Enterprise Strategy Group | Getting to the bigger truth.TM

Posts Tagged ‘CIA’

Technology CEO Council’s Lightweight Federal IT Recommendations

Wednesday, November 3rd, 2010

Have you heard of the Technology CEO Council?  Neither had I until recently.  The council is made up of a strange mix of tech CEOs from organizations including Applied Materials, , , IBM, Intel, Micron, and Motorola.  Why this group and not Adobe, Cisco, HP, Juniper Networks, Microsoft, Oracle, and Symantec?  Beats me.

Anyway, the group published a paper in early October called, “One Trillion Reasons:  How Commercial Best Practices to Maximize Productivity Can Save Taxpayer Money and Enhance Government Services.”  The paper stresses the need to reduce federal spending and suggests some IT initiatives in support of this objective.  The initiatives include:

  1. Consolidate information technology infrastructure
  2. Streamline government supply chains
  3. Reduce energy costs
  4. Move to shared services
  5. Apply advanced business analytics to reduce improper payments
  6. Reduce field operations footprint and move to electronic self-service
  7. Monetize government assets

The paper is available at www.techceocouncil.org.

I agree with the spirit of this paper as there are plenty of ways to use IT costs savings to reduce overall federal spending.  That said, the paper is pretty weak and self-serving.  Specifically:

  • The Feds are already doing most of these things today.  Federal CIO Vivek Kundra is already driving data center consolidation.  Agencies were asked to submit initial input on June 30, 2010 and finalized plans are due on December 31.  Lots of federal agencies including CIA, DHS, DISA, and NASA are well along the road to cloud computing as well.  Perhaps the Feds should be more aggressive, but the same could be said of any organization.
  • The paper ignores legislative challenges.  The paper suggests things like consolidating common IT services like payroll, finance, and human resources.  Once again, this is nothing new as this type of consolidation was suggested in 2001 as part of Karen Evan’s Federal Enterprise Architecture.  Moving beyond inter-departmental cooperation toward a federal IT organization could indeed save money, but it would require overhauling (or at least tweaking) the Klinger-Cohen Act of 1996.  This could be a long arduous process.
  • What about security?  Federal IT spending is dominated by military and intelligence agencies with deep security requirements.  You can’t just consolidate around these.  Yes, security standards and regulations should be changed to keep up with the times–this is exactly what’s happening with FISMA 2.0 and the FedRAMP strategy to streamline cloud computing certification and accreditation (C&A).  Again, these things take time, thought, and care–not ideas and papers.

The CEOs also need to remember that their own internal IT organizations are far different than those in the federal government. When EMC executives mandate a massive VMware project, all of IT jumps into formation.  It doesn’t work that way in the public sector.

There were certainly some good points in the paper, but overall it is really a marketing piece put out by a lobbying organization.  In my humble opinion, there is some irony in this paper and organization–while the Technology CEO Council puts out a paper about how the federal government can save money on IT, companies like Dell, EMC, IBM, and Intel are happily wasting dough on a half-baked lobbying/PR organization.  Funny world.

The CIA and the Encrypted Enterprise

Friday, October 29th, 2010

The international horse show wasn’t the only event in Washington DC this week; I participated in the Virtualization, Cloud, and Green Computing event in our nation’s capital. One of the guest speakers was Ira “Gus” Hunt, CTO at the CIA. If you haven’t seen Gus speak, you are missing something. He is very strong on the technical side and extremely energetic and entertaining.

Gus focused on cloud computing activities at the CIA (I’ll blog about this soon), but I was intrigued by one of his slide bullets that referred to something he called the “encrypted enterprise.” From the CIA’s perspective, all data is sensitive whether it resides on an enterprise disk system, lives in a database column, crosses an Ethernet switch, or gets backed up on a USB drive. Because of this, Hunt wants to create an “encrypted enterprise” where data is encrypted at all layers of the technology stack.

The CIA is ahead here, but ESG hears a similar goal from lots of other highly regulated firms. When will this happen? Unfortunately, it may take a few years to weave this together as there are several hurdles to overcome including:

  1. An encryption architecture. Before organizations encrypt all their data, they have to understand where the data needs to be decrypted. For example, remote office data could be encrypted when it is sent to the corporate data center, but it needs to be decrypted before it can be processed for large batch jobs like daily sales and inventory updates. There is a balancing act between data security and business processes here demanding a distributed, intelligent encryption architecture that maps encryption/decryption with business and IT workflow.
  2. Key management. Most encryption products come with their own integrated key management system. Many of these aren’t very sophisticated and an enterprise with hundreds of key management systems can’t scale. What’s needed is a distributed secure key management service across the network. Think of something that looks and behaves like DNS with security built in from the start. The Key Management Interoperability Protocol (KMIP) effort may get us there in the future as it is supported by a who’s who of technology vendors including EMC/RSA, HP, IBM, and Symantec, but it is just getting started.
  3. Technical experience. How should I encrypt my sensitive Oracle database? I could use Oracle tools to encrypt database columns. I could encrypt an entire file system using Windows EFS or tools from vendors like PGP. I could buy an encrypting disk array from IBM, or I could combine EMC PowerPath software with Emulex encrypting Host-based Adapters (HBAs). Which is best? It depends on performance needs, hardware resources, and financial concerns like asset amortization. Since there is no “one-size-fits-all” solution here, the entire enterprise market is learning on the fly.

A lot of the technical limitations are being worked on at this point, so the biggest impediment may be based upon people and not technology. We simply don’t have a lot of experience here, so we need to proceed with research, thought, and caution. To get to Gus Hunt’s vision of the “encrypted enterprise,” we need things like reference architectures, best practices, and maturity models as soon as possible. Look for service providers like CSC, HP, IBM, and SAIC to offer “encrypted enterprise” services within the next 24 months.

Venture Capitalists MUST Invest More in Cybersecurity

Friday, April 16th, 2010

There is a glimmer of good news on the venture capital front. In Q1 2010, venture funding rose 38% from a year ago to $4.7. What’s more, the pool of VC money is spread over 681 companies–a 7% increase from Q1 2009.

Good, but not great news. Most of the dough is going to biotech companies while investment in clean technology tripled.

The bad news? Investment in software declined 1% year over year. Remember that in Q1 2009, we were preparing for runs on banks and Hoovervilles.

While I have no data, there is anecdotal evidence suggesting additional bad news. I speak with security companies all the time and I simply don’t see VCs investing heavily in this space.

Perhaps they got burned investing in the 5th NAC, anti-spyware, or UTM vendor. Maybe they think that Cisco, Check Point, Juniper, McAfee, Symantec, and Trend Micro have everything covered. It could be that many believe that the whole tech space is mature, so they are chasing the new new thing in other technical areas.

I’m not sure why the VCs are eschewing security investments, but I do know that this is a problem. Why? At a time when attack volume is steadily increasing, cybercriminals operate like Fortune 500 companies, and FBI directors characterize cybersecurity attacks as “an existential threat to our nation,” the VCs are moving on to perceived greener pastures. In other words, there is serious demand for next-generation security skills and technology, but the supply-side continues to invest elsewhere. Bad economics and bad for the digital assets we all depend upon.

Okay, I understand that the VCs are in it for the money and nothing else, but something is wrong with this picture. It seems to me that when demand exceeds supply, there is money to be made. I’d like to see the VCs invest in security as a patriotic act, but I’m not optimistic. Therefore, I have a few ideas for the “smartest guys in the valley” on Sand Hill Rd.

  1. Co-invest with In-Q-Tel. In-Q-Tel is a VC firm that came directly out of the CIA. On its web site, the firm’s mission statement reads as follows, “In-Q-Tel identifies and partners with companies developing cutting-edge technologies to help deliver these solutions to the Central Intelligence Agency and the broader U.S. Intelligence Community (IC) to further their missions.” The key here is to find the smartest security firms whose technology is good enough for the CIA, DOD, and NSA and can be adapted for commercial use. Given the recent string of private attacks, the private sector would welcome military-grade protection.
  2. Explore other direct federal funding. It’s likely that DARPA, NSF, DOE, and other agencies will have money to spend on cybersecurity research and development. Smart VCs will figure out ways to hedge their risks by getting these agencies involved.
  3. Partner with Universities. UC-Berkeley, Carnegie-Mellon, MIT, Purdue, Johns Hopkins, and Cornell are all doing advanced research in various security disciplines. The VCs need to buddy up to these prestigious institutions and find investments that provide mutual benefits.
  4. Seek out Israeli money. Educated at Tel Aviv University and Technion and then saturated in security in the IDF, Israel produces some of the smartest security minds in the world. I’d like to see more American investment in Israel and more outreach to Israeli VCs from Sand Hill Rd.

The lack of VC investment in security could have broad implications moving forward, so the VCs can’t sit on the sidelines. It’s time for the rich guys to get more involved and proactively champion security innovation and investment rather than sit back, drink Merlot, and wait for business plans to come in. Our digital security may depend upon this.

Search
© 2010 Enterprise Strategy Group, Milford, MA 01757 Main: Fax:

Switch to our mobile site