Cybersecurity in the Wake of Sony

Transcription

Cybersecurity in the Wake of Sony
JOURNAL REPORT
THE WALL STREET JOURNAL.
© 2015 Dow Jones & Company. All Rights Reserved.
Tuesday, February 10, 2015 | R1
Cybersecurity in the Wake of Sony
At the annual meeting of The Wall Street Journal’s CIO Network, chief information officers
accepted that being hacked was a given. The question was how to react to it.
BY JOHN BUSSEY AND STEVEN ROSENBUSH
IF THERE WAS one specter hanging over this year’s gathering of The
Wall Street Journal’s CIO Network, it could be spelled: S-O-N-Y.
Conversation during breaks gravitated to the remarkable destruction of Sony Pictures Entertainment’s network and files that
hackers caused in November.
This hack wasn’t about stealing intellectual property and slinking away, or pranking a former employer. These hackers broke in
and fired up the wrecking ball.
The global chief information officers who gathered at the third
annual CIO Network in San Diego last week are a chastened crew.
When asked who hasn’t been hacked, just one hand went up in the
audience, and that CIO got a lot of skeptical looks. And when
asked if business and the government were making progress
against hacking or were losing the battle, the group overwhelm-
ingly said the latter.
But the conversation quickly got pragmatic. “Don’t go overboard
on security,” one CIO said. “I still have to address other matters.”
Company networks need to grow and be flexible, interact with vendors and customers, and accommodate internal innovation. Cybersecurity has become just one more item on the corporate risk-management list—albeit high on the list, several CIOs said.
When they weren’t being told by speakers how technology will
radically change their jobs, the CIOs swapped advice on radical
changes already long under way, most notably the rapid shift of
data to the cloud. Determining what data and computing to keep
at home and what to outsource to the cloud is no easy calculation.
“Finding on-ramps to the cloud is the No. 1 priority on my
agenda,” a CIO said. For many CIOs, that on-ramp looks more like
a cloverleaf interchange—a complex hybrid of public and private
clouds, knit into existing corporate data centers.
That more versatile network is needed, in part, to digest the proliferation of data coming in from customers, vendors and internal
production. Some 44% of the CIOs said their companies now tackle
big data projects “all the time.”
Which, of course, brought the conversation back around to security….
Mr. Bussey is an associate editor of The Wall Street Journal.
He can be reached at [email protected].
Mr. Rosenbush is the editor of The Wall Street Journal’s
CIO Journal. He can be reached at [email protected].
The Software of Life
J. Craig Venter on finding the answers to our biggest questions
What Drives Us All
MR. BUSSEY: You’re in a perfect position
to answer a core question for us, which
is, what is life?
MR. VENTER: The short answer is life is
a DNA software-driven system, at least
on this planet, as far as we know. Every
species is driven by their DNA software, totally and completely.
The much more complicated answer
deals with energy balance in a cellular
system and transporting molecules in
and out. But it all gets down to reading
your DNA software from second to second in every one of your cells, making
new proteins, making new versions of
your cells. Without the software, you
can’t make new hardware.
MR. BUSSEY: You’re trying to sequence
one million genomes by 2020, so that
you can have a database to look for
correlations between disease and genetic makeup. Tell us how that is coming along and the implications.
MR. VENTER: The challenge is trying to
learn how to read that software that we
have. My genome was the first one sequenced 15 years ago. And there’s not
that much more that we can interpret
today than we could 15 years ago, because there have only been a few hundred to thousand genomes that have
been sequenced.
What we’re trying to do is not just
sequence the genomes. We’re trying to
measure every physiological parameter
we can. If we record all these variants
in people, we can start to understand
what parts of the genetic code code for
these different pieces.
We’re doing 3-D photographs of people’s faces. We measure about 30,000
parameters on your face, different distances, distance between your eyes.
We’re trying to use the machine learning to get so we can predict your face,
a photograph of you, from your genetic
code. Because it is all genetic.
We’re trying to do the same with
voice. Perfect pitch is genetic. It’s 100%
genetic. All these parameters have genetic elements that are coded for.
We’re trying to find how to maximally
read and interpret that genetic code.
MR. BUSSEY: The implications for medicine are that you’re going to be able to
show predispositions for various diseases if you have a big enough database from which to draw those relationships. Is that right?
MR. VENTER: Absolutely. We can do that
now, but to a very limited extent. Part
of the problem with the discovery of
the so-called breast-cancer genes was
that physicians wrongly told women
that had the genetic changes associated
with the genes that they had a 99%
chance of getting breast cancer. Turns
out all women that have these genetic
changes don’t get breast cancer.
Part of what we’re trying to discover, so we can get people the true
facts about their situation, is: If you
have a risk for disease such as breast
cancer, do you have other protective elements that give you a low likelihood
that you’ll actually get breast cancer?
Gary Fong/Dow Jones
J. Craig Venter is in the life business.
The co-founder and chief executive
of Human Longevity Inc. has had his
hand in any number of projects related
to the nuts and bolts of existence—from
sequencing the human genome to actually creating synthetic life.
The Wall Street Journal’s John
Bussey spoke with Mr. Venter about his
work and what implications our growing knowledge of DNA holds for medicine, human longevity, technology and
ethics.
Here are edited excerpts of their conversation.
The Ethical Questions
MR. BUSSEY: Are we going to take that
science and that technology and begin
to screen out from insurance coverage
those who might have some disability
as a result of their genetic history?
MR. VENTER: It depends on the country
and it depends on the system. A CEO of
one of the major pharmaceutical companies in Europe had a clinical trial. It
was approved.
But the single payer in that country
sorted through the data and said, “We
noticed there were no positive responses in people age 80 to 90. So
we’re not going to pay to have any patients in the 80-to-90 range get that
drug.”
It’s a total misuse of the data. And
there’s no competition to keep it right.
We’re OK in this country, because we
have a lot of competitive systems. If
one says they’ll restrict it, you can go
somewhere else.
MR. BUSSEY: Theoretically, how long
can we live?
MR. VENTER: I don’t think there’s necessarily any a priori limits. Human
lifespan used to be 30 years, 25 years.
‘Our goal is not to increase the lifespan. It’s to try to
increase the healthy lifespan.’
But there’s no basic, fundamental reason why it has to be short.
MR. BUSSEY: What do we look like when
we’re 175?
MR. VENTER: Our goal is not to increase
the lifespan. It’s to try to increase the
healthy lifespan. Because we have a lot
of other problems in society that, if we
all start living to 140, those problems
are only going to get worse. But if we
can change medical cost and the quality
of people’s lives for 100 years, that’s a
huge impact.
Life in the Lab
MR. BUSSEY: In 2010, you announced
that you had created synthetic life.
A BURST OF INVESTMENT
INSIDE
Venture-capital investment in genomics shot up last year, with a focus on biopharmaceuticals companies
Venture-capital investment in
U.S. venture-backed genomic
companies*
$700 million
2014 investment by industry segment
500
400
$122 million
Health-care services
Medical devices and
equipment
Medical software and
information services
600
$398 million
Biopharmaceuticals
$99 million
$73 million
300
200
10 biggest deals of 2014
100
COMPANY
INDUSTRY SEGMENT
AMOUNT RAISED IN MILLIONS
Invitae Corp.
Health-care services
$120
Human Longevity Inc.
Biopharmaceuticals
$70
10X Genomics Inc.
Biopharmaceuticals
$55.5
Syros Pharmaceuticals Inc.
Biopharmaceuticals
$53.2
BioNano Genomics Inc.
Biopharmaceuticals
$53
Blueprint Medicines Corp.
Biopharmaceuticals
$50
CardioDx Inc.
Medical Devices and Equipment
$35
*Venture capital includes all investments made by venture
capitalists or venture-capital-type investors, i.e. those making
equity investments in early-stage companies from a fund with
multiple limited partners
Personalis Inc.
Medical Software and Information Services
$33
Epic Sciences Inc.
Medical Devices and Equipment
$30
Source: Dow Jones VentureSource
Twist Bioscience Corp.
Biopharmaceuticals
$26
0
2005 ’06 ’07 ’08 ’09 ’10
’11 ’12
’13 ’14
2014 investment by round
First round
Second round
Later stage
$116
$182
$393
million
million
million
The Wall Street Journal
Walk us through that.
MR. VENTER: This is the 20th anniversary of when we sequenced the first genome. Just from that first bacterial genome, we’re trying to understand:
What’s the minimal basis of life? Is
there a smaller equation of gene sets
that all life derives from?
We decided the only way to answer
that was to take the ones and zeros out
of the computer, use four bottles of
chemicals, and remake the genetic DNA
molecule, and then boot that up. It was
a completely chemically made DNA
molecule that we put into a cell. It took
over that cell. And everything, after a
short time, in that cell derived from
that new software we put into the cell.
Richard Bejtlich and
Shuman Ghosemajumder
on how the data breach at
Sony Pictures is a paradigm
shift for cybersecurity.
R4
Howard Schmidt on
what companies should ask of
Washington when it comes to
cybersecurity, and what they
should be doing themselves.
R4
Maarten Sierhuis says
we need to understand human
behavior on the road better
before cars can reliably
drive themselves.
R5
CIO Network Videos>>
George Colony on the
challenges the ‘Age of the
Customer’ poses for CIOs.
R5
John Chambers discusses
how the role of the CIO will
change in the next few years.
R6
Amy Braverman on the
need for new methodologies
in handling big data.
R6
The CIO Task Forces’
recommendations and
CIOs’ top priorities
R2
For the full lineup of CIO Network video interviews with top
technology executives about the challenges of today’s tech world,
go to WSJ.com/LeadershipReport.
THE WALL STREET JOURNAL.
R2 | Tuesday, February 10, 2015
JOURNAL REPORT | CIO NETWORK
The Task Forces’ Priorities
The technology executives at last week’s CIO Network conference divided into five task forces to debate
their management and policy agendas in the following areas. Here are their top recommendations.
THE NATIONAL AGENDA
1
FUND STEM
Develop and fund an endto-end architecture for STEM
to include students, parents,
teachers, employers and
educational institutions.
2
LEVERAGE LEARNING
The government should
enact a liability-free zone centered on information sharing
around cybersecurity with
no penalties.
3
FIX HEALTH CARE
Break the current model.
Use technology to create an
incentive model that drives
positive financial and clinical
outcomes.
4
IMMIGRATION
We need a medium-term
increase in H1B visas.
STAYING SECURE AND INNOVATIVE
CO-CHAIRS
Scott Blanchette, CIO,
Kindred Healthcare
Sheila Jordan, Senior Vice
President, Chief Technology
Officer, Symantec
SUBJECT EXPERT
Terry Benzel, Deputy Director,
Internet and Networked
Systems, USC Information
Sciences Institute
GETTING THE MESSAGE ACROSS
1
BE A CHANGE AGENT
Understand the steps to
creating change with the current corporate culture in mind.
Pace yourself. Deliver tangible
value early. Create a path to
change with concrete steps.
2
FOCUS ON VALUE
DIFFERENTIATION
Always emphasize the value
being delivered rather than
the cost of technology. The
value needs to be visible.
3
TURN RISK INTO
OPPORTUNITY
Use current challenges such
as market conditions, cybersecurity, innovation and data
analytics as a catalyst for
engagement in the boardroom. Use the opportunity to
drive the components of your
business agenda.
4
BUSINESS-CENTRIC
VISION
Create a vision; form a strategy. Communicate that vision
to stakeholders in a transpar-
ent way. Effectively communicate the right messages to the
right individuals, execute, and
then measure your success.
CO-CHAIRS
Anil T. Cheriyan, CIO,
SunTrust Banks Inc.
Suren Gupta, Executive Vice
President of Technology and
Operations, Allstate Insurance
SUBJECT EXPERT
Chris Patrick, Global Leader,
CIO Practice, Egon Zehnder
TECHNOLOGY’S GOT TALENT
1
BEYOND THE USUAL
SUSPECTS
Take risks and refrain from
simply checking a box. Be
open to raw talent who have
the smarts, the ambition, the
enthusiasm and the curiosity.
Also look for people who
understand how ‘Year Zero’
works with technology, and
who are commercially minded.
This strategy requires the CIO
to take ownership and develop
and install a path for their
success.
2
WIRED FOR CHANGE
Change is constant; look
for people who come at problems from a different perspective. Are we talking about a
risk taker? Yes. But not someone who just takes risks. Re-
cruit people who are incredibly
adaptive to and can drive
rapid change, both personally
and professionally.
3
LEADERS AND
SUPERSTARS
Identify and build leaders and
superstars. Leadership is the
‘”It” factor. CIOs should invest
their time in budding leaders.
Let them know they are making a difference in the organization. Create leadership education/mentorships for the top
technical talent so they won’t
fail when offered more
responsibility. Be sure your
organization can identify,
develop and reward the
superstars.
4
CREATE A ‘STICKY’
CULTURE
Create an environment for
talent to come, stay and grow,
and a narrative defining innovation in terms of what your
company does best. Build an
environment to improve
employee work/life balance.
CO-CHAIRS
Gerri Martin-Flickinger,
Senior Vice President
and CIO, Adobe
Mark Settle, Senior Vice
President and CIO, IHS Inc.
SUBJECT EXPERT
Katherine Graham Shannon,
Global Managing Partner,
Information and Technology
Officers Practice, Heidrick &
Struggles
THE CIOS’ TOP PRIORITIES
The five task forces at the
CIO Network conference presented their recommendations
to the full conference, which
voted these as the top five
overall priorities:
1
MAKE IT EVERYBODY’S
BUSINESS
Make sure everyone in your
community—including third
parties—knows what the
boundaries are, what needs to
be protected, and where
there’s room to move. Everyone is a cop on the beat. Everyone also is a target. Build a
comprehensive education system from top to bottom of the
company that includes governance that embraces security
at every step.
2
CYBER RISK =
BUSINESS RISK
Categorize what data in your
company is the most critical.
Make it clear to everyone how
a breach would translate to
business impact.
3
BE A CHANGE AGENT
Understand the steps to
creating change with the current corporate culture in mind.
Pace yourself. Deliver tangible
value early. Create a path to
change with concrete steps.
4
BUSINESS-CENTRIC
VISION
Create a vision; form a strategy. Communicate that vision
to stakeholders in a transparent way. Effectively communicate the right messages to the
right individuals, execute, and
then measure your success.
5
ANTICIPATE THE
CYBER 9/11
Cybersecurity needs to be elevated to an international level;
firms across industries and
governments across regions
must organize for this battle.
They should view it as securing a common cyberborder.
The Wall Street Journal would like to thank
the 2015 sponsors for their generous support
of the CIO Network annual meeting.
1
MAKE IT EVERYBODY’S
BUSINESS
Make sure everyone in your
community—including third
parties—knows what the
boundaries are, what needs to
be protected, and where
there’s room to move. Everyone is a cop on the beat. Everyone is also a target. Build a
comprehensive education
system from top to bottom of
the company that includes
governance that embraces
security at every step.
2
CYBER RISK =
BUSINESS RISK
Categorize what data in your
company is the most critical.
1
BE THE BLACK SWAN
CIOs should think about
how digital disruptors would
approach their industry. Understand how to partner with
the business. Find radically
new revenue models and zerocost supply models. CIOs
should partner with earlystage external entities to find
new business models.
2
10X CYBER EVENT
CIOs should contemplate
a 10x cyber event such as a
solar flare or massive cloud
outage. Continuity plans need
to assume the worst-case
scenarios. Be sure to test to
assure your most important
DON’T HUNKER IN
THE BUNKER
Don’t think of security as the
gate at the end of the process
that restricts innovation. Put
it at the front end of product
development to enable the
solution. Engineer it into every
step of the process.
CO-CHAIRS
Tammy Jeffery, Vice President and Chief Technology
Officer, General Growth
Properties
Lidia L. Fonseca, Chief Information Officer and Senior Vice
President, Quest Diagnostics
4
ANTICIPATE THE
CYBER 9/11
Cybersecurity needs to be elevated to an international level,
which means companies
across industries and govern-
SUBJECT EXPERT
Richard Bejtlich, Chief
Security Strategist, FireEye
assets are safeguarded. Make
sure you have physical
redundancy as well.
CIOs should explore unintended opportunities and
consequences of new technologies, including impacts on
labor.
3
GLOBAL REGULATORY
DYNAMICS
Countries increasingly dictate
where you can store your data
and how you use it. As companies move business elements to the cloud, CIOs need
to partner with government
affairs departments to develop
a plan to navigate the changing regulatory landscape.
4
AUTOMATION OF
EVERYTHING
Automation increases connectivity among new devices.
CO-CHAIRS
Bask Iyer, Senior Vice
President and CIO, Juniper
Networks Inc.
Meg McCarthy, Executive
Vice President of Operations
and Technology, Aetna
Philip R. Wiser, Chief Technology Officer, Hearst Corp.
SUBJECT EXPERT
Salim Ismail, Founding Executive Director, Global Ambassador, Singularity University
CIO NETWORK MEMBERS
(Chief information officers/
chief technology officers, except
as noted)
Rich Adduci, Boston Scientific
Rob Alexander, Capital One
Financial Corp.
Steven B. Ambrose, DTE
Energy Co.
John Applegate, KPMG LLP
Michael S. Bahorich, Apache
Corp.
Simon Benney, Rio Tinto
Robin Bienfait, Chief Innovation Officer, Samsung
Electronics America
Scott Blanchette, Kindred
Healthcare
Keyvan Bohlooli, Ryder
System Inc.
Michael S. Brown, VP, Global
Information Technology,
ExxonMobil Global Services
Tony Buttrick, Flagstar Bank
Robert J. Casale, Massachusetts Mutual Life Insurance
Karen Chamberlain, Western
& Southern Financial Group
Paul Cheesbrough, News Corp
Anil T. Cheriyan, SunTrust
Banks Inc.
Denise Clark, Estee Lauder
Ted Colbert, Boeing Co.
Keith Collins, SAS Institute
Lee Congdon, Red Hat Inc.
Craig Cuyar, Cushman &
Wakefield
Richard Daniels, Kaiser
Permanente
Dale Danilewitz, AmerisourceBergen Corp.
Julia K. Davis, Aflac Inc.
Robert Dickie, Zurich
Insurance Group
Darren Dworkin, Cedars-Sinai
Health System
Mandy Edwards, CBRE Group
Philip Fasano, AIG
Victor Fetter, LPL Financial
Lidia L. Fonseca, Quest
Diagnostics
Sonny Garg, Exelon Corp.
Michael E. Gioja, Paychex Inc.
Stephen J. Gold, CVS Health
Bruce Greer, VP, Strategic
Planning and Information
Technology, Olin Corp.
Celso Guiotoko, Nissan Motor
Suren Gupta, Executive VP,
Technology and Operations,
Allstate Insurance
William Hills, Navy Federal
Credit Union
Gil Hoffman, Mercy Health
Donald G. Imholz, Centene
Sonja Chirico Indrebo, Statoil
Chris Isaacson, BATS Global
Markets Inc.
THE JOURNAL REPORT
© 2015 Dow Jones & Company, Inc. All rights reserved. 3C8308
3
ments across regions must
organize for this battle. They
should view it as securing a
common cyberborder.
THE BLACK SWANS
The Journal Report welcomes
your comments—by mail, fax or
email. Letters should be addressed
to Lawrence Rout, The Wall Street
Journal, 4300 Route 1 North, South
Brunswick, N.J. 08852. The fax
number is 609-520-7256, and the
email address is [email protected].
For more information please visit
CIONetwork.wsj.com.
Make it clear to everyone how
a breach would translate to
business impact.
For advertising information
please contact Katy
Lawrence at 214-951-7137
or [email protected]
Bask Iyer, Juniper Networks
Guilda Javaheri, Golden State
Foods
Tammy Jeffery, General
Growth Properties Inc.
Sheila Jordan, Symantec Corp.
Manish Kapoor, NuStar
Energy LP
Adriana Karaboutis, Executive
Vice President, Technology
and Business Solutions,
Biogen Idec Inc.
David Kardesh, Cabela’s Inc.
Jay Kerley, Applied Materials
Deborah Kerr, Sabre Holdings
Dan Kieny, Black & Veatch
Stuart Kippelman, Covanta
Energy
K Ananth Krishnan, Tata
Consultancy Services
Madelyn Lankton, Travelers
Brian LeClaire, Humana Inc.
Bruce Lee, Fannie Mae
Darryl Lemecha, VSP Global
Robert Logan, Leidos
Robert Lux, Freddie Mac
Krish Mani, JELD-WEN Inc.
Jonathan Manis, Sutter Health
Michele M. Markham,
HD Supply
Gerri Martin-Flickinger, Adobe
Systems Inc.
Meg McCarthy, Executive Vice
President, Operations and
Technology, Aetna Inc.
Kathy McElligott, Emerson
Electric Co.
James M. McGlennon, Liberty
Mutual Insurance
Paul Meller, Dow Jones & Co.
Jamie S. Miller, General
Electric Co.
Cynthia B. Nash, Windstream
Michael Nelson, Amway Corp.
Mike Parisi, Vice President, Information Technology, Illinois Tool Works Inc.
Karen Porter-Wolf, Assurant
Solutions
Banesh Prabhu, Senior EVP
and Group Head, Technology and Operations Group,
Siam Commercial Bank
Larry Quinlan, Deloitte
Bob Quinn, Palo Alto
Networks
Joe Reilly, Zions Bancorp.
Craig Richardville, Carolinas
HealthCare System
Denise Saiki, Lockheed Martin
Michael Sajor, Apollo
Education Group Inc.
Joseph Santamaria, Public
Service Enterprise Group
Glenn Schneider, Discover
Financial Services
Stuart Scott, Tempur Sealy
International Inc.
Tony Scott,VMware Inc.
Clive Selley, BT Group PLC
Mark Settle, IHS Inc.
Janne Sigurdsson, Alcoa
Mark Sims, Vice President,
Business Transformation,
Scotts Miracle-Gro Co.
Eric Singleton, Chico’s FAS
Joseph C. Spagnoletti,
Campbell Soup Co.
Tony Stoupas, Moody’s Corp.
Luis Taveras, Barnabas Health
Tim Theriault, Walgreens
Boots Alliance Inc.
David Thompson, Western
Union Co.
Sri Valleru, Nabors Industries
Ltd.
Sankara Viswanathan, Day &
Zimmermann Group Inc.
Lanpin Wan, LINN Energy
Philip R. Wiser, Hearst Corp.
PARTICIPATING GUESTS
Richard Bejtlich, Chief
Security Strategist, FireEye
Terry Benzel, Deputy Director,
Internet and Networked
Systems, USC Information
Sciences Institute
Amy Braverman, Principal
Statistician, Jet Propulsion
Laboratory, California
Institute of Technology
John T. Chambers, Chairman
and Chief Executive Officer,
Cisco
George F. Colony, Chairman
and Chief Executive Officer,
Forrester Research Inc.
Shuman Ghosemajumder, Vice
President, Product Management, Shape Security
Salim Ismail, Founding
Executive Director and
Global Ambassador,
Singularity University
Chris Patrick, Global Leader,
CIO Practice, Egon Zehnder
Howard A. Schmidt, CoFounder, Ridge-Schmidt Cyber LLC; former Cybersecurity Coordinator and
Special Assistant to
President Obama
Katherine Graham Shannon,
Global Managing Partner,
Information and Technology Officers Practice,
Heidrick & Struggles
Maarten Sierhuis, Director,
Nissan Research Center
Silicon Valley, Nissan
North America
J. Craig Venter, Co-Founder,
Executive Chairman and
Chief Executive Officer,
Human Longevity Inc.
REPRINTS AVAILABLE
FULL PAPER: The entire Wall Street Journal
issue that includes the CIO Network report
can be obtained for $6.50 a copy. Order by:
Phone: 1-800-JOURNAL
Fax: 1-413-598-2259
Mail*: CIO Network
Dow Jones & Co.
Attn: Back Copy Department
84 Second Ave.
Chicopee, Mass. 01020-4615
JOURNAL REPORT ONLY: Bulk orders of
this Journal Report section only may take
up to six weeks for delivery and can be
obtained for $5 for one copy, $2 for each
additional copy up to 50, and 25 cents for
each copy thereafter. Order by:
Phone: 1-877-345-6540
Email: [email protected]
Mail*: Dow Jones LP
Attn: Mailing Operations Dept.
84 Second Ave.
Chicopee, Mass. 01020-4615
REPRINT OR LICENSE ARTICLES: To order
reprints of individual articles or for information on licensing articles from this section:
Online: www.djreprints.com
Phone: 1-800-843-0008
Email: [email protected]
*For mail orders, do not send cash. Checks
or money orders are to be made payable to
Dow Jones & Co.
THE WALL STREET JOURNAL.
Tuesday, February 10, 2015 | R3
C NNECT
Move forward. With confidence.
Every C-level role has grown more challenging, but the CIO role
stands apart for its complexity and ability to impact business
performance. CIOs have to prepare the business for what’s next,
in the face of relentless technological change and spontaneous
market conditions. Let us help you tackle what’s next – through
insights, connections, career support, and services that are
custom designed for CIOs.
Connect with us at www.deloitte.com/us/cioforum
Copyright © 2015 Deloitte Development LLC. All rights reserved.
THE WALL STREET JOURNAL.
R4 | Tuesday, February 10, 2015
JOURNAL REPORT | CIO NETWORK
A Losing
LOSINGBattle
BATTLE
A
Executives see a number of ways to significantly improve their
companies' information security, but most feel that their efforts
are falling short and that they will continue to lose ground to
cyberattackers.
Easier Said Than Done
Gary Fong/Dow Jones (3)
Percentage of surveyed chief information security officers and other
executives who said the following actions would have a significant impact
or be a game changer in reducing the risk associated with cyberattacks,
and the executives' self-assessment grade for each action
‘If you’re a sufficiently interesting target,
you will be breached.’
‘There is much greater awareness of security
at every single level.’
Richard Bejtlich
Shuman Ghosemajumder
deep integration of security into the technology
85 Develop
environment to drive scalability. GRADE C
active defenses to be proactive in uncovering
75 Deploy
attacks early. GRADE C
differentiated protection of most
74 Provide
important assets. GRADE C
information assets and related risks in a way
74 Prioritize
that helps engage business leaders. GRADE Cincident response and testing.
65 Improve
GRADE C+
existing business processes and governance mechanisms,
55 Leverage
with strong linkages to other risk/control functions. GRADE C-
Advantage: Attackers
How the Hacking Scandal
At Sony Changes the Picture
Richard Bejtlich and Shuman Ghosemajumder say the key is
limiting damage rather than preventing attacks
Sony Pictures. The Pentagon’s
social-media accounts. And now
Anthem, the big health insurer.
Is nothing safe from hackers
anymore?
Richard Bejtlich, chief security
strategist for FireEye Inc., a network security company, and
Shuman Ghosemajumder, vice
president of product management for Shape Security, a website security company, spoke at
the CIO Network conference
about what companies might
learn from the spate of recent intrusions to stay a step ahead of
trouble.
Here are edited excerpts of
their conversation with The Wall
Street Journal’s John Bussey.
Timely Detection
MR. BUSSEY: Has the Sony Pic-
tures breach changed the game?
Everybody in this room has been
dealing with hacking incidents,
but the Sony case seems to have
crossed a threshold. And we’re
still not sure how much damage
got done. Is it a paradigm shift?
MR. BEJTLICH: We’re there. And
in the 17 years I’ve been doing
incident-detection response, I’ve
never seen anything like it.
worry about North Korean hackers attacking your company and
destroying data? I would say the
answer is no, unless you’re going
to produce a bad movie about an
assassination.
The lesson you can take away
from this is you need to be in a
position where you can detect
when something bad happens
and stop the bad guy before he
accomplishes
his
mission,
whether it’s stealing data, leaking data, destroying data, changing data, whatever the case is. If
you’re a sufficiently interesting
target, you will be breached.
There is no company or organization in the world that can stop
it, including the U.S. government. We’ve seen that. But you
need to cut off the bad guys before they do what they came
there to do.
Our current research shows
the amount of dwell time—the
amount of time a bad guy
spends in your enterprise before
somebody notices—is a median
of 209 days. And two-thirds of
the time, somebody else tells
you—usually the FBI. We need to
bring that way down.
Greater Awareness
MR. BUSSEY: You’re inside Sony.
FireEye Mandiant is one of the
consultants in trying to fix
things?
MR. BEJTLICH: Right, it’s public
knowledge. Now, what’s unfortunate about this breach is the
techniques that were used are
not particularly sophisticated.
Does it mean everyone has to
MR. BUSSEY: Shuman, are we
stuck with this? You’re going to
get breached, it’s a matter of
mitigation, live with it. Is that
where we are?
MR. GHOSEMAJUMDER: Pretty
much. The problem is that it’s
extremely easy for anyone to become an attacker. And they can
attack from anywhere in the
world. They can compromise
machines from any other part of
the world in order to be able to
make it appear as though the attack is coming from someone
else.
But what I think is fundamentally changing is that there is
much greater awareness of security at every single level. When I
studied computer science, we
didn’t spend a lot of time on security. When I studied business,
we didn’t spend a lot of time on
security.
But now, we’re seeing that every single CIO, every single CEO
in the world, has to have a certain level of knowledge about security and how it affects their
business. And that required level
of knowledge is constantly increasing. So the view of security
is changing from something you
add on to your IT to make sure
you’re mitigating risks, to something that enables IT. You have
to think through it in terms of
any IT system requiring security
being approached in a thoughtful way in order to be effective.
Out of the Wild
MR. BUSSEY: Can you reflect on
what just came out of the White
House, calling for more cooperation within industry, legislation
that alleviates the liability problem that companies would have
in releasing information to the
government if they were cooperating more. Is that behind the
curve at this stage of the game,
or is that a positive development?
MR. GHOSEMAJUMDER: I think it’s
both. Government action in general trails what’s happening in
the technology industry. But I
think it’s incredibly positive to
be able to see this sort of effort
and to hear the word cybersecurity coming out of the mouth of
the president of the U.S. It creates a much more positive environment to be able to invest in
security and to elevate consciousness of security at every
level of an organization. And, as
we’ve seen over the past year,
this is something that really is
now a board-level discussion
that companies are having.
It’s very difficult for any type
of government action or any sort
of law enforcement or legislative
action to be able to protect companies against the types of
threats that they face, especially
from places where that particular government may not have
any jurisdiction.
Whenever you see a new report about a piece of malware
that has been active in the wild
for years before it was discovered, that can’t make you feel
good in terms of how you’re protecting against the effects of
that particular piece of malware
and others like it that you haven’t been able to detect, that
the entire security industry
hasn’t been able to detect yet.
But there are steps you can
take that make you fundamentally more secure. There are different types of security technologies like using transport-layer
security, using two-factor au-
What Business and the Feds
Must Do About Cybersecurity
n How do you believe the relative level of sophistication will evolve for
your institution compared to potential attackers over the course of the
next five years?
69% | The sophistication or pace of attackers
will increase somewhat more quickly than
our own—risk will increase somewhat
17%
17% | The sophistication or pace of attackers
will increase much more quickly than our own—
8% risk will increase dramatically
6% 8% | We will continue to maintain parity with
attackers—the level of risk will remain the same
69%
6% | We will increase our sophistication more
quickly than the attacks, making us safer
n Who could have the most impact in reducing the overall level of
threat associated with cyberattacks in your sector?
18%
16%
23%
11%
32%
32% | Industry and cross-country associations
and standards groups
23% | Regulators and policy makers
18% | Technology vendors
16% | Individual companies and institutions
11% | Law enforcement
n What impact does government regulation have on your ability to
manage cybersecurity-related risks?
40% | It requires a lot of time and effort, but
does not really make us more secure
32%
16%
40%
12%
32% | On balance it encourages us to be more
secure in a helpful way
16% | It makes us less secure by requiring
actions that do not make sense or taking
resources away from higher-priority actions
12% | No/Limited impact
Source: Global survey of 100 executives in 2013 by the World Economic Forum and McKinsey & Co.
The Wall Street Journal
thentication. These aren’t things
that are trying to identify attacks
that you find in the wild and then
trying to mitigate them when you
see them coming in again. They
are things that fundamentally
change your security and IT architecture to make you less vulnerable to attacks in general.
MR. BUSSEY: This question is
from someone in the audience.
What companies are you seeing
that demonstrate the best practices on how to increase security
awareness within the company?
MR. BEJTLICH: The top sectors
that I’ve seen are the prime defense contractors—the Lockheeds, those sorts of companies—partly because what they
do for their own company they
can sell to others. And financial
companies, because they are hit
by everything. They’re hit by
disgruntled activists, they’re hit
by organized crime. They’re hit
by nation-states. Every angle
you could imagine. So the financials have to deal. And they have
a strong risk-management culture.
‘At every board meeting,
cybersecurity should be
on the agenda.’
Howard Schmidt offers advice for all parties
With every report of a highprofile data breach, alarm over
cyberattacks grows, both in
Washington and in boardrooms
across the U.S.
Howard Schmidt, the cofounder of Ridge-Schmidt Cyber
LLC and a former cybersecurity
adviser in both the Obama and
Bush administrations, sat down
with The Wall Street Journal’s
Noelle Knox to talk about what
companies and lawmakers
should be doing to fight threats.
Here are edited excerpts:
Who Do You Call?
MS. KNOX: We asked the CIOs in
the audience how often they discuss cybersecurity with their
boards. Fifty percent said every
Mixed Feelings
CIO Network members weigh in
on government-business
cooperation on cybersecurity
President Obama's proposed
steps to boost cybersecurity
coordination between
government and business:
52% 48%
Would improve
my company's
ability to
protect itself
The Wall Street Journal
Wouldn't
make much
difference for
my company
90 days. Is that enough?
MR. SCHMIDT: At every board
meeting, whether it’s monthly,
whether it’s quarterly, cybersecurity should be on [the
agenda]. If not, you’re going to
wind up in a situation where
you’re having an emergency
board meeting to discuss something that has gone wrong.
You have to have a plan. You
should have general counsel,
public relations, communications, the IT people, the security
people—all of them need to have
a structure in place to be able to
deal with something like this.
MS. KNOX: If a company is at-
tacked, who should they call? Is
there a point person?
MR. SCHMIDT: Clearly, we have
designated in the U.S. government that the Department of
Homeland Security has the role
of coordinating with the private
sector on threats, vulnerabilities
and best practices. So DHS has a
dedicated command center and
everything else to deal with it.
Not everything rises to that
level, and most of the things
that take place are crimes, so
the FBI or Secret Service is involved. But DHS should be the
point of contact. They should
bring in law enforcement and
the intelligence people, as
needed.
MS. KNOX: We’ve got a new Congress this year. If the CIOs here
go back and talk to their government-affairs people to lobby in
Washington, what should they be
asking for?
MR. SCHMIDT: The biggest thing
is what the government is going
to share with companies.
I remember one of the major
financial-services firms about
three or four years ago was intruded upon—a piece of malware
by all accounts. It was held for
109 days before the government
released it.
And I’d sit there and say, “We
have to release this to the other
financial services” firms. They
go, “No, we have the possibility
of a foreign nation involved. We
have criminal investigations going.”
How many people could have
been victimized during those 109
days? Or were they and we just
didn’t know about it? So, the
ability to share information almost immediately, with some
rare exceptions, should be the
No. 1 request. Most of this stuff
is just a matter of, “Watch out
for this IP address. Watch out
for this particular piece of malware. Watch out for this phishing email,” and stuff like that.
The second thing, and this is
my warning to the private sector, if we don’t start telling the
government that we are doing
things, and everybody in this
room is doing something more
than they’ve done, the government is going to continue to look
down the road of how do we
regulate? They’ll start focusing
on critical infrastructure first.
Then they’ll start looking at the
economic world—and not just financial-services companies.
Digital IDs
MS. KNOX: What three things
should the private sector be doing with the government to improve communication and fight
breaches?
MR. SCHMIDT: It’s interesting.
Since 1998, when President Clinton signed an executive order
creating ISACs, Information
Sharing and Analysis Centers,
for all the sectors, we’ve got all
those in place. Not everybody
participates. Not everybody recognizes it. But No. 1 is that’s the
information sharing.
There is an information-sharing bill that was originally put
together by Dutch Ruppersberger and Mike Rogers who just
recently left Congress, but it
doesn’t relieve the liability issues that we need in the private
sector. If we’re sharing information about something that happened, we need to have some
level of protection because we’ve
got customers, we’ve got supplychain partners, etc.
The second thing is the government released a national
strategy for trusted identities in
cyberspace, also known as digital identities. We all know how
to do it. The technology is there.
The government said, and we
were very specific, “this is not a
national ID card. This is not a
driver’s license for the Internet.
We want the private sector to
develop an ecosystem that gives
us the ability to get away from
user ID and passwords.”
The government said, “We
will be your biggest customer.”
I’ve got at least seven government accounts—taxes, Social Security, my VA, and all these
other things—where I have to
create a user ID and account in
the government system. You
shouldn’t have to do that.
So we need to do away with
this whole issue of identity management and really get away
from user ID and passwords.
The third thing, and it’s probably one of the things that’s,
once again, not that difficult, is
using encryption in conjunction
with the digital identity. So, for
example, if we fully recognize
that at some point we can’t protect everything, like somebody
leaving a USB stick somewhere,
we want to make sure that whoever gets it doesn’t have the
ability to do anything with it.
THE WALL STREET JOURNAL.
Tuesday, February 10, 2015 | R5
JOURNAL REPORT | CIO NETWORK
Researchers Study
Mystery of Drivers
‘We need to
understand how
humans behave
on the road.’
Before self-driving cars get
the green light, a lot of hurdles
need to be overcome. To look
more closely at some of those
challenges and explore how this
research may have broader applicability, The Wall Street Journal’s Gabriella Stern turned to
Maarten Sierhuis, an expert in
artificial intelligence, a former
NASA scientist, and now director
of the Nissan Research Center in
Sunnyvale, Calif. Edited excerpts
of their conversation follow.
MS. STERN: A few weeks ago, you
announced a partnership with
NASA, your former employer. Is
Nissan sending autonomous cars
to Mars?
DR. SIERHUIS: Well, it’s easier to
drive on Mars because there are
no humans. But it’s more the
technology that NASA’s been developing for the last decade, autonomous systems, and what
we’re trying to do with autonomous vehicles. They’re very in
sync. I think we can do great research together on this topic.
MS. STERN: Driving has defined a
large aspect of American culture,
and the autonomous car will
radically change that. As the
head of Nissan’s Research Center, you are amassing engineers,
experts in artificial intelligence,
but also anthropologists?
DR. SIERHUIS: Yes, driving is a
very human activity. We need to
understand how humans behave
on the road. How people communicate between cars and bicyclists and pedestrians. I believe
there is a language we can un-
derstand and create to teach the
car how to communicate.
MS. STERN: How do your anthro-
pologists collect data? Do you
put cameras in cars?
DR. SIERHUIS: There are two
ways. One is you put cameras in
the car and try to make it unobtrusive. The other way is just to
stand on a corner and videotape.
I have a fascinating videotape of
an intersection in Amsterdam,
and if you see what happens in
about 10 minutes it will blow
your mind. How people create
this, as we say, “coordinated
chaos” on the road is fascinating.
To teach cars to live within
that and drive within that, we
have to understand how humans
do that.
MS. STERN: Is this related to
what you have been quoted as
calling “human-centered artificial intelligence”?
DR. SIERHUIS: Yes. I call it “human-centered computing.” It is
about understanding how humans behave, and using that to
build computer systems.
I have coined this term “lean
research.” We do not have the
time to spend five, six years
studying what humans do, in order to build technology. We have
to do it faster. So we’re trying
this method where we do observations, we bring in people, we
cocreate, design together, then
create a prototype and test it. It
can be done in simulation, or in
a test track, or maybe even on
the road.
MS. STERN: How is lean research
different from, say, “agile” or
any of these other buzzwords,
describing how to do things
quickly and effectively?
DR. SIERHUIS: It’s a process
where you go into a cycle and
you try to improve as quickly as
possible. You want to get to a
prototype as fast as you can, in
order to test it out.
One of the hardest things for
autonomous vehicles is that it’s
difficult to try it on the road,
when a pedestrian suddenly
crosses the road, when I don’t
anticipate what the car will do. I
can’t try this out. So, we’re creating a simulation environment,
a virtual world of exactly the
roads that we’re driving in Silicon Valley, in which we can test
things very fast. Then, that same
software we can use to now
drive on the same roads. This is
a way we can try to speed up
this research cycle.
MS. STERN: I read a study that
said most Americans are afraid
of the concept of a self-driving
car. Then there are people like
me, who would welcome a selfdriving car because I am a terrible driver. How do you gauge
what the customer will want?
DR. SIERHUIS: This is a very difficult problem, to bring technology changes to the world, where
we actually do not know yet how
people are going to interact and
want to use the technology. [Especially] with something like a
car, this is not an easy thing.
At NASA, we had to study
how people will live and work on
the new forces bearing on the
job of the CIO.
‘The power
is shifting
away from
institutions.’
MR. ROSENBUSH: How does the
company’s technology budget
evolve over the next few years?
MR. COLONY: CIOs should very
knowingly look at their companies’ portfolios and say, “OK,
how much of my portfolio is IT,”
to run the internals of your company, “and how much is BT”
[business technology], the technology, systems and processes to
win, serve and retain customers.
George Colony on ‘BT’ vs ‘IT’
MR. ROSENBUSH: What are some
of the biggest technological challenges companies currently face?
MR. COLONY: I’ve been around for
eons in this business. And the
CIO has had a number of challenges during decades of my career. [What’s happening now] is
not a technology change. This
isn’t going from mainframe to
mini computers or mini computers to PCs or PCs to client servers. That was all internal stuff.
We’re in what we call “the Age
of the Customer,” where the customer is now using technology
to price precisely, to be able to
critique your products precisely
and publicly. And, to be able to
buy anywhere. This is kind of an
amazing statistic, but according
to our data, 18% of U.S. consumers now buy outside of the U.S.
once every three months. The
power is shifting away from institutions, toward the customers.
And that’s really the sea change.
That’s really the big deal that’s
happened now. And those are
MR. ROSENBUSH: There’s a real
integration of the CIO with the
other members of the leadership
team. But your research shows
that everyone isn’t so good at
that. What are the obstacles?
MR. COLONY: To an extent, it’s really about language. I talked
about going to your staff meeting and every time the word
“customer” is mentioned, thinking about your enterprise architects and your head of application development and whether
they really have an awareness of
and a view to the customer.
So it’s really about language,
number one. Two, it’s about the
people who work for you. Do
they have the actual ability to
think about the customer. Three,
it’s the ability to think in models
not about the internals of your
company, but how the customer
is actually thinking about you.
A NEW DAY
How businesses are reacting to the power of consumers
Spending Shift
Keeping the Customer Happy
Business spending on technology is shifting toward
more of a focus on customers, as opposed to
operational needs.
Businesses are determined to make shopping
online a better experience.
n Percentage of all technology spending by U.S.
businesses and governments on products and
services that help win, serve and retain customers
35%
30
of business leaders say improving
74 percent
the customer experience is a high or
critical priority.
OK
(65-74)
42%
10
’11
’12
Source: Forrester Research
’13
’14*
’15*
’16*
’17*
*Forecast
BEHIND THE WHEEL
Executives at the CIO Network conference were asked the
following questions about driving.
n Do you think you're
a better driver than
an autonomous car?
No
65%
Yes
35%
n How often do you text while you drive?
(Be honest!)
2%
2% | Always
22%
12%
24%
39%
12% | Often
24% | Sometimes
39% | Rarely
22% | Never
The Wall Street Journal
MR. ROSENBUSH: Our sense is
that the market is moving faster
and faster. There’s more data.
For most companies, unless they
were created recently, their DNA
is based in something a bit older.
So how do you catch up?
MR. COLONY: I’ve always said to
CIOs, “Look, if you work for a
CEO who doesn’t get it, then
quit. Go work for somebody
else.”
MR. ROSENBUSH: What distinguishes the CIO environment
right now?
MR. COLONY: As I like to say, you
are now in the pockets of your
MS. STERN: Because of so many
of the contingencies?
DR. SIERHUIS: We call it socially
acceptable driving. It has to do
with the rules of the road, the
culture that you’re in. It depends, place by place. And so if
you create very difficult intersections, it’s going to be very
hard for an autonomous vehicle
today to negotiate that.
But if you’re driving on the
highway and you’re driving
straight, I would say that the car
is probably faster in its reaction
time and knowing how to handle
situations more safely than we
as humans do.
customers all the time. You’re always with them, 24 hours a day.
When they need you, if you are
there for them, they will love
you.
If you are not there for them,
they will doubt you. If you’re not
there for them a second time,
they will drop you.
WALL STREET CAPABILITIES.
MAIN STREET SENSIBILITIES.
We created Regions Securities to provide
small- to mid-cap companies high-quality
service and advice from talented, relationshiporiented bankers. That means your business
gets our dedicated “A Team” every time.
Our capital markets experience and deep
resources enable you to receive creative,
customized solutions tailored to meet
your company’s strategic and financial
objectives. From capital raising in the
debt and equity markets to mergers and
acquisitions advice, our bankers can set
things in motion for your company. It’s time
you got the attention you deserve.
Terry Katon
Executive Managing Director | [email protected]
11%
10%
Very poor
(0-54)
1%
Poor
(55-64)
5
0
2009 ’10
MS. STERN: Do you think you’re a
better driver than an autonomous car?
DR. SIERHUIS: I think at the mo-
ment, most reasonable human
drivers are still better than autonomous vehicles. And this is
not because we can’t get to autonomous vehicles that are better. It depends on what situation
you are describing. So, if I show
you this video about this intersection in Amsterdam, I could
guarantee you that I am better
negotiating that intersection
than any autonomous vehicle
that is right now on the road.
Excellent
(85+)
20
15
will learn where this fine balance is between autonomous or
driverless, or autonomous on the
highway versus autonomous in a
city, autonomous self-parking
versus autonomous self-parking
in a parking garage.
n Forrester Customer Experience Index scores for
175 large North American brands in 2014
Good
(75-84)
37%
25
Mars with robots. We did that
by going to the desert or the
North Pole for a month, trying to
live like we would live on Mars
to find out what the issues are.
With autonomous driving, it’s
the same thing. We need to get
to the point where we can try
this on the road in a safe way to
experience what it means. Then,
if we can get customers or people in the cars, that’s where we
MR. ROSENBUSH: How much typically is devoted to BT right now?
MR. COLONY: If you look at tech
spending in the U.S., it’s about
$1.1 trillion in the year 2015. Of
that number, about $780 billion
is IT and about $250 billion is
going to be BT. So it’s about a
75-25 split. It really depends on
what industry you’re in. If you’re
in the food industry, you’re going to have a much higher IT. If
you’re in retail, you’re going to
have a much higher BT.
CIOs Face the ‘Age
Of the Customer’
Technology has put more
power than ever in the hands of
customers, and businesses ignore
this at their peril, says George F.
Colony, chairman and chief executive of Forrester Research Inc.
The Wall Street Journal’s Steven
Rosenbush interviewed Mr. Colony about business technology in
“the Age of the Customer.” Edited excerpts of the conversation
follow.
Gary Fong/Dow Jones (2)
Maarten Sierhuis on the road to autonomous cars
Sources: Priority figure, survey of 2,958 global business leaders
conducted by Forrester Research January through April 2014.
Customer Experience Index, Forrester survey of 7,538 U.S.
consumers in the fourth quarter of 2013.
The Wall Street Journal
Corporate Banking | Capital Markets & Advisory Services | Dedicated Industry Experience
© 2015 Regions Securities LLC. Investment banking and business advisory services are
offered through Regions Securities LLC, 1180 W. Peachtree St. NW, Suite 1400, Atlanta,
GA 30309. Member FINRA and SIPC. Regions Securities LLC is an affiliate of Regions Bank. |
Regions and the Regions logo are registered trademarks of Regions Bank. The LifeGreen color
is a trademark of Regions Bank.
Investment and Insurance Products:
Are Not FDIC Insured | Are Not Bank Guaranteed | May Lose Value
Are Not Deposits | Are Not Insured by Any Federal Government Agency
Are Not a Condition of Any Banking Activity
THE WALL STREET JOURNAL.
R6 | Tuesday, February 10, 2015
JOURNAL REPORT | CIO NETWORK
Why Most Firms
Better Get Moving
‘I think in this next
decade, IT will be
in vogue again.’
John Chambers has been chief
executive of Cisco Systems, the
world’s largest maker of datanetworking equipment, for 20
years. Although Cisco’s annual
revenue has grown to more than
$47 billion under his watch, the
company’s core networking business is now facing threats from
lower-cost competitors.
Mr. Chambers sat down with
The Wall Street Journal’s senior
deputy technology editor, Scott
Thurm, to discuss the intense
digital disruptions facing all
companies.
Here are edited excerpts:
Back in Vogue
MR. THURM: Last year, you said
almost in passing that the role of
the chief information officer is
going to change more in the next
year than it has in the past five.
Can you tell the CIOs here what
you meant by that?
MR. CHAMBERS: If your CEO was
[at the World Economic Forum]
in Davos, I guarantee you that
the No. 1 thing on his or her
mind is how to make your company a digital company.
No. 2 is the “Internet of everything” and the capability of
sensors, etc. It has exploded. It’s
going to change every country
and every business. It’s also
about fast innovation, which
means fast IT, and then it’s
about security.
But almost every company
coming out of Davos said, “I’m
not moving fast enough. I have
to become a digital company
first, a physical company second.”
If that’s on the CEO’s mind,
then guess what? That’s on the
CIO’s mind. I think in this next
decade, IT will be in vogue
again. It will be centered all
around these new concepts, and
the role of the CIO can change
dramatically.
MR. THURM: Your CIO is Rebecca
Jacoby. How has her role
changed at Cisco in the last couple of years?
MR. CHAMBERS: Every company’s
future is going to depend on
whether they catch the market
transitions right. Forty percent
of the companies in this room
won't exist, in my opinion, in a
meaningful way in 10 years unless they change dramatically. So
getting market transitions right
is the first issue, and obviously,
digitization and the Internet of
everything is at the front of that.
The second is don’t stay doing the same thing for too long.
That’s the second thing that
causes a company to fail. You’ve
got to move into market adjacencies, and bring what you
learned back to your core capability. GE is doing that remarkably well.
The third thing, and this is a
tough one, you must reinvent
Gary Fong/Dow Jones (2)
Cisco’s John Chambers on digital disruptions ahead
yourself—as a CIO, as a CEO and
your company. Most companies
struggle do that, especially the
more successful ones.
And then there is the pace of
change. We’ve changed more at
Cisco in the last 12 months than
at any time in our history. It’s
Becky’s job to make sure she
leads in this.
Making Data Meaningful
MR. THURM: The amount of data
we’re going to be creating from
Internet-connected devices is going to increase exponentially.
How are the CIOs of the world
supposed to manage all that
data?
MR. CHAMBERS: This is something CIOs need to lead in. It’s
very simple. It’s getting the right
data at the right time to the
right device or right person so
they can make the right decision.
That means the role of the
network is going to change dra-
matically.
Contrary to a lot of people’s
views on big data, I think the
majority of the data will actually
be analyzed and acted upon at
the edge of the network. And if
you write your applications
right, they can run in the cloud,
they can run in your data center,
they can run in the [wide area
network], they can run right all
the way to the edge. It will
transform business at a tremendous pace.
WORK IN PROGRESS
A look at how far CIOs have come in expanding their roles, what skills they're focusing on and what they see for themselves in the years ahead.
Still on the Periphery
Focus on Leadership
Ambition vs. Perception
17%
CIOs cite several management skills more often than technological skills
as being crucial to their success. The area cited most as being in need
of improvement: communication and influencing skills.
Where CIOs see themselves in five years, and where other C-Suite
executives see them
Other C-suite
executives
CIOs
of CIOs are members of their company's executive
leadership team
n Percentage of CIOs who say they have strong engagement with the
executive management board on these issues
n Percentage of CIOs saying each of these is a key attribute for
the position
Discussing IT budgetary issues and infrastructure management
Leadership skills
81%
67%
CEO
13%
Other C-Suite position
31%
Bigger CIO role,
within the company
or elsewhere
13%
Communication and influencing skills
Discussing IT's role in business transformation
79%
64%
Analytical approach and organizational skills
Providing facts as a basis for strategic decisions
77%
52%
63%
Project and change management skills
Participating in strategic decision making
74%
43%
33%
Happy to stay
in current position
13%
Other
Technological skills and know-how on IT trends
Discussing business performance and challenges
36%
64%
Source: Ernst & Young 2012 global survey of 301 CIOs and others with ultimate responsibility
for the IT function in their organizations, as well as 40 C-suite executives not within the IT
function
The Wall Street Journal
42%
of CIOs say improvement in their communication and
influencing skills is very important
It’s a Whole New Data Game
Amy Braverman on the need for new methodologies
Companies are getting a flood
of new data from customers,
vendors and the factory floor.
What are some ways to think
about big data—and to reduce
uncertainty when building a
business strategy around it?
The Wall Street Journal’s
Scott Thurm spoke with Amy
Braverman, principal statistician
at the Jet Propulsion Laboratory,
who comes up with ways to analyze and make accessible troves
of information from NASA’s
space-borne instruments.
Here are edited excerpts of
their conversation.
‘Data collection
is so different
than it used
to be.’
Making Sense of It All
MR. THURM: What do you do
when you don’t have all the
data, or it’s not all neatly organized?
DR. BRAVERMAN: Two things.
Data collection is so different
than it used to be. Spacecraft are
collecting information on thousands and thousands of variables
about the health of the Earth
and the atmosphere. Freeways
have built-in sensors, so you can
go to your smartphone and see
how many people are getting on
at your on ramp and getting off.
The supermarket, every time you
scan something, it’s going into a
database.
This opportunistic data collection is leading to entirely new
11%
kinds of data that aren’t well
suited to the existing statistical
and data-mining methodologies.
So point number one is that you
need to think hard about the
questions that you have and
about the way that the data
were collected and build new
statistical tools to answer those
questions. Don’t expect the existing software package that you
have is going to give you the
tools you need.
Point number two is having to
deal with distributed data.
There’s been a lot of work done
on distributed computing, where
you have a computation, and you
want to farm the computation
out in pieces, so that you can get
Big Challenges
Percentage of surveyed IT and business leaders listing each of
these factors as one of their organization's top hurdles or
challenges with big data
Determining how to get value from big data
65%
Risk and governance issues (security, privacy, data quality)
32%
Obtaining skills and capabilities needed
30%
Integrating multiple data sources
30%
Integrating big data technology with existing infrastructure
29%
Defining our strategy
28%
Funding for big-data related initiatives
25%
Source: Gartner Inc. survey of 302 IT and business leaders in June 2014
The Wall Street Journal
it done faster. What do you do
when the data that you want to
analyze are actually in different
places?
There’s lots of clever solutions for doing that. But at some
point, the volume of data’s going
to outstrip the ability to do that.
You’re forced to think about how
you might, for example, reduce
those data sets, so that they’re
easier to move.
What We Don’t Know
MR. THURM: One of the projects
that you work on is dealing with
satellite capture data of CO2
concentrations in the atmosphere.
DR. BRAVERMAN: The satellites
we work with are in polar orbit,
which means they are flying
from north to south and then
back up the backside of the
Earth. A satellite that’s in polar
orbit with the Earth turning underneath it is always going to
cross the equator at the same
time every day. I think for CO2,
it’s 1:30 in the afternoon.
If we want to draw conclusions about the global distribution of carbon dioxide, we have
to know that the data we’re collecting pertains to 1:30 in the afternoon.
Plants breathe. And they exhale. Typically, they’re doing
photosynthesis during the day.
At 1:30 in the afternoon, the
plants are going to be sucking up
a lot of carbon dioxide.
It would be a mistake to draw
a conclusion about the global
distribution of carbon dioxide,
based on those data, for all
times of day.
You have to be aware of the
biases that may be imparted to
the data that you have, relative
to the data you wish you had.
Percentages may not add to 100 due to rounding
18%
3%
5%