Finding the right MSSP for securing your business and training employees

Over the past year, small businesses have had to navigate the pandemic’s many challenges — from changes in business models and supply shortages to hiring and retaining employees. On top of these pandemic-driven challenges, SMBs also faced a growing business risk: cybersecurity incidents.

Cybercriminals often target SMBs due to the limited security resources and training that leave these businesses vulnerable. According to a study, Verizon found 61% of all SMBs reported at least one cyberattack during 2020, with 93% of small business attacks focused on monetary gain. Unfortunately, this leaves many SMBs forced to close after an incident due to the high costs incurred during a cyberattack.

Cybersecurity is no longer just “nice to have” for SMBs, but many business owners don’t know where to start. And while measures like a VPN or antivirus system can help, they aren’t enough by themselves. Managed security service providers (MSSPs) are a valuable resource for SMBs, allowing them to bring in the expertise needed to secure infrastructure that they might not be able to afford in this highly competitive labor market.

When looking for an MSSP, hundreds of options often leave businesses overwhelmed. To learn more about the value MSSPs should and can bring to the table, I spoke with Frank Rauch and Shay Solomon at Check Point Software Technologies.

Koziol: What should small and medium business owners look for when selecting a cybersecurity MSSP? What are the must-haves and the nice-to-haves?

Rauch: We are living in a time where businesses, SMBs especially, cannot afford to leave their security to chance. SMBs are a prime target for cybercriminals, as SMBs inherently struggle with the expertise, resources and IT budget needed to protect against today’s sophisticated cyberattacks. We are now experiencing the fifth generation of cyberattacks: large-scale, multi-vector, mega attacks targeting businesses, individuals and countries. SMBs should be looking for a true leader in cybersecurity. They should partner with an MSSP that can cover all customer sizes and all use cases. To make it easy, we can focus on three key areas:

  1. Security. The best MSSPs have security solutions that are validated by renowned third parties. They should prove their threat prevention capabilities and leverage a vast threat intelligence database that can help prevent threats at a moment’s notice.
  2. Capabilities. MSSPs should be offering a broad set of solutions, no matter the size—from large enterprises to small businesses, data centers, mobile, cloud, SD-WAN protection, all the way to IoT security. Having this broad range of expertise will ensure that your MSSP is ready to cover your business in all instances.
  3. Individualized. This may be one of the most critical areas. Your MSSP should be offering flexible growth-based financial models and provide service and support 24/7 with real-time prevention. Collaborative business processes and principles will ensure success and security in the long run.

Koziol: How can SMBs measure the value of bringing in an MSSP? Or, the risks of inaction?

Rauch: The biggest tell-tale sign of a match made in heaven is if you’re receiving your security needs through one single vendor. If not, those options are out there! Getting the best security through one experienced, leading vendor can reduce costs, simplify, support and ensure consistency across all products. This ranges from simply protecting your sensitive data all the way to ensuring you can secure the business through a centralized security management platform. How can you protect what you can’t see?

It makes sense to keep an eye on how many cybersecurity attacks you’re preventing each month. How long is it taking you to create, change and manage your policies? Are you scaling to your liking? Can you adapt on the fly if need be? Are your connected devices secure? These are just some examples that you should be able to measure with simplicity.

Koziol: How has the shift in remote/hybrid workforce changed how cybersecurity MSSPs support SMBs?

Rauch: The shift to a larger work-from-home practice has caused attackers to shift their attacks outside of their network. It is more important now than ever for MSSPs to be providing their SMBs with a complete portfolio — endpoint, mobile, cloud, email and office — that allows them to connect reliably, scale rapidly and stay protected, no matter the environment.

The best MSSPs should have been ready for this day. At any moment, day or night, your organization can be victimized by devastating cybercrime. You can’t predict when cyberattacks will happen, but you can use proactive practices and security services to quickly mitigate their effects or prevent them altogether. The shift to a hybrid workforce exposed the holes in the existing security infrastructure.

On the bright side, security incidents present an opportunity to comprehensively reevaluate and improve information security programs. They show threat vectors that we previously overlooked and raise awareness across the organization to enhance existing or implement new controls. So at the very least, this shift has been an eye-opener for MSSPs.

Koziol: Should MSSPs offer security awareness and training as part of their offering? Why?

Solomon: Absolutely, yes. At the end of the day, knowledge is power. Cyberattacks are evolving and training can help keep SMB employees protected and educated. According to a study from VIPRE, 47% of SMBs leaders reported keeping data secure as their top concern. At the same time, many SMBs lack sufficient skills and capacity to drive improved security on their own.

The only way to fight cybercrime effectively is by sharing experiences and knowledge. Due to the cyber shortage, Check Point Software, along with 200 global training partners, recently announced a free cybersecurity training program called Check Point Mind. It offers many training and cybersecurity awareness programs to give SMBs (or any business) the chance to extend their skills with comprehensive cybersecurity training programs led by world-class professionals.

Koziol: How can working with an MSSP on security awareness education improve a business’s overall security posture?

Solomon: Raising awareness with employees is a crucial step that’s often overlooked. Employees need to be able to identify a phishing attempt and know how to react. In our experience, we see a majority of employees attacked using emails. They receive an email that looks like an official email from someone with authority, asking them to open attachments or click on a link that contains malicious intent.

If employees go through a training course that teaches them what to look for in an attack, this will surely reduce the chance of that employee falling victim to the phishing attempt.

Koziol: What questions should SMBs be asking their current or future MSSPs about cybersecurity?

Solomon: Building on what was mentioned earlier, it is never too late to reevaluate and improve information security programs. Asking questions and investing in a better security posture shows us threat vectors that we previously might have overlooked and raises awareness across the organization to the need to improve existing or implement new controls. SMBs must proactively approach their MSSPs to ensure they are getting the best bang for their buck—security solutions that require minimal configuration and simple onboarding. In addition, they need to ensure they are taking the proper steps when evaluating security architecture, advanced threat prevention, endpoint, mobile, cloud, email and office.

Koziol: What’s ahead for MSSPs in the cybersecurity space? What should SMB owners expect to see next?

Rauch: One of the key areas we’ll see continuously growing is the need for a next-generation cybersecurity solution that enables organizations to proactively protect themselves against cyberthreats: incident detection and response management. As attacks continue to evolve and grow in numbers, unified visibility is a must-have across multiple vectors that a cyberthreat actor could use to attack a network.

A common challenge we see is an overwhelming volume of security data generated by an array of stand-alone point security solutions. What’s needed is a single dashboard, or, in other words, unified visibility, that enables a lean security team to maximize their efficiency and effectiveness. SMBs should take the opportunity to check security investments. The highest level of visibility, reached through consolidation, will guarantee the best effectiveness…[…] Read more »….


Data: The future of quantifying risk

The world is perpetually moving onwards and upwards with cloud adoption.

This phenomenon is no longer surprising or in-and-of-itself noteworthy. In fact, according to recent research, 92% of global enterprises used public clouds in 2021. While there will always be a few inevitable holdouts, soon, nearly all organizations will embrace the cloud in some form or another.

But amidst this shift, there are the ever-growing corporate risks associated with reliance on cloud technology. December 2021’s repeated AWS outages serve as a stark reminder that, despite tremendous benefits, cloud dependence can be a double-edged sword for many enterprise organizations.

Mission-critical issues, such as the need to minimize reliance on concentrated platforms, the necessity to avoid outages, data exposure prevention and more, have now moved the issue from IT manager and developer discussions to full C-suite level priorities, with the goal of removing and reducing risk wherever possible.

Risk is inevitable

Of course, all organizations have some corporate risk — there’s just no way around it. Truth be told, the only way to prevent modern risk altogether would be to go back to the Stone Age and miss out on the huge benefits that come with advanced technology; and even then, companies might still wind up exposed to other types of business risks. In the modern cloud and Software as a Service (SaaS)-based ecosystem, however, corporate risk is clearly something that not only has to be accepted, but properly managed as well.

But this undertaking of trying to decipher and then manage risk has proven to be a challenge. The risk management community continually struggles to build generic models that adequately address these issues, especially while balancing the need to justify risks to business stakeholders. Leadership wants to understand these risks in terms of dollars and cents rather than technical jargon or qualitative input.

For sustained success, security leaders must get a clear view of the risks their companies face, understand how to measure them, invest in them properly, and, when required, defend against them on an ongoing basis.

To this end, in 2017, Gartner coined the term Integrated Risk Management (IRM), which delineates a way to look at and address risk management across the organization to make better, more informed decisions for optimized results. With parameters to address risk identification, assessment, response, communication and monitoring, IRM creates an achievable pathway for this.

In theory, that is.

During the risk identification stage in the IRM model, the responsible party identifies the risk via assessments and/or meetings with stakeholders. The risks are then collected into a spreadsheet or other static legacy solution. They are then analyzed with existing IRM tools, which feed predefined formulas based on manual input from the risk manager in an attempt to try to prioritize those that are most pressing.

But what if companies could incorporate objective data — such as intelligence that has been pulled directly from sources — into the risk assessment? What if, instead of basing risk management on interviews, assessments and gut feelings — and then relegating that information to a static spreadsheet — it could be defined according to the underlying live data and used to make impactful, data-based decisions in real time?

The future of IRM lies in quantifying risk with live — and most importantly — objective data.

Data: The key to truly understanding risk

Instead of relying on inherently unreliable elements like spreadsheets, workflow GRC tools and one-on-one conversations, the use of normalized and structured data collected from all applications a company uses can provide a full, comprehensive picture regarding the risks the company is facing in reality. In place of feelings and potentially subjective assessments, data can express the true story behind the scenes and give companies a far more accurate observability tool with which to understand the corporate risks they must address and then act in time upon it. From there, companies can create a true risk matrix to prioritize what needs to be addressed first, and so on.

Risk professionals will tell you they already do rely on real data gathered from the field during their last survey. In truth, this isn’t the same as data continuously and independently pulled directly from sources. Shifting to a true data-based IRM approach gives companies the ability to objectively view their risks to enable maximum understanding of risk posture…[…] Read more »….


Chase CIO Gill Haus Discusses Recruitment, Agile, and Automation

The world of banking and finance faces aggressive change in innovation, increasing the need to adapt to new evolutionary cycles in financial technology. As customers want more resources and guidance with their finances, institutions such as JPMorgan Chase must nimbly respond in a way that belies their large size.

Gill Haus, CIO of consumer and community banking (Chase) at JPMorgan Chase, spoke with InformationWeek about his institution’s approach to finding the right tech talent to meet demands for innovation, the growing importance of automation, and the personal directives he follows.

When looking at technology recruitment, what skillsets is Chase seeking, both to meet current needs and also for what may come next?

At the root of what we do, we are in the business of building complex features and services for our customers. We have about 58 million digitally active customers; they depend heavily on the services we provide. Technology is behind all those products and services we offer. We are looking for the quintessential engineers that have the background in Java, machine learning engineers, those that have mobile experience as well. We also have technologies that are in “heritage” — systems that we’ve had for many years and we’re looking for engineers that understand how to use those technologies. Not just to support them but to modernize them. The key of our practice is to make sure also that we have those engineers and talent in general that is adaptable … because the market is constantly changing.

Why this is important is not just so we can have talent come in and help us build great solutions; it is also a great opportunity for talent to grow themselves. We provide our employees opportunities to use those new technologies whether it’s public cloud, private cloud, or machine learning. Also, to grow the breadth of their experiences, whether they’re working on mobile technologies, backend systems, or some other solution that touches millions and millions of customers. We offer our employees the opportunity, whether they are an entry-level software engineer, we have programs like our software engineer program where we bring in talent from universities and boot camps to do training. We offer things across the organization where our talent can contribute and learn with teams to build solutions, learn how to use other technology, and become more adaptable.

Gill Haus, JPMorgan Chase

Are there particular technologies or methodologies that have come into play of late that Chase has wanted to adopt or look at?

We’ve made a large move to be an agile organization to organize around our products versus organizing around our businesses. The reason for that is we need to be able to build solutions quickly and those local teams — the product, technology, data, and design leaders — they’re more able to see what’s happening in the market, make decisions quickly, decide what to build or what service to provide, and make sure we’re applying that for our customer versus being organized in a way that makes it more difficult to operate.

The move to an agile work style is really key for us to compete.

The other [part] is the skills themselves. At our scale, machine learning absolutely. We have tons of data about our customers, on how customers are using our products. Customers ask us to provide them insights or guidance. If you go into our mobile app, we have something called Snapshot that tells you how you’re spending money compared to other people like you, ways you can save. Machine learning is the essence and power behind making that happen.

Mobile engineering is also incredibly important for us because more and more of our customers are moving to be digitally active in the mobile space. We want to be where our customers are.

What isn’t often talked about is a lot of our backend services, which is the main Java programming that we do, empowers all of this. From APIs to public cloud because when you deposit money, you’re using those rails. When you are executing machine learning models, you’re still using a lot of those rails.

While we are focused on a lot of the new, we’re also focused on modernizing the core that we have because that is so fundamental to the services we provide.

In terms of scouting tech talent, is there an emphasis on finding brand new graduates of schools that offer the latest skills, retraining existing staff to make use of their institutional knowledge as well?

All the above. The purpose-driven culture we have is really a big factor for us. Money is at the center of people’s lives. If you can create a positive experience for customers in using their money, whether they are able to save more, to pay for something they didn’t expect, or prevent fraud for them, it provides an incredible positive benefit to that individual. That’s important. Many of the people joining, or already at that firm, want to have that positive impact.

One of our software engineering programs is called Tech Connect, which is how we get in software engineers who might not have come in through the traditional software engineering degrees. It’s a way for them to go through training here and find a role within the organization. We also have the software engineering program where we look at entry level candidates coming in from colleges with computer science and other engineering degrees. For employees that we have here, we have programs like Power Up, which is at 20 JPMorgan Chase technology centers where over 17,000 employees meet on an annual basis. There they learn all different types technologies, from machine learning, to data, to cloud. That allows us not only to have people that are here be trained but it makes it compelling to join the firm…[…] Read more »…..



Top 15 cybersecurity predictions for 2022

Over the past several years, cybersecurity risk management has become top of mind for boards. And rightly so. Given the onslaught of ransomware attacks and data breaches that organizations experienced in recent years, board members have increasingly realized how vulnerable they are.

This year, in particular, the public was directly impacted by ransomware attacks, from gasoline shortages, to meat supply, and even worse, hospitals and patients that rely on life-saving systems. The attacks reflected the continued expansion of cyber-physical systems — all of which present new challenges for organizations and opportunities for threat actors to exploit.

There should be a shared sense of urgency about staying on top of the battle against cyberattacks. Security columnist and Vice President and Ambassador-At-Large in Cylance’s Office of Security & Trust, John McClurg, in his latest Cyber Tactics column, explained it best: “It’s up to everyone in the cybersecurity community to ensure smart, strong defenses are in place in the coming year to protect against those threats.”

As you build your strategic planning, priorities and roadmap for the year ahead, security and risk experts offer the following cybersecurity predictions for 2022.

Prediction #1: Increased Scrutiny on Software Supply Chain Security, by John Hellickson, Cyber Executive Advisor, Coalfire

“As part of the executive order to improve the nation’s cybersecurity previously mentioned, one area of focus is the need to enhance software supply chain security. There are many aspects included that most would consider industry best practice of a robust DevSecOps program, but one area that will see increased scrutiny is providing the purchaser, the government in this example, a software bill of materials. This would be a complete list of all software components leveraged within the software solution, along with where it comes from. The expectation is that everything that is used within or can affect your software, such as open source, is understood, versions tracked, scrutinized for security issues and risks, assessed for vulnerabilities, and monitored, just as you do with any in-house developed code. This will impact organizations that both consume and those that deliver software services. Considering this can be very manual and time-consuming, we could expect that Third-Party Risk Management teams will likely play a key role in developing programs to track and assess software supply chain security, especially considering they are usually the front line team who also receives inbound security questionnaires from their business partners.”


Prediction #2: Security at the Edge Will Become Central, by Wendy Frank, Cyber 5G Leader, Deloitte


“As the Internet of Things (IoT) devices proliferate, it’s key to build security into the design of new connected devices themselves, as well as the artificial intelligence (AI) and machine learning (ML) running on them (e.g., tinyML). Taking a cyber-aware approach will also be crucial as some organizations begin using 5G bandwidth, which will drive up both the number of IoT devices in the world and attack surface sizes for IoT device users and producers, as well as the myriad networks to which they connect and supply chains through which they move.”


Prediction #3: Boards of Directors will Drive the Need to Elevate the Chief Information Security Officer (CISO) Role, by Hellickson


“In 2021, there was much more media awareness and senior executive awareness about the impacts of large cyberattacks and ransomware that brought many organizations to their knees. These high-profile attacks have elevated the cybersecurity conversations in the Board room across many different industries. This has reinforced the need for CISOs to be constantly on top of current threats while maintaining an agile but robust security strategy that also enables the business to achieve revenue and growth targets. With recent surveys, we are seeing a shift in CISO reporting structures moving up the chain, out from underneath the CIO or the infrastructure team, which has been commonplace for many years, now directly to the CEO. The ability to speak fluent threat & risk management applicable to the business is table stakes for any executive with cybersecurity & board reporting responsibilities. This elevated role will require a cybersecurity program strategy that extends beyond the standard industry frameworks and IT speak, and instead demonstrate how the cybersecurity program is threat aware while being aligned to each executive team’s business objectives that demonstrates positive business and cybersecurity outcomes. More CISOs will look for executive coaches and trusted business partners to help them overcome any weaknesses in this area.”


Prediction #4: Increase of Nation-State Attacks and Threats, by John Bambenek, Principal Threat Researcher at Netenrich


“Recent years have seen cyberattacks large and small conducted by state and non-state actors alike. State actors organize and fund these operations to achieve geopolitical objectives and seek to avoid attribution wherever possible. Non-state actors, however, often seek notoriety in addition to the typical monetary rewards. Both actors are part of a larger, more nebulous ecosystem of brokers that provides information, access, and financial channels for those willing to pay. Rising geopolitical tensions, increased access to cryptocurrencies and dark money, and general instability due to the pandemic will contribute to a continued rise in cyber threats in 2022 for nearly every industry. Top-down efforts, such as sanctions by the U.S. Treasury Department, may lead to arrests but will ultimately push these groups further underground and out of reach.”


And, Adversaries Outside of Russia Will Cause Problems


Recognizing that Russia is a safe harbor for ransomware attackers, Dmitri Alperovitch, Chairman, Silverado Policy Accelerator: “Adversaries in other countries, particularly North Korea, are watching this very closely. We are going to see an explosion of ransomware coming from DPRK and possibly Iran over the next 12 months.”


Ed Skoudis, President, SANS Technology Institute: “What’s concerning about this potential reality is that these other countries will have less practice at it, making it more likely that they will accidentally make mistakes. A little less experience, a little less finesse. I do think we are probably going to see — maybe accidentally or maybe on purpose — a significant ransomware attack that might bring down a federal government agency and its ability to execute its mission.”


Prediction #5: The Adoption of 5G Will Drive The Use Of Edge Computing Even Further, by Theresa Lanowitz, Head of Evangelism at AT&T Cybersecurity


“While in previous years, information security was the focus and CISOs were the norm, we’re moving to a new cybersecurity world. In this era, the role of the CISO expands to a CSO (Chief Security Officer) with the advent of 5G networks and edge computing.

The edge is in many locations — a smart city, a farm, a car, a home, an operating room, a wearable, or a medical device implanted in the body. We are seeing a new generation of computing with new networks, new architectures, new use cases, new applications/applets, and of course, new security requirements and risks.

While 5G adoption accelerated in 2021, in 2022, we will see 5G go from new technology to a business enabler. While the impact of 5G on new ecosystems, devices, applications, and use cases ranging from automatic mobile device charging to streaming, 5G will also benefit from the adoption of edge computing due to the convenience it brings. We’re moving away from the traditional information security approach to securing edge computing. With this shift to the edge, we will see more data from more devices, which will lead to the need for stronger data security.


Prediction #6: Continued Rise in Ransomware, by Lanowitz


“The year 2021 was the year the adversary refined their business model. With the shift to hybrid work, we have witnessed an increase in security vulnerabilities leading to unique attacks on networks and applications. In 2022, ransomware will continue to be a significant threat. Ransomware attacks are more understood and more real as a result of the attacks executed in 2021. Ransomware gangs have refined their business models through the use of Ransomware as a Service and are more aggressive in negotiations by doubling down with distributed denial-of-service (DDoS) attacks. The further convergence of IT and Operational Technology (OT) may cause more security issues and lead to a rise in ransomware attacks if proper cybersecurity hygiene isn’t followed.

While many employees are bringing their cyber skills and learnings from the workplace into their home environment, in 2022, we will see more cyber hygiene education. This awareness and education will help instill good habits and generate further awareness of what people should and shouldn’t click on, download, or explore.”


Prediction #6: How the Cyber Workforce Will Continue to be Revolutionized Among Ongoing Shortage of Employees, by Jon Check, Senior Director Of Cyber Protection Solutions at Raytheon Intelligence & Space


“Moving into 2022, the cybersecurity industry will continue to be impacted by an extreme shortage of employees. With that said, there will be unique advantages when facing the current so-called ‘Great Resignation’ that is affecting the entire workforce as a whole. As the industry continues to advocate for hiring individuals outside of the cyber industry, there is a growing number of individuals looking to leave their current jobs for new challenges and opportunities to expand their skills and potentially have the choice to work from anywhere. While these individuals will still need to be trained, there is extreme value in considering those who may not have the most perfect resume for the cyber jobs we’re hiring for, but may have a unique point of view on solving the next cyber challenge. This expansion will, of course, increase the importance of a positive work culture as such candidates will have a lot of choices of the direction they take within the cyber workforce — a workforce that is already competing against the same pool of talent. With that said, we will never be able to hire all the cyber people we need, so in 2022, there will be a heavier reliance on automation to help fulfill those positions that continue to remain vacant.”


Prediction #7: Expect Heightened Security around the 2022 Election Cycle, by Jadee Hanson CIO and CISO of Code42


“With multiple contentious and high-profile midterm elections coming up in 2022, cybersecurity will be a top priority for local and state governments. While security protections were in place to protect the 2020 election, publicized conversations surrounding the uncertainty of its security will facilitate heightened awareness around every aspect of voting next year.”


Prediction #8: A Shift to Zero Trust, by Brent Johnson, CISO at Bluefin


“As the office workspace model continues to shift to a more hybrid and full-time remote architecture, the traditional network design and implicit trust granted to users or devices based on network or system location are becoming a thing of the past. While the security industry had already begun its shift to the more secure zero-trust model (where anything and everything must be verified before connecting to systems and resources), the increased use of mobile devices, bring your own device (BYOD), and cloud service providers has accelerated this move. Enterprises can no longer rely on a specific device or location to grant access.

Encryption technology is obviously used as part of verifying identity within the zero-trust model, and another important aspect is to devalue sensitive information across an enterprise through tokenization or encryption. When sensitive data is devalued, it becomes essentially meaningless across all networks and devices. This is very helpful in limiting security practitioners’ area of concern and allows for designing specific micro-segmented areas where only verified and authorized users/resources may access the detokenized, or decrypted, values. As opposed to trying to track implicit trust relationships across networks, micro-segmented areas are much easier to lock down and enforce granular identity verification controls in line with the zero-trust model.”



Prediction #9: Securing Data with Third-Party Vendors in Mind Will Be Critical, by Bindu Sundareason, Director at AT&T Cybersecurity


Attacks via third parties are increasing every year as reliance on third-party vendors continues to grow. Organizations must prioritize the assessment of top-tier vendors, evaluating their network access, security procedures, and interactions with the business. Unfortunately, many operational obstacles will make this assessment difficult, including a lack of resources, increased organizational costs, and insufficient processes. The lack of up-to-date risk visibility on current third-party ecosystems will lead to loss of productivity, monetary damages, and damage to brand reputation.”


Prediction #10: Increased Privacy Laws and Regulation, by Kevin Dunne, President of Pathlock


“In 2022, we will continue to see jurisdictions pass further privacy laws to catch up with the states like California, Colorado and Virginia, who have recently passed bills of their own. As companies look to navigate the sea of privacy regulations, there will be an increasing need to be able to provide a real-time, comprehensive view of what data is being processed and stored, who can access it, and most importantly, who has accessed it and when. As the number of distinct regulations continues to grow, the pressure on organizations to put in place automated, proactive data governance will increase.”


Prediction #11: Cryptocurrency to Get Regulated, by Joseph Carson, Chief Security Scientist and Advisory CISO at ThycoticCentrify


“Cryptocurrencies are surely here to stay and will continue to disrupt the financial industry, but they must evolve to become a stable method for transactions and accelerate adoption. Some countries have taken a stance that energy consumption is creating a negative impact and therefore facing decisions to either ban or regulate cryptocurrency mining. Meanwhile, several countries have seen cryptocurrencies as a way to differentiate their economies to become more competitive in the tech industry and persuade investment. In 2022, more countries will look at how they can embrace cryptocurrencies while also creating more stabilization, and increased regulation is only a matter of time. Stabilization will accelerate adoption, but the big question is how the value of cryptocurrencies will be measured.  How many decimals will be the limit?”


Prediction #12: Application Security in Focus, by Michael Isbitski, Technical Evangelist at Salt Security


“According to the Salt Labs State of application programming interface (API) Security Report, Q3 2021, there was a 348% increase in API attacks in the first half of 2021 alone and that number is only set to go up.

With so much at stake, 2022 will witness a major push from nonsecurity and security teams towards the integration of security services and automation in the form of machine assistance to mitigate issues that arise from the rising threat landscape. The industry is beginning to understand that by taking a strategic approach to API security as opposed to a subcomponent of other security domains, organizations can more effectively align their technology, people, and security processes to harden their APIs against attacks. Organizations need to identify and determine their current level of API maturity and integrate processes for development, security, and operations in accordance; complete, comprehensive API security requires a strategic approach where all work in synergy.

To mitigate potential threats and system vulnerabilities, further industry-wide recognition of a comprehensive approach to API security is key. Next year, we anticipate that more organizations will see the need for and adopt solutions that offer a full life cycle approach to identifying and protecting APIs and the data they expose. This will require a significant change in mindset, moving away from the outdated practices of proxy-based web application firewalls (WAFs) or API gateways for runtime protection, as well as scanning code with tools that do not provide satisfactory coverage and leave business logic unaddressed. As we’ve already begun to witness, security teams will now focus on accounting for unique business logic in application source code as well as misconfigurations or misimplementations within their infrastructure that could lead to API vulnerabilities.

Implementing intelligent capabilities for behavior analysis and anomaly detection is also another way organizations can improve their API security posture in 2022. Anomaly detection is essential for satisfying increasingly strong API security requirements and defending against well-known, emerging and unknown threats. Implementing solutions that effectively utilize AI and ML can help organizations ensure visibility and monitoring capabilities into all the data and systems that APIs and API consumers touch. Such capabilities also help mitigate any manual mistakes that inadvertently create security gaps and could impact business uptime.”


Prediction #13: Disinformation on Social Media, by Jonathan Reiber, Senior Director of Cybersecurity Strategy and Policy at AttackIQ


“Over the last two years, pressure rose in Congress and the executive branch to regulate Section 230 and increased following the disclosures made by Frances Haugen, a former Facebook data scientist, who came forward with evidence of widespread deception related to Facebook’s management of hate speech and misinformation on its platform. Concurrent to those disclosures, in mid-November, the Aspen Institute’s Commission on Information Disorder published the findings of a major report, painting a picture of the United States as a country in a crisis of trust and truth, and highlighting the outsize role of social media companies in shaping public discourse. Building on Haugen’s testimony, the Aspen Institute report, and findings from the House of Representatives Select Committee investigating the January 6, 2021 attack on the U.S. Capitol, we should anticipate increasing regulatory pressure from Congress. Social media companies will likely continue to spend large sums of money on lobbying efforts to shape the legislative agenda to their advantage.”


Prediction #14: Ransomware To Impact Cyber Insurance, by Jason Rebholz, CISO at Corvus Insurance


“Ransomware is the defining force in cyber risk in 2021 and will likely continue to be in 2022. While ransomware has gained traction over the years, it jumped to the forefront of the news this year with high-profile attacks that impacted the day-to-day lives of millions of people. The increased visibility brought a positive shift in the security posture of businesses looking to avoid being the next news headline. We’re starting to see the proactive efforts of shoring up IT resilience and security defenses pay off, and my hope is that this positive trend will continue. When comparing Q3 2020 to Q3 2021, the ratio of ransoms demanded to ransoms paid is steadily declining, as payments shrank from 44% to 12%, respectively, due to improved backup processes and greater preparedness. Decreasing the need to pay a ransom to restore data is the first step in disrupting the cash machine that is ransomware. Although we cannot say for certain, in 2022, we can likely expect to see threat actors pivot their ransomware strategies. Attackers are nimble — and although they’ve had a ‘playbook’ over the past couple years, thanks to widespread crackdowns on their current strategies, we expect things to shift. We have already seen the opening moves from threat actors. In a shift from a single group managing the full attack life cycle, specialized groups have formed to gain access into companies who then sell that access to ransomware operators. As threat actors specialize in access into environments, it opens the opportunity for other extortion-based attacks such as data theft or account lockouts, all of which don’t require data encryption. The potential for these shifts will call for a great need in heavier investments in emerging tactics and trends to remove that volatility.”..[…] Read more »….


How To Define Risks for Your Information Assets

To define risks, learn where they come from, and what their effect on information assets and the operation of your company is, you will need to carry out a risk assessment. In this article we will talk about IT assets and risks. I’m not going to outline the organizational or preparational side of things, such as appointing a risk manager or setting up the assessment process. If you need to learn about the different aspects of defining a process, take a look at ISO/IEC 27005:2018.

Basic method

There are a few different approaches to defining risk, but let’s explore the basics. The first thing you will need to do is define the scope of your information assets. Information assets are all assets which could impact on the confidentiality, integrity, and accessibility of information within your company.

There aren’t any strict criteria on how to assess this scope. The result should be a list of systems, applications, code, etc. which you need to define risks for.

Defining your assets

Assets can be singular or grouped together to unify identical risks for a set of assets.

The simplest way is to make a logical list of systems and applications, grouping them by type. For example:

  • HR systems, like BambooHR, Zoho, Workable, etc.
  • Security systems, like IPS, SIEM, Nexpose, etc.)
  • Communication systems, like Slack, Facebook workspace, Google meet, etc.
  • Access control systems, like PACS, CCTV, etc.
  • Business support systems, like Google Workspace, MS AD, LDAP, etc.

It’s worth taking into account that IT is assets that aren’t just the standard systems and applications with recognizable names, but also:

  • In-house systems
  • Your code
  • Employee workstations
  • Your network and its components
  • Software licenses
  • etc.

When grouping assets, you need to take into account the critical nature of the assets. For example, a service for ordering coffee in the office isn’t as critical as a customer support system. Obviously, you set how critical the system is as you see fit, taking into account that each risk can have different effects on different assets.

Zone of responsibility

This article is not supposed to go into detail about how to define zones of responsibility, but it’s worth mentioning in short.

You need to define who is responsible for what: which employees or departments are responsible for which systems from a business perspective (i.e. responsible for the data and system processes) and which are responsible for the technical aspects (i.e. asset support and management). You also need to define who your users are and who assesses the risks. You can express the result using the RACI matrix:

  • (R) Responsible
  • (A) Accountable
  • (C) Consulted
  • (I) Informed

This is necessary in order to define who will

  • Identify assets
  • Support assets
  • Assess critical nature of assets
  • Assess damage (consequences)
  • Process risks
  • Administer processes for information risk management

Damage assessment

The next step is to work with people in your company to define the damage that could become of the different risks coming to fruition.

Take a look at the table below to see an example of how this is done.

Damage table

Damage Table

Identification of risks

You can identify risks by combining the threats and vulnerabilities associated with each asset. Risks can be categorized by the type of impact they could have on a system or dataset:

  • Confidentiality
  • Integrity
  • Accessibility

Threats and vulnerabilities can be split into two types and this will help you define the impact level the risk will have on the asset and the overall applicability of the risk to a particular asset:

  • Internal (within your security or network perimeter)
  • External (outside of your company’s perimeter

The risk that sensitive data could be stolen when being transferred across your network due to incorrect system configuration. For data being transferred within the company (internal threat), the effects of this risk coming to fruition are much less than if you were to transfer the data externally (e.g. to a cloud provider).

The most difficult part of all is defining and forming the list of risks. You can use the risks that are listed in standards such as ISO, PCI DSS, NIST, COBIT, etc. and adapt them to your own processes.

The domains you consider should include but not be limited to:

  • Access and role management
  • Change and development management
  • System backup and recovery
  • Monitoring
  • Password security
  • Vulnerability management
  • Privileged account management
  • Third party management
  • Physical security

What else affects risks?

The possibility and frequency that a risk might be realized also affects your assessment. Let’s take a look at an example.

Example 1

Unsanctioned access to internal systems which leads to the system admin password being exposed. However, you can only access the system by being on the company’s local network (where connection is only possible with a user certificate and set device) or via VPN that requires two-factor authentication.

In this case:

  • The chance that this risk will be realized is low
  • The possible frequency of this risk being realized is low

As we can see, the actual impact of this risk on an asset is practically zero and you can either not even consider it, or mark it as a risk that you are willing to accept.

Now, let’s take a look at this risk in different circumstances. If we say this risk is prevalent for an external system in a cloud and with local authorization via http, then:

  • The chance that this risk will be realized is high because the admin password is transmitted across an open channel and there is no additional security applied to the admin account
  • The possible frequency of this risk being realized is high because the system is accessible from anywhere with an internet connection

As you can see, the circumstances are something you need to consider when defining and grouping risks for assets according to type and critical nature.

Let’s take a look at some more examples in the context of a marketplace and consider their impact.

Example 2

Neither the company’s site nor mobile application have undergone a comprehensive security review during design and implementation. In addition, there is no process of continuous security assessment (vulnerabilities detection) of the site or mobile application.

This may result in prolonged existence of exploitable vulnerabilities which may lead to the systems being compromised by an outside intruder and a leak of confidential data.

This would impact on:

  • Data confidentiality (misconfiguration in authentication form that grants access to client data)
  • Data and application integrity (vulnerabilities like an SQL injection)
  • Application accessibility (e.g. DDOS vulnerabilities)

If we consider the risks and outcome using the damage table above, we several have types of harm:

  • Reputational damage — Moderate
  • Idleness or inefficiency in service operation — Low
  • Contravention of laws and regulations — Moderate

You should define the value of the damage and the impact in a way appropriate for your business.

Example 3

The company’s disaster recovery plan is outdated and has not been tested for years. Given the moderate potential of an intruder breaching the systems, a combination of events may result in the inability to restore operations at the recovery site within an acceptable time frame.

The data integrity or data accessibility and harm will be:

  • Financial loss – High because it’s very harmful for a marketplace to lose all of its customer data; the company will lose money if customers won’t be able to order goods.

What comes out the other end

When you have completed the process of setting and assessing risks, you should have a document/matrix/table which shows for each asset or group of assets:.[…] Read more »



A CIO’s Introduction to the Metaverse

The “metaverse” is coming. Are you ready? Microsoft, Nvidia, and Facebook have all announced significant applications to give enterprises a door into the metaverse. Many startups are also building this kind of technology.

But just what is the metaverse anyway? Is it something that CIOs need to have on their radar? What are the use cases for businesses? And what are the caveats that organizations need to watch for to reduce risk?

What Is a Metaverse?

Metaverse is essentially a 3D mixed reality “place” that combines the real world/physical world with the digital world. It is persistent, meaning it continues to exist even if you close the app or logout. It is also collaborative, meaning that people in that world see the same thing and can work together. Some experts say that the metaverse will be a new 3D layer of the internet. Gartner’s definition goes one step further, says Tuong Nguyen, senior research analyst at Gartner, specifying that a true metaverse must be interoperable with other metaverses (and thus, many of today’s iterations don’t fit the Gartner definition yet.)

Here’s how Nvidia CEP Jensen Huang put it during his keynote address at Nvidia GTC 2021 online event this month: “The internet is essentially a digital overlay on the world. The overlay is largely 2D information — text voice, images, video — but that’s about to change. We now have the technology to create new 3D virtual worlds or model our physical world.”

Today’s video conferencing, driven into the mainstream by the pandemic, is an example of two-dimensional collaboration. People can participate via their laptop cameras and microphones from home, or they can be in the office in a teleconference room. They can share their screens or use apps that allow for a collaborative whiteboard.

A metaverse layers immersive 3D on top of that. Participants can create avatars (digital representations of themselves) and use those to enter a virtual 3D room. In that room they can collaborate on a virtual whiteboard on the virtual wall or walk around a virtual 3D model of a car they are designing, for instance.

That’s essentially the use case that Microsoft CEO Satya Nadella described when he announced Mesh for Microsoft Teams at the tech giant’s Ignite conference this month. Microsoft will add this capability to its Teams collaboration tool starting in 2022.

This feature combines the capabilities of Microsoft’s mixed-reality platform Mesh (announced in March 2021 as a platform for building metaverses) with the productivity tools of Microsoft Teams, according to Microsoft.

Facebook, which rebranded itself as Meta earlier this year, introduced Horizon Workrooms in August, which are VR meeting spaces for remote collaboration.

Metaverse Use Cases for the Enterprise

Collaboration is one of three primary use cases for a metaverse in the enterprise right now, according to Forrester VP J.P. Gownder.

Another primary use case is one championed by chip giant Nvidia — simulations and digital twins. Huang announced Nvidia Omniverse Enterprise during his keynote address at the company’s GTC 2021 online AI conference this month and offered several use cases that focused on simulations and digital twins in industrial settings such as warehouses, plants, and factories.

If you are an organization in an industry with expensive assets — for instance oil and gas, manufacturing, or logistics — it makes sense to have this use case on your radar, according to Gartner’s Nguyen. “That’s where augmented reality is benefiting enterprise right now,” he says.

As an example, during his keynote address, Nvidia’s Huang showed a video of a virtual warehouse created with Nvidia Omniverse Enterprise enabling an organization to visualize the impact of optimized routing in an automated order picking scenario. That’s an example of a particular use case, but Omniverse itself is Nvidia’s platform to enable organizations to create their own simulations or virtual worlds.

“We built Omniverse for builders of these virtual worlds,” Huang said at GTC. “Some worlds will be for gatherings and games. But a great many will be built by scientists, creators, and companies. Virtual worlds will crop up like websites today.”

The third use case for enterprises falls in the business-to-consumer marketing realm as demonstrated by online gaming platform company Roblox, according to Gownder. On this gaming platform that’s popular with the pre-teen crowd, users can purchase digital clothing to outfit their avatars, and brands are taking notice. For instance, apparel brands including Vans and Gucci have created customized, branded worlds on Roblox.

Should CIOs Put Metaverse on Their Tech Roadmaps?

Yes, but no need to jump in with both feet yet, the experts say.

“CIOs should be thinking about these examples,” says Nguyen. “But you don’t need to have a metaverse presence.” Yet. “It would behoove you to get that frame of reference because of the inevitability. Not being a part of this in some way, you will likely be missing out substantially, just like any organization that doesn’t have a website today.”

Indeed, it may pay off if you decide to wait for version 2. Microsoft’s Mesh for Teams lets users create an avatar and use that instead of turning on their webcams. These personal avatars come complete with facial expressions to convey reactions.

“This is unlikely to get the same level of engagement for others utilizing video in a meeting,” says Tim Banting, Omdia’s practice leader for the Digital Workplace. “Consequently, Omdia believes this feature to be somewhat of a gimmick.”

However, some other use cases may appeal to organizations, he adds. Yet there are other caveats for enterprises to consider when it comes to practical implementation.

“A specific headset, rather than a PC or mobile device, would be required to maximize the user experience,” Banting says. “With many organizations failing to offer remote staff business-quality headsets and external webcams, it’s unlikely that enterprises could justify the expense of VR equipment for regular employee meetings.”

Do You Need to Skill Up Your IT Workforce?

Many of the benefits of metaverse technology will be available through your existing technology vendors already, like Mesh for Microsoft Teams. What’s more, Banting points out that in the consumer VR world, “it’s very much a plug and play environment with easy setup.”

However, “Where things could get interesting is when businesses want to create their own ‘branded’ metaverse. I expect this will be an advanced services opportunity for a new category of partners working in conjunction with marketing.”

Gownder said that an understanding of 3D is a rare skill today, so finding people who can develop on Unity or Unreal Engine may be valuable. But it’s not something that everyone will need to jump on right away..[…] Read more »…..


Post-Pandemic Adaption with CTO Steve Giovannetti

Apex talks to Steve Giovannetti, the CTO and Founder of Hub City Media, a software integration and development consultancy. Giovannetti has worked in information technology since 1988 and was creating commercial applications based on Internet technologies as early as 1995. Here, Steve discusses how he has been and continues to navigate the post pandemic landscape within ML/AI, Cloud, and more at Hub City Media!


Q: What are the roles and responsibilities of the CTO within your services organization?

A: In an organization like Hub City Media, I wear a few different hats. Ultimately, I’m asked to make decisions and research new Identity and Access management technologies and products nearly every day. More specific parts of my job include:

  • Looking at new products or services we might develop in house.
  • Researching and developing new technologies we can apply to our service delivery like devops, cloud or AI.
  • Coming up with creative solutions to client problems. One of the most common has been helping them deal with the challenges presented by COVID-19.


Q: What sorts of challenges did COVID-19 cause for your clients?

A: The most prevalent challenge was navigating from working in an office to having their entire staff working remotely. Most organizations had access infrastructure like VPNs in their office networks, but these infrastructures weren’t stressed like they were when their entire staff I started working from home. We helped our clients navigate through shoring up capacity, as well as implementing more secure remote access authentication technologies (like multi-factor authentication). This allowed them to connect securely to their on premise or even cloud Applications.


Q: Have you found new vendors for your organizations that are now needed in this time of COVID-19 and remote working?

A: Maybe not new vendors, but there certainly were existing strong authentication vendors that saw a jump in activity once companies wanted to grant more access to applications from remote locations. We saw colossal interest and activity with Access Management, multi-factor authentication and passwordless authentication.


Q: Did you have specific projects or initiatives that have been shelved due to COVID-19 and current realities?

A: Very early at the start of the pandemic, we saw some projects get put on hold; however, that

changed once companies resolved the remote access issue. Then, oddly enough, it was business as usual, and companies even started new initiatives on how to improve remote work. For example, we had one client ask us to help them completely automate their hiring process via their Identity Management system, which was only partially automated at the start of the pandemic.


Q: Where are you in the journey of utilizing hybrid cloud and DevOps? What challenges are you facing?

A: Hub City Media was a very early adopter of public cloud, and immediately grasped the importance of DevOps as a practice and as a set of technologies. We spearheaded early efforts to deploy Identity and Access Management systems using Docker and Kubernetes. That practice is quite mature now, and we are constantly improving our techniques. We’ve been doing a lot more with Infrastructure as Code and automating the provisioning of cloud services where we then deploy products. This has allowed us to decrease time to value for our clients, so we spend less time on infrastructure and more time delivering the functionality they are looking to leverage.


Q: Are you seeing more organizations deploying “Enterprise AI” to address Identity and Access Management or just security in general?

A: Yes. AI is becoming more prevalent in Identity and Access Management systems, especially in Identity Governance, where a lot of the burden is placed on members of an organization, specifically managers, to certify the access of their teams. This is a tremendously tedious task that can mostly be delegated to AI. We are also seeing the application of machine learning to deal with identity role engineering in large enterprises. This is another task where humans get overwhelmed in the data analysis to properly define birthright roles – a perfect task for Machine Learning.


Q: What is the current state of Big Data and AI investment? Do you sense the pace of Big Data and AI investment changing?

A: I see it accelerating in the Identity and Access Management sector. The new products on the market make it fairly easy to prove out value in a quick proof of concept. I would expect using AI for Identity Governance to become quite commonplace, and for it to extend to using AI/ML to make Access Management decisions in the future. That will be driven by analyzing access behaviors of users over time – again, an impossible task for a human to perform or even to codify rule sets in advance, but a perfect application of AI/ML.



Steve Giovannetti – CTO & Founder of Hub City Media

Steve Giovannetti is the CTO and Founder of Hub City Media, a software integration and development consultancy. Giovannetti has worked in information technology since 1988 and was creating commercial applications based on Internet technologies as early as 1995. He specializes in the analysis, design and implementation of distributed, multi-tier, applications, and heavily focuses on containerized solutions and running Identity in the cloud. Since 1999, Giovannetti and Hub City Media have been deploying production identity management, directory, and web access management systems for commercial, government and education customers.

The engagement effect: A CISO’s guide to securing hybrid workplace networks

As we approach the 18-month mark of operating in a pandemic environment, it has become quite clear that the key to securing networks with a remote workforce isn’t just about technology. Engagement is also a vital part of the process. Now, don’t get me wrong. Best-in-class technology still serves as the engine that powers network security. People, however, are the drivers that steer it in the right direction to avoid any potential roadblocks along its path.

Many organizations are beginning to implement a hybrid workplace structure that intermixes in-office and remote work. This transition will require us to again adjust security measures, especially amidst the heightened prevalence of ransomware attacks that have wreaked havoc on organizations across the country. Ensuring the hybrid workplace is protected from ransomware is contingent upon promoting a culture of cross-company cybersecurity engagement. For CISOs, engagement must be a top priority. 

There are three foundational pillars to fostering a cyber-engaged workforce: employee engagement, executive leadership engagement and peer network engagement. Commitment and following through on each pillar of engagement is critical to sustaining agility and business continuity essential for successful network security in a hybrid workplace environment. 

Individual Employee Engagement 

Engagement at the employee level requires CISOs to provide consistent communication and transparency to each individual member of the workforce. Most employees are likely feeling cybersecurity fatigue at this point of the pandemic, making them prone to relaxing their habits or taking occasional shortcuts. This complacent attitude is exactly what successful adversaries look for, and now more than ever, we cannot afford shortcuts. Engagement helps combat that fatigue by generating collective “buy-in” to follow security measures and protocols, awareness of the potential threat and a healthy vigilance – even if those measures and protocols create additional work. 

From high VPN usage and two-factor authentication to maintaining alertness to business email compromise and browser extensions, CISOs should actively educate employees on the importance of following the security “best practices” while settling into a hybrid work structure that works best for your organization. 

This type of personal leadership engagement also calls for CISOs to be readily available for any questions or concerns. Employees should feel encouraged to reach out for help, knowing that there’s no such thing as a dumb question. Frictionless and responsive incident reporting should be a cornerstone with the reinforced understanding that if they report suspicious activity, it’s not only our job to investigate it; we also need to communicate that their concerns are being addressed in a timely manner. Making sure your staff knows their concerns are valued with thoughtful and timely responses (not just canned or automated responses) encourages the reporting of suspicious activity in the future. Extending your reach through valued employees improves your sensor network and serves as a vital component to defending against ransomware and other threats. Without that trust, employees will be less inclined to communicate potential threats reliably and with a similar urgency to prevent an incident or potential network breach. 

Executive Leadership Engagement 

Collective “buy-in” at the executive leadership level is ever more critical to maintaining network security within the hybrid model. Culturally for some organizations, this is easier than others and most of today’s executives just get it and have seen or at least have heard of the catastrophic business losses they could face. But to be effective, employees need to know the commitment starts from the top down. CISOs should engage fellow company executives and provide them education, opportunities and materials to demonstrate observable support and focus relevance for how each department can bring value to the organization’s network security.  If the ownership of information security is the sole dominion of one team, you will forever be fighting an uphill battle.

The IronNet 2021 Cybersecurity Impact Report, an independent study that surveyed 473 security IT decision-makers from the U.S., United Kingdom and Singapore, revealed that 86% of respondents experienced a cyberattack in 2020 that required an emergency meeting among their executive board. In times of crisis, executing an “all-hands-on-deck” incident response plan is reliant on swift action at the executive level, where everyone understands their roles and responsibilities. 

Engaging with executives beforehand to clarify their roles, validate procedures, and challenge assumptions in the wake of a relevant crisis establishes transparency and accountability that quickly trickles down across the entire organization. Where organizations fail is when they don’t question, anticipate communication gaps, or consider undetected threats that could cause significant damage or delays to the mission or business.

For example, the Kaseya ransomware attack could have been prevented had the company’s leadership taken further steps to address staff reports of dangerous security flaws – such as outdated code, vulnerable encryptions and product passwords, as well as negligence in meeting basic cybersecurity patching requirements. The concerns were never fully addressed, causing some employees to quit in frustration with the inaction. And as a result, the company fell victim to the largest ransomware attack in modern history. 

Peer Network Engagement 

There’s a false sense of (cyber)security among many U.S. companies as it pertains to network protection. IronNet’s 2021 Cybersecurity Impact Report found that while 92% of respondents expressed confidence in their current security stacks, nearly half cited a rise in incidents over the last 12 month months..[…] Read more »….


Piloting Data & Analytics Transformation With Ashish Agarwal

Apex talks to Ashish Agarwal, Vice President – Head of Data at LendingTree. Ashish delves into the evolving role of a CDO, business transformation, and navigating the trends and challenges of data and analytics.


Q: What is the difference between a Chief Data Officer and a Chief Analytics Officer? Are they one in the same?  

A: The Chief Data Officer is responsible for facilitating the use of data as a strategic asset within an enterprise, to impact business outcomes. They seek to empower every part of the business to make data-driven decisions, with speed. The Chief Data Officer is expected to curate the data strategy, oversee data management and governance processes, and in many companies lead the data analytics function as well. 

Sometimes a company may designate a Chief Analytics officer, to dedicate focus on data analytics, in order to create value and draw useful insights from the data available within the organization. This role typically leads reporting, data visualization and business intelligence teams. 


Q: How have you seen the role of CDO change? Have you encountered any challenges facing the CDO function?  

A: The CDO role has continued to evolve, since its inception. Initially, the focus of the CDO was on compliance and data governance, particularly security, privacy, and accuracy of the data. These “data defense” responsibilities are now considered table stakes. Increasingly, companies want insights into the changing customer expectations and the highly competitive business landscape. Hence, the CDOs are expected to also power “data offense” initiatives, to grow revenues, profits and customer loyalty, through advanced analytics and data science. 

As far as challenges, there are several. Let me name a few that are common: 

First, misaligned or unrealistic expectations by the organization, when trying to become data-driven. The job is not done, by just recruiting a CDO. It requires adoption of new ways of working, and ongoing unwavering support from the senior leadership team, including the CEO. 

Second, prematurely promoting analytics, before establishing a sound data foundation. Many a times discussions center around expediting self-service analytics, while the organization is missing a strong and effective information governance program. Such situations make it extremely difficult and at times impossible, to realize the benefits of a given analytics initiative. Hence, the onus is on the CDO to reset the collective mindset towards a data culture, even when it may not appear to be the most exciting thing to do. 

Finally, creating transparency into the data available within an enterprise, without compromising security and privacy policies. I walk this line by standardizing and automating data discoverability. Mind you that is different from providing unfettered access to data. Imagine provisioning a catalog or index of available data, supported by a swift process to provision access for the right reasons and right people. 


Q: What were some of the challenges and pitfalls to watch for, when driving transformations and standing up data/analytics processes? What advice do you have to effectively address them? 

A: The overarching challenge is to effectively and safely bridge the gap between the eagerness to use data, and establishing a world class data ecosystem and organizational culture.   

Typically, the data and analytics transformation programs begin with a significant amount of optimism, followed by misdirected fear due to the complexity. Hence, the first order of business should be to educate the stakeholders and quickly even out the hype within the company, so you can start talking about business opportunities and scaling. Following that, it’s all about rolling up your sleeves, doing the work and addressing issues head-on. 

Let me take you through a few examples: 

First, data exists in silos for companies that are not born digital or those that have grown through acquisitions. Further, people tend to get territorial and think they have exclusive rights over their data. So, when attempting to break down silos and creating governance, be sensitive about people dynamics.  

Next, collecting data can open up a company to regulatory risks and privacy issues. It is important to acknowledge that mining and refining data, while it can lead to all kinds of opportunities, it also leads to immense risks. Therefore, setting up strong risk management and governance programs is fundamental. 

That said, simply balancing democratization of data and governance is also not enough. It is critical to enable adoption of products, by providing assistance in the moment to analysts learning the new way. 

Finally, you need the right team behind you. Hire the right talent, one that is not only savvy in the use of the modern data tools, but also people skills. 


Q: How do your teams comply with risk and compliance requirements around data security and data privacy? 

A: The key is to invest in a strong and effective information governance program that is built to enable growth and innovation. Start by asking the question – How can we turn data governance into a source of competitive advantage and a strategic differentiator? Then no longer risk and compliance remain a regulatory requirement, we must fulfill.   

A few key tenets of this approach include:  

  • Take a security-first perspective and achieve a state of continuous compliance, against own set policies and industry compliance standards. You can do that by leveraging tools and automation, to get a unified view of all cloud accounts, generate regular compliance reports and send alerts on security threats in real-time. 
  • Be maniacal about operational consistency. From a compliance perspective, the more an organization drives consistency of operations, the easier it is to respond to audit requests and enforce security. For example, extend effective operational security and compliance functions that exist on-premises, also to respective cloud services. 
  • Keep up with the evolving standards, through a flexible change management process and a comprehensive blueprint that reconciles and rationalizes requirements for industry standards, such as PCI-DSS, GDPR, CCPA, HIPAA etc.  


Q: What are the current data trends and how will it impact your organization?  

A: This is a great time to be involved with data. Here are a few noteworthy trends, that I am excited about: 

  • Augmented analytics, that automates data analysis using Machine learning and Natural Language processing. As data continues to arrive in higher volumes and varied sources, use of automation is the key to finding redundancies and errors rapidly. This can help organizations accelerate the path towards efficiently identifying trends and patterns, within their data.
  • Data-as-a-service, which makes data readily accessible internally and from external sources, such as data marketplaces on the Cloud, using a range of modes and interfaces. This new way of delivering information to a user or system, regardless of organizational or geographical barriers, is very empowering and can bring tremendous agility to a business, promote self-service and improve productivity.
  • DataOps, which brings lean principles of removing waste and relentless focus on quality into the data domain. Similar to how software development has been embracing the best practices of lean manufacturing, the development and operations of data can greatly benefit by incorporating Agile and automation practices, to yield greater productivity and quality. 
  • Quantum computing, that will radically advance the speed and scale of data processing through the use of quantum computers, compared to classical computers. This technology has the promise to revolutionize several industries, such as data security, finance, medicine and communications. 


Q: How important is it to have a data driven culture? Have there been obstacles to building a data culture and if so, how have you resolved them?  

A: To sustain in business today, being data driven is not a choice, but a requirement. How well you contextualize and personalize the experience for a customer, can make the difference between retaining or losing them to your competition. 

Yet the biggest obstacle enterprises face is evolving the business model that made them successful in the past, into what is necessary for the business to survive and thrive in the future. This is particularly seen at legacy companies with tenured leaders, who have been phenomenally successful in producing results. I address this challenge, by facilitating data literacy to provide coaching not only to the people on the ground, but also top leadership on the new ways of working, where strategic decisions are driven by sound data analysis, and not just gut feel or how it has always been done.  

The other obstacle is underestimating the investment and commitment it takes, to build a foundation of technology and disciplined  data driven practices. This is not just about buying new technologies, which can be daunting, but committing time and energy of already busy people to a set of activities, which may seem mundane, like reviewing error logs and tweaking data quality rules to accommodate data drift. Further, it requires making hard decisions on breaking down data silos and overcoming ownership issues to facilitate data access, but not compromising on security and compliance policies. 

Finally, there is a tremendous amount of turnover in the job market, due to shortage of relevant skills. Hence employee retention needs to become a critical focus area for the management team. My strategy is to invest in the future of the employees, by offering an environment of learning, and creating opportunities that allow them to have fun, while performing meaningful work. 




Ashish Agarwa – Vice President, Head of Data at LendingTree

Ashish Agarwal is a transformational business-technology executive, passionate about harnessing the power of Digital and Data, to deliver superior customer experiences and achieve ambitious business goals.

Ashish is the Vice President – Head of Data at LendingTree, where he is helping the business grow and become strategic with Data.

Prior to joining LendingTree, he served as Senior Director – Enterprise Data/Analytics and Digital at Ally Financial. Ashish was responsible for innovating and transforming the Digital channels, modernizing the Data ecosystem, developing Fintech partnerships and influencing strategic investments, while building a phenomenally successful engineering centric organization and culture.

Before Ally, Ashish drove business critical Digital and Big Data technology solutions for high performance security trading and consumer lending platforms, at Bank of America and Fidelity Information services.

Ashish is an avid agilist and enjoys bringing together diverse mindsets, and empowering multi-disciplinary teams, to produce transformational business results. 

Ashish holds an M.B.A from Georgia State University, M.S. in Computer Science from Kent State University, and is certified in Data Science/Machine Learning from UC Berkeley and Harvard University.


Changing Lives Through Digital Transformation

Apex talks to Siva Balu, Vice President and Chief Information Officer at YMCA OF THE USA about Digital Transformation and what it means to him and his organization. With 20+ years as an industry leader, his perspective is a must read! 


Q: What does Digital Transformation mean to you?

A: Digital Transformation is to reimagine running your business in a new way using digital technology thereby exponentially changing the experiences of your consumers

Digital transformation is not just for your consumers, it is also transforming the experiences of your employees and stakeholders for the better. 

Digital Transformation is not a project but a continuum where you continuously strive to rethink on how to accomplish your business strategy through digital technology.

I consider there are three foundations of Digital Transformation: technology, security, and data. 


Q: What are some of the challenges of Digital Transformation?

A: Well, to start with, Digital Transformation has become a buzzword. It is very important to spend time in strategic thought leadership on what Digital Transformation means to your organization. How will Digital Transformation impact your consumers and how will it help you grow your business, reduce overhead, significantly increase the customer experience. The first challenge is to define what Digital Transformation means to your organization through a strategic roadmap. Then, it is important to get the stakeholder buy-in. Digital Transformation is not an IT project. It is an asset that needs to be thoughtfully planned. The last challenge would be strategic investment. In many cases, Digital Transformation initiatives tend to run multiple years. It is important to stay the course.



Q: What does Digital Transformation mean to your organization?

A: We are in the early stages of digital transformation where we are rethinking how we interact with our constituents in various areas including branding, marketing, communications, virtual interactions, mobile experience, etc. We are reimagining delivery of fitness and wellness through virtual and mobile platforms. We are looking to connect our digital products to our digital ecosystems. This will help us to tap into the big data in the backend for business intelligence and data analytics. This will also help us curate the consumer experience.

In addition, we are developing secure digital products to deliver chronic disease prevention programs to the program participants. We are currently getting inputs from various stakeholders to identify use cases for our digital transformation, including mental health programs, diversity content and more. 

This is an exciting time to be able to use digital to have a measurable impact in people’s lives. 


Q: What are your top data priorities: business growth, data security/privacy, legal/regulatory concerns, expense reduction…?

A: Some of our top priorities are foundation to our technology ecosystem and our digital transformation. For example, information security and privacy are non-negotiable. We look at data to help enhance our brand value. We use data to empower and enhance our consumer experience and in the long run identify areas where we need to focus on. Diversity, Equity, and Inclusion is an utmost priority for us. We use big data to help us identify where we need to provide programs and services where there may be a need. We are looking to transform our customer relationship management through our digital transformation initiatives. 



Q: How are you justifying the cost needed to evolve and adapt IT to support the speed and agility required by the business?

A: I am smiling thinking about this question. Whether your organization is for-profit, non-profit, government agency or NGO, and irrespective of your industry, everyone is faced with the question of cost at some point. 

This is where having a strong strategic direction, along with stakeholder buy-in is very important. Another issue I have both seen and experienced is, the key stakeholders and leadership treating IT as a silo department. The IT assets belong to the organization, not just to IT. In my experience, any time when there is a need to find efficiencies or cut costs, IT becomes the first target. This is because IT is perceived as expensive by the corresponding stakeholders. So, the challenges of cost justification are real.  

The best approach that has worked for me to continue to evaluate the IT costs and balance it with the business value proposition. The head of the IT team needs to think, act, and react like a business owner. Some of the fundamental values I have practiced are transparency, strategic alignment, constant communication, stakeholder buy-in, not being territorial and most important is to build trust.  Taking the stakeholders through the journey of what is being developed in IT and how it is going to help the organization, answering questions, being objective and open minded will ease the cost justification conversations. 

At the end, showing results will speak for itself. For the IT leaders, while it will be important to justify costs, it is equally important to continuously show the progress and results to your stakeholders.



Q: How would you define “Enterprise AI” in a non-digital native enterprise like your organization?

A: First, every organization will be digital-native in the near future, if not already. Then the premise is, how do we define “Enterprise AI”? It is a question of ‘when’ and not ‘if’. I predict every organization will be using AI in some form or the other in three to five years, most of it will be through integrating with strategic partners and products. AI will help organizations propel into the digital age, provided they have the right use cases identified to focus on. Just like how we moved from mainframes to client-servers, on-premises data centers to cloud, etc., we will move our analytics and business intelligence to AI models. And it will become second nature. There is also a perceived barrier to entry to AI, as there are cost and skillset barriers. We will see more and more vendors providing products powered by AI that will be used at an enterprise level.



Q: How is your organization leveraging Big Data and AI and machine learning to transform their businesses and what opportunities does it present to the business? What are the challenges, and how can these be best overcome?

A: In our newly developed digital platform as part of our digital transformation, we deliver virtual and mobile digital products. We are creating AI models to start using the data to train and deliver the highest level of experience to our consumers through curated content. The challenge we see is with the data, both the quality and the context. We are working on tuning our algorithms to continue to improve our models. 



Q: What operating model and cultural changes have you considered as you shift to a digital business? What parts of your business would benefit the most from a greater digital foundation?

A: I believe the entire organization can benefit from a strong digital foundation. Within the technology team, we are completely in an agile delivery model. We continue to deliver, learn from our mistakes, and keep making relentless forward progress. It may take a bit more time to educate all the cross-functional teams and bring them on the digital journey. We are off to a good start. 



Q: How has DevOps and cloud services changed the way you design, build, deploy, and operate online systems and secure infrastructure?

A: We are a 100% DevOps and Cloud Services shop. This has indeed tremendously helped us move ahead in lightning speed to focus on our digital platform and products, and most importantly to deliver to our consumers. What this has given us is to avoid the distraction of maintaining the legacy systems, time delays due to hardware purchases or other similar challenges one could face by not using cloud services. On the flip side, the DevOps approach helps us focus on the work needed to operate and secure our infrastructure. We encourage a culture of collaboration among all teammates and partners.



Q: What advice would you give an early-stage CIO or CDO joining an enterprise organization?

A: First, understand where your personal and professional passion is. We are all humans who bring our personal self to a professional place of work. Take time to understand the business, the strategy, and the stakeholders. Your team is your important asset. Develop, coach, and build a strong team.  Focus on building trust and credibility. Trust and credibility are built over time by keeping up one’s commitments and delivering consistently.


Siva Balu – Vice President & Chief Information Officer at YMCA OF THE USA

Siva Balu is the Vice President and Chief Information Officer at YMCA OF THE USA. In this role, he is working to rethink the work of Y-USA’s information technology strategy to meet the changing needs of Y-USA and YMCAs throughout the country.

YMCA of the USA is the national resource office for the nation’s YMCAs. The Y is the leading nonprofit in 10,000 communities across the nation delivering positive change through 2,700 YMCAs focusing on youth development, healthy living and social responsibility.

Siva is the creator of the new Y Cloud digital platform to deliver digital, virtual and mobile products to members across the nation. Y Cloud is the world’s first digital platform built for non-profits by non-profit.  

As the CIO, Siva works with the key stakeholders across the nation’s YMCAs in achieving the strategic vision. He leads the creation and execution of the technology strategy through collaboration and thought leadership including digital transformation, data strategy, cloud strategy, information security, project management, mobile apps, social media, CRM, data warehouses & business intelligence, IT infrastructure & operations to support the YMCA movement.

Prior to his current role, Siva has 20 years of healthcare technology experience in leadership roles for Blue Cross Blue Shield, the nation’s largest health insurer, which provides healthcare to over 107 million members—1 in 3 Americans. He most recently led the Enterprise Information Technology team at the Blue Cross Blue Shield Association (BCBSA), a national federation of Blue Cross and Blue Shield companies. He has created several highly scalable innovative solutions that cater to the needs of members and patients throughout the country in all communities. He provided leadership in creating innovative solutions and adopting new technologies for national and international users.

Siva earned a bachelor’s degree in electronics and communication engineering from Bharathiar University in India, a master’s in business administration from Lake Forest Graduate School of Management and executive master’s degrees from Harvard and MIT in Innovation, Strategy and Artificial Intelligence.

In his free time, he volunteers and contributes to several charities, including Special Olympics, Chicago Food Depository, Challenged Athletes Foundation, Beyond Hunger, The Pack Shack, Cradles to Crayons and Gardeneers. Siva is a Board Member at Sarah’s Inn, a non-profit supporting individuals and families impacted by domestic violence, and at The Soondra Foundation, a non-profit that provides healthcare to the poor working class in India. 

Siva developed a passion for long-distance running a few years ago starting with a 5k, and then to marathons and to running multiple ultramarathons. He has run multiple 100-mile races. He recently ran what is referred to as ‘the world’s toughest foot race,’ Badwater 135-miler in Death Valley, and one of the world’s coldest races, Tuscobia 160-miler.