The Brandeis GPS blog

Governance and the case for bringing cybersecurity out of IT

By Joseph Dalessandro

October is National Cyber Awareness Month, and we’ll be spotlighting cybersecurity content on the blog all month long.

Information security governance is perhaps the most challenging aspect of cybersecurity.

Governance, while not a four-letter word, is often discussed with the same grumble one uses when speaking about the dentist or aged fish. The basic premise of governance is that simple accountability and transparency deter calamity. One cannot predict and avoid all disasters (think volcano here), but at the same time, one cannot grade one's own homework.

It works well until there is a real test and someone else has the red pen. I think it was the queen of corporate governance, Nell Minow, who said, "watched boards change." I agree, and would say this observation applies all the way down the corporate chain into an organization: those that change are the ones who are watched as objectively as possible.

So what does this have to do with cybersecurity, and why is governance hard in the cybersecurity space? There are a number of reasons for this perception. First, boards have been bamboozled by jargon and by an IT executive tier that has been unclear and unsure of what to report on security and how to report it. (For those of you on boards, when was the last time you had a security executive discuss the direct link between spend and the measured reduction of risk?) Indeed, in a Bay Dynamics/Osterman Research survey, "the majority (85%) of board members believe that IT and security executives need to improve the way they report to the board."

While I am not a fan of standards for standards' sake, ISO/IEC 38500:2008, Corporate governance of information technology, has the following useful definitions:

  • Corporate governance: The system by which organizations are directed and controlled.
  • Corporate governance of IT: The system by which the current and future use of IT is directed and controlled. Corporate governance of IT involves evaluating and directing the use of IT to support the organization and monitoring this use to achieve plans. It includes the strategy and policies for using IT within an organization.
  • Management: The system of controls and processes required to achieve the strategic objectives set by the organization’s governing body. Management is subject to the policy guidance and monitoring set through corporate governance.

Security leaders should tack these definitions to their wall.

When it comes to how security leaders can set the right direction for the board and make sure the board has the right information for strategic oversight, I think it is a "two-way street." Boards need to come to the security function and ask questions, and security leaders need to come to the board with improved reporting. One improvement would be an approach that keeps the security report separate and distinct from that of technology. For organizations where information security, or cybersecurity, does not report to IT: bravo! You have taken a step toward greater transparency. The inherent mission of IT is accessibility and availability; the inherent mission of security is possession (control), protection and integrity. These missions are often in conflict, and managing them under the same leader (often a technology leader) can result in a Head of Security who has no real chance to challenge or push back against the IT executive who writes their performance assessment and controls their compensation.

We can better coordinate, manage and govern our complete security capabilities by bringing cybersecurity out of IT and taking a more holistic approach: one that converges physical and facility security, fraud and loss mitigation, and the other components of security into a single set of capabilities with common data collection, management and, ultimately, governance.

An organization's board and business management must be aligned where spend and the use of emerging technology converge for the business. Security leaders should consider the following approach to championing governance:

  1. Above all, be transparent and accountable. Don't tell the board what they want to hear or what you think they want to hear (they know when they are being managed). Represent the security program objectively. Characterize how security investments support the delivery of value for the business and support organizational objectives.
  2. Do the hard work to consistently measure, monitor and report on security risk, and to provide the analysis that links security investments to the execution that mitigates or manages risk and reduces or limits potential impact.
  3. Share the performance and achievements of security staff. They drive the execution of the program and are where the rubber meets the road. Just like any other business function, people are what drive success for a security program.
  4. Demonstrate how cybersecurity is aligned with and supports the strategic planning and objectives of the business and the expected business outcomes. The IT mantra of constant access and availability will often be in conflict with cybersecurity's mission of possession, protection and integrity, but the two do not have to be contentious. IT does, however, need a peer who can hold it accountable when needed, not a lackey who does what they are told.

Joseph (Joe) Dalessandro is the program chair of the Information Security Leadership program at Brandeis University Graduate Professional Studies, and the Head of Security & Technology Audit and Audit Data Analytics, Australian Unity.

Brandeis GPS offers a Master’s of Science in Information Security Leadership. The part-time, fully online program prepares graduates for leadership roles in information security with a cutting-edge, industry relevant curriculum that builds leadership savvy and skill in leveraging technical know-how. For more information, contact gps@brandeis.edu, call 781-736-8787 or visit www.brandeis.edu/gps.

Security and the Internet of Things

By Joseph Dalessandro

Love it or despise it, the Internet of Things (IoT) has forever altered human thinking and interaction. Increased telemetry from our bodies through wearable tech, and app-based analysis of data about our health and personal space, have made discovery, identification and interaction with others through apps and smart devices the new norm. How will this explosion of devices change our mission objective as security leaders and professionals?

The term IoT is generally applied to "endpoint" objects such as devices, wearables, cameras, chips, toys, and other objects that can be reached over a connection such as WiFi or another carrier signal and interacted with via the internet. Examples that have become pervasive include Fitbit wearables, Apple Watches, Alexa or Google Home devices, Nest thermostats, and medical devices such as insulin pumps. While these devices are limited in capability, often just one or two functions or a binary on/off state, the sheer number of devices and the absence of uniform minimum security standards from manufacturers present a problem (several, actually) for our IT departments, infrastructure managers and security professionals.

We can easily find statistics about the number of devices that have emerged in earnest since 2008. The 2017 Cisco Visual Networking Index provides a comprehensive view of some of those numbers. Two of my favorite highlights from this report include:

  • There will be 3.5 networked devices per capita by 2021 (a projected global population of about 7.875 billion times 3.5, roughly 27.5 billion devices)
  • IP traffic in North America will reach 85 EB per month by 2021 (and North America will not be the highest-traffic global region)

While I am not sure where that bandwidth comes from (I cannot always get consistent streaming bandwidth for Netflix), what worries me more is patching, tracking and controlling devices. I am not suggesting we control all devices, but I need to control the ones that are on my network, because they increase the attack surface of our networks by orders of magnitude. The more devices you add outside of implemented and effective controls, the sooner your organization will suffer a breach. Therefore, if you don't get routines such as patching right, you will be lost under the crushing weight of IoT adoption rates. We have to get the "basics" right to ensure we have a foundation capable of integrating IoT devices. We will also need to assess risk and device configuration, and a number of other areas we will not venture into here.

In the world of cyber security, people and data are what we are most accustomed to thinking about protecting and defending. How do we wrap our heads around the potential problems of IoT, where the numbers are so much higher? I would submit that we undertake the following approach:

  1. Get the basics right. There will be a lot of debate about what "get the basics right" means, but at a high level I am referring to:
    • Have a comprehensive security program based on risk, with regular assessments
    • Identify where all your data is located and ensure it is appropriately categorized
    • User access, and privileged access, is controlled and re-certified (access for IoT devices as well)
    • Network traffic is premeditated and segmented, and network information is logged and monitored (this must also scale)
    • Systems management has KPIs and documented configuration baselines, or employs a CMDB
    • Change management and patching are religiously observed and followed
    • There is a formal incident management/response process (adjust and augment IR for IoT)
    • There is a crisis and contingency management plan that is tested and updated annually

Yup, that was just step 1. Get all this right and you can start to think about being able to control IoT in your ecosystem.

  2. Determine the level of increased risk, or changed risk, related to data loss or breach from #3.
  3. Augment your information management or data governance policies and processes to encompass the increased data creation and interaction that IoT brings.
  4. Determine the physical limits or extensions of IoT devices. Can users outside your physical location use or access devices inside your physical location? Do you need to limit (or attempt to limit) the carrier signal outside your four walls?
  5. Hire a competent and qualified leader to bridge between security and IT. Brandeis Information Security Leadership graduates are great candidates.

IoT is a big problem that can seem overwhelming, where unpatched devices can increase your attack surface by orders of magnitude. Remember, getting the basics right will let you treat IoT with the same risk strategy that has allowed you to manage technology risk.
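As an added illustration of what "control the ones that are on my network" and a documented configuration baseline look like in practice, the following Python reconciles observed devices against a CMDB. This is example code written for this page, not code from the original post or from any product. The CMDB records, the minimum-firmware baseline and the DHCP-lease log lines are all constructed, and the log format is hypothetical; in a real environment the records would come from your CMDB and the leases from your DHCP server or switch ARP tables.

```python
import re
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed CMDB baseline (hypothetical data): what we EXPECT on the network.
# Key is the device MAC; "segment" is the subnet the device is approved to live in.
CMDB = {
    "aa:bb:cc:00:00:01": {"name": "lobby-thermostat", "type": "thermostat",
                          "segment": "10.20.5.0/24", "firmware": "5.9.3"},
    "aa:bb:cc:00:00:02": {"name": "cam-dock-1", "type": "camera",
                          "segment": "10.20.7.0/24", "firmware": "2.4.0"},
    "aa:bb:cc:00:00:03": {"name": "cam-dock-2", "type": "camera",
                          "segment": "10.20.7.0/24", "firmware": "2.1.9"},
    "aa:bb:cc:00:00:04": {"name": "hvac-roof", "type": "hvac",
                          "segment": "10.20.5.0/24", "firmware": "1.2.0"},
}

# Constructed minimum approved firmware per device type (the patching baseline).
MIN_FIRMWARE = {"thermostat": "5.9.0", "camera": "2.4.0", "hvac": "1.2.0"}

# Constructed DHCP-lease-style log lines in a hypothetical format.
LOG_LINES = """\
2018-10-03T10:15:02Z dhcpd lease ip=10.20.5.17 mac=aa:bb:cc:00:00:01 host=lobby-thermostat
2018-10-03T10:15:09Z dhcpd lease ip=10.20.7.21 mac=aa:bb:cc:00:00:02 host=cam-dock-1
2018-10-03T10:16:44Z dhcpd lease ip=10.20.1.88 mac=aa:bb:cc:00:00:03 host=cam-dock-2
2018-10-03T10:17:01Z dhcpd lease ip=10.20.5.40 mac=de:ad:be:ef:00:99 host=ESP_9A3F21
2018-10-03T10:17:30Z dhcpd lease ip=10.20.5.17 mac=aa:bb:cc:00:00:01 host=lobby-thermostat
""".splitlines()

LEASE_RE = re.compile(r"ip=(?P<ip>\S+) mac=(?P<mac>[0-9a-fA-F:]{17}) host=(?P<host>\S+)")


def version_tuple(version):
    """Turn '2.4.0' into (2, 4, 0) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


@dataclass
class Findings:
    unknown: list = field(default_factory=list)        # seen on the wire, absent from the CMDB
    wrong_segment: list = field(default_factory=list)  # known device seen outside its approved subnet
    outdated: list = field(default_factory=list)       # CMDB firmware below the approved minimum
    unseen: list = field(default_factory=list)         # in the CMDB but never observed


def reconcile(log_lines, cmdb=CMDB, min_firmware=MIN_FIRMWARE):
    """Compare observed leases with the CMDB baseline and return the gaps."""
    seen = {}  # mac -> set of IPs it has held
    for line in log_lines:
        match = LEASE_RE.search(line)
        if match is None:
            continue  # not a lease line; ignore
        seen.setdefault(match["mac"].lower(), set()).add(match["ip"])

    findings = Findings()
    for mac, ips in seen.items():
        record = cmdb.get(mac)
        if record is None:
            findings.unknown.append((mac, sorted(ips)))
            continue
        approved = ip_network(record["segment"])
        for ip in sorted(ips):
            if ip_address(ip) not in approved:
                findings.wrong_segment.append((record["name"], ip, record["segment"]))

    for mac, record in cmdb.items():
        minimum = min_firmware.get(record["type"])
        if minimum is not None and version_tuple(record["firmware"]) < version_tuple(minimum):
            findings.outdated.append((record["name"], record["firmware"], minimum))
        if mac not in seen:
            findings.unseen.append(record["name"])
    return findings


if __name__ == "__main__":
    result = reconcile(LOG_LINES)
    print("Unknown devices:   ", result.unknown)
    print("Wrong segment:     ", result.wrong_segment)
    print("Outdated firmware: ", result.outdated)
    print("Not observed:      ", result.unseen)
```

Each list in the result maps to one of the "basics" above: unknown MACs are a gap in access control and inventory, a device on the wrong subnet is a segmentation failure, firmware below the baseline is a patching failure, and a CMDB entry that never appears on the network is a stale record that needs re-certification. Run on a real lease file, the same four lists are what you would feed into change management and incident response.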

Information Security has the perfect mindset to facilitate decision-support red teaming

By Joseph Dalessandro

We hear the term "red team" used liberally these days. In the physical security space it is applied to force-on-force scenario testing (subverting hardened facilities and assets), and in the information security space it primarily refers to "white hat" hacking to assess the security posture of systems, devices, network perimeters and web applications.

A "red teamer" in the decision-support or strategic space is formally trained and uses critical-thinking tools and techniques to provoke analysis and to stress-test strategies, plans and perspectives. At the heart of this work is modeling or reframing the problem space from the adversary's perspective. Red teamers and security pros are by nature contrarians, and it is this contrarian mindset we want to capitalize on.

While cybersecurity "red teaming" in the sense of penetration testing is vital to an organization's testing of its security and data protection posture, it has a narrow scope, and everyone in this space now wants to call his or her work red teaming. Decision-support red teaming is the practice I am submitting that organizations can immediately benefit from and are not currently employing. This is an area where your security team can add value by adopting the tools and techniques to facilitate red teaming. Information security professionals are diverse thinkers and often "see" across the entire enterprise. Equipping them with red team tools and techniques can enhance their value in guiding the organization to make better decisions.

Red teaming and the value of a premortem

So how do we do it? How do we immediately capitalize on our existing stance as contrarians to serve as strategic red teamers? There are a number of available tools, such as the U.S. Army's Applied Critical Thinking Handbook and Bryce Hoffman's Red Teaming. Most importantly, we start with buy-in and genuine support from the top of the organization, and the commitment that we will trust our decision to conduct red team analysis and will be true to the results. There are a number of short exercises to try this with; one of the most straightforward is to have your security staff conduct a premortem on your most important security project for the upcoming year.

The basic approach of the premortem is to imagine, prospectively, that the project has already failed, and to use that vantage point to illuminate the cause(s) of the failure. This is not a risk assessment. We are not speculating on what could harm our project; we are identifying what actually caused the failure. This is pathology: we are engaged in diagnosis, not prognosis. The supplies are easy to acquire; you will need paper or index cards, pens or pencils, and a whiteboard or projector.

  • The leader (security staff facilitator) level-sets with the group by reading out the summary from the business case or a summarized version of the project. The leader tells everybody to assume that the project team has made the decision to go forward, that the project has gone forward and has concluded, and that we are now a year into the future: the project has been an utter failure. It has crashed and burned with no redeeming outcome or benefit.
  • Exercise: each player (project team member) takes the paper in front of him or her and writes a brief narrative or cause of the failure. Take 5 minutes and work in silence.
  • The facilitator collects the papers or cards and compiles a list of all the points on the whiteboard or projector. The facilitator can now work with the group to solicit further failure ideas inspired by the list.
  • Engage in a game to determine the top five causes of the failure. [A practical note here: if you conduct a premortem and the group universally agrees that a set of failures are actual, present failures, you have a fundamental problem with your project. Stop it immediately, take a step back and rethink the plan.]

Red teaming is best conducted with as diverse a group as possible, and often those who have had the least to do with forming the project plan provide the sharpest insights into points of failure. As you look to expand your tool set in the future, a master's degree in security leadership can help engender this contrarian mindset and improve the value of security in your organization.

What’s next for EdTech

Education technology is constantly evolving alongside the development of new tools, processes and resources. Each year, an expert panel of community members publishes the NMC Horizon Report, which lays out the latest trends and developments in EdTech and identifies new impacts on learning, teaching, and creative inquiry.

This year’s key findings include:

  • In the short-term, a growing focus on measuring learning and new learning spaces;
  • In the mid-term, an increase in open educational resources and the rise of different forms of interdisciplinary studies; and
  • In the long-term, advancing cultures of innovation and cross-institution and cross-sector collaboration

The report predicts that analytics technologies and makerspaces will likely influence EdTech in 2019. Within the next five years and beyond, educators can expect to see the adoption of more adaptive learning technologies and artificial intelligence, mixed reality and robotics.

Be at the forefront of EdTech

Brandeis University is proud to offer master’s degrees for practitioners seeking to make an impact on the future of education technology:

MS in Instructional Design and Technology

MS in Strategic Analytics

MS in Robotic Software Engineering

Brandeis GPS programs are part-time, and 100% online. To learn more about our master’s degrees, request more information or contact the GPS office: 781-736-8787, gps@brandeis.edu.

FinTech in Boston

With hundreds of startups and some of the world’s largest asset managers, custodial banks, and insurers, it’s no surprise that Boston is a hub for financial technology. Boston is home to many companies in the financial services industry, large and small, including Circle, MassMutual, Flywire, and FinTech Sandbox. In the upcoming week, September 10-14, 2018, these organizations and more will come together for Boston FinTech Week 2018. The theme of this year is: Moving Beyond Volatility.

As part of a collaboration between Boston’s accelerators, institutions, startups, universities, firms, and co-working spaces, events will highlight content on new models and technologies that move markets forward. Throughout the week there are more than 35 free events across downtown Boston celebrating FinTech innovation. Events range from Fintech for Social Impact to Innovation in Insurance. See the full list of the events taking place and register for each event individually here.

For those in the financial sector looking for the technical skill-sets necessary to build a FinTech career, Brandeis GPS will be offering the following course this fall: FinTech: The Evolution of Technology for Financial Services. The 10-week, fully online course will explore FinTech as a solution to challenges facing an inter-connected global marketplace. It will address the evolution of the financial industry landscape, the challenges and opportunities this new era presents, and the drivers behind the change.

At Brandeis GPS, you can take up to two courses before enrolling in one of our 12 master's degrees. If you're interested in exploring the MS in Digital Innovation for FinTech, or would like to explore technology for FinTech as part of your own professional development, contact the GPS office for more information or to request a syllabus: 781-736-8787, gps@brandeis.edu, or submit your information.

Top 10 data scientist Charles Givre becomes new Strategic Analytics program chair

Brandeis GPS is delighted to announce the appointment of Charles Givre, MA, CISSP, as the new chair of our online MS in Strategic Analytics program.

In his role as chair, Charles ensures high course quality and provides the industry insights that keep the program’s goals and outcomes current and relevant. He also recruits and mentors faculty, and advises students on program and course requirements.

Charles is a Vice President and Lead Data Scientist at Deutsche Bank in the Chief Security Office (CSO), where he leads an international team of data scientists working on security challenges. He has a passion for solving difficult problems with data and using data in unique ways to drive business decisions. In fact, Charles was recently named as one of the Top 10 Data Scientists you need to know right now by Enterprise Management 360.

With over 10 years of experience in the intelligence community across various organizations, Charles has a lot to share with the data science community. He regularly teaches classes and presents at international conferences including Strata, Black Hat and the Open Data Science Conference. His research interests include adversarial machine learning as well as improving analytic efficiency. He is a committer to the Apache Drill project and has co-authored a book on the topic.

Charles received undergraduate degrees in Computer Science and Music from the University of Arizona before getting his MA from Brandeis University. Then, he went on to work at the CIA and Booz Allen Hamilton before starting in his role at Deutsche Bank.

Learn more about the part-time, online Master’s of Science in Strategic Analytics here.

Faces of GPS is an occasional series that profiles Brandeis University Graduate Professional Studies students, faculty and staff. Find more Faces of GPS stories here.

Right kind of graduate study can give current biotech staff boost we seek

In their June 4 op-ed, Mayor Marty Walsh and Vertex Pharmaceuticals President, CEO and Chairman Dr. Jeffrey Leiden make a compelling case for strengthening the biotech workforce pipeline in Massachusetts. Establishing strong public-private partnerships with Boston Public Schools is a necessary strategy for developing and retaining young talent for the state’s growing biopharmaceutical sector.

It is equally important, however, that we not overlook alternative pipelines for workforce development. Professional master’s degrees can help research assistants, engineers, lab technicians and other qualified biotech professionals transition into the more advanced bioinformatics positions that Massachusetts relies on to remain competitive.

As we continue prioritizing investments in economic growth and innovation, we must remember that there is more than one educational pathway toward closing the biopharma skills gap. The right type of graduate education can equip professionals who already have a foothold in the industry with the technology and expertise to advance their careers, producing a new wave of talented employees who can take on this complex and incredibly important work.

This letter first appeared in the Boston Globe on June 10.

UXPA Boston Student Recap | Part 2

Brandeis GPS was a proud sponsor of the 2018 UXPA Boston annual conference. This week, we’re featuring a two-part series on how the conference was experienced through the eyes of two students in the MS in User-Centered Design. Read Part 1 here.

By Craig Cailler, as told in his own words:

The Boston Chapter of the User Experience Professionals' Association held their annual conference at the Sheraton Boston Hotel on Thursday, May 10, 2018. I have attended this event for many years and watched it grow from a few hundred people hosted at a local university to over one thousand people attending sessions occupying multiple ballrooms in a large hotel in downtown Boston. This year was something special as the team at UXPA Boston was able to promote an appearance by industry veteran Rolf Molich, from DialogDesign in Denmark in Europe. President of UXPA Boston, Dan Berlin, posted this to his Twitter account about the occasion: "Rolf Molich presenting CUE-10 results at #UXPABOS18 makes me feel like we've finally hit the big time." It was truly a special moment for the team, and the conference, as they prove again that this has become one of the premier annual events within the industry.

The first session I attended this year was "CPUX – A Serious (and Usable?) European Attempt at Certifying UX Professionals," presented by Rolf Molich. The International Usability and UX Qualification Board is composed of UX professionals from across Europe who develop and maintain the curricula for the purpose of introducing usability to new practitioners, keeping active practitioners current and establishing common terminology and technologies across the industry. The CPUX offers several levels of certification, covering topics such as the human-centered design process, definitions, understanding of context of use, user requirements, design solutions, usability tests, and inspections and user surveys. During the session, Rolf "quizzed" the audience with sample questions used in the certification process using online live polling software. Rolf closed out the session by telling the audience that the team at UXQB was looking for sponsors here in the United States to begin providing this training, so keep your eyes out for future CPUX classes in our area.

I was also introduced to several new tools as part of other presentations. In the session entitled "Through Their Eyes: Using VR to Simulate Retinal Diseases," Jessica Holt-Carr and Weiwei Huang walked the audience through the process they used to build empathy for disabled users who suffer from visual impairments by using low-vision simulation kits. Jessica and Weiwei explained how they used an Android application called SimViz (In My Eyes is the iOS alternative) in conjunction with a hand-made cardboard device that held the mobile device comfortably on participants while blocking out all light sources. Jessica summarized the benefits of this approach as:

  • Identifies accessibility barriers
  • Seeing the world from their view
  • Raises awareness to the issue

In another session entitled "Digital whiteboarding and other techniques for remote collaboration and ideation," the team of Kristina Beckley and Ethan Perry from IBM spoke to the audience about a digital whiteboarding tool called "Mural." They discussed how they used the tool to collect input from global team members as part of their global design process, which includes "Hills, Playbacks and Sponsor Users." They provided the audience with some best practices based on their use of the tool, including:

  • Timebox the process
  • Make sure people are contributing
  • Setup separate rooms, 8-12 people each

UXPA Boston Student Recap | Part 1

Brandeis GPS was a proud sponsor of the 2018 UXPA Boston annual conference. This week, we’re featuring a two-part series on how the conference was experienced through the eyes of two students in the MS in User-Centered Design. Read Part 2 here.

By Roslyn Jones, as told in her own words:

I had a great experience at the UXPA Boston conference. There were so many great professionals and organizations to network with. My most important takeaways derived from the organization networking space, Making Websites Readable discussion and the Mentoring forum.

Within the organization networking space, I was able to connect with multiple companies that were either offering User Experience (UX) job positions or showcasing tools valuable to the UX industry. The MPACT game-like persona builder, which is pictured below, is a creatively innovative tool that aids teams in creating persona profiles. The representatives at each table were so pleasant and were eager to speak to each attendee about the services that their businesses provide. Also, it was a pleasure meeting student advisor Daniel Mongeon at the Brandeis GPS table. As I continued to explore the different tables, I stumbled upon the National Society of Black Engineers (NSBE), an academic, professional, service-based engineering organization. It was great connecting with them and speaking with other conference attendees about its purpose.

The Making Websites Readable session provided methods to enhance the readability of a website in a fun and engaging way. They incorporated storytelling, comic strips, and a web-redesign exercise to deliver their 7 Tips for Web Style. The session started off with an animated reading of a Pearls Before Swine comic strip, which was nothing short of entertaining. This led us into analyzing a poorly designed website created specifically for this demonstration. I like how Jen Kramer and Martha Nichols continuously engaged the audience, maintained high energy throughout the presentation and presented takeaways that were short, simple, and useful. Their 7 Tips for Web Style are:

  1. Keep it short
  2. Add snappy headings
  3. Find your focus
  4. Make a list
  5. Get specific
  6. Adjust visuals
  7. Use your words wisely

During the Mentoring Session, I obtained perspectives from two professionals who have years of UX experience. Our mentee group consisted of seven individuals who are new to UX. Throughout this session we received great tips on how to position ourselves to impress a manager or other UX hiring executive. My key takeaways from this session involved tips for figuring out how to make yourself more marketable in the field. This includes being able to communicate with industry professionals, understanding and portraying knowledge of the process, showcasing your relative skills, and participating in events that strengthen and highlight these relative skills.

Susan Carman brings decades of expertise, leadership to Health and Medical Informatics

Brandeis GPS is thrilled to announce the hiring of Susan Carman, MS, CHCIO, PMP, as program chair of the online MS in Health and Medical Informatics.

In her role as chair, Susan serves as the subject matter expert for the program, providing the industry insights that keep the program’s curriculum and outcomes current and relevant.

Susan is the Chief Information Officer at UHS Hospitals and has served in the healthcare information technology and informatics industry for a total of 28 years. Prior to her current role, Susan was the VP of Information Technology at Wingate Healthcare, implementing an EMR system and building a HIPAA security plan for their 19 post-acute care facilities.

Susan spent 15 years of her career at Medical Information Technology (MEDITECH) implementing Electronic Medical Records throughout the U.S. and Canada. She transitioned to the healthcare provider sector in 2004, starting with the Massachusetts Department of Public Health and more recently at Hebrew SeniorLife, where she led her team to complete a Stage 6 EMR implementation. Susan is certified as a Healthcare CIO (CHCIO) and Project Manager (PMP) and is an active member of HIMSS (Healthcare Information and Management Systems Society) and CHIME (College of Healthcare Information Management Executives). She is also an active participant in the Executive Mentorship Program with ACHE (American College of Healthcare Executives). Susan completed her Master's degree in Healthcare Informatics at the University of Massachusetts in 2013.

Learn more about the part-time, online Master’s of Science in Health and Medical Informatics here.