Enterprise Strategy Group | Getting to the bigger truth.TM

Posts Tagged ‘FISMA’

Technology CEO Council’s Lightweight Federal IT Recommendations

Wednesday, November 3rd, 2010

Have you heard of the Technology CEO Council?  Neither had I until recently.  The council is made up of a strange mix of tech CEOs from organizations including Applied Materials, , , IBM, Intel, Micron, and Motorola.  Why this group and not Adobe, Cisco, HP, Juniper Networks, Microsoft, Oracle, and Symantec?  Beats me.

Anyway, the group published a paper in early October called, “One Trillion Reasons:  How Commercial Best Practices to Maximize Productivity Can Save Taxpayer Money and Enhance Government Services.”  The paper stresses the need to reduce federal spending and suggests some IT initiatives in support of this objective.  The initiatives include:

  1. Consolidate information technology infrastructure
  2. Streamline government supply chains
  3. Reduce energy costs
  4. Move to shared services
  5. Apply advanced business analytics to reduce improper payments
  6. Reduce field operations footprint and move to electronic self-service
  7. Monetize government assets

The paper is available at www.techceocouncil.org.

I agree with the spirit of this paper as there are plenty of ways to use IT costs savings to reduce overall federal spending.  That said, the paper is pretty weak and self-serving.  Specifically:

  • The Feds are already doing most of these things today.  Federal CIO Vivek Kundra is already driving data center consolidation.  Agencies were asked to submit initial input on June 30, 2010 and finalized plans are due on December 31.  Lots of federal agencies including CIA, DHS, DISA, and NASA are well along the road to cloud computing as well.  Perhaps the Feds should be more aggressive, but the same could be said of any organization.
  • The paper ignores legislative challenges.  The paper suggests things like consolidating common IT services like payroll, finance, and human resources.  Once again, this is nothing new, as this type of consolidation was suggested in 2001 as part of Karen Evans’ Federal Enterprise Architecture.  Moving beyond inter-departmental cooperation toward a federal IT organization could indeed save money, but it would require overhauling (or at least tweaking) the Clinger-Cohen Act of 1996.  This could be a long, arduous process.
  • What about security?  Federal IT spending is dominated by military and intelligence agencies with deep security requirements.  You can’t just consolidate around these.  Yes, security standards and regulations should be changed to keep up with the times–this is exactly what’s happening with FISMA 2.0 and the FedRAMP strategy to streamline cloud computing certification and accreditation (C&A).  Again, these things take time, thought, and care–not ideas and papers.

The CEOs also need to remember that their own internal IT organizations are far different than those in the federal government. When EMC executives mandate a massive VMware project, all of IT jumps into formation.  It doesn’t work that way in the public sector.

There were certainly some good points in the paper, but overall it is really a marketing piece put out by a lobbying organization.  In my humble opinion, there is some irony in this paper and organization–while the Technology CEO Council puts out a paper about how the federal government can save money on IT, companies like Dell, EMC, IBM, and Intel are happily wasting dough on a half-baked lobbying/PR organization.  Funny world.

HP Buys ArcSight: More Than Just Security Management

Monday, September 13th, 2010

The waiting and guessing games are over; today, HP announced its intent to buy security management software leader ArcSight for $1.5 billion. I didn’t think HP would pull the trigger on another billion+ dollar acquisition before hiring a new CEO, but obviously I was wrong.

ArcSight is a true enterprise software company. As I recall, many of the early ArcSight management team members actually came from HP OpenView. With this model in mind, ArcSight went beyond technology and invested early in top field engineers, security experts, and sales people. This vaulted the company to a leadership position and it never looked back.

For HP, ArcSight fits with its overall focus on IT operations software solutions for Business Technology Optimization. In the future, security information will be one of many inputs that helps CIOs improve IT management and responsiveness. It won’t happen overnight, but think of all sources of IT management data (i.e., log data, SNMP, network flow data, configuration data, etc.) available for query, analysis, and reporting in a common repository. This is what HP has in mind over the long haul.

In the meantime, HP should get plenty of ArcSight bang-for-the-buck over the next 12-24 months by:

  1. Aligning ArcSight and EDS. Security is a top activity within professional services firms. Given ArcSight’s enterprise play, EDS will likely double down on IT risk management and push ArcSight wherever it can.
  2. Using ArcSight as a door opener in the federal market. Yes, HP already sells plenty of products and services to Uncle Sam, but it now has access to a CISO community with deep pockets. With CNCI 2.0 and FISMA 2.0 upon us, this will only increase.
  3. Bringing ArcSight into the virtual data center strategy. According to ESG Research, many enterprises don’t do a good job of coordinating security with server virtualization. This is a big problem given virtualization growth — which is why VMware was so vocal about its recent vShield announcement. HP can and should bring ArcSight into its strategic vision for CIOs with massive data center projects.

In spite of its security services and thought leadership, HP’s name has been notably absent from IT security leadership discussions in the past. ArcSight should change that.

A few other quick thoughts:

  1. In the past, ArcSight was built exclusively on top of Oracle databases. Great in terms of enterprise functionality, but it made the product expensive to buy, expensive to operate, and somewhat weak in terms of queries across large data sets. Look for HP to accelerate plans to decouple ArcSight from Oracle ASAP.
  2. If HP is still in buying mode, the obvious question is, “who is next?” Would anyone be surprised if HP made a move for Check Point, F5, or Riverbed soon?

Lieberman Cybersecurity Bill: Fatal Flaws and What the IT Industry Must Do

Monday, June 21st, 2010

While it may seem like cybersecurity issues have taken a back seat in Washington, there is actually a lot of work happening on Capitol Hill. Senate majority leader Harry Reid (D, NV), is pushing all Senate committees with any type of cybersecurity or industry oversight to get on their legislative horses and address the existing mess.

To that end, Senator Joseph Lieberman (I, CT) is working with colleagues Susan Collins (R, ME) and Thomas Carper (D, DE) on a fairly comprehensive cybersecurity bill called the Protecting Cyberspace as a National Asset Act. The bill seeks to revamp the paper-centric FISMA Act of 2002, centralize cybersecurity management in DHS, and establish a more proactive public/private partnership for cybersecurity risk management.

The essence of the bill is certainly welcome. We need to address cybersecurity issues ASAP like President Obama promised he would do more than a year ago. Unfortunately, the Lieberman bill has a few significant flaws, in my opinion. One major problem is with the bill’s link to federal procurement. The Lieberman bill seeks to legislate security in federal IT spending by “creating a system that requires acquisition officers in the federal government to have the knowledge that they need about the vulnerabilities in products.” This in itself is a good idea but:

  1. How do you do this? There is some talk in Washington about insisting that vendors pass some type of security certification that governs their development processes and cyber supply chain assurance model. Okay, but this certification doesn’t exist today and certification can be nothing more than a check box exercise like FISMA is. In the current state of the industry, this requirement is ludicrous.
  2. Product vulnerabilities are one ingredient. The Lieberman bill’s focus on product vulnerabilities hearkens back to cybersecurity issues circa 2004 when it was fashionable to blame Microsoft for all security problems. Yes, these remain important but we need to think about system vulnerabilities (i.e., a superset of product vulnerabilities), comprehensive testing, and a lot more security training.

I don’t claim to be an expert on the Lieberman bill, but it seems to me that we are falling into the old Washington scapegoat mentality of looking for a villain (i.e., the IT industry). Don’t get me wrong, lots of vendors should be called to task for unacceptable security practices, but to me these provisions seem either overly simplistic or impossible to enforce.

While the Feds figure out the next act in the cybersecurity play, it is really up to the IT industry to step up and establish its own security best practices and self-certification methodology. Strong examples already exist from vendors like , HP, IBM, and Oracle. While some folks will certainly flame me for saying so, Microsoft’s SDL is also a model for the rest of the industry.

Legislators are caught between a rock and a hard place. They have to do something but these are uncharted and highly technical waters. This being the case, the IT industry has to do a better job of stepping in and demonstrating leadership. If this doesn’t happen, the U.S. IT industry will face difficult, costly, and confusing legislation that could impact financial results for years to come.

Federal Government Remains Curious — but Skeptical — of Cloud Computing

Monday, May 3rd, 2010

I’m in Washington co-chairing a Cloud Computing summit along with my colleague Mark Bowker. Thus far, we’ve covered cloud computing drivers, virtualization, cloud computing governance/compliance, and new skill sets needed for the cloud.

The audience is made up of federal IT workers, for the most part. These folks are under the gun since the Obama administration is pushing cloud projects and setting aside budget dollars to persuade federal agencies to get on board with proof-of-concept efforts. Federal CIO Vivek Kundra has added fuel to the fire, acting as the poster child for federal cloud computing as a way to save taxpayer money and improve IT service.

The federal audience is certainly hungry for knowledge, but very leery about the cloud in general. The feedback today indicates that:

  1. Federal IT doesn’t know where to start. Perhaps industry hype has blurred the focus, but there were a lot of questions about which IT activities/applications were a good fit for the cloud. We talked about the “low hanging fruit” like cloud storage for non-sensitive data and perhaps e-mail, but the feds want more information. Beyond these obvious candidates, what’s next?
  2. Security and governance scare the heck out of the Washington crowd. Remember that a high percentage of data is considered confidential. In spite of FISMA-compliant cloud efforts, federal IT workers remain unconvinced. Vendors will have to do a lot of hand-holding inside the Beltway.
  3. State and local governments are much more open to the cloud. This is true for one good reason: they are out of money. A CIO from Colorado talked about the state buying services from Amazon and Google. The CIO stated, “you have to give up some control, but you can gain financial benefits.”

Federal IT people really want more basic information and education about the cloud; vendors should note this and ramp up their knowledge transfer capabilities. Furthermore, it is important to talk in federal terms like FISMA and NIST rather than a more generic presentation. Think security and governance from the get-go.

Finally, the feds are really afraid of vendor lock-in, so standards are important here. When and if the federal government agrees upon cloud standards, vendors must go along to get along. If the feds fail to agree upon standards, all bets are off and the federal cloud becomes a big free-for-all. The private sector, public sector, and technology industry should all work together to make sure that this won’t happen.

Good Data on IT Risk Management

Thursday, November 5th, 2009

Over the past few years, I’ve seen anecdotal evidence suggesting a change in the way large organizations approach information security. Regulatory compliance has been the primary driver in the past but my instincts told me that many enterprises were moving away from a “check box” mentality toward a more formal IT Risk Management framework.

Recently, I read a great report from Ernst & Young that supports this thesis. The report can be downloaded here:

According to the report, 78% of large organizations have a formal IT Risk Management function, and investments in these programs are increasing.

That’s the good news. The bad news is that many of these programs remain immature works in progress. When respondents were asked which factors posed a challenge to their IT risk management program:

* 42% responded, “competing objectives”
* 40% responded, “multiple risk assessments”
* 31% responded, “staff resources to support information technology risk management”
* 29% responded, “level of risk tolerance”

My takeaway is that many IT risk management efforts are still performed tactically in silos rather than in a standard fashion across the enterprise. Skills and resources remain scarce, and large organizations are still unsure what the output data tells them.

This report is very insightful and should be a “must-read” for CISOs, CIOs, and Chief Risk Officers as it provides a clear assessment guideline. What’s more, it could be used as a roadmap for fixing some urgent problems.

To me, this is very important. The checkbox mentality doesn’t work — just ask Federal government agencies how effective FISMA is. That said, IT risk management remains more art than science.

We as a security community and industry need to put our collective heads together to solve this problem soon.

© 2010 Enterprise Strategy Group, Milford, MA 01757
