Guest blog by Info-Tech Research Group.
Everything you know about Information Technology (IT) will change in the next five years. Everything. A perfect storm of technology trends (Mobility, Social Media, Cloud, Big Data and Security) is pushing technology beyond the IT department and into the business itself. Did someone in your organization ‘forget’ to tell you about a cloud service they purchased for their department on their credit card? Did they only ‘remember’ you once they needed it to integrate with a core system?
If this has happened to you, you need to change both the value you are delivering and the way you are delivering IT. Your goal should be to get involved in the conversation earlier. To do that you need to be seen as a business enabler, not a business inhibitor. IT used to be asked to “count the beans”. Now your job is to help the business grow more beans.
CIO reality check: If you don’t innovate, you’ll become irrelevant.
Let’s talk about your role in innovation. At one time, you were probably a Firefighter – reacting to problems all day long. In time you established some processes, got your feet under you, and became a Trusted Operator. In a recent study conducted by Info-Tech Research Group, 52% of CIOs still self-identified as Firefighters, 40% as Trusted Operators, and only 8% as Innovators. Imagine the results if you asked their CEOs instead.
If you want to remain relevant you are going to have to cross the Innovation Chasm.
Why does the Innovation Chasm exist? As a CIO, you have been charged with protecting your organization’s valuable assets, and with providing a reliable and stable infrastructure. As a result, you have become the “CI-No”:
- “No, we can’t buy that application you saw in an airplane magazine.”
- “No, we can’t have a new Web site built in two weeks.”
- “No, we can’t do that because it will expose our customer data.”
You could be the CI-No because you were the only game in town: if the business wanted access to technology, they had to come through you. That’s not the case anymore. One of the byproducts of the perfect storm is that the business can now access technology directly from the Cloud without your involvement, and without your knowledge. It happens in companies of all sizes, in every industry, regardless of your IT or security stance. When business has access to that technology, it widens the chasm.
IT has to up its game, and smart CIOs are on a path to help the business use technology to innovate both what they do and how they do it.
Let’s look at this a different way.
Chasms can be daunting, so it’s easier to approach innovation as a series of steps. Traditionally, CIOs have focused on those bottom steps, on helping to get the fundamentals right to provide highly available and highly secure computing platforms that support the business.
But increasingly CIOs efforts have to be focused on the next steps – what we at Info-Tech Research Group call the CIO Sweet Spot. Focus on achieving quick wins in the CIO Sweet Spot to earn a broader innovation mandate. You’ll know you’ve earned your mandate when the CEO, CFO, CMO and other members of the C suite look to you for technology-enabled business innovation that will help them lower costs, increase process efficiency and garner significant revenue gains.
To become an Innovator, you need to challenge your own organizational inertia, stay ahead of trends, and sustain and grow a disciplined process of innovation throughout your company. Info-Tech Research Group’s 3R’s of Innovation were designed to help you meet this challenge.
Reality. A business needs assessment of where you are today, and a mandate of what you need to do to remain relevant tomorrow.
Role. As a CIO, you are lucky enough to have a unique end-to-end view of your business and you should be the driving force behind much of what it takes for your company to innovate.
Results. Innovation does not just happen. It takes focus. It takes discipline. It takes process. We call it institutionalizing innovation. Info-Tech Research Group has a governance model, framework and hands-on tools and advice to help you make this happen in your organization.
By following the 3R’s of Innovation, you will find opportunities to drive innovation within your company, you will position your company for the future, and you personally will be seen as an innovator within your organization, which will reenergize you and give you new opportunities.
Info-Tech Research Group is a practical and tactical research and advisory firm that works with over 28,000 IT professionals to help deliver measurable results. If you would like to know more information about Info-Tech, please contact Jason Esler at email@example.com
by guest blogger Ken Grady, CIO, New England BioLabs
I had been in my job here exactly 6 months. How did I know? Because my password had just expired according to the company’s password policy. So, I had to reset it, and reteach my muscle memory the chosen new password for the next two weeks, swearing softly (or not so softly) under my breath every time I logged in.
I recently oversaw a change in password policy at my company. To be fair though, the old policy was not that far off the “norm”:
- Required changing twice a year
- Minimum of 7 characters
- It couldn't contain your first name or last name.
- When changing it, you couldn't repeat any of your last 3 passwords.
- It had to contain at least 3 of the following 4:
- An upper case letter
- A lower case letter
- A number
- A special character ($, !, *, etc)
This is fairly typical of the password policies you find at most corporations. And I've definitely seen worse. But with these policies, all most IT departments succeed at is making users write their passwords down on a sticky note, or place calls to the Help Desk unnecessarily.
"And by the way, changing the password every so often does absolutely nothing to make you more secure. "
This isn't to say that requiring passwords is a bad idea: identity theft and theft of intellectual property are increasingly common. You hear about it all the time on the news these days (which is another indication that most password policies are ineffective).
You just need a good password policy. And by the way, changing the password every so often does absolutely nothing to make you more secure. Changing the password only helps if it was already hacked. It doesn’t change the math required to hack it in the first place, and offers little to a company like ours besides increasing the number of help desk calls we receive. That’s why, to me, that requirement in a password policy seems useless and unnecessary.
READ THIS PART IF YOU LIKE MATH
The overall complexity of a password can be calculated and expressed in mathematical terms. To understand what makes a good password (at work or at home), mathematicians and security people talk about the concept of "entropy." In essence, it's the algorithm that combines the total number of possibilities for each character, and the total number of characters, and figures out how long it would take to go through them to get the right one.
With our old password policy, the complexity, or "entropy", as expressed in mathematical terms of my password hovered around 7.56 * 10^12. Which sounds like a fairly big number, right?
Not so much. Such passwords take about 2 days to break through using run-of-the-mill hacking programs downloaded off the internet (I wish I was making that up). It would take less than 2 minutes for a reasonably modern hacking algorithm to break.
READ THIS PART IF YOU ONLY LIKE MATH WHEN IT COMES WITH PICTURES
(Image Credit: xkcd.com)
Here is the new password policy I have since implemented here.
Computer passwords are required to be at least 20 characters long.
That's right. 20. Spaces count. Trust me, it’s not as crazy as you think. And once we explained it, everyone was fine with it. Our users can make nifty little sentences they’ll never forget, and special characters or numbers aren’t required. They are exponentially harder to break than their old passwords. Here are some good acceptable examples:
• I have really bright children (30 Characters. Complexity: 9.08 x 10^55)
• Tom Brady is super dreamy (25 Characters. Complexity: 1.74 x 10^48)
• Watch out for terrapins (23 Characters. Complexity: 2.41 x 10^44)
• I am methylation sensitive (26 Characters. Complexity: 1.48 x 10^50)
Don’t worry about calculating the exact password complexity. I just did that above for illustrative purposes. The important thing is that the number is crazy-high compared to what's possible with typical password policies. (For comparison, the complexity of our old passwords was 7.56 * 10^12).
This policy is exponentially more secure, and every example shown above is far easier to remember than a typical password.
And perhaps the best part is that passwords need never expire! As mentioned above, that policy adds nothing to the overall security.
Along with ensuring every authorized device has a digital certificate, this has created a much more secure and stable policy, backed up by reasons that our users understand and can get behind. They no longer experience the frustration of changing and forgetting their passwords, and we have reduced calls to the Help Desk.
It's not exactly peace in the Middle East but it certainly will make life a little easier, and more secure, for our users.