CAROUSEL AOTS — Digital transformation is rattling every business. Certain advanced and emerging technologies are shaping up to be critical on this journey. But how do organizations define success?
At this year’s Always On Technology Symposium (AOTS) Thursday in Boston, organized by Carousel Industries, IT pros and partners took a shot at it.
Jason Viera, chief technology officer at Carousel, set the stage for the conference theme, “Success,” and how businesses think about success in three technology areas driving results today: artificial intelligence (AI), security and cloud.
Why these three technologies? Because they’re key technologies shaping digital transformation.
“Companies can’t turn a blind eye to these technologies,” Viera said. “If you don’t like change, you’ll like irrelevancy even less.”
While it quickly became clear that there’s no one definition for success, it also became apparent that how success is defined for a given technology is multifaceted and must be viewed from three vantage points: the organization, the team and the individual.
What better way to put into perspective just how difficult it is to define success for a given technology than to home in on security.
In a panel discussion – "Security Success Defined" – moderated by Viera, Jason Albuquerque, CISO at Carousel Industries; Jon Fredrickson, CISO at Blue Cross Blue Shield of Rhode Island; Reg Harnish, CEO of Gray Castle Security; Chris DeCarli, manager, security infrastructure services at FM Global; and Joe Pangborn, chief information officer, U.S. Naval War College, accepted the challenge.
From the get-go, everyone agreed that security is never done.
“With today’s advanced threats you can no longer check boxes and say, 'Mission accomplished,'” said Viera.
Panelists batted around responses to questions on topics such as: security and compliance; balancing security controls with end-user expectations; meeting the business's security requirements versus opting for product capabilities; and defining success in light of a security breach.
Jumping into it, panelists first considered the question: How do you differentiate compliance from true security efficacy in your organization?
Albuquerque contends that security is the driver of compliance. Compliance is a reporting structure while true security protects the organization.
“[Compliance] has to become a byproduct of security,” he said. Do it in the reverse and you’re not really securing the network or the infrastructure; you’re putting checks in the boxes. “You’re appeasing auditors.”
Panelists shared the view that compliance contradicts security. There are different ways to solve different problems. In security, compliance is one accepted way — and if you’re not doing that, you’re considered to be out of compliance.
DeCarli pointed out that some organizations define meeting regulatory compliance as success.
“When you’re looking at how you define success, you have to understand the people in your organization and what’s driving their security plan,” he said. “If you’re a security professional passionate about security, your target may be different than those who look at compliance and regulatory guidelines.”
For Pangborn, success is accomplishing the mission and accomplishing it securely. His unique environment means complying with DoD and Department of the Navy regulations, which are geared around tactical and operational systems.
“Trying to implement those security checklists in an education and research environment is very difficult," he said.
In fact, he pointed out that if he only addressed a compliance checklist, his mission would fail, and education and research couldn’t happen.
“We have to alter those and find a solution that securely implements particular applications and supports the environment,” he said.
What about balancing security controls with end user expectations?
“You have to bake it into your DNA,” said Albuquerque. “Because then the user experience is part of that project and you know it’s secure by design.”
Pangborn talked about a company’s culture, which starts at the top.
“It starts with the board, with the CEO, and gets pushed down," he said.
Fredrickson said the balancing act is between how the user needs to operate and how secure the organization has to be. He gave the example of a doctor who has to provide a security code every time she logs into the computer, which is multiple times a day. What about designing the system so that when she logs into the computer in the morning she enters a security code once and gets computer access all day long?
“We moved the needle and the doctor got a better user experience,” he said.
A question that rarely gets asked when it comes to cybersecurity is, “Is it worth it?”
“We don’t do a good job in cybersecurity of asking the question, 'Is it worth it?'” said Harnish. “So, is multifactor authentication worth the end-user inconvenience for risk reduction in the health care system?” he said.
An admittedly surprising answer from a guy that sells cybersecurity services: “Everybody should be thinking about how they do the absolute minimum in cybersecurity to meet what they consider their risk profile,” said Harnish. “Because you can do more but you’ll just introduce inconveniences that aren’t serving the business mission.”
What about meeting the business' security requirements rather than buying into vendor product capabilities?
Panelists agreed that they need to know what their security requirements are before they talk to vendors who often tell them what they need — or they risk not aligning with the business.
“Don’t call the vendor first,” said Pangborn.
Most buyers start at the wrong end of the process, buying the tools first, rather than making security a business conversation.
“My perspective is that I want a partner,” said Albuquerque. “I want someone that I can trust to do the vetting, to look through the mess of security companies pushing product. The partner will know my business and help me select the right technologies to get me to my business outcome along this journey.”
Finally, panelists addressed the question: How do you quantify success in light of a security breach?
Fredrickson looks at two areas to decide success in a cybersecurity attack: Did I detect it? How quickly did I recover?
“If I was successful, then I detected this thing [before someone else did] and did I do it faster than a previous incident?” he said. “On the business side, it’s about getting back to business as usual.”
DeCarli agrees and goes a bit further.
“It’s also about whether you had a program in place prior that was defensible and justifiable, and it’s a plan that you were following,” he said. “Or, were you throwing security solutions against the wall and had no idea of what your risks were.”
No response plan, however, is comprehensive and successful if you’re not practicing your plan, contended Albuquerque. In fact, you’re doing your business a disservice.
“If you’re not going after that plan so that it becomes muscle memory at some point, if you’re not training or trying different methods of attack and detection [and so on], you’re doing a disservice.”
For Harnish, measuring success in light of a breach is about business resiliency and resuming business operations within an acceptable time frame.
“An organization that can effectively measure things like time to detection, they’re unicorns,” he said. “This is about, how do we introduce resilience to the business such that our mission is protected no matter what’s going on?”
Speaking to the complexity of security, Pangborn adds, “So, time to detect, time to react and protecting the rest of the network from that vulnerability.”
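The panelists' breach-success criteria (did we detect it ourselves, was detection faster than the previous incident, did we recover within an acceptable time frame) can be turned into a small scorecard. The following is an added example, not code from the conference or any panelist's organization; the incident records are constructed, and the 24-hour recovery target and the "success" rule are assumptions chosen to illustrate the criteria.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Incident:
    """One incident's key timestamps, as an incident-response team would record them."""
    name: str
    started: datetime          # when the intrusion began (established by forensics)
    detected: datetime         # when the organization first became aware of it
    recovered: datetime        # when business-as-usual resumed
    detected_internally: bool  # True if our own monitoring found it, not a third party


def time_to_detect(inc: Incident) -> timedelta:
    """Fredrickson's first question: how long did the attacker go unnoticed?"""
    return inc.detected - inc.started


def time_to_recover(inc: Incident) -> timedelta:
    """Harnish's resiliency measure: how long from detection back to normal operations?"""
    return inc.recovered - inc.detected


def hours(td: timedelta) -> float:
    return td.total_seconds() / 3600.0


def assess(incidents: list, recovery_target: timedelta) -> list:
    """Score each incident against the panel's criteria, in chronological order.

    success (assumed rule) = we detected it ourselves
                             AND detection was at least as fast as the previous incident
                             AND recovery finished within the target.
    """
    rows = []
    previous_ttd = None
    for inc in sorted(incidents, key=lambda i: i.started):
        ttd = time_to_detect(inc)
        ttr = time_to_recover(inc)
        faster = None if previous_ttd is None else ttd <= previous_ttd
        within_target = ttr <= recovery_target
        rows.append({
            "name": inc.name,
            "ttd_hours": hours(ttd),
            "ttr_hours": hours(ttr),
            "detected_internally": inc.detected_internally,
            "faster_detection_than_previous": faster,
            "within_recovery_target": within_target,
            # the first incident has no baseline, so it is not penalized on speed
            "success": inc.detected_internally and within_target and faster is not False,
        })
        previous_ttd = ttd
    return rows


def mean_ttd_hours(incidents: list) -> float:
    """Program-level trend metric: average time to detect across all incidents."""
    return sum(hours(time_to_detect(i)) for i in incidents) / len(incidents)


# Constructed sample incidents (not real events).
INCIDENTS = [
    Incident("INC-A", datetime(2019, 3, 1, 9), datetime(2019, 3, 3, 9), datetime(2019, 3, 4, 9), True),
    Incident("INC-B", datetime(2019, 6, 10, 8), datetime(2019, 6, 11, 20), datetime(2019, 6, 12, 2), False),
    Incident("INC-C", datetime(2019, 9, 5, 0), datetime(2019, 9, 5, 6), datetime(2019, 9, 5, 18), True),
]

if __name__ == "__main__":
    for row in assess(INCIDENTS, recovery_target=timedelta(hours=24)):
        print(row)
    print("mean time to detect (h):", mean_ttd_hours(INCIDENTS))
```

INC-B fails the scorecard even though it was found faster than INC-A and recovered quickly, because a third party found it first; that is the "did I detect it before someone else did" test the panel put ahead of raw speed.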
And security doesn’t only fall to the IT team, because it goes beyond being a technical issue.
“You have to think across the business and work with the different teams in the business, such as finance, HR [and so on],” suggested Albuquerque.
At the end of the day, panelists agreed that a safe organization becomes a trusted organization. They also agreed that success is a moving target and it’s unique to each organization.