by Jack Santos | May 20, 2013 | Submit a Comment
It used to be a good idea. Ask something that was immediately obvious and only knowable by YOU or a very few people – and make it the last line of defense for a password reset or some other high-security function. Mother’s maiden name. City you were married in. Make and model of your car.
Until, like everything, it gets carried to an extreme. Like for instance, the Apple ID reset process. Let’s look at these security question…
I suppose the standard response would be (if the answer is not readily available) MAKE SOMETHING UP and remember it! But wasn’t it the purpose of these security questions NOT to have to remember ONE MORE THING. Heck, if that were the case I wouldn’t have forgotten my password in the first place!
…and then there was the concept of REUSE. Use a question that is personal information, but whose use is fairly standard across websites (mothers maiden name, for example). But then that, of course, leaves one open to the possibility of a breach at one site is a breach of all of them.
This, we at Gartner, would classify as a wicked hard problem of identity and authorization. And there is no answer yet (two factor authentication aside). The Achilles heel of virtuality.
These first job questions – do you mean my news route, part time job after high school, full-time job after college? The first one that actually paid me? or paid me a salary?
That first album I purchased? duh, maybe it was Jimi’s “Live at the Fillmore East”, which explains why I can’t remember a dang thing….
We’ll talk about wicked hard problems like that, and more, at this year’s Catalyst Conference in San Diego.
Category: IAM security Tags: consumerization, data management, security
by Jack Santos | May 13, 2013 | Submit a Comment
If you have followed my blog, you know that I annually review the US HHS breach report, just to see what kind of year we had in healthcare security. Well, enough time has gone by since the end of year reporting to make sure we have captured the stragglers. Prior years observations are here for 2010 and here for 2011.
Well I am happy to say that we are off the curve to have 50% of the population breached for healthcare data by 2025. Whew! 2011 now looks like an anomaly in our rear-view mirrors. Breaches in 2011 affected almost 11 million people. In 2012 healthcare breaches affected 2.5 million, about the same level as 2009 – which was a partial year of reporting.
Hmmm, so we may be looking at 3 scenarios:
1) Rules and fines have had their effect. The industry has woken up and has taken serious precautions that has sharply reduced breaches.
2) 2011 was an anomaly, and it won’t ever happen again.
3) The numbers are suspect – not everything is being reported.
This year’s graph is telling:
compared that to our trending from 2011:
This year’s wall of shame includes these top 3 breaches:
Utah Department of Health: 780,000 individuals affected
Emory Healthcare: 315,000 individuals affected
South Carolina Department of Health and Human Services: 228,435 individuals affected
Government and Non Profits are not immune: at least 5 city agencies, 7 Universities stick out.
Repeat offenders? It happens. Kindred Healthcare, The Brookdale University Hospital and Medical Center (NY) , Riderwood Village (MD), and Florida’s Memorial Healthcare System each had a total of two separate breaches in 2012.
Maybe we have turned the corner on healthcare security breaches (how come I feel that may be optimistic at best?). Or maybe there is a major case of ignorance, or a fear of reporting and lack of compliance going on. Or maybe criminals have a target rich environment with banks, and could care less about Protected Health Information.
What do you think?
Category: Healthcare Tags: Healthcare, privacy, security
by Jack Santos | April 26, 2013 | Comments Off
This is Harper Reed. He’ll be part our Catalyst conference keynote in July.
You have to wonder about someone when their website proclaims them as one of the “coolest guys ever”.
And didn’t he write “To Kill a Mockingbird”?
Maybe we can forgive his publicist for the moniker. The photos of the tattooed mohawked geek-glassed joker make you wonder whether he’s in charge of IT at the local skateboard park, or is a refugee from a metal concert. And “Mockingbird”? That was Harper LEE…
But then you find out that one of his BFFs is Barry O – AKA PreSIdent of the UnItEd StaTes.
You see, Harper Reed was the CTO for the Obama 2012 presidential campaign. All that talk about analytics? The “get out the vote” software that trumped Romney’s feeble implementation, and many attribute to winning the election? The buck stops at Reed, and that’s where the ideas start too. Catch him at our Catalyst conference in San Diego, July 29-Aug 1. He’ll also lead a breakout session.
This ain’t no poser, so bring your board, it’s gonna be sick…
Category: Catalyst 13 Tags: Catalyst-NA
by Jack Santos | April 11, 2013 | Comments Off
Dan Ariely is fond of pointing out that “door locks only keep the honest out”. Locks are basically a reminder, like a sign, that it’s socially unacceptable to go further.
One could make the argument that is true when it comes to human behavior about scams…if you have a personal relationship with someone, you are less likely to scam them. Unless you are pathological. It falls under the same category of that old saw “generalize the negatives, individualize the positives”.
So what does that mean in a world where your personal face-to-face connections keep shrinking when compared to the world of social acquaintances that you have online – like those 1000 linked in or facebook contacts? Enter, social engineering. It’s my thesis that the decrease in the personalization of relationships through online social networks, the more that the psychological barrier to scamming someone is lowered, increasing both the likelihood, scale, number, and effectiveness, of social engineering attacks.
In other words, social engineering opportunities are there, much like walking down the street and trying open doors are there. Yet, unlike the door analogy, there’s is no psychological barrier in place in our online lives that makes entering that metaphorical door – or crossing that line – less attractive. I am talking about those of us that do NOT have pathological issues. Evidence to this is the amount of Millenials downloading music, movies, books for free.
So if my theory is correct, we can only expect the scale or tenacity of social engineering attacks to increase, and from some unlikely (normally trustworthy) sources. And that will only change if one of two conditions happen:
1. The likelihood of capture and retribution, or high barrier to entry (like, for instance, a fool proof lock with reinforced doors) makes the scam attempt subject to a very low success rate (success rates that are infinitesimal compared to the increased ability, and low cost, to pull off an online scam – think spam) or,
2. Our social network lives raise themselves to a level of trust and familiarity so that the smallest attempt is viewed as generally unacceptable social behavior – and can be communicated and outed. Think something like “Snopes” for social engineering alerts, and strong identity frameworks that publicly tie attempts to the instigator. But then that gets precariously close to 1984 scenarios (ignore the fact we are almost 30 years beyond that scenario).
If my thesis rings true, what other conditions can you foresee that will mitigate my expectation? Which one of these two can most likely happen?
Come to our Catalyst conference in July for more on topics like this…
Category: Cloud Nexus Social Media Tags: consumerization, culture, Social media
by Jack Santos | April 9, 2013 | 2 Comments
There is another way to talk about the sudden world domination scenario of tablets and iPads, and that is in the context of end-user revolution.
Sure – we can argue that form factor (tablet) or multi-touch screens is the end of PC domination of IT solutions. (Today’s WSJ CIO Journal)
But the real reason is speed and ease of use beyond the GUI. Specifically, the instant on/always on aspect of tablets. Fundamentally, the world is saying “enough already!” with 2-10 minute startup times on PCs, and rapid degradation of performance as more software is piled on to your run of the mill desktop or laptop. I was initially concerned that tablets (in particular iOS devices) would also suffer from app arthritis – the slow degradation of responsiveness and stability that we are all too familiar with in the PC world. So far, reports of that have been minimal – due in no large part to Apple app store curation and Apple’s ruthless devotion to shutting down an app that is exhibiting poor behavior (get that Adobe?)
As my colleague Chris Wolf pointed out in another Wall Street Journal article, tablets aren’t the only game in town. Virtual desktops can lead us down the road to “me”-centricity and fast boot/switch times – such as what many healthcare institutions are doing in the name of speed and medical error mitigation (in this case Seattle Children’s – which also spoke at last year’s Catalyst conference; this year’s conference is coming up – see below).
I believe desktop virtualization will be a factor (finally! It has been churning in the background for years). But whether it will break out of the shadow of tablet mania remains to be seen. Another data point? the replacement of PC-based point of sales with tablet point of sales in many stores. Desktop virtualization will be a force, but it may now be on the margins, or mainly tactical. Remember 3270 screen scrapers?
That is not to say that those margins are not a significant part of the IT mission. Desktops/laptops aren’t going away anytime soon. Even longer refresh times seem to be the future. Ultrabooks, ssd based small footprint laptops, are in the mix, too. Like desktop calculators…. desktop virtualization, and an ongoing PC/laptop footprint in ultrabook-like form factors will morph into a niche solution… that’s what the market is saying.
One of the many in-depth technical topics at Catalyst this year…
Category: Cloud Externalization Mobility Nexus Wireless Work Place Tags: consumerization, culture, mobility, Wireless
by Jack Santos | April 8, 2013 | Comments Off
This is an interesting analysis of the potential impact of Facebook Home:
I think the subplot is whether consumers will value order and harmony over chaos and choice. IT can have a big say in influencing consumer choice to “order and harmony”, especially if confusion reigns.
Either way, this kind of fragmentation can’t last for long (say 5 years?) and 2-3 leaders will emerge. Apple already has one of those slots…after all, they have won the “order and harmony” crown when it comes to mobile app ecosystems.
I would disagree that consumers care less about fragmentation – gearheads call it that, consumers call it confusion and differences in how phones are used. We (I’m a consumer, too!) want something that works, and a choice that follows the herd with easy to share experiences.
Facebook phone, Samsung, Microsoft, Blackberry, are presenting all of us with a dizzying array of choices, and confusion on which one to choose, and how we work (especially when trying to convey a shared experience with others), what we can get on what device with what OS. This can’t last long…look at what happened with PCs – remember Amiga OS (which made a brief business push), all the variations of Unix, Windows, Os2, Be, yes even Wang OS, not to mention the proprietary hardware innovations (MicroChannel – where are you now?) – to name a few? Eventually it will get down to 2 or 3 (that’s how markets work) until there is a new disruptive innovation.
In my social circles I hear lots of frustration over UI and choice. And everyone is looking for advice. With mobile work usage in a personal setting (because of BYO) becoming a huge selection factor, IT is in a position where it could influence decisions, and influence the coming market fallout.
The fact is the market will fallout..the real question about IT’s role in a mobile world is how can IT influence that fallout.
It could be that the API and OS issues are becoming less of an issue for IT – they are doing more buying, less building, and if they follow our advice will follow a web-based HTML5 (not native) delivery regimen for the most part… but IT will be worried about whether key vendors can support all the choices, and which partner/vendor is in a better position to survive, and who in the mobile OS world has market share – all issues where the consumer would value IT’s advice, if delivered as advice and not “thou shalts…”
So in the end, IT’s role in a mobile world could be more about HOW we (IT) do what we do – not the technical comparisons, or the whats.
Those are just the kind of topics we’ll talk about at this year’s Catalyst conference in San Diego on July 29.
Category: Innovation IT Governance management Managment Mobility Nexus Social Media Work Place Tags: consumerization, IT relevance, management, mobility
by Jack Santos | January 2, 2013 | Comments Off
What you can count on at the end of every year is “Year in Review”, and “Crystal Ball” type of articles, blog posts, etc. I suppose it gives one a sense of continuity and anchor on an annual basis.
In IT, and technology strategy in general, it often comes down to trying to divine the trends from the fads. This piece from the WSJ by Tom Davenport certainly focuses on that – Tom sets our minds at rest in proclaiming “Big Data” a trend, versus a fad.
So be it.
In my mind, its not so much whether a certain topic is a trend or a fad, but what the subtext is – and what are the underlying forces that may make a difference in how we make our companies, and ourselves, successful. This is true not only for the CEO or CIO, but for everyone in the enterprise – from the janitor on up (I used to say mail room; but with email, that is going the way of the horse and buggy).
Trends and Fads (T&F) are just shorthand for our feeble minds – ways of thinking about, and remembering, potentially important things in our lives, meta-events – so to speak. It’s not the T&F itself – they are just sign posts - but the underlying implications that are important. Tie-dye, pet rocks, furbys – all fondly remembered as fads. But the implications (in order) – 60s upheaval, Luddite-like reaction to increasing game sophistication, and (conversely) the dawning of robotics in an early form…those were the underlying aspects of the fads that could be the subtext, and expose what we may call a trend, but is really an implication that will cause us to change our strategy, or our future actions.
You may even call it “searching for patterns”…. or paying attention to details.
What it came down to me, as a CIO , was priorities and timing. Paying attention to T&F was just a start. Realizing the underlying implications was the analysis. Setting priorities, planning , execution – that was the end game.
The current fads are Facebook, Linked in, and Twitter. The underlying trend is the growth of social media. Ari Herzog, A friend of mine, blogged about his take on these, and metaphors for them. It’s clear what he is going to do as a result of his assessment of these T&Fs.
So…T&F is nice…but the real question you should be asking yourself is: what does it mean, and what should you do?
Category: CIO issues Future management Managment Social Media Strategic Planning Uncategorized Tags: CIO, IT relevance, management, Predictions, Strategy, words
by Jack Santos | December 19, 2012 | Comments Off
One of the things we talk about at Gartner is how computerization is changing business – not just back office systems (HR, CRM), but from a fundamental product perspective.
I can remember discussing with my business colleagues (at an insurance company in the 1990s) what a treasure trove the collection of OBD (on board diagnostic) information we have at our finger tips – and how it could impact the rating and pricing of car insurance. At that time actuaries were skeptical. “People will just keep there cars in the driveway during sampling periods” said one. “Why would we want to do anything that potentially reduces revenue?” said another.
So goes the innovators dilemma. Leave it to market disruption to force a hand. Like Progressive’s “Snapshot”.
Progressive insurance’s product is now in 42 states and is revolutionizing auto insurance. Plug in a small 5×5 inch device into your car, and they get near real-time reports on your driving. This is the new world of telematics. Look forward to reports like these:
For the record, those two trips from 9-1 on Sunday were back and forth to church…
OK. Guilty as charged. I am a homebody. No getting out bars at 1 am for me…
But I probably need to get a little less aggressive on braking, which confirms what my wife has always told me, now with hard incontrovertible evidence.
I can only imagine the mountains of data being collected…and its eventual use in determining pricing, rates, identifying habits that forecast the potential for an accident, and (ultimately) how it could be used by drivers to adjust their driving habits. The analysis and use of this data is a poster child for Big Data and Business Intelligence.
And it is only the beginning. This is the bricks and mortar equivalent of what happens with online shopping, as our lives go online more and more. Surveillance, collection, use, ownership of data –all issues for our time.
“Progressive will retain information collected or derived from the device indefinitely”
Archeologists thought they had a field day going through latrine trash from the colonial era – wait another two hundred years to see what they do with this data!
There is a whole host of legal technicalities here – use by law enforcement in an investigation (criminal or not), or even use by a spouse in a divorce proceeding (imagine that!).
Parents monitoring teenagers driving… accident re-creation using data from multiple vehicles..correlation of speeds with local speed limits (can I get a ticket after the fact? A potential enormous new source of revenue for municipalities…); the list can go on and on.
Eventually, the use of this data may bring more income to Progressive than the base insurance product….its only a matter of time. Already, third party providers (such as Telanon) are offering services to analyze driving habits based on the data collected.
…and all the other companies are now playing catch up….
Progressive has an exclusive arrangement with Xirgo, the manufacturer of the device, and it communicates over the AT&T wireless network. They also have patents on the concept (usage based policy rating). Lets see how long that lasts…as my colleague Carlie Idoine pointed out, it’s an innovation that will only provide temporary competitive advantage as everyone plays catch up. State Farm is using OnStar, SYNC or In-Drive technology to mimic similar data collection.
This form of predictive analytics has profound implications – not just for companies, but for society as a whole. Note Progressive’s own report on what they have learned thus far. Their study correlates with our own assessment of the increased personalization and individualization that technology is enabling. Interestingly, one of Progressive’s findings is that “the majority of drivers with lower-risk driving behavior are subsidizing a smaller number of drivers with higher-risk behavior.” Whether it’s auto, healthcare, or homeowners – insurance is about the spreading of risk over a group of individuals, and establishing a community pool. But it also has always been about the financing of, or spreading the cost of, adverse events over time for groups AND individuals. Clearly, the model is changing – or at least getting readjusted (pun intended) - for some companies.
Just another example how the creative use of IT can change a business….
Category: Applications Cloud Externalization Future Information Management Innovation Mobility Nexus Operational Technology Tags: 3g, Cloud, consumerization, data management, innovation, Predictions, Strategy, Wireless
by Jack Santos | November 27, 2012 | 1 Comment
This morning’s WSJ CIO journal had a piece on software audits by Microsoft and Oracle. That brought back painful memories of a particularly arduous period in my CIO career.
It started with a conversation with my CEO about their hatred for Microsoft in general, and Bill Gates (who they met personally) in particular. Board politics can get very personal. Unfortunately this led to some serious internal blind eye tactics when it came to software licensing.
Didn’t take long after I was on board that I got a call from Microsoft asking for an audit, and waving the potential for BSA fines over my head (with jail time probably not far behind).
I had always felt that the annual Enterprise Agreement (EA) “true up” was a two edged sword. If you are not on top of it, it gives MS the right to really take the company to task financially. In this case, we didn’t have an EA (although I was interested in negotiating one), and the call was unsolicited. and there I was in the middle of this mess.
It wasn’t anything that we couldn’t buy ourselves out of – pretty expensively. That’s what happened. But nonetheless, the whole experience brought back vague recollections of uncle Vinnie in the Italian south end. The sense of family, whether it be genetic or corporate, is a powerful force.
Luckily, there were no cement shoes in it for me this time around. The morale of the story? Stick to your agreements, as painful as they are. I hope my CEO friend learned that lesson….
Category: CIO issues Vendor Contracts Tags: CIO, vendor
by Jack Santos | November 12, 2012 | Comments Off
“There are known knowns; there are things we know that we know.
There are known unknowns; that is to say there are things that, we now know we don’t know.
But there are also unknown unknowns – there are things we do not know we don’t know.”
— Donald Rumsfeld
I was reminded of this quote when reading about how Carl Sagan fought for cameras on early planetary probes – and lost. His thinking, ostensibly, was about answers for the questions we weren’t asking – can’t even imagine or think of. And defining new questions.
He lost his argument, but only for the first few Venus probes. Every spacecraft from then on has had a camera. The benefit in terms of scientific results, and public engagement, has more than made up for the cost.
I am reading a draft of a Big Data paper that my colleague Svetlana Sicular has written – to be published soon (on Guidance for Big Data adoption). It occurred to me that we are in those same stages with Big Data. If we are driven by our urges for certainty, by metric driven, know all the questions search for answers, we are bound to miss the big picture, and destined to avoid important answers – and business affecting – discoveries that answer questions we don’t even know to ask yet.
It’s like that right now – the explosion of data from not only watching and measuring the actions of people on the internet (shopping, news reading, facebook), but also the explosion from “the internet of things”.
I personally had to deal with that explosion in a hospital setting as a CIO. The question was about what constitutes a medical record versus a personal health record – what was “hospital” data, and what was “health history”. At the time, the massive amounts of bedside instrumentation data that was just beginning to find its way onto networks (usually a non IT network, but in a related “clinical engineering” network – another IT vs Operational Technology (OT) issue) was viewed as something we probably don’t want to store for a significant period of time, or even provide patient access to. It was questionable as to whether it was part of the “electronic medical record”, much less the “patient health record”.
How wrong that point of view was, and is.
And munging (that’s a technical term) through that data, as an individual, a clinician, or as a researcher, is like tunneling through a gold mine. Big data is struggling with how to define the questions.
What is the metaphorical equivalent of “Carl Sagan’s camera” for Big Data? We don’t know what we don’t know.
Category: Cloud Information Management Innovation Nexus Strategic Planning Tags: Cloud, culture, data management, innovation, management, Strategy