Netswitch

Payment Card Processors Hacked in $45 Million Fraud

Steve King — Tue, 14 May 2013 04:09:59 +0000

U.S. federal prosecutors indicted eight people accused of running a vast carding scheme.

IDG News Service - A vast debit card fraud scheme that allegedly netted US$45 million has been linked to the hacking of credit card processors in the U.S. and India.

Federal prosecutors in New York indicted eight men on Thursday whom they accuse of a scheme centered on raising the limit on prepaid debit cards and then withdrawing the cash from ATMs.

“In such operations, hackers manipulate account balances and in some cases security protocols to effectively eliminate any withdrawal limits on individual accounts,” the indictment reads.

“As a result, even a few compromised bank account numbers can result in tremendous financial loss to the victim financial institution,” it said.

Payment card processors are typically expected to comply with the Payment Card Industry Data Security Standard (PCI-DSS), a code of best practices created by the card industry designed to prevent hackers from obtaining card details.

In one example, the hackers raised the limit on 12 accounts at the Bank of Muscat, based in Oman. The account details were obtained through a U.S. credit card processor, which handles Visa and MasterCard prepaid debit cards. It was not identified in the indictment.

The account numbers were distributed to people in 24 countries, who encoded the account details onto dummy payment cards that could then be used in ATMs. Around Feb. 19, the Bank of Muscat lost $40 million in less than 24 hours as the people made withdrawals.

A single card’s details was used around New York City for an astounding 2,904 withdrawals, amounting to $2.4 million, according to the indictment. The same number was used in other withdrawals worldwide for another $6.5 million.

The Indian credit card processor, which was also not identified, held the details for prepaid Visa and MasterCard debit accounts with the National Bank of Ras Al-Khaimah PSC in the United Arab Emirates.

The limits for five of those accounts were increased, and the card details send to people in 20 countries. More than 4,500 ATM withdrawals were made, causing $5 million in losses, the indictment said.

The defendants are charged in U.S. District Court for the Eastern District of New York with conspiracy to commit access device fraud, money laundering conspiracy and two counts of money laundering.

Choosing the Best Path to Eliminate Network Vulnerabilities

Steve King — Sun, 05 May 2013 19:37:00 +0000

Vulnerability Management (VM) should not be taken lightly, especially in an era with growing threats every day and an ever increasing cost of risk management. There are lots of tools and vendors with exaggerated claims of success and service. Be careful to choose the ones who have a proven track record of success.

The choice of what solution you implement for VM will directly affect your company’s actual state of security and overall compliance. As you weigh options for each step of VM, consider these tips

1. Automate as much as you can. Many of the steps to vulnerability management are repetitive and applied to all networked devices in the enterprise. Manually doing these tasks consumes an enormous amount of time and resources. Regulatory requirements may require your company to extend VM to suppliers, business partners, and channel representatives. There’s no way you’ll have enough budget and people on staff to do all these steps manually. Automation is a must – and not only for affordability and economies of scale, but also to ensure that VM is done in a rapid, systematic, and comprehensive manner. It’s one of those cases where machines are better than people!

2. Use solid, safe technology along with a proven vendor. With VM, we’re talking about preserving the safety and security of your network, applications, and data. Don’t skimp on the technology or the consultants required to do the job right. And be especially careful about implementing experimental, unproven solutions into your VM system. When it comes to your business network, systems, and data, safer is better than sorry. Stick with VM technology and a vendor that has a solid track record and broad experience in the user community.

3. Chose a solution that grows with your business. Change is the only certain aspect of business, so check out a proposed VM solution’s ability to scale as your organization’s requirements grow more complex and demanding. It’s one thing to secure a few machines or a small department; it’s another to coordinate VM with multiple departments, divisions, business units, and independent business partners – domestic and global.

Watch Out for Those Open Ports with Your Coffee!

Steve King — Sun, 05 May 2013 04:21:07 +0000

For those who frequently use the free public Wi-Fi in coffee shops such as Starbucks and Dunkin’ Donuts, you’re likely already aware of how easy it is for hackers to steal your personal and financial information over the shared network.

But what you may not realize is how cybercriminals could gain access to sensitive data in other ways that might not be on your radar.

According to ThreatMetrix, a provider of cybercrime prevention solutions, some hackers even leave malicious USB drives on tables for curious customers to plug into their devices. This allows them to retrieve personal information and even social network passwords. Although this may seem unlikely, ThreatMetrix says the scenario actually occurs.

Cybercriminals can also use video cameras on a mobile device to capture what you’re doing nearby. This means if you are entering your credit card or email login information into a smartphone, you could be recorded doing so.

More sophisticated techniques include network scanners, which detect open ports on a device connected to the network, and “hotspot honeypots” which intercept a user’s Internet connection and give full access to that network.

Here’s a look at what to keep your eyes peeled the next time you settle into a coffee shop:

Complex Password Policies Are Creating Havoc in the Workplace.

Steve King — Thu, 02 May 2013 04:05:15 +0000

More than half of us say that we can’t remember all our passwords. Which makes sense, given that almost a third of all companies require their employees to remember six more more of them.

Cloud identity management company Ping Identity says that between the six or more corporate passwords and all the personal passwords that we maintain, the average person has to remember 15 passwords. That’s probably a recipe for disaster, given the total information onslaught we face every day, which is why the majority of us — 61 percent — re-use passwords from site to site.

That’s what security companies call “password negligence,” and the results are costly.

Too many passwords and not enough memory contributes to 39 percent of all malicious hacking attacks, which can cost large enterprises $5.5 million each.

One solution, of course, is corporations requiring users to change their passwords every 30 to 60 days. That’s more secure, theoretically, but people often re-use an old password. Or, worse, if they’re worried they won’t be able to remember the new password, they may write it down.

The end result, unfortunately, can be less security than before the change.

Check this out:

A Shift to the Consumerization of Information Technology

Steve King — Mon, 29 Apr 2013 18:28:52 +0000

How to Become the CIO of a New Generation

Users’ demands that they be allowed to use technologies of their own choosing isn’t a fad that will fade. CIOs can’t squelch these demands—nor should they. The consumerization of IT is a symptom of a shift in workplace expectations that has been brewing for years and is now reaching an inflection point.

A Shift in the Relationship

The “consumerization of IT”—defined as the use of technologies that can easily be provisioned by non-technologists—is a hot topic among CIOs these days. Many IT leaders like to think that today’s challenges from users to allow iPhone, iPad, and Android devices instead of corporate-sanctioned BlackBerry or Windows Mobile smartphones, or to overlook departments deploying software-as-a-service (SaaS) applications, will diminish as users tire of their novelty. Microsoft’s Windows 8 is also likely to encourage the company’s huge user population to use cloud and cross-device data-sharing, to use personal apps, and to use tablets for both business and personal purposes. Perhaps IT leaders believe that like PCs in the 1980s, IT will eventually corral them.

But those views are wrong. Today’s consumerization of IT trend is the culmination of a fundamental shift in the relationship between employers and employees—especially professionals—that began four decades ago. This shift has only now worked its way into the world of enterprise technology. It’s apparent to PwC that employees’ demands to use their personally preferred mobile devices, personal computers, applications, social media, and cloud services represent a transformation in the relationship between the typical IT organization and the business as a whole.

Netswitch believes that, unfortunately, most CIOs are missing this larger trend because they view the problem as simply a question of what, if any, additional endpoint hardware and software technologies IT will support and what management, security, and compliance controls to put in place should it decide to do so. These CIOs and their IT organizations are, at best, reactive: they agree to support an employee-supplied device or application after some group has pressed its will, and then manage by exception, adjusting policies to each new circumstance.

The shift that’s happening now is dramatic, and many CIOs are stuck in the middle. On the one hand, the individuals who make up organizations are wanting to be empowered and saying, ‘I should be able to use these tools that make me more productive,’ while on the other side, it’s not the CIO but the IT staff who are very accustomed to doing things in a very controlled and closed kind of way.

To be successful, CIOs must be proactive. They must accept the inevitability of the consumerization trend and prepare for it by rethinking how they run IT. CIOs must forge new, collaborative relationships with users, give them freedom to make IT decisions, and teach them how to assume responsibility for those decisions. They must also rethink IT architecture and controls to focus on controlling—or loosening controls on—information, rather than enforcing hardware and application standards.

This paper explains the fundamental drivers of IT consumerization and shows how the CIO can embrace that force for the good of both the enterprise and the user.

An Expression of a Deeper Shift in Workplace Expectations

The consumerization of IT is really about societal change. It’s easy to blame vendors for the consumerization of IT. Blame Apple for inventing the iPhone and adding enough enterprise support to make executives refuse to take no for an answer when they want to use iPhone devices at work. Blame Facebook, Twitter, and Google for creating social and collaborative technologies that, once entrenched in employees’ personal lives, became appealing for business. Blame salesforce.com for selling directly to business unit executives, intentionally bypassing IT, with the promise of fast, hassle-free deployments.

Blame the inventors of hypertext and web browsers who created the ability for individuals to get information from anywhere. Go back even further, and blame Microsoft and Apple (again) for creating the PC ecosystem that, 30 years ago, started it all by letting people become familiar—even skilled—with computer technology at both work and home.

The blame game misses the point, however, mistaking the manifestations of change for the underlying phenomenon. These technologies have expanded user expectations and abilities, and empowered users to act on their own. The fact that technology has become so personal and so easy to personalize encourages employees’ desire to have “their” technology. Meanwhile, new capabilities can be provisioned at such low cost that individuals and business unit managers become encouraged to deploy trials quickly and, if they work, to expand them quickly. And because technology is so readily available to them, employees can often figure out how to bring it in whether or not IT approves—a dramatic change for many CIOs and their approaches to technology management and compliance.

But technology developments haven’t caused the consumerization of IT. Consumerization of IT is an expression of a deeper shift in workplace expectations, especially among employees.

We believe that its roots lie in the social upheaval of the 1960s and 1970s that ushered in the notion that diversity is a positive force and that individual empowerment is good for business and society alike—ideas that stemmed from the shift in Western society after World War II. Soldiers returned home, but instead of going back to their farms or small towns, they moved to cities and suburbs, bought houses, and went to work for large companies.

These trends then gave rise to corporate structures, work processes, management styles, and the work ethos that endure today. The added impetus for diversity and individual empowerment transformed the workplace even further, and by the 1980s resulted in flatter organizations with less middle management.

In the same era, companies began to adopt quality circles and participative management approaches, leading to the rise of the contingent, distributed, and flexible workforce in the 1990s. In the 1950s, employees expected and relied on a long-term commitment to an employer. Now, in a new century, it’s becoming more common for employees to be “nomads,” preferring contractor status and taking responsibility for their own careers.

The Democratized Workplace

Employees wanted to feel like they were contributing meaningfully to their organizations—to have the workplace democratized. Companies had to put processes in place that let workers participate in decisions. And that’s when the total quality management and quality circles began to evolve.

Customers began co-creating products. We moved from the linear manufacturing management of a product to a kind of integrated chaos that was about the people. And because the pace of change continues to increase, we’ve moved even further down that integrated chaos line.

That “integrated chaos” is now the norm at many companies. As a result, companies place greater emphasis on the value of individual contributions in professional jobs—promoting a meritocracy—as well as provide commensurate freedom of action. With freedom comes responsibility, but modern management gives professional workers lots of autonomy.

The Workplace is Being Democratized.

At the same time, the typical work environment no longer rigidly separates work and personal activities. As employers expected employees to be available as needed, companies created the infrastructures for mobile and work-at-home scenarios. That, in turn, led companies to allow personal activities at work to compensate for the loss of personal time outside of normal business hours. It shouldn’t be a surprise that employees want just one cell phone and the ability to use the tools they prefer across all their environments. Work tools have been democratized, too.

Now the tail end of the baby boomer generation that transformed the workplace is giving way to the next generation of managers who have ingrained expectations that they will control their work environment. And they now have direct access to the technology that lets them do so.

This evolution can be neither controlled traditionally from the center nor ignored as inconsequential. Some of the social dynamics underpinned by the changes in technology will fundamentally change the way that we view the world and the way that we interact. If CIOs understand this context, they can create a more positive and supportive engagement with employees who insist on having “their” technology.

The CIO Challenge: Forging an Adult Relationship with Users

The fact is that personal computer technology is now entering its fifth decade—the late baby boomers and younger employees grew up with this technology, and many have never lived without it—and so people are more savvy about a wider range of technology than technology managers often give them credit.

It’s true that some employees don’t care about the technology they use; IT can provision these employees as before. But the ones who view technology as an extension of themselves will use their preferred technologies regardless of rules and guidelines to the contrary. CIOs need to engage them rather than have them fired or held to account, because they’re the same forward-thinkers who are likely to identify emerging business opportunities for the enterprise.

Many in IT seem reluctant to accept the existence of this new breed of employee; jokes about users correcting errors by using White-Out on their screens persist to this day, and “stupid user” stories remain crowd-pleasers in technology publications.

It’s true that most employees don’t have a sophisticated understanding of what technologists do. Employees are likely to be naïve about the work that goes on behind the scenes to make consumer technologies so effortless to use. And fewer understand the implications of supporting personal technology choices in a networked, process-oriented environment or the issues involved with integrating them with existing applications and infrastructures.

But that’s no reason to protect employees from themselves as if they were babies trying to walk. CIOs need to forge an adult relationship with users. Like parents guiding adolescents, CIOs need to give users the knowledge and tools to make their own decisions and the room to make some mistakes—or risk poisoning their relationship. More independent users may take actions that CIOs and IT managers are not always comfortable with. But if the CIO doesn’t let users do so, they’ll never learn. Either the CIO will be stuck with a demanding infant forever—or with a teenager who gets more brazenly defiant as he or she chafes at restrictions. Neither outcome serves the CIO or the business.

This “parents of teenagers” mind-set is a difficult adjustment for many CIOs and IT managers, who are responsible for making sure nothing bad happens because of IT. Failure to ensure functioning business processes, compliance, and security has resulted in IT leaders being fired.

The role of the teenager, meanwhile, is difficult for many employees who believe they are more mature in these areas than they really are. But part of learning is exposure to consequences; as we all know, taking responsibility for our mistakes is a significant part of growing up.

It follows that employees—individually and as members of business departments—need to be held accountable for their behavior with technology, so that with the freedom they desire to directly deploy technology comes the responsibility to at least cause no harm to the company.

But all business leaders, not just the CIO, must accept such a paradigmatic change. It’s not just the CIO’s conundrum. It’s really management in general. Many company management teams cannot conceive of or perceive how their employees think about these social or collaborative processes enabled by the Internet platforms. They did not grow up with them and are simply scared to death of relinquishing control of the processes to the masses.

Business executives faced with relinquishing control may take the attitude that inmates are taking over the asylum. But employees are not inmates, and thinking of them that way is a sure path to failure. Yet CIOs rightfully fear that business staff will forget their promises when the novelty of controlling their own technology wears off or the burden of doing so becomes clear. When organizations execute change, most problems come from a lack of clarity about goals, roles, and process or the lack of a strong and supportive performance practice that includes rewards and consequences.

How CIOs Benefit from the Consumerization of IT

As employees and business unit leaders become more familiar with technology details, they will undertake more of the effort of putting together solutions for their individual and group business processes. That may seem like a loss for IT, but it’s not. After all, the business units will not undertake the end-to-end focus on processes that extend across multiple business units and even enterprise boundaries. It is the end-to-end enterprise view that the CIO role will need to protect—and for which the CIO becomes better positioned when not focused on the tactical management of endpoints.

There will still be a need for infrastructure provisioning to serve the requirements of all business units, as they don’t have the skills—nor the interest—to do so effectively.

IT organizations will retain the duty to build and manage the internal IT infrastructure and the externally provisioned services for enterprise applications (such as in a hybrid cloud approach)—even those that run at the business-unit level. But the CIO’s focus and mandate becomes more strategic: execute key business initiatives while enabling analytics, information exchange, and other activities that leverage the assets of the enterprise as a whole. And the relationship with the business units becomes one of strategic adviser and best practices counsel, not perceived bureaucratic impediment. That relationship truly propels the CIO into the position of executive leadership that so many seek.

A New IT Architecture for a New Business Relationship

Many CIOs and IT leaders blanch at the thought of employees creating or adopting a rat’s nest of technologies that are poorly integrated, used in ways that create compliance and security risks, and eat up precious IT resources in an effort to contain the damage.

One reason for the fear is ignorance. Netswitch sees only a small number of CIOs who both understand the value of IT consumerization and know technology well enough to understand the implications of giving users more control from the security and compliance point of view.

CIOs who have extensive business experience but little technology experience are apt to underestimate the management and security issues when trying to accommodate the consumerization of IT, whereas CIOs who have had a strong operational focus tend to let a risk-avoidance mentality thwart legitimate flexibility. In both cases, the business suffers.

Any CIO who was professionally active in the early 1990s will remember the difficulty IT organizations endured to centralize and integrate the mishmash of technologies deployed by business departments in the years following the rise of the PC. It took more than a decade to rationalize organizations’ technologies and supported processes—an investment CIOs don’t want to see thrown out or to repeat as individuals and business departments assert technology ownership again.

Ironically, that will be exactly the result if CIOs try to treat the consumerization of IT as a contagion to be stamped out or quarantined. Studies by Aberdeen Group and others show that such heavy-handed control both drives up costs and increases risks as employees work around corporate sanctioned systems.

Netswitch also believes that treating the consumerization of IT as a contagion will only isolate the CIO and the IT organization, driving IT into an operations-only ghetto that is at the greatest risk of being automated and outsourced (whether to the cloud or traditional vendors).

Conversely, we believe that a willingness to embrace, or at least tolerate, consumerization will help CIOs effectively support its legitimate aspects and, even more importantly, increase the strategic value of the CIO role to the business.

The role of the CIO is not to manage IT systems. Rather, it is to help the business understand the information architecture that underpins its activities and, with business leaders as partners, to document, clarify, optimize, and reengineer business processes. In this role, the CIO has domain control over how the information used in those processes is stored, networked, and managed.

Part of that architecture rethink must involve many of the security and compliance policies and their expression in infrastructure choices that some IT professionals say are important to managing IT consumerization. The policies and technologies owned or managed by IT are part of the problem. It seems like most enterprises have IT infrastructures that reflect pre-Internet architectures and that are not well suited to meet the needs and expectations of interoperable, Internet-oriented architectures. These outdated architectures inhibit the very agility, collaboration, and coordination that consumers experience on the Internet and desire to use in the enterprise.

Within a new, open approach to devices and services there remains a requirement for CIOs to ensure that information is captured, organized, and secured but available to all the employees who would potentially use that information. Letting users choose their own technology will create considerably more streams of information, which is ultimately good for the enterprise.

The challenge for CIOs is to ensure that relevant systems and data continue to meet the standards of care and use for which IT continues to be responsible.

For example, IT will need to provide access to data that resides in core applications (such as enterprise resource planning [ERP] and customer relationship management [CRM]) and to ensure that new information generated in the now open environment finds its proper place in the enterprise information architecture. The traditional approach of a master database administrator—to enforce the architectural standards and data element definitions—must be modified toward a more flexible set of approaches.

These flexible approaches should allow data to be captured or created outside the formal database processes, but be integrated by means of common definitions and standards. This type of dynamic, organic approach should replace a formal upfront control approach to database architecture.

Although there’s no silver bullet that can deliver this result, we see frameworks emerging for CIOs to explore and adopt. The sooner you investigate them, the sooner you can turn the consumerization of IT phenomenon into a positive for yourself as CIO and for the organization you serve.

A Framework for CIOs in the Era of Consumerized IT

If you’re willing to accept that employees who want to use their favorite technology and related local processes should be given the opportunity, how do you safely and effectively provide that opportunity?

The methods Netswitch recommends are “soft” ones meant to address the social shift underlying IT consumerization. Although you’ll no doubt create formal IT frameworks—for example, to determine security policies and methods for ensuring compliance with them—responding to consumerization with only technical policies and their related tools misses the point. Just as a user’s desire for an iPhone or a Mac or OpenOffice is a manifestation of the underlying social shift that has occurred in the workplace, so too are choices of mobile management tools and data plan reimbursement levels manifestations of IT’s behavior changing to align with that social shift.

Thus, to address that larger context, Netswitch has identified seven approaches that can help you shape your decisions about how IT will support consumerization.

1. View requests for support of personal or departmental technology as an indication that there is an opportunity for better results

It’s critical that you accept that the value of any technology may be in the eye of the beholder. Given that the business units are accountable for their success, they should get to judge that value. In other words, if the result of letting the business units use technology of their choosing is no worse than neutral, adopt a “let’s see if we can support that” approach.

The conversation at work is always about productivity, not technology per se. The IT organization should help users determine whether what they want to do truly solve a problem. Ask users how a technology they want will help them, what their ultimate goal is, and what obstacles prevent them from achieving it, and how their technology choice would change things.

Then ask yourself whether your current IT organization is positioned for, and has the skills to support, the technologies and processes that IT consumerization requires. Although the highest levels of competence in some emerging technologies may reside among users, the enterprise IT team must have at least a working knowledge of these technologies to ensure they can be integrated into the enterprise environment.

In addition, new approaches to software development, deployment, and maintenance must be learned. And, though often overlooked, it’s important for the personal, social, and political skills of the IT team to shift from command and control to become service oriented.

2. Promote the concept of shared ownership

The shared ownership approach is gaining traction in the mobile context, where employers let employees choose smartphones and tablets and use corporate resources if those choices can be managed consistently with IT security and management policies and processes.

In essence, in the shared ownership model, IT gets access to and appropriate control over the device to manage corporate applications and data, and the user gets control and rights to the device to install personal applications and access personal communications. Modern tools allow such co-management, but the real advantage is that this shared ownership approach reinforces the responsibility that the user or department assumes when it chooses technology, encouraging good behavior. For example, falling victim to a phishing attack on a personal smartphone might result in remedial actions, such as having enterprise data remotely erased or losing access to the corporate virtual private network (VPN).

Another issue in the shared ownership model is who pays for user and department-requested equipment: IT, the department, and/or the employee. This is an accounting question, not an IT one, although IT may need to install the technology to manage the centralized accounting of these business-unit-approved individual expenses.

Accounting for devices is another area where the IT management mind-set must shift from complete control to controlling only what is essential. The overall responsibility for the integrity of systems and data remains with the CIO regardless of how you partition work and responsibility for consumer devices and applications. You do not need to clean up the control issues that emerge, but you do need to ensure that users deploying new systems follow the guidelines you have put in place.

That is part of the new responsibility that goes with their new freedom. You should work with your organization’s external auditors to determine and influence how they will assess IT in their work to accommodate consumerization. Do not accept the traditional standards of control, which hold IT fully responsible for what happens to user devices, and be prepared to establish new approaches and tools.

3. Assume heterogeneity

Whether the motivation derives from personal preferences or pursuit of actual business advantages, often multiple tools are available that are effective for a task or process. So why be limited to just one? For the IT organization, an assumption of device and application heterogeneity forces an architectural mind-set that is based on policies and processes, not specific technologies. Heterogeneity drives the architecture toward principles such as loose coupling that are themselves good things to strive for in support of enterprise agility.

Heterogeneity suits the times. Technologies change, vendors come and go, the business grows through acquisition or changes through divestitures, and business processes adapt to market and other forces. Support for heterogeneity allows you to easily adapt to new applications and deliver new capabilities.

The Extensible Business Reporting Language (XBRL) is a good example of a heterogeneous approach. It provides a flexible framework inspired by the ease of use and ubiquity of the web’s markup language to create a standardized approach for sharing, processing, analyzing, and presenting business information and related attributes. Information can be integrated across an organization while letting local business units use applications and technologies that work best in their local context.

This style of collaborative, loosely coupled, orchestrated framework would apply equally well to other corporate processes—including IT processes—that involve heterogeneity. Enterprise architecture, technology architecture, service-oriented architecture, and IT Infrastructure Library (ITIL) version 3 also use similar concepts. The bottom line is that methods are available to support heterogeneity in a business-appropriate manner.

4. View information systems as an onion

To view technology as a monolith, with each layer managed and controlled the same way, is folly. For this reason, policies are key to effective technology usage, allowing IT to manage the various devices, applications, and data across the many layers of the technology onion. Some require more control or security than others. Policies based on role, information type, and other key factors let IT ensure security and execute compliance across technologies commensurate with the risk for each factor.

Some organizations have taken one step in this direction by differentiating core and non-core activities, enabling users and departments to experiment outside the core enterprise systems (such as ERP) and data sets, while regulating the interaction of any such information systems and the data they generate with those core systems. This separation helps set the stage for a broader architectural change that abstracts information and processes from the tools and systems that act on and create them, and it formalizes the notion that non-IT employees are partners in choosing and managing the organization’s technology and information systems—two key steps in adapting to IT consumerization.

5. View control as a means to an end, not the end itself

Dealing with empowered individuals and co-ownership of technology processes likely sounds very messy to many CIOs, especially those who have been focused on operational efficiency, repeatable processes, and control-oriented compliance and security.

The key is to control only assets that are meaningful to control or what is legally required. Such assets may include information covered by privacy regulation, company trade secrets, and data related to transactions that need a validated audit trail or, in some more regulated situations, a precise chain of accuracy.

Whether by inclination or necessity, many CIOs have assumed the burden of control for the company—for control of business processes, outcomes from those processes, compliance, and security—and they assume that they must control anything new. Whether this approach stems from, at best, an attitude that “father knows best” or, at worst, the pretensions of a martinet, it’s misguided.

Control is hardly the sole province of the CIO. Traditional management has long treated people as mechanical cogs, using various methods (some rewarding, some not) to enforce repeatable, machine-like activity. Although changes in management approaches since the 1970s have loosened such control in many knowledge-work environments and in some factories, it persists in many service and manufacturing industries—from fast-food service to call center operations, from truck delivery to food processing.

Most managers are well trained in the linear predictability that makes for efficient, consistent operations. That’s only half the skill set needed to effectively control the consumerization of IT. Organizations have linear predictability and product consistency on one side, which is necessary to run a business, and then there is this need for the integrated chaos that’s people. That’s where the notions of policies, risk and reward assessment, rewards, and consequences come into play.

Because you may need to adjust your policies along the way, it’s also necessary to be a learning organization. You need to have in place a method to learn from the experiment and then apply that going forward.

6. Focus on intellectual assets first

As the locus of corporate computing has left corporate buildings and campuses, the notion of protecting information assets by using boundary security at the physical perimeter makes less and less sense. And this notion of protecting the physical perimeter is evaporating for more than just security.

Given today’s mix of employees, contractors, suppliers, and cloud-based services, business processes transcend boundaries. Thus, the business architecture a CIO manages, facilitates, and secures needs to start with information. A business process leverages and manipulates information assets. That’s what the intellectual property is in an organization.

For the CIO, this approach puts the emphasis on the “I”—information—in his or her title. We are now looking at distributed data systems, many of which are outside of the organization’s data systems, so the very idea of not having a standardized application or a standardized piece of hardware will be a nonsense argument in the end.

We need to get to the point where we can validate the use of information sets. If we start to define the boundaries not as an infrastructure, not as a network, and not as a particular device, then really the boundary is any information data set. Intellectual property can, for example, be standardized and thus managed more securely. The ModelWare platform at Morgan Stanley and the EDGAR Online I-Metrix system at the Securities and Exchange Commission update work processes that were characterized by thousands of electronic spreadsheet files and their inconsistent manually developed formulas created ad hoc by each user. To prevent such inconsistency, I-Metrix uses standard formulas and presentations—as part of an intellectual property library managed at the enterprise level—to enable collaboration among analysts. SEC analysts now use I-Metrix to review every company report for anomalies and accounting issues, ensuring consistent review despite the variance in skills and focus of each analyst.

More and more chief information security officers (CISOs) understand this context for managing information assets, rather than endpoints. That should encourage CIOs who want to move the organization beyond the traditional endpoint homogeneity that is upended by the consumerization of IT trend. The question is not ‘How do we bludgeon everyone to death to use the same application?’ but ‘How do we manage risk using the plethora of applications that we have, and how do we manage data at the data level independent of the application, or the platform, or the hardware that it sits on?’

We foresee technologies such as data loss prevention and digital rights management being useful to manage valuable information assets, although these technologies are in their infancy today. But we also suggest that part of taking advantage of the consumerization of IT is to know when information assets don’t need protection.

Sometimes, the value of an asset comes from being exploited for value creating activities. The shift in the music industry, whose “protect the product at all costs” approach resulted in massive piracy that threatened the industry’s businesses is a great example; now, a more flexible ecosystem involving a blend of digital rights management and open usage has emerged and the industry has at least stabilized.

The valuing of information assets isn’t an IT problem. This is a business problem, and CIOs alone cannot drive this mind-set change toward greater flexibility, even if IT can play a strong role in enabling it: It can lead, it can cajole, it can manipulate, it can demonstrate value-add—IT does that anyway.

7. Remember, IT consumerization isn’t really new

Consumer technology has lapped at the enterprise shores for years. It used to be that photocopiers and fax machines were closely guarded, highly managed technologies; today, they are typically available for self-service. PCs were once limited to use by specialty workers, until they were adopted by almost anyone with a desk. And more importantly, the processes facilitated by each new technology became democratized as well.

It is reminiscent of going from desktop publishing as a department in an organization to where everybody in the company knows how to use PowerPoint. Or from when the finance folks were the only ones who knew how to use Excel, whereas now everybody’s responsible for their own spreadsheets. Graphic design is another example. When people started to use those design tools themselves, the concern at that time was, ‘Oh my God, branding’s going to go out the window.’ But business units and employees adapted, through standards, policies, education, and, yes, trial and error. The same is true of the technologies that IT owns today that are becoming democratized.

CIOs Must Embrace a Democratic Management Approach

A clear split divides those who are using the consumerization of IT as an opportunity to reinvent the CIO agenda. Some are now partnering very aggressively with the business, whereas others wish for the 1990s and are in complete denial about the change under way. The dot-com bust caused many to stop thinking of technology in only heroic terms, diminishing the value of CIOs at many organizations. Then came the recession and its big squeeze on technology innovation.

Now there’s the consumerization of IT, which for many is the final straw in a period of ongoing turmoil among the CIO ranks. Netswitch has never seen so many CIOs looking to leave their current jobs because the role is no longer suitable for them, either because the role has turned into a “keep the lights on” role or because the role has become too transformational and they want comfort.

Ironically, the consumerization of IT could lead to both outcomes. It could push IT into the core and away from the business in some organizations. The trend also could challenge the CIO to be a transformation champion, leveraging the tech-savvy parts of the business and redefining the role of IT at the same time to one of stewardship more than operations. Netswitch believes the latter is necessary for most organizations, or will be in the coming years, but we know that the trail is still being blazed and the destination itself is more a hope than a certainty.

CIOs must get in front of the consumerization trend. Ultimately, we have more faith in the core business principles adapting to technology, than in technologists trying—in essence—to run the company through controls. Consumerization isn’t, ultimately, about technology management, and CIOs who think it is are fooling themselves.

Certainly, tools and practices will emerge that facilitate better management, security, and control of end-user technologies such as PCs, mobile devices, applications, and cloud-provisioned services. But those tools will be effective only if they work in the real world of users who have high expectations. The fact that the US military and the National Security Agency have decided that such consumerization of IT is not only inevitable, but can be supported, sends a strong message to CIOs in all industries that a new context for managing IT is emerging. Even a major security breach attributed to consumerized IT won’t stop this trend in its tracks, because employees’ demands to be listened to and trusted as an IT partner—to be empowered—are getting stronger with each generation.

Humans will be unpredictable, and managers of any type—particularly IT managers and CIOs—will need to embrace this and educate themselves about it. Because of the power that people now have, organizations can’t possibly make them widgets. They’ve almost become free agents within the system because in their quest for ever-increasing productivity, companies have empowered them so much.

So the way to be successful as a CIO is to accept that fact.

New research in the psychology of work and in the neuropsychology of response to change helps show how. What it boils down to is understanding and managing the self in terms of how do you respond to the necessity of inclusion, of collaborative decision making, of collective intelligence—that emotional intelligence piece that moves to understanding others.

Investing in that kind of management and collaboration is essential to success in a workplace that seeks to get the most value from its employees’ varied strengths. And it’s essential for the CIO to be effective as more than a technology implementation and operations leader. If companies spending enough time building the human side of their organizations, establishing trust, understanding what each other’s talents are; having that emotional intelligence or social intelligence, and then having a tolerance for mistakes, is really what this type of innovation requires.

Some CIOs are naturals at such management. Many are not and will need help—plus a senior IT management team that (a) accepts that the consumerization of IT is really about making people productive and (b) has the skills to manage an environment where diversity is the rule. It comes down to being politically savvy and having good skills and leadership and risk management. And, that’s easy to say and hard to do. But expect it to be expected in the next few years.

Netswitch sees many organizations in the throes of this shift, dealing with it in a range of ways, from denial to embrace. Most organizations, though, are reactive. They’ll roll out a less restrictive mobile policy after salespeople and some managers each buy their own iPhone. Or they’ll turn a blind eye to the marketing team when it adopts a social networking tool, as long as no harm apparently occurs.

We recommend that CIOs—and business management as a whole—be proactive instead. Rather than wait for rebellious employees to flout the rules, recognize that heterogeneity of technology is a strategic imperative and start deciding now which information assets must be controlled, standardized, and dictated. To do so, ask questions about which information needs to be protected, and in what processes and forms. Find out which tools—whether applications, devices, or services—are truly not interchangeable with others.

Determine the domains in which users may be allowed to succeed or fail on their own because they bear the consequences and responsibilities for their actions, as well as gain the value of learning from their experiences. And figure out which risks require which levels of oversight and direct management.

Then map out the education, information architecture, and policies you need so you can adopt the new workplace order of individual empowerment and diversity—before you end up implementing them as a patchwork of exceptions. Getting ahead of consumerization will not only align your technology and management systems to the human reality, reducing friction, but it will also put you in a stronger position to lead technology and the business as a whole.

It won’t be easy, and like those organizations that reworked their hiring, promotion, schedule, and training policies in the past few decades to accommodate the diversity of employees and their individual circumstances, you may make some mistakes along the way. But the companies that led the way in shifting the approach to human resources management attained better results than those who resisted or ignored what employees wanted and needed to become more productive, happier contributors to the company’s success.

LivingSocial’s Breach Underscores What We’ve Been Saying.

Steve King — Mon, 29 Apr 2013 04:32:11 +0000

The cyber attack Friday on the Internet deal site LivingSocial that forced it to reset the passwords of some 50 million users has elements of what’s becoming an all too familiar storyline.

Along with the names, birth dates, and email addresses of some of the site’s users, the intruders also accessed those users’ passwords.

The passwords could have been used to access user accounts on LivingSocial, but the online deals firm says it doesn’t believe any accounts have been compromised.

Neither was the database containing credit card information touched. However, if a hacker compromised a user’s account, they could still run up charges on the payment card associated with that account.

.

Secure enough?

Since LivingSocial hashes and salts passwords stored on its system, any data thief will have to work to unscramble the passwords.

“Hashing” involves scrambling the password with an algorithm. That hash is then “salted” with random characters to make it even more difficult to crack by an unauthorized party.

How difficult they are to crack is a subject of debate. LivingSocial used a hashing scheme called SHA1, which some in security circles feel is too weak to withstand the kinds of brute force attack that can be mounted by a byte bandit today.

Now that hackers are having their way with a batch of those passwords, LivingSocial is taking its security measures another step. The company says it is hashing its stored passwords in a stronger algorithm based on Blowfish called bcrypt.

No matter what algorithm is used to hash passwords, however, it won’t do any good if the keys to decode the hash are also stolen with the passwords—although there’s no evidence of that yet in the LivingSocial case.

Moreover, since all users reset their passwords, theoretically, the old passwords won’t do the byte bandits any good at LivingSocial. The problem is, many users reuse passwords from site to site, so while those old passwords won’t work on LivingSocial, they may work on others.

Two-factor authentication urged

This latest break-in is just another argument for introduction of two-factor authentication everywhere. We’ve been saying this for the past year.

“More websites need to use items like the two-factor authentication that Google uses,” says Brian Laing, vice president for marketing and business development for AhnLab, a security solutions provider headquartered in South Korea. . ”That way if [hackers] do get your password, they still need to authenticate via phone to use the account from a new laptop or desktop.”

Another worrisome issue about the LivingSocial attack is that information that should have been encrypted wasn’t, said Mark Bower, a vice president with Voltage Security.

“Identity information, email addresses, and dates of birth are potentially sensitive in combination—particularly in cases where password resets are based on ‘secrets’ like date of birth, maiden names, and so on as the answer to an identity verification question,” he wrote in an email to TechHive/PCWorld.

He explained that the data stolen from LivingSocial could be used at other sites to compromise a user’s account using the site’s password verification systems.

“Given that the organization went to the trouble of encrypting passwords, then why didn’t they extend that to the rest of the data?” he asked. “To hear of another breach of this extent with clear data being exposed of any kind, when its trivially simple to avoid it by using data-centric protection, is alarming.”

Alarming, indeed. We are continually surprised at how casually most of our prospects take password, or for that matter, most all security issues these days. Amazing.

Mobile Security Screw-ups Worth a Half Million Dollars … EACH!

Steve King — Wed, 24 Apr 2013 01:09:55 +0000

$429,000 per year for mobile computing security mishaps is a compelling number

We thought this was a great article and one which underscores our focus on a growing problem and a concern that should be on the top of everyone’s CXO list of things to worry about. But, why isn’t it?

If mobile security isn’t on your mind, you are either not reading enough news, you are a Blackberry device user, you are a “It won’t happen to me” type, or you are a phisherman, scammer or malware proliferator. Mobile security is at or near the top of everyone’s security lists. As it should be. Mobile security is muddied by a lot of vendor hype and marketing confusion. What do you believe and whom should you believe about mobile security? The answer, I’m afraid, is “it’s complicated.” It must be more complicated than I ever anticipated because I’ve been told that the $429,000 number “isn’t compelling.”

Symantec’s State of Mobile Computing Survey (Jan 2012) found the following loss information related to mobile computing security incidents:

“The average annual cost of mobile incidents for enterprises, including data loss, damage to the brand, productivity loss, and loss of customer trust was USD$429,000 for enterprise. The average annual cost of mobile incidents for small businesses was USD$126,000.”

If those numbers don’t readily compel you, then maybe this additional fact will: Those amounts result in diminished profits and, as the survey says, “damage to the brand.” How can you put an exact value on brand damage?

Symantec makes the following statement in its Recommendations section of the report:

“Organizations that choose to embrace mobility, without compromising on security, are most likely to improve business processes and achieve productivity gains. To this end, organizations should consider developing a mobile strategy that defines the organization’s mobile culture and aligns with their security risk tolerance.”

Mobile security is at or near the top of everyone’s security lists. Here’s further proof of that sweeping generalization:

“Mobile adoption is not without risks, and IT organizations recognize this challenge. Approximately three out of four organizations indicate maintaining a high level of security is a top business objective for mobility and 41 percent identified mobile devices as one of the top three IT risks, making it the leading risk cited by IT.”

Sure, companies probably have insurance against these kinds of losses, but the payments are very high too. But do insurance companies pay off if the investigation finds that the company was negligent in security training for its employees, for providing insufficient security for mobile devices, or for not protecting its employees in BYOD scenarios?

Thus far, we haven’t been able to locate an insurance expert capable of answering that question.

With mobile security at the top of the security risk list and losses due to security incidents nipping at the half million dollar mark, can I mark you down as “compelled” by these facts?

Maybe you’re one of the people who is confused by what you read concerning mobile security. Maybe you’re one of those who is confused by vendor hype and marketing fluff. You don’t know which way to turn for honest answers about mobile security. I know it’s confusing. I know there’s a lot of FUD surrounding security in general and mobile security specifically. But you don’t have to be confused.

Symantec offers some general strategies for those who have jumped into a more mobile workforce. But here are some specific, detailed suggestions to enhance your mobile security.

Implement a multi-pronged approach to security. Firewalls, mobile device management software (MDM), endpoint security, and monitoring will prevent a majority of security risks.
Educate your employees. Informed employees who are aware of security issues are safer employees who aren’t likely to cause security incidents that cost you a lot of money.
Enlist security training for IT staff. You’d be surprised by the number of IT professionals who don’t have a clue about security threats to your network. Statistics coming soon to illustrate this.
Hire a third party security consultant. More than 90 percent of security breaches are found by third party security consultants.
Draft a mobile security policy. Whether you issue mobile devices to your employees or allow them to bring their own devices, you need a written policy. It’s part of your due diligence in reducing risk.

Security is an “off the top” expense. Budget for it. And just to be safe, have a contingency plan in case of a security breach. It’s the equivalent of an emergency response plan in case of a natural disaster (and I am sure you have one of those). Have your security consultant draft this plan and run through drills for it. It’s just as important as those annoying fire drills and backup/restore checks that you perform on a regular basis. You do have those, don’t you?

The average annual cost for mobile security incidents in enterprises is USD$429,000 and USD$126,000 for SMBs. Can you really afford not to be compelled by those numbers? The CXOs in your company should be, if you’re not.

By Ken Hess for Consumerization: BYOD

Our National SAP Practice Manager Discusses SAP HANA and Supply Chain Performance Management

Steve King — Fri, 19 Apr 2013 20:38:52 +0000

Kurt Steele has extensive experience in Supply Chain Solutions with SAP, and is a certified SAP HANA consultant. Kurt’s SAP project management experience is centered on the implementation and management of business improvement projects, performance improvement turn-around strategies, and difficult technical projects.

Kurt says, “Supply chain costs account for an incredible 60% to 90% of overall expenses, playing a significant role in bottom line performance. Typically, supplier and procurement managers spend a great deal of time on tactical and operational issues to ensure day-to-day operations are not affected by supply problems. The quickly changing complexities of the supply network often lead to reactionary behavior, with the hot issue of the day dictating the focus. And, it doesn’t have to be this way!”

Kurt’s experience in verticals such as Telecommunications, Consumer Packaged Goods, Technology, and Automotive, has taught him that, “Companies with global reach source materials, manufacture products, and sell goods and services around the world. Because of the unpredictable nature of global networks due to human and natural causes, companies are vulnerable to endless risks, from fluctuating economic conditions to international conflicts and natural disasters. The earthquake that struck Japan in March 2011 was a good example. The quake disrupted the manufacture and distribution of Japanese-built automobile components, affecting car builders and dealers around the world and contributing to an industry slump in production and sales. And, we saw that first hand at Tenneco.”

“One of the most effective ways to combat that risk is to look to the SAP Supply Chain Performance Management application running on SAP HANA. It can really help companies manage their supply chain more effectively and become more responsive. Companies can track performance, diagnose bottlenecks, and uncover opportunities in real-time and react accordingly, dramatically improving their supply chain performance.”

Kurt’s SAP experience includes leading complex projects for Hewlett Packard, Nestle, Vodafone, Telstra, T-Mobile, South Africa Telkom. Utilx, TriValley Growers, Sunsweet, Rayovac, and Tenneco Automotive. He also has led teams to implement ERP systems for the SME market with Apptivo on the HP Cloud.

“Often, companies misalign targets due to the lack of understanding the actual impact of the supply chain activities on the whole enterprise performance, lacking timely visibility into end-to-end operational processes such as order to cash and daily surprises and way too much firefighting due to a complete lack of proactive insights.”, Kurt says. “The benefits of SAP HANA can be extraordinary. Improved supply chain performance always results in reduced costs. For those looking for hard dollar savings, I have known companies who estimate that a 5% reduction in supply chain spending can increase net income by over 40%. And, that’s worth going after.”

Prior to joining Netswitch, Kurt spent 10 years as the National Practice Manager for Endymion Systems, a certified SAP partner, with over 50 consultants in their SAP Practice, and prior to that, he was the Practice Leader for Whitman-Hart’s Western US SAP Practice, as well as their thought leader for SAP HR and BW.

Spotlight on the Consumerization of IT

Steve King — Wed, 17 Apr 2013 04:29:35 +0000

In 2012, 55 percent of employees viewed work related data on their personal mobile devices, and the numbers are only rising. Consumerization is an unstoppable trend. The question is not whether or not to adopt it, but how to approach it. Here is what you need to know to get started.

What is IT consumerization?

Many people define IT consumerization as using your personal mobile device at work, but more accurately, IT consumerization is the reverse trend of technology being designed for personal use making its way into the enterprise. Of course, this includes when employees use their personal smartphones or tablets in a business setting, referred to as Bring Your Own Device (BYOD).

However, the consumer technology employees use at work is not limited to hardware. For instance, companies are increasingly using social media to reach their audience, are using Gmail as their email service, and are sharing information over Dropbox. All of these things are consumerization, and they are changing the way companies operate by taking control away from IT.

How does IT consumerization work?

Consumerization works in a number of ways. The most common form of IT consumerization is when people use consumer technology, such as smartphones and tablets, for work related activities. This can include checking a work email account, updating your calendar or reading work files on your personal device.

Additionally, employees are reaching out to clients and each other using software made for personal use. They are chatting with consumers over Facebook and Twitter, posting how-to videos on YouTube, using Skype to speak with colleagues across the country or across the world and sharing files over Google Docs and Dropbox. A Forrester study has shown that employees are going to use these technologies with or without their company’s consent, so it is best to get IT involved early to ensure that company data stays secure.

How much does IT consumerization cost?

IT consumerization can cost a company more than you might think. An Aberdeen Group study found that an organization using 1,000 mobile devices spends an additional $170,000 annually when employees bring their own devices to work. This is partially due to the enterprise reimbursing employees on average $10 more for the wireless voice and data plans than the company would spend if it purchased the plans directly.

Other costs include purchasing a mobile device management platform and the labor costs for IT to set up and manage employees’ personal devices to the company’s system. In fact, the annual cost for an IT department to manage smartphones is expected to rise 48 percent this year, from $229 in IT labor costs per user in 2011 to $339 in 2013.

What does the enterprise need to know about IT consumerization?

The bottom line about the consumerization of IT is that there is no stopping it. Even though consumerization creates more work for IT professionals, the enterprise needs to find ways to support it to keep data secure and employees happy.

Once IT has managed to get the risk of consumerization in check, the enterprise can start exploring the multitude of ways that consumerization can be used to the enterprise’s advantage, internally by keeping employees more connected to each other and to their work, and externally by keeping the enterprise connected to its customers. Despite its risks, the consumerization of IT can be a huge advantage when used correctly.

What are the benefits of IT consumerization?

The consumerization of IT has several benefits, including keeping mobile workers connected, keeping the enterprise in touch with consumers through social networking, keeping workers who prefer to have their personal devices with them at all times happier, and increasing productivity. Employees are more accessible with the increasing adoption of IT consumerization, blurring the lines between work time and home time, making employees more likely to work while out of the office.

In fact, a Good Technology survey shows that some employees are working almost an entire day extra each week away from the office. Consumerization is also creating an environment of self-support among users. Instead of always going to IT for help, employees are turning to each other for assistance. Consumerization has outward advantages as well. Take Best Buy as an example: the company is effectively using Twitter as a customer care service. Twelpforce, its Twitter account manned with over 3,000 employees, acts as a real-time help desk. Consumers are on social media, and expect the companies they work with to be there, too.

What are some disadvantages of IT consumerization?

The consumerization of IT is risky. Company data, shared over multiple forms of software and accessed on multiple devices, is less secure. Risk is also increased because IT is losing control over the technology employees are using. A Forrester report conducted last year found that 37 percent of employees are using consumer technology without the permission of their IT department. Examples include employees communicating with clients directly over Facebook, sharing information over Google Docs and posting videos to YouTube on ways customers can fix problems themselves.

While all of this can be good, it opens to door to decreased security and bigger risks. Also, with all the information that is now stored on personal mobile devices, the enterprise faces substantial risks if those devices are lost or stolen. In fact, a recent study by Symantec found that 83 percent of people who found a lost smartphone would attempt to access sensitive corporate data on it. To mitigate these risks, IT has to be on board with consumerization so that it can secure and monitor employee activity and devices.

How do I get started with IT consumerization?

The first choice managers have to make is whether they want to purchase devices for their employees, provide employees with an allowance to purchase their own devices, or allow employees to use their personal devices at work. Next, businesses have to develop company policies regarding consumerization, which can include determining what apps employees can download on devices with sensitive company data.

Without a clear plan on how a company will approach consumerization, IT will lose control over what employees do. An Osterman Research White Paper found that among companies with 1,000 or more employees, only 54% have a BYOD strategy, reducing IT’s ability to manage those devices. Next, managers should decide upon a mobile device management (MDM) solution, one that will secure and manage employees’ devices, ensuring that mobile devices are password protected and can be wiped remotely if lost or stolen. It should also be able to track mobile device usage by the applications it accesses and data it attempts to read while it is operable within the enterprise.

Additionally, using a comprehensive MDM strategy ensures that organizations have a unified network that all devices work on, even when using multiple mobile operating systems.

How do I ensure that my consumerization strategy is secure?

The best way to ensure that your consumerization strategy is secure is to employ a mobile device management (MDM) solution. These platforms allow organizations to secure, monitor, manage and support mobile devices such as smartphones and tablets. A good MDM solution will require that mobile devices are password protected, that they can be wiped remotely if they are lost or stolen and, in some cases, will limit what apps employees can download onto their phones, and also monitor the mobile device’s usage within the enterprise.

IT also has to monitor the other ways in which employees are using consumer technology. That means having well thought out company policies regarding social media, cloud computing and other consumer technologies, and may include providing employees with company approved alternatives to consumer software.

The key is finding a middle ground where company data is secure but where employees will also have the freedom to use technology effectively. To achieve this, educating employees about best practices for using consumer technology is key.

What do users need to know about IT consumerization?

Consumerization has many advantages for users, but some distinct disadvantages that employees need to be aware of. Paramount among them is the loss of control. Since consumerization presents certain risk to the enterprise, employers are increasingly requiring that IT have access to user’s devices. This means that companies can dictate to users which apps can and cannot be downloaded onto their devices and that the enterprise can wipe the device remotely if it is lost or stolen, potentially removing all personal photos and data along with company data.

This also results in a loss of privacy, since the enterprise can monitor what users are doing on their personal devices. While this is a concern for many users, the bottom line is that management doesn’t want to know everything you are doing on your mobile device, just that which relates to company data. And the benefits of consumerization for users are great. Users have the freedom to work on a device of their choosing and the flexibility to work away from the office.

All of this must be carefully thought out and effectively communicated to employees and it begins with clear, reasonable policies and extensive training.

What are some good resources for learning about IT consumerization?

There is no shortage of information out there on the consumerization of IT and it can be a hassle sifting through it all. Netswitch will continue to cover the topic throughout 2013 and will continue to strive to keep you up to date on everything that is happening in the world of IT Consumerization as it matures and develops. Happy BYOD!

The Consumerization of IT- The Next-generation CIO

Steve King — Sat, 13 Apr 2013 03:31:26 +0000

The “consumerization of IT”—defined as the use of technologies that can easily be provisioned by non-technologists—is a hot topic among CIOs these days. Today’s consumerization of IT trend is the culmination of a fundamental shift in the relationship between employers and employees—especially professionals—that began four decades ago. This shift has only now worked its way into the world of enterprise technology.

To be successful, CIOs need to be more proactive. Accepting the inevitability of the consumerization trend and preparing for it by rethinking how they run IT. CIOs should consider forging new, collaborative relationships with users, giving them freedom to make IT decisions, and teaching them how to assume responsibility for those decisions. And rather than enforcing hardware and application standards, they’ll need to rethink IT architecture and controls to focus on controlling — or loosening controls on — information.We will explore this topic in depth throughout the remainder of the month and feel free to download white papers as they occur on our site or subscribe by contacting us.