CIOs must adapt to the era of the consumer
The way most people use technology has changed, and most corporate IT departments have failed to adapt to the era of the consumer, says Tony McGivern, CIO of analytic software company FICO. McGivern shares his thoughts on the changes IT departments must make now.
McGivern: It started with a push to mobile. Consumers began to seriously adopt smartphone technology at home, and that has now entered the workplace. End users consume services on the consumer web — Facebook and Yelp, to name two — and now expect or demand that enterprise applications will work the same way. Unfortunately, enterprise applications haven't evolved as quickly, which has created a bit of a disconnect. And we as an IT department are left to pick up the pieces.
Both internal employees and FICO's customers are looking for ease of use, the ability to access information, and to receive the same functionality no matter what device they are on. Previously, there was an expectation that you'd have to be locked in on a VPN, and on the network, in order to access your applications and information for work. Today, those expectations are now considered obstacles and impediments to productivity instead of the norm.
TEP: How has that changed things for CIOs?
McGivern: My role as CIO has become that of a facilitator. At FICO, we work with external vendors to execute a cloud-first approach, purchasing and provisioning cloud-based solutions as opposed to on-premises solutions. We work with external vendors across almost all facets of our business who provide us with cloud solutions to ensure we have a coherent end-to-end set of solutions. Therefore, IT's role as an integration partner consists of facilitating between ourselves, our vendors and our end users, the consumers. You can now access your information and applications anywhere, on any device, because we're able to deliver that ease of use within our compliance requirements.
TEP: Why is cloud-first the right approach for FICO?
McGivern: My goal is to only run applications that generate revenue for FICO. I don't want to be in the business of running ERP systems, for example. I do want FICO to be a consumer of cloud services when it allows the company to be productive. So my mission is split between ensuring we are productive internally and delivering effective and highly functional applications through a cloud delivery model. And we do all of that while operating within a very tight compliance model.
TEP: The information FICO handles is highly sensitive in nature and comes under regulatory protections. How do you make sure your data stays safe?
McGivern: Of course, we couldn't push a cloud migration unless we as an IT department felt comfortable doing so. We started by establishing the right relationships with our providers so that we could monitor and detect data leakage. Our cloud storage provider, for example, needed to adhere to our compliance framework and satisfy a level of diligence.
In order to handle highly sensitive information, which comes under regulatory protections, you must understand the compliance and regulatory frameworks in which you will be operating. And in order to be fully compliant with that security framework, it is always necessary to add a couple of other layers of security to the "traditional" access models.
Our current paradigm is not about prevention, but protection. While I probably won't be able to prevent some sort of access to a network, I can make it a priority to detect that access; and if I'm able to detect and isolate those breaches and out-of-pattern behaviors, the data can be better protected.
The process of securing our cloud applications is an ongoing exercise, and one that requires us to rely on a lot of great partners — one of them being our identity and access management provider, which helps us to understand who is accessing our services and when. The paradigm helps us to identify and isolate threats to better understand the resources that we have on our network and who is accessing what. This threat detection is fundamentally a question of diligence, as it is a scenario that is never fully completed. We are always looking for our next vulnerability or area that can be exploited, such that we can never rest.
TEP: Moving what must have been quite a lot of data and software to the cloud sounds like a huge undertaking. What challenges did you face?
McGivern: First you have to determine what should go to the cloud and what should not. We actually have a tiered storage model, such that not everything is stored in the cloud, and for good reason. Most sensitive data sets remain on-premises in heavily encrypted file storage; meanwhile, our general corporate data and information can be shared based around our product sets. The cloud is an effective medium for facilitating collaboration and data sharing. Documents like RFPs, which inherently require collaboration, are a very compelling use case to drive cloud adoption.
Most of the challenges that we faced when we moved our data and software to the cloud were cultural. We had to convince people that this was the right move. It also helped that we asked each business unit what their primary collaboration needs were, which absolutely increased adoption of our cloud services. And as it happens, when you push out an identity management provider, you're able to uncover a lot of applications that your end users have been utilizing without your permission or knowledge, also known as shadow IT.
Ultimately, we were able to show our end users how to remediate their collaboration issues with our cloud services. Using an identity management provider, we were able to tie together tools like our file storage and cloud storage partners, and the rest was history. Our end users caught the bug.
Tony McGivern is FICO's Chief Information Officer. He joined FICO in 2012 following FICO's acquisition of Adeptra — a company that developed mobile technology to automate interactions between businesses and consumers. McGivern served as both chief executive officer and chief technology officer at Adeptra. Previously, McGivern was the Chief Technology Officer and Senior Vice President of strategy at USinternetworking (USi), a pioneering company in the web-based delivery of business applications. Tony helped guide USi through a successful acquisition by AT&T in 2006. Tony is originally from Australia, where he earned a bachelor's degree in technology management and marketing from the University of Technology in Sydney.