August 24, 2010 By Dan Lohrmann
Everyone's talking about Intel's pending acquisition of McAfee for $7.7 billion. The list of questions is long. Did they pay too much - or too little? Is this the beginning of a new trend or a one-off acquisition? What does this say about the security industry and/or about the state of cyber security in general? What will the impact be for government technology professionals? What can we learn from this action? Bottom line, why did Intel do it?
Leslie Fiering, research VP at Gartner, told SC Magazine, "The goal is to collect and develop IP that can go directly to silicon and bring security down to the hardware level. The embedded security will run outside the OS with a broad variety of software developer hooks. It is highly unlikely that Intel will make any of these proprietary or in any way specific to McAfee.... Bringing security down to the hardware level is particularly critical at a time when exploits at the OS level are getting more sophisticated on PCs and mobile OSs are still highly immature in the security arena."
Renee James, Intel's senior vice president of software and services, told USA Today, "It's true in mobile solutions that we will have more enhanced security hardware. It is an accurate assumption that in the mobile devices market we will be doing integration into the chip."
Rich Mogull from Securosis.com had a very interesting perspective. He said that Intel bought McAfee for three reasons:
1) The name - "Yes, they could have bought some dinky startup or even a mid-sized firm for a fraction of what they paid for McAfee, but no one would know who they were. Within the security world there are a handful or two of household names; but when you span government, business, and consumers the only names are the guys that sell the most cardboard boxes at Costco and Wal-Mart: Symantec and McAfee...."
2) Virtualization and Cloud Computing - "There are some very significant long term issues with assuring the security of the hardware/software interface in cloud computing. Q: How can you secure and monitor a hypervisor with other software running on the same hardware? A: You can't. How do you know your VM is even booting within a trusted environment?"
3) Mobile Computing - "Meaning mobile phones, not laptops. There are billions more of these devices in the world than general purpose computers, and opportunities to embed more security into the platforms."
So what does this mean for government? I'm staying out of the analysis of how this will affect medium-term products, pricing and competition with Symantec, Trend Micro and other security companies. However, it does underline three trends that express the central importance of cyber security for the next decade.
1) Cyber security is still hot - and getting hotter. This reality may seem obvious, but recent Gartner surveys of priorities from CIOs have seen security drop to the bottom half of the top ten list. A few years back, security was the #1 issue. To illustrate this point, here's another 2010 priority list - from a different source. The same trend can be seen in the 2010 NASCIO list of top State CIO priorities - with security at #6.
However, a deeper look at these lists and the technologies reveals that security is an important component of all the items at the top of these lists - in areas such as virtualization and data center consolidation. The fact is that technology leaders are demanding that security be built-in for these solutions and projects. In many ways, security has evolved into something new.
2) More specifically, this cyber security trend is heading up and down at the same time. In the second decade of the 21st century, security will be moving into "the cloud" (or cloud computing) and into mobile devices that are getting smaller and more powerful. It remains to be seen if Intel can be successful with building effective security into their chips in the same way that anti-lock brakes and air-bags are getting safety built into newer cars. It is pretty clear that Intel (and others) want to try and build more security into the chip sets. Security is becoming more of a "must-have" and less of an "optional extra" in order for new technology offerings to succeed.
3) Prepare for more acquisitions and an evolving landscape in the security space. Over the past few years, Symantec and McAfee have been buying smaller security companies on a regular basis and filling in holes in their offerings. This trend will continue, but now even bigger companies (like Intel) are buying the largest security companies (like McAfee). Will other large communications and/or technology companies buy security companies? Will the likes of AT&T, Microsoft, Google, IBM, HP, EMC, AMD and/or others keep buying into this space? Probably - in fact this is already happening with smaller security companies. A blog on Symantec's website asked whether Symantec would be bought next.
These are interesting (and exciting) times. I certainly did not see this pending acquisition coming. Nevertheless, it looks like more change is coming. Hold on to your seat belts.
What are your thoughts on this pending Intel purchase of McAfee?
August 15, 2010 By Dan Lohrmann
Are recent announcements of product offerings from Google, Microsoft and others going to fundamentally change government technology service delivery? Has the long foretold government paradigm shift now begun? Will we look back at 2010 as the pivotal year? Or, is this just another over-hyped tech story?
Lately, I am thinking that the answer may well be yes - we are witnessing a fundamental shift in technology service delivery for government. However, I think the full transformation could take up to a decade (or more) to complete.
In my opinion, the tech giants are starting in the email and office suite space and will succeed in making these commodity purchases for governments over the next few years. Meanwhile, more complex applications and mission-critical data will be moving into "government clouds" which are private and more secure. Bottom line, we have started down this new "yellow brick road" but certainly have a ways to go to arrive at the "Emerald City."
There are many people saying that recent announcements are game-changers. Here's a quick rundown on several interesting articles and related research on this cloud topic:
Government Technology Magazine recently did this story on the Google certifications for government. I have also written several blogs and other articles on Cloud Computing security issues and offered recommendations to government technology executives on the cloud. A few months back, CIO.gov released the Federal CIO Council's report on the "State of Public Sector Cloud Computing."
Last week, the Digital Daily pointed to recent implementation challenges in LA, in this article Cloud Computing: Good Enough for Government? Microsoft told us back in February that FISMA-compliant cloud offerings are coming this year. I expect to see those offerings over the next few months, which will mean that they will match Google's FISMA-compliant offerings - with a similar price. These offerings also ensure that data is stored in the USA to help us with potential legal issues.
(One side note of caution: true FISMA compliance requires much more than just secure hosting by Google or Microsoft or others. It requires end-to-end security which includes our databases, PCs as well as office environment policies, procedures and even training. I worry a bit that these "compliant answers" are somewhat over-hyped in that government officials who may not know any better will think that they are "done" with security if they just use one of these FISMA compliant services.)
For more technical details on this topic, you can also read this PC Magazine blog entitled: The Changing Cloud Platforms: Amazon, Google, Microsoft, and More
Meanwhile IBM and smaller companies like Secure-24 are focusing on private cloud offerings. The International Business Times highlighted IBM's offerings, but almost every tech company I speak with now has one or more cloud offerings.
So what can readers do to learn more? I like these six questions that Accenture recommends IT Executives ask regarding cloud computing. (Click on the recommendations and conclusions boxes when you get to this website.)
My view is that as we see even greater pressure to cut costs in 2011 and beyond, all of us will incorporate elements of these new cloud computing services into our offerings, if we don't already have them implemented. There is no doubt that government technology execs will also need to improve their contract monitoring and vendor management skills in this new online world.
What are your thoughts on these new, improved "cloud offerings" in government?
July 30, 2010 By Dan Lohrmann
"We need your help to stop online thieves."
This surprising message from many banks to their customer base is becoming more popular as online bank robbers are getting more sophisticated, patient and dangerous. Gone are the days when marketing brochures insisted that online accounts were just as safe as traditional banking with a teller. The new message seems to be: "We're in this battle together, so can you please lend a hand?"
USA Today's headline entitled: Banks seek customers' help to stop online thieves offered a fairly bleak assessment of current abilities to stop the bad guys - unless we all work together.
"Cyberattacks against individual online accounts have become so sophisticated and pervasive that the American Bankers Association (ABA) is now asking consumers to 'partner' with banks to keep cyberrobbers in check.
The banking industry wants consumers to monitor their online accounts for unauthorized transactions on a "continuous, almost daily, basis," says Doug Johnson, the ABA's vice president of risk-management policy."
The article goes on to offer a scary story to illustrate the point that this has become the new normal in online banking. With 80% of US households now participating in online banking, this issue is very serious. More than that, this call to share the security load is a 90-degree turn, in my opinion. A decade ago, banks and other financial institutions insisted that the online risks were as low (or lower) than conducting your bank transactions at branch offices - with the convenience of staying at home and not waiting in line.
So does this issue affect government? Absolutely! Here's how.
Cybersecurity experts in government have been working with our banking partners for years regarding technology and processes for securing online transactions. We attend many of the same meetings and security conferences. We work with the same vendors. The banking industry has generally been leading cybersecurity activities, and they have often offered the way forward for online government. Bottom line, we are all in the same boat as partners.
I have seen several respected colleagues go back and forth between these two communities, such as Greg Garcia who went from US Cyber Czar at the Department of Homeland Security (DHS) to a senior executive position at the Bank of America working on identity management and cybersecurity. Other banking colleagues participate on the same panels at security and technology conferences such as RSA and GovTech South Africa.
Beyond security community interaction, we all know that more government transactions go online every day - involving citizens, businesses and other governments. For efficiency and customer service reasons, e-government has been hot for a decade and continues to get hotter in tough budget times. This trend is only accelerating online as services ranging from tax preparation for businesses to camp ground reservations for families are placed on the Internet. These services offered are the vital backbone for government technology professionals, and the scope of this issue is rapidly expanding.
So should governments follow the lead of banks? I predict that this will happen over time. In order to ensure the integrity of our online government processes, we will need to work end-to-end to secure online transactions. This means that consumers and providers will need to get involved. [One side note: many governments have offered end-user training for citizens, schools, businesses and more for years - such as Michigan's cybersecurity training.]
How fast will this new trend develop? What will be the next step(s)? How far will the banks go in counting on customers to help? Will government online transactions move to two factor authentication like European banks did years ago?
I'm not sure, but I think that our colleagues at US banks will continue to show us the way - since they are in the hottest part of this cyber battle. I do think that we'll be hearing more lines like "All Aboard!" when it comes to securing online transactions. So yes, it's back to training our children and neighbors.
What are your thoughts on this topic?
July 18, 2010 By Dan Lohrmann
How much email is too much? New survey results from Harris Interactive found that 50 emails a day may be the breaking point for employees. Other key findings include:
· Small-business users are feeling the brunt. A staggering 94% of small-business employees said 50 emails is their limit.
· Gender makes no difference. Men and women are equally stressed -- 94% of men and 95% of women cited the number 50.
Despite numerous studies and reports suggesting that too much email is a bad thing, is anything really changing? Not yet.
I've known for a decade that email was a critical app. What's become even clearer to me lately is that Blackberry support for executives is now the must-have (7x24x365) "Super" app. That's right, when the messaging system is down (and yes, this includes iPhones Xs, Droids, or whatever new device is coming next), no one is comfortable in the exec suite.
Nevertheless, this is the new normal. I see no helpful trends in sight. In fact, I think our challenges are increasing with newer, faster (4-G) mobile devices. (My teenage daughter wants me to up her number of IM messages on her cell phone, so the next generation isn't slowing down.)
Some staff are feeling burned out. Almost two years ago the LA Times proclaimed that our email Inbox has become an In(sane)-box. "It happened with cigarettes. It happened with red meat. And carbs. And SUVs. And now it's happening with e-mail. The preferred communication channel of millions of Americans is no longer cool." Some companies even declared email bankruptcy - and started over with new accounts.
There's no doubt that, as a society, we've come a long way from the days when Tom Hanks and Meg Ryan captivated America in the movie You've Got Mail.
In Michigan State Government, we block over 90% of incoming email from the Internet. (We've determined that these messages are either spam or contain viruses.) And yet, I still receive an average of between 100 and 200 emails every business day. I sometimes wonder how I get anything done when I add in text messages, tweets, social networking sites like LinkedIn and Facebook, phone calls and more.
Last summer, I wrote about work-life balance and some strategies to unplug on vacation, but I must admit that it has been very difficult to disconnect over the past year. (Note to self: there must be a reason why I seem to return to this subject every year right before summer vacation.) Meanwhile, Americans continue to spend more time online at home and work. The number of night and weekend (work-related) contacts (or family interruptions) has certainly grown for me. A few months back, we had an email outage over one weekend in two government agencies which resulted in my weekend being blown up.
So what can we do now regarding messaging? There are plenty of helpful tips for managing email. One of Ross Mayfield's best points in Forbes is to move from a push technology (anyone can send you an email whether you want it or not) to a pull technology where you subscribe or access what you want.
My advice is to take a step back once or twice a year and examine your email and other online habits. Is your email inbox working? Are changes needed? For important contacts and trusted partners who contact you via email, establish a protocol or working pattern that allows you to work on the most important priorities first.
What about your inbox? How many emails do you receive daily? Any strategies to help others?
Please leave a comment below and share your thoughts on email at home and work.
July 5, 2010 By Dan Lohrmann
Earlier this week I received an email from an out of state friend and respected colleague who I haven't heard from in a while. He got straight to the point. "I just discovered that I'm only three hops away on LinkedIn from one of the suspected Russian spies. But guess what, you're even closer. You're only two hops away."
Put in other terms, my (real life) friend was telling me that I was linked (had a connection which is similar to a "friend" on Facebook) to someone who had an online connection to one of the alleged spies.
I immediately checked out my friend's facts. It was true. I had accepted an invitation last year to connect to a person who was in one of the security groups that I was also in. At the time, this individual wanted to make me aware of several "hot job openings" for senior executives in my field. That contact never went anywhere, but now I was kind of "guilty by association." I presume that many others are in the same boat, since the recruiter has thousands of LinkedIn connections.
This is not the first time something like this has happened to me. But the previous time, I was a bit more culpable. Once I gave an upbeat LinkedIn recommendation to a colleague that I knew well and liked as a person. This government staff member did good work and had a good reputation - until he committed a crime and went to jail. (It turned out that I didn't know him as well as I thought.) I quickly learned that I could undo (withdraw) my online recommendation for this person, and I did so.
As I researched "the good, the bad and the ugly of social networks" further, I found out that many HR professionals and lawyers have suggested that online recommendations are a bad idea in the first place. That is, recommendations are not recommended, for a variety of reasons. Even when there are no negative employee/boss situations that arise, some bloggers suggest that these recommendations can be seriously flawed - due to conflicts of interest. Some managers may even recommend staff so that they are more likely to leave.
So here I am on 4th of July weekend, wondering if I should stop accepting LinkedIn invitations. Should I change my social networking habits? Should I stop connecting to other professionals online? I meet many people at conferences and often try to establish a connection with them on LinkedIn within the next month. Does this still make sense?
After more research, I've also discovered that LinkedIn has even clamped down on super connected users. Most experts say that quality matters more than quantity. And yet, I have always used LinkedIn as a good substitute for keeping track of business cards which can become out of date. Using LinkedIn, I can easily keep track of friends and colleagues that I worked with in England, back in Maryland and even former State of Michigan employees who move on. This pattern has served me well, and best of all, my database of contacts updates itself with the latest contact information automatically.
What conclusion did I reach? Should I fear being "guilty by association" online? Should I encourage others to stop using these social networking tools? I've decided to march on - with a few minor modifications.
Why? If you're not guilty there is nothing to fear. I think a consistent "middle of the road" approach still makes sense. As long as we don't go overboard with these tools, they can help us to become more productive, well-informed and (yes) connected. They can even lead to new opportunities - like joining interesting online groups, speaking at conferences or writing for magazines.
Sure, we need to keep an eye on how things evolve to protect our professional online reputation and our virtual integrity. But let's not throw the baby out with the bathwater. I say keep using social networking tools like LinkedIn, when supported by company or government policies.
Meanwhile you can ask me to connect online - but I might say no or hit that archive button.
How about you? Have any stories you can share about online "friends" or "connections" gone bad?
Building effective virtual government requires new ideas, innovative thinking and hard work. From federal stimulus projects to enterprise architectures to cloud computing, Dan Lohrmann will discuss what's hot and what's not in the world of technology infrastructure.