is making its way through to the end, it is
time for the next job to be moved from the queue into the active state. Minutes later,
commotion is heard in the hallways, and alerts are going off. The production line has
stopped. The manager screams for an explanation: what the heck is going on?

As IT looks into the problem, it appears from the crowd in the server room and the
familiar look of the “starting windows” screen that a server is coming back up. It appears
that the contractor applied his change by rebooting the server with their app on it…the
same server running the SQL instance that hosts the databases for all the applications.
After the server makes it back up and the databases reconnect to the apps, the job queue
gets moving again…oops!
Ecommerce site down and millions in losses
In a normal week the orders are coming in, and our products are moving across different
product categories. The users are browsing our e-store, and the numbers on the
organizational dashboard for those purchasing products are looking good. However,
things turn gloomy very quickly as the number of purchases starts to decline. This after an
8% increase every minute in the last hour. The number of new orders is slowing down,
and the number of new visitors to your site is plummeting.
Something’s wrong, what’s going on here? A frantic call is put into the help desk. Hey, is
anything wrong with the system? Is the site up? The help desk tracks down the server
admin, who gets the call from the business and checks around the site. After making
the rounds, the service desk manager calls the user back and indicates everything is
okay.
Eight hours later a call comes in from the CEO to the CIO. He is not very happy. Are you
on site? The response is that nothing is wrong with the systems, but the call triggers an
all-hands-on-deck effort. One of the application developers for the e-commerce site says
that db-server-1 was checked, and it turns out that the actual business service uses 19
different servers and five databases spread out across 3 datacenters, the Amazon cloud,
and 5 third party partners. Your ecommerce site is not a single server; it is an entire
business service. In the end, the developer indicated he didn’t have access to the
production logs to investigate further. Not all the log files are available for access, and
some of the systems are not reachable as they sit in the DMZ; getting access to them
takes hours that turn into a day, with sales pressing for answers. IT did not know the
service chain or the technology dependencies, and did not have the visibility.
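Both the paper mill reboot and the e-commerce outage above come down to one missing capability: nobody could answer "what else depends on this box?" or "is the whole service up, not just db-server-1?". The following Python example is added here (it is not from the book) to show what such a service-chain model looks like; the inventory, hostnames, and service names are constructed placeholders loosely following the two stories.

```python
"""Service-chain (dependency) model: change blast radius and end-to-end health.

Added example, not from the book. The inventory below is constructed; every
host, database, partner and service name is a placeholder.
"""
from collections import defaultdict


class ServiceMap:
    """Directed dependency graph: node -> the nodes it needs to function."""

    def __init__(self):
        self.needs = defaultdict(set)        # node -> direct dependencies
        self.required_by = defaultdict(set)  # reverse edges
        self.status = {}                     # node -> "up" | "down"

    def add(self, node, needs=(), status="up"):
        """Register a node and the components it directly depends on."""
        self.status[node] = status
        for dep in needs:
            self.status.setdefault(dep, "up")
            self.needs[node].add(dep)
            self.required_by[dep].add(node)

    def set_status(self, node, status):
        self.status[node] = status

    def _walk(self, start, edges):
        # Depth-first traversal returning every node reachable from `start`.
        seen, stack = set(), [start]
        while stack:
            for nxt in edges[stack.pop()]:
                if nxt not in seen:
                    seen.add(nxt)
                    stack.append(nxt)
        return seen

    def blast_radius(self, node):
        """Everything that transitively requires `node` (what a reboot takes down)."""
        return self._walk(node, self.required_by)

    def dependencies(self, node):
        """Everything `node` transitively needs in order to work."""
        return self._walk(node, self.needs)

    def failing_components(self, service):
        """Dependencies of `service` that are not up, in sorted order."""
        return sorted(n for n in self.dependencies(service) | {service}
                      if self.status.get(n) != "up")

    def is_healthy(self, service):
        """A service is up only if it and every transitive dependency is up."""
        return not self.failing_components(service)


def change_impact(smap, node, action="reboot"):
    """Change-control check: which business services a change to `node` interrupts."""
    impacted = smap.blast_radius(node)
    services = sorted(n for n in impacted if n.startswith("svc:"))
    return {"node": node, "action": action,
            "impacted_services": services, "needs_approval": bool(services)}


def build_sample_map():
    """Constructed inventory for the two stories; all names are placeholders."""
    m = ServiceMap()
    # Paper mill: one rack-mount Windows server hosts the contractor's app AND
    # the SQL instance that every line application uses.
    m.add("db:line-sql", needs=["host:rack-srv-1"])
    m.add("app:contractor-control", needs=["host:rack-srv-1", "db:line-sql"])
    m.add("app:job-queue", needs=["db:line-sql"])
    m.add("app:station-hmi", needs=["db:line-sql"])
    m.add("svc:production-line",
          needs=["app:contractor-control", "app:job-queue", "app:station-hmi"])
    # E-commerce: the "site" is a chain of servers, databases, a cloud
    # database and third-party partners, not the single db-server-1.
    m.add("db:orders", needs=["host:db-server-1"])
    m.add("db:catalog", needs=["cloud:managed-db"])
    m.add("app:storefront", needs=["host:web-1", "host:web-2", "db:catalog"])
    m.add("app:checkout", needs=["db:orders", "partner:payment-gateway"])
    m.add("svc:ecommerce", needs=["app:storefront", "app:checkout"])
    return m


if __name__ == "__main__":
    m = build_sample_map()
    # Story 1: the contractor's reboot should have been a reviewed change.
    print(change_impact(m, "host:rack-srv-1"))
    # Story 2: db-server-1 is up, yet orders fall because a partner is down.
    m.set_status("partner:payment-gateway", "down")
    print("db-server-1 up:", m.status["host:db-server-1"] == "up")
    print("ecommerce healthy:", m.is_healthy("svc:ecommerce"),
          m.failing_components("svc:ecommerce"))
```

The same map answers the help desk's question correctly: checking one server says nothing about the service, while failing_components names the actual broken link in the chain.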
Air flights grounded
According to the Wall Street Journal, in July of 2015, a software glitch caused a nearly
four hour outage at the New York Stock Exchange [10]. On the same morning, a computer
glitch temporarily grounded United Airlines flights for nearly 90 minutes after a router
failure disrupted its reservations systems [11].
The ICU is down
Alert! The ICU is down, and a frantic call goes out to pediatric nurses who were off their
shifts to please return to the hospital in order to man the children’s pediatric ward of the
hospital. Nurses were called back in to work because the system that is used to monitor
the pediatric ward had gone offline. An IT solution is no longer functioning. The reason is
simple: a virus spread around the network, disrupting PCs, disrupting systems, disrupting
the business, impacting the workflow of workers, impacting the business, and impacting
children.

The physical and digital convergence is real, and it even affects work shifts and workflow.
Just look at the interruptions caused by the failure of an IT system. In this case the virus
outbreak did not directly target this organization, but was rather unintentionally brought
into the organization and wreaked havoc. This is a great deal of dependency on
technology. We have never had this much dependency before in history.

The monitoring technology was implemented to reduce the number of people required to
monitor the patients in the ICU ward; but now that system is down. Recalled staff and
third-party value-added resellers go door-to-door trying to clean machines with CDs,
having to ask which machines to check first and which rooms have a machine. IT did not
have answers, for it became a case of going from room to room, looking to see if a
computer is in the room. And some of those computers had been sitting there for over a
decade, lost to poor inventory records. The ability to stop something like this
from affecting the business was in its infancy.
There will be no court cases today…the court system is down
There will be no court cases today. Sorry, we are closed because our IT system is down.
We were hit by a virus. Those looking for justice, maybe in town just for the day for the
case, were turned away. The court system was down as multiple systems across the
network were disabled due to a virus that their antivirus control system did not pick up. IT
called a third party to assist with identification of the virus and with the plan to clean out
the machines. The court was closed for four days [12].
Twitter, New York Stock Exchange, and Hacktivism
“At 1:07 p.m. on Tuesday, when the official Twitter account of the Associated Press sent
a tweet to its nearly 2 million followers that warned, "Breaking: Two Explosions in the
White House and Barack Obama is injured," some of the people who momentarily
panicked were apparently on or near the trading floor of the New York Stock Exchange. At
1:08, the Dow began a perilous but short-lived nosedive. It dropped about 150 points,
from 14697.15 to 14548.58, before stabilizing at 1:10 p.m., when news that the tweet
had been erroneous began to spread. By 1:13 p.m., the level had returned to 14690.
During those three minutes, the ‘fake tweet erased $136 billion in equity market value,’
according to Bloomberg News' Nikolaj Gammeltoft. About an hour later, the market
recovered, and the Syrian Electronic Army (SEA) claimed responsibility.” [13]
A little told element of the story was the role that machines played in the fast
response to the false news; in particular, algorithms. As reported by …., algorithms in the
stock exchange handle over 70% of actual trading. The algorithms took in the fake Twitter
info and automatically made trades in response [14]. We are living in a new reality where
news sources have exploded, there is less fact checking, the information is coming in
faster, and there are automatic responses to all of this that are moving faster than
humans can understand. The barriers to putting false information out to the world have
all but disappeared. News media has been disrupted. New operating models are in place,
with less journalistic research and less reporting.
Another emerging threat is the ability for stolen data to be altered and then put into the
public space. Without the ability to validate, public figures could be subjected to
reputation smearing and slanders, potentially causing embarrassment, and, in some
cases, altering their public careers.

Major US banks have been under DDoS attacks, often to disrupt operations, and at times
to mask intrusion attempts. Considering the importance of online banking, this impact to
the customer experience and the business bottom line is serious. There is also nation
state use of cyber-attacks for national interests. It seems that this is destined to be a
new permanent feature in our landscape.
Chapter 4: Cyber Threat Landscape

An attack via the digital infrastructure multiplies the attack surface and lowers the
barriers to entry; an attack on the digital infrastructure itself is an attack on our economy;
and an attack on the digital infrastructure with the purpose of kinetic impact is deadly.

Disruption and complexity in the business and technology landscape provide the context
in which uncertainty reigns in the cyber threat landscape. IT is at a crossroads. Many IT
departments are starved of budget, working outside headline-making breach news and
government regulations compelling spending. Business at the macro level has not come
to grips with the nature of the risk presented by our dependence on technology. Most of
the world’s lives are intimately influenced by technology that they do not understand. The
level of dependency in the modern economy has grown to the point of no return. As a
society, this active embedding of new technology into our cars, houses, missiles, and
bodies, when combined with the seriousness of real threats, has the potential to thwart
economic stability and growth, personal freedom and privacy, while at the same time
stymying the organizational advantages that come from innovation.
The board of directors don’t know. The C-suite really is not in tune here. The plant
foreman just knows that when his guys hit that button over there, the factory just works.
Business disruptions are lulling the population into a false sense of a free and easy
mentality, inspired by organizations succumbing to consumerization. With that, the
expectations have disrupted IT governance and control models. Prodding by headlines
and compliance is insufficient to change the course.
IT finds itself at a crossroads: in danger of being relegated to irrelevance if it fails to
understand real business risk, teach stakeholders, and lead. IT is tasked with being in the
know of how these systems work. Sadly, many times these systems are running amok
and without understanding, problems only become noticeable when something breaks.
In an era of uncertainty, the business need to get work done faster provides many
challenges for IT in its efforts to defend its organization’s digital assets and services.
Dealing with a borderless perimeter, an increasingly mobile workforce, and an influx of
employee owned devices and apps not under IT control, the resulting environment is ripe
to put defenders at a disadvantage. Help from government agencies and vendors lacks
the depth that the seriousness of the problem demands. On top of that, IT has not done a
good enough job of educating the business on this risk landscape. We need to rethink our
strategies to deal with these new cyber risks if we intend for our organizations to thrive.
This is an opportunity.
The primary purpose of all this technology is enablement. The connectivity, speed, and
software are designed to enable. Protection is a side consequence, and the cost of doing
business that also exists in the physical world. Armies, police, guns, insurance, and fences
are not core desires: they are add-ons to enable the economies and workings of human
endeavors.
The risk landscape in the digital economy sees what the most important threat factors
are. The landscape is very dynamic, with many different players with many motivations
using many different tactics. In a nutshell, there’s a lot going on that threatens your
organization, your nation, and the underlying infrastructure of the global digital economy.
Speed kills, and in a digital world, stolen assets are not actually removed from their
original location, but are copied. That copying of data out of your network occurs in
minutes and hours. This is a world of fast compromise and slow detection, often by third
parties. The FBI ranks cyber threats above terrorism as a threat to national security.
The threat in perspective
In response, the C-suite is writing more checks, IT is installing more security appliances,
and end-users are watching more training videos. But make no mistake, we all are failing
at risk mitigation.
When is a leak not a leak, but a robbery? The terminology often used to describe a cyber
intrusion and the exfiltration can lead to confusion. But what we are talking about is
stealing, accomplished by a multitude of different actors with various motives committing
acts of crime in a digital world. Digital assets that are stolen cost the organization
money and reputation, and cause downstream problems for citizens. The impact of this
criminal activity also includes kinetic destruction in the physical world, and it raises the
cost of doing business when an organization works to maintain operations while under
DDoS attack. When machines are wiped and essentially destroyed, that destruction makes
a direct impact on the organization.

It also affects how we work. New questions arise, such as “Should everything be online all
the time?” “What is appropriate for email communications when that message could be
exposed to the public?” Today’s threat landscape is forcing tough questions to be asked
about how we operate, and what the path forward should be.
When your CEO spends his Saturday morning on his iPad browsing the Internet, he is
likely to come across a website that redirects him to a malicious site that puts his
browser in a loop – a scam to get him to call a number or click a link “to help”. He is one
click away from being scammed, having personal information used in identity theft, or
from being used in other nefarious criminal activity. The Internet is the Wild West – there
is no central cyber cop on duty. Even as security defenses have been put up to protect
workers beyond the corporate firewall, the mobility of the workforce has put our workers
on the front line of the lawlessness of the Internet. The commingling of data, devices, and
space has produced an ever-expanding attack surface that has to be dealt with. With more
freedom for workers comes potentially more risk.
Cyber Security has gone from a niche for IT to a boardroom priority. It is spoken about
consistently in the headlines of the Wall Street Journal and in Presidential State of the
Union addresses. The global security spend alone is estimated to top 75 billion dollars.
The nation’s largest bank, JP Morgan Chase Bank, a victim of a cyber breach itself in
2015, expects to double its previous 2014 security budget to 500 million dollars to
address the challenge [15]. That is real money being redirected from other areas of the
business.
The number of industries coming under attack is increasing. More companies are now
reporting breaches to the public, some partly because of legal requirements in industries
losing credit card and PII data. A more wary public and equally wary politicians are
increasingly asking who is behind these attacks, how they got in, and what was
“stolen”.
The players are now also starting to use similar tactics, techniques, and procedures. Who
are the bad guys and what are they after?
Criminals and Armies doing what they do, just in Cyberspace
There is crime in the world, both physical and cyber. There are nation-state military
operations occurring in the world, also in both the physical and cyber realms. The biggest
gap involves our mindsets, which struggle to account for the implications of criminal and
military activity via the same digital infrastructure that business and society are using to
great benefit. This failure to understand the differences has led to our collective response
being haphazard and scattered. Threats from criminals and nations must be mapped onto
the digital world to ascertain the needed adjustments to thinking, strategy, and defenses.
In the past (although it still occurs) the bad guy had to physically drive down to the bank
to perform a “stick-up” of the cashier to steal money. Today, criminals operating in the
digital world are doing it behind laptops located around the world. Location is no longer a
deterrent. There is no longer a moat helping to protect your assets. An organization’s
financial assets are in a digital format, stored in virtual safes behind virtual walls. Anyone
who can remotely connect over the public Internet to your front door in the digital world
could pose a threat. In effect, the benefits of connectivity from anywhere in the world
also provide a new avenue of attack, a new attack surface; this allows an even greater
number of people to steal from you. The digital world also affords the bad guys
anonymity. Whereas great physical harm can come to one who has to physically come to
your bank to rob it, hiding behind anonymity on the Internet provides a comfort level
for many criminals and other threat actors.
If the truth be told, we should not be shocked to learn that just as much crime is
happening in cyberspace as in the physical world, especially considering the nature and
history of our physical world. Just as many criminals and criminal organizations exist, with
just as many motives, and the result is just as many threats. Just as the benefits of the
digital economy are being reaped by so many, so too are the threats moving from the
physical world to the digital world.
Nation states are using the cyber world as an extension of the battlefield – the
militarization of cyberspace. “They burned the place down”, as quoted by the chief
information officer of Sony Studios. It was a reflection of what occurred to his organization
in what many believe, including the US government, was a state-sponsored cyber-attack
from the government of North Korea. When Sony employees came in to work on Monday
morning to start their day by logging on to their computers, they were greeted with a
message indicating they had been compromised. A screenshot image was displayed on the
screen, and in the background, malware was counting down with a timer. On reboot, the
disk was wiped. Mass numbers of machines were inoperable. Emails between executives at
the company were leaked online, showing embarrassing correspondence and inappropriate
business language. Contracts and other legal information were also leaked.
The organization was forced to resort to fax machines and cell phones to operate. The
replacement of 10,000 PCs required a lot of hard drives, causing an interruption in normal
delivery times for drives to reach the usual market customers. Threats made to the
company about its business operations garnered the attention of the President of the
United States, who would later sign a new national initiative that gave the United States
the authority to respond to cyber-attacks with physical retaliation [16].
Another very important consideration is the potential to disrupt digital operations.
Disruption of the internal infrastructure that underpins the digital economy introduces
risk factors (outside nuclear warfare) not seen in human history. Not only is the physical
economy critically dependent on the underlying physical infrastructure, but the
convergence of the control systems embedded in our digital infrastructure, which controls
nations’ critical infrastructure, now makes fast, global, negative threats possible. As we
will discuss shortly, the threat against the critical infrastructure of the largest economies in
the world is one aspect of disruption. The other aspect is the internal routing of traffic
across the Internet, on which much of our digital economy depends. This is definitely
something that IT needs to consider.
The U.S. Military has added cyberspace as a domain of warfare. A presidential order has
been signed allowing sanctions against cyber actors.

Stuxnet is what some are calling the world’s first digital weapon. Stuxnet, as it came to be
known, was unlike any other virus or worm that came before. Rather than simply
hijacking targeted computers or stealing information from them, it escaped the digital
realm to wreak physical destruction on the equipment the computers controlled [17].
Widely believed to have been created by the US and Israel to slow down Iran’s nuclear
weapons program, one of its unfortunate side effects is that this advanced malware is
now out in the wild, being re-engineered and repurposed by others for future use.
The nation state of China is widely viewed as the source of espionage against US
companies for the purpose of stealing intellectual property and feeding it to its industries to
compete. The FBI has said that economic espionage is “a problem that costs the
American economy billions of dollars annually and puts our national security at risk.” The
number of billions is staggering. While the FBI has put the annual cost of economic
espionage at approximately $13 billion, that only reflects the cases the bureau has
actually handled. The Commission on the Theft of American Intellectual Property has
estimated total losses, including jobs, competitiveness, stock value, market share, etc., to
reach into the hundreds of billions [18].
In the world of terrorism, hacking can get you targeted by the US military. According to
news reports, a cyber hacker affiliated with the Islamic State Hacking Division was
responsible for exposing the personal information of hundreds of U.S. military and
government personnel. He was killed in a drone strike in Syria [19].
The US remains a top target in light of threats to our critical infrastructure. Critical
infrastructure is a term used by governments to describe assets that are essential for the
functioning of a society and economy. According to the Department of Homeland Security
(DHS), “The nation's critical infrastructure provides the essential services that underpin
American society and serve as the backbone of our nation's economy, security, and
health. We know it as the power we use in our homes, the water we drink, the
transportation that moves us, the stores we shop in, and the communication systems we
rely on to stay in touch with friends and family.” [20]

According to DHS, there are 16 critical infrastructure sectors. These compose the assets,
systems, and networks (physical and virtual) that are considered so vital to the United
States that if they were incapacitated or destroyed it would have a massive and
debilitating effect on the nation. [20] It is also important to note that the vast majority of
our nation’s critical infrastructure is privately owned and operated. This means that the
technical controls protecting this infrastructure, and as a consequence the nation’s ability
to operate, are vital. In addition, there are serious consequences of disruptions, like those
caused by DDoS attacks. Many organizations run their business on the public Internet
infrastructure, everything from remote office and teleworker connectivity, to IoT devices,
to customer access to your digital storefront.

Cyber Threat Actors

Let’s take a look at the players in this dynamic threat landscape. When thinking about the
risks organizations face in the digital world, let’s explore the threat actors, from insiders
and competitors to nation states and hacktivists. Here’s a list for reference:
1. Insiders
2. Criminal Organization
3. Competitors
4. Nation State
5. Terrorist
6. Activists
7. Individual

Who: The insider is one of your current employees. Every day, when IT walks down the
hall, we are passing fellow employees who could be a threat, a risk to your business.
Threat/Why: This insider could be disgruntled or upset about perceived slights in the
work environment, or distressed about a denied pay raise. The insider is in a unique
position, sitting behind your controls for years with legitimate and trusted access.
Who: The criminal organization is organized criminal activity in the digital world.
Threat/Why: They do the same basic things that they do in the physical world. The
primary motivation is financial: some person or entity wants money. This is the age old
motivation for crime, but just on the digital stage, and in some cases motivated because
of the easier access and anonymity. There are so many examples: CryptoLocker,
blackmail, stolen credit card data, identity theft, and impersonation. In short, something
is of value to the bad guys. It could be intellectual property, personally identifiable
information that is useful, credit card data, trademark data, patents, or legal info. Every
day, both in the physical world and the cyber world, criminals do what criminals do…
commit crime.

Who: The competitor is the company next door with a similar market and similar customers
in a very competitive environment.
Threat/Why: Where any intellectual property is available, it might provide an edge. We
must consider the possibility that our next-door neighbor could use a technology attack
against our company for the express purpose of gaining the upper hand in the marketplace.
Many have doubted this would be an actual attack, relegating it more to fantasy. However,
2015 saw a case of a professional baseball team being accused by the FBI of hacking into
a competing team’s system with the express purpose of accessing intellectual property on
player movement [21].

Who: The nation state is a country whose government has instructed forces to launch an
attack on another country.
Threat/Why: In this case, the technology can take many forms. One common form is
espionage, where one nation gains access to the governmental secrets of other nations
either to obtain intellectual property, or for the future capability to disable critical
infrastructure. The key point to remember is that there are people behind the keyboards
coming in to work every day to run campaigns to support their country’s goals. They are
adept, they have resources, they are persistent, and they are well coordinated.

Who: The terrorist.
Threat/Why: A terrorist is a person who employs terrorism as a tool to achieve their
goals. Terrorism is the use of violence and intimidation to instill fear and terror in pursuit
of some political end.

Who: The activists; in the real world, they hold signs and make political statements.
Threat/Why: The goal of an activist is to make political statements. Everyone is familiar
with the risk of activists in the physical world. In the digital world, the activist uses
technical skill to deface websites, to encrypt critical data and hold it hostage, or to
destroy data to make a political point. Anonymous is a prime example.
Who: The individual.
Threat/Why: When an individual participates in cyber-attacks, the primary goal is simply
to be a nuisance. The nuisance motivation can be powerful, and range from playing a
prank and being annoying to actually causing a hardship.

Tactics, Techniques, and Procedures

Now let’s focus on methods. Threat actors, with their known motivations, have often
accomplished a task by going about a well-worn path of gathering information,
enumerating systems, determining targets, exploiting weaknesses, pivoting from one
system to another, finding the target, and remaining persistent.
Tactics, Techniques, and Procedures (TTPs) include exploiting users with phishing,
exploiting open network access with little to no segmentation, taking advantage of
excessive rights, and abusing credentials.
Malware
“Malware, short for malicious software, is any software used to disrupt computer
operations, gather sensitive information, or gain access to private computer systems.
Malware is defined by its malicious intent, acting against the requirements of the
computer user…”, as defined on Wikipedia [22].
Very well-written software can be developed by a community that works together.
However, bring technical skills together with a market of bad actors with malicious intent
and you have malware. It is one of many malicious tools used by cyber criminals. They
try to get it to run on or against a machine to exploit weaknesses in its operating system,
applications, or configuration, all in order to gain leverage on the target. If an
attacker can remotely exploit software, a foothold may be gained. As defenders have
improved countermeasures, attackers have moved on to attempts to get their software
run on the end-user machine. Remember the law of security: if someone can get you to
run their code, it is no longer your machine.
Impersonation
Impersonation is the act of pretending to be another person for the purpose of advancing
a threat actor’s goals.
Cyber criminals impersonate a user by stealing their credentials. This is similar to
physically stealing the keys and credentials of employees. In the cyber world, it can include
login information, device certificates, and encryption keys used by employees,
contractors, or other third parties. In the digital world, impersonation is often used. You
present credentials to identify yourself as you.

The difference between you and me to a login screen in many cases is a simple username
and password. If the bad guy can impersonate you, then he doesn't necessarily have to
get malware onto your system. He can go where you go, see what you see, and do what
you do.

There are many critical systems today that rely on single-factor authentication. Often the
password is rarely changed. Sometimes, with legacy systems, it is an administrative burden
to change it often. With the explosion in the number of systems that ask you for a
password, the human mind has limitations on the number of different, unique passwords
it can remember, especially when we are trying to make a unique password each time.
Attackers often make use of social engineering. Most major cyber-attacks have used some
form of social engineering to attain their goals. Social engineering is a non-technical
method of leveraging the nature of a user’s decision-making process, especially where it
concerns exploiting trust. It is often used in the attack chain against end users in order to
bypass typical controls.
The daily access of personal systems during the workday, like online banking, personal
email, and social accounts, simply exacerbates the situation. There are costs and technical
challenges to integrating dozens of business systems, and personal systems at times
share the same credentials.
When the human mind forgets the password, a recovery process is used. The bad guys
have targeted the forgotten password procedures of many consumer sites. Often, the
personal data stolen from breaches is used in subsequent attempts to defeat the
procedure.
From the user’s standpoint, he is trying to get things done, not be the keeper of 50 virtual
keys. The social security number was never intended to be used in the identification and
authentication process the way it is used so prevalently today.
The convergence of work and personal times, locations, and devices has created a certain
level of distraction. As a result, users often play fast and loose with business data and
due diligence. The tendency to look for the easy path can lead users to lower their
guard on due diligence in data handling and password maintenance.
The personal information of users aggregated from multiple breaches over time allows
the bad guys to develop a dossier on potential targets. The information users put on
social sites can also be mined for additional clues on potential passwords chosen.
Traffic interception
Intercepting traffic is a tactic that gives attackers access to the raw digital bits of the
digital infrastructure. Traffic can be intercepted from wired, wireless, and remote
connections. The interceptor can impersonate the destination site and effectively defeat
encryption. It can redirect users to sites of the attacker’s choice using various techniques
like DNS poisoning, route injection, and ARP poisoning. Various tactics are in use,
including wireless impersonation of a hotspot (e.g. at Starbucks), defeating air-gap
solutions, having someone plug in a USB stick, getting an insider to directly access a
network node, or attaching a rogue AP to the inside network.

The Defender’s Dilemma

IT is charged with helping mitigate business risks in all their forms, operating in a fast-
paced and complex landscape, with competing priorities, and many undesirable outcomes
and alternatives.
Attack surface increasingly getting larger
Software is not only in the systems you track; it is in your printers and on your phone. It
runs your smart TVs, action cameras, and even your earphones at home. It’s on your
telephone network, and in your TV. Your smart TV even runs test software to help improve
the usability and customer experience of the system. Software is everywhere. And all
software is susceptible to bugs in the code. These bugs open up vulnerabilities across the
technology stacks. Software everywhere makes for a large attack surface, covering the
controls as well as the systems themselves that are processing services and holding data.
It is not enough for IT defenders to rely on controls to mitigate against cyber threats. The
very code itself must be addressed if we are to make an impact.
Struggle to encode technology jargon into business language
IT still speaks in code, understandable only to other techies. The board of directors, C-
suite, and other stakeholders are at a loss for what we are talking about. The risks,
threats, opportunities, and cost justifications are a mystery when we speak to them
because we don’t speak their language. We have an opportunity to improve this situation,
if we want to be taken seriously.
Nature of work changing
The changing nature of work has had major effects on the risk landscape. As business has
reaped the benefits of the technology, we must understand the dynamic roles and
changes involved. This includes both where and how we work, and it has a definite
effect on the risk factors that we have been talking about. One major area is the actual
effect on the effectiveness of current security controls.
Most current controls were built, designed, and tested for the physical world. For example,
a corporate or branch office was protected by a firewall at the gate. As the workforce has
continually moved outside the gates of that perimeter, we’re now living and working in
borderless environments; many any-to-any connections are occurring, some on corporate-
issued endpoints and some in a world where users bring their own devices. The benefits
can be seen in the workflow and the workplace.

IT and Information Security need to be mindful of the fact that this is having an impact.
IT needs to build communication with the business. The new risk factors are necessitating
architectural, structural, and mindset adjustments. These are needed to update the
controls for this new digital world, and they must be communicated clearly to the
business.
Information Sharing is too slow
One of the challenges of sharing vital information with the community on an attack is the
legal constraints and corporate restrictions on what patient zero can report. This can lead
to sub-optimal lessons learned, because the actual TTPs used against the actual control
disposition are not known. There are various laws on who and what must be reported.
There is also a lack of clear standards for ways of quickly sharing intel. The result is that
adversaries are allowed to re-use the same TTPs against thousands of organizations.
Talent shortage
As in the past, talent continues to be the most critical tool that IT possesses in securing
business assets. As the demand continues to grow, the cybersecurity talent market is
heating up, with open positions unfilled for long periods of time. This is especially
noticeable for analyst roles in security operations and for incident responders. These
detection and response roles are critical to mitigating risks.
Many organizations are turning to partners to fill the gaps. The market growth
opportunity will continue into the foreseeable future.
Security budgets often not based on assessment of risk
In a Ponemon Institute global research report, only 32% of respondents indicated that
the budget was based on an assessment of security risks [23]. In the other cases, senior
management used some other method of determination: what the organization felt was
the right amount, or some percentage of total budget.
Over 75 billion will be spent overall on security in 2015. That may be a lot of money, but
the question is whether it is enough, whether it is in the right areas, and whether it is
applied effectively to reduce probability and impact.
Complexity and Fragmentation
As IT looks to adjust to the new threat landscape, it is finding a very complex and
fragmented environment. IT can expect to experience challenges, constraints, and risk
along its path.

Designed for ease of use
In a market driven by consumerization and influencing the enterprise space, vendors and
manufacturers are incentivized to design for ease of use. The reason is grounded in the
business priority of maximizing revenue. Ease of use helps customer acceptance. The
implication for security efficacy cannot be overstated. For example, the Microsoft
Windows operating system is designed for functionality across the widest audience, and
across the broadest set of software and device support. It is designed for ease of use for a
consumer market. It is a broad platform for applications written for business. However,
there are many design choices that reflect these priorities.
What many consider to be a more secure platform – the *nix platform – just does not have
the user popularity on the desktop front. And on the server front, the Windows platform is
very popular with developers. That means the base operating system supports both
Fortune 500 companies and your grandmother’s home PC. Microsoft is balancing
functionality and security.
Infrastructure gear also takes functionality heavily into consideration. The theme is to
make it faster to get gear up and running, as the vendor’s primary concern is gear that goes
unsold because it is difficult to use. IT has to transform infrastructure, operating
systems, and software into enterprise-grade mitigation.
Technology Silos
Another challenge for the IT defender is the product procurement process, from reviewing
the features and functionality, to the support and cost questions. Scope is very limited, and
the goal is to try to get the most bang for the buck. For example, consider the problem of a
new secure mobile solution from a vendor which does not support a wireless
infrastructure. It may have trouble integrating with the wired side, forcing IT to have two
network vendors: one for wireless and one for wired. Some vendors are attempting to
unify wired, wireless, and remote access into one product, resulting in one solution set to
make things easier. IT must be on the lookout for architectural solutions like that. IT
needs to make sure vendors are providing integration capabilities, and that the vendor’s
product provides information to other products and can take the information from other
products into its core, thus offering and providing actionable controls. This is what IT
needs to look for.
Vendors slow to innovate
Vendors only add transformational functionality or deeper integration when they get
pressured. In particular, the direction and effort put into a product is a function of the
revenue implications when enhancements are not brought to market. In essence, the
question is whether the vendor is impacted by not improving, especially if the market
that vendor operates in happens to be in the same situation. Failure to transform the
underlying principles of their product development drives weaknesses across the
technology stack that make detection, protection, and response challenging. Some
industries are more agile than others, while others are saddled with legacy systems that
are extremely difficult to upgrade. Vendors are going to need to make changes to how
they develop their products to stay relevant.
Fragmented security market
Also challenging for IT is that the security market is fragmented. You have those vendors
who are traditional infrastructure and software players trying to break into security, and
those traditional security-focused companies trying to integrate into more traditional
systems. These companies are finding their niches challenged as their relevance
drops. In response, you see them turning to new technologies like analytics, machine
learning, and threat intelligence inputs to help keep up. The primary example is the anti-
virus makers, whose solutions have low detection rates and high infection rates against
today’s malware, which goes undetected for long periods of time. This is forcing major
security niche players to increase their innovation to help them improve their control sets.
Non-niche players are attempting either to acquire niche players or to integrate their
technologies as add-ons at the infrastructure level. That integration is sometimes slow and
clunky, and a shaky roadmap leaves IT waiting to see how all the integrated pieces will
work together. In any case, IT looking to have a long-range plan of 3, 4, or 5 years finds it
challenging to get vendors, niche or otherwise, to provide a sure footing for its approach
forward. This can make the budgeting process more challenging, especially when IT needs
to come before the business and ask for money, money that normally has to stretch
multiple years out into the future.
Common Mode Failures & Vulnerabilities
Always On, Always Available is one of the most critical aspects of convergence. With the
number and type of systems in a network sharing a common infrastructure increasing,
common mode failure analysis becomes a more critical process.
Common mode failure refers to events which are not statistically independent: a single
fault causes failures in multiple parts of a system. As an example, consider what happens
when all of the pumps for a fire sprinkler system are located in one room. If the room
becomes too hot for the pumps to operate, they will all fail at essentially the same time,
all because of one cause (the heat in the room). Another example is an electronic
system wherein a fault in a power supply injects noise onto a supply line, causing failures
in multiple subsystems.
A complaint that the network is down can now cover everything from reading a financial
report, talking on the phone, and recording the parking lot, to signaling a PLC to close
a valve. We must revisit our redundancy strategies and implementations.
Similar to a failure, a common mode vulnerability has potential as an impact multiplier. A
single vulnerability in a single component could become a vulnerability of the many
systems behind it. As controls often rely on location, a weakness in a firewall could
potentially expose thousands of systems behind it to the public internet.
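To put the common mode argument into numbers, here is an added example that is not from the book: a beta-factor calculation showing how a shared failure cause wipes out the benefit of redundancy (the pump room), and a dependency walk that lists every system a single weak control, such as the firewall above, exposes. The failure probabilities, system names and dependency map are constructed for illustration.

```python
"""Common mode failure and common mode vulnerability, worked as numbers.

Added example, not from the book. All probabilities, names and the
dependency map below are constructed for illustration.
"""
from fractions import Fraction
from typing import Dict, List, Set, Union

Number = Union[int, float, str, Fraction]


def _frac(x: Number) -> Fraction:
    # Go through str() so that 0.1 means one tenth, not its binary approximation.
    return x if isinstance(x, Fraction) else Fraction(str(x))


def p_all_fail(p: Number, n: int, beta: Number) -> Fraction:
    """Probability that all n redundant components fail in one period.

    Beta-factor model: each component fails with total probability p, and a
    fraction beta of that is a shared (common-cause) event that takes every
    component down at once, like the overheated pump room. The remainder is an
    independent failure of that one component. beta=0 is the textbook
    independent case (p**n); beta=1 means redundancy buys nothing (p).
    Exact fractions are returned so the figures can be checked by hand.
    """
    p, beta = _frac(p), _frac(beta)
    if not (0 <= p <= 1 and 0 <= beta <= 1) or n < 1:
        raise ValueError("p and beta must be in [0, 1] and n >= 1")
    common = beta * p               # shared cause: all n fail together
    independent = (1 - beta) * p    # per-component, statistically independent
    # Either the common cause strikes, or it does not and every component
    # happens to fail on its own.
    return common + (1 - common) * independent ** n


def exposed_by(control: str, depends_on: Dict[str, Set[str]]) -> Set[str]:
    """Every system whose protection rests, directly or transitively, on control.

    depends_on maps a control (or system) to what sits behind it. A weakness in
    the root control is a common mode vulnerability for everything returned.
    """
    exposed: Set[str] = set()
    frontier: List[str] = [control]
    while frontier:
        node = frontier.pop()
        for child in depends_on.get(node, set()):
            if child not in exposed:
                exposed.add(child)
                frontier.append(child)
    return exposed


# Constructed dependency map: one edge firewall fronts a DMZ switch and a VPN
# gateway, with application tiers behind them; the HR portal is elsewhere.
DEPENDS_ON: Dict[str, Set[str]] = {
    "edge-firewall": {"dmz-switch", "vpn-gateway"},
    "dmz-switch": {"web-01", "web-02"},
    "vpn-gateway": {"erp-app"},
    "erp-app": {"erp-db"},
    "hr-portal": {"hr-db"},
}


if __name__ == "__main__":
    p = "0.1"  # each pump fails one time in ten during the period
    for beta in ("0", "0.1", "0.5", "1"):
        print(f"3 pumps, beta={beta}: P(all fail) = {float(p_all_fail(p, 3, beta)):.6f}")
    print("edge-firewall weakness exposes:",
          sorted(exposed_by("edge-firewall", DEPENDS_ON)))
```

With beta at 0 the three pumps fail together one time in a thousand; with only a tenth of each pump's failure probability shared, that figure is already above one in a hundred.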

So many patches, so many systems, so little maintenance time

IT is slow to patch production systems. With so many systems, cloud computing resources,
and limited maintenance windows, it is challenging to keep pace. The lag between the
release of a fix and the actual patching is a problem, and the challenges of a changing
environment need to be addressed, especially when we consider that the Verizon breach
report indicated that the small number of vulnerabilities that accounted for the majority of
successful attacks had had a patch available for over 10 years.
Cost models not in our favor
It is now cheaper for bad guys to run attacks, but very expensive, time consuming, and
sometimes disruptive for IT to implement defenses when the main purpose is to run a
business. Right now, our cybersecurity cost model is broken. Adversaries can often use
the same attack against thousands of entities. It’s cheap for them to use the same tool
and keep trying until they succeed. And eventually, they do. [24]
PART 2 – ENABLEMENT

The systematic approach to conceiving the technical frameworks, architectures, and platforms necessary, while simultaneously navigating current and near-term disruptions, complexities, and risks in order to pave the way for organizational success as defined by the business.
Chapter 5: Business Transformation

Innovation – a new idea, a new way of doing things, a new service, a new product, a new way to engage your customer, a different way of thinking. Innovation is used to tackle pressing challenges to market viability, competitiveness, and continued customer relevancy. As such, it is absolutely necessary for an organization’s survival in a world of disruption, complexity, and risk. IT must put its weight behind the organization’s efforts here, giving valuable assistance. We enable better solutions to meet new requirements, unarticulated needs, or existing market needs.

Understanding today’s digital world and the business, technological, and risk landscape sets the foundation for identifying what is possible today. Once the decision has been made to go for it, IT needs to support innovation at the business level, enabling lean, agile, and smart systems while also accepting the challenge of cyber threats. What is possible? Let’s take a look.
Is your company or industry in the news tonight? Is there some market shift, change, or disruption that affects your organization? Are you in the Oil & Gas industry, where oil under $50 a barrel is devastating the job market? How about manufacturing, where the decline has been going on for decades? How about banking, where the number of tellers is dropping? Market disruptions have real impact on our organizations, their bottom lines, and their employees. In a global economy, there are disruptions from energy fluctuations, wars, and increasing competitive pressure. And if you are a publicly traded company, then stockholder pressure for return on investment puts the pressure on for non-stop top-line growth and cost control. The stakeholders in your organization are under extreme pressure, and that is the framework within which IT operates.

IT has to operate as an enabler of growth, an engine for innovation, and a protector of the business value stream. IT has to help the business see threats on the horizon, enable digital transformation, support decision making across the organization, and support business operational excellence.
IT needs to capitalize on what is possible. It must see it, respond to it, adapt, and realize new opportunities as a result of it. Not all opportunities are in direct response to a problem; an opportunity can also be a change in thinking about how we live, work, and play. IT doesn’t directly handle the P&L, but it can support those who do. First, let’s enable.

Digital Enablement
The theory and strategy sound good and all, but unless you can execute, you are just wishing. The new standard response from IT: Yes, it is possible... and this is how (and how much it will cost, when it will be ready, and what level of new business risk will be introduced).
IT develops a digital strategy aligned to address business challenges, priorities, and risks. In collaboration with the business, IT can jointly formulate and continue to refine strategy around ways to capitalize on the digital transformation disrupting all markets.

The disruptor sets the new bar for better, faster, and more desirable in the market. Every day, someone, some company, is trying to change the standards for excellence, redefining what is possible, challenging how we do what we do. Sleep too long on a problem, and the business across the street will take advantage and leapfrog you. Technology-enabled business transformations are creating disruptions in all industries, even challenging the notion that you cannot lose when you provide what buyers want at a lower price. Things are different.
Outcomes Matter
We won or lost, we made our revenue numbers for the quarter or not, we delivered on time or not. Binary, yes or no responses are used to address the concept of outcomes. If my investment in company X delivered a return, that could be the desired outcome. If brand X is cheaper than brand Y, that factor may decide which one is purchased.
Another binary concept is survive or not. This could refer to your company, the product, or your job. Outcome matters. But in a world of disruption, just showing up and delivering what is expected is not always enough. Customers want more. Outcomes only tell part of the story. The experience of the buying process, and of the whole lifecycle of consuming what was bought, dictates that the experience also matters.
Experience Matters

Customers can buy things from many places. Job seekers can get work from many places. Companies can hire from many places. Sometimes, price is the most important buying factor. Consumers of all types have various criteria, at different times, and for different types of products and services. When the consumer wants more, then to compete, we have to create a distinct experience. When we want more, for our company, our customers, and ourselves, we want to thrive. When we want the journey to be different, we want to make a difference.

Your business is undergoing digital transformation not just to survive, but to grow revenue and market share. The customer’s experience is reimagined through digital transformation. Experience refers to how the customer feels about the brand, the company, the product, and the service, not just at the beginning of the interaction but all the way through.
The Tale of 2 ITs
Example: Internal employees trying to get their work done
Joe is on his way into the office; he will spend another 45 minutes in traffic, then sit in the office for 2 ½ hours to accomplish tasks that will not add much customer value. His IT department has already set him up with remote access and the brand new VDI solution that was deployed 6 months late; he nevertheless found it unhelpful. On this day, he makes the drive in to get “work” done. He will be confronted with water cooler talk in the kitchen, a long login time on his laptop followed by two reboots for Microsoft updates, trouble finding the printer, and only after 500 mouse clicks will he turn his attention to logging into the expense system to enter his receipts. At the login prompt, he has to pull out a piece of paper from his wallet that has the password written on it. That paper includes the passwords of 20 other systems. For security reasons, IT forces complex passwords on all of them. He will eventually get around to manually typing his expense receipts into the corporate expense system.
Across town, Bob uses his smartphone from the road to push six buttons to complete the same task. He sees 3 more customers, gets proposals and collateral information, and updates the customer database, all from his personally owned smartphone. He beats traffic home in time to see his son get home from school. Somehow someone heard the voice of the user and transformed an entire business process!
External: Customers doing business with your company
Jane has to drive downtown, find parking, stand in line, and wait for the next available person to attend to her need.
On the other side of town, Janine downloaded an app to her smartphone, logged in, and tapped three buttons. In the background, an entire services chain is initiated, orchestrated across silos of departments, technology, and distance. The service is delivered in seconds. Janine is done in under a minute and on to more important matters. Somehow someone took the time to use technology and orchestrated processing to cut the time to deliver!
Internal: Groups doing business with IT
Tim has only been on the job for three weeks now. He has spent most of his time getting to know the business, his team, and how things work around the plant. He is struck by three phenomena: how long it takes to get reports back on throughput by station, the constant need for his guys to stop what they are doing on the floor to go inside to update the job run, and the amount of guessing his foremen seem to be doing in determining when maintenance should be performed on the equipment. After talking to his team, a misunderstanding between his guys and central IT becomes evident. There is a long list of requests, complaints, and help desk tickets in various stages of being worked on, some dating months back. He hears that there have been several all-hands meetings, but to no avail.
Terrence just started at the competing plant across the street. On day one, someone from IT came down, introduced herself, and welcomed him on board. She came along with the HR person as part of new hire orientation. As soon as Terrence signed his paperwork, along with his non-disclosure agreement, his birthright entitlements were instantiated across the enterprise app store. When he logged in from his personal laptop, he was able to access a portal that included service metrics for his entire group, with SLAs and estimated completion times. There was also a consumption matrix showing resource use across the enterprise service bus with costs, estimated alternatives with pricing, and a composite risk score on all assets his plant had dependencies on. Somehow IT knew he was coming and was prepared!
(Software Code) Coding for enablement and transformation of business processes
“Today, most organizations rely on IT more than they know. Almost every commitment a
company makes to the outside world, whether it’s related to projects, operations,
compliance or financial reporting, requires IT. Yet, many CEOs will still say, ‘We’re not
Google or Microsoft. IT isn’t a core competency. We can outsource all of this.’
For most companies, IT functions as the nervous system and provides an increasing
amount of the organizational muscle mass. Most critical business functions are entirely
automated within IT, and 95% of all capital projects depend on IT to get done. Today,
nearly every business decision will result in at least one IT change.” [25]

Where do you find opportunities to help your organization? They can be found everywhere, every day, as they present themselves cloaked in problems, complaints, disruptions, threats, and silent, unseen market needs.
High performing organizations affect the bottom line. Organizations that leverage their software developers to produce more embedded and impactful business process functionality, in both the front-end and back-end areas, position themselves to have the largest positive impact on and contribution to the business.
In the digital world, digital transformation is driven by new capabilities enabled by application development. As IT has fought the friction of organizational silos in order to keep pace with business demands, a community has developed over the last few years to bring the principles of Lean and Agile to life and deliver quality code faster: DevOps. It takes on head-on the friction between software developers and infrastructure teams within IT, reducing that friction and improving global optimization. The idea behind it is to bring your developers closer to the business in order to properly capture workflow and functionality, both front end and back end.
This movement can help your business. DevOps uses principles of Lean that enable a closer integration of software coders and operations to greatly expand the speed and quality of code delivered. The result is the ability to experiment more often and to respond to customer needs at market speed. This becomes even more critical as more standalone products in the market are enhanced with some service component that is powered by software.
(Things) Internet of Things
According to Wikipedia, Internet of Things (IoT) is defined as “the network of physical
objects or "things" embedded with electronics, software, sensors, and network
connectivity, which enables these objects to collect and exchange data. The Internet of
Things allows objects to be sensed and controlled remotely across existing network
infrastructure, creating opportunities for more direct integration between the physical
world and computer-based systems, and resulting in improved efficiency, accuracy and
economic benefit; when IoT is augmented with sensors and actuators, the technology
becomes an instance of the more general class of cyber-physical systems, which also
encompasses technologies such as smart grids, smart homes, intelligent transportation
and smart cities. Each thing is uniquely identifiable through its embedded computing
system but is able to interoperate within the existing Internet infrastructure. Experts
estimate that the IoT will consist of almost 50 billion objects by 2020”. [26]
Billions of things sensing, capturing, controlling objects, and communicating with each other, with systems, and with people open an enormous opportunity to transform areas of growth and operations across all industries, from tackling operational challenges in the field, to inventory, to remote facility operations, to end user consumer experiences. The Internet of Things provides the feedback to determine when a robot needs servicing, improves traffic flow with traffic light control, administers medicine via an IV pump, and can even locate a wheelchair.
What does IoT mean for IT? In the past, before convergence, before the ubiquity of network connectivity, the advance of smaller electronics, and distributed software, many areas of business operations were not in our scope. Now, within IT’s scope are telephones, video cameras, wheelchairs, badge readers, factory motors, and manufacturing assembly lines. Systems covering both the executive suite and the factory floor are involved, with thousands of dispersed systems now running on a common IP-based backbone, running software code that needs to be maintained, and generating massive amounts of data that need to be processed. This means more responsibility, but also more opportunity to help our organizations. How many systems with IP connectivity now run on our network that in the last decade were the responsibility of someone else in your organization?
IT must be aware of the areas that now fall under our influence and begin to think about how they interact as systems that support the business; here we will find opportunities to help.
(Value Connectivity) Application Programming Interfaces as a platform
Application Programming Interfaces, known as APIs, are sets of routines, protocols, and tools for building software applications that specify how software components should interact, as defined by webopedia.com [27]. APIs are a necessity in the digital world for enabling new services and revenue streams. They are foundational technology for digital enablement and for new service and business opportunities. “Behind every smartphone, mobile app and connected experience is at least one API,” according to Apigee [28].
To participate in business growth, your organization can look to increase the value of your offerings by interfacing with other ecosystem partners to enhance the experience, improve the outcomes, and increase the touch points that drive bottom-line revenue growth and increase market share. It’s about speed to market and enhanced offerings that our company cannot build all on its own. We need to connect with others to add more value and scale what we provide. Leveraging what we already have, including data stored in legacy systems, combined with new sources of data, and connecting with third-party data sources and services can allow us to bring new value to the marketplace.
IT has an opportunity to support the business’s digital efforts by exposing more systems through APIs, and by using third-party sources to enrich our own. This also allows for greater scalability by reusing what has already been created. The value is not in rebuilding what is there, but in using other platforms via APIs to enhance ours.
As Brian Koles of ChallengePost said, “A company without APIs is like a Computer without Internet…you wouldn't want a computer without Internet access.” As software continues its transformation of industries, a lack of connectivity increasingly equates to being broken. Many of the best apps out there are skillfully interconnected collections of APIs. Koles expressed the relationship between software developers and APIs very concisely: “If software developers are the new rock stars, then APIs are the instruments with which they make their music.” [29]
Digital interfaces are needed for ecosystem partners to work with you. Our digital world is one where platforms and ecosystems will dominate, and our value will lie in the ability to string all of this together into a cohesive offering. APIs will serve people-to-people, people-to-machine, and machine-to-machine connectivity. They are foundational for enabling us to act on the opportunities of the Internet of Things.

Optimizing Decision Making

Making decisions is what we all do every day. The outcomes and experiences we have are influenced by how well we make those decisions. We must seek to get better at making decisions. And by the way, make sure you check to see how well you are doing at making those decisions. As IT, we must strive to make the most effective use of our finite resources and maximize the available business opportunities.
Making Decisions
Could your decision-making process be leaving money on the table? Could it be adding extra percentage points of cost to your current operations? Could it be sabotaging your organization’s future earning potential? Decision-making, whether good or bad, should be measured. If the ultimate success or failure of the organization hinges on outpacing the market, it behooves everyone to ensure that the decision-making process is producing optimal outcomes.
It is critical that we make good decisions to improve our condition. It is a hallmark of great leadership to assess the situation, be guided by good data, analyze that data, and then execute. Optimizing decision making is vital to both strategic decisions and operations. IT can help facilitate the decision making process by bringing together stakeholders, with the right decision framing and the supporting data. And data needs to be structured in a consumable manner.
To decide…is to be alive.
Move left or right, to the cloud or on premises, go with vendor X or vendor Y, let users bring their own devices or issue them, upgrade the system of record and migrate to a new platform, etc. – countless decisions that, put together, can make or break a company.
To accomplish any of the goals that we have talked about so far, one must take a look at the decision-making process. Decision-making is a key component and key skill for IT to make improvements and transformations; it affects every aspect of what we’ve talked about up to this point. It ties into how to procure services, how to choose a vendor, how much to pay for a service, whether to make a given recommendation, and how to assess security risk every day. IT has to make decisions and the business has to make decisions. IT can improve business decision making by leveraging some of the new tools and analytic processes that are available today.
Decision making needs to occur in a wide variety of contexts, such as strategic planning,
real time process support, and critical operations. Some decisions occur in a process that
could take months and involve extensive data gathering and detailed analysis. Multiple
stakeholders could be involved in the ultimate decision. A consensus may need to be built
over a period of time to make the most beneficial decision for the business. IT in this
context is supporting the business in this decision making process by providing the data
fabric necessary to supply relevant information. Also, IT itself has its own strategic
decisions it must make on an ongoing basis.

In other contexts, decision making could mean making near real-time decisions in operations where data and analysis are automatic and inform the decision maker in a relatively short period of time, mitigating risks. Decisions often need to be made on the front lines in business settings. This is the optimal place for decision making to occur, and it usually requires real-time or near real-time data for operational relevancy to be maintained. To support differentiated needs for decision support from data and analytics, we must distinguish the various data needs of the organization.
Bad Decisions
The implications of making bad decisions are varied. And they affect us all: as individuals, as employees, as governments, as organizations, and as IT. Bad decisions can result in a negative outcome in market competitiveness by being late to respond to customer needs, in wasting finite time, money, and effort, and in needlessly exposing ourselves to unnecessary risk. Secure operations, when done right, are table stakes. However, considering how poorly the industry as a whole is doing, it is critical to get protection, detection, and response right. Making bad decisions can cost our company big time; it could result in going out of business. First we need to have a framework in place to make good decisions that go beyond hunches and good luck. Four out of ten companies in existence today may not still be in existence in 10 years because they have been disrupted by a competitor or weakened due to shifting market needs and wants. IT can help itself, individual employees, and the organization.
Good Decisions
New York Air Brake gives US railroads the potential to save up to 1 billion
The train engineer at the controls of a 20 foot long train system steers his way along the tracks across thousands of miles. He is using his experience from years on the job to make decisions about how fast to go, where to pick up speed, where to slow down, and, in general, how he should operate the train. In the case of New York Air Brake, their highest cost of running the business was fuel, so any improvements that decreased the amount of fuel used to run their trains directly affected the bottom line of this company. Even the slightest percentage decline in fuel usage could make a significant difference when expenses ran in the high millions.
The trains themselves are filled with electronic circuit boards and systems, littered throughout the trains, the tracks, and the control systems of the tracks. The potential was this: if the information produced by all the systems on board the train could be leveraged, then insights could be gleaned on ways to optimize the operation of the trains, and ultimately the downstream effect would be a reduction in the amount of fuel being used.
Unfortunately, as is common in industrial and automotive systems, there are many suppliers of components, each using their own unique operating parameters, systems, and control systems. As such, there is no common communication protocol or information bus that makes it easy to collect information.
In the case of New York Air Brake, they found a platform that made it possible to ingest the myriad of data sources from the different components into one central location. Once the data was aggregated, they dove into the raw data underlying the train systems as a whole and began to explore the data set. With the help of third-party component providers, they worked as a team to glean insights that had not been apparent before. What came out of this exploratory analysis of the raw data were the hints and clues needed to optimize how to train operators to operate the trains. By aiding and assisting the train operators, the data was used in a feedback loop to provide guidance on the best way to handle curves, speedups, and slowdowns, ultimately resulting in a reduction in fuel use in train operations. The business outcome was astounding: billions of dollars saved in operating cost by reducing fuel [30], [31]. When IT helps the business collect and analyze data, these kinds of results are common.

Should a basketball coach rest his star player for an upcoming game?
Should a basketball coach rest his star player for an upcoming game? In a sport defined by the importance of the star players’ availability to play an actual game, the health of the players is critical. Sports doctors surmise that wear and tear on basketball players’ bodies, in particular joints like knees, raises the probability of injury. The hypothesis that has been stated is: if you can get an indication of tiredness and undue wear on the joints of a star player, then you can head off potential injury by resting said player.
That was the case in the 2015 world championship, with the Golden State Warriors leveraging wearable technology. By having its players wear exercise sensors on their bodies during practices, recording the observations made by the coaching and training staff during the actual games, and studying the minutes played by each player, coaches were able to take the data and predict, ahead of an upcoming game, that some of their star players were reaching an exhaustion level. In a preventive move, Coach Steve Kerr rested the eventual league MVP Stephen Curry for an upcoming game at a point where analytics indicated he had reached an exhausted state that increased the likelihood of injury [30]. By using observation and making use of new technologies and analytics, the team is now actively looking for ways to decrease the likelihood of injuries to its star players, thus reducing the overall likelihood of them missing games and in consequence raising the probability of more wins for the team. The NBA as a whole is looking to leverage wearables in actual games, although this is still in the early stages.

Data as Fuel for Decision Support

Business runs off the insights, answers, and clarity of data.
Organizations see a potential boon in actionable insights derived from big data, not only to sell more widgets and services, but also to better manage healthcare, stop the flow of counterfeit drugs, track terrorists, and maybe even track your phone calls. Hence it's a given that big data isn't inherently good or evil. It's how you use it that counts. [31]
The sheer volume and variety of new data generated worldwide is outstripping the current capability of organizations to manage, analyze, and act upon it. We have an opportunity to tame these technical challenges and abstract this complexity from the business so they can focus on the insights and on driving more customer value.
There exists a myriad of business end-users who would like to consume this massive amount of data. Sometimes referred to as data consumers, these end-users come from all across the organization: security teams, data scientists, customer marketers, sales, inventory managers, and executives. Data uses include the following: businesses trying to detect fraud, marketing directors looking for new insights into customer buying patterns, sales trying to determine the next best strategy to increase gross profit, and the CEO determining the growth of the business as a whole. IT itself is a consumer of the information needed to optimize its operations.
It’s important to understand what data means to the business. It affords a tremendous opportunity, as it places the business in a position to leverage that data as useful, valuable information because of the analytics made possible by the use of raw data, making operational intelligence possible.
How data informs the decision making process
If the decision making process is to improve, then we must first understand the process by which people are making their decisions; we need to know what is driving their choices. That can be a scary thing for some people. However, it is in the best interest of the entire team to ensure our decisions are based on the best data available at the time.
One area we are generally concerned about is hunches. We don’t want to stifle intuition-based decisions honed from years of experience. However, when uncertainty can be reduced, bad assumptions can be minimized. For example, a store manager may have a good feel for when to put more cashiers up front, a skill he may have developed from experience. If the extra cashiers are part of a process in the warehouse to unload goods and shelve items, then that process could be starved of needed resources and ultimately frustrate shoppers looking at an empty shelf. So every time the manager shifts personnel to the front, there could be a negative impact. If we can inform the manager’s decision with a combination of historical data on time waited in line along with real-time tracking of the buildup of the lines, we may be able to show a pattern that allows the manager to proactively schedule his people to optimize both front counter and back end warehouse operations. This also has the benefit of letting other managers understand the underlying rationale for his resource allocation, allowing other stores to potentially learn from this situation.
A data driven approach allows us to discover what we are doing wrong and challenges some of our long-held assumptions. We have a lot of opinions, but we don't necessarily know where we are wrong. We need to start asking questions, having conversations, and learning from the data.
Risk analysis, as we discussed in earlier chapters, feeds decision analysis, both for the business and for IT. How we make decisions may be more important than the decisions themselves. Every action, from who to hire, to what system to procure, to who to partner with for IT, is based on decisions. And there isn’t just one way that a business makes decisions. Choices about whether to change our organizational structure, enter a new market, or change our strategy all entail various ways and methods for coming to a decision.
IT can help this process on a couple of fronts. We have already talked about the criticality of risk analysis. We can also improve our support of the decision processes of various business entities through the availability of data, information, and insights at the right time, to the right people, with the right context. Also, we can lead in clear and concise communication. The value of Lean and Fast IT is the agility it gives to the business.
Data is the new Oil
It drives everything. It starts out raw and when we process it, it becomes powerful. It
informs our decision making. It powers our digital economy. It is data.
Data’s impact has many comparing it as a raw material similar to oil. Oil is refined into
multiple uses, including fuel and plastics. The opportunity for IT is to improve the value
that can be refined from data to producing information and insights that actionable for
the business. Time is money, and where IT can help in making this data more easily
available, faster, and in a secure manner, will go a long way towards helping the business
gain competitive advantages.
Modern data is described in terms of three characteristics: volume, or how much data
there is; variety, or how many different formats or structures the data can be in; and
velocity, referring to how fast the data is being produced. The volume of data alone is
incredible: in 2012 alone, 2.5 quintillion bytes of data were generated [32]. Data
structures include structured, semi-structured, quasi-structured, and unstructured data,
which accounts for 80% of the data in the world [32]. New sources of data are coming
online every day, including data from mobile sensors, social media, video surveillance,
smart devices, geographical exploration, medical imaging, and gene sequencing. Data
repositories include spreadsheets, data warehouses, and analytic sandboxes. However,
distinct challenges come with this massive amount of data: the format of data warehouses
is often too rigid, traditional data architectures inhibit data exploration and higher
levels of analysis, the architecture changes based on where data is collected, and the
sheer volume can be challenging to collect and manage.
Data analytics is another important factor. The drivers of analytics are varied:
optimizing business operations, which include sales, pricing, profitability, and efficiency;
identifying business risks, which include customer churn, fraud, and default; predicting
new business opportunities, including upsell, cross-sell, and best new customer prospects;
and complying with laws or regulatory requirements, such as anti-money laundering, fair
lending, Basel II-III, and Sarbanes-Oxley (SOX).
Business intelligence and data science have evolved from an explanatory to an
exploratory approach. Analytic models are many, including clustering, association rules,
classification, regression analysis, time series, and text analysis. The location of the
data, and the architecture to manage its lifecycle, are further considerations.
Data is truly the new oil. And like oil, raw data must be refined into information, which
then powers operational intelligence and insights. Data feeds the day-to-day operations
of the business.
Confidentiality and Privacy

We are custodians of tremendous amounts of data, some of which contain sensitive
information and may include personally identifiable information. In fact, we are collecting
much more private data today than we did in the past, and this includes metadata about
user behavior. There are many more connection points to this data, including data from
third parties in support of value add for business needs. We need to be sensitive to the
practice of sound governance around all data collected. The issue of privacy is becoming
increasingly important as the digital exhaust of unstructured data gives ever more insight
into the behavior of people.
Data Availability
Schema-on-Write giving way to more Schema-on-Read.
Refining transforms the raw data into what ultimately becomes operational intelligence. As
such, it must be timely; as the word operational implies, it must be available in near
real time. Someone may need this data within the hour to make a decision. For example, a
two-hour or five-hour window is too late if operations requires you to know of an
impending failure within a five-minute window. Knowing about it the next day, after a
batch process, would also be too late.

IT has an expanded role to play in delivering usable information faster to the business.
Consider the time frame typical for refining the data and presenting it back to end users.
The traditional schema-on-write approach defined the data structure, or schema, up front.
This dictated the way the data had to be ingested, manipulated, and read back, and had
the disadvantage of slowing down time-to-value to the point of being business
irrelevant. Newer approaches use schema-on-read, which allows much more flexibility to
define, change, and experiment with the data. It can accommodate a variety of data
users’ needs while leaving the underlying raw data intact. This flexibility gives more
freedom to adjust on the fly.
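As an added illustration, not from the book, the following Python contrasts the two approaches on a constructed feed of three sensor events (device names, field names and readings are made up): schema-on-write validates at ingest and keeps only the typed table, so a field that arrives later is lost and a bad record vanishes silently, while schema-on-read keeps every line verbatim and applies a view at query time, so a question nobody anticipated can still be answered from the same raw store. The price of the second approach is that every reader must now do its own validation, which the example makes visible by reporting rejects instead of dropping them.

```python
"""Schema-on-write versus schema-on-read over one constructed event feed."""
import json
from typing import Iterable


class SchemaError(ValueError):
    """Raised when a record does not fit the schema being applied."""


# Constructed raw feed (hypothetical device names and readings): the second
# line carries a malformed temperature, the third carries a vibration field
# that the original schema never anticipated.
RAW_EVENTS = [
    '{"device": "pump-7", "ts": 1700000000, "temp_c": 71.5}',
    '{"device": "pump-9", "ts": 1700000005, "temp_c": "n/a"}',
    '{"device": "pump-7", "ts": 1700000010, "temp_c": 74.0, "vibration_mm_s": 9.2}',
]

# The schema decided up front, before any data arrived.
WRITE_SCHEMA = {"device": str, "ts": int, "temp_c": float}
# A question nobody asked at design time: vibration per device.
VIBRATION_VIEW = {"device": str, "ts": int, "vibration_mm_s": float}


def project(rec: dict, schema: dict) -> dict:
    """Pick the schema's columns out of a parsed record, checking each type.
    Fields the schema does not name are dropped; missing or mistyped fields
    raise SchemaError. bool is excluded because it is a subclass of int."""
    row = {}
    for col, typ in schema.items():
        if col not in rec:
            raise SchemaError(f"missing field {col!r}")
        val = rec[col]
        if isinstance(val, bool) or not isinstance(val, typ):
            raise SchemaError(f"field {col!r} is not {typ.__name__}")
        row[col] = val
    return row


def ingest_schema_on_write(lines: Iterable[str]) -> list:
    """Schema-on-write: validate at ingest and keep only the typed table.
    Records that do not fit are discarded at the door, and fields outside
    the schema are lost, so answering a new question later means changing
    the schema and re-ingesting from a source that may no longer exist."""
    table = []
    for line in lines:
        try:
            table.append(project(json.loads(line), WRITE_SCHEMA))
        except SchemaError:
            continue  # rejected silently; the raw line is not retained
    return table


class RawStore:
    """Schema-on-read: store every line verbatim, interpret at query time."""

    def __init__(self) -> None:
        self._lines = []

    def append(self, line: str) -> None:
        self._lines.append(line)  # no validation here; raw data stays intact

    def read(self, view: dict) -> tuple:
        """Apply a view (schema) at read time and return (rows, rejected).
        Nothing was validated on the way in, so every reader must validate,
        and the rejects are reported rather than silently dropped."""
        rows, rejected = [], []
        for line in self._lines:
            try:
                rows.append(project(json.loads(line), view))
            except (SchemaError, json.JSONDecodeError) as exc:
                rejected.append(f"{line} -> {exc}")
        return rows, rejected


def demo() -> dict:
    """Run both approaches over the same feed and return the results."""
    written = ingest_schema_on_write(RAW_EVENTS)
    store = RawStore()
    for line in RAW_EVENTS:
        store.append(line)
    return {
        "schema_on_write_rows": written,
        "schema_on_read_temp": store.read(WRITE_SCHEMA),
        "schema_on_read_vibration": store.read(VIBRATION_VIEW),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```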

Data can be used in manual systems, and it can also be fed into automated systems,
where applications run on it and adapt on the fly. Streaming data acts as input to
various control systems, such as traffic control systems, systemic control systems, and
alerting systems. It can even be used to alert a store manager to put an extra cashier at
the front. When software uses data as a raw material input, the data can make the system
alert, give the software the opportunity to act on it, and enable the software to respond
to changes on the fly. We have an opportunity to make data available everywhere.
Making relevant and useful data available to the right people at the right times, where
they work.
Taking care of data governance and mitigating against data leakage are the prerequisites
for normal business operations. This is part of IT’s standard operating environment, an
item to check off as covered. Data is a driver for business growth, competitive
differentiation, and innovation.
One of IT’s primary goals is to help the business win by doing what is necessary to make
relevant and useful data available to the right people, at the right times, where they work.
Data Driven Culture
I have a hunch that I am wrong because I don’t have enough information, context, and
knowledge about the situation.
The purpose of data science is not to replace people, but to aid them. The goal of data
science is to inform the decision-making process. People can formulate good questions,
and use the principles of the scientific method to bring more rigor to the decision-making
process. Leveraging the benefits of lean thinking, people, and architecture, we are better
able to be guided by the facts and to adjust to those facts very quickly.
In contrast to the long procurement process of six months of evaluations and back and
forth with multiple vendors, we can now formulate a hypothesis, test it, observe the
outcomes and results, and if it fails, fail fast and try again. Instead of being prisoners
to perfection up front, we can let the data guide the way forward. Let's look at two
aspects: decision overload and uncertainty.
Decision Overload

Complexity and speed are forcing more decisions to be made, and these decisions are
often made at a faster pace. When the choices and outcomes are both murky, the
decision-making process becomes even more difficult. The stakes can be very high,
and if the outcome is negative the impact can be devastating.
This affects the entire organization. In a digital world that promises everything with such
ease, the choices put in front of us can seem very similar and uncertain. This
uncertainty can be the result of too many variables, many of which are out of our control.
Making decisions on limited information with a lot of uncertainty can have negative
consequences, depending on the context in which the decision is made and the potential
impact of the outcome. The first step in dealing with decision overload is to decompose
the problem into smaller bites, or components. Then determine which of the components
are critical in choosing the direction or choice to make.
Questions that IT needs to answer
▪ Is it cost beneficial to move to the cloud?
▪ How safe are we now?
▪ Is our competitor gaining on us?
▪ Should we outsource?
▪ Should we upgrade?
▪ Should we bring something back in house?
▪ How can we break down the walls of our silos?
▪ How can we respond faster to the business?

Uncertainty
Business uses quantitative principles and speaks in financial terms. It speaks in dollars
and cents. IT has traditionally used qualitative features to communicate information and
to attempt to make a point. Qualitative features have subjectivity embedded within
them, which makes them harder to understand for those who don’t have the technical
language. Qualitative features embed themselves into IT’s decision-making process when
we go to the business asking for more money. We need this because we feel that it is in
our best interests to go and do X, Y, and Z. We think that project number five is better
than project number four based on experience.

Quantitative measurement and language require a discovery process that surveys users
for more information, runs experiments, creates models, and contextualizes what was
captured beyond hunches. The goal is to find out exactly what the situation is. Does this
particular line of business actually like this particular service that we have been
providing? If not, let’s find out why, and make a change. What features or benefits does
the business like from the third party? What specific feature is used most often? We can
use surveying tools to find out exactly what is going on. The more clarity we bring to
each component, the more uncertainty is reduced, improving our overall chances of
making better decisions.
Supporting decisions under uncertainty

In the absence of perfect knowledge, decisions must be made under uncertainty.
All the data in the world, no matter how good and fast, can’t substitute for the way you
leverage it to support your decisions. Making decisions, big or small, is the difference
between success and failure. Businesses today operate in a landscape of uncertainty. The
decisions being made every day could be sabotaging today’s success and future
market viability.
Douglas W. Hubbard, inventor of Applied Information Economics (AIE), talks about his
research and observations on the “costly myth that permeates many organizations today:
that certain things can’t be measured.” In the preface to his book, he makes this
statement: “The result is that decision makers are making less informed decisions than
they could be.” Because of this, bad ideas are accepted, good ideas end up rejected,
valuable resources are sadly misallocated, money is wasted, and, in some cases, people’s
lives and health are put into jeopardy [33].

It isn’t easy to quickly determine the risk/rewards of a decision in a continuous state
where there is no perfect information and uncertainty is a constant to be reckoned with.
We know that reducing that uncertainty to optimize the decision making process is critical
to reducing overall risks. We can use measurement to reduce uncertainty as much as
possible, to prove our understanding of the real opportunities and risk.
We need to ask some questions about all this data that is pouring in: do we know how to
measure those intangibles that would reduce the amount of uncertainty about the
decision that needs to be made, and that would increase the chance of better outcomes?
Data can now be considered a competitive advantage. Whoever has the information first
has the potential to take advantage of it first. In today’s market, data is critical: crucial
to competitive advantage, a necessity for return on investment, an opportunity to improve
operational efficiencies, and a chance to better mitigate risk.
Is your organization using its gut instead of the data? Consider the case of customer
engagement, which is about leveraging technology to capture user sentiment and actual
behavior. The digital world is observable and quantifiable. We can measure the very
finest detail of user transactions. If we can capture this, we can then feed pertinent
information into our decision-making process. We are then using data instead of gut to
make decisions.

We have many decisions to make on a daily basis. Also, there are many things we do
today that feed into decisions we must make tomorrow. In a complex landscape, the time
to digest and process information can be very compressed, so it is critical that we have a
methodology in place for framing the decision to be made, quickly getting the needed
supporting data, and processing that data for decision analysis.
Also, you don't necessarily need big data for data science, but big data needs data
science. Often we have more data than we need, and we don't need as much data as
we think.

Business Operational Excellence

Every opportunity to improve how your organization conducts business is an opportunity
to save money, capture a new customer, or stave off the competition.
Let’s take a look at how high-velocity organizations think differently to outpace their
competitors.
Business Operations Center
Day to day, information, visibility, and progress can be aggregated in a virtual operations
center.
Operations centers are common for infrastructure (NOC) and security (SOC). There is also
an opportunity to build and operate an operations center designed for the business: a
business operations center (BOC). The characteristics of such a BOC would be as follows:
distributed, secure communication, real-time data streams, visual process mapping,
market intelligence, daily operations for KPIs, and a business response system.
Today, most businesses operate in siloed information lanes where actionable information is
slowed by organizational and operational friction. A BOC asks and answers the questions
of how the business is doing today, where the opportunities for improvement are, and
where the threats are. The purpose is to gain system-wide, organizational visibility in
order to become agile: remove friction from decision making and response, while painting
a consolidated picture of current organizational health. The BOC would include business
process dashboards, visibility, alerting, and escalation processes. It would be virtually
accessible, with secure communications, to authorized employees and stakeholders. It
would address the issues that employees have keeping up with emails, voicemails, and
poorly designed. The business would work with IT to build its key performance
indicators, business rules and contexts, process assumptions, and operating methods. It
would make the data available where needed, ensure system-level visibility, and greatly
enhance the ability to adapt in real time to threats and opportunities.

This level of transparency can be scary for some; however, disruption, complexity, and
risk require a level of agility that exceeds gut reaction, phone tag, email hell, wasted
time in non-productive meetings, and useless, out-of-date reports.

Ready to Adapt
Be prepared, for when called upon to act, you have to be ready to say yes.
Your organization’s response to market threats can take a variety of forms, and each
one can trigger different downstream technology demands, changes, and new
capabilities. This can happen by the following:

▪ sensing the market shift early enough
▪ making investments to capitalize
▪ making an acquisition
▪ forming a strategic partnership
▪ developing a tactical partnership
▪ using freelancers
▪ implementing a skunkworks using a small team internally
▪ spinning out talent in a startup atmosphere

For example, as IT walks the hallway, we can overhear the following conversations,
complaints, problems, and issues:
▪ A security guard talking about a break-in at one of the warehouses, resulting in big
financial losses. The IP surveillance cameras deployed at corporate last year were not
extended out to remote locations because of cost. Will warehouse managers be
calling IT soon? What new changes will be made to the infrastructure to
accommodate surveillance across the business at more locations?
▪ Across the hallway, the VP of Marketing is upset about his group’s inability to locate
their most common customers to direct a new campaign their way.
▪ Further down the hallway, one of the truck drivers comes in and mentions the
problems he is having with the routes he is being given; he thinks they are taking him
the long way.
▪ The manager of the call center mentions that his reps still can’t pull up certain
historical information when customers call in.

For IT, think of these as invaluable insights, opportunity signals: a chance to improve the
situation. Hanging around the business and looking to help is great. Be very aware of the
context.

In the past it was sufficient to receive the specific request, depending on what part of IT
you were in, do your part, and move on to the next task in the queue. Today is a new day,
a new age in which our impact on our organizations requires us to move farther upstream
in the value creation stream: seeing opportunity for ourselves, partnering more with the
business to get early indications of requirements, and ensuring we have our bases covered.
We are responsible for all technology-related code, hardware, and services that provide
the engine for business operations, innovation, and future growth. Let’s make sure we are
ready. Now, the question is this: can we deliver? Are we fit enough to keep pace with the
business needs?
Chapter 6: Smart IT

Smart IT is a model of IT that transforms the way IT thinks, works, and leads despite
disruption, complexity, and risk. It embraces the uncertainty that market disruption
brings, embraces complexity to enable additional customer value add by making it simple
to consume, and significantly reduces the impact and probabilities of negative business
outcomes.

IT that is high performance makes great positive impacts on their organizations. IT is in
the service enablement, to make business technology possible; it is in the delivery, to
enable and keep pace with business needs; and it is the orchestrator of large and
complex consumption provider ecosystems. We are the vital interface of business and
technology use. We can empower our organization to say yes, be nimble, and be
resilient. We can help to design and build an organization, an architecture, and a culture
to enable business initiatives and strategies while still fulfilling needs.
The patterns of the relevancy of IT to the business can be looked at through the lens of a
real-time, or near-real-time, factor. Our business is our internal customer. Not being able
to deliver in time could result in a “don’t bother” from the business, or a “we will get it
elsewhere”, which implies going rogue and hints of shadow IT. The dichotomy between
innovation and keeping the lights on is the tale of two ITs. We want to be the department
of Yes. Remember that the business’s external customers have choices. If IT doesn’t
deliver, the business doesn’t deliver, and our customers can look elsewhere.
The patterns of success include:
▪ Not waiting for the end user to complain
▪ Adjusting just in time
▪ Measuring to know and improve
▪ Embracing the new consumption models
▪ Valuing finite resources

Keep in mind that not everything can be found outside, and as business units and end
users bypass IT, at some point they may come back needing you to win…so be ready.
Don't try to boil the ocean. Resources are finite. Time, people, and money are all finite.
Most organizations can't afford to collect or analyze everything. They can't afford to look
at every security alert. They can't afford to try every possibility. The more ambiguous the
purpose, question, or scope, the more bloated the organizational efforts will be. Fat
organizations waste resources and struggle to change, defend, and innovate because of
split attention. This is what keeps your organization out of the shadows and into the light.
It is one thing to be technically possible, and another for your organization to capitalize
on it. Even when the "secret sauce" is known by a competitor there is no guarantee of
success. The organizational capability to execute on change is a skill and muscle that
needs to be exercised to be successful.

Let's start by tackling complexity. Whether it is waste or a function of providing value, it
should be better understood in order to be optimized and subject to our improvement.

Optimized Flow
You need to see the whole picture, optimize the workflow, and accelerate.
Too many people are spending too much time troubleshooting problems that are too
often first reported by end users. This has an impact in the form of higher cost and lower
quality services. Time spent reacting is time that could be used elsewhere. The
traditional management approach to technology delivery is limiting. The opportunity for
IT is to identify, plan, and execute on tackling the problems of firefighting and chasing
our tails once and for all. In order for us to support the business, we have to re-imagine
how we approach our work. We can draw on the great success businesses have had with
applying the principles of Lean to their operations and thinking. The goal for any
organization is to continually create value while using fewer resources and minimizing or
eliminating waste. IT needs to drop some operational friction.

Lean
As described by the Lean Enterprise Institute, “lean thinking changes the focus of
management from optimizing separate technologies, assets, and vertical departments to
optimizing the flow of products and services through entire value streams that flow
horizontally across technologies, assets, and departments to customers. Eliminating
waste along entire value streams, instead of at isolated points, creates processes that
need less human effort, less space, less capital, and less time to make products and
services at far less costs and with much fewer defects, compared with traditional business
systems. Companies are able to respond to changing customer desires with high variety,
high quality, low cost, and with very fast throughput times. Also, information
management becomes much simpler and more accurate…lean applies to every business
and every process. It is not a tactic or a cost reduction program, but a way of thinking
and acting for an entire organization. Businesses in all industries and services, including
healthcare and governments, are using lean principles as the way they think and do” [34].
The principles of Lean have been talked about by the business community for many
years, and have been used to dramatically transform operations. It has its roots in
manufacturing and the Toyota Production System (TPS). TPS used Lean principles to
revolutionize the factory floor, dramatically improving performance and speed, and
reducing waste from the factory floor.
Many people have mistakenly believed that Lean only applies to manufacturing.
However, Lean principles are just as relevant to services, including HR, customer service,
and so on, and are being used to improve speed. Lean has made its way into the service
side of business, to organizations such as law firms and hospitals.
We want to accelerate the velocity of the processes that feed the system and deliver
business services. That is key to making IT faster. The faster IT delivers services, the
faster the upstream business service can potentially deliver value to its customers. One of
the primary ways of increasing velocity is by reducing waste. Lean principles will help us
see slowdowns, lags, and re-work where we never saw them before.
We discover that process steps we thought were important are, in fact, not
important at all. Value-adding tasks will stand out from non-value-adding tasks. Time
traps, places where work sits idle waiting for human action to begin, will start to stick
out. When team members across the system look at the processes from beginning to end,
it will open up new ways of thinking about why the process flows in this particular manner.
Unlike some business waste reduction efforts that require a capital outlay, revisiting your
workflows is entirely process related. Often, the technology that may be needed to adjust
a workflow already exists in the environment. There will be little to no capital outlay
required.

When IT has mastered workflow optimization, it can branch out and engage business
units about what it has visibility into from a waste standpoint.
Flow

Flow is the unobstructed processing of ideas, tasks, collaboration, and work, all
performed with minimum friction, waste, and inefficiency. In daily work, resources are
optimized to enhance patterns of activity that produce positive outcomes, services, and
experiences. It is systematic among teams and natural for the people involved,
intelligently providing value, optimizing finite resources, and making a difference. It is
tuned for global, end-to-end impact, and highly tuned to understanding the purpose of
the activity: the why.

Flow is a concept of moving from one step in the process to the next step. The concept of
flow is important in understanding Lean concepts, and improvement in service delivery of
everything IT does. In effect, it is part of a delivery model delivering business services to
the business. Those business services comprise applications software, infrastructure, and
support models. Each service entails personnel performing certain tasks, following certain
guidelines for provisioning, configuration, and modification of the systems.
Let’s take a step back. What happens when the business comes to IT and asks for new
services? IT takes a look and determines when that service can be put in place for the
business. IT should look at every step of every process along the way and come up with a
timeline for delivery based on Lean concepts. Let’s look at the process and optimize the
flow from step to step and process to process, from a systemic standpoint.

Fast is a very important concept. Fast flow is an enabler. It allows for ideation and the
rapid iteration of trials; it gives us the freedom to experiment, to try things out, and to
see what is possible. When we have fast flow, we can try something out. If we don’t like
it, we try again and push it back out. Fast flow allows IT to say yes more often, and gives
more definitive timelines for business requirements. It makes IT even more relevant. The
other interesting thing about fast flow is that IT can leverage it not only for its own
operations, but also to enable faster flows inside the business.
There is planned work and unplanned work. The former is the chance to be strategic,
make improvements, and add functionality. Strategic work is work on projects specifically
tied to the business. Secondary projects support general capability and are necessary over
the long haul to have maintainable systems. Changes can be maintenance operations and
tasks. Ideally, we would like to be able to make changes throughout the year, and not be
restricted to particular times, days, or seasons. When we have agile architecture and lean
principles, we can make changes more often, and that improves the stability and security
of our applications and infrastructure. Planned work can be mapped out and anticipated,
increasing the chances of success.

The latter, unplanned work, is what IT calls firefighting. We really want to reduce this
type of work; otherwise we are left running around fighting fires at the last moment.
Unplanned work is something we want to reduce, as it crowds out strategic and
operational work and disrupts the flow of personnel and time.

Work-In-Process (WIP)
Work that has been started, but whose final product, service, and/or experience is not
yet ready for consumption.
Work-in-process is an important concept to understand in both flow and the principles
around Lean. IT must have a firm grasp on the impacts of busy times, idle times, and
handoff times in order to understand inefficiencies in its processes. This allows IT to
optimize the process, increasing collaboration between different teams to improve
handoff times, reduce idle time, and ultimately accelerate and make IT go faster.
What are the roadblocks and inhibitors of speed? They are unending WIP.
How do you recognize a process that is not Lean? Here are some examples …
▪ Compliance
▪ Manual check
▪ Management sign off
▪ Wasteful meetings
▪ Waiting for TCO and justification
▪ Decision paralysis
▪ Waiting on 3 bids
▪ Not completing the important tasks up front in the design

One driver of WIP is the more mobile workforce. In the traditional cube-bound work
environment of the past, virtually all knowledge workers were at their desks all day. As
requests came in, the workers were right there, ready to work on them. Today, many of
the workers who are assigned tasks or are in the approval chain are mobile. That means
they are in the field, on the road, or on airplanes. A request via email could sit in
someone’s inbox while they are between offices. When the request is read, the person
may not be in a good position to stop, gather data, think about it, and respond later in
the day. This could be an opportunity for workflow automation, streamlining of approvals,
and providing more readily available decision-supporting data.

Attention IT: a new request just came in from the business and they need it fast. They
need “it” now, and it could be anything from a new system to collect information on the
number of trucks going in and out, to a summary of those trucks’ fuel expenditures.
Oh, and they need it as soon as possible. As IT scrambled to assemble all the parties
involved, they managed to produce what was needed in a world-record 40 hours.
That was an impressive turnaround, until the business called back later to scrap that plan
and instead go an entirely different route.
Or how about three months into development of the new point-of-sale system that
wouldn’t integrate with the new rewards program? The marketing department came
back and needed to change over 50% of the scope requirements, requiring major rework
and re-appropriation of staff allocation. Or the CIO, who just returned from a convention
where Gartner analysts were talking of new trends, now wants to collect 50 TB of data
from control units on board tankers and transmit that data back to corporate to analyze
in real time. No problem, right? Every day IT is required to be quick in standing up the
necessary infrastructure and software to fulfill the needs, all the while minimizing the
potential risks.
But what truly is being agile? What does that mean? Does it mean getting a request
from the business whose parameters, scope, pacing, and delivery date can change
(and often will change on the fly)? Does it mean that as soon as resources have been
calculated for the new initiative, everything has been finalized, and new gear is on the
way, you can still make it work? What if they call letting you know that they need
something different, requiring a different infrastructure? For IT, the frustration is
genuine: the gear is already on the way, or the contracts are signed. Agility means the
ability to change on the fly, in part because the business itself is being required to do the
same thing in the age of disruption.

The business and IT are all one thing: all of the business, and everyone in it, must be
more agile, which requires having the mindset set properly.
The next thing to do is to create the framework necessary to become more agile, which
includes taking a hard look at all the new technologies, shifts, and changes, and being
able to put solutions in place that allow more agility. Where does that agility come from?
It is in programmatic infrastructure, in the principles of DevOps, and in workflow
automation. One hundred steps in multiple processes? Not a problem. It is not the number
of steps in the process from request to delivery that counts; it’s how well you can
automate the workflow. Leading organizations know that with workflow automation, a lot
of the processes and a lot of the steps can be handled automatically.
As processes occur, we need to know how we are doing: are any changes needed, and
are we meeting the needs of both our internal and external customers? We need
feedback in all we do to be successful and relevant.
Feedback Loops

The output of one action produces a response, or responses, back to the initial action;
the signal returned tells you the effect of that action. Without feedback, one cannot know
the effects of one’s actions; we are limited in improving, and are basically blind to how we
are doing.

Feedback loops are critical to change, critical to transformation, critical to surviving, and
critical to thriving. If we take a direction or course of action and don’t have a feedback
loop, we are in great danger of losing, and losing big: when you navigate the many options
available in business today, you must know how you are doing.
Feedback tells you whether to stay the course or turn and make a change. It is too costly
to go down one path blindly without a feedback loop, costing you time, money, and effort.
In IT and business, poor feedback loops have led to great inefficiencies and slow
operations. Responses to business needs such as time to repair are often too slow, and
service desk queues can back up with chronic performance problems languishing in the
queue for weeks and potentially months, with IT unable to connect the dots from one
issue to another indicator to another.
If an issue takes too long to resolve, the person working it needs to know what is going
on now and what has happened before. When troubleshooting an issue, we need to know as
soon as possible whether we are going down the right path.
The feedback loop is critical to cyber security defense, where every second counts, and
where every second an adversary's intrusion goes undetected can be serious and costly. To
deliver solutions and services to the business, we need feedback to know what we are
looking for, and once we deliver the service we need a feedback loop to tell us how well
it is operating in the field. Not hearing a complaint from end users is not the same as
good service.

As an example of slow feedback, consider IT finding out several months late that a new
$1 million Hadoop cluster from a third party has just arrived on the floor of your data
center without any involvement from you. A large part of the business was not happy with
your existing service and worked around you, using the corporate credit card to get
something done. If a business group is unhappy with your services, you need to know as
soon as possible, because the time up front is the best chance to address the complaint.
Try something different; iterate to see what works. Without fast feedback, if something
doesn't work for the business we lose the ability to try something else. If we know that
something didn't work, we have a better chance to iterate among the options until we can
figure out exactly what needs to change, and then make that change. Feedback from the
business is critical: our feedback loops must be quick, agile, and fast.
To provide feedback at scale and speed, we need to consider …
▪ Vulnerability scanning results, fed back into a remediation loop

▪ Device profiling, with feedback and histograms of device types

▪ Wireless movement patterns

▪ Remote connectivity patterns: locations, duration, spread

Waste
Resources are finite; we cannot afford waste. Two of our most valuable resources are
time and money, both of which are wasted when we don't think and work systematically.
Organizations surviving today while still wasting resources will be tomorrow's news. IT
must value what is limited in order to be more relevant and valuable to the business. Stop
spending valuable IT resources supporting obsolete systems, processes, and relationships
from the past instead of focusing on future growth.
Stop wasting valuable and finite resources, whether time, money, or actual resource
utilization. In many cases, the business is constrained by these same resources. One of
the operating imperatives of business, from the board of directors to the C-suite to the
leaders of business units, is cost control. Flow is concerned with velocity, and waste is
a major drag on it, often in the form of rework. Resources tasked with fighting avoidable
fires are distracted from more strategic work. Budget cuts are pushing innovation into the
shadows, and organizations are seeking ways to work smarter: eliminating waste in their
processes and redirecting the savings to fund innovation while keeping their budgets flat.
In reality, many IT departments have already been forced by the economy since the Great
Recession to scale back because of cuts in budgets and manpower. The business is
pressuring us to streamline expenses and do more with less. Capital expenditures are down,
but operational expenditures on third-party firms are up.
Waste can take many forms: time, resources, utilization, and money. When work is not done
correctly the first time, rework expends resources. When IT is slow to respond to a
business request, it is wasting the business's money. It is very important to understand
what late delivery means to the business; ultimately it costs money. Slow hand-off times
are also a waste. Requests for a simple change that sit waiting in a queue are candidates
for automating the process flow. This is what the cloud providers have mastered: the
ability to orchestrate and automate many routine tasks, allowing much higher speed and
giving the illusion of instantaneous service delivery.
Money committed to an IT project that runs far over budget ties up resources and limits
their use elsewhere. It is similar to a missing part on a plant's assembly line, except
that what is missing is money that cannot be used elsewhere. That is one reason it is
important to become more accurate in project estimates, not only of money but also of
time. IT projects are notorious for coming in late and, at times, for failing to deliver
at all.

Resource Portfolio Rationalization

We need to rationalize our technology portfolio. This portfolio includes applications,
hardware, partners, methods of work, and how we spend our time. This means getting rid of
the things that are slowing down processes, reducing our effectiveness at competing, and
constraining growth.
Patterns of reducing waste
▪ Gain visibility into work flows and value streams

▪ Reassess the number of vendors, partners, and consultants for redundancy and
overlap

▪ Investigate manufacturers' solution stacks

▪ Cut out the fat in the areas of too many vendors, partners, contracts, and tools

▪ Investigate converged infrastructure

▪ Investigate cloud partners to off-load functionality

▪ Make time spent collaborating via meetings more impactful

▪ Develop a culture of root cause analysis to reduce time spent on symptoms
Variation
Variation refers to differences in the way we do work, which can depend on who is doing
the work and when it is done. When these differences exist without a design reason, it
indicates that we don't have a standard way of doing the work. In complex environments
this is problematic, because the level of dependency demands a more deterministic and
thorough understanding of our environment.
The first request is handled by Engineer #1, a veteran of the infrastructure team. He
provisions the user for the requested service from his experience and his memory. The
process involves 15 unique steps. When he is not interrupted, he can complete the entire
process in 20 minutes; when he is busy, it can take up to two days. He happens to sit next
to two colleagues who own several of the tasks the process requires, and those tasks
require administrative rights in five different infrastructure domains. The steps are all
manual. If either of Engineer #1's colleagues is away from the desk while he is
processing, that 20 minutes will take longer. In short, 20 minutes is the best case, not
the typical time to complete.
Engineer #2 works out of a remote office. He has to email those two admins to complete
their tasks, and he rarely sees them in person.
The two engineers have different work hours, schedules, work locations, and personal ways
of performing the tasks. In all cases, the tasks are common and done manually. No one
person understands how all the tasks interrelate, or the impact when the way a task is
completed varies. Does it matter how a new route entry is configured in the core router?
It certainly does. A specific route is not the same as a summarized route: the summary is
broader, and in the past summaries have allowed excessive network access. In a world
where unfettered IP connectivity provides overly broad access, that means a larger attack
surface to defend than necessary. When the latitude in configuration standards becomes
too wide, performance and security issues appear at the least expected times (like right
before you are scheduled to go on vacation, or at 4:50pm on a Friday).
Which engineer completes the task can make the difference in how the service is designed
and configured, and in when the task will be completed. Variation can be the enemy of
success. One of the things customers like about cloud is its speed, and one of the
characteristics that makes such services possible is the minimization of variation in the
provisioning process.
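The route example above is the kind of configuration check that a standard, rather than an engineer's memory, should enforce. What follows is an added illustration, not code from the book: a small linter that compares proposed route prefixes against a hypothetical approved-prefix standard and flags any summary route that also reaches address space the standard never granted. The approved prefixes, the change request, and the verdict names are all constructed for the example.

```python
"""Lint proposed route entries against an approved-prefix standard.

Added example, not the book's own material. It assumes a hypothetical
configuration standard that lists the exact destination prefixes a branch
router is allowed to reach; a summary route that also covers space outside
that list is flagged as over-broad, which is the excess access the text
warns about.
"""
import ipaddress

# Hypothetical standard: the only destinations the branch may route to.
APPROVED_PREFIXES = [
    ipaddress.ip_network("10.20.1.0/24"),  # branch user VLAN (constructed)
    ipaddress.ip_network("10.50.7.0/24"),  # payment app servers (constructed)
]


def check_route(prefix):
    """Classify one proposed route prefix against the standard.

    Returns (verdict, extra_addresses):
      "ok"          the route is an approved prefix or a subset of one
      "over-broad"  a summary that covers approved prefixes plus other space
      "unapproved"  the route covers nothing in the standard
    extra_addresses counts the addresses reachable beyond the approved
    space (0 when the verdict is "ok").
    """
    net = ipaddress.ip_network(prefix, strict=False)
    # A route inside an approved prefix cannot reach anything extra.
    if any(net.subnet_of(a) for a in APPROVED_PREFIXES):
        return "ok", 0
    # CIDR blocks either nest or are disjoint, so anything not inside an
    # approved prefix is either a summary over some of them or unrelated.
    covered = [a for a in APPROVED_PREFIXES if a.subnet_of(net)]
    if not covered:
        return "unapproved", net.num_addresses
    extra = net.num_addresses - sum(a.num_addresses for a in covered)
    return "over-broad", extra


def lint_routes(prefixes):
    """Return the subset of prefixes that fail the standard, with reasons."""
    findings = []
    for p in prefixes:
        verdict, extra = check_route(p)
        if verdict != "ok":
            findings.append((p, verdict, extra))
    return findings


if __name__ == "__main__":
    # Constructed change request: two specific routes and one summary.
    proposed = ["10.50.7.0/24", "10.50.7.128/25", "10.0.0.0/8"]
    for prefix, verdict, extra in lint_routes(proposed):
        print(f"{prefix}: {verdict}, {extra} addresses beyond the standard")
```

Run as a pre-change check, the 10.0.0.0/8 summary is reported as over-broad with more than sixteen million addresses outside the standard, which is exactly the difference between "the route works" and "the route opens the data center" that the two engineers in the story would never have noticed by hand.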
Technical Debt
Technical debt is work that is due or owed. When it is not done in an appropriate time
frame, it builds up into a long list of incomplete tasks that compounds, increasing the
probability of a common-mode failure in the future.
You have been meaning to go back and wrap up those other tasks from the last project:
writing that documentation, re-cabling the closet, fixing those lines of code, updating
the internal portal, updating the script, or reviewing the access control list. But new
work keeps coming in, pushing more items onto the to-do list. New items get added to the
backlog, and as long as the lights are on, the imperative to go back and wrap up never
comes until something breaks.
In DevOps, debt is the term for the accumulation of fixes that are deferred to a later
point in the delivery chain. Fixing things that are broken further down the line ends up
costing more time and money. In a general sense, the accumulated fixes and rework that
must still be done is technical debt. All the undone work in IT, involving infrastructure,
software delivery models, and personnel improvement, still needs to be done. Existing
technical debt makes it difficult to go from here to where we need to be overnight. To
improve, we must work to reduce the level of debt, the unfinished tasks that are sitting
and waiting to be done.
A critical aspect of becoming lean and staying lean is understanding the culture of
DevOps. In software terms, technical debt is all the coding work that was not done before
release: the delayed access to software, the code that carries bugs, and all the
challenges operations has in getting the code into production. All those little things
that are delayed or done in a hurry to get code into the field build up and reduce the
team's ability to move faster in the future. The result is buggy code and problems forced
upon the end user, who will be frustrated by it.

An analogy from personal finance helps here. What does debt mean in your personal life?
It means an obligation you owe to another party, and you service that debt from month to
month. By making consistent monthly payments, you stay even; you owe no one anything
beyond your daily and monthly living expenses. If you don't, you fall behind and interest
accrues, and you end up owing more. In IT, what you owe is unfinished work that was left
undone because you were interrupted. We cannot pay it off month to month: new projects
take higher priority, and the unfinished tasks continually build up. The important work
of documenting processes, performing file rights audits, and fixing performance bugs gets
pushed to another day that sometimes never comes.

Ideally, of course, you want to pay off the total debt to free up valuable resources for
more strategic uses. An IT organization that wants to spend more of its time on
business-impacting innovation needs to strive for this, which means tackling the backlog
of work, projects, and tasks to come up to date. The accumulation of unfinished tasks
compounds. Delaying things that need to be done increases the level of debt, which leads
to falling behind on key work and increases the probability of something breaking in the
environment because the inspections weren't done when we ran out of time. To compensate,
we often ask for more people and money. Ultimately it can lead to the business falling
behind a competitor, and we do not want to pass that on to the business. Any delay in
delivering services with business impact because of debt could be the reason you are
inefficient compared to competitors running leaner. In today's disruptive market, speed
kills, and technical debt is a drag on flow and time to deliver.
So how should we deal with technical debt? First, we need to know what we're dealing
with. We must take into account everything we are responsible for. What is in the realm
of IT from an asset standpoint? What infrastructure are we responsible for?
We then must map that to all the applications the infrastructure was built to serve, and
we must understand the applications and their mapping to business services. For far too
long IT has been ignorant of what the business needs and how it makes use of the systems.
We can no longer be ignorant of what the systems do and why they're here. This is one of
the reasons we are hindered when we need to secure more budget: often we don't understand
the right business language to speak to those who approve the budgets and write the
checks. In a time when our systems are under attack on the cyber warfare front, it is
more critical than ever that IT be able to speak a language the business can understand.
Later, in the chapters on leading and inspiring the change needed, we will talk in more
depth about how to communicate in terms the business understands. For now our focus is
how to understand debt and get a handle on it. We must have a tie-back from the business
for every system we maintain; that gives us the foundation to start asking some tough
questions. For instance: why are we still paying maintenance on this particular system if
the business no longer uses it? Why are we not tracking the usage of the software we pay
maintenance on every year? Why are we buying the full version of this software if the
majority of end users use only the minimum features? Maybe we still do not have detailed
diagrams, reports, layouts, and clear documentation, and haven't for far too long; maybe
we've been afraid to unplug that one cable because we are not exactly sure what will
happen.

Are we buying new systems, paying for maintenance on other systems, and testing new
systems that the business will never use? Can we provide the same service with a cloud
service at a reduced price? Every time the IT budget includes items that are not used, we
are increasing our level of debt.
The more we know, the better our position with the business, and the more we will be able
to help the business compete. It is like our personal lives: when we are overweight, with
a high body mass index, we are consuming too much of what we don't need and not enough of
what we do need. In IT, we need an inventory of everything we do, produce, and consume.
We need to know how business needs are fed by our technology infrastructure, software,
and data. This puts us in a better position to ask those hard questions and gives us a
better idea of what our real risks are.
Acceleration
Acceleration is a key ingredient in getting from here (the current state) to there (the
goal): increasing the velocity of the flow of work in order to meet business demands.
Where a competitor is managing to deliver to market faster, we may need to increase the
flow of value through our system. Almost any business process that depends on technology
can be hurt by slow flow.
For IT to go faster and produce faster for the business, it must possess the following:
▪ Acceleration

▪ Automation

▪ Orchestration

Acceleration is about speeding up the rate of value delivery.
Automation is not about replacing people. In an ideal world, in a time long past, your
organization would simply hire more people to do the work. But today, more people are not
on the way, and you are still on the hook for producing results with what you have.
Automation is about improving process. In IT, automation allows processes to accelerate,
provides the flexibility to experiment because changes can be rolled out quickly, and
multiplies the efforts of existing IT personnel. Automation takes the knowledge of
individual tasks and orchestrates them into a workflow. In this light, a whiteboard full
of tasks numbering in the hundreds becomes trivial once the workflow is automated. Make no
mistake: human intuition, know-how, and intelligence are required to design such a
system, maintain it, and ultimately optimize the process. Automation accelerates and
provides agility.
Orchestration allows for intelligent staging and sequencing of work tasks. It is critical to
optimizing flow. Going faster is great, but if we go faster doing the wrong things and
produce unwanted outcomes consistently, that might not be the best thing unless we are
experimenting. And by the way, IT must ensure they maintain tight control over this
process, for we have seen how automated tools and processes have been used by the
bad guys to exploit us.
As we improve our ability to go faster, we must make sure that we are adding value and
reducing waste. We need flow. To help confront complexity, standardization reduces the
number of moving parts by reusing common processes, tools, and inputs. It makes workflow
more predictable, lends itself to consistent operation and improvement, and lends itself
to being automated.
IT needs to simplify as much as possible. Simplification can be removing waste and only
doing the minimum necessary to provide the service. It can be streamlining the number
of products, vendors, and providers. It can be reassessing our engagement process with
third parties. We should look at our bid process and ask if our procurement process is
helpful overall, or causing unnecessary complexity.
The more tightly your business services are tied to specific architecture, hardware, and
providers, the harder it is to make changes, and simple maintenance tasks can become
quite convoluted. Remove your business services' dependencies on the underlying
infrastructure.

Adaptive Infrastructure
Adaptive infrastructure is infrastructure designed, configured, and capable of adapting
quickly to dynamic software requirements in order to meet dynamic business needs, which
is a requirement for IT to deliver faster.
IT supports the systems that enable user access to organizational assets, data, and
services. The highest priority is to ensure a highly available, always-on environment
that hosts the data and services. Ensure that all components, in coordination with risk
mitigation input, are kept up to date to improve functionality, security, and
reliability. IT must be on the road to bringing adaptive infrastructure into reality for
their organizations.
Programmable Infrastructure
Manual configuration is approaching legacy status. This marks the coming end of
box-to-box configuration.
Physical versus virtual. On-premises versus off-premises. Outsource or insource. Yes to
all. We must abstract these questions and their implementations away from our
organization's services, applications, and data.

Programmable infrastructure with policy centralization means getting away from
box-to-box manual configuration: a northbound API for business and process intelligence,
and a southbound API for the heavy lifting of translating policy to the underlying
infrastructure.

We gain agility by virtualizing the infrastructure underneath the business service. We
need to decouple the applications from the infrastructure, the service from the app, and
the user from the device. This also means we need to embed identity, both user and
device, into the roaming experience and embed security controls with the mobile user.
Resource Virtualization

Any service and application should be free to move from one infrastructure to another,
scale between different providers, and keep its control systems when moved, while still
maintaining performance, corporate governance, and business and customer functionality.
Containers are the next level of virtualization and isolation beyond virtual machines,
and they give software developers another option. Lighter and more agile than
hypervisor-based virtual machines, they let us focus on the code rather than the
underlying dependencies, and they close the gap between the environment where the code
is developed and the one where it runs in production.
Other actions include detaching dependencies and constraints, which makes operating
system upgrades trivial. We need to remove friction from making changes to apps and
tools, and we should not be afraid to change in flight to adapt to changing conditions.
Core IT Services

Basic services that are available as an option can be scaled as consumption rates
increase. It is no longer a question of whether we should virtualize, whether we should
serve up virtual desktops, whether we should let users bring their own devices, whether
we should do some cloud, or whether our firewalls should cover physical as well as
virtual environments. We are at a point where these should all be considered basic
services, without the analysis paralysis of determining whether it is a good time.
IT should not get caught up in decision paralysis, running endless analysis to determine
whether new cutting-edge technology should be used. Instead, IT should leverage advances
in converged infrastructure, cloud services, and flexible financing; alter how it uses
partners; and virtualize the consumption front end so that IT can ideate quickly over new
technology and determine whether it is a good fit. Take the case of virtual desktop
infrastructure (VDI), a service that should be available as part of core IT services
across all industries. It is in essence the virtualization of the user's desktop, made
available remotely anywhere, anytime, whenever the end user needs it. By leveraging
virtual infrastructure, IT can create a small core service from a small block of
infrastructure, optimized for the VDI requirements, without requiring too large an
initial budget outlay. By building modular blocks on top of converged infrastructure, IT
can scale the infrastructure intelligently as business users require the service.
Access means access from the corporate offices over wired connections, wireless access,
and remote access, whether on the road at a Starbucks or at a kiosk in an airport. Isn't
this the democratization of universal, unified access? IT needs to consolidate the access
methodology to secure this universal access, providing universal visibility, strong
identification, and a service assurance model that meets the needs of business users
doing their work.
Jim came into the Houston branch office today to prepare for a client meeting. No one
else was around, and he needed to connect his laptop to the network to get to his Outlook
calendar. Jim could not find an open port in any of the cubes, so he unplugged a little
black box on the floor next to the printer and connected his laptop instead. An
intelligent network can handle this scenario without any problem, while still ensuring a
differentiated experience based on the user, the device, and the required service level.
For example, if one were to swap the network connections of a printer and an IP phone, or
of an analog fax machine connected via an ATA and an IP video camera, a smart network
should handle this seamlessly and maintain security, functionality, and quality of
service (QoS).
The network should be adaptive enough not to require human intervention. Depending on the
context of the connection, the network should identify the device plugged in, profile the
device type and determine the correct access rights, and then begin profiling the traffic
types generated from that port, be it a wired or a wireless virtual port. If a Samsung
smart TV is plugged into a jack, it should not have universal access to all data center
resources. If a guest comes into the office wanting to connect to the Internet, he should
not have to worry about where to plug in. If there is an open port in the conference
room, the risk of exposing the entire data center to a guest should not depend on a
verbal policy or on manually creating a MAC-based whitelist on a switch. The network
should be smart enough to handle a guest, distinguishing the rights and access level of
this type of user. All connection types should be logged, all access attempts correlated
in near real time and historically on the back end, and network traffic types should be
profiled automatically. This is the nature of a smart network designed for today's
business requirements.
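To make the smart-network behaviour above concrete, here is an added example, not code from the book or from any network vendor: a sketch of a NAC policy engine that decides access from the 802.1X identity and the device profile, never from the port. The profile is built from two independent signals, the OUI of the MAC address and the DHCP vendor class (option 60), so that a device whose signals disagree lands in quarantine rather than being waved through the way a hand-maintained MAC whitelist would allow. The OUI table, the vendor class strings other than "MSFT 5.0", the VLAN numbers, and the ACL names are all constructed for the example.

```python
"""Port-independent access decisions for a newly connected device.

Added example, not from the book. It sketches a hypothetical NAC policy
engine with three inputs per connection event: the 802.1X identity (if
any), the device type implied by the MAC address OUI, and the device type
implied by the DHCP vendor class (option 60). The OUI table, the vendor
class strings other than "MSFT 5.0", and the VLAN and ACL names are all
constructed for the example.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed OUI -> device-type table; the OUIs are made up.
OUI_PROFILE = {
    "aa:11:22": "printer",
    "aa:33:44": "ip-phone",
    "aa:55:66": "smart-tv",
}

# DHCP vendor class (option 60) -> device type. "MSFT 5.0" is what Windows
# DHCP clients really send; the other two strings are hypothetical.
VENDOR_CLASS_PROFILE = {
    "PrintCo-MFP": "printer",
    "VoIP-Phone": "ip-phone",
    "MSFT 5.0": "windows-host",
}

# Constructed policies keyed by the outcome of the decision.
POLICIES = {
    "corp":       {"vlan": 10,  "acl": "corp-user"},
    "printer":    {"vlan": 30,  "acl": "to-print-servers-only"},
    "ip-phone":   {"vlan": 40,  "acl": "voice-only", "qos": "ef"},
    "guest":      {"vlan": 90,  "acl": "internet-only"},
    "quarantine": {"vlan": 999, "acl": "remediation-only"},
}


@dataclass
class ConnectEvent:
    port: str                    # switch port or wireless virtual port
    mac: str
    identity: Optional[str]      # 802.1X user identity, None if none
    vendor_class: Optional[str]  # DHCP option 60 seen from the device


def profile_device(ev):
    """Return (type_by_oui, type_by_dhcp); either may be None."""
    by_oui = OUI_PROFILE.get(ev.mac.lower()[:8])
    by_dhcp = VENDOR_CLASS_PROFILE.get(ev.vendor_class) if ev.vendor_class else None
    return by_oui, by_dhcp


def decide(ev, audit):
    """Pick a policy from identity and profile, never from the port.

    Every decision is appended to `audit` so that connection attempts
    can be correlated later, as the text calls for.
    """
    by_oui, by_dhcp = profile_device(ev)
    if ev.identity:
        policy, reason = "corp", f"authenticated as {ev.identity}"
    elif by_oui and by_dhcp and by_oui != by_dhcp:
        # A MAC whitelist alone would admit this device; two signals that
        # disagree are a classic sign of a spoofed printer or phone MAC.
        policy = "quarantine"
        reason = f"OUI says {by_oui} but DHCP says {by_dhcp}"
    elif by_oui in POLICIES or by_dhcp in POLICIES:
        policy = by_oui if by_oui in POLICIES else by_dhcp
        reason = f"profiled as {policy}"
    else:
        policy = "guest"
        reason = f"profiled as {by_oui or by_dhcp or 'unknown'}, internet only"
    record = {"port": ev.port, "mac": ev.mac, "policy": policy,
              "reason": reason, **POLICIES[policy]}
    audit.append(record)
    return record


if __name__ == "__main__":
    audit = []
    # Printer and phone, then the same two devices with their ports swapped.
    for port, mac, vc in [("Gi1/0/5", "aa:11:22:00:00:01", "PrintCo-MFP"),
                          ("Gi1/0/6", "aa:33:44:00:00:01", "VoIP-Phone"),
                          ("Gi1/0/6", "aa:11:22:00:00:01", "PrintCo-MFP"),
                          ("Gi1/0/5", "aa:33:44:00:00:01", "VoIP-Phone")]:
        decide(ConnectEvent(port, mac, None, vc), audit)
    # Jim's laptop on the printer's port, authenticated via 802.1X.
    decide(ConnectEvent("Gi1/0/5", "de:ad:be:ef:00:01", "jim", "MSFT 5.0"), audit)
    # A Windows host wearing a printer MAC: profile signals disagree.
    decide(ConnectEvent("Gi1/0/5", "aa:11:22:00:00:02", None, "MSFT 5.0"), audit)
    for r in audit:
        print(f"{r['port']} {r['mac']} -> vlan {r['vlan']} ({r['reason']})")
```

The point of the design is in the `decide` function: swapping the printer and the phone between ports changes nothing in their policies, Jim's authenticated laptop gets corporate access on the printer's jack, and a Windows host that borrowed a printer's MAC address gets the remediation VLAN instead of the print-server ACL. A real profiler would add more signals (LLDP, HTTP user agent, traffic patterns from the port), but the principle of requiring agreeing evidence rather than a single spoofable attribute is the same.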
To be a high-performing IT organization, we have to excel at service operations. The
characteristics of this include fast, responsive, reliable service delivery; fast mean
time to deliver; and fast mean time to repair.

Operational Intelligence
Operational intelligence, across security, IT, and business, is a critical capability
that will help organizations operate at market speed. Such a dynamic environment demands
visibility, key performance indicators, and data, all in real time.

IT is uniquely positioned to lead on the topics of business innovation and risk mitigation.
Business innovation involves disruption, transformation, talent development, and
monetary allocation. Business risk management involves brand and reputation,
operational resiliency, and business process management. Common to both areas is
operational intelligence, the systematic collecting, analyzing, visualizing, and decision
support from all sources of available raw data.
Operational intelligence provides critical capabilities to help the boardroom operate at
market speed. It is the secret sauce, so to speak, in establishing organizational cadence
and creating the feedback loop we talked about earlier under flow. It allows the business
to listen to the data and quickly iterate or pivot. It is the key to establishing a fast
feedback loop. Decision-making, which we take up in the next chapter, is founded on
operational intelligence and fast feedback loops.
From an operational standpoint, what should you be focusing on today? How about
tomorrow? The answers can be informed by insights derived from key data sets analyzed for
signals of action. Those signals are found in the ocean of data our technologies contain,
and the areas to investigate and optimize should be guided by what the data from our
machines tells us. IT service intelligence provides the connection from business services
to the underlying technology. When potential issues are discovered, IT can swarm to
address the problems and perform corrective action.
Data in Action
Raw data is useless unless it is refined into insights suited for operations.

The key to making use of data to drive business and IT operations is to extract actionable
insight from raw data to help people make better decisions. It is a combination of data,
people, technology, statistics, math, and domain knowledge, all working together.
Meaning from data is both a science and an art. It uses theories, techniques, and tools
from math, programming, machine learning, data mining, data visualization, business
analytics, accounting, and social sciences.
What is new today is the new types of raw data, which also have the volume and variety
that challenge traditional data analytics tools. This can be applied to automated
decision-making, as seen in disruptive business models such as Netflix's
recommendations. Data has the capability to help people solve problems, make better
decisions, and do their daily work.
The application of data science to business operations permeates both IT and business.
New cyber security products are using data science modeling in their solution sets.
Businesses are using it for consumer sentiment analysis, banks use it for fraud
detection, security product manufacturers use it to detect insider threats, and supply
chains use it for predictive demand requirements.

There are still more uses of the science and art of data value: trend forecasting, A/B
Testing, root cause analysis, anomaly detection, market segmentation, topic modeling,
capacity planning, correlating data from 2+ sources, data mining and normalization, KPIs
and executive dashboards, predictive modeling, sentiment analysis, and conversion
funnel/pathing.
We have trend forecasting, which predicts future values or outcomes from historical data;
sentiment analysis, which assigns emotional labels to textual data; and anomaly
detection, which spots events dissimilar enough from other events to warrant further
investigation. Other examples include transactions that occur faster than human
comprehension, such as DDoS attacks from IP address ranges, or high-value customer
purchase patterns. Statistical outliers are one such signal: values more than two
standard deviations from the average, or values more than 1.5 times the interquartile
range above the 75th percentile or below the 25th. These are the types of signals we can
flag for deeper analysis.
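Both outlier rules above are simple enough to run over raw logs directly. The following is an added example, not from the book: it counts connections per source address in a constructed, firewall-style log and flags sources by both the two-standard-deviation rule and the 1.5 x IQR fence. The log format, the addresses, and the counts are constructed, and the quartile definition used (medians of the lower and upper halves) is one of several in common use, stated here as an assumption of the example.

```python
"""Flag statistical outliers in per-source connection counts.

Added example, not the book's own code. The log lines are constructed and
use a hypothetical format (timestamp src=... dst=... action=...). Two
outlier rules from the text are implemented: more than two standard
deviations from the mean, and more than 1.5 times the interquartile range
above the 75th percentile or below the 25th.
"""
import re
from collections import Counter
from statistics import mean, pstdev

# Constructed connection counts per source address; one source is a
# scanner hammering the firewall far harder than the office hosts.
SAMPLE_COUNTS = {
    "10.1.1.10": 4, "10.1.1.11": 5, "10.1.1.12": 3, "10.1.1.13": 6,
    "10.1.1.14": 4, "10.1.1.15": 5, "10.1.1.16": 4, "10.1.1.17": 5,
    "10.1.1.18": 3, "203.0.113.9": 60,
}


def build_sample_log(counts):
    """Expand the constructed counts into firewall-style log lines."""
    lines = []
    for src, n in counts.items():
        for i in range(n):
            lines.append(f"2016-03-01T10:00:{i:02d} src={src} "
                         f"dst=10.50.7.5 action=deny")
    return "\n".join(lines)


SAMPLE_LOG = build_sample_log(SAMPLE_COUNTS)

LINE_RE = re.compile(r"src=(\S+)")


def parse_counts(log_text):
    """Count log lines per source address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def zscore_outliers(counts, k=2.0):
    """Sources whose count is more than k standard deviations from the mean."""
    values = list(counts.values())
    mu, sigma = mean(values), pstdev(values)
    if sigma == 0:
        return set()
    return {src for src, v in counts.items() if abs(v - mu) / sigma > k}


def _median(xs):
    xs = sorted(xs)
    n, m = len(xs), len(xs) // 2
    return xs[m] if n % 2 else (xs[m - 1] + xs[m]) / 2


def quartiles(values):
    """Q1 and Q3 as medians of the lower and upper halves (Tukey's hinges).

    Tools differ in how they interpolate quartiles; this simple rule is
    enough to show the fence calculation and is an assumption of the
    example, not the only valid definition.
    """
    xs = sorted(values)
    half = len(xs) // 2
    lower = xs[:half]
    upper = xs[half + 1:] if len(xs) % 2 else xs[half:]
    return _median(lower), _median(upper)


def iqr_outliers(counts, k=1.5):
    """Sources above Q3 + k*IQR or below Q1 - k*IQR."""
    q1, q3 = quartiles(counts.values())
    iqr = q3 - q1
    lo, hi = q1 - k * iqr, q3 + k * iqr
    return {src for src, v in counts.items() if v < lo or v > hi}


if __name__ == "__main__":
    counts = parse_counts(SAMPLE_LOG)
    print("z-score outliers:", zscore_outliers(counts))
    print("IQR outliers:    ", iqr_outliers(counts))
```

On this data both rules agree on the scanner at 203.0.113.9, but they will not always: the z-score is dragged by the very outliers it is looking for (one huge value inflates the mean and standard deviation, which can hide a second, smaller outlier), while the IQR fence is insensitive to that. Running both and investigating the union is a reasonable first-pass triage before any more elaborate model.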
The science and art of data insights for IT operations has many examples, such as server
CPU and memory metrics, DNS logs, or firewall logs; this information can be distilled
down to atomic data elements. Analysis can be performed against the data set much as
businesses use it for customer-facing analysis. This can address malware detection,
capacity problems, root cause identification, and customer usage.
What can we do with data? Compare two different states and see whether we can train a
model to tell the difference on something it has not seen before. Take CPU and memory
usage data from two groups of machines, one infected with malware and one clean. Can a
model find a pattern that distinguishes the two?
When it comes to data, we need to keep your audience in mind. What questions do they
want? How do they want to see it? How do you find out what they want? Ask them, talk
to them, have an ongoing dialogue. They may not know what they want. We must
iterate, try out different things, and elicit feedback.
How do we handle the cost and complexities? How do you maximize our decision making
in this environment?
Know your people
When do most users log in? How many of them use personal devices? What does the pattern
of file access look like? Do they really like to stream Final Four games? Or are they a
heavy social media group? What do they like, and how do they like to do it?
Know your systems
What does normal look like? What does it look like when it works? What happens when an IP
phone boots up? When a Windows server reboots, how long does it normally take to come
back up? One of the most critical mistakes IT makes is its failure to fully understand
the systems it supports. Even when it is hard to get under the hood, a system's behavior
and its effect on other systems can be observed and understood. Places to explore
include the Windows registry, DNS, DHCP, proxy logs, call logs, the badge system, and
Windows processes.

Laying the groundwork for next-generation management of Windows are PowerShell and
Windows Management Instrumentation (WMI). Sixteen years in the making, the work of a
distinguished engineer brings Linux-like command line control to the Windows platform.
On the edge of headless Windows Server we have Nano Server.
Know your data

When it comes to our data, we need to know where it lives, who owns it, who created it,
who uses it, and how should it be protected.
What you should be collecting now
There is certain data that every IT team should be collecting today.
IT needs to collect the data necessary to run its operations. Data about daily operations
is critical to ensure business service is uninterrupted, and often when IT looks at a new
initiative, a third party will recommend gathering data for an assessment. Looking to
move to the cloud? A third party will come in and want to collect data about current
server, networking, and storage usage characteristics for the type of workload under
consideration. Thinking about VDI? A third party will want to collect data about a subset
of your workstations to understand processor, disk, network, and memory utilization.
Still in the process of converting physical machines to virtual? A third party will want
to collect data on the current utilization of your physical servers in order to properly
size the new hardware to run the virtual workload.
The importance of centralized logging. In all three cases, data about the utilization of
resources of systems under IT control is being requested by third party vendors looking to
do assessments for potential projects. However, IT should consider this type of data core
IT services. The type of data should be collected already by IT, to run normal operations.
There is no reason for IT not to have this of information readily available. It should be as
a matter of just pulling the data for third-party vendors to provide analysis of existing
performance and characteristics of the workloads.
It must know itself better than anyone else. IT should have a very intimate, in depth
knowledge of the underlying systems under its management umbrella. This includes
systems that provide the services that underpin a business and technical operations that
support business services that are a function of the business itself. For far too long, IT has
struggled to procure the proper budget, put in the proper monitoring systems, and had a
way to adequately analyze all the data for systems critical to running a business in the
digital world. Far too many tools have been accumulated over the years for the purpose
of gaining visibility into the systems that IT manages. However, for far too long these
individual tools haven been trapped in silos, providing just slivers of the picture of the
health of these systems. As change is required to operate today’s disruptive environment,
and there exists a constant need for changes to be made to systems, it is time for IT the
gain a system-level view of all the technical infrastructure that the business runs on. It
has been a long time coming, as we have been talking about this for years.
You should be able to answer the questions that follow.
Pattern Questions
▪ How many of system X are we currently running in production?
▪ What is the breakdown of operating systems for our systems running in the development environment?
▪ Of all our systems, which ones are current on their Windows updates?
▪ How many mobile devices are currently accessing our email system?
▪ Has the amount of wireless traffic in our main headquarters changed in the last three weeks?
▪ Have any of our critical protected systems with personally identifiable information changed in the last two weeks?
▪ Are any of our Web servers running in the DMZ currently trending up or down in CPU utilization over the last three months?
▪ Has any host on our internal network attempted to send mail directly to the Internet?
▪ What is the breakdown of usage by department on the primary storage area network over the last six months?
These are all common management questions that IT should be able to answer in a relatively short period of time. IT should view each of the individual elements and components as the underlying backbone powering the business today. Just as a business must maintain inventory and visibility over the products and services it provides, IT should be accountable to itself and the business, mastering this process.
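The inventory that lets IT answer these questions in minutes rather than weeks is easier to picture with data in hand. What follows is an added example, not code from the book: it answers four of the pattern questions above against a constructed asset inventory. The system names, operating systems, patch dates, the LATEST_PATCH_RELEASE date and the monthly CPU figures are all made up; in practice they would come from the CMDB and the monitoring system. The CPU question is answered with a least-squares slope over the last three monthly averages, which is the general form of the "trending up or down" check.

```python
"""Answer the pattern questions from a central asset inventory.

Added example, not from the book. The inventory records, patch dates and
CPU figures are constructed; in practice they would come from the CMDB
and the monitoring system.
"""
from collections import Counter
from datetime import date

# Constructed inventory: one record per system.
INVENTORY = [
    {"name": "web01", "role": "web", "env": "production", "zone": "dmz",
     "os": "Windows Server 2012 R2", "patched": date(2016, 3, 9)},
    {"name": "web02", "role": "web", "env": "production", "zone": "dmz",
     "os": "Windows Server 2012 R2", "patched": date(2015, 12, 8)},
    {"name": "db01", "role": "database", "env": "production", "zone": "internal",
     "os": "Windows Server 2008 R2", "patched": date(2016, 3, 9)},
    {"name": "dev-web01", "role": "web", "env": "development", "zone": "internal",
     "os": "Ubuntu 14.04", "patched": date(2016, 2, 10)},
    {"name": "dev-app01", "role": "app", "env": "development", "zone": "internal",
     "os": "Windows Server 2012 R2", "patched": date(2016, 1, 12)},
]

# Constructed monthly average CPU utilization (%) for the last three months,
# oldest first, keyed by system name.
CPU_HISTORY = {
    "web01": [35, 41, 48],
    "web02": [52, 51, 50],
}

# Constructed date of the most recent Windows patch release.
LATEST_PATCH_RELEASE = date(2016, 3, 8)


def count_in_production(role):
    """How many systems of a given role are running in production?"""
    return sum(1 for s in INVENTORY if s["role"] == role and s["env"] == "production")


def os_breakdown(env):
    """Operating system counts for one environment."""
    return dict(Counter(s["os"] for s in INVENTORY if s["env"] == env))


def current_on_updates(latest_patch_release):
    """Windows systems patched on or after the most recent patch release date."""
    return sorted(s["name"] for s in INVENTORY
                  if s["os"].startswith("Windows") and s["patched"] >= latest_patch_release)


def trend_slope(values):
    """Least-squares slope of a short, evenly spaced series (units per sample)."""
    n = len(values)
    if n < 2:
        raise ValueError("need at least two samples to fit a trend")
    x_mean = (n - 1) / 2
    y_mean = sum(values) / n
    num = sum((x - x_mean) * (y - y_mean) for x, y in enumerate(values))
    den = sum((x - x_mean) ** 2 for x in range(n))
    return num / den


def dmz_web_cpu_trends(threshold=2.0):
    """DMZ web servers whose CPU is moving at least `threshold` points per month."""
    trends = {}
    for s in INVENTORY:
        if s["zone"] == "dmz" and s["role"] == "web" and s["name"] in CPU_HISTORY:
            slope = trend_slope(CPU_HISTORY[s["name"]])
            if abs(slope) >= threshold:
                trends[s["name"]] = "up" if slope > 0 else "down"
    return trends


if __name__ == "__main__":
    print("web servers in production:", count_in_production("web"))
    print("development OS breakdown:", os_breakdown("development"))
    print("current on updates:", current_on_updates(LATEST_PATCH_RELEASE))
    print("DMZ web CPU trends:", dmz_web_cpu_trends())
```

The point of the example is that each question is a short query once the inventory and metrics are centralized; the hard part is having the records at all, not writing the query.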
Is it actually faster in the Cloud than on premise?
Are you guessing or measuring with data? Get out of the hunch business. How do you know? Are business units subsidizing the costs of cloud and making on-premise solutions look more expensive? Make sure the business is not surprised down the road if its assumptions about the cloud don’t match reality in operations, security, and innovation.
Everything you know today about technology is changing. Smaller, lower-power, higher-capacity, and smarter gear is being introduced to the market daily. You can’t outsource that which only the business can do. You are still responsible for the protection and integrity of your data. Is your legal team satisfied with the cloud contracts? Cyber criminals target the data, not the infrastructure. Move your IP to the cloud, and they will follow. Cloud providers will increasingly be targeted for vulnerabilities. Innovation with IoT will change the data patterns. You may be capturing too much data at remote locations to effectively and practically move it across the wire to the cloud for analysis. Some businesses are able to move 100% to the cloud, but that does not mean IT is not still very busy managing the technology stack. Measure, analyze, and monitor to be sure.
Root Cause Analysis
Know your systems. Until you find the root cause of problems, you are operating in a state of self-imposed uncertainty. That uncertainty has a habit of coming back at an inconvenient time.
We need to be very proficient in troubleshooting our systems. That means we need to know how they operate very intimately. This means making observations about the systems before there are problems, getting under the hood of our systems, taking them apart and seeing how they work, and then testing the components to see how they interact and hold up under stress. This allows us to know them intimately and to be able to determine root cause very quickly.

Every system has many components. We should baseline each component individually and ultimately the system as a whole. Baselining is a methodology of observing initialization and operations. We need to put an observation regimen in place to have visibility into normal operations. We want to be extremely accurate in what normal means. Implied in this is the ability to notice when the system is not running normally, thus making it easy to spot anomalies. On the factory floor, manufacturers use statistical process control to ensure the quality of operations. It makes it obvious when output is out of the norm. If we collect data on our systems, we can then run analytics across the systems to gain operational intelligence about normal operations. This is an act of mitigating risk.
Creating baselines and detecting anomalies are not tasks humans are well suited to, especially considering the volume of system data that needs to be analyzed. This is where data science and analytics can be leveraged. Distinguishing the normal from the abnormal allows us to run fast IT. The challenge IT normally faces in troubleshooting is the fact that it does not know what normal looks like. This is even more acute when suboptimal configurations and architecture run just well enough on the surface to appear to be working properly. Even more dangerous is when it appears the network is quiet and our antivirus programs are not alerting, giving us the false impression that we are secure. A similar problem in business operations is when some of our customers continue to purchase but are perhaps on the verge of turning away. If our business service is declining and we’re slowly turning away customers, it may reveal itself at such a slow pace as not to be visible when it does occur.
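As an added example (not from the book), here is what the statistical process control idea looks like applied to one component: the time a Windows server takes to come back after a reboot, which the "Know your systems" section asked about. The reboot timings are constructed. The limits are the three-sigma control limits from a factory control chart, and a second rule, a run of points on one side of the center line, catches the slow drift that stays inside those limits: the system equivalent of the customer who has not left yet but is on the way out.

```python
"""Baseline one component and flag behaviour that is outside normal.

Added example, not from the book. The reboot timings are constructed;
the limits follow the three-sigma control chart used in statistical
process control, plus a run rule for slow drift.
"""
from dataclasses import dataclass
from statistics import mean, pstdev

# Constructed baseline: seconds from reboot to "service available" for one
# Windows server, measured on ten quiet nights.
BASELINE_REBOOT_SECONDS = [182, 175, 190, 178, 185, 181, 188, 176, 184, 179]


@dataclass(frozen=True)
class Baseline:
    center: float       # mean of the normal observations
    spread: float       # population standard deviation of the normal observations
    k: float = 3.0      # control-limit multiplier (three sigma)

    @property
    def upper(self):
        return self.center + self.k * self.spread

    @property
    def lower(self):
        return max(0.0, self.center - self.k * self.spread)


def build_baseline(samples, k=3.0):
    """Summarize a quiet period into a center line and control limits."""
    if len(samples) < 2:
        raise ValueError("need at least two observations to estimate spread")
    return Baseline(center=mean(samples), spread=pstdev(samples), k=k)


def out_of_control(baseline, observations):
    """Points outside the control limits, as (index, value) pairs."""
    return [(i, v) for i, v in enumerate(observations)
            if v > baseline.upper or v < baseline.lower]


def detect_drift(baseline, observations, run_length=8):
    """Index at which `run_length` consecutive points sit on one side of the
    center line, or None. Catches a slow shift that never crosses a limit."""
    above = below = 0
    for i, v in enumerate(observations):
        if v > baseline.center:
            above, below = above + 1, 0
        elif v < baseline.center:
            above, below = 0, below + 1
        else:
            above = below = 0
        if above >= run_length or below >= run_length:
            return i
    return None


# Constructed follow-up observations.
NEW_REBOOTS = [183, 420, 177, 120]          # one very slow, one suspiciously fast
CREEPING_REBOOTS = [184, 185, 186, 187, 188, 189, 190, 191]  # inside limits, all above center

if __name__ == "__main__":
    b = build_baseline(BASELINE_REBOOT_SECONDS)
    print(f"normal: {b.center:.1f}s, limits {b.lower:.1f}s..{b.upper:.1f}s")
    print("out of control:", out_of_control(b, NEW_REBOOTS))
    print("drift detected at index:", detect_drift(b, CREEPING_REBOOTS))
```

The 420-second reboot is the obvious anomaly; the 120-second one matters just as much, because a server that comes back too fast may have skipped a service that normally starts. The creeping series never breaks a limit, which is exactly why the run rule is there.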
Visibility
That which we can’t sense directly or infer from its presence is unknown to us. And that blindness leads to missed signals that can cause us to miss out on new opportunities or threats.

Here are three key patterns to be aware of:
▪ Know yourself better than anyone else, including third parties and attackers.
▪ You can’t manage what you can’t see!
▪ If you can’t see it, can’t measure it, can’t analyze it, then you can’t defend it.

What happens when you have all the data? What opportunities does that open up for your organization? Exploring, questioning, and investigating your environment can be accomplished using who, what, when, where, how, and why:
▪ [who] Users of Interest: the c-suite, board of directors, VPs, contractors, first 3 months and last 3 months of employment
▪ [what] Nodes of Interest: unpatched, newly released from manufacturer
▪ [when] Time of Interest: after hours, weekends
▪ [where] Location of Interest: office, home, road
▪ [how] flow
▪ [why] multivariable, correlation

Can you detect an anomaly on your network? How long does it take? Remember, for a system, it is a trivial task. For manual human interaction, it’s very difficult. Know what happens in cases such as these:
▪ Unplug an AP on the floor
▪ Attempt to log on with a system account
▪ Attempt to log on with the account of a fired employee
▪ Submit a patent from a terminated employee for similar work
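The two logon cases in the list above are the kind of check a system answers in seconds. The following added example (not code from the book) runs them over a handful of constructed logon records; the usernames, addresses, termination list and service-account list are all made up, standing in for what would come from the directory service and the log platform. It also covers the "who" and "when" of interest from earlier in this section: a user of interest active after hours.

```python
"""Run the "know what happens when" checks over authentication events.

Added example, not from the book. Every log line, account name and
policy table below is constructed; in production these come from the
directory service and the log platform.
"""
import re
from datetime import datetime

# Constructed logon events: "timestamp user source result logon_type".
SAMPLE_LOG = """\
2016-03-14T09:02:11 jsmith 10.1.4.22 success interactive
2016-03-14T09:05:43 svc_backup 10.1.4.22 success interactive
2016-03-14T12:17:05 svc_backup 10.1.9.8 success service
2016-03-14T22:41:30 mjones 10.1.4.31 success interactive
2016-03-14T23:03:12 bwilson 203.0.113.7 failure remote
this line is not a logon record
2016-03-15T03:55:49 bwilson 203.0.113.7 success remote
"""

# Constructed directory state.
TERMINATED = {"bwilson"}                 # accounts that should already be disabled
SERVICE_ACCOUNTS = {"svc_backup"}        # system accounts, never for interactive use
USERS_OF_INTEREST = {"mjones"}           # e.g. c-suite, recent joiners or leavers
BUSINESS_HOURS = range(7, 19)            # 07:00 to 18:59 is normal working time

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (success|failure) (\S+)$")


def parse(log_text):
    """Turn raw lines into event dicts, skipping anything that does not match."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, user, src, result, kind = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "src": src, "result": result, "kind": kind})
    return events


def detect(events):
    """Return (rule, user, detail) alerts for the cases IT should recognise."""
    alerts = []
    for e in events:
        # Any use of a terminated employee's account, successful or not.
        if e["user"] in TERMINATED:
            alerts.append(("terminated-account-logon", e["user"], e["result"]))
        # A system account used for an interactive logon rather than its service role.
        if e["user"] in SERVICE_ACCOUNTS and e["kind"] == "interactive":
            alerts.append(("service-account-interactive", e["user"], e["src"]))
        # A user of interest active outside business hours.
        if e["user"] in USERS_OF_INTEREST and e["ts"].hour not in BUSINESS_HOURS:
            alerts.append(("user-of-interest-after-hours", e["user"], e["ts"].isoformat()))
    return alerts


def run(log_text=SAMPLE_LOG):
    return detect(parse(log_text))


if __name__ == "__main__":
    for rule, user, detail in run():
        print(f"{rule:32} {user:12} {detail}")
```

Note that the failed logon by the terminated account is reported as well as the successful one: the question is not whether the attempt worked but why a disabled identity is being used at all, and that answer should come from the system, not from someone noticing it weeks later.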

Make sure you can track down answers to these types of questions:
▪ How long before a manager knows the lines are backing up?
▪ How much extra gas is your truck fleet expending using sub-optimal routes?
▪ A customer walks into your store … how long do they have to wait?
Chapter 7: Risk Mitigation

“The bad guys are smart, well equipped, and determined. There’s no reason that the good guys can’t be the same.” -as stated in the M-Trends 2015 “A view from the Frontlines” report.

We need to think in terms of systems. When we do, we will greatly help our organizations win! The impact of getting it wrong is being too slow to respond. When the business fails, IT fails and security fails. Unfortunately, the impact sometimes has to be big and painful to force change.
There are many dangers that lurk within: the assets we protect, the threats that challenge us, and the infrastructure we depend on. This is now getting board-level visibility. The question is how risks from technology threats are managed and how they impact the business bottom line. Failure is no longer confined to a help desk ticket. As to the Industrialization of Hacking, keep in mind that these are not your father’s hackers. It’s important to level-set our terminology to facilitate a useful discussion. We have been approaching security all wrong!
We must strive to close, as quickly as possible, the gap between our dependency on our digital infrastructure and our effectiveness in protecting it. Our continued benefits and return on investment depend on the gap closing. It is quite a challenge to mitigate risks and improve our defenses while simultaneously not breaking things or disrupting business operations. After sitting through another third party’s assessment report and list of recommendations, IT had the feeling that many of the conclusions were very familiar. Many of the remediation items were things they had wanted to do themselves in the past. However, budget constraints, technical challenges, and integration difficulties made it extremely difficult or sometimes even impossible to get them implemented.
We see this in restrictions from third-party vendors who threaten to invalidate the support contract if their system is updated, to business units who forbid their data from being shared with other groups, to hardware limitations or licensing problems which will not allow the work to be completed. The SANS 20 Critical Controls are often more problematic to make a reality when operating under the constraints of just keeping the lights on. When the attention on the big cyber breaches on the front pages of newspapers disappears, the attackers work once again in the background, where they wish to stay quiet.
With the attackers out of sight and quiet to the masses, coupled with the urgency of now, the stakeholders will once again shift their attention back to the pressing issues of competing in the disruptive marketplace. This is normal human behavior. To make the point very poignant, many people will live with high risk factors and/or ignore their doctor’s recommendations. It is often an emergency trip to the hospital that once again brings the problems back to the forefront. Illnesses and health issues grow over time, and the failure to address them early, when indicators give a hint of future potential problems, is unwise. If you knew that you could take action today to help reduce a problem tomorrow, how many of us would see that as an opportunity?

Balance between innovation and control

On our way to enabling this new business functionality, a very large unforeseen vulnerability was opened up that has the potential to be exploited by active adversaries currently operating against our industry. We estimate a high likelihood that this vulnerability will be exploited in the upcoming holiday season and open our business to potential brand damage. The challenge is balancing the potential business gains from this new functionality against the impact of damages. It is critical for IT and the business to establish ahead of time the framework for how we will assess and measure probabilities and impact in order to make these tough decisions.
At any time, from anywhere: all the chaos from the unrestrained consumerization of IT must be balanced with the need of the business to mitigate risk. Some have suggested that this consumerization is unstoppable, and that bring your own device (BYOD) is the difference between hiring new young upstart talent and losing talent to an old, traditional, stodgy environment. While this may be true, the business owners, who carry liability and responsibility for the bottom line, need the right information to be able to make informed decisions on how to approach these challenges and potential risks. IT and the technology industry at large need to be more innovative. And business stakeholders need to be aware of the implications that new technology, functionality, and innovations have on their risk scale.
Inverse relationship between opportunity and the attack surface

Imagine if we could connect all our fleet vehicles to the Internet and pull performance metrics. Also imagine a thousand new endpoints exposed to the Internet. If you look very closely, you will see that the growth of the attack surface is highly correlated with the expanded opportunity for business. In its efforts to drive business growth, the organization and its employees look for opportunities to be more innovative. These efforts, whether by doing work differently, engaging customers in new ways, or using alternative techniques, often lead to different patterns of technology use. These new patterns alter the use of technology and often fall outside the scope of existing security controls.
The implication is clear: business owners must be informed and educated on the changing control set requirements. The business will need to invest in modernizing the controls, infrastructure, and organizational structure to keep pace. This will be critical, as we do not want to stifle innovation and the productivity gains of the end user. This is why we mitigate unnecessary risk while the vendors and manufacturers work to catch up. IT must be ready to make the business case for the changes in investment that will be needed to keep pace with innovation. These investments are needed to maintain the minimum control update denominator.
Managing the Risk Landscape

IT needs to be in sync in addressing risk mitigation as defined by business parameters, not technical constructs. We have to address “alert fatigue” with targeted efforts. You can’t manage what you can’t see, and if you don’t know the business impact and probabilities of occurrence, then you are blind to what is important, misapply controls, and expend your time chasing alerts. You must identify, classify, and manage business assets. On the infrastructure and controls that enable the defense of assets, you must see weaknesses and vulnerabilities in order to address the gaps and plan mitigation approaches. You must identify the threat actors pertinent to your industry and company, make current attacks visible, and understand the context with regard to the risk to your business assets. Determine business impact and probabilities of occurrence. In circumstances where the risk is likely and undesired, actively improve controls and defend.

Beyond Fear, Uncertainty, and Doubt

Art of the possible
Beyond fear, uncertainty, and doubt: IT must embrace disruption; IT must embrace uncertainty; IT must embrace doubt.

There is much that is possible in today’s digital economy, and IT is in a position to take advantage.
First comes understanding. IT should have a good grasp of what the business is going through and what the business strategies are, in ways that allow it to assist the business. Then, and only then, will IT be in a great position to help the business leverage new opportunities.
Business leaders are moving with boldness, understanding the risk and uncertainty in the business climate. IT also must move with boldness, and must adapt and learn new ways of thinking to create new frameworks for operating and have the speed and attention necessary to be successful.
Flexibility and speed are the key capabilities of our time. Being ready to go when the business needs us is what is most important. IT can lead: with technology being so pervasive in our personal and work lives, an opportunity exists, as technology is the language of IT. IT is in the position to thrive in this environment. What IT has lacked in the past is the language of business. This lack of business language has hindered IT’s ability to properly align goals and priorities. That has meant that the real risks from our technology use, and from adversaries leveraging technology, have not been getting through to the stakeholders.
As cyber security has become one of the primary drivers of business operational risk, IT must ensure that we have the correct mindset to tackle this challenge. There are many mitigation methods in IT’s sphere of control that are already available to us.

The security market currently is filled with a lot of hype around the answers. IT must make sure the right questions are being asked. We must be crystal clear on the business objectives and the meaning of risk mitigation. It is all about the assets. If you stay focused on business assets, then you will be in a position to make a difference in your mitigation efforts. The noise around the easy solution, an appliance with a cloud connection, will be highlighted so you can determine whether it can contribute to your efforts.
What IT has been doing wrong for years is designing by budget. Lifecycle management has turned into a procurement nightmare and an overemphasis on a bottom-line number. We have failed to communicate how design considerations apply to business value. The link to business services is ultimately how the business consumes and uses those IT services. Given the roles and purposes of IT services and how they map to upstream business infrastructure, IT can position itself to make a stronger case for enablement and innovation via technology designs that make systems more resilient to disruptions.
Getting a grip on cyber defenses is a critical business function. A common risk mitigation framework uses a coverage model of protection, detection, and response as a system of defense. After many years in which the majority of security spend went into the protection bucket, more organizations are looking to adjust that distribution as the inevitability of breach sinks in. As in the real world of insurance, we already know there will be fires, accidents, and death. Detection and response are getting more budgetary attention. Yes, 911 will need to be called because locks did not stop a criminal from robbing your home.

Let’s talk about the importance of the response. Your business may make that decision based in part on who the identified threat actor is, their perceived motivations, and the business impact. Is this a case of personally identifiable information (PII), medical records, or intellectual property? Is it cheaper to pass on a response? If there is no legal or regulatory aspect, the business may decide to ignore it if competitors can’t take advantage. If a nation-state is involved, then the response may be assisting the government with prosecution in the case of espionage.
Or, in the example of Sony, a military response on the cyber front may be needed. The most important facet that deters organized cybercrime is the potential for being caught. One of the benefits of cybercrime is anonymity: predators are hiding behind a computer screen, but behind every criminal organization and behind every keyboard is a person who ultimately wants to avoid being detected and punished. We must increase the cost of criminal activity if we want to make a difference in this cyber fight, given the pervasiveness of cybercrime. Today, crime in the digital world, as in the physical world, is heavily influenced by the cost of doing crime.
One of the difficulties in today’s landscape is the overflow of data coming in from multiple parties, often masking the critical clues. The battle to deal with cyber threats doesn’t really begin until a relevant threat to our organization has manifested. We must understand that our focus on the business-defined concerns is what makes the real difference. It informs our mitigation strategies and response plans. IT is often unaware of the many ways that the business has dealt with crime before in the physical world. Business is very adept at mitigating risk via insurance; in fact, this is a primary tool used by business to mitigate risk, and more companies are starting to look at the insurance market for cyber policies. Insurance companies will be assessing our defense posture and maturity level more often in their underwriting process. Your insurance policy will be written after a third party reviews your controls and environment. The last thing you want is to have a claim denied after a breach because of a lack of due diligence. This is and always will be a business-level discussion. This is something IT cannot do for the business; rather, this is something that IT can help facilitate for the business.
Every single day, across the country and across the world, crime is taking place. This is a reality, but we cannot devote all of our attention to criminals. Our main objective is helping the business, and therefore we must provide a very resilient infrastructure to support the business. We must protect, detect, and respond to intrusions, all while the business is up and running. The cyber resiliency value chain allows us to remove single points of failure in order to recover quickly from interruption and to make the impact far less costly to the operation of our business.

Knowing ahead of time the impact of interruptions for specific domains allows IT to proactively architect its infrastructure and its delivery model to allow for disruption as well as fast and rapid recovery. This means that an intrusion can be detected within minutes, hours, or days, not weeks, months, or years. A business impact analysis assesses time to recover, and when that is caused by a cyber-attack, we should have planned for it just like the disruption from a hurricane.
The difference between a technical intrusion and a notifiable board breach is time to detect, respond, and contain. Preplanning the response means already having in place the teams, processes, and technology required for board and market notification, media handling, collaboration with law enforcement, and legal ramifications. This means response plans for isolation, forensic analysis, and cleanup are already in place. This prep work is what gives the business the confidence to address its customers on what happened and continue to operate.
A company operating without a response plan is engaged in very costly risk management. Making the decision to operate a business without a plan is a basic form of negligence, and is the equivalent of not having insurance on a home. A running ADT alarm system with video cameras observing those around, locked doors, and taking a self-defense class in a world of hostility is how we face such issues in the physical world. Finally, one must understand what the threat is in order to plan for contingencies. Businesses are very good at creating contingency plans for variations in operations, and the importance of doing so in the case of cyber security is no different.
Observations

▪ Test yourself to see how serious and likely the risks are.
▪ If stakeholders don’t understand the risks, then they can’t be part of the solution.
▪ Let stakeholders define the response plan.
▪ Your response plans should be preloaded.
▪ In the near future, you will need to make your voice heard in legislation, regulation, and privacy matters.
▪ A breach report limited to legal liabilities may not provide useful information if the basics are not being covered.
▪ Avoid the overuse of the word sophisticated.
▪ Malware is code; it is not magic. If what malware does impresses you, then you are not paying attention to all the wonders that the modern digital lifestyle makes possible with truly wondrous code.
▪ Be willing to change the cost model.
▪ The purpose of the mail system is to communicate and collaborate, not to analyze whether a link leads to a bad site.
▪ It may seem like a lot for the human brain to track, but it is trivial for computers... that’s what we built them for.
▪ Save your business lots of money by not buying security products that protect the wrong things or places, including things that end users don’t actually use.
▪ You have to properly scope the protection domains so you don’t waste finite resources.
▪ You have to prioritize, focus, and optimize.

When you get IT right in a digital world, a range of possibilities opens up for your organization. But how does one go about getting from your current state to there?
First, we must tackle fear, uncertainty, and doubt (FUD) head on. We can’t make critical decisions, day to day, in an atmosphere of misunderstanding and confusion. Then, we have to work on ourselves, the way we do our business, the way we think about the issues at hand, and the way we work. Next, we need to examine our decision making process to determine if we can get better. Finally, we need to inspire and lead the change necessary to survive and thrive.
Let’s begin by looking at some FUD.

Whatever we do, however we approach the threats, challenges, and constraints, we must do it in the context of the business and the challenges it faces in an uncertain and dangerous world. We all need the right perspective on a failure of cyber defense of our organization.
“It was a sophisticated attack by what must have been a nation state” is a common theme when defenders need to explain to the business what happened, and when the business gets in front of the cameras to explain why they were not able to stop it. In some cases that could be accurate, but in others it could be masking a larger problem. It could also be the case that in actuality it was a potentially much less advanced threat actor, using common tools and documented techniques from previous attacks in the same industry. That is an indictment of the organization’s commitment and operational efficacy.
Fear… Bad guys are bad, not supermen. We deal with them every day in the real world. Their ways can be studied, learned, and adapted to. There will be limits to how far the bad guys will be allowed to roam. The digital world is still bound by the physical world, where humans still use kinetic responses to critical threats.

The technical uncertainties and specifics around how sophisticated an attacker and his techniques are in some sense provide cover for IT and organizations when they fail in their due diligence. It’s a lost opportunity to thwart a larger number of attacks and thus limit the financial and brand damage to the business. And this is not helped by the collective meme of “prevention is dead” from business, vendors, and consultants. We must be on guard against using that as a crutch for underperforming. When we as defenders force attackers to work harder to achieve their goals, then that meme is a more apt description, but not when many of the basic controls and best practices are not being implemented. We have to get better at protection.
And we can’t limit our thinking of protection to only technical terms. Getting malware on an endpoint in and of itself does not constitute a business risk. In the attack chain, there are many phases. The biggest breaches have had a continuum of phases to ultimately get a business on the nightly news. We have to help stakeholders answer the “so what” question. Sophisticated does not necessarily mean unstoppable or relevant in the business context.
Let’s also challenge the mantra of “prevention has been taken care of, now move on to detection and response.” Lots of preventive controls are not in use; non-technical reasons for that include culture, politics, and user convenience.
Asset Mindset
It’s all about corporate assets and operations – the reputation and brand, the data,
services, and experiences the business brings to the market that generates revenue. As
such, assets are those things that are business derived asset valuation. So IT does not
need to attempt to protect every technical attack, but prioritize those threat actors and
the TTPs that pose a risk to business defined assets.
Is there a measurable opportunity loss as a result of digital information being read and/or
used by an attacker? The business and IT should map out the threat models to identify
what type of IP could provide an advantage to a competitor. We need to differentiate the
impact by the various threat actors.
There is a difference between embarrassment, and embarrassment that could lead to
reputation or brand damage ultimately impacting revenue. Business and individuals have
become very good at dealing with physical crime, its impacts, and ways to mitigate it. We
must do the same thing for crime and attacks in the digital world. The business can't be
held hostage from operating out of fear.
We must continuously monitor the threat landscape. When we see new malware that
encrypts our data and tries to extort payment for unlocking access, then we must revisit
our data protection strategy and make any necessary control and tactical updates to
mitigate. Some of these situations will in the future will take on some of the qualities of
the physical world. Many security controls are required by law, industry, best practice, or
as a requirement for being insured. Likewise there are many baseline techniques to
reduce both impact and likelihood that are not being implemented.
We must be careful not to fall into trap of “if we just had more of whatever, that the
problem would go away.” Before writing a check, make sure you have understanding and
knowledge.
As individual organizations, we must support broader industry wide initiatives,
appropriate government law changes, and just common sense.
Without domain expertise, consultants cannot adequately understand the environment or
make sound judgments. Domain expertise is a requirement. So is the business language
that the relevance must be communicated to have it acted on by management. The
quickest way to inefficiencies is to continue to talk different languages.
The latest news of new hack can sound scary, in a vacuum. We need context and
relevance for our organization. When you understand the importance of software, data,
and convergence, you can appreciate the actual challenges, constraints, risks, and
possibilities. You will be in a better position to answer why, what-if, and how. You will
have a framework to logically organize incoming news to put it into context, understand
the implications, and adjust if needed.
As convergence of IT and OT continue to reap the rewards, the news of the threats to
industrial controls systems, scads, and programmable logic controllers should sound
familiar. The purpose of these are automation...improving operations by reaping the
various benefits that automation brings, especially to systems out in remote locations.
But IT already knows these threats, has seen them, and knows how to mitigate the
threats – it is just a matter of whether they have successfully implemented what they
know is a baseline setup.
Let's take a look at six digital devices on the network: an IP phone, a PLC, a surveillance
camera, a building automation system server, an iPhone, and an automobile. Look at the
commonalities: remote connectivity, an IP address, software, electronics, and domain-level
technical specifications of how each works that are commonly available on the Internet. As
more systems and things take on these commonalities, the larger the scope of IT's
responsibility. Don’t be surprised if in the future an executive comes to IT asking for help
getting the software in his new car updated.
Business Contexts
Without context from the business, IT is chasing its own version of reality.
Not all bad things are equal. We must move towards a common language for what is bad
for us. There is a distinct difference between an incident, an intrusion, and a breach.
First, in the digital world, copying data is stealing. Many metrics count cost per record,
such as credit card and health records. Those are just a subset of the valuable digital
assets that we can surmise are being actively “stolen” across industries. Secondly, we
are only capable of reporting breaches we know about, or that a third party tells us
about. If you don’t know, you can’t report. Thirdly, depending on the legislation and
compliance regimes your organization is bound by, a cyber intrusion into your environment
becomes reportable only when it “impacts” data that is in scope.
For example, POS malware running in a thousand of your stores that does not transmit
credit card data has not technically caused a reportable event. If IT blocks the transfer of
the credit card data from the jump station out of your network, what is the reportable
event? Conversely, persistent malware that does not access any of your defined critical
systems or data may not rise to the level of a board-level conversation. It remains a
potential threat that could cause an unwanted outcome, but has not yet. The business
can influence what impact a successful exfiltration has. If at the end of the year the
business is unable to map out a negative outcome (loss of revenue, expenses paid out,
lost productivity), then from its perspective there was no risk. IT can influence what
systems and data are actually susceptible to exfiltration. IT needs to work off a
framework aligned with business operations and designed to aid its cyber defense efforts.
If our architecture is flawed, the stakeholders are not informed, the business is blocking
efforts to apply controls, and IT is not following design and operational best practices,
then we, as a collective group, have failed the minimum standard of care. The bad guys
are repeatedly fielding similar tactics, tools, and procedures. It is time we joined the
fight: stakeholder education, quantifiable analysis of risk factors, formation of a risk
mitigation strategy, and accountability by all.
Approaching the Challenges

When discussing risk in the business landscape, cyber security is a vital area to
discuss. First things first: IT must have the correct mindset for thinking about cyber
security and risk in the business landscape. If we go back once again to our definition of
risk, it is the potential for an outcome to have an unwanted or adverse effect from the
perspective of the business, commonly an outcome that impacts the bottom line. A cash
outlay is an adverse effect the business wishes to avoid. Any technology-related issue
that causes the company to lose money or forces a payout is a risk. IT needs to help the
business mitigate this as much as possible.
Previously, before our digital economy took off, IT had a pretty good handle on the
controls necessary to keep the business relatively safe. The boundaries of the assets that
needed to be protected were clearly defined. Endpoints were desktops, and maybe a
handful of laptops, all corporate owned and IT managed, and nearly all of them sat
behind the firewall, providing a clear boundary between us and them. Remote locations
all connected back to headquarters, with no direct connection to the Internet. This clear
boundary made it relatively easy to deal with the threats coming our way.

In fact, IT had been doing a pretty good job of preventing threats from outside: providing
strong protection at the boundaries, hardening publicly facing endpoints, reducing
vulnerabilities on Web servers, and closing off avenues of access. IT had done a pretty
good job of frustrating attackers trying to get inside the network. That was then. Now the
landscape has changed, and not because of anything IT brought upon itself or anything
attackers came up with: it was the result of a change in business models. It was a change
in mindset from end users; an onslaught of the consumerization of IT, cloud, mobile, and
bring your own device (BYOD).
Bad guys are well known in the physical world. For some reason, the digital world is
viewed by many as different. However, it should come as no surprise that the crime, war,
and political activism existing in the physical world also operate in the digital one. Let’s
explore some key principles of cyber security.
A matter of risk
Not every organization views risk the same way. Every organization has a different
appetite for risk, is subject to different laws and regulations, and uses technology in
widely varying ways. You must ensure your stakeholders are informed about the cyber
threat landscape and your current defensive posture, and highlight the gaps. Using a
variety of responses, including process changes, user education, infrastructure
enhancements, cyber insurance, faster mean time to recover, and improved operational
visibility, the impact of attacks can be substantially reduced.
Laws of Security
Commonalities, trends, and patterns observed over the years.

Years ago, Microsoft released what it had observed in the security landscape, titled the
“10 Immutable Laws of Security”. These are principles that are not necessarily solved by
technology but are long-enduring challenges to defenders. [35]
Some of these principles should be viewed as common sense. If a bad guy can persuade
you to run his program on your computer, find a way to alter the operating system on
your computer, or has unrestricted physical access to your computer, then it's not solely
your computer anymore. If you allow a bad guy to run active content in your website, it's
not your website any more. Weak passwords trump strong security. Encrypted data is
only as secure as its decryption key. A computer is only as secure as the administrator is
trustworthy. An out-of-date antimalware scanner is only marginally better than no
scanner at all.
Here is my updated list:
▪ If a bad guy can persuade you to run his program on your computer, via phishing
methods like an email with a URL or an infected USB drive left on the ground for you to
pick up, you no longer own your computer.
▪ If a bad guy can gain unrestricted physical access to your device, then you no longer
own your computer.
▪ If a bad guy can guess your password, you no longer own your identity.
▪ Weak passwords trump strong security.
▪ If single-factor authentication is used, a compromised credential trumps your security.
▪ If you allow a bad guy to run active content on your website, it's not your website
any more.
▪ If you allow a bad guy to get in the middle of your network traffic, he now controls
where you go.
▪ If you allow a bad guy to get your decryption key, then you no longer have
encryption.
▪ If you allow a bad guy to get a certificate issued in your name, he can impersonate
you and your device.
▪ A computer is only as secure as the administrator is trustworthy.
▪ A fully updated anti-malware scanner is only marginally better than an out-of-date
anti-malware scanner, which is only marginally better than no scanner at all.
▪ If a bad guy can find a way to make money, he will want your data, whether credit
card numbers, health records, or other PII.
▪ Keep in mind what one does when not watched. Bad guys are aware when others
are around; when they see the police, security guards, or the US Army. Being seen is
often a deterrent to bad actors, and normally to good actors too. Attackers,
criminals, and nation-states act differently when watched.
▪ Bad guys take advantage when the cost equation is in their favor. If the cost of
conducting the attacks does not increase, then they will continue to use the same
TTPs. They like operating in the shadows and taking advantage of defenders
having to defend such a large attack surface.
The Patient 0 Conundrum
All the action leads to the endpoint, and someone has to be the first to have come into
contact with it.
“If we could stop malware from executing on the end point, then it would be a game
changer and significantly reduce what we have to detect and respond to. Pre-execution is
the place to make the decision,” said Stuart McClure, CEO of Cylance. He approached the
Patient 0 problem with math and science. This is a story of how math, machine learning,
and modeling a security practitioner’s knowledge of how bad guys work shone a light on
the flawed belief that prevention is dead. It is an example of a productized solution.

Traditional antivirus software is built on the concept of having seen the attacker’s code
before. Once seen, it can be analyzed and identified by signatures, hashes, IP addresses,
and domain names. Once the attacker’s code has been seen and analyzed by the antivirus
vendor, the vendor can develop a signature that will detect that code in the future. All
consumers of the antivirus product then update their software with the new signature.
Hence: new virus, analysis, develop a new cure, and apply.
Let’s look at how anti-virus (AV) software works. It has to have seen the malware first to
identify and block it. It is quick and accurate at identifying and stopping what it knows.
AV is recognized as a compliance control. It has struggled with in-memory constructs, but
is very good with file-based malware. It has problems with polymorphic malware that
creates a new variant each time it is delivered. Also, malware writers will attempt to
obfuscate their code to make it harder to detect. As a result, heuristic methods have
their limits.
The most basic need is to determine if a file is malicious before allowing it to run. That is
the challenge. If it does run, then there are multiple conditions (system rights, patch
level, available vulnerability, etc.) that may or may not allow the code to succeed in its
goal.
For the majority of customers, this works out okay. Critics of this method rightly point out
that most malicious actors use code that is not detectable by today’s antivirus software.
Obviously, this is because no signature matches the new code. It is relatively easy for
attackers to slightly alter their code to bypass detection. In this case, the failure to
detect means the code is not actually stopped from running, and the product ultimately
fails to protect the endpoint. This problem also affects intrusion detection systems, which
for the most part are also looking for signatures that give away the presence of known
bad code passing through the network.
The list of signatures is becoming too large for the endpoint itself to keep up with. One
solution is to crowdsource the problem, as VirusTotal does: look up whether a file
(identified by its hash) has been seen before, and use the cloud to hold a much larger set
of malware files. The endpoint then queries the cloud to see if the file is recognized, and
matching on hashes speeds up the lookup.
Newer technologies have come along to enhance security. On the network and at the
endpoint, there is matching on hashes of executables. However, hashes are very similar to
the signatures used to detect malicious code: the hash of a file that has been found to be
malicious is recorded, and the product attempts to match it before allowing the file to
run. Security providers build databases of hashes of malicious code from the wild. Once
these files have been captured, collected, and analyzed, the hash of each file is added to
a database, and the security products download and update the list of known bad
software.

This type of solution helps your organization in cases where it is not the first to have
encountered a particular piece of malware. In the many cases in which the initial attack
is not targeted specifically at you, the security vendors will make updates available to
account for it, and you receive the benefit and the ability to block. If, however, your
organization is being specifically targeted, more than likely the attacker will use malware
that has not been identified yet, leveraging common tools available online. Attackers can
simply upload their code and test it against the major antivirus products' current
signature bases to ensure that it won’t be detected. However, they do have to use it
before those products and services alert the antivirus makers to something their products
did not catch. Attackers will also repack their code to make it look different. There is
potential for false positives, and at times not all vendors agree on a verdict of bad. Still,
this is a signature-based system, matching on that which has already been identified in
the wild: the Patient 0 problem.
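To make the Patient 0 problem concrete, here is an added example (not from the book and not any vendor's product) that puts an exact-hash lookup and a byte-pattern signature side by side. The sample, the family name, the signature bytes and the toy XOR packer are all constructed for illustration: a one-byte change defeats the hash match, the signature survives that but not the packing, and only after someone has been Patient 0 and the new hash is learned does the packed variant get caught.

```python
"""
Added example (not from the book): exact-hash and byte-signature detection
side by side, showing why both need Patient 0 to have happened somewhere first.
Every sample, hash and signature here is constructed for illustration; the
"malware" is an inert byte string, not executable code.
"""
import hashlib

# Constructed stand-in for a malicious executable a vendor has already captured.
ORIGINAL_SAMPLE = b"MZ\x90\x00" + b"\x00" * 60 + b"EVIL_PAYLOAD_V1" + b"\x00" * 16
HEADER_LEN = 64  # bytes the constructed "packer" below leaves untouched


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Hash feed: SHA-256 of files already analysed, mapped to a family name.
KNOWN_BAD_HASHES = {sha256(ORIGINAL_SAMPLE): "Constructed.Dropper.A"}

# Signature feed: a byte pattern extracted from the analysed sample.
SIGNATURES = {"Constructed.Dropper.A": b"EVIL_PAYLOAD"}


def verdict(data: bytes, hashes=KNOWN_BAD_HASHES, signatures=SIGNATURES):
    """Return (method, family). ('unknown', None) is the Patient 0 case:
    nothing in either feed matches, so the file would be allowed to run."""
    family = hashes.get(sha256(data))
    if family:
        return ("hash", family)
    for family, pattern in signatures.items():
        if pattern in data:
            return ("signature", family)
    return ("unknown", None)


def append_byte(data: bytes) -> bytes:
    """Trivial repack: same payload, one extra byte, completely new hash."""
    return data + b"\x00"


def xor_pack(data: bytes, key: int) -> bytes:
    """Constructed packer: XOR everything after the header so the payload
    bytes (and therefore the signature) no longer appear in the file."""
    body = bytes(b ^ key for b in data[HEADER_LEN:])
    return data[:HEADER_LEN] + body


def learn(data: bytes, family: str, hashes=KNOWN_BAD_HASHES) -> None:
    """What the vendor does after someone has been Patient 0: add the hash."""
    hashes[sha256(data)] = family


if __name__ == "__main__":
    for label, sample in [("original", ORIGINAL_SAMPLE),
                          ("one byte appended", append_byte(ORIGINAL_SAMPLE)),
                          ("xor-packed", xor_pack(ORIGINAL_SAMPLE, 0x5A))]:
        print(f"{label:18} -> {verdict(sample)}")
```

Appending a byte to the packed variant after it has been learned puts it straight back into the unknown bucket, which is the cat-and-mouse the text describes.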
There are sandboxes that can be placed on the network to capture files and observe
their behavior. If we can get the malware to run, we can observe what it does and learn
its indicators. There is both static and dynamic analysis. We can observe the behavior of
the file in an isolated sandbox and inspect its actions, attempting to be Patient 0 in an
isolated environment and learn from there. Based on what we observe, we can determine
whether the file is bad. Then the environment is destroyed. This behavioral analysis can
also be done on the endpoint itself, which is obviously less advantageous if the code has
a chance to cause damage or spread.
The challenge is that this test environment cannot reproduce all the environments in
production, since there is a wide variety of them. Also, bad guys will write their code to
perform a check and not run if the environment is virtual or the target's characteristics
don’t match.
Now let's look at the use of machine learning to help determine whether a file is good or
bad. We start by gathering a very large data set of known malware (and known-good files
to contrast it against) in cloud infrastructure, for scale. Then we run the data set through
training models to extract the features of the files. Next we apply a machine learning
algorithm to classify unseen files as good or bad based on the functions learned from the
training model. Statistical analysis is used to render a verdict of good or bad.
The next approach is a variant of behavioral detection, but instead of running it on the
network, we run it on the endpoint in a micro virtual machine. This works for both file-
based and in-memory constructs. Code is allowed to run, but it is isolated from the
protected desktop by micro-virtualization enforced by Intel VT hardware. This method is
able to make a deterministic verdict by inspecting actual behavior in the particular user's
actual environment. When every system is in essence a honeypot, analysis coverage
increases dramatically via distributed endpoint sensors. Real-time detection can send
discovered information up to the cloud for additional analysis and indicators of attack.
The benefit is that the analysis environment mirrors the targeted endpoint and feeds
valuable intelligence on the nature of the malware into a cloud-based system that updates
the knowledge base.
Indicators of attack look at the use of legitimate tools as part of the attack process.
Today’s endpoint may have a rich set of administrative tools that can be leveraged by the
bad guys in lieu of malware. In this case, we can monitor the endpoint for indicators of
attack, picking up the signals of legitimate tools being used in the attack chain.
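The following is an added example, not code from the book or from any vendor, of indicator-of-attack rules run over process-creation records. The log lines, hostnames, user names and the download URL are constructed, and the rule set is deliberately small (an Office application spawning a shell, encoded PowerShell, certutil used as a downloader or decoder, shadow-copy deletion); the point is that every tool involved is a legitimate, signed system binary, so none of it would appear in a hash feed, and the signal is in the chain rather than in any single record.

```python
"""
Added example (not from the book): indicator-of-attack rules over process
creation telemetry. Records, hosts, users and the URL are constructed.
"""
import re
from collections import defaultdict

# Constructed process-creation telemetry, one record per line:
# time|host|user|parent_image|image|command_line
SAMPLE_LOG = """\
09:01:02|WS-101|alice|explorer.exe|outlook.exe|outlook.exe
09:03:10|WS-101|alice|outlook.exe|winword.exe|winword.exe /n invoice.docx
09:03:31|WS-101|alice|winword.exe|powershell.exe|powershell.exe -nop -w hidden -enc SQBFAFgA
09:03:40|WS-101|alice|powershell.exe|certutil.exe|certutil.exe -urlcache -split -f http://198.51.100.7/a.dat a.dat
09:04:05|WS-101|alice|cmd.exe|vssadmin.exe|vssadmin.exe delete shadows /all /quiet
09:05:00|WS-202|bob|explorer.exe|powershell.exe|powershell.exe Get-Process
09:06:00|SRV-01|svc_backup|services.exe|vssadmin.exe|vssadmin.exe list shadows
"""

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Each rule: (name, predicate over one parsed record). Every tool is built in.
IOA_RULES = [
    ("office_spawns_shell",
     lambda r: r["parent"] in OFFICE_APPS and r["image"] in SHELLS),
    ("encoded_powershell",
     lambda r: r["image"] == "powershell.exe"
     and re.search(r"(?i)\s-(e|ec|enc|encodedcommand)\b", r["cmdline"]) is not None),
    ("certutil_download_or_decode",
     lambda r: r["image"] == "certutil.exe"
     and re.search(r"(?i)-(urlcache|decode)\b", r["cmdline"]) is not None),
    ("shadow_copy_deletion",
     lambda r: r["image"] == "vssadmin.exe"
     and re.search(r"(?i)delete\s+shadows", r["cmdline"]) is not None),
]

FIELDS = ("time", "host", "user", "parent", "image", "cmdline")


def parse(log: str):
    """Split the pipe-delimited records into dicts; image names lower-cased."""
    records = []
    for line in log.splitlines():
        if not line.strip():
            continue
        rec = dict(zip(FIELDS, line.split("|", len(FIELDS) - 1)))
        rec["parent"] = rec["parent"].lower()
        rec["image"] = rec["image"].lower()
        records.append(rec)
    return records


def evaluate(records):
    """Return one (host, time, rule, image) hit per rule that fires on a record."""
    hits = []
    for rec in records:
        for name, pred in IOA_RULES:
            if pred(rec):
                hits.append((rec["host"], rec["time"], name, rec["image"]))
    return hits


def attack_chains(hits, min_rules=2):
    """Hosts where at least min_rules distinct IOAs fired, in order seen:
    a chain rather than a one-off admin action."""
    by_host = defaultdict(list)
    for host, _time, rule, _image in hits:
        if rule not in by_host[host]:
            by_host[host].append(rule)
    return {h: rules for h, rules in by_host.items() if len(rules) >= min_rules}


if __name__ == "__main__":
    found = evaluate(parse(SAMPLE_LOG))
    for hit in found:
        print("IOA", hit)
    print("chains:", attack_chains(found))
```

Note that the backup server running `vssadmin list shadows` and bob's interactive `Get-Process` fire nothing: the rules key on the combination of tool, parent and arguments, not on the tool alone, which is what keeps this kind of monitoring from drowning in noise from legitimate administration.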
All these approaches have challenges and constraints. What are the caveats on impact to
user functionality? What are the tradeoffs? How an approach fits with our particular
environment is the primary question. What is its effectiveness when applied to us?
We are always on the lookout for transformative approaches, techniques, and models
that change the game.
Cyber security standard of due care
The modern economy is built on many standards that are widely accepted. Without them,
chaos would ensue with everyone doing their own thing.

“The National Institute of Standards and Technology Cybersecurity Framework may be
voluntary, but it offers potential advances for organizations across industries”, as stated
by PwC in its 2014 paper entitled “Why you should adopt the NIST Cybersecurity
Framework” [36]. The Framework is the result of a February 2013 US Presidential
Executive Order titled “Improving Critical Infrastructure Cybersecurity” [37]. It has
applicability to organizations outside of critical infrastructure as well.
The report goes on to theorize that this framework may become the foundation for a
standard for cybersecurity and privacy regulation, and may impact legal definitions and
enforcement guidelines for cybersecurity moving forward in the US. As a result,
organizations that adopt the framework at the highest possible risk-tolerance level may
be better positioned to comply with future cybersecurity and privacy regulations.
It goes on to state that “the framework may also set cybersecurity standards for future
legal rulings. If, for instance, the security practices of a critical infrastructure company are
questioned in a legal proceeding, the courts could identify the Framework as a baseline
for ‘reasonable’ cybersecurity standards. Organizations that have not adopted the
Framework to a sufficient degree—Tier 3 or Tier 4, for instance—may be considered
negligent and may be held liable for fines and other damages.”

There is opportunity in the future for more widespread adoption of industry standards.
When sound design principles, features, and functionality are built in from the ground up,
without the organization having to justify each one through its own risk analysis, they
are the industry standard. Let’s have your organization contribute to minimum standards
for our industry. We cannot “win” with flawed views of how to identify the probability of
something bad happening. If we applied this level of thinking to the physical world, it
would look significantly different and be a lot more dangerous. Everyone would be on
their own, marking off a compliance checklist and then blindly guessing, from their own
identification of risks, at what they should be doing. There are a lot of best practices and
suggestions, but no guidance of the kind a general contractor follows, designing in safety
features that go in automatically without analysis, whether or not a risk analysis would
have identified the need. The digital world needs standard security hygiene: basics for
those who understand the technical underpinnings of the infrastructure, and minimum
standards.
Central logging, synchronized time sources, two-factor authentication, continuous patching
of the base platform and of third-party applications and add-ons, dynamic inventory…
these should be considered standard design elements, not something a consultant needs
to come in and convince our management is a good idea to invest resources in. The
defender-attacker state will be better known when we do the basics.
The Learning Organization
Every day is another day to learn something new and apply it tomorrow.
What did you learn from the experience? How can the blue team adjust defenses? The red
team can help validate that changes were done properly. What you learned from an
attack, did you share with end users? We continually get better. We need to design and
build infrastructure that reflects improvements in technology, a view into various attack
chains and TTPs, and the realities of how organizations, workers, and customers interact
in the digital world. We need to apply what is now technically possible with a different
mindset of how to view digital assets, how to architect a defensible infrastructure, and
how to operationalize adaptive defense.
We need a solid perception of reality, where we stop guessing at it and test it. The “it” is
what we believe we are doing well, doing badly, or are unsure of: we are patching fast
enough, all mobile users are doing this, fill in the blank, we are using buggy modules
when fixed versions are available, etc. Blue teams, red teams – how about one team that
thinks multi-dimensionally? State what we believe, test, measure, analyze, update
beliefs, improve, and repeat. What can a compromised personal laptop plugged into the
network see and do? IT must accept adapting, changing, and transforming as the norm.
Protect the business assets, build a defendable architecture, and have active threat
defense.

Asset Protection
It is critical you understand what is important to guide what you do on a daily basis.

The three protection domains are end users, business services, and digital assets.
Digital Assets
When your monitoring solution alerts that server01-chi-exch01 has gone offline, the
meaning to IT and the meaning to the business are two different things. To the business,
a service is down: the “Internet” is down. To IT, it may just be a server that is down.
In the digital world we must have a complete inventory of our digital assets. This
inventory needs to be dynamically updated, scalable, and accurate. Notice that when a
business impact analysis is performed, the asset owners in the business (the owners,
executives, and managers of the lines of business, those who are liable for the assets) are
the ones normally interviewed. This input is so crucial that you should not let the
custodians of the systems be the ones driving the prioritization of the digital asset
inventory. IT has an important role here, as it must frame the discussion so that business
owners understand potential impact and probabilities, including the difference between
physical and digital assets.
Not everyone understands how critical a system is to running their business, or how much
dependency has been created by gaining the benefits of digitization. Staff might come into
the office in the morning and the computers don’t come on; this has a big impact on the
ability to do basic day-to-day operations. So much of our lives is now controlled by the
digital technology infrastructure that we cannot operate a normal society without it,
without the systems up and running. One property of a digital asset that must be
protected is availability: a system that is a critical piece affects back-end operations,
reputation, and brand.
Confidentiality is another aspect that must be protected. Depending on what data we deal
with to run our business, some of it could be under regulatory guidelines and some of it
could be damaging if our competitors had their hands on it. It is therefore crucial that the
business defines that for us. IT plays a critical role in setting the stage and the framework
for a discussion of what could go wrong, and in turn expressing that bad impact to the
business in the form of dollars.
The next step is to take an even more visible leadership role and help determine the
probabilities of these outcomes. Here, IT has intimate knowledge of the security controls
currently in effect guarding the digital assets of the organization. In the world of
convergence, many physical assets are tightly intertwined with digital assets: physical
access to buildings is controlled by digital resources, digital assets, and digital
infrastructure; elevators going up and down and HVAC systems are controlled by software
running on servers; and the complexity of the digital infrastructure the business uses to
take advantage of the technology continues to increase.

The attack surface keeps getting larger, with many more parts, many more dependencies,
and many more interactions. As a result, the ability to dynamically adapt to any
environment and to individualize the scope of dependencies and changes is critical to
calculating the probability of adverse effects.
We want to reduce the chance of compromise, leakage, or disruption of intellectual
property (IP). We attempt to prevent harm, loss, or unwanted outcomes from happening
to our organizational assets. We want to encourage action that reduces the severity,
seriousness, or painfulness of anything unwanted.

People
People are our most valuable asset and are highly targeted by attackers.
Our organization’s most powerful resource is people, powered by talent, dedication, and
hard work. With social engineering techniques and advanced malware arrayed against
our end users, all mitigation strategies and tactics begin and end with our users. The
impact on end users includes the negative consequences of the compromise of a user’s
digital identity.
All our digital identities and the footprints of our activity in the digital world are created,
used, and stored on infrastructure that is actively used by both producers and threat
actors. Everyone is a target. Every device is a target. What is the value of a compromised
host?

User Education
Beware of the cost model for “free” stuff. Hey, the purpose of the football game is not to
entertain; it is to sell beer, cars, and insurance. It's problematic when the consumer does
not understand the cost model. Free cloud services have to raise money to support the
infrastructure required to run them.
Posting personal information online is risky, and people must be aware of this. For
example, in the case of the Ashley Madison breach we see the dangers of signing up to
social sites that allow us and other virtual users to share personal information and
participate in social services. What are your users posting online? Are they signing up for
free services with your corporate email address? Are they reusing the same passwords as
their corporate account? Are they posting corporate data on those sites? Are they linking
your corporate data sources? Are they opening themselves up to blackmail? This
environment provides an opportunity for IT to educate and teach.
User awareness is especially helpful now that consumer products and more businesses
are capturing credentials, voice prints, and biometric markers that can be used
maliciously against users.

Why should IT worry about smart TVs? Because new threat vectors are being introduced
in our users' homes and our corporate offices, potentially setting up a playground for
hackers. These devices are essentially computers, running software, connected online.
Questions of privacy are a concern, as are new ways for bad guys to compromise your
network and potentially your business assets.
Your voice is being recorded, transmitted, examined, and potentially saved. "Please be
aware that if your spoken words include personal or other sensitive information, that
information will be among the data captured and transmitted to a third party through
your use of Voice Recognition," Samsung posted in its Smart TV privacy policy…Samsung
says it needs to send your voice commands to a third-party, because that company
converts your speech to text. But Samsung also collects your voice commands to perform
research and determine whether it needs to make improvements to the features. [38]
Fitness gyms are using fingerprint readers in lieu of ID cards for access. Personal digital
assistants, such as Apple’s Siri, capture your voice. Iris scanners are used by government
agencies and the military for identification. Computers, laptops, tablets, smartphones, and
smart TVs all have video cameras and microphones. Because they are controlled by
software, there is potential for misuse: operating the camera or microphone to eavesdrop
on users.
IT has a responsibility to those who work for businesses that handle digital identities,
and to the users who interact with companies that do. IT needs to use education to drive
awareness and empower users to make informed decisions about the risks to them.

Business Services
Concern yourself with how users interact with each other, the technology, and the data.
With this knowledge, you will have insight into how it all fits together into services. Map
these services to the underlying technology infrastructure, and you will understand the
nature of the business service as an organizational asset that requires protection.
Factory floor automation, hotel reservations, parts ordering, customer info lookup – most
business processes run on top of the technology infrastructure. Cyber-attacks, directly
and indirectly, can disrupt business operations. For some, downtime can cost millions per
second, to say nothing of customers who go to competitors and reputation damage for
services that can’t be rendered. IT needs to map the intersection of technology and
business process. We want to ensure the resources needed to maximize uptime and
availability of services are communicated and tied to business metrics. Gaps should be
tightly coupled with budget requests. Especially where technical constraints and
limitations exist, we need to document the business's choice of workarounds and the
implications of the mitigation choice.

For example, industrial control systems allow more control and monitoring in the utilities
industries, enabling automation of remote and distant control systems that it is not
financially practical to staff with people. This automation helps control facility costs and
opens up additional data and integration points on the OT side. Security in this context is
an enabler.
Digital Assets
Assets in digital format are the backbone of the modern economy. A digital asset has
value both in its use in business operations and in the sensitivity of the information
itself. Value it just like the paper money in the safe.

IT should build out asset matrices to map our digital assets.
▪ Unstructured data: files (places to store, governance, protection)
○ Word documents (legal documents, plans, strategy)
○ PDF documents
○ Excel documents (financial reporting)
○ PowerPoint documents
○ AutoCAD drawings
▪ Unstructured data: emails (user access & account control, legal implications)
▪ Structured data: databases (user access & account control, governance, protection)
○ Credit card data
○ Health e-records
○ Application data
Stakeholders are the ones with liability when something goes wrong. When IT educates
them on opportunities and risks, they are in a position to more clearly define asset types
and value. How they define assets informs how IT approaches risk mitigation. Working
alongside stakeholders, IT can get a handle on the organization’s asset portfolio. This can
include identifying data types, locations, privacy, access rights, and ownership. Other
responsible courses of action include developing a protection strategy covering
availability, confidentiality, and integrity, asset types, format types, access methodology,
maintenance regimens, and location.
For example, an attacker has just successfully run CryptoLocker ransomware, which uses
encryption to hold a user’s data files hostage and demands money in exchange for the
private key needed to regain access to the files. It is scanning for network shares and
encrypting the files on them. This particular user happened to have excessive share
permissions, and unfortunately for you appears to have had access to all the files across
all departments in the company. What is the impact to your organization if every
department’s shares become inaccessible? Faced with the prospect of having to pay an
extortionist, the business asks IT what it should do. Do your recovery point objective and
recovery time objective take such a threat into account? How IT answers this question
will help determine the impact of the loss.
Unstructured Data: Files
In a digital world, data is supreme. Do you know where your data is? Do you know who owns the data that is created? When a user transfers to a different division or leaves the company, are you governing the rights to that data? Unstructured data is problematic in many organizations, with location, ownership, accounting, and security unknown. Many organizations have the problem of files whose owner is a security identifier (SID) that includes 500 or a UID of 0.
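One way to find the ungoverned files this paragraph describes, as an added example that is not from the book: walk a file inventory and flag files owned by root (UID 0) or by the built-in Administrator SID (the well-known RID 500), and files whose owner no longer exists in the account directory. The paths, owner identifiers and user directory below are constructed sample data; scan_tree() and local_users() show how to build the same inputs from a real POSIX host.

```python
"""Find unstructured-data files whose ownership can no longer be governed.

Added example, not from the book. Owner identifiers, paths and the user
directory below are constructed sample data; scan_tree() shows how to build
the same records from a real directory on a POSIX host.
"""
import os
from collections import Counter, defaultdict

try:
    import pwd  # POSIX account database; absent on Windows
except ImportError:  # pragma: no cover
    pwd = None

# Constructed file inventory: (path, owner identifier, size in bytes).
# Owner identifiers are either a numeric POSIX uid as text or a Windows SID.
SAMPLE_RECORDS = [
    ("/shares/finance/q3-forecast.xlsx", "1001", 240_000),
    ("/shares/finance/budget-2016.xlsx", "1002", 180_000),
    ("/shares/legal/msa-template.docx", "S-1-5-21-1111-2222-3333-1105", 95_000),
    ("/shares/legal/old-contracts.zip", "S-1-5-21-1111-2222-3333-500", 12_000_000),
    ("/shares/eng/plant-layout.dwg", "1047", 30_000_000),
    ("/shares/eng/notes.txt", "0", 4_000),
]

# Constructed directory of current accounts: owner identifier -> username.
KNOWN_USERS = {
    "1001": "alice",
    "1002": "bob",
    "S-1-5-21-1111-2222-3333-1105": "carol",
}


def classify_owner(owner, known_users):
    """Return 'privileged', 'orphaned' or 'owned' for one owner identifier.

    uid 0 (root) and a SID ending in the well-known RID 500 (the built-in
    Administrator account) mean no business user owns the data; an identifier
    absent from the account directory means the account left or was deleted.
    """
    if owner == "0" or owner.endswith("-500"):
        return "privileged"
    if owner not in known_users:
        return "orphaned"
    return "owned"


def governance_report(records, known_users):
    """Summarise how much data sits under each ownership class and share."""
    by_class = Counter()
    ungoverned_bytes = 0
    by_share = defaultdict(Counter)
    flagged = []
    for path, owner, size in records:
        cls = classify_owner(owner, known_users)
        by_class[cls] += 1
        # Share name is the first component under /shares/ (assumed layout).
        share = path.split("/")[2] if path.startswith("/shares/") else path
        by_share[share][cls] += 1
        if cls != "owned":
            ungoverned_bytes += size
            flagged.append((path, owner, cls))
    return {
        "by_class": dict(by_class),
        "ungoverned_bytes": ungoverned_bytes,
        "by_share": {s: dict(c) for s, c in by_share.items()},
        "flagged": sorted(flagged),
    }


def scan_tree(root):
    """Yield (path, uid-as-text, size) for every file under root (POSIX only)."""
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable: skip rather than abort the scan
            yield path, str(st.st_uid), st.st_size


def local_users():
    """Owner directory for a POSIX host, in the shape governance_report expects."""
    if pwd is None:
        return {}
    return {str(p.pw_uid): p.pw_name for p in pwd.getpwall()}


if __name__ == "__main__":
    report = governance_report(SAMPLE_RECORDS, KNOWN_USERS)
    for path, owner, cls in report["flagged"]:
        print(f"{cls:10} {owner:32} {path}")
    print("ungoverned bytes:", report["ungoverned_bytes"])
```

On a real share the pair `governance_report(scan_tree("/shares"), local_users())` produces the same report; the per-share breakdown is what lets IT take a specific list of orphaned and administrator-owned files to the stakeholder who owns that department rather than a vague "our ownership is a mess".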
When a request comes in for more storage, the question assumes that the available capacity has been consumed by business-relevant data that needs to be retained. Modern storage technologies optimize the use of space through deduplication, compression, and single-instance storage. Space that once was wasted is now available. As the cost of on-premise storage systems continues to drop, cloud-based options are also available for the right types of data, depending on your performance, governance, and security considerations.
This inevitably leads to a breakdown of data governance. Common data governance problems include a lack of visibility into the entire scope of data created by business users, the leakage of confidential information to third parties with unclear legal ramifications for recovery, and the inefficiency caused by users having to go out and search for relevant data in their everyday work.
IT has an opportunity to help users spend less time looking for things. A common time waster for users is spending valuable time looking for data or recreating information that already exists. We need to find ways to incorporate more unstructured data into structured systems, create searchable document portals, and give multiple views from multiple devices into the same protected storage system. In short, create a clear, organizationally preferred way to handle unstructured data. Such problems arise when a user’s role is unclear and they are guessing at the best way to handle files.
Attempts to corral this problem, where SharePoint portals are used to centralize and secure data for users, often prove futile. A strong signal of user dissatisfaction with internal options is the detection of cloud-based storage options in use. A year’s worth of work all stored in Google’s cloud opens up interesting questions about ownership of intellectual property. The terms of service of such services often require a checkbox to be selected to set up the initial account. Closer inspection often reveals quite a large latitude in the cloud provider’s legal rights over all material created and stored on its servers. The question now becomes who actually owns intellectual property stored in digital format: the company, the user, or Google. And perhaps one day a government agency comes knocking at Google’s door to take a look at the files of a user of interest, who happens to be one of your employees.
Could critical and sensitive information be exposed to government entities? I’m not sure boards of directors are quite sure of such implications. This is quite different from having a government entity come to the front door of an organization with a subpoena looking to access information on the company’s own servers; here the risk is data being exposed in the background of a third-party system, potentially unknown to you.

Such are the complications and risks when the systems IT implements are not being used. In a situation where the file storage service was not ready in time, or not usable enough, it could be a failure by IT to improve the service, to market its solution to end users, or to effectively communicate the true risks to stakeholders so that they address the issue. IT should not take on excessive rights for itself. Role delineation and separation of duties are key. Digital rights management and file auditing offer opportunities to assist with this challenge.
Unstructured Data: Email
The number one collaboration tool and platform is electronic mail, popularly known as email. From requests to questions to corporate strategy, email is the primary means of communication in most organizations. Email attachments are the most common means of transmitting PowerPoint documents, spreadsheets, reports, agendas, and technical detail.

In a digital world, unstructured data in the form of standalone files is just one aspect of digital data. The same challenges and risks just discussed for file shares also apply to email. Email is the unofficial dumping ground of all business operations. It often does double duty for instant messaging, status checks, bulletin board material, and ad hoc file storage, serving as the all-around Swiss Army knife of collaboration in today’s digital world. Stored inside email servers may be very sensitive information about the company, personally identifiable information, critical and sensitive information about customers and competitors, and very personal information about the users themselves. As with files, business users will often also be using multiple email systems: the official business email account, and one or potentially several third-party cloud services such as Hotmail or Google Gmail. The line between business and personal often gets blurred depending on how mobile devices are configured. Intermingling business and personal data is challenging for the overall effectiveness of data governance.
Could millions of dollars of security controls be wasted on poorly designed risk mitigation strategies? One of the primary causes of a poorly designed risk mitigation framework is a lack of understanding of the threat landscape, of the nature of how users actually work, and of the technical systems that run the business and underpin our digital world. If you knew ahead of time that your strategies and technical controls would not work, and that they were not serving any compliance purpose, could that money be more efficiently used for something else? There is no purpose in wasting a finite resource: money.
If stakeholders are operating under false assumptions about how the digital world works, it is incumbent on IT to bridge the gap and increase their level of understanding. Every dollar wasted on a control that has no chance of succeeding without stakeholder involvement and support is one less dollar available to help the business win, one less dollar to help IT do what it needs to do, and ultimately one dollar less that could potentially go to your salary.
Data Protection
With today’s explosion in data volume, data protection strategy has been disrupted. Backup to tape, now referred to as legacy, is considered insufficient as a protection strategy. The first problem is time: the maintenance window for backup to tape is no longer sufficient to cover the volume of data to be protected. With newer storage technologies around storage area networks, data replication, and snapshot-like technology, new strategies are being developed to protect digital assets. Integration into the application stack allows snapshot-like technology to protect critical applications at the application level, making recovery realistic enough to meet an organization’s recovery point objectives and recovery time objectives. In addition, today’s data protection strategy must account for the risk factors introduced by cyber attackers’ use of encryption to attempt extortion from organizations. The ability of today’s data protection replication technologies to use DVR-like features to roll files back to previous versions at a particular point in time has become an invaluable mitigation resource. The ability of IT to report back to the business that we were able to recover unencrypted files from a snapshot taken two hours ago will limit the loss of work and potentially allow the business to forgo any consideration of paying the ransom.
A strategy that tiers the level of protection for different types of data gives IT the flexibility to take an agile approach to protecting data. With a combination of strong user authentication, information rights management, encryption, and data loss prevention, including user behavior analytics, combined with ease of user access and good access performance, IT can provide the foundation for minimizing organizational risk.
Prescription
It is time for some housecleaning: time to get our hands around data governance with stakeholder support. We must know our data: where it lives, who owns it, who should have access, how to monitor it for operations and security, and its business value. If we cannot answer these questions and feel assured that IT, the business users, and the stakeholders are all in alignment on them, it is time for us to close this gap and get on the same page. It is time for spring cleaning. Unless users are trained and educated on file maintenance, it will never be done.

Defendable Architecture
Defendable architecture is architecture that can be protected: architecture that aids, assists, and encourages mitigation of risk from cyber-attacks. It does this by making it difficult for all components of the attack chain to succeed over time without defenders detecting and countering them. Defendable architecture reduces the impact of the attacker’s actions, limits the impact of a vulnerability, and decreases the probability of business loss or an unwanted outcome.

There are some common risk factors widely seen in successful breaches. These factors are exploited by threat actors in the most talked-about breaches. The last few years have seen advances in technology that give IT more ways to approach some of the challenges that have hampered our efforts to address these gaps. We have also seen changes in how we think about defense strategies. I believe in the end there are some things we all just need to get better at doing.
Time after time, if you read the details of cyber breaches, you realize that the exact initial point of compromise is often not known. Because of gaps in determining the entire nature of the attack, and often because of potential legal liabilities, not all that is known about the attack is shared with the larger community. We are often left with statements about the sophisticated nature of the attack, suggesting helplessness on the part of the defenders. After breaches occur, some businesses use that as cover for something that was preventable or could have been minimized. As we know, the attacker will take the path of least resistance, so it makes no practical sense for an attacker to use the latest zero-day exploit when the front door is wide open.
The factors that make up the cyber risk the business is exposed to are often a function of business processes, which emphasize speed, efficiency, cost control, and profits. Security controls that inhibit the business from doing its job of making money often result in recommended controls being ignored or bypassed. Here, IT must heed the call of business priorities, realize that we must employ more sophisticated security controls, and focus on the critical path of attack success. Success in your security program is a function of success in your enterprise risk management program. The manifestations of success can include larger IT budgets, larger head count, and more buy-in from management on needed process changes.
We must take advantage of the design of our infrastructure, the lifecycle management of hosts, and visibility to gain the situational awareness that feeds continuous improvement in defenses while maintaining business operations.
Let’s start with a framework that helps our mitigation efforts.

A control framework that works

A framework provides the basic structure of how an organization’s infrastructure is designed, and of how users, services, applications, and data interconnect and interact with one another in a systemic way.

When IT thinks about this framework, it should focus on business-defined assets. Our thinking should be asset-centric, with concern for how users interact with technology. This framework should enable, encourage, and assist identification, prevention, recovery, and response against a wide range of threat actors and methods. The focus should be on business risk. We must watch out for actions that are technically cool but have no actual impact on reducing risk. If we want users to “take off their shoes” before logging in, we want to make sure we are actually gaining some security and not just slowing the business down.
IT has suffered over the years from budget constraints and component isolation. The effect has been design by cost. Components that don’t talk with each other, undersized solutions, single points of failure, expensive feature activations, complicated maintenance contracts, and fragmentation are the result, producing a management nightmare.
The budget constraint challenge has to be attacked with a vision and a strategy rollout aligned with business initiatives and scheduled out in phases. The individual components are configured a certain way on purpose. Good architecture makes it easy to make changes, watch user and device activity, enforce service assurances, and isolate the spread of malicious endpoints. Our design should limit what our security and operations staff have to watch and respond to. The greatest gift we can give them is to limit the noise and limit the impact of a breach.

IT can really shine by finally documenting how our infrastructure is structured and why it is that way. This includes assumptions and workarounds, and our expectations for performance and maintenance.
And to the business’s response that a security product is too expensive, we should respond with a business case presenting our security vision and strategy. We have to get out of the business of product pushing.
We must know what mitigation options are available. Perhaps we only need to cover a subset of critical systems. Rethink how you try out new services, products, and software. Vendors are responding to market disruption and altering how they sell their offerings. There are more choices and more ways to consume from them. Also, try rolling out a new product to systems over shorter periods of time and running tighter evaluation testing. Or perhaps there are compensating controls that can cover control gaps. Maybe only a subset of systems needs to be covered: for example, point-of-sale systems and the devices of the executive team, HR, and legal. Map out who would best be helped by it. Proxy the Internet connections of internal users like customer support reps if you want to try out that new sandboxing technique. Try some willing road warriors on that new secure app via a mobile application security suite.

IT must learn to love and embrace platforms, not individual products. Platforms allow us to plug in other solutions, leveraging what is already there. We need to stop overbuying, duplicating functionality, and making work for ourselves. Simplicity, transparency, visibility, and recoverability are the key words.
Resiliency means that we can sustain degradation of a service and continue to serve business requests; we can swap out an endpoint in minutes and get the user back up on another system; we can access data replicated to another location should the primary site become unavailable; we can restore files encrypted by CryptoLocker. Unleash your own version of Netflix’s famous Chaos Monkey tool.

Flex your deployment muscles by trying to deploy a new agent on 10,000 endpoints, gathering relevant data, capturing end-user input, evaluating, and making a decision within a month’s time. Stop being constrained by technology that is no longer relevant, contracts that have outlived their usefulness, and solution partners who deploy tech that requires rework after they put it in.
Access: Know Access Connectivity (Context)
You are who the username and password say you are. Impersonation in the digital world is as dangerous as it is in the physical. Cyber criminals are using compromised credentials to log into systems as us. They are also using compromised personal information for identity theft and fraud. This is the problem with single-factor authentication. We also need to ensure that the level of access to services, applications, and network resources matches the user’s role and proper context.

Identity and Access Management

For users to do their work, they require access to networks, data, services, and applications. The context of access includes who the user is, their role in the organization, the endpoint they are connecting from, the time of the request, the location of the request, the means, and the business reason.
We need to ensure that we match roles to actual rights. Excessive rights tend to expose larger attack surfaces. From the day the user is hired to the day they leave the organization, our ability to manage differentiated access over the lifetime of the user will be critical to assuring that controls are adequate. From the viewpoint of the user, getting their work done often requires access to many applications. For some enterprises, this could number in the hundreds. The signals that your system is not user-friendly enough are the number of account lockouts, wrong passwords entered, the simplicity of the passwords chosen, the use of sticky notes, and the reuse of the same passwords. We have an opportunity to simplify with stronger authentication and additional identity factors in conjunction with federated identity management. Shift the complexity to the back end, to us, and get the user out of the business of managing passwords and obtaining access so they can focus on the work that helps the business succeed.

Privileged account management is useful in decreasing the attack surface by limiting the time that accounts have access to systems. This includes tagging and monitoring trust relationships for correct context. Even legitimate user access from a legitimate system at a legitimate time needs to be watched for unseen indicators of leakage or persistence. User account rights for administrative purposes should only be set up when actually needed. Develop processes around auditing service accounts and monitoring for privilege abuse.
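The decision the two preceding sections describe, as an added example that is not from the book: match the requested right to the role, require a time-boxed grant for administrative rights instead of standing admin accounts, and let context (managed device, business hours, expected location) decide between plain allow and step-up authentication. The role names, rights, business-hours window and request fields are assumptions chosen for illustration.

```python
"""Context-aware access decisions: role-to-rights, device, time, location,
and time-boxed administrative rights.

Added example, not from the book. The role names, rights, business-hours
window and request fields are assumptions chosen for illustration.
"""
from datetime import datetime, timedelta

# Assumed role -> standing rights. Administrative rights are deliberately
# absent: they are granted just in time (see grant_admin) and expire.
ROLE_RIGHTS = {
    "support": {"crm:read", "ticketing:write"},
    "finance": {"crm:read", "ledger:read", "ledger:write"},
    "sysadmin": {"crm:read", "monitoring:read"},
}
ADMIN_RIGHTS = {"server:admin", "db:admin"}
BUSINESS_HOURS = range(7, 20)  # assumed 07:00-19:59 local time


def grant_admin(user, right, now, minutes=60):
    """Issue a time-boxed administrative grant (the 'only when needed' step)."""
    if right not in ADMIN_RIGHTS:
        raise ValueError(f"{right} is not an administrative right")
    return {"user": user, "right": right, "expires": now + timedelta(minutes=minutes)}


def evaluate_access(request, grants, now, role_rights=ROLE_RIGHTS):
    """Return (decision, reason); decision is 'allow', 'step_up' or 'deny'.

    request keys: user, role, right, device_managed, country, home_country.
    grants: list of dicts produced by grant_admin().
    """
    user, role, right = request["user"], request["role"], request["right"]

    # 1. Match the role to actual rights; admin rights need an unexpired grant.
    if right in ADMIN_RIGHTS:
        active = [g for g in grants
                  if g["user"] == user and g["right"] == right and g["expires"] > now]
        if not active:
            return "deny", f"no active time-boxed grant for {right}"
    elif right not in role_rights.get(role, set()):
        return "deny", f"{right} is outside the rights of role {role}"

    # 2. The account is entitled; now check the context of the request.
    #    Unusual context does not deny a legitimate user, it raises the bar
    #    (step-up authentication) before access is granted.
    flags = []
    if not request.get("device_managed", False):
        flags.append("unmanaged device")
    if now.hour not in BUSINESS_HOURS:
        flags.append("outside business hours")
    if request.get("country") != request.get("home_country"):
        flags.append("request from unusual location")
    if flags:
        return "step_up", "; ".join(flags)
    return "allow", "role, device, time and location match expected context"


def demo():
    """Walk the decision table over constructed requests; returns the decisions."""
    now = datetime(2016, 3, 8, 10, 30)
    base = {"device_managed": True, "country": "US", "home_country": "US"}
    grants = [grant_admin("dana", "server:admin", now, minutes=30)]
    cases = [
        {**base, "user": "alice", "role": "support", "right": "crm:read"},      # allow
        {**base, "user": "alice", "role": "support", "right": "ledger:write"},  # deny
        {**base, "user": "dana", "role": "sysadmin", "right": "server:admin"},  # allow (grant)
        {**base, "user": "erin", "role": "sysadmin", "right": "server:admin"},  # deny (no grant)
        {**base, "user": "bob", "role": "finance", "right": "ledger:read",
         "device_managed": False},                                             # step_up
    ]
    return [evaluate_access(c, grants, now) for c in cases]


if __name__ == "__main__":
    for decision, reason in demo():
        print(f"{decision:8} {reason}")
```

The ordering matters: entitlement is checked before context, so an account that never had the right is denied outright and never reaches the step-up path, while an entitled account arriving from an unmanaged device or at 3 a.m. is challenged rather than silently allowed or silently blocked. Expiring grants are what turn standing administrator accounts into something an attacker with a stolen credential cannot count on.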
Positive Lateral Movement
Once initially compromised, can this host pivot to critical areas of your network? In far too many environments, the answer is yes. We know that the TTPs often used by attackers leverage lateral movement to find their way to the target. Past attempts by the industry and customers to effectively segment their networks have proven too burdensome and challenging in practice. Advancements in today’s networking and security technology, coupled with tighter integration between vendors, mean that it is now possible to create a dynamic, differentiated, secure access control system, one that scales to cover wired, wireless, and remote access; supports multi-factor user authentication, including 2FA; and uses device profiling to identify the source of the node attempting to connect, in order to define and apply specific, context-based access to authorized resources. Segmentation limits lateral movement and makes unauthorized access easier to detect.
Continuous monitoring of context-based access enables pattern detection and adaptation of control configuration, using anomaly detection, baselining, and machine learning. The scope includes the core, the datacenter, enterprise edges, remote and branch offices, and endpoint visibility.

Things: Know what you have (Inventory)

When you know about a thing, you can account for it in your defense strategy. Controls are applied to known entities, components, and systems. Are we not sure what we have, where it is physically located, or whether it is corporate owned? Who uses it, and what is its actual use? Audit actual use, get rid of little-used resources, continually look for ways to kill legacy systems or get to more attractive migration price points, and audit for legal software. Ask yourself what your users are trading for all that free stuff and convenience. If you don’t know about a system, then you can’t apply controls to it or keep it up to date.
Code: Secure Software Supply Chain
Software code runs the world; know what code you have, where it comes from, and watch over it to make sure it is legitimate.
IT must have pervasive visibility into all software in use in our organization so we can govern it to reduce risks to the organization.

Where software is sourced from, how it is installed and updated, how to audit it to prevent illegal and rogue apps, how to stop malware from being installed, maintenance consistency, and license rationing (and the effects of cloud) are all important for IT to know about. We can’t govern what we don’t know about. We should be committed to patching software for the systems that we manage. This includes operating systems, firmware, appliances, IoT devices, commercial off-the-shelf (COTS) software, in-house development, and third-party developed software.
A digital software supply chain exists where most code is assembled from multiple developers and sources. If we are going to entrust our cars, elevators, and IV pumps to software, then we should demand accountability, transparency, and agility in the supply chain.
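A minimal way to act on "know what code you have, where it comes from, and watch over it", covering both the patching paragraph and the supply chain paragraph above, as an added example that is not from the book: keep a manifest of approved components with their source and SHA-256 digest, then audit a host against it to find modified, missing and unapproved software. The paths, vendor descriptions and file contents are constructed; the digests are computed from that constructed content so the script runs offline.

```python
"""Verify a software inventory against an approved manifest of sources and digests.

Added example, not from the book. The file paths, vendor names and file
contents are constructed; the digests are computed from that constructed
content so the script runs offline.
"""
import hashlib


def sha256_hex(data):
    """Digest of in-memory bytes."""
    return hashlib.sha256(data).hexdigest()


def hash_file(path, chunk_size=1 << 20):
    """Streaming digest for real files, so large installers are not read at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(golden):
    """golden: path -> (source description, approved bytes). Returns the manifest."""
    return {path: {"source": source, "sha256": sha256_hex(content)}
            for path, (source, content) in golden.items()}


def audit_inventory(manifest, observed):
    """Compare what is installed (path -> bytes) with what was approved.

    verified: installed and digest matches what the approved source shipped
    modified: installed but content differs from the approved release
    missing:  approved but not installed (patch never deployed, or removed)
    unknown:  installed but never approved (rogue or unlicensed software)
    """
    report = {"verified": [], "modified": [], "missing": [], "unknown": []}
    for path, entry in manifest.items():
        if path not in observed:
            report["missing"].append(path)
        elif sha256_hex(observed[path]) != entry["sha256"]:
            report["modified"].append(path)
        else:
            report["verified"].append(path)
    report["unknown"] = [p for p in observed if p not in manifest]
    for bucket in report.values():
        bucket.sort()
    return report


# Constructed approved inventory: where each component came from and its bytes.
GOLDEN = {
    "/opt/agent/bin/agent": ("vendor-a signed release 1.2", b"agent 1.2 constructed bytes"),
    "/opt/erp/lib/report.jar": ("in-house build #4421", b"report module constructed bytes"),
    "/usr/local/bin/backup": ("COTS backup suite 7.1", b"backup tool constructed bytes"),
}
APPROVED_MANIFEST = build_manifest(GOLDEN)

# Constructed observation of one host: one intact, one altered, one absent, one extra.
OBSERVED_HOST = {
    "/opt/agent/bin/agent": b"agent 1.2 constructed bytes",
    "/opt/erp/lib/report.jar": b"report module constructed bytes TAMPERED",
    "/usr/local/bin/helper": b"unapproved utility constructed bytes",
}


def audit_host():
    """Audit the constructed host against the approved manifest."""
    return audit_inventory(APPROVED_MANIFEST, OBSERVED_HOST)


if __name__ == "__main__":
    for bucket, paths in audit_host().items():
        for p in paths:
            src = APPROVED_MANIFEST.get(p, {}).get("source", "not in manifest")
            print(f"{bucket:9} {p:28} {src}")
```

On a real host, `{p: hash_file(p) for p in paths}` replaces OBSERVED_HOST and `audit_inventory` compares digests directly. The manifest is only as trustworthy as the process that writes it, which is why the source column records where each digest came from: the audit answers "has what I approved changed?", and the source record answers "what did I approve, and from whom?".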
There is hope in using some of the principles of Lean, Agile, and DevOps to assist in mitigating cyber security risks. This means continuous delivery capability, automated tests, and a service catalog providing repeatable builds for developers.
The benefits include faster code delivery, higher code quality, more frequent releases, integrated processes such as ITIL treating automated changes as not requiring the approval that manual processes do, easier insertion of security testing, and a safer environment in which to introduce changes without breaking functionality. In the software development lifecycle, there is an opportunity to more closely integrate InfoSec principles, mitigation steps, and code review into the DevOps process. Some are calling this DevOpsSec, where InfoSec meets the DevOps movement, with its commonalities and adjacencies.
Consider the supply chain attack, where one of your vendors is breached for the sole purpose of abusing trust relationships. For example, in what was viewed as a precursor to attacking upstream targets, the vendor RSA was targeted for its proprietary algorithms, which could potentially have been leveraged against some of its authentication token customers.
“In that case, the attackers weren’t doing it for gain at RSA as far as anyone’s been able
to tell, but there were reported attacks shortly after that against defense contractors that
had characteristics of someone exploiting what was probably taken from RSA,”
said Eugene Spafford, professor of computer science at Purdue University. “Those defense
contractors were the real targets, but they were using a very strong security tool – RSA’s
tokens. So, if you’re an attacker and faced with a strong defense, you can try to break
straight through, or find ways around that defense...” In that sense, Spafford said, the
Bit9 and RSA attacks can be thought of as “supply chain” hacks. “Supply chain doesn’t
necessarily mean the sale of finite items, but it’s all along the chain of where things might
find their way into your enterprise that can be contaminated, and I suspect we’ll continue
to see more of these types of attacks,” Spafford said. [39]
Active Threat Defense

At this very moment, hackers throughout the world are scanning networks and looking for victims. Companies that are prepared can handle these as routine incidents, rather than an inevitable series of high-profile crisis events. Preparation is the most significant aspect of lowering business risk, as told by Shawn Henry, President of CrowdStrike Services, Inc.

Traditional information security has employed static controls, architecture, and posture. How a system connected to the network was defended rarely changed. Access control lists at the edge and in the interior changed infrequently, and any changes were performed manually. The scope defined in those ACLs was often not specific. There was no context for the endpoint communicating on the network. Attempts at network access control were fraught with operational difficulties and not widely implemented. Only after a host was found to be infected was remediation enacted. In addition, the behavior of the users of those systems was not known. Where or how they were connecting, to which type of application, and at what times and for what durations were not taken into consideration for the access request. Today’s infrastructures require agility, dynamism, and context awareness to adapt to the environment and its current state.
A matter of risk
This is about impact to stakeholders and the likelihood that bad things will occur. Think and act on it in the same terms that business people do.
The primary objective is mitigating business risk. In concert with the business, IT should operate mitigation strategies in line with the agreed-upon identification, categorization, and prioritization of business assets, priorities, and operations. That is the guiding principle when actively defending the organization. This will include upstream and downstream partners, industry competitors, and your customers. You need pre-defined scenarios that are relevant to your organization, inside your particular industry, and within your current culture and setup.
Once the scope of business interests is defined, relevant threats are monitored, and the organization’s appetite for risk is agreed upon, IT can confidently and actively pursue activities to accomplish its mitigation goals. Now let’s look at three key areas that will allow us to do our job: threat modeling, an early warning system, and threat hunting.
What is your Risk Appetite and Tolerance?
When a security control cannot be applied because of its business context, IT must identify the business risk factors. Does this sound familiar: our system was too old to upgrade to a newer model that supported encryption, the vendor won’t allow us to patch it or the support contract will be broken, or this particular version doesn’t support third-party RADIUS?
Model your Threats
Models are used to assist decision makers and IT responders in making higher-quality business decisions to contain the threat and mitigate the business risk.

We need a way to visualize the threat actors, their tactics, techniques, procedures, and motives, and their interaction with our unique organization in order to inform our security posture, strategies, and operational guidelines.

Intelligence collection, analysis, and multi-directional sharing are key to informing our threat models. They keep IT up to date and aware of the current threats relevant to our organizations. A combination of third-party threat intelligence, increasing governmental intel, and our InfoSec team’s resources feeds the variable of credible threats that we map against our current defense controls (administrative, physical, and technical) for our business assets. To assist in understanding the threat potential, we can model the threats relevant to your environment.

We need multi-directional threat intelligence, collaborating with partners and customers both upstream and downstream. We should be subscribing to a number of intelligence feeds, bringing that data in and quickly making a verdict on its applicability to our environment. We should also be monitoring our network to see whether any of the observed indicators of compromise are present in our systems. Our personnel should join local and national ISACs. We should actively partner and collaborate with those in our industry. We should also be willing to share intel we receive that can help those in our business ecosystem. Finally, we should be familiar with the federal groups that assist.
Cyber Threat Early Warning System
“In an intrusion case, spotting the difference between abnormal and normal is often the difference between success and failure. Your mission is to quickly identify suspicious artifacts in order to verify potential intrusions.” (SANS [40])

Early warning is a major element of business risk reduction. Let’s discuss some terminology. A change is making the form, nature, content, future course, etc., of something different from what it is. The challenge in recognizing change is detecting relevant signals from your organization in the ocean of data. Second, when something deviates from what is standard, normal, or expected, we call that an anomaly, and anomalies are inherent in change. Third, when something, especially a trend or fact, indicates the state or level of something else, we have an indicator. Lastly, something left behind after an intrusion event has occurred, like a file or process, is an artifact. Changes are signaled by anomalies, indicators, or artifacts.
The National Weather Service, headquartered in Silver Spring, Maryland, is a part of the
National Oceanic and Atmospheric Administration (NOAA) branch of the Department of
Commerce. Its primary objective is to provide weather forecasts, weather warnings, and
other weather-related products to the public. The goal is to assist in providing protection,
general information, and safety. This includes both life and property. [41]
NOAA and the National Weather Service provide an early warning system for upcoming weather storms, including potential impacts, areas affected, and recommendations. We need something similar in our situation: a cyber early warning system that allows us to re-evaluate, prepare, and make the necessary preparations. First, we need to identify and use indicators so that we can recognize changes and anomalies that point to potential issues. Second, we need to know what active threats out there could impact our environment. As in the case of an impending storm, we need to watch out for fast-moving threats that are attacking industries similar to ours, systems similar to ours, and those that are effective against defenses like ours.
A cyber warning system needs the ability to run automatically in near real time. Required features include scalability, minimization of false positives, the ability to learn or recognize repeating patterns, and knowing to discount periodic spikes. Challenges involving the amount of human effort needed to accomplish this are ongoing, because such an early warning system is not easy to operationalize manually.
Anomalies can take the form of unusual behavior like rogue processes, unknown services,
code injection and rootkit behavior, unusual OS artifacts, suspicious network activity, and
evidence of persistence (e.g., artifacts). Here are some general categories of anomalies
of interest:
1. Deviations in counts, values, frequency over time
2. Rare events
3. Peer/population outliers (unusual vs. peers)
It is not enough to use basic statistics, such as the Gaussian normal distribution, deviations, and standard deviation, to analyze our data. Our IT data does not fit a standard bell curve. Instead, we need something more sophisticated: probabilistic modeling and analysis. We can use machine learning to fit the right statistical model to our data in our specific environment, and in that way machine learning aids the analyst. Unsupervised machine learning models can be used to find anomalies in massive data sets. Supervised models require us to know the structure of the problem and feed the model existing data: they must be trained on known data, while unsupervised models need not be.
Such an approach results in fewer false alarms. Basically, we take our raw data, both historical and real time, and map it into detectors that produce anomaly alerts. We want to change how we operationalize the information, for example with an anomaly dashboard. Then we fold the results into our workflow for investigation.
Use cases for this approach are many:
1. Detect unauthorized login activity
a. Unusual number of login attempts (brute force attack activity)
b. Anomalous login times or geographies
c. Rare accounts accessing systems
2. Identify data exfiltration
a. Anomalies in byte-ratio behavior
b. Rare destination IP/geographies
c. Pervasive access of rare content categories (gambling, etc.)
d. Unusual lengths of DNS requests
3. Find compromised endpoints
a. Rare outbound connection attempts
b. Unusual rates of port/IP scanning
c. Rare destination/port access
d. Rarely occurring event codes
e. Unusual rates of security events (event storms)
4. Detect snoopers and scrapers
a. Excessive requests to rare URLs
b. Clients generating rare status codes for URLs
c. Unusual data volume by client
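As an added illustration of the three anomaly categories and the use cases above (this is not code from the book), the Python below implements one detector per category over constructed telemetry: a robust z-score on failed-login counts per hour (category 1, the brute-force use case), a rare-value check of the current window's destination IPs against history (category 2, rare destinations), and a peer comparison of outbound/inbound byte ratios across workstations (category 3, the byte-ratio exfiltration use case). All function names, thresholds and sample values are my assumptions; the log data is made up.

```python
"""Anomaly detectors for the three categories above, over constructed logs.

Added example, not from the book. Uses robust statistics (median and
median absolute deviation, MAD) instead of mean/standard deviation because
security telemetry is heavy-tailed: a single spike would inflate the
standard deviation and thereby hide itself.
"""
from collections import Counter
from statistics import median


def robust_zscores(values):
    """Map {key: number} -> {key: modified z-score}.

    z = 0.6745 * (x - median) / MAD, scaled so z is comparable to a normal
    z-score when the data happen to be Gaussian. If MAD is 0 (most values
    identical) fall back to 1.2533 * mean absolute deviation; if that is
    also 0 every value equals the median and nothing is anomalous.
    """
    if not values:
        return {}
    med = median(values.values())
    devs = [abs(v - med) for v in values.values()]
    scale = median(devs)
    if scale == 0:
        scale = 1.2533 * (sum(devs) / len(devs))
    if scale == 0:
        return {k: 0.0 for k in values}
    return {k: 0.6745 * (v - med) / scale for k, v in values.items()}


def count_deviations(counts_by_bucket, threshold=3.5):
    """Category 1: buckets (e.g. hours) whose count is far above the norm."""
    z = robust_zscores(counts_by_bucket)
    return sorted(k for k, score in z.items() if score > threshold)


def rare_events(history, current, min_count=3):
    """Category 2: values in the current window seen < min_count times in history."""
    seen = Counter(history)
    return sorted({v for v in current if seen[v] < min_count})


def peer_outliers(metric_by_entity, threshold=3.5):
    """Category 3: entities whose metric is far from their peers (either direction)."""
    z = robust_zscores(metric_by_entity)
    return sorted(k for k, score in z.items() if abs(score) > threshold)


# ---- constructed sample telemetry (not real data) ----
# Failed logins per hour for one account; hour 12 shows a brute-force burst.
FAILED_LOGINS_BY_HOUR = dict(zip(
    range(24),
    [3, 1, 4, 2, 5, 1, 3, 6, 2, 4, 1, 2, 40, 3, 5, 2, 1, 4, 2, 6, 3, 1, 2, 4]))

# Destination IPs from 30 days of proxy history vs. the last hour (documentation ranges).
HISTORY_DST = ["203.0.113.10"] * 500 + ["203.0.113.20"] * 120 + ["198.51.100.7"] * 2
CURRENT_DST = ["203.0.113.10", "198.51.100.7", "192.0.2.99", "203.0.113.20"]

# Outbound/inbound byte ratio per workstation; ws-07 uploads far more than its peers.
BYTE_RATIO_BY_HOST = {
    "ws-01": 0.12, "ws-02": 0.09, "ws-03": 0.15, "ws-04": 0.11, "ws-05": 0.10,
    "ws-06": 0.13, "ws-07": 4.80, "ws-08": 0.08, "ws-09": 0.14, "ws-10": 0.12,
}


def run_detectors():
    """Fold all three detector outputs into one alert list for the investigation workflow."""
    alerts = []
    for hour in count_deviations(FAILED_LOGINS_BY_HOUR):
        alerts.append(("count_deviation",
                       f"hour {hour}: {FAILED_LOGINS_BY_HOUR[hour]} failed logins"))
    for ip in rare_events(HISTORY_DST, CURRENT_DST):
        alerts.append(("rare_event", f"rare destination {ip}"))
    for host in peer_outliers(BYTE_RATIO_BY_HOST):
        alerts.append(("peer_outlier", f"{host} byte ratio {BYTE_RATIO_BY_HOST[host]}"))
    return alerts


if __name__ == "__main__":
    for kind, detail in run_detectors():
        print(f"[{kind}] {detail}")
```

The 3.5 cutoff is the conventional threshold for modified z-scores; the MAD-zero fallback matters in practice because many security counters are zero or constant most of the time, and without it a single non-zero hour would divide by zero rather than be flagged. A real deployment would add the seasonality handling the text mentions (comparing each hour against the same hour on previous days) before discounting periodic spikes.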


See the invisible
Detection is not dead! Ever wonder whether something that is invisible to the naked eye and
odorless can be detected? Considering that it can be life threatening, we had better hope
so. It sure can; think about a carbon monoxide detector. So, are we helpless to detect
cyber-attacks? No. The attacker and their TTPs can be detected. Their entrance into our
environments always changes something. We have to be good enough to detect that
change.
Fast Response
The faster you can respond, contain, and recover, the faster you can give the C-suite help
in dealing with the fallout and containing the damage.
When the compromised asset is a laptop, a re-image is possible. When that resource is a
production server, then we are talking about a different response approach. A mission
critical system servicing customer requests is not so easy or practical to re-image. We
may have to resort to containing C&C traffic until other actions are possible.
Time is money, and the longer it takes to detect, the greater the chance of increased
damage and losses. The longer it takes to remediate, the more costly the cleanup. The
benefit of stopping more attacks upfront and quickly, and containing those that make it
through our initial defenses, is that we reduce the potential impact of destructive
payloads. We must remember that once a host is compromised, the ability to destroy is trivial.
Observe the gap in the breach report: compromising a host is not necessarily sufficient
for gaining access to data. The failure to limit lateral movement may be one of our
biggest failings.

IoT is not special. A phone system is not special. A SCADA system is not special. Core IT
with core control principles on converged systems addresses all the overlying systems.
The biggest impact IT can have is to help contain costs by minimizing potential data
leaks, service disruptions, and expenses on cleanups.
Response is not dead! We need to make recovery trivial. If we respond fast enough, then
there is no cost and we can minimize the impact to the business -- perhaps even low
enough to be handled by cyber insurance. So if it is not possible to prevent the entire
attack chain through to data exfiltration, can we recover fast enough to limit it to a technical
incident rather than a business one? Can we rebuild endpoints fast enough to limit lost
productivity for the users? Can we transform response with agile techniques to alter the
cost and impact equation? Our goal should be to master automatic response,
orchestration, and anticipation where we will need it the most.
Incident Response will want to know the answers to these common questions:
1. What is it?
2. Where is it?
3. What is it doing?
4. How bad is it?
5. Who is it?
To understand the underlying framework for the discussion, let's next look at the business
(disruption, innovation, lean) and technical (software, data, and convergence)
landscapes. Then we will discuss the cyber security challenges.
Go Hunting
You know what to look for, you know where to look; go out and find the threats to your
business now.

In our dynamic environment, things are constantly in motion: being created, moved,
changed, and deleted. We must actively search and test our environment similar to how
attackers would. We need to flip our time and effort distribution to over 80% in design
and testing, and 20% in applied time. We need to be able to scale our effort and time by
automating security checks on our apps, against our infrastructure, and against our
people.
One goal should be the active, dynamic, and proactive posture of an organization that
self-initiates action in anticipation of a dynamic threat environment, acting in
advance of negative business impacts. This means taking control and making things
happen rather than just adjusting to a situation or waiting for something to happen. Let's
take a look at indicators of attack and compromise, design and control weaknesses,
insider threats, threats against the executive suite, and data leakage.
The TTPs of threat actors are observable on the network and endpoints. It is possible for
IT to go looking for these signals. Indicators of attack give an early indication of potential
breaches, especially in an era where an attack does not require malware. We also need
some means to determine the scope and strength of the attack. Without some insight
into this, IT will have problems with resource allocation, personnel prioritization, and focus.
Is this a nuisance, an automated crime of opportunity, or is this directed by a competitor or a
nation-state? Active hunting helps with the process of attribution, informing the
probability of “who” is doing the attack. If this is an active campaign, we will deal with it
differently than a nuisance. For example, on the network, detecting traffic to known
command and control (C2) domains or IP addresses is an indicator.
With indicators of compromise, we are looking for changes, anomalies, and artifacts. The
presence of malware is the most obvious. A more sophisticated method is detecting
changes in the state of the endpoint that are not normal for your environment: deviations
from our baselines or snapshots, or startup registry entries on a Windows system that have
changed. These could be new or altered processes, files, hashes, or registry entries that can be
matched against known indicators of compromise.
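Here is an added example (not the book's own code) of the indicator-of-compromise hunt described in this section. It diffs a baseline snapshot of an endpoint (running processes, file hashes, autorun entries) against the current snapshot to surface anything new, removed or altered, and separately matches the current state and recent DNS queries against a list of known bad hashes, persistence names and C2 domains. The snapshot layout, function names and every hash, path and domain are placeholders I constructed; nothing here is a real indicator.

```python
"""Baseline-vs-current endpoint state diff plus known-IoC matching.

Added example, not from the book. The snapshots, hashes, autorun names and
domains are constructed placeholders standing in for what an inventory
script or EDR agent would collect; none of them are real indicators.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    kind: str       # "new", "removed", "altered" or "ioc_match"
    category: str   # part of the snapshot: processes, files, autoruns, dns
    key: str        # process name, file path, autorun value name or domain
    detail: str = ""


def diff_snapshot(baseline, current):
    """Report every key that appeared, disappeared or changed value between
    two snapshots of the form {category: {key: value}}. This catches changes
    in endpoint state even when no IoC for them is known yet."""
    findings = []
    for category in sorted(set(baseline) | set(current)):
        base, curr = baseline.get(category, {}), current.get(category, {})
        for key in sorted(set(base) | set(curr)):
            if key not in base:
                findings.append(Finding("new", category, key, curr[key]))
            elif key not in curr:
                findings.append(Finding("removed", category, key, base[key]))
            elif base[key] != curr[key]:
                findings.append(Finding("altered", category, key,
                                        f"{base[key]} -> {curr[key]}"))
    return findings


def match_iocs(current, dns_queries, iocs):
    """Match the current state and recent DNS queries against known IoCs:
    file hashes, autorun value names and C2 domains. A match is reported
    whether or not the item differs from the baseline."""
    findings = []
    for path, sha256 in current.get("files", {}).items():
        if sha256 in iocs["sha256"]:
            findings.append(Finding("ioc_match", "files", path, f"known hash {sha256}"))
    for name in current.get("autoruns", {}):
        if name in iocs["autorun_names"]:
            findings.append(Finding("ioc_match", "autoruns", name, "known persistence name"))
    for domain in sorted(set(dns_queries)):
        if domain in iocs["c2_domains"]:
            findings.append(Finding("ioc_match", "dns", domain, "known C2 domain"))
    return findings


# ---- constructed sample data (placeholders, not real artifacts) ----
BASELINE = {
    "processes": {"explorer.exe": r"C:\Windows\explorer.exe",
                  "svchost.exe": r"C:\Windows\System32\svchost.exe"},
    "files": {r"C:\Windows\System32\svchost.exe": "SHA256_PLACEHOLDER_SVCHOST",
              r"C:\Users\alice\report.docx": "SHA256_PLACEHOLDER_REPORT"},
    "autoruns": {"OneDrive": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
}
CURRENT = {
    "processes": {"explorer.exe": r"C:\Windows\explorer.exe",
                  # same name as a system binary, but now running from a user profile
                  "svchost.exe": r"C:\Users\alice\AppData\Roaming\svchost.exe",
                  "updater.exe": r"C:\Users\alice\AppData\Roaming\updater.exe"},
    "files": {r"C:\Windows\System32\svchost.exe": "SHA256_PLACEHOLDER_SVCHOST",
              r"C:\Users\alice\report.docx": "SHA256_PLACEHOLDER_REPORT",
              r"C:\Users\alice\AppData\Roaming\updater.exe": "SHA256_PLACEHOLDER_BAD"},
    "autoruns": {"OneDrive": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
                 "Updater": r"C:\Users\alice\AppData\Roaming\updater.exe"},
}
DNS_QUERIES = ["www.example.com", "updates.example.invalid", "www.example.com"]
IOCS = {
    "sha256": {"SHA256_PLACEHOLDER_BAD"},
    "autorun_names": {"Updater"},
    "c2_domains": {"updates.example.invalid"},
}


def triage(baseline=BASELINE, current=CURRENT, dns_queries=DNS_QUERIES, iocs=IOCS):
    """Combine both detectors into one finding list for the investigation workflow."""
    return diff_snapshot(baseline, current) + match_iocs(current, dns_queries, iocs)


if __name__ == "__main__":
    for f in triage():
        print(f"{f.kind:10} {f.category:10} {f.key}  {f.detail}")
```

The two functions deliberately answer different questions: the diff says "what changed on this host since it was last known good" (the svchost.exe process now launching from a user profile shows up even though no hash for it is on any list), while the IoC match says "is anything here already known bad". Running both against the same snapshot is what lets a hunt find both the novel and the already-catalogued.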
There is no reason we can’t seek out and find the majority of weaknesses in the design,
configuration, and controls of our environments by using an active process. Common
vulnerabilities include weak or default passwords, open ports, unpatched systems,
misconfigured access control lists, poor input checks, and excessive rights. New
systems that plug in or connect to our network should be identified by automatic
processes, especially newer IoT devices brought in by business users. This identification
should auto-populate our configuration management database, with each device tagged and
assigned to defined access groups. Known vulnerabilities should be identified and incorporated into
your patching process. These types of weaknesses are often also present upstream and
downstream, in employee systems and in partner and vendor systems that connect to your
network. Automatic vulnerability checks should feed results back into your operations
process. Known exploit tools should automatically be run against your environment, and
any success should auto-alert your ops team. IT should be the first to detect it.

The insider threat represents a challenging problem. By their very nature, insiders have
been deemed by your organization as trusted. They have rights to systems and data as
part of their jobs. We must verify that trust by monitoring behavior. Insider threat
detection means observing patterns in user activity, establishing trends, and looking out for
anomalies in behavior (user, endpoint, and network).
Today’s threat actors are increasingly targeting the executive suite. Through spear phishing
and whaling techniques, persons with access to sensitive organizational information and
power are often coming into the crosshairs of attacks. We can actively check social media
sites for mentions of your business and its users. For example, the Ashley Madison breach exposed
data on its subscribers, many with corporate email accounts. Data dumps like this could
include some from your organization, and we want to head off the potential for blackmail.
Detecting corporate data leakage in these dumps is also important.

A more certain path forward
Read any breach report, and you will find a stated reason for how the bad guys were able to
gain access to the company’s network. This is often accompanied by a failure of the human
layer, people. It only mentions some process or best practice that was not followed.
What is often left out is the reason why. Millions of dollars were invested in new security
control products that could have stopped the potential attack but were not turned on; was
there a reason for that? A simple click on an email defeated the entire security control
infrastructure?
When federal authorities are involved in investigating a breach at your company, and
internal lawyers are hovering around trying to control liability for ensuing lawsuits, the breach
information that the community at large receives is partial. The report insinuates that a
single simple step would have stopped the attack. This is interesting, considering the
report also insinuates that a very sophisticated and organized criminal organization or nation-state
targeted the company. Just because a sophisticated, advanced attacker uses a simple
exploit or means of access does not mean they cannot escalate the attempt. If one is
attributing a cyber breach to a sophisticated actor, it can also be assumed that there
are many avenues of attack. An HVAC subcontractor is not the only potential avenue to
gain access.
Detecting change allows for agility and course correction along the attack chain. Sophisticated
actors have the ability to take out a suitcase of money to buy insider access or to place an
insider in a key position with the proper access rights, and there are many other ways for
criminal entities to carry out their objectives. To be helpful to a cyber defender, information
from a breach needs to indicate more detail about the exact attack patterns and the
countermeasures encountered during the attack. What would be helpful is insight into the
defenders’ countermoves, and into other potential controls that may not have been in place or
enforced. This of course assumes that the information is even available. Often, even with
the help of third-party incident response firms and the FBI, many details of the actual
attack methods and timing are never discovered.

And we should not neglect to go back and ask ourselves why some of the popular and
best practice controls are not put in place. Often, the means by which we implement
controls could have an impact on business operations in the form of system interruptions.
The demands of daily operations often generate pushback from the business itself. A
system that is inline with traffic and generating false positives that interfere with normal
work can quickly be forced to be turned off. IT has often been confronted with vendor
products that have not performed as advertised, causing interruptions to business
activities. Even when we try our best to make the security controls quiet and non-intrusive
to users, there are times when the products we put in place require user interaction or slow
the work getting done. IT must remember the purpose of the systems that users work with
every day…and that is to get work done, not stop at multiple security checkpoints.
The intersection between getting work done and securing the critical assets of the
business is a place where IT must thrive. Giving feedback to the business on the potential
risks without interrupting business operations is the job IT has to do very well.
What would be helpful is more insight into the attacker-defender battle. Reports showing
the actual maneuvers of the attacker against active defense, trained defenders, and
appropriate tools would be very useful. Successful attacks against weak defenses with
no visibility or very limited coverage are not very instructive. IT across the industries must
elevate the game across the board. We need to see what the landscape looks like when
IT is prepared, armed, aligned with business priorities, and updated with the latest
technologies and processes, and what the attacker-defender landscape looks like then.

The ways of warfare leverage the technology benefits that businesses today use to
compete in the marketplace. They are inexorably connected to the same ways and
methodology that we’re using to disrupt the marketplace. At this point there is no going
back. In an era of super convergence of technology, architectures, and business entities,
the digital world is linked to the physical world, literally underpinning our lives. The
stakes are higher in our world, because as we become more dependent on this
technology, attacks become more costly. IT, we must do better.
How can risk be measured in an environment where domain-level expertise, near real-
time context, and environmental risk factors are dynamic in nature? We can no longer
afford to have underlying weaknesses in such basic countermeasures, best practices, and
solid design principles. Considering the nature of the threat and the size and number of
infrastructures that need to be secured, it is a tall task for the current number of IT
professionals available. Some small and midsize enterprises will continue to look more to
third parties and cloud providers, while large enterprises and governments will continue to
attempt to staff up in house. Questions we will have to answer collectively are how we
educate the next generation, how we construct our governmental legislation and
regulations, and how we all view our dependencies on this fantastic new technology that
is opening so many new opportunities.

The good news is we can leverage our initiatives and efforts in one domain and apply
them to multiple domains. In a digital world, when you master the zeros and ones, the
software code, the hardware, the connectivity, and an understanding of how they work
together as a system, then the system can be observed, measured, and analyzed. And as
businesses are continually disrupted every day and the digital world is awash in a deluge of
data, IT can continually apply the science and math of analytics to this problem space:
to maintain pace with business innovation and growth, to meet and exceed our
time-to-deliver for services to the business, and to maintain a healthy shift in the
cost model of the attacker – defender landscape. It’s time for IT to get leaner, faster, and
smarter.

Be confident in our organization’s ability to help, then disrupt ourselves if need be, before being
blindsided by a competitor. Be resilient enough to move the risks from cyber-attacks from
catastrophic, board-level panic to a matter under enterprise risk management and just part of
the current business environment. Be an innovator and enabler to help inspire your business
to ideate, fail, and experiment until market traction is gained.
PART 3 – TRANSFORMATION

The systematic approach to tackling change and transformation with the assembling of a
high performing team built to win and continually improve, while simultaneously
navigating current and near-term disruptions, complexities, and risks in order to pave the
way for organizational success as defined by the business.
Chapter 8: Change

Change is often an uninvited and unwanted guest in our lives. It interrupts what we are
doing and asks us to do things differently. For many, that can be uncomfortable.
However, meaningful change requires transformation. Transformation is a commonly
stated goal in business today. What does transformation mean? It means a change from
one state to a new state. This is commonly in response to disruption. A change in the
status quo can force massive change in how things are done. To codify this change, we
must transform the way we do things, the way we think about things, and the way we
approach problems, to make sure we survive in a highly competitive work
environment. How we enable transformation is an interesting question.

The Upward Spiral


I originally was going to target this book towards the chief information officer (CIO). My
thinking was that this person was at the epicenter of operations and innovation, being
most likely to feel the tug of the competing forces for time, money, and focus. But I
resisted that and went with IT as a single entity as the main target. Anyone in IT can
lead, regardless of title and position in the org chart. This dichotomy manifests itself
throughout the organization, so I decided that in challenging and disruptive times that
affect everyone, everyone can decide to lead and inspire.

We are all subject to justifying our requests for money, our roles, and our demands for
faster response from the business. This is a team. IT is that team, and in the end IT is
part of the business team. But this guide is directed at you because of the complexity of
our digital landscape today. In spite of what vendors may try to sell, the fact is that all
our challenges are embedded in the minute details of the operations of what we do. There
are no magic easy buttons here. Solutions come from hard work grounded in the technical
underpinnings of the 0s and 1s that drive our world. We can do better, and our
organizations are depending on us to maintain relevancy in the market.
A main constraint against any improvement or change is not having the time to improve:
that is a downward spiral into stagnation, firefighting, and irrelevance. To make all these
changes possible, we must first reverse these downward spirals and leverage multipliers
to move forward and upward. The impact of multipliers is felt throughout the organization
much more than that of an individual or a small group.
Test your hypothesis. Question: would a new change help move the customer line
faster, increase attach rates, or increase customer satisfaction? Remember, everyone is a
customer. Understand the implications of delayed response. Is frustration building up over
time? A complaint is good, for it provides valuable feedback. And feedback is what we
need to gauge where to focus our attention, measure how well we are delivering value,
and identify where we can get better. Many people are unconsciously adapting to, and
noticing, something not working like it should. Learning about such workarounds reveals
potential areas of improvement.

The Invited Guest


Succeeding even when the odds “appear” to be against you.
“You can’t do that. It’s impossible,” say the naysayers. No money. No time. We don’t know
how. It is in situations like these that it may seem like you are David going up against
Goliath in the form of the inertia of the status quo. Or, on the flip side, sometimes your
competitor is David: the five guys in the garage envisioning a different future, thinking
differently about the problem, asking thought-provoking questions, and challenging
popular assumptions underlying the current state. The “underdog” sees the world
differently, and answers the what-if questions in a far different way. As David, don’t
assume the biggest guy always wins.
Often, the world forces us to change if we want to survive, to protect ourselves, to make
it another day. Often, change is not very welcome in organizations. It often means doing
things differently -- working different muscles, having different conversations, taking on
new roles, and accepting new duties. At times change can feel awkward, uncomfortable,
and unfamiliar. Many people would rather avoid these changes and stay with what’s
comfortable, the status quo.

However, to survive in today’s digital world, change is a requirement. And not just small
change, but in many cases transformation is required. This can mean transformation in
how we think about the challenges, how we work around difficulties, or how we work and
influence those around us.

We must move from water cooler chatter to the serious discussion of improving the
situation and leading the changes we need.
It’s okay for water cooler talk to be generic and full of assumptions, with no expectation of
accuracy or consequences for being wrong. But when it gets real for you and your
organization, when it matters to you personally, then it’s time to get serious about the
change we need to lead, inspire, and support.

It can be dangerous to delay until tomorrow the actions you need to do today. Be wary of
the delay caused by today's survival instincts, because delay will only make it worse and
we will find the options more constrained tomorrow. Choices can get narrowed, margin of
error can get smaller, and the risks of failure can increase with each passing day. What
are you prepared to do today to accomplish your goals?
As organizations grapple with the need to make changes on a larger scale, and often to
be more agile, they are looking for ways to inspire the teams, lead changes, and show by
example. Communicating strategy and tactics through the organization, across silos, and
through teams is needed. And the stakeholders in our organizations that have liability
cannot limit their support to a check box, a corporate wide email blast, and a speech.
Naysayers delay action. The proposed idea does not address everything that is needed…
so we shouldn’t do it. As a result, we wait too long to act. There is a tendency to
over-discuss and over-analyze a new idea or proposal, looking at what it doesn’t do or address.
We should be asking what it does address and what is good about it. Try it, learn from it,
and leverage that new knowledge. Inherent in change is a willingness to try new ideas
and proposals.

Multi-dimensional thinking
Binary logic works very well in technology, but it is a disaster in business. It constrains the
vision of what is possible, limits the range of options, and, worse yet, artificially
constrains the problem space, thus eliminating from consideration solutions that might
be the answer.
Different users have different starting points, means, understanding, and incentives to
change.
Here are some common questions that may be asked or statements that may be made:
▪ But it works, what’s the problem?
▪ I didn’t know I had that in me
▪ I didn’t know that there was so much help available
▪ I didn’t know complexity could be tamed
▪ There is so much I didn’t know
Often, change requires people to do things differently, and that scares people sometimes.
That’s one of the reasons that change is often called the uninvited guest.
To prepare for change, accept its normality. We must accept the fact that change is a
constant in life; change is normal, not something to be dreaded. When one realizes that
change is normal, inevitable, and required, one should take advantage of it and be in
front of that change, as opposed to being thrown into the middle of it.
Often, the longer one waits to make the necessary changes in an organizational
structure, the harder it can become. To maximize your impact on the world, you want to
invite change into your organization. Why? Because when you don’t, you are very likely to
be disrupted. You want to interrupt your way of conducting business in order to have the
most influence over future outcomes. This is preferable to having the change forced
onto you.
Understanding the world around you is a learning process. Why is this happening? Why is
the other not happening? What if we could do things differently? What if this outcome
happened instead of another? How do we overcome the obstacles? The learning phase of
inviting change can be an exciting time.
IT is in a good position to have access to the organization across the board, whereas some
sections of the company have limited face-to-face time, or only interact with certain other
departments. IT, on the other hand, has access to the entire company: day-to-day
access to the lines of business, executives, secretaries, janitors, and the security guard
at the front door. All of the different groups and departments interact with and depend on
the use of technology to get their work done. They consume and are impacted by
technology services. IT should take this opportunity to learn about what’s going on inside
the organization, truly understanding the needs, problem areas, and potential
opportunities across departmental lines.
Because IT has a firm understanding of the technical background of the new technology that our
end users will encounter at home or in the media, it can share its knowledge with the
rest of the organization. IT should be the source for information on what’s new in the
market, what new features are being added, what the new cyber risks are, and how the
new technology is affecting the world at large and your particular organization
specifically. IT can share knowledge, tips, strategies, best practices, and technologies,
thus affecting how people work, and even affecting how they live at home. IT can share
new tips, productivity hacks, gains, and more use cases. This becomes even more needed
as the amount of technology in end users’ homes continues to climb -- the average home
network has up to 15 IP-enabled devices connected [42].

An advisory role is well-suited for IT. It can have an advisory role for the business, where
it is looking for ways to innovate, control costs, and optimize how business is done. IT
can advise on new ways of thinking about the problem in terms of technology,
spearheading innovation. IT can help lend a credible voice to what’s possible, discovering
new ways to apply technology and, especially, new ways to use data. IT can take the
lead in helping the business deal with data, helping management to see something new, to
process something new, and to take advantage of something new. IT is in the perfect
place to ask questions such as: what can be done about this for customer sentiment
detection? Have you thought about improving this process by using a new application?
Have you tried doing this out in the field to improve delivery times or response times?
How are our competitors using new technology for customer interaction? In this way, IT
can advise on the front lines and in the back lines while remaining quite valuable to the
organization.
Productive collaboration is how IT can communicate, and communicate very well. It is
important to cut down on the confusion caused by the language barriers between IT and
the business. The building of a team that can effectively work together to improve,
progress, grow the business, and innovate to compete is a key collaboration. It
encourages feedback to find out what’s working, what’s not working, and what we can do
better. In a true dialogue, both sides seek to understand, and seek to be understood.
We now have a population of users familiar with many social 2.0 avenues of
disseminating information. IT can leverage them also: IM, portals, video, Facebook, and
LinkedIn, to name a few. There are many mediums for collaboration, such as surveys,
social apps, and videos. For example, why not release a video when IT is ready to roll out
a new service? Treat it with excitement, like it’s a new product coming out. IT can no
longer afford to be out-marketed by third parties. For the things it does well, we must tell a
story through constant interaction with the business on a one-on-one and group basis. IT can
help deliver that message and stay close to the ground to know what’s going on. Close
collaboration with the business gives IT a cushion between the point where change is about
to be pushed upon it and it finds itself disrupted, and the point where we can lead a gradual
and more humane disruption ourselves.
By inspiring productive changes to disrupt ourselves and our competitors, IT can help
inspire the business itself and, ultimately, the next generation of leadership
that will be taking our roles in the future. This is up to us. Anyone can come back from a
convention and bring new ideas to the company to try to help it grow. IT can teach,
and lead in this way, helping to set strategy for the company on new ways of doing
business. IT can anticipate and sense changes around the corner, enabling the business
to stay in front of the changes.
Accountability is necessary in age of finite resources and unlimited potential. IT must be
accountable to the business by maintaining focus on business outcomes. We must value
money, how we spend it, how we save it, how we help the business make more of it.

IT should also strive for meetings designed with intent, with relevant data at hand, and
clear action plans. The meeting itself should last only as long as needed to get to the
point. This showcases another side of the lean culture of valuing finite resources, which
would be, in this case, time.
Ways that a change initiative can come about include regulations, compliance, or
competitive advantage. Even change that on the surface seems like a bad thing does not
have to be; as some say, don’t let a crisis go to waste. Change could also come as part of
upgrades or a transformation initiative. Leading by example during a time of change
can help others come around to your initiatives and wishes.

IT should give some thought to its image. Make the front entrance inviting. Business
services enabled by IT should be inviting, transparent in operations, quiet from security
controls, and attractive. Even the packaging that IT uses sometimes turns users away
from applications that function just fine. Remember, the front entrance – physical or
virtual – can many times be all that’s needed to get people to come.

Culture, Strategy, and Execution


“Culture creates the foundation for strategy and will either be a company's greatest asset
or largest liability. While culture has many aspects and manifestations, its core should
include a clear sense of purpose and shared values that guide decision making across the
company”. [Daniel Patrick Forrester, Author, Strategist, THRUUE Founder & CEO] [43]
Change is survival. It is the destination and the journey all at the same time.
Transformation is hard when what you are already doing today seems to be
working. Change meets risk head on. Change is often an unwelcome visitor. But what
do these all have in common? Disruption, transformation, and change. In all cases, IT
must change to keep up and must remain adaptable to change.
Let’s not underestimate the potential difficulties here. Even with the risks high for your
personal wellbeing, change has still proven elusive in the face of overwhelming data and
moving stories. Even with high impact and probabilities, the "obvious" need to change course
can prove challenging.
Some of the successes in standards, due care, and best practices that have come about in
the physical world were spurred on by legal precedents, lawsuits, deaths, and
catastrophes that could have been avoided. These in turn triggered new laws and
regulations. Many changes are enacted when the incentive structure is modified or there
are penalties that encourage it. Examples include mandatory car insurance, legal rules of
the road for driving according to traffic signals, or insurance underwriting that requires
security cameras and guards.
We need to be mindful that every dollar rerouted to mitigate risk is a dollar
taken from somewhere else. Best practices and due care were developed to help comply
with what we are required to do.

Market forces encourage these changes. Potential brand or reputational risks could affect
your bottom line. A certain level of protection and response could be an advantage in the
marketplace. Being ready to respond, reducing the impact, and communicating well to
your customers could turn a breach into a bump instead of a catastrophe. The first
time you give thought to what to do during a breach should not be during an actual
attack.
One of the best ways to invite change is to put a worthy challenge in front of ourselves. It
is a way to inspire the best in all of us. But to accomplish the big things, we have to learn
how to overcome the constraints applied to the finite resources we have at our disposal.
Chapter 9: Overcoming Obstacles

We must develop the capacity to understand and feel what our co-workers, end users,
and the organization as a whole are experiencing from within their frame of reference
and perspective. Our co-workers in IT are partners we need to get things done and make
our work journey fulfilling and worthwhile. They, like you, are going through a lot. We
need to know the men and women in the trenches with us. End users are co-workers in
different departments, but when we walk down the hallway they are one of us. Imagine
what they are going through, and remember that everyone is always going through
something personally that you don't know about.
Pay more attention to what is bothering them, what is making their daily jobs
problematic, and what is within your reach to help. Their primary job is not to spend all
their time remembering 20 passwords, hovering over hundreds of links, scanning the
thousands of emails they process every day, and navigating multiple portals to find that
one particular document while trying to get their jobs done. Your organization exists to
accomplish its goals. Those goals are how you get your paycheck. Remember this,
because it will guide you as you navigate hurdles.
Your frame of mind is critical
IT has to get out of the habit of automatically thinking that users are the problem. We
need to get beyond wondering what they did wrong this time, and believing that if they
just didn't click on something, we wouldn't have these "problems". Clicking is part of
normal operations for collaboration and getting things done, not analyzing every email,
website, and link and pausing to wonder whether it is bad. The sum effectiveness of our
controls should not rest on the end user and their click decision. We can do better than
this. And at the end of the day, if our entire risk mitigation strategy relies on whether one
user chooses to click or not, then our collective capability is in a very sad state: a single
click should be absorbed by the layers of control behind it, not decide the outcome.

Confronting Constraints
A constraint is a limitation or restriction that blocks what you need in order to
accomplish your goals. You are not going anywhere if you don't address the constraints
obstructing your progress; they must be dealt with in order for you to succeed.

IT faces a variety of constraints in the pursuit of its goals. Here are five very common
constraints:
1. People
2. Time
3. Technology
4. Knowledge
5. Money
Make a list of goals, initiatives, and tasks that you want to accomplish, that you are
running into obstacles with, and that you are having difficulties overcoming.

Next we are going to look at the form these constraints take for IT, and for each one
discuss courses of action to overcome them.
People
Physical bodies: we don't have the headcount necessary to keep pace with business
demands.
Belief system / thinking: the way people on our team think dampens the want, will, or
desire to change. Their thinking may also conflict with newer techniques (PowerShell
scripting vs GUI), methods (agile vs waterfall), architecture (hybrid cloud vs on-premise
only), and design (converged wired/wireless edge vs autonomous, or FCoE vs dedicated
SAN switching).
Culture: our group spent money on this new system, you can't share, we don't trust your
way of doing things, we are old school, from the age of the mainframe and not x86
architecture. The incentives and human interactions are not conducive to the kind of
collaboration needed to get things done. Tribes are locked into organizational silos,
hoarding valuable knowledge, expertise, and budget. Or the problem is simply a case of
it's mine, not yours, keep out!

Actions
▪ Leverage staff augmentation, partners, vendors, and consultants: an ecosystem
approach that multiplies capacity for the market-facing value chain
▪ Develop leadership skills to inspire a new culture of responsibility, empathy,
teamwork, and collaboration
▪ Sponsor internal meetups with the business to share the market pressures
▪ Develop career roadmaps for team members across silos

Time
Time: life's most valuable resource. In some environments you have the people and the
culture; your people just don't have the time to keep up.
"If we had another week, we could get to it." "Our time is being eaten up by redundant
requests; we have a way and a system to correct it, if only we had the time to deploy it."
This is the epitome of the downward spiral.
Actions:
▪ Carve out improvement time now to realize time savings later, i.e. maintenance:
clean up that wiring, fix some of those application bugs, finally update that
documentation and post it on the internal SharePoint site
▪ Offload routine tasks to a third party (up/down monitoring, backups, account resets)
▪ Learn to say no better
▪ Give better visibility into IT, with total resource commitments broken out by business
priorities and owners, along with vetted third parties capable of picking up the
workload and their cost structure
▪ Optimize work task flows with orchestration and automation (virtual computing
environments, policy-based security access, rights entitlement)
▪ Implement more self-service for end users (i.e. password management, equipment
requests)
▪ Get earlier indications of future technology needs by embedding IT in business
processes, reducing the lead time on requests
Technology

Technical: legacy systems, out-of-business suppliers tied to critical systems, capacity
issues (the pipe is not big enough, not enough ports, not enough storage, not enough
CPU cycles, not enough licensing, not enough wireless coverage). A myriad of these can
come up over time.

Actions
▪ Develop a remediation plan
▪ Develop a roadmap and budget
▪ Sell management the vision of the next-generation infrastructure needed to compete
in the market, highlighting the current technical constraints
▪ Develop a software/hardware rationalization strategy to trim your vendor mix
▪ Begin transitioning to platforms in lieu of best-of-breed point products
▪ Build out more agile infrastructure and replace legacy where possible

Knowledge
Knowledge: our people don't have experience with this technology, the soft skills, or the
domain needed to do the work.
For example, a particular system installed years ago needs to be updated. The people who
worked on it have long since been let go. There is virtually no documentation; the system
just kind of works. This is out of your control.
Actions
▪ Identify remediation plans to address documentation deficiencies (with partners
where needed)
▪ For the new systems you are responsible for, don't repeat the bad documentation
Money
Money: the time-honored constraint; every dollar has to be fought for. Especially when
looking to address the other constraints, money is usually the common answer. We can
overcome obstacles by spending money to buy more people, knowledge, and technology,
or so they say.
For example, when a second firewall was proposed for the design of the new network, IT
informed the partner that the budget was already tight and they would have to do
without.
The firewall example (a single firewall is a single point of failure for everything behind it)
could have been many other things: another piece of equipment, another software
module, more time for a programmer to do quality testing, more time for testing the new
wireless before implementing the RF tags to be used for inventory tracking in the
warehouse. From equipment, to contractor time, to paying for project management time,
a cursory look at the bottom number can distort the design process and set the course
for the downward spiral of accumulated technical debt. More workarounds and gaps in
redundancy, proper testing, and the ability to scale when the business requires it put the
system architecture supporting business operations in future jeopardy. Every shortcut
can eventually interact with another and cause the kind of system failure that rarely
shows up in continuity, disaster, and cyber response planning. And every day our
systems go unmonitored for lack of infrastructure to capture, monitor, and analyze is
another day of lost historical and contextual insight that helps us maintain and improve.
Actions
▪ Learn how decision makers make decisions
▪ Learn how those in the business who successfully get budget approval do it
▪ Learn how to communicate at the level of the C-suite, board members, and other
stakeholders
▪ Demonstrate the value delivered from the budget that has already been approved
▪ Demonstrate business and financial literacy specific to your organization (e.g., risk
mitigation versus the new cool widget)
▪ Learn how to visualize and communicate current state, threats, and opportunities to
a non-technical audience
▪ Learn how to assemble multiple group leaders around common outcomes,
experiences, and functions, leveraging common platforms. You have to counter the
argument from one group that the solution is too expensive. Make a larger case.

Communication 101
One of the keys to overcoming obstacles is communication: “Communication is the
purposeful activity of information exchange between two or more participants in order to
convey or receive the intended meanings through a shared system of signs and semiotic
rules. The basic steps of communication are the forming of communicative intent,
message composition, message encoding, and transmission of signal, reception of signal,
message decoding and finally interpretation of the message by the recipient.” [44]
Change necessitates effective communication between those seeking to change the
status quo and those who are not actively participating in transformation. For IT to lead,
we have to communicate among ourselves, with the end user, and with the organization
at large, and do so effectively. IT has to do it very well in front of the board of directors,
the ultimate stakeholders with liability. IT also has to do it with the people on the front
lines. IT has to do it with partners.

One of the great challenges in leading transformation to deal with disruption is the ability
to lead change. Leading change requires great communication: conveying to the business
at large what the current state is, what the potential opportunities are, what the relevant
threats are, what the alternatives are, and what the timelines are for decisions to be
made. IT needs a communication strategy, framework, and tools to be successful.
We have the insights and can assist, but we feel that we are unable to get our message
out, to the right person, or in a timely fashion. Maybe heads are nodding, but we have a
sense that they are not getting it. If our audience truly understood what was at stake,
don’t you believe there would be a change in attitude, actions, and commitment? How
do we change this?
Common Model for Information
When dealing with the business, we should use their common language and a common
information model. They are accustomed to dealing with risk and uncertainty, and when
IT learns to speak their language we will likely find a more receptive, cooperative
audience.
The importance of effective communication can't be overstated. Our world is defined by
business, complexity, and speed. Millions of dollars are spent every year attempting to
deliver messaging to a targeted audience, in a timely fashion, to elicit a certain response.
It is important to get the message out in a way that doesn't get lost in delivery. For
example, you just finished fully documenting the opportunities or risks and put it in a
100-page report, or you just prepared a 100-slide PowerPoint presentation, but no one
seems to be getting the message. The lead takeaway has been buried where the intended
audience just can't get it. This is a very common problem.
Remember that your potential audience is diverse. Some receive new information better
in an Excel spreadsheet, some like visualizations showing cause and effect, while others
need a compelling story. And as part of a sales process, there can be multiple people in
the decision-making chain, all with different communication styles, all needing to be
swayed and eventually all brought to the conclusion that a change is needed.
It's not enough that the expert knows what the terms and analysis mean; this
information must be shared both upstream and downstream. The systems we use and
deploy are a hodgepodge of vendors that use various naming schemes for the same
things (a user, a host, an event time), creating unnecessary complexity. To communicate
effectively, you need your own common model for describing data, and to build
consensus the first step is to make sure everyone is on the same page. A common model
allows everyone, both within groups and across teams, to look at the same set of data,
dashboards, and reports and come to the same conclusions.

Consistent Communication Strategy


We must have a consistent communication strategy and follow it through in execution.
We should develop a cadence and norms for how users should expect to collaborate with
us. Are we using haphazard email footers in our communications? Are we making it clear
where users should turn in an emergency? Are there multiple sites they have to navigate
in order to get help?
Clarity
We must strive for clarity in both our internal and external communication. This is
necessary when demonstrating our value to the business, collaborating with the business
to identify potentially enabling technology, educating the business on real opportunities
for enablement while cutting through the noise and hype, or explaining new technical
capability in business terms. It is needed when we are recommending viable alternatives.
Clarity is also needed when we bring to the table innovative ways to attack costs, a new
capability, or data on growth issues.
Being Pro-active
Every day, winning organizations are sensing opportunities in the business and pro-
actively helping the organization to win. Always be on the lookout for new possibilities,
and be ready to transform that into opportunity for the front line. IT should be willing to
make calls like this: "I thought you might need assistance, so I gave you a call to help,"
or "I sent you an updated report to help you with your meeting tomorrow. I just identified
another savings opportunity and wanted to share the numbers with you."
Right Audience, Right Language
It's important when communicating to take time to understand the audience. This helps
ensure that we are communicating effectively, with clear messaging, and in a considerate
manner. But what happens if we are delivering the message to the wrong person or
group? Then our message simply gets lost.
Maybe our audience has a general interest, but no ownership of the risks. Ownership
implies risk, because the impact can produce a loss for them. Unfortunately, in most
cases front line employees and IT have no liability; at worst, loss of employment, but
they can find another job. For an owner, we are talking about business income loss and
potential legal ramifications.
Another facet to this problem is using the right language with the right audience. Owners
communicate in certain languages that allow them to run businesses. They are very busy
and if the message coming their way is not matching their language, then the impact
and/or probability of occurrence can be lost. If we want to get their attention, we must
learn to speak their language.

Being Heard
Changes are often communicated to stakeholders via email. With most stakeholders
receiving hundreds and perhaps thousands of emails a day, relevant information and
timelines for decisions can easily be lost in the noise. The other major venue for
communicating information is the meeting. Depending on the structure of the meeting
and the agenda, there may be a limit on the time available to communicate our message
effectively. Also, the format you choose to convey your information could keep your
main points from getting across.
The benefits of effective communication cannot be overstated. Therefore, IT must
continuously improve its ability to communicate, both verbally and in writing, and in
multiple formats. Business stakeholders are often short on time to take in the full
meaning of messages, and are also limited in their ability to accurately assess the
decision to be made. We must make sure our message is heard and our hearers have the
information they need to make a decision.
Whys and Hows
When change is required, communicating the “why” and “how” can go a long way
towards winning support. When someone understands the importance of doing a task a
different way, they are more apt to follow along.
How are we actually communicating our posture today? Are we defining breaches and
incidents properly? Are we defining a material breach properly? Are we communicating
this to management? To communicate effectively to management, we may need to
explain these in terms of the cost of cleanup, while at the same time indicating that the
financial impact may be partly offset with the right cyber insurance. Management needs
to know whether there are impacts to stock price as a result, changes to monthly cash
flow, or potential legal actions against the organization that may result in a payout. We
also must pin down the real meaning of loss or leakage; the meaning of these words must
be discussed in the context of digital assets, where the original is still in place after a
copy has been taken.
Getting Results
You may be surprised how much behavior is driven by miscommunication, such as using
the wrong language, making proper understanding difficult. Without understanding,
productive change can't happen, nor can risks be properly identified and mitigated. And
mitigation means reducing the likelihood of occurrence and/or reducing the impact.
The results of our communication are of the utmost importance. For example, a meeting
involving a discussion of security risks might result in a mitigation strategy for deploying
a new control to reduce the likelihood of unauthorized access to a critical business asset,
thus decreasing the risk. Also, the business can decide to add insurance against loss of
that information, putting a cap on potential out-of-pocket costs, decreasing the cost
impact and thereby decreasing the risk (note that insurance works on the impact side
only; the probability that something bad will happen to the asset is unchanged). None of
those decisions would have been made without clear, concise communication in the
language of the audience.

A Winning Team
If you are stuck in a silo, you will struggle, IT will struggle, and your organization will
struggle. The hallmark of high performing organizations is teamwork. You don’t have to
go it alone – assemble a real team.
The great news is you are not alone. Others are facing challenges similar to yours, trying
to navigate the complexities and keep their heads above water. Teamwork is vital when
dealing with complex systems, such as those that power our digital infrastructure.
“Team members need to learn how to help one another, help other team members
realize their true potential, and create an environment that allows everyone to go beyond
his or her limitations. Teams can be broken down from a huge team or one big group
of people, even if these smaller secondary teams are temporary.” [45] The team has a
common purpose, shared vision, and a desire to improve.
This is in contrast to a group of employees who begrudgingly engage with each other just
because their boss makes them. Individuals showing up just for the paycheck, just trying
to make it through the day, or who have already checked out because of a lack of
direction make the problems of silos more acute. If IT wants to overcome obstacles and
improve its condition, then we have to operate as a team. It is not optional in today's
disruptive world. The five guys in the garage are definitely working as a team, and as
recent history has shown, their growth and success can be traced directly to the
multiplying power of teamwork and shared focus. If you don't want to be disrupted, then
team up and get to work.
Business is a team sport, and IT can leverage the resources of different groups inside the
business to help everyone do their job even better. From human resources, to the legal
department, to maybe a data scientist or two, to maybe one of the accountants, IT should
look at itself and the business as a functional unit that can leverage other teams.
Team building can be used to overcome skill-set deficiencies in certain areas. For
example, finding a data scientist who happens to have domain expertise in security can
be challenging. But we can bring together multiple people with complementary skills and
combine them to accomplish the work of data science. Inside your organization today is
a plethora of knowledge and experience. Managing risk is a practice and skill set that
many of your departments have been dealing with for years. Down the hallway, one of
your co-workers has a faster way of accomplishing a task you are spending too much time
on. There is someone who can share, teach, and advise you. You may see them in the
elevator every morning and not realize that they are an ally waiting to be called upon.

Consider the end user on the front lines. Fixing symptoms is an endless task, but fixing
root causes is finite. Teach a user how to "fish" in order to empower them.

Consider HR, human resources. From the employees on your own team, to that person
down the hall who could be an insider threat, to that star player who can help the
business break into a new market, the quality of the people in your organization depends
on human resources at the front of the screening process. Of the people, process, and
technology domains of business operations, people are the most important factor for the
success of the business. People are also the most important factor in how well your IT
team performs and delivers for the business. HR is often used to help bring in contractors
to supplement IT on particular projects.
HR is also your friend when IT performs its end-user education around technologies and
threats. That new compliance training making the rounds around the office commonly
comes from the HR department, asking employees to watch a training video, a
phishing-awareness webcast, or a walkthrough of the new expense system. Any time the
IT team needs to communicate information about processes, changes, and trends in
general, HR can be a valuable asset. When HR completes the process of on-boarding a
new employee, they normally have a process to send a new-user request to IT to get that
user set up in multiple systems: a new Active Directory user account, home directories,
and membership in the proper groups. And on the back end, when the employee is
terminated, HR normally notifies IT of that event, which triggers the process of
decommissioning and disabling user accounts as appropriate. The leaver notification is
the step that most often slips, and an account that outlives its owner is a standing risk,
so IT should periodically reconcile the HR roster against the directory rather than rely on
the notification alone.
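As an added example (not from the book, and not any particular HR or directory product's API), the joiner/leaver reconciliation described above can be expressed as a small Python check. The HR roster and directory dump below are constructed sample data, and their field names (employee_id, username, status, end_date, enabled, is_service_account) are assumptions standing in for whatever your HR export and directory query actually return:

```python
"""Reconcile an HR roster against directory accounts.

Added example: the record layouts and sample rows are constructed, not a
real HR export or directory schema. The three checks are the ones that
catch a slipped leaver notification, an enabled account with no HR owner,
and a joiner whose request never reached IT.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class HrRecord:
    employee_id: str
    username: str
    status: str                 # "active" or "terminated" (assumed values)
    end_date: Optional[date]    # set when status is "terminated"


@dataclass(frozen=True)
class DirAccount:
    username: str
    enabled: bool
    employee_id: Optional[str]        # None for accounts with no HR owner
    is_service_account: bool = False  # declared service accounts are exempt


# Constructed sample data (fictitious people and accounts).
AS_OF = date(2016, 3, 15)

HR_ROSTER: List[HrRecord] = [
    HrRecord("1001", "asmith", "active", None),
    HrRecord("1002", "bjones", "terminated", date(2016, 3, 1)),
    HrRecord("1003", "cdoe", "terminated", date(2016, 3, 14)),
    HrRecord("1004", "dlee", "active", None),        # joiner, no account yet
]

DIRECTORY: List[DirAccount] = [
    DirAccount("asmith", True, "1001"),
    DirAccount("bjones", True, "1002"),               # leaver still enabled
    DirAccount("cdoe", False, "1003"),                # leaver correctly disabled
    DirAccount("xadmin", True, None),                 # nobody in HR owns this
    DirAccount("svc-backup", True, None, is_service_account=True),
]


def leavers_still_enabled(roster, directory, today, grace_days=0) -> List[str]:
    """Terminated employees whose account is still enabled after the grace period."""
    cutoff = today - timedelta(days=grace_days)
    gone = {r.employee_id for r in roster
            if r.status == "terminated" and r.end_date is not None
            and r.end_date <= cutoff}
    return sorted(a.username for a in directory
                  if a.enabled and a.employee_id in gone)


def orphan_accounts(roster, directory) -> List[str]:
    """Enabled accounts no HR record claims that are not declared service accounts."""
    known = {r.employee_id for r in roster}
    return sorted(a.username for a in directory
                  if a.enabled and not a.is_service_account
                  and a.employee_id not in known)


def joiners_without_account(roster, directory) -> List[str]:
    """Active employees for whom no directory account exists at all."""
    have = {a.employee_id for a in directory if a.employee_id}
    return sorted(r.username for r in roster
                  if r.status == "active" and r.employee_id not in have)


def reconcile(roster=HR_ROSTER, directory=DIRECTORY, today=AS_OF,
              grace_days=0) -> Dict[str, List[str]]:
    """Run all three checks; each list is a work item for IT, not a verdict."""
    return {
        "leavers_still_enabled": leavers_still_enabled(roster, directory, today, grace_days),
        "orphan_accounts": orphan_accounts(roster, directory),
        "joiners_without_account": joiners_without_account(roster, directory),
    }


if __name__ == "__main__":
    for check, users in reconcile().items():
        print(f"{check}: {', '.join(users) or 'none'}")
```

The orphan list is where shared admin accounts and "temporary" contractor accounts tend to surface, which is why declared service accounts are exempted explicitly rather than by a naming convention. Run a check like this daily, with a grace period that matches your offboarding SLA, and hand the output to the team that owns the directory rather than to the one that produced the HR export.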
Now consider legal, because business law matters. Legal covers areas like employee
rights to privacy. IT has in the past been called on by the business to retrieve emails or
files for legal cases against the organization. Legal could also come to IT requesting
forensic analysis of a laptop for potential insider data leakage to a competitor. Legal helps
IT set the parameters for such processes. Also, when IT is assessing the potential risks of
shadow IT moves by users, such as cloud-provided file shares, legal can provide guidance
on what recourse the company has if intellectual property needs to be retrieved from a
user's private file share.
Also, if IT would like to make a stronger case to the business that such services should be
blocked in the organization, legal can provide the needed justification from a business
and legal standpoint. Lawyers often get a more impactful response from stakeholders
who have liability. Legal departments also help set the guidelines for what the business is
required to report in the event of a cyber breach: the particulars of who has to be notified
and when, what type of information must be revealed to potential federal investigators,
and what needs to be held back to protect against potential legal consequences.
Think about the auditor, and about teaching your auditor while learning from them. Is
your organization bound by HIPAA, SOX, or PCI? Do you come under the purview of the
FTC or NERC? One of the ways to maintain positive standing with regulatory and
governmental entities is to collaborate. They are represented by individuals who many
times have to interpret the regulations and laws. Many times they don't have the
technical knowledge to properly judge your compliance. Working with them can smooth
the relationship, and give you an open channel to make your case on why the way you
are complying is appropriate.
Your company probably has a marketing group. It could be one person or a whole
department. Whatever you sell, someone has to brand your business in a noisy
marketplace. That is what marketing is there for. Along with the sales team, they are out
on the front lines trying to drive revenue. Ever had lunch with the director of marketing?
You should. Remember that your paycheck comes from the products and/or services
sold, and marketing has a hand in that. They have experience in branding, message
encoding, and persuading. Need to persuade decision makers? Need to get end users to
stop doing something? Check in with marketing. Reach out to them for help with your
internal messaging challenges. Next time you are struggling to get users to adopt that
new system (the one your team spent six months developing and testing), check with
marketing to see if they can help persuade the users.
An immutable law of cyber security is that if you can't physically secure your assets, you
no longer own them; that's why we need to consider physical security. It is critical that
your datacenter is physically secure and no one is wandering around your server racks.
It's also important that your wiring closets are secured and no one has attached a tap to
an edge switch. Usually we find ourselves integrating with physical security's systems,
like badge scanners and IP video surveillance. Within physical security there is a wealth
of information that can be leveraged to detect threats: a badge-in record is evidence of
who was where and when, and it can be checked against what the network saw.
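The two ideas meet in a small added example (mine, not the book's and not any vendor's): the "common model" called for under Communication 101 is a single event record that both a badge-reader export and a Windows Security log entry are normalized into, and the physical-security correlation is then one function over that common list. The badge export format, the workstation-to-site naming convention, and all of the sample records are constructed assumptions; the Windows facts relied on are real (event 4624 is a successful logon, and LogonType 2 is an interactive console logon).

```python
"""Normalize badge-reader swipes and Windows logon events into one common
event model, then flag console logons at a site with no badge-in behind them.

Added example with constructed data. Assumed: a badge export of the form
"timestamp,site,door,user,result", and a workstation naming convention
whose prefix identifies the site. Real: Windows event 4624 is a successful
logon and LogonType 2 is an interactive (console) logon.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass(frozen=True)
class Event:
    """The common model: every source ends up as one of these."""
    ts: datetime
    kind: str      # "badge_in" or "console_logon"
    user: str      # lower-cased account name
    site: str
    source: str    # the original record, kept for the analyst


# Constructed badge export (assumed vendor format, fictitious users).
BADGE_LINES = [
    "2016-03-15 08:02:11,HQ,Door-3,asmith,GRANTED",
    "2016-03-15 08:40:05,HQ,Door-1,cdoe,DENIED",
    "2016-03-15 07:55:30,DC1,Cage-A,svc-ops,GRANTED",
]

# Constructed Windows Security log entries (field names as in the exported event data).
LOGON_RECORDS = [
    {"TimeCreated": "2016-03-15T08:10:42", "EventID": 4624,
     "TargetUserName": "ASmith", "LogonType": 2, "WorkstationName": "HQ-WS-17"},
    {"TimeCreated": "2016-03-15T09:00:03", "EventID": 4624,
     "TargetUserName": "bjones", "LogonType": 2, "WorkstationName": "HQ-WS-22"},
    {"TimeCreated": "2016-03-15T08:45:10", "EventID": 4624,
     "TargetUserName": "cdoe", "LogonType": 2, "WorkstationName": "HQ-WS-05"},
    {"TimeCreated": "2016-03-15T08:50:00", "EventID": 4624,
     "TargetUserName": "dlee", "LogonType": 10, "WorkstationName": "HQ-WS-09"},  # RDP, not console
    {"TimeCreated": "2016-03-15T08:51:00", "EventID": 4625,
     "TargetUserName": "bjones", "LogonType": 2, "WorkstationName": "HQ-WS-22"},  # failed logon
]

SITE_BY_PREFIX = {"HQ-": "HQ", "DC1-": "DC1"}   # assumed naming convention


def parse_badge_line(line: str) -> Optional[Event]:
    ts, site, _door, user, result = line.strip().split(",")
    if result != "GRANTED":
        return None   # a denied swipe is not evidence of presence
    return Event(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "badge_in",
                 user.lower(), site, line)


def parse_windows_logon(rec: dict) -> Optional[Event]:
    if rec.get("EventID") != 4624 or rec.get("LogonType") != 2:
        return None   # only successful console logons imply a body at the keyboard
    ws = rec["WorkstationName"]
    site = next((s for p, s in SITE_BY_PREFIX.items() if ws.startswith(p)), "UNKNOWN")
    return Event(datetime.fromisoformat(rec["TimeCreated"]), "console_logon",
                 rec["TargetUserName"].lower(), site, str(rec))


def normalize(badge_lines, logon_records) -> List[Event]:
    """Both sources into the common model, ordered by time."""
    events = [e for e in map(parse_badge_line, badge_lines) if e]
    events += [e for e in map(parse_windows_logon, logon_records) if e]
    return sorted(events, key=lambda e: e.ts)


def console_logons_without_badge(events, window=timedelta(hours=12)) -> List[Event]:
    """Console logons with no granted badge-in by that user at that site in the preceding window."""
    badges = [e for e in events if e.kind == "badge_in"]
    return [logon for logon in events if logon.kind == "console_logon"
            and not any(b.user == logon.user and b.site == logon.site
                        and logon.ts - window <= b.ts <= logon.ts for b in badges)]


def flagged_users(badge_lines=BADGE_LINES, logon_records=LOGON_RECORDS) -> List[str]:
    return sorted(e.user for e in
                  console_logons_without_badge(normalize(badge_lines, logon_records)))


if __name__ == "__main__":
    for e in console_logons_without_badge(normalize(BADGE_LINES, LOGON_RECORDS)):
        print(f"{e.ts:%H:%M} {e.user}@{e.site}: console logon with no badge-in")
```

An empty badge trail is a lead, not proof: tailgating, a shared badge, and a reader outage all produce the same signal, so the output belongs in an analyst's queue, and the window should match the site's working day. The payoff of the common model is in the last two functions, which do not change when a second badge vendor or a Linux auth log is added; only a new parser is written.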

There are still other team members to consider: technology partners, integrators,
vendors, consultants, etc. Your team is not limited to internal employees. Consider
thinking differently about how you currently use your partners. Are you getting the most
out of them? Do you have too many? Are they all in the same domains? Do you not have
enough partners? What resources, like labs, can you leverage or practice on?
IT wants more than fulfillment and product pitches; IT needs business partners and
partnerships that assist with producing outcomes and experiences while reducing risk.
We need business partners to help battle complexity in system design and lifecycle
management.
There is an opportunity for your partners to distinguish themselves. Give your preferred
partners guidance on how you want to consume services and products; this significantly
curtails the VAR pricing battle over commodities, allows more design and assessment on
the front end, and lets you plan multi-system, multi-year initiatives to produce more
predictable project scheduling.
There is an opportunity for VARs to develop a business relationship beyond fulfillment.
They can truly offload work from your plate by proactively bringing new ideas to the
table and partnering on the toughest challenges. IT can begin by raising the standards
for VARs on projects, including design and architecture. IT should be able to ask
questions: what are the consumption possibilities, how can creative financing make our
investments CFO friendly, what can our staff offload to you? How are your partners
handing off to you at the end of a project? How do they handle features not available
from the solution at the time of implementation? Can you beta test the next version?
Can they work out some flexible financing?

Continuous Learning
Life University, where every day is another opportunity to improve. Never too young,
never too old, there is always more to learn and to understand.
This disruptive landscape also provides an opportunity for career development and skills
advancement. Instead of waiting for the inevitable role changes or being pushed out, look
to improve your technical skill set, basic business acumen, and leadership skills. IT
personnel can anticipate the changes around the corner and begin to transition to
expanded roles, sometimes with new responsibilities and titles: CIO to CTO or CEO,
administrators to architects, desktop support to mobile strategist, project manager to
analyst, admin to service delivery, security analyst to responder.
IT administrators can begin transitioning to architect roles. Some CISOs are making the
transition to risk officers, and some CIOs are starting to make the transition, potentially,
to CEO. All up and down the line, IT has capabilities that may be taken over by new
forces. In the future IT will have the chance to improve its technical, business, and
interpersonal skill sets. We can shape how our career path goes by focusing on abilities
such as "mining" raw data, performing analysis, and discovering new insights. We can
improve communication and presentation skills, as well as writing and speaking skills.
When such skills are developed, career opportunities for IT will expand. Pay attention to
new job titles that are on the market.
Math and Science in the early years are critical for the next generation of leaders and
thinkers in technology to help drive innovation, understand data analysis, and mitigate
risks to secure our future.
There is a great deal of concern that not enough young people are entering the
disciplines of science, technology, engineering and mathematics (STEM). Included under
the umbrella of STEM is information systems. For our young people to remain
competitive, they need to be introduced to the concepts of computer programming at a
young age. Tools like the Raspberry Pi, a credit-card sized computer at the fraction of the
cost of a tablet, can help kids learn that computers are about more than games and
socializing. Exposure to robotics teaches young people about how computers can be
made to interact with the world around them.

It is vital that we reach our future IT leaders when they are still kids. As an example,
consider this: for kids in poverty, computer science is a force multiplier, and in general
provides a potential path out [46]. Given access to computer science classes, courses,
and programs, they find their lives changed. The impact of these courses is a positive
opportunity – students relaying the happiness they feel when their family sees them
writing computer programs, and the sense of accomplishment when they succeed on an
assignment. Computer science gives young people a sense of empowerment and control
over their lives, and such experiences give us students who want to pursue a career in
computers.
We need to be learning when we are starting out, when we are in our prime, and even
near retirement age: continuous learning. In particular, all three groups should pay
attention to 1) coding skills, 2) security domain knowledge, and 3) data science. The
pattern of future success as an individual contributor to the IT team rests on the pattern
of continuous learning.
Map out your career path three years into the future. Compare announced layoffs and
track the new positions that open up. Look at the new technology programs opening up
in the universities. Check on the type of courses being offered online. Don't limit yourself
to what your organization is willing to spend on training for you; be willing to invest in
yourself. Make encounters with partners on projects a learning experience to gain more
knowledge. Encourage your partners to teach you how to fish at the pond. The days of
just ordering the #2 special and saying "call me when it's done" are coming to an end. IT
needs to understand how its systems work, even if someone else installs and/or monitors
them.
Learning Python is a fun and valuable skill. In the near future, most enterprise
architecture and software deployment will be programmable. On-box configuration will be
a relic of the past, and Python is a great way to learn to code this future architecture.
Become familiar with Microsoft PowerShell, now available on all Windows platforms. Of
course, a basic understanding of Linux is necessary. It runs most infrastructure today:
switches, routers, firewalls, embedded devices, smart tablets, and phones. Learning R
allows you to explore data sets statistically. Tinker with a Raspberry Pi to reinforce
Python, and also to become familiar with code interacting with hardware. Encourage
hacking and tinkering: Why? How does that work?
There are a wide variety of opportunities for continual learning, from formalized classes,
to self-paced online classes, to local meetup groups with interest in specific areas.
It’s important that we don’t forget the soft skills, too. In an article on CIOs, Computer
Weekly reported that “53% of IT leaders report a shortage of people with high-level
personal skills” in the workplace [47].

Power Tools
All heroes need tools to get things done. Get your tool belt ready in order to look, see,
visualize, understand, learn, and share by leveraging walks, talks, maps, trees, models,
and stats.

We will now discuss certain concepts that will greatly enhance your ability to understand
organizational and employee needs and opportunities, get your message across, and
inspire the change that is needed. IT has access to decades of knowledge, models, and
theories across many domains in business, economics, finance, communication,
engineering, science, and math to leverage for its use. IT needs to put on a tool belt and
break out some power tools.
Observe
To perceive and be cognizant of the current state by actively going to look and see.

Gemba Walk is the term used to describe personal observation of work, where the work
is happening. The original Japanese term comes from gembutsu, which means “real
thing.” This tool stresses three concepts: 1) in-person observation, the core principle of
the tool; 2) observing where the work is being done, as opposed to discussing a
warehouse problem in a conference room; and 3) interacting with the people and process
in a spirit of change for the better. [48]
In his article entitled: “Why Management Should Go to Gemba”, Sam Grier wrote “If you
seek solutions to problems that need to be fixed, go to Gemba. If you want to see the
work behind the reports, go to Gemba. If you want to show leadership, go to Gemba. Go
to where the work is performed and observe and engage with those who do it.” [49]
Go watch a security analyst work an incident. Watch a service desk employee work an
end-user call. Sit in on a project update with the app developer. Sit in on a change
management meeting. Sit in on a sales call or marketing meeting. Go visit a store, a
factory, or a remote office. Go where the work is being done, while it’s being done, by
the people doing the work. What do you see?
A retrospective is a blameless practice that seeks to learn from yesterday’s mistakes, to
understand them in today’s context, in order to improve tomorrow.
According to Waite and Lyons on the dZone Agile Zone “Retrospectives are used
frequently to give teams the opportunity to pause and reflect on how things have been
going and then, based on those reflections, identify the improvements they want to
make. Conducting retrospectives frequently and regularly supports a team to continuously
improve their performance...” [50]
Such retrospectives need to be done at short intervals and frequently to feed
improvement. Continuing from the article by Waite and Lyons, four questions to ask are:
1) what went well?; 2) what didn’t go so well?; 3) what have I learned?; 4) what still
puzzles me? [52]. These questions should be asked when a new application is being
developed, when a project is updated, when a VOIP system is being installed corporate-
wide, or when there are new initiatives to install a data collection system at remote
locations. Ask to join in the conversation after work has been done and reflect on these
four questions.
Visualize

Make the observable visible in a manner that can assist learning and sharing.
Visualizations are very powerful tools for seeing how processes work, understanding
entire systems, and sharing insights with others. Visualization of data is the creation and
study of the visual representation of data (a part of Data Science). Its goal is to
communicate information, and when implemented properly it succeeds in communicating
complex ideas with clarity, precision, and efficiency. Visualization can be used to tell a
story, or help the target audience to digest the information and insights you are trying to
highlight.
Consider that the transmission speed of the optic nerve is about 9Mb/sec (comparable to
fast image processing). This makes our eyes good for pattern matching and edge
detection. It also means that our eyes can interpret a massive amount of information
when packed into a small space, hence the power of visualization.
The power of visualization takes advantage of the brain’s ability to recognize patterns,
find trends, and consume a much larger amount of data in this format than in written or
oral formats.
When visualization is mentioned, many people’s minds jump to PowerPoint, but
remember that PowerPoint slides are not an end in themselves. PowerPoint is a tool that
empowers you to change the way you encode the message, if you choose to do so.
Many people have a negative view of Microsoft PowerPoint, often blaming bad meetings
on the tool. You have probably heard the famous saying “death by PowerPoint.” As a
result, people are looking more at whiteboarding to “solve” the problem. But is
PowerPoint really the problem?
If you focus on the message you are trying to get across as you develop the presentation,
this tool works just fine. Normally, the problem is the message and not the tool. If you
start to list the bad traits of PowerPoint, take a moment to look closer. These “bad traits”
are often design choices by the creator, not a requirement or constraint enforced by
PowerPoint. When you have something you want to say, time must be spent upfront to
craft the correct design.
Let’s take a look at some of the visualizations available and applicable to IT.
A map is a symbolic depiction highlighting relationships between elements of some
space, such as objects, regions, and themes. According to Wikipedia, “maps can be static
two-dimensional, geometrically accurate, or approximately accurate representations of
three-dimensional space, or even dynamic and interactive.” [51] Maps can represent any
space, real or imagined, without regard to context or scale. Although most commonly
used to depict geography, maps are very useful for visualizing processes, because their
relationships and entities can provide insight into causal relationships, allowing the
previously invisible to be clearly seen (and offering an improved understanding).
Process Mapping is used to visually map the process as it actually exists currently. It
provides an opportunity to see work duplication, delays, rework, and other non-value-
added activities. When done as a team that is involved in both upstream and downstream
directions, it is an excellent means to clarify, empathize, and provide improvement
guidance. Value stream maps include additional information that is often used in Lean
processes to find waste.
Kanban is an effective tool to support running a production system as a whole, and an
excellent way to promote improvement. A Kanban board is one of the tools which can be
used to implement the Kanban method for a project. Kanban boards are considered a
variation on traditional Kanban cards. Instead of the signal cards that represent demand
or capacity, the board utilizes magnets, sticky notes, colored washers, or plastic chips to
represent work items. Each of these objects represents an item in a production process as
it moves around the board. Its movement corresponds with a manufacturing process.
Kanban can be used to organize many areas of an organization and should be designed
accordingly. The simplest Kanban board consists of three columns: "to-do", "in progress"
and "done". More complex Kanban boards can also be created that visualize the flow of
work across a value stream map. [52]
Fault Trees are used in fault tree analysis to analyze undesired states or outcomes in
order to identify ways to reduce their probability of occurrence. Starting with the
undesired state at the root of the tree, we work backwards through Boolean logic (AND
and OR gates) to determine the different ways it could occur. IT can use them as a power
tool in all areas of risk mitigation, from detecting infrastructure design flaws, to software
bugs, to policy gaps. They have proven very useful for common mode failure, where the
complexity of our infrastructure makes it increasingly difficult to account for all the
dependencies. One example of a good application would be the introduction of a
business-critical process at a branch location whose infrastructure has not been updated
to account for the new SLA and criticality factors. Often, cost pressures limit the level of
system redundancy at remote locations, so initial design considerations and assumptions
must be revisited. Fault tree analysis is an effective tool for that review.
Attack Trees share some similarity with fault trees. They visually show how
organizational assets might be attacked. They are very useful for threat modeling and
determining appropriate security controls to mitigate risk. For example, understanding
the TTPs used against mobile workers can give insight into the best way to approach the
question of BYOD policies, as this challenge can only be properly addressed by analyzing
the actual technical domain of the issue.
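The fault-tree and attack-tree paragraphs above both come down to the same mechanics: a root event, AND/OR gates, and leaves whose probability a control or redundancy can change. The following Python evaluator is an added example, not code from the book: it computes the probability of the root event, enumerates the minimal cut sets (the distinct “ways it could occur”, which expose single points of failure), and shows how re-running the tree after a control is applied quantifies the mitigation. The two trees, their event names, and every probability are constructed for illustration only; they follow the branch-office scenario and the mobile-worker/BYOD threat model from the text rather than any real data. Children of a gate are assumed independent, which is the usual simplifying assumption when no dependency data is available.

```python
"""AND/OR tree evaluator for fault trees and attack trees.

Added example, not from the book. Event names and probabilities are
constructed for illustration; children of a gate are assumed independent.
"""
from dataclasses import dataclass, replace
from itertools import product
from typing import List


@dataclass(frozen=True)
class Event:
    """Basic event (leaf) with an estimated probability of occurring."""
    name: str
    prob: float


@dataclass(frozen=True)
class Gate:
    """Intermediate node combining its children with AND or OR logic."""
    name: str
    kind: str        # "AND" or "OR"
    children: tuple  # of Event or Gate


def probability(node) -> float:
    """Probability that the node's event occurs (independent children)."""
    if isinstance(node, Event):
        return node.prob
    ps = [probability(c) for c in node.children]
    if node.kind == "AND":      # every child must occur
        out = 1.0
        for p in ps:
            out *= p
        return out
    if node.kind == "OR":       # at least one child occurs
        none_occur = 1.0
        for p in ps:
            none_occur *= 1.0 - p
        return 1.0 - none_occur
    raise ValueError(f"unknown gate kind {node.kind!r}")


def minimal_cut_sets(node) -> List[frozenset]:
    """Minimal sets of basic events that together cause the top event.

    A one-element cut set is a single point of failure; a multi-element set
    shows which combination a redundancy or control would have to break.
    """
    if isinstance(node, Event):
        return [frozenset([node.name])]
    child_sets = [minimal_cut_sets(c) for c in node.children]
    if node.kind == "OR":       # any child's cut set is enough
        candidates = [s for sets in child_sets for s in sets]
    else:                       # AND: one cut set from every child, merged
        candidates = [frozenset().union(*combo) for combo in product(*child_sets)]
    # keep only candidates that contain no strictly smaller candidate
    return [s for s in set(candidates) if not any(o < s for o in candidates)]


def with_control(node, event_name: str, new_prob: float):
    """Copy of the tree with one leaf's probability changed, to model the
    effect of adding a control or redundancy (constructed helper)."""
    if isinstance(node, Event):
        return replace(node, prob=new_prob) if node.name == event_name else node
    return replace(node, children=tuple(
        with_control(c, event_name, new_prob) for c in node.children))


# Fault tree: business-critical process at a branch with limited redundancy.
BRANCH_OUTAGE = Gate("branch critical process unavailable", "OR", (
    Gate("connectivity lost", "AND", (
        Event("primary circuit fails", 0.05),
        Event("backup LTE fails", 0.20))),
    Gate("local server unavailable", "OR", (
        Event("server hardware fault", 0.02),
        Event("reboot outside maintenance window", 0.01))),
    Gate("site power lost", "AND", (
        Event("mains outage", 0.10),
        Event("UPS fails", 0.05))),
))

# Attack tree for a BYOD / mobile-worker threat model: the root is the loss
# the defender wants to prevent; leaves are conditions a control can change.
MOBILE_DATA_EXPOSED = Gate("corporate data exposed via mobile worker", "OR", (
    Gate("lost or stolen device is readable", "AND", (
        Event("device lost", 0.10),
        Event("no disk encryption", 0.30))),
    Gate("stolen credentials reused", "AND", (
        Event("phishing succeeds", 0.05),
        Event("no MFA on remote access", 0.40))),
))


if __name__ == "__main__":
    for tree in (BRANCH_OUTAGE, MOBILE_DATA_EXPOSED):
        print(f"{tree.name}: P = {probability(tree):.4f}")
        for cut in minimal_cut_sets(tree):
            print("  cut set:", sorted(cut))
    hardened = with_control(MOBILE_DATA_EXPOSED, "no MFA on remote access", 0.0)
    print(f"with MFA enforced: P = {probability(hardened):.4f}")
```

Reading the output the way the text suggests: the branch tree has two single-event cut sets (a server hardware fault and an unscheduled reboot), which is exactly the kind of assumption that must be revisited when the branch takes on a new SLA; the attack tree shows that enforcing MFA removes one whole cut set, and the before/after probabilities give the business a number to weigh against the cost of the control.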
Understand

To understand is to improve one’s knowledge and challenge assumptions about a
situation.
There are different approaches to gaining an understanding about a topic, whether it be a
system or the cause of a failure.

Descriptive statistics are numbers used to describe data. In a world deluged with data,
we need a way to present a summary of the raw data to allow for interpretation by the
audience. IT will often use them to support its case for new budget, as justification for
necessary changes, or simply to persuade. For example, IT might be required to
summarize how our systems are actually used, instead of guessing. This leads to more
questions, such as exactly how many of our users use personal devices. How often do our
users go to dangerous sites? How much time do they spend looking for information on our
systems?
Wikipedia provides a good definition of experiments: “An experiment is a procedure
carried out to verify, refute, or establish the validity of a hypothesis.” [53] As a result,
they provide valuable insight into cause-and-effect by manipulating different factors and
observing the outcome. Experiments vary greatly in both goal and scale, but a key
characteristic of true experiments is their reliance on repeatable procedure and logical
analysis of the results.
Experimentation, when done properly, should follow the Scientific Method. The Scientific
Method is a powerful methodology whose impact cannot be overstated. Used in all major
technological, scientific, and mechanical advancements of our modern society, it allows
us to explore observations and answer questions in our search for cause and effect.

Models are very useful for understanding our environment and how it responds to
changes in certain factors. One definition is as follows: a generalized, hypothetical
description, typically based on an analogy, used to analyze or explain. We can use models
in budgeting and security. “Models capture relationships among many factors to allow
assessment of risk or potential associated with a particular set of conditions, guiding
decision making for candidate transactions.” [54]
Present
To present is to provide a platform to deliver messaging to an audience in order to inform,
share, persuade, reassure, and inspire.
The goal of a Presentation is to inform, persuade, reassure, and inspire. It is one of the
most important tools in leading change. Storytelling is one type of presentation. As such,
it is one of the oldest and most powerful tools in human history for transmitting
information, inspiring change, and leading others to action.
Storytelling is an effective narrative means of communicating within the realm of
business, offering various benefits and advantages. For example, it can help the speaker
remain inside the constraints of time. Crafting a story can also embed your message,
which could include objectives, purposes, company data and information, and the call to
action. This allows the complete message to be delivered in a short period of time, and to
be perceived by the receiver as deserving the time needed to reach the end.

Stories are used in marketing, sales, and speeches. When used well, they are able to
convince their audience to make a change. In the case of marketing, in the format of a
commercial or news ad, the messenger is able to convey a message that encourages the
receiver to go out and purchase the product. In sales, a representative is able to convince
a potential buyer that their product is the best for their business. After hearing a very
convincing story of success from a sales rep based on a past customer, the new customer
is sold on the solution. In a speech, a speaker is able to convey the urgency of a call to
action by relaying a story that has all the elements necessary to engage the audience,
relate to where they currently are, and provide a convincing call to action. This results in
a path for the audience to heed the words of the speaker.
To be most effective in presenting a story, clearly represent the baseline of a situation as
it exists before implementing changes. This allows you to include a more concrete story
of what is contrasting with the changes you are leading.
Anytime IT is speaking to an audience outside of IT, it should be taken for granted that
some level of translation is required. Another tool that IT should not forget when
implementing storytelling is the use of patterns. These can be used in translating techno-
talk to C-level, translating C-level to techno-talk, translating risk-talk into tech-talk and
into C-level, as well as translating apps into infrastructure requirements.
Let’s take a look at some of the areas where a story can be valuable to its effort to
educate, convince, or inspire our business counterparts.
It can often prove very difficult to educate the business to perform a task or process a
certain way that is counter to what could be perceived as the easier way. One very
important area involves taking care of how data is handled. Oftentimes, end users find it
more convenient to copy corporate files from shared locations down to their personal
device, such as a laptop, to make it easier for them to work on it when they leave the
office. IT has been in the position of having to track down and restore lost data: data that
was never updated back on the corporate file share, data that only existed on the
individual laptop, and data which had just been reported as lost by the end-user. An IT
initiative to expand or improve centralized data storage, as well as govern and secure said
data, could prove a wasteful expense if in fact the end-users do not actually use the
resource. This leads to an example where a story-telling approach might be beneficial.
There was an end-user named John, who thought he knew better. John is an engineer,
and a very smart and sharp employee. He was pretty tech savvy, especially around the
house. John works on very large engineering drawings which he needs to have access to
at all times. John decided to take upon himself the storage of said protected data. He
goes out and uses Dropbox, a free file sharing service in the cloud where he can back up
all his engineering drawings for a very low price and feel assured that his data is
protected.
John, in this case, is an example of a conscientious end-user who went the extra mile to
protect his data. Enjoying the benefits of being mobile, he can now get his work done
while out of the office, in any location he wants.
Chapter 10: Leading

IT is critical to businesses’ ability to compete and survive in the marketplace. IT is
positioned to influence outcomes and experiences. Where it can, IT can help lead the
way.

Leadership
Leadership can be defined as follows: “Leadership is the art of motivating others to want
to struggle for shared aspirations,” from a presentation by Malcolm Harkins, Global Chief
Information Security Officer of Cylance.
So exactly who is this we? When I make the case that IT should lead, or that we should
lead, exactly who am I referring to? Also, what do we mean by leading? Who is we in this
leading? And, who is being led? Don’t you need a title to lead? Don’t I have to be the
boss to lead? Won’t someone else take care of that? Can’t I wait it out?
Leaders are not born, entitled, or given super powers. Leaders can be any of us,
regardless of our standing in the organizational chart, time on the job, or assigned role.
Leaders are defined by their actions, ability to influence others, and ability to help
overcome obstacles. Anyone can imagine new ways of thinking, inspire others, and help
guide team efforts in the right direction. Also, anyone can be influenced by another to
help their cause; thus anyone can lead and be led. Unfortunately, if no one, including
those who technically may have been tagged as a leader, steps forward, the work that
needs to be done can linger unfinished for a long time: victory to the status quo.
The future viability of your organization, the relevance of IT, and the prospects for your
future career all depend on change taking place to stay relevant. If no one else is leading,
then it is in your own best interest to step forward.
The nature of leadership is changing. We are moving away from a command and control
leadership style where wisdom comes from an all-powerful, all knowing, charismatic
leader, inspiring the masses.
Leadership is dispersed across the organization. Many processes and innovations exist
because someone took it upon themselves to do what was necessary. Often never written
down or featured in a corporate video, these individuals brought enough people along to
attain some shared goal.
No one can wait for the next great charismatic leader to show up with a new
transformation project. The time window for transformation is shrinking every year as the
pace of disruptive change continues.
Leadership can be seen in everyday life. Everything is now left in your hands. Your career
path, job future, and financial and health wellbeing mean that your quality of life is now,
more than ever, in your hands. You have to embody the change you want in the world.
Your ability to influence the outcome is in your hands.

The IT Value Proposition

When you have something of value, others value you more. They are more apt to be led
and join your cause.
When distributed leaders work in concert together as a winning team, IT can elevate its
relevance. The value proposition is this: IT helps the business win in the marketplace. We
bring new customer value by building newer code, deploying new technology, and
mitigating risks enough to allow us to operate everywhere and anytime. We collect raw
data, refine it, and make it available to the business. This is often out of sight for end
users, but different business users will ask different questions of the same underlying
data. There are overlaps in the data needed by the marketing department to understand
how customers are making use of their products, by plant facilities optimizing floor
equipment, and by a security operations center trying to determine if a breach has
occurred. All rely heavily on IT to serve up actionable data. IT has the valuable
perspective of seeing aspects of operations across multiple facets of the organization, and
can pool resources accordingly.
Of all the possible outcomes in business, IT can help tip the scales so that most of the
outcomes are positive for the organization and deliver value. One of the ways to
showcase our value and understanding of business imperatives is to make sure we are
always delivering value. The markets and industries that we operate in are wide and very
diverse. That value will be specific to your business. With the power tools we have
discussed at hand, you will be able to engage the business to answer the questions that
matter the most to the stakeholders, focusing on what they value and where you can
make a difference.

We must ensure that we value the money that the business entrusts us with. Often we
can leverage free, simple, and fast solutions to make our impact felt. Ask yourself this:
are you leveraging all the features, capabilities, and benefits you have already bought?
Do the board and CEO view your group as one that values a dollar? Educate the board on
a regular basis. Market your wins to the business on a regular basis. Spread the word on
new features and capabilities. Show them how you are making use of the tools you
already have at your disposal. Provide avenues of training, and share the knowledge held
in the IT department. Most of the C-suite is inundated with technology in their personal
lives and at home; extend a helpful tip.
How simple can it be? Consider this: does everyone use the basic features of Microsoft
Excel? Can someone in sales pull relevant data points from your data sources to use in
an existing formula to provide more timely outputs?
Do you advertise what you already have accomplished? Did an upgrade on your wireless
network just enable support for using Apple Bonjour to print from iPad to that nice shiny
color laser printer down the hall? Did one of your developers just add a new lookup
feature on the product web portal for historical order listings saving time? Did you just
finish deploying new scripts to automate loading truck routes over 4G networks to the
drivers in the field?

Make a list of the major IT projects you completed over the last year. Then map those to
digital enablement initiatives and business priorities and pain points. Communicate the
success. Upstream or downstream of you, someone is benefiting from the work you are
doing. Think about it.
IT can do even more to help the business make decisions in the land of uncertainty. And
where some of the possible outcomes involve a loss, injury, catastrophe, or are just
simply undesirable, then we can do better at managing those risks with true quantitative
alternatives and rational changes.
IT is the champion of mining data and process information, the virtual oil that is used to
deal with uncertainty in business operations and decision making.
The CIO helps the organization analyze data. Data is information with context and
meaning. IT helps build the systems that provide to the organization plans, tools, and
procedures for collecting, displaying, analyzing, and interpreting data to help the business
operate and win.

IT understands how to increase profits by using our digital and human assets, while
simultaneously holding down operating costs and limiting the impact and likelihood of
unwanted outcomes.
IT is at the apex of business: technology has effects, strategy matters, and
communication matters. IT is vital in helping to drive productivity across the
organization. The next generation of IT will work with principles such as agility,
simplicity, standardization, prediction, service orientation, efficiency, and resilience.
We imagine, we re-imagine, we dare, we innovate, and we take chances. We are
informative, helpful, collaborative, innovative, lean, and fast. Our lives depend on it. Our
success depends on it. The 1st time we are surprised, the 2nd time we learn, the 3rd time
we adapt. We are champions of our people, our services, our value, and our results. We
measure, we experiment, we fail, we learn from failure. We give and receive feedback.
We incorporate the feedback in a timely fashion and feed it back into our decision
making process.
IT must help build a culture that eats strategy, a strategy that challenges the status quo
and whose outcome is a high performing organization. Culture is the nature of how we
work and collaborate. It takes more than writing checks, approving projects, hiring more
talent, and doing more training to build a culture of success. First we have to help change
the culture, and IT is an integral part of that.
IT is responsible for using technology to deliver on organizational goals for growth,
productivity, efficiency, innovation, and improved customer experiences. IT should be
leading technology-driven business innovation at their organizations, not mired in the
daily concerns of running IT.

The Opportunity
“Opportunity is missed by most people because it is dressed in overalls and looks like
work,” a saying attributed by many to Thomas Edison.
Will you know it when you see it?
Look more closely to see opportunity. When you look closer at the things that matter
most to you, your teammates, and your organization, and you feel that the challenges in
front of you are not getting the best from everyone...then you have found an opportunity.
When something that appears bad happens, look for what conditions are produced that
may lead you down a different path, one where your thinking is challenged.
When there is tension between what we say we want to accomplish and how we currently
approach our challenges, and the two are not matched by intent, focus, capability, and
applied effort by you, IT, and the organization...then tomorrow brings opportunity.
We can apply our knowledge and experience to help reduce the probabilities and impact
of unwanted outcomes for the business. We have the opportunity to reduce business risk
in its many forms by helping our organization deal with market disruption, technology
complexities, and the ability to adapt.
I like how this was expressed by the author of the blog, Philosoblog:

“Most people expect opportunity to knock on their door from time to time. But what do
you expect to see when one opens the door? Many expect to see opportunity dressed in a
suit, holding a bouquet of balloons and a very large check…unfortunately, that’s not what
opportunity is, at least for 99.9% of us. Opportunity is just that, an opening, a chance to
apply yourself and make something happen. Opportunity, when it knocks on your door, is
usually a chance to work your butt off for a significant amount of time with the hope for a
great reward at the end (if everything goes well)…here, when I say hard work, I mean
work of a non-trivial level of effort over a non-trivial period of time. Hard work is the
opposite of feather dusting the coffee table. And I don’t just mean physical work.
Planning, organizing, putting something together, that can be hard work for the brain”.
[55]
When finite time is broken up with time set aside for maintenance, learning, thinking, and
sharing, then we are putting in the work necessary to capitalize on the opportunities to
help our organizations. And help can come in any form; don’t limit how you believe it
should look.
Recall our discussion of visualization. Visualizations can also serve as a tool to help see
the opportunities that are before us. We need to map the opportunities that are available
to inspire us to detect what others don’t see yet. That gives us the visibility into what
should garner our greatest attention.
The “Opportunity Never Sleeps” Working Group

When mapping opportunity, there are certain useful patterns to document and discuss.
The key points to focus on here are as follows. Seek to fix broken stuff, do it relatively
quickly, and communicate value to others until it is understood. Hold the entire team
accountable. Build in a safe environment that encourages a blameless culture, seek to be
understood, and seek to understand.
First, go through this mapping exercise yourself. On a blank sheet of paper, write down
all the challenges in front of you personally. Then write what you see as ways you could
influence the changes you believe need to be made. Finally, write down how you believe
you can improve your contribution to your organization.

Then move on to your immediate team. In a trusted environment, repeat the process,
this time on a whiteboard, for everyone to see. Spark discussion. Be as specific as
possible to really define current problems. Challenge yourself and ask whether these
problems are being confronted as a team. Consider the talent in the room: do you believe
the best effort is being brought to bear? If you believe particular problems are important
enough to be fixed, then, as specifically as possible, intentionally design a course of
action.
Move on to another team to get them to join yours in this conversation. Now add to the
discussion handoff points, inter-team communications, and resource sharing. Surprise
each other by sharing what is giving you the most problems and how you think you could
help them get their work done.
Continue until you are looking at the whole IT team, that end-to-end value stream from
CIO to service desk. See both problems and possibilities. Re-imagine, experiment, and
improve. What business process, product, service, or experience can you positively
influence as a team?

You are IT: this could be your moment

How is your organization doing? If not great, why not? If not ok, why not? What are you
prepared to do about it? If things need to change, is there currently anyone leading the
charge on that front? If so, is that someone you? Is the last IT transformation effort stuck
in the ditch? Are you the change agent that is needed to start the process of reimagining
IT to help your business navigate market disruption, technology complexities, and risks?
So, what are you going to do? IT is made up of individual people. IT changes because the
individuals change. It may be your time to make a decision.
The status quo reigns supreme when the gap between what people think about how
something should work, and how it actually works is not apparent.

If your organization believes it is doing everything possible to maintain market share and
you think this is incorrect, how will you change your actions tomorrow to help others see
the possibilities? If the organization is assuming an unnecessary level of risk in an area
because of lack of awareness, what are you going to do to enlighten them on the true
state? And don’t fall into the trap of believing any action is too small. Someone down the
hall could benefit from something as simple as creating an Excel formula, building a
different type of report, updating the layout of an app, or allowing users in the field the
ability to connect remotely to fill out “paperwork”.
Market share, revenue performance, and business goal attainments all hinge on the
ability to see and capitalize on opportunities and mitigate against risks. What role will
you play in making this possible every day?
The focus here on risk is the acknowledgment of the criticality of mitigation strategies
that make sense for your particular organization to enable business initiatives, processes,
and innovations.
Once you realize how much you have at stake, you realize how much potential risk there
may be. Around every corner, around every business action, every day, across the
organization, there are many possibilities for negative consequences.
Business deals with risk every day, from the accounting department, to sales, to the
executives. IT can learn from them how they think about risk, approach it, and mitigate
it. Learning the language that is used is important to being able to communicate
effectively on today’s digital disruptions and the accompanying risks.
The mitigation of risk is a critical discipline for businesses to overcome challenges and
constraints to innovation, to maintain normal business operations, and to survive
disruption.
Our disruptive digital world indeed is complex, fast, and risky. As we have seen, our world
is filled with a myriad of risks that are constantly changing in form, impact, and
probability – risk never sleeps!

But we have also seen that there are many ways we can mitigate risks and increase our
chances of benefiting from positive outcomes. There are many possibilities and ways to
overcome the challenges in our world. Be the change agent your organization, your
co-workers, and you need: go disrupt and transform. The biggest risk in life may be not
taking advantage of the opportunities in our lives. Indeed, risk is not the only thing that
is always awake. The good news is that opportunity never sleeps.

About the Author

William knew we could all do better. He had a feeling we were taking the long way
around in circles, avoiding the work that needed to be done, and settling for okay.
Something told him that the clock was ticking on our opportunities. If we didn’t take
advantage of them, we would regret it later in life. Tomorrow is not promised. The biggest
assumption we make is that we will see tomorrow. We are mired in working on things
outside our control, when we could influence more positive outcomes and experiences in
life if we focused on what was possible.

But to do that, we had to understand our condition and how the world actually works, not
how we thought or wanted it to work. We had to start working on the actual sources of
the problems, not get stuck working around symptoms. We had to start constructing a
course of action that was actually designed to accomplish our stated goals. We had to
monitor our progress to ensure we stayed on course.
He has seen firsthand the technical debt, silos, broken communication, despair of IT, and
business frustrations. And, he has seen the possibilities, the hopes, and the opportunities.
He believes we have been blessed with great opportunities to continue to improve
ourselves and our organizations. There is no reason enterprise IT cannot reach new heights
and help our businesses thrive in an age of disruption, complexity, and risk.
William has seen the challenges, constraints, and risks while working in the trenches of
IT. He has worked for multiple technology value added resellers, representing the major
vendors and technologies in the industry, and has held various roles in IT. As someone
who has spent over 20 years analyzing, designing, building, defending, and supporting
technology infrastructure for many businesses, and who has followed the technology
trends and cyber threats, he sees the opportunities for our organizations and for us as
individuals in a fulfilling career in technology.
We are a generation that cannot afford to squander the resources, knowledge, talent,
and responsibilities in front of us. What we know, we cannot deny. Our failure would be
unacceptable.
These days, William is actively learning more about decision making support, which
includes data science, learning how to build data models in Excel, and visualizing
workflows to better understand how systems work.
His passion is bringing a fresh perspective to a problem and inspiring a team to tackle it
and win, and helping individuals and organizations make better decisions to improve
outcomes and experiences.
He is now a first time author with plans to publish more, build a change platform, and
inspire a new generation of young and old technologists to design, build, and defend our
digital world.

He has consulted across major industries, including banking, health care, retail, oil & gas,
education, government, finance, legal, and construction. He received his B.A. in
International Studies from Roosevelt University in Chicago, IL. He currently resides in
Houston, TX.

Works Cited

[1] P. Robles, "Despite big data investments, retailers struggle with inventory issues," 5
December 2015. [Online]. Available: https://econsultancy.com/blog/67269-despite-big-
data-investments-retailers-struggle-with-inventory-issues/. [Accessed 22 December
2015].
[2] T. Spring, "Cisco's Chambers: 'Disrupt yourself, or be disrupted'," 7 January 2015.
[Online]. Available: http://www.crn.com/news/networking/300075285/ciscos-chambers-
disrupt-yourself-or-be-disrupted.htm. [Accessed 22 December 2015].

[3] M. Andreessen, "Why software is eating the world," 20 August 2011. [Online].
Available:
http://www.wsj.com/articles/SB10001424053111903480904576512250915629460.
[Accessed 17 December 2015].
[4] C. Metz, "Google Is 2 Billion Lines of Code—And It’s All in One Place," 19 September
2015. [Online]. Available: http://www.wired.com/2015/09/google-2-billion-lines-codeand-
one-place/. [Accessed 17 December 2015].
[5] D. Weeks, "The 2015 State of the Software Supply Chain Report," Sonatype, 2015.
[6] Verizon, "Verizon 2015 Data Breach Investigations Report," Verizon, 2015.
[7] Codenomicon, "Heartbleed," 29 April 2014. [Online]. Available:
http://heartbleed.com/. [Accessed 18 December 2015].

[8] J. Phillip, "The Staggering Cost of Economic Espionage Against the US," 3 January
2014. [Online]. Available: http://www.theepochtimes.com/n3/326002-the-staggering-
cost-of-economic-espionage-against-the-us/. [Accessed 18 December 2015].
[9] Wikipedia, "Consumerization," 1 October 2015. [Online]. Available:
https://en.wikipedia.org/wiki/Consumerization. [Accessed 18 December 2015].
[10] B. Hope, "NYSE Says Wednesday Outage Caused by Software Update," 10 July 2015.
[Online]. Available: http://www.wsj.com/articles/stocks-trade-on-nyse-at-open-
1436450975. [Accessed 18 December 2015].
[11] C. Drew, "United Airlines Grounds Flights, Citing Computer Problem," 8 July 2015.
[Online]. Available: http://www.nytimes.com/2015/07/09/business/united-airlines-
grounds-flights-citing-computer-glitch.html?_r=0. [Accessed 18 December 2015].
[12] B. Olson, M. Vargas and D. Lezon, "Computer virus shuts down Houston Municipal
Courts," 6 February 2009. [Online]. Available: http://www.chron.com/news/houston-
texas/article/Computer-virus-shuts-down-Houston-municipal-courts-1742589.php.
[Accessed 18 December 2015].

[13] M. Fisher, "Syrian hackers claim AP hack that tipped stock market by $136 billion. Is
it terrorism?," 23 April 2013. [Online]. Available:
https://www.washingtonpost.com/news/worldviews/wp/2013/04/23/syrian-hackers-
claim-ap-hack-that-tipped-stock-market-by-136-billion-is-it-terrorism/. [Accessed 18
December 2015].
[14] T. Karppi and K. Crawford, "Social Media, Financial Algorithms and the Hack Crash,"
Theory Culture & Society, pp. 1-20, 4 May 2015.
[15] T. Kitten, "Chase's Cybersecurity Budget to Double," 10 October 2014. [Online].
Available: http://www.bankinfosecurity.com/chases-cybersecurity-budget-to-double-a-
7427. [Accessed 18 December 2015].
[16] A. Carman, "NSA chief confirms physical retaliation could be warranted in cyber
attack response," 12 May 2015. [Online]. Available:
http://www.scmagazine.com/michael-rogers-gives-speech-at-george-washington-
university/article/414267/. [Accessed 28 December 2015].
[17] K. Zetter, "An Unprecedented Look at Stuxnet, the World’s First Digital Weapon," 3
November 2014. [Online]. Available: http://www.wired.com/2014/11/countdown-to-zero-
day-stuxnet. [Accessed 18 December 2015].
[18] T. Armerding, "Chinese spies target US intellectual property," 24 August 2015.
[Online]. Available: http://www.csoonline.com/article/2973542/security-industry/chinese-
spies-target-us-intellectual-property.html. [Accessed 17 December 2015].

[19] O. Pawlik, "ISIS hacker who exposed troops' personal info killed in drone strike," 27
August 2015. [Online]. Available:
http://www.militarytimes.com/story/military/2015/08/27/isis-hacker-who-exposed-
troops-personal-info-killed-drone-strike/32461467/. [Accessed 18 December 2015].
[20] Department of Homeland Security, "What Is Critical Infrastructure?," 17 September
2015. [Online]. Available: http://www.dhs.gov/what-critical-infrastructure. [Accessed 18
December 2015].
[21] N. Schmidt, "Cardinals Investigated for Hacking Into Astros’ Database," 16 June
2015. [Online]. Available: http://www.nytimes.com/2015/06/17/sports/baseball/st-louis-
cardinals-hack-astros-fbi.html. [Accessed 18 December 2015].
[22] Wikipedia, "Malware," 20 December 2015. [Online]. Available:
https://en.wikipedia.org/wiki/Malware. [Accessed 29 December 2015].
[23] Ponemon Institute LLC, "2015 Global Study on IT Security Spending and
Investments," Dell SecureWorks, 2015.

[24] Department of Homeland Security, "The Broken Cybersecurity Cost Model- And How
Information Sharing Can Fix It," 9 July 2015. [Online]. Available:
http://www.dhs.gov/blog/2015/07/09/broken-cybersecurity-cost-model-and-how-
information-sharing-can-fix-it. [Accessed 20 December 2015].

[25] IT Revolution, "Manifesto," IT Revolution Press, [Online]. Available:
http://itrevolution.com/manifesto/. [Accessed 1 January 2016].
[26] Wikipedia, "Internet of Things," 1 January 2016. [Online]. Available:
https://en.wikipedia.org/wiki/Internet_of_Things. [Accessed 1 January 2016].
[27] V. Beal, "API - application program interface," [Online]. Available:
http://www.webopedia.com/TERM/A/API.html. [Accessed 29 December 2015].

[28] Apigee Corporation, "About," [Online]. Available: http://apigee.com/about/apigee.
[Accessed 29 December 2015].
[29] B. Koles, "A company without APIs is like a computer without the Internet," 29
November 2013. [Online]. Available: http://readwrite.com/2013/11/29/company-without-
api-computer-without-internet. [Accessed 29 December 2015].
[30] A. Khoury, "Stephen Curry among other warriors to use wearable tech during
practice," 16 November 2015. [Online]. Available:
http://www.digitaltrends.com/wearables/golden-state-warriors-wearable-tech-reduce-
injuries/. [Accessed 28 December 2015].
[31] J. Bertolucci, "10 powerful facts about big data," 10 June 2014. [Online]. Available:
http://www.informationweek.com/big-data/big-data-analytics/10-powerful-facts-about-
big-data/d/d-id/1269522. [Accessed 28 December 2015].

[32] M. Conner, "Data on Big Data," 18 July 2015. [Online]. Available:
http://marciaconner.com/blog/data-on-big-data/. [Accessed 9 December 2015].
[33] D. Hubbard, How to Measure Anything: Finding the Value of Intangibles in Business,
Third ed., Wiley, 2014.
[34] Lean Enterprise Institute, "What is Lean?," [Online]. Available:
http://www.lean.org/WhatsLean/. [Accessed 29 December 2015].
[35] Microsoft, "Ten Immutable Laws Of Security (Version 2.0)," [Online]. Available:
https://technet.microsoft.com/en-us/library/hh278941.aspx. [Accessed 29 December
2015].
[36] PwC, "Why you should adopt the NIST Cybersecurity Framework," PwC, 2014.
[37] NIST, "Cybersecurity Framework," 11 December 2015. [Online]. Available:
http://www.nist.gov/cyberframework/. [Accessed 28 December 2015].

[38] G. Goldman, "Your Samsung TV is eavesdropping on your private conversations," 10
February 2015. [Online]. Available:
http://money.cnn.com/2015/02/09/technology/security/samsung-smart-tv-privacy.
[Accessed 30 December 2015].

[39] Krebs on Security, "Security Firm Bit9 Hacked, Used to Spread Malware," 13 February
2013. [Online]. Available: http://krebsonsecurity.com/2013/02/security-firm-bit9-hacked-
used-to-spread-malware/. [Accessed 28 December 2015].
[40] SANS Digital Forensics and Incident Response, "Community: Cheat Sheets,"
[Online]. Available: http://digital-forensics.sans.org/community/cheat-sheets. [Accessed
30 December 2015].

[41] National Weather Service, "About the NOAA National Weather Service," [Online].
Available: http://www.weather.gov/about. [Accessed 30 December 2015].
[42] O. Kharif, "Tech Blog," 29 August 2012. [Online]. Available:
http://go.bloomberg.com/tech-blog/2012-08-29-average-household-has-5-connected-
devices-while-some-have-15-plus. [Accessed 15 December 2015].
[43] D. Forrester, "Culture Really Does Eat Strategy for Breakfast," 19 August 2014.
[Online]. Available: http://www.entrepreneur.com/article/236603. [Accessed 15
December 2015].
[44] Wikipedia, "Communication," 11 December 2015. [Online]. Available:
https://en.wikipedia.org/wiki/Communication. [Accessed 15 December 2015].
[45] N. Jain, "Run marathons, not sprints," in 97 Things Every Project Manager Should
Know: Collective Wisdom from the Experts, O'Reilly Media, 2009, p. 96.
[46] J. Budisantoso, "Computer science is a way out of poverty," 10 December 2015.
[Online]. Available: http://www.usnews.com/news/stem-
solutions/articles/2015/12/10/op-ed-computer-science-is-a-way-out-of-poverty. [Accessed
15 December 2015].
[47] S. Manwani and D. Flint, "From manager to chief information office," November
2004. [Online]. Available: http://www.computerweekly.com/feature/From-manager-to-
chief-information-office. [Accessed 15 December 2015].
[48] "The Many Sides of a Gemba Walk," [Online]. Available:
http://www.isixsigma.com/methodology/lean-methodology/many-sides-gemba-walk/.
[Accessed 18 December 2015].
[49] S. Grier, "Why Management Should Go To Gemba," [Online]. Available:
http://itmanagersinbox.com/245/why-management-should-go-to-gemba/. [Accessed 15
December 2015].

[50] L. Waite and C. Lyons, "The 4 Questions of a Retrospective and Why They Work," 15
January 2013. [Online]. Available: https://dzone.com/articles/"4-questions"-retrospective.
[Accessed 15 December 2015].
[51] Wikipedia, "Maps," 17 December 2015. [Online]. Available:
https://en.wikipedia.org/wiki/Map. [Accessed 18 December 2015].
[52] Wikipedia, "Kanban," 10 November 2015. [Online]. Available:
https://en.wikipedia.org/wiki/Kanban. [Accessed 15 December 2015].
[53] Wikipedia, "Experiment," 1 December 2015. [Online]. Available:
https://en.wikipedia.org/wiki/Experiment. [Accessed 15 December 2015].

[54] S. Pramanick, "Advanced Predictive Analytics: Predicting the Outcome!," 16
November 2012. [Online]. Available: http://www.ibmbigdatahub.com/blog/advanced-
predictive-analytics-predicting-outcome. [Accessed 15 December 2015].
[55] philosoblog, "Opportunity is most often missed ...," 15 June 2011. [Online].
Available: http://philosiblog.com/2011/06/15/opportunity-is-most-often-missed/.
[Accessed 15 December 2015].
