Leveraging The User To Improve IT Solutions

I’ve spent the last 20 years analyzing the Information Technologies market. My work with vendors has ranged from developing business strategies and honing messaging to defining product requirements and identifying significant trends. My work with IT enterprise decision-makers has been to help define requirements, identify and evaluate alternatives, and recommend solutions, etc. We’ve always worked closely with our clients to understand first what they are trying to accomplish, then providing the advice, support and services that we believe will be most effective in achieving those goals.

Over the years I’ve noticed there are recurring cycles to solutions and how they are developed and sold. Certain themes reappear: centralization of resources vs. decentralization; work from customer wish-lists, but don’t miss the next ‘big thing’! My personal favorite of the recurring themes is ‘listen to and understand the customer’. This is actually really good advice, but it must be executed correctly. It requires active listening, interaction, and learning in depth how the customer uses the product as well as what is not being used. Clearly its time in the cycle has come around again.

Over the last 18 to 24 months, I’ve seen more of our clients spending significant time making a concerted effort to work with and gain feedback from customers. They’re not shy about discussing the depth and breadth of their efforts, nor the rapid, iterative changes to the product that result, which we find interesting and highly beneficial.

So, what’s the big deal about listening to clients? There are a variety of ways to acquire and process data from customers. The issue isn’t a failure in these methods but the changes taking place in how data is collected, the focus of the inquiry, and how the data is used and applied.

Data Collection: Social media, agile development and consumerization change it all! What was once a structured and prolonged process of meetings, discussions and eventual integration into a development plan has become a looser, more interactive and faster track to development and integration of new features and capabilities. Social media facilitates and speeds communications between the vendor and the user. Agile development allows user comments and requests to more directly influence the product and feature development process and workflow. One client described how data from users was streamed into their process of continuous development. Teams were able to make incremental adjustments during the development process. Customers provided ongoing feedback about what worked, what didn’t work and what almost worked, based on evaluating snapshots and prototypes. Today’s technologies and workflows allow for continuous input to improve the product during the development cycle. It turns out that it can be more economically efficient to facilitate potentially disruptive communication that allows those adjustments to meet customer needs than to discover a major gap between delivered functionality and need at the end of the development cycle.

Focus of the Inquiry: Speeds n’ feeds don’t cut it anymore! It used to be about shaping tools, adding features and functionality. Today, changes in technology, capacity expansion and the change in the operations environment shift the focus to simplicity of use, integration of capabilities and consistency across platforms. Users have more responsibility and, frequently, less training. Over-specialization makes less sense from an economic perspective with the advent of virtualization. IT staff need management and administrative tools that integrate tasks and functions and leverage the capabilities of the technology to optimize the delivery of reliable services. They need solutions that will help them to anticipate and identify the source of disruptions wherever they occur, and help them to provide the best user experience. This means vendors must work more closely with their users to acquire a deep understanding of how their products are used and how to improve them.

Applying the data: Integration, intelligence and leverage what is known! Feature and functionality enhancements remain important, but now the focus is on ease of use and on applying the product to changing circumstances. IT staff need to be able to use and integrate what is available in terms of data and tools, as well as usage patterns, customer behavior, and knowledge about change. The focus is on moving beyond simply collecting, aggregating and reporting to using patterns, analytics and acquired expertise to make the user more effective and proactive (when appropriate) in the use of the tool. The extension can be as straightforward as building the ability to group, search, correlate and manipulate massive amounts of data or feedback with a new user interface. Or, it can involve the automated correlation and analysis of data to pinpoint a potential failure during a simulated service delivery, then using simulation to suggest repair or work-around alternatives to avoid the problem.

The point of all this is that vendors and users are becoming more closely linked. The consumerization of IT and the penetration of social media provide more opportunities for interaction and collaboration that benefit both. The partnership between vendors, channel and technology partners, and the consumer provides rich ground for cooperative efforts that will benefit all three. In our practice, we are seeing more and more of such collaboration. It is both highly welcome and much needed. The results that we have seen so far lead us to believe this will continue.

Five myths about PCI-DSS

In the spirit of the Washington Post’s regular column, “5 Myths,” here we “challenge everything you think you know” about PCI-DSS compliance.

1. One vendor and product will make us compliant

While many vendors offer an array of services and software which target PCI-DSS, no single vendor or product fully addresses all 12 of the PCI-DSS v2.0 requirements. Marketing departments often position offerings in such a manner as to give the impression of a “silver bullet.” The PCI Security Standards Council warns against reliance on a single product or vendor and urges a security strategy that focuses on the big picture.

2. Outsourcing card processing makes us compliant

Outsourcing may simplify payment card processing but does not provide automatic compliance. PCI-DSS also calls for policies and procedures to safeguard cardholder transactions and data processing when you receive them — for example, chargebacks or refunds. You should request an annual certificate of compliance from the vendor to ensure that their applications and terminals are compliant.

3. PCI is too hard, requires too much effort

The 12 requirements can seem difficult to understand and implement for merchants without a dedicated IT department; however, these requirements are basic steps for good security. The standard offers the alternative of compensating controls, if needed. The market is awash with products and services to help merchants achieve compliance. Also consider that the cost of non-compliance can often be higher, including fines, legal fees, lost business and reputation.

4. PCI requires us to hire a Qualified Security Assessor (QSA)

PCI-DSS offers the option of doing a self-assessment with officer sign-off if your merchant bank agrees. Most large retailers prefer to hire a QSA because they have complex environments, and QSAs provide valuable expertise including the use of compensating controls.

5. PCI compliance will make us more secure

Security exploits are non-stop, an ever-escalating war between the bad guys and the good guys. Achieving PCI-DSS compliance, while certainly a “brick in the wall” of your security posture, is only a snapshot in time. “Eternal vigilance is the price of liberty,” said Wendell Phillips.

Does Big Data = Better Results? It depends…

If you could offer your IT security team 100 times more data than they currently collect – every last log, every configuration, every single change made to every device in the entire enterprise, at zero cost – would they be better off? Would your enterprise be more secure? Completely compliant? You already know the answer – not really, no. In fact, some compliance-focused customers tell us they would be worse off because of liability concerns (you had the data all along but neglected to use it to safeguard my privacy), and some security-focused customers say it would actually make things worse because they have no processes to effectively manage such archives.

As Michael Schrage noted, big data doesn’t inherently lead to better results. Organizations must grasp that being “big data-driven requires more qualified human judgment than cloud-based machine learning.” For big data to be meaningful, it has to be linked to a desirable business outcome, or else executives are just being impressed or intimidated by the bigness of the data set. For example, IBM’s DeepQA project stores petabytes of data and was demonstrated by Watson, the successful Jeopardy-playing machine – that is big data linked clearly to a desirable outcome.

In our corner of the woods, the desirable business outcomes are well understood. We want to keep bad guys out (malware, hackers), learn about the guys inside that have gone bad (insider threats), demonstrate continuous compliance, and of course do all this on a leaner, meaner budget.

Big data can be an embarrassment of riches if linked to such outcomes. But note the emphasis on “qualified human judgment.” Absent this, big data may be just an embarrassment. This point underlines the core problem with SIEM – we can collect everything, but who has the time or rule-set to make the valuable stuff jump out? If you agree, consider a managed service. It’s a cost-effective way to put big data to work in your enterprise today – clearly linked to a set of desirable outcomes.

Are you a Data Scientist?

The advent of the big data era means that analyzing large, messy, unstructured data will increasingly form part of everyone’s work. Managers and business analysts will often be called upon to conduct data-driven experiments, to interpret data, and to create innovative data-based products and services. To thrive in this world, many will require additional skills. In a new Avanade survey, more than 60 percent of respondents said their employees need to develop new skills to translate big data into insights and business value.

Are you:

Ready and willing to experiment with your log and SIEM data? Managers and security analysts must be able to apply the principles of scientific experimentation to their log and SIEM data. They must know how to construct intelligent hypotheses. They also need to understand the principles of experimental testing and design, including population selection and sampling, in order to evaluate the validity of data analyses. As randomized testing and experimentation become more commonplace, a background in scientific experimental design will be particularly valued.

Adept at mathematical reasoning? How many of your IT staff today are really “numerate” — competent in the interpretation and use of numeric data? It’s a skill that’s going to become increasingly critical. IT staff members don’t need to be statisticians, but they need to understand the proper usage of statistical methods. They should understand how to interpret data, metrics and the results of statistical models.

Able to see the big (data) picture? You might call this “data literacy,” or competence in finding, manipulating, managing, and interpreting data, including not just numbers but also text and images. Data literacy skills should be widespread within the IT function and become an integral aspect of every function and activity.

Jeanne Harris blogging in the Harvard Business Review writes, “Tomorrow’s leaders need to ensure that their people have these skills, along with the culture, support and accountability to go with it. In addition, they must be comfortable leading organizations in which many employees, not just a handful of IT professionals and PhDs in statistics, are up to their necks in the complexities of analyzing large, unstructured and messy data.

“Ensuring that big data creates big value calls for a reskilling effort that is at least as much about fostering a data-driven mindset and analytical culture as it is about adopting new technology. Companies leading the revolution already have an experiment-focused, numerate, data-literate workforce.”

If this presents a challenge, then co-sourcing the function may be an option. The EventTracker Control Center here at Prism offers SIEM Simplified, a service where trained and expert IT staff perform the heavy lifting associated with big data analysis as it relates to SIEM data. By removing the outliers and bringing patterns to your attention more efficiently, thanks to scale, focus and expertise, the service lets you concentrate on interpretation and the associated actions.

Seven deadly sins of SIEM

1) Lust: Be not easily lured by the fun, sexy demo. It always looks fantastic when the sales guy is driving. How does it work when you drive? Better yet, on your data?

2) Gluttony: Know thy log volume. When thee consumeth mucho more raw logs than thou expected, thou shall pay and pay dearly. More SIEM budgets die from log gluttony than starvation.

3) Greed: Pure pursuit of perfect rules is perilous. Pick a problem you’re passionate about, craft monitoring, and only after it is clearly understood do you automate remediation.

4) Sloth: The lazy shall languish in obscurity. Toilers triumph. Use thy SIEM every day, acknowledge the incidents, review the log reports. Too hard? No time, you say? Consider SIEM Simplified.

5) Wrath: Don’t get angry with the naysayers. Attack the problem instead. Remember “those who can, do; those who cannot, criticize.” Democrats: Yes we can v2.0.

6) Envy: Do not copy others blindly out of envy for their strategy. Account for your differences (but do emulate best practices).

7) Pride: Hubris kills. Humility has a power all its own. Don’t claim 100% compliance or security. Rather you have 80% coverage but at 20% cost and refining to get the rest. Republicans: So sayeth Ronald Reagan.