Category Archives: Burgess writes for IBM MidSize Insider

Articles crafted by Christopher Burgess which appeared in IBM’s Midsize Insider


BYOD: Users are a nightmare without policies

Over the course of the past several years business leaders have evaluated and implemented the bring-your-own-device (BYOD) movement as a cost-effective methodology to preserve or reduce information technology (IT) operating expenses. In the quest to reduce these operational expenses, one might overlook the need to have a robust BYOD policy. A policy of this order addresses not only the technological issues associated with individual use of a personally owned device but also any procedural and data ownership issues. In essence, a policy document levels the expectations between company and employee.

The prevalence of BYOD is growing exponentially. In 2013, Juniper Research predicted more than one billion BYOD users by 2018, a number expected to equal approximately 35 percent of all consumer mobile devices. It is unlikely that every one of these devices will be used in accordance with the company’s expectations, but small to medium businesses (SMBs) should integrate their technological solutions and policies and ensure that they are commensurate with their available resources, thus making their BYOD policy a foundational item by coupling it with existing information security policies and other regulatory requirements.

Everyone has policies?


A recent study by Help Net Security indicates, “the majority of C-suite executives (92%) and just over half of small business owners (SBOs) (58%) have at least some employees using a flexible/off site working model. Yet, only 31% of C-suite executives and 32% of SBOs said they have an information security policy for both off-site work environments and flexible working areas in place.”

Dell UK Security is spot-on, as detailed in the above video: the use of BYOD is a mainstay. Rare will be the company that does not want its workers to use their own devices.

There is a great deal of work to be accomplished by the many companies that are allowing convenience to trump their security.

Policies Are Married to Technology

In creating the BYOD policy, no assumption should be made by IT professionals or systems administrators regarding the technical acumen of their colleagues who are participating in a company’s offering. The aforementioned Juniper survey noted how 80 percent of smart phones will remain unprotected throughout 2013. In face of so sobering a data point, midsize businesses must implement a technical engagement protocol. The goal is to provide the best possible solution to protect company data today via a secure technological implementation and a road map to a better solution.

Technological solutions cannot stand alone; they must be coupled with appropriate BYOD policies, policies that protect the company’s intellectual property, trade secrets and customer data. At the same time, the policies should not be overly restrictive of how employees may use their device nor overly broad in granting the company access to the employee’s personal data. It may appear to be paradoxical, but an excessively strict policy implementation could in fact put the company at risk of accusation of unfair labor practices, according to a recent piece in CIO; not only that, but many employees faced with highly restrictive policies will seek unsafe workarounds. This is clearly not the purpose of a policy, which is to improve BYOD risk management, not add to the risk.

BYOD Implementation

An effective BYOD policy engagement will begin with who owns what on the device, under what circumstances the company may access the employee’s device and how that access may occur. Any specialized applications or capabilities that are part of the IT BYOD management suite and will be placed on the employee’s device will be identified. These applications may provide the company with an assurance of security through mandatory encryption or remote destruction capabilities. Regardless, it is incumbent upon the implementation team to tender an explanation of what data on the employee’s device the company’s required applications are accessing and how. Similarly, IT’s obligation to declare to the employee with specificity any prohibitions on placing third-party applications that access company data on the device should be spelled out with crystal-clear clarity.

As nice as it would be to open BYOD implementation to any and all devices, it is reasonable for the SMB to restrict BYOD to those devices that their IT department is able to support. The last step is to have the policy presented to the employee, signed by both the employee and the company’s representative and periodically revisited with each individual user on a semiannual basis. This will not only keep the company’s expectations top of mind, but IT leadership will also have a window into any hiccups in the technological or policy implementation; the latter is information that could go a long way toward achieving the principal objective of BYOD: To enable business to be conducted in an efficient and secure manner.

BYOD Cost

A desired outcome of any BYOD implementation is to conserve operating expenses, and cost of implementation is therefore a consideration. The SANS Institute white paper, “Managing the Implementation of a BYOD Policy,” provides an effective road map for a pilot BYOD project which can be implemented with little to no additional resources.

There are a plethora of mobile device management suites available from a variety of security vendors. Use one.

All the same, those who rush to embrace BYOD in order to save expense but who fail to ensure that implementation is accompanied by appropriate IT policies and infrastructure that pass legal muster may prove themselves to be penny wise and pound foolish.


A prior version of the above piece, authored by Christopher Burgess, originally appeared on IBM’s MidsizeInsider blog.


Your IT Security Teams Enable Business

Having an IT security team is an imperative for all companies, not just those in the enterprise space. This dedicated set of eyes is essential for small- to medium-size businesses (SMBs). It is imperative that security team members have a clear understanding of their role as a support to the organization and that their success be measured by the business team’s success.

While it is easy to assume that IT understands its role in enabling business, the reality is that IT finds itself out of alignment with the business all too often. This was recently highlighted in a Network World piece on the Cloud Security Alliance Congress keynote by V. Jay LaRosa, ADP’s senior director, converged security architecture: “As security practitioners here, the problem is not with the cloud but with us, with our ability to evolve.” He went on to add that IT security managers are often seen as barriers to innovation.

IT Security Barrier?

LaRosa’s statement is accurate in many cases. The IT leadership team, be it at an enterprise or an SMB, frequently finds that its CIO has no seat at the company strategy table, and the security team is even less welcome. Why? It is largely due to the perception that the security team is an impediment to the business; it is the “no” team. This dissociation between the perceived goals and metrics of the IT team and the business team creates an artificial conflict, especially problematic within an SMB, where collaboration across company units is paramount for success.

The business team’s goals and metrics are easily understood: They provide goods and services that the market desires, retain current customers and obtain new customers. There is little difference in scope between an SMB and an enterprise in this regard, but the security team is a different story. In general, the goals and metrics of the security team are to minimize risk and reduce the number of security incidents that could derail the business. An enterprise has an advantage when it comes to technology and headcount whereas an SMB may be more resource-challenged. The commonality lies in the natural tendency for the business team to expect security to focus on the minimization of risk so that a negative security event does not happen in the first place. Typically, IT teams, when asked to embrace an innovative technology or means of engaging a customer, are perceived as simply saying “no” in order to minimize risk. These perceptions must be adjusted.

Embrace Change with Innovative Business

LaRosa points out that the IT security professional should “never say no.” Indeed, the conversation has to shift; the desire to embrace change and innovation means that an SMB needs a dedicated and focused security entity. A team that can embrace innovation will find its internal client eager to engage.

The road forward will not always be free of obstacles. There will be times when the IT security team just doesn’t know, and in admitting a lack of understanding of or solutions for an identified risk, it provides added value. When unresolved risks are called out, IT professionals outline a road to mitigation. Once the business team has been offered choices, it has the information required to make an informed decision, such as to defer implementation while the identified risk is mitigated; to proceed with the knowledge that both risk and a roadmap to mitigation exist; or to acknowledge the risk and to hope that it does not become a reality. For IT security teams, their value-add is magnified when providing solutions and options that align the company’s goals and metrics.

This post was originally written by Christopher Burgess as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet, and was posted on Dec 16, 2013.

Source: http://pivotpoint.io/en-us/article/it-security-teams-enable-business


Customer Loyalty Sweepstakes: The Winner Engages the Customer

Depth of customer loyalty is driven by product quality coupled with how successfully the engagement with the customer is executed, according to the November 2013 Nielsen report, “How Loyal Are Your Customers?” which was derived from the Nielsen Global Survey of Loyalty Sentiment in which 29,000 Internet respondents from 58 countries participated. Nielsen’s global survey noted loyalty to be fickle, especially when competitors appear with product, promotions and technological infrastructure that not only catch the customer’s eye but also engage the customer with the least amount of technological friction.

“There is a strong link between the way consumers describe their loyalty habits and the way they subsequently buy — so even comparatively small shifts in what consumers say can manifest in big changes in what they do,” said Julie Currie, senior vice president of global loyalty at Nielsen, in comments about the survey’s findings. Approximately 84 percent of survey respondents indicated a strong preference to choose a retailer with a loyalty program over a competitor without one. The data points toward the efficacy of having a customer loyalty program over not having one. The vagaries of how customer relationship management (CRM) solutions are implemented is where the differentiation between brands takes place. Membership in the loyalty program does not guarantee loyalty, of course, but it does open the door for companies to earn the customer’s loyalty at every encounter.

This raises the questions, “How are you going to engage with the customer when they are not standing in front of you?” and “How are you going to use the customer data derived from the engagement?” These two questions are not as simple as they may appear.

Use of Data

Information technology infrastructure capable of handling a robust influx of data is paramount. Data may come via a myriad of sources, including marketing, manufacturing, fulfillment, sales and support. Customers in 2013 are likely to be well versed in digital engagement and will be in search of a frictionless experience. The challenge for the IT decision makers at midsize firms is to ensure that infrastructure is interconnecting all internal entities. Most importantly, it enables the company to avoid fragmentation of effort and to speak with one voice. Furthermore, it means having in place the technology to support personalized engagement oriented to the touch points between the customer and the company.

Engagement

The customer may engage via social networks, a help line or loyalty program portals. In each case, the customer is choosing the manner of engagement that is most convenient for them. IT leadership, especially in midsize businesses, is accountable for ensuring infrastructure is adequate to the task. If the infrastructure is not sufficiently integrated to allow the instant engagement to roll up to a customer service screen, then the customer experience will be fraught with potential disconnects. This is especially important for those small and medium businesses (SMBs) that may have a local physical presence as well as a far-reaching virtual presence. Capturing the interaction on both planes, the physical and virtual, allows SMBs a level of dexterity to make real-time adjustments to their customer interaction based on engagement data.

The loyalty program’s connectivity with the company’s social networks permits direct marketing and early warning to support staff in the event of a product failure. Moreover, there is no better way to engender word-of-mouth activity than personalization of the customer engagement via the social networks. The integration of social network engagement with the other areas of the company requires infrastructure concordance. The Nielsen report indicated that 75 percent of respondents expected loyalty programs to provide perks, such as free products, with 82 percent in the North American market expecting discounts or other money-saving offers from the loyalty program. SMBs have the ability to engage their customers on the fly, making adjustments as necessary based on sales, social media network sentiment, volume and engagement, thus keeping their loyal customers loyal.

Are Loyalty Programs for You?

Not all loyalty programs prove successful, and customer engagement comes in many flavors. As noted in Time, a number of brands within the supermarket vertical have shuttered their customer loyalty programs, which together had more than 172 million participants. They found that it was a more effective strategy to address the customer set at the neighborhood level instead of the individual level. Does that mean that they stopped engaging their customers? Not in the least.

SMBs that make the investment in customer engagement that provides customers with useful information and that enhances their experience will be best positioned to win the customer loyalty sweepstakes.


This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet.


Information Technology at the Strategy Table

The chief information officers (CIOs) and IT management teams of the past were assigned a budget and then expected to execute necessary operations based on that budget alone. This was a situation that required the IT department to row, so to speak, after the corporate ship. Today, successful companies, including those in the midsize market space, have incorporated the CIO and IT management team into the corporate strategy team. Their seat at the business decision maker’s table ensures that the only goal is to make all business teams successful. How do they accomplish this? According to an Economist Intelligence Unit report, “The CIO’s responsibility is still to show other senior decision-makers the ‘art of the possible’ when determining how emerging technology can affect their businesses.”

The Art of the Possible

Interestingly, the Economist report notes that the interviewed CIOs believe that only 35 percent of the senior executives with whom they engage have a strong understanding of the technology needs of their organizations and that only 40 percent of their senior colleagues enjoy a high level of technological literacy. What does this mean for IT professionals? They need to be prepared to translate for and to educate their colleagues, not only about technology, but also about the business benefits of technology. Technological advances, such as in cloud computing, virtualization, security and mobile, are all key components in the business-to-customer engagement, and all of these areas are moving forward at breakneck speed.

The seat at the strategy table will go a long way toward addressing the historic perception of the midsize company’s CIO as more of a tactical than a strategic player. Tim Theriault, CIO of Walgreens, provides sage advice for any IT professional — not just a CIO — in the Economist report: “There is a new way of doing things in which you achieve higher revenue or lower cost or better loyalty or all of them at the same time. The good CIOs I talk to can speak directly to their strategy, what they are doing in business terms.”

Strategic IT a Business Imperative

The IT presence at the business strategy table also requires all parties to remember that the sharing of knowledge is a good thing. In his article at InformationWeek, Peter Waterhouse says, “The advent of technologies like mobile and social computing has made sharing not only feasible, but profitable, too.” Instinctively, professionals know the best solution may come from the most unlikely source. Sharing of data and information across the vertical silos within a company raises the odds of discovery of those unexpected solutions. The leadership strategy table is where the company’s future direction is discussed and where the CIO gains insight into the direction being taken by the other chief x officers (CxOs) of the company. The CIO has the opportunity to educate the CxO strategic leadership team about the capabilities of the IT department. When discussing strategic future direction, the CIO’s ability to articulate what falls within the realm of the immediately possible with available resources and what may require building or acquiring a new capability for the IT team is invaluable to calculating operational expense forecasts.

In the course of these strategic discussions, the decision is often made to proceed with the acquisition of some new capability. The CIO ascertains whether the technological implementation is achievable in house or requires a managed service provider (MSP). Building one’s own capabilities in a rapidly changing technological environment is no small feat, especially for small to medium businesses (SMBs). New technologies may require either staff or contract personnel augmentation, including a means of ensuring that these new arrivals come with the requisite expertise.

In addition, the availability of individuals with unique skill sets may be limited. When evaluating the MSP option, comparison of capabilities across a variety of MSPs is desirable. Engagement of an MSP will frequently be the most logical choice since the SMB is able to implement best-of-class solutions via emerging technologies by leveraging the expertise of an MSP in order to provide immediate benefit to the business without the long-term investment in internal resourcing.

Leadership at the most successful companies will allow the discussion to be strategic, empowering and robust. Business decisions, which include IT solutions, evolve for a common goal: Business success. Therefore, the most valuable approach for the IT professional with a seat at the company strategy table is to speak about IT solutions in business terms.


This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet.

Security 2014 – Educate and Analyze

Writing for IBM Midsize Insider, Christopher Burgess offered up his thoughts on 2014.


Moving into 2014, the chief information officers (CIOs) of small to medium-size businesses (SMBs) have security challenges ahead of them. In an eWeek piece, Michelle Maisto interviewed Steve Durbin, the Internet Security Forum’s global vice president, who made several recommendations of areas of focus for the information technologist in 2014. These included bring-your-own-device (BYOD) and cloud, personally identifiable information and intercompany data sharing.

Contemporaneously, CSO Online offered an in-depth piece by George V. Hulme, which called out five specific ways in which enterprises should reduce risk: By closing the skills gap; shifting away from a regulatory compliance mindset; improving incident response; communicating to business, not at business; and shifting to increasingly data-based decision making. All of this advice comes down to two ideas, both vital to implementing a security regime within SMBs and enterprises: Training/education and data analytics.

Train and Educate Staff

An opportunity exists to enhance the knowledge of IT professionals and their ability to harvest available data and make solid choices based on that data. These decisions may be proactive, to prevent security incidents from occurring, and reactive, focused on the use of data analysis to reach complete and rapid incident resolution. A portion of the recipe for success requires an investment in current personnel.

It is almost always more cost-effective to make an educational investment in current staff than to step out into the marketplace to find individuals with specific talents; the marketplace is crowded with others looking for that very same talent. Daniel Kennedy, research director of information security at 451 Research, commented in the CSO piece, “We are always seeing conversations about staffing concerns. And it’s not just small and mid-sized companies that are having trouble finding and retaining talent, it’s a problem even at the top.”

Analytics

While enhancing employee skill sets is important, it is equally important that IT make use of tools and resources that are up to date with today’s — not yesterday’s — risks. This may require a different way of thinking and collaborating internally. Data can overwhelm an IT team if collected without a road map to utilization, with the result that the team finds itself lost in data. Having in place the analytics tools required to leverage data will in turn keep the CIO’s team working smarter.

Better empirical data analysis can be achieved. In addition, access to similar industry data sets serves to increase the overall knowledge base of the IT security team. Durbin explains, “Cyber resilience requires recognition that organizations must prepare for a threat. It requires high levels of partnering and collaborating, and for organizations to have the agility to prevent, detect and respond [to an event] quickly and effectively.”

In sum, SMBs will be wise to invest in the education of their current staff. The investment not only raises the level of knowledge but also the overall capacity of the company to address current threats. Furthermore, businesses should encourage collaboration and share knowledge within company walls. A decision by an IT professional can no longer be made on the basis of instinct and experience alone; as noted, empirical data and data from other companies must now be factored into the equation.

Source: http://midsizeinsider.com/

IT Security Teams Enable Business – IBM Midsize Insider – December 2013

Writing for IBM Midsize Insider, Christopher Burgess discusses how IT security teams enable business.


Source: http://midsizeinsider.com/


Data Breach: The Downside of Data Loss for SMBs – IBM MidSize Insider – December 2013

Writing for IBM Midsize Insider, Christopher Burgess speaks to the downside of data loss for small and medium businesses.

Preferred business practices dictate cybersecurity in general, but data protection methodologies are a specific requirement for endpoint devices that contain customer data, to protect against the possibility of a data breach or data loss. Customer data is among the most precious of all data within a company, especially if that data contains personally identifiable information (PII). Unfortunately, a substantial number of small to medium businesses (SMBs) in the United States, approximately 14 percent, have chosen not to implement any security measures, and only 9 percent use endpoint security techniques, according to a recent “Small Business Cyber Security Survey” by McAfee and Office Depot. With numbers such as these, it should come as no surprise that a great many SMBs are ripe for a data breach.

Protect the Endpoint

More often than not, endpoint security solutions are viewed by SMBs as a luxury, an unnecessary operational expense. Of course, it is unnecessary until the price of losing customer data is calculated. The situation is analogous to a fisherman setting out to sea without an individual flotation device. At sea without a life jacket? It should never happen. Yet the McAfee and Office Depot survey indicates that 91 percent of SMB companies surveyed are doing just that with respect to protecting company data on endpoint devices. SMBs are rolling the dice in the hope that the device will not be compromised or lost.

Unprotected Endpoint

The risk posed by allowing unprotected endpoint devices within the SMB becomes an actual threat when any of those devices go missing, be it due to theft, accident or carelessness. When a device goes missing, a fundamental breach of the company’s security occurs, and if customers’ PII is stored on the device in an unprotected manner, a material breach has also taken place. It is instructive to consider the incident that compromised over 9,000 Milwaukee city employees, according to the Journal Sentinel. A flash drive containing the names, addresses, dates of birth and social security numbers of approximately 6,000 employees and 3,000 spouses and domestic partners was lost when the automobile of an employee of a city vendor was stolen. The affected individuals are now faced with the very real threat of identity theft, and the city and its vendor with the unexpected cost of the post-breach notification and operational adjustments.

Protected Endpoint

The cost to IT of protecting the endpoint would have been negligible in comparison with the cost of the data breach. This leaves every SMB with a clear path to follow: If company or customer data is to be allowed on endpoint devices, then the company’s investment to protect that data is a necessity. The IT department’s investment in the security solution preserves not only the data but also the reputation of the company and its brand. If a protected device goes missing, it is not a data breach; it is a loss of a device that contains protected data.

Every business regardless of size has company data, some of which may include customer data. Regardless of whether the company issues the smart phone, laptop or other device to an employee or the company has embraced bring-your-own-device (BYOD), preferred IT security practice requires the protection of endpoint devices.

Source: http://midsizeinsider.com/