Category: Security

Post-Pandemic Adaption with CTO Steve Giovannetti

Apex talks to Steve Giovannetti, the CTO and Founder of Hub City Media, a software integration and development consultancy. Giovannetti has worked in information technology since 1988 and was creating commercial applications based on Internet technologies as early as 1995. Here, Steve discusses how he has been and continues to navigate the post pandemic landscape within ML/AI, Cloud, and more at Hub City Media!

 

Q: What are the roles and responsibilities of the CTO within your services organization?

A: In an organization like Hub City Media, I wear a few different hats. Ultimately, I’m asked to make decisions and research new Identity and Access management technologies and products nearly every day. More specific parts of my job include:

  • Looking at new products or services we might develop in house.
  • Researching and developing new technologies we can apply to our service delivery like devops, cloud or AI.
  • Coming up with creative solutions to client problems. One of the most common has been helping them deal with the challenges presented by COVID-19.

 

Q: What sorts of challenges did COVID-19 cause for your clients?

A: The most prevalent challenge was navigating from working in an office to having their entire staff working remotely. Most organizations had access infrastructure like VPNs in their office networks, but these infrastructures weren’t stressed like they were when their entire staff I started working from home. We helped our clients navigate through shoring up capacity, as well as implementing more secure remote access authentication technologies (like multi-factor authentication). This allowed them to connect securely to their on premise or even cloud Applications.

 

Q: Have you found new vendors for your organizations that are now needed in this time of COVID-19 and remote working?

A: Maybe not new vendors, but there certainly were existing strong authentication vendors that saw a jump in activity once companies wanted to grant more access to applications from remote locations. We saw colossal interest and activity with Access Management, multi-factor authentication and passwordless authentication.

 

Q: Did you have specific projects or initiatives that have been shelved due to COVID-19 and current realities?

A: Very early at the start of the pandemic, we saw some projects get put on hold; however, that

changed once companies resolved the remote access issue. Then, oddly enough, it was business as usual, and companies even started new initiatives on how to improve remote work. For example, we had one client ask us to help them completely automate their hiring process via their Identity Management system, which was only partially automated at the start of the pandemic.

 

Q: Where are you in the journey of utilizing hybrid cloud and DevOps? What challenges are you facing?

A: Hub City Media was a very early adopter of public cloud, and immediately grasped the importance of DevOps as a practice and as a set of technologies. We spearheaded early efforts to deploy Identity and Access Management systems using Docker and Kubernetes. That practice is quite mature now, and we are constantly improving our techniques. We’ve been doing a lot more with Infrastructure as Code and automating the provisioning of cloud services where we then deploy products. This has allowed us to decrease time to value for our clients, so we spend less time on infrastructure and more time delivering the functionality they are looking to leverage.

 

Q: Are you seeing more organizations deploying “Enterprise AI” to address Identity and Access Management or just security in general?

A: Yes. AI is becoming more prevalent in Identity and Access Management systems, especially in Identity Governance, where a lot of the burden is placed on members of an organization, specifically managers, to certify the access of their teams. This is a tremendously tedious task that can mostly be delegated to AI. We are also seeing the application of machine learning to deal with identity role engineering in large enterprises. This is another task where humans get overwhelmed in the data analysis to properly define birthright roles – a perfect task for Machine Learning.

 

Q: What is the current state of Big Data and AI investment? Do you sense the pace of Big Data and AI investment changing?

A: I see it accelerating in the Identity and Access Management sector. The new products on the market make it fairly easy to prove out value in a quick proof of concept. I would expect using AI for Identity Governance to become quite commonplace, and for it to extend to using AI/ML to make Access Management decisions in the future. That will be driven by analyzing access behaviors of users over time – again, an impossible task for a human to perform or even to codify rule sets in advance, but a perfect application of AI/ML.

 

 

Steve Giovannetti – CTO & Founder of Hub City Media

Steve Giovannetti is the CTO and Founder of Hub City Media, a software integration and development consultancy. Giovannetti has worked in information technology since 1988 and was creating commercial applications based on Internet technologies as early as 1995. He specializes in the analysis, design and implementation of distributed, multi-tier, applications, and heavily focuses on containerized solutions and running Identity in the cloud. Since 1999, Giovannetti and Hub City Media have been deploying production identity management, directory, and web access management systems for commercial, government and education customers.

The engagement effect: A CISO’s guide to securing hybrid workplace networks

As we approach the 18-month mark of operating in a pandemic environment, it has become quite clear that the key to securing networks with a remote workforce isn’t just about technology. Engagement is also a vital part of the process. Now, don’t get me wrong. Best-in-class technology still serves as the engine that powers network security. People, however, are the drivers that steer it in the right direction to avoid any potential roadblocks along its path.

Many organizations are beginning to implement a hybrid workplace structure that intermixes in-office and remote work. This transition will require us to again adjust security measures, especially amidst the heightened prevalence of ransomware attacks that have wreaked havoc on organizations across the country. Ensuring the hybrid workplace is protected from ransomware is contingent upon promoting a culture of cross-company cybersecurity engagement. For CISOs, engagement must be a top priority. 

There are three foundational pillars to fostering a cyber-engaged workforce: employee engagement, executive leadership engagement and peer network engagement. Commitment and following through on each pillar of engagement is critical to sustaining agility and business continuity essential for successful network security in a hybrid workplace environment. 

Individual Employee Engagement 

Engagement at the employee level requires CISOs to provide consistent communication and transparency to each individual member of the workforce. Most employees are likely feeling cybersecurity fatigue at this point of the pandemic, making them prone to relaxing their habits or taking occasional shortcuts. This complacent attitude is exactly what successful adversaries look for, and now more than ever, we cannot afford shortcuts. Engagement helps combat that fatigue by generating collective “buy-in” to follow security measures and protocols, awareness of the potential threat and a healthy vigilance – even if those measures and protocols create additional work. 

From high VPN usage and two-factor authentication to maintaining alertness to business email compromise and browser extensions, CISOs should actively educate employees on the importance of following the security “best practices” while settling into a hybrid work structure that works best for your organization. 

This type of personal leadership engagement also calls for CISOs to be readily available for any questions or concerns. Employees should feel encouraged to reach out for help, knowing that there’s no such thing as a dumb question. Frictionless and responsive incident reporting should be a cornerstone with the reinforced understanding that if they report suspicious activity, it’s not only our job to investigate it; we also need to communicate that their concerns are being addressed in a timely manner. Making sure your staff knows their concerns are valued with thoughtful and timely responses (not just canned or automated responses) encourages the reporting of suspicious activity in the future. Extending your reach through valued employees improves your sensor network and serves as a vital component to defending against ransomware and other threats. Without that trust, employees will be less inclined to communicate potential threats reliably and with a similar urgency to prevent an incident or potential network breach. 

Executive Leadership Engagement 

Collective “buy-in” at the executive leadership level is ever more critical to maintaining network security within the hybrid model. Culturally for some organizations, this is easier than others and most of today’s executives just get it and have seen or at least have heard of the catastrophic business losses they could face. But to be effective, employees need to know the commitment starts from the top down. CISOs should engage fellow company executives and provide them education, opportunities and materials to demonstrate observable support and focus relevance for how each department can bring value to the organization’s network security.  If the ownership of information security is the sole dominion of one team, you will forever be fighting an uphill battle.

The IronNet 2021 Cybersecurity Impact Report, an independent study that surveyed 473 security IT decision-makers from the U.S., United Kingdom and Singapore, revealed that 86% of respondents experienced a cyberattack in 2020 that required an emergency meeting among their executive board. In times of crisis, executing an “all-hands-on-deck” incident response plan is reliant on swift action at the executive level, where everyone understands their roles and responsibilities. 

Engaging with executives beforehand to clarify their roles, validate procedures, and challenge assumptions in the wake of a relevant crisis establishes transparency and accountability that quickly trickles down across the entire organization. Where organizations fail is when they don’t question, anticipate communication gaps, or consider undetected threats that could cause significant damage or delays to the mission or business.

For example, the Kaseya ransomware attack could have been prevented had the company’s leadership taken further steps to address staff reports of dangerous security flaws – such as outdated code, vulnerable encryptions and product passwords, as well as negligence in meeting basic cybersecurity patching requirements. The concerns were never fully addressed, causing some employees to quit in frustration with the inaction. And as a result, the company fell victim to the largest ransomware attack in modern history. 

Peer Network Engagement 

There’s a false sense of (cyber)security among many U.S. companies as it pertains to network protection. IronNet’s 2021 Cybersecurity Impact Report found that while 92% of respondents expressed confidence in their current security stacks, nearly half cited a rise in incidents over the last 12 month months..[…] Read more »….

 

Piloting Data & Analytics Transformation With Ashish Agarwal

Apex talks to Ashish Agarwal, Vice President – Head of Data at LendingTree. Ashish delves into the evolving role of a CDO, business transformation, and navigating the trends and challenges of data and analytics.

 

Q: What is the difference between a Chief Data Officer and a Chief Analytics Officer? Are they one in the same?  

A: The Chief Data Officer is responsible for facilitating the use of data as a strategic asset within an enterprise, to impact business outcomes. They seek to empower every part of the business to make data-driven decisions, with speed. The Chief Data Officer is expected to curate the data strategy, oversee data management and governance processes, and in many companies lead the data analytics function as well. 

Sometimes a company may designate a Chief Analytics officer, to dedicate focus on data analytics, in order to create value and draw useful insights from the data available within the organization. This role typically leads reporting, data visualization and business intelligence teams. 

 

Q: How have you seen the role of CDO change? Have you encountered any challenges facing the CDO function?  

A: The CDO role has continued to evolve, since its inception. Initially, the focus of the CDO was on compliance and data governance, particularly security, privacy, and accuracy of the data. These “data defense” responsibilities are now considered table stakes. Increasingly, companies want insights into the changing customer expectations and the highly competitive business landscape. Hence, the CDOs are expected to also power “data offense” initiatives, to grow revenues, profits and customer loyalty, through advanced analytics and data science. 

As far as challenges, there are several. Let me name a few that are common: 

First, misaligned or unrealistic expectations by the organization, when trying to become data-driven. The job is not done, by just recruiting a CDO. It requires adoption of new ways of working, and ongoing unwavering support from the senior leadership team, including the CEO. 

Second, prematurely promoting analytics, before establishing a sound data foundation. Many a times discussions center around expediting self-service analytics, while the organization is missing a strong and effective information governance program. Such situations make it extremely difficult and at times impossible, to realize the benefits of a given analytics initiative. Hence, the onus is on the CDO to reset the collective mindset towards a data culture, even when it may not appear to be the most exciting thing to do. 

Finally, creating transparency into the data available within an enterprise, without compromising security and privacy policies. I walk this line by standardizing and automating data discoverability. Mind you that is different from providing unfettered access to data. Imagine provisioning a catalog or index of available data, supported by a swift process to provision access for the right reasons and right people. 

  

Q: What were some of the challenges and pitfalls to watch for, when driving transformations and standing up data/analytics processes? What advice do you have to effectively address them? 

A: The overarching challenge is to effectively and safely bridge the gap between the eagerness to use data, and establishing a world class data ecosystem and organizational culture.   

Typically, the data and analytics transformation programs begin with a significant amount of optimism, followed by misdirected fear due to the complexity. Hence, the first order of business should be to educate the stakeholders and quickly even out the hype within the company, so you can start talking about business opportunities and scaling. Following that, it’s all about rolling up your sleeves, doing the work and addressing issues head-on. 

Let me take you through a few examples: 

First, data exists in silos for companies that are not born digital or those that have grown through acquisitions. Further, people tend to get territorial and think they have exclusive rights over their data. So, when attempting to break down silos and creating governance, be sensitive about people dynamics.  

Next, collecting data can open up a company to regulatory risks and privacy issues. It is important to acknowledge that mining and refining data, while it can lead to all kinds of opportunities, it also leads to immense risks. Therefore, setting up strong risk management and governance programs is fundamental. 

That said, simply balancing democratization of data and governance is also not enough. It is critical to enable adoption of products, by providing assistance in the moment to analysts learning the new way. 

Finally, you need the right team behind you. Hire the right talent, one that is not only savvy in the use of the modern data tools, but also people skills. 

 

Q: How do your teams comply with risk and compliance requirements around data security and data privacy? 

A: The key is to invest in a strong and effective information governance program that is built to enable growth and innovation. Start by asking the question – How can we turn data governance into a source of competitive advantage and a strategic differentiator? Then no longer risk and compliance remain a regulatory requirement, we must fulfill.   

A few key tenets of this approach include:  

  • Take a security-first perspective and achieve a state of continuous compliance, against own set policies and industry compliance standards. You can do that by leveraging tools and automation, to get a unified view of all cloud accounts, generate regular compliance reports and send alerts on security threats in real-time. 
  • Be maniacal about operational consistency. From a compliance perspective, the more an organization drives consistency of operations, the easier it is to respond to audit requests and enforce security. For example, extend effective operational security and compliance functions that exist on-premises, also to respective cloud services. 
  • Keep up with the evolving standards, through a flexible change management process and a comprehensive blueprint that reconciles and rationalizes requirements for industry standards, such as PCI-DSS, GDPR, CCPA, HIPAA etc.  

 

Q: What are the current data trends and how will it impact your organization?  

A: This is a great time to be involved with data. Here are a few noteworthy trends, that I am excited about: 

  • Augmented analytics, that automates data analysis using Machine learning and Natural Language processing. As data continues to arrive in higher volumes and varied sources, use of automation is the key to finding redundancies and errors rapidly. This can help organizations accelerate the path towards efficiently identifying trends and patterns, within their data.
  • Data-as-a-service, which makes data readily accessible internally and from external sources, such as data marketplaces on the Cloud, using a range of modes and interfaces. This new way of delivering information to a user or system, regardless of organizational or geographical barriers, is very empowering and can bring tremendous agility to a business, promote self-service and improve productivity.
  • DataOps, which brings lean principles of removing waste and relentless focus on quality into the data domain. Similar to how software development has been embracing the best practices of lean manufacturing, the development and operations of data can greatly benefit by incorporating Agile and automation practices, to yield greater productivity and quality. 
  • Quantum computing, that will radically advance the speed and scale of data processing through the use of quantum computers, compared to classical computers. This technology has the promise to revolutionize several industries, such as data security, finance, medicine and communications. 

 

Q: How important is it to have a data driven culture? Have there been obstacles to building a data culture and if so, how have you resolved them?  

A: To sustain in business today, being data driven is not a choice, but a requirement. How well you contextualize and personalize the experience for a customer, can make the difference between retaining or losing them to your competition. 

Yet the biggest obstacle enterprises face is evolving the business model that made them successful in the past, into what is necessary for the business to survive and thrive in the future. This is particularly seen at legacy companies with tenured leaders, who have been phenomenally successful in producing results. I address this challenge, by facilitating data literacy to provide coaching not only to the people on the ground, but also top leadership on the new ways of working, where strategic decisions are driven by sound data analysis, and not just gut feel or how it has always been done.  

The other obstacle is underestimating the investment and commitment it takes, to build a foundation of technology and disciplined  data driven practices. This is not just about buying new technologies, which can be daunting, but committing time and energy of already busy people to a set of activities, which may seem mundane, like reviewing error logs and tweaking data quality rules to accommodate data drift. Further, it requires making hard decisions on breaking down data silos and overcoming ownership issues to facilitate data access, but not compromising on security and compliance policies. 

Finally, there is a tremendous amount of turnover in the job market, due to shortage of relevant skills. Hence employee retention needs to become a critical focus area for the management team. My strategy is to invest in the future of the employees, by offering an environment of learning, and creating opportunities that allow them to have fun, while performing meaningful work. 

 

 

 

Ashish Agarwa – Vice President, Head of Data at LendingTree

Ashish Agarwal is a transformational business-technology executive, passionate about harnessing the power of Digital and Data, to deliver superior customer experiences and achieve ambitious business goals.

Ashish is the Vice President – Head of Data at LendingTree, where he is helping the business grow and become strategic with Data.

Prior to joining LendingTree, he served as Senior Director – Enterprise Data/Analytics and Digital at Ally Financial. Ashish was responsible for innovating and transforming the Digital channels, modernizing the Data ecosystem, developing Fintech partnerships and influencing strategic investments, while building a phenomenally successful engineering centric organization and culture.

Before Ally, Ashish drove business critical Digital and Big Data technology solutions for high performance security trading and consumer lending platforms, at Bank of America and Fidelity Information services.

Ashish is an avid agilist and enjoys bringing together diverse mindsets, and empowering multi-disciplinary teams, to produce transformational business results. 

Ashish holds an M.B.A from Georgia State University, M.S. in Computer Science from Kent State University, and is certified in Data Science/Machine Learning from UC Berkeley and Harvard University.

 

Changing Lives Through Digital Transformation

Apex talks to Siva Balu, Vice President and Chief Information Officer at YMCA OF THE USA about Digital Transformation and what it means to him and his organization. With 20+ years as an industry leader, his perspective is a must read! 

 

Q: What does Digital Transformation mean to you?

A: Digital Transformation is to reimagine running your business in a new way using digital technology thereby exponentially changing the experiences of your consumers

Digital transformation is not just for your consumers, it is also transforming the experiences of your employees and stakeholders for the better. 

Digital Transformation is not a project but a continuum where you continuously strive to rethink on how to accomplish your business strategy through digital technology.

I consider there are three foundations of Digital Transformation: technology, security, and data. 

 

Q: What are some of the challenges of Digital Transformation?

A: Well, to start with, Digital Transformation has become a buzzword. It is very important to spend time in strategic thought leadership on what Digital Transformation means to your organization. How will Digital Transformation impact your consumers and how will it help you grow your business, reduce overhead, significantly increase the customer experience. The first challenge is to define what Digital Transformation means to your organization through a strategic roadmap. Then, it is important to get the stakeholder buy-in. Digital Transformation is not an IT project. It is an asset that needs to be thoughtfully planned. The last challenge would be strategic investment. In many cases, Digital Transformation initiatives tend to run multiple years. It is important to stay the course.

 

 

Q: What does Digital Transformation mean to your organization?

A: We are in the early stages of digital transformation where we are rethinking how we interact with our constituents in various areas including branding, marketing, communications, virtual interactions, mobile experience, etc. We are reimagining delivery of fitness and wellness through virtual and mobile platforms. We are looking to connect our digital products to our digital ecosystems. This will help us to tap into the big data in the backend for business intelligence and data analytics. This will also help us curate the consumer experience.

In addition, we are developing secure digital products to deliver chronic disease prevention programs to the program participants. We are currently getting inputs from various stakeholders to identify use cases for our digital transformation, including mental health programs, diversity content and more. 

This is an exciting time to be able to use digital to have a measurable impact in people’s lives. 

 

Q: What are your top data priorities: business growth, data security/privacy, legal/regulatory concerns, expense reduction…?

A: Some of our top priorities are foundation to our technology ecosystem and our digital transformation. For example, information security and privacy are non-negotiable. We look at data to help enhance our brand value. We use data to empower and enhance our consumer experience and in the long run identify areas where we need to focus on. Diversity, Equity, and Inclusion is an utmost priority for us. We use big data to help us identify where we need to provide programs and services where there may be a need. We are looking to transform our customer relationship management through our digital transformation initiatives. 

 

 

Q: How are you justifying the cost needed to evolve and adapt IT to support the speed and agility required by the business?

A: I am smiling thinking about this question. Whether your organization is for-profit, non-profit, government agency or NGO, and irrespective of your industry, everyone is faced with the question of cost at some point. 

This is where having a strong strategic direction, along with stakeholder buy-in is very important. Another issue I have both seen and experienced is, the key stakeholders and leadership treating IT as a silo department. The IT assets belong to the organization, not just to IT. In my experience, any time when there is a need to find efficiencies or cut costs, IT becomes the first target. This is because IT is perceived as expensive by the corresponding stakeholders. So, the challenges of cost justification are real.  

The best approach that has worked for me to continue to evaluate the IT costs and balance it with the business value proposition. The head of the IT team needs to think, act, and react like a business owner. Some of the fundamental values I have practiced are transparency, strategic alignment, constant communication, stakeholder buy-in, not being territorial and most important is to build trust.  Taking the stakeholders through the journey of what is being developed in IT and how it is going to help the organization, answering questions, being objective and open minded will ease the cost justification conversations. 

At the end, showing results will speak for itself. For the IT leaders, while it will be important to justify costs, it is equally important to continuously show the progress and results to your stakeholders.

 

 

Q: How would you define “Enterprise AI” in a non-digital native enterprise like your organization?

A: First, every organization will be digital-native in the near future, if not already. Then the premise is, how do we define “Enterprise AI”? It is a question of ‘when’ and not ‘if’. I predict every organization will be using AI in some form or the other in three to five years, most of it will be through integrating with strategic partners and products. AI will help organizations propel into the digital age, provided they have the right use cases identified to focus on. Just like how we moved from mainframes to client-servers, on-premises data centers to cloud, etc., we will move our analytics and business intelligence to AI models. And it will become second nature. There is also a perceived barrier to entry to AI, as there are cost and skillset barriers. We will see more and more vendors providing products powered by AI that will be used at an enterprise level.

 

 

Q: How is your organization leveraging Big Data and AI and machine learning to transform their businesses and what opportunities does it present to the business? What are the challenges, and how can these be best overcome?

A: In our newly developed digital platform as part of our digital transformation, we deliver virtual and mobile digital products. We are creating AI models to start using the data to train and deliver the highest level of experience to our consumers through curated content. The challenge we see is with the data, both the quality and the context. We are working on tuning our algorithms to continue to improve our models. 

 

 

Q: What operating model and cultural changes have you considered as you shift to a digital business? What parts of your business would benefit the most from a greater digital foundation?

A: I believe the entire organization can benefit from a strong digital foundation. Within the technology team, we are completely in an agile delivery model. We continue to deliver, learn from our mistakes, and keep making relentless forward progress. It may take a bit more time to educate all the cross-functional teams and bring them on the digital journey. We are off to a good start. 

 

 

Q: How has DevOps and cloud services changed the way you design, build, deploy, and operate online systems and secure infrastructure?

A: We are a 100% DevOps and Cloud Services shop. This has indeed tremendously helped us move ahead in lightning speed to focus on our digital platform and products, and most importantly to deliver to our consumers. What this has given us is to avoid the distraction of maintaining the legacy systems, time delays due to hardware purchases or other similar challenges one could face by not using cloud services. On the flip side, the DevOps approach helps us focus on the work needed to operate and secure our infrastructure. We encourage a culture of collaboration among all teammates and partners.

 

 

Q: What advice would you give an early-stage CIO or CDO joining an enterprise organization?

A: First, understand where your personal and professional passion is. We are all humans who bring our personal self to a professional place of work. Take time to understand the business, the strategy, and the stakeholders. Your team is your important asset. Develop, coach, and build a strong team.  Focus on building trust and credibility. Trust and credibility are built over time by keeping up one’s commitments and delivering consistently.

 

Siva Balu – Vice President & Chief Information Officer at YMCA OF THE USA

Siva Balu is the Vice President and Chief Information Officer at YMCA OF THE USA. In this role, he is working to rethink the work of Y-USA’s information technology strategy to meet the changing needs of Y-USA and YMCAs throughout the country.

YMCA of the USA is the national resource office for the nation’s YMCAs. The Y is the leading nonprofit in 10,000 communities across the nation delivering positive change through 2,700 YMCAs focusing on youth development, healthy living and social responsibility.

Siva is the creator of the new Y Cloud digital platform to deliver digital, virtual and mobile products to members across the nation. Y Cloud is the world’s first digital platform built for non-profits by non-profit.  

As the CIO, Siva works with the key stakeholders across the nation’s YMCAs in achieving the strategic vision. He leads the creation and execution of the technology strategy through collaboration and thought leadership including digital transformation, data strategy, cloud strategy, information security, project management, mobile apps, social media, CRM, data warehouses & business intelligence, IT infrastructure & operations to support the YMCA movement.

Prior to his current role, Siva has 20 years of healthcare technology experience in leadership roles for Blue Cross Blue Shield, the nation’s largest health insurer, which provides healthcare to over 107 million members—1 in 3 Americans. He most recently led the Enterprise Information Technology team at the Blue Cross Blue Shield Association (BCBSA), a national federation of Blue Cross and Blue Shield companies. He has created several highly scalable innovative solutions that cater to the needs of members and patients throughout the country in all communities. He provided leadership in creating innovative solutions and adopting new technologies for national and international users.

Siva earned a bachelor’s degree in electronics and communication engineering from Bharathiar University in India, a master’s in business administration from Lake Forest Graduate School of Management and executive master’s degrees from Harvard and MIT in Innovation, Strategy and Artificial Intelligence.

In his free time, he volunteers and contributes to several charities, including Special Olympics, Chicago Food Depository, Challenged Athletes Foundation, Beyond Hunger, The Pack Shack, Cradles to Crayons and Gardeneers. Siva is a Board Member at Sarah’s Inn, a non-profit supporting individuals and families impacted by domestic violence, and at The Soondra Foundation, a non-profit that provides healthcare to the poor working class in India. 

Siva developed a passion for long-distance running a few years ago starting with a 5k, and then to marathons and to running multiple ultramarathons. He has run multiple 100-mile races. He recently ran what is referred to as ‘the world’s toughest foot race,’ Badwater 135-miler in Death Valley, and one of the world’s coldest races, Tuscobia 160-miler.

 

 

 

Machine identities: What they are and how to use automation to secure them

Security teams who aim to control secure access to networked applications and sensitive data often focus on the authentication of user credentials. Yet, the explosive growth of connected devices and machines in today’s enterprises exposes critical security vulnerabilities within machine-to-machine communications, where no human is involved. 

That’s where machine identity comes in. Machine identity is the digital credential or “fingerprint” used to establish trust, authenticate other machines, and encrypt communication.

Much more than a digital ID number or a simple identifier such as a serial number or part number, machine identity is a collection of authenticated credentials that certify that a machine is authorized access to online resources or a network. 

Machine identities are a subset of a broader digital identity foundation that also includes all human and application identities in an enterprise environment. It goes beyond easily recognizable use cases like authenticating a laptop that is accessing the network remotely through Wi-Fi. Machine identity is required for the millions or billions of daily communications between systems where no human is involved, like routing messages across the globe through various network appliances or application servers generating or using data stored across multiple data centers. 

Why Machine Identity Management Needs to Be Automated 

As the number of processes and devices requiring machine-to-machine communication grows, the number of machine identities to track also grows. According to the Cisco Annual Internet Report, by 2023, there will be 29.3 billion networked devices globally, up from 18.4 billion in 2018. That is more than 10 billion new devices in just five years!

Improper identity management not only makes enterprises more vulnerable to cybercriminals, malware and fraud, it also exposes organizations to risks related to employee productivity, customer experience issues, compliance shortfalls and more. While there is no stronger, more versatile authentication and encryption solution than PKI-based digital identity, the challenge for busy IT teams is that manually deploying and managing certificates is time-consuming and can result in unnecessary risk if a mistake is made. 

Whether an enterprise deploys certificates to enable device authentication for a single control network or manages millions of certificates across all its networked device identities, the end-to-end process of certificate issuance, configuration and deployment can overwhelm the workforce. 

The bottom line? Manual machine identity management is neither sustainable nor scalable.

In addition, manually managing certificates puts enterprises at significant risk of neglected certificates expiring unexpectedly. This can result in certificate-related outages, critical business systems failures and security breaches and attacks.

In recent years, expired certificates have resulted in many high-profile website and service outages. These mistakes have cost billions of dollars in lost revenue, contract penalties, lawsuits and the incalculable cost of lost customer goodwill and tarnished brand reputations. 

How to Automate Machine Identity Management

With such high stakes, IT professionals are rethinking their certificate lifecycle management strategies. Organizations need an automated solution that ensures all their digital certificates are correctly configured, installed and managed without human intervention. Yes, automation helps reduce risk, but it also aids IT departments in controlling operational costs and streamlining time-to-market for products and services.

In response to market forces and hacking attacks, PKI has become even more versatile. Consistent high uptime, interoperability and governance are still crucial benefits. But modern PKI solutions can also improve administration and certificate lifecycle management through:

●    Crypto-agility: Updating cryptographic strength and revoking and replacing at-risk certificates with quantum-safe certificates rapidly in response to new or changing threats.

●    Visibility: Viewing certificate status with a single pane of glass across all use cases.

●    Coordination: Using automation to manage a broad portfolio of tasks.

●    Scalability: Managing certificates numbering in the hundreds, thousands, or even millions.

●    Automation: Completing individual tasks while minimizing manual processes...[…] Read more »….

 

5 minutes with Vishal Jain – Navigating cybersecurity in a hybrid work environment

Are you ready for hybrid work? Though the hybrid office will create great opportunities for employees and employers alike, it will create some cybersecurity challenges for security and IT operations. Here, Vishal Jain, Co-Founder and CTO at Valtix, a Santa Clara, Calif.-based provider of cloud native network security services, speaks to Security magazine about the many ways to develop a sustainable cybersecurity program for the new hybrid workforce.

Security: What is your background and current role? 

Jain: I am the co-founder and CTO of Valtix. My background is primarily building products and technology at the intersection of networking, security and cloud; built Content Delivery Networks (CDNs) during early days of Akamai and just finished doing Software Defined Networking (SDN) in a startup which built ACI for Cisco.

 

Security: There’s a consensus that for many of us, the reality will be a hybrid workplace. What does the hybrid workforce mean for cybersecurity teams?

Jain: The pandemic has accelerated trends that had already begun before 2019. We’ve just hit an inflection point on the rate of change – taking on much more change in a much shorter period of time. The pandemic is an inflection point for cloud tech adoption. I think about this in three intersections of work, apps, infrastructure, and security:

  1. Work and Apps: A major portion of the workforce will continue to work remotely, communicating using collaboration tools like Zoom, WebEx, etc. Post-pandemic, video meetings would be the new norm compared to the old model where in-person meeting was the norm. The defaults have changed. Similarly, the expectation now is that any app is accessible anywhere from any device.
  2. Apps and Infrastructure: Default is cloud. This also means that expectation on various infrastructure is now towards speed, agility, being infinite and elastic and being delivered as a service.
  3. Infrastructure and Security: This is very important for cybersecurity teams, how do they take a discipline like security from a static environment (traditional enterprise) and apply it to a dynamic environment like cloud.

Security: What solutions will be necessary for enterprise security to implement as we move towards this new work environment?

Jain: In this new work environment where any app is accessible anywhere from any device, enterprise security needs to focus on security of users accessing those apps and security of those apps themselves. User-side security and securing access to the cloud is a well-understood problem now, plenty of innovation and investments have been made here. For security of apps, we need to look back at intersections 2 and 3, mentioned previously.

Enterprises need to understand security disciplines but implementation of these is very different in this new work environment. Security solutions need to evolve to address security & ops challenges. On the security side, definition of visibility has to expand. On the operational side of security, solutions need to be cloud-native, elastic, and infinitely scalable so that enterprises can focus on applications, not the infrastructure.

Security: What are some of the challenges that will need to be overcome as part of a hybrid workplace?

Jain: Engineering teams typically have experiences working across distributed teams so engineering and the product side of things are not super challenging as part of a hybrid workplace. On the other hand, selling becomes very different, getting both customers and the sales team used to this different world is a challenge enterprises need to focus on. Habits and culture are always the hardest part to change. This is true in security too. There is a tendency to bring in old solutions to secure this new world. Security practitioners could try to bring in the same tech and product he/she has been using for 10 years but deep down they know it’s a bad fit…[…] Read more »….

 

Meet Angela Hogaboom: Cloud Expert of the Month – May 2021

Cloud Girls is honored to have amazingly accomplished, professional women in tech as our members. We take every opportunity to showcase their expertise and accomplishments – promotions, speaking engagements, publications, and more. Now, we are excited to shine a spotlight on one of our members each month.

Our Cloud Expert of the Month is Angela Hogaboom.

Angela has been a Cloud Girl since 2015. After establishing a career in the cloud consulting space, she pivoted to cybersecurity and compliance in 2018 and now serves as the Director of Assessment and Innovation at RSI. Angela’s main focus is enabling clients to achieve new business heights while also securing their organizations through technology, operations, and governance. Angela lives in Broomfield with her husband and 2 boys and spends much of her time serving on the Cloud Girls Board and she’s always looking for new ways to enable women in technology and security.

When did you join Cloud Girls and why?

I joined Cloud Girls in 2015 after I left my job in a cloud company to start my own business. I was introduced to Manon by a number of colleagues in the industry and she told me I would be a great candidate for the group. Like many others, I was looking to connect with other women in the field who could offer me guidance and support in my journey.

What do you value about being a Cloud Girl?  

The Cloud Girls have been a great source of inspiration and support throughout my career. We have representation from incredible companies and the vibe is never competitive because we’re all committed to supporting each other and the next generation of women in tech.

How did you find a career in tech? Did you choose it, or did you end up here and how?

I entered the tech field purely by accident. I was an Executive Assistant looking for a new job and was approached by the CEO of a telecom company that had recently acquired a data center and had just launched their cloud computing division. At the time, I hoped to grow into a marketing role, which I did. I spearheaded the rebrand of the VoIP line and was tasked with coordinating the computing rebrand. By taking on these challenges, I was really forced to step outside of my comfort zone and learn new things. My job ultimately led to my consulting career. I was a partner/reseller for a number of tech services and in 2018, I attended a privacy workshop with the hopes of networking with my target client base. Instead, I became so intrigued by the subject matter that I spent all of my time learning about privacy and pondering the tie-ins to cybersecurity. I ultimately pivoted to cybersecurity and left my consulting career to become a compliance advisor and practitioner. Now, I’m expanding on that journey by pursuing my degree in cybersecurity.

How do you avoid being complacent in your role?

Cybersecurity is a field that changes every day. To be honest, it’s incredibly difficult to keep up with the latest tech, incidents, legislation, and chatter. I’ve found that by selecting the domain areas that really energize me, I’m better able to stay in touch with the landscape. For areas I have known deficiencies, I have a collection of resources I can use for additional information. Sometimes it’s trusted online sources and sometimes it’s my professional network.

What one piece of advice would you share with young women to encourage them to take a seat at the table?

Don’t be afraid to mess up. I have seen so many girls and women refuse challenges because they hold themselves to a standard of always performing well. If I hadn’t failed many of the challenges presented to me, I wouldn’t have the career I have now. It takes stepping out of your comfort zone and falling down just to get back up a few times to really find your path in life and work.

Which superpower would you like to have? Why?

I would freeze time! There are so many things I want to do and learn and never enough hours in the day.

What was the best book you read this year and why?

Rising Strong by Brene Brown. The last few years have been so turbulent for everyone and I think Brown does an excellent job of conveying that feeling of “belonging everywhere and nowhere.” It’s one of the few books I’ve read that made me feel better about being in my own skin, living a life that I can admire, and being an ally for others..[…] Read more »…..

 

Top 10 most in-demand cybersecurity skills for 2021

In a tech-driven world, the security industry is still facing a talent shortage, and finding skilled candidates to fill any of the thousands of open positions available is one of the greatest challenges facing hiring managers.

To put an end to the skills gap, organizations are focusing not only on finding new talents, but on upskilling their security teams through courses offered by training providers or pursuing relevant industry certifications.

But what are organizations looking for? Which combination of soft and hard skills is the most sought after in 2021?

Top in-demand cybersecurity skillsets

The most in-demand skillsets for security professionals are listed here in no particular order. These are what organizations are most likely looking for when choosing the right person to safeguard their systems, networks, data, programs and digital assets.

1. IT and networking skills

Being able to analyze and resolve high-level security issues on a network requires solid technical skills. This includes system administration and networking skills, as well as understanding how to adopt security controls to protect digital assets from cyber threats.

Other skills include assessing the security of wired and wireless networks and implementing the latest security best practices in troubleshooting, maintaining and updating information systems.

Building a foundation of technical skills is important for many types of cybersecurity careers. Common entry-level certifications focused on networking and security basics include:

2. Analytical skills

Analysis is an essential skill for security professionals tasked with examining computer systems to foresee problems, assess risks and consider solutions to prevent, detect and respond to cyberattacks. This not only requires technical proficiency in utilizing security tools to identify complex cyberthreats, it requires soft skills, such as problem-solving, critical thinking and the ability to communicate and persuade management to adopt stricter safety protocols.

Analysts can take on different roles like a cybersecurity analyst, information security analyst, computer systems analyst and malware analyst.

Technically- and analytically-minded professional certifications include:

3. Threat intelligence skills

Security professionals need to evaluate threats and their associated risks to a system and organization. Most companies have many tools in place to identify threats, but these are useless without professionals that can properly analyze, rank and mitigate the threats discovered.

Popular certifications related to threat intelligence include:

4. Incident handling skills

Quickly responding to an incident is key in ensuring the smallest possible damage to an organization. But it’s also important to investigate the situation thoroughly and provide recommendations to address loopholes in an organization’s security posture. Other skills include the ability to create an effective incident response plan (IRP) to reduce the risk of IT service downtime when an incident occurs.

Popular learning paths and certifications related to incident response include:

5. Auditing skills

IT auditors conduct system and security audits at organizations so that vulnerabilities and flaws within them are found, documented, tested and resolved. Auditing can uncover vulnerabilities introduced into the organization by people, technology or processes and whether there are risks or other complications associated with them.

Possessing auditing skills means not only having knowledge of basic system infrastructure, data analytics and risk management, it means also having exceptional interpersonal and communications skills to effectively present findings to technical and non-technical personnel.

For those considering a career as an IT/IS auditor, a few certifications and career paths are available, including:

6. Penetration testing skills

Using exploitation techniques for testing purposes is a sought-after cybersecurity skill. Pentesters generally have hands-on skills and a passion for breaking things. Their discoveries help organizations improve digital security measures and resolve security vulnerabilities and weaknesses. They do exactly what a malicious hacker would do when attempting to break into a system — with permission, of course.

For professionals who believe penetration testing is the right career for them, common certifications include:

7. Forensics skills

Forensic investigations are an important part of incident response. They use various forensic tools to recover deleted, damaged or otherwise manipulated data from a range of devices, such as computers, tablets, phones and flash drives. Digital forensics professionals require sound investigative practices, strong data interpretation and effective presentation skills to produce evidence in a court of law.

Common digital forensics certifications or learning paths include:

8. Governance, risk management and compliance skills

Effective governance, risk management and compliance (GRC) is critical to business operations. GRC professionals are asked to be able to develop and implement strategies and solutions that are both aligned with business objectives and consistent with industry regulations (HIPAA, CCPA, GDPR, ISO 27000 series, NIST CSF and NIST RMF).

Related certifications and training for GRC professionals include:

9. Virtualization and cloud computing skills

Most organizations use cloud services — be it software as a service (SaaS), platform as a service (PaaS) or infrastructure as a service (IaaS) — so cybersecurity professionals who can deploy, configure and manage a virtualized environment and its security are in demand…[…] Read more »….

 

When security and resiliency converge: A CSO’s perspective on how security organizations can thrive

You’ve just been hired to lead the security program of a prominent multinational organization. You’re provided a seasoned team and budget, but you can’t help looking around and asking yourself, “How will I possibly protect every asset of this company, every day, against every threat, globally?” After all, this is the expectation of most organizations, their customers and shareholders, as well as regulators and lawmakers. In my experience, one of the top challenges security leaders face is trying to optimize a modest security budget to protect a highly complex and ever-expanding organizational attack surface. In fact, Accenture found that 69% of security professionals say staying ahead of attackers is a constant battle and the cost is unsustainable. For most, this challenge is extremely discouraging. However, success is not necessarily promised to those with resources – it’s more about how resourceful you can be.

As organizations worldwide digitally transform at a breakneck pace, the stakes are increasing for cybersecurity programs. Cyberattacks no longer just take down websites and internal email. They can disrupt the availability of every revenue-generating digital business process, threatening the very existence of many organizations. With this heightened risk, organizations must shift from a prevention-first mindset to one that balances aggressive prevention measures with a keen focus on enabling efficient consequence management. This shouldn’t be read as a response-only strategy, but it does mean:

  1. Designing business processes to minimize single points of failure and reduce sensitivity to technology and data latency, recognizing that technology and data risk is extremely high in today’s environment.
  2. Focusing asset protection programs disproportionately on the assets that underpin the most critical business processes or present the greatest risk.
  3. Architecting technology to anticipate and recover from persistent, sophisticated attacks, as the “zero trust” approach suggests.
  4. Establishing an organizational culture that acknowledges, anticipates, accepts and thrives in a pervasive threat environment.

Most cybersecurity leaders today only focus on, or are limited to focusing on, the third of these four items. Many are aggressively pursuing zero trust related modernization programs to increase the technology resilience of their organization’s systems and networks. However, the other three strategic imperatives are not achieved due to a lack of organizational knowledge, access, influence or governance.

The same can be said for physical security leaders, who likely do their best to focus on the second item, but may not understand the interdependency between an organization’s physical and digital assets. Unless a building is labeled as a data center, they may be unlikely to protect those physical assets that are most critical to their organization’s digital operations.

All security programs, both digital and physical, struggle to achieve the fourth item, limited by their lack of business access and influence. So, how do security organizations move from being security-centric to business-centric? The journey starts by taking a converged approach.

Why converge?

Implementing a converged security organization is perhaps one of the most resourceful and beneficial business decisions an organization can make when seeking to enhance security risk management. In this era of heightened consequences and sophisticated security threats, the need for integration between siloed security and risk management teams is imperative. The need for collaboration between those two teams and the business is equally imperative.

In my role as the Chief Security Officer of Dell Technologies, I oversee a converged organization with responsibility for physical security, cybersecurity, product security, privacy and enterprise resiliency programs, including business continuity, disaster recovery and crisis management. As discussed in a recent article, organizations that treat different aspects of security – such as physical and cybersecurity – as separate endeavors, can unintentionally undermine one area and in turn, weaken both areas. With a converged organization, the goal is to bring those once-separate entities together in a more impactful manner. I’ve seen convergence lead to greater effectiveness in corporate risk management practices. But, the benefits don’t stop there. It also increases financial and operational efficiency, improves stakeholder communications and strengthens customer trust.

Over the course of this series, I will walk you through how security, privacy and resiliency teams with seemingly different capabilities and goals can work together to advance one another’s priorities, all while marching towards one common goal – greater organizational outcomes. First up, let’s discuss the benefits gained from converging enterprise resiliency and security programs.

The road less traveled – benefits of converging resiliency and security

While I’ve observed an increase in organizations merging cybersecurity and physical security programs, I’ve seen fewer organizations bring resiliency into the mix, despite it being potentially more important. In fact, an ASIS study found that only 19% of organizations converged cybersecurity, physical security and business continuity into a single department.

In my experience, converging resiliency programs with all security programs enables organizations to consistently prepare for and respond to any security incident or crisis – natural disaster, global pandemic or cyberattack – with a high degree of resiliency. More importantly, converging these programs empowers security organizations to achieve the strategic imperatives mentioned earlier.

Now, let’s look at some of the more specific benefits:

  1. Business continuity programs help prioritize security resources

As discussed earlier, one of the main challenges for security leaders is trying to find resourceful ways to adequately secure the breadth of a company’s assets, often with a less-than-ideal budget that limits implementing leading security practices across every asset. By converging business continuity, a core component of a resiliency program, with cybersecurity and physical security programs, security leaders can identify the most critical business processes and the digital and physical assets that underpin them. This in turn provides clear priorities for security focus and investment.

Non-converged security organizations generally prioritize their focus through the lens of regulatory and litigation risk, rather than having a deep understanding of business operational risk and its ties to revenue generation. For a physical security leader, this may look like prioritizing physical security resources in countries that have stronger regulatory oversight and more stringent fine structures, or those that contain the most employees. For a cybersecurity leader, it may mean focusing on databases that contain the most records of personal information, a costly data element to lose. While these approaches are not wrong, they are incomplete. In fact, the most critical business assets don’t often look like those most commonly prioritized by security. It requires a business lens to find the assets that the business depends upon to thrive, rather than focusing on the assets that might lead to a lawsuit if left unprotected. It means thinking about business risk more holistically.

Business continuity planners have perfected the art of applying a business lens to explore complex, interdependent business processes, some of which even sit with third parties. When organizations don’t continuity plan well, it isn’t until an incident strikes that they find most of their company’s revenue was dependent on an overlooked single point of failure.

However, business continuity alone is typically only looking for issues of availability. By converging resiliency and security programs, business impact assessments and security reviews can merge, resulting in more holistic assessments that consider both business and security risk across the full spectrum of availability, confidentiality and integrity issues. As a further sweetener, business stakeholders can have a single conversation with the converged risk program, reducing distractions that pull them from their primary business focus.

By integrating these two programs, converged security organizations can ensure their priorities are closely aligned with the business’ priorities. Whether it be digital assets, buildings or people, an organization’s most critical assets are clearly identified and traced to critical business processes through robust business continuity planning, then secured. Tying these programs together enables security leaders to protect what matters most, the most, which is the most important benefit of converging security and resiliency programs.

  1. Security makes business continuity programs smarter

For the modern security professional, the only thing better than spotting a difficult-to-find critical business asset in need of protection is for a business to improve its processes and reduce the number of assets needing protection in the first place. By embedding security context into the continuity planning process, business continuity programs become smarter. With this knowledge, converged organizations can more effectively propose process engineering opportunities that optimize security budgets and reduce organizational risk. This is particularly true where the resiliency team has deeper access and insights to the supported organization than the security team.

Typically, business continuity planners are introduced to business processes and underlying assets only after they are in place, which means planners discover existing resiliency risks. Contrast that with modern security programs embedded in business and digital transformation projects from the beginning. By merging security and business continuity programs, the value proposition shifts from “smart discovery” of business process reengineering opportunities to one of resilient and secure business process engineering from the initial design point, helping organizations get it right the first time.

This type of value can extend from the most tactical processes to more strategic business initiatives, such as launching a new design center overseas. Converged security organizations can share a holistic, converged risk picture to inform business decision making. A typical converged risk assessment for such a project may consider historical storm patterns, geopolitical instability, national economic espionage, domestic terrorism, labor risk and so on. This holistic view results in better risk decisions and better business outcomes.

  1. Security and crisis management go together like peanut butter and jelly

Crisis management is another core capability of resiliency programs. The benefit of converging crisis management and security programs is twofold. First, security is often the cause of the crisis. Historically, organizational crises would be a broad mix of mismanagement, natural, political, brand, labor and other issues. In the last year alone, the world has seen a dramatic rise in cyberattacks.

Second, this is the area where the culture of the two organizations is most closely aligned, allowing for low-friction integration and improvement. Crisis management professionals are accustomed to preparing for and managing through low-likelihood, high-impact events and facilitating critical decisions quickly, with imperfect information. If you ask a security leader what the motion of their organization looks like, you will likely get an identical answer. Leaders can unify and augment these skillsets and capabilities by bringing crisis management and security programs together. And, this is becoming more important in a world where consequence management – how capably a company responds when things go wrong – can be the difference between a glancing blow and a knockout.

  1. Disaster recovery programs thrive when paired with security

Disaster recovery teams focus on identifying critical data and technology, and ensuring it is architected and tested to handle common continuity disruptions. In a mature resiliency program, this means close relationships between continuity planners and application owners. Often, however, resiliency programs struggle to gain deep access and influence within technology organizations, or the disaster recovery technology-centric arm of the program is challenged to integrate with the more business-centric continuity planning arm. A converged resiliency and security program eases these challenges.

Disaster recovery programs often sit within the technology organizations themselves, and in those cases, technology integration is not a challenge. However, these programs can sometimes struggle to maintain close access to the business organizations they support. In these cases, converging resiliency and physical security programs enables teams to leverage the strong business relationships and closer business access that physical security programs often have. By integrating these programs, physical security teams can create the inroads needed so disaster recovery programs can deliver the most value in a business-connected manner.

Conversely, for disaster recovery programs that sit within business or resiliency teams, they can often struggle to gain traction with an organization’s technical owners. In these cases, converging disaster recovery with a cybersecurity program can be a game changer. Cybersecurity core programs focus on application, database and system security, and have an existing engagement model with those the disaster recovery teams need to influence. By integrating with cybersecurity programs, disaster recovery teams can leverage existing processes and organizational relationships to accelerate their impact. The integration of these programs also provides a more efficient unified engagement model for the technology asset owners, creating overall efficiency for the organization.

Finally, the cause of disaster recovery events is increasingly cybersecurity related. Disaster recovery teams must adjust their architectures and programs to account for ransomware, destructive malware attacks and other evolving threats. The expertise needed to do this well rests with cybersecurity organizations who, once converged, are well positioned to help with this journey.

  1. Security brings digital expertise to resiliency programs

Consider this: When a hurricane strikes, the location and severity of the storm’s eye depends on the time of day, the topography and numerous meteorological factors. It doesn’t target you specifically. Organizations are informed of the hurricane’s arrival days in advance. And, the organization is not the only victim of the hurricane, so external support is mobilized and resources are provided. Given all these factors, organizations infrequently experience the most severe possible outcomes. Now, consider a typical cyber crisis: When a ransomware attack strikes, it is without warning, usually targeting and impacting the most critical business assets and is designed to hit at the most inopportune time. Moreover, the victim is often blamed, which means outside help is scarce. Of course, organizations should continue planning for hurricanes, earthquakes, pandemics and other natural disasters, but the evolution of digital crises makes the resiliency threat landscape more complex. The results of these troubling trends: Cybercrime will have cost the world $6 trillion by the end of this year, up from $3 trillion in 2015. Natural disasters globally cost $84 billion in 2015.

Business continuity professionals have thrived for decades by helping their organizations predict and prepare for natural disasters and physical security incidents. To date, the best practice to prepare resilient data centers is to evaluate redundant electrical grid availability, historical weather patterns, earthquake trends and, most importantly, to confirm that the backup data center doesn’t reside within a certain physical distance of the primary data center. Cyber threats have added new challenges to this equation, as even two ideally positioned, geographically distanced, modern data centers often rely on the same underlying cyber systems and networks. It’s not uncommon to find ransomware attacks, which travel at the speed of light and aren’t bound by physical distance, devastating organizations when both primary and backup data centers are encrypted for ransom or, worse, deleted by destructive malware. This is only one example that highlights the new resiliency risks faced by the world’s recent dramatic increase in digital dependency and cyber threats. By converging cybersecurity and resiliency programs, organizations are better positioned to contend with this challenging new reality…[…] Read more »….

 

How We’ll Conduct Algorithmic Audits in the New Economy

Today’s CIOs traverse a minefield of risk, compliance, and cultural sensitivities when it comes to deploying algorithm-driven business processes.

Algorithms are the heartbeat of applications, but they may not be perceived as entirely benign by their intended beneficiaries.

Most educated people know that an algorithm is simply any stepwise computational procedure. Most computer programs are algorithms of one sort of another. Embedded in operational applications, algorithms make decisions, take actions, and deliver results continuously, reliably, and invisibly. But on the odd occasion that an algorithm stings — encroaching on customer privacy, refusing them a home loan, or perhaps targeting them with a barrage of objectionable solicitation — stakeholders’ understandable reaction may be to swat back in anger, and possibly with legal action.

Regulatory mandates are starting to require algorithm auditing

Today’s CIOs traverse a minefield of risk, compliance, and cultural sensitivities when it comes to deploying algorithm-driven business processes, especially those powered by artificial intelligence (AI), deep learning (DL), and machine learning (ML).

Many of these concerns revolve around the possibility that algorithmic processes can unwittingly inflict racial biases, privacy encroachments, and job-killing automations on society at large, or on vulnerable segments thereof. Surprisingly, some leading tech industry execs even regard algorithmic processes as a potential existential threat to humanity. Other observers see ample potential for algorithmic outcomes to grow increasingly absurd and counterproductive.

Lack of transparent accountability for algorithm-driven decision making tends to raise alarms among impacted parties. Many of the most complex algorithms are authored by an ever-changing, seemingly anonymous cavalcade of programmers over many years. Algorithms’ seeming anonymity — coupled with their daunting size, complexity and obscurity — presents the human race with a seemingly intractable problem: How can public and private institutions in a democratic society establish procedures for effective oversight of algorithmic decisions?

Much as complex bureaucracies tend to shield the instigators of unwise decisions, convoluted algorithms can obscure the specific factors that drove a specific piece of software to operate in a specific way under specific circumstances. In recent years, popular calls for auditing of enterprises’ algorithm-driven business processes has grown. Regulations such as the European Union (EU)’s General Data Protection Regulation may force your hand in this regard. GDPR prohibits any “automated individual decision-making” that “significantly affects” EU citizens.

Specifically, GDPR restricts any algorithmic approach that factors a wide range of personal data — including behavior, location, movements, health, interests, preferences, economic status, and so on—into automated decisions. The EU’s regulation requires that impacted individuals have the option to review the specific sequence of steps, variables, and data behind a particular algorithmic decision. And that requires that an audit log be kept for review and that auditing tools support rollup of algorithmic decision factors.

Considering how influential GDPR has been on other privacy-focused regulatory initiatives around the world, it wouldn’t be surprising to see laws and regulations mandate these sorts of auditing requirements placed on businesses operating in most industrialized nations before long.

For example, US federal lawmakers introduced the Algorithmic Accountability Act in 2019 to require companies to survey and fix algorithms that result in discriminatory or unfair treatment.

Anticipating this trend by a decade, the US Federal Reserve’s SR-11 guidance on model risk management, issued in 2011, mandates that banking organizations conduct audits of ML and other statistical models in order to be alert to the possibility of financial loss due to algorithmic decisions. It also spells out the key aspects of an effective model risk management framework, including robust model development, implementation, and use; effective model validation; and sound governance, policies, and controls.

Even if one’s organization is not responding to any specific legal or regulatory requirements for rooting out evidence of fairness, bias, and discrimination in your algorithms, it may be prudent from a public relations standpoint. If nothing else, it would signal enterprise commitment to ethical guidance that encompasses application development and machine learning DevOps practices.

But algorithms can be fearsomely complex entities to audit

CIOs need to get ahead of this trend by establishing internal practices focused on algorithm auditing, accounting, and transparency. Organizations in every industry should be prepared to respond to growing demands that they audit the complete set of business rules and AI/DL/ML models that their developers have encoded into any processes that impact customers, employees, and other stakeholders.

Of course, that can be a tall order to fill. For example, GDPR’s “right to explanation” requires a degree of algorithmic transparency that could be extremely difficult to ensure under many real-world circumstances. Algorithms’ seeming anonymity — coupled with their daunting size, complexity, and obscurity–presents a thorny problem of accountability. Compounding the opacity is the fact that many algorithms — be they machine learning, convolutional neural networks, or whatever — are authored by an ever-changing, seemingly anonymous cavalcade of programmers over many years.

Most organizations — even the likes of Amazon, Google, and Facebook — might find it difficult to keep track of all the variables encoded into its algorithmic business processes. What could prove even trickier is the requirement that they roll up these audits into plain-English narratives that explain to a customer, regulator, or jury why a particular algorithmic process took a specific action under real-world circumstances. Even if the entire fine-grained algorithmic audit trail somehow materializes, you would need to be a master storyteller to net it out in simple enough terms to satisfy all parties to the proceeding.

Throwing more algorithm experts at the problem (even if there were enough of these unicorns to go around) wouldn’t necessarily lighten the burden of assessing algorithmic accountability. Explaining what goes on inside an algorithm is a complicated task even for the experts. These systems operate by analyzing millions of pieces of data, and though they work quite well, it’s difficult to determine exactly why they work so well. One can’t easily trace their precise path to a final answer.

Algorithmic auditing is not for the faint of heart, even among technical professionals who live and breathe this stuff. In many real-world distributed applications, algorithmic decision automation takes place across exceptionally complex environments. These may involve linked algorithmic processes executing on myriad runtime engines, streaming fabrics, database platforms, and middleware fabrics.

Most of the people you’re training to explain this stuff to may not know a machine-learning algorithm from a hole in the ground. More often than we’d like to believe, there will be no single human expert — or even (irony alert) algorithmic tool — that can frame a specific decision-automation narrative in simple, but not simplistic, English. Even if you could replay automated decisions in every fine detail and with perfect narrative clarity, you may still be ill-equipped to assess whether the best algorithmic decision was made.

Given the unfathomable number, speed, and complexity of most algorithmic decisions, very few will, in practice, be submitted for post-mortem third-party reassessment. Only some extraordinary future circumstance — such as a legal proceeding, contractual dispute, or showstopping technical glitch — will compel impacted parties to revisit those automated decisions.

And there may even be fundamental technical constraints that prevent investigators from determining whether a particular algorithm made the best decision. A particular deployed instance of an algorithm may have been unable to consider all relevant factors at decision time due to lack of sufficient short-term, working, and episodic memory.

Establishing standard approach to algorithmic auditing

CIOs should recognize that they don’t need to go it alone on algorithm accounting. Enterprises should be able to call on independent third-party algorithm auditors. Auditors may be called on to review algorithms prior to deployment as part of the DevOps process, or post-deployment in response to unexpected legal, regulatory, and other challenges.

Some specialized consultancies offer algorithm auditing services to private and public sector clients. These include:

BNH.ai: This firm describes itself as a “boutique law firm that leverages world-class legal and technical expertise to help our clients avoid, detect, and respond to the liabilities of AI and analytics.” It provides enterprise-wide assessments of enterprise AI liabilities and model governance practices; AI incident detection and response, model- and project-specific risk certifications; and regulatory and compliance guidance. It also trains clients’ technical, legal and risk personnel how to perform algorithm audits.

O’Neil Risk Consulting and Algorithmic Auditing: ORCAA describes itself as a “consultancy that helps companies and organizations manage and audit algorithmic risks.” It works with clients to audit the use of a particular algorithm in context, identifying issues of fairness, bias, and discrimination and recommending steps for remediation. It helps clients to institute “early warning systems” that flag when a problematic algorithm (ethical, legal, reputational, or otherwise) is in development or in production, and thereby escalate the matter to the relevant parties for remediation. They serve as expert witnesses to assist public agencies and law firms in legal actions related to algorithmic discrimination and harm. They help organizations develop strategies and processes to operationalize fairness as they develop and/or incorporate algorithmic tools. They work with regulators to translate fairness laws and rules into specific standards for algorithm builders. And they train client personnel on algorithm auditing.

Currently, there are few hard-and-fast standards in algorithm auditing. What gets included in an audit and how the auditing process is conducted are more or less defined by every enterprise that undertakes it, or by the specific consultancy being engaged to conduct it. Looking ahead to possible future standards in algorithm auditing, Google Research and Open AI teamed with a wide range of universities and research institutes last year to publish a research study that recommends third-party auditing of AI systems. The paper also recommends that enterprises:

  • Develop audit trail requirements for “safety-critical applications” of AI systems;
  • Conduct regular audits and risk assessments associated with the AI-based algorithmic systems that they develop and manage;
  • Institute bias and safety bounties to strengthen incentives and processes for auditing and remediating issues with AI systems;
  • Share audit logs and other information about incidents with AI systems through their collaborative processes with peers;
  • Share best practices and tools for algorithm auditing and risk assessment; and
  • Conduct research into the interpretability and transparency of AI systems to support more efficient and effective auditing and risk assessment.

Other recent AI industry initiatives relevant to standardization of algorithm auditing include:

  • Google published an internal audit framework that is designed help enterprise engineering teams audit AI systems for privacy, bias, and other ethical issues before deploying them.
  • AI researchers from Google, Mozilla, and the University of Washington published a paper that outlines improved processes for auditing and data management to ensure that ethical principles are built into DevOps workflows that deploy AI/DL/ML algorithms into applications.
  • The Partnership on AI published a database to document instances in which AI systems fail to live up to acceptable anti-bias, ethical, and other practices.

Recommendations

CIOs should explore how best to institute algorithmic auditing in their organizations’ DevOps practices…[…] Read more »…..