Playbook –

Summary: CIO Playbook

Podcasts:

 CIO Playbook Episode #10: Cyber Security Awareness Month | File Type: audio/mpeg | Duration: 29:47

In this episode I discuss Cyber Security Awareness Month and how global espionage is changing the nature of corporate security.

Cyber warfare and espionage are changing the way IT has to secure corporate environments. Technology has given new opportunities to us all, leveling the playing field in industries far and wide. And it is expected to continue to do the same as more countries leverage inexpensive technology to execute their agendas against others.

Thor Olavsrud, in his article on CIO.com titled “Security Arms Race Heats Up, But IT Battles Back against Attacks,” says, “We are in the midst of what is essentially a security arms race, with cyber-criminals constantly seeking new and better ways to attack systems while organizations shore up their defenses.”

Warfare is changing as well. Now it is economic and cyber. We have observed the emergence of espionage and cyber attacks conducted by countries in the pursuit of their own interests.

The outstanding article written by Kim Zetter for Wired Magazine, How Digital Detectives Deciphered Stuxnet, the Most Menacing Malware in History, outlines Stuxnet, “known as the most complex malware ever written—a piece of software that would ultimately make history as the world’s first real cyber-weapon.” A weapon so powerful it targeted machines that were not even connected to the Internet, transmitting itself via USB memory stick between machines. To accomplish this, many more machines were infected than the intended target, meaning there was potential for collateral damage as the malware spread. It was only discovered when an infected machine started to malfunction, calling attention to the situation.

Wikipedia defines a zero-day attack as an attack that exploits a previously unknown vulnerability in a computer application, meaning that the attack occurs on "day zero" of awareness of the vulnerability. This means that the developers have had zero days to address and patch the vulnerability. Zero-day exploits (actual software that uses a security hole to carry out an attack) are used or shared by attackers before the developer of the target software knows about the vulnerability. Zero-day vulnerabilities can be purchased on the black market and can cost from $50,000 to $500,000.

Stuxnet leveraged 4 zero-day vulnerabilities: the LNK vulnerability, print spooler vulnerability, Windows keyboard file vulnerability, and task scheduler file vulnerability.

Flame has multiple components designed to conduct different espionage via infected systems: taking screen shots of email and instant messages, stealing documents, and turning on microphones or video cameras to record information near the device.

Low Orbit Ion Cannon: LOIC performs a denial-of-service (DoS) attack (or when used by multiple individuals, a DDoS attack) on a target site by flooding the server with TCP packets or UDP packets with the intention of disrupting the service of a particular host. People have used LOIC to join voluntary botnets.

Obfuscation techniques: change the coding just enough to make it difficult to detect and identify.

The development of exploit toolkits also is beginning to expand geographically, he said. Most toolkits are created by people in Russia and Eastern Europe. However, a small but growing number of toolkits are coming out of China, though they are less sophisticated and might not have all the features of other malware, such as complex user interfaces, Web administration tools or control panels. However, it is an indication that the money that can be made via Web exploit toolkits is fueling interest worldwide.

Every release by a government entity engaging in cyber espionage into the wild can be quickly reverse engineered and decomposed by smart developers, turning the very weapon used by the military into a civil weapon against corporations.

Kim Zetter in the article on wired.com, Flame and Stuxnet Cousin Targets Lebanese Bank Customers,

 CIO Playbook Episode #9: Disaster Recovery Planning | File Type: audio/mpeg | Duration: 37:13

CIOs and IT leaders have many responsibilities; however, one of the greater challenges is developing an effective disaster recovery plan. In this episode I share some thoughts on how to get a solid plan in place.

What is a disaster?
- Pandemic
- Access to the building
- Fire
- Water
- Power outage
- A regional event
- Power outage
- Weather (hurricane, snow, ice, and earthquake)
- Terrorism
- Systems
- Catastrophic bug
- Security breach

Start with system ownership
- Business owner: Ownership is important from the business side in determining priorities for recovery and checking systems
- IT owner: Ownership is important from the IT side for knowledge base. This translates to ensuring applications are up to date and patched on a regular basis to ensure ability to recover

Application tier for recovery priority
- Tier 1: 4 hour
- Tier 2: 8 hour
- Etc.

Integrated environment: understand cross dependencies. Documentation was in the wiki but the Intranet was tier 4, so there was no way to recover because the instructions were not there.

Move toward redundancy and resiliency. Don’t build your own data centers anymore. Just a machine room with telecommunication and end points.

Cloud services
- Primary Servers
- Burst capacity
- Disaster recovery

Business continuity
- Used to be an office facility kept dark
- Now a shared office space
- Or through virtualization any Internet connection will do

How should you be testing?
- The straight answer is that what is most commonly done is to certify the applications prior to rolling into production, generally by the development teams and often without actually testing them
- Scenarios should be thought out and then tested through “table top” exercises
- Once a year a complete disaster recovery exercise should be conducted

Certification before each system rolls into production

 CIO Playbook Episode #7 The Dark Art of Meeting Management Chapter 2 | File Type: audio/mpeg | Duration: 33:45

In this episode of the CIO Playbook I am discussing the dark art of meeting management chapter two, how to manage conference calls.

Okay, so how many of you have to sit on conference calls on a regular basis? How often do you get the heavy breather? The dog barking in the background, or the all too often music on hold? Yes, we live our lives on conference calls these days and we will be living more of them as we seek more ways to control costs. This next installment of my Meeting Dark Arts series will be the various conference call etiquette rules I picked up over the years. Make sure you share these at the start of every meeting to remind everyone on the call that we all suffer when someone isn't paying attention (yep, that is the keyboard you are hearing in the background).

First the list of etiquette rules for those of you not wishing to read all the details:
- Remind us in the beginning about the rules
- With large calls let people know you are waiting to start
- Run a call just like any other meeting
- Provide local dial in numbers
- Remember there are time zones
- Remember to mute your phone!
- Don’t put us on hold
- Watch the noise makers
- Don't eat while on the call
- Don't have side conversations
- Keyboards are a no no
- Say your name (when you enter, when you speak, when you leave)
- Don't be long winded
- Everyone has an accent!
- End the call

The important message here is that each of these rules should be shared at the start of your call. I am amazed at how often these rules are forgotten. My teams are global and therefore almost all of our meetings are conducted via telephone or video. At the start of each meeting I remind everyone of the etiquette so that we can be as productive as possible. I am curious to hear your thoughts.

 CIO Playbook Episode #6 Thoughts on Steve Jobs Leadership Style | File Type: audio/mpeg | Duration: 24:40

In this episode of the CIO Playbook I am discussing Steve Jobs' leadership style and how he used it to transform seven industries. My thoughts are based upon articles and

Steve Jobs Transformed 7 industries
- Personal Computing
- Animated Movies
- Music
- Phones
- Tablet Computing
- Retail Stores
- Digital Publishing

Steve Jobs was known for being a tough boss and many managers often focus on his toughness as the key to his success. There is more to Steve Jobs and I will discuss what others have written as Steve's other leadership approaches:
- Simplicity
- Responsibility
- When behind leapfrog
- Don’t Depend on Focus Groups
- Impute
- Hire only the “A” Players
- Stay Hungry Stay Foolish

 CIO Playbook Episode #5 Dark Art of Meeting Management Chapter 1 | File Type: audio/mpeg | Duration: 34:41

In this episode of the CIO Playbook I am discussing how we can get more out of our meetings through several tips and tricks to hold more effective meetings. This is chapter one. With all of the wonderful technology that we have available to us to da...

 CIO Playbook Episode #4 Intranet Governance | File Type: audio/mpeg | Duration: 27:47

In this episode of the CIO Playbook I am discussing how to set up Intranet Governance.

The Internet is a powerful tool we use every day
- Wikipedia
- Google/Yahoo/Bing (did you Google it)
- News and information sites
- Video and Audio
- Photography
- Facebook, LinkedIn, Pinterest, Twitter, etc.

One of the great successes of the Internet is its ability to enable an organization to operate more closely
- Enabling self-service
- Strengthening departments through better information sharing
- Enabling the Knowledge worker
- An information hub for business
- Reduced training costs

The Internet Represents Self Service
- When was the last time you went into your bank
- Where do you go for medical advice first
- Where do you conduct investment research

Why Governance for the Intranet
- Consistency, usability
- Ease of finding things
- Branding
- Loyalty
- Lower costs (Training, Compliance, Policies)
- Alignment with organizational objectives
- Performance standards (response time, meta data, searchable)
- Ability to keep up with evolving technology

What is Governance
- Strategy
- Vision
- Direction
- Budget
- Set Policies
- Set Standards
- Prioritize Projects
- Resource Allocation
- Conflict Resolution
- Final Decisions

Approaches to Governance
- Do Nothing
- Committee of Stakeholders
- Centralized Single Owner
- Decentralized No Owner

Do Nothing
- Many times we hear the excuse for not setting out standards because they would limit creativity
- Assume implicit standards
- Practices and Recommendations
- Varying Quality
- Often faded or no longer updated content

Decentralized No Owner
- Typically IT runs this model
- Haphazard enforcement of policies
- Recommendations and guidelines
- Quality is limited
- Not necessarily cohesive content

Committee of Stakeholders
- Recommended Committee Membership
- Corporate Communications
- Human Resources
- Operations
- Technology
- Representation from various members of the greater organization
- Intranet Strategy Group
- Intranet Operations Group
- Intranet Development Group

Centralized Single Owner
- Clearly codified standards
- High quality
- Solid support and infrastructure
- Quality architecture
- Site-wide tools

When Do You Start, Usually Before
- Recommend that governance start before you set up your site
- However, most of the time governance is added afterward
- Usually after the site has grown organically
- And the user experience is decreasing and things are hard to find
- Generally it is a site with loads of good information but not easy to find and the customers are complaining about it

How do you Transition From Informal to Formal
- Consider a staged approach
- Determine stakeholders (programs, offices, IT, HR, Senior Management)
- Establish a cross-functional team
- Transition to centrally managed functions and resources

A Basic Web Structure
- Content Editor
- Business Owner
- Developers
- Administrators
- Designers

Define your:
- Policies
- Processes
- Ownerships
- Enforcement

Next Steps:
- Monitoring performance standards
- Monitoring standards and good practice
- Improve usability
- Marketing the Intranet
- Job descriptions for Intranet related tasks, to ensure appropriate separation of duties
- Create Consequences for non-conformance

 CIO Playbook Episode #3 Justifying a Conference | File Type: audio/mpeg | Duration: 23:58

In this episode of the CIO Playbook I am discussing how to get approval to attend a conference. When budgets are tight conferences can be viewed as an extravagance; however, if you are serious about developing your value to the organization, attending conferences is an important part of the personal development process.

Austerity is In
Budgets are tight
Training vs. Conferences

Learning Development Model
- 70% On the job
- 20% Feedback from working on good and bad examples
- 10% Courses and reading

Business Resource Management Model
- 70% of time dedicated to core business
- 20% of time dedicated to projects related to core business
- 10% of time to projects outside of core business

Management Time Model
- 70% of time to core business line
- 20% of time to adjacent business line
- 10% of time to truly new opportunities

Here are some of the techniques for gaining support for attending a conference:

Offer a Lunch and Learn
- Talk about new products
- New additions to existing products
- What are others doing
- What are others facing as challenges

Write a Summary
- Different than a lunch and learn
- No more than a few pages
- Cover key highlights
- Competency center

Connect the Conference to Strategy
- Better service levels
- Enable scalability
- Increase leverage from what we already have
- Reduce total cost of ownership
- World class industry leader
- Find out what others are doing in or out of your industry

Development Objectives
- Career growth tied to training
- Growth opportunities
- Select the appropriate conferences

When all Else Fails
- Offer to split costs
- Offer to pick up some of the costs
- Set a precedent

There you have it: suggestions on how to justify a conference and move your personal development forward. Until next time.

 CIO Playbook – Episode #2 Maximizing Conference Value | File Type: audio/mpeg | Duration: 21:22

In this episode of the CIO Playbook I am discussing how to get the most value out of attending conferences, describing what to do before, during and after to get the most out of your valuable time:

Before the Conference
- Identify the people you want to meet
- Prepare questions
- Determine the sessions you want to attend
- Get a list of attendees

During the Conference
- Attend the sessions; however, if they are not interesting be prepared to leave to find another
- Look for hallway sessions to meet and exchange ideas
- Be an active participant
- Seek out the speakers when they are finished to exchange additional ideas and questions
- Spend time at the vendors' booths
- Network
- Have fun
- Keep some snacks on hand so that you keep your blood sugar up

After the Conference
- Follow up with the connections you made at the conference
- Write up your notes
- Give a presentation to your co-workers

Success is ultimately your responsibility. Thus, to get the most value from a conference, focus on the sessions, people, connections, and what you can take away. This will enable you to grow professionally.

 CIO Playbook – Episode #1 Introduction | File Type: audio/mpeg | Duration: 6:32

I am pleased to be organizing a regular podcast that will provide an opportunity to hear from leading authorities in technology leadership on what a successful CIO is and how to develop the right competences for success. This podcast is set up with the aim of creating a center of excellence for quality leadership training, targeting technology leaders while being easily accessible to all. This podcast will be the perfect way to combine powerful leadership skills with the newest technologies providing an opportunity for new leaders and those with many years of experience to find something they can leverage into their respective space. As a senior leader with more than 20 years’ experience in the technology field, I am deeply involved in efforts to understand, codify, and promote the skills and attributes which senior leaders must exhibit to be effective contributors to the organizations they lead. In this regular talk my goal will be to map the pathways to the development of effective leadership as a Chief Information Officer (CIO) and the skills that must be acquired en-route to this role. This podcast is invaluable to any senior professional who aspires to become a CIO, Director, or a Senior Manager within the field of information technology. It will also serve to be highly informative to all corporate leaders and recruitment professionals by offering learning about what characteristics distinguish a successful Chief Information Officer and what to look for when hiring leaders.
