Practical Guide for IT Outsourcing
a HandiGuide®
ISO 27001 & ISO 27002 Compliant
"Handiguide has EVERYTHING that is needed to select an outsourcer, enter into an agreement, and manage the relationship," says a CIO of a Fortune 100 company.
The need to lower cost, increase efficiency and conserve cash has increased the motivation of companies to turn to outsourcing and increased the appeal of alternative delivery models. The disruptive shifts in new demand and supply patterns drive changes in how IT services are bought and from whom.
The Practical Guide for IT Outsourcing Template includes a Sample Outsourcing Contract along with a Service Level Agreement, due diligence questions, and other tools to facilitate the outsourcing process. The template includes Janco's exclusive Business and IT Impact Questionnaire.
The Practical Guide for IT Outsourcing is delivered electronically in WORD and/or PDF format. Included is a 3-page Job Description for the Manager Outsourcing. Sarbanes-Oxley issues are addressed directly. Included is an ISO 27001 and ISO 27002 audit program.
The Outsourcing Guide and the Business and IT Impact Questionnaire are over 140 packed pages and include everything needed to plan for, negotiate, and manage an outsourcing process within an enterprise. The electronic document includes:
- Outsourcing Management Standard: Overview of outsourcing, Service Level Agreements and responsibilities
- Outsourcing Policy Standard: Policy that can be used to determine when outsourcing is an option
- Outsourcing Approval Standard: Process which can be used in approving an outsourcing agreement. Includes a process flow chart on steps to a successful outsourcing agreement
- Sample Service Level Agreement: Includes several sample service level agreements
- Service Level Agreement Metrics: Definition of over 150 metrics presented in 18 tables that can be used to manage an outsourcing vendor
- Outline for Contract Negotiation: Over 17 pages covering the issues to be addressed, including service to be provided, service level requirements, term of the agreement, enterprise's facilities, enterprise's equipment (owned/leased), intellectual property, third party service providers, IT application projects (current / future), responsibilities, training and conversion, to mention a few
- Base Case Development: Detailed listing of factors to include
- Mutual Non-Disclosure Template: Template that can be used to create an enterprise's own document for use with outsourcing vendors
- Job Description for Manager Outsourcing (3 pages)
- Business & IT Impact Questionnaire: Inventory and assess all applications; addresses Sarbanes-Oxley compliance issues
- ISO 27001 & 27002 Security Process Audit Checklist
- HIPAA Audit Program Guide
Outsourcing by Industry (chart)
When CEOs and executive management broach the subject of outsourcing, CIOs need to avoid making critical decisions in a state of crisis or panic. Outsourcing decisions made in haste can be simplistic and may adversely impact the ability to deliver real business advantage.
- CIOs should start their sourcing endeavor by building a solid sourcing strategy that focuses on creating short and long term value. This strategy should be aligned with the organization's sourcing management maturity and include business value scenarios, open options and a road map of value creation with a timeline of expected results.
- CIOs must take a long-term view of the developing global presence of countries that can provide high-quality resources at the right price point. If your geographic presence is diverse, seek providers that are not exclusively focused on a single country, so that you can mitigate risks (such as geopolitical instability) and also take advantage of the benefits of alternative countries, which may offer opportunities close to your own growth markets.
- CIOs should actively monitor the market to determine the best combination of software and IT services and service provider options to meet their requirements and specify their appetite for risk.
These are the issues that the Practical Guide for IT Outsourcing Template addresses.
Outsourcing and IT Infrastructure News
Hiring and keeping younger workers
Today's young workers are extremely tech-savvy, and the technology they'll have access to is a major consideration for many as they join the workforce. Many are used to having 24/7 access to email and the Internet on their smartphones or tablets. And with extensive knowledge of the Internet and its many services, more are using Web-based applications for many of the solutions they use on a daily basis. As an employer, making sure you have the right technology on hand to both appeal to and keep your younger workers happy is an important consideration when plotting out your technology roadmap.
Keeping workers helps reduce training costs over time, and it could also help you sell your CEO on some product purchases. You know that cloud solution you're dying to implement? Well, tell the CEO about your young workforce being able to take advantage of it to work extra hours, and it might just happen. Want to bring iPads to the office? Tell the top executive that it might just improve productivity. As your company tries to find an edge in a job market filled with educated Millennials, technology could very well be the differentiating factor that helps you attract and retain a young workforce.
Cloud as an alternative to outsourcing
CEOs at three of India's top ten outsourcing providers recently told the Times of India that they plan to "reduce on-site work by up to five percent over the next year and handle traditional onsite projects such as managing takeover of an existing outsourcing contract ... through videoconferencing." (The Times did not name the CEOs or their companies.)
As the whistleblower case against Infosys, alleging that the Indian IT services provider misused B-1 visas to bring offshore staff to the U.S., heads to court later this year, it's unlikely that scrutiny of the temporary worker visa system will subside. And, as of Monday, talks between the U.S. and India intended to address these visa complaints among other issues, were called off indefinitely.
Prepare now for the inevitable effects of reductions in onshore and on-site headcount:
- Conduct a Process Design Review - Make sure that essential on-site roles required for seamless operation of global delivery will be filled. Consider contract resources to handle short-term gaps, advises Amneet Singh, vice president of global sourcing for outsourcing consultancy Everest Group. Longer term, developing such skills in-house may be a better bet. "Buyers are picking and choosing certain roles to bring back in-house," says Esteban Herrera, chief operating officer of outsourcing analyst firm HfS Research.
- Invest in Change Management Efforts - Prepare users for potential tweaks in the delivery model and changes in their day-to-day working experience, says Singh, and execute an effective communication strategy to address any uncertainty in the business.
- Consider Nearshore Alternatives - Providers with alternate delivery locations, like Mexico, do not have the same temporary visa restrictions as a result of the North American Free Trade Agreement (NAFTA), Herrera points out. They can more easily transfer workers across borders to manage projects and knowledge transfer.
- Beef Up Your Technology Backbone - Your offshore provider is likely to require more high-end videoconferencing or digitization capabilities to manage future projects. Ensure you have the right infrastructure and software to handle the proposed technology enablers of diminished on-site staff, says Singh. Also, make sure to design and execute effective internal training programs for the new tools.
- Revisit Contract Pricing - If your IT service provider is planning to move on-site roles overseas, it's probably a good time to renegotiate price, but don't play hardball. Sharing the upside of sending more work to less costly locales will result in a happier and healthier relationship long-term.
Half of European companies have no Disaster Plan
Over half of small organisations across the UK, France and Germany are operating without a formal disaster recovery plan in place, according to research.
The survey of 160 IT decision-makers found that 58% of small organisations (50-250 employees) do not have a formal disaster recovery plan, and nearly one fifth of mid-sized enterprises (250-1,000 employees) are in the same position.
Industry differences became apparent when comparing how prepared organisations are for a potential disaster. Companies within the Financial Services sector (90%), as well as those in Communications and Media (81%), have formal disaster recovery plans in place. However, a much smaller percentage of businesses in Retail & Distribution, and Manufacturing, have done the same, with less than 40% having drawn up formal disaster recovery plans.
Security Template now has electronic forms
Security Manual for the Internet and Information Technology is over 230 pages in length. All versions of the Security Manual template include both the Business & IT Impact Questionnaire and the Threat & Vulnerability Assessment Tool (both were redesigned to address Sarbanes Oxley compliance). In addition, the Security Manual Template PREMIUM Edition contains 16 detailed job descriptions that apply specifically to security and Sarbanes Oxley, ISO 27000, PCI DSS, and HIPAA.
The policies and procedures template now has electronic forms including:
- Blog Policy Compliance
- Company Asset Employee Control Log
- Email - Employee Acknowledgment
- Employee Termination Checklist
- Internet Access Request
- Internet Use Approval
- Internet & Electronic Communication - Employee Acknowledgment
- Mobile Device Access and Use Agreement
- Employee Security Acknowledgement Release
- Preliminary Security Audit Checklist
- Security Access Application
- Security Audit Report
- Security Violation Reporting
- Sensitive Information Policy Compliance Agreement
Federal agencies are not spending as much as private businesses on security
Federal agencies have budgeted $6.5 billion for security in 2012, much less on a percentage basis than other businesses and industries.
The federal government lags behind most industries when it comes to how much of its IT budgets are spent on security, pointing to a need for agencies to rethink their investments as they adopt new technologies.
Many agencies report they don't feel they have enough money to spend on security and, in general, security investments by the federal government are less than that spent by other business sectors.
In total, federal agencies have budgeted $6.5 billion for all security investments in fiscal 2012. However, the entire IT budget for the feds for that year is expected to top $81.3 billion.
Not surprisingly, the Department of Defense spends more than any other agency on security, according to the report. Its 2012 budget for security, covering both legacy systems and development, modernization, and enhancement, is $4.1 billion, according to the report, which does not provide data on total IT budgets for agencies. The Department of Homeland Security also is one of the leading security investors among agencies, having budgeted $525.7 million for security in 2012.
US Senate looking to tax Internet Sales
The US Senate has a new bill on its agenda, The Marketplace Fairness Act, that would allow states to collect taxes on Internet sales, even when the seller does not have a physical presence in the taxing state.
In essence the bill would allow states that sign on to collect sales taxes from Web-based sellers, reversing a widespread practice of no Internet sales taxes since the beginning of the commercial Web.
The new bill would allow states to collect sales taxes from remote sellers if they sign on to the Streamlined Sales and Use Tax Agreement (SSUTA), a 12-year-old effort to meet the Supreme Court's requirements to simplify sales tax collection, or if they adopt a so-called alternative tax simplification plan.
Sponsors of the bill, similar to past efforts to allow Internet sales taxes, said the current system is unfair to small bricks-and-mortar businesses that have to charge sales tax to local customers.
Correcting Social Media Errors
What matters first with a social media mistake is responding quickly, being transparent and demonstrating sincerity -- all of which should follow a social gaffe committed in person and in public. Social media, though, introduces complications all its own: How you've been using it all along will also affect your ability to clean up after it.
This is why what comes after the mistake is just as important, if not more so: The chance to learn why it happened in the first place and do something about it. You may find better ways to use social media because of this. If you've been spammy or thoughtless, you need to own up to that. If your audience makes good points about your shortcomings (however badly they phrase them), you need to respond to those too.
Smartphones impact how CIOs implement a secured DR infrastructure
The world of smartphones, tablets and mobile devices is evolving rapidly and is changing the way CIOs think about topics ranging from telework to disaster recovery to information security.
- Mobile Device Security: Before you can make your users more productive with mobile devices, you need to make certain that those devices are highly secure and remotely managed.
- Custom Applications: The rapid advances in COTS smartphone technology have changed the game for creating custom, multi-platform applications that can dramatically boost your mobile users' productivity.
- Disaster Recovery and Emergency Response: New commercial wireless technologies can be a key part of your disaster response/Continuity of Operations (COOP) plans.
- Mandated Mobile Security: While modern cellular networks provide security good enough for everyday usage, there are some situations, such as when you're dealing with sensitive or classified information, where you need a higher grade of information assurance for your wireless voice communications.
- Mobile Resource Management: Whether you're tracking vehicles or other transportable assets, wireless asset management systems enable CIOs to increase asset protection and tracking capabilities and save money at the same time.
- Field Force Automation: Virtually any job process that is done with paper-based forms or on unconnected terminals can be adapted to mobile handheld or tablet devices.
Small businesses have a false sense of security about Internet access
Most small business owners believe that Internet security is critical to their success and that their companies are safe from cyber security threats, but most fail to take fundamental precautions. This is the major finding from a survey of US small businesses.
The survey found that two-thirds (67 percent) of US small businesses have become more dependent on the Internet in the last year and 66 percent are dependent on the network for their day-to-day operations. What's more, 57 percent of firms say that a loss of Internet access for 48 hours would be disruptive to their business, 38 percent said it would be 'extremely disruptive' and 76 percent say that most of their employees use the Internet daily.
The vast majority of small business owners think their company is cyber-secure: 85 percent of respondents said their company is safe from hackers, viruses, malware or a cyber-security breach, and seven in ten (69 percent) believe that Internet security is critical to their business's success. Additionally, a majority (57 percent) of small businesses believe that having a strong cyber security and online safety posture is good for their company's brand.
Despite this, a closer look reveals that most small businesses lack sufficient cyber security policies and training. 77 percent said they do not have a formal written Internet security policy for employees, and of those, 49 percent reported that they do not even have an informal policy. More small business owners also said they do not provide Internet safety training to their employees than said they do, 45 percent versus 37 percent. And a majority of businesses (56 percent) do not have Internet usage policies that clarify what websites and web services employees can use, and only 52 percent have a plan in place for keeping their business cyber-secure.
At the same time, small businesses may not understand how to respond to online threats or the danger they pose. For example, 40 percent of small businesses say that if their business suffered a data breach or loss of customer or employee information, credit card information or intellectual property, their business does not have a contingency plan outlining procedures for responding and reporting it. Two-fifths (43 percent) also say they do not let their customers and partners/suppliers know what they do to protect their information.
The survey also found that 69 percent of the businesses handle customer data, while about half (49 percent) handle financial records, one-third (34 percent) handle credit card information, one quarter (23 percent) have their own intellectual property, and one in five (18 percent) handle intellectual property belonging to others outside their company. When asked to rank the top concern of small business owners while their employees are on the Internet, 32 percent reported viruses, 17 percent spyware/malware and 10 percent reported loss of data. Yet only 8 percent are concerned about loss of customer information, 4 percent about loss of intellectual property and only 1 percent worry about loss of employee data, even though cyber security experts believe the loss of any of this kind of information would be devastating to a business.
Data Center Consolidation Impacts DRP and BCP
Disaster Recovery and Business Continuity planning are impacted by Data Center consolidation that centralizes productivity applications. As enterprises reduce the overall number of data centers, consolidating remote and branch office assets in the process, Disaster Recovery and Business Continuity become more critical. According to an international research firm, 41% of large organizations have consolidated most IT assets in corporate data centers, while another 34% have consolidated some assets in corporate data centers.
While this has given IT greater operational control and lower costs, it also can lead to increased risk. Each remote site that accesses the centralized data center creates a potential point of failure. If the new centralized location were to fail, all the applications and services housed therein would be unavailable and its impact - as measured in lost productivity and revenue - could be far greater.
Security threats to increase according to a University of Georgia report
In 2012 there will be new and increasingly sophisticated ways used to capture and exploit user data, as well as escalated battles over the control of online information which will threaten to compromise content and erode public trust and privacy. In the Georgia Tech Emerging Cyber Threats Report for 2012, the specific issues expected to cause the most problems for organizations are:
The mobile threat vector - managing tensions between usability, security and scale
- Mobile applications rely increasingly on the browser, presenting unique challenges to security in terms of usability and
- Expect compound threats targeting mobile devices to use SMS, e-mail and the mobile Web browser to launch an attack, then silently record and steal data.
- While USB flash drives have long been recognized for their ability to spread malware, mobile phones are becoming a new vector that could introduce attacks on otherwise-protected systems.
- Encapsulation and encryption for sensitive portions of a mobile device can strengthen security.
Botnets - the evolving nature of adversaries, tactics, techniques and procedures
- Botnet controllers build massive information profiles on their compromised users and sell the data to the highest bidder.
- Advanced persistent adversaries query botnet operators in search of already compromised machines belonging to their attack targets.
- Bad guys will borrow techniques from Black Hat SEO to deceive current botnet defenses like dynamic reputation systems.
Controlling information online - a new frontier in information security
- Security researchers are currently debating whether personalization online could become a form of censorship.
- Attackers are performing search engine optimization to help their malicious sites rank highly in search results.
- The trend in compromised certificate authorities exposes numerous weaknesses in the overall trust model for the Internet.
Advanced persistent threats and the intersection of cyber threats with physical and critical infrastructure
- Advanced persistent threats will adapt to security measures until malicious objectives are achieved.
- Human error, lack of user education and weak passwords are still major vulnerabilities.
- Cloud computing and computer hardware may present new avenues of attack, with all malware moving down the stack.
- Large, flat networks with perimeter defenses at the Internet ingress/egress point break down quickly in the face of advanced persistent threats.
Data loss in a cloud environment is a major issue for CIOs
IT professionals surveyed reported that 65 percent of organizations frequently experienced data loss from a virtual environment. This represents a 140 percent increase in virtual data loss when compared to a similar survey last year.
Other key findings indicate that 53 percent of those surveyed experienced five virtual data loss incidents in the past year and 12 percent of respondents experienced data loss more than five times in the past twelve months.
Common causes of data loss from virtualized environments include file system corruption, deleted virtual machines, internal virtual disk corruption, RAID and other storage/server hardware failures and deleted or corrupt files contained within virtualized storage systems.
A virtualization data loss can be catastrophic for an organization. Determining the financial impact of a business disruption is difficult because there are both tangible factors, including productivity loss, missed sales opportunities and staff's hourly time, but also less tangible factors such as potential non-compliance penalties, damage to corporate image and weakened customer confidence.
"Successful organizations realize that any disruption within the virtual infrastructure, regardless of how small, will have an amplified impact on the business as a whole," said a manager of data recovery operations. "Virtualization contracts often claim no liability for data corruption, deletion, destruction or loss. As a result, it is critical for IT leaders and business continuity planners to proactively include a data recovery service provider in their contingency plans."
In addition to implementing virtual data centers onsite, organizations are increasingly turning to third-party cloud providers as a means of data storage. When asked about their cloud provider's ability to properly handle data loss incidents, 55 percent revealed a lack of confidence. In fact, only 39 percent of respondents said their cloud provider educated their organization on how they would approach a data disaster/data recovery situation from the cloud.
Data in the cloud puts many enterprises at risk
Between data analytic requirements and consolidation initiatives, there is a rapid increase in the use of structured data storage, and the amount of data stored in this way. The information stored in enterprise databases is increasingly sensitive and subject to legal, regulatory and other compliance requirements. In addition, many enterprises continue to rely on inadequate network and application-layer controls, and perform only minimal monitoring on database storage infrastructure.
Steps that CIOs must take
- Evaluate your enterprise's current database controls to identify gaps and compensatory or mitigating controls for those gaps.
- Conduct a database risk assessment, applying a balanced approach to risk management and mitigation based on risk, criticality, and regulatory and other compliance requirements.
- Identify the monitoring use cases that apply to your enterprise's database infrastructure, and deploy tools to support those use cases effectively and efficiently.
- Develop and communicate a clear policy specifying what database-related behaviors should be audited and why.
CIOs who are paid more than $1MM are not that rare
The federal securities laws require clear, concise and understandable disclosure about compensation paid to CEOs, CFOs and certain other high-ranking executive officers of public companies. Several types of documents that a company files with the Commission include information about the company's executive compensation policies and practices. You can locate information about executive pay in: (1) the company's annual proxy statement; (2) the company's annual report on Form 10-K; and (3) registration statements filed by the company to register securities for sale to the public.
As part of the documents that public corporations must file, the total compensation of the three highest-paid executives in these corporations must be published each year. From those records we have identified the information technology executives who fall in that category. This is not an all-inclusive list of the highest paid IT executives but a snapshot of their compensation; other CIOs may be paid more.
What defines cloud computing
Cloud computing is very different from traditional networks and applications. In general, a service or offering is considered cloud computing if it has at least four of these seven traits:
- Internet (or intranet) accessible
- A massively scalable, user-configurable pool of elastic computing resources (such as network bandwidth, compute power, memory, etc.)
- Multitenancy (one large software instance shared by many customer accounts)
- A broad authentication scheme
- Subscription or usage-based payment
- Self-service
- Location independent
All of these traits offer new challenges to the computer security professional, but accessibility, multitenancy, broad authentication, and lack of location specificity are the four items responsible for the biggest technology shift and demand for new security solutions.
How malware gets installed on a computer
Common types of malware delivery mechanisms:
- Software updates: Malware posts invitations inside social media sites, inviting users to view a video. The link tries to trick users into believing they need to update their current software to view the video. The software offered is malicious.
- Banner ads: Sometimes called malvertising, unsuspecting users click on a banner ad that then attempts to install malicious code on the user's computer. Alternatively, the ad directs users to a web site that instructs them to download a PDF with heavily obscured malicious code, or they are instructed to divulge payment details to download a PDF properly.
- Downloadable documents: Users are enticed into opening a recognizable program, such as Microsoft Word or Excel, that contains a preinstalled Trojan horse.
- Man-in-the-middle: Users may think they are communicating with a web site they trust. In reality, a cybercriminal is collecting the data users share with the site, such as login and password. Or, a criminal can hijack a session, and keep it open after users think it has been closed. The criminal can then conduct their malicious transactions. If the user was banking, the criminal can transfer funds. If the user was shopping, a criminal can access and steal the credit card number used in the transaction.
- Keyloggers: Users are tricked into downloading keylogger software using any of the techniques mentioned above. The keylogger then monitors specific actions, such as mouse operations or keyboard strokes, and takes screenshots in order to capture personal banking or credit card information.
Security and data breaches are on the rise
When criminals compromise financial institutions and other corporate targets, often the victims like to keep it as quiet as possible. At least the new wave of very public assaults shines a bright light on the poor state of security. Businesses, government agencies, and educational institutions reported 50 percent more data breaches in 2008 than in 2007, exposing the personal records of at least 35.7 million Americans.
The financial consequences of such breaches can be severe. Many organizations lose customers and revenue because of the violation of trust incurred from a breach. Due to the growing number of state privacy laws, most breaches require that those whose information is compromised must be notified. Most organizations now pay for credit monitoring services for several years for all those impacted by a breach; these services typically cost about $100 per person per year. And in some cases, organizations are subject to fines for revealing personal information.
The lack of even elementary training is one problem. Another is that people don't get penalized for failure. In the vast majority of cases, neither end-users nor IT professionals face penalties for their role in a security disaster.
Disaster Planning Needs To Consider Excessive Success of Business Operations
Changing business conditions are a double-edged sword. Almost any risk - whether it comes in the form of an opportunity or a threat - requires a response from your business. If the business responds inappropriately or too slowly, the business could lose ground to its competitors.
While too much success may not sound like a threat to the business, it can become one if the business is not prepared to handle a surge in customer demand. For example, when Victoria's Secret televised a fashion show during the 1997 American football Super Bowl, the company was unable to scale to meet the ensuing demand for access to its Web site, resulting in significant performance degradation and customer dissatisfaction.
On the other hand, a disruption in business operations and services, whether from a natural disaster, a terrorist strike, a cyber attack or a simple malfunction, can seriously reduce your revenues and even do long-term damage to your brand. Industry estimates indicate that upwards of 40 percent of organizations without business continuity and recovery plans will go out of business within a few years of a major disaster.
The best response to the threat of disaster is to combine several disparate risk-management strategies into a single, integrated resilience strategy that will allow your organization to adapt and respond rapidly to opportunities, regulations and risks - in order to maintain security-rich business operations, be a more trusted partner and enable growth.
The Janco Disaster Recovery Plan & Business Continuity Template is just such a solution.
Employed IT professionals have trouble making ends meet
A significant percentage of employees are living paycheck-to-paycheck, with a notable share of them missing routine bill payments, according to a recent survey from CareerBuilder. Even a six-figure income may not be enough to stave off bad times: a surprising number of those making more than $100,000 per year are having trouble meeting expenses.
- 42% of employees live paycheck to paycheck
- 46% of females live paycheck to paycheck
- 38% of males live paycheck to paycheck
- 14% of employees who make more than $100,000 live paycheck to paycheck
- 6% of employees who make more than $100,000 say they cannot make ends meet
- 21% of professionals are making ends meet by reducing 401K contributions
- 34% of employees do not participate in retirement savings plans
- 20% of employees missed a bill payment this last year
- 24% of females missed a bill payment this last year
- 17% of males missed a bill payment this last year
Things that employees will not give up
- Internet connection 56%
- Driving 46%
- Mobile Phone 42%
- Cable TV 27%
- Eating out 11%
IT service management issues that CIOs face
The key service management business questions facing CIOs and senior IT managers today are:
- What impact does ever-increasing technical complexity have on service management, margins and customer satisfaction?
- Where are the areas where margin-improvement opportunities exist?
- How can IT minimize the maintenance-contract price pressure to drive new service-revenue opportunities to the bottom line?
- How does improved service management translate into a competitive advantage?
- What is the future as the IT function moves from fixing problems to driving product value?
- What are the challenges of offshoring support and how should the enterprise address them?
Mobile Device Security Policy
Your organization needs to identify and develop mobile security policies that, once deployed, provide adequate protection. The level of protection has to be aligned with the level of risk that your organization is willing to accept. These policies should ensure that the many regulatory or compliance concerns that might be applicable are addressed. The mobile security policy should be integrated within your overall information security policy framework. Key elements to address in the mobile device security policy are:
- Physical security of the device
- Handling of lost or stolen devices
- Acceptable uses of the device
- Encryption
- Password protection
- Storage
- Backup
- Access Control
- Authentication
- Monitoring
As with every other security policy, your organization must regularly review its mobile device security policy, particularly after the acquisition of new mobile devices, after configuration changes, and in the wake of security incidents involving mobile devices.
Microsoft bad mouths US IT Programmers
The Redmond giant has been chastised for failing to take the lead when new technology rears its head, or for being 'out of touch' in general. On that note, Microsoft took a bit of a hit earlier this week, when the company's general counsel lamented the shortage of good IT workers. His solution? Petition the U.S. Congress to raise the cap on green cards so the company can import more high-tech help.
That caused a knee-jerk reaction among programmers, who contend that Microsoft can't find people to fill its apparent 4,551 job openings because it limits its searches to younger, less expensive workers. The idea that older programmers lack modern skill sets (in cloud and mobility, for example) has tempers flaring as well, with many doubting that their younger counterparts wield them either. "I doubt the ones they are bringing over on H-1B visas necessarily have those skills," said the communications director for WashTech, an affiliate of the Communications Workers of America, "They give them a three-week crash course and then call them a Java programmer."
Defining a successful CIO
In order to be successful, CIOs need to keep their eyes on the horizon and foster innovation. Regardless of each CIO's style, there are essential actions that CIOs can take.
- CIOs must deliver on business operational objectives - Organizations that demand high-performance IT need CIOs to focus on managing essential IT activities and getting information to decision makers faster and more accurately. The business expects CIOs operating with this mandate to concentrate about half of their efforts on the fundamentals of delivering IT services.
- CIOs must focus on delivering quality services - CIOs focused on cross-enterprise growth continuously tune business processes and internal collaboration to gain tighter integration. Like all CIOs, those working with an expanded mandate are responsible for the fundamentals - a well-run digital infrastructure that provides data security, integrity and system availability. Yet they must also continually refine operations to optimize efficiency and seek substantial competitive advantage with the help of IT.
- CIOs must look to the future and stay ahead of the enterprise's competition - CIOs look beyond the boundaries of the organization to simplify business processes and generate real-time insights up and down the value chain. Organizations that operate with this mandate expect IT, more than anything else, to be a provider of industry-wide solutions that support the business. CIOs need to exhibit an entrepreneurial spirit and enable the radical redesign of products, markets and business models. CIOs are seen as critical enablers of the organization's vision, not merely as providers of fundamental IT services or business process efficiency.
Compliance versus security
Regulatory compliance is an important corporate initiative as the complexity and scope of the regulatory environment continues to increase. Coupled with the rise in cyber attacks and insider threats, organizations are now searching for a more effective, sustainable, and scalable approach that will achieve their compliance objectives while improving the overall security posture of the organization.
The mandatory nature of regulatory compliance, combined with specific and quantifiable penalties for non-compliance, has directed a large portion of overall security spending toward compliance efforts. It is hard to argue with this objective, because the goal of compliance spending is to protect corporate profitability and avoid increased costs from non-compliance and possible brand damage. However, when security projects are focused solely on meeting a minimal set of audit criteria rather than minimizing risk, much of the potential benefit of this funding is wasted.
The challenge for security teams is to ensure that security expenditures are directed toward a comprehensive risk mitigation program aligned to the risk tolerance and business objectives of the organization. Allowing the "accredit and forget it" approach to drive security priorities is like cramming for an exam. You may pass the exam (or the audit), but you are unlikely to retain the benefits you would have gained from careful study and planning. Passing a PCI DSS audit, for example, is a good achievement. But even PCI DSS, considered one of the most prescriptive mandates, is only a minimum security standard and does not guarantee protection against data breaches. Case in point: both Heartland Payment Systems and T.J. Maxx had achieved or were achieving PCI compliance when their systems were breached by a global identity theft ring, resulting in two of the largest breaches of credit card data in history. Ask yourself: does compliance drive your security program without necessarily improving security?
Clouds impact on CIOs and IT departments
CIOs have to deal with business managers who hire the equivalent of several IT departments using a credit card and their normal operational budgets. In fact, 65 percent of all business managers maintain an IT budget of their own -- carved from their normal operational budget -- for SaaS or cloud services they can buy directly, rather than going through IT.
What does this mean to IT jobs? Some statistics give an indication:
- By 2014, one-third of all IT organizations will be providing cloud services to business partners rather than providing IT internally.
- By 2015, spending on public cloud services (including SaaS) will make up 46 percent of all new IT spending. SaaS will make up three-quarters of that spending, giving SaaS and cloud providers the leading role in vendor relations with your company.