The Enterprise Guide to Successful AI

In a survey of 1000 Canadians, 31% of people said that companies that use AI in their operations and customer communications are the future.

People recognize the potential of AI and companies can no longer afford to be ignorant. AI is now disrupting every industry and the question is whether established companies will take proactive steps to ensure that disruption doesn’t happen to them.

The long-term path to success with AI requires companies to approach the integration of AI through an “AI Triple Win” framework of utility, privacy/security, and trust.

The AI Triple Win Framework

To achieve business success, the framework incorporates three key, foundational components:

  1. Utility: AI must solve pain points, add value, and serve genuine needs.
  2. Privacy and Security: Companies must incorporate privacy as a fundamental principle in every aspect of their work as opposed to an afterthought, and data must be held safely.
  3. Trust: Companies must achieve AI for Good, not simply AI for profit.

Let’s consider each pillar in more detail.

Pillar #1: Utility

To have the goal of using AI simply because competitors are using it is misguided. Whether creating utility means answering customer questions within seconds, serving consumers with more relevant website ads, creating product delivery efficiencies, or entertaining people while they wait for a taxi, every AI tool must serve a genuine need. Companies must have clarity on the role that AI can play for them in growing their company, and that requires Utility.

Within companies that focus on retail and customer service, AI tools help people find clothes that fit properly (Levi’s), and answer questions about products and services (Sephora, Lowe’s). Alibaba, a leader in applying advanced technologies in the retail space, has even employed smart racks and mirrors to help people see themselves in new styles without ever trying the clothes on, a boon for accessibility.

Similarly, within the food and QSR category, both Campbell’s Soup and Knorr use AI to help customers customize recipes based on ingredients currently in their home. Taco Bell uses a Slack chatbot to take orders. In addition, Domino’s Pizza allows consumers to place orders by sending a message that contains only the word “Pizza.”

Consumers are ready for AI customer experiences

Our research has shown that Canadians feel positive about AI in the customer service space. Many people believe that AI has the potential to improve customer service (40%) and can provide the same or better customer service than a person (20%). Further, 59% of people would feel comfortable with AI providing recommendations on what to purchase.

Given that 36% of people say Canadian businesses should invest in using AI technologies to run their business, it is clear that consumers are ready for companies to use AI.

Pillar #2: Privacy and Security

Unfortunately, few companies have made the second pillar, privacy, a key differentiator. DuckDuckGo, an internet browser that purposefully does not track its users’ movements (unlike Google, Firefox, and others), is enjoying increased consumer interest. Snips is an up-and-coming voice assistant alternative to Alexa and Siri that focuses on privacy and security. And Purism builds digital technologies with security as the main feature.

What companies can do, however, is make privacy and security key components of their publicly displayed company policies. Plain language allows anyone to understand what data a company is collecting and for what purpose (Apple, Encircle), what changes have been made to privacy policies (Fitbit), and how to withdraw consent for the collection of data (Danske Bank).

Consumers are ready to bring AI into their personal lives

Our research shows that people are comfortable with the possibilities that AI facilitates. People are comfortable trusting AI to regulate the temperature inside their homes (72%), organize their schedules (64%), and provide companionship to people who need it (58%). At the same time, however, people don’t blindly trust brands to respect their privacy and always maintain security. More than 43% of people worry about the AI on their phone, and a whopping 78% believe that AI will increase the lack of privacy.

We’ve already seen that people understand and want the benefits of artificial intelligence in their personal and work lives. They simply want companies to implement those processes in a way that respects their privacy and maintains their security.

Pillar #3: Trust

The third pillar of successful applications of AI is trust, an overriding aim to achieve AI for Good. In today’s world of transparency and instant communication around the world, revenue grabs are simply not sustainable. Companies must act in ways that are genuinely good for their customers.

Fortunately, many companies build consumer trust by not only providing good quality products and services, but by also actively and intentionally striving to do the right thing. Nike and Under Armour are prime examples in that they have taken a higher-level approach to implementing AI in their business. Rather than simply using AI to facilitate customer service and purchase decisions, Nike and Under Armour mapped AI tools against their mission statements to create apps and virtual assistants that go beyond their products and services and help people lead healthier lives.

Consumers don’t yet trust companies to do the right thing

Unfortunately, companies using AI still have a long way to go to achieve a broader level of trust from consumers. Our research found that:

  • 20% of people believe companies using AI don’t have any ethical standards for AI in place
  • 31% worry companies might misuse AI to their own advantage
  • 41% believe companies using AI are focused on reducing their costs at the expense of people
  • 28% say Canadian businesses will use AI in ways that harm customers financially

Even though technology has impacted our lives for centuries, making millions of jobs extinct (Where are the buggy builders and lamp lighters today?), and creating millions of new jobs (Hello, data miners and user experience designers), people still worry that companies using AI will treat people unfairly and cause job loss and personal financial problems. The fact that AI and robotics will create almost 60 million more jobs than they destroy by 2022 doesn’t always feel personally relevant. People need to trust that companies will treat their employees and their consumers fairly today…[…]


Cybersecurity Weekly: Colorado BEC scam, CyrusOne ransomware, new California privacy law

A town in Colorado loses over $1 million to BEC scammers. Data center provider CyrusOne suffers a ransomware attack. California adopts the strictest privacy law in the United States. All this, and more, in this week’s edition of Cybersecurity Weekly.

1. California adopts strictest privacy law in U.S.

A new privacy rights bill took effect on January 1, 2020 that governs the way businesses collect and store Californian consumer data. The California Consumer Privacy Act mandates strict requirements for companies to notify consumers about how their data will be used and monetized, along with offering them a hassle-free opt-out process.

2. Starbucks API key exposed online

Developers at Starbucks recently left an API key exposed that could be used by an attacker to access the company’s internal systems. This issue could allow attackers to execute commands on systems, add/remove users and potentially take over the AWS instance. The security researcher who reported the incident to Starbucks was awarded a $4,000 bounty.

3. Cybercriminals filling up on gas pump transaction scams

Gas stations will become liable for card-skimming at their pay-at-the-pump stations starting in October. In the meantime, cybercriminals are targeting these stations with a vengeance, according to security researchers. This is because pay-at-the-pump stations are one of the only PoS systems that don’t yet comply with PCI DSS regulations.

4. Travelex currency exchange suspends services after malware attack

On New Year’s Eve, the U.K.-based currency exchange Travelex was forced to shut down its services as a “precautionary measure” in response to a malware attack. The company is manually processing customer requests while the network stays down during the incident response and recovery process.

5. Xiaomi cameras connected to Google Nest expose video feeds from others

Google temporarily banned Xiaomi devices from its Nest Hub following a security incident with the Chinese camera manufacturer. Several posts on social media over the past week have showcased users gaining access to other random security cameras. Google warned users to unlink their cameras from their Nest Hub until a patch arrives.

6. Colorado town wires over $1 million to BEC scammers

The Town of Erie, Colorado, recently lost more than $1 million to a business email compromise attack after scammers used an electronic payment information form on the town’s own website. They requested a change to the payment information on the building contract for a nearby bridge construction project.

7. Maze ransomware sued for publishing victim’s stolen data

The anonymous hackers behind the Maze ransomware are being sued for illegally accessing a victim’s network, stealing data, encrypting computers and publishing the stolen data after a ransom was not paid. Lawyers claim the lawsuit may be to reserve their spot for monetary damages if money is recovered by the government.

8. Landry’s restaurant chain suffers payment card theft via PoS malware

A malware attack struck point of sale systems at Landry’s restaurant chain that allowed cybercriminals to steal customers’ credit card information. Due to end-to-end encryption technology used by the company, attackers were only able to steal payment data “in rare circumstances.” […]


Watch Out: 7 Digital Disruptions for IT Leaders

Here are seven digital disruptions that you may not see coming.

Be like Apple, not Kodak. Years ago, Kodak was the first to offer digital film. But instead of pursuing the market that would disrupt one it already commanded, Kodak opted to invest in its traditional business by buying a chemical company for its conventional film business. Other companies went on to market digital film. Then came digital cameras and mobile devices with cameras in them. Kodak chose the wrong path.

Apple went down the path of disrupting its own successful product, the iPod MP3 player, to develop and sell the iPhone. It turned out to be the right decision.

Gartner VP, analyst and chief fellow Daryl Plummer recounted these stories in the introduction to his keynote address titled 7 Digital Disruptions You Might Not See Coming at the Gartner IT Symposium recently. So how do you be Apple instead of Kodak?

“It’s really about protecting yourself from what might happen to you,” Plummer said. “Futureproofing yourself means that you are ready for the things that are coming, and even if you don’t know what they are, you can adapt.”

What disruptions may be coming down the pike that you aren’t expecting? Plummer provided a peek into the following 7 digital disruptions that you may not see coming:

1. Emotional experiences

Inexpensive sensors can now track physical biometrics, and organizations are working on providing hyper-personalized digital experiences, according to Gartner. The firm is forecasting that by 2024, AI identification of emotions will influence more than half of the online ads that you see.

This trend will reach beyond marketing to consumers. It could also be used in HR applications and be applied to employee evaluations, for instance.

Gartner recommends that CIOs identify emotional trigger-based opportunities with employees and customers, add emotional states evaluation to 360 Review processes, and mitigate privacy concerns with opt-in for-pay emotion mining.

2. AI decency, trust, and ethics

How do we know that the decisions AI is making are fair when there are many examples of questionable results that exhibit bias? What about fake news and deep fakes? Plummer said that this trend will disrupt trust models, certification of developers, auditing rules, and societal norms for trust. Gartner is predicting that by 2023, a self-regulating association for oversight of AI and machine learning designers will be established in at least four of the G7 countries.

CIOs should prescribe principles that establish an AI trust framework for developers and users.

3. Distributed cloud

Plummer said that in its most basic form, this trend means that the responsibility for cloud will shift entirely to the provider. About 75% of private clouds won’t work out in the long run because the DIY effort won’t be as good as what is available in the public cloud. Openshift, Cloud Foundry, and Azure Stack are taking us along this path to distributed cloud.

The trend will disrupt private cloud, hybrid cloud, data location, and data residency.

CIOs should demand packaged hybrid services, identify latency-sensitive use cases, and request explanation of economics of cloud operations.

4. Democratization of space

While it cost 4% of the entire U.S. budget to put a man on the moon, putting a satellite into orbit now costs just $300,000, Plummer said. That has led to a low space orbit getting mighty crowded with hundreds of satellites. It also raises a host of new questions. What rules apply to data residency in space? What laws apply? What about crime in space? Countries and companies will be competing in space, and the cheaper it gets to launch a satellite, the more crowded it will become.

This trend will disrupt the economics of space-based systems, connectivity, and legal issues.

Technology providers will need to explore LEO (low earth orbit) connectivity options as space-based compute options become real.

5. Augmented humans

People will have technology such as chips and storage embedded in their bodies, and it will drive disruptions such as PC thought control, brain computer interfaces, and mind-link technology.

To prepare, tech providers should enhance disabled access to compute technology using brain computer interfaces and begin the shift from lifestyle to lifeline technologies, according to Gartner…[…]


Trial Before the Fire: How to Test Your Incident Response Plan to Ensure Consistency and Repeatability

While many organizations go to great lengths to set up effective security operations incident response plans, few proactively test their processes to ascertain how they will work when faced with a real threat.

Fifty-nine percent of incident response (IR) professionals admit that their organizations follow a reactive approach, according to a report from Carbon Black. Essentially, teams assume their processes work reasonably well to address the incident at hand … until they don’t. While organizations must have IR plans in place, it’s even more important that they a) work consistently and b) are updated and improved over time.

Testing incident response processes within the security operations center (SOC) should yield two important results: a clear understanding of whether your plan is likely to work and a list of gaps that should be addressed. There is no point testing them if the findings will play no role in optimizing your processes.

Lessons learned from your tests must be properly documented for them to have real, lasting value for your security operations team. Plus, you don’t want to find out your emergency plans don’t work when disaster strikes. What makes sense on paper or the whiteboard often doesn’t work as planned when put into practice.

Schools run fire drills, so everyone knows what to do when the bells go off. So, why aren’t we applying this logic more broadly in cybersecurity?

What is incident response?

IR refers to the systematic response to and management of events following a cyberattack or data breach. It involves a series of actions and activities aimed at reducing the impact of such an event.

A typical IR plan includes six phases which help the affected organization recover from an incident or simply contain it once it occurs: preparation, identification, containment, eradication, recovery and lessons learned.

When building an effective IR plan, security teams should determine the following:

  • The purpose of the plan.
  • Details on how to use the plan.
  • Your ability to respond to different incident types – including unauthorized access, malicious code, denial of service and inappropriate usage – and whether your information assets would be affected by such events.
  • Event handling protocols for each incident type and how to respond. This should include a checklist of which playbook needs to be triggered in the event of a cyberattack or breach. (A playbook, also known as a runbook, is common to the SOC and defines the flow of activities associated with a specific security issue and subsequent investigation and response. The goal is to build a consistent set of activities followed in every case, no matter the analyst assigned to it.)
  • Your ability to set up a “war room” for critical decision makers to receive and share information across the organization.

Testing the waters

Once you have a clear, documented plan in place, you should periodically test it through simulations to assess effectiveness and make continuous improvements. So, how can you put your processes to the test? Most security operations teams today use three methods:

1) Paper tests

Paper tests are the most theoretical method and likely the first step for security operations teams who don’t have well-documented processes. However, paper tests leave too much room for error and should only be used to look for small process changes.

2) Tabletop exercises

These scenarios consist of company stakeholders sitting around a, you guessed it, table and running through a mock security event. While these exercises may appear informal, you should prepare well in advance, make sure the right individuals participate from across the organization and that the scenario is as real as possible. Allow for up to half a day to put key processes through their paces and troubleshoot as you go.

3) Simulated attacks

The most effective way to pressure test your processes is to simulate a real-world attack to see how your organization will respond.[…]





How Cybersecurity Leaders Can Best Navigate the C-Suite

Recent data breaches at companies like British Airways and Capital One have made it more evident than ever before that cybersecurity leaders must prepare for a staggering amount of potential threats. Credential stuffing, account takeovers, and insider threats are all vectors of attack that could potentially devastate a business. But without the C-suite’s support, it’s impossible for cybersecurity leaders to effectively plan for and defend against these threats.

If the C-suite doesn’t fully understand a security risk, they likely won’t prioritize investing to defend against the potential threat. This, of course, can lead to disastrous consequences, like losing loyal customers, hurting brand reputation, or incurring major fines. The British Airways breach led to a fine of almost $230 million, and that doesn’t include non-tactile losses like a damaged reputation. As a result, it’s up to the security leaders to effectively communicate and position security risks to company leaders and decision-makers.

Here are five tips to help cybersecurity leaders navigate the C-suite:

Make cybersecurity a priority—for everyone

While leaders acknowledge security is a vital part of their organization, they often prioritize other initiatives that provide a more direct return on investment. According to a recent study from Nominet, 90 percent of C-suite members think their organization lacks the proper resources to defend against a cyberattack, and 76 percent of them think a security breach is inevitable. This highlights a disconnect: While C-suite executives acknowledge security is an issue, they’re not doing all they can to protect their organizations.

In another report from Wipro, 72 percent of organizations cited employee negligence and lack of awareness as a top cyber risk. Because of this, cybersecurity leaders need to find ways to relate cybersecurity to all departments of a business. Pushing everyone in the organization—not just the C-suite and IT teams—to think about security through awareness programs and other initiatives is necessary for any organization. When everyone actively thinks about cybersecurity and how it affects the overall well-being of the company, preventative measures will be more effective. Whenever presenting a specific threat, take a minute to explain why all employees across the business, including the C-suite, should care about it. For instance, the CMO will likely be interested to know how a hacked third-party tag on the website could steal customers’ personal information, thus violating user privacy regulations and affecting brand reputation. By working with the C-suite to make the business security efforts a top priority across the company, nobody will be caught off guard in the case of a new threat or a security incident.

Attach cybersecurity needs to business requirements

Cybersecurity leaders often have difficulty quantifying risk into impact, or cash cost, and presenting it in a way that aligns with business goals. For example, a member of the security team might need to explain to the C-suite why an organization should purchase a new encryption service. Instead of only speaking to the importance of encryption and broadly mentioning that it could save the organization money down the road, point out some industry statistics to back it up. A recent IBM study suggests that encryption reduces the cost of a data breach by $360,000 on average—a number that should persuade anyone to consider better encryption. A simple cost-benefit analysis is all that’s needed.

Overall, security leaders should communicate threats in an easily digestible way, but also show how the small initial cost to close a security hole can prevent a more significant cost down the road. According to the same IBM study, the average data breach costs an organization $3.92 million—a crippling setback for any organization. If possible, spell out what a cyber threat could cost the organization, including costs around incident response, potential fines, and lost customers.

Get to the point

The C-suite has a lot of responsibilities. If security teams present them with too much information at once, C-suite executives might overlook critical details. It rests on the cybersecurity leader’s shoulders to provide just enough information to show impact, but not too much to lose their audience. Explain essential details, like the immediacy of an attack or how many people it could affect. Diving into the technical specifics of credential stuffing or email phishing attacks, however, might not be the best strategy to get a CEO’s attention. Leave out extremely technical jargon along with the non-essential graphs and charts […]


What Do You Need to Know About the California Consumer Privacy Act?

When the General Data Protection Regulation (GDPR) was enacted more than a year ago, it was far reaching, and many organizations were caught off guard because they thought it didn’t apply to them. But in fact, it did. Now the California Consumer Privacy Act (CCPA) is about to go into effect (Jan. 1, 2020), and any enterprise that does business in the state of California will need to change the way they manage personal information.

California has the fifth largest economy in the world. In fact, it’s actually bigger than that of the United Kingdom. Why is this relevant? Well, given the size of California’s economy, this legislation will clearly have a considerable global impact. It will tip the scales on privacy around the world. To prepare for the CCPA and other future data security legislation, organizations must focus on identifying the types of personal information they have and evaluating the flow of that data coming in and going out of the organization. Getting a handle on the flow of your sensitive data is also a great early step toward avoiding a breach, regardless of the regulations you need to follow. More importantly, it is the foundation of a solid data privacy strategy, which should be the end goal for global enterprises.

CCPA is only one in a myriad of data security regulations that will come to pass in the next few years. No organization can afford to develop an entirely new strategy for each regulation, so now is the time to develop a comprehensive data privacy policy that ensures the safe handling of all data, and particularly sensitive data. A few baseline practices can set your organization up for safe data handling and help you avoid starting from scratch every time a regulation changes or a new one comes out.

The objective of these guidelines is to provide you with some pragmatic thoughts around preparing for CCPA. They are based on conversations we had with security and data executives at enterprises worldwide regarding what’s worked best for them to address CCPA and other pending data privacy regulations.

1. Break Down Data Siloes

As organizations mature, departmental silos naturally emerge as the business evolves and expands into different areas. As part of this evolution, each business segment develops its own way of generating, collecting and managing data. However, when it comes to data protection strategies and meeting privacy regulations, businesses must break down these internal walls to consistently protect data across the entire organization. Privacy is an organization-wide initiative and stakeholders need solutions that have an impact in all areas.

Data protection solutions themselves should not be siloed either. The most successful programs take advantage of the data security frameworks and processes that already exist in individual departments. For example, instead of simply focusing on identifying and categorizing data to help meet CCPA mandates, consider the security technologies already in place and how data categorization can integrate with them to drive further success from a security standpoint. Consider how data context through classification and categorization can be used in other areas of the business or to power existing security technology investments – such as cloud access security brokers, data loss prevention solutions, encryption technologies or next-generation firewalls.

Implementing a cross-departmental data security solution can also be a real boon to business. Who knows what useful data might be sitting over in another department? If security solutions are implemented in a siloed fashion, however, an organization will not only increase its risk of noncompliance but will also lose an opportunity to create deeper awareness about what data protection means for each aspect of the business.

2. Create Rich Metadata

Metadata is the glue that connects all data within an organization. Metadata enables organizations to flag sensitive information in files, documents and web pages but also provides a way to compile more detailed and useful data about that data. For example, the metadata for an Excel spreadsheet could include personal data, the type of personal data (name, address, etc.), and the author of the spreadsheet. From a data protection standpoint, this information can be used to better identify, classify and protect corporate data. From a data management or analytics point of view, it can help business leaders develop strategies for new initiatives. Ideally, metadata can bring together an organization’s data protection and data management strategies to protect and advance the business simultaneously.

When considering privacy regulations such as CCPA, security professionals must look holistically across the organization to create metadata that all security technologies and data management systems within the organization can take advantage of. For example, what does the firewall need to be more efficient? Could firewall policies benefit from file metadata that identifies that personal data is contained in the file?

People often associate metadata with just the identity of the data, but it can also be used to govern how long an organization should retain this data. We know a key aspect of data protection is identifying retention for the possible deletion of data and this can all be defined in metadata. After identifying how long the data should be held, organizations can action programs to ensure information is deleted or archived in a way that is in line with data privacy regulations. Do you really need to keep a document listing employee names and dietary restrictions captured ahead of the corporate holiday party or can that be deleted once the party has taken place?

3. Use Machine Learning to Understand Context

Numerous machine learning models in the market today have already been tuned for personally identifying information (PII). Solutions designed to help with CCPA and GDPR compliance should leverage those models when it comes to data detection. Data categorization tools with machine learning built-in make it easier to understand the context around data, which in turn helps determine how to handle different types of data. Rather than simply flag social security numbers or bank account numbers, tools that employ machine learning can help users identify personal information contained within the narrative of documents and emails, such as health history or employee review details, for example.

What’s more, machine learning enables organizations to automate their PII strategy. Data categorization tools with built-in machine learning capabilities allow organizations to focus on getting their arms around privacy. As confidence in the system grows, data handling policies can be applied automatically.

Because most organizations have ever-increasing, complex environments, leveraging technologies that offer machine learning capabilities is critical for implementing efficient and intelligent data identification solutions to help achieve CCPA and GDPR compliance goals.

4. Know Where Data Goes and Why

The act of identifying data is one thing, but keeping track of said data and managing it to ensure compliance as it moves throughout the organization is quite another. Most data protection solutions will come with some sort of out-of-the-box dashboard, but a more efficient and customized way of approaching this is to think about the broader organizational analytics strategy.

Security professionals must understand what types of data their organization collects and where it goes once collected. It’s also critical to understand how people interact with personal data. Is personal data leaving the organization? Understanding how data is created, collected and shared will help security executives develop information handling policies that work with business strategies while also protecting sensitive data. They may discover they need to change security policies to be more efficient relative to how people are using data.

Once information handling policies have been refined, security executives can find ways to leverage their company’s data analytics approach to put good monitoring practices in place. As mentioned earlier, the lines between data management (or analytics) and data protection are beginning to blur as data becomes central to business strategies and privacy becomes a top concern for consumers.

5. Evaluate Who has Access to Personal Data

A central aspect of any data protection strategy is understanding who has access to personal information within the organization […]

Talent Acquisition, Retention Leading Diversity Initiatives in Cybersecurity Jobs

Talent acquisition and retention is the leading operational reason that companies have been ramping up their diversity initiatives, according to 32 percent of respondents in the (ISC)² study.

Nearly one in three (29 percent) added that diversity is important to their organization because the workforce should represent the demographics in society:

  • Nearly three quarters of organizations surveyed (74 percent) instituted a stated diversity value or program in the last 2-5 years. On top of this, a further 16 percent have followed suit in the last 12 months.
  • Overall, 40 percent of survey respondents stated that the HR department is the primary driver of diversity and inclusivity efforts, including measuring employee diversity goals. This compares to just under one quarter (23 percent) who said it was the senior management team and just 10 percent that said it was the C-suite driving diversity initiatives.
  • 60 percent said that up to 20 percent of the current vacancies in their organizations are IT and/or cybersecurity-based. A further quarter (26 percent) said these roles constituted between 21-50 percent of their workforce.

Hiring Cyber Roles:

  • 77 percent of respondents said that cybersecurity roles were recruited for in their organizations in the last 12 months. The number of roles filled ranged from 1 to 31 across the responses, although nearly 55 percent of the respondents said that up to 10 cybersecurity personnel were hired by their organization over the last 12 months. 18 percent said that between 11 and 30 roles were hired in the last year.
  • 37 percent say just 6-20 percent of their IT department employees are aged 18-21, while 35 percent say none of their IT department employees are aged 18-21. This indicates a struggle to bring enough new talent into the department that can learn from their experienced peers […]

The 2019 Riskiest States Report — Where Does Your State Rank?

Mississippi, Louisiana, California, Alaska, and Connecticut are the riskiest states in the U.S.A. based on consumer preparedness for cyberattacks, according to a new report from Webroot. The report examines the cyber hygiene habits of 10,000 Americans, 200 in each state, to determine what behaviors and practices they have in place to protect their information or identity from cybercriminals. While the five previously mentioned states scored the lowest on the cyber hygiene test, the average respondent’s grade wasn’t good either: 60% (or a “D”).

Despite the low scores on general cybersecurity knowledge and best practices, consumers reported a high (and false) sense of confidence about their cybersecurity behaviors. The majority (88%) of survey participants believe they are taking the appropriate steps to protect themselves from cybercriminals; however, the high fail rate suggests a major opportunity for improvement.

The 5 Riskiest States:

  1. Mississippi
  2. Louisiana
  3. California
  4. Alaska
  5. Connecticut

The 5 Least Risky (Safest) States:

  1. Kentucky
  2. Idaho
  3. Ohio
  4. North Dakota
  5. New Hampshire

Notable Findings:

Americans in every state are overconfident

  • 88% feel they take the right steps to protect themselves from cyberattacks.
  • Only 10% are A students in cyber hygiene, scoring 90% or higher.
  • The highest scoring state, New Hampshire, only scored a 65%.

Americans have a surface level understanding of common cyber threats

  • 79% of Americans have heard of malware, but only 28% could explain what it is.
  • 70% of Americans have heard of phishing, but only 33% could explain what it is.
  • 49% of Americans have heard of ransomware, but only 21% could explain what it is.

Less than half of Americans adopt cyber hygiene best practices

  • 64% of participants don’t keep their social media accounts private.
  • 63% of participants reuse passwords across multiple accounts.
  • 62% of participants rely on a free antivirus software […]

The role, the challenges and the responsibilities of a CIO with Milos Topic.

Apex sat down with Milos Topic, Vice President & Chief Information Officer of Saint Peter’s University. With 20 years of experience in leadership, innovation strategies, technology implementation and business development, Milos shares his views on the role of a CIO and what it means to be an IT leader today.


Q: What is IT doing to support innovation?

A: IT is meant to drive innovation and enable others to do the same and take part. IT is a critical partner and a “golden thread,” if you will, across everything modern businesses and organizations do. As such, it is uniquely positioned to provide value to all. Furthermore, innovation comes in many forms, but it always requires action. Thinking, planning, strategizing is all wonderful and valuable, but without action, not much will get accomplished.

Q: What is the single most important thing CIOs should be focusing on today?

A: CIOs as well as all executives should be focused on people and business growth. Modern CIOs are more customer facing and are spending time on strategy, vision and innovations across and beyond the enterprise.

Q: Should IT be a business enabler?

A: IT is business in a sense, or it is at the very least an essential part of every modern and competitive organization. As such, it should provide options to challenge old (and at times outdated) business models before others (from the outside) do it for them.

Q: How do you stay abreast of the trends and what your peers are doing?

A: I have invested years (and continue to do so) in building and nurturing relationships across various industries, sectors and markets. These relationships paired with various events (such as those hosted by Apex) are of critical significance in staying current and learning from those who may be further along.

Q: What is the biggest challenge for a CIO today?

A: It varies across industries and different maturity models of organizations, but I do believe that attracting and retaining top talent is one of the largest priorities; it certainly is for me. In today’s world, and in major markets such as the greater New York City area, people have options, which is great for them yet challenging to many organizations.

Q: What is the difference between a CIO and a CTO?

A: Titles vary, but in general, a CIO should be focused on customers, innovation, strategy, growth and providing value to other major areas (Finance, Marketing, Operations, Security, Legal…) while a CTO is leading the existing services and ensures smooth operations of teams.

Q: How has the role of the CIO changed over your career?

A: Visibility has increased, and so have the responsibilities. CIOs have now earned seats on top management teams among their executive leadership peers. They are also more involved in the overall business vision, strategy and direction than ever before. All of these changes have taken place across organizations that are current and future proofed, while others are still behind and are struggling across some of these areas.

Q: What advice would you give an early stage CIO joining an organization?

A: Get as close to the business as you possibly can and learn everything about it. Build relationships, provide value to others and always give more than you take, in every exchange. Spend time and resources on developing leadership, strategy and negotiation skills as they matter in all that we do, professionally and personally.

Q: How important is the relationship between a CIO and a CISO?

A: While the reporting structure is debated by some, the relationship is very important. CIO relationships with everyone they work with are of importance, from CISO, to CFO, CMO, COO…all the way to the CEO. The entire C-suite needs to be unified and transparent with each other in order for all of them to move forward and make progress.

Q: What is the largest obstacle a CIO faces when it comes to security?

A: People. Training and organizational requirements to how data is stored, used and shared. Furthermore, many organizations are not funding information security adequately and proactively.

Q: What falls under the CIO’s responsibilities when it comes to security?

A: I’m of the belief that there should be one top technology leader and that is a CIO. Everyone else should report to them with varying degrees of authority. When it comes to finance, marketing, legal…they are all ultimately under one leader while IT seems to be fragmented in some organizations. The only potential exception is an area responsible for the overall risk, liability and governance for the entire business…they could be outside IT with strong collaborative partnership with the CIO and their leadership team.

Q: How do you see the security landscape changing over the next 12 – 18 months and how are you preparing?

A: Robots are taking over. From machine learning to artificial intelligence, people can’t keep up with the volume and complexity of threats, so continuous investments in tools and technologies are expected. We are experimenting with robotic process automation (RPA), machine learning and will continue to stay current with what is available.

Q: How worried are you about the “human element” when it comes to security?

A: It is the weakest link in this chain. People make mistakes in opening emails, sharing data, configuring technology (both software and hardware)…the list goes on. Cyber security awareness training should be mandatory across all organizations and should be part of one’s employment record at some point in time.


Milos Topic

Vice President & Chief Information Officer


I believe that everything begins and ends with leadership. Leaders have the greatest responsibility for the impact and influence over the people they lead and the outcomes of their organizations as a whole. Furthermore, I am passionate about IT being a trusted strategic partner and an advisor (a service broker) to the entire organization as technology must drive innovation across organizations and provide both strategic and operational business solutions.

I have 20 years of experience in leadership, innovation strategies, technology implementation & business development while my formal education is a blend of science, technology and business. My journey in the Information Technology (IT) profession started in 1997 and over the past 20+ years I have worked on nearly all aspects of IT. I got underway with networking/cabling installs; tech support to programming in C++, C#, Java; web development; system/network security/administration to my most recent positions of leading teams of amazing people providing technology solutions and services while supporting a multitude of organizational needs. Finally, it is essential to always focus on people first, as they matter the most in everything we do.

Philadelphia University’s Cybersecurity Program Receives “Top Curriculum” in the US

An industry-leading educational research organization has named La Salle University’s Master of Science in Cybersecurity a top 25 internet security program for 2019, and also awarded the program “best curriculum.” The organization analyzed every online master’s program in internet security in the nation with a team of 43 industry experts, hiring managers, current students and alumni.

According to the organization, the study leveraged “an exclusive data set comprised of interviews and surveys from current students and alumni in addition to insights gained from human resources professionals.” Their methodology weighted academic quality (academic metrics, online programming, and faculty training and credentials) at 40 percent, student success (graduate reputation, student engagement, and student services and technology) at 40 percent, and affordability (average net cost, percent of students with loans, and default rate) at 20 percent. The study incorporated current data from the Integrated Postsecondary Education Data System (IPEDS) and statistical data from the National Center for Education Statistics. Only programs from accredited nonprofit institutions were eligible.

“We are honored to be recognized as a top 25 internet security master’s program, with a special nod to our curriculum,” says Peggy McCoey, assistant professor and graduate director for La Salle’s M.S. in Cybersecurity. “We have developed a flexible, rigorous, and highly relevant program to ensure today’s students develop competencies in cybersecurity management as well as breach detection, mitigation and prevention. The Program balances both theoretical and practical aspects and draws key learnings from industry practitioners to ensure attention to ethical principles and changes related to cybersecurity.”

La Salle’s M.S. in Cybersecurity is a 100 percent online asynchronous program with three start dates and eight-week courses so students can complete two courses per semester. The organization noted its “engaging courses in cyberwarfare, cybercrime and digital forensics” in support of its “best curriculum” designation […]