Will Business Survive?
INTERESTING TIMES
Ben Tomhave, MS, CISSP
DISCLAIMER
The views expressed during
this talk are not representative
of any employers, whether
past, present, or future.
Society of Information Risk Analysts
SciTech Information Security Committee
HYPOTHESES
1. A traditional approach is insufficient and not commercially reasonable
2. A tech-heavy approach is not commercially reasonable
3. A legally defensible position requires changing the game
“Those who cannot remember the
past are condemned to repeat it.”
(George Santayana)
HISTORICAL PERSPECTIVE
The Good…
1969 – First packet transmitted
1979 – Online shopping (teleshopping) invented
1981 – First online home banking services (US)
… (lots of standards dev work) …
1990 – First successful HTTP communication
1994 – First pizza ordered online
1994 – Amazon founded
1996 – NIST FIPS 161-2 EDI released; HTTP v1.0
1997 – First mobile commerce (SMS Coke)
1998 – PayPal launches, Google incorporated
2007 – iPhone released
2010 – Square releases first card reader product
HISTORICAL PERSPECTIVE
The Bad…
1962 – Malware invented
…
1981 – First widespread virus (Elk Cloner)
… (lots of activity over this period) …
1996 – CERT SYN Flood advisory
1998 – Forerunners of botnets emerge
2000 – DDoS attacks take down major sites
2001 – DoCoMo mobile malware outbreak
2003 – SQL Slammer wreaks havoc
2004 – First mobile worm (Cabir, Bluetooth)
2005 – First MMS-spreading mobile worm (Commwarrior-A)
2008 – Cold Boot attack published
2012 – NFC exploits demonstrated
HISTORICAL PERSPECTIVE
The Ugly…
1980 – IDS concept emerges
1983 – Orange Book published
1988 – First paper on the firewall; X.509 issued
1989 – IBM releases Viruscan; COPS released
1991 – PGP created
1992 – ISS; first commercial disk encryption
1994 – First commercial NIDS, Netscape SSL
1995 – IPsec published (RFCs 1825, 1829)
2001 – Vontu (DLP) founded; ASLR defined
2002 – Mobile AV emerges (Symantec)
2005 – SIEM coined by Gartner
>2005 – ??? (evolution, but not innovation?)
HISTORICAL PERSPECTIVE
The Uglier…
1934 – Communications Act
1973 – HEW Fair Information Practices
1974 – Privacy Act
1980 – OECD Privacy Principles
1986 – ECPA; CFAA
1994 – CFAA (networked abuses added)
1995 – EU Data Protection Directive
1996 – Telecom Act; HIPAA
1998 – PIPEDA (Canada); DMCA; COPPA
1999 – GLBA
2000 – ESIGN Act
2001 – USA PATRIOT Act; FERC Standard Market Design (Appendix G)
2002 – Homeland Security Act; FISMA; Sarbanes-Oxley
2003 – California SB 1386; FACTA
2004 – PCI DSS v1.0
2005 – FFIEC Guidance
2006 – Budapest Convention on Cybercrime ratified by the US (opened for signature 2001)
2009 – HITECH Act; EU Cookie Directive
2010 – Dodd-Frank; MA 201 CMR 17.00
2011 – SEC “cyber risk” disclosure guidance
HISTORICAL PERSPECTIVE
The Ugliest…
As of Oct. 9, 2012…
JUST HOW BAD IS IT?
INEVITABILITY
“A long habit of not thinking a thing
wrong gives it a superficial appearance
of being right.” (Thomas Paine)
OUR APPROACH IS FLAWED
OUR APPROACH IS FLAWED
What’s of value? What control can we exert? Where’s the accountability?
http://www.flickr.com/photos/digitalcurrency/2438118655/sizes/m/in/photostream/
http://www.flickr.com/photos/global-jet/2124785243/sizes/m/in/photostream/
http://www.flickr.com/photos/ensh/6204837462/sizes/m/in/photostream/
HOW DID WE GET HERE?
“Never complain of that of which it is
at all times in your power to rid
yourself.” (Adam Smith)
A LITTLE BIT OF EVOLUTION
Undefined Emerging Organized Optimized Managed
RISK MANAGEMENT FAILURES
Today… Business Survival Assets
BLIND LEADING THE BLIND?
http://www.flickr.com/photos/cmogle/2907198746/sizes/m/in/photostream/
http://www.flickr.com/photos/nakrnsm/3898384586/sizes/m/in/photostream/
CSA Guide 3.0. “NIST Visual Model of Cloud Computing Definition”
http://www.flickr.com/photos/25692668@N06/3428784441/sizes/m/in/photostream/
It takes a generation… Big data… Rapidly changing environment
WHAT NOW?
“We have it in our power to begin the
world over again.” (Thomas Paine)
WHAT NOW?
Objective 1: Jump to the next curve – a mature GRC program
Objective 2: Jump to the next curve – better “security” awareness
Objective 3: Establish a culture of accountability
3 STEPS FORWARD
“Common sense is seeing things as they
are; and doing things as they ought to
be.” (Harriet Beecher Stowe)
1. GRC PROGRAM BUILD-OUT
Undefined Emerging Organized Optimized Managed
1. Elevate it
2. True, legally defensible enterprise risk management
3. Return security operations to IT, governing accordingly
2. AGGRESSIVE AWARENESS
For Business Leaders
For Legal
For Everyone
http://cache.marriott.com/propertyimages/l/laxcv/phototour/laxcv_phototour20.jpg?Log=1
http://www.flickr.com/photos/crobj/4312159033/sizes/m/in/photostream/
http://www.flickr.com/photos/jurvetson/2487910168/sizes/m/in/photostream/
3. ACCOUNTABILITY FOR ALL
Monitor Detect Correct
http://www.flickr.com/photos/highwaysagency/6281302040/sizes/m/in/photostream/
http://www.flickr.com/photos/reneeviehmann/4320360120/sizes/m/in/photostream/
http://www.flickr.com/photos/cefeida/4714238826/sizes/m/in/photostream/
http://www.flickr.com/photos/oregondot/3853990076/sizes/m/in/photostream/
DEVOPS, RM, AND THE 3 WAYS
Context
Assessment
Treatment
Monitor & Review
Communication
Images: http://itrevolution.com/
THE THREE WAYS
The First Way: Systems Thinking – Holistic, No Silos, Understand Value Streams
The Second Way: Amplifying Feedback Loops – Communication, Rapid Response, Embed Knowledge
The Third Way: Culture of Continual Experimentation & Learning – Innovate, Fail Fast / Learn Fast, “Freedom & Responsibility”
Image: http://itrevolution.com/the-three-ways-principles-underpinning-devops/
IN SUMMARY
“The mind once enlightened cannot
again become dark.” (Thomas Paine)
IN SUMMARY
The status quo is undermining business survivability.
It’s (past) time to jump the curve – we cannot wait any longer.
3 Steps Forward:
1. “GRC” Program Build-Out
2. Aggressive Awareness
3. Accountability
http://www.flickr.com/photos/extranoise/350901033/sizes/z/in/photostream/
Ben Tomhave
@falconsview
www.secureconsulting.net

More Related Content

Viewers also liked

Elevator pitch for Next09 - twidox
Elevator pitch for Next09 - twidoxElevator pitch for Next09 - twidox
Elevator pitch for Next09 - twidoxtwidox
 
Learning And Teaching Portfolios
Learning And Teaching PortfoliosLearning And Teaching Portfolios
Learning And Teaching PortfoliosGerlinde Buchberger
 
Leven In Media 2010
Leven In Media 2010Leven In Media 2010
Leven In Media 2010Mark Deuze
 
Drupal 7 and RDF
Drupal 7 and RDFDrupal 7 and RDF
Drupal 7 and RDFscorlosquet
 
02 problem solving_02
02 problem solving_0202 problem solving_02
02 problem solving_02Nika Stuard
 
seo-150 edu site
seo-150 edu siteseo-150 edu site
seo-150 edu sitesami dib
 
Introductory Talk at COSTAATT
Introductory Talk at COSTAATTIntroductory Talk at COSTAATT
Introductory Talk at COSTAATTJeff Sonstein
 
Dukengineer2012
Dukengineer2012Dukengineer2012
Dukengineer2012鋒博 蔡
 
Blogtaller
BlogtallerBlogtaller
Blogtallerlucenac
 
Sample_Energy_Survey_Report
Sample_Energy_Survey_ReportSample_Energy_Survey_Report
Sample_Energy_Survey_ReportBrian T. Gaudet
 
Culminating Project
Culminating ProjectCulminating Project
Culminating Projectboylesea
 
7 Things You Should Know About Flipped Classrooms - Educause
7 Things You Should Know About Flipped Classrooms - Educause7 Things You Should Know About Flipped Classrooms - Educause
7 Things You Should Know About Flipped Classrooms - EducauseLuciano Sathler
 
Probleemoplossen & Ontwerpen
, ICT-werktuigen: 

Les 1
Probleemoplossen & Ontwerpen
, ICT-werktuigen: 

Les 1Probleemoplossen & Ontwerpen
, ICT-werktuigen: 

Les 1
Probleemoplossen & Ontwerpen
, ICT-werktuigen: 

Les 1Erik Duval
 
Kiran Mirchandani Cv oct 2012 lifetime
Kiran Mirchandani Cv oct 2012 lifetimeKiran Mirchandani Cv oct 2012 lifetime
Kiran Mirchandani Cv oct 2012 lifetimeArif Anwar
 
Citizen science project list (Europe & worldwide) v1
Citizen science project list (Europe & worldwide) v1Citizen science project list (Europe & worldwide) v1
Citizen science project list (Europe & worldwide) v1Egle Marija Ramanauskaite
 
Nature of bank_deposits_in_canada
Nature of bank_deposits_in_canadaNature of bank_deposits_in_canada
Nature of bank_deposits_in_canadak_khetarpal
 

Viewers also liked (20)

Elevator pitch for Next09 - twidox
Elevator pitch for Next09 - twidoxElevator pitch for Next09 - twidox
Elevator pitch for Next09 - twidox
 
Learning And Teaching Portfolios
Learning And Teaching PortfoliosLearning And Teaching Portfolios
Learning And Teaching Portfolios
 
Leven In Media 2010
Leven In Media 2010Leven In Media 2010
Leven In Media 2010
 
Drupal 7 and RDF
Drupal 7 and RDFDrupal 7 and RDF
Drupal 7 and RDF
 
02 problem solving_02
02 problem solving_0202 problem solving_02
02 problem solving_02
 
Police.power
Police.powerPolice.power
Police.power
 
Wikiworld for TETC
Wikiworld for TETCWikiworld for TETC
Wikiworld for TETC
 
seo-150 edu site
seo-150 edu siteseo-150 edu site
seo-150 edu site
 
Introductory Talk at COSTAATT
Introductory Talk at COSTAATTIntroductory Talk at COSTAATT
Introductory Talk at COSTAATT
 
Anti communism propaganda
Anti communism propagandaAnti communism propaganda
Anti communism propaganda
 
Privacy And Copyrights
Privacy And CopyrightsPrivacy And Copyrights
Privacy And Copyrights
 
Dukengineer2012
Dukengineer2012Dukengineer2012
Dukengineer2012
 
Blogtaller
BlogtallerBlogtaller
Blogtaller
 
Sample_Energy_Survey_Report
Sample_Energy_Survey_ReportSample_Energy_Survey_Report
Sample_Energy_Survey_Report
 
Culminating Project
Culminating ProjectCulminating Project
Culminating Project
 
7 Things You Should Know About Flipped Classrooms - Educause
7 Things You Should Know About Flipped Classrooms - Educause7 Things You Should Know About Flipped Classrooms - Educause
7 Things You Should Know About Flipped Classrooms - Educause
 
Probleemoplossen & Ontwerpen
, ICT-werktuigen: 

Les 1
Probleemoplossen & Ontwerpen
, ICT-werktuigen: 

Les 1Probleemoplossen & Ontwerpen
, ICT-werktuigen: 

Les 1
Probleemoplossen & Ontwerpen
, ICT-werktuigen: 

Les 1
 
Kiran Mirchandani Cv oct 2012 lifetime
Kiran Mirchandani Cv oct 2012 lifetimeKiran Mirchandani Cv oct 2012 lifetime
Kiran Mirchandani Cv oct 2012 lifetime
 
Citizen science project list (Europe & worldwide) v1
Citizen science project list (Europe & worldwide) v1Citizen science project list (Europe & worldwide) v1
Citizen science project list (Europe & worldwide) v1
 
Nature of bank_deposits_in_canada
Nature of bank_deposits_in_canadaNature of bank_deposits_in_canada
Nature of bank_deposits_in_canada
 

Similar to Interesting Times: Will Business Survive?

Updated! -- #AIIM16 keynote -- Why the H**** Should You Care About Informatio...
Updated! -- #AIIM16 keynote -- Why the H**** Should You Care About Informatio...Updated! -- #AIIM16 keynote -- Why the H**** Should You Care About Informatio...
Updated! -- #AIIM16 keynote -- Why the H**** Should You Care About Informatio...John Mancini
 
Privacy and Ubiquitous Computing
Privacy and Ubiquitous ComputingPrivacy and Ubiquitous Computing
Privacy and Ubiquitous Computingmikeart
 
TDWI Keynote: Outside In - The Future of Business Intelligence innovation
TDWI Keynote: Outside In - The Future of Business Intelligence innovationTDWI Keynote: Outside In - The Future of Business Intelligence innovation
TDWI Keynote: Outside In - The Future of Business Intelligence innovationmark madsen
 
Data and Ethics: Why Data Science Needs One
Data and Ethics: Why Data Science Needs OneData and Ethics: Why Data Science Needs One
Data and Ethics: Why Data Science Needs OneTim Rich
 
Regulatory Theory in Social Media Society
Regulatory Theory in Social Media SocietyRegulatory Theory in Social Media Society
Regulatory Theory in Social Media SocietyMathias Klang
 
Raoul chiesa - Auditing the hacker mind - da wargames a underground economy
Raoul chiesa - Auditing the hacker mind - da wargames a underground economyRaoul chiesa - Auditing the hacker mind - da wargames a underground economy
Raoul chiesa - Auditing the hacker mind - da wargames a underground economyCRS4 Research Center in Sardinia
 
Faraday Cages, Marbled Palaces and Humpty Dumpty: the Reality of Internet Gov...
Faraday Cages, Marbled Palaces and Humpty Dumpty: the Reality of Internet Gov...Faraday Cages, Marbled Palaces and Humpty Dumpty: the Reality of Internet Gov...
Faraday Cages, Marbled Palaces and Humpty Dumpty: the Reality of Internet Gov...blogzilla
 
[AIIM16] Leaning into the Future: What the h*** is an information professiona...
[AIIM16] Leaning into the Future: What the h*** is an information professiona...[AIIM16] Leaning into the Future: What the h*** is an information professiona...
[AIIM16] Leaning into the Future: What the h*** is an information professiona...AIIM International
 
New challenges to secure the IoT (with notes)
New challenges to secure the IoT (with notes)New challenges to secure the IoT (with notes)
New challenges to secure the IoT (with notes)Caston Thomas
 
Introducing the Internet of Things: lecture @IULM University
Introducing the Internet of Things: lecture @IULM UniversityIntroducing the Internet of Things: lecture @IULM University
Introducing the Internet of Things: lecture @IULM UniversityLeandro Agro'
 
Connected Reality 2025 – Intro/Talk @ IoTPeople Berlin – IoT/IoE
Connected Reality 2025 – Intro/Talk @ IoTPeople Berlin – IoT/IoEConnected Reality 2025 – Intro/Talk @ IoTPeople Berlin – IoT/IoE
Connected Reality 2025 – Intro/Talk @ IoTPeople Berlin – IoT/IoEWilli Schroll
 
The Global Implications of Intellectual Property (IP) Theft
The Global Implications of Intellectual Property (IP) TheftThe Global Implications of Intellectual Property (IP) Theft
The Global Implications of Intellectual Property (IP) TheftDamian Niolet
 
Tech Boom - Beginning or End War Room Slides
Tech Boom - Beginning or End War Room SlidesTech Boom - Beginning or End War Room Slides
Tech Boom - Beginning or End War Room Slideshiddenlevers
 

Similar to Interesting Times: Will Business Survive? (20)

Updated! -- #AIIM16 keynote -- Why the H**** Should You Care About Informatio...
Updated! -- #AIIM16 keynote -- Why the H**** Should You Care About Informatio...Updated! -- #AIIM16 keynote -- Why the H**** Should You Care About Informatio...
Updated! -- #AIIM16 keynote -- Why the H**** Should You Care About Informatio...
 
Privacy and Ubiquitous Computing
Privacy and Ubiquitous ComputingPrivacy and Ubiquitous Computing
Privacy and Ubiquitous Computing
 
Ethical hacking
Ethical hackingEthical hacking
Ethical hacking
 
So what if it's a bubble?
So what if it's a bubble?So what if it's a bubble?
So what if it's a bubble?
 
TDWI Keynote: Outside In - The Future of Business Intelligence innovation
TDWI Keynote: Outside In - The Future of Business Intelligence innovationTDWI Keynote: Outside In - The Future of Business Intelligence innovation
TDWI Keynote: Outside In - The Future of Business Intelligence innovation
 
Data and Ethics: Why Data Science Needs One
Data and Ethics: Why Data Science Needs OneData and Ethics: Why Data Science Needs One
Data and Ethics: Why Data Science Needs One
 
Regulatory Theory in Social Media Society
Regulatory Theory in Social Media SocietyRegulatory Theory in Social Media Society
Regulatory Theory in Social Media Society
 
Stanford Ee380
Stanford Ee380Stanford Ee380
Stanford Ee380
 
Raoul chiesa - Auditing the hacker mind - da wargames a underground economy
Raoul chiesa - Auditing the hacker mind - da wargames a underground economyRaoul chiesa - Auditing the hacker mind - da wargames a underground economy
Raoul chiesa - Auditing the hacker mind - da wargames a underground economy
 
Faraday Cages, Marbled Palaces and Humpty Dumpty: the Reality of Internet Gov...
Faraday Cages, Marbled Palaces and Humpty Dumpty: the Reality of Internet Gov...Faraday Cages, Marbled Palaces and Humpty Dumpty: the Reality of Internet Gov...
Faraday Cages, Marbled Palaces and Humpty Dumpty: the Reality of Internet Gov...
 
[AIIM16] Leaning into the Future: What the h*** is an information professiona...
[AIIM16] Leaning into the Future: What the h*** is an information professiona...[AIIM16] Leaning into the Future: What the h*** is an information professiona...
[AIIM16] Leaning into the Future: What the h*** is an information professiona...
 
New challenges to secure the IoT (with notes)
New challenges to secure the IoT (with notes)New challenges to secure the IoT (with notes)
New challenges to secure the IoT (with notes)
 
Cio Exchange08
Cio Exchange08Cio Exchange08
Cio Exchange08
 
Sovereignty in Cyberspace
Sovereignty in CyberspaceSovereignty in Cyberspace
Sovereignty in Cyberspace
 
Introducing the Internet of Things: lecture @IULM University
Introducing the Internet of Things: lecture @IULM UniversityIntroducing the Internet of Things: lecture @IULM University
Introducing the Internet of Things: lecture @IULM University
 
Mobile August 2011
Mobile   August 2011Mobile   August 2011
Mobile August 2011
 
Connected Reality 2025 – Intro/Talk @ IoTPeople Berlin – IoT/IoE
Connected Reality 2025 – Intro/Talk @ IoTPeople Berlin – IoT/IoEConnected Reality 2025 – Intro/Talk @ IoTPeople Berlin – IoT/IoE
Connected Reality 2025 – Intro/Talk @ IoTPeople Berlin – IoT/IoE
 
The Global Implications of Intellectual Property (IP) Theft
The Global Implications of Intellectual Property (IP) TheftThe Global Implications of Intellectual Property (IP) Theft
The Global Implications of Intellectual Property (IP) Theft
 
Tech Boom - Beginning or End War Room Slides
Tech Boom - Beginning or End War Room SlidesTech Boom - Beginning or End War Room Slides
Tech Boom - Beginning or End War Room Slides
 
05 the blockchain technology 2019 summer
05 the blockchain technology 2019 summer05 the blockchain technology 2019 summer
05 the blockchain technology 2019 summer
 

Recently uploaded

Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilV3cube
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 

Recently uploaded (20)

Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 

Interesting Times: Will Business Survive?

  • 1. Will Business Survive? INTERESTING TIMES Ben Tomhave, MS, CISSP
  • 2. DISCLAIMER The views expressed during this talk are not representative of any employers, whether past, present, or future.
  • 3. Society of Information Risk Analysts SciTech Information Security Committee
  • 4. HYPOTHESES 1. A traditional approach is insufficient and not commercially reasonable 2. A tech-heavy approach is not commercially reasonable 3. A legally defensible position requires changing the game
  • 5. “Those who cannot remember the past are condemned to repeat it.” (George Santayana) HISTORICAL PERSPECTIVE
  • 6. 1969 – First packet transmitted 1979 – Online transaction processing invented 1981 – First online home banking services (US) … (lots of standards dev work) … 1990 – First Successful HTTP communication 1994 – First pizza ordered online 1994 – Amazon founded 1996 – NIST FIPS 161-2 EDI released; HTTP v1.0 1997 – First mobile commerce (SMS Coke) 1998 – PayPal launches, Google incorporated 2007 – iPhone released 2010 – Square releases first card reader product HISTORICAL PERSPECTIVE The Good…
  • 7. HISTORICAL PERSPECTIVE 1962 – Malware invented … 1981 – First widespread virus (Elk Cloner) … (lots of activity over this period) … 1996 – CERT SYN Flood advisory 1998 – Forerunners of botnets emerge 2000 – DDoS attacks take down major sites 2001 – DoCoMo mobile malware outbreak 2003 – SQL Slammer wreaks havoc 2005 – First mobile worm (Commwarrior-A) 2008 – Cold Boot attack published 2012 – NFC exploits demonstrated The Bad…
  • 8. HISTORICAL PERSPECTIVE 1980 – IDS concept emerges 1983 – Orange Book published 1988 – First paper on the firewall; X.509 issued 1989 – IBM releases Viruscan; COPS released 1991 – PGP created 1992 – ISS; first commercial disk encryption 1994 – First commercial NIDS, Netscape SSL 1995 – IPsec published (RFCs 1825, 1829) 2001 – Vontu (DLP) founded; ASLR defined 2002 – Mobile AV emerges (Symantec) 2005 – SIEM coined by Gartner >2005 – ??? (evolution, but not innovation?) The Ugly…
  • 9. HISTORICAL PERSPECTIVE The Uglier… 1934 – Communications Act 1973 - HEW Fair Information Practices 1974 – Privacy Act 1980 – OECD Privacy Principles 1986 – ECPA; CFAA 1994 – CFAA (networked abuses added) 1995 – EU Data Protection Directive 1996 – Telecom Act; HIPAA 1998 – PIPEDA (Canada); DMCA; COPPA 1999 – GLBA 2000 – ESIGN Act 2001 – USA PATRIOT Act; FERC Standard Market Design (Appendix G) 2002 – Homeland Security Act; FISMA; Sarbanes-Oxley 2003 – California SB 1386; FACTA 2004 – PCI DSS v1.0 2005 – FFIEC Guidance 2006 – Budapest Convention on Cybercrime 2009 – HITECH Act; EU Cookie Directive 2010 – Dodd-Frank; MA 201 CMR 17.00 2011 – SEC “cyber risk” disclosure guidance
  • 11. JUST HOW BAD IS IT?
  • 13. “A long habit of not thinking a thing wrong gives it a superficial appearance of being right.” (Thomas Paine) OUR APPROACH IS FLAWED
  • 14. OUR APPROACH IS FLAWED What’s of value? What control can we exert? Where’s the accountability? http://www.flickr.com/photos/digitalcurrency/2438118655/sizes/m/in/photostream/ http://www.flickr.com/photos/global-jet/2124785243/sizes/m/in/photostream/ http://www.flickr.com/photos/ensh/6204837462/sizes/m/in/photostream/
  • 15. HOW DID WE GET HERE? “Never complain of that of which it is at all times in your power to rid yourself.” (Adam Smith)
  • 16. A LITTLE BIT OF EVOLUTION Undefined Emerging Organized Optimized Managed
  • 17. RISK MANAGEMENT FAILURES Today… Business Survival Assets
  • 18. BLIND LEADING THE BLIND? http://www.flickr.com/photos/cmogle/2907198746/sizes/m/in/photostream/ http://www.flickr.com/photos/nakrnsm/3898384586/sizes/m/in/photostream/ CSA Guide 3.0. “NIST Visual Model of Cloud Computing Definition” http://www.flickr.com/photos/25692668@N06/3428784441/sizes/m/in/photostream/ It takes a generation… Big data… Rapidly changing environment
  • 19. WHAT NOW? “We have it in our power to begin the world over again.” (Thomas Paine)
  • 20. WHAT NOW? Objective 1: Jump to the next curve – a mature GRC program Objective 2: Jump to the next curve – better “security” awareness Objective 3: Establish a culture of accountability
  • 21. 3 STEPS FORWARD “Common sense is seeing things as they are; and doing things as they ought to be.” (Harriet Beecher Stowe)
  • 22. 1. GRC PROGRAM BUILD-OUT Undefined Emerging Organized Optimized Managed 1. Elevate it 2. True, legally defensible enterprise risk management 3. Return security operations to IT, governing accordingly
  • 23. 2. AGGRESSIVE AWARENESS
     For Business Leaders / For Legal / For Everyone
     Images: http://cache.marriott.com/propertyimages/l/laxcv/phototour/laxcv_phototour20.jpg?Log=1 http://www.flickr.com/photos/crobj/4312159033/sizes/m/in/photostream/ http://www.flickr.com/photos/jurvetson/2487910168/sizes/m/in/photostream/
  • 24. 3. ACCOUNTABILITY FOR ALL
     Monitor / Detect / Correct
     Images: http://www.flickr.com/photos/highwaysagency/6281302040/sizes/m/in/photostream/ http://www.flickr.com/photos/reneeviehmann/4320360120/sizes/m/in/photostream/ http://www.flickr.com/photos/cefeida/4714238826/sizes/m/in/photostream/ http://www.flickr.com/photos/oregondot/3853990076/sizes/m/in/photostream/
  • 25. DEVOPS, RM, AND THE 3 WAYS
     Context; Assessment; Treatment; Monitor & Review; Communication
     Images: http://itrevolution.com/
  • 26. THE THREE WAYS
     The First Way: Systems Thinking (Holistic, No Silos, Understand Value Streams)
     The Second Way: Amplifying Feedback Loops (Communication, Rapid Response, Embed Knowledge)
     The Third Way: Culture of Continual Experimentation & Learning (Innovate, Fail Fast / Learn Fast, “Freedom & Responsibility”)
     Image: http://itrevolution.com/the-three-ways-principles-underpinning-devops/
  • 27. IN SUMMARY “The mind once enlightened cannot again become dark.” (Thomas Paine)
  • 28. IN SUMMARY The status quo is undermining business survivability. It’s (past) time to jump the curve – we cannot wait any longer. 3 Steps Forward: 1. “GRC” Program Build-Out 2. Aggressive Awareness 3. Accountability http://www.flickr.com/photos/extranoise/350901033/sizes/z/in/photostream/

Editor's Notes

  1. IANAL!
  2. Disclaimer: It will seem at times like I’m wandering off track, but I assure you that everything ties back together in the end! 
  3. Framing the discussion is important… we’ll come back and add some narrative around this in a little bit…http://en.wikiquote.org/wiki/George_Santayana
  4. On EDI, note that UNCITRAL did considerable work in the late 80s that led to NIST 161-2, which itself was preceded by 161-1 (1995)… and EFT preceded this in the early ‘80s…
     About Square… note that they’re now advertising on TV and give the swipe device away for free!
     http://speckycdn.sdm.netdna-cdn.com/wp-content/uploads/2011/11/shopping_infograhic_large2.jpg << (this graphic incorrectly states eBay and Dell founding years)
  5. http://speckycdn.sdm.netdna-cdn.com/wp-content/uploads/2011/11/shopping_infograhic_large2.jpg
     http://www.baselinemag.com/c/a/Security/A-Brief-History-of-Malware-291930/
     http://en.wikipedia.org/wiki/Mobile_virus
  6. In fairness… there have been some evolutionary advances… sandboxing, micro-virtualization and virtual machines, improved ASLR, improved PRNG (Futura), intrusion deception, endpoint protection, signature-less next gen AV, UTMs, etc.
     http://csrc.nist.gov/publications/history/ande80.pdf – James P. Anderson, “Computer Security Threat Monitoring and Surveillance”
     http://www.baselinemag.com/c/a/Security/A-Brief-History-of-Malware-291930/
     http://www.symantec.com/connect/articles/evolution-intrusion-detection-systems
     http://en.wikipedia.org/wiki/Comparison_of_disk_encryption_software
     http://www.securelist.com/en/analysis?pubid=170773606
     http://en.wikipedia.org/wiki/Address_space_layout_randomization
  7. IRB – 3rd chapter of report is on eDiscovery and Commercially Reasonable Security
     Also mention EU “Safeguarding Privacy in a Connected World ­ A European Data Protection Framework for the 21st Century” and U.S. Cybersecurity Act of 2012
     Wikipedia (e.g., http://en.wikipedia.org/wiki/Cyber-security_regulation)
     On recent COPPA enforcement: http://www.infolawgroup.com/2012/10/articles/childrens-privacy/bieber-fever-gets-a-dose-of-the-ftc-operator-of-bieber-fan-site-among-others-agrees-to-one-million-dollar-settlement-for-coppa-violations/
     http://cwec.ucdavis.edu/rpsintegration/library/FERC%20RM01-12-000-SMD.pdf
     SEC CF Disclosure Guidance on cyber risk – http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm
  8. Let’s not forget the impact of ESPIONAGE and SUPPLY CHAIN RISK as highlighted by the recent House Intel Committee report on Huawei!
     http://datalossdb.org/statistics
     http://www.privacyrights.org/data-breach
  9. US Report: “In this year’s study, the average per capita cost of data breach has declined from $214 to $194.”
     On 10/9/12 per PrivacyRights.org: 19,353,797 records have been reported compromised.
     That amounts to an estimated $3,754,636,618
  10. Data exfiltration – particularly via mobile devices and cloud services – is not only inevitable, it’s already happening.
      http://images.allmoviephoto.com/2003_The_Matrix_Revolutions/M3_Hugo_Weaving_008.jpg
  11. A transitional period in time
      Accelerated expansion of risk environment, threat vectors
      Rapidly decreasing ability to directly manage risk factors
  12. Today: lots of focus on vulns and threats, but to what end?
      Business Survival: How does your business function?
      Assets: The people, processes, and technologies that support business functions
  13. It takes a generation (evolution is a slow process)
      Big data (lots of silos, but how do we aggregate, let alone monitor/detect/correct?)
      Rapidly changing environment
  14. “jump the curve” comes from Guy Kawasaki’s “The Art of Innovation”
      http://blog.guykawasaki.com/2006/01/the_art_of_inno.html#axzz29Z6XHLpz
  15. GRC program build-out
      Elevate it (peers with CFO, GC, COO, etc.)
      True enterprise risk management (understand business functions, understand assets picture, manage to business tolerances, legally defensible)
      Returns sec ops to IT, governing accordingly
  16. Aggressively train and educate *all* personnel (including execs and legal)
      Training for business leaders (RM, contract concerns, etc.)
      Training for legal (understanding tech concerns)
      Training for everyone (basic security, spearphishing, RM processes, etc.)
  17. Hold *all* personnel accountable
  18. Practical Application - DevOps, RM, & The 3 Ways * The First Way: Systems Thinking * The Second Way: Amplify Feedback Loops * The Third Way: Culture of Continual Experimentation and Learning
  19. The Three Ways
      - The First Way: Systems Thinking – The performance of the entire system is paramount. Silos must be eliminated in favor of managing the business as a whole, including looking at all business value streams and how they are enabled (or, conversely, hindered) by ICT. Defects cannot be allowed to flow downstream, and optimization must be considered globally instead of locally, in order to achieve a Deming-esque understanding of the system.
      - The Second Way: Amplify Feedback Loops – Communication is vitally important, with a premium placed on ensuring that feedback is provided and incorporated quickly and at all levels. An interesting benefit of the second way is to also embed knowledge, which helps improve overall performance and quality while diminishing bottlenecks (as anticipated by the “theory of constraints”).
      - The Third Way: Culture of Continual Experimentation and Learning – One of the largest challenges facing enterprises today is the notion of “technology debt.” How many ICT projects have languished, deprioritized by competing new work, only to crop up as a legacy failure point that introduces defects, continuously undermines performance, and, ultimately, business value? At the same time, experimentation and growth are of equal importance. As an example, consider the core values of Netflix corporate culture, which thrives on the “Freedom & Responsibility” mantra, and which encourages experimentation provided that problems are fixed quickly. Put another way, failing fast means learning fast, which not only enables creativity and innovation, but also results in more resilient code and operations.