CIO wish list for Santa this Christmas

Despite increasing cybercrime and dependency on digital revenues, many CEOs operate in the dark as 63 percent of CISOs don’t regularly report to their board. By  Marc Wilczek

Security breaches always seem to be in the news, but only a handful of organizations are protecting themselves against these threats by actively reducing their cyber-risk exposure.

Research by the Ponemon Institute revealed that 63 percent of CISOs don’t regularly report to their organization’s board of directors, and 40 percent don’t report to the boardroom at all. Most enterprises still take a reactive approach to cyber-security—that is, they deal with incidents only as they arise, rather than planning in advance—which makes them a lot more vulnerable to cybercrime and puts their digital transformation strategy at risk.

Whether they occur through ransom ware, data theft, or DDoS attacks, security incidents can cause a world of trouble—expensive, reputation-shattering trouble—for any organization, large or small.

Lack of board involvement and accountability

Although today’s companies depend more and more on having their IT systems always up and running, C-Suite executives and board members persist in their reactive approach to cyber-risk strategy. With four in ten CISOs not reporting to the board, the research findings suggest a widespread shortage of accountability. Although cybercrime is skyrocketing and becoming more expensive to counter, just 14 percent of that group report to the board only after a security breach—typically when it’s too late.

But even when corporate directors are kept abreast of the pressing cyber-security matters their companies face, many tend not to act. Almost one-third of CISOs in the Ponemon survey said their board of directors or CEO determines or approves an acceptable level of cyber-risk for the company, and only 21 percent said their board or CEO asks for cyber-security due diligence during mergers and acquisitions. Of course, with every new M&A deal, the company potentially exposes itself to even more cyber-liabilities that might result in a boatload of regulatory and legal fines if a security breach surfaces.

As an example, take an innovative start up that gets acquired by a larger enterprise: The GDPR, for instance, bases fines on the firm’s total revenue, which is typically significantly greater than that of the newly acquired and integrated entity.

Overall, the survey results show that C-Suite executives and board members aren’t assuming enough responsibility for cyber-risk within the company. Consequently, cyber-risks are being trivialized and delegated, while corporate officers are oblivious to what’s going on and how endangered critical corporate data, infrastructure, and other digital assets might be. The message this lax attitude sends to the public is not a positive one.

Prevention instead of reaction to cyber-risk

Rather than doing regular monitoring and analysis, for the most part organizations are hoping for the best and then reacting to incidents only after they occur. For instance, just under 70 percent of CISOs said this was how their organization dealt with cyber-security, and 63 percent claimed they could use better monitoring tools. In other words, it’s not just that companies are taking a lax approach to cyber-security; many of them are also more or less in the dark about the very real threats they’re up against. Over half of the survey respondents admitted that their IT security apparatus had holes in coverage or other shortcomings that made them sitting ducks for cybercriminals.

In fact, a mere 24 percent of respondents described their measurement and metrics program as “mature”, while 30 percent said it was “partial”. It seems that the rest had a mishmash of programs. Furthermore, a whopping 40 percent of CISOs admitted that they don’t quantify or monitor their cyber-risk posture, and just 39 percent of the ones that do bring their findings to their boards of directors.

Given the sheer volume of data and the business demand for opening up infrastructures to allow interlinking of value chains and supply chains, keeping track of cyber-threats is getting a lot tougher. However, when it comes to cyber-attacks, the speed of mitigation is of the essence in order to minimize damages. Paired with the huge shortage of cyber expertise, it is an illusion that throwing people at the issue is going to work. Moreover, human error is still one of the major reasons why IT service chains fail. To ensure an instant response to threats and alarms, organizations must count on automation and machine learning instead.

New corporate mind-set needed

Many organizations have upgraded their IT infrastructure and invested in new technologies, apps, and digital platforms. At the same time, organization, processes and governance models are archaic and can’t keep up. Nearly half of the organizations don’t measure or track their cyber risk, and of those that do, not many let the board of directors know what they’ve discovered.

While this approach might have worked in the analog world, in the digital era, it leads to an unnecessary increase in risks and is simply no longer adequate. Inevitably, digital business is associated with new risks, because revenue, profit and reputation increasingly depend on resilient IT operations. Consequently, the CISO function deserves more airtime in the boardroom. It would simply be negligent to ignore this or delegate it away.

What is needed is a paradigm shift—a new corporate mind-set that values and respects cyber resilience and comprehends the integrity and availability of IT services and data as differentiating factors in the digital economy. But the only way to make this work, says Ponemon, is if corporate boards prioritize it.

“Enterprise culture is formed at the top. If enterprise leaders are not actively engaged in ensuring a strong cyber-security posture, it sends the message that cyber-security is not a mission-critical issue,” says Larry Ponemon, founder and chairman of Ponemon Institute.

“The board of directors and C-suite typically come under fire when their organization suffers a data breach or other security incident, and therefore must be involved in enforcing a proactive approach to identifying and remediating security gaps. While most companies have an executive tasked with accurately determining the efficacy of their cyber-security strategy, they need to be communicating these findings to senior leaders and the board on a regular basis.”

The January end-of-support deadline for Windows 7 is fast approaching. Here’s a rundown of some of the issues companies should keep in mind as that date draws near.By Gregg Keizer

The Redmond doctor came into the room, huffed a chair into place, but wouldn’t meet Windows 7’s eyes, just stared at the desk. “I’m afraid it’s bad news,” the physician said.

Windows 7 let out a long sigh.

“It’s terminal,” the M.D. said. As if Windows 7 hadn’t known it was on borrowed time since July 2015. That scare in the fall of 2012 had been irksome, nothing more. But then three years later, the end was clearly in sight. And here it was.

“Ten weeks,” the doctor said, gazing out the window at the fall leaves. “Maybe eleven. But then….”

What happens to Windows 7 then?

Nothing immediately.

The operating system will continue to work or not, as it did or didn’t, for each user the day before support retirement. That’s important to remember, if only because some still don’t — assuming that after midnight on Jan. 14, 2020, the OS screeches to a stop.

Even Microsoft reminds customers that Windows 7 will continue to run post-retirement, although it could move those reminders closer to the top of its to-do list. In this FAQ about the end of support, Microsoft waited until the fifth item before making note of the operating system’s resilience. “If you continue to use Windows 7 after support has ended, your PC will still work,” Microsoft pledged, also noting, “Your PC will continue to start and run.”

But customer support comes to a halt — theoretically, Microsoft’s phone- and chat-based support won’t answer questions — as do security updates. Yet unless Microsoft issues an emergency update in the four weeks after Jan. 14, the first fixes Windows 7 users will miss arrive Feb. 11. Until then, an out-of-date Windows 7 system will be as patched as if support had continued.

What happens to Office when Windows 7 drops from support?

That depends on the type of Office. Office 365, the version paid by subscription — whether for one, as in Office 365 Personal, or for thousands, as in Office 365 Enterprise E5 — will continue to receive security updates on unsupported copies of Windows 7 until January 2023.

That’s the good news. The bad? Office 365, whose premise is one of constant evolution, will not upgrade to new features or functionality. The feature set, in other words, will lock down and stay that way.

On the Office flip side — those versions sold as “perpetual licenses,” such as Office 2010 or 2016 — will be supported through each suite’s standard span. (Remember: Perpetually licensed Office, a.k.a. non-subscription Office, only receives bug fixes, never feature updates or improvements.) Office 2010, for instance, will be supported until Oct. 13, 2020; Office 2013, until April 10, 2023; and Office 2016, until Oct. 14, 2025.

The most recent perpetually licensed suite, Office 2019, is supported only on Windows 10.

Microsoft did set a caveat, however, on Office support. “If the problem is a result of the combination of Office and an unsupported operating system, the problem will not be supported (emphasis added),” the company stated.

The January 2023 end-of-security-updates deadline wasn’t plucked from the air. It was chosen because that’s how long Microsoft will provide Windows 7 patches for payment through its Extended Security Updates (ESU). Microsoft realized that if it sold ESU to commercial customers, it also had to keep patching Office.

What about Internet Explorer?

Unlike Office, Microsoft will stop patching Internet Explorer 11 (IE11) at the same time it halts updates to Windows 7. In other words, on Jan. 14, 2020.

“As a component of Windows, Internet Explorer follows the support lifecycle of the Windows operating system it’s installed on,” Microsoft says — and has for ages, since that’s been boilerplate for seemingly forever. But elsewhere, the firm put it plainly. “Support for Internet Explorer on a Windows 7 device will also be discontinued on January 14, 2020,” it said here.

The only way to keep receiving IE11 security updates in Windows 7 is to pay for Extended Security Updates (ESU).

What happens to the antivirus defense we use?

That depends on the antivirus vendor’s policies and practices.

Just as happened at the retirement of Windows XP in April 2014, expect that most credible AV makers will continue to pump out new definition updates — the “fingerprints” that identify newly-found malware to the scanner — for Windows 7 long after the OS has fallen off the support list. The three-year availability of Extended Security Updates (ESU) to business customers will guarantee AV vendors that cater to the corporate market will keep definition releases going.

AV support may quickly be limited to issuing definition updates, although some vendors will continue to refresh products with new or enhanced features.

For reference, Symantec moved Windows XP (retired 4/14) and Vista (4/17) to what it calls “Maintenance Mode” only in June 2018. As of that date, Symantec said, “New product capabilities will no longer be provided.” But already-installed software “Will continue to receive the latest malware definitions” as well as “vulnerability updates and compatibility fixes.”

Microsoft has not yet said what it will do for Security Essentials, the free anti-malware product for Windows 7. Again, a look to Windows XP is worthwhile: Microsoft provided definition updates for more than a year after XP’s retirement.

What happens if we can’t get off Windows 7, but can’t run unpatched PCs?

Microsoft will gladly sell commercial customers, from the smallest businesses to the largest enterprises, what it calls “Extended Security Updates,” or ESUs, that provide security updates to patch “Critical” and “Important” vulnerabilities through mid-January 2023…for a price.

The per-device plans will be sold in one-year increments for up to three years, with prices for larger customers running as high as $350 per PC for all three years. (Costs for smaller businesses won’t be revealed until Dec. 1.)

Although Microsoft dubbed ESU the “last resort” for Windows 7 customers, it spent a large chunk of this “End of Support FAQ” describing the service, drawing its boundaries and extolling its benefits. ESU is, by far and away, the most transparent post-retirement security support concept Microsoft has launched. The company recognizes that many businesses will not make the deadline and so it wants a solution, temporary if that, or is eager to use what may be the last ever such OS transition to generate additional revenue.

Or both.

Note that ESU has no bearing on security updates for Office 365 ProPlus — the part of an Office 365 subscription that provides the locally installed applications — on Windows 7.

Even Windows 7-powered PCs that are not covered by ESU will continue to receive patches for Office 365 ProPlus. Microsoft made that clear in the FAQ: “Windows 7 ESU will have no impact on support for Office 365 ProPlus on Windows 7,” it read.

Artificial intelligence will benefit business in myriad ways. But AI that writes for us should be rejected completely. By Mike Elgan

Machines are getting better at writing. They can finish our sentences. They can reply to our emails. They can write news reports and even novels. But just because they can doesn’t mean they should.

Artificial intelligence (AI) is launching a technology revolution that will transform business over the next decade. The most powerful use for AI may be in the area of decision support, where algorithms feed us streams of knowledge and advice as we go about our work. Gartner says AI augmentation alone will create $2.9 trillion (with a “t”) in business value in 2021.

AI evolution is necessary for enterprise security, too, if only because the cybercriminals will use it to build better malware. We’ll benefit from AI in manufacturing, design, transportation and in countless other areas.

In short, AI will prove to be a huge boost to business.

But as we embark on this partnership with artificial intelligence, it’s important that we safeguard human intelligence. And the biggest threat to human intelligence is software that writes.

The creeping takeover of business writing

The mainstreaming of AI business writing began with Google Smart Reply four years ago. Google Inbox users were offered a few colorless options for a reply to most emails. The feature still exists in Gmail, and with a single click you can respond with “Thanks!” or “I’ll send it to you” or “Let’s do Friday!”

Last year Google added Smart Compose, which finishes the sentences you start. You can choose Google’s words by pressing the tab key.

Using Smart Reply and Smart Compose saves time but makes replies dull. They’re dull because Google makes sure the replies are generic and designed to not annoy or offend anyone (for example, Google’s AI never uses gendered pronouns like “he” or “she”), and also because millions of other Gmail users are using the exact same wording for their replies. We all sound the same in our replies.

Google is not alone. Lightkey makes a Windows application that works like Google’s Smart Compose.

Quillbot is a cloud-based tool that can rephrase what you write (or what you copy and paste from others’ writing). It typically produces awkward prose. Machines have no ear for language.

StoryAI is a tool based on OpenAI that will write a whole story if you write the beginning. I tried it by pasting in the opening paragraph of this column. You can read the column StoryAI wrote and decide who did a better job.

We find ourselves in the tragicomic place where AI writes financial news stories mainly for human consumption, but other AI also reads those stories to provide input for automated trading systems. AI does the writing. AI does the reading. And at some point AI is just going to cut humans out of the trade and keep all the money.

Automated writing will not only get better, it will be increasingly built into the tools we use to write things. The temptation to just let the machines do the writing will only grow. What’s wrong with that?

Here’s what’s wrong with that

The main problem with letting AI write for us is that writing isn’t just writing. Writing is one component of literacy, which includes reading, writing and thinking.

Writing involves revision, which clarifies thinking. We think. We write what we think. Then by reading what we write we realize the errors in our thinking, or at least in the way we have expressed our thinking. We rewrite until our thoughts are clearly and accurately and fully expressed. This practice is at the core of our ability to analyze, create, make good decisions and make progress in our lives and in our work.

Literacy and thinking are connected. This was the point of George Orwell’s Newspeak idea in the novel 1984. The totalitarian government in that book used restrictions on language to make complex thought impossible. Its purpose was “to diminish the range of thought” in order to pacify and enervate the public.

Writing, even writing business emails, forces us to confront our own thoughts in black and white. And this makes us cultivate our ability to think clearly.

It’s also the foundation of our ability to talk with logic and coherence. You’ll notice that good writers tend to speak well.

And writing aids memory. Just letting AI communicate for us, even if we choose from a menu of options, makes it easier to forget what “we” said.

More to the point, writing ability is a use-it-or-lose-it proposition, and AI systems that write for us could make us gradually lose it.

By allowing writing tools to do the writing for us, our literacy fades, and we begin to base our decisions on superficial impressions, rather than critical or analytical thinking.

The critical faculty is already under siege with conventions like emoji. By using cartoons in place of words, we communicate vague impressions rather than specific thoughts. As such, it’s not necessary to think specific thoughts in the first place. Textspeak, SMS abbreviations, autocorrect, emojis —- we’re slouching toward idiocracy. AI that writes our business communication for us is the professional version of all that.

Our relationship with literacy exists on a spectrum.

At one end, we’re fully realized humans with language and literacy to think and communicate better. At the other end we’re less human. We’re “echoborgs” — meat puppets who mindlessly regurgitate the words fed to us by AI.

We should be trying to move toward the good end of that spectrum, not the bad one.

Fear mongering over AI is common nowadays — AI, we’re told, will take our jobs and ultimately have no use for us, other than to keep us as pets. This AI techno panic is based on the knowledge that the machines will just keep getting smarter. We should be more worried that AI will make us all dumber.

The most efficient way for AI to make us dumber is to take the task of writing away from us. Our critical and creative faculties will atrophy. Our minds will become dull. And we’ll all become so boring that the machines may not even want us around as pets.

If you’re concerned about AI making us all redundant, you can do something about it today and every day: Don’t let AI put words in your mouth. Reject automated writing in all its forms. Do your own writing. Think for yourself.

The risk isn’t that machines will get smarter. It’s that humans will get dumber.

The blockchain industry is still something of a wild west, with many cloud service offerings and a large universe of platforms that can vary greatly in their capabilities. So enterprises should beware jumping to conclusions about the technology. By Lucas Mearian

Companies are still cautiously dipping their toes into the blockchain trough, hoping to discover where the distributed ledger technology can create efficiencies in their business processes. But for those who are ready to take the plunge, there are common missteps to avoid.

Based on its research of blockchain implementations, Gartner this week published a guide to the seven most common mistakes companies should avoid. Gartner gauges the maturation of new technology through a “Hype Cycle,” a graphic-based lifecycle that follows five phases: from the Technology Trigger, when proof-of-concept stories and media interest emerges, to the Plateau of Productivity, when mainstream adoption occurs – if the technology is more than niche.

Adrian Leow, senior research director at Gartner, said blockchain is currently sliding down toward the “Trough of Disillusionment.” That’s where interest wanes as pilots and proofs-of-concept fail to deliver forcing tech providers to either work out the kinks or allow a technology to fail and die out.

“The blockchain platforms and technologies market is still nascent and there is no industry consensus on key components such as product concept, feature set and core application requirements,” Leow said in a statement. “We do not expect that there will be a single dominant platform within the next five years.”

In fact, last week, Gartner in a separate study claimed that by 2021, 90% of current enterprise blockchain platform implementations will require replacement to remain competitive, secure and relevant.

“Many CIOs overestimate the capabilities and short-term benefits of blockchain as a technology to help them achieve their business goals, thus creating unrealistic expectations when assessing offerings from blockchain platform vendors and service providers,” Adrian Lee, a senior research director at Gartner, said in that study.

By 2025, the business value added by blockchain is expected to grow to slightly more than $176 billion – then surge past $3.1 trillion by 2030, according to Gartner. “Product managers should prepare for rapid evolution, early obsolescence, a shifting competitive landscape, future consolidation of offerings and the potential failure of early stage technologies/functionality in the blockchain platform market,” Lee said.

Consulting firms working in blockchain were surveyed by Gartner earlier this year and confirmed that CIOs aren’t even using the technology for its most valuable features. Mainly, companies are using blockchain as a database for shared record keeping and asset tracking while ignoring a key attribute: it’s an immutable audit trail.

“That no one is using those innovative features calls into question why they’re using blockchain. Just go use a database,”

Avivah Litan, a Gartner vice president and distinguished analyst, said in an earlier interview.

The perception that the technology is not meeting business expectations has resulted in a palpable disillusionment among IT leaders because of the misalignment of expectations and the real-world requirements of enterprise projects. The problem also stems from a simple fact: blockchain is not yet mature enough for all enterprise use cases.

Here’s a rundown on the mistakes companies are making.

1. Not using blockchain to create immutable data audit trails

IT leaders who’ve taken the plunge into blockchain are mainly deploying it in proofs-of-concept tests, often to address the same problems a conventional database could handle, according to Gartner and other research agencies such as ABI Research.

“They’re not using it as a decentralized ledger able to support immutable data audit trails for exchanging a single version of transactional truth – the core mission at the heart of blockchain. For many, blockchain remains a technology in search of a problem,” according to Gartner.

2. Assuming the technology is mature

A second mistake enterprises make is assuming blockchain technology is ready for production use when the market remains largely composed of fragmented platform offerings that try to differentiate themselves in various ways.

Some blockchain platforms are developed more for confidentiality, others for tokenization or the digital representation of fiat currency or goods; still others are created for universal transactions. Most, Gartner said, are too immature for large-scale production work that comes with the accompanying and requisite systems, security and network management services. However, this will likely change within the next few years.

“CIOs should monitor the evolving capabilities of blockchain platforms and align their blockchain project timeline accordingly,” the report said.

3. Confusing protocol with complete business solution

A third misstep is confusing protocol with business solution, as blockchain is a foundational-level technology that requires applications on top of it to fulfill specific business needs.

While blockchain can and is being used in a variety of scenarios ranging from supply chain management to sharing data across medical information systems, it must also include features such as user interface, business logic and interoperability.

“When it comes to blockchain, there is the implicit assumption that the foundation-level technology is not far removed from a complete application solution. This is not the case,” Leow said. “It helps to view blockchain as a protocol to perform a certain task within a full application. No one would assume a protocol can be the sole base for a whole e-commerce system or a social network.”

4. Misconceptions about scale

A fourth misconception is that blockchain should be considered as purely a database or data storage system. The technology does not yet scale well, as each node in the peer-to-peer network receives a full copy of the distributed ledger each time it’s updated; as it grows, performance slows.

Blockchain, Gartner said, was designed to provide an authoritative, immutable, trusted record of events arising out of a dynamic collection of untrusted parties. That architecture comes at the price of database management capabilities.

In its current form, the technology does not implement the full “create, read, update, delete” model found in conventional database management technology. Instead, it should be seen as a write-once, append-many electronic ledger. “A conventional data management solution might be the better option in some cases,” Leow said.

5. Expecting interoperability too soon

A fifth mistake businesses make is assuming the blockchain universe includes interoperability standards. While some vendors of blockchain platforms talk about interoperability with other blockchains, it is difficult to envision interoperability when most platforms and their underlying protocols are still being designed or developed, Gartner said.

Currently, any vendor conversations about platform interoperability should be seen by CIOs and others as a marketing.

“Never select a blockchain platform with the expectation that it will interoperate with next year’s technology from a different vendor,” Leow said.

6. Assuming smart contracts are fully baked

A sixth mistake some make is assuming that smart contract technology is mature. While smart contracts arguably represent the most powerful aspect of blockchain because they are business automation applications that add dynamic behavior to transactions, problems remain.

Conceptually, smart contracts are software scripts that store procedures associated with specific transaction records. For example, a smart contract could ensure that when cargo reaches a point of entry, a manufacturer awaiting the parts is notified. Unlike a stored procedure in a centralized system, smart contracts are executed by all nodes in the peer-to-peer network, resulting in scalability and manageability challenges that haven’t been fully addressed.

Smart contract technology will undergo significant changes. So CIOs should not plan for full adoption yet, opting instead to run small experiments first. That area of blockchain will continue to mature over the next two or three years, Gartner said.

7. Misunderstanding governance

In a private or permissioned blockchain, governance of the network is typically handed by the owner of the blockchain. So while a supply chain consortium may have dozens of members, the originating company is typically in charge of onboarding, verifying identifiable and financial information, and resolving any disputes that may arise. That’s not the case with public blockchains.

“Governance in public blockchains such as Ethereum and Bitcoin is mostly aimed at technical issues. Human behaviors or motivation are rarely addressed,” Leow said. “CIOs must be aware of the risk that blockchain governance issues might pose for the success of their project. Especially larger organizations should think about joining or forming consortia to help define governance models for the public blockchain.”