Since just before Christmas I posted An Enterprise Carol, I decided just before New Year’s to post An Enterprise Resolution.
In her article The Irrational Allure of the Next Big Thing, Karla Starr examined why people value potential over achievement in books, sports, and politics. However, her findings apply equally well to technology and the enterprise’s relationship with IT.
“Subjectivity and hype,” Starr explained, “make people particularly prone to falling for Next Best Thing-ism.”
“Our collective willingness to jump on the bandwagon,” Starr continued, “seems at odds with one of psychology’s most robust findings: We are averse to uncertainty. But as it turns out, our reaction to incomplete information depends on our interpretation of the scant data we do have. Uncertainty is a sort of amplifier, intensifying our response whether it’s positive or negative. As long as we react positively to the little information shown, we’re actually attracted to uncertainty. It’s curiosity rather than knowledge that leads to increased cognitive engagement. If the only information at hand is positive, your mind is going to fill in the gaps with other positive details. A whiff of positive information is all we need to set our minds aflutter.”
In his book Thinking, Fast and Slow, Daniel Kahneman explained “when people are favorably disposed toward a technology, they rate it as offering large benefits and imposing little risk; when they dislike a technology, they can think only of its disadvantages, and few advantages come to mind. People who receive a message extolling the benefits of a technology also change their beliefs about its risks. Good technologies have few costs in the imaginary world we inhabit, bad technologies have no benefits, and all decisions are easy. In the real world of course, we often face painful tradeoffs between benefits and costs.”
In his book What Technology Wants, Kevin Kelly explained that technology has a social dimension beyond the mere functionality it provides. “We adopt new technologies largely because of what they do for us, but also in part because of what they mean to us. Often we refuse to adopt technology for the same reason: because of how the avoidance reinforces or shapes our identity.”
So, in 2013, as the big data hype cycle comes down from the peak of inflated expectations, as the painful tradeoffs between the benefits and costs of cloud computing are faced, and as IT consumerization continues to reshape the identity of the IT function, let’s make an enterprise resolution to deal with these realities before we go off chasing the next best thing. Happy New Year!
Since ‘tis the season for reflecting on the past year and predicting the year ahead, while pondering this post my mind wandered to the reflections and predictions provided by the ghosts of A Christmas Carol by Charles Dickens. So, I decided to let the spirit of Jacob Marley revisit my previous Enterprise CIO Forum posts to bring you the Ghosts of Enterprise Past, Present, and Future.
The Ghost of Enterprise Past
Legacy applications have a way of haunting the enterprise long after they should have been sunset. The reason that most of them do not go gentle into that good night, but instead rage against the dying of their light, is that some users continue using some of the functionality they provide, as well as the data trapped in those applications, to support the enterprise’s daily business activities.
This freaky feature fracture (i.e., technology supporting business needs being splintered across new and legacy applications) leaves many IT departments overburdened with maintaining a lot of technology and data that’s not being used all that much.
The Ghost of Enterprise Past warns us that IT can’t enable the enterprise’s future if it’s stuck still supporting its past.
The Ghost of Enterprise Present
While IT was busy battling the Ghost of Enterprise Past, a familiar, but fainter, specter suddenly became empowered by the diffusion of the consumerization of IT. The rapid ascent of the cloud and mobility, spirited by service-oriented solutions that were more focused on the user experience, promised to quickly deliver only the functionality required right now to support the speed and agility requirements driving the enterprise’s business needs in the present moment.
Gifted by this New Prometheus, Shadow IT emerged from the shadows as the Ghost of Enterprise Present, with business-driven and decentralized IT solutions becoming more commonplace, as well as begrudgingly accepted by IT leaders.
All of which creates quite the IT Conundrum, forming yet another front in the war against Business-IT collaboration. Although, in the short-term, the consumerization of IT usually better services the technology needs of the enterprise, in the long-term, if it’s not integrated into a cohesive strategy, it creates a complex web of IT that entangles the enterprise much more than it enables it.
And with the enterprise becoming much more of a conceptual, rather than a physical, entity due to the cloud and mobile devices enabling us to take the enterprise with us wherever we go, the evolution of enterprise security is now facing far more daunting challenges than the external security threats we focused on in the past. This more open business environment is here to stay, and it requires a modern data security model, despite the fact that such a model could become the weakest link in enterprise security.
The Ghost of Enterprise Present asks many questions, but none more frightening than: Can the enterprise really be secured?
The Ghost of Enterprise Future
Of course, the T in IT wasn’t the only apparition previously invisible outside of the IT department to recently break through the veil in a big way. The I in IT also had its coming-out party this year since, as many predicted, 2012 was the year of Big Data.
Although neither the I nor the T is magic, instead of sugar plums, Data Psychics and Magic Elephants appear to be dancing in everyone’s heads this holiday season. In other words, the predictive power of big data and the technological wizardry of Hadoop (as well as other NoSQL techniques) seem to be on the wish list of every enterprise for the foreseeable future.
However, despite its unquestionable potential, as its hype starts to settle down, the sobering realities of big data analytics will begin to sink in. Data’s value comes from data’s usefulness. If all we do is hoard data, then we’ll become so lost in the details that we’ll be unable to connect enough of the dots to discover meaningful patterns and convert big data into useful information that enables the enterprise to take action, make better decisions, or otherwise support its business activities.
Big data will force us to revisit information overload as we are occasionally confronted with the limitations of historical analysis, and blindsided by how our biases and preconceptions could silence the signal and amplify the noise, which will also force us to realize that data quality still matters in big data and that bigger data needs better data management.
As the Ghost of Enterprise Future, big data may haunt us with more questions than the many answers it will no doubt provide.
I realize that this post lacks the happy ending of A Christmas Carol. To paraphrase Dickens, I endeavored in this ghostly little post to raise the ghosts of a few ideas, not to put my readers out of humor with themselves, with each other, or with the season, but simply to give them thoughts to consider about how to keep the Enterprise well in the new year. Happy Holidays Everyone!
“Those who cannot remember the past are condemned to repeat it,” wrote George Santayana in the early 20th century to caution us about not learning the lessons of history. But with the arrival of the era of big data and dawn of the data scientist in the early 21st century, it seems like we no longer have to worry about this problem since not only is big data allowing us to digitize history, data science is also building us sophisticated statistical models from which we can analyze history in order to predict the future.
However, “every model is based on historical assumptions and perceptual biases,” Daniel Rasmus blogged. “Regardless of the sophistication of the science, we often create models that help us see what we want to see, using data selected as a good indicator of such a perception.” Although perceptual bias is a form of the data silence I previously blogged about, even absent such a bias, there are limitations to what we can predict about the future based on our analysis of the past.
“We must remember that all data is historical,” Rasmus continued. “There is no data from or about the future. Future context changes cannot be built into a model because they cannot be anticipated.” Rasmus used the example that no models of retail supply chains in 1962 could have predicted the disruption eventually caused by that year’s debut of a small retailer in Arkansas called Wal-Mart. And no models of retail supply chains in 1995 could have predicted the disruption eventually caused by that year’s debut of an online retailer called Amazon. “Not only must we remember that all data is historical,” Rasmus explained, “but we must also remember that at some point historical data becomes irrelevant when the context changes.”
As I previously blogged, despite what its name implies, predictive analytics can’t predict what’s going to happen with certainty, but it can predict some of the possible things that could happen with a certain probability. Another important distinction is that “there is a difference between being uncertain about the future and the future itself being uncertain,” Duncan Watts explained in his book Everything is Obvious (Once You Know the Answer). “The former is really just a lack of information — something we don’t know — whereas the latter implies that the information is, in principle, unknowable. The former is an orderly universe, where if we just try hard enough, if we’re just smart enough, we can predict the future. The latter is an essentially random world, where the best we can ever hope for is to express our predictions of various outcomes as probabilities.”
“When we look back to the past,” Watts explained, “we do not wish that we had predicted what the search market share for Google would be in 1999. Instead we would end up wishing we’d been able to predict on the day of Google’s IPO that within a few years its stock price would peak above $500, because then we could have invested in it and become rich. If our prediction does not somehow help to bring about larger results, then it is of little interest or value to us. We care about things that matter, yet it is precisely these larger, more significant predictions about the future that pose the greatest difficulties.”
Although we should heed Santayana’s caution and try to learn history’s lessons in order to factor into our predictions about the future what was relevant from the past, as Watts cautioned, there will be many times when “what is relevant can’t be known until later, and this fundamental relevance problem can’t be eliminated simply by having more information or a smarter algorithm.”
Although big data and data science can certainly help enterprises learn from the past in order to predict some probable futures, the future does not always resemble the past. So, remember the past, but also remember the limitations of historical analysis.
In the era of big data, information optimization is becoming a major topic of discussion. But when some people discuss the big potential of big data analytics under the umbrella term of data science, they make it sound like since we have access to all the data we would ever need, all we have to do is ask the Data Psychic the right question and then listen intently to the answer.
However, in his recent blog post Silence Isn’t Always Golden, Bradley S. Fordham, PhD explained that “listening to what the data does not say is often as important as listening to what it does. There can be various types of silences in data that we must get past to take the right actions.” Fordham described these data silences as various potential gaps in our analysis.
One data silence is the syntactic gap, which is a proportionately small amount of data in a very large data set that “will not parse (be converted from raw data into meaningful observations with semantics or meaning) in the standard way. A common response is to ignore them under the assumption there are too few to really matter. The problem is that oftentimes these items fail to parse for similar reasons and therefore bear relationships to each other. So, even though it may only be .1% of the overall population, it is a coherent sub-population that could be telling us something if we took the time to fix the syntactic problems.”
This data silence reminded me of my podcast discussion with Thomas C. Redman, PhD about big data and data quality, during which we discussed how some people erroneously assume that data quality issues can be ignored in larger data sets.
Another data silence is the inferential gap, which is basing an inference on only one variable in a data set. The example Fordham uses is from a data set showing that 41% of the cars sold during the first quarter of the year were blue, from which we might be tempted to infer that customers bought more blue cars because they preferred blue. However, by looking at additional variables in the data set and noticing that “70% of the blue cars sold were from the previous model year, it is likely they were discounted to clear them off the lots, thereby inflating the proportion of blue cars sold. So, maybe blue wasn’t so popular after all.”
Another data silence Fordham described using the same data set is gaps in field of view. “At first glance, knowing everything on the window sticker of every car sold in the first quarter seems to provide a great set of data to understand what customers wanted and therefore were buying. At least it did until we got a sinking feeling in our stomachs because we realized that this data only considers what the auto manufacturer actually built. That field of view is too limited to answer the important customer desire and motivation questions being asked. We need to break the silence around all the things customers wanted that were not built.”
This data silence reminded me of WYSIATI, which is an acronym coined by Daniel Kahneman to describe how the data you are looking at can greatly influence you to jump to the comforting, but false, conclusion that “what you see is all there is,” thereby preventing you from expanding your field of view to notice what data might be missing from your analysis.
As Fordham concluded, “we need to be careful to listen to all the relevant data, especially the data that is silent within our current analyses. Applying that discipline will help avoid many costly mistakes that companies make by taking the wrong actions from data even with the best of techniques and intentions.”
Therefore, in order for your enterprise to leverage big data analytics for business success, you not only need to adopt a mindset that embraces the principles of data science, you also need to make sure that your ears are set to listen for data silence.
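As an added illustration of listening for the syntactic and inferential gaps described above (example code written for this page, not Fordham’s or the podcast’s own), the script below parses a small constructed set of car-sales records, groups the records that fail to parse by the reason they failed instead of dropping them, and then conditions the “share of blue cars” on model year. The data, field layout, and thresholds are all assumptions made for the example.

```python
"""Listening for two of Fordham's data silences in a small data set.

The car-sales records below are constructed for this example (they are not
Fordham's data). Each line is expected as: sold_date,color,model_year with
an ISO date.
"""
import re
from collections import defaultdict

# Constructed sample. Lines 21-23 come from one dealer whose export uses
# US-style dates, so they all fail the standard parser for the same reason;
# line 24 is simply truncated. Note that the three silent records are blue.
RAW_RECORDS = """\
2012-01-04,blue,2011
2012-01-05,blue,2011
2012-01-09,blue,2011
2012-01-12,blue,2011
2012-01-17,blue,2011
2012-01-20,blue,2011
2012-02-02,blue,2012
2012-02-08,blue,2012
2012-01-06,red,2012
2012-01-10,red,2012
2012-01-11,silver,2012
2012-01-18,silver,2011
2012-01-24,white,2012
2012-02-01,white,2012
2012-02-03,black,2012
2012-02-07,black,2012
2012-02-14,red,2011
2012-02-15,silver,2012
2012-02-21,white,2012
2012-03-01,black,2012
01/04/2012,blue,2011
01/06/2012,blue,2011
01/09/2012,blue,2011
2012-03-05,black
"""

DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")
COLORS = {"blue", "red", "silver", "white", "black"}


def parse_record(line):
    """Turn one raw line into a record, or raise ValueError carrying a short,
    stable reason string so that failures can be grouped rather than discarded."""
    fields = [f.strip() for f in line.split(",")]
    if len(fields) != 3:
        raise ValueError("field count")
    sold_date, color, model_year = fields
    if not DATE_RE.match(sold_date):
        raise ValueError("date format")
    if color.lower() not in COLORS:
        raise ValueError("unknown color")
    if not model_year.isdigit():
        raise ValueError("model year")
    return {"sold_date": sold_date, "color": color.lower(), "model_year": int(model_year)}


def parse_all(raw):
    """Parse every non-blank line; failures are kept, grouped by reason -> line numbers."""
    parsed, failures = [], defaultdict(list)
    for lineno, line in enumerate(raw.splitlines(), 1):
        if not line.strip():
            continue
        try:
            parsed.append(parse_record(line))
        except ValueError as exc:
            failures[str(exc)].append(lineno)
    return parsed, dict(failures)


def syntactic_gap_report(raw):
    """Syntactic gap: parse failures may be a small fraction of the set, but
    when most of them share one reason they form a coherent sub-population."""
    parsed, failures = parse_all(raw)
    n_fail = sum(len(v) for v in failures.values())
    total = len(parsed) + n_fail
    reason, lines = (max(failures.items(), key=lambda kv: len(kv[1]))
                     if failures else (None, []))
    return {
        "failure_share": n_fail / total if total else 0.0,
        "dominant_reason": reason,
        "dominant_lines": lines,
        # Assumed threshold: half or more of the failures sharing one cause.
        "coherent": n_fail > 0 and len(lines) / n_fail >= 0.5,
    }


def inferential_gap_report(records, color="blue", current_year=2012):
    """Inferential gap: the share of one color alone suggests preference; the
    same share conditioned on model year tests whether clearance of old stock
    explains it instead."""
    def prior_year(rs):
        return sum(r["model_year"] < current_year for r in rs)

    of_color = [r for r in records if r["color"] == color]
    others = [r for r in records if r["color"] != color]
    return {
        "color_share": len(of_color) / len(records) if records else 0.0,
        "prior_year_share_within_color": prior_year(of_color) / len(of_color) if of_color else 0.0,
        "prior_year_share_other_colors": prior_year(others) / len(others) if others else 0.0,
    }


if __name__ == "__main__":
    print(syntactic_gap_report(RAW_RECORDS))
    parsed_records, _ = parse_all(RAW_RECORDS)
    print(inferential_gap_report(parsed_records))
```

On this sample the three parse failures that share the "date format" reason are flagged as a coherent sub-population, and blue's 40% share turns out to be 75% prior-model-year stock versus about 17% for the other colors.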
During this episode, Bill Laberis and I discuss the necessary evolution of enterprise security in the era of cloud computing and mobile devices. Our discussion includes public, private, and hybrid clouds, leveraging existing security best practices, defining BYOD (Bring Your Own Device) policies, mobile device management, and striking a balance between convenience and security.
Bill Laberis is the Editorial Director of the Enterprise CIO Forum, in which capacity he oversees the content of both its US and international websites. He is also Editorial Director and Social Media Manager in the IDG Custom Solutions Group, working closely with clients to create highly individualized custom content programs that leverage the wide range of media capabilities, including print, online, multimedia, and custom events.
Bill Laberis was editor-in-chief of Computerworld from 1986-1996, has been a frequent speaker and keynoter, and has written for various business publications including The Wall Street Journal. He has been closely following the IT sector for 30 years.
The Evolution of Enterprise Security
Over the last two months, I have been blogging a lot about how enterprise security has become an even more important, and more complex, topic of discussion than it already was. The days of the perimeter fence model being sufficient are long gone, and social media is helping social engineering more effectively attack the weakest links in an otherwise sound security model.
With the consumerization of IT allowing Shadow IT to emerge from the shadows and the cloud and mobile devices enabling the untethering of the enterprise from the physical boundaries that historically defined where the enterprise stopped and the outside world began, I have been more frequently pondering the question: Can the enterprise really be secured?
The cloud presents the conundrum of relying on non-enterprise resources for some aspects of enterprise security. However, “one advantage of the cloud,” Judy Redman recently blogged, “is that it drives the organization to take a more comprehensive, and effective, approach to risk governance.” Redman’s post includes four recommended best practices for stronger cloud security.
With the growing popularity of the mobile-app-portal-to-the-cloud business model, more enterprises are embracing mobile app development for deploying services to better support both their customers and their employees. “Mobile apps,” John Jeremiah recently blogged, “are increasingly dependent on cloud services that the apps team didn’t build, the organization doesn’t own, and the ops team doesn’t even know about.” Jeremiah’s post includes four things to consider for stronger mobile security.
Although it is essential for every enterprise to have a well-articulated security strategy, “it is important to understand that strategy is not policy,” John Burke recently blogged. “Security strategy links corporate strategy overall to specific security policies; policies implement strategy.” Burke’s post includes five concrete steps to take to build a security strategy and implement security policies.
With the very notion of an enterprise increasingly becoming more of a conceptual entity than a physical entity, enterprise security is becoming a bit of a misnomer. However, the underlying concepts of enterprise security still need to be put into practice, and even more so now that, since the enterprise has no physical boundaries, the enterprise is everywhere, which means that everyone (employees, partners, suppliers, service providers, customers) will have to work together for “the enterprise” to really be secured.
“100 percent security no longer exists in the digital world,” Christian Verstraete recently blogged. “Many companies have to recognize that they have not developed a proactive enough security strategy. They also have to recognize that they have not put the appropriate procedures in place to cope with a security breach when it happens. Instead, they are in reactive mode.”
In my previous post, I blogged about how although any proactive security strategy can only be as strong as its weakest link, the weakest link in your enterprise security could actually be the protocols enacted in the event of an apparent security breach.
“We are confronted with a world where employees bring their own devices and use them for both their private and their business lives,” Verstraete continued. “As our world is getting increasingly integrated, and as social media is used by enterprises to reach their customers and prospects, we need to train our people to ensure they are watchful for social engineering.”
The book Social Engineering: The Art of Human Hacking by Chris Hadnagy, the lead developer of Social-Engineer.org, defines social engineering as “the act of manipulating a person to take an action that may or may not be in their best interest.”
“While software companies are learning how to strengthen their programs,” Hadnagy explained, “hackers and malicious social engineers are turning to the weakest part of the infrastructure — the people. The motivation is all about return on investment. No self-respecting hacker is going to spend 100 hours to get the same results from a simple attack that takes one hour, or less.”
“Denial, ignorance, or the overwhelming nature of threats and vulnerabilities are all causes of a lack of focus,” Ken Larson recently blogged. “In this age of IT, the threats and vulnerabilities raised by mobility, social networking, cloud computing, and the sharing of IT resources between enterprises must be added to the traditional threats that we’ve focused on for years.”
As I have previously blogged, traditional approaches focus mainly on external security threats, which nowadays is like fortifying your physical barriers while ignoring the cloud floating over them and the mobile devices walking around them. The more open business environment enabled by cloud and mobile technologies is here to stay, and it requires a modern data security model.
“Proactively define your security strategy,” Verstraete concluded. “Decide what an acceptable risk level is. Choose and implement tools and procedures accordingly, and train, train, train your employees.” I definitely agree that employee training is essential to strengthening your enterprise security, and especially training your employees to understand the principles of social engineering.
As a recent Techopedia article noted, one of the biggest challenges for IT security these days is finding a balance among three overarching principles: availability (i.e., that information is accessible when authorized users need it), confidentiality (i.e., that information is only being seen or used by people who are authorized to access it), and integrity (i.e., that any changes to information by an unauthorized user are impossible — or at least detected — and changes by authorized users are tracked).
Finding this balance has always been a complex challenge for enterprise security since the tighter you lock an IT system down, the harder it can become to use for daily business activities, which sometimes causes usability to be prioritized over security.
“I believe those who think security isn’t a general IT priority are wrong,” Rafal Los recently blogged in a post about the role of Chief Information Security Officer (CISO). “Pushing the security agenda ahead of doing business seems to be something poor CISOs are known for, which creates a backlash of executive push-back against security in many organizations.”
According to Los, IT leaders need to balance the business enablement of IT with the need to keep information secure, which requires better understanding both business risks and IT threats, and allowing the organization to execute its business goals in a tactical fashion while simultaneously working out the long-term enterprise security strategy.
Although any security strategy is only as strong as its weakest link, the weakest link in enterprise security might not be where you’d expect to find it. A good example of this came from perhaps the biggest personal data security disaster story of the year, the epic hacking of Mat Honan, during which, as he described it, “in the space of one hour, my entire digital life was destroyed.”
The biggest lesson learned was not the lack of a good security strategy (though that obviously played a part, not only with Honan personally, but also with the vendors involved). Instead, the lesson was that the weakest link in any security strategy might be its recovery procedures — and that hackers don’t need to rely on Hollywood-style techno-wizardry to overcome security protocols.
Organizations are rightfully concerned about mobile devices containing sensitive data getting stolen — in fact, many make use of the feature provided by Apple that enables you to remotely delete data on your iPhone, iPad, and MacBook in the event of theft.
In Honan’s case, the hackers exploited this feature by accessing his Apple iCloud account (for the details of how that happened, read his blog post), wiping clean his not-stolen mobile devices, resetting his passwords, including for his email accounts, which prevented him from receiving any security warnings and password reset notifications, and bought the hackers the time needed to redirect everything — essentially all by doing what Honan would have done if his mobile devices had actually been stolen.
The hackers also deleted all of Honan’s data stored in the cloud, which was devastating since he had no off-line backups (yes, he admits that’s his fault). Before you’re tempted to use this as a cloud-bashing story, as Honan blogged in a follow-up post about how he resurrected his digital life, “when my data died, it was the cloud that killed it. The triggers hackers used to break into my accounts and delete my files were all cloud-based services — iCloud, Google, and Amazon. Some pundits have latched onto this detail to indict our era of cloud computing. Yet just as the cloud enabled my disaster, so too was it my salvation.”
Although most security strategies are focused on preventing a security breach from happening, as the Honan story exemplifies, the weakest link in your enterprise security could actually be the protocols enacted in the event of an apparent security breach.
Enterprise security is becoming an even more important, and more complex, topic of discussion than it already was. Especially when an organization focuses mostly on preventing external security threats, which is somewhat like, as in the photo to the left, telling employees to keep the gate closed but ignore the cloud floating over the gate and the mobile devices walking around it.
But that doesn’t mean we need to build bigger and better gates. The more open business environment enabled by cloud and mobile technologies is here to stay, and it requires a modern data security model that can protect us from the bad without being overprotective to the point of inhibiting the good.
“Security controls cost money and have an impact on the bottom line,” Gideon Rasmussen recently blogged. Therefore, “business management may question the need for controls beyond minimum compliance requirements. However, adherence to compliance requirements, control frameworks, and best practices may not adequately protect sensitive or valuable information because they are not customized to the unique aspects of your organization.”
This lack of a customized security solution can also be introduced when leveraging cloud providers. “Transparency is the capability to look inside the operational day-to-day activity of your cloud provider,” Rafal Los recently blogged. “As a consumer, transparency means that I have audit-ability of the controls, systems, and capabilities that directly impact my consumed service.”
A further complication for enterprise security is that many cloud-based services are initiated as Shadow IT projects. “There are actually good reasons why you may want to take a hard look at Shadow IT, as it may fundamentally put you at risk of breaching compliance,” Christian Verstraete recently blogged. “Talking to business users, I’m often flabbergasted by how little they know of the potential risks encountered by putting information in the public cloud.”
In the science fiction universe of Star Trek, the security officers aboard the starship Enterprise, who wore red shirts, often quickly died on away missions. Protecting your data, especially when it goes on away missions in the cloud or on mobile devices, requires your enterprise security to be on red alert — otherwise everyone in your organization might as well be wearing a red shirt.
While checking out the new Knowledge Vaults on the Enterprise CIO Forum, I came across the Genefa Murphy blog post How IT Debt is Crippling the Enterprise, which included three recommendations for alleviating some of that crippling IT debt.
The first recommendation was application retirement. As I have previously blogged, applications become retirement-resistant because applications and data have historically been so tightly coupled, making most of what are referred to as data silos actually application silos. Therefore, in order to help de-cripple IT debt, organizations need to de-couple applications and data, not only by allowing more data to float up into the cloud, but also, as Murphy noted, instituting better procedures for data archival, which helps more easily identify applications for retirement that have become merely containers for unused data.
The second recommendation was cutting the IT backlog. “One of the main reasons for IT debt,” Murphy explained, “is the fact that the enterprise is always trying to keep up with the latest and greatest trends, technologies and changes.” I have previously blogged about this as The Diderot Effect of New Technology. By better identifying how up-to-date the IT backlog is, and how well — if at all — it still reflects current business needs, an organization can skip needless upgrades and enhancement requests, and not only eliminate some of the IT debt, but also better prioritize efforts so that IT functions as a business enabler.
The third recommendation was performing more architectural reviews, which, Murphy explained, “is less about getting rid of old debt and more about making sure new debt does not accumulate. Since IT teams don’t often have the time to do this (as they are concerned with getting a working solution to the customer ASAP), it is a good idea to have this as a parallel effort led by a technology or architectural review group outside of the project teams but still closely linked.”
Although it’s impossible to completely balance the IT budget, and IT debt doesn’t cause an overall budget deficit, reducing costs associated with business-enabling technology does increase the potential for a surplus of financial success for the enterprise.
Since more organizations are embracing cloud computing and cloud-based services, and some analysts are even predicting that personal clouds will soon replace personal computers, the cloudy future of our data has been weighing on my mind.
I recently discovered the website DataGravity.org, which contains many interesting illustrations and formulas about data gravity, a concept which Dave McCrory blogged about in his December 2010 post Data Gravity in the Clouds.
“Consider data as if it were a planet or other object with sufficient mass,” McCrory wrote. “As data accumulates (builds mass) there is a greater likelihood that additional services and applications will be attracted to this data. This is the same effect gravity has on objects around a planet. As the mass or density increases, so does the strength of gravitational pull. As things get closer to the mass, they accelerate toward the mass at an increasingly faster velocity.”
In my blog post What is Weighing Down your Data?, I explained the often misunderstood difference between mass, which is an intrinsic property of matter based on atomic composition, and weight, which is a gravitational force acting on matter. By using these concepts metaphorically, we could say that mass is an intrinsic property of data, representing objective data quality, and weight is a gravitational force acting on data, representing subjective data quality.
I used a related analogy in my blog post Quality is the Higgs Field of Data. By using data, we give data its quality, i.e., its mass. We give data mass so that it can become the basic building blocks of what matters to us.
Historically, most of what we referred to as data silos were actually application silos because data and applications became tightly coupled due to the strong gravitational force that legacy applications exerted, preventing most data from achieving the escape velocity needed to free itself from an application. But the laudable goal of storing your data in one easily accessible place, and then building services and applications around your data, is one of the fundamental value propositions of cloud computing.
With data accumulating in the cloud, as McCrory explained, although “services and applications have their own gravity, data is the most massive and dense, therefore it has the most gravity. Data, if large enough, can be virtually impossible to move.”
The cloud is shifting our center of gravity because of the data gravitational field emitted by the massive amount of data being stored in the cloud. The information technology universe, business world, and our personal (often egocentric) solar systems are just beginning to feel the effects of this massive gravitational shift.