The C Suite approach to Cyber Survivability

Can we keep the bad guys out of our networks? “No,” says the former Senior Policy & Strategy Advisor for the US Department of Defense, Mr. Anthony Bargar.

Instead we must shift our strategies to Cyber ‘Resilience’ and Cyber ‘Survivability’, to ensure that our most essential business functions can continue in a trusted way despite operating in a hostile information and communications technologies (ICT) battle zone some call “the internet”.

Anthony Bargar has spent the better part of his career in Washington DC, in the US Intelligence Community and the Department of Defense, where he started out as a white-hat hacker, hacking into military intelligence command and control (C2) systems to demonstrate weaknesses and design more secure architectures. He has since worked on sensitive counter-espionage cases, gathering digital evidence to identify and prosecute spies. He quickly moved up the ladder, eventually landing at the US Office of the Secretary of Defense (OSD), where he supported the Department’s Chief Information Officer (CIO), and was assigned to the National Security Council, where he helped the White House re-write the US Cyber Strategy. Mr. Bargar left government service in 2010 and went to Wall Street, where he was the chief consultant to the NASDAQ OMX and helped safeguard the high-speed trading networks from nation-state-level hackers; he and his team were instrumental in assessing and enhancing NASDAQ’s security program.

Asked about keeping the bad guys out, Anthony said, “We can’t afford to protect everything, our networks are getting more complex and the adversary has to spend very little in developing an attack, while the cost of defense can be a factor of 10 if not more”. He went on to tell us, “The industry has led us to acquire ‘blinky box’ syndrome, that is throwing too much technology at the problem – organizations need to look within and first think more strategically about what is important to keep the mission running, and about where their information is at all times”. Adversaries are now shifting their tactics to attack trust and take our data hostage, as evident in the global ransomware attacks. This is an escalation, and the more dependent we become as digital societies, the more this will give rise to increased attacks on our data networks and on the information that we depend on for our daily lives. The stakes will just get higher and higher as time goes on.

Mr. Bargar leads a consulting group comprised of similarly experienced experts working with the private sector and governments worldwide on resilient architectures, effective strategies, and leap-ahead technologies to reduce risk and create business opportunity. Anthony is currently focused on SE Asia, enhancing cyber maturity to counter next-generation adversaries. He launched CSCG’s SE Asia HQ in Singapore and has recently inked a collaboration with CIO Connect Pte Ltd to educate Boards of Directors, CIOs, other C-level executives and senior leaders on Cyber Security, the ever-increasing risks and how they can be thwarted.

CIO Connect is a boutique advisory firm that brings pragmatic tangible advice from tenured advisors with extensive experience of working in IT and the business. We provide advice to technology and business leaders on the opportunities and challenges that digital technology developments create.

“Effective Cyber Security Leadership starts, of course, with a well-informed board of directors and their management team, who can quickly understand the risks, consequences, and cascade effects of a cyber threat and the decisions they make,” said Anthony Bargar.

“We have been searching for the right senior level cyber security expert who can discuss Cyber strategies with C suite members and the technical implications for IT people. There are many people positioning themselves as experts who aren’t,” said Barb Dossetter.

Working with CIO Connect, the Cyber Security Consulting Group will offer a series of Master Classes on the following subjects:

  • Data Breaches and Cyber Resilience – Strategies, tactics and countermeasures to today’s ransomware and other sophisticated cyber threats.

  • Controlling Cyber Risks from 3rd Parties and Outsourcing ICT Operations – Recognizing risks to your organization resulting from the growing trends of cloud computing, outsourcing ICT operations, and increasing dependence on 3rd parties.

  • Executive Management of Cyber Security – Build a plan to manage board communications, ask the right questions as leaders, evaluate the effectiveness of your programs (Cyber Maturity Analysis), and implement a governance program that is flexible and adaptable to the cyber threats tailored to your organization.

If you would like to talk to us to understand more, please contact Emma Burrows at emma.burrows@cio-connect.com, or you can find out more by visiting our website at www.cio-connect.sg

CIO Connect Masterclass - Building the Brand

As IT, you deliver every day - day in and day out. However, it seems that the only time your business colleagues take an interest is when something goes wrong. This is a common ‘brand issue’ with most IT departments. The effect on the organisation as a whole is that it has not leveraged the investment in technology. While that might have been ok 20 years ago, now this means that the organisation is not leveraging the huge investment (between 1 and 6% of revenue) in technology. By taking control of your brand, you can reposition IT in the corporate mind.

This can start with a masterclass as a catalyst for change. As a result, clients have repositioned themselves as partners to their business colleagues with measurable improvements to the bottom line.

On this masterclass we cover:

  • The Power of the brand
  • Managing stakeholders
  • Communicating for success

Email me at emma.burrows@cio-connect.com to find out more.

CIO Connect Expert View - When Things Go Wrong

Options for a CIO in Resolving Contractual Problems

The Challenge

Organizations increasingly rely on a complex and fast moving network of third parties including ‘as a service’ or cloud providers to implement and support critical IT services. And so they should - out-tasking removes many technological risks from businesses not best equipped to deal with them. CIOs are also rightly encouraged to embrace disruption and ‘start-up’ vendors to maximize opportunities from innovative ways of working.

At the same time we must recognize that these positive trends introduce a significant level of commercial risk that cannot be left unmanaged. In a dynamic multi-sourced network there is a greatly increased risk of vendors failing to deliver the required level of integrated services. The three most common areas that give rise to problems are vendors:

  • Not adopting collaborative behaviours when working with competitors to deliver an integrated service
  • Being resistant to proposing innovation and change to the benefit of the client
  • Not adopting constructive approaches to resolving disputes which can arise even in the best managed relationships

The increasingly volatile nature of the vendor market and the lower capital strength of new vendors in the market also present increased risks to service continuity from failure to stay in business or from being absorbed into stronger – potentially less attractive - competitors.

There is much good advice, especially from CIO Connect, around how to manage vendors to mitigate these risks. I do not intend to repeat that in this article, but rather to explore what options exist for a CIO and team when prevention has not worked.

Managing the Conflict

Technology failures and human errors cannot be avoided completely even in Tier 1 providers. In a complex outsourced service model these invariably lead to disputes over who is responsible and who should pay. The contract may appear to be clear on this but very often day to day service delivery depends on important intangibles not covered by the legal allocation of responsibilities and liabilities. From my own experience as a CIO I am clear that naïvely hoping that disputes don’t happen doesn’t work. We need to accept that a constructive approach to managing conflict is essential to maximizing value from key and long term vendor relationships.

My current role as an arbitrator has taught me that positive dispute management should be based on very clear processes for escalation of a problem within the party organizations. In many cases the problem will be resolved eventually by an agreement between individuals and it is essential that good communication lines are kept open throughout the dispute.


However it is naive to assume that parties to a dispute will be able to take an entirely objective view of the problem unaffected by their own corporate pressures and interests. Inter-party negotiations should be supported by early recourse to a professional third party able to provide an independent view before parties become too entrenched. It is important to ensure during contract negotiations that such recourse is incorporated in a valid arbitration clause.

There are two main approaches to independent involvement in a dispute. In the first category the parties to a dispute may commission an independent analysis of the causes of a dispute and a report containing an objective assessment of the dispute and a proposed framework for resolving the dispute. This is known as early neutral evaluation or ENE, and is often the forerunner to the appointment of an independent mediator between the parties who will endeavour to facilitate an agreed settlement between the parties.

However if an agreed settlement is not possible through ENE or mediation, the parties may agree to the appointment of an independent arbitrator. An arbitrator will conduct a formal resolution process and the parties must agree in advance to accept the outcome of the resolution. Arbitrations for contracts concluded under English Law will be conducted within the Arbitration Act 1996 but other jurisdictions have similar legislation and sets of arbitral rules governing the conduct of the dispute.

Why Arbitration?

An arbitration is not a court case and need not involve legal representation. However it still provides an effective resolution as it is a legally binding process, rules of evidence apply and an arbitrator’s awards are usually legally enforceable.

Managed correctly, arbitration should always be more cost effective than litigation. With the agreement of the parties it is possible for the arbitrator to fix in advance how much the case will cost and how long it will take.

In addition the parties are able to select an arbitrator who is qualified to understand the professional and technical context of their dispute. In many cases the arbitrator can deal with the case without a hearing but even if one is required the arbitrator will seek to minimise the adversarial nature of a court case and concentrate on establishing the merits of each case using the facts rather than points of law.

The arbitrator is also legally bound to conduct the resolution with strict impartiality and also ensure confidentiality unlike a court case which of course is in the public domain.

In short taking a dispute to arbitration means that it can be resolved in a legally binding way but as it is conducted confidentially, impartially, and relatively swiftly at a known cost the matter can very often be resolved without undisputed areas of the contract being affected.

Summary

Prevention is always better than cure and, to ensure effective management of the risks arising from reliance on external sources for key business services, CIOs should have good vendor management processes and a clear understanding of vendor risks in place.

However CIOs also need to be aware that problems will arise even in the best managed contracts and having a constructive approach to managing disputes in place is essential. Early recourse to an independent mediator or arbitrator is part of a constructive approach and this will often be crucial in ensuring that vendors deliver the business value that was anticipated during the procurement and sales process.

About the Author:

Stephen Hand is a Fellow of the Chartered Institute of Arbitrators and a member of the Institute’s Business Arbitration panel. He is the former CIO of a global marine organisation with many years senior IT management experience. 

 

CIO Connect Masterclass: The World of 2020 - Harnessing the Future in a Fast Changing World

Our business colleagues expect IT to deliver technology led innovation. The aim is to make innovation an integral part of what IT delivers to their business community.

This masterclass reviews technologies in the context of the business’s future and uses scenario planning as a way to uncover ideas and define how to ‘sell’ them to the business community.


Overview:

  • One day results orientated masterclass
  • Focussed for the CIO and their Leadership Team
  • Tailored specifically for the organisation
  • Actionable outcomes

The masterclass covers:

  • What is Innovation?
  • Leading Innovators
  • Testing for Innovation
  • How do we manage innovation?
  • Shadow IT or Citizen Developer?
  • Scenario planning 
  • Disruptive technologies or opportunities?
  • Business exercises
  • Disruptive business or new business opportunities?
  • Further reading material 

The Result: 

  • IT positioned as forward thinking on business strategy

 

Exploiting the power of business and technology fusion

I do so love our Technology Leadership in a Changing World Programme! We had the second session this week and our morning session, led by Dr John Kenworthy, covered Understand your Business. This still is a challenging subject but progress was made when the participants moved from speaking about 'us and the business' to 'us'. It's so easy to see our business colleagues as from a different place.

We started with the discussion on the different types of business cultures and discussed our own businesses in that light. We looked at the changing roles and expectations of IT and the value that IT delivers to different parts of the organisation. The session is always conducted under Chatham House Rules, so I can't share some of the more juicy bits!

There are three takeaways that I can share though.

  • The critical activity going forward is for IT to shift its role from commodity provider to trusted advisor, from a target to be outsourced to becoming involved in the development of the business strategy and therefore key to the organisation. We looked at some actions that we can take to make that happen. While this is often happening at the c-level, it is important to understand that all senior executives have a role in contributing to the business strategy.
  • There are various ways to influence stakeholders. We discussed several of them. The area that was new to me was the chemistry of influence. I must say, it definitely appealed to the nerdy side of my nature!
  • Probably the most immediately relevant is the way to hold more powerful meetings. That is not to be interpreted as more meetings. As we all run from meeting to meeting, we are really delivering less value than we can or should. We discussed ways to reduce the number of meetings we attend and make sure the ones we attend, and more importantly the ones we run deliver clear actions and benefits.

With the second of these sessions, the benefits of sharing experiences, led by a domain expert in a safe environment, with the coaching and mentoring which we deliver between sessions, were more obvious. If we are going to make a difference, we need to do more than attend a session. We need to inhale the experience, and make it an integral part of our DNA before we get absorbed back into the day to day madness that is most of our lives. Otherwise, there will be no change and we will continue to do the same thing with the same result.

Preparing Yourself for Leadership

Yesterday we had the first session of 'Technology Leadership in a Changing World' here in Singapore. This has been a very successful programme in the UK and HK and has run for many years in both places, so not so much a new programme - more a new venue.

The first session was about us preparing ourselves for leadership. Dr John Kenworthy led it and had us tap our inner selves and inner strengths. As we know, IT people are notoriously nerdy, and we tend to focus on others rather than ourselves, problems and solutions rather than promoting ourselves. No wonder the marketing people get the big bucks, they know how to ask for them! So what did we learn? Some key takeaways were:

  • How to bring our unconscious competence to the fore, and to use it day in and day out to be successful leaders
  • Key aspects of emotional and cultural intelligence
  • How to have presence  

We covered a lot more in the session and will pick up on some of these themes and areas over the next 3 sessions in the next 3 months of the programme. By taking this approach with a combination of workshops and mentoring, the attendees have a chance to embed the lessons into their professional DNA.

C-suite members cite their leadership teams as one of their most critical success factors. By giving people a chance to build their leadership skills in this way, they are investing in the future success of their organisations.