While there is still one bowl game left to be played and confetti to clean up, 2014 is now done and leaves a mixed IT legacy. After 2013’s issues with the NSA leaks, the Healthcare.gov mishaps, and the 40 million credit identities stolen from Target, 2014 did not turn out much better on security and availability. Home Depot, eBay, and JPMC all had major incidents in the ‘year of the hacks’. Add to that the celebrity photo leaks from the Apple hacks. Add to that, of course, the Sony uber-hack and their PlayStation service failure at Christmas. All in all, 2014 was quite a dismal year for IT security. On the positive side, we saw continued advances in smart technology, from phones to cars. Robots and drones are seeing major reductions in price while leapfrogging in usability and capability. So, technology’s potential seems brighter than ever, yet we still underachieve in our ability to prevent its misuse. Now 2015 is upon us and I have compiled some IT resolutions that should contribute to greater success for IT shops in the coming year!
The first IT resolution is … security, security, security. While corporate IT security has improved in the past several years, we are still well behind the hackers. The many breaches of 2014 demonstrate these shortcomings. Security is one of the fastest growing portions of IT (the number 2 focus item behind data analytics), but much more needs to be done, though most of the crucial work is just basic, diligent execution of proper security practices. Many of the breaches took advantage of well-known vulnerabilities either at the company breached or at one of its suppliers. For example, lack of current server patching was a frequent primary root cause of hacks in 2014. And given the major economic hits of the Sony and Target breaches, these events are no longer speed bumps but instead threaten a company’s reputation and viability. Make the case now to your senior business management to double down on your information security investment and not show up on the 2015 list of hacks. Not sure where to start? Here’s a good checklist on security best practices that is still current and, if fully applied, would have prevented the majority of the public breaches in 2014.
Next is to explore and begin to leverage real-time decisioning. It’s more than big data — it is where you use all the information about the customer and trends to make the best decision for them (and your company) while they are transacting. It is taking the logic for ‘recommendations of what other people bought’ and applying data analytics to many kinds of business rules and choices. For example, use all the data and hidden patterns to better and more easily qualify a customer for a home loan — rather than asking them for a surfeit of documents and proofs. And offer them optimal pricing on the loan most suited for them — again determined by the data analytics. In the end, business policies will move from being almost static, where changes occur slowly, to being determined in real time by the data patterns. It is critical in almost every industry to understand and begin mastery of this technology.
Be on the front edge of the flash revolution in the enterprise. 2015 will be the year of flash. Already many IT shops are using hybrid flash disk technologies. With the many offerings on the market and 2nd generation releases by mainstream storage vendors like EMC, IT shops should look to leverage flash for their most performance-bound workloads. The performance improvements with flash can be remarkable. And the 90% savings on environmentals in your data center is icing on the cake. Flash, factoring in de-duplication, is comparable in cost to disk storage today. By late 2015, it could be significantly less.
If you haven’t already, go mobile, from the ground up. Mobile is the primary way most consumers interface with companies today. And with better phones and data networks, this will only increase. But don’t rely on a ‘mobilized’ version of your internet site. Make sure you are tuning your customer interface for their mode of interaction. Nothing is more cumbersome to a consumer than trying to enter data from a phone into an internet form designed for a PC. Yes, it’s doable, but nowhere near the experience you can deliver with a native app. Go mobile, go native.
Bring new talent into the IT labor force. By 2020, the Bureau of Labor Statistics estimates there will be another 1.4 million IT jobs in the US — and not nearly enough computer science graduates to fill them. Companies big and small should be looking to hire both new graduates in the field AND encourage more to look to computers for their career. In the 1970s and 1980s, before there were formal computer science programs at universities, many outstanding computer scientists received their degrees in music, biology, languages, or teaching. We need another wave of converts for us to have the skilled teams required for the demands of the next decade. As IT leaders, let’s make sure we contribute to our field and help bring along the next generation.
What are your 2015 IT resolutions? Let us know what should be on the list!
Best, and have a great New Year!
Jim
Thanks for the 2015 IT resolutions blog.
Regarding your advice for other CIOs to appeal to their sr. management for more security budgets, do you think that quantifying digital risk would help in making the case? It feels to me that there is still a lack of a common security and risk language that both the business and IT can understand… A metric-driven, business-aligned approach to managing digital risk should help the business executives better understand the challenges that many IT leaders still express in (too) technical terms… Do you have an opinion/advice on this?
Nick, I think we should do more to quantify the risk to the business. In addition to recent debacles of Target and a few others (where the loss in the company’s market value was substantial and measurable) as well as the severe penalties on staff for not addressing the risk (the CIO and the CEO eventually got fired), we can add well-known costs. A year of credit monitoring for a customer or employee whose confidential information is stolen would cost you $120-$180 per customer. Exposing health information carries a substantial fine for each instance from the federal government. And in egregious cases like Target, credit card companies are suing Target to recoup their costs of replacement and fraud. In short, I recommend you use a potential loss figure of $250/customer or employee instance if you have a breach. The numbers add up quickly for any corporation of size, and responsible management means these risks must be mitigated. I trust this provides some objective data for you. Best, Jim Ditmore
Jim – very insightful and informative as usual. I hope you had a happy and safe holiday. Best wishes for a prosperous 2015.
As usual, great stuff Jim. I’d probably stress a few others that are perhaps off-shoots of yours but I believe worth the effort…
Security: Eliminate all back doors. If you need a better reason than the obvious, look at the most recent FREAK attacks. A good steward of other people’s money would not allow anyone to use anything less than a browser that does not allow for the export-RSA standard and anything less than a 4096-bit key. CDNs are big risk items here. Consider this: a hacker with little more than $100 USD can buy all the Amazon EC2 server time needed to break a 512-bit RSA key. The Export-RSA standard is an old backdoor the US government mandated but no longer requires. This very current example reminds me of all the “backdoors” we’ve implemented over the years for those “just in case” scenarios. With today’s languages, network appliances and infrastructure, these back doors should never be needed.
Your comment about what we used to call CRM, that is leveraging all the information on a client to create real-time decisions, instantly presenting customers with relevant options including alternative products and/or instant customization of their present offer of interest. Companies that want to embrace this, and it will come, need to ensure they are organized to allow for it. When we started this back in 97, we quickly found that central data collection and access was the easy part. Siloed business groups had to agree to allow relationships to be shared. Think about a Private Bank customer paying millions in fees all of a sudden “joined” internally by the Bank’s Asset Management Group. Who owns the relationship? Where does the customer go for help? Next thing you’ll see is the re-emergence of the centralization of IT services and highly matrixed support services. All this from customers with more than one means of interaction with their service provider. So if, using our example above, the PB has mobile video chat with their customers, then every other group that customer is tied into must have it too.
Now about all those devices…
Cisco predicts that there will be 50 billion (yep, billion) connected devices by 2020. Now not all of these devices are going to connect to the same service to support their primary function, but there will be cross-over between them. Having the refrigerator notice you’re out of milk and order it through the online grocer will require a message to the bank to add the charge to your account and another message to the car to schedule a trip to pick up that gallon of milk or a message to the Smart Home front door camera to expect a delivery.
Lastly, I will again agree the Flash is worth embracing. Although it’s been around since I’ve been rolling out automated trade execution systems, the earliest one I put in a DEC (yeah, I know, kinda dates me, but this was their new fault tolerant cluster released in the early 90’s). The problem was, two 256k (yes k as in kilobytes) cost near what the entire CPU cost. Well, cost is now so low, all my machines use at least 128GB as the system drive. Even my laptop and of course all my handhelds do too. Huge opportunities to increase performance and all the associated benefits, just as long as we take it across all areas of the architecture. It’s like when we used GPUs to speed up algo trading and execution, or the “Ginnie Mae” pay-down cycle. If the application is poorly written, FLASH is useless. And let’s remember that if your max network capacity is constrained, accessing and calculating at the speed of electrons only to be slow in delivery to the end user really doesn’t buy you what you paid for. The strategy and architecture have to take into account the big picture.
So, just my two cents on some really great points you raised for 2015. I would add one more thing. You did mention Mobile and again, you are right. This presents challenges in SO many areas. The one it most challenges you with though is the one where it doesn’t exist. Whole markets of people in Africa for example and parts of emerging markets simply aren’t there yet. What an opportunity this presents. Give’m a $200 netbook or $50 cell phone, put up a couple of towers (or wait for Google’s balloon to swing by) and you can adopt a customer you would never have had, all the while expanding your market share in places you never thought possible.
BTW – these were my 2015-2020 predictions from a financial services / capital markets perspective only:
Ever increasing demands on internet bandwidth as we approach a projected 50 billion connected devices by 2020, will result in unprecedented changes to the internet infrastructure and communications media.
With nearly everything connected, vast amounts of data, more than would fit on the media within the world’s largest data centers, and more than current database architectures could handle, will require new technologies and supporting infrastructures.
Ubiquitous global real time data with near zero latency acquisition times will affect capital markets, customer relationship management and speed to market for new products and systems resulting in a need for ever agile architectures and systems design.
Mobile computing will be pervasive resulting in a need for more widely distributed and complex service and support models.
Disaster recovery and Business Continuity Models will have to become inherent in all architectures as the need for static work environments disappears.
Security concerns will continue to grow and will become the greatest risk to all enterprises. Aside from the obvious risk to customer privacy, capital markets and credit risk will create exposure unimaginable in today’s economy.
Joe,
Thanks for the outstanding comment and perspectives. I particularly think your point about the internet structure changing due to all the devices being connected in the next several years is very perceptive and will likely happen. And of course, I completely agree about the security concerns. All the best, Jim Ditmore