CIOSynergy – Conversations and Insights

CIOSynergy in Boston on September 24, 2015, was as usual compact, high-energy and insightful. About 150 CIOs attended the half-day event. Scott Shuster (BusinessWeek, ABC News, NPR) was the able and engaging guide and foil for the event. I joked with him later that his seamless connecting of IT ideas and probing questions probably merited an honorary CIO degree for him if such were offered.

The format was moderated talks, with two panel discussions interspersed. There was space for vendor sponsors to showcase their wares. The keynote was by Kevin Poulsen, former black hat and Senior Editor at Wired. What an eye-opener on the world of computer fraud and the underground markets that support it! In his 20s, Kevin earned notoriety (and five years in prison, with a ban from using computers and the internet for an additional 3 years) for taking over the phone lines of a radio station to win a Porsche 944, among other exploits. He teased and broke into FBI and other government sites. He spoke about the recent credit card breaches, going back to when it all started. The mysterious international criminal marketplaces for buying and selling cards and identities, and some of the colorful, ruthless and smart criminal minds behind them, were covered. Two positive notes: first, that Kevin is now very much a good guy, a respected journalist for over 15 years, running Wired’s Threat Level blog, which is in fact helping the fight against crime. Second, that those new chips on credit cards will indeed help cut down on credit card fraud.

Lavanya Rastogi of OSSCube spoke about how the enterprise is opening up to Open Source because of the need to accommodate both innovation and scalability. He talked of the need for fresh approaches and “full stack” people: those who span business understanding through delivering business value. He emphasized how Open Source is redefining the world. OSSCube has been able to deliver solutions in 6 to 9 months that would ordinarily have taken 3 to 5 years! A memorable quote: “We are either disrupting or getting disrupted”.

David Hood of Mimecast spoke about how the email environment has grown in complexity. From the hygiene level of malware avoidance through data loss prevention, Mimecast offers cloud services, Office365, online Exchange and archiving. He predicts that in two years more than 50% of businesses will be using Office365/Exchange. The cost of onsite email is just prohibitive with its backup/DRP needs as well as the need for speedy response to new threats.

Dyn’s Scott Hilton spoke of “demystifying the cloud”. Dyn partners with the likes of Microsoft, Cisco, Polycom and others so that, as assets are moved to the cloud, they offer both visibility and management of availability and performance. Security, control and vendor diversity were covered, and Dyn’s ability to both monitor and optimize was discussed.

A highlight for me was the two panel discussions. The first was billed as a CIO “tell-all” with six participants: Needham Bank, Boston Private Bank & Trust, Wentworth Institute of Technology (education), Alex and Ani (who do jewelry), J.Polep Distribution Services (food distribution) and Bright Horizons (childcare) – a diverse bunch. The second was a CIOhealth panel with four participants: Century Health Systems, Health Trust, NxStage Medical and Health Alliance. Both panels veered towards discussions around security and compliance. Here is some of what was said that stayed with me:

  • Security issues have a big impact on a company, so risks need to be managed. Many companies create plans, but unless the plans are actually exercised there is little value. You cannot have an incident and discover that your plan is inaccessible or not fully understood. You have to act quickly or you will have chaos.
  • You need a culture that does not penalize people who alert you to a risk or a breach. People have to be comfortable saying “something looks out of whack here – I need to tell someone about this”. It is better to have false positives than silence.
  • While awareness/testing is up, remediation is not. It is unacceptable to have a 5% or 10% failure on phishing – that would mean havoc! You can do social engineering tests, but accountability is needed. Have board level and lawyer involvement. If people fail tests, there must be a warning that they are putting a company at risk.
  • IT can expose vulnerabilities, but it is business culture that needs to change to minimize risk.
  • Zero issues in the past is not an indicator for the future. Recent public breaches have shown that.
  • Nation states have unlimited budgets for hacking.
  • The perimeter used to be the firewall. Now a company’s perimeter is really the vendors it deals with. With vendors, you are typically reliant on third-party reports about their security. Try to audit — see if you can add that to your vendor contract. Security and IT people need to do the due diligence because lawyers cannot do it. Vendors try to use language to protect themselves.
  • You can never be 100% secure. You need to define the risk and get the business to say that it is acceptable.
  • If you ask a vendor for their security policy and you get it in days rather than instantly – that is a red flag! They probably did an internet cut-and-paste. That is unacceptable.
  • Compliance work can negatively impact security! It draws away resources, without necessarily adding value at the high level. An example: consider a biker, who is well protected with layers of leather gear and a helmet. He or she can remove all the leather gear and just keep the helmet to be in compliance – but the real protection is no longer there!
  • Sometimes companies are asked to comply even in areas of less relevance to them. This takes away money from security.
  • Washington is usually reacting to a compliance issue. Short term thinking is pervasive.
  • In healthcare, Meaningful Use and HIPAA are big, but can get in the way of security. Users typically do not understand the security of their health info on mobile devices. HIPAA is behind on mobile devices.
  • Use third-party security firms to do training each quarter: password protection, phishing, live social engineering, phone scams. Every week, send a phishing test to one person in a department – establish baselines to see if you are improving. Help people understand targeted attacks.
  • Connectivity and security policy concerns are rising for at-home patients.
  • There is a huge need for interoperability in health care. A lot of companies did their own thing when they were hit with HIPAA compliance. Must learn to share data. Lots of compliance requests overlap, e.g., state requirements. You need a database for efficiency.
  • Getting data into Electronic Medical Records was step one. Step two is getting the data out and making good use of it. The next Meaningful Care Stage 2 in 2016 is Analytics. This will require people with both medical and analytical skills.
  • Work closely with your EMR vendors. Data portability is far behind on what is needed, but will come. Healthcare is still reactive – it needs to be more proactive.

As you can see, CIOSynergy had much to offer and think about. I was surprised and pleased by how much was covered in just half a day – a testament to the great planning that goes into these events.