Increased Threats for Manufacturers

Let’s be honest: Operational motivations are about speed and efficiency, not security. For manufacturing organizations to effectively manage cyber risk, they first need to understand that the global digital transformation making businesses run smarter and more efficiently is also creating a widening security gap that must be addressed. 

Creating Industry 4.0

In manufacturing, investments are largely motivated by the pursuit of increased operational effectiveness and efficiency: doing more for a lower per-unit cost. Often, these investments manifest as new operational technology (OT), for instance to enable higher degrees of automation, accelerated assembly timelines and improved real-time insights. New OT gets added to a large information technology (IT) stack, which has often been built over several decades; in that time, the IT stack has become a complex mix of legacy, aging and modern solutions held together by vulnerable protocols and a “don’t touch what isn’t broken” stability strategy.

Industry 4.0, driven by the pursuit of OT, is the connection of industrial equipment that accesses and analyzes centralized operational data. In essence, this is the next industrial revolution in advanced manufacturing and smart, connected, collaborative factories. This new paradigm is characterized by the action of the physical world becoming a type of information system through sensors and actuators embedded in objects and linked through networks. Beyond having the potential to completely change material and manufacturing processes, Industry 4.0 is expected to contribute to more efficient operations by aggregating data across all facilities, letting companies monitor, measure and improve performance. 

This digital transformation introduces new generations of intelligent solutions and integrates these solutions into existing manufacturing processes and technologies including SCADA/ICS and PLCs. In many cases, this collection is controlled by a manufacturing execution system (MES), which is tightly integrated into the manufacturing organization’s ERP system.

The Threats Grow

Unfortunately, this pursuit of improved operations comes with an unintended consequence: a widening security gap. As manufacturing has become more connected, the threat surface—the collection of points an attacker can use to try to gain access—has increased substantially and now extends from endpoints and networks into cloud services. In fact, the entire manufacturing process (and, by extension, the company that depends on that process running effectively) is more vulnerable to cyberattacks. From opportunistic attacks using commodity malware as a service, to sophisticated hands-on-keyboard attacks that surgically evade defenses, to advanced persistent threats that can operate for years undetected, to industrial espionage using legitimate credentials harvested from phishing campaigns—the list is long, and the consequences can be devastating. 

Modern threats can readily bypass legacy antivirus solutions and take advantage of vulnerability windows. Organizations need solutions that can harden endpoints, prevent polymorphic malware and fileless attacks, mitigate malicious code execution and provide investigation and remediation capabilities with dynamic response to security incidents. 

As the knowledge of the growing threat landscape solidifies, tension develops between two core factions: OT and IT. Security was a distant priority when vendors created their new OT solutions, yet IT understands the security risks and best practices and wants to take the time to do things as safely as possible. OT is under pressure to hit targets and can feel like IT is slowing them down by unnecessarily overstating the risks. Plus, manufacturers must grapple with systemic vulnerabilities in operating systems and control systems. For instance, it’s important to recognize that many industrial communication standards don’t even consider security because they are based on the old firewall model of complete trust within the network. 

But from the shadows comes a third party: attackers. These bad actors see highly connected, unprotected systems built by vendors that know very little about system security and that are content to pass risk to their customer—the manufacturing organization. 

Additionally, the supply chain is vulnerable. As trusted partners, third-party vendors often become the overlooked or unwitting accomplice in criminal activities. A Spiceworks survey of 600 IT and security decision-makers that asked about supply chains highlights this risk. 

While the majority of respondents felt confident in their vendors to keep data safe, nearly half (44%) of firms had experienced a significant, business-altering data breach caused by a vendor. Human error and stolen passwords accounted for 26% of the breaches, while malware played a key role in half of the attacks. 

While past attacks against major manufacturers and industrial facilities were espionage believed to be sponsored by nation states and based on ideology, many of the latest attacks are the work of cyber criminals motivated purely by profit. Of course, criminals don’t need to shut down a facility to extract payment. In many cases they exfiltrate sensitive information (trade secrets, proprietary data and intellectual property, financial details, private emails, account credentials) and then threaten to release it publicly if a ransom isn’t paid. In some cases, attackers have even weaponized regulations like GDPR, which impose fines when breaches compromise personal information. 

As operational and information technologies converge following an almost predictable path of profit-driven natural selection, the leaders of each group have yet to attain a similar level of integration. The operational groups lack the security expertise of their IT counterparts, and IT experts are often excluded from operational decisions, creating an inherent vulnerability that reaches to the top of the organization.

Cybersecurity is not an IT problem to solve; it’s a business risk to manage. Until manufacturers realize that OT and IT are not in competition with each other, they will remain easy prey for cybercriminals who recognize this philosophical flaw and are willing to exploit it.

4 Ways to Avoid Being a Foolish Leader

April Fools’ Day is just one day a year, but there are common mistakes an insight leader is prone to (and that could end up making him look like a fool) all year ’round.

This isn’t surprising when you consider the breadth of responsibility within the customer insight leadership role. Such leaders have multi-disciplinary technical teams to manage and an increasing demand from across areas of modern business to improve decisions and performance.

Like most of the lessons I’ve learned over the years, the following has come from getting it wrong myself first. So, there’s no need for any of my clients or colleagues to feel embarrassed.

Beyond the day of pitfalls for the gullible, then, here are four common — but foolish — mistakes I see customer insight leaders still making.

1. Leaving data access control with IT

Data ownership and data management are not the sexiest responsibilities up for grabs in today’s organizations. To many, they appear to come with a much greater risk of failure or at least blame than any potential reward. However, this work being done well is often one of the highest predictors of insight team productivity.

Ask any data scientist or customer analyst what they spend most of their time doing, and the consistent answer (over my years of asking such questions) is “data prep.” Most of the time, significant work is needed to bring together the data needed and explore, clean and categorize it for any meaningful analysis.

But, given the negative PR and the historical role of IT in this domain, it can be tempting for insight leaders to leave control of data management with IT. In my experience, this is almost always a mistake. Over decades (of often being unfairly blamed for anything that went wrong and that involved technology), IT teams and processes have evolved to minimize risk. Such a controlled (and, at times, bureaucratic) approach is normally too slow and too restrictive for the demands of an insight team.

I’ve lost count of how many capable but frustrated analysts I have met over the years who were prevented from making a difference because of lack of access to the data needed. Sometimes the rationale is data protection, security or even operational performance. At the root, customer insight or data science work is, by nature, exploratory and innovative, and it requires a flexibility and level of risk that run counter to IT processes.

To avoid this foolish mistake, I recommend insight leaders take on the responsibility for customer data management. Owning flexible provision of the data needed for analysis, modeling, research and database marketing is worth the headaches that come with the territory. Plus, the other issues that come to light are well worth insight leaders knowing well — whether they be data quality, data protection, or something regulation- or technology-related. Data leadership is often an opportunity to see potential issues for insight generation and deployment much earlier in the lifecycle.

2. Underestimating the cultural work needed to bring a team together

Data scientists and research managers are very different people. Data analysts, working on data quality challenges, see the world very differently from database marketing analysts, who are focused on lead performance and the next urgent campaign. It can be all too easy for a new insight leader to underestimate these cultural differences.

Over more than 13 years, I had the challenge and pleasure of building insight teams from scratch and integrating previously disparate technical functions into an insight department. Although team structures, processes and workflows can take considerable management time to get working well, I’ve found they are easy compared with the cultural transformation needed.

This should not be a surprise. Most research teams have come from humanities backgrounds and are staffed by “people people” who are interested in understanding others better. Most data science or analysis teams have come from math and science backgrounds and are staffed by “numbers people” who are interested in solving hard problems. Most database marketing teams have come from marketing or sales backgrounds and are more likely to be motivated by business success and interested in proving what works and makes money. Most data management teams have come from IT or finance backgrounds and are staffed by those with strong attention to detail, who are motivated by technical and coding skills and who want to be left alone to get on with their work.

As you can see, these types of people are not natural bedfellows. Although their technical expertise is powerfully complementary, they tend to approach each other with natural skepticism. Prejudices that are common in society and education often fuel both misunderstanding and a reluctance to give up any local control to collaborate more. Many math and science grads have grown up poking fun at “fluffy” humanities students. Conversely, those with a humanities background and strong interest in society can dismiss data and analytics folk as “geeky” and as removed from the real world.

So, how can an insight leader avoid this foolish oversight and lead cultural change? There really is no shortcut to listening to your teams, understanding their aspirations/frustrations/potential and sharing what you learn to foster greater understanding. As well as needing to be a translator (between technical and business languages), the insight leader also needs to be a bridge builder. It’s worth remembering classic leadership lessons such as “you get what you measure/reward,” and “catch people doing something right.” So, ensure you set objectives that require cooperation and recognize those who pioneer collaboration across the divides. It’s also important to watch your language as a leader — it should be inclusive and value all four technical disciplines.

3. Avoiding commercial targets because of lack of control

Most of us want to feel in control. It’s a natural human response to avoid creating a situation where we cannot control the outcome and are dependent on others. However, that is often the route to greater productivity and success in business.

The myth still peddled by testosterone-fueled motivational speakers is that you are the master of your own destiny and can achieve whatever you want. Collaboration, coordination and communication are key to making progress in the increasingly complex networks in today’s corporations. For that reason, many executives are looking for those future leaders who have a willingness to partner with others and to take risks to do so.

Perhaps it is particularly the analytical mindset of many insight leaders that makes them painfully aware of how often a target or objective is beyond their control. When a boss or opportunity suggests taking on a commercial target, what strikes many of us (at first) is the implied dependency on other areas to deliver, if we are to achieve it.

For that reason, many people stress wanting objectives that “measure what they can control.” Citing greater accountability and transparency for their own performance can be an exercise in missing the point. In business life, what customer insights can produce on their own is a far-smaller prize than what can be achieved commercially by working with other teams. Many years ago, I learned the benefit of “stepping forward” to own sales or marketing targets as an insight leader. Although many of the levers might be beyond my control, the credibility and influencing needed were not.

Many insight leaders find they have greater influence with their leaders in other functions after taking such a risk. Being seen to be “in this together” or “on the spike” can help break down cultural barriers that have previously prevented insights being acted upon and that generate more profit or improve more customers’ experiences.

4. Not letting something fail, even though it’s broken

A common gripe I hear from insight leaders (during coaching or mentoring sessions) is a feeling of suffering for “not dropping the ball.” Many are working with disconnected data, antiquated systems, under-resourced teams and insufficient budgets. Frankly, that is the norm. However, as aware as they are of how much their work matters (because of commercial, customer and colleague impact), they strive to cope. Sometimes, for years, they and their teams work to manually achieve superhuman delivery from sub-human resources.

But there is a sting in the tail of this heroic success. Because they continue to “keep the show on the road,” their pleas for more funds, new systems, more staff or data projects often fall on deaf ears. From a senior executive perspective (used to all the reports needing more), the evidence presents another “if it ain’t broke, don’t fix it” scenario. They may empathize with their insight leader but also know they are managing to still deliver what’s needed. So, requests get de-prioritized.

In some organizations, this frustration can turn to resentment when insight leaders see other more politically savvy leaders get investment instead. Why were they more deserving? They just play the game! Well, perhaps it’s time for insight leaders to wake up and smell the coffee. Many years ago, I learned you have to choose your failures as well as your successes. With the same caution with which you choose any battles in business, it’s worth insight leaders carefully planning when and where to “drop the ball.”

How do you avoid this foolish mistake? Once again, it comes back to risk taking. Let something fail. Drop that ball when planned. Hold your nerve. If you’ve built a good reputation, chances are it will also increase the priority of getting the investment or change you need. You might just be your own worst enemy by masking the problem!

Phew, a longer post than I normally publish here or on Customer Insight Leader. But I hope those leadership thoughts helped.

Please feel free to share your own insights. Meanwhile, be kind to yourself today. We can all be foolish at times….

How to Make IT Efforts Strategic

Has your IT come out of the proverbial and actual basement to be an integral part of your business strategy? Too often, business leaders assign IT a task and expect an initiative to be delivered. End of story. The truth is, business owners must engage and own the outcomes of their IT investments, driving them to a strategic value that can be measured.

What is IT strategy? Think about any infrastructure initiative (building highways, public transportation or urban development). Without the requisite strategic investment of time, funding and planning, these initiatives face delays, cost overruns, diversion from desired strategy and failure. True partnerships between IT and business operations ensure that the best thinking of both can be applied to a given situation to produce strategic results.

Business value

IT should be viewed as a business strategy. Today, not a single discussion in the workers’ compensation industry relating to claims management or medical management does not include IT. As workers’ comp focuses on outcomes (both cost and quality), it is the only new strategy around. Moreover, it is the most effective and efficient strategy to achieve business goals. The following six elements are necessary to generate business value by leveraging the IT strategy. 

1.    Define the project—Describing how new technology or a new data application will function is only the first step in integrating IT into the business strategy. However, defining the project can be tricky. Remember, IT professionals talk a different language and appreciate different measures of success than those involved in operations. Business owners cannot assume their IT requests are understood as they were intended. Even slight misinterpretations of requests can result in frustration, cost overruns and a useless tool.

I recall one time, early in my career, when I submitted specifications for a development project. I used the word “revolutionary” to describe the powerful impact it would have on the business. However, the IT person, who was younger and male, interpreted “revolutionary” in an aggressive, military sense, which was not even close to what I had in mind. Always verify that you have an understanding and clarity of all elements of the IT project. 

2.    Design for simplicity—If the IT project outcome is complicated or requires too many steps, people will not use it.

3.    Define the expected business value—As a part of defining the IT project, define its expected business value. Both the business unit involved and the IT team need to align their expected outcomes. Not unlike evaluating ROI (return on investment), identify the financial investment and rewards of the IT project. Make sure to also describe the anticipated collateral outcomes of the IT project, such as PR, business growth or client involvement. Figure out how to measure the expected business outcomes when the project is complete.

Design the project outcome value measures at the beginning. Too often, business leaders do not articulate their expectations of value and, therefore, can never prove them. If you do not know where you are going, you could end up somewhere else.

4.    Commit resources—Funding and other resources such as personnel should be allocated at the beginning; short-shrifting resources will guarantee less-than-satisfactory results. Know from the beginning how the IT project will be implemented and who will do and be responsible for the work. Establish accountabilities and create procedures for follow-up.

5.    Monitor progress—Continuously monitor and manage the project, even throughout the IT development process. Discovering deviations from the plan early on minimizes damage and rework. Obviously, rework means cost and delay.

6.    Measure value—Once the project is accepted and implemented, begin continuous outcome evaluation. Execute the value measures outlined at the beginning. Make the necessary adjustments and keep your eye on the business value.

Not everyone can be an IT expert, but everyone can become an expert in how IT advances the strategies of their domain.

How to Resist Sexy Analytics Software

Who’s made the mistake of buying apps or sexy analytics software just based on appearance?

Go on, own up. I’m sure at one time or other, we have all succumbed to those impulse purchases.

It’s the same with book sales. Although it should make no difference to the reading experience, an attractive cover does increase sales.

But if you approach your IT spending based on attractiveness, you’re heading for trouble.

Now you may be thinking: Hold on, that’s what my IT department is there to protect against. That may be the case in your business, but as Gartner has predicted, by 2017 the majority of IT spending in companies is expected to be made by the CMO, not the CIO.

There are advantages to that change. Software will need to be more accessible for business users and able to be configured without IT help, and the purchasers are likely to be closer to understanding the real business requirements. But, as insight teams increase their budgets, there are also risks.

This post explores some of the pitfalls I’ve seen business decision makers make. Given our focus as a blog, I’ll be concentrating on the purchase of analytics software on the basis of appearance.

1. The lure of automation and de-skilling:

Ever since the rise of BI tools in the ’90s, vendors have looked for ways to differentiate their MI or analytics software from so many others on the market. Some concentrated on “drag and drop” front ends, some on the number of algorithms supported, some on their ease of connectivity to databases, and a number began to develop more and more automation. This led to a few products (I’ll avoid naming names) creating what were basically “black box” solutions that you were meant to trust to do all the statistics for you. They became a genre of “trust us, look the models work” solutions.

Such solutions can be very tempting for marketing or analytics leaders struggling to recruit or retain the analysts/data scientists they need. Automated model production seems like a real cost saving. But if you look more deeply, there are a number of problems. Firstly, auto-fitted models rarely last as long as “hand crafted” versions, and tend to degrade faster as it is much harder not to have overfitted the data provided. Related to this, such an approach does not benefit from real understanding of the domain being modeled (which is also a pitfall of outsourced analysts). Robust models benefit from variable and algorithm selection that is both appropriate to the business problem and informed by the meaning of the data items, as well as any likely future changes. Lastly, automating almost always excludes meaningful “exploratory data analysis,” which is a huge missed opportunity as that stage more often than not adds to knowledge of data and provides insights itself. There is not yet a real alternative to the benefits of a trained statistical eye during the analytics and model building process.

2. The quick fix of local installation:

Unlike all the work involved in designing a data architecture and appropriate data warehouse/staging/connectivity solution, analytics software is too often portrayed as a simple matter of install and run. This can also be delusory. It is not just the front end that matters with analytics software. Yes, you need that to be easy to navigate and intuitive to work with (but that is becoming a hygiene factor these days). But there is more to consider round the back end. Even if the supplier emphasizes its ease of connectivity with a wide range of powerful database platforms. Even if you know the investment has gone into making sure your data warehouse is powerful enough to handle all those queries. None of that will protect you from lack of analytics grunt.

The problem, all too often, is that business users are originally offered a surprisingly cheap solution that will just run locally on their PCs or Macs. Now, that is very convenient and mobile, if you simply want to crunch low volumes of data from spreadsheets or data on your laptop. But the problem comes when you want to use larger data sources and have a whole analytics team trying to do so with just local installations of the same analytics software (probably paid for per install/user). Too many current generation cheaper analytics solutions will in that case be limited to the processing power of the PC or Mac. Business users are not warned of the need to consider client-server solutions, both for collaboration and also to have a performant analytics infrastructure (especially if you also want to score data for live systems). That can lead to wasted initial spending as a costly server and reconfiguration or even new software is needed in the end.

3. The drug of cloud-based solutions:

With any product, it’s a sound consumer maxim to beware of anything that looks too easy or too cheap. Surely, such alarm bells should have rung earlier in the ears of many a marketing director who has ended up being stung by a large final “cost of ownership” for a cloud-based CRM solution. Akin to the lure of fast-fix local installation, cloud-based analytics solutions can promise even better, no installation at all. Pending needing firewall changes to have access to the solution, it offers the business leader the ultimate way to avoid those pesky IT folk. No wonder licenses have sold.

But anyone familiar with the history of the market leaders in cloud-based solutions (and even the big boys who have jumped on the bandwagon in recent years), will know it’s not that easy. Like providing free or cheap drugs at first, to create an addict, cloud-based analytics solutions have a sting in the tail. Check out the licensing agreement and what you will need to scale. As use of your solution becomes more embedded in an organization, especially if it becomes the de facto way to access a cloud-based data solution, your users, and thus license costs, will gather momentum. Now, I’m not saying the cloud isn’t a viable solution for some businesses. It is. But beware of the stealth sales model that is implicit.

4. Oh, abstraction, where are you now I need you more than ever?

Back in the ’90s, the original Business Objects product created the idea of a “layer of abstraction” or what was called a “universe.” This was configurable by the business (but probably by an experienced power user or insight analyst who knew the data), but more often than not benefited from involvement of a DBA from IT. The product looked like a visual representation of a database schema diagram and basically defined not just all the data items the analytics software could use, but also the allowed joins between tables, etc. Beginning to sound rather too techie? Yes, obviously software vendors thought so, too. Such a definition has gone the way of metadata, perceived as a “nice to have” that is in reality avoided by flashy-looking workarounds.

The most worrying recent cases I have seen of lacking this layer of abstraction are today’s most popular data visualization tools. These support a wide range of visualizations and appear to make it as easy as “drag and drop” to create any you want from the databases to which you point the software (using more mouse action). So far, so good. Regular readers will know I’m a data visualization evangelist. The problem is that without any defined (or controlled, to use that unpopular term) definition of data access and optimal joins, the analytics queries can run amok. I’ve seen too many business users end up in confusion and have very slow response times, basically because the software is abdicating this responsibility. Come on, vendors, in a day when Hadoop et al. are making data access more complex, there is a need for more protection, not less!

Well, I hope those observations have been useful. If they protect you from an impulse purchase without having a pre-planned analytics architecture, then my time was worthwhile.

If not, well, I’m old enough to enjoy a good grumble, anyway. Keep safe! 🙂

Insurers Can Boost Resilience on Cyber

Research by Accenture on the extent of cyber risk suggests how carriers can steel themselves against threats to their IT and cyber security.

Knowing your exposure is always critical. But the Accenture survey, Business Resilience in the Face of Cyber Risk, found just 5% of carriers run simulated attacks and system failures to test their systems’ resilience. Just more than half—52%—of insurance executives surveyed reported that their organizations have produced threat models for existing and planned business operations. Less than half of the executives—47%—map and prioritize security, operational and failure scenarios. And only 14% said they consistently design resilience parameters into the operational models and technology architectures.

The survey also found that just a little more than one-third—38%—of executives “strongly agreed” that their organizations balance spending on iron-clad security measures and growth and innovation strategies. Some 49% “merely agreed,” indicating there is room for improvement in this critical area.

View the infographic that provides details of the insurance-specific results.

Accenture’s 2015 Global Risk Management Study: North American Insurance Report provides more insight on how insurers can better prevent IT failures and cyber security breaches. For example:

  • 50% of respondents “strongly agreed” and 36% more “slightly agreed” that digital presents an opportunity to present the risk function as a business partner.
  • 44% of North American respondents say that their risk management functions, to a great extent, have the necessary skills to understand cyber risk. While that level of confidence was nine points higher than among insurers elsewhere in the world, it demonstrates that the risk functions at more than half of North American insurers either do not have this expertise or have not demonstrated it.

We also suggest insurers consider:

  • Embracing the digital ecosystem—Take advantage of digital capabilities and technologies outside of the enterprise to strengthen strategic decision-making.
  • Managing digitally—Develop the ability to orchestrate, in real time, the myriad internal and external services required for a multi-speed business and IT.
  • Institutionalizing resilience, because it is not a point-in-time initiative—Resilience must be part of the fundamental operating model, engrained into objectives, strategies, processes, technologies and the culture.

To learn more about the study, download Business Resilience in the Face of Cyber Risk (PDF).