A New Framework for Preventing Cyber Attacks

The scale of data theft is staggering. In 2018, data breaches compromised 450 million records, while 2019 has already uncovered the biggest data breach in history, with nearly 773 million passwords and email addresses stolen from thousands of sources and uploaded to one database.

Current cyber defense tactics simply aren’t enough; a new model of defense is needed. In research published recently in Future Generations Computer Systems, my co-researchers and I propose a framework harnessing the power of machine learning to accurately predict attacks and identify perpetrators.

Outdated Tactics

The current manual security models are quickly becoming obsolete for a number of reasons. For one, there is simply too much data for human analysts to manually sift through. Hail-a-TAXII, a repository of Open Source Cyber Threat Intelligence feeds, provides more than one million threat indicators. IBM X-Force reports thousands of malware weekly. Verizon’s Data Breach Investigations Report details millions of incidents. These are just a few of the many data sources analysts have at their fingertips.

Another problem is that current cyber threat intelligence (CTI) tactics look only at low-level indicators: small attack signatures such as IP addresses, domain names and file hashes. Low-level indicators are easy for companies to block by plugging them into firewalls and security devices. Unfortunately, they’re also easy for hackers to change. Using only low-level indicators to stop a cyberattack is a little like trying to prevent thieves from robbing your home by securing only one window. The thief will just find another window.

The glut of data and the preoccupation with low-level indicators contribute to a serious lag in identifying threats. The median time for an organization to determine it is under attack is 46 days. Attacks can go undetected for much longer: the massive data breach at Equifax in 2017, involving nearly 150 million pieces of personal data, went undetected for 76 days.

Relying on low-level indicators simply doesn’t make sense given what we now know about hackers: They use common patterns of attack that can be identified by looking at high-level indicators, otherwise known as Tactics, Techniques and Procedures (TTPs).

Examples of tactics common to certain threat groups involving the compromise of victims’ credentials include:

  • exploitation of the victim’s remote access tools and the network’s endpoint management platforms by threat group TG-1314.
  • use of key loggers and publicly available credential dumper toolkits by TG-3390.
  • spear phishing using shortened URL links pointing to malicious websites by TG-4127, which targets government and military networks for espionage and cyber warfare.

Typically, hackers will specialize in one attack tactic and gradually evolve the tactic over time. Consider what’s happened with RAM scrapers: malware that enters servers and combs through the memory to find a distinctive code pattern, such as a credit card’s 16 digits. A RAM scraper was behind the 2013 Target data breach that compromised 40 million credit cards, as well as the 2018 Marriott and Hyatt breaches and many others in between.

While the tactic has remained the same, what has changed is how the malware transfers data to the attacker, advancing from FTP to the web protocol and finally to encrypting the information and moving on its own, no longer reliant on a human to copy and transfer the data. Fifty different families of RAM scrapers for stealing personal data currently exist.

The cyber intelligence community already maintains databases detailing high-level indicators. More than 130 adversary technique documents exist. As of late 2018, there were 45 known threat actors and 123 known software tools included in the ATT&CK taxonomy, a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK taxonomy shows that the number of TTPs used in a threat incident ranges from one to 34, with an average of six.

If so much is known about TTPs, why aren’t analysts relying on them for cyber defense? Again, the problem is the massive amount of data. Manually searching for correlated TTPs is tedious, error-prone and a nearly impossible task. That there is no commonly used vocabulary to describe attacks and attack tactics compounds the problem. TTPs are mostly reported as unstructured textual descriptions, which makes it difficult to correlate attack incidents of the same threat group based on similar TTPs, because of synonyms and polysemous words. The same style of attack can be labeled one thing in one database and something completely different in another.
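The correlation step that the paragraph above says is hampered by inconsistent vocabulary, as an added illustration (not code from the paper or its framework): it maps the labels a feed might use onto the TTP wording of the three groups listed earlier, then ranks the groups by Jaccard overlap with an incident report. The synonym table, the incident reports and the group profiles' exact wording are constructed for this example.

```python
import re

# TTP profiles of the three groups named in the article, in the article's own wording.
GROUP_TTPS = {
    "TG-1314": {"remote access tool exploitation", "endpoint management platform exploitation"},
    "TG-3390": {"key logger", "credential dumper toolkit"},
    "TG-4127": {"spear phishing with shortened url"},
}

# Constructed synonym table: labels that different feeds use for one and the same TTP,
# mapped onto the profile vocabulary. In practice a shared taxonomy (ATT&CK technique
# identifiers, for instance) plays this role. Note the polysemy problem the article
# mentions: "RAT" can mean a remote access tool or a remote access trojan, so a table
# alone cannot always resolve a label without reading its context.
SYNONYMS = {
    "keystroke logging": "key logger",
    "keylogger": "key logger",
    "input capture": "key logger",
    "password dumper": "credential dumper toolkit",
    "credential dumping": "credential dumper toolkit",
    "spearphishing link": "spear phishing with shortened url",
    "shortened link phishing": "spear phishing with shortened url",
    "remote administration tool abuse": "remote access tool exploitation",
    "rat abuse": "remote access tool exploitation",
    "endpoint manager abuse": "endpoint management platform exploitation",
}


def canonical(label: str) -> str:
    """Lower-case, replace punctuation runs with one space, then apply the synonym table."""
    key = re.sub(r"[^a-z0-9]+", " ", label.lower()).strip()
    return SYNONYMS.get(key, key)


def jaccard(a: set, b: set) -> float:
    """Overlap of two TTP sets: |A and B| / |A or B|, 0.0 when both are empty."""
    return len(a & b) / len(a | b) if (a or b) else 0.0


def correlate(incident_ttps, normalise=True):
    """Rank known groups by TTP overlap with an incident; returns [(group, score), ...] best first.

    With normalise=False the raw labels are compared as written, which is what a naive
    string match across feeds does and why synonyms defeat it.
    """
    ttps = {canonical(t) if normalise else t for t in incident_ttps}
    ranked = [(g, jaccard(ttps, profile)) for g, profile in GROUP_TTPS.items()]
    return sorted(ranked, key=lambda gs: (-gs[1], gs[0]))


# Constructed incident reports written in other feeds' vocabulary.
INCIDENT_A = ["Keystroke-logging", "Password dumper"]
INCIDENT_B = ["RAT abuse", "Endpoint manager abuse", "Keylogger"]

if __name__ == "__main__":
    for name, incident in (("A", INCIDENT_A), ("B", INCIDENT_B)):
        print(name, "raw labels:   ", correlate(incident, normalise=False)[0])
        print(name, "normalised:   ", correlate(incident)[0])
```

Incident A matches TG-3390 perfectly only after normalisation; on raw labels every group scores zero, which is the failure mode the text describes.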

Building a New Framework

The framework we propose in Future Generations Computer Systems is based on our knowledge of TTPs and of the problems plaguing the cyber intelligence community: too much data and no automated way to rely on the more effective high-level indicators.

The framework creates a network of Threats, TTPs and Detection (TTD) mechanisms. To accomplish this, data was collected from related cyber breach incidents and reliable threat sources in the public domain.

In total, more than 327 unstructured documents from about two dozen sources were used. Although machines will likely one day be able to deal with all the nuances of human language, we’re not there yet. This means the data had to be curated and semantically correlated before it could be analyzed by machines: we used ATT&CK […]

Talent Acquisition, Retention Leading Diversity Initiatives in Cybersecurity Jobs

Talent acquisition and retention is the leading operational reason that companies have been ramping up their diversity initiatives, according to 32 percent of respondents in the (ISC)² study.

Nearly one in three (29 percent) added that diversity is important to their organization because the workforce should represent the demographics in society:

  • Nearly three quarters of organizations surveyed (74 percent) instituted a stated diversity value or program in the last 2-5 years. On top of this, a further 16 percent have followed suit in the last 12 months.
  • Overall, 40 percent of survey respondents stated that the HR department is the primary driver of diversity and inclusivity efforts, including measuring employee diversity goals. This compares to just under one quarter (23 percent) who said it was the senior management team and just 10 percent that said it was the C-suite driving diversity initiatives.
  • 60 percent said that up to 20 percent of the current vacancies in their organizations are IT and/or cybersecurity-based. A further quarter (26 percent) said these roles constituted between 21-50 percent of their workforce.

Hiring Cyber Roles:

  • 77 percent of respondents said that cybersecurity roles were recruited for in their organizations in the last 12 months. The number of roles filled ranged from 1 to 31 across the responses, although nearly 55 percent of the respondents said that up to 10 cybersecurity personnel were hired by their organization over the last 12 months. 18 percent said that between 11 and 30 roles were hired in the last year.
  • 37 percent say just 6-20 percent of their IT department employees are aged 18-21, while 35 percent say none of their IT department employees are aged 18-21. This indicates a struggle to bring enough new talent into the department that can learn from their experienced peers […]

Artificial Intelligence Changes Everything in the Security Industry

During my years at Dell, we would share what we serendipitously found in the way of a good read. I thought I’d continue that practice, sending your way, if you haven’t already discovered it, Kai-Fu Lee’s book AI Superpowers: China, Silicon Valley, and the New World Order. It’s a fascinating read – particularly his insight that, “AI will be to the 21st Century what electricity was to the last…and Data – the oil that drives the generator.” Just as nineteenth-century entrepreneurs applied the electricity breakthrough to cooking food, lighting rooms and powering industrial equipment, today’s AI entrepreneurs are doing the same with the deep learning of artificial narrow intelligence (ANI). Lee’s insights were incisive and inspiring – a clarion call of caution mixed with an articulate voice of hope and encouragement. Having straddled both Chinese and U.S. cultures, his insights into the mind and practices of these largest global markets were eye-opening and even-handed. He explains the fundamentals of Neural Networks and Deep Learning in a way that was easy to grasp and presupposed little in the way of prior mathematical understanding.

In the Deep Learning of AI, we’ve found the proactive capability we wanted to advance many years ago. We knew that if we could determine the pure genomic state of the benign files that make up the Internet, we could detect malicious anomalies and preempt them before they could hurt us. We just needed technology to catch up with the idea. However, just as predicted 50 years ago by Thomas Kuhn in his book The Structure of Scientific Revolutions, we’re seeing the dawn of a new day where AI’s machine learning and advanced mathematical algorithms now offer validated deflection rates, pre-execution, in the realm of 99 percent […]

The 2019 Riskiest States Report — Where Does Your State Rank?

Mississippi, Louisiana, California, Alaska, and Connecticut are the riskiest states in the U.S.A. based on consumer preparedness for cyberattacks, according to a new report from Webroot. The report examines the cyber hygiene habits of 10,000 Americans, 200 in each state, to determine what behaviors and practices they have in place to protect their information or identity from cybercriminals. While the five previously mentioned states scored the lowest on the cyber hygiene test, the average respondent’s grade wasn’t good either: 60% (or a “D”).

Despite the low scores on general cybersecurity knowledge and best practices, consumers reported a high (and false) sense of confidence about their cybersecurity behaviors. The majority (88%) of survey participants believe they are taking the appropriate steps to protect themselves from cybercriminals; however, the high fail rate suggests a major opportunity for improvement.

The 5 Riskiest States:

  1. Mississippi
  2. Louisiana
  3. California
  4. Alaska
  5. Connecticut

The 5 Least Risky (Safest) States:

  1. Kentucky
  2. Idaho
  3. Ohio
  4. North Dakota
  5. New Hampshire

Notable Findings:

Americans in every state are overconfident

  • 88% feel they take the right steps to protect themselves from cyberattacks.
  • Only 10% are A students in cyber hygiene, scoring 90% or higher.
  • The highest scoring state, New Hampshire, only scored a 65%.

Americans have a surface level understanding of common cyber threats

  • 79% of Americans have heard of malware, but only 28% could explain what it is.
  • 70% of Americans have heard of phishing, but only 33% could explain what it is.
  • 49% of Americans have heard of ransomware, but only 21% could explain what it is.

Less than half of Americans adopt cyber hygiene best practices

  • 64% of participants don’t keep their social media accounts private.
  • 63% of participants reuse passwords across multiple accounts.
  • 62% of participants rely on a free antivirus software[…] Read more »..

Machine Learning: How It Works

Machine Learning leverages a four-phase process: Collection, Extraction, Learning and Classification.

Collection

Like DNA analysis, file analysis starts with massive data quantities – specific types of files (executables, PDFs, Microsoft Word® documents, Java, etc.). Millions of files are collected from industry sources, proprietary repositories and inputs from active computers.

The goal is to ensure:

  • statistically significant sample sizes
  • sample files of the broadest type and authorship (author groups such as Microsoft, Adobe, etc.)
  • an unbiased collection, not over-collecting specific file types.

Files are then reviewed and placed into three buckets: known and verified valid; known and verified malicious; and unknown. An accurate review is imperative – including malicious files in the valid bucket, or valid files in the malicious bucket, would bias the resulting models.

Extraction

The extraction of attributes follows, which is substantively different from behavior identification or malware analysis historically conducted by threat researchers. Rather than seeking things analysts believe might be malicious, this approach leverages the compute capacity of machines and data-mining to identify the broadest possible set of file characteristics — some as basic as the file size and others as complex as the first logic leap in the binary.

The atomic characteristics are then extracted, depending on file type (.exe, .dll, .com, .pdf, .java, .doc, .ppt, etc.). By identifying the broadest possible set of attributes, manual classification bias is removed. Using millions of attributes also raises the cost an attacker incurs in creating a piece of malware that could go undetected. This attribute identification and extraction process creates a file genome comparable to the human genome, which can be used to mathematically determine the expected characteristics of files, just as human DNA analysis is used to determine the characteristics and behaviors of cells.

Learning

Once collected, the output is normalized and converted to numerical values for use in statistical models. Vectorization and machine learning are then applied to eliminate human impurities and to speed analytical processing. Leveraging the attributes identified during extraction, mathematicians then develop statistical models that predict whether a file is benign or malicious. Dozens of models are created, each with key measurements to verify its predictive accuracy. Ineffective models are scrapped. Effective models are subjected to multiple levels of testing.

The first level starts with a sample of known files. Later stages involve the entire file corpus (tens of millions of files). The final models are then loaded into a production environment for use in file classification.

It’s important to remember that for every file scrutinized, millions of attributes are analyzed to differentiate between legitimate files and malware. This is how machine learning identifies malware – whether known or unknown – and achieves unprecedented levels of accuracy. It divides a single file into an astronomical number of characteristics and analyzes each against hundreds of millions of other files to reach a decision about the health of each characteristic.

Classification

Once built, the statistical models can be used by math engines to classify unknown files (i.e., files never seen before). This analysis takes milliseconds and is extremely precise because of the breadth of the file characteristics analyzed […]
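The four phases above carried through end to end on a toy corpus, as an added example that is not the vendor's code or model: the sample files, the four attributes and the nearest-centroid model are constructed here to show the shape of the pipeline (bucketed collection, attribute extraction, normalisation and fitting, classification of never-seen files), not its production accuracy.

```python
import math
from collections import Counter

# Collection: constructed stand-ins for the three review buckets the text describes.
# A real corpus holds millions of files; the bucket labels here are assumed correct,
# because a mislabelled sample would bias the model just as the text warns.
BENIGN = [
    b"MZ" + b"\x00" * 60 + b"This program cannot be run in DOS mode.\r\n" + b"\x00" * 400,
    b"%PDF-1.4\n" + b"1 0 obj << /Type /Catalog >> endobj\n" * 12,
]
MALICIOUS = [
    bytes(range(256)) * 2,                          # uniform byte distribution: packed/encrypted-looking body
    bytes((i * 7 + 13) % 256 for i in range(512)),  # another near-uniform body
]
UNKNOWN_PACKED = bytes(range(256))[::-1] * 2        # never seen before: high entropy
UNKNOWN_TEXT = b"Hello, world! " * 35               # never seen before: plain text


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 8.0 for a uniform byte distribution, 0.0 for a constant file."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def extract(data: bytes) -> list:
    """Extraction: a handful of file-type-agnostic attributes (a real genome has millions)."""
    return [
        float(len(data)),                               # file size
        shannon_entropy(data),                          # packing / encryption signal
        sum(32 <= b < 127 for b in data) / len(data),   # printable-byte ratio
        len(set(data)) / 256.0,                         # share of distinct byte values used
    ]


def train(benign, malicious) -> dict:
    """Learning: min-max normalise every attribute over the corpus, then fit one centroid per bucket."""
    vectors = {"benign": [extract(f) for f in benign], "malicious": [extract(f) for f in malicious]}
    all_vecs = vectors["benign"] + vectors["malicious"]
    lo = [min(col) for col in zip(*all_vecs)]
    hi = [max(col) for col in zip(*all_vecs)]
    scale = [(l, (h - l) or 1.0) for l, h in zip(lo, hi)]   # guard attributes with zero range

    def norm(vec):
        return [(x - l) / r for x, (l, r) in zip(vec, scale)]

    centroids = {}
    for label, vecs in vectors.items():
        normed = [norm(v) for v in vecs]
        centroids[label] = [sum(col) / len(normed) for col in zip(*normed)]
    return {"scale": scale, "centroids": centroids}


def classify(model: dict, data: bytes) -> str:
    """Classification: label of the nearest centroid in normalised attribute space."""
    vec = [(x - l) / r for x, (l, r) in zip(extract(data), model["scale"])]

    def distance(centroid):
        return math.sqrt(sum((a - b) ** 2 for a, b in zip(vec, centroid)))

    return min(model["centroids"], key=lambda label: distance(model["centroids"][label]))


if __name__ == "__main__":
    model = train(BENIGN, MALICIOUS)
    for name, sample in (("packed blob", UNKNOWN_PACKED), ("plain text", UNKNOWN_TEXT)):
        print(f"{name}: {classify(model, sample)}")
```

With only four training files the min-max ranges are dictated by single samples, which is the concrete reason the Collection phase insists on statistically significant sample sizes.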

The role and the focus of a CISO with Tim Swope

Apex sat down with Tim Swope, Chief Information Security Officer at Catholic Health Services of Long Island, to discuss his role and experience as a CISO. Drawing on extensive experience in the industry, Tim shares his advice and explains why an IT Risk Management Program is the cornerstone of all cyber security work.

Q: What is IT security doing to support innovation in the enterprise?

A: In addition to training the IT Security Staff, we all attend many seminars outlining new and innovative technologies and with our Proactive Risk Management model we are able to determine what GAPS those technologies will close in our organizations.

Q: What is the single most important thing CISOs should be focusing on today?

A: While many security leaders focus on the technical side of cybersecurity, a key focus of mine is risk management. Risk management is the overriding element for successful cybersecurity programs. We need to know what cyber risks and 3rd party vendor risks may affect our organizations, assign a risk level and then focus our remediation and management on the top tier risks first.

Q: How can you best describe the relationship between the CIO and the CISO in the enterprise?

A: The CIO and I work very closely together on the overall information strategy for the organizations. That being said, while the CIO might push for technology solutions that will make access to information easier… I ensure that we can effectively manage and monitor that technology. In the Healthcare space, innovation has moved faster than our ability to secure it. I remind the CIO we are FIRST in the patient privacy and safety business… not the convenience business!!

Q: How have you searched for and found the best vendors for your organization?

A: We have a very strict due diligence process for our vendors, especially those that will be working with PHI. However, we are constantly looking and evaluating vendors that may be able to save us cost, have greater automation and solve our needs better.

Q: What is the biggest challenge for a CISO today?

A: In the Healthcare industry, changing regulations, the need to expose patient data to outside entities and ensuring that the same IT security posture remains in place in the face of this change.

Q: What advice would you give an early stage CISO joining an enterprise organization?

A: When coming into a new organization as a CISO leader, I strongly believe in conducting an internal assessment to get an understanding of what controls and technologies are in place. While some CISOs may rely on an outside firm to conduct these, I choose to do an initial assessment myself, putting myself in an outside auditor’s shoes. Rather than looking at somebody else to do it for me, I’ll do it myself and I think that’s the key thing a CISO should do, is understand his or her landscape and do their own personal assessment and only then can you see what you really have.

Q: What is the importance of an IT risk Management Program in today’s cyber security landscape?

A: In order to deliver value to our customers, patients, employees, communities and shareholders, we at Catholic Health Services and other Healthcare organizations must understand and manage the risks faced across our entire organization. Risks are inherent in our business activities and can relate to strategic threats, operational issues, compliance with laws, and reporting obligations.  As part of the overall IT risk management process Information Security, Governance and Risk (ISGR) departments are responsible for various activities that are important to regulatory compliance, information security, data protection and risk management. This group has the authority and responsibility to investigate and assess compliance in all activities relevant to the Security Governance Program and to report on compliance status to IS Management.

The “Framework” that encompasses their Risk Management Program has the primary functions to:

  • Determine categorization of IT risks
  • Define the common framework used to identify and manage potential events that may affect information within the IT infrastructure
  • Define accountability for IT risk management
  • Determine the governance and oversight of IT  risk management activities

Internal and external events affecting our ability to achieve our security and operational objectives are identified at various points in the business cycle. During strategic and business planning and review processes, business unit management assesses the market and competitive environment to identify risks and opportunities facing their business. The various risk management functions within or assigned to that business unit provide expertise, support and input into the process. Each of the risk management functions is represented on applicable management committees to enable effective risk identification and business partnership.

Throughout the year, risk assessments, scans and surveys are performed by the ISGR team to identify internal and external events that might affect the achievement of the Company’s objectives. Additionally, the various risk management functions scan the external environment for risk indicators through analysis of applicable business intelligence, including trends in external health authority and other government inspections and enforcement, legislative changes, and shifts in market, payer and consumer models, as well as relationships with external subject matter experts.

Finally, risk management functions review the output from internal monitoring and assurance activities to identify gaps and emerging risk areas. Risks are analyzed, considering likelihood and impact of a given outcome, to determine how they should be managed.

If we can take away one lesson from the need for a risk management program it is the following:

Risk Management is the number one process for Identifying potential risks and creating a plan to eradicate or manage them!!

We don’t accept Risk, we continually Manage it!

 

Tim Swope

CISO

Catholic Health Services of LI

Mr. Timothy Swope is currently the CISO of Catholic Health Services, an 18,000 employee hospital group in Long Island, NY. He is an Information Security and IT Risk Management professional who partners with Chief Information Security Officers and IT Governance, Risk and Compliance executives to assess and deliver IT Security and Risk Management programs to Health Care and Insurance, Pharmaceutical and government agencies. After spending over 2 decades assisting clients implement secure enterprise BI, EHR, Meaningful Use and other data science systems, Tim knows and understands the requirements and components that create a secure information security posture. A key area of his expertise centers around interpreting and applying Federal, State and Industry regulations such as: DSRIP, HITRUST, HIPAA, NIST SP 800-53, 21 CFR Part 11, Health Insurance Reform: Security Standards, FISMA (Federal Information Security Management Act) and locally the Zadroga Act to name a few.

He also supported cyber security requirements for Medicaid’s Delivery System Reform Incentive Payment (DSRIP) Program at 2 of New York’s largest PPS’s (Performing Provider Systems) Northwell Health and NYC Health and Hospitals.

He has supported the IT Risk Management and IS Security initiatives of organizations that include Excellus BCBS, Medimmune/ Astra Zeneca, MERCK, ENDO Pharmaceuticals, Novo Nordisk, Daiichi-Sankyo Solutions, Johnson and Johnson, District of Columbia Government office of the Chief Financial Officer, District of Columbia Water and Sewer Authority, City of Richmond, Virginia Department of Public Utilities.

How Travel Buyers and IT Managers Collaborate to Secure Sensitive Company Data

Global business travel spending reached $1.33 trillion in 2017 and is forecast to advance another 7.1 percent in 2018. As this investment continues to rise, it’s increasingly important to help business travelers protect sensitive company information while they are in transit. The cost of neglecting this risk is high, as a single data breach costs an average of $3.62 million.

Data Privacy

Travel buyers within large companies do more than negotiate supplier agreements. They set travel policies that can help reduce an organization’s risk. As such, both IT managers and travel buyers have an important role to play in data security. By coordinating efforts, they can ensure that business travelers are trained, equipped and updated on best practices to help keep personal and company information safe while traveling.

While most companies invest in IT security, a serious oversight in some companies is spending millions to protect their digital data while ignoring the threat of lower-tech hacking techniques. This risk is heightened for employees working while traveling, but it can be mitigated by educating travelers and providing resources to help protect data displayed on their screens.

The following are some measures designed to reduce the visual, verbal, digital and physical exposure of data, protecting key information and thwarting opportunistic hackers. These behaviors and tools can be incorporated into official practices and procedures by IT managers, and reinforced by travel buyers in their communications.

Developing better situational awareness: Business travelers are their own first line of defense when it comes to data privacy and security. Whenever possible, they should try to position themselves in a way that limits what other people – or devices – can see, hear or record. They should consider multiple vantage points, including people above them (e.g., on balconies and upper levels) or within “zooming” distance, as well as the locations of security cameras.

Securing screens with privacy filters: Privacy filters help protect what’s on laptop or mobile device screens by blocking unauthorized side views – a particularly useful tool for travelers that spend a significant time in crowded waiting areas or in transit on planes, trains and ferries.

Locking devices when not in use: All computers and mobile devices should be password-protected as a basic security measure, and employees should be required to protect any device from which they access company information. This measure is only effective if they also make sure to lock the device whenever it is not in use – even for short periods of time.

Implementing physical locks and alarms: Physically locking briefcases and carry-ons provides an extra layer of security against opportunistic snatch-and-grab incidents. In addition, laptop alarms are available that combine software with a physical alarm attached to the device. If the device is lost or stolen, the alarm goes off loudly.

Traveling with juice-jack protectors and personal charging devices: Juice-jack protectors can be attached to the end of a USB cord to help protect against skimmers when travelers are charging their devices in public places. If possible, providing personal charging devices to frequent travelers will limit their need to use public chargers at all.

Using portable Wi-Fi hotspots and/or a company VPN: Open or publicly available Wi-Fi leaves travelers vulnerable to numerous methods of hacking. Ideally, frequent travelers should have their own personal hotspot device to access their own Wi-Fi, but a company VPN can also provide greater protection on an open network […]

 

The role, the challenges and the responsibilities of a CIO with Milos Topic.

Apex sat down with Milos Topic, Vice President & Chief Information Officer of Saint Peter’s University. With 20 years of experience in leadership, innovation strategies, technology implementation and business development, Milos shares his views on the role of a CIO and what it means to be an IT leader today.

 

Q: What is IT doing to support innovation?

A: IT is meant to drive innovation and enable others to do the same and take part. IT is a critical partner and a “golden thread” if you will across everything modern businesses and organizations do. As such, it is uniquely positioned to provide value to all. Furthermore, innovation comes in many forms, but it always requires action. Thinking, planning, strategizing is all wonderful and valuable, but without action, not much will get accomplished.

Q: What is the single most important thing CIOs should be focusing on today?

A: CIOs as well as all executives should be focused on people and business growth. Modern CIOs are more customer facing and are spending time on strategy, vision and innovations across and beyond the enterprise.

Q: Should IT be a business enabler?

A: IT is business in a sense, or it is at the very least an essential part of every modern and competitive organization. As such, it should provide options to challenge old (and at times outdated) business models before others (from the outside) do it for them.

Q: How do you stay abreast of the trends and what your peers are doing?

A: I have invested years (and continue to do so) in building and nurturing relationships across various industries, sectors and markets. These relationships paired with various events (such as those hosted by Apex) are of critical significance in staying current and learning from those who may be further along.

Q: What is the biggest challenge for a CIO today?

A: It varies across industries and different maturity models of organizations, but I do believe that attracting and retaining top talent is one of the largest priorities; it certainly is for me. In today’s world and in major markets such as the greater New York City area, people have options, which is great for them, yet challenging to many organizations.

Q: What is the difference between a CIO and a CTO?

A: Titles vary, but in general, a CIO should be focused on customers, innovation, strategy, growth and providing value to other major areas (Finance, Marketing, Operations, Security, Legal…) while a CTO is leading the existing services and ensures smooth operations of teams.

Q: How has the role of the CIO changed over your career?

A: Visibility has increased, and so have the responsibilities. CIOs have now earned seats on top management teams among their executive leadership peers. They are also more involved in the overall business vision, strategy and direction than ever before. All of these changes have taken place across organizations that are current and future proofed, while others are still behind and are struggling across some of these areas.

Q: What advice would you give an early stage CIO joining an organization?

A: Get as close to the business as you possibly can and learn everything about it. Build relationships, provide value to others and always give more than you take, in every exchange. Spend time and resources on developing leadership, strategy and negotiation skills as they matter in all that we do, professionally and personally.

Q: How important is the relationship between a CIO and a CISO?

A: While the reporting structure is debated by some, the relationship is very important. CIO relationships with everyone they work with are of importance, from CISO, to CFO, CMO, COO…all the way to the CEO. The entire C-suite needs to be unified and transparent with each other in order for all of them to move forward and make progress.

Q: What is the largest obstacle a CIO faces when it comes to security?

A: People. Training and organizational requirements to how data is stored, used and shared. Furthermore, many organizations are not funding information security adequately and proactively.

Q: What falls under the CIO’s responsibilities when it comes to security?

A: I’m of the belief that there should be one top technology leader and that is a CIO. Everyone else should report to them with varying degrees of authority. When it comes to finance, marketing, legal…they are all ultimately under one leader while IT seems to be fragmented in some organizations. The only potential exception is an area responsible for the overall risk, liability and governance for the entire business…they could be outside IT with strong collaborative partnership with the CIO and their leadership team.

Q: How do you see the security landscape changing over the next 12 – 18 months and how are you preparing?  

A: Robots are taking over. From machine learning to artificial intelligence, people can’t keep up with the volume and complexity of threats so continuous investments in tools and technologies is expected. We are experimenting with robotic process automation (RPA), machine learning and will continue to stay current with what is available.  

Q: How worried are you about the “human element” when it comes to security?

A: It is the weakest link in this chain. People make mistakes in opening emails, sharing data, configuring technology (both software and hardware)…the list goes on. Cyber security awareness training should be mandatory across all organizations and should be part of one’s employment record at some point in time.


Milos Topic

Vice President & Chief Information Officer

SAINT PETER’S UNIVERSITY

I believe that everything begins and ends with leadership. Leaders have the greatest responsibility for the impact and influence over the people they lead and the outcomes of their organizations as a whole. Furthermore, I am passionate about IT being a trusted strategic partner and an advisor (a service broker) to the entire organization as technology must drive innovation across organizations and provide both strategic and operational business solutions.

I have 20 years of experience in leadership, innovation strategies, technology implementation & business development, while my formal education is a blend of science, technology and business. My journey in the Information Technology (IT) profession started in 1997, and over the past 20+ years I have worked on nearly all aspects of IT. I started with networking/cabling installs and tech support, moved on to programming in C++, C#, and Java, web development, and system/network security/administration, and then to my most recent positions of leading teams of amazing people providing technology solutions and services while supporting a multitude of organizational needs. Finally, it is essential to always focus on people first, as they matter the most in everything we do.

Sara Nunez: Being a Woman In Technology

Apex sat down with Sara Nunez, award-winning global Program Management executive. With her experience transforming organizations by applying a broad range of integrated strategic execution best practices and business development initiatives, she shares her thoughts on being a Woman in Technology. 

Q: Is the lack of women in tech really a pipeline problem or is that companies are not providing the culture to cultivate and promote their women talent?

A: We need to do research on this topic. There are many factors to this challenge. 1. We were created with special attributes, just as men were created. 2. Society and cultures have a lot to do with this issue as well. 3. We need women to unleash their potential without looking at this as competition with men. Companies are us, the people; therefore, it is our duty to transform and enable success with the right mix of people required, regardless of them being women or men.

Q: Does the current conversation about women in tech single women out and leave men out of the solution in your organization?

A: The current conversation is needed and I do believe it is a concern for both sides.

Q: What can organizations do to get more women into senior level and executive positions? Where do you see gaps?

A: Companies are looking for talent and new skills.  We need more qualified women with thick skin to be leaders and apply for senior level positions.

Q: What can companies do to address unconscious bias at all levels of the organization?

A: HR and hiring programs should measure the desired outcome and strategize to make it happen. Balance and diversity are critical for organizations around the world.

Q: What advice would you give to a woman considering a career in the tech industry? What do you wish you had known?

A: My mentor once told me, if you love what you do, you will be amazing at it. If you are considering a career in the tech industry you have to love it, be an expert at it. Spend extra time to go beyond. You are not competing with men, you are complementing them, and together as a team you will succeed. Be you, be a woman.

Q: What do you think is the biggest challenge for the next generation of women and how can we be stronger role models for them?

A: I think the biggest challenge is to keep up with rapid technology changes and the ability to create knowledge rather than looking for it. Writing articles and visiting universities to share your knowledge with a new generation could give us the platform to prepare them to succeed. We need to pay it forward and push them hard.

Q: How is your organization creating programs and training for men to be better advocates for women specifically around support and sponsorship?

A: Multiple programs are in place, from Leadership Dev Programs and global assignments to mentoring and sponsorships.

Q: How can women better support other women in technology?

A: We need to excel and inspire women to follow the steps and make giant moves to be recognized and valued for who we are.

Q: It is no secret that many women in the tech industry have felt their gender has affected the way that they are perceived or treated in their role. Have you come across a situation that made you feel that way?

A: Do not allow that to happen.  We are in a company to drive results and motivate each other to succeed.  We are ONE.


Sara Nunez, IT Enterprise PMO Director

Dynamic, award-winning global Program Management executive and advisor to the C-suite who ensures strategic PMO is embedded throughout the enterprise’s DNA. Transforms organizations by applying a broad range of integrated strategic execution best practices and business development initiatives. Drives organizational goals, improves performance and efficiencies, and capitalizes on revenue-generating opportunities. Generously shares expertise to inspire a passion for learning, creating high-performance teams with intellectual and emotional connection to their work. Agile and multicultural, with expertise across a broad range of industries including telecommunications, technology, wealth management, and education.

Global Talent Shortage is Top Emerging Risk Facing Organizations

Staff shortages have escalated in the last three months to become the top emerging risk organizations face globally, according to Gartner, Inc.’s latest Emerging Risks Survey.

“Organizations face huge challenges from the pace of business change, accelerating privacy regulations and the digitalization of their industries,” said Matt Shinkman, managing vice president and risk practice leader at Gartner. “A common denominator here is that addressing these top business challenges involves hiring new talent that is in incredibly short supply.”

Table 1. Top Five Risks by Overall Risk Score: 1Q18, 2Q18, 3Q18, 4Q18

Rank  1Q18                      2Q18                      3Q18                             4Q18
1     Cloud Computing           Cloud Computing           Accelerating Privacy Regulation  Talent Shortage
2     GDPR                      Cybersecurity Disclosure  Cloud Computing                  Accelerating Privacy Regulation
3     Cybersecurity Disclosure  GDPR                      Talent Shortage                  Pace of Change
4     Global Economic Slowdown  AI/Robotics Skill Gap     Cybersecurity Disclosure         Lagging Digitalization
5     Social Engineering        Global Economic Slowdown  AI/Robotics Skill Gap            Digitalization Misconceptions

Sixty-three percent of respondents indicated that a talent shortage was a key concern for their organization. The financial services, industrial and manufacturing, consumer services, government and nonprofit, and retail and hospitality sectors showed particularly high levels of concern in this area, with more than two-thirds of respondents in each industry signaling this as one of their top five risks.

Gartner research indicates that companies need to shift from external hiring strategies towards training their current workforces and applying risk mitigation strategies for critical talent shortages.

“Organizations face this talent crunch at a time when they are already challenged by risks that are exacerbated by a lack of appropriate expertise,” said Shinkman. “Previous hiring strategies for coping with talent disruptions are insufficient in this environment, and risk managers have a key role to play in collaborating with HR in developing new approaches.”

Talent Shortage May Exacerbate Other Key Risks

Beyond a global talent shortage, organizational leaders are grappling with a series of interrelated risks from a rapidly transforming business environment. Accelerating privacy regulation remained a key concern, dropping into second place in this quarter’s survey. Respondents indicated that the pace of change facing their organizations had emerged as the third most prominent risk, while factors related to the pace and execution of digitalization rounded out the top five emerging risks in this quarter’s survey.

Mitigation strategies to address this set of risks often come at least partially through a sound talent strategy. For example, a key Gartner recommendation for more adequately managing data privacy regulations is the appointment of a data protection officer, while both GDPR and digitalization bring with them a host of specialized talent needs impacting nearly every organizational function.

“Unfortunately for most organizations, the most critical talent needs are also the most rare and expensive to hire for,” said Shinkman. “Adding to this challenge is the fact that ongoing disruption will keep business strategies highly dynamic, adding complexity to ongoing talent needs. Most organizations would benefit from investing in their current workforce’s skill velocity and employability, while actively developing risk mitigation plans for their most critical areas […]”