May 20, 2012 By Dan Lohrmann
Ever since I read Megatrends in 1988, I’ve been fascinated by predictions about how technology will alter our daily lives in the near-future. One area that is evolving quickly is our shopping experiences both online and offline.
What’s next? Get ready for the reinvention of the cash register – with competing visions for how that will happen. What’s fairly certain is that our smartphones, iPads and/or other mobile devices will become an integral part of the new check-out process.
Almost everyone knows about Amazon.com and online retailers offering free shipping of Christmas presents, but there is another transformation occurring at grocery stores and malls around the world. As each innovation occurs, there are corresponding security challenges that must be addressed at the same time. For example, the self-serve checkout process is reducing the need for staff, offering more customer convenience but creating new theft concerns.
How can these obstacles be overcome? It appears that the self-serve checkout process is only an intermediate step towards the real goal of no lines at all. If this seems impossible, read on.
There’s an excellent article by Mike Elgan over at Computerworld which offers a glimpse into our likely future (offline) shopping experiences. The article, Inside Apple’s secret plan to kill the cash register, raises some very intriguing points about the use of new technologies such as digital wallets, near field communications (NFC) chips and more. Here’s an excerpt:
When people talk about the future of digital wallets -- electronic smartphone-based replacements for credit cards, debit cards and cash -- you're likely to hear the initials NFC in the same breath. NFC, for "near-field communication," is a set of technologies that makes it possible to pay for purchases using smartphones, among other things.
The idea is that all smartphones will contain special NFC chips that enable you to use your phone as a credit card. To make a transaction, you pass your phone over or near a special gadget that's hooked up to a cash register as an equivalent to swiping a credit card…
Apple’s potential vision is described further by Research Farm’s Pablo Saez Gil in this article at cultofmac.com:
“Apple will eschew adopting NFC because it’s embraced Bluetooth 4.0 and its excellent Bluetooth Low-Energy capabilities. Apple has already sold millions of iPhone 4Ses that come with Bluetooth 4.0, and Gil argues that it’s a much better fit for mobile payments for Apple than NFC.
[Bluetooth Low Energy] allows low-consumption chips to act passively in the form of stickers in a similar fashion to NFC tags and devices can automatically and passively connect and transfer information seamlessly. The technology also enables long distance connections between devices of up to 50m. This feature will eventually enable payments on the go, without the need of fixed POS and traditional checkouts.
Why’s Bluetooth Low Energy a better fit for Apple than NFC? Look at how payment works at your local Apple Store. You walk in, flag down a Genius, you tell him what you want, he swipes your card on his iPhone and you walk right out the door. You don’t wait in line at a register. There’s no till. It’s all done wherever. That’s how Apple believes retail shopping should be done.”
So those commercials that show people grabbing items off of grocery shelves and walking out of stores with the security guards helping them with their receipts may be accurate a few years from now. What’s clear is that we will have a new paradigm in mobile payments. This new world will also impact governments and small businesses which accept credit cards, debit cards and other forms of payment.
Why should we take notice now? From current and future BYOD programs to redesigning how customers pay for campground reservations or driver’s licenses, the implications of these changes are enormous. True, governments tend to lag the private sector in retail innovation, and we can probably wait to see what standards emerge. Nevertheless, I urge security pros to read up on new payment approaches to age-old problems.
“Don’t stop thinking about tomorrow.” As the song goes, “it will soon be here.”
Another thing is clear: security will need to be reinvented – again.
May 12, 2012 By Dan Lohrmann
Most of us are trying to do multiple activities at the same time. But is it really working?
For example, I like to keep “to do” lists. I get special satisfaction when I complete one action item and the result is that multiple items come off of my list. More often than not, I’m tempted to multitask, especially at work. On top of that, I’m instinctively looking for new tips and shortcuts that can help me gain a further edge in accomplishing my personal and professional goals.
These are just some of the reasons that reading the recent Harvard Business Review (HBR) blog entitled The Magic of Doing One Thing at a Time by Tony Schwartz was eye-opening and relevant for me. Here’s an excerpt with some questions worth considering:
“Do you answer email during conference calls (and sometimes even during calls with one other person)? Do you bring your laptop to meetings and then pretend you're taking notes while you surf the net? Do you eat lunch at your desk? Do you make calls while you're driving, and even send the occasional text, even though you know you shouldn't?”
I’m certainly guilty at times. More than that, I tend to think of multitasking as a virtue. If I can do 3-4 things at once, I’m getting more done. I’m closer to the finish line.
Not so, says recent research. This perspective has been shown to be a fallacy, and multitasking usually leads to less productivity and not more. If you have a hard time believing this, check out this piece and corresponding study which says that multitasking makes us feel good but delivers fewer meaningful results. Or, read one of the thousands of articles about the dangers of multitasking.
But back to the first blog - Schwartz has some great tips for workplace norms around meetings, constant urgency of tasks and the importance of taking regular breaks.
Here are some personal takeaways:
1) Do the most important thing at the beginning of the day with dedicated (uninterrupted) time.
2) Establish dedicated time to think creatively, strategically and long-term.
3) Take real and regular vacations.
These items make sense to me. Still, they are hard to build consistently into my life as habits. On the last point about vacation, I was astounded recently when a well-respected vendor colleague told me that he has not taken a vacation of two days or more in over seven years. He regularly just gives up his vacation days and cannot carry them over to the next year. Nor is he even paid for his sacrifice. He’s just too busy to take time off and relax.
Side note: I told him that I saw this as one advantage of being a government employee on a salary and not on a commission. I am just as driven to work hard and accomplish things as my friend, and I would be tempted to never stop working as well. Bottom line, I need my vacations way more than I’ve realized, but I often need to be pushed by my wife and children to take them and truly disconnect or focus on other important things offline.
Perhaps you’re wondering: what does any of this have to do with technology or cybersecurity? Quite a bit, I think. Rising stress and feelings of being overwhelmed are serious concerns for security professionals, and I wrote about this topic as problem 6 for security professionals in my list of the top seven reasons security pros fail.
More than that, the explosion of mobile devices such as iPhones and iPads has only increased the temptation to multitask more in 2012. In addition, many large government organizations still manage cybersecurity as an "other duty as assigned" for technology professionals rather than dedicating a team to focus on tasks related to cybersecurity. This multitasking approach can make it difficult to perform tasks with the required level of vigilance and expertise. Even government groups that have good centralized cyber teams that focus on Internet threats and mitigating enterprise risks can be pulled in multiple directions at the same time and need to take note of this research.
In an interesting twist, Tony Schwartz actually starts his blog off with the ever-so-common theme of being burned out at work. We can all relate to this topic at some point in our careers. Last year, almost half of the employers surveyed said that their employees felt burned out.
Bottom line, no matter what career track or professional role we are in, the “How can we truly be more productive?” question is worth contemplating. Whether I’m working with my kids, my staff, my customers or my smartphone, LESS (activity) and a singular focus on the task at hand is actually MORE (productive and effective).
What are your thoughts on multitasking? Are employees in your office feeling burned out? What strategies have worked for you? I’d love to hear your stories.
May 6, 2012 By Dan Lohrmann
How much attention should cyber pros pay to comments from the "noobs" about technology and security?
I started thinking about this topic after reading an intriguing Computerworld article entitled: Dispatch from the technology culture wars: What geeks and noobs need to understand about each other. In case you’re wondering, a noob is slang for newbie or, as Erin Elgin describes in this piece, “nontechnical people who want gadgets to just work.”
This is a thought-provoking article that is worth reading – covering the “technology cultural wars.” Here’s an excerpt:
“Computer technology used to be the exclusive province of geeks. You couldn't get anywhere near a computer before 1977 unless you were a certifiable, card-carrying geek.
Things started to change in 1977 with the introduction of the Commodore PET, the first relatively mass-marketed personal computer. Later came the graphical user interface, the Mac, Windows and the Internet. With each new generation of technology, computers became more "user friendly" and in rushed the noobs.
After the turn of the millennium, the noobification of the technology scene accelerated. The rise of "Web 2.0" and the mobile revolution were all about simplification. Creating a website was replaced by blogging. Blogging was replaced by microblogging. The cloud eliminated the need to install and manage desktop applications. The post-PC revolution, as exemplified by the Apple iPad, embodies the noobification of technology to an unprecedented extreme.
With each advance, there's an increase in the percentage of noobs who use technology.
Today, geeks are a beleaguered minority, almost strangers in their own house.”
The article goes on to describe how this difference in viewpoints has a dramatic impact on many areas of life and what we do at home and work - from predicting new product adoption success rates to Facebook’s stock price.
But taking a slightly different twist on this topic, allow me to suggest that security and privacy experts often have the same issue as the geeks – probably because many (not all) security pros are actually geeks. (Yes, I know most prefer to be called hackers.)
Put another way, what’s the right balance between easy to use, easy to implement and easy to modify on the one hand, and “secure” on the other? In many cases, security seems to be at odds with a simple user interface. For example, longer, complex passwords are a pain to remember and are viewed as a hindrance by most noobs.
Another aspect of this question regards mobile device (smartphone) security. There is an ongoing debate about which operating system is more secure – and Symantec reported that iOS is more secure than Android. This has led most enterprises to pick iPads over Android-based devices.
Finally, there are those within the security field that believe that cybersecurity itself is way too complex. Our network architectures, firewalls, zones and more make securing the enterprise almost impossible against an agile enemy. There have been several papers written on this topic of radically simplifying security. Should we even start over on cybersecurity?
What do I think about this “technology cultural war?”
I’ve found that I learn a ton from my family and non-technical church friends regarding technology, security and work. (Yes, they are all noobs.) To say my wife Priscilla really likes her iPad would be a vast understatement—like saying Mount Everest is a tall hill. My daughters are digital natives. I watch them and see what they do online and how they do it. I check up on their Internet security, and we interact on tough questions that fall into the “grey zone.” This is part of who I am and how I was wired – (see the end of this CSO blog post for more on this topic). I’ve heard from many others around the world who think and act the same at home and work. It’s in our DNA, and I guess that makes us security geeks.
But I also realize that good customer service is essential for security professionals, and we need to listen to the noobs. As Elgin describes, they are the majority. They have really good points and the power of the wallet. They predicted this iPad craze way better than I did. I’m fascinated by how they think and interact.
I suspect that there will always be somewhat of a struggle between the noobs and the security organizations in most enterprises. Like the love/hate relationship that most citizens have with the police, security pros are often admired (after stopping a hacker attack) and sometimes despised (after you forget to bring your 2-factor hard token along on vacation). The feelings can also be similar to being pulled over for a traffic ticket when doing 42 on a 30 mph road.
But that’s what makes life interesting, challenging and fun. It means we rarely have a dull moment in our government work – and it keeps me coming back for more.
What are your thoughts on the noobs in your life?
April 28, 2012 By Dan Lohrmann
Opinions are all over the map on "Bring Your Own Device" (BYOD) to work. I've heard those who insist that 80% of us will adopt this new approach to mobile devices within a few years. Others believe that the letters BYOD stand for "Bring Your Own Disaster..."
Here are a few viewpoints and a quick poll to gauge your opinion.
Is Bring Your Own Device an Inevitable Trend?
"... Government Executive’s recent article outlining '5 Trends in Mobility' includes the BYOD wave front and center, a phenomenon seemingly buoyed by U.S. Chief Information Officer Steven VanRoekel’s vocal embrace of the power of mobility: 'Going mobile doesn’t just increase productivity, but it’s a huge cost saver too.' Leading government analysts agree, calling BYOD the 'dominant trend in many civilian agencies' and 2012 'the year that tablets become firmly embedded in the government space.'"
WSJ: Should Employees Be Allowed to Use Their Own Devices for Work?
"... The quickening pace of breakthroughs in consumer technology is helping fuel the trend. Accustomed to managing their personal lives with the latest and most-innovative technology tools, people are becoming less patient with the older, clunkier hardware and software they have to use at work...."
TECHNOLOGY SPECTATOR: Bring-your-own-device disaster
"... Yet while BYOD is on our doorstep and the pressure to cave into the trend is overwhelming, cyber security companies like Symantec are more than happy to elucidate what will happen if a CIO gets their BYOD policy wrong.
According to the latest Symantec report on data breaches, a hacked mobile device in an organisation can be a serious security issue, with hackers looking to piggyback employee devices into a workplace’s network...."
Now it's your turn. I'd like to know your thoughts and experience with BYOD:
April 22, 2012 By Dan Lohrmann
Over the past few weeks, there have been several high-profile breaches announced involving state government systems - one in South Carolina and one in Utah. I say “high-profile” because the coverage of both incidents has been widespread, with tech magazines, blogs and even major newspapers and TV stations covering the situations in detail. The headlines have not been very encouraging for our respected government colleagues, with Computerworld reporting that the Utah breach was 10x worse than originally thought.
My first reaction, and the thoughts of many government CIOs, CTOs, CISOs and CSOs around the nation, was to think: “There but for the grace of God go we.” Anyone who thinks they are not susceptible to similar cyber incidents (whether from insider threats or external hackers) has not been paying close enough attention to the growing threat in the cyber world we live in. (I covered this topic briefly in the piece: Is America Outgunned in Cyber?)
My thoughts go back to about this time last year when we experienced two major computer outages in Michigan, and the national spotlight was shining on us. True, those were mainframe computer outages and not the same as data breaches. But I can tell you that you don’t sleep much and it is not a fun time. To be fair, Amazon, Google, Microsoft and others have also experienced extended outages, and large corporations such as Sony have experienced major breaches.
As far as breaches go, Alabama, the CIA and other federal, state and local government agencies have also faced similar headline-grabbing breaches. These are very serious situations that affect citizen data, and I am confident that the matters are being handled professionally and with care.
Here are some additional thoughts and comments that I have:
1) Although these two (Utah and South Carolina) breaches were very different (in cause), they were similar in that they involved Medicaid systems. One involved an internal disgruntled employee and the other an external attack made easier by a lack of appropriate system controls. Regardless, government technology teams around the nation are now on alert and checking their systems for specific protections and appropriate processes.
2) The national network of cyber coordination and controls got the word out fast and organizations like the MS-ISAC have kept people informed on a “need to know” basis. The call from government officials to “double-check” and “take additional precautions” has been loud, because citizens are asking “what are we doing to ensure that our systems are protected ….?”
We all need to be “plugged-in” to the right organizations, since we are in this global cyber battle together.
3) These are teachable moments. We need to take this (and every other) breach opportunity to demonstrate the importance of cyber protections to our extended IT teams. Make lemonade out of these lemons. Communicate more by sending out newsletters, alerts, emails or whatever you need to do to get the attention of the appropriate people to reinforce the policies around people, process and technology to secure systems. Have you made your IT teams aware?
4) Breaches will happen again. We need to keep asking: are we ready? What do we need to do to prepare? Where is our cyber program? Is there a sense of urgency?
5) The pundits who say that state governments are not targets are wrong. Preparation as a top priority is needed from CIOs, CTOs, CISOs and others in government.
6) The mid-year NASCIO conference will provide an opportunity for CIOs to be briefed by intelligence community officials on cyber threats facing the nation. These types of briefings are important for all government technology and cyber leaders. Do we understand the threat? What is our risk level?
7) Someone asked me once: What does it feel like when major outages or breaches occur on your watch? Answer: It hurts. Like the pain you feel after losing a championship game in sports, your team regroups and commits to never let it happen again. But you wonder: can you get the genie back in the bottle? It’s tough with your reputation being tarnished a bit.
I could say more, but I have no desire to “pile-on” or criticize these states. They have excellent technology teams, and incidents like these are very difficult to stop over the long run. They will no doubt get better and learn from their particular situations as Virginia did after their major outage a few years back.
One final thought: I just returned from speaking at the CSO Confab event in California this week, and I had the chance to speak with CSOs and cyber leaders from the top companies and security teams in America. The mood is pretty pessimistic, with many speakers acknowledging that we have failed – so far. Several of the side conversations with consultants and other experts were equally depressing – with stories of major US companies that were recently breached and are now recovering and rethinking their approaches to cyber attacks and business processes. This trend is happening to most major enterprises – whether government or private sector.
Bottom line, the cybersecurity battle has not yet peaked or turned the corner in my view. If your government is not taking this threat seriously yet (and I mean top-level attention), now is the time to act aggressively. We each need a pragmatic cyber plan to improve. I believe that we are still in the opening innings of a long baseball game, and we (as a nation) are behind by more than a few runs. Unlike baseball, the public trust in government and other institutions is at stake.
What are your thoughts on these incidents?
Building effective virtual government requires new ideas and hard work. Security professionals need to be enablers of innovation. From helpful Internet training to defending cloud computing architectures to securing mobile devices, Dan Lohrmann will cover what's hot and what's not in protecting your corner of cyberspace.