Why this sudden view that all is well?  Have we knocked out these cyber nasties?  Hardly. Estimates discussed at this year’s RSA Security Conference in February were that from 10% to 20% of the Internet is infected with something. 

The days when bored college students and macho programmers vied to create and distribute the most elegant or loudest and annoying malware are long over.  Stealing information and identities has become big business.  Organized crime and nation state-sponsored cyber-espionage are quiet activities – they don’t want to attract attention.  

These groups are using remote management capabilities that would be the envy of many corporate IT departments to accumulate and maintain herds of zombie PCs – PCs that belong to unsuspecting computer users everywhere.  Once they’ve infected a system, they patch it, suppress the anti-virus software that may be present, and variously manage its configuration. In this way, they ensure that rival botnet herders can’t steal it from them, and the legitimate owner never even knows they are there.

Remember last year when Aunt Sue was driving you crazy asking for help fixing her PC?  Haven’t heard from her for a while?  “The PC is working just fine, thank you.”  Yes, she’s no longer concerned … but the rest of us should be because her infected system can be used to attack ours.

This problem of users who don’t understand their systems well enough to tell something is wrong isn’t going to be solved by educating them.  As computers get easier to use, there is less incentive for users to understand how they work internally.  Who can fix their car by themselves these days? 

The organizations best positioned to detect these infected systems are the major Internet Service Providers (ISPs).   So far, they haven’t been incentivized to do anything about the problem.  ISPs are in a position relative to their customers to perform the same role corporate IT departments carry out with workstations on their intranets.  They can run monitoring systems to detect infected machines, provide mechanisms to help fix them, and not let them on the network until they are fixed. 

I don’t think anyone would argue against the result this would produce; the rub is figuring out who pays for it.

These findings are especially significant for our public sector clients, because they directly relate to the way these organizations should offer online services to citizens. Citizens who want to access their social security records or tax information online will expect the government to protect their identities and their privacy. Public sector organizations will have to provide secure authentication and strong protection from cyber criminals.

This will hold true in the private sector as well. Commercial services providers in areas such as financial services and healthcare are facing the same challenges with regard to how they interact with consumers on line. Solutions to challenges such as data protection and securing mobile devices will be essential.

Cybersecurity issues are reported in the headlines on a weekly basis, and consumers are more aware of the threats than ever. With this awareness will come expectations that the organizations they trust to protect their data will do just that.

View my new video on the Unisys Security Index.

It seems like an opportunity lost that the Border Agency didn’t look at the Easter holidays as an opportunity to showcase its preparedness for the Olympics, given the natural surge in outgoings and incomings to the UK borders. Instead, the impression given is that a plan for expanding both departure and arrival procedures simply isn’t in place. Unless BAA and the Border Agency are able to pull a rabbit out of the hat in the coming months, then we’re looking at a serious problem at our airport and seaport terminals during the summer. And if they pull such a rabbit now it clearly will be a panic measure. UKBA preparedness has to be judged, at this late stage, by what is evident now.

With 11 million tickets available for the Olympic Games, the influx of international attendees, athletes, visitors and media will be a significant proportion of this number. There are a number of scenarios which UKBA could play with at this late stage to mitigate this disastrous situation:  firstly, if the number of border staff reductions continues at its current rate, and the full scrutiny procedures remain the same, the worst case is that a situation could evolve quickly whereby planes are forced to turn away from our major airports because other planes are stuck at airbridges, not unloaded, because the arrivals immigration hall is packed. Alternatively, if border procedures are relaxed and Brodie Clark’s plan for intelligence led screening is fully followed by a committed and coherently led UKBA, then some sort of order might be imposed. It didn’t happen before – hence the removal of Mr Clark – so the probability of it being imposed now is slim. The likelihood now is that stringent document scrutiny no longer takes place and we run the risk of letting through potentially dangerous and serious criminals.

But there is still time to improve the situation. The Home Office and Border Agency need to sort out their differences and put in place some sort of short term but dramatic measures at our borders ahead of The Games.  In a recession, spending on our borders was likely to be lean but a combination of technology and increased personnel in the short term should be well worth the outgoing to keep our country safe when all eyes will be on us from around the globe.  Can you imagine the media fallout if we get this wrong.

With Iris technology and e-Gates assisting in reducing the number of staff required to process incoming passengers, the obvious solution would be to start by increasing the amount of automatic scrutiny afforded by these technologies. Rent it, don’t buy it, and insist on the latest technology, whilst increasing staff to supervise the automation. They do not need to be UKBA since all they are doing is keeping an automatic process going.  At this short notice the only answer is to enhance the integration of staff and technology.  From our (Unisys) previous work around cargo traffic and delivery at the Beijing Olympics, we understand the importance of planning in advance for these types of events but when you only have less than 100 days to go, you need to do something drastic.

The UK is set to experience the biggest surge at our borders for the next ten years and we have next to no time left to prepare adequate processes for dealing with this influx of visitors to UK and the Olympics. Action is needed now to ensure the UK is protected so those travelling to London for The Games can enjoy their experience from the moment they arrive at any UK airport or sea port terminal. The Olympics should be a celebration of the achievements of the UK in preparing for such a global event. It won’t happen again in UK for decades or longer.  Show the world that UK Borders are open to visitors not a barrier to tourism.

We’ve launched this series in the spirit of debate that drives so much of IT decision-making today. Our first post asked, How Much Security is Enough?

Today Nick Evans, Vice President and General Manager within the Office of the CTO and Roberto Tavano, Vice President of Global Security Sales for Technology, Consulting & Integration Services will ponder the question: SHOULD SECURITY BE OFFENSIVE OR DEFENSIVE?

Nick’s answer: “It depends who the enemy is.”
Roberto counters with “Security must be preemptive.”

What’s your counterpoint? What do you think about Nick’s and Roberto’s advice? What’s your security posture in your organization? Please share it with your fellow readers in the comments section that follows this post.

NICK EVANS: It depends on who the enemy is

Nick Evans, Vice President and General Manager
Office of the CTO

First, we should start off by defining what we mean by offensive security. At the extreme end of the scale, we are talking about coordinating attacks on cyber-criminals via cyber-related means. I think this is appropriate for certain areas of the public sector or the military, where data protection and confidentiality are paramount, and where cyber warfare is a legal part of the playbook. In fact, last year, as part of unveiling a new offensive strategy, Deputy Defense Secretary William J. Lynn III stated that a new “dynamic defense” would seek to deter potential attackers by searching for them on the Internet instead of waiting for an attack.

For non-governmental organizations, however, you can’t fight cyber-criminals by becoming a cyber-criminal yourself. Commercial security should always be defensive; that is to say, be able to protect, detect, and respond to threats. But as the threat evolves, commercial organizations might feel it necessary to take on a more offensive posture, while remaining within the letter of the law.

So what can a commercial organization do beyond a defensive security program? One example is to employ the use of offensive systems such as honeypots. These contain a data cache that’s attractive to hackers, but doesn’t actually contain any sensitive information. What the system does contain: A trap.

Hackers lured into the honeypot are monitored as they work to exploit the fictitious system. The organization’s security team learns about the hacker’s behaviors, tools, and techniques; and works to gather sufficient evidence to track them down, pursue them legally, and ultimately, take them offline for good. For more background on this, a useful article is this piece from Symantec which looks at entrapment, privacy and liability considerations.

At Unisys, we are seeing organizations start to move from a reactive security defense posture to a proactive enterprise security intelligence methodology, where advanced data analysis is helping to predict threats before they cause significant damage. The key aspects of this proactive enterprise security intelligence methodology are the integration of an array of sensors such as intrusion detection, malware and antivirus detection, and data loss prevention coupled with continuous compliance capabilities, forensics and situational awareness all built into the operational model. To read more about this, check out our CyberSecurity Predictions for 2012.

ROBERTO TAVANO: Security must be preemptive

RobertoTavano, Vice President of Global Security Sales
Technology, Consulting & Integration Services

I prefer the terms preemptive and reactive instead of offensive or defensive. Offensive and defensive relate well to a military enterprise; not so much to commercial IT. And by taking a preemptive approach to security, you are proactively anticipating the risks, vulnerabilities, and channels of attack against your enterprise.

But in order to adopt a preemptive posture, the organization needs to be adaptive. Unfortunately, few commercial organizations are adaptive in terms of their CyberSecurity. Risk assessment in most enterprises is done once, put into a formal plan, and filed away to live in obscurity, in perpetuity.

To be adaptive means to be constantly assessing risk. It’s not just a matter of building a wall to protect the organization, or reacting quickly when it’s attacked. Organizations that are adaptive evolve their security measures fluidly in sync with potential threats.

The good news is that this issue is coming into sharper focus with the rise of IT consumerization and the rise of brick-and-mortar businesses embracing the benefits of the cloud. The enterprise is extending its reach and opening its doors beyond previously conceived physical and logical boundaries.

For me, the right answer going forward is designing and upholding a preemptive approach to security. The alternative – always chasing, understanding, and reacting to an attack – isn’t attractive or effective, and is by definition perennially behind the curve.

Take a preemptive stance, and you can lead the way to the future of cybersecurity.

When it comes to IT strategies, however, there are few absolutes. IT leaders, teammates, and consulting organizations often draw lines in the sand when it comes to any given approach to solving a technical or business matter.

But the fact is, in IT, there are often several ways to approach and attack a problem. While each approach is equally valid, at the end of the day it comes down to which among the valid approaches aligns best to a given organization’s business and culture.

It is in the spirit of debate and decision that we offer a new series of blog posts focused on CyberSecurity that provide a point and a counterpoint, featuring Unisys Nick Evans, Vice President and General Manager within the Office of the CTO and Roberto Tavano, Vice President of Global Security Sales for Technology, Consulting & Integration Services.

Today’s question: HOW MUCH SECURITY IS ENOUGH?

Nick answers: “You need a balanced and adaptive approach.”
Roberto counters with “Security is not an exotic matter. It’s just part of your life.”

Nick Evans: You Need A Balanced and Adaptive Approach

Nick Evans, Vice President and General Manager
Office of the CTO

Over the past decade, we’ve seen instances of cybercrime increase in frequency, scale, and sophistication. As a result, there’s a growing need for ever-more robust CyberSecurity measures for businesses in order to keep up with this “cyber arms race.” Coincidentally, today’s high tech workplace is driving the need for sensitive data protection systems, dealing with an increasingly porous enterprise security perimeter, and other security vulnerabilities.

Considering that the threat level for cybercrime is constantly changing, it’s important to be able to understand the relative risk levels and determine how much, and when, to invest, in terms of an appropriate level of insurance. I’m talking about the well-known risk-reward continuum, one that will change year-over-year or even more frequently. According to a recent study by the Ponemon Institute, just released in March, it’s estimated that recovery from a successful data breach will now cost a typical enterprise an average of $5.5 million.

Besides rising year over year threat levels, the actual physical layout of enterprise security is also changing. Traditionally, you put your security at the perimeter – either the building or firewall – forming a simple boundary. Today, with the explosive growth of the Consumerization of IT, where information workers bring their own personally-acquired devices to work, we’ve entered the era of what I call “the borderless enterprise.”

IT departments are increasingly asked to secure progressively porous and blurring security perimeters in a situation where data is residing on smartphones, tablets, netbooks, and myriad other Internet-connected consumer devices well beyond the organization’s four walls. Now compound all this with cloud computing, and software as a service, where an increasing amount of transactions are conducted in the public cloud or within externally-hosted private cloud environments. You have to take an holistic approach, and think about all the potential areas of vulnerability where a person (or, increasingly, persons) can gain access to sensitive data, wherever it resides.

So to design your most appropriate security measures, you need to constantly balance your risk/reward equation and invest accordingly, while carefully monitoring emerging technologies for potential new security vulnerabilities.

RobertoTavano: Security is not an Exotic Matter. It’s Just Part of Your Life.

RobertoTavano, Vice President of Global Security Sales
Technology, Consulting & Integration Services

Perfect security does not exist. We all know that. Furthermore, everybody in an enterprise has their own point of view on security. Management sees IT security as purely a technical matter, while end users might find it annoying to have to change usernames and passwords every few months.

Security professionals understand their current level of security is never enough. They know that risk cannot be zero at any time under any circumstance. So the question to ask isn’t “how much security is enough?” The question to ask is, “are you truly capable of calculating the cost of stopping a potential attack?”

Direct costs are often straightforward to calculate. But what about the indirect costs? Brand value, legal actions, tarnished image, loss of credibility, etc. – assigning a value tag to such elements depends solely on your organization’s business model and environment.

Incidentally, indirect costs could be vastly bigger then direct ones. You want your security to be like the oxygen in the air we breathe. Without it your chances of survival are zero. Yet you are hardly aware of its existence – it’s just an integral, invisible part of the environment. Security should not stand out as a fence or as a special feature, but rather seamlessly weave into the very fabric of your organization.

So when talking about the cost of security and who is responsible for driving security, for me, it’s all about a team effort. The CEO has to consider CyberSecurity very high on his or her agenda. And the organization must educate their employees to behave in a secure fashion.

However, creating a model for strategic communities may require significant investment of time and resources.

First and foremost, it requires planning.  Positioning strategic communities to support a company’s market areas of strength, target industries, and key employee roles, and aligning them to business objectives and goals is essential. 

Second, developing a framework for enablement and evolution is critical to sustaining a successful community environment.  Effective frameworks include a project plan, a communication plan for socializing the purpose of the community in order to attract and retain members, and a culture transformation plan to help employees understand the value of community participation.

Third, communities must be well managed.  I like to use an analogy created by my former Booz Allen colleague, Walton Smith, who likened communities to gardens, each requiring a gardener to “seed, feed, weed and harvest.”  Too often companies launch communities with a “build it and they will come” mindset.  Employees may come, but will they stay and engage? 

In order to sustain and attract new members, communities must provide ongoing value. Community managers play a pivotal role in keeping communities viable and helping them grow.  They engage subject matter experts who can provide the right answers to questions at the right time and transfer knowledge and best practices to help community members evolve their skill sets. They seed content and motivate members to share and engage with each other through newsfeeds and community webinars. They promote the exchange of ideas and harvest and repurpose valuable knowledge. They also capture metrics to measure community growth and effectiveness.

Finally, communities cannot be successful without employees who are enthusiastic, engaged and willing to share.  This is where culture transformation comes into play. Successful strategic communities have clearly defined key benefits areas and related use cases to illustrate how community involvement delivers value to its members as well as to the business. Nothing drives behavior change more than a colleague’s positive experience with a new tool, a process or community involvement. Savvy community managers capture and repurpose these success stories to drive membership, increase adoption and validate business value.

Strategic communities that are well-planned, properly enabled and effectively managed can significantly impact the success of social collaboration within the business enterprise. Just ask the next knowledge and collaboration strategist you meet. Better yet, take a look within your own organization and assess how strategic communities can play a role in the success of your social collaboration efforts.

For example, here in rugby-loving New Zealand, 14 percent of New Zealand iWorkers said they use iPhones for work purposes, compared with just 2 percent in 2010.  By 2012, 10 percent of Kiwi iWorkers expect that iPhones or other smartphones will be their most critical business devices in 2012, compared to 5 percent currently.  This is in line with the global trends.

Consumer devices and applications are more technologically advanced than their corporate device counterparts. Is this then the death knell for the high-end server?  Not at all; in fact the server plays a key role when rolling out true mobility – enterprise-class applications – to employees and customers alike.

Moving with the times

It’s a “no brainer” that organisations that embrace mobile devices satisfy customer, employee and partner expectations.  Yet most organisations have only scratched the surface of the potential benefits from the increased productivity these devices allow. 

Our research also found 12 percent of Kiwi organisations plan to develop mobile apps for use by their employees in the next 12 months. This will enable greater efficiency in existing business processes by allowing access to update corporate data while out of the office, as well as the potential to develop whole new business models made possible by mobile applications. 

Mobility and the Mainframe

Ironically, while smartphones and tablets are fast replacing desktops as critical business devices, they bring a new lease of life to the mainframe.  IT and service management applications are one of the key areas being redeveloped to be used on mobile devices so that IT managers have increased flexibility in managing their organisation’s servers. This means they can work from multiple locations, while still monitoring system utilisation, available memory, waiting entries and policy compliance. Unisys has even built dynamic application support into its ClearPath servers to handle the frequent logging in and out that is typical of mobile users. 

Working from a smartphone, however, doesn’t mean accepting a compromise in security or functionality.  For example, Unisys ClearPath MCP Mobile Monitor App enables an IT manager to work remotely using an iPhone, iPad or iPod touch, while still having desktop functionality.  Security is taken care of by iOS Keychain, which stores server passwords in the mobile device and Hypertext Transfer Protocol Secure (HTTPS), which encrypts data exchanged between the mobile device and the ClearPath MCP server. 

In addition, organisations may choose to make their applications available as software as a service (SaaS) via a private cloud so that sensitive corporate data does not sit on the device itself, but rather resides on the company’s secured mainframe where access to the data can be protected via encryption and setting “communities of interest” so that only those who should have access can access the data.

The big picture

Organisations can reap fantastic benefits from mobilising existing processes with smart devices, but there is also potential for much more.  Mobile enablement is an opportunity to re-think and re-design business models and processes.  Making applications work with mobile devices makes them real business tools and helps organisations improve the efficiency of existing business processes or even create whole new business models.

Making it happen

Many business applications are now available online for mobile devices.  These programs are often easy to set up and some even allow you to turn your existing applications into iPhone and iPad applications.  For example, the ClearPath ePortal specialty engine is used to modernise mission-critical enterprise applications without altering the app itself so that it can be accessed on mobile phones via easy to use web interfaces.   This is how Rio de Janeiro water utility company CEDAE offered customers the ability to pay their water bills using their smartphones.

In addition, some point and click graphical solutions mean applications don’t even require programming, like the Unisys ClearPath MCP Mobile Monitor App available via the Apple App Store.  This approach is particularly important in these cost conscious times when organisations want to increase the functionality of existing IT infrastructure rather than “rip and replace” the whole thing.

With smart devices, people have the choice and flexibility they demand, and organisations can continue to manage costs and security and provide support.  Mobilising processes can bring improved productivity, efficiency, quality and even better working relationships across multiple levels in an organisation. 

Now that the technology is here to safeguard and facilitate business processes, organisations have the freedom to enhance their businesses with mobilisation technology, from changing customers’ experience at the coalface to creating entire new business models.

At Sears, leveraging the API economy by unlocking their legacy data into open APIs is core to their strategic vision.  Creating open APIs to access their legacy data (e.g. product catalogs, historical purchases, customer preferences, user recommendations) means innovation is happening out there. Open APIs are critical elements of expanding their brand, and creating opportunities for engaging customers wherever they are.

Netflix outsources innovation by letting developers integrate the Netflix service into apps with full control over the user experience.

A solution in itself, APIs are now a strategic resource, requiring an ongoing combination of marketing, usability, design, promotion, and in many cases pricing. All of these elements factor into whether an enterprise will compete successfully in the mobile space with the APIs themselves, and the products and services that are offered through them. The Business of APIs is no longer just a technology play but a business play where the APIs need to be managed and launched as a business, requiring ongoing diligent business and technical planning, functionally and non-functionally.

The most effective way to expose APIs for consumption by mobile devices is to offer them as a packaged set of Service Oriented Architecture (SOA) services, implemented using SOA principles and technologies.  This will be simple to accomplish for enterprises that are already SOA-enabled. For enterprises that are not SOA-enabled, it’s time to invest in building SOA expertise in order to ready themselves to compete and succeed in the Business of APIs.

The newly announced Unisys Application Modernization Platform as a Service (AMPS^SM) solution employs a full lifecycle service-oriented approach for providing a Business of APIs perspective to an enterprise’s API solutions. With AMPS, an enterprise can manage its API portfolio from the core business model perspective, govern its development, and provide comprehensive production API management, where APIs can be published, promoted, and managed in a secure, scalable way.

AMPS uses its patent-pending modernization framework, proven technologies and Center of Excellence services to bring together the business and technical communities to provide a holistic approach to the Business of APIs.  AMPS provides the mechanism for discovering and harnessing an enterprise’s APIs as well as blending them with complementary APIs from partner companies.

With AMPS, the result is a rich flow of information and collaboration across the enterprise, promoting faster innovation and growth in ways that may never have been thought possible before.

¹ An application programming interface (API) is an interface that an application provides in order to allow requests for service to be made of it by other computer programs including mobile applications to allow data to be exchanged between them.

This leaves IT organizations with the challenge of developing a coherent, consistent and smart data analytics capability across their application portfolio which is rapidly aging and growing in both size and complexity.  Today’s application portfolios include large numbers of software components with intricate dependencies and a wide variety of technologies.  Most of these aging applications store a wealth of data that, if made accessible to smart analytics engines, can provide valuable business insights to operate efficiently, grow competitively and comply with regulations effectively. 

As a result of aging application portfolios, however, IT managers find themselves struggling to rapidly adapt yesterday’s technology to today’s business needs while trying to assure that the budgets are not exceeded, planned returns are achieved and business is not exposed to excessive risks.  This application modernization problem has reached a point where it is way beyond the capabilities of traditional “rip-and-replace” approaches.  This problem directly affects the quality of business services, revenue, company reputation and business continuity. What is needed is a new approach to application modernization – one with minimal cost and risk that can help open up the vast amount of information that is collected on a daily basis and unlock new business potential.

Over the past years, the service-oriented approach to application modernization has proven to be successful in delivering the premise of business flexibility and cost savings – but at the expense of increased complexity and overhead if service governance and management is neglected.  An important step in achieving complex enterprise service-oriented modernization initiatives is adopting a comprehensive platform that can provide seamless, full life-cycle governance that extends from design-time management to run-time performance, utilization and security of software services.  A solid service management foundation with smart governance controls is a key success factor in achieving a cost-effective, secure and manageable service-oriented enterprise. 

Unisys Application Modernization Platform as a Service^SM (AMPS^SM) solution achieves just that.  With its best-in-class service management and monitoring approach, AMPS delivers on its key principle of strategic IT service governance and transparency.  Using proven technologies and a patent-pending modernization framework, AMPS provides an open, standards-based architecture.  This allows you to incrementally modernize and open up enterprise applications and expose valuable business data to external analytical engines using an optimized shared-service application development process.  AMPS mitigates the complexity, risk and time-to-market issues associated with similar Service-Oriented Enterprise platforms by providing policy-based, automated governance processes through a subscription-based,  hosted service.  AMPS provides rapid enablement of legacy enterprise applications so that the valuable mission-critical business data can be made available for intelligent analytical engines, helping to tame the information beast.

Implementation and integration of socially-enabled applications into the fabric of an enterprise’s business processes and supporting applications portfolio is increasingly the rule rather than an exception.

Beginning with changes that need to be made to business processes, the organization has to modify existing enterprise IT systems – such as, Knowledge Management, Case Management, Customer Relationship Management and Enterprise Content Management – as well as decide how these plans fit with the enterprise’s strategy for related activities such as mobile computing. Organizations must ensure these modernization initiatives are synchronized with existing business/system modernization projects, to weave social technologies into the fabric of an enterprise’s core applications.

As with other disruptive IT technologies (Mobile, Cloud, and Smart Computing), Social Computing adds to the burdens faced by beleaguered IT departments, in particular challenging the application modernization programs already underway.

Like Service-Oriented Architecture (SOA) initiatives, the most widely accepted approach to IT modernization, Social Computing offers consistent capture, repurpose and reuse of knowledge and delivers measurable business value through increased employee/stakeholder/partner productivity and improved operating efficiency.  By capturing and sharing lessons learned, the enterprise can improve the quality of business offerings and solutions, generate new ideas and innovations, and increase client satisfaction and business agility.

The newly announced Unisys Application Modernization Platform as a Service (AMPS^SM) solution delivers these key modernization initiatives. Unisys AMPS solution ensures the enterprise incorporates modernization imperatives, like Social Computing, into the fabric of the applications portfolio.  AMPS achieves this by: maximizing the economies of scale by re-using assets rather than creating new ones; eliminating overlap or redundant IT assets and their corresponding business processes and functionality; and establishing information sharing across the enterprise. AMPS ensures that these modernization programs commence in weeks and not months/years, with predictable and consistent operational costs.

With AMPS, the enterprise can live up to the speed of change demanded by the market to deliver new and improved services to its customers and ensure incremental business growth.

One I’d like to highlight here is ITSM (IT service management) as a service. Like CRM, it is a critical service for most enterprises. It typically provides key services required by the business such as managing IT resources and providing IT services to either internal or external end users. Functions like asset and configuration management, change and release management and most importantly service and incident management are performed by ITSM solutions. Typically these systems are on-premise and staffed by the IT department. They are capital intensive and consume large amounts of labor. Many organizations who have on-premise ITSM in place are struggling with the high total cost of ownership and administrative burden they pose. Dealing with the inevitable upgrade cycle and on-going maintenance burden are factors causing many to switch to more modern SaaS-based ITSM solutions. The delivery of these solutions mirror CRM offerings and provide the same benefits:

• Reduces overall costs
• Eliminates need to install and operate software or servers
• Provides the latest version, requiring no software upgrades
• Offers modern solutions – built for the web with latest technologies and typically easy to learn and use
• Subscription based which covers license, maintenance, and support fees
• Continuous innovation that provides new features and capabilities
• Shortest time to value – can be deployed quickly and gain full value in days and not months.

Solutions as a Service such as cloud-based sales force automation and cloud-based ITSM provide their services via the utility-based delivery model that works so effectively in the water and power industries.  After all, the cloud delivery model is based on many of the same principles – shared infrastructure, over provisioned, redundant functionality, monthly fees based on usage, and best handled by domain specialists rather than individual IT departments.

One last thought before I end – think about how effortless it is today for entrepreneurs to set themselves up with some of the key infrastructure and application services they need to run their business.  They can be up and running with robust, enterprise class applications in the shortest time ever – and it will only get better. This is just the tip of the cloud iceberg – much more is coming!

I’m in the minority who loves change – the opportunity to learn something new. I will admit, I was reluctant to swap my beloved Razor Phone for an iPhone, swipe my airline card to get my plane ticket, or replace my check book with a debit card, but Google, American Airlines and Bank of America did such a great job of socializing the value of changing my behavior, that all resistance faded. Today, I can’t imagine my life without these conveniences. Can you?

Let’s put “change” in the context of Social Media for the internal business enterprise. Why should social connection, knowledge sharing and collaboration matter to company leadership? Why is it important to imbed these practices into a company’s culture? Let’s look at three aspects:

(1) Social media makes knowledge sharing both explicit (written) and tacit (what people know and are currently thinking), transparent and fluid. Many companies wrestle with knowledge access and management issues caused by multiple silos of authoritative content.  Adopting social collaboration platforms, tools and processes enables companies to break down restrictive access barriers. In the past, employees viewed hoarding knowledge as power and associated it with job security. Today, one who readily shares knowledge and expertise whether by contributing documents to a knowledge base, writing blogs, or posting to newsfeeds wields greater power.

Employees contributing intellectual capital are recognized by peers through ratings and comments on their submissions and, in some cases, employees are incented and rewarded for contributing to the company’s knowledge base.  These “knowledge champions” are seen as high value contributors – empowered by the sharing of knowledge, not the hoarding of knowledge.  Knowledge is now more fluid and far reaching. An email sharing knowledge one to one or one to a designated few is limiting in scope. Conversely, a newsfeed post or a blog post sharing that same knowledge is available to all employees interested in the subject. Similarly, an employee seeking an answer to a question on a specific subject can direct it to all employees with that expertise (known or unknown) and find the right answer quickly.  Social media makes this serendipitous form of learning possible.

(2) Consistent capturing, repurposing and reuse of knowledge, in particular for client proposal, contract and engagement assets, delivers measurable value to the business through increased employee productivity and improved operating efficiency. By capturing and sharing lessons learned, the quality of business offerings and solutions evolve, new ideas and innovations are generated and client satisfaction and marketplace agility is increased.

(3) When subject matter experts share their expertise in a socially-enabled community setting, the opportunity for members to enhance their skills and expertise, and advance career paths increases exponentially.  Socially-enabled communities play an important role in knowledge transfer.  They promote connection and collaboration, diminish the learning curve associated with new hires and employees who are assuming a new job role, and serve as an ecosystem for the development of ideas and innovations. Communities become a knowledge-sharing hub – a place where employees can go “to get work done.” Efficient access to subject matter expertise, relevant information and timely answers to questions make employees more productive.

Research published by Forrester, Global Enterprise Web 2.0 Market Forecast: 2007 To 2013, projects that enterprise spending on Web 2.0 technologies will reach $4.6 billion by 2013 and climb to $6.4 billion by 2016.  Gartner predicts that social technology will be integrated with most business applications by 2016. But, deriving value from social media is not just about implementing Web 2.0 technology. It is, in fact, transforming a company’s knowledge-sharing culture and influencing daily behavior patterns to ensure effective adoption and exploitation of the new social tools and processes. 

Change is not easily accepted across a large business enterprise; the challenge is greater for global companies where cultural behaviors and language barriers add complexity. Companies using a “build it and they will come” or organic implementation model can expect a long transformation journey and run a higher risk of employee frustration and failure because value propositions are often at too high a level to be meaningful to employees. Whereas, companies that use a structured approach to implementation create searchable profiles to help employees build a company presence and to establish a valuable network of colleagues, develop and evolve company-sponsored communities of excellence to foster connection and collaboration, and conduct role-based awareness campaigns, communications, training and support to realize a more rapid rate of adoption and more consistent and effective level of use.  

Transformation is a journey, not a destination and it tells the story of change. It’s been 18 months since Unisys embarked on its journey to socially-enable its global work force. We are well on our way toward achieving that goal with more than 15,000 of our 23,000 global employees connecting and collaborating with social media tools. It is our hope that we will reflect back a year from now and wonder how we ever got along without them.

Overall, the key theme for 2012 will be one of customer-facing business innovation and we’re predicting that organizations will continue to embed and integrate these disruptive IT trends into their mission-critical business applications and processes, having cleared some of the earlier technical hurdles.

We expect organizations will expand the IT and business scenarios in which these trends will be applied and place even greater emphasis on streamlining IT service delivery through intelligent automation and low cost deployment mechanisms such as cloud computing. In addition, with expectations for IT to be a direct contributor to companies’ top-line revenues increasing year-over-year, there will be an intense focus on innovating with these technologies including mobile and social computing around mission-critical, customer-facing scenarios to deliver highly value-added and differentiated services in a more cost-effective manner.

Overall, in the most forward-thinking organizations, we expect these six disruptive IT trends to move from the periphery and become more a seamless part of the enterprise application fabric: more pervasive, embedded, integrated, secure, and insightful, and more directly contributing to both customer-facing and internal business objectives. These are the hallmarks of truly disruptive technologies – offering an approach which is often “faster-better-cheaper” than conventional approaches and thus quickly rendering prior techniques obsolete.

Since there’s so much to discuss in this year’s predictions, we have opted to explore our predictions with a set of blog posts from Unisys subject matter experts covering each disruptive trend which you can visit by clicking on each trend below.

• Cloud Computing
• Mobile Computing
• Social Computing
• Big Data / Smart Computing
• IT Appliances
• CyberSecurity

We hope you enjoy reading our Predictions for 2012 and look forward to hearing from you!

Private Cloud implementations continue to accelerate

We expect that private cloud implementations will continue to accelerate in 2012, as clients seek to leverage them across their infrastructure to drive improved organizational responsiveness and cost savings, while securing these systems within the enterprise perimeter.  In private clouds, we believe that ubiquitous virtualization across servers, storage, networks and applications, coupled with maturity in managing this virtualized IT estate, will be needed to optimize IT cost reductions and drive business agility improvements for the enterprise.

Fueled by private cloud implementations, we expect that hybrid clouds will grow in popularity in 2012, driving decisions on applications and data location to optimize costs, focus on core business enablement and drive business alignment.  In CIO Magazine, Forrester Research analyst Galen Schreck addresses How to Plan Now for Hybrid Cloud Management stating “Over the next three years, leading edge IT shops will start blurring the boundaries between public and private IaaS environments, so that applications can move between them based on immediate needs and economics.”  We therefore expect to see increased interest in enterprise-class cloud management software, with the ability to manage both public and private clouds as an integral part of an overall data center environment.

Software as a Service builds on email and collaboration and expands towards line of business applications and IT infrastructure

We believe organizations – both IT and business units – will accelerate their adoption of SaaS solutions for email and collaboration to further reduce costs and simplify operations. Additionally, in 2012, we predict SaaS will extend into line of business applications, supporting mission-critical transaction processing.  Over the next few years, intelligent analytics built into these SaaS applications will enhance the ability for organizations to support sales, supply chain, logistics and support personnel in real time, making better sense of huge volumes of data more quickly to provide better responsiveness and customer support.

As SaaS extends further into the business, IT Service Management SaaS solutions will become popular, as they can significantly enhance time to value for ITSM process improvement initiatives.  We predict that ITSM SaaS vendors will promote standard configuration solutions, with minimum customization and best practices codified into the software and its workflows.  The resulting reduced implementation cycle will lead to much faster deployment of enterprise management projects.

Overall, we expect organizations to begin the process of broadly assessing their applications portfolio to take greater advantage of cloud computing opportunities. These assessments will provide clients opportunities for consolidating applications and take advantage of a growing suite of SaaS offerings to simplify their IT operations and improve their flexibility.

Deployment Considerations

But how an organization adopts Private Cloud and SaaS solutions can have a significant impact on the long term success of these projects.  In many cases IT has spent too much time building virtualized pools of IT resources and private clouds and not enough time establishing standards for SaaS adoption or hybrid cloud management. This has often left business units free to procure cloud services with corporate security policies and compliance requirements ignored.  Misunderstood SLAs (service level agreements) may not deliver the required performance, capacity and availability, and organizational data ownership, availability and security could be put at risk.  Business unit, legal and IT organizations must be aligned to ensure these possibilities are mitigated.

Finally, let’s also consider the integration requirements between the organization’s software and data and that of the SaaS provider’s applications.  There may be complex, cross-application integration required to get the right information in the right form to the right decision makers at the right time without having to retrain the entire organization on how to navigate an entirely new application.

Recommendations

So what do we recommend given these predictions? 

First, organizations should increasingly consider SaaS a viable option for common line of business applications and IT management solutions, especially if they’re already considering outsourcing, as SaaS vendors may provide more cost-effective solutions than traditional outsourcers. We also believe that effective governance of security, compliance, and corporate policies will help ensure effectiveness and reduced risk when adopting SaaS solutions for mission-critical line of business applications, thus requiring IT’s involvement in business unit purchases of SaaS.  To help make effective governance a reality, IT Service Management SaaS solutions can provide the agility required to quickly implement the software functionality that underpins effective service management processes.

Second, enterprise architects should investigate new enterprise-class cloud management software and roadmaps from vendors to determine the best mid-term strategy. There is a plethora of cloud management stacks to choose from, requiring your ability to separate the wheat from the chaff for your organization.  Base your decision criteria on the necessary levels of security, availability, scalability, flexibility and self service, while ensuring a single management view of services, software and infrastructure across all deployment models in the hybrid enterprise.  CIOs should also engage with managed services vendors on their hybrid cloud management capabilities to consider outsourcing alternatives.  And always keep in mind that the cloud tool is just one part of building a hybrid enterprise capability – so ensure that other elements such as financial policy, security, ITSM, support services and system architecture are well integrated in your approach.

Lastly, we recommend that CIOs establish virtualization practices that encompass all aspects of virtualization to ensure best value is gained from virtualization, consolidation, shared IT services and private clouds.  User self-provisioning of cloud resources should follow an automated process utilizing standard configurations and pre-approved changes that address security and organizational policy compliance.  Workflow automation should be used for requests that can’t be satisfied with standard configurations to allow faster authorization and implementation.

With so many aspects of cloud across the hybrid enterprise – SaaS, IaaS, PaaS, public cloud services, private clouds, potentially community clouds – a balanced approach is needed to strategize, architect and instantiate your cloud services.

In 2012, we expect organizations to move beyond providing basic mobile device management services, and strategically develop more sophisticated methods for managing, securing, maintaining and deploying an ever-growing number of mobile devices and applications within their organizations.

We also predict that organizations will devote significant resources to developing new applications and reengineering business processes as they look to connect with clients and improve employee productivity.  Here’s how.

Mobile Device and Application Management

The rapid adoption of consumer mobile technologies is challenging the traditional model of managing and securing IT endpoints within the enterprise, forcing organizations to alter their approach to device management. To get a better handle on managing and deploying their mobile applications, we expect organizations to adopt enterprise App Stores and emerging Mobile Application Management (MAM) solutions. Enterprise App stores will be used to securely provision, deploy, and audit corporate approved mobile applications. To provide even more robust application management services and address management needs not fulfilled using mobile device management, we expect organizations to begin to adopt MAM solutions.  MAM solutions provide functionality including application provisioning, patching, monitoring, virtualization, license management, and enhanced security by isolating corporate data and protecting personal information on “Bring Your Own Devices” (BYOD).

As noted in Burak Bilir’s recent blog post, Taming the Mobile Application Portfolio in your Enterprise, we believe that organizations will require Mobile Device Management, Mobile Application Management, and well-defined processes in order to effectively manage mobile applications in 2012.

Process Re-Design for Mobility

As part of their mobile application development and application-enablement initiatives, we expect organizations to also review existing business processes to uncover process re-design opportunities in a new, mobile context.  Mobile-enablement can streamline and optimize existing processes, and more importantly can enable business process innovation by re-thinking how processes can be delivered more effectively using mobile devices.  Enhanced information available from mobile device sensors and inherent analytics capabilities will offer prime opportunities to enhance processes as organizations look to connect with clients and improve employee productivity.

In summary, we recommend that as organizations move forward to mobile-enable both internal- and customer-facing mission-critical applications, they also review existing processes to uncover process redesign opportunities in a new, mobile context.  To provide more robust application management services and embrace business opportunities introduced with the Consumerization and BYOD trends, organizations should utilize enterprise App Stores and adopt Mobile Application Management solutions.

In 2012, as mobile devices become the computing platform of choice for employees and customers, we expect organizations to fully embrace enterprise mobility as the preferred channel for doing business.  This will provide important opportunities for IT organizations with a well thought out mobility strategy to support business growth and gain a competitive advantage.

In 2012, we expect that organizations will accelerate the trend towards socially-enabling their client-facing channels and contact points, to gain greater connection to consumers and drive insights into client behavior that can improve service and client loyalty. Organizations will rapidly integrate social technologies into the fabric of their core enterprise applications in areas such as customer relationship management, case management, exception handling, and other transactional systems. There will also be greater use of advanced social networking technologies to enhance employee collaboration in geographically distributed enterprises – helping to improve efficiency, employee satisfaction, and overall client service levels.

Let’s explore these areas in some more detail. So far, investments in social computing have helped organizations create a solid baseline, social computing framework which supports internal employee collaboration and knowledge management and/or external customer engagement initiatives. Over the next couple of years, we expect to see this infrastructure transform into a new ubiquitous architectural layer, some call the “Enterprise Social Layer”. This new enterprise capability will redefine not only how we collaborate with colleagues, prospective and existing customers, and business partners but will also provide a wide range of social collaboration support for critical business processes and transactions.

Today, leading organizations are proactively engaged in building on their initial Social Computing experience, gained through global employee collaboration, knowledge management, corporate communications, marketing, customer forums and technical support communities. These companies have started to take this capability to their transactional, line-of-business applications by social-enabling business-specific functions supporting core business objectives (Figure-1). Early adoption has given sectors such as Customer Relationship Management (CRM) a head start in this direction.

Figure 1: Enterprise Social Computing Scenarios

Social Computing has the potential to greatly improve certain types of business workflow by cutting cycle-time for manual processes like exception handling.  So far, process automation technology has struggled with unstructured, irregular, ad-hoc processes that rely on manual collaboration and expert judgment. Some examples include insurance claims, supply-chain operations, case management, citizen reporting and exception handling. Most enterprise applications that require real-time employee collaboration and knowledge sharing for decision-making purposes, or those that require manual or “out-of-application” actions or holistic reasoning will benefit from the extended-reach, faster cycle-time, and automation of “social-enablement.”

The opportunity is here and the time is now.  Companies that embed social computing into their enterprise application fabric can gain productivity benefits across line of business applications and processes because it can inject a rich social experience and significant, expedited human insight into every end-user touch point.

In 2012, we believe there will be an accelerated use of IT Appliances in three key areas in addition to their well-known deployments related to intelligent analytics:

1. Cloud Infrastructure Appliances:  Highly scalable cloud appliances will leverage inexpensive, off-the-shelf hardware with a choice of open source and vendor cloud software stacks, allowing IT to more quickly deploy and more easily scale their private cloud implementations to support new and unexpected workloads.  Appliances can reduce the time and effort to implement private cloud infrastructures and management through pre-integration, and promote rapid scalability.
2. IT Infrastructure Appliances for Mission-Critical Environments:  IT organizations will begin to look at IT appliance innovations from mainframe vendors to transparently host their Windows and Linux applications, and to take advantage of desirable mainframe attributes such as application isolation, high security, transaction processing rates and availability, and lights-out operations.
3. CyberSecurity Appliances:  Both on premise and highly portable in a variety of form factors, these appliances will come on the scene to improve data security, availability and timeliness and reduce network bandwidth requirements for geographically dispersed enterprises.  High adoption rates will result due to ease of implementation, simplicity of deployment and lower management costs.

To better align with these IT appliance trends, we recommend that:

1. Data Center Architects should evaluate vendor offerings for cloud appliances that provide scalable cloud infrastructures utilizing inexpensive components, to determine whether these can meet their reliability, availability, recoverability and compliance needs.  Training, staffing and policy plans should be developed to complement architectures utilizing these new cloud appliance offerings to gain best long term value.
2. CIOs and Enterprise Architects should examine mainframe appliance abilities to provide desirable attributes to current and planned applications and IT services.  Total Cost of Ownership (TCO) rather than capital investment cost should be formulated for moving applications to mainframe environments, looking at mainframe services based on-premise, hosted and/or in public clouds.
3. CISOs and Security Architects should weigh the use of client-side security and data appliances to help prevent security breaches while using public or private networks and make more efficient use of network bandwidth.  Evaluate using these solutions to implement secure, high performing remote access and data transfer for remote offices, teleworkers, mobile staff, contractors, and in public safety, first responders.  Examine whether these appliances will help meet regulatory compliance related to network security, as well as reduce costs in implementation time, staff overhead and network operations.  Finally, security and data architecture should be developed that takes advantage of these appliances.

Thoughtful application of IT appliances can help speed IT initiatives, reducing both time and total cost to achieve value from these initiatives.  So it’s important to take into account the capabilities and limitations of IT appliances when developing your enterprise architecture.

In 2012, the challenges will move from mostly technical ones such as determining the right solutions and platforms suitable for gathering Big Data-related insights to business challenges of determining how and where to get the optimal business benefit from big data analytics.  With so many different sources of data streaming into the enterprise, including new data streams that have become available from external sources, one of the key considerations will be knowing which streams of data can give the greatest payback in terms of real-time insights and corresponding real-time decision making.

As highlighted in my prior blog post, Big Data and Smart Computing – The Road Ahead for IT, Smart Computing is an excellent complement to the Big Data challenge because once CIOs have transformed their information infrastructures to intelligently collect, store and manage this information, they still need rapid and automated ways to sift through the data, identify patterns, and perform intelligent analytics. Our additional predictions in this space therefore fall into two areas: Data Management & Storage and Data Analytics.

Data Management & Storage

We expect that, driven by the need to address exploding data growth and diversity, organizations will enhance their data audit and security measures for compliance, renew their emphasis on storage rationalization, and prepare to transform their information infrastructures. The time is ripe to fundamentally re-think and re-design how enterprise information is collected, stored and managed and to take advantage of today’s lower costs of storage, processing and analytics. The challenge highlighted earlier, however, will be to determine the key business opportunity areas beyond quick wins in certain areas such as click-stream, ad-targeting and customer sentiment scenarios.

In the storage arena, in particular, we expect that with growing data streams driving up storage costs, organizations will look to rationalize their storage strategies to keep data costs under control.  We anticipate a two-fold benefit as organizations firstly rationalize storage across their existing tiers of storage infrastructure and, secondly, procure and deploy new storage technologies to further optimize these cost savings.

Data Analytics

The ability to gain insight and competitive advantage from Big Data is both an opportunity and a competitive threat.  Businesses and government agencies alike are adopting advanced analytics technologies to build innovative new services, improve service levels, and drive greater efficiency.  We anticipate that use of Smart Computing and Intelligent Analytics will move beyond well-known areas such as predictive analytics for sales data, and become increasingly adopted within the IT domain in areas such as Data Center Automation, Security Event Analytics, Regulatory Compliance, and Problem Management Automation. This approach will help IT continue to automate critical aspects of its operations such as data center, security and help desk functions and free up staff for more specialized and value-added tasks.  The intelligent analytics component will help IT move further along the automation continuum into new areas previously reserved for human decision makers and will help to alleviate manual bottlenecks where throwing more bodies at the problem is no longer tenable.

In summary, we recommend that organizations consider these predictions when formulating their approach to Big Data in 2012, and develop a strategy that takes a lifecycle approach from data acquisition, to access, to availability, and to analytics.  Big Data is much more than just a storage issue – it’s really about your strategic approach to information management and the business value you’re able to extract across the full lifecycle from acquisition to analytics.  In 2012, the topic of Big Data will not be about the attributes of the data per se (i.e. the much-touted volume, velocity, variety etc.), but about what you do with it – the new attributes such as extreme scale merely drive the business case for transformation and new techniques.

In addition, as cyber crime grows more sophisticated and IT infrastructures become more complex, we predicted organizations would take a more holistic, integrated approach to security across the enterprise. Organizations would increasingly work to integrate their myriad physical and digital systems into single-pane dashboards that enable them to better monitor security threats across their organization and manage overall compliance requirements.

In 2012, we expect that organizations will continue along this trajectory in an effort to integrate their CyberSecurity operations into a proactive enterprise security intelligence methodology that can deal with a wide range of potential threats and vulnerabilities.  These threats are primarily driven by the increasing sophistication, frequency and scale of cyber crime, and the rise of mobile devices and mobile applications as the preferred “new desktop” fueled by the Consumerization of IT.  In addition, the ongoing security and sensitive data protection issues related to the mainstream adoption of cloud and social computing, and the increasing regulatory environment will drive organizations to embrace a proactive security model based on advanced event correlation capabilities.

In this proactive approach, hybrid (physical and cyber) security operations models will employ dedicated analysts coupled with advanced data analytics gathered from an array of sensors to predict and remediate emerging threats before they cause significant damage.  The key aspects of this proactive enterprise security intelligence methodology are the integration of an array of sensors such as intrusion detection, malware and antivirus detection, and data loss prevention coupled with continuous compliance capabilities, forensics and situational awareness all built into the operational model. The focus will be on proactive techniques and intelligent analytics in order to reduce the cycle time between threat detection and remediation. Another step organizations will take will be to follow a defense-in-depth approach and create protected silos within their data operations to prevent access to sensitive information in cases where their network perimeters have been breached.

Notably, as disruptive trends such as cloud, mobile and social computing make the enterprise security perimeter increasingly porous, we expect CIOs and CISOs to employ other disruptive trends such as big data and smart computing to help tighten their defenses.  We expect that big data-style intelligent analytics techniques will be increasingly applied towards fraud detection in financial services as evidenced by some of our recent client work and that advanced data visualization will be increasingly applied to help dedicated analysts identify patterns representing emerging threats to business operations.

An additional focus for 2012 will be on continued cost savings and standardization through consolidation of security systems such as access control and video surveillance particularly in global organizations with a diverse and geographically dispersed amount of infrastructure.

Overall, we anticipate organizations will continue to mature their CyberSecurity frameworks and capabilities whilst at the same time consolidating key systems for cost savings and standardization.  The savings applied through consolidation will then be able to be re-directed towards hardening the CyberSecurity perimeter.

So, what was the motivation for appliances?  Back in the ‘90s, I saw it as a shortcoming of software engineering in the following sense.  It was easier to plug in an appliance than to configure the software on a standard commodity server.  Looking back at the original appliances, the information you had to put into the device was overwhelming.  Imagine getting a router and a set of 8 diskettes (remember diskettes?).  After transferring their information into the device, you needed to choose from a complex set of options to set it up to be “just right.”  Of course picking the options would have been a challenge since the user interface device could cost as much as the appliance.  Given the complexities of configuring software, a shrink-wrapped appliance made a lot of sense.

The design decision for appliances that plagued the early manufacturers was to either pick a custom-made processor or implement functionality on a “commodity server.”  History has shown us that commodity servers consistently increased in performance at a rate that surpassed the performance of the custom server selection.   

This conundrum was eliminated with the adoption of virtual appliances allowing a single commodity server to be used to host multiple virtual appliances. For example, the Unisys Secure Private Cloud appliance hosts over 10 virtual appliances that are all pre-configured to work together to provide a “shrink-wrapped” cloud management environment.

But what really makes an appliance an “IT Appliance?”  The term “Datacenter Appliance” has been used to describe a containerized datacenter that is delivered in toto and includes all IT infrastructure needed to run a customer’s applications.  The Virtual Computing Environment Company (VCE) has introduced vBlock which includes processing, storage, network connectivity and virtualization in discrete units. In general, the term “Datacenter Appliance” seems to apply to appliances that provide the physical and virtual resources for a datacenter.  Today, Oracle’s Exadata is pitched as an “IT Appliance.”  It includes processing, storage, network connectivity, an operating system and applications.  As an all-in-one box (significantly bigger than a toaster), it could perhaps suggest a future direction for appliances.

Imagine a real “IT Appliance” that can manage and host all of the IT resources, along with the necessary automation of processes that are required to maintain steady-state execution of applications.  An example of this would be the current integration of Unisys Secure Private Cloud with the Unisys remote infrastructure management offering, called “Unisys Converged Remote Infrastructure Management Services” or simply c-RIM.    The appliance offers self-service provisioning of infrastructure and automatically updates the back end IT Service Management (ITSM) processes that are managed remotely.  In this way, datacenters can keep their critical information within their datacenter but the care and feeding of the resources and applications, along with operational best practices, are handled through a single appliance on the customer’s premises.

OK, it’s not as simple as a toaster, but we’re getting there…

While mobile online shopping is wonderfully convenient, pre-Christmas frantic buying combined with summer holiday laziness (for those of us “down under”) can put customers at risk of cyber-crime, such as scams and phishing attacks designed to enable identity theft and financial fraud.

Consumers need to be sure they are extra vigilant and take some simple steps to better protect themselves.

Did you know:

More of us are shopping online:

• In America, the number of consumers visiting e-commerce sites on Black Friday this year (25 November – seen as the start of holiday shopping in the US) increased by 35% year-on-year.
• Online retail in Australia is expected to reach AU$30.2 billion by the end of the year.

More of us are using mobile devices to shop online:

• According to Google, Australia has the second highest smartphone penetration in the world (behind only Singapore) at 37%, and is expected to reach 50% by the end of the year.
• No wonder the number of shopping queries coming from mobile devices in Australia has increased 220% year-on-year. In fact, one quarter of all Christmas shopping-related Google searches this year now come from mobile devices.

Yet many of us put ourselves unnecessarily at risk when mobile online shopping:

• Many people don’t take even basic steps to protect the information on the mobile devices – for example the Unisys Security Index found that 6 in 10 Aussies and Kiwis, and almost half of Hong Kongers, don’t secure their mobile devices with a PIN or password (November 2010)
• Ironically, we also know consumers in Asia Pacific are unforgiving when businesses don’t protect their data, with 85% of Australians, 81% of Hong Kong people and 80% of New Zealanders saying they would cease doing business with the company if they discovered a data breach. So surely we should put the same expectation on ourselves as individuals to take steps to protect our personal information.

Below are some simple suggestions to reduce your risk of cybercrime while shopping online this holiday season.

Tips for safer online shopping:

• Protect information on your smartphone or tablet by locking it with a PIN or password.  Even better, choose one that is hard to guess and change it regularly.
• Fully log out of an online shopping account when you have finished with it, so that someone else cannot continue shopping in your name if they get hold of your smartphone or tablet.
• Only shop on trusted and secure transaction sites. Check the site has an SSL certification, and the URL starts with https:// (not just http://). The absence of an ‘s’ is often an indication of a rogue trader.
• Be extra careful when creating online accounts via a smartphone as the limited web functionality and smaller screens can make it more difficult to verify the authenticity of online shopping sites.
• Closely check your bank and credit card statements to identify any purchases that are not yours – if you find any, contact your bank or card provider immediately.
• Don’t action emails that ask you to enter personal information about your online banking access into a website – your real bank would never ask you to do this.

Seasonal scams to avoid:

• Too-good-to-be-true promotions, which are actually phishing sites to access all your data.
• Seasonal screen savers and eCards can carry trojans and viruses, so don’t open them or download unless from a trusted source.
• Be selective when downloading smartphone apps and FaceBook apps – remember all apps are a software program.
• Be wary of ‘spirit of giving’ scams that take advantage of people’s generosity over Christmas, asking for donations via emails, tweets or text messages from sources you don’t know.

Cheers,
John Kendall
Unisys Security Program Director, Asia Pacific

NOTE:  This is an opinion piece and is intended only to provide a summary of the subject matter covered. It does not purport to be comprehensive or to render advice. No reader should act on the basis of any matter contained in this piece without first obtaining specific professional advice.

Navigating this unfamiliar terrain certainly introduces new challenges as it involves a departure from traditional technology and structured process management – the very same factors driving its success. However, the benefits are worth the effort.  For many decades organizations have been working hard to automate the daily enterprise workflow.  We have been successful in transactional, repetitive tasks but missed the mark in human collaboration where expertise, judgment, and intuition are frequently exercised.  Sometimes automation fails as it focuses too much on how work should ideally be done and misses the point on how people actually do the work.

Social computing allows people to communicate their experiences and thoughts in a natural way by taking individual experience, context, knowledge, and relationships into account.  Whether this new method of social collaboration is used to streamline and support a case management process or for customer collaboration or to improve internal knowledge management process, it yields exceptional results.

Allow me to illustrate.  At Unisys we have witnessed the power of social collaboration through our internal social network and knowledge management initiative.  The purpose of this global initiative was to make knowledge sharing and social collaboration an integral part of the corporate culture and improve the reach and quality of internal knowledge exchange.  We used enterprise social computing to enhance the ability of employees to connect and collaborate more efficiently and share knowledge more effectively on our enterprise collaboration platform.  This solution is already being used by 15,000 of our 23,000 employees and fully integrates with our existing global enterprise content management solution.  Plans are to integrate it with our sales force automation solutions and other enterprise applications.

We continue to gain visibility for our progressive use of social media tools internally to build a collaborative, knowledge-sharing environment.  Following the recent case study in Harvard Business Review, Increase Your Company’s Productivity With Social Media, Unisys is one of five companies featured in a new infographic on Five Companies That Are Rocking Social Media where it is featured along with Dell, Morton’s, KLM, and ABC.  You can read more about our social collaboration initiative in Leveraging Social Collaboration to Increase Agility and Competitive Advantage.

While there was hype about the incident, Steve focused on immediate points enterprises should focus on working through.

• Maintaining dialog with solution provider who is under attack
• Preparing for an extended investigation
• Informing user base
• Evaluating internal systems

2011 was a year of unprecedented cybercrime. That is no hype. The scale, sophistication and frequency of cyber crime took most enterprises and governments by surprise.   The pressure will not let up in 2012. So, the question becomes is your enterprise ready for the road ahead? There are so many pathways to that question!

Unisys Security Straight will be here in 2012 to re-engage with you and begin our conversation on the road ahead. Predictions for 2012.

Thank you for your readership, and we welcome your blog topics for next year.

This week I want to bring your attention to one of our most recent additions, Richard Bryant.  He is a passionate man on paper, and if possible to imagine, an even more passionate man in person. What is he so worked up about? -  Hacking threats, and the desire to demystify cyber crime. We had him sit down and talk us through The Six Biggest Hacks and How to Deal With Them.

In this three part series posted this September, Richard goes beyond describing the terminology. He spends time really helping us understand

• Why that threat is even categorized as a threat
• How hackers pull it off
• Why the current IT model fails
• How can you change the dynamics

If hackers are 42 steps ahead of enterprise security, Richard is a one man mission to help enterprises understand the business risk and solve their security challenges. Glad he is on our team!

The goal of Incident Management is to resolve issues before they cause service disruptions, while Problem Management attempts to determine the root cause of incidents after they have occurred. Proactive Problem Management takes it a step further by using Predictive Analytics tools to analyze trends and patterns to prevent incidents from occurring in the first place. The potential benefits are significant (reduced incidents, improved user satisfaction), but many organizations have still not yet adopted mature Problem Management solutions. As indicated in a recent Gartner report, Improving IT Service Support With Incident and Problem Management Integration, 80% of surveyed organizations do not have Incident and Problem Management well integrated from a people, process, and technology perspective.

As I mentioned in a prior blog post, Smartening Up Your End-User Solutions, to cost-effectively reduce incident levels analytic tools collect information from various sources to detect patterns or trends, which provide insight needed to identify and resolve issues before they are noticed by end-users. But to effectively implement a sustainable solution, Incident and Problem Management need to be integrated at the people, process, and technology levels. Armed with known errors, fixes, and workarounds developed by Problem Management, the Service Desk team can more efficiently execute processes to resolve end-user issues. Data produced by the Incident Management (Service Desk) team provides valuable data that helps a separate Problem Management team prioritize workloads and develop fixes that reduce the frequency and impact of incidents. By adopting Analytics tools to identify trends and potential issues early in the process, both Incident and Problem teams will have data needed to prevent incidents rather than react after they have occurred and already impacted business services.

Organizations that successfully mature their Problem Management processes and develop proactive capabilities will recognize benefits including increased customer satisfaction, lower incident levels, improved knowledge management, and improved end-user and analyst productivity. To move forward with proactive Problem Management initiatives, it will be important for IT organizations to clearly justify and link requested investments in people, process, and technology with resulting business benefits. A well formulated business case will help IT communicate the business value of applying Smart Computing to the organization’s senior managers and business leaders.

Unisys has taken a proactive Problem Management approach to delivering services by incorporating use of monitoring, analytics, and resolution optimization in its c-RIM offerings to reduce incident levels, lower costs, and achieve enhanced customer satisfaction for our clients.

In the blog post, Enterprises Beware: Don’t Let Security Fall into the Consumerization Gap, we discussed that the majority of IT decision makers who responded to this year’s survey on the consumerization of IT cited security concerns as a key barrier to enabling employees to use personal devices and consumer applications for work.

So employers realise they need to get on top of the issue but, as they see all actions as urgent, don’t know where to start: from determining the best way to deliver IT support, improving security of data and access, strengthening policies and compliance, setting up employees with mobile devices, and transforming the data centre to effectively deliver data and applications to support the use of mobile devices.

With so many competing priorities it’s no wonder organisations are daunted by the challenge and feel overwhelmed. How do they start proactively managing consumer technology in the workplace?

The following plan of action provides a logical process to bring the influx of consumer technology under control.

1. Take stock – Understand what technologies are being used by employees and address the security risks to gain some control over what’s currently being used.

   Conduct an audit asking employees to identify the technologies they are bringing into the workplace and nominate the others that they would like to use but aren’t yet doing so.

   After doing this you can then create an enhanced security environment comprising a number of elements such as policies, procedures and security software to address the employee-owned mobile devices and any new devices introduced by employees or the organisation, and the use of social media.

   However, balance protection with enough freedom to use the devices and social media in a way that delivers productivity benefits.

2. Identify weakest points – Strengthen security at the weakest points – the devices and the network – to ensure data isn’t compromised. You can do this a number of ways including the use of digital certificates for authenticating users on the network and compulsory PINs to secure mobile devices such as smartphones and tablets.

   Network Access Control (NAC) provides a layer of protection against improperly used, infected or rogue endpoints attempting to connect to internal network segments. NAC does this by requiring devices to prove they are safe to connect to the network (pre-admission), and dictates where endpoints are authorised to go and what they are authorised to do. If the endpoint doesn’t meet the entrance criteria, NAC technology can quarantine and remediate non-compliant, infected or miss-configured systems.

   Create or revamp policies (and enforce them) in combination with IT security solutions to manage employee use of these technologies, and then provide employee education on their appropriate use. 

3. Determine best deployment for business benefit – Look at how to best manage devices and support users. Some ways to support users include self-help portals (covering the most common problems), support via chat/instant messaging, and a virtual service desk with FAQs and training videos is especially good as it can be available 24/7, which matches the ability to “work anytime/anywhere” nature of mobility.

   Decide who in the organisation should get to use consumer-style mobile devices to deliver benefits to the business – it may not be the top brass.

   Integrate new technologies into existing support models rather than create new models just for new devices or applications. Consider building more self-service tools to reduce pressure on the IT support teams.

   As users become more mobile, use remote management technologies such as Mobile Device Management Solutions to deliver security updates, deliver applications and provide support. Consider that managed service providers can support a wider range of new technologies faster than in-house IT teams.

Once the security and support issues have been bedded down, organisations can start to look for innovative ways to modernise or develop new enterprise applications that make use of the mobile devices and social media to improve or replace business processes.

The reality is consumer technology is coming into your organisation in droves; it is time to take control and transform the way you do business to harness the true value these new technologies have to offer.

We would love to hear how you are adopting consumer technology to improve employee productivity or change the way you deal with your customers. Please submit your comments below.

According to Forrester¹, organizations will be spending $7.6 billion by 2015 to re-engineer and re-invent the business processes and back-end systems to implement completely digital end-to-end, “straight-through” mobile business processes. This will be in addition to the $5.6 billion they will be spending on building mobile apps the same year.

The challenge for organizations is to identify which business processes and functions will deliver the most business value for mobile enablement and what is necessary to make the technology work effectively. To answer these questions, organizations should take a step back and look in detail at the routine of daily business workflow. They should try to figure out not only if the business processes can be optimized to make mobile workers more productive, but also if the work can be done in a better way with the use of new mobile technologies.

It is imperative to understand that enterprise mobility is not only about task optimization. If all you are doing is reformatting a web form for a mobile browser or building a mobile app for a standard function which is also available on a traditional PC, you may not be maximizing your opportunities. It is important to rethink how core business services can be delivered on mobile devices end-to-end with value-add. The potential for business process innovation on mobile devices is due to a number of factors which include extreme mobility, new rich sensors, new user experience paradigms, continuous connectivity, and cloud-based services.

For example, you may be able to improve the business value by leveraging sensors on the mobile devices such as using GPS and location-based services for field appraisals, using still cameras to scan bar codes, using video cameras for capturing footage for insurance claims, or leveraging Near Field Communication (NFC) chips for mobile payments. Bluetooth connectivity opens up other possibilities such as adding industry sensors. You may also want to extend standalone applications with cloud-based services such as providing text translation, traffic information, voice recognition, or video analytics services which rely on a range of powerful back-end services and databases. Marrying social computing capabilities with mobile devices creates a web of interconnected devices that are aware of each other in close locations, improving employee collaboration.

Therefore, organizations should not be focusing on building replicas of individual PC-based functions, but instead identify and analyze potential business workflows under the light of the new mobility paradigm and ask the question how new business value can be created. A well executed, mobile-enabled business process will allow you to improve customer satisfaction, supply chain optimization, field service productivity, and employee productivity offering new value potential and revenue streams.

 ¹ Forrester Research, Inc. – “Mobile App Internet Recasts the Software and Services Landscape”, February 28, 2011

Perhaps many of you remember this post’s title as a portion of dialog in “2001 – A Space Odyssey.”  I can’t say I understand all of the messages in the movie, but the theme of automation gone wrong is quite clear.  Only when you hear HAL say, “Stop Dave, I’m afraid” do you realize that the fear of loss of control goes both ways.

A number of our cloud conversations with customers touch on a concern about creating and managing a huge number of Virtual Machine (VM) images for their developers because each developer requests his or her own customized VM.  Developers aren’t comfortable with the standardization that goes hand-in-hand with automation.  During these discussions, we explain that when we first started automating within the Unisys engineering labs, we were in a similar situation.  Provisioning was considered a custom request and required a minimum elapsed time of two weeks to be satisfied. Today, 95% of the requests in our lab are “standard” and, through automation, makes a VM available within 5 minutes. This has given our customers courage.

Other discussions are more general than addressing the customization issue.  An IT director explained that he was calling their cloud initiative a “cloud architecture” since their stakeholders were very uncomfortable with centralizing control of their computing into a cloud that is shared by multiple business units.  This is just one example of what we’ve discovered.

I’m reminded of a situation I found myself in a long time ago.  I was architecting an automated admissions system for a college.  The admissions officer had a box on her desk that was filled with 3×5 cards.  She literally put her arms around the box and said that she could not possibly work without it.

So, as we worry about which cloud technology is best for our customers, we need to understand something that continues to be the maxim regarding data center transformation.  The real competition to our solution is not technical.  It’s inertia and an inability to articulate the value of overcoming this inertia in the eyes of the stakeholders.

Of course, automation is an inexorable trend in our industry.

Nevertheless, customers will not respond to the attitude that “resistance is futile.”

Instead, we have found it beneficial to share our own experiences in our lab, as well as providing insights into how they can guide their stakeholders through a set of manageable steps to achieve the benefits that we have realized for ourselves and our clients.

This year we focused heavily on challenges rising from cyber security, consumerization of IT and social media. Really, how could we not? While most of the content in the blogosphere focused on the “what” are these challenges, I would like to think we added more to the “how” are enterprises going to be begin addressing these security challenges.

Over the next few weeks I want to highlight three bloggers that challenged us to think beyond the “what”, and gave us content to really dive into the “how”. First up, Jan Wiewiora and his September post on Preventing Data Leaks Before They Occur. While most content is focused on the sensationalism of what happens after a data leak, Jan builds a case for enterprises to never have to show up on the front of the newspaper.

Better yet, Jan tackles challenging “how” questions head on! – “How do we get employees to not become inadvertent security threats?”; “How to determine access controls that will truly help protect data without requiring a “lockdown”?; “how to implement policies and have an impact?”.

The idea of knocking out or blocking access to critical infrastructure to weaken an opponent is nothing new. In ancient times attackers would surround cities and cut off access to food, water and other supplies.  Such blockading is common military offensive strategy.

But with our increased dependence on our technology networks in both our work and personal lives, it is no surprise that today’s attackers seek to exploit security vulnerabilities in the cyber world with the aim of disrupting the physical world.  This applies regardless of whether the cyber attack is designed to take down the IT system itself or is used to damage other critical infrastructure such as water supply.

Interestingly, when we polled the public in 11 countries across the globe in March 2011 as part of the Unisys Security Index™, Australia and New Zealand were the only two countries where the Internet was rated as one of the top two national infrastructure assets vulnerable to malicious or terrorist attack.   

This may be because our nations “down under” are very aware of their remoteness and resulting dependence on the internet to be part of the global market.  Or perhaps it is simply because Aussies and Kiwis are less concerned about the vulnerability of other pieces of national infrastructure, such as public transport or places of large gatherings, than people in other countries are.

Either way, it is clear that effective cyber security is now an essential part of protecting national infrastructure and therefore is a vital part of any national security strategy – not just to protect vital information and communication technologies, but also to ensure they are not used to damage or block access to other physical infrastructure.  This is evident in the renewed focus being placed on cyber security by the Australian, New Zealand and other governments.

Cheers,
John Kendall
Unisys Security Program Director, Asia Pacific

Our IT industry has also moved from resource scarcity to resource abundance. The continued improvement of processing and storage densities has fueled the explosive growth in virtualization technologies. Processor virtualization burns CPU cycles and memory to increase overall system utilization. Most don’t notice this trade-off because more, cheaper resources are readily available. The leap to virtualization enabled the programmatic controls necessary for automation. Automation in turn has fueled the growth of large-scale public infrastructure and software as-a-service clouds. Users expect these public clouds will provide them instant access and perceived infinite resources for their future needs.

This abundance has raised expectations of what is possible so these users now have the same expectations of enterprise IT organizations. They reason that these organizations should benefit from the same explosive growth in processing and storage densities. And, since IT organizations have access to the same technologies from multiple providers, users expect them to provide the same capabilities. Why haven’t they?

Enterprise IT organizations benefit from resource abundance, are adopting virtualization, and are raising their utilization rates. However, they have not created the same instant access and perceived infinite resources that users now expect. Virtualization and its follow-on, automation, demand extensive changes in how enterprise IT shops operate. They seldom appreciate the impact that virtualization and automation will have on their organization, operational processes, management tools and decision making. As examples, the instantiation of a virtual machine differs greatly from the acquisition and installation of a physical server. And, the automation of an application’s deployment on a virtual machine requires programmers in operations. These are just a tip of pending changes.

At Unisys, we create clouds, operate clouds, and help enterprises plan their clouds. We use this knowledge and experience to help customers who are seeking to create their own private cloud since they are often overwhelmed by the complexity and the addition of another paradigm to their already full docket. Unisys Isaac Levy’s 4-part blog posts on Preparing for Your Private Cloud outline many of the considerations to help IT organizations that are struggling with these new concepts and how to best implement them.

One thing we know is that abundance creates opportunity. What abundance did in Tuscany during the 14th century is happening to enterprise IT. A renaissance is coming.

This cannot continue. Unless you take a holistic, systems-oriented view of your information system, you’re inviting failure. The compartmentalized approach isn’t sufficiently agile enough to adapt to today’s asymmetric, globally distributed use of information, and will eventually break. This butterfly effect means that even small changes in your network can have a disruptive impact on security.

For example, an increasingly common practice today is to encourage employees to network with customers and partners using social networking sites. This activity often takes place over the organization’s internal network. Unless you’ve thought it through holistically, you have no idea what the consequences might be. You could end up with a real storm in an unexpected area of your network, simply because you allowed access to social networking.

The pace of change continues to accelerate and, with it, so does the evolution of threats. We live in an era where it’s not only possible, but easy, for anyone with an axe to grind to make off with entire libraries of information and, minutes later, share their haul with the entire planet.

A few years ago, it would have required a crew from “Mission Impossible” to make off with millions of U.S. Armed Forces or State Department documents. But as the WikiLeaks incident proves, today it requires only a logon and some portable rewritable storage.

The key to deflecting this risk is to understand that IT security is no longer a technology or people problem. It is an information problem as well. Take a holistic view of your information system. Encrypt your information at rest and in motion. Monitor its use. Respond to anomalies. Update your policies (including how you authenticate). And enforce your procedures.

These properly integrated business process changes must be ready and tied off with the enterprise stakeholders before any data arrives. Otherwise their value won’t be realized. Even worse, the enterprise’s credibility with its customers will be seriously damaged if customers don’t see evidence that their feedback is being taken into account.  A major driver for social enablement is the importance of deeper and deeper customer/stakeholder engagement; not just to monitor views, but to communicate the messages of your activities, products and plans – i.e. to collaborate.  Consider the potential tidal wave of data that could appear through the increase in mobile computing where the integration of social applications is becoming the rule and not the exception.

As in the adoption of any technology-enabled innovation, the ground work has to be done first.  Identify the component of your business that would benefit from customer or internal stakeholder feedback and collaboration, and be clear on why and, most importantly, how the benefits can be continuously measured.  Are the enterprise departments/stakeholders in full agreement with the benefits and how they’ll be achieved?  What changes need to be made to the business processes (automated and manual)?  How will these changes be co-ordinated with your existing people-centric systems – Knowledge Management, Customer Relationship Management and Enterprise Content Management?  How do these plans fit with the enterprise’s strategy for mobile computing?  What are the associated costs and timescales and are they consistent with the return on investment being committed?  Can the changes be harmonized with existing business/system modernization projects?  Make no mistake, in a very short space of time social enablement will become an institutionalized part of the plumbing of every enterprise, so treat it like any other business-led activity.

Particularly in the case of social computing, a slick and continuous marketing activity needs to be in place.  Tell the internal and external stakeholders what you want, what you will do with what you get, tell them as you go along what you’re doing and give them an appropriate and accurate feel for the aggregate of the intelligence/feedback you’re receiving. And, most importantly how the enterprise is taking account of it.  As with the other business process changes that are necessary, this public relations activity must be pre-planned and diligently managed.

Professionally planned and executed Social Computing initiatives will transform the way that we interact with each other in our businesses and with our customers.  As a result, if planned up front and executed professionally, enterprises will improve their productivity, time to market, relevance of products and services, quality and depth of customer engagement, internal collaboration and quality of service. Unisys prides itself in focusing enterprise change upon predictable and measurable business benefit – the integrity of our offerings demands nothing less.

However increased competition through deregulation of many industry sectors such as banking, telecommunications and energy providers, and access to a much wider market to buy from via the Internet, has moved power into the hands of the consumer to decide whether they want to continue doing business with you, or change to someone else.

Customer trust is key to developing customer loyalty.  But it can be quickly eroded if consumers feel that they have been put at risk – such as if they find out that an organisation they have been dealing with has suffered a data security breach. 

This is particularly the case in Asia Pacific where, according to the latest Unisys Security Index™, at least 8 in 10 people in Australia, Hong Kong, and New Zealand would stop dealing with an organisation, such as close their account, if they found out that the privacy of their personal information had been compromised.  Of the 12 countries surveyed in the global research study, Australians are the most likely to say they would take such action, with Hong Kong and New Zealand not far behind.

Of course this is what people say they would do, and some sceptics point out that Sony hasn’t exactly fallen in a heap after its recent PlayStation security breaches.  But Sony’s PlayStation customers have made a significant investment in their console and games software so there is a deterrent to simply swap to another gaming platform.  In contrast, we are regularly bombarded with marketing offers from mobile phone carriers, home loan lenders and energy providers with attractive rewards to change over, often with the offer to manage the administration of changing providers for you.  In these “utility” markets it has never been easier to change – and the customer knows it.

The survey also found that many people say they would consider other actions such as publically exposing the issue and taking legal action.  It is almost as though they want to punish the organisation for putting them at risk.

There are currently no laws for mandatory data breach notification in Australia, Hong Kong or New Zealand.  Given the possible reaction of customers some might argue there is no incentive for businesses to tell customers about a data breach.  But organisations do have a responsibility to inform their customers immediately if there has been a breach so that customers can take actions to minimise their vulnerability to financial or identity fraud.  They may even win some brownie points if they are seen to act quickly and helpfully.  Also, consider the impact if an organisation is caught trying to cover up such a breach – damage to reputation and loss of customer trust.  Better to have quick and transparent communication with customers and work with them to reduce their vulnerability.  You have more chance of retaining your customers’ trust that way.

Mandatory data breach laws would make sense if it is found that businesses (and government organisations) fail to act responsibly off their own bat.  But the focus should be on those breaches where there is real risk of harm as a result of the breach (eg access to financial details; risk of identity theft; access to biometric data etc).

The Unisys Security Index (conducted since 2006 in Asia Pacific) has consistently found that the top two security concerns for the public are data security related:  people obtaining/using credit/debit card details; and unauthorised access to/misuse of personal information.

No wonder they are putting business and government on notice that that they are not going to passively accept privacy breaches.  

Cheers,
John

If we go back ten years to when I wrote “Business Agility: Strategies for Gaining Competitive Advantage Through Mobile Business Solutions,” Consumerization was just starting to fuel mobility and the bulk of solutions were from specialized providers of enterprise mobile devices and mobility software. At the time, the major enterprise value of a standard mobile phone or smartphone, beyond communication, was for basic functions such as personal information management (i.e. e-mail and calendar etc.). Anything else in terms of enterprise functionality had to be accomplished through much more specialized hardware from companies such as Intermec and Symbol.

In today’s world, due to the sheer numbers of consumers with smartphones and their increasing functionality such as location-based services, multi-media and so forth, we’re now well past a tipping point – companies such as Apple and Google can make large profits in the consumer market and direct those profits back into R&D in order to constantly innovate and improve their products. There’s a great article about this in a recent issue of The Economist called Beyond the PC.

These consumer devices are now far more powerful and feature-rich than most of the corporate-issued devices of the past and are beginning to take on broader roles as mobile computing devices beyond personal information management. Unisys has been studying Consumerization of IT over the past couple of years; our recent survey in conjunction with IDC shows some of the challenges and opportunities faced by the typical enterprise as they embrace this trend for business advantage and attempt to close what we call the “Consumerization Gap.”

It could be argued that the R&D fueled by the sheer scale of the consumer market is where the major innovation is occurring within the IT industry. Hence it is directly fueling innovation in the enterprise arena as employees bring these technologies and approaches into the workplace. This extends not just to mobility, but also to social computing and cloud computing as well. In terms of enterprise mobility, the innovation doesn’t stop at the device of course. There’s plenty of opportunity for companies to innovate and differentiate in terms of how they secure, manage and support these devices and how they mobile-enable their internal and customer-facing applications.

So while Consumerization may not have always fueled enterprise mobility in the past, today it is a driving force and is enabling tremendous opportunities for IT to re-think and re-design their strategies, applications and processes through disruptive trends such as mobile, social and cloud computing.

The global network has moved from being geographically based to being mobile. Office workers no longer need to chain themselves to a desk in order to connect to their network, or jump through hoops to establish a poky remote connection. A speedy network is available to them wherever they are.

Data flow has also changed. We used to have to click our way through to the appropriate website, portal, or page to access or update information. Now the data comes to us whenever it’s been updated or when we need to pay attention to it. And we can act on it in real time, without having to navigate back to its point of origin.

These changes in how data flows raise three significant vulnerabilities that need to be addressed:

1. Mobile devices need both strong “end point” security and “identity authentication.” The devices should be monitored remotely by the organization. The information should be encrypted. Authentication should involve multiple factors, including biometrics (such as face, iris, fingerprint, or voice). Expect to see device and software vendors start to work on the biometric as an encryption key; e.g., identity cryptography.
2. Apps that “push” information require a different approach to information assurance. This is where identity authentication plays a crucial role. Organizations need to be confident that the mobile device is in the hands of a person who has the authorization to see the information being pushed. This will take time to develop, but the principles of information assurance still hold strong (confidentiality, integrity, availability, non-repudiation, authentication, and now privacy).
3. Changes in work behavior and work location will demand more attention to securing information, no matter the location. This is not something that we in the IT security field can ignore or prevent. The economics are making these changes unstoppable. There are savings to organizations from not having to house so many workers in so many places. There are savings to workers in terms of travel costs (vehicles, fuel, insurance, expenses, commuting). And there are environmental savings to society from the decline in commuting, national, and global travel. Organizations must understand that they need to secure information at rest and in motion by encrypting it, monitoring its use, and locking down their increasingly dispersed infrastructure.

Part 3, the final chapter of this series, will focus on “Information Security and the Butterfly Effect”.

In the movie, Spock and McCoy debate whether the Genesis Device brings creation or destruction.  Spock notes that using it on a planet where life already exists “would destroy all such life in favor of its new matrix.”  In a very similar vein, the challenge when building a cloud in your data center is to avoid breaking what you already have.

Leveraging a cloud appliance to build your private cloud is an excellent first step.  A pre-configured, pre-installed cloud management environment can simplify the initial implementation and transition.  You need to ensure, however, your newly formed cloud can communicate with and is integrated into your existing infrastructure.  If not, you may end up with two completely separate environments to manage and run when your original goal was to simplify your data center management and lower associated costs. 

There are several areas where your cloud should be integrated with your current environment.  For example, can your new “cloud-in-a box” manage existing resources equally well or does it only manage the resources that came with it?  From a security perspective, make sure it meshes well with your existing identity and access management environment.  A nice plus would be if it provides a “single sign-on” capability avoiding the necessity of having to log in multiple times.  Does it integrate well into your existing ITIL processes and ITSM systems?  These are key areas where your cloud appliance should really be more than just a “black box”.  Ensuring a good fit between your cloud and your data center requires proper upfront planning, else you may end up creating a de facto island in your data center.

It would be nice if a cloud would automatically come into being, fully functional and completely integrated at the press of a button.  Unlike in the movies, however, it takes a bit more than that.  When you choose your cloud appliance, make sure your new infrastructure meshes well with your existing environment.  And recognize that it isn’t just about the appliance.  Choosing the right partner who can help you integrate that environment and guide you around any potential pitfalls is just as important as choosing the right appliance.

Scalable servers on demand provide only a tiny slice of what it takes to provide a production infrastructure. Managing and operating a cloud is a complex task and there are only two choices available to the enterprise: acquire the cloud servers and manage them yourself or let your enterprise outsourcer handle it for you.

Assuming you choose to outsource, then whoever you pick as your cloud supplier will share some level of production operational responsibilities with you. When doing the analysis of who to use, you must remember to factor in not only the cost of the computing resources but also the operational and management environment required around it. For example, you need to determine who does:

• Server Monitoring and Event Notification
• Anti-Virus/Anti-Spyware Services
• Patch Management Services
• Provisioning and initial setup of servers
• Back-up Services
• Incident Management – end-to-end management thru closure of incident tickets
• Availability Management
• Capacity Management
• Service Request Management
• Change Management
• Security Services

There are serious implications of not getting this right – infected servers, operating environments that aren’t patched and up to date, incidents that never get resolved, infrastructure that’s out of capacity and, worst of all, an infrastructure that’s vulnerable to attack.

So it’s really important to pick the right cloud supplier. One that can fulfill the most demanding requirements of the typical enterprise – one that has extensive experience in outsourcing, has global ISO certifications and a worldwide ITIL framework, and uses a seamless and global incident management/logistics system. And, let’s not forget finding a supplier that focuses on quality via a formalized program such as Six-Sigma. The perils of not doing this correctly can lead to unexpected outages, lost business, security breaches etc. In the end, what you really want, from an enterprise point of view, is a supplier that aligns with your business, has the highest levels of support and infrastructure availability and can meet your most demanding production needs.

Bottom line – find the outsourcer that can work alongside your business to help ensure strategic business goals are achieved. Unisys has the capability, maturity and experience to do this.

For example, in the event of a data breach by an organisation holding an individual’s personal information, the willingness to continue with the organisation, but not online, drops with age, from 31% of 18-24 to 16% of seniors who are 65+. These seniors are also less likely to change their passwords (63%), while those in the 50+ category are more likely to say they would publicly expose the issue (62%) than any other age group. This enthusiasm for direct online action came as a surprise.

This action of publicly exposing the issue, perhaps through social media platforms, shows the willingness by not just the young to use the digital world as a democratic tool. This raises a wider question as to whether we are doing enough to create the right avenues for people to easily express their objections to online crime rather than create their own “campaigns” of outrage.

Perhaps unsurprisingly, those that have embraced social media from the start are less willing to see social networks closed down in the event of civil unrest. Over two thirds (72%) of those aged between 18 and 24 would be against the temporary closing down of social networks, with over half (60%) of seniors supporting the temporary closure of social networks. While the findings demonstrate people don’t want to see criminal activity on social networks, the results again demonstrate the need for awareness of appropriate avenues online to help police counter and resolve cybercrime.

All these points suggest that changes in attitude are needed if we are to close the gap created by the digital divide. Only with more effort placed on public awareness and education on how to counter cybercrime (particularly for the older generation) and a better understanding of the definition of what ‘normal’ online behaviour is for the younger generation, can we really take the steps to achieve David Cameron’s vision for an internet that is about freedom of access to all, not a medium for a free-for-all.

Many of these corporate environments are currently running decade old operating systems – in some cases even older – so embracing multiple platforms and devices poses a significant challenge when it comes to managing the interoperability of these diverse systems.  The IT executives we surveyed in our recent consumerization of IT research, 2011 Consumerization of IT Study: Closing the “Consumerization Gap”, are well aware of this fact.  In fact, 77 percent of them believe transformation within their data center environments is a key component of their ability to support the consumerization trend.

It’s evident that, just as consumerization of IT is here to stay, so too are the difficulties this multi-platform trend poses to enterprise IT departments. As my colleague Nick Evans wrote in a Computerworld article on this year’s research, Consumerization of IT: Lessons for enterprise applications:

“Quite simply, the consumerization of IT is a disruptive trend, and the best way to meet a disruptive trend is head-on, anticipating the changes it will bring and exploiting those changes for competitive advantage.”

Here at Unisys, we are uniquely positioned to address the consumerization- related support issues head-on.  Our clients tap our expertise to build IT environments that can adapt and change to new technologies in real-time. As new devices and platforms continue to gain popularity in the enterprise, this flexibility and scalability will be a must for organizations looking to adapt to the consumerization trend.

Another area of concern outlined by the IT executives we surveyed is the introduction of social media channels into the enterprise (see Figure 1). Again, this is an area in which we can help.  With a robust security model in place, organizations are much more likely to feel confident in granting access to various social media environments, knowing that the integrity of their data center infrastructure will be maintained.

Figure 1

Four years ago the iPhone did not exist, three years ago the Android wasn’t on the market and tablets weren’t introduced until 2010.  And we’ve seen how popular these platforms are amongst today’s workforce (see Figure 2).  To keep up with iWorkers’ adoption curve, it’s imperative that IT take steps now to address the technology requirements for consumerization.  And, doing so the right way will ultimately work to your competitive advantage.

Figure 2

Once we had to walk down the hall and into a room to meet with co-workers. Today the Internet is mission-critical to our ability to work with colleagues around the globe. This shift in how we create, move, and consume information poses several challenges for IT security professionals today and in years to come.

The first is helping organizations understand and respond to the increasing value of their information. This need entered the public consciousness through the WikiLeaks controversy. The WikiLeaks website is just the first of many such sites we’ll see in the coming year. And it’s not just a concern for governments.

Big businesses are about to get a hard lesson about the real value of their information — data that, used wrongly or mishandled, can cause significant or even catastrophic damage. Data that once appeared innocuous or inaccessible is becoming more valuable, and potentially more damaging, by the day.

Public and private organizations alike must adopt a contemporary understanding of the value of their information, and the trust they place in the people who use it.

Despite advances in security technology, the sad fact is that IT probably had better control over sensitive information 20 years ago. The reasons? Information was centralized. There was less information to manage. The client technology required to access it was slow. And the clients were incapable of massive mobile storage.

There’s also another reason that should really concern us a lot. Back then – 20 years ago – the internet was just beginning. It was designed by scientists and technologists for scientists and technologists. Ordinary folk were tolerated and had to learn a language that ostracized whole swathes of society. No more. Web 2, Social media, mobile internet – call it what you will – is now using a transparent technology platform and it is being designed by Users for Users. Those users are not versed in Security. Why should they be? It’s a whole new behaviour they are having to learn the hard way, as are their employers.

Our employees now have petabytes of corporate information available to them, search engines that help them quickly find what they’re looking for, high-speed Internet connections to the outside world, and easily hidden storage devices that can walk terabytes of information right out the front door, in plain sight. They can connect wherever they like. They can work wherever they like. And they can steal valuable information wherever and whenever they like.

No longer can we automatically trust employees to handle information with confidentiality and integrity. The protection of information will need to be policed internally, and brought into a clearer legal framework. From a security point of view, this will mean much stronger confidentiality clauses in personnel contracts and better monitoring of data flows into and out of an organisation.

Strongly authenticated employees will need access permissions. Information (including e-mail!) will need to be encrypted. Device use will have to be monitored – including desktops, laptops, smartphones, tablets; anything that taps the organization’s data. Firewalls will have to get smarter to monitor all information to ensure sophisticated techniques, such as steganography, are not being used.

There are some who will say these approaches amount to an invasion of privacy. They do not. The need is for organizations to monitor their proprietary information, not their people. By understanding their organization’s normal information usage patterns, they will be able to identify anomalies in usage. These anomalies will serve as a red flag for quick investigation.

Governments and businesses now in Wikileaks’ clutches might have avoided their fate had they monitored, understood, and acted on their organizations’ information patterns. Sudden, large data transfers to unauthorized persons would have been flagged. With the right processes and policies in place, it is possible the leaks could have been plugged.

For more on this topic watch for my next post: “The Seismic Shift in Security: Part 2 – Information Push, Information Pull.”

Problem Management includes diagnosing the root cause of incidents and determining a resolution; however it is somewhat reactive since the incidents have already occurred. Taking a proactive approach to Problem Management by preventing incidents from occurring in the first place will help reduce overall incident levels and associated support efforts, as well as improve end-user satisfaction and increase productivity. Proactive Problem Management solutions apply intelligent analytics to data and content collected from multiple data sources (i.e. Configuration Management Database (CMDB), Asset Repositories, and Incident Histories) to identify potential service disruptions, which can then be resolved before they become incidents noticeable by the end-user.

End-User Experience Monitoring can help gain increased visibility into real-time application/device performance and end-user productivity metrics, which can be used to identify and resolve issues before they impact end-user operations. As stated by a recent InformationWeek article, many IT managers are now measuring the true quality of the end-user computing experience from the “outside in” (from the end-user’s perspective) and not only by how well data center applications are performing. End-User Experience Monitoring uses data aggregation, analytics, and correlation of end-user and device performance metrics that enable IT to quickly react to performance issues based on real-time business intelligence.

Effective use of Smart Computing to interpret data streams and make appropriate business decisions will improve operational efficiencies and free up end-user support resources to focus on higher value, and more strategic initiatives that support business expansion. I believe that the upfront investment for Smart Computing solutions in the end-user support area will often be justified by savings in future reduced incident levels and increased end-user productivity (improved application performance and increased uptime). As Consumerization of IT/Mobility and other disruptive trends evolve, organizations can expand their ability to leverage new technologies such as Smart Computing to sort, process, and exploit increasing volumes of data to gain a true competitive advantage. At Unisys, we’re incorporating some of these smart computing techniques within our End-User Outsourcing and Support solutions in order to help our customers achieve some of the benefits outlined here.

End-User support groups have an opportunity to use this rapid influx of data to their advantage by exploring Smart Computing benefits, prioritizing potential areas to apply the technology, and deploying solutions where it makes the most sense for their organization.

This suggests that there is an increased expectation from the public about how law enforcement responds to cyber-security concerns and whether the authorities have access to the skills and resources they require. Based on our work with governments and businesses around the world, we feel there are three key areas, which can help progress the debate:

• More expertise in computer forensics – in the past, if you had a witness who saw a crime then you had a good case; but today you need specialist computer experts to gather evidence and to have the knowledge to pick out key trends in discussions on social media channels.  This takes particular skills and there should be a discussion about how to recruit this talent; how it can be funded and which skills should be the priority.
• Encouraging young people tempted to commit online crimes to apply their skills on the right side of computer security – for example, I’m also director at the Cyber Security Challenge, set-up to encourage more people from different backgrounds to consider careers in cyber security.  Each year the Cyber Security Challenge runs a series of competitions testing problem solving and investigative techniques and it demonstrates how diversity in experience can help bring different approaches for solving security challenges.   Legal profession and law enforcement could also draw on different backgrounds to help expand understanding of behaviour in this area.
• Shifting investment in research and development – to date much of the research into computer security has focused on creating unbreakable encryption codes or the toughest perimeter defence.  With so many access points to any kind of modern IT network, there needs to be a shift towards securing information itself rather than building a wall around it which can be breached.  Also investing in new techniques such as behavioural analysis and predictive methods can help prevent or at least pre-empt online criminal behaviour. 

There is no overnight fix to this problem; we can’t fool ourselves into thinking it will quickly dissipate if these measures are in place but they are a good starting point to bring in the right people and talent to close the gap between law and technology.

According to the latest Unisys Security Index, which tracks consumer security concerns every six months and yields valuable insights into the issues that matter to people today, 48% of the public believed that a temporary shutdown of social networks might help to prevent coordinated criminal activity during periods of severe civil unrest. It also found that 46 per cent of the public accept that authorities should utilise social networking data to improve public safety, such as the uploading of real time criminal evidence by the public. In addition, 56 per cent of respondents mentioned they would take legal action against companies which suffer breaches relating to personal data online.

The key debate for governments and law enforcement has been how to cope with the growing influx of social media platforms used in instances such as the London riots, without relinquishing the freedom of speech the UK has become synonymous with – as David Cameron mentioned at the London Cybercrime conference on 1st and 2nd November 2011, the internet is about freedom of access to all, but not as a medium for a free-for-all. It is evident that the public want to see protective measures in place that will safeguard them from a repeat of such instances and guarantee their freedom of access to the internet.  

As devices become increasingly interconnected enabling a swifter and freer flow of information, there is a need for traditional legal structures and corporate governance to adapt accordingly. While governments and law enforcement authorities consider ways of quickly sharing and identifying cyber threats across borders and jurisdictions there is a clear need to have better mechanisms for the swift sharing of criminal info leading to convictions. In addition, the public and business have a responsibility to behave within the law when using cyberspace but to do so the traditional legal framework needs to be brought up to date.

In this ever connected world, the public want to know that they and their data are being protected. The conclusions from the survey show that the public expect law enforcement to have the legal framework to act swiftly to protect society online and that they, the People,  are ready to act if they feel they have become a victim of data and online crime.

Fast Forward to today, the UN announced that we are going to be 7 billion people as of Monday 31st of October, 2011. Nokia just announced a new mobile phone series targeting the next “billion” mobile phone users. And my nephew, just 20 years old this week, shifted my perception on technology adoption.

He just acquired an iPad 2 as his main work device, and is leveraging it with his first “adult” job.  He came to me for a recommendation on how to secure his data and if he needed local backup on top of what he was already using.

My first reaction was “of course you need local backup”.  Indeed, I still remember the pain of losing hours of work in my younger days by not applying this very basic recommendation…then he shared how he structured his approach, with a combination of advanced IT devices and cloud computing:

• Main data capture devices: his phone and iPad, enabling him to use lightweight components to acquire data in document formats, pictures or sounds … this is what Consumerization of IT meant for him
• Main backup areas:

1. For his personal “social” files, Facebook, through the shared Photo albums (and thus in the Facebook Cloud);
2. For his professional data, the Google Cloud service (better response time than a local backup drive for HD photos) with a secondary backup system for personal and professional backup.  This system was bought as a 3-year bundle of Backup as a Service for his iPad and provided by his device vendor … enabling him to benefit from professional-class IT Services (cloud services).

Actually, it was natural for him to establish this setup, and I was hard pressed to suggest something more efficient and cost-effective given his need for mobility, resiliency and openness…

My nephew’s natural adoption and selection of this technology to enhance his new work style leads me to think that there may be win-win options on the horizon with Bring Your Own Devices (BYOD) and consumer-centric flexibility in workplace computing.  

It is not so much of a surprise, as looking back we can realize that most IT shifts occurred through end-user adoption, and propagated to the enterprise space. However, the speed required to handle the generation Y “natural” expectations make me both anxious and excited:

• Anxious because enterprises and  organizations who will not keep pace are going to be left behind and bereft of the bright new talent; 
• Excited to see the enterprise leverage social computing and cloud development in such a way that the technology remains natural, accessible and intuitive, while making CoIT tools / techniques / approaches / work-styles successful at the enterprise level.

This will be metered by the ability to keep the workplace secure and policy compliant. Leveraging the dynamism and innovation, while keeping control, is becoming the key challenge for CIOs of this 7 billion people world.

I’ll keep track and report back on my nephew’s new mobile, social and cloud computing use, and employment innovative exploits.

Mark Cohn, CTO for Unisys Federal Systems shares with us in this video his views on what consumers’ willingness to share biometrics informations means to organizations.

Visit Unisys Security Index findings to learn more about about American consumers’ responses.

The best IT Appliances incorporate new software releases and continue the transparent system integration needed to keep them fresh and competitive. Scalability, high levels of reliability, automated management and security are elements of the most capable IT Appliances.

These characteristics should be the first evaluated when considering an IT Appliance to enrich current solutions. But, the evaluation should consider a variety of other elements as well. Since the IT Appliance is an element of a larger solution complex, it must fit well or it will not deliver the desired benefits.

Fundamentals such as utilization of the proper protocols and physical connections are inherent. System integration factors such as security, resilience/reliability, management, support and qualification with other elements of the overall solution are equally important. Each will play a role in optimizing the total environment.

An example might help put its value into perspective. The ClearPath ePortal IT Appliance provides web services and mobile device integration for ClearPath solutions. It is not the only method of addressing these solution needs, but it incorporates a variety of capabilities that would be difficult (and costly) to replicate through alternate approaches. The native ePortal is a fully integrated IT appliance that qualifies the most current levels of software, enables the most current standards, provides high levels of scalability, leverages open development technology (Visual Studio)  and incorporates local system management.

The ClearPath operating environment manages the ePortal environment, making it a native element of the overall system; independent management of the ePortal appliance is not needed. This capability extends across complex areas such as security and transparent failover. And, it applies across a wide range of ClearPath systems and different system software releases. As a result, the customer focus is on extension of the solution rather than a large investment in integration and ongoing IT Appliance support.

System integration can be a costly and complex element of IT Appliance integration. Those IT Appliances that provide seamless integration and management, based on investments from the supplier, typically deliver the greatest value.

A top-level enterprise mobility maturity model can be represented as a table, such as in Figure-1, that goes from less mature mobile business capabilities on the left, to more mature on the right for each of the major strategic enterprise mobility workstreams represented in the rows. This model is also very action oriented in a way that enables the organization to develop an implementation roadmap to reach its desired target state through enhancing the maturity level of underlying business capabilities.

Each organization will need to build a custom enterprise mobility maturity model to realize their vision for mobility. A basic structure is presented in Figure-1. This model categorizes enterprise mobility capabilities under 3 groups – Organizational Enablement, Infrastructure Enablement and Business Enablement – each of which includes a number of key business capabilities. Each of these capabilities stretches across four maturity levels on the X-axis. Every cell represents a state for a strategic business capability. Moving to a more mature state will require acquiring specific mobility capabilities which in turn will require undertaking a number of projects.

Figure: 1 – Sample Top-Level Enterprise Mobility Maturity Model

Once an enterprise mobility model is developed, organizations can easily plot their current state and identify any number of target states that they want to reach by a certain date as seen in Figure-2. This allows all mobility initiatives to be perfectly aligned with the overall mobility strategy. Since this technique requires the entry and exit criteria of each maturity state to be well defined, projects can be tracked and managed effectively to achieve the high level strategic goals.

Figure: 2 – Using Enterprise Mobility Maturity Model
to Develop a Strategic Roadmap

This technique allows organizations to put all mobility related initiatives in context, identifies the end goals and positions them in relation to each other so that they can be easily understood, tracked and communicated. Enterprise architects can use this roadmap in support of the stated business strategy for mobility to ensure the technical underpinnings are in place for a successful enterprise mobility initiative.

To learn more about the Unisys Security Index Findings please visit http://www.unisyssecurityindex.com/  

Watch the Steve Vinsik video on Consumer Reaction to Data Breaches at http://www.youtube.com/watch?v=4VBXeume6wU.

History has shown us that no matter what you do to secure your place – house, castle, town or even a full country – there is always a way around by those who seriously seek to harm and who will eventually find and exploit.

Why is this? Simply put: it’s the economy, stupid! Or, better, the money to be gained quickly and apparently with not much effort. Indeed, consider one simple fact: the value brought to the Internet is growing exponentially, and the Internet economy – now larger than that of Spain – surpasses global industry sectors such as agriculture and energy. The Internet is pushing a significant portion of economic growth.

A recent report by McKinsey has for the first time tried to measure the impact of the net economy on the GDP of the G8 countries, plus the BRIC countries (Brazil, Russia, India and China). Findings tell us that in the global Net’s growing ecosystem of suppliers, U.S. companies play leading roles in key sectors, while China and India rank among the fast-growing players in the Internet’s global supply chain. It is companies in more traditional industries, however, that capture 75% of the benefits.

Therefore, the stake is huge, and no wonder many are keen to consider cyber criminality a viable option, especially in a situation of legislative uncertainty, and patchy levels of maturity and understanding of the problem at a national, corporate and personal level.

The outlook? Expect yet bigger numbers of attacks going forward. Threats will not go away. We have invented a (brave) new world, and there’s no easy exit option available. Therefore, we have to learn to deal with the problem; which, incidentally, has so far been considered largely a technical one. Only now, after we suffered some 56 million attacks in 2010, are we starting to realise that eliminating threats is impossible, so protecting against them without disrupting business innovation and growth is a top management issue.

I believe that the recent attacks of Stuxnet and Duqu – which have given rise to so much buzz, but we know that newspapers must sell … – are nothing special, as they represent yet another alarming epiphany of (criminal) BaU: business-as-usual.

Cybersecurity – the protection of valuable intellectual property and business information in digital form against theft and misuse – should increasingly be viewed as a critical management issue: CEO’s and other senior executives should consider their priority to protect critical business information without constraining innovation and growth. Hence, the need for a business-driven cybersecurity model that indeed deserves being elevated to the honours and responsibility of a permanent component of any enterprise’s strategy.