TechTurns

Technology and more....

Data Privacy – the biggest emerging challenge for companies

According to Gartner’s “Emerging Risk Monitor Report” for the first quarter of 2019, Accelerating Privacy Regulation is now a top issue for the third quarter in a row. It is regarded by many as a greater challenge than cloud computing or even the pace of change. That is astounding!

With the European GDPR (General Data Protection Regulation) now in its second year – and a myriad of other regulations being considered around the world in Brazil, India, Japan, South Korea and Thailand – data privacy is now a costly and complex requirement that all companies will have to deal with soon.

Globally, there is a powerful pro-consumer course correction underway. The continuing bad press associated with daily breaches of personal data is creating a landscape where consumers are beginning to finally understand that they are the ‘products’ in the world of free social media and online advertising. Digital businesses built on this freemium model are seeing their business under increasing pressure from regulations and consumers. Facebook is the prime example of such a company and has been reeling with disclosures of poorly secured consumer data and a clarion call to have their business model altered.

Dilbert

How will this effect tech companies?

It may be too early to tell. One might think that it will take huge fines to a slew of marquis companies before the industry will take notice. A large fine in the billions is expected on Facebook any day.

Many believe that companies that collect user data, and monetize it, could be the target of mass class-action litigation.

GDPR vs. CCPA (California Consumer Privacy Act)

In the USA, California has already announced the CCPA, which goes into effect in January 1, 2020. Other states are pushing similar legislation through their system.

Who must comply?

The GDPR applies to all businesses that process data of EU citizens, irrespective of their location or size. The CCPA is only applies to California-based businesses with a revenue above $25 million USD or those whose primary business is the sale of personal information.

Financial penalties

The GDPR mandates penalties for non-compliance which can reach up to 4% of the company’s annual global turnover or 20 million euros (whichever amount is greater). CCPA fines are applied per violation (up to a maximum of $7,500 USD per violation) and are not capped.

Consumer rights

Both regulations endow the consumer with specific rights such as the right to have information deleted or accessed.

The use of encryption is addressed in both laws

Both laws call for data encryption, making this an essential privacy protection component for businesses.

Could we see one Privacy Regulation for the USA in 2019?

The prospects of this happening are slim to none.

GDPR took between 6-10 years to be promulgated. Legislation traditionally moves at a snail’s pace in the USA, and that process is just beginning. A U.S. House of Representatives hearing on consumer privacy largely dismissed the EU’s General Data Protection Regulation and the California Consumer Privacy Act as the basis for future federal privacy legislation.

Tech companies are calling for regulations.

We are in a new world where some of the same companies that monetize personal data, now believe that regulation is inevitable. Besides Facebook and Google in that category, others like Apple and Microsoft, are also now calling for privacy regulations.

The prospect of having to navigate a labyrinth of privacy regulations – one for every country – is a daunting challenge for every company.

In a release on May 21, 2019 Microsoft stated that any new legislation in the USA should be compatible with GDPR so that companies do not have to build separate systems for conflicting regulations.

Whereas such alignment would certainly be more efficient and less costly, the chances of this happening are low. That is why Accelerating Privacy Regulations remains a clear and present danger for most companies.

Change Management – the CIO’s Currency of the Future

 

Digital Transformation & the Fallout

Look around. Digital disruption is on a tear! The new business models are heavily dependent on technology for delivering products and services. In fact, digital transformation is the main catalyst for extraordinary change in most companies, challenging everyone’s ability to keep pace. For those that were hoping for some respite, the velocity of technology change is only getting faster.

Since technology leaders are the impetus for most of this change, they are also blamed for too much too fast, leading to change fatigue in their companies.

CIOs are struggling with the number of changes that they need to implement. In fact, according to Gartner, 64% of CIOs expect their very role to evolve into change leaders. Many are sensing the rolling eyes of their colleagues on them, as they bring in yet another technology change to which everyone must now adapt.

Under the best of circumstances, leading change is a high-risk and low probability proposition. Only 34% of changes are successes, 16% are partial successes, and 50% are abject failures (Gartner).

Thus, in many organizations, the skepticism associated with more changes is reaching a crescendo, as the benefits from such digital transformation efforts do not seem to materialize.

The sad truth is that most IT leaders are not well versed in change management techniques. Many are mystified by the resistance they encounter as they bring in all the “wonderful” technology into the enterprise.

Unless, CIOs recognize their role as change triggers – and begin to manage that change – failure is likely.

The Challenge

You cannot step twice into the same river, for other waters are continually flowing in. – Heraclitus

As we move to cloud-based platforms – and Everything-as-a-Service models – changes are no longer occurring once a year or quarter, as they used to occur in the past. Today, vendors make changes to their solutions often – sometimes many times in a single day!

The technology environment you walk into when you come to work may not be the same one you leave at the end of the day. Solutions, functionalities, fixes etc. are flowing in and out all day…..

In these fast moving rapids, CIOs need to become masters of change and understand the nuances of change management. Otherwise, the speed of digital transformation is likely to consume all their efforts in a losing cause.

ContinuousNext

At the October 2018 Gartner Symposium in Orlando – one of the largest gatherings of CIOs – Change and Culture were two of the main themes.

Gartner even coined a new paradigm that they call ContinuousNext. Here, the gaps that once allowed us to assimilate and consolidate before moving to the next change – have vanished!

We are now in a perpetual, high-velocity change cycle, and ContinuousNext seeks to position organizations to foster perpetual innovation, change, integration and delivery.

In 2018, an astonishing 62% of companies have a major digital transformation project underway. This is the new paradigm. As a result, Change Elasticity for the ordinary user or customer may soon be at a breaking point.

At a keynote at the Symposium, Ginni Rometty, the IBM CEO, confessed that managing change remains one of her highest priorities and one of her biggest challenges.

Change programs inevitably lead to changes in the company culture. In fact, 46% of CIOs consider culture as the biggest barrier to scale digital business transformation. How you transform, and what kind of culture you create, is now what leaders like Jeff Bezos and Rometty focus on. To them, creating an agile culture capable of rapid change, is not only a prerequisite for future success, but it is the key to survival.

Some guidelines for Successful Transformation Projects

Create the Story

Why change?

“The Vision” is the critical groundwork for any change project. It requires developing a consistent, rational and “shared” change story that everyone understands. Recognize that whereas you may have spent weeks and months on transformation issues, employees have no such context. They need time and repetition to become steeped in the new vision. You may have to pause many times, before you can go faster.

Set the general direction, not the destination. Destinations invariably change. Unless everyone aligns with the change story, success is difficult. Work with key influencers who can form the informal network to diffuse the key elements of the story throughout the company.

From what to what?

Most of us respond best when we can acknowledge the present and the future state. Thus, be clear about what needs changing, and to what? For example, we need to move from being right the first time to learning to fail fast. Can you create a safe to fail testbed in your company?

Avoid using “enterprise speak” which is vague and abstract. Don’t forget to emphasize what is working and needs to remain. Make sure that everyone knows where to begin and how the company will help them in making the transition.

Buy-in

Change creates fear and anxiety. In the extreme, it deflates morale and kills productivity. Co-creation creates buy-in and is the secret-sauce for lasting change. Empower staff to feel in control of their own destinies and to determine what kinds of behavior changes they will need to make, and you have a foundation for organic change.

Listening carefully and openly is necessary for buy-in. You may even be surprised by the questions of the employees.

The goal should be to move the organization from the angst associated with “one more change is coming” to the excitement of experiential learning, where the latter becomes a perpetual activity and gets ingrained into the organizational culture to become an accelerator of change.

Cross-functional, diverse teams tend to co-create far better than monolithic groups because they are already adapting at a high level.

Fix the operational issues that inhibit change

Listen to the employees. Ask them what they think is likely to impede the transformation and address the shortfalls. Often, process changes must go together with behavior changes in order to be successful. And yes, make sure that budgets and resources are available to make this work.

Communication & Prioritization

Employees must know the program’s communication cadence, and who they can go to for clarity. Make sure that a “master” of the change plan is available to all staff. This will prevent conflicting narratives. Great communicators are sensitive to different audiences and calibrate the messaging to be most effective.

Prioritization, with tangible outcomes, helps create a clear vision as well as helps manage the pace of change. Focusing first on customers and their outcomes is one way to rank transformation tasks. Another way to prioritize is to look at quick wins first and create a momentum shift before taking on the more complex phases of change.

Everyone does not change at the same pace

Calibrate change efforts to different groups of stakeholders. Changing behaviors is not easy. Don’t be too quick to label employees resistors. Recognize that what you may see as change resistance may be an individual’s unique absorption pace.

New behaviors and core skills take time to establish. Embracing change and uncertainty is not in our nature – yet, that is what is required of all of us. Change elasticity must be built as a core skill. Provide the training opportunities to help employees shift to the needs of the transformed organization.

 

In the current environment, speed and agility are some of the most important markers for relevance. How you change, is just as important as what you change.

The very nature of digitization and change at this pace means that even the most proficient among us, will be challenged. CIOs need to recognize this.

To take advantage of the opportunities, we all must get a little more uncomfortable with the status quo and more comfortable with uncertainty related to change.

 

Is the Internet Killing Truth?

 

An unintended and explosive outcome of the internet is only now emerging. Thanks to technology, information is free and ubiquitous. But discerning what is fact and what is fiction, has become a huge challenge.

Today, we live in a world of “my truths” and “your truths,” and many other variations including “truth is not truth”.

When attribution is no longer possible, truth dies. And when that happens, it has disastrous consequences for free societies.  We are still in the early stages of understanding this fallout. But the impact has already been substantial.

The world reacts

Earlier this year, the French proposed a new law that would allow the government to either delete ‘fake news’, or even block sites if needed. A decade ago, this would have been unthinkable in a free society because this type of action has always been the domain of authoritarian regimes. Yet, the French parliament passed the law in July 2018. (https://politi.co/2KOwDwG).

In India, vigilante groups lynched innocent people after believing rumors on WhatsApp. This created a national outrage and the CEO of WhatsApp had to travel to India to meet with Indian officials and discuss attribution. The politicians in India demanded to know “Who sent those messages?” WhatsApp said that they could not answer that question (due to encryption) and they were subsequently annihilated in the press. Finally, WhatsApp had to pay for radio campaigns to tackle, yes, what else – Fake News! (https://bit.ly/2wlpP4H) Another Americanism went global, for all the wrong reasons.

Many other countries now have laws against disinformation and more are considering them (https://bit.ly/2Auh2ln). These include diverse geographies like Germany, Brazil, Kenya, South Korea and Singapore etc.

But is a government best positioned to arbitrate truth? Human history is replete with the fascists and autocrats who salted the truth to exploit people and, in the process, started wars that killed millions.

In the USA, you would have to be living in a cave not to have seen the “Truth-vs-Fake News” drama playing out daily like an endless loop from a terrible movie.  In August 2018 Pew found 78% of Americans say Democrats and Republicans disagree not only on “plans and policies” but on “basic facts”.

The world is divided by the digital content we consume and choose to believe! Unlike 20 years ago, today we don’t need expensive media channels to get our word out. There are plenty of free platforms that enable us to reach out to millions in seconds. None of this leaves time to create the attribution that we had used to discern motive, intent and truth. In our fast-moving times there seems no time for the truth.

Now reality has a million Popes – each telling us why they are the anointed ones – and why we should believe them. They have unlimited access to powerful free megaphones that stoke the us-vs-them mentality. Sadly, it doesn’t take much for tribalism to become the old, new norm.

There is enough evidence that we are being manipulated by nation states who are purveyors of this new disinformation art form. According to one report, nearly 80% of the Twitter accounts that influenced the 2016 race, are still around (https://politi.co/2QuxyVH).  Using low-cost influence campaigns to change the way people are thinking is the new normal. And it is very effective in undermining the key tenets of the social and political fabric.

How do we fix this?

Without some intervention, it is hard to see how this gets better.

There, unfortunately, the news gets worse. The sad truth is that there are no easy and effective solutions on the horizon. And yet, to prevent immense social and political upheaval – we have no choice but to find them and do so urgently.

Recently a couple of alternatives have been considered.

Self-regulation by technology companies has been in the news. This seems like a fool’s errand because the business model of such companies is antithetical to that kind of self-restraint. Last month, congress threatened Facebook, Twitter and Google executives with imposed regulation (https://usat.ly/2wQbOMx). Many believe such regulation is a matter of time.

Eduardo Saverin, co-founder of Facebook, was recently quoted as saying that “social networks are heading for more regulation and change, as political pressures mount and users fragment into specialized interests”.

Senator Warner (D-VA) acknowledged First Amendment problems in seeking to control what can and can’t be posted on social media platforms but said that these problems do have to be tackled.

If we are looking for some magical intervention by the luddites who are our elective representatives, look no further. Sadly, many of them are of a generation where they are completely overwhelmed by the same technology that school children use with mastery. In the highly partisan dog-eat-dog atmosphere we find ourselves in, politicians are looking for every short-lived advantage they can find, even if it is truth that becomes a casualty in this zero-sum game.

Fact checking and arriving at some way to an accepted truth is the new holy grail for technology companies, regulators and consumers of content.

Many argue that the central problem is that the pace of change being brought about by technology exceeds our ability to counter its negative impact on society. There is merit to that hypothesis. Unfortunately, the pace of change is only going to accelerate in the future. Our ability to deal with that change, and the disruptions it causes, is crucial to the survival of many of the bulwarks of our society, including where truth lies.

Our united survival may depend on it.

Equifax now synonymous with Category 5 breaches

 

This week, the company to whom we had given our most sensitive information – Equifax – has now been compromised. That breach has the potential to ruin a lot of lives, perhaps for a lifetime.

Equifax is one of the leading credit reporting companies that collects personally-identifiable-information (PII) on 144 million people in the USA and many others in Canada. In the UK the number of people compromised may be as high as 44 million in a country of 65 million, an astonishing percentage. This PII includes birth dates, addresses, social security numbers, names – and everything a bad actor needs to begin to impersonate you. This data is used for all kinds of loans, credit cards, mortgages and dictates the interest rates you are charged.

What caused the breach at Equifax?

As of this writing, Mandiant (recently acquired by FireEye) is rumored to be involved with the forensics on this compromise. Quite likely, a brigade of vendors are at the scene of the crime.

Very early on, Brian Krebs, one of the foremost cyber journalists in the world, predicted what Equifax would say about the breach. He postulated that they would say that they may have fallen behind in applying security updates to their Internet-facing Web applications”.

Why? Because increasingly, this excuse is somehow considered to be less culpable simply because it happens so frequently. We have become immunized against the active negligence involved in not keeping systems patched and secure. Virtually every day, more companies get breached due to unpatched systems. And Equifax, after all, is just another one.

We cannot, and should not, accept a situation where the simplest security hygiene is considered to be too onerous, is easily overlooked; and hence has become just “normal noise”.

Brian was right. Equifax promptly blamed unpatched internet facing systems with Apache Struts, blaming Apache for the vulnerability, which Apache denied. Apparently, there is some debate as to whether a known vulnerability in the systems (CVE-2017-9805) had been patched in a timely way. Reuters reports that an Apache spokeswoman said that Equifax had not applied any patches for flaws discovered this year. That would be all of 2017!

Chalk yet another breach to poor patching. Patching systems so that they are secure, is security 101.

Even before its massive breach, Equifax was fighting to disallow victims from suing them. And this was not the first breach they had either. According to Krebs, Equifax’s TALKX payroll division was exploited in 2016/17.

And now, Equifax, the same company that lost all your data, wants you to sign up for one year of free credit monitoring through – who else – Equifax! To do this you have to enter more personal information into their web form. Their proposal is: “We would like more information from you to protect the information which we lost!” Great.

When you sign up for monitoring, two things happen. First, you cannot sue them. That text is buried in their legal mumbo-jumbo. After a lot of negative comments, Equifax now says that clause will not be applied to this incident. Equifax is now on the hook for a class-action lawsuit that could cost as much as $ 70 Billion. But what is really appalling is that those that sign up, are likely to be solicited before that one year is over, to extend monitoring with Equifax – thus providing a potential new revenue stream to Equifax, the company that until recently did not even have a CISO. And let’s not even talk about the Equifax executives who sold their stock before the disclosure went public.

It is time that we as consumers demanded more from those that have our data. In that respect the European GDPR privacy regulations will create punitive penalties for those companies that do not safeguard data appropriately, and then, as was the case with Equifax, do not acknowledge the breach for over 6 weeks.

As Bob Dylan would say, beginning May 25, 2018 when GDPR kicks in, at least for Europe “The times they are a’changing”. The US needs to step up with similar legislation. Otherwise we have many more Equifax hurricanes in our future.

Qubits, coming to a computer near you

 

What are qubits?

In classical computing, data is stored in bits. These bits can exist in one of two states – 1s or 0s; off or on. Quantum computing, on the other hand, uses “qubits” (quantum bits). Unlike bits, qubits can store more information than just a 1 or 0. They do this because they exploit unique quantum features and can thus exist in 1, 0 or asuperposition of these values, allowing a qubit to be in both states at the same time!

A detailed explanation would get us mired in quantum mechanics which even Einstein called “spooky”. For our purpose, imagine a sphere where in the classical state, the 1 and 0 are at the poles. A qubit, on the other hand, can be on any point on the sphere, thus making a quantum computer much more powerful.

And, because qubits can be in multiple states at once, they exhibit inherent parallelism. That means while your current computer can work on one thing at a time, quantum computers can work on millions of things all at the same time.

What’s all the buzz?

In 1981, Richard Feynman, the Nobel Prize winning physicist, first proposed quantum computers.

Experts see quantum computing as a major disruption to computing.  According to Purdue University President Mitch Daniels, whose university just signed a 5-year quantum collaboration agreement with Microsoft, quantum computing is “another explosion of computing power like that brought about by the silicon chip”.

D-Wave, a Canadian company, recently began selling quantum computers. Price points to make quantum computers commercially viable, are still a little ways away. But a fierce race is already underway for quantum supremacy and scientists are making great progress. Here is a short-list of some of the companies involved with quantum computing (most big players are all in):

IBM with IBM-Q (quantum computing as-a-service), 1Qbit, Rigetti Computing, Intel, Microsoft, AT&T (working on quantum networking with CALTECH) etc. – have all jumped in the fray. NSA is said to be building its own quantum devices, and In-Q-Tel, the venture company funded by the CIA, is also in on the game.

Google is looking to get to a 49-qubit processor by the end of 2017, a landmark breakthrough that would double current 20-qubit processors. Softbank’s $ 100 billion Vision Fund is actively searching to back the next “Microsoft” of quantum computing. Most experts now agree that building quantum computers is now an engineering challenge and not a conceptual one.

Advantages and disadvantages of quantum computing

Initially, quantum computers are likely to be used to crunch really large data sets – something they do very well. Cancer research, drug design, financial portfolio design, genetic engineering, weather forecasting, particle physics – will all be positively impacted.

How do you code a quantum computer? Companies are busy developing tools to code such devices. Microsoft is developing LIQUi|> (pronounced “liquid”) for execution on a quantum computer. On the downside, due to superposition, programmers will not be able to observe the path that their data takes from input to output, making debugging a serious complication.

While quantum computers are expected to lead to astounding breakthroughs in medicine, manufacturing, artificial intelligence, machine learning etc., rogue states or actors could also use quantum computers for destructive purposes too.

Quantum computers and security

Most current cryptography that drives online commerce, banking etc., is dependent on using complex math problems that are too difficult to solve in a realistic time period by today’s computers. But that is not so for quantum computers. In fact, they are especially good at that kind of thing.

The non-profit Cloud Security Alliance says that within 15 years, all PKI (public-key-infrastructure) which drives online security, would be broken with devastating effects on global economy. The Global Risk Institute in its own study, says the same thing. NIST has begun a 4-6 year public evaluation of quantum resistant cryptography.

Some companies are already working on quantum-resistant encryption using qubit-cryptography. Google is one of them. Last week, China launched “Micius”, the first quantum technology satellite, which they say is unhackable.

A new era of computing is just over the horizon. And as we grapple with information security challenges with the computers we have today, the hope is that effective quantum computer security will strengthen and not further weaken our digital worlds.