The role of a Chief Information Officer (CIO)

As technology takes an increasingly important role in many businesses, the role of a Chief Information Officer (CIO) becomes more central to the core operation of the business. The CIO answers directly to the board of a corporation, the CEO, or the CFO and, as such, has wide influence over internal issues that go beyond IT management. Governing information goes beyond simply governing information technology. Most companies that have a heavy investment in information technology create a Chief Technology Officer (CTO) to play the role of visionary leader in the area of technology and product architecture. CIOs are not always technology managers by background. They can be technology-aware business managers able to bridge the cultural and process differences between technology delivery and business users. According to recent surveys, a majority of IT leaders report a shortage of high-level personal skills among their management. CIOs are often the people who reduce the gap between IT professionals and non-IT professionals in order to make these relationships productive. The organizational and personal development skills of the CIO are increasingly valued in organizations that meld technology with other business functions. The CIO must balance these roles in order to integrate technology into the organization and work toward competitive advantages for the company. The CIO has responsibilities in the areas of finance, professional recruitment, policy, and strategy development. Many CIOs have especially strong management skills. In many cases, business acumen and strategic perspective take precedence over technical background. Many CIOs are appointed from the business side of the organization. Many have MBA- or MS-in-Management-level training. As information gains greater importance in organizations, the prominence of the CIO as a key person in formulating strategic goals for organizations has grown. Many CIOs are adding additional executive titles to.
This trend is often referred to as “CIO Plus.” As the role of the CIO broadens and responsibility increases, the risk in the job also increases. The CIO takes responsibility for many of the errors and breakdowns that cause company losses. In 2014, when 40 million credit card details and 70 million customer details were stolen by hackers at Target, it was the CIO who took responsibility and had to resign. Much of the burden on CIOs is risk management. The CIO must be knowledgeable about their industry so they can adapt and reduce the chance of error. Many companies are changing from product development and sales to an emphasis on services. The models of increasing numbers of former software and technical companies are changing to Software as a Service, Infrastructure as a Service, and Business Process Outsourcing. In those companies, the role of the CIO has been changing toward that of a third-party manager for the organization. The CIO has to possess the business skills to relate to the organization as a whole, not just a limited set of technical skills. The CIO role is changing to include anticipating trends in the marketplace and ensuring that the business navigates these trends. The evolution of the CIO followed the evolution of IT. When the mainframe was king, CIOs (or whatever they were called then) were strictly back-office. CIOs worked to automate office functions to reduce head counts. They tightly supervised programmers who were busy writing home-grown software. This generation of CIOs had technical backgrounds. They were most often recruited from outside […]

Why does your business need an IT road-map?

Where is your company headed, and what kind of IT system does it need to reach its goals quarter by quarter, year after year? Many businesses don’t know how to address this question with the appropriate depth and strategic thinking. CEOs, executives, managers, and small business owners may know where they want to take their company, but may not have a clear idea of the IT decisions they’ll need to make along the way. Companies are also facing a plethora of technological changes that affect everything from marketing to cyber security, and they need to decide which tech solutions to adopt and how to prioritize them within their budget. Without strategic IT planning, companies face various disadvantages:

- Wasted money on unneeded hardware and software.
- IT decisions that don’t align with business needs and objectives.
- A lack of focus and organization, and an emphasis on short-term thinking.
- A failure to anticipate technological developments and their effects on the company.
- An inability to prioritize the projects and expenditures that are most necessary at any given point.
- Poor communication between IT personnel and the rest of the company.

How can an IT road-map help?

Your company’s IT road-map is a master plan for how you’ll use technology to support your business operations and goals over the coming three to five years. The document clearly spells out your strategic IT planning, providing a detailed overview of the projects you wish to undertake and the decisions you’re prioritizing. Employees holding leadership positions in your company can use this document as a basis for discussing, planning, and guiding decisions. It’s an excellent collaborative tool, ensuring that everyone is on the same page. It helps your IT personnel work closely with employees in other departments to make the decisions best suited for your company.

How can you create an IT road-map?
Creating the road-map will involve input from company leadership and from your IT team (which includes your managed services provider and any in-house personnel). As for the content of the road-map, start by answering the following questions:

What are your company’s top priorities? Make a list of the important goals and milestones you want to reach, and the ways in which you envision your company developing. Even though this list isn’t specific to IT, but applies to your company more generally, it will give your IT road-map coherence and remind you of the purposes underlying various IT decisions.

What IT projects or major tasks do you wish to undertake in the coming months and years? Organize these into a timeline that includes estimated start and end points and other information about the resources required (e.g. budget and personnel, including the employees overseeing each project). You can also categorize the projects by different IT areas. For instance, one category can be anything pertaining to your network architecture and the modifications you want to make to it; another can involve your e-commerce platform and how you want to develop it and keep it secure.

What are your justifications for each project? Spelling out the specific reasons for each project will help you prioritize them, position them appropriately in the timeline, and identify projects that you may want to delay, modify, or scrap. Especially for projects scheduled in the coming year, the justifications should be well-developed and detailed. For example, if you’re planning to adopt a new kind […]

NIST Draft Security Guidelines

The National Institute of Standards and Technology has issued a draft document on “Digital Identity Guidelines,” and it contains some surprises if you follow traditional password practices. Section 5.1 is the relevant section on “memorized secret authenticators,” more commonly known as passwords or PINs. The advice is based on the latest research, so it’s worth paying attention to even if it’s a change from current practice.

- The minimum length for user-selected passwords should be 8 characters, and ones with 64 characters or more should be allowed. The number of possible passwords goes up exponentially with their length, so a long one is a strong one.
- Letting the user store a hint about the password is a really bad idea. It makes the password easy to remember, but also easy for anyone who sees the hint to guess.
- A service should check the user’s chosen password against a list of easily guessed ones. If there’s a match, the user should be required to pick another one. Too many people will pick obvious ones like “123456” (which is also too short) or “password.”
- Passwords should never be stored directly on the server. Instead, the server should store a hash of the password that meets certain minimum requirements. A hash is a value algorithmically derived from the password that doesn’t allow the password to be regenerated from it. This way, even if someone gets the password data from the server, the actual passwords aren’t compromised.
- The number of login attempts in a session should be limited.
- Password entry should use a secure connection.
Those requirements shouldn’t surprise many people, but now it gets interesting:

- The service shouldn’t “impose other composition rules.” That means it shouldn’t require, for instance, digits and special characters. NIST says that “users respond in very predictable ways to the requirements imposed by composition rules.” Adding a digit to the end of a password or replacing “o” with “0” doesn’t do much good.
- The service shouldn’t require periodic password changes for their own sake. That just makes people choose easier passwords or write them down next to the computer.
- Users should have the option of seeing their password as they’re entering it. Hiding it is good if others might see the screen, but it makes it hard to enter complex passwords, especially on a mobile phone keyboard where typing errors are easy.

Information theory says that a strong password is one with high entropy. Entropy, roughly speaking, is a measure of randomness. When applied to passwords, it’s measured in bits. The idea is that the number of possible passwords someone would have to guess from is the number of alternatives you can express in that many bits. Each additional bit doubles the amount of work needed to guess the password. The NIST document, though, finds this concept too vague to be useful and says that methods of calculating entropy aren’t very accurate. A known password has just one […]
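As an added example (not code from the NIST draft or from the original post), here is a small Python verifier that applies the rules summarized above: a minimum length of 8, a blocklist of easily guessed passwords, no composition rules, long passwords accepted, and a salted, iterated hash stored instead of the password itself. The blocklist values and the entropy estimate are constructed for illustration, and PBKDF2-SHA256 is my choice of hash; the draft as quoted here does not name an algorithm.

```python
import hashlib
import hmac
import math
import os

# Constructed sample blocklist; a real service would load a large list of
# breached or commonly chosen passwords (hypothetical values, not from NIST).
COMMON_PASSWORDS = {"123456", "password", "qwerty", "letmein", "welcome1"}

MIN_LENGTH = 8            # minimum for user-chosen passwords
PBKDF2_ITERATIONS = 600_000


def check_password(candidate: str) -> list:
    """Return the reasons a candidate is rejected; an empty list means accepted.

    Only the rules on the page are applied: minimum length and a blocklist
    match. No composition rules (digits, symbols, case) are imposed, and long
    passwords (64 characters or more) are deliberately accepted.
    """
    reasons = []
    if len(candidate) < MIN_LENGTH:
        reasons.append("shorter than %d characters" % MIN_LENGTH)
    if candidate.lower() in COMMON_PASSWORDS:
        reasons.append("matches a commonly used password")
    return reasons


def hash_password(password: str, salt: bytes = None,
                  iterations: int = PBKDF2_ITERATIONS) -> tuple:
    """Store a salted, iterated hash instead of the password itself."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes,
                    iterations: int = PBKDF2_ITERATIONS) -> bool:
    """Recompute the hash and compare in constant time; the stored digest
    never lets the server recover the original password."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def naive_entropy_bits(length: int, alphabet_size: int) -> float:
    """Textbook estimate: bits needed to express alphabet_size**length
    alternatives; each extra bit doubles the guessing work. As the page notes,
    NIST considers such estimates too inaccurate for human-chosen passwords."""
    return length * math.log2(alphabet_size)
```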

ALERT: Equifax Data Breach Potentially Exposes 44 Percent of All Americans

On July 29th, it was discovered that cybercriminals had “exploited a U.S. website application vulnerability to gain access to certain files,” according to the company. In the statement released on August 7th announcing the breach, Equifax reported that those responsible had managed to access information including names, birth dates, addresses, Social Security numbers, and driver’s license numbers. 209,000 people also lost their credit card information, and dispute documents with personally identifiable information were accessed, affecting another 182,000 people. The scope of this attack is staggering, especially considering that the total population of the United States is estimated by the Census Bureau to be 324 million adults. A quick calculation tells us that the 143 million potentially affected make up a full 44 percent of the country’s total adult population. As if this situation weren’t bad enough for Equifax, the activities of some of the company leadership are also being called into question. Chief Financial Officer John Gamble Jr., U.S. Information Solutions President Joseph Loughran, and Workforce Solutions President Rodolfo Ploder sold almost $2 million in company shares mere days after the breach was uncovered. While it is not yet clear whether the breach and these sales are connected, Equifax has released a statement saying that the men had no knowledge of the intrusion when the sales were made. The company’s stock fell by more than 12 percent shortly afterward. Equifax is currently working with state and federal authorities, including the FBI, and is actively alerting those whose information was accessed through the mail. We suggest that you keep an eye on your mailbox in case you have been affected. There are plenty of websites and services, including one from Equifax, dedicated to determining whether or not your personal information was accessed; all you have to do is give these sites and services access to your personal information.
In light of what has happened, we do not recommend taking this route. Instead, you should be careful to monitor your own financial information and to report any oddities to the proper authorities. You may also be tempted to enroll in an identity protection service. Equifax itself is offering a free year of monitoring from its service, called TrustedID. However, there have been reports that enrolling in this service will leave you ineligible to participate in a class action lawsuit against Equifax. If you decide to enroll, make sure you understand all of the fine print. Otherwise, you should make sure to go through and change your passwords and watch your credit statements for suspicious activity. This is especially true if you utilized any of Equifax’s business services, as your business could be affected as well. If you suspect that your information was stolen, the Federal Trade Commission offers a helpful guide to determining whether that is the case. If so, you need to report it to the Federal Trade Commission as well as place a fraud alert on your credit report.