Monday, January 28, 2013

The Open Group Keynoter Sees Big-Data Analytics Bolstering Quality, Manufacturing, Processes

Transcript of a BriefingsDirect podcast on how Ford Motor Company is harnessing multiple big data sources to improve products and operations.
Listen to the podcast. Find it on iTunes. Download the transcript. Sponsor: The Open Group.

Dana Gardner: Hello, and welcome to a special BriefingsDirect thought leadership interview series coming to you in conjunction with The Open Group Conference on Jan. 28 in Newport Beach, California.

I'm Dana Gardner, Principal Analyst at Interarbor Solutions, and I'll be your host and moderator throughout these business transformation discussions. The conference will focus on "Big Data -- The Transformation We Need to Embrace Today."

We are here now with one of the main speakers at the conference, Michael Cavaretta, PhD, Technical Leader of Predictive Analytics for Ford Research and Advanced Engineering in Dearborn, Michigan.

We’ll see how Ford has exploited the strengths of big data analytics by directing them internally to improve business results. In doing so, they scour the metrics from the company’s best processes across myriad manufacturing efforts and through detailed outputs from in-use automobiles, all to improve and help transform their business. [Disclosure: The Open Group is a sponsor of BriefingsDirect podcasts.]

Cavaretta has led multiple data-analytic projects at Ford to break down silos inside the company to best define Ford’s most fruitful data sets. Ford has successfully aggregated customer feedback, and extracted all the internal data to predict how best new features in technologies will improve their cars.

As a lead-in to his Open Group presentation, Michael and I will now explore how big data is fostering business transformation by allowing deeper insights into more types of data efficiently, and thereby improving processes, quality control, and customer satisfaction.

With that, please join me in welcoming Michael Cavaretta. Welcome to BriefingsDirect, Michael.

Michael Cavaretta: Thank you very much.

Gardner: Your upcoming presentation for The Open Group Conference is going to describe some of these new approaches to big data and how that offers some valuable insights into internal operations, and therefore making a better product. To start, what's different now in being able to get at this data and do this type of analysis from, say, five years ago?

Cavaretta: The biggest difference has to do with the cheap availability of storage and processing power, where a few years ago people were very much concentrated on filtering down the datasets that were being stored for long-term analysis. There has been a big sea change with the idea that we should just store as much as we can and take advantage of that storage to improve business processes.

Gardner: That sounds right on the money, but how did we get here? How do we get to the point where we could start using these benefits from a technology perspective, as you say, better storage, networks, being able to move big datasets, that sort of thing, to wrenching out benefits? What's the process behind the benefit?

Sea change in attitude

Cavaretta: The process behind the benefits has to do with a sea change in the attitude of organizations, particularly IT within large enterprises. There's this idea that you don't need to spend so much time figuring out what data you want to store and worry about the cost associated with it, and more about data as an asset. There is value in being able to store it, and being able to go back and extract different insights from it. This really comes from this really cheap storage, access to parallel processing machines, and great software.

Gardner: It seems to me that for a long time, the mindset was that data is simply the output from applications, with applications being primary and the data being almost an afterthought. It seems like we sort of flipped that. The data now is perhaps as important, even more important, than the applications. Does that seem to hold true?

Cavaretta: Most definitely, and we’ve had a number of interesting engagements where people have thought about the data that's being collected. When we talk to them about big data, storing everything at the lowest level of transactions, and what could be done with that, their eyes light up and they really begin to get it.

Gardner: I suppose earlier, when cost considerations and technical limitations were at work, we would just go for a tip-of-the-iceberg level. Now, as you say, we can get almost all the data. So, is this a matter of getting at more data, different types of data, bringing in unstructured data, all the above? How much are you really going after here?

Cavaretta: I like to talk to people about the possibility that big data provides and I always tell them that I have yet to have a circumstance where somebody is giving me too much data. You can pull in all this information and then answer a variety of questions, because you don't have to worry that something has been thrown out. You have everything.

You may have 100 questions, and each one of the questions uses a very small portion of the data. Those questions may use different portions of the data, a very small piece, but they're all different. If you go in thinking, "We’re going to answer the top 20 questions and we’re just going to hold data for that," that leaves so much on the table, and you don't get any value out of it.

Gardner: I suppose too that we can think about small samples or small datasets and aggregate them or join them. We have new software capabilities to do that efficiently, so that we’re able to not just look for big honking, original datasets, but to aggregate, correlate, and look for a lifecycle level of data. Is that fair as well?

Cavaretta: Definitely. We're a big believer in mash-ups and we really believe that there is a lot of value in being able to take even datasets that are not specifically big-data sizes yet, and then not go deep, not get more detailed information, but expand the breadth. So it's being able to augment it with other internal datasets, bridging across different business areas as well as augmenting it with external datasets.

A lot of times you can take something that is maybe a few hundred thousand records or a few million records, and then by the time you’re joining it, and appending different pieces of information onto it, you can get the big dataset sizes.

Gardner: Just to be clear, you’re unique. The conventional wisdom for big data is to look at what your customers are doing, or just the external data. You’re really looking primarily at internal data, while also availing yourself of what external data might be appropriate. Maybe you could describe a little bit about your organization, what you do, and why this internal focus is so important for you.

Internal consultants

Cavaretta: I'm part of a larger department that is housed over in the research and advanced-engineering area at Ford Motor Company, and we’re about 30 people. We work as internal consultants, kind of like Capgemini or Ernst & Young, but only within Ford Motor Company. We’re responsible for going out and looking for different opportunities from the business perspective to bring advanced technologies. So, we’ve been focused on the area of statistical modeling and machine learning for I’d say about 15 years or so.

And in this time, we’ve had a number of engagements where we’ve talked with different business customers, and people have said, "We'd really like to do this." Then, we'd look at the datasets that they have, and say, "Wouldn’t it be great if we would have had this. So now we have to wait six months or a year."

These new technologies are really changing the game from that perspective. We can turn on the complete fire-hose, and then say that we don't have to worry about that anymore. Everything is coming in. We can record it all. We don't have to worry about if the data doesn’t support this analysis, because it's all there. That's really a big benefit of big-data technologies.

Gardner: If you've been doing this for 15 years, you must be demonstrating a return on investment (ROI) or a value proposition back to Ford. Has that value proposition been changing? Do you expect it to change? What might be your real value proposition two or three years from now?

Cavaretta: The real value proposition definitely is changing as things are being pushed down in the company to lower-level analysts who are really interested in looking at things from a data-driven perspective. From when I first came in to now, the biggest change has been when Alan Mulally came into the company, and really pushed the idea of data-driven decisions.

Before, we were getting a lot of interest from people who are really very focused on the data that they had internally. After that, they had a lot of questions from their management and from upper-level directors and vice-presidents saying, "We’ve got all these data assets. We should be getting more out of them." This strategic perspective has really changed a lot of what we’ve done in the last few years.

Gardner: As I listen to you Michael, it occurs to me that you are applying this data-driven mentality more deeply. As you pointed out earlier, you're also going after all the data, all the information, whether that’s internal or external.

In the case of an automobile company, you're looking at the factory, the dealers, what drivers are doing, what the devices within the automobile are telling you, factoring that back into design relatively quickly, and then repeating this process. Are we getting to the point where this sort of Holy Grail notion of a total feedback loop across the lifecycle of a major product like an automobile is really within our grasp? Are we getting there, or is this still kind of theoretical? Can we pull it all together and make it a science?

Cavaretta: The theory is there. The question has more to do with the actual implementation and the practicality of it. We still are talking a lot of data where even with new advanced technologies and techniques that’s a lot of data to store, it’s a lot of data to analyze, there’s a lot of data to make sure that we can mash-up appropriately.

And, while I think the potential is there and I think the theory is there, there is also work in being able to get the data from multiple sources. So everything which you can get back from the vehicle, fantastic. Now if you marry that up with internal data, is it survey data, is it manufacturing data, is it quality data? What are the things you want to go after first? We can’t do everything all at the same time.

Highest value

Our perspective has been let’s make sure that we identify the highest value, the greatest ROI areas, and then begin to take some of the major datasets that we have and then push them and get more detail. Mash them up appropriately and really prove up the value for the technologists.

Gardner: Clearly, there's a lot more to come in terms of where we can take this, but I suppose it's useful to have a historic perspective and context as well. I was thinking about some of the early quality gurus like Deming and some of the movement towards quality like Six Sigma. Does this fall within that same lineage? Are we talking about a continuum here over that last 50 or 60 years, or is this something different?

Cavaretta: That’s a really interesting question. From the perspective of analyzing data, using data appropriately, I think there is a really good long history, and Ford has been a big follower of Deming and Six Sigma for a number of years now.

The difference though, is this idea that you don't have to worry so much upfront about getting the data. If you're doing this right, you have the data right there, and this has some great advantages. You’ll have to wait until you get enough history to look for somebody’s patterns. Then again, it also has some disadvantage, which is you’ve got so much data that it’s easy to find things that could be spurious correlations or models that don’t make any sense.

The piece that is required is good domain knowledge, in particular when you are talking about making changes in the manufacturing plant. It's very appropriate to look at things and be able to talk with people who have 20 years of experience to say, "This is what we found in the data. Does this match what your intuition is?" Then, take that extra step.

Gardner: Tell me a little about sort of a day in the life of your organization and your team to let us know what you do. How do you go about making more data available and then reaching some of these higher-level benefits?

Cavaretta: We're very much focused on interacting with the business. Most of all, we do have to deal with working on pilot projects and working with our business customers to bring advanced analytics and big data technologies to bear against these problems. So we work in kind of what we call a push-and-pull model.

We go out and investigate technologies and say these are technologies that Ford should be interested in. Then, we look internally for business customers who would be interested in that. So, we're kind of pushing the technologies.

From the pull perspective, we’ve had so many successful engagements and such good contacts and good credibility within the organization that we've had people come to us and say, "We’ve got a problem. We know this has been in your domain. Give us some help. We’d love to be able to hear your opinions on this."

So we’ve pulled from the business side and then our job is to match up those two pieces. It's best when we will be looking at a particular technology and we have somebody come to us and we say, "Oh, this is a perfect match."

Big data

Those types of opportunities have been increasing in the last few years, and we've been very happy with the number of internal customers that have really been very excited about the areas of big data.

Gardner: Because this is The Open Group Conference and an audience that’s familiar with the IT side of things, I'm curious as to how this relates to software and software development. Of course there are so many more millions of lines of code in automobiles these days, software being more important than just about everything. Are you applying a lot of what you are doing to the software side of the house or are the agile and the feedback loops and the performance management issues a separate domain, or is there crossover here?

Cavaretta: There's some crossover. The biggest area that we've been focused on has been picking information, whether internal business processes or from the vehicle, and then being able to bring it back in to derive value. We have very good contacts in the Ford IT group, and they have been fantastic to work with in bringing interesting tools and technology to bear, and then looking at moving those into production and what’s the best way to be able to do that.

A fantastic development has been this idea that we’re using some of the more agile techniques in this space and Ford IT has been pushing this for a while. It’s been fantastic to see them work with us and be able to bring these techniques into this new domain. So we're pushing the envelope from two different directions.

Gardner: It sounds like you will be meeting up at some point with a complementary nature to your activities.

Cavaretta: Definitely.

Gardner: Let’s move on to this notion of the "Internet of things," a very interesting concept that a lot of people talk about. It seems relevant to what we've been discussing.

We have sensors in these cars, wireless transfer of data, more-and-more opportunity for location information to be brought to bear, where cars are, how they're driven, speed information, all sorts of metrics, maybe making those available through cloud providers that assimilate this data.

So let’s not go too deep, because this is a multi-hour discussion all on its own, but how is this notion of the Internet of things being brought to bear on your gathering of big data and applying it to the analytics in your organization?

Cavaretta: It is a huge area, and not only from the internal process perspective -- RFID tags within the manufacturing plants, as well as out on the plant floor, and then all of the information that’s being generated by the vehicle itself.

The Ford Energi generates about 25 gigabytes of data per hour. So you can imagine selling a couple of million vehicles in the near future with that amount of data being generated. There are huge opportunities within that, and there are also some interesting opportunities having to do with opening up some of these systems for third-party developers. OpenXC is an initiative that we have going on to add at Research and Advanced Engineering.

Huge number of sensors

We have a lot of data coming from the vehicle. There’s a huge number of sensors and processors that are being added to the vehicles. There's data being generated there, as well as communication between the vehicle and your cell phone and communication between vehicles.

There's a group over at Ann Arbor, Michigan, the University of Michigan Transportation Research Institute (UMTRI), that’s investigating that, as well as communication between the vehicle and let’s say a home system. It lets the home know that you're on your way and it’s time to increase the temperature, if it’s winter outside, or cool it in the summertime.

The amount of data that’s been generated there is invaluable information and could be used for a lot of benefits, both from the corporate perspective, as well as just the very nature of the environment.

Gardner: Just to put a stake in the ground on this, how much data do cars typically generate? Do you have a sense of what now is the case, an average?

Cavaretta: The Energi, according to the latest information that I have, generates about 25 gigabytes per hour. Different vehicles are going to generate different amounts, depending on the number of sensors and processors on the vehicle. But the biggest key has to do with not necessarily where we are right now but where we will be in the near future.

With the amount of information that's being generated from the vehicles, a lot of it is just internal stuff. The question is how much information should be sent back for analysis and to find different patterns? That becomes really interesting as you look at external sensors, temperature, humidity. You can know when the windshield wipers go on, and then to be able to take that information, and mash that up with other external data sources too. It's a very interesting domain.

Gardner: So clearly, it's multiple gigabytes per hour per vehicle and probably going much higher.

Cavaretta: Easily.

Gardner: Let's move forward now for those folks who have been listening and are interested in bringing this to bear on their organizations and their vertical industries, from the perspective of skills, mindset, and culture. Are there standards, certification, or professional organizations that you’re working with in order to find the right people?

It's a big question. Let's look at what skills do you target for your group, and what ways you think that you can improve on that. Then, we’ll get into some of those larger issues about culture and mindset.

Cavaretta: The skills that we have in our department, in particular on our team, are in the area of computer science, statistics, and some good old-fashioned engineering domain knowledge. We’ve really gone about this from a training perspective. Aside from a few key hires, it's really been an internally developed group.

Targeted training

The biggest advantage that we have is that we can go out and be very targeted with the amount of training that we have. There are such big tools out there, especially in the open-source realm, that we can spin things up with relatively low cost and low risk, and do a number of experiments in the area. That's really the way that we push the technologies forward.

Gardner: Why The Open Group? Why is that a good forum for your message, and for your research here?

Cavaretta: The biggest reason is the focus on the enterprise, where there are a lot of advantages and a lot of business cases, looking at large enterprises and where there are a lot of systems, companies that can take a relatively small improvement, and it can make a large difference on the bottom-line.

Talking with The Open Group really gives me an opportunity to be able to bring people on board with the idea that you should be looking at a difference in mindset. It's not "Here’s a way that data is being generated, look, try and conceive of some questions that we can use, and we’ll store that too." Let's just take everything, we’ll worry about it later, and then we’ll find the value.

Gardner: I'm sure the viewers of your presentation on January 28 will be gathering a lot of great insights. A lot of the people that attend The Open Group conferences are enterprise architects. What do you think those enterprise architects should be taking away from this? Is there something about their mindset that should shift in recognizing the potential that you've been demonstrating?

Cavaretta: It's important for them to be thinking about data as an asset, rather than as a cost. You even have to spend some money, and it may be a little bit unsafe without really solid ROI at the beginning. Then, move towards pulling that information in, and being able to store it in a way that allows not just the high-level data scientist to get access to and provide value, but people who are interested in the data overall. Those are very important pieces.

The last one is how do you take a big-data project, how do you take something where you’re not storing in the traditional business intelligence (BI) framework that an enterprise can develop, and then connect that to the BI systems and look at providing value to those mash-ups. Those are really important areas that still need some work.

Gardner: Another big constituency within The Open Group community are those business architects. Is there something about mindset and culture, getting back to that topic, that those business-level architects should consider? Do you really need to change the way you think about planning and resource allocation in a business setting, based on the fruits of things that you are doing with big data?

Cavaretta: I really think so. The digital asset that you have can be monetized to change the way the business works, and that could be done by creating new assets that then can be sold to customers, as well as improving the efficiencies of the business.

High quality data

This idea that everything is going to be very well-defined and there is a lot of work that’s being put into making sure that data has high quality, I think those things need to be changed somewhat. As you're pulling the data in, as you are thinking about long-term storage, it’s more the access to the information, rather than the problem in just storing it.

Gardner: Interesting that you brought up that notion that the data becomes a product itself and even a profit center perhaps.

Cavaretta: Exactly. There are many companies, especially large enterprises, that are looking at their data assets and wondering what can they do to monetize this, not only to just pay for the efficiency improvement but as a new revenue stream.

Gardner: We're almost out of time. For those organizations that want to get started on this, are there any 20/20 hindsights or Monday morning quarterback insights you can provide? How do you get started? Do you appoint a leader? Do you need a strategic roadmap, getting this culture or mindset shifted, pilot programs? How would you recommend that people might begin the process of getting into this?

Cavaretta: We're definitely a huge believer in pilot projects and proof of concept, and we like to develop roadmaps by doing. So get out there. Understand that it's going to be messy. Understand that it may be going to be a little bit more costly and the ROI isn't going to be there at the beginning.

But get your feet wet. Start doing some experiments, and then, as those experiments turn from just experimentation into really providing real business value, that’s the time to start looking at a more formal aspect and more formal IT processes. But you've just got to get going at this point.

Gardner: I would think that the competitive forces are out there. If you are in a competitive industry, and those that you compete against are doing this and you are not, that could spell some trouble.

Cavaretta: Definitely.

Gardner: We’ve been talking with Michael Cavaretta, PhD, Technical Leader of Predictive Analytics at Ford Research and Advanced Engineering in Dearborn, Michigan. Michael and I have been exploring how big data is fostering business transformation by allowing deeper insights into more types of data and all very efficiently. This is improving processes, updating quality control and adding to customer satisfaction.

Our conversation today comes as a lead-in to Michael’s upcoming plenary presentation. He is going to be talking on January 28 in Newport Beach, California, as part of The Open Group Conference.

You will hear more from Michael and others, the global leaders on big data that are going to be gathering to talk about business transformation from big data at this conference. So a big thank you to Michael for joining us in this fascinating discussion. I really enjoyed it and I look forward to your presentation on the 28th.

Cavaretta: Thank you very much.

Gardner: And I would encourage our listeners and readers to attend the conference or follow more of the threads in social media from the event. Again, it’s going to be happening from January 27 to January 30 in Newport Beach, California.

This is Dana Gardner, Principal Analyst at Interarbor Solutions, your host and moderator throughout this thought leadership interview series. Thanks again for listening, and come back next time.

Transcript of a BriefingsDirect podcast on how Ford Motor Company is harnessing multiple big data sources to improve products and operations. Copyright The Open Group and Interarbor Solutions, LLC, 2005-2013. All rights reserved.


Monday, January 14, 2013

The Networked Economy Newly Forges Innovation Forces for Collaboration in Business and Commerce, Says Author Zach Tumin

Advanced business networks are driving innovation and social interactions as new technologies and heightened user expectations converge.

Listen to the podcast. Find it on iTunes. Download the transcript. Sponsor: Ariba.

Dana Gardner: Hi, this is Dana Gardner, Principal Analyst at Interarbor Solutions, and you're listening to BriefingsDirect. Today, we present a sponsored podcast discussion on how new levels of collaboration have emerged from an increasingly networked world, and what that now means for business and society.

We'll hear from a Harvard Kennedy School researcher and author on how deeper levels of collaboration -- more than ever -- can positively impact how organizations operate. And we'll learn from a global business-commerce network provider how these digital communities are redefining and extending new types of business and collaboration.

To learn more about how new trends in collaboration and business networking are driving innovation and social interactions, please join me now in welcoming Zach Tumin, Senior Researcher at the Science, Technology, and Public Policy Program at the Harvard Kennedy School. Welcome, Zach.

Zach Tumin: Good morning, Dana.

Gardner: Zach, you're also the co-author with William Bratton of this year’s Collaborate or Perish: Reaching Across Boundaries in a Networked World, published by Random House. We welcome you to the show.

Tumin: Thank you.

Gardner: We're also joined today by Tim Minahan, Senior Vice-President of Global Network Strategy and Chief Marketing Officer at Ariba, an SAP company. Welcome back, Tim.

Tim Minahan: Thanks, Dana. Good to be here. [Disclosure: Ariba is a sponsor of BriefingsDirect podcasts.]

Gardner: Gentlemen, let's set the stage here, because we have a really big topic. Zach, in your book "Collaborate or Perish," you're exploring collaboration and you show what it can do when it's fully leveraged. It's very interesting. And Tim, at Ariba you've been showing how a more networked economy is producing efficiencies for business and even extending the balance of what we would consider commerce to be.

I’d like to start with looking at how these come together. First, we have new types of collaboration and then we have the means to execute on them through these new business networks. What should we expect when these come together? Let's go to you first, Zach.

Tumin: Thanks, Dana. The opportunities for collaboration are expanding even as we speak. The networks around the world are volatile. They're moving fast. The speed of change is coming at managers and executives at a terrific pace. There is an incredible variety of choice, and people are empowered with these great digital devices that we all have in our pockets.

That creates a new world, where the possibilities are tremendous for joining forces, whether politically, economically, or socially. Yet it's also a difficult world, where we don't have authority, if we have to go outside of our organizations -- but where we don't have all the power that we need, if we stay within the boundaries of our charters.

So, we're always reaching across boundaries to find people who we can partner with. The key is how we do that. How do we move people to act with us, where we don't have the authority over them? How do we make it pay for people to collaborate?

A lot of change

Gardner: Tim, we've seen lots of change in the last 20 years, and a lot of times, we'll see behavioral shifts. Then, at other times, we'll see technology shifts. Today, we seem to be having both come together. Based on what Zach has described in this unprecedented level of change in adaptation, where do you see the big payoffs for business in terms of leveraging collaboration in the context of a vast network?

Minahan: Collaboration certainly is the new business imperative. Companies have leaned out their operations over the past couple of years and they spent the previous 30 years focusing on their internal operations and efficiencies and driving greater performance, and getting greater insights.

When they look outside their enterprise today, it's still a mess. Most of the transactions still occur offline or through semi-automated processes. They lack transparency into those processes and efficiency in executing them. As a result, that means lots of paper and lots of people and lots of missed opportunities, whether it's in capitalizing on getting a new product to market or achieving new sales with new potential customers.

What business networks and this new level of collaboration bring is four things. It brings the transparency that’s currently lacking into the process. So you know where your opportunities are. You know where your orders are. You know where your invoices are and what your exposure to payables is.

It brings new levels of efficiencies executing against those processes, much faster than you ever could before through mostly automated process. It brings new types of collaboration which I am sure we will get into later in this segment.

The last part, which I think is most intriguing, is that it brings new levels of insights. We're no longer making decisions blindly. We no longer need to double order, because we don’t know if that shipment is coming in and we need to stockpile, because we can't let the refinery go down. So it brings new levels of insight to make more informed decisions in real time.

Gardner: One of the things I sense, as people grapple with these issues, is a difficulty in deciding where to let creative chaos reign and where to exercise control and where to lock down and exercise traditional IT imperatives around governance, command and control, and systems of records.

Zach, in your book with William Bratton, are there any examples that you can point to that show how some organizations have allowed that creativity of people to extend their habits and behaviors in new ways unfettered and then at the same time retain that all-important IT control?

Tumin: It's a critical question that you’ve raised. We have young people coming into the workforce who are newly empowered. They understand how to do all the things that they need to do without waiting online and without waiting for authority. Yet, they're coming into organizations that have strong cultures that have strong command-and-control hierarchies.

There's a clash that’s happening here, and the strong companies are the ones that find the path to embracing the creativity of networked folks within the organization and across their boundaries, while maintaining focus on a set of core deliverables that everyone needs to do.

Wells Fargo

There are plenty of terrific examples. I will give you one. At Wells Fargo, for the development of the online capability for the wholesale shop, Steve Ellis was Executive Vice President. He had to take his group offline to develop the capability, but he had two responsibilities. One was to the bank, which had a history of security and trust. That was its brand. That was its reputation. But he was also looking to the online world, to variability, to choice, and to developing exactly the things that customers want.

Steve Ellis found a way of working with his core group of developers to engage customers in the code design of Wells Fargo's online presence for the wholesale side. As a result, they were able to develop systems that were so integrated into the customers over time that they can move very, very quickly, adapt as new developments required, and yet they gave full head to the creativity of the designers, as well as to the customers in coming to these new ways of doing business.

So here's an example of a pretty staid organization, 150 years old with a reputation for trust and security, making its way into the roiling water of the networked world and finding a path through engagement that helped to prevail in the marketplace over a decade.

Gardner: Tim Minahan, for the benefit of our audience, help us better understand how Ariba is helping to fuel this issue of allowing creativity and new types of collaboration, but at the same time maintaining the important principles of good business.

Minahan: Absolutely, Dana. The problem we solve at Ariba is quite basic, yet one of the biggest impediments to business productivity and performance that still exists. That's around inter-enterprise collaboration or collaboration between businesses.

We talked about the deficits there earlier. Through our cloud-based applications and business network, we eliminate all of the hassles, the papers, the phone calls, and other manual or disjointed activities that companies do each day to do things like find new suppliers, find new business opportunities as a seller, to place or manage orders, to collaborate with customers, suppliers, and other partners, or to just get paid.

Nearly a million businesses today are digitally connected through the Ariba Network. They're empowered to discover one another in new ways, getting qualifying information from the community, so that they know who that party is even if they haven’t met them before. It's similar to what you see on eBay. When you want to sell your golf clubs, you know that that buyer has a performance history of doing business with other buyers.

They can connect with known trading partners much more efficiently and then automate the processes and the information flows between each other. Then, they can collaborate in new ways, not only to find one another, but also to get access to preferred financing or new insights into market trends that are going on around particular commodities.

That’s the power of bringing a business network to bear in today’s world. It's this convergence of cloud applications, the ability to access and automate a process. Those that share that process share the underlying infrastructure and a digitally connected community of relevant parties, whether that’s customers, suppliers, potential trading partners, banking partners, or other participants involved in the commerce process.

Gardner: Zach, in your book and in your earlier comments, you're basically describing almost a new workforce and some companies and organizations are recognizing that and embracing it. What’s driving this? What has happened that is basically redefining a workforce and how it relates to itself and to the customer or, in many cases, for businesses across the ecosystem of the suppliers and then the channels and distribution? What’s behind this fairly massive shift in what workforces are?

It's the demographics

Tumin: It’s in the demographics, Dana. Young people are accustomed to doing things today that were not possible 10 years ago. The digital power in everyone’s pocket or pocket book, the digital wallet in markets, are ready, willing, and able to deal with them and to welcome them. That means that there’s pressure on organizations to integrate and take advantage of the power that individuals have in the marketplace and that come in to their workforce.

Everyone can see what's going on around the world. We're moving to a situation where young people are feeling pretty powerful. They're able to search, find, discover, and become experts all on their own through the use of technologies that 10 years ago weren’t available.

So a lot of the traditional ways of thinking about power, status, and prestige in the workforce are changing as a result, and the organizations that can adapt and adopt these kinds of technologies and turn them to their advantage are the ones that are going to prevail.

Gardner: Tim, with that said, there's this demographic shift, the shift in the mentality of self-started discovery of recognizing that the information you want is out there, and it’s simply a matter of applying your need to the right data and then executing on some action as a result. Your network seems ready-made for that. I know that you guys have been at this for some time. It seems like the events, these trends, have coalesced in a way that that really suits your strength.

Tell me why you think that’s the case that this vision you had at Ariba a decade or more ago has come about. Is there something fundamental about the Internet or were you guys just in the right place at the right time?


Minahan: The reality of the community is that it is organic. It takes time to grow. At Ariba we have more than 15 years of transactional history, relationship history, and community-generated content that we've amassed. In fact, over the past 12 months, those nearly a million connected companies have executed more than $400 billion in purchase, sales, invoice, and payment transactions over the Ariba network.

Aggregate that over 15 years, and you have some great insights beyond just trading efficiencies for those companies participating there. You can deliver insights to them so that they can make more informed decisions, whether that’s in selecting a new trading partner or determining when or how to pay.

Should I take an early-payment discount in order to accelerate or reduce my cost basis? From a sales standpoint, or seller’s standpoint, should I offer an early payment discount in order to accelerate my cash flow? There are actually a host of examples where companies are taking advantage of this today and it’s not just for the large companies. Let me give you two examples.

From the buyer side, there was a company called Plaid Enterprises. Plaid is a company that, if you have daughters like I do who are interested in hobbies and creating crafts, you are very familiar with. They're one of the leading providers for the do-it-yourself crafts that you would get at your craft store.

Like many other manufacturers, they were a mid-sized company, but they decided a couple of years ago to offshore their supplies. So they went to the low-cost region of China. A few years into it, they realized that labor wages were rising, their quality was declining, and worse than that, it was sometimes taking them five months to get their shipment.

New sources of supply

So they went to the Ariba Network to find new sources of supply. Like many other manufacturers, they thought, "Let’s look in other low cost regions like Vietnam." They certainly found suppliers there, but what they also found were suppliers here in North America.

They went through a bidding process with the suppliers they found there, with the qualifying information on who was doing business with whom and how they performed in the past, and they wound up selecting a supplier that was 30 miles down the road. They wound up getting a 40 percent cost reduction from what they had previously paid in China and their lead times were cut from more than 120 days down to 30.

That’s from the buy side. From the sell side, the inverse is true. I'll use an example of a company called Mediafly. It's a fast growing company that provides mobile marketing services to some of the largest companies in the world, large entertainment companies, large consumer products companies.

They were asked to join the Ariba Network to automate their invoicing and they have gotten some great efficiencies from that. They've gotten transparencies to know when their invoice is paid, but one other thing was really interesting.

Once they were in the networked environment and once they had automated those processes, they were now able to do what we call dynamic discounting. That meant when they want their cash, they can make offers to their customers that they're connected to on the Ariba Network and be able to accelerate their cash.

So they were able not only to shrink their quote-to-settle cycle by 84 percent, but they gained access to new financing and capital through the Ariba network. So they could go out and hire that new developer to take on that new project and they were even able to defer a next round of funding, because they have greater control over their cash flow.

Gardner: Zach, in listening to Tim, particularly that discovery process, we're really going back to some principles that define being human -- collaboration, word of mouth, sharing information about what you know. It just seems that we have a much greater scale that we can deploy this. As Tim was saying, you can look to supply chains in China, Vietnam, or in your own neighborhood that you might not have known, but you will discover.

Help me understand why the scale here is important? We can scale up and scale down. How is that fundamentally changing how people are relating in business and society?

Tumin: The scaling means that things can get big in a hurry and they can get fast in a hurry. So you get a lot of volume, things go viral, and you have a velocity of change here. New technologies are introducing themselves to the market. You have extraordinary volatility on your network and that can rumble all the way through, so that you feel it seconds after something halfway around the world has put a glitch in your supply chain. You have enormous variability. You're dealing with many different languages, both computer languages and human languages.

That means that the potential for collaboration really requires coming together in ways that helps people see very quickly why it is that they should work together, rather than go it alone. They may not have a choice, but people are still status quo animals. We're comfortable in the way that we have always done business, and it takes a lot to move us out.

It comes down to people

When crisis hits, it’s not exactly a great time to build those relationships. Speaker of the House Tip O'Neill here in the United States once said, "Make friends before you need them." That’s good advice. We have great technology and we have great networks, but at the end of day, it’s people that make them work.

People rely on trust, and trust relies on relationships. Technology here is a great enabler but it’s no super bullet. It takes leadership to get people together across these networks and to then be able to scale and take advantage of what all these networks have to offer.

Gardner: Tim, another big trend today of course, is the ability to use all of this data that Zach has been describing, and you are alluding to, about what’s going on within these networks. Now, of course, with this explosive scale, the amount of that data has likewise exploded.

As we bring more of these coalescent trends together, we have the ability to deal with that scale at a lower cost than ever, and therefore start to create this dynamic of viral or virtual benefit type of effect. What I'm alluding to is more data, the more insight into what’s going on in the network, the more the people then avail themselves of that network, the more data they create, and therefore the better the analysis and the more pertinent their efforts are to their goals.

So, am I off in la-la land here or is there really something that we can point to about a virtuous adoption pattern, vis-a-vis, the ability to manage this data even as we explode the scale of commerce?

Minahan: We've only begun to scratch the surface on this. When you look at the data that goes on in a business commerce network, it’s really three levels. One is the transactional data, the actual transactions that are going on, knowing what commodities are being purchased and so on. Then, there's relationship data, knowing the relationship between a given buyer and seller.

Finally, there's what I would call community data, or community generated data, and that can take the form of performance ratings, so buyers rating suppliers and suppliers rating buyers. Others in the community can use that to help determine who to do business with or to help to detect some risk in their supply chain.

There is also community-generated content, like request for proposal (RFP) templates. A lot of our community members use a "give a template, take a template" type approach in which they are offering RFP templates to other members of the community that work well for them. These can be templates on how to source temp labor or how to source corrugated packaging.

We have dozens and dozens of those. When you aggregate all of this, the last part of the community data is the benchmarking data. It's understanding not just process benchmarking but also spend benchmarking.

One of the reasons we're so excited about getting access to SAP HANA is the ability to offer this information up in real time, at the point of either purchase or sale decision, so that folks can make more informed decisions about who to engage with or what terms to take or how to approach a particular category. That is particularly powerful and something you can’t get in a non-networked model.

Sharing data

Gardner: To that same point, Zach, are there some instances in your book, where you can point to this ability to share the data across community, whether it’s through some sort of a cloud apparatus or even a regulatory environment, where people are compelled to open up and share that is creating new or very substantial benefits?

I am just trying to get at the network effect here, when it comes to exposing the data. I think that we're at a period now where that can happen in ways that just weren’t possible even five years ago.

Tumin: One of the things that we're seeing around the world is that innovation is taking place at the level of individual apps and individual developers. There's a great example in London. London Transport had a data set and a website that people would use to find out where their trains were, what the schedule was, and what was happening on a day-to-day basis.

As we all know, passengers on mass transit like to know what's happening on a minute-to-minute basis. London Transport decided they would open up their data, and the open data movement is very, very important in that respect. They opened the data and let developers develop some apps for folks. A number of apps developers did and put these things out on the system. The demand was so high that they crashed London Transport, initially.

London Transport took their data and put it into the cloud, where they could handle the scale much more effectively. Within a few days, they had gone from those thousand hits on the website per day to 2.3 million in the cloud.

The ability to scale is terribly important. The ability to innovate and turn these open datasets over to communities of developers, to make this data available to people the way they want to use it, is terribly important. And these kinds of industry-government relations that make this possible are critical as well.

So across all those dimensions, technology, people, politics, and the platform, the data has to line up. You need governance and support people, and people to make it work and to trust each other and share information. These are the keys to collaboration today.

Gardner: We're coming up on our time limit, but I wanted to put myself in the place of a listener, who might be really jazzed by the potential here, but is still concerned about losing control. How do you take advantage of the mobile extended networks of social media and networks, but without losing your basic principles of good business practice and governance?

Is there something that you're seeing Tim, through your network and the way you're approaching this, that is a balancing act? How can you give some advice to someone who can start to enter these waters, but not drown or get lost?

Minahan: First, I want to talk about the dynamics going on that are fueling B2B collaboration. There is certainly the need for more productivity. So that's a constant in business, particularly as we're in tight environments. Many times companies are finding they are tapped out within the enterprise.

Becoming more dependent

The second is the leaning out of the enterprise itself with outsourcing more processes, more supply, and more activities to third parties. Companies are becoming more and more dependent on getting insights and collaborating with folks outside their enterprise.

The third is what Zach mentioned before, the changing demographics in the workforce, the millennials. They're collapsing the hierarchical command and control. They don't stand for sequestering of information with only a given few. They believe in sharing and in the knowledge of crowds. They want more collaboration with their peers, their bosses, and their business partners.

When you take that within a business context and how you put controls on it, obviously there needs to be some change. There is some change going on. There is change going on towards this wave of collaboration. Zach said before that it needs a good leader. There is change management involved. Let's not fool ourselves that technology is the only answer.

So policies need to be put down. Just like many businesses put policies down on their social media, there needs to be policies put down on how we share information and with whom, but the great thing about technology is that it can enforce those controls. It can help to put in checks and balances and give you a full transparency and audit trail, so you know that these policies are being enforced. You know that there are certain parameters around security of data.

You don't have those controls in the offline world. When paper leaves the building, you don't know. But when a transaction is shared or when information is shared over a network, you, as a company, have greater control. You have a greater insight, and the ability to track and trace.

So there is this balancing act going on between opening the kimono, as we talked about in the '80s, being able to share more information with your trading partners, but now being able to do it in a controlled environment that is digitized and process-oriented. You have the controls you need to ensure you're protecting your business, while also growing your business.

Gardner: Zach, last word to you. What do we get? What's the payoff, if we can balance this correctly? If we can allow these new wheels of innovation to spin, to scale up, but also apply the right balance, as Tim was describing, for audit trails and access and privilege controls? If we do this right, what's in the offing? Even though it's early in the game as you pointed out, what's the potential here? When can we expect this payoff?

Tumin: I think you can expect four things, Dana. First is that you can expect innovations faster with ideas that work right away for partners. The partners who collaborate deeply and right from the start get their products right without too much error built-in and they can get them to market faster.

Second is that you're going to rinse out the cost of rework, whether it's from carrying needless inventory or handling paper that you don’t have to touch where there is cost involved. You're going to be able to rinse that out.

Third is that you're going to be able to build revenues by dealing with risk. You're going to take advantage of customer insight. You're going to make life better and that's going to be good news for you and the marketplace.

Constant learning

The fourth is that you have an opportunity for constant learning, so that insight moves to practice faster. That’s really important, because the world is changing so fast, you have the volatility, a velocity, a volume, variability, being able to learn and adapt is critical. That means embracing change, setting out the values that you want to lead by, helping people understand them.

Great leaders are great teachers. The opportunity of the networked world is to share that insight and loop it across the network, so that people understand how to improve every day and every way the core business processes that they're responsible for.

Gardner: Well, great. I am afraid we'll have to leave it there. I'd like to thank our audience for joining us. We've been discussing new levels of collaboration and how they have emerged within an increasingly networked world and how that's all coming together to impact both business and society.

I’d also like to thank our guests for joining us. Zach Tumin, Senior Researcher at the Science, Technology, and Public Policy Program at Harvard Kennedy School. He is also the co-author with William Bratton of this year's Collaborate or Perish: Reaching Across Boundaries in a Networked World, and that’s published by Random House. Thanks so much Zach.

Tumin: Thank you, Dana.

Gardner: And, of course, Tim Minahan, Senior Vice-President of Global Network Strategy and Chief Marketing Officer at Ariba, an SAP company. Thanks so much, Tim.

Minahan: Thanks, Dana.

Gardner: This is Dana Gardner, Principal Analyst at Interarbor Solutions and you’ve been listening to a sponsored BriefingsDirect broadcast. Thanks again for listening and come back next time.

Listen to the podcast. Find it on iTunes. Download the transcript. Sponsor: Ariba.

Advanced business networks are driving innovation and social interactions as new technologies and heightened user expectations converge. Copyright Interarbor Solutions, LLC, 2005-2013. All rights reserved.


Tuesday, January 08, 2013

Learn How a Telecoms Provider Takes Strides to Make Applications Security Pervasive

Transcript of a BriefingsDirect podcast on how perimeter security is no longer adequate to protect enterprise data that resides in applications, and how one services provider is taking a different approach.

Listen to the podcast. Find it on iTunes. Download the transcript. Sponsor: HP.

Dana Gardner: Hello, and welcome to the next edition of the HP Discover Performance Podcast Series. I'm Dana Gardner, Principal Analyst at Interarbor Solutions, your moderator for this ongoing discussion on IT innovation and how it’s making an impact on people’s lives.

Once again, we're focusing on how IT leaders are improving performance of their services to deliver better experiences and payoffs for businesses and end-users alike.

I'm now joined by our co-host for this sponsored podcast, Raf Los, who is the Chief Security Evangelist at HP Software. Welcome back, Raf. [Disclosure: HP is a sponsor of BriefingsDirect podcasts.]

Rafal Los: How do you do?

Gardner: And where are you coming to us from today on your travels?

Los: We're in beautiful Nashville, Tennessee, the home of Opryland and country music. We're sitting right here at HP Protect, from HP Protect 2012, Day 2.

Gardner: We have a fascinating show today. We're going to be learning how the telecommunications industry is tackling security, managing the details and the strategy -- that’s both the tactics and the strategy simultaneously -- to an advantage and extending that value onto their many types of customers.

With that, allow me to please introduce our guest, George Turrentine, Senior IT Manager at a large telecoms company, with a focus on IT Security and Compliance. Welcome, George.

George Turrentine: Thank you.

Gardner: I'd like also to point out that George started out as a network architect and transitioned to a security architect and over the past 12 years, George has focused on application security, studying vulnerabilities in web applications using dynamic analysis, and more recently, using static analysis. George holds certifications in CISSP, CISM, and CRISC.

George, many of the organizations that I'm familiar with are very focused on security, sometimes at a laser level. They're very focused on tactics, on individual technologies and products, and looking at specific types of vulnerabilities. But I sense that, sometimes, they might be missing the strategy, the whole greater than the sum of the parts, and that there is lack of integration in some of these aspects, of how to approach security.

I wonder if that’s what you are seeing, and if that’s an important aspect to keeping a large telecommunications organization robust, when it comes to a security posture.

Attacks have changed

Turrentine: We definitely are at the time and place where attacks against organizations have changed. It used to be that you would have a very focused attack against an organization by a single individual or a couple of individuals. It would be a brute-force type attack. In this case, we're seeing more and more that applications and infrastructure are being attacked, not brute force, but more subtly.

The fact that somebody that is trying to effect an advanced persistent threat (APT) against a company, means they're not looking to set off any alarms within the organization. They're trying to stay below the radar and stay focused on doing a little bit at a time and breaking it up over a long period of time, so that people don’t necessarily see what’s going on.

Gardner: Raf, how does that jibe with what you are seeing? Is there a new type of awareness that is, as George points out, subtle?

Los: Subtlety is the thing. Nobody wants to be a bull-in-a-china-shop hacker. The reward may be high, but the risk of getting caught and getting busted is also high. The notion that somebody is going to break in and deface your website is childish at best today. As somebody once put it to me, the good hackers are the ones you catch months later; the great ones, you'll never see.

That’s what we're worried about, right. Whatever buzzwords we throw around and use, the reality is that attacks are evolving, attackers are evolving, and they are evolving faster than we are and than we have defenses for.

As I've said before, it’s like being out in a dark field chasing fireflies. We tend to be chasing the shiny, blinky thing of the day, rather than doing pragmatic security that is relevant to the company or the organization that you're supporting.

Gardner: One of the things I've seen is that there is a different organization, even a different culture, in managing network security, as opposed to, say, application security, and that often, they're not collaborating as closely as they might. And that offers some cracks between their different defenses.

George, it strikes me that in the telecommunications arena, the service providers are at an advantage, where they've got a strong network history and understanding and they're beginning to extend more applications and services onto that network. Is there something to be said that you're ahead of the curve on this bridging of the cultural divide between network and application?

Turrentine: It used to be that we focused a whole lot on the attack and the perimeter and trying to make sure that nobody got through the crunchy exterior. The problem is that, in the modern network scenario, when you're hosting applications, etc., you've already opened the door for the event to take place, because you've had to open up pathways for users to get into your network, to get to your servers, and to be able to do business with you. So you've opened up these holes.

Primary barrier

Unfortunately, a hole that's opened is an avenue of an attack. So the application now has become the primary barrier for protecting data. A lot of folks haven't necessarily made that transition yet to understanding that application security actually is your front row of attack and defense within an organization.

It means that you have to now move into an area where applications not only can defend themselves, but are also free from vulnerabilities or coding flaws that can easily allow somebody to grab data that they shouldn't have access to.

Gardner: Raf, it sounds as if, for some period of time, the applications folks may have had a little bit of an easy go at it, because the applications were inside a firewall. The network was going to be protected, therefore I didn't have to think about it. Now, as George is pointing out, the applications are exposed. I guess we need to change the way we think about application development and lifecycle.

Los: Dana, having spent some time in extremely large enterprise, starting in like 2001, for a number of years, I can't tell you the amount of times applications’ owners would come back and say, "I don't feel I need to fix this. This isn’t really a big risk, because the application is inside the firewall."

Even going back that far, though, that was still a cop-out, because at that time, the perimeter was continuing to erode. Today, it's just all about gone. That’s the reality.

So this erosion of perimeter, combined with the fact that nothing is really internal anymore, makes this all difficult. As George already said, applications need not just to be free of bugs, but actually be built to defend themselves in cases where we put them out into an uncertain environment. And we'll call the Internet uncertain on a good day and extremely hostile on every other day.

Turrentine: Not only that, but now developers are developing applications to make them feature rich, because consumers want feature-rich applications. The problem is that those same developers aren't educated and trained in how to produce secure code.

Los: I think nothing illustrates that point better than looking at the way we built legacy applications in extremely large enterprises that were introduced by a fantastic technology in 1976-1977 called the Rack app. It was really well built for the applications of the time, maintaining data access and authentication at a reasonable level.

Then, some of the applications continued to be built and built and built and built over time. We decided, at some point that we make them accessible “outside the firewall.” We slapped the web interface on them and blew all those controls out. So something that was once a solid technology is now a dumb database where anybody can access it, once they get back some spaghetti code in HTML.

Turrentine: The other thing is that too many organizations have a tendency to look at that big event with a possibility of it taking place. Yet hackers aren’t looking for the big event. They're actually looking for the small backdoor that they can quietly come in and then leverage that access. They leverage the trust between applications and servers within the infrastructure to promote themselves to other boxes and other locations and get to the data.

Little applications

We used to take for granted that it was protected by the perimeter. But now it isn’t, because you have these little applications that most security departments ignore. They don’t test them. They don’t necessarily go through and make sure that they're secure or that they're even tested with either dynamic or static analysis, and you are putting them out there because they are “low risk.”

Los: The lesson learned is that organizations that have 500, 600, 1,000, 1,200, or 2,000 applications in the corporate space have to make a decision on what’s going to be important, what they are going to address, what they are going to let fall behind. There are a certain number of apps you can review, a certain number of assessments you can do, and everything else just has to fall away.

What you've just highlighted is the extreme need to understand, not just the application as a singular entity, but interconnectedness, data interchange, and how data actually flows.

Just because you are developing a marketing app over here, that app may be no big deal in a vacuum, but because of server consolidation, virtual machines (VMs), or the cloud-computing environment you are deploying it to, it now shares space with your financial system.

You have to know that, when you're doing analysis of these things. And this actually makes it a necessity that security people have to have these types of analysis skills and look just past that one autonomous unit.

Turrentine: It may actually be more diverse than that due to the fact that there may be an intermediary system that both the non-secure app and the “risky” app talk to, and just by the fact that they are interconnected, even though it's not a direct interconnection, they are still exposed.

Gardner: Let’s chunk this out a little bit. On one side, we have applications that have been written over any number of years, or even decades, and we need to consider the risks of exposing them, knowing that they're going to get exposed. So is that a developer’s job? How do we make those older apps either sunsetted or low risk in terms of being exposed?

And on the other side, we've got new applications that we need to develop in a different way, with security instantiated into the requirements right from the get-go. How do you guys parse either side of that equation? What should people be considering as they approach these issues?

Turrentine: I'm going to go back to the fact that even though you may put security requirements in at the beginning, in the requirements phase of the SDLC, the fact is that many developers are going to take the low path and the easiest way to get to what is required and not necessarily understand how to get it more secure.

This is where the education system right now has let us down. I started off programming 30 years ago. Back then, there was a very finite area of memory that you could write an application into. You had to write overlays. You had to make sure that you moved data in and out of memory and took care of everything, so that the application could actually run in the space provided. Nowadays, we have bloat. We have RAM bloat. We have systems with 16 to 64 gigabytes of RAM.

Los: Just to run the operating system.

We've gotten careless

Turrentine: Just to run the operating system. And we've gotten careless. We've gotten to where we really don’t care. We don’t have to move things in and out of memory, so we leave it in memory. We do all these other different things, and we put all these features and functionality in there.

The schools, when they used to teach you how to write in very small areas, taught how to optimize the code, how to fix the code, and in many ways, efficiency and optimization gave you security.

Nowadays, we have bloatware. Our developers are going to college, they are being trained, and all they're learning is how to add features and functionality. The grand total of training they get in security is usually a one hour lecture.

You've got people like Joe Jarzombek at the Department of Homeland Security (DHS), with a Software Assurance Forum that he has put together. They're trying to get security back into the colleges, so that we can teach developers that are coming up how to develop secure code. If we can actually train them properly and look at the mindset, methodologies, and the architecture to produce secure code, then we would get secure applications and we would have secure data.

Gardner: That’s certainly a good message for the education of newer developers. How about building more of the security architect role into the scrum, into the team that’s in development? Is that another cultural shift that seems to make sense?

Los: We can probably see some of that in the culture that’s developing around the DevOps movement. To some extent, it's just a reactive move to the poor quality that’s been put out over the last couple of years of software, the reactive move by the smart people in the software development industry to build tribes of knowledge and of intelligence.

It goes all the way up and down the development and software lifecycle chain, from the person who makes requirements happen formally, to the people who write the source code, to those who package it, test it, deploy it, monitor it, and secure it.

It’s a small agile group of folks who all have a stake in, not just a piece of the software development lifecycle, but that software package in general. Whether they own 1 or 10 pieces of software or applications, it’s almost immaterial. That ownership level is the important part, and that’s where you're going to see maybe some of the changes.

Turrentine: Part of it also is the fact that application security architects, who I view differently than a more global security architect, tend to have a myopic view. They're limited, in many cases, by their education and their knowledge, which we all are.

Face it. We all have those same things. Part of the training that needs to be provided to folks is to think outside the box. If all you're doing is defining the requirements for an application based upon the current knowledge of security of the day, and not trying to think outside the box, then you're already obsolescent, and that's imposed upon that application when it’s actually put into production.

Project into the future

You have to start thinking further of the evolution that’s going on in the way of the attacks, see where it’s going, and then project two years or three years in the future to be able to truly architect what needs to be there for today’s application, before the release.

Gardner: What about legacy applications? We've seen a lot of modernization. We're able to move to newer platforms using virtualization, cutting the total cost when it comes to the support and the platform. Older applications, in many cases, are here to stay for quite a few number of years longer. What do we need to think about, when security is the issue of these apps getting more exposure?

Turrentine: One of the things is that if you have a legacy app, one of the areas that they always try to update, if they're going to update it at all, is to write some sort of application programming interface (API) for it. Then, you just opened the door, because once you have an API interface, if the underlying legacy application hasn’t been securely built, you've just invited everybody to come steal your data.

So in many ways, legacy applications need to be evaluated and protected, either by wrapper application or something else that actually will protect the data and the application that has to run and provide access to it, but not necessarily expose it.

I know over the years everybody has said that we need to be putting out more and more web application firewalls (WAFs). I have always viewed a WAF as nothing more than a band aid, and yet a lot of companies will put a WAF out there and think that after 30 days, they've written the rules, they're done, and they're now secure.

A WAF, unless it is tested and updated on a daily basis, is worthless.

Los: That’s the trick. You just hit a sore spot for me, because I ran into that in a previous life and it stunk really bad. We had a mainframe app that had ported along the way that the enterprise could not live without. They put a web interface on it to make it remotely accessible. If that doesn’t make you want to run your head through a wall, I don’t know what will.

On top of that, I complained loud enough and showed them that I could manipulate everything I wanted to. SQL injection was a brand-new thing in 2004 or something, and it wasn’t. They were like, fine, "WAF, let’s do WAF." I said, "Let me just make sure that we're going to do this while we go fix the problem." No, no, we could either fix the problem or put the WAF in. Remember that’s what the payment card industry (PCI) said back then.

Turrentine: Yeah.

Los: You could either fix the problem or put mitigating control WAFs into the slipstream and then we were done, and let’s move on. But it’s like any security control. If you put it in and just leave it there, tune it once, and forget that it exists, that’s the data that starts to fail on you.

Gardner: I think there is even more impetus now for these web interfaces, as companies try to find a shortcut to go to mobile devices, recognizing that they're having a hard time deciding on a native interface or which mobile device platform to pursue. So they're just "webifying" the apps and data so that they can get out to that device, which, of course, raises even more data and applications in this field for concern.

Los: I liked that word, "webifying."

Tactics and strategy

Gardner: So let's get back to this issue of tactics and strategy. Should there be someone who is looking at both of these sides of the equation, the web apps, the legacy, vulnerabilities that are coming increasingly to the fore, as well as looking at that new development? How do we approach this problem?

Turrentine: One of the ways that you approach it is that security should not be an organization unto itself. Security has to have some prophets and some evangelists -- we are getting into religion here -- who go out throughout the organization, train people, get them to think about how security should be, and then provide information back and forth and an interchange between them.

That’s one of the things that I've set up in a couple of different organizations, what I would call a security focal point. They weren’t people in my group. They were people within the organizations that I was to provide services to, or evaluations of.

They would be the ones that I would train and work with to make sure that they were the eyes and ears within the organizations, and I'd then provide them information on how to resolve issues and empower them to be the primary person that would interface with the development teams, application teams, whatever.

If they ran into a problem, they had the opportunity to come back, ask questions, and get educated in a different area. That sort of militia is what we need within organizations.

I've not seen a single security organization that could actually get the headcount they need. Yet this way, you're not paying for headcount, which is getting people dotted lined to you, or that is working with you and relying on you. You end up having people who will be able to take the message where you can’t necessarily take it on your own.

Gardner: Raf, in other podcasts that we've done recently we talked about culture, and now we're talking organization. How do we adjust our organization inside of companies, so that security becomes a horizontal factor, rather than group oversight? I think that’s what George was getting at, that it becomes inculcated in the organization.

Los: Yeah. I had a brilliant CISO I worked under a number of years back, a gentleman by the name of Dan Conroy. Some of you guys know him. His strategy was to split the security organization essentially uneven, not even close to down the middle, but unevenly into strategy, governance, and operations.

Strategy and governance became the team that decided what was right, and we were the architects. We were the folks who decided what was the right thing to do, roughly, conceptually how to do it, and who should do it. Then, we made sure that we did regular audits and performed governance activities around its being done.

Then, the operational part of security was moved back into the technology unit. So the network team had a security component to it, the desktop team had a security component to it, and the server team had security components, but they were all dotted line employees back to the CISO.

Up to date

They didn’t have direct lines of reporting, but they came to our meetings and reported on things that were going on. They reported on issues that were haunting them. They asked for advice. And we made sure that we were up to date on what they were doing. They brought us information, it was bidirectional, and it worked great.

If you're going to try to build a security organization that scales to today’s pace of business, that's the only way to do it, because for everything else, you're going to have to ask for $10 million in budget and 2,000 new headcounts, and none of those is going to be possible.

Turrentine: I agree.

Gardner: How would we describe that organization? Is there a geometric shape? You hear about T or waterfall or distributed, but how do we describe the type of organization you just described for our security?

Los: An amoeba, or to be more serious, more like a starfish really. If you're looking at the way these organizations are, you have the central group and then tentacles that go out to all the other components of it. I don’t have a flashy name for it, but maybe security starfish.

Gardner: George, how would you describe it?

Turrentine: I don’t know that it would be a single organism.

Gardner: More of a pond water approach, right?

Turrentine: Yeah.

Gardner: Moving to looking at the future, we talked about some of the chunks with legacy and with new applications. What about some of the requirements for mobile in cloud?

As organizations are being asked to go with hybrid services delivery, even more opportunity for exposure, more exposure both to cloud, but also to a mobile edge, what can we be advising people to consider, both organizationally as well as tactically for these sorts of threats or these sorts of challenges?

Turrentine: Any time you move data outside the organization that owns it, you're running into problems, whether it’s bring your own device (BYOD), or whether it’s cloud, that is a public offering. Private cloud is internal. It's just another way of munging virtualization and calling it something new.

But when you start handling data outside your organization, you need to be able to care for it in a proper way. With mobile, a lot of the current interface IDEs and SDKs, etc., try to handle everything as one size fits all. We need to be sending a message back to the owners of those SDKs that you need to be able to provide secure and protected areas within the device for specific data, so that it can either be encrypted or it can be processed in a different way, hashed, whatever it is.

Then, you also need to be able to properly and cleanly delete it or remove it should something try and attack it or remove it without going through the normal channel called the application.

Secure evolution

I don’t think anybody has a handle on that one yet, but I think that, as we can start working with the organizations and with the owners of the IDEs, we can get to the point where we can have a more secure evolution of mobile OS and be able to protect the data.

Gardner: Raf, any thoughts before we close out on some of these pending opportunities or challenges when it comes to moving to the mobile edge and to the cloud and hybrid services?

Los: To echo some of the things our executives have been saying, without sounding too much echo, I agree that every decade or so, we hit a directional point. We make either a hard right or a hard left, or we take a turn as an industry, maybe even as a society.

That does sort of coincide with the fact that technology takes roughly 10 years to understand the full impact of it, once it has been implemented and released, as I read somewhere a while back.

We're at one of those points, as we sit here right now, where many of the people, the kids going through school today, don’t know what a cassette tape is.

When I mention my Zip drive from back in my technology days, they look at me funny. Floppy disks are something they have only heard about or seen in a photo. Everybody texts now. So technology is evolving at a pace that has hit a fever pitch, and society is quickly trying to catch up or pretend like it’s going to catch up.

Meanwhile, enterprises are trying to capitalize on those technology changes, and security has to transform with it. We've got to get out of the dark ages of, "What do you do for the company?" "Oh, I do security." No, you don’t. You serve the business, in whatever capacity they tell you to. If you can’t understand that, then you're going to get stuck in those dark ages, and we just won’t go forward. That’s my line of thinking.

We're at the point where something has to happen. Being here, walking through the show floor, and having conversations with people like George, John South, and other people who are leading security organizations throughout the big industry players, and some really small ones, I am hopeful. I think we actually get it. It’s, "Can we scale it and teach others to think this way fast enough to make an impact before it all goes wrong again?"

Gardner: All right. I am afraid we will have to leave it there. With that, I would like to thank our co-host, Rafal Los, who is the Chief Security Evangelist at HP Software. It’s always a pleasure, Raf, thanks so much.

Los: Thanks for having me.

Gardner: And I'd also like to thank our supporter for this series, HP Software, and remind our audience to carry on the dialogue with Raf through his personal blog, as well as through the Discover Performance Group on LinkedIn.

I'd also like to extend a huge thank you to our special guest, George Turrentine, the Senior Manager at a large telecoms company. Thank you so much, George.

Turrentine: Thank you.

Gardner: And you can gain more insights and information on the best of IT Performance Management at http://www.hp.com/go/discoverperformance.

And you can also always access this and other episodes in our HP Discover Performance Podcast Series on iTunes under BriefingsDirect.

I'm Dana Gardner, Principal Analyst at Interarbor Solutions, your co-host and moderator for this ongoing discussion of IT innovation and how it’s making an impact on people’s lives. Thanks again for listening, and come back next time.

Listen to the podcast. Find it on iTunes. Download the transcript. Sponsor: HP.

Transcript of a BriefingsDirect podcast on how perimeter security is no longer adequate to protect enterprise data that resides in applications, and how one services provider is taking a different approach. Copyright Interarbor Solutions, LLC, 2005-2013. All rights reserved.
