CIO · Cloud

3 ways enterprises can reduce their cybersecurity risk profile


If you are an executive (CIO, CISO, CEO) or board member, cybersecurity is top of mind. One of the top comments I often hear is: “I don’t want our company (to be) on the front page of the Wall Street Journal.” Ostensibly, the comments are in the context of a breach. Yet, many gaps still exist between that aspiration and reality. Just saying the words is not enough.

The recent Equifax breach has prompted many conversations with enterprises and executive teams about shoring up their security posture. The sad reality is that cybersecurity spending often happens immediately after a breach happens. Why is that? Let us delve into several of the common reasons why and what can be done.

ENTERPRISE SECURITY CHALLENGES

There are a number of reasons why enterprises are challenged with cybersecurity issues. Much of it stems from the perspective of what cybersecurity solutions provide. To many, the investment in cybersecurity teams and solutions is seen as an insurance policy. In order to better understand the complexities, let us dig into a few of the common issues.

Reactive versus Proactive

The first issue is how enterprises think about cybersecurity. There are two aspects to consider when looking at how cybersecurity is viewed. The first is that enterprises often want to be secure, but are unwilling or unable to provide the funding to match. That is, until a breach occurs. This has created a behavior within IT organizations where they leverage breaches to gain cybersecurity funding.

Funding for Cybersecurity Initiatives

Spending on cybersecurity is often seen in a similar vein as insurance and comes back to risk mitigation. Many IT organizations are challenged to get adequate funding to appropriately protect the enterprise. It should be noted that no enterprise will be fully secured, and attempting to be creates a level of complexity and cost that would greatly impact the operations and bottom line of the enterprise. Therefore, a healthy balance is called for here. Any initiatives should follow a risk mitigation approach, but also consider the business impact.

Shifting to Cybersecurity as part of the DNA

Enterprises often think of cybersecurity as an afterthought to a project or core application. The problem with this approach is that, as an afterthought, the project or application is well on its way to production. Any required changes would be ancillary and rarely get granular in how they could be applied. More mature organizations are shifting to cybersecurity as part of their core DNA. In this culture, cybersecurity becomes part of the conversation early and often…and at each stage of the development. By making it part of the DNA, each member of the process is encouraged to consider how to secure their part of the project.

Cybersecurity Threats are getting more Sophisticated

The level of sophistication from cybersecurity threats is growing astronomically. No longer are the traditional tools adequate to protect the enterprise. Enterprises are fighting an adversary that is gaining ground exponentially faster than they are. In essence, no one enterprise is able to adequately protect themselves and must rely on the expertise of others that specialize in this space.

Traditional thinking need not apply. The level of complexity and skills required is growing at a blistering clip. If your organization is not willing or able to put the resources behind staying current and actively engaged, the likelihood of trouble is not far away.

THREE WAYS TO REDUCE CYBERSECURITY RISK

While the risks are increasing, there are steps that every enterprise, large and small, can take to reduce their risk profile. Sadly, many of these are well known, yet not as well enacted. The first step is to change your paradigm regarding cybersecurity. Get proactive and do not assume you know everything.

Patch, Patch, Patch

Even though regular patching is a requirement for most applications and operating systems, enterprises are still challenged to keep up. There are often two reasons for this: 1) disruption to business operations, and 2) the resources required to update the application or system. In both cases, the best advice is to get into a regular rhythm of patching systems. When you make something routine, it builds muscle memory into the organization that increases accuracy, lessens disruption and speeds up the effort.

Regular Validation from Outsiders

Over time, organizations get complacent with their operations. Cybersecurity is no different. A good way to avoid this is to bring in a trusted, outside organization to spot check and ‘tune up’ your cybersecurity efforts. They can more easily spot issues without being affected by your blind spots. Depending on your situation, you may choose to leverage a third-party to provide cybersecurity services. However, each enterprise will need to evaluate their specific situation to best leverage the right approach for them.

Challenge Traditional Thinking

I still run into organizations that believe perimeter protections are the best course of action. Another perspective is to conduct security audits with some frequency. Two words: Game Over. While both of those are required, security threats today are constant and unrelenting. Constant, evolving approaches are required today.

As we move to a more complicated approach to IT services (SaaS, Public Cloud, Private Cloud, On Premises, Edge Computing, Mobile, etc.), the level of complexity grows. Now layer in that the data we view as gold is spread across those services. The complexity is growing and traditional thinking will not protect the enterprise. Leveraging outsiders is one approach to infuse different methods to address this growing complexity.


One option is to move to a cloud-based alternative. Most cloud-based alternatives have methods to update their systems and applications without disrupting operations. This does not absolve the enterprise of responsibility, but it does offer a way to leverage more specialized expertise.

The bottom line is that our world is getting more complex and cybersecurity is just one aspect. The complexity and sophistication of cybersecurity attacks are only growing, making it more challenging for enterprises to keep up. Change is needed, the risks are increasing and now is the time for action.

CIO · Cloud

The difference between Hybrid and Multi-Cloud for the Enterprise

Cloud computing still presents the single biggest opportunity for enterprise companies today. Even though cloud-based solutions have been around for more than 10 years now, the concepts related to cloud continue to confuse many.

Of late, it seems that Hybrid Cloud and Multi-Cloud are the latest concepts creating confusion. To make matters worse, a number of folks (inappropriately) use these terms interchangeably. The reality is that they are very different.

The best way to think about the differences between Hybrid Cloud and Multi-Cloud is in terms of orientation. One addresses a continuum of different services vertically while the other looks at the horizontal aspect of cloud. There are pros and cons to each and they are not interchangeable.


Multi-Cloud: The horizontal aspect of cloud

Multi-Cloud is essentially the use of multiple cloud services within a single delivery tier. A common example is the use of multiple Public Cloud providers. Enterprises typically use a multi-cloud approach for one of three reasons:

  • Leverage: Enterprise IT organizations are generally risk-averse. There are many reasons for this, which I will discuss in a later post. Fear of taking risks tends to inform a number of decisions, including choice of cloud provider. One aspect is the fear of lock-in to a single provider. I addressed my perspective on lock-in here. By using a multi-cloud approach, an enterprise can hedge their risk across multiple providers. The downside is that this approach creates complexities with integration, organizational skills and data transit.
  • Best of Breed: The second reason enterprises typically use a multi-cloud strategy is due to best of breed solutions. Not all solutions in a single delivery tier offer the same services. An enterprise may choose to use one provider’s solution for a specific function and a second provider’s solution for a different function. This approach, while advantageous in some respects, does create complexity in a number of ways including integration, data transit, organizational skills and sprawl.
  • Evaluation: The third reason enterprises leverage a multi-cloud strategy is relatively temporary and exists for evaluation purposes. This third approach is actually a very common approach among enterprises today. Essentially, it provides a means to evaluate different cloud providers in a single delivery tier when they first start out. However, they eventually focus on a single provider and build expertise around that single provider’s solution.

In the end, I find that the reasons enterprises choose one of the three approaches above are often informed by their maturity and thinking around cloud in general. The question many ask is: Do the upsides of leverage or best of breed outweigh the downsides of complexity?

Hybrid Cloud: The vertical approach to cloud

Most, if not all, enterprises are using a form of hybrid cloud today. Hybrid cloud refers to the vertical use of cloud in multiple different delivery tiers. Most typically, enterprises are using a SaaS-based solution and Public Cloud today. Some may also use Private Cloud. Hybrid cloud does not require that a single application spans the different delivery tiers.

The CIO Perspective

The important takeaway from this is to understand how you leverage Multi-cloud and/or Hybrid cloud, and less about defining the terms. Too often, we get hung up on defining terms more than understanding the benefits of leveraging the solution…or methodology. Even when discussing outcomes, we often still focus on technology.

These two approaches are not the same and come with their own set of pros and cons. The value from Multi-Cloud and Hybrid Cloud is that they both provide leverage for business transformation. The question is: How will you leverage them for business advantage?

Business · Cloud

One theory on Amazon interest in a second headquarters

Amazon announced that they are in search of a location for their second headquarters. The new headquarters facility is expected to create 50,000 jobs and bidders are welcome to submit their proposals to woo the Amazon opportunity. While that, in itself, sounds great, there may be more in the works than just a new headquarters. Let me share my theory on what this may indicate.

THE LOCATION SHORTLIST

First, companies like Amazon do not go into major decisions like this without already having a pretty good idea of how it will end. There is just too much risk at stake; in this specific case, the physical location of the second headquarters. Prior to making the announcement, I suspect Amazon had already done their due diligence and has an internal shortlist of potential locations they would accept.

When evaluating Amazon’s two core businesses, Amazon.com and Amazon Web Services (AWS), both rely heavily on technology. Therefore, a headquarters location must have a strong technology ecosystem that can support their separate growth trajectories.

While just about any major city in the US could support a new headquarters, tech-centric locations on the shortlist may include Silicon Valley, Las Vegas, Phoenix, Austin, Atlanta, New York or Boston. One outlier may be Washington DC/ Virginia. Why? As Amazon continues their spectacular growth, innovation and acquisition of competitors, it will need stronger ties to government inner circles.

So, which location? My theory is that the process is more of a formality and the decision is between a couple of locations that will come down to local/ state tax incentives. If true, the shortlist is a few locations less than outlined above.

IS A SPLIT ON THE HORIZON?

It is not common for companies to suggest a second ‘headquarters’ location. It does happen, but not often. There may be an undercurrent driving this move. Amazon has two core businesses: Amazon.com and AWS. Almost two years ago, Amazon announced that Andy Jassy would be promoted to CEO of AWS. This may be the first marker in a longer-term strategy for Amazon.

One challenge Amazon continues to face is conflict between their core Amazon.com business and Amazon Web Services (AWS). Major customers of AWS continue to flee when Amazon.com moves into a competitive role. Essentially, Amazon.com gains are negatively impacting AWS. For example, Walmart is just one of the latest customers to do so. In the enterprise space, prospective customers have expressed concern that AWS (historically) is not Amazon’s core business. The distribution business is their core. Of course, in the past few years, AWS has grown significantly. However, it still presents a challenge. Splitting Amazon into two companies, with Andy Jassy taking on the new AWS entity, could be the solution.

SPLIT DECISIONS

But there is a potential problem with splitting AWS from Amazon. When they operate as a combined company, Amazon is not required to disclose their significant AWS customers as they are not material in revenue to their core business. However, if the two companies were to split, this disclosure could be required and would bring focus to who AWS’ material customers are…in a very public way.

Now, if none of AWS’ customers are material, or contribute a significant amount of value (individually) to their financial revenue, this issue is not relevant. However, I suspect that Amazon.com is a major consumer of AWS’ services. And there may be a couple of other major customers.

If there are significant, material customers in the mix, it could present concerns among shareholders of AWS. Today, we don’t have clarity on this issue due to the economic halo effect of the core Amazon.com business. Splitting the companies brings this potential issue to light…and may be the reason Amazon has not split the two companies yet.

IMPACT TO SEATTLE ECOSYSTEM

The last driver may be the Seattle ecosystem itself. Seattle is a vibrant technology metropolis that supports several major technology companies like Microsoft and Amazon. In addition, major companies like Boeing and Costco consume a significant footprint too. Big companies bring great opportunities and economic growth to communities. However, they can have a downside too. Cost of living increases, the risk of losing a company, and a limited pool of skilled people are all risks that offset the opportunities. One can look to the SF Bay Area/ Silicon Valley to see how this is playing out, how competitive it is for talent and how hard it is to relocate someone to the Bay Area.

It is probable that, with Amazon’s success and growth trajectory, they may feel that the Seattle ecosystem is starting to become limiting or incapable of handling the entirety of a company like Amazon today and moving forward. If this were the case, I suspect the shortlist of potential suitors may not include Silicon Valley, New York or Boston.

MY TAKE

All that being said, my theory is that there is an impending split on the horizon for Amazon. The move of Jassy to CEO, AWS’ continued growth and secondary factors point to this as a possible outcome. That, coupled with AWS having proved it can stand on its own without the core Amazon.com business, further supports this perspective.

I look forward to hearing what you think. Share your thoughts in the comments below!

Cloud

Kicking off Cloud Field Day 2


Tomorrow kicks off Cloud Field Day 2 (#CFD2) here in the San Francisco Bay Area, and I am thankful for the invitation to take part. CFD2 brings together an interesting mix of vendors and cloud solutions over the next three days. Here is the rundown of who is participating:

In addition, Thursday evening is the Microservices Meetup, Cloud Field Day Edition. All in all, the meetings this week and the Meetup should provide interesting information on where these companies are with regards to cloud.

While I have quite a bit of experience with most of the companies on this list, there are a couple of new ones. And I am always on the lookout for new, disruptive companies. Over the next few days, look for a series of tweets from the group and join in using the hashtag #CFD2.

CIO

IT has a serious credibility problem and does not realize it


One challenge for many IT organizations is that of credibility. In a recent post, I discussed the importance of credibility and the network effect in IT. What is credibility? According to Merriam-Webster, credibility is ‘the quality or power of inspiring belief or (the) capacity for belief.’

The question every IT professional, whether the CIO or otherwise, should ask is: What is my reputation with those outside of IT? Do others outside of my organization believe me? Put a different way, do others outside of IT find my ability credible? This may sound strange, but it could also be seen as a measure of effectiveness for the IT leader and their organization. Sadly, the answer to this question depends on who you ask. When talking about this with CIOs and IT staff, I often find the answer to be ‘yes’. However, when talking with folks outside of the IT organization, the answer is often ‘no.’ I have seen this play out across a number of organizations.

THE IMPORTANCE OF CREDIBILITY

At this point, some may be asking: “So what?” or “Why is this so important?” The short answer is: without credibility, it is increasingly difficult, if not impossible, to be effective in IT. For the CIO, we often talk about wanting a “seat at the table” as if it were an entitlement. Bottom line: it is something earned, not freely given. Nor is it an entitlement. And without credibility, it is a non-starter. If you cannot effectively manage the basics, do not expect to be included in the more interesting and strategic efforts.

Credibility provides the ability to navigate through these points in a meaningful way. Getting to a point where one can transact on their credibility takes time and work. It is important to focus on building credibility over time and avoiding the missteps that erode it.

KNOW YOUR BLIND SPOTS

One way to avoid missteps is awareness of your blind spots. Everyone has them. Few will admit to their existence and even fewer will actively seek to understand and manage them. Yet, understanding where they exist puts you in a very powerful position.

Part of understanding your blind spots is to genuinely listen…and with an open mind. Many in IT are quick to judge, offer alternative solutions or take a defensive posture. Yet, there are times when the best approach is simply to listen and learn. If we, as IT professionals, are truly interested in being perceived as change agents, we need to be genuinely open to feedback. Remember that perception of those outside of IT is reality. It matters less about what IT thinks about itself internally. Do we have all the answers? No.

BUILDING RELATIONSHIPS

By seeking out input and taking the feedback seriously, we can learn where our blind spots are. We also do something else in the process. We build stronger relationships. The positive engagement with others opens the door to deeper conversations where folks learn more about each other. These relationships will naturally lead to showing empathy and appreciation in understanding each other’s perspective.

Let’s face it: IT professionals are not that great at building relationships with those outside of IT. Yet, that is exactly what we need to do. Perception is reality and it is important to understand these differences. Remember, it is more important what they think, not what you think. Perception is reality.

Part of building relationships is knowing when to fall on your sword. This is particularly hard for IT folks who have come up in a culture where failure is seen as a sign of weakness. More important is to maintain a healthy balance. Again, empathy and a good dose of humility are good attributes.

Following these steps while keeping an open mind will help build credibility with those most critical to your success. Understand your blind spots and work on building strong, healthy relationships both within IT and externally. The combination of these actions will change the perception and build credibility.

CIO · Cloud · Data

Why are enterprises moving away from public cloud?


We often hear of enterprises that move applications from their corporate data center to public cloud. This may come in the form of lift and shift. But then something happens that causes the enterprise to move it out of public cloud. This yo-yo effect and the related consequences create ongoing challenges that contribute to several of the items listed in Eight ways enterprises struggle with public cloud.

In order to better understand the problem, we need to work backwards to the root cause…and that often starts with the symptoms. For most, it starts with costs.

UNDERSTANDING THE ECONOMICS

The number one reason why enterprises pull workloads back out of cloud has to do with economics. For public cloud, it comes in the form of a monthly bill for public cloud services. In the post referenced above, I refer to a cost differential of 4x. That is to say that public cloud services cost 4x the corporate data center alternative for the same services. These calculations include fully-loaded total cost of ownership (TCO) numbers on both sides over a period of years to normalize capital costs.

4x is a startling number and seems to fly in the face of a generally held belief that cloud computing is less expensive than the equivalent on-premises corporate data center. Does this mean that public cloud is not less expensive? Yes and no.

THE IMPACT OF LEGACY THINKING

In order to break down the 4x number, one has to understand that legacy thinking heavily influences this number. While many view public cloud as less expensive, they often compare apples to oranges when comparing public cloud to corporate data centers. And many do not consider the fully-loaded corporate data center costs that include server, network, storage…along with power, cooling, space, administrative overhead, management, real estate, etc. Unfortunately, many of these corporate data center costs are not exposed to the CIO and IT staff. For example, do you know how much power your data center consumes and the cost of real estate? Few IT folks do.

There are five components that influence legacy thinking:

  1. 24×7 Availability: Most corporate data centers and systems are built around 24×7 availability. There is a significant amount of data center architecture that goes into the data center facility and systems to support this expectation.
  2. Peak Utilization: Corporate data center systems are built for peak utilization whether they use it regularly or not. This unused capacity sits idle until needed and is only used at peak times.
  3. Redundancy: Corporate infrastructure from the power subsystems to power supplies to the disk drives is designed for redundancy. There is redundancy within each level of data center systems. If there is a hardware failure, the application ideally will not know it.
  4. Automation & Orchestration: Corporate applications are not designed with automation & orchestration in mind. Applications are often installed on specific infrastructure and left to run.
  5. Application Intelligence: Applications assume that availability is left to other systems to manage. Infrastructure manages the redundancy and architecture design manages the scale.

Now take a corporate application with this legacy thinking and move it directly into public cloud. It will need peak resources in a redundant configuration running 24×7. That is how they are designed, yet public cloud benefits from a very different model. Running an application in a redundant configuration at peak 24×7 leads to an average of 4x in costs over traditional data center costs.

This is the equivalent of renting a car every day for a full year whether you need it or not. In this model, the shared model comes at a premium.
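The premium described above comes from multiplying three things: sizing for the peak, duplicating the infrastructure for redundancy, and paying for both every hour of the week. The model below is an added example, not code from the original post, and it makes that multiplication explicit. Every input is a constructed assumption: the weekly demand profile (peak only during a business-hours window), the redundancy factors, and the hourly rate are illustrative and do not reproduce the 4x figure from any real data; the function names `weekly_demand`, `lift_and_shift_hours`, `right_sized_hours` and `premium` are this example's own.

```python
"""Added example: how 'legacy thinking' (peak sizing, redundancy, 24x7)
multiplies into a public cloud premium when an application is lifted and
shifted unchanged. All inputs are constructed assumptions, not measurements.
"""
from dataclasses import dataclass
from typing import List

HOURS_PER_DAY = 24
DAYS_PER_WEEK = 7


def weekly_demand(peak: int, baseline: int,
                  business_start: int = 8, business_end: int = 18,
                  business_days: int = 5) -> List[int]:
    """Instances actually needed in each hour of one week (constructed profile).

    Hours inside the business window on business days need `peak` instances;
    every other hour needs only `baseline`.
    """
    profile = []
    for day in range(DAYS_PER_WEEK):
        for hour in range(HOURS_PER_DAY):
            busy = day < business_days and business_start <= hour < business_end
            profile.append(peak if busy else baseline)
    return profile


def lift_and_shift_hours(demand: List[int], redundancy: int = 2) -> int:
    """Instance-hours under the legacy model: the peak count, multiplied by
    the redundancy factor, running every hour whether needed or not."""
    return max(demand) * redundancy * len(demand)


def right_sized_hours(demand: List[int], redundancy: int = 1) -> int:
    """Instance-hours when capacity follows demand hour by hour, the model
    the post contrasts with legacy sizing. `redundancy` stays a parameter
    because a refactored application may still run more than one copy, but
    it multiplies actual demand rather than the peak."""
    return sum(demand) * redundancy


@dataclass
class Premium:
    ratio: float              # lift-and-shift instance-hours / right-sized
    peak_over_average: float  # contribution of sizing for peak, 24x7
    redundancy_factor: float  # contribution of duplicated infrastructure


def premium(demand: List[int], legacy_redundancy: int = 2,
            cloud_redundancy: int = 1) -> Premium:
    """Split the premium into its multiplicative parts.

    ratio == peak_over_average * redundancy_factor, because
    (peak * R_legacy * hours) / (sum(demand) * R_cloud)
        == (peak / average) * (R_legacy / R_cloud).
    """
    legacy = lift_and_shift_hours(demand, legacy_redundancy)
    cloud = right_sized_hours(demand, cloud_redundancy)
    average = sum(demand) / len(demand)
    return Premium(
        ratio=legacy / cloud,
        peak_over_average=max(demand) / average,
        redundancy_factor=legacy_redundancy / cloud_redundancy,
    )


def weekly_cost(instance_hours: int, hourly_rate: float) -> float:
    """Turn instance-hours into a weekly bill at a constructed on-demand rate."""
    return round(instance_hours * hourly_rate, 2)


if __name__ == "__main__":
    demand = weekly_demand(peak=10, baseline=2)   # constructed profile
    rate = 0.10                                   # constructed rate, no provider's price
    p = premium(demand)
    print(f"lift-and-shift: {weekly_cost(lift_and_shift_hours(demand), rate)} per week")
    print(f"right-sized:    {weekly_cost(right_sized_hours(demand), rate)} per week")
    print(f"premium {p.ratio:.2f}x = peak/average {p.peak_over_average:.2f} "
          f"x redundancy {p.redundancy_factor:.0f}")
```

The decomposition is the useful part: with a flat demand profile and no extra redundancy the ratio collapses to 1.0, which is the planning point the next section makes. Refactoring changes the inputs (a lower peak-to-average ratio, redundancy handled in the application rather than by duplicated infrastructure) and the premium shrinks accordingly.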

THE SOLUTION IS IN PLANNING

Is this the best way to leverage public cloud services? Knowing the details of what to expect leads one to a different approach. Can public cloud benefit corporate enterprise applications? Yes. Does it need planning and refactoring? Yes.

By refactoring applications to leverage the benefits of public cloud rather than assume legacy thinking, public cloud has the potential to be less expensive than traditional approaches. Obviously, each application will have different requirements and therefore different outcomes.

The point is to shed legacy thinking and understand where public cloud fits best. Public cloud is not the right solution for every workload. For those applications that will benefit from public cloud, understand what changes are needed before making the move.

OTHER REASONS

There are other reasons that enterprises exit public cloud services beyond just cost. Those may include:

  1. Scale: Either due to cost or significant scale, enterprises may find that they are able to support applications within their own infrastructure.
  2. Regulatory/ Compliance: Enterprises may use test data with applications but then move the application back to corporate data centers when shifting into production with regulated data. Or compliance requirements may force the need to have data resources local to maintain compliance. Sovereignty issues also drive decisions in this space.
  3. Latency: There are situations where public cloud may be great on paper, but in real-life latency presents a significant challenge. Remote and time-sensitive applications are good examples.
  4. Use-case: The last catch-all is where applications have specific use-cases where public cloud is great in theory, but not the best solution in practice. Remember that public cloud is a general-purpose infrastructure. As an example, there are application use-cases that need fine-tuning that public cloud is not able to support. Other use-cases may not support public cloud in production either.

The bottom line is to fully understand your requirements, think ahead and do your homework. Enterprises have successfully moved traditional corporate applications to public cloud…even those with significant regulatory & compliance requirements. The challenge is to shed legacy thinking and consider where and how best to leverage public cloud for each application.

Business · CIO

Understanding the Network Effect in IT

When discussing the combination of Information Technology (IT) & network, one quickly runs to thinking about cabling, connectors, switches, hubs and routers. However, there is another type of network that has nothing to do with technology yet directly impacts the effectiveness of an IT organization. This type of network involves people, empathy, credibility and humility.

THE NETWORK EFFECT

Many enterprise organizations believe that the Chief Information Officer (CIO) or the senior most person in IT is the key person that engages with the rest of the company. That is only slightly correct as it ignores the impact from the rest of the IT organization. And it is this impact that actually has a more significant bearing on how those outside of the IT organization view the organization itself. What is at work here is the Network Effect.

How does the network effect affect IT? Let us assume that the CIO spends all 40 hours each week engaging with those outside of IT. Yet, their staff of 100 only spends 20% of their time engaging outside of IT. That would equate to (100 staff x 20% of time x 40 hrs/wk) 800 hours each week or 20x more time than the CIO.

While it is important for the CIO to carry a consistent and appropriate message when engaging with those outside of IT, the same is true for the rest of the IT organization. The more people that engage with folks outside of IT, the greater the network effect. And from a numbers perspective, the impact is significant. So is the risk.

UPSIDES AND DOWNSIDES

Creating a consistent message and culture is a critical objective for any leader, not just the CIO. However, when it comes to IT, there are other factors that can turn a positive opportunity into a negative experience.

Most leaders understand the importance of credibility and empathy. This is especially true when considering the support nature of an IT organization. When moving further into the organization, these qualities are often less developed or immature. As a consequence, a potentially positive interaction can quickly turn negative in the form of diminishing credibility for the entire organization.

Each organization is unique in their culture, leadership, and way they engage. Whether it be the CIO or their staff, one should never lose sight of the big picture as it provides the context and guidance for everyone in the company. It is easy to get caught up in the situation and lose sight of the overall situation. Even the smallest actions can have a demonstrable impact.

Too often, IT folks try to mask transparency and quickly run toward solutions centered around their own frame of reference, which often comes from a siloed perspective. As such, they lack empathy for the user’s situation and how it relates to the big picture.

THE SOFT SKILLS

In IT, we tend to focus on the hard skills of technology with less emphasis on the softer side. Yet, it is those soft skills that can quickly turn a situation into either a positive or negative one. Showing genuine empathy to a situation without placing blame creates a very different perspective.

In the end, whether you are a CIO, leader of an IT organization or individual contributor, it is important to understand the impact of your actions and the actions of your staff. Even those interactions that may seem innocuous can have a resounding and lasting effect. It can lead to building credibility or tearing it down. And credibility is what provides the foundation for relationships, yet we often do not think about how our actions build or diminish it. Hence, the network effect creates a level of opportunity and challenge.