Biswajit Mohapatra, Vinay Parisa and Joydipto Banerjee
In our recent Journal article
, we talk about how enterprises are adopting technologies like cloud, analytics, social and mobile tools to drive a strategic advantage. Emerging businesses that are born on the cloud have these technologies as part of their DNA and are at an advantage, as they can focus on a small number of core competencies that are integral to their business, unlike established enterprises that were formed using a strategic but different business model from the internet era. We are at the cusp of a smarter era where systems and applications are designed to interact with each other and generate a lot of data. Businesses are starting to depend on sophisticated analytics to distill insights and context from this increasing volume of digital information. These insights are changing the way enterprises do business with their customers. By 2020
, it is expected that there will be more than 200 billion connected devices, and machine-generated data will be 42 percent of all data.
In the infrastructure world, as cloud computing evolved, it became increasingly evident that there was still room for traditional applications and hardware. A new deployment model, the hybrid cloud, started to emerge, and with it the automation that was built for the cloud started to find use in the traditional datacenters. By abstracting the infrastructure, the cloud automation makes it possible to scale the resources between public and private clouds to offer a perfect solution for unique requirements. Cloud automation software also includes monitoring and predictive analytics solutions, which are used to analyze the data generated by the infrastructure in order to allocate appropriate resources for applications, there by bringing a greater level of optimization.
Gartner predicts that by 2016, 25 percent of external application implementation will be on mobility, cloud, analytics and social computing services and more than 50 percent of application modernization efforts will address business demand for enhanced functionality to legacy systems and not cost reduction. Enterprises lacking a modernization strategy are going to lose a lot of ground and will face an uphill task of playing catch-up. For an enterprise to be successful across technological eras, it must continuously reinvent itself and embrace innovation and be early adopters. These new technologies enable rapid change, growth and innovation in business. A modernization strategy is essential for an organization, and big data will be the key to hidden opportunities.
I believe discussions about bring your own device (BYOD) should take cultural and organizational context into account. There is no right or wrong BYOD-related decision in an absolute sense; you must put it into the right perspective. That is why I will start setting the context. I am working as a health care chief information officer in Italy, where IT spending, IT staffing and IT governance are chronically underestimated. Our health care model is fragmented at the regional level, with little coordination and supervision at the national level; this is the reason why international health care IT players are basically not present in Italy. The consequences are beginning to be evident. Our information systems are often outdated legacy systems. From the cultural point of view, I must say health care is one of the most stimulating fields in which to work. Diverse cultures (doctors, nurses, staff, social operators, and information and communications technology professionals) are working together, and this provides an absolute value and richness. But I cannot avoid noticing that, up until now, I have not seen an “IT-savvy” culture emerge in any of the institutions I know.
On the other hand, innovation is pushing its way into health care, above all in the clinical engineering field. Again, this is extremely positive, since new medical devices and better technologies for the operating theaters mean better outcomes for patients. Pervasive innovation also means better lifesaving devices, such as new-generation wireless-enabled pacemakers. Mobile health is a reality in many hospitals, albeit often built on the weak foundation of high-risk legacy systems. New regional electronic health record systems are under construction in many areas, and health care applications are spreading fast.
My recent Journal article
gives readers a glimpse into the dynamic and complex health care setting. Viewed in this context, BYOD could be an opportunity or a risk at the enterprise and patient level. In my article, I explain the key questions to be asked before implementing a BYOD strategy in a hospital or before deciding not to implement a BYOD strategy, which is a challenging option as well.
An ineffective BYOD strategy could end up opening information systems to data thieves; data breaches in health care are growing exponentially. For example, the US Federal Bureau of Investigation (FBI) warned
those in the health care industry about hackers, and in August, Community Health Systems
in Franklin, Tennessee, USA, announced that hackers stole data on approximately 4.5 million patients. Even worse, if you do not plan well and better execute your BYOD or lack thereof, you could end up with life-threatening situations for your patients, as I explain in my Journal
Health care, as mentioned in the FBI private industry notification
, is more fragile than other industries. That is striking since, as a consumer, I would put more trust in a setting where I risk my life, such as in health care, than in banking. I think this is the time to wake up and to review how we deal with information systems in health care. It is not only a matter of BYOD; it is a matter of protecting our sensitive health care data and, in extreme situations, our lives.
Read Giuliano Pozza’s recent Journal article:
,” ISACA Journal
, volume 5, 2014.
John Simiyu Masika, CISA, CISM
Business leaders are always faced with the challenge of guiding change and transforming their respective functional areas. Chief information officers (CIOs) and chief information security officers (CISOs) face similar challenges in leading information security changes. The drivers for change and transformation in information security operations include an escalating business risk and a need to comply with new legislation and regulations. A new business strategy, either as a result of business reorganization or other changes, can also drive the need for an information security transformation.
How should a CIO or CISO effectively lead change and transformation of information security? According to Harvard University Professor John P. Kotter, Ph.D., managers who successfully transform businesses and functional strategies and processes do 8 things right and they do them in the right order. Practically, Kotter’s 8-step process for leading change can be mapped with various information security change initiatives as shown below:
View Larger Graphic.
Leading change requires a systematic approach to issues. This involves having all key stakeholders play a role in institutionalizing those changes in order to achieve meaningful results both in the short term and long term. This approach mirrors guidelines provided in Information Security Governance: Guidance for Information Security Managers.
Read John Masika’s recent Journal article:
“Leading Change and Transformation in Information Security,” ISACA Journal, volume 5, 2014.
Ashwin Chaudhary, CISA, CISM, CGEIT, CRISC, CISSP, CPA, PMP
My recent Journal article
addresses increasing concerns over user privacy due to a wide usage of personal mobile devices in the workplace. Recent privacy violation issues faced by large organizations have brought the topic of privacy issues into the limelight. There are several increased privacy regulations, such as the US Health Insurance Portability and Accountability Act (HIPPA) and the US Health Information Technology for Economic and Clinical Health (HITECH), which focus on health-related privacy issues, and the US Children's Online Privacy Protection Act (COPPA) for the online privacy of children. Such efforts are initiated to bring about stringent privacy regulations; however only strict enforcement of these regulations can ensure the law’s effectiveness.
With respect to bring your own device (BYOD), an enterprise’s focus is mainly on the corporate network and data security rather than user privacy. As a social responsibility, organizations also need to adopt user privacy audits and assurance programs to manage user privacy, as this protection is equally as important as protecting corporate security.
Regulations and compliance requirements that mandate annual certification are generally at a point-in-time, and some of them are based on self-assessment and self-certifications, which may lead to cutting corners. Continuous independent assurance programs, such as Service Organization Control (SOC) 2 or SOC 3 Type2, should be considered in corporate security planning.
Read Ashwin Chaudhary’s recent Journal article:
“Privacy Assurance for BYOD,” ISACA Journal, volume 5, 2014.
Ed Gelbstein, Ph.D.
Information technologies have advanced in huge leaps and cause a significant disruption to familiar models, which happens roughly every 10 years. These advances also drive massive and rapid increases in the numbers of people with access to them.
The speed of these changes has no precedent in human history, and the power of these technologies has transformed both the work environment and our personal lives and brought with it many positive contributions.
However we have by now learned that technology is never perfect; hardware vulnerabilities and software errors can be assumed to be impossible to totally avoid by design. For those with good knowledge of mathematical logic, there are Gödel’s axioms on incompleteness
from 1931 that can be used to demonstrate that error-free software is theoretically impossible.
This opens the door for researchers and hackers to find such vulnerabilities and the consequent stream of updates, fixes and patches. But then, this is only half the challenge: these imperfect devices end up in the hands of people who may not have sufficient knowledge of good security practices—the article refers to this knowledge as “digital hygiene”—and are, therefore, exposed to infection as a result.
Well-meaning awareness programs may not be enough to change how people approach digital hygiene. My 2013 book Good Digital Hygiene
lists 41 measures that can help protect systems and data. Sadly, most people say these measures are a good idea and that they will do something about it “one of these days,” but they usually do not act until after something has gone wrong.
My Journal article
concludes with 4 actions that information security professionals can take to help their organizations. The last action suggests learning from marketing people, whose approach is to stimulate a wish to do or acquire something. This works a lot better than using an approach that outlines what cannot be done.
Many who use sophisticated technologies have limited knowledge or even awareness of security issues and what their roles are in managing them. Without a behavioral change from these individuals, we can expect the risk of security breaches with increasingly severe consequences to remain a hot topic.
William Emmanuel Yu, Ph.D., CISM, CRISC, CISSP, CSSLP
I live in a country where most Internet users are increasingly using their mobile phones to access the Internet. The Nielsen Pinoy Netizen Report found that thirty-four percent of Filipinos get a daily dose of their Internet usage from mobile phones, and that number is poised to increase further. This is also country with a 110 percent mobile phone penetration rate and was known as the “Text Messaging Capital of the World.” If enterprises want to reach their customers and users, then they need to do it via mobile platforms. As a result, enterprises have been making moves to provide better accessibility to their services by using mobile technology.
This increasing move to mobility has led to a number of potential concerns in terms of security. My recent ISACA Journal article, “The Price of Mobility: Secure Development of Enterprise Mobility Applications,” aims to cover some of the key considerations when building enterprise mobility applications. Of the many areas of discussion, some mobile security concerns are:
- Securing the transport—It is essential to treat the network as unsecured and apply all controls to ensure the proper use of such a network. Developers are not to make any assumptions with respect to the security guarantees provided by the network.
- Applying a “clean as you go” mentality—Unlike web applications, mobile applications have a tendency to leave data lying around on devices. It is essential to ensure that these pieces of information are either secured or removed.
- Securing credentials—Unlike backend based applications, where security credentials involving common systems and application programming interfaces (APIs) can be stored in a secure backend, mobile clients’ default storage is not considered secure enough for this. Additionally, the use of improperly handled common applications keys can cause security leakages that affect all your clients.
- Host security validation—It is bad enough that users of web-based Internet applications do not check if the host digital certificate is validated with a commonly agreed upon browser indicator. This matter is made worse with mobility applications as the Secure Sockets Layer (SSL) validation indicator is not consistently implemented across platforms. Developers must provide additional controls to manage users with respect to improperly validated digital certificates.
Enterprise mobility applications provide a powerful tool for organizations to use to extend their reach with mobility. But there is a price to pay in terms of additional security controls that must be put in place. Like any wave, riding it can bring unprecedented forward momentum, but can be dangerous if not done properly.
Read William Emmanuel Yu’s recent Journal article:
“The Price of Mobility: Secure Development of Enterprise Mobility Applications,” ISACA Journal, volume 5, 2014.
Zhiwei Fu, Ph.D., CISA, CGEIT, CRISC, CFE, PMP, John W. Lainhart IV, CISA, CISM, CGEIT, CRISC, CIPP/G, CIPP/US and Alan Stubbs, MAS
Fraud is a common risk that should not be ignored. Any organization that fails to appropriately protect itself faces an increased vulnerability to fraud. Organizations that collect or disburse monies have long been targets of fraud—whether by actors illegally collecting US Social Security and US Medicare or fraudulently obtaining tax refunds.
Criminal elements are becoming increasingly sophisticated and continually find new ways to game the system. Organizations also face significant increases in information flow, with a wide range of data architectures coming from disparate and unstructured sources at different velocities. This new reality brings with it new challenges. Organizations now need to find and respond to nonobvious instances and patterns of fraudulent behavior more effectively and more quickly. They must develop the analytical capabilities to actually detect fraud efficiently and predict emerging trends based on suspicious behaviors.
In our recent Journal
article , we recommended organizations develop an integrated and holistic counterfraud program that enables enterprise-wide information sharing and collaboration to prevent first, detect early, respond effectively, monitor continuously and learn constantly. Specifically, organizations should especially focus on the following critical success factors for effective and efficient fraud risk management:
Fraud Risk Management by Design
- Effective governance and clear organizational responsibility
- Integrated framework and holistic approach
- Rigorous risk assessment process
- Ecosystems of counter fraud capabilities
Big Data and Advanced Analytics
- Big data and technology
- Intelligence and predictive analytics
- Anticipation and preemption of emerging trends
- Countering fraud is an ongoing and continually evolving process
- Balancing enhancements of the process, organization and governance, and technological capabilities with their proper integration enterprise-wide
Continual Collaboration and Learning
- Fraud detection and prevention is more than an information gathering exercise and technology adoption
- Fraud prevention is an entire life cycle with continuous feedback, learning, application and improvement
Kim Maes, Steven De Haes, Ph.D., and Wim Van Grembergen, Ph.D.
By talking with some chief information officers, business sponsors and project managers in empirical research, we determined that most people in contemporary organizations know what a business case signifies. They have a rather good idea what should be included when developing such an investment document, and most of them understand its purpose. Moreover, they acknowledge that a business case may play an essential role in the decision making and ultimate benefits realization of the IT-enabled investment. Not surprisingly, it was found that a very large proportion of European companies develop some kind of a business case today.
However, many of these people could not give an adequate answer to how they were using such a business case after the investment was finally approved. Most of the business cases gathered dust on someone’s shelf or hard disk, and the realization of investment benefits was not tracked after the official launch of the end products and services. The practice of using a business case is characterized by the so-called knowing-doing gap. Organizations understand the importance of using a business case throughout the entire investment life cycle, but very few organizations are acting upon this important insight.
The advice coming out of our expert and case research is straightforward. First, organizations should start by clearly articulating what the investment is about and what it should realize. Second, developing and using a business case is not a solitary activity, and relevant stakeholders should be closely involved throughout the entire process of business case use. Finally, the maintenance of the business case during investment implementation requires an equal amount of attention in order to cope with escalations or capitalize on new, interesting opportunities. It should be noted that performing these kinds of business case practices will not be an easy task, say the experts, yet their effectiveness with regard to well-founded investment decision-making and investment success will be high.
John Snow, a character in the book and TV series Game of Thrones, realized that it was nonsense to have a wall dividing 2 cultural groups, with 1 group living south of the wall and 1 relegated to the north side. They were so different and yet so similar because of a shared goal: to survive the common enemy.
I believe in IT, we are in a similar situation. Now more than ever, diverse groups who share common goals but have different backgrounds, languages and cultures are required to cooperate. Unfortunately, our effort to improve the specialization and competence of IT professionals are building a frustrating wall.
This way of operating cannot work. If we as IT professionals continue to deepen our technical and methodological skills without finding ways of effective communication and cooperation with other social groups, we are doomed to fail both in governance of enterprise IT (GEIT) and in value creation for the enterprise and society.
How can we change the status quo? This problem, of course, is not new. Social scientists studying similar situations have come up with an interesting concept called boundary objects. Boundary objects examine how different communities use information in different ways. Boundary work and boundary objects are only a part of the solution. Other basic ingredients of the recipe for effective collaboration are a shared governance framework, business and IT eLeadership, and effective communication.
Ronald Zhao, Ph.D., Frank Bezzina, Ph.D., Pascal Lele, Ph.D., Simon Grima, Ph.D., Robert W. Klein, Ph.D., and Paul Kattuman, Ph.D.
Several comprehensive and systematic frameworks for risk management have recommended 3 lines of defense (LOD) for effective risk management and control. The focus of each of these 3 LODs is on governance, communication and human resources.
A previous Journal article
of ours illustrates an automatic dynamic system of audit and internal control interactions, which helps in instilling a culture wherein the insurers and their risk counterparts articulate risk management and financial information by evidence-based management processes, which are transparent and monitorable (as required by Solvency II and recommended by Basel III). It helps with the collection, treatment and consideration of data previously considered uncertain and hidden by all the lines of activity within a firm.
The IT investor relationship management (IRM) modules of online analytical processing (OLAP) client server interactions can be customized to automate the alignment in real time of the 3 LOD principles with Basel III and the 3 pillars of Solvency II. This is achieved by using:
- Cost accounting modules of the first line of defense (pillar 1 and pillar 2)—The first LOD is therefore organized by the device of procedures of predictive asset management (financial and human resources [HR]) based on the interactions of the finance function and the HR function to establish the frontline employees.
- Cost accounting modules of the second line of defense (pillar 2)—The second LOD is the function of operations management, which automatically provides independent oversight of enterprise risk management (ERM).
- Cost accounting modules of the third line of defense (pillar 3)—The third LOD is jointly assured by the reporting procedures of the HR function and the operations management function. They are modules of pillar 3/disclosure and transparency: Improve market discipline by facilitating comparisons and regulatory reporting requirements.
- These modules supply data by 3 reports (Cost saving, working conditions and psychosocial risk reports) that are particularly useful for updating the risk profile when the financial and social quality of the counterparty risk (including CCR or Counterparty Credit Risk) is deteriorating.
Our JournalOnline article assesses the impact of this technology on employment in each of the G20 countries.