Musings of a Corporate Consigliere
Thoughts & Advice on Consulting Challenges
Answer, it’s both.
Manufacturing is plowing full-speed ahead into the siren-like song of the Industrial Internet of Things (
Over the last twenty years or so, the project management discipline has risen from obscurity to become an integral part of corporate life. If you are reading this from the cubicle farm, chances are gaggles of contract project managers are generating countless spreadsheets, dutifully filled out with carefully curated data. That data may or may not be plugged into a vast, unwieldy PMO tool. From there it flows to the various managers and directors, who vaguely review it in status reports, and then it falls into the great bit bucket, never to be seen again. Unless a project is heading toward failure: then it will be used to clobber whichever party lacks the right political protection, which is usually the sad contract project manager who created the spreadsheet in the first place. Of course, the PM is supposed to be part of a project team that includes project coordinators, business analysts, an approved budget, PMO resources and so on. Instead, the PM is usually the only management resource assigned to the project. They came in two or three months into the execution phase, there are no requirements, the last PM was fired or left, and by the way, you have six other projects like this that you are responsible for.
So how did the project manager become the corporate world's designated fall guy? If the above holds, how can the projects they are assigned to succeed? How did the profession get to this point, and what can be done to reverse the trend?
More dispatches from the front for this week's post. Cloudflare, a major CDN and web security provider, disclosed in February 2017 that a bug in its edge HTML parser, introduced in September 2016, had been leaking memory from its servers. This was not an intrusion: a buffer overrun in a few lines of parser code caused fragments of other customers' traffic (session cookies, credentials, API keys, tokens and the like) to be written into unrelated HTTP responses by the millions. The data went out in plain text, and some of it was captured by search engine caches, which makes cleanup hard: the leaked fragments were dropped at random into responses across a massive customer base and cannot be enumerated after the fact. According to Cloudflare, the worst leakage occurred between February 13 and 18, 2017.
I was approached by Snapmunk to provide commentary on this issue, which I did. However, I have also provided similar advice to clients more times than I care to count. We can point back to the Heartbleed bug, identified in April 2014 but present in OpenSSL releases since 2012. Remediating this kind of issue is not a matter of buying a boatload of expensive technology; a disciplined incident response can tackle this problem.
Here are a few of the tips I have provided:
1. What steps would you advise businesses affected by Cloudflare’s data leak take following the leak? How should they go about damage control?
They should immediately activate their incident response plan, then coordinate with Cloudflare daily to make sure they have the latest information on the scope and impact of Cloudbleed. Depending on where the company is located, breach-notification laws may require them to inform state or local authorities that they have been affected.
The most proactive damage control is to contact the users of your company's services immediately, state what actions you are taking to address the leak, and follow a defined plan for keeping those customers informed.
Internally, affected companies must review their security posture from top to bottom and make sure Cloudbleed did not expose credentials that can reach corporate assets and seed further breaches. Because the leaked fragments cannot be enumerated, treat any secret that passed through Cloudflare's edge during the exposure window (session cookies, API keys, OAuth tokens, passwords submitted to affected sites) as exposed: rotate it and force users to re-authenticate, rather than trying to prove that a particular credential was not leaked.
2. What can we learn from a breach like this?
We can assume that Cloudflare was using current security technology with a "defense-in-depth" strategy. Yet one error in a single line of code bypassed millions of dollars' worth of it. The takeaway for consumers and companies alike is that no technology service is 100% secure. Companies need to review their software aggressively for vulnerabilities, which will sometimes mean expensive migrations off legacy applications. On the consumer side, customers have to realize that reusing the same password across multiple sites, especially sensitive ones, is a very bad idea.
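Cloudflare's own post-mortem traced the overrun to an end-of-buffer check written with `==` where `>=` was needed, so a cursor that stepped past the end of the buffer was never caught. The C program below is an added illustration of that bug class written for this page; it is not Cloudflare's parser code, and the `arena`, `request` and `neighbour` strings are constructed for the example. It shows a toy tag scanner whose escape handling advances the cursor by two bytes at a time, the same scanner with the boundary check corrected, and a `main` that demonstrates the first one copying the neighbouring tenant's data into its output.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* One contiguous block standing in for a proxy worker's heap: the request
 * being parsed is immediately followed by another tenant's data. Both
 * strings are constructed for this example. */
#define ARENA_SIZE 64
char arena[ARENA_SIZE];

/* Request bytes under parse: a tag body that ends in a lone escape byte
 * and has no closing '>' (4 bytes). */
static const char request[] = "a b\\";
/* Neighbouring tenant's data that a correct parser must never touch. */
static const char neighbour[] = "x=hunter2>";

/* Lay the two buffers out back to back; returns the request length. */
size_t build_arena(void)
{
    memset(arena, 0, sizeof arena);
    memcpy(arena, request, sizeof request - 1);
    memcpy(arena + (sizeof request - 1), neighbour, sizeof neighbour - 1);
    return sizeof request - 1;
}

/* Copy tag-body bytes into out until a closing '>' is seen. A backslash
 * escapes the byte after it, so the cursor sometimes advances by two.
 * BUG: end-of-buffer is tested with ==. An advance of two can jump from
 * pe-1 to pe+1, the test never fires, and the copy continues into
 * whatever follows the buffer. Returns the number of bytes copied. */
size_t scan_tag_bugged(const char *buf, size_t len, char *out, size_t out_cap)
{
    const char *p = buf, *pe = buf + len;
    size_t n = 0;
    while (n < out_cap) {          /* out_cap only bounds the destination */
        if (*p == '>')
            break;
        out[n++] = *p;
        p += (*p == '\\') ? 2 : 1;
        if (p == pe)               /* skipped when p overshoots pe */
            break;
    }
    return n;
}

/* Same scanner with the boundary test written as >= and the cursor
 * checked before every dereference: the fix for this bug class. */
size_t scan_tag_fixed(const char *buf, size_t len, char *out, size_t out_cap)
{
    const char *p = buf, *pe = buf + len;
    size_t n = 0;
    while (n < out_cap && p < pe) {
        if (*p == '>')
            break;
        out[n++] = *p;
        p += (*p == '\\') ? 2 : 1;
        if (p >= pe)               /* catches the overshoot */
            break;
    }
    return n;
}

/* Plain-value helpers: how many bytes each scanner copies from the
 * constructed arena, and whether the bugged copy contains the secret. */
size_t bugged_copy_len(void)
{
    char out[32];
    return scan_tag_bugged(arena, build_arena(), out, sizeof out);
}

size_t fixed_copy_len(void)
{
    char out[32];
    return scan_tag_fixed(arena, build_arena(), out, sizeof out);
}

int bugged_copy_leaks_secret(void)
{
    char out[33] = {0};            /* zero-filled so strstr sees a NUL */
    scan_tag_bugged(arena, build_arena(), out, 32);
    return strstr(out, "hunter2") != NULL;
}

int main(void)
{
    char out[33] = {0};
    size_t len = build_arena(), n;

    n = scan_tag_bugged(arena, len, out, 32);
    printf("bugged: copied %zu bytes: \"%.*s\"\n", n, (int)n, out);

    n = scan_tag_fixed(arena, len, out, 32);
    printf("fixed:  copied %zu bytes: \"%.*s\"\n", n, (int)n, out);
    return 0;
}
```

Compile with any C99 compiler and run: the bugged scanner copies 12 bytes, including the neighbour's `hunter2`, while the fixed one copies the 4 request bytes and stops. In the toy the overshoot stays inside `arena`, so the behaviour is deterministic; in a real process the read lands on whatever object the allocator placed next, which is exactly why the leaked data could not be enumerated afterwards.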
From the Department of Redundancy Department here comes another set of regulatory hilarity that will definitely impact both business and security professionals alike. I give you the GDPR!
In structure, the General Data Protection Regulation (GDPR) resembles U.S. sector rules such as HIPAA and industry standards such as PCI DSS: it lays down a foundation of data security and privacy requirements, how individuals can access and port their data, the fines and penalties for non-compliance, and how the regulation applies across EU member states.
Although GDPR is an EU regulation, it applies to any organization that processes the personal data of people in the EU, so it will affect information security products and services globally. Security vendors will have to build GDPR's requirements into their products, and InfoSec professionals will have to be familiar with its various privacy and security rules. The regulation takes effect on May 25, 2018; until then compliance is not mandatory.
Information Security Professionals must have more than a passing knowledge of the various rules and regulations that impact the management of the enterprise data in their charge. InfoSec pros must be familiar with local, state, federal and international privacy and security guidelines that govern the confidentiality, integrity and availability of the data they protect. Knowledge of legal and regulatory frameworks is becoming as important a skill as proficiency in the security technologies they use to protect sensitive data.
I’m rather surprised the Certification Industrial Complex hasn’t jumped at the chance to create an overall certification for the mountain of legal and regulatory guidance that governs privacy and security. Maybe having a law degree will be the next prerequisite that HR folks will require for employment. I can see it now, “Corp X req: must have a law degree, CISSP, CRISC, PMP, MBA, 15 years experience. 6 month engagement @$45 per hour.”
Let me know your thoughts in the comments below.
A recurring theme in information security and technology is the problem of communication. While this trope has been on the books since the 1990s, there hasn’t been much progress toward a lasting solution. Executives appear to be ill-informed about technology risks, issues, needs and wants, while those in the tech and security trenches complain bitterly about the apparent cluelessness of leadership.
After a recent conversation with a client about this apparent disconnect, I’ve attempted to sum up the current state of this ongoing problem as well as provide a few tips on how to clear up some of the clutter.
What priorities are not getting through from IT security to the board and C-suite?
What is not translating in the other direction, from the top down?
What are the cultural and other differences between the two extremes that are garbling communications?
How do we fix the communications process and deliver the key points from each end to the other with sufficient clarity and weight?
Let me know your thoughts in the comments below about my approach. What are your ideas on how to help solve these issues?
Healthcare entities and cloud service providers (CSPs) have been reluctant to form business partnerships because of uncertainty about HIPAA privacy and security obligations. Cloud technology was not mentioned in the original HIPAA legislation of 1996, nor in the HITECH Act of 2009. Apart from large-scale EMR outsourcing to a private cloud hosted by the EMR vendor, healthcare organizations shied away from other CSP services. The Department of Health and Human Services had not provided definitive guidance, and healthcare providers did not have a clear understanding of the risk and compliance pitfalls.
That has not stopped healthcare staff from using all manner of consumer-grade cloud services. Whether Dropbox, Box or iCloud, staff sync files from their phones, tablets and laptops to whatever is readily available, even though these consumer accounts are not HIPAA “compliant” and none of them is covered by a Business Associate Agreement (BAA) with the healthcare provider. This is a huge compliance risk for healthcare organizations. Moving to CSPs that will sign a BAA will carry a large cost, since many consumer services will not agree to HIPAA's privacy and security stipulations.
Recently HHS released its Guidance on HIPAA & Cloud Computing, which provides the basic risk and compliance building blocks so healthcare entities can start making appropriate decisions with an eye toward managing their compliance and risk obligations.
I had the opportunity to review the new guidance document with the Connected Health Initiative (CHI). This group is heavily involved in promoting innovation in mHealth and telehealth and gives like-minded companies a forum to discuss and navigate the regulatory waters in healthcare.
Is cyber-liability insurance a must-have for today’s enterprise? How should an organization go about evaluating whether to add this type of policy to its stable of other risk management vehicles? Let’s take a look at the current market and a few of the questions that need answers before a company invests in a cyber-liability policy.
Cyber-liability insurance is gaining in popularity as a supplement to Commercial General Liability policies (CGL) and could be a good investment for a business looking to hedge their risk. The ROI for this type of policy would have to be weighed against the business model, the data stored and the potential damages they could incur in the event of a data breach. Companies in the healthcare and financial sectors should seriously consider obtaining one of these policies due to the regulatory burden and potential non-compliance penalties these industries face.
Is the cost worth it?
Currently, cyber-liability policies are quite cheap. With a record number of data breaches in 2015 the cost is climbing quickly, but premiums are still reasonable. Consider a small breach of 100,000 client records: an enterprise would pay nearly $50k in postage alone to send the notification letters. Most cyber-liability premiums, which depend on revenue, size and industry, start at around $1,500; large multi-billion dollar firms may pay up to around $50,000.
The models behind technology spending have changed dramatically over the last several years, with virtualization, consumer devices and “as a service” offerings complicating the procurement process. They offer tremendous opportunities for astute technology consumers, but an unprepared enterprise buyer working from insufficient information also faces significant risks.
Add increasing cybersecurity concerns, regulatory compliance regimes and staffing issues, and even the largest firms have difficulty making informed decisions.
One question I get from my small business clients is: how can I perform a technology audit to take stock of what we have, identify gaps and create a plan for new technology purchases?
The first step would be to look at your enterprise strategic plan. What are your business goals for the next three years? What technologies would facilitate reaching those goals? Do you have technologies in house that fill that need currently? Can they be upgraded or configured to meet these objectives? If not, what technologies are available (Cloud or on-premise) to meet your objectives?
These very high-level steps are the basics of the strategic planning process, governance and portfolio management.
Is there hype and hysteria around security breaches? Is this going to give rise to a cyber-industrial complex? These questions were recently posed to me by a client at a large insurance company.
Well, let’s look at the current situation. Security breaches are growing in scope and visibility because of increasing automation, interconnected systems, mobile devices and the sharing of personal data. The financial incentive is there for criminals, nation-states and other malicious actors to perpetrate these crimes.
Cyber-security preparedness in the business community, while more visible in recent years, is still far behind the curve compared with those who wish to commit cybercrime. There is still a tremendous disconnect between employees and the general public on one side and the current security threats on the other, including the impact their own behavior has in propagating or thwarting a breach.
People should be concerned about security breaches, since personal data can be used to damage or destroy an individual’s financial and even personal life. An example is the OPM breach, where millions of pages of security clearance forms containing intimate details of individuals were stolen. These can and will be used by malicious actors as leverage against federal employees in sensitive positions within the government.
Are cybersecurity companies using these incidents to feed the hysteria around breaches? Of course they are. You see this in any industry when a company sells a product or service that remediates the concerns faced by that industry. However, security is still a comparatively low priority at the executive level within corporations. This is changing, but it remains the bailiwick of technologists who have minimal say in enterprise decision making.
In my last post, I touched on the issue of cybersecurity vulnerabilities in medical devices and how the healthcare industry struggles to manage this risk. We also mentioned the June 2013 FDA Safety Memo that outlined what it perceived as the new responsibilities for manufacturers, healthcare entities and the FDA itself regarding the securing of these devices.
Recently I published an online course in collaboration with the Financial Times / ExecSense on this topic. I covered quite a bit of the problematic history of medical device security as well as some strategies on how to address this issue on the technology and business fronts. Healthcare leadership push-back on recalcitrant medical device vendors will be key in addressing this problem. Painful cultural change will also be necessary.
In the June 2013 safety communication, the FDA broke down the responsibilities of the healthcare organization, the medical device manufacturer and the FDA itself. If you are in the healthcare arena, the document is short and well worth the read, but here are some highlights:
Healthcare Providers
• Monitoring network activity for unauthorized use.
• Making certain appropriate antivirus software and firewalls are up-to-date.
• Protecting individual network components through routine and periodic evaluation, including updating security patches and disabling all unnecessary ports and services.
Device Manufacturers
• Take steps to limit unauthorized device access to trusted users only, particularly for those devices that are life-sustaining or could be directly connected to hospital networks. Appropriate security controls may include: user authentication, for example, user ID and password, smartcard or biometric; strengthening password protection by avoiding hard-coded passwords and limiting public access to passwords used for technical device access; physical locks; card readers; and guards.
• Protect individual components from exploitation and develop strategies for active security protection appropriate for the device’s use environment. Such strategies should include timely deployment of routine, validated security patches and methods to restrict software or firmware updates to authenticated code. Note: The FDA typically does not need to review or approve medical device software changes made solely to strengthen cybersecurity.
FDA
• The FDA released a draft guidance on how manufacturers should address cybersecurity in their pre-market submissions. The FDA also has guidance on how manufacturers should address cybersecurity issues related to products that use off-the-shelf software.
The most interesting and most powerful sentence in the document is: “The FDA typically does not need to review or approve medical device software changes made solely to strengthen cybersecurity.” Of course, the word “typically” gives device manufacturers significant wiggle room. Still, this statement begins to take the air out of the standard vendor re-certification argument against patching and endpoint protection.
Adding more fuel to the fire is the recent release of the Health and Human Services (HHS) Office of Inspector General (OIG) Fiscal Year 2014 Work Plan, which outlines OIG's intent to focus on medical device security. The work plan states that OIG “will determine whether hospitals’ security controls over networked medical devices are sufficient to effectively protect associated electronic protected health information – ePHI – and ensure beneficiary safety.” The document then clarifies that “Computerized medical devices … pose a growing threat to the security and privacy of personal health information. Such medical devices use hardware, software, and networks to monitor a patient’s medical status and transmit and receive related data using wired or wireless communications.”
With both the FDA and HHS OIG now in the act, healthcare clinical project managers and security professionals may finally get the ammunition they need to bend the ear of medical device manufacturers. At present it is primarily the healthcare organization that has to contort its requirements and security concerns to ensure they receive vendor support for their devices.
I’d like to hear some feedback from other healthcare PMs and security professionals on this topic. So please feel free to drop me a line in the comments below!