#rowhousellc

Only 31% of organizations discovered IT security compromises through their own resources last year, according to Mandiant.

These days, it seems, one of the most important jobs of an IT staff would be to detect a cyber attack.

Actually, though, companies are increasingly reliant on third-parties to notify them that their security has been compromised, according to a new report from FireEye’s Mandiant unit.

Companies are continuing to find cyber attackers sooner. In its latest annual cyber-threat report, Mandiant, an incident response service, said the average time a company takes to detect a data breach fell to 205 days in 2014, down from an estimated 229 in 2013 and 243 in 2012.

But as cyberattacks increase in complexity and sophistication, companies don’t always have the in-house resources to detect them. As a result, only 31% of organizations discovered they were breached through their own resources last year, compared with 33% in 2013 and 37% in 2012.

Business and professional services and retail operations saw the most online intrusions from malicious hackers in 2014, with Mandiant finding that a common thread in these breaches is a lack of basic security protocols, such as two-factor authentication. Without two-factor authentication safeguards, a single stolen credential — obtained through phishing campaigns or social engineering — can leave an entire network vulnerable.

Other emerging targets for hackers include government and international organizations and healthcare. Media and entertainment was down to 8% of intrusions from 13%—despite the much-publicized hack of Sony Pictures.

“There is no such thing as perfect security,” Kevin Mandia, senior vice president and COO of FireEye, told ZDNet. “Based on the incidents that Mandiant investigated in 2014, threat actors have continued to evolve, up their game, and utilize new tools and tactics to compromise organizations, steal data, and cover their tracks.”

An increasingly popular trick among phishers, Mandiant found, is to pose as IT employees asking for updated credentials. Such impersonations accounted for 78% of all phishing in 2014, compared with just 44% in the previous year.

Mandiant also said that once they have infiltrated a network, more cybercriminals are using “complex” tactics to avoid detection, such as hiding away through Windows Management Instrumentation, a set of specifications from Microsoft for consolidating the management of devices and applications in Windows.

Written by Matthew Heller. To read the full article, click here. For more information on operations and information technology management, please visit us at www.rowhousellc.com and follow us everywhere @rowhousellc.

Gene Kim was bitten by the entrepreneurial bug early. In 1992, while still a student at Purdue, Kim co-authored an open source tool called Tripwire, which would become a free software security and data integrity tool useful for monitoring and alerting on specific file changes on a range of systems. Kim would become the Chief Technology Officer of Tripwire, a role he would have until mid-2010.

In 1999, while still at Tripwire, Kim began to formally study IT organizations, noting the methods used by high performing organizations.  One observation was that these organizations often had IT operations, security, audit, management, and governance working together to solve common business objectives. This research would eventually lead to a number of books that Kim would co-author.  Visible Ops Security was released in 2004, and The Visible Ops Handbook was released in 2009.  When Kim left Tripwire, it was to dedicate himself to this research, to speaking, and to consulting with companies around the world.  

In 2013, Kim (together with  Kevin Behr and George Spafford) authored The Phoenix Project: A Novel about IT, DevOps, and Helping Your Business Win. As the title suggests, the book is told as a novel.  The hero of the story is Bill, the IT manager of a company called Parts Unlimited. The company is pursuing a critical IT initiative that is over budget and late. The CEO tells Bill that he has 90 days to fix the mess, or IT will be outsourced.  The notion of DevOps is born, referring to a development method that pushes communication, collaboration, integration, automation and measurement of cooperation between software developers and other IT team members. DevOps also highlights the interdependence of software development and IT operations. It aims to help an organization rapidly produce software products and services and to improve operations performance.

Though Kim and his co-authors did not create the idea of DevOps, their novel has helped to popularize it.

As Kim notes from his study of over 14,000 IT professionals worldwide, high-performing organizations are two and a half times more likely than their peers to exceed profitability, market share, and productivity goals.

(To listen to an unabridged podcast version of this interview, please visit this link. This is the ninth interview in the IT Influencers series. To read the past eight interviews with leaders such as President Vicente Fox of Mexico, Walt Mossberg, Salman Khan, Jim Goodnight, and Yves Behar, please visit this link. To read future interviews in the series, please click the “Follow” link above.)

Peter High: Gene, what is driving demand for DevOps?

Gene Kim: I have been studying high performing technology organizations since 1999. I think the reason everybody is so interested in DevOps is that it solves a problem that we have all experienced in our careers, which is how do we simultaneously enable the fast flow of features from delivery through test and operations while preserving world class reliability, stability, and security. I think most of us felt these were mutually opposed; you could either get fast flow or great reliability. What DevOps really represents to me are the cultural norms and the technical practices that enable us to finally get both. We know that organizations can do this because companies like Amazon, Google, Etsy, and Netflix have been able to replicate this. We can get incredibly high rates of flow from Dev to Ops, as measured by high frequencies of deployments and short lead times, while also preserving great reliability. We phrase it like this because it is part cultural and part technical. My area of passion is really codifying what are those necessary steps to get from here to there.

High: How does one get “from here to there?” What are some of the people and process changes that an organization has to think about in order to explore DevOps more fully?

Kim: Part of it is cultural, part of it is incentive structures between Dev, Test, and Operations, and part of it are the technical practices like continuous testing and delivery. These are all the preconditions that get one to compress dev-test cycle from months to, ideally, minutes, as the high performers do.

High: From a staffing perspective, do you find that there is a certain type of person or set of skills that organizations should recruit in order to achieve this?

Kim: There are certain characters that we see in every one of these high performers. In the Phoenix Project we framed it in three ways, which tended to be a set of principles from which one can derive all of the observed DevOps patterns. The first is all about accelerating flow as you go from left to right, Dev to Ops, in the value stream. The second is the flow of feedback, how do you create effective feedback from Ops back to Dev so that when something goes wrong you can either prevent it or detect it more quickly. The third is about creating a culture of continual learning and experimentation using the notions of high trust culture. The most competitive organizations are ones that can learn, those who can turn local improvement into global solutions.

Broadly speaking, that means we need managers and practitioners who can work not only in their Dev, Testing, or Ops siloes, but can optimize outcomes for the entire value stream. The goal is the fast flow of idea to production, as well as fast feedback when something goes wrong. That sets the stage for doing things like AB testing and creating organizational learning not just through dev, test, and operations but through the entire business value stream. Ultimately, I think that is how we win in the marketplace. Create a learning environment. That has been in the literature for decades but has never been more relevant than in IT, specifically DevOps.

High: Is there a common denominator—size, scale, or speed—in organizations that you have found have been able to leverage DevOps? It goes across industries, but are there certain kinds of companies that are best suited for this?

Kim: That question is what set us out to run the DevOps Enterprise Summit back in October. The goal was to not have the “unicorn” companies (Amazon, Netflix) present, but the horses. What we were interested in was how large, complex organizations that have been around for decades—maybe even centuries—are adopting DevOps practices and replicating outcomes that we have seen with the unicorns.

The stories that were told were, in my mind, breathtaking. It was organizations like Disney, GE Capital, Nationwide Insurance, the Department of Homeland Security. All of these organizations that have the legacy of success, yet they are all realizing that winning in the marketplace will require them to focus not on control costs but optimize for speed.

There were three takeaways for me. The principles are very much the same, but level of savviness and sophistication required to actually mobilize the subversive and innovative effort like DevOps is breathtaking. Essentially, it takes a courageous leader to mobilize an organization. Often they have to take on the naysayers; it takes a very special person to be able to drive a transformation like that.

Written by Peter High. To read the full article, click here. For more information on operations and information technology management, please visit us at www.rowhousellc.com and follow us everywhere @rowhousellc.

Security management best practices – The top 10 network  Security management best practices if not followed expose a company’s assets and reputation to unnecessary risk.

10 Security Management Best Practices

This top 10 list is one that has been proven in practice.  NO organization that follows all of them has ever been attacked with their know that an attack is in progress and can react to it before it becomes a major media event.

Centralize Malware Management

Establish Boundary Control

Centralize Provisioning and Authorization Management

Implement Acceptable Use Policy

Build Security into Applications Starting in the Design Phase

Understand and Implement all Compliance and Audit Requirements

Implement Monitoring and Reporting Processes

Manage security deployment and Infrastructure Processes

Implement Network and Host Defenses

Constantly Validate Network and System Resource Integrity

Written by Victor Janulaitis. To read the full article, click here. For more information on operations and information technology management, please visit us at www.rowhousellc.com and follow us everywhere @rowhousellc.

When it comes to being a boss, there are plenty of scary statistics out there–especially for CIOs. Nearly three out of 10 large IT projects fail. And the average cost overrun on IT projects is 27%, with one out of six IT projects having cost overruns of 200%. To get to the root of the causes behind these and other leadership issues, APQC has released a survey that lists the biggest challenges within six key management categories: process, performance, change, quality, project, and financial. As for the top challenges faced within those categories? The list includes employee and leadership engagement, benchmark identification, success measurement and performance delivery. If CIOs are to ascend as strategic leaders–as opposed to those who simply oversee tech maintenance–they must carefully examine each challenge and come up with an effective response. APQC is a member-based nonprofit group which helps organizations improve productivity and quality through business benchmarking, best practices and knowledge management. More than 300 business executives took part in the research.

Written by Dennis McCafferty. To read the full article, click here. For more information on operations and information technology management, please visit us at www.rowhousellc.com and follow us everywhere @rowhousellc.