Posts Tagged ‘Kathy Stershic’


Cyber Bill Getting Close…?

Enjoyed a fascinating and very educational trip to Capitol Hill last week, calling on various Representatives and Senators to lobby for Silicon Valley interests. The trip was sponsored by Silicon Valley Leadership Group – I really admire their mission to interact directly with Congress on issues that affect our broad sector – not any one company. While there are many trade associations in DC, the fact that a large group traveled across the country to voice a unified opinion seemed to impress. Our delegation included leaders from large corporations to start-ups, all grappling with the same challenges – immigration, patents, trade issues, and especially high on the list – cyber security.

In light of accelerating attacks, punctuated by the very recent and massive Anthem and Blue Cross/Blue Shield breaches, the word among those we met with was that a bill, a real bill with a real chance of passing, was close. In fact, due to come out of committee within a couple of weeks and go to the House. Senators seem to also understand this is urgent. I felt optimistic that collectively they might actually get something done.

Privacy has been the chief concern about past bills proposed, and why none have made it through to date. We received assurances that the soon-to-be-released reincarnation of CISPA was significantly different and would address many of the previous privacy concerns (why couldn’t they have done that in the first place?).

It was noted that while Government has lots of resources to help defend, Industry must be willing to turn over data needed to enable that defense – 80-85% of malicious code is believed to be in the private sector. Expect the new bill to have safe harbor provisions to protect Service Providers and others who hold our data. We were told that there will be no sharing with the NSA (good they’ve figured that one out) or the DoD – there must be civilian oversight, and all indications were Dept of Homeland Security would be on point.

While it was great to hear optimism among Congress people and their staff who joined the discussions, education of the broader Congressional membership is still a big gap. Hopefully the recent high profile health data breaches, which apparently touched as many as one in four Americans, have been enough to get the attention this issue so critically needs so we could see something fair yet helpful passed this year. Fingers crossed.

On a lighter note, Senator McCain was most gracious to pose with those of us who met with him.


Tales from the Silicon Valley Cyber Security Summit – Part Deux

While the policy panel discussion at last week’s Silicon Valley Cyber Security Summit pointed out the many challenges of governments trying to deal with the cyber threat, the second ‘Next Generation’ panel was all about the shortage of qualified talent to deal with the problem.

The good news – cyber presents a great career opportunity! As in, we need lots of help. Now. The not-as-good news: 40% of open IT security jobs in 2015 will be vacant. There simply aren’t enough qualified people to fill them. Technologies such as new threat intelligence and attack remediation products will continue to advance, which will help automate intervention, but there is still a need for people to skillfully apply them, and for others to come up with them in the first place in the face of a never-ending game of new threats. One speaker gave a statistic that only a couple of years ago, a new piece of malware was detected every 15 seconds. Now two new pieces of malware are detected every second! The speakers expected that pace to accelerate exponentially.

There are a growing number of formal university programs in this area – Mo Qayoumi, President of San Jose State, noted that they are launching new certificate programs in cyber security and big data analysis starting in the Spring 2015 semester, and I found many others online. I was very surprised to hear that only 12% of computer science majors are female, and that population has been steadily shrinking for 2 decades. A marginal percent of those study cyber. So we’ve got a challenge with public engagement in the issue, an inadequate talent pool, and almost half of the student population not even thinking about the problem. Hmmm.

Of course not all software learning is in the classroom and talented hackers do emerge. That is why General Keith Alexander [former head of US Cyber Command] went calling at last year’s Black Hat Conference – while unconventional, he knew this is a place to find badly needed talent. There are also several incubator initiatives like Cyber Maryland and Virginia’s Mach37, and the many Silicon Valley start-ups trying to make a go of it.

Another challenge is that CEOs don’t fundamentally understand the complex cyber problem, so they delegate it to the CIO. [This reminds me of similar dispositions toward Disaster Readiness and Business Continuity Planning pre-9/11]. Cyber threat is another form of business risk and should be planned for as such. One speaker mentioned that there is expert consensus, even from VCs who are scrupulous about how money is spent, that for a $100M IT budget, 5-15% should be spent on security. While panelists noted cyber threat is a top discussion point for many corporate Boards, there is uncertainty about what to actually do to prepare.

This is obviously a tough issue all the way around. One speaker suggested repositioning the brand message to what regular folk will respond to – protecting national treasures, your home and quality of life, our critical infrastructure and our national security. Nick Shevelyov, Chief Security Officer of Silicon Valley Bank, summarized it thus: “the technology that empowers us also imperils us.” Hoping more of us come to understand that and step up.

What I Learned at the Silicon Valley Cyber Security Summit – Part 1

I was fortunate to attend last week’s Silicon Valley Cyber Security Summit, where I spent 4 hours indulging my obsession with this subject while unfortunately increasing my level of paranoia. The panel discussions were excellent, bringing perspectives from security technology providers, pundits, the Dept of Homeland Security, two Congressmen, two Senators and execs from the outstanding Silicon Valley Leadership Group [#SVLG].

The first discussion centered around progress to date with Obama’s Executive Order (EO) issued in early 2013, and the potential for more formal cyber policy or regulation coming from the Congress. The cybersecurity problem offers a rare opportunity for the public sector to lead in a critical technology domain, but all of the day’s speakers emphasized the requirement for public-private partnership in addressing the challenge. There has actually been some good news around the Cybersecurity Framework, an outcome of the EO being driven by NIST, in which participation is voluntary but to which apparently 3000 private sector representatives have actually contributed. While governments actively push such information to the citizenry, companies need to share a lot more about what’s happening to them, what they’re learning and how they’re defending themselves – competitive concerns are keeping this constrained to date. Still, some progress is being made.

One of the biggest eye openers was the claim by several speakers that the public is just not engaged in this issue and therefore practices poor digital ‘hygiene’. I found this surprising and uncanny in the aftermath of the Target and Neiman’s attacks last Fall, and the August 5 revelation that a Russian crime ring had stolen 1.2 billion username and password combinations and more than 500 million email addresses. WAKE UP PEOPLE – this is serious stuff!

Senator Saxby Chambliss (R-GA) extolled the virtues of his and DiFi’s Cybersecurity Information Sharing Act bill, which made it through the Intelligence Committee but still faces stiff opposition from privacy advocates. While speaking at length about the urgency of the issue, Sen. Chambliss then went on to say that Congress would only be working a whopping 3 weeks between now and the November Election!!!!! Two weeks for the Senate, one for the House. Wish I could get paid with great benefits for not working. Post-election will be a lame duck December, then the Freshman class must be educated on the issue. And then of course there were the references to don’t overregulate, etc. that will expose the usual partisan split. Bottom line, passage of a bill is unlikely anytime soon.

Everyone agreed that what would spur Congressional action would be a real crisis – a big attack that causes some real national pain. Let’s hope we don’t have to endure that to get something meaningful. It is also possible for Fed agencies like HHS, DHS, the SEC and others to impose cyber regulations within their domains – some are already doing so. And States are stepping up too, with a plethora of unique policies that will be nigh impossible to follow if you happen to do business nationally. Beyond the US, each country will have its own policies as well.

For me, the core issue behind all of the discussion was TRUST – people don’t trust the government, businesses don’t trust each other OR the government, the government doesn’t trust other governments … One speaker even joked that in the Silicon Valley, the NSA is seen as an ‘advanced persistent threat.’ Everyone is waiting for something BIG to happen, which it will sooner or later. Let’s hope later.

My next post will take up the 2nd worry point – the lack of a talent pool to address this mess!


Unconventional Wisdom for Entrepreneurs

At today’s Destination Innovation event sponsored by #NVTC Northern Virginia Technology Council, entrepreneurship and technology innovation in the Northern Virginia / DC Metro area was rightfully celebrated – there is a lot going on here! The event offered mini-pitches from local innovators well beyond government-focused solutions that tend to be associated with this area. Congratulations to award winners @LynxFit, @homesnap, @LMI_org, and especially @KeyCyberSec who is serving a high value social purpose that also has great growth potential!

There were two keynotes. Carly Fiorina gave a sporting mom-and-apple-pie speech that surprisingly, at least to me, centered around policy. Despite her failed California Senate bid, she clearly still has political ambitions and was positioning accordingly. The second keynote was from local tech hero @Michael Chasen, founder of Blackboard, who nurtured his higher ed start-up service from a garage to a $1.7B selling price. He is now on to a new venture @SocialRadar. His remarks were resonant for the aspirational attendees, many of whom were start-ups dreaming of making it big. His very personalized speech focused on 5 unconventional wisdoms learned from his journey with Blackboard. While I’m not sure how many of them were truly ‘unconventional’ they were spot-on for what it takes to make it in today’s market.

1) Be passionate about what you’re undertaking [and be an expert in your field]

2) Focus on the business – not the office. In other words, don’t worry about the ‘stuff’ – he showed a picture of his original, ergonomically awful desk chair that he claimed to still use

3) Share the vision – and sell the execution

4) Constantly seek advice [and pay attention to it]

5) Realize that disruption changes everything – and then changes everything again

Whether you are a tech company or any other innovative venture, these were great insights, born from direct experience, by which to run your business. Very proud to have had a small hand in this event, and truly impressed with the level of entrepreneurship to be found in this region. Silicon Valley, take note!


BYOD: Where’s the Line Between Your Job and Your Life?

I recently read a very interesting article* on the growing BYOD [Bring Your Own Device] trend. The article touted a Gartner [market research] prediction that by 2017, one half of employers worldwide will stop providing digital devices and require employees to bring their own to work. Wow.

Even if it’s only one quarter of employers by then, the implications of such a change are profound for both parties. Wouldn’t we all love the convenience of one PC for all of our stuff? Wouldn’t life be simpler if we had a single smartphone instead of one for work and one for personal? Wouldn’t companies like to save all that money by having workers pay for the assets needed to perform their jobs?

Maybe not so much. There are some significant considerations on both sides that will require technological as well as legal solutions before this could work.

Security is most obvious. Employers will rightfully want to and in most cases legally have to protect their systems and their data. Device-based security is found wanting in the age of ultra-sophisticated hacking. But what legal right would an employer have to force an employee to install security technologies on their personal device?

PCs have long been vulnerable, but today’s mobile devices are ever more subject to attack – especially smartphones and tablets where people download all kinds of apps. Employees often use insecure public networks, and goodness knows what their kids might do on devices left around the house. Legitimate users with unknowingly compromised devices could introduce havoc to the corporate network.

Leveraging the Cloud could help, but there are still many security concerns there as well. We can certainly expect cloud security to be greatly improved by 2017, but hackers will never rest. And once corporate data is downloaded to an employee’s personal asset, the employer has lost control.

Privacy is another big issue. How would one confidently partition personal data from employer data? Will your employer be able to see what web sites you visit? What apps you use? As with NSA tracking of private citizens, how would you know where and when you might be compromised? Conversely, what about employees’ family members who go on a little snooping expedition on the company network?

There are also productivity concerns. Certain software could restrict what employees can do with their devices, negatively impacting productivity. And what about the right to work? Will qualified workers be legally denied jobs because they don’t personally own the latest and greatest technology that companies define as mandatory work tools? Perhaps iPads will become the digital equivalent of the uniform. What about when employment ends – what happens to the downloaded data, the company software, the network access?

This is a really complex issue that requires much more thought and vetting before BYOD can be successfully implemented on a broad scale. How comfortable would you be integrating your personal devices into your job?

*Thanks to IEEE’s Computer magazine, November 2013 issue


Clowns to the Left of Me, Drones to the Right…?

Interesting time as always at last night’s gala Media Predicts: 2014 (#MP14) – where Silicon Valley PR folk hobnob with tech media elite. Always fun to hear next year’s predictions, catch a little gossip, and look back at what predictions were way off base last year! Shout out to PRSA Silicon Valley for putting on this event – it’s a lot of work and always well done.

One of the hot discussion topics was Amazon’s drone delivery vision – while Bezos went on 60 Minutes last Sunday to describe what he sees as feasible by 2015, a Monday faux news story had floated that such delivery was imminent – it got yuks for the best PR stunt of the week. Still, the visionary Bezos sees this as in the realm of the possible in the not too distant future. Who knows if it will be, but the very idea of it begs policy consideration on multiple levels, and fast.

Seriously, commercially owned flying objects buzzing around my house – or my head? Will have to start carrying a baseball bat! Someone at last night’s event joked about whether people would have the right to shoot down aircraft that invaded their property without permission. Would the FAA have to regulate? Will we have sky ‘roads’ when competing vendors start sending their little buzzies at the same time? What happens to my UPS guy? I like him!

Futuristic silliness, probably – or is it? As we all know, technology changes quickly and DC has a very hard time keeping up. Consider this advance warning.


Big Data and You – Transparency or Fishing?

Last week, digital data broker Acxiom launched a new service called – it is supposed to show you what data is collected about you so you know what marketers see and how you are targeted, and it provides you an opportunity to ‘correct’ your data if any of it is incorrect – ostensibly so you will be targeted with advertising that is more of interest to you than that which is not. In their parlance “Make Data Work for You”.

When I learned of this service, I thought I might check it out to see how I’m profiled. That was until I started looking at the information I would have to give to them just to see what they have on me. Like my full date of birth (to the year), my physical address, my email address, and the last 4 digits of my social. There were red flags all over this which tempered my curiosity. I did not fill in their form, and their records on me remain a mystery.

From what I have read about people who did participate, including a friend of mine’s personal experience, considerable amounts of Acxiom’s data are inaccurate. So how many consumers will be inclined to update their records with correct information – essentially becoming Acxiom’s free and outsourced labor force, providing the cleanest data possible at virtually no cost to them? Such information is worth a fortune in the marketing world. The value proposition is dubious and the revenue model is sneaky. Digitally savvy consumers may see through this, but there may be many people who won’t.

Perhaps most troubling to me is the ‘get over it’ undertone – they state clearly that your data is and will continually be collected and compiled, that you will be marketed to based on it, and that you have no choice in the matter: One excerpt: “Opting out of Acxiom’s online and/or offline marketing data will not prevent you from receiving marketing materials. Instead of receiving ads that are relevant to your interests, you will see more generic ads with no information to tailor content.” So, their pitch goes, isn’t it better to just give us the accurate information and get marketing messages of relevance to you?

There is something brazenly audacious about this to me, a threshold being crossed. The Acxiom site, with their soft colors and friendly font and cute avatars, looks so innocuous. But in the digital fishbowl, we are giving away our personal information in volumes – so is it just better to know? Maybe some of us would rather give accurate information in hopes of stopping the flood of off-the-mark spam. Opt in or opt out? That will be captured as well, and the implications of either choice will surely further influence what shows up in your mailbox.
