it concerns 2014

What You Should – and Should Not – Worry About (In IT) (This Year) William J. Malik, CISA Malik Consulting, LLC


Post on 20-Aug-2015


What You Should – and Should Not – Worry About

(In IT) (This Year)

William J. Malik, CISA

Malik Consulting, LLC

"The future is already here, it's just not evenly distributed."

William Gibson (Photo: Midnightzulu)

Agenda

Blanchard Bone, 25,000-32,000 BCE

Why Are We Here?

• Take a peek at the forest for a moment
• As your guide:
  – App development, John Hancock Insurance
  – System development/test/planning, IBM
  – Infrastructure research, Gartner
  – IT Consulting, KPMG
  – CTO, Waveset
• Find a serviceable path
  – Recognize and avoid danger, build a map

Sources of Change

• Social
• Technological
• Economic
• Environmental
• Political

• From The Art of the Long View, Peter Schwartz

Social drivers of change

• Demographics
  – Expectations of newer employees
  – Tenure of experienced employees
• IT Security problems are either glitches or misbehaviors
  – Suppose an employee sees something that might be an information security problem
  – Would they recognize it? (Awareness)
  – Would they choose to report it? (Culture)
  – Would they know who to call? (Procedures)

Technological drivers of change

• Vast numbers of tiny smart devices
  – Matchbox – match-head – smart dust
• Endpoint power (PDA = phone)
  – Moore’s Law has been pronounced dead at least four times in the past ten years
• 20,000 films from one MRI
• Continuous monitoring
• Code quality will limit innovation

Economic drivers of change

• Cloud business case
  – CME will trade Cloud futures, 6fusion defines chunks
  – What is your investment time horizon?
  – Public or private?
• Consolidation phases
  – Oversight – IT governance
  – Footprint – physical floor space
  – Image – define common software infrastructure
  – Workload – integrate apps and data

Economics of Information Security

• If the cost of getting it is less than it’s worth, it isn’t safe

• Consider cost of a breach as related to lost profit, not lost revenue
  – Divide cost by margins to size impact

• Do not worry about quantifying risk

Environmental drivers of change

• Going green for green (UTC)
  – UTC Newington CT Data Center refit sells $50k+ of power to the grid each month
• Board-level budget reallocation
  – Boston Bank: IT can spend additional $1M to save Facilities $3M annually
  – FDCCI: GAO cannot separate power from facility, so everyone shares when one tenant saves (tragedy of the commons)

Political drivers of change

• Privacy, need to know vs. right to be left alone
  – Sun’s Scott McNealy: “You have zero privacy anyway. Get over it.” 1999
  – Google’s Eric Schmidt: “If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place,” December 2001 interview with CNBC's Maria Bartiromo

IT Customer Satisfaction (1)

• What do your customers want?
• What are they willing to pay for?

• If your customers are paying a fair price for a meaningful service, you are aligned

[Diagram labels: All IT Activities; Measurable IT Activities; IT Activities Users Care About; Potential Services]

IT Customer Satisfaction (2)

• What does shadow IT do for the organization?
  – The pilot should know about problems before the passengers
  – If the passengers find out first, they will help fly the plane (even if they don’t know how to fly!)
• How much are you spending on maintaining operational systems vs. investing in new solutions?

2014 Next Steps

• How are your customers, your employees, and your social context changing?

• Do you drive the relationship with your IT vendors?
• How do your customers understand the value of IT?
• How long will your cloud business plan last?
• Can you harness change as an engine for growth?

When the map and the terrain disagree, trust the terrain

References

• Brand, Stewart: The Clock of the Long Now, Basic Books, New York, 1999

• Glenn, Jerome: Future Mind – Managing the Mystical and the Technological in the 21st Century, Acropolis Books, 1989

• Lanier, Jaron: Who Owns the Future?, Simon and Schuster, 2013

• SANS Institute: Heartbleed webcast, April 10, 2014

• Schwartz, Peter: The Art of the Long View, Doubleday, 1991

Questions - Feedback

William J. Malik, CISA

Malik Consulting, [email protected]

dontbesoanalytical.blogspot.com

+1 (203) 274-3521 (c)