Tag Archives

4 Articles

National Security and Personal Privacy – Both Are Possible

Posted by Editor in Business

With the data the U.S. government has, it could write detailed biographies on nearly every resident.

While it’s true the U.S. government requires access to information to keep our nation safe, that access need not come at the expense of personal privacy. Unfortunately, in the case of the National Security Agency’s (NSA’s) leaked Ragtime files, personal privacy appears to have taken a back seat. Was this data truly collected “incidentally,” as the NSA claims?

The Ragtime program collects the contents of communications, such as emails, online exchanges and text messages, of foreign nationals under the authority of several U.S. surveillance laws. Until recently, there were four known variants of the program. These variants were originally revealed by the leaks of whistleblower Edward Snowden:

  • Ragtime-A, involving the U.S.-based collection of foreign-to-foreign counterterrorism data
  • Ragtime-B, collecting foreign government data that travels through the U.S.
  • Ragtime-C, focusing on the nuclear counterproliferation effort
  • Ragtime-P, standing for Patriot Act and authorizing the collection of bulk metadata on calls and emails sent over the networks of telecom providers

However, recently released information indicates the amount of data collected may be larger than previously thought. There now appear to be 11 variants in total. One is called “Ragtime-USP,” which may stand for “U.S. person” and would target Americans.

These findings resurface an age-old question:

Where should we draw the line between personal privacy and national security?

Of course, the government needs to use all applicable and appropriate data to support military efforts and keep our nation safe. At the same time, it must strongly secure that data and protect individual privacy. Unfortunately, to date, its practices have leaned toward sacrificing data security and personal privacy in the name of national security. It does not have to be this way; the government CAN get insights from data without sacrificing data security or personal privacy when the guidelines below are followed.

These same principles also apply to the private sector.

Limit data-gathering programs to their stated purposes. When the NSA gathers the communications of foreign nationals, the data inherently includes information on the people those foreign nationals communicate with, including U.S. citizens. The stated purpose of the Ragtime program is to capture the communications of foreign nationals. In reality, anyone brought into a conversation by others has their communications collected, monitored and analyzed as well. As long as the NSA can claim, without opposition, that this breach of the program’s stated purpose (a breach by design) is merely a byproduct of keeping the U.S. safe, it will have no reason to re-engineer its systems and processes.

Private sector businesses should keep the data of those within arm’s reach of their clients in mind as they craft their own data security and privacy policies. Gather only the data of those with whom you have a relationship, and discard the rest. If you don’t, you could run afoul of the growing number of data protection laws and regulations that require explicit consent before personal information is collected from individuals.

Hold agencies accountable. Government agencies should be held to the same security and privacy standards as the private sector and, importantly, be accountable for following those standards. Only entities with a proven record of implementing and maintaining strong security and privacy controls should be allowed to hold such gigantic repositories of sensitive, privacy-impacting data. So far, the NSA has not demonstrated accountability for the data it has collected, and lawmakers show little desire to implement security and privacy controls that might stand between them and as much data as possible in the name of national security.

Regulators hold private-sector organizations accountable; those of us in the private sector must insist that they hold government agencies to the same standard.

Private sector businesses also need to be responsible and accountable for implementing and maintaining strong and effective information security and privacy controls. They should also know and be in compliance with applicable data protection laws, regulations and other legal requirements.

Examine data retention policies. Another issue these surveillance programs have not addressed is data retention. The programs collect everything they can and then keep it indefinitely. The amount of data the NSA holds on U.S. residents could be used to create a detailed biography of nearly every person in the U.S. That is a dangerous position for any organization that lacks proper security measures. Unfortunately, hundreds of millions of personal data records have been compromised in recent years due to vulnerabilities at the NSA and its associated vendors.

Private sector businesses with similar stores of data must perform regular information security and privacy assessments (SIMBUS360 can help!) to ensure they are doing everything they can to protect clients and customers.
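The two controls above, a stated-purpose check (keep only records whose every party is someone you have a relationship with) and a retention window, can be enforced mechanically at the point where collected records are stored, and the enforcement itself can leave an audit trail that an assessment can inspect. The Python below is an added example written for this page; it is not code from the original article or from SIMBUS360. The record layout, the identifiers, the 365-day window and the sample messages are constructed assumptions, and the audit entries deliberately record the decision and the reason without copying message content.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Record:
    """One collected communication. Constructed layout for this example."""
    record_id: str
    parties: Tuple[str, ...]   # sender and every recipient
    collected_at: datetime
    content: str


@dataclass(frozen=True)
class Decision:
    """Audit entry: what happened to a record and why (never the content itself)."""
    record_id: str
    action: str                # "keep", "drop_incidental" or "drop_expired"
    reason: str


def apply_policy(records: Iterable[Record], in_scope: Set[str],
                 now: datetime, retention: timedelta) -> Tuple[List[Record], List[Decision]]:
    """Enforce two of the article's principles on a batch of records.

    1. Stated purpose: a record is kept only if every party to it is someone the
       organization has a relationship with. A message that drags in a third
       party is "incidental" collection and is discarded whole rather than
       stored and analyzed.
    2. Retention: anything older than the retention window is discarded even if
       it would otherwise be in scope.
    Every decision is logged so that the control itself is auditable.
    """
    kept: List[Record] = []
    audit: List[Decision] = []
    for rec in records:
        age = now - rec.collected_at
        if age > retention:
            audit.append(Decision(rec.record_id, "drop_expired",
                                  f"age {age.days}d exceeds retention {retention.days}d"))
            continue
        outsiders = sorted(p for p in rec.parties if p not in in_scope)
        if outsiders:
            audit.append(Decision(rec.record_id, "drop_incidental",
                                  "party outside stated purpose: " + ", ".join(outsiders)))
            continue
        kept.append(rec)
        audit.append(Decision(rec.record_id, "keep", "all parties in scope, within retention"))
    return kept, audit


def summarize(audit: Iterable[Decision]) -> Dict[str, int]:
    """Count decisions by action; the figure a privacy assessment would report."""
    counts: Dict[str, int] = {}
    for d in audit:
        counts[d.action] = counts.get(d.action, 0) + 1
    return counts


# Constructed sample input (assumed identifiers, not real data).
NOW = datetime(2018, 3, 1, tzinfo=timezone.utc)
IN_SCOPE = {"client-a@example.com", "client-b@example.com"}
RETENTION = timedelta(days=365)
SAMPLE = [
    Record("r1", ("client-a@example.com", "client-b@example.com"),
           NOW - timedelta(days=10), "quarterly review"),
    Record("r2", ("client-a@example.com", "friend-of-client@example.net"),
           NOW - timedelta(days=10), "forwarded to a third party"),
    Record("r3", ("client-b@example.com",),
           NOW - timedelta(days=400), "old note"),
]


def run_sample() -> Tuple[List[str], Dict[str, int]]:
    """Apply the policy to the constructed sample; return kept ids and decision counts."""
    kept, audit = apply_policy(SAMPLE, IN_SCOPE, NOW, RETENTION)
    return [r.record_id for r in kept], summarize(audit)


if __name__ == "__main__":
    kept_ids, counts = run_sample()
    print("kept:", kept_ids)
    print("decisions:", counts)
```

On the sample, only r1 survives: r2 is dropped because a third party outside the stated purpose was brought into the conversation, and r3 is dropped because it is past the retention window. Discarding the whole record follows the article's advice to "discard the rest"; a weaker alternative would be to pseudonymize the out-of-scope identifiers, but that still retains data about people with whom you have no relationship.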

Implement strong security controls and privacy protections. The NSA has not demonstrated these capabilities to date. Furthermore, the majority of government lawmakers have long enabled the NSA’s lack of security and privacy controls. An objective, validated and non-partisan entity with ongoing audit oversight would be best to provide the security protections required.

Similarly, businesses and other organizations should consider working with neutral third parties to affirm they are following all required compliance statutes, as well as thinking through how their evolving technologies, systems and business models may be opening their firms up to new threats. Certainly, such organizations can do their own ongoing assessments internally, but bringing in objective third parties to do assessments every now and then (at least once every year or two, and when significant operational changes occur) allows for a different perspective. Objective eyes often find things missed by those in the environment each day.

Indeed, when it comes to personal privacy and national security, we need to change it from an “either/or” conversation to an “and” conversation. While the NSA and your average law firm, accounting practice or health care provider may not have the same objectives, they do have much in common. Today’s growth-minded businesses understand data is a powerful currency, and will only increase in value as time goes on. As they are collecting, analyzing, storing and sharing data, there must be just as much strategy applied to protecting data.

Innovative Leaders Driving Thriving Organizations By Maureen Metcalf

Posted by Editor in Variety

This post reflects a collaboration between Dr. Dale Meyerrose, major general, U.S. Air Force (retired), president of the MeyerRose Group and Maureen Metcalf, founder and CEO of Metcalf & Associates, and is written in conjunction with a VoiceAmerica interview that aired on August 16, “Emerging Roles of the Board and Cybersecurity.”

Many aspire to join boards, and other leaders aspire to manage their boards in order to promote organizational success. Much has been written about responsibilities of boards of directors, but few distinguish those task lists from the essential roles of a board and its directors. By understanding those few, basic requirements of a board, the savvy leader can maximize effectiveness in driving organizational success.

Dan walks into the board meeting to discuss the company’s performance and strategy going forward. He is confident that this will be a smooth meeting because he meets regularly with board members and has a clear understanding of their values and past guidance. As a veteran CEO, he understands the importance of working closely with his board, and that progress means the entire senior leadership team is working from the same “sheet of music.” Key to his success as a senior corporate official is comprehending everyone’s role and anticipating the board’s needs as they work together to ensure the organization’s success. So, what does Dan know about “board basics” and roles that allows him to have this confidence?

1. He understands the importance of a collective corporate conscience. Board members must ensure that the entire organization acts in a socially responsible and ethical manner. While it is true that public corporations have the primary goal of delivering stockholder value and creating sustained value, they must also act in a legal and responsible manner in the process. We submit that corporations that over-emphasize profit (some people would argue there is no such thing) can put the organization at risk by “cutting ethical corners.” A single historical example says it all: Enron. While the complete case study of Enron is beyond our purposes here, its clear fixation on profit over ethics and on unnaturally fast growth over sustained growth provided business schools with the stereotypical example of an organization lacking a corporate conscience or ethics.

2. Shareholder advocacy is self-evident to most business people. However, Dan knows that stakeholder considerations go beyond just the shareholders. Leaders and boards are always making trade-offs to ensure all key stakeholder interests converge in the right way for the right reasons, at the right time for the good of the organization. The board is responsible for creating the strategy and oversight to instill trust of all stakeholders in the corporate culture. Shareholders can vote with their feet if they feel that their interests aren’t taken care of, as can rank-and-file employees and management. Further, partners and suppliers have options of price and contractual protections that potentially make the cost of doing business with the company problematic. While profit remains the main measure, it is not the only performance assessment of overall health and trends of the enterprise itself and its eco-system of stakeholders. We believe that John Mackey, co-founder of Whole Foods, embodies these principles. He is clear in his passion about his company making a strong and sustained profit—and that he sees part of that equation being fulfilled through the creation and nurturing of a healthy eco-system of employees, suppliers, partners, customers, and the environment. The results of his company in his market sector validate this approach by successfully meeting ALL stakeholder expectations.

3. To ensure sustainability, Dan recognizes that the board serves as a “strategic compass” for the organization to safeguard corporate well-being and long-term growth. This means organizational focus is on the long-run and is constantly attuned to changes in the company, the industry, consumer tastes, technology, and society in general. The key is differentiating that which matters from that which is merely interesting or important, and anticipating future roles and values for the corporation. Again, there are many epic failures of a board being less aware, or completely unaware, of the conduct and performance of their company. We find that there are relatively few organizations with both the board and senior management capable of weathering changes over time. In 1950, the average company stayed on the S&P 500 for half a century. By 2012 the average company stayed on the S&P 500 for thirteen years. The dynamic forces facing corporations in the 21st century are changing the nature of business—and the speed with which change occurs compounds the complexity.

If you are part of senior management, like Dan, do you have confidence in dealing with your corporate board? If you’re one of “Dan’s” board members, do you have the reciprocal trust in him? Understanding “board basics” is critical in today’s challenging business environment. If you are senior management, it is important to understand the roles that your board fills and to leverage them to ensure the success of the enterprise. If you are a board member, are you fulfilling these roles? Or has the “to do list” and urgency of the present obscured your focus on these basics that rule? Or, as many in the workforce might say: “Basics rock!”

AUTHOR INFORMATION

Dr. Dale Meyerrose, major general, U.S. Air Force (retired) is president of the MeyerRose Group—a cybersecurity, executive training/coaching, and eHealth technology consulting company. He is an adjunct instructor at Carnegie Mellon University, Institute for Software Research running their Cybersecurity Leadership Certificate program. General Meyerrose, a Southwest Asia veteran, was the first Senate-confirmed, President-appointed Chief Information Officer for the Intelligence Community after over three decades of military service.

Maureen Metcalf, founder and CEO of Metcalf & Associates, Inc., is a renowned executive advisor, consultant, author, speaker, and coach.  Maureen designs and teaches MBA classes in Leadership and Organizational Transformation. She is also the host of an international radio show focusing on innovative leadership, and the author of an award-winning book series on Innovative Leadership, including the Innovative Leaders Guide to Transforming Organizations, winner of a 2014 International Book Award.


Cybersecurity — Thriving in a High-threat Environment: Five Key Tenets by Maureen Metcalf & Dr. Dale Meyerrose

Posted by Editor in Business

This post reflects a collaboration between Dr. Dale Meyerrose, major general, U.S. Air Force (retired), president of the MeyerRose Group and Maureen Metcalf, founder and CEO of Metcalf & Associates, and is written in conjunction with an interview on VoiceAmerica aired on May 24, “Cybersecurity: Thriving in a High Threat Environment.”

Dale sees “cyber” as much a language as the medium over which data flows. In turn, cybersecurity is about ensuring trust in virtual functions and services.

One often thinks cybersecurity is the job of specialists working in an information technology (IT) services organization, or of analysts in the security shop. Yet when something goes wrong, it can affect not only the health and reputation of an entire organization but possibly its existence.

Over the past five years, the headlines have been replete with examples of high-profile organizations and individuals who have had their data, records and identities compromised by criminals, terrorists, governments and “evil doers.” As a consequence, many people have formed opinions based on impressions created by the media, and many of those impressions may not be grounded in fact. So, what is the proper context?

There’s a tendency to focus on the large number of compromised records in some of the more infamous cases, particularly those involving retail and entertainment firms and the U.S. government. Yet these sensational cases aren’t necessarily the largest in numeric terms. We are familiar with them for reasons other than strictly the number of compromised records or identities. The publicity these crises received was likely due to other factors, such as participant notoriety, shock value, timing and potential liability, among others. We tend to forget that cybersecurity issues exist in the context of the outside world and the human experience in general. Inserting “cyber,” “e” or “i” in front of a criminal act doesn’t change the motivations behind the theft, espionage or destruction.

“Evil doers” act in their own self-interest and are, by and large, rational. However, they aren’t necessarily more intelligent or infallible. As in other forms of crime, they take the path of least resistance in committing cyber attacks. Whether cyber is involved or not, the perpetrator’s motivations are the same. And it is increasingly difficult for any crime not to have some kind of cyber facet or implication, as we as a society have become more dependent on cyber capabilities in both our professional and personal lives.

Additionally, specialists spend most of their “security cycles” worrying about not becoming the next “poster child” for a breach. They build layers of detection aimed at penetration alerts so that the culprits can be ousted and the vulnerability that permits the breach repaired. This reactive approach spawns much of the current computer security industry and network-centric thinking. It persists today under the rubric of cybersecurity—in the language that we hear in the media and from the security industry.  In fact, by all appearances most of these previous policies were updated using a universal word search of “network” and “computer,” and merely replaced what are now considered passé terms with the more modern word “cyber.”  They did so without adjusting their thinking to take into account a vastly changed, dynamic environment.

To better understand some key facets of cybersecurity, we compiled five foundational tenets that organizational leaders should know. This understanding prepares you to be driven by the “art-of-the-possible” rather than paralyzed by the “fear-of-the-inevitable.”

Five key cybersecurity tenets
1. “Evil doers” and “good guys” value the same things: the former are looking to gain access to exactly what the latter are trying to protect. What you’re proudest of, criminals covet most. The value of the information architecture now supporting the global economy likely runs into the trillions of dollars; if you are not protecting your organization, an infiltration could threaten your data, your reputation and even your existence. For most businesses and organizations, if not all, critical information is created, manipulated, accessed, transmitted and stored electronically, and is therefore subject to infiltration, exposure and exploitation.

2. Cybersecurity is a people issue, not a technical one.  Cybersecurity strategy is more about organizational resolve than devising a great plan for the future. Cybersecurity is inseparably linked with every strategy and investment. Human talent is the only true competitive differentiator in business or any walk-of-life. This applies not only to your technical staff, but the trainability of the entire organization. Security is what you do, not something you have, buy, or install.

3. The workforce has largely moved outside the firewall to do their jobs. An enterprise is only as secure as its least protected device or point of access. If we think about someone trying to hack into a home computer, an intruder would likely choose to gain access through another device that is connected to the computer, thus circumventing the traditional security measures.  As the “Internet of Things” becomes more of a reality, backdoor access to that home computer will most likely come through a networked appliance like a thermostat, refrigerator, baby monitor, or alarm system. In a similar fashion, a mobile and agile workforce will expose organizations to similar risks and potential exploitation.

4. Organizations need to first look inward. Most cyber attacks succeed because of careless employee actions and gaps in security protocols rather than brilliant data thieves. Most attackers, perhaps as many as 90 percent, gain their initial foothold by exploiting insider behavior: a phishing e-mail that gets clicked, social engineering or simple employee carelessness. So, irrespective of intent, most modern-day compromises, even the biggest ones, start out “low tech” in other domains and migrate to “high tech” cyber once behind the firewall or inside an organization’s network. In essence, modern cybersecurity is an “inside-out” proposition, not the “outside-in” one we are led to believe.

5. Cybersecurity is a leadership responsibility. Board directors and senior executives across the leadership team should recognize that all cybersecurity compromises constitute an organizational crisis—the resolution of which needs to be led by the most senior echelons. Top-level leadership is accountable for every aspect of an organization, particularly a crisis. And, there should be no such thing as a security or cybersecurity response—it is a crisis response. The reputation and future operation of the entire organization is at stake.  This is a non-delegable responsibility that requires not only a complete remediation of the current situation, but—especially in the case of cybersecurity—constructing the “new normal” for future operations.

To date, many in leadership have ignored the potential impact of cybersecurity. We proceed with our key business processes and pay little attention to cybersecurity as an organizational priority. We are often focused on operating the business, while relying on IT or cybersecurity specialists to take care of the rest. It is time to update how we think about cybersecurity—and specifically what we do about it.

AUTHOR INFORMATION

Dr. Dale Meyerrose, major general, U.S. Air Force (retired) is president of the MeyerRose Group—a cybersecurity, executive training/coaching, and eHealth technology consulting company. He is an adjunct instructor at Carnegie Mellon University, Institute for Software Research running their Cybersecurity Leadership Certificate program. General Meyerrose, a Southwest Asia veteran, was the first Senate-confirmed, President-appointed Chief Information Officer for the Intelligence Community after over three decades of military service.

Maureen Metcalf, founder and CEO of Metcalf & Associates, Inc., is a renowned executive advisor, author, speaker, and coach who brings thirty years of business experience to provide high-impact, practical solutions that support her clients’ leadership development and organizational transformations. She is recognized as an innovative, principled thought leader who combines intellectual rigor and discipline with an ability to translate theory into practice. Her operational skills are coupled with the strategic ability to analyze, develop, and implement successful strategies for profitability, growth, and sustainability.

In addition to working as an executive advisor, Maureen designs and teaches MBA classes in Leadership and Organizational Transformation. She is also the host of an international radio show focusing on innovative leadership, and the author of an award-winning book series on Innovative Leadership, including the Innovative Leaders Guide to Transforming Organizations, winner of a 2014 International Book Award.

photo credit: www.flickr.com infocux technologies

CIO Tomorrow – Leadership is About Results that Matter

Posted by Editor in Business

The following post was written by Dr. Dale Meyerrose as part of the Columbus Business First’s CIO Tomorrow Conference. Dr. Meyerrose is one of the featured speakers in the Voice America Innovative Leaders Driving Thriving Organizations interview aired on April 26, 2016.

If you were to take a “professional selfie,” what would you see?  What would others see?  How would the perceptions of each correlate—or not?

Many of us in the technology business built reputations on our ability to keep the IT running, perform miracles on shoe-string budgets, manage IT projects, understand enterprises and processes, and respond to emergencies. Our view of that selfie would likely reflect pride in our technical acumen and ability to deliver on many things. Important, yes. But in the macro-scheme of business, do those things really matter? Do they earn you a seat at the decision tables within your respective organizations? Do they compel the Board of Directors to seek your counsel? The evidence over many years, nay, decades, is clear: they don’t!

Why don’t others, looking at that same selfie, see you as necessary for setting corporate strategy? Linked with company performance and customer satisfaction? Value your contributions as cultivating opportunities and revenue rather than as a cost center to be minimized? A crucial player in the “big” decisions over the course of time? Hmmm.

In my view, the reason is that many CIOs (and CSOs and CISOs, for that matter) don’t move beyond the “plumbing” of their younger years. Make no mistake, the plumbing has to work, and work well. However, the skills that made us good technicians and program managers early in our careers don’t translate into the talent needed to lead complex organizations in today’s demanding business world. Consequently, I believe it is critical for CIOs to differentiate what matters from what’s merely important.
• Assigned roles and responsibilities are important, but being able to tell the “big picture” story, in a language meaningful to senior leadership is what matters.
• Leveraging the best technology ideas is important, but execution on the chosen investments is what matters.
• Fear-of-the-inevitable is important to consider, but the art-of-the-possible and operational success are what matters.
• Risk and gap assessments are important, but determining the “net benefit” calculation is what matters.
• In-sourcing and out-sourcing IT issues are important, but having the talent at the intersection of understanding both purpose and technology is what matters.

I talk to many CIOs who are frustrated by their lack of influence on major decisions made within their organizations. Many of these very capable folks have yet to realize that people relationships and determinations are more important than the technical ones. They lack the experience or orientation to relate, in business terms, the criticality of their input, and to demonstrate that it is inseparably linked with major decisions and investments, and with the company’s success. Lastly, they don’t understand that strategy is more about resolve than brilliance.

Does your professional selfie look “up and out” or “down and in”? With almost forty years of experience in this discipline, I conclude that the former “selfie pose” is that of a successful CIO. These are leaders who focus on the few results that matter while leading others who take care of the myriad other important tasks.

AUTHOR INFORMATION
Dr. Dale Meyerrose, Major General, U.S. Air Force (retired) is President of the MeyerRose Group—a cybersecurity, executive training/coaching, and eHealth technology consulting company.  He is an adjunct instructor for Carnegie Mellon University, Institute for Software Research running their Cybersecurity Leadership Certificate program. General Meyerrose, a Southwest Asia veteran, was the first Senate-confirmed, President-appointed Chief Information Officer for the Intelligence Community after over three decades of military service.
