About this podcast
B2BiQ features personal conversations about the business disciplines of Process Excellence, Shared Services, Customer Experience and Customer Management.
Jett Oristaglio, DataRobot
Data Scientist Jett Oristaglio joins us to talk about Humble AI and Trusted AI, and asks: what is everything you need in order to trust AI in your life? He goes on to share that trust is not binary; it is multi-dimensional, and so there are a number of criteria that should be evaluated. Performance: does the model predict well for the problem being solved, otherwise known as accuracy. Operations: how reliable is the system the model is deployed in. And Ethics: how well does the model align with the values of the organization. Of course, the most talked about is accuracy, in that the model has to be fast enough and has to be stable (have strength). Not surprisingly, all of these are aspects you want in a human decision maker too.
Christine Vanderpool, Florida Crystals
Christine Vanderpool is an Executive Board Member for Cyber Security Hub. She was Inteligenca’s 2019 Woman Cyber Security Leader of the Year and Molson Coors’ CISO before being whisked away to the world’s largest sugar cane refiner, Florida Crystals (which includes Domino Foods). So Christine is certainly an excellent current example of a CISO. Her company is an industry leader, she’s the ultimate cyber security leader at her organization and she’s winning awards for her work. But her background doesn’t add up to what we once understood as a good example of a cyber security leader. She doesn’t have any military experience and, “well, I'm definitely an extrovert.”
Business case
It’s safe to say that the ‘old guard’ of cyber security leaders is not a group of extroverts. “I love to use analogies and storytelling. It's really important for me that my user community, my executives, my leadership, they understand what it is that I'm trying to do. They don't just blindly believe me because I've scared the bejesus out of them, but they actually get what I'm trying to tell them. They understand what our risks are. They understand how I want to mitigate those risks. And I try to do it in ways that are appropriate for our business at hand.”
Budgets
In describing her mission, Christine doesn’t use the word technology. And it’s not because she’s some marketing person; her formative years were spent with IBM, Hitachi and SAP technology, so she’s a technology person. But she realizes that just talking tech won’t get the job done. As noted, her job is to make sure her stakeholders understand what she is doing. The Cyber Security Hub Mid Year Report showcased the fact that budgets are mostly flat or down. If Christine were arguing for budget tech first, she would not find success. Her executives and leadership understand the risks and how to mitigate those risks in a way that’s appropriate for the business because she’s made the business case.
Enabling business
“I'm not going to buy the latest and greatest gadget just cause it's really cool, if we don't need it. My philosophy is you could take that same budgetary funding and use that on a, say, marketing project or a product development project that is going to increase your revenue. If your revenues increase, then my bonus increases. So I'm not stupid.” She says she’s not stupid, which of course is obvious. But that statement actually shines a spotlight on her brilliance. She’s going into budget meetings and telling her leadership to spend money on product development and marketing based on the confidence she has in the business case she’s made. She is not worried about losing her needed budget.
Doctrine In Depth
And there’s depth to that doctrine. She does things “that elevate and help the business rather than just saying no.” As the interview with Bob Turner informed us, she’s leading the Department of Know, not the Department of No. When asked if she’s a BISO, a Business Information Security Officer with a CISO title, she responds, “I wouldn't have a job if we weren't doing what it is that we do as a company. I work for a consumer packaged goods organization. So I need to always remember that that is the purpose of why we are here. We are not here because of security. We are here because we make a product that is sold to consumers. And that should be the focus.”
Bob Turner, University of Wisconsin
Bob Turner, a friend and Board member of the Cyber Security Hub as well as the University of Wisconsin-Madison CISO, was kind enough to make some time for an interview. The following is an overview of the past, the present and perceptions of the future cyber security reality. The University of Wisconsin is a Research One-level university with about 23,000 staff and roughly 44,000 students during the normal part of an old-normal year. This number jumps to a total of 80,000 users overall when one considers affiliates and ancillary personnel, which means roughly a hundred thousand endpoints. Bob notes that the University has a large amount of important research. His resources are focused: he's got 38 full-time staff with about 20 students supporting governance, risk management, incident response, vulnerability management and what they call the common system Cyber Security team, which focuses on the big ERP-type systems: HR, Finance and Student Information. During the March 2020 migration off-prem, Bob's team was responsible for protecting that research, rolling out the BCP and moving 3,700 classroom courses to online delivery, to name a few initiatives. The BCP did in fact roll out well; Bob was happy with the team and confident in the execution: “the X factor, I think, was trying to understand how many of the different collaboration tools were out there and understanding about those tools that we may not have looked at very close in the past. We had to do that on the fly and we had to do it rapidly.”
The Past: Shop in order
It was confirmed for Bob and his team that ‘the past’ was secure. There were no issues in rolling out the business continuity plan, which was secure. There were no issues with the systems in place, which were secure. The team continued with business-as-usual: “daily security routines run a playbook and a SOC and the regular pattern and pace of risk assessments and policy management, as well as trying to ensure that our users are aware of issues.”
The Present: Work to be done
Now 100% remote, with business-as-usual going smoothly on a dime, ‘the present’ presented a threat matrix that could not have been anticipated, because a 100% remote global workforce was not anticipated by anyone. And so Bob and the team “had to put together a provisional policy on how to manage collaboration tools: What do you record? How do you record it? What type of data can you talk about over the air? Do the solutions have encryption in transit and encryption at rest, and is that encryption a suitable standard?” As Bob tells it, beyond collaboration tools, “COVID brought with it a whole bunch of fun little scams, a dramatic increase in the phishing attacks, business email compromise attacks and anything social engineering happening in real time.” With digital machete in hand, Bob slashed through all of those new issues to ensure that he and his team could take a step back and keep a big picture focus on what he’s always focused on: people, process and technology.
The Future: The Department of Know
With a big picture focus on people, process and technology, technology could be construed as your tools and process could be construed as your tactics. Tools and tactics can be improved or replaced to fit better with a new reality. But changing people is a more delicate and more gradual shift. “If it's face to flat screen, not face to face, we need to be able to see the person on the other end and understand if they're stressed or if they're calm and cool and collected. It's about listening very carefully to those indicators. We have staff who are spending part time as parents, which means part time as teachers and part time as the custodial staff in the house. And then they're also working for us.” “So the eight-hour workday is not contiguous. We have to make sure that we're compensating for that appropriately.” Truly understanding the human dynamic on his team is only the beginning. Bob is focused on understanding what each user needs and ensuring that user can appropriately and flexibly do their job with his support. He knows that his job is to ensure access with security. If he blocks access, the user will simply work around it with no security. As the future is now, he knows he cannot make decisions that negatively impact the work of his hundred thousand users. He has to be “thinking as a business enabler.” The department of no must become the department of know.
Suresh Chowdary, Nokia
During this digital summit panel, Suresh Chawdhary, head of security & privacy for Nokia, stresses the importance of a layered, multi-pronged cyber security approach to best protect against phishing and whaling. This layered defense mechanism moves away from a one-size-fits-all strategy, ensuring that everyone across the enterprise is well equipped to stay protected against threats.
Three Cyber Security Defense Layers To Consider
By baseline testing employees for their susceptibility to phishing, an enterprise gathers statistics and builds an actionable and measurable improvement plan. Even within this layer, different departments are responsible for different deliverables. That means that malware threats and other vulnerabilities will affect separate industries, and divisions within an industry, to varying degrees. By customizing phishing tests, much like bad actors do, a holistic and accurate pattern emerges. A second layer is targeted training sessions for employees so that they understand what is anticipated and expected from them, how to report phishing attempts properly, and how to make sure that they are not processing payments or sending sensitive personal information over email when they receive these kinds of emails. A third approach targets key executives. Suresh warns that this can get tricky. Leadership team members are often global, meaning they’re traveling frequently to meet customers and vendors or participate in seminars and conferences. They also have many different technologies at their disposal. With all these touchpoints, it is difficult for a CSO or an information security organization to inform executives of the varying degrees and types of risks. In this case, Suresh suggests relying on proactive, reactive, and detective controls to safeguard them. Because awareness alone doesn’t cut it for these busy individuals, multifactor authentication mechanisms and email encryption are a must. For example, a two-factor mechanism for approving invoices through email mitigates risk considerably.
Things To Consider When Developing A Cyber Security Plan
Finance and HR employees are particularly vulnerable due to their payment processing duties. An email spoofing the head of finance or the CEO may expertly convince an employee to urgently transfer money at the click of a button. The possibility of getting that money back is nearly zero. Additionally, HR has a massive amount of sensitive data at their fingertips. Data is the new oil in the cyber crime industry. All it takes is one slip or a single lapse in judgment for a breach to expose personal data so sensitive, such as credit card and social security numbers, that it creates a lawsuit or enough bad press to devastate an organization. Examining the big picture and important factors of an organization helps build a plan that fits the company in terms of cost, risk profiles, and the size of the organization. Considerations may include:
Cloud service encryption packages
Appropriate number of training sessions per year
Regulations and limitations of certain technologies across different geographies
A security plan isn’t going to be the same across an organization. Still, there are certain baseline technologies that build the foundation of security, namely an antivirus solution and a personal firewall for every employee across the globe. While email encryption is a nice-to-have for all employees, it is a must-have for people who are prone to whaling attacks, including the C-suite and leadership team. Other departments to keep in mind for customized control mechanisms are finance, HR, legal, procurement, and suppliers. It is important to have a combination of proactive and reactive controls when dealing with these hidden enemies.
Advanced Persistent Threats
The obvious goal of a phishing or whaling attempt is an immediate financial gain. However, an advanced persistent threat can do much more damage. In this scenario, a bad actor gains access to an organization’s network by confiscating credentials. Once inside, they can find and extract data while remaining undetected for long periods of time. Of course losing money hurts, but the loss of IP like proprietary algorithms or software can be a nail in the coffin.
The Business Case For Proactive Controls
Suresh estimates that only about half of all organizations have a solid baseline of security, although that estimate goes up to about 80% for middle and large sized companies. Unfortunately, too many companies make significant investment into cyber security reactively. The ROI and business case for a primary, proactive cyber security strategy often isn’t obvious until it’s too late, that is, once a breach has occurred. It is a CSO’s job, then, to build and communicate a strong business case around why a security technology investment is worth it. Also, while training is a worthy and necessary investment, humans are only human, and phishing and whaling attempts will sometimes work. That is why a CSO must also argue for add-on reactive honeypot technologies. A honeypot is a security mechanism deployed within a network that spots malicious traffic patterns in and out of the network. A honeypot can be set up to divert traffic to particular devices that slow the traffic down and even forensically investigate the source, destination, and the TCP or UDP port numbers. It identifies the types of files and the time of the breach as well.
Closing Thoughts
Suresh closes with a reminder for CSOs: they are responsible not only for protecting and safeguarding critical information assets, but also for mitigating these kinds of threats that might be underpinning certain specifics or functions. Beyond security talent, management and business skills are required.
Jim Brady, Fairview Health Services
During this digital panel session, Jim Brady discusses real-time change in incident management. His extensive experience in a multitude of security roles throughout his career means he has seen a lot of changes in the healthcare cyber security field. Naturally, the latest change to make its mark is the new remote work environment COVID-19 has deemed necessary.
A New Reality in Cyber Security
In the past, incident response plans were created and workshopped on location; in the case of healthcare, at the hospitals, command centers, etc. Now, with most of IT, the administration staff, and even doctors working remotely, new considerations must be taken. Now that vendors, legal counsel, and staff are working from home, are they vulnerable to new threat actors, or are the bad guys giving healthcare a break during this global pandemic? Unfortunately, opportunistic phishing scams are increasing as the world is combatting COVID-19. For example, some phishing attempts run under the guise of PPE equipment vendors. Additionally, while telehealth works as a good alternative to in-person doctor appointments, is it secure?
Three Main Threats
A well-executed cyber security incident has the possibility to severely disable or even take down organizations. In the healthcare field, especially during this time, it is imperative that hospital doors remain open. CSOs are especially on alert for the following three threats:
Data breaches
Ransomware and wiperware
Medical device and IoT tampering
There are a few key things CSOs can do to effectively mitigate these areas of vulnerability. The first challenge is managing the environment remotely now that key security staff are working from home. System access needs to be the same as it was onsite. Home networks require an appropriate amount of bandwidth, and the right VPN access must be granted. Home workers need the proper security for their home router firewall.
Incident Response Plans
A holistic cyber security plan not only works to prevent incidents but to respond to them as well. In the way that fire departments educate on fire prevention while also maintaining the ability to put fires out, responding quickly to a breach is imperative. For example:
Knowing who to go to if a critical IT system needs to be shut down
Knowing who the decision-makers are and having their contact information up to date and accessible
Creating a communication plan across departments that includes at-home employees’ contact hours and preferred forms of communication
Keeping contact methods such as video chats on secure platforms
Architecting a command center is difficult enough on prem with a team. It has only gotten harder with everyone spread out remotely. A communication grid helps clarify who communicates what to whom. The C-suite needs regular, high-level communication. Clinicians on the front lines delivering care need access to the technologies that are required to do their jobs. Educating the administration staff on how to stay safe at home is also imperative. These non-technical positions are more prone to insecure home network and firewall setups. BYOD devices must not be used by family members or left insecure. All of these things need to be considered when developing an incident response plan during this pandemic.
Staying Physically Safe While Keeping The Network Secure
The health and safety of employees is also tied closely into cyber security. For example, is there a contingency plan if a large number of IT staff get sick? Are hospital-issued laptops and repurposed IT equipment disinfected properly? Are vendors shipping safe goods? If a cyber security attack affects technology tools at a hospital, who retrieves that device for forensics purposes? Do they have protective equipment to keep them safe? All of these considerations must be a part of an incident response plan. The business and IT sides of healthcare banded together and willingly risked their health to set up the technological side of medical tents and drive-through testing. Jim considers the possibility that such a positive and efficient crisis response will set an impossible precedent for the future.
Healthcare After COVID-19
If ever there were a silver lining to Coronavirus, long-term healthcare changes going forward may be it. Traditionally, healthcare is an industry that lags behind in technology adoption. Telehealth, a method of healthcare that brings down cost and increases patient satisfaction, will be the new way forward. Jim expands on this idea before answering live-audience questions.
Jamal Hartenstein, Cyber Security Expert
Jamal Hartenstein’s background is in unified security management (USM) in military intelligence. He’s worked with the Department of Defense on military bases, as a part of joint task forces, and has experience with every branch of service. He’s helped with cyber security and data privacy initiatives for hospitals, federal agencies, pension funds and other private sector industries.
The Past: Not best in class
Jamal is wary of thinking that everything was ‘wine and roses’ prior to the global pandemic. He’s aware that some organizations had it right; they were leading-edge thinkers as far as cyber security. But most organizations were (by definition) not best in class. “The reality was that the threat vectors were more so contained within an enclave or an enterprise of known endpoints. It was easy to wrap your head around a BYOD or CYOD policy. There was a CMDB [configuration management database] that was probably accurate at one point, but that’s if you were a mature enough organization.”
The Present: Not prepared
And so even if you’ve gotten to today without a major breach, Jamal points out that with a completely new and 100% remote technology stack, “there is not an understanding of what data is entering our enclaves or enterprises.” He quickly follows that there is also not a complete understanding of where it's entering from and via what equipment. That ‘completely new’ terminology is not for all, but it’s for most, as “not every organization was capable or mature or had a sophisticated remote work toolkit in place.” This has all led to a threat landscape that has “expanded exponentially.” It’s not that Jamal’s outlook is bleak; he’s just concerned that those that have not been subject to major incidents perhaps do not understand the past correctly, which means that they’re not dealing with the present with a suitable approach. He focuses on a would-be executive who feels that they remain prepared for CCPA or GDPR because they just had an assessment done in January. “Well, in January your work from home workforce and your threat landscape was dramatically different.” Beyond dealing with the traditional issues associated with a breach, “the settlements and fines and fees or payouts after data security breach litigation are oftentimes much more than the cost of remediation or mitigating audit findings or a Cyber Security assessment.”
The Future: Still time to improve
Jamal’s industry assessment is that there are some that have not felt the actual tectonic shift that’s occurred for humanity and thus for cyber security. His point is that everything is different now, whether you feel it yet or not. And so, with that understanding, he parts with...
Five Pieces Of Advice
Investigate new forms of data protection
Ensure you have multifactor authentication
Focus on encryption at deeper layers in the OSI model
Realize the protection of data in transit and data at rest
Revisit your mitigation factors
The bottom line: prepare yourself to address the new threat vectors on your new landscape.
Robert Welborn, GM
Robert Welborn is the Director, Data & Data Science for General Motors. As he sees it, global corporate enterprise has, for the most part, seen data as a luxury: “we'll get to reporting when we get to reporting, we'll upsell, we'll monetize.” Not that monetizing is a bad thing, but Robert’s point is that we haven’t been using data as the ultimate element of decision-making. Sure, data-driven decision-making has occurred, but not to the extent of managing enterprise existence. The global pandemic had a particular effect on Robert’s company. For over 100 years General Motors manufactured motor vehicles. Then on April 8th, 2020, General Motors became a ventilator manufacturer. What used to be a fun data dance that Robert and his team would do privately suddenly became a precision-choreographed ballet of the highest order with every decision-maker involved. “What we had used as a luxury before suddenly was driving everything. We're having conversations with our suppliers, with the UAW and with the plants showing them through data what we're going to do next.” And the data told them just what to do. Robert and his team were seeing vehicle-level data as the pandemic burst across the globe and made its way to the East Coast of the United States. “The data is saying we can shut down. And the data that we're getting from the state of New York in specific is saying that if we were doing anything right now, we should be building ventilators. If there's anything that we would do, we should build insulators and we should build masks.”
AIIA: AI BFSI Panel
This BFSI Panel features key industry experts who share their strategies around pushing their organization into the future. They note that the technology available is user-friendly and rarely the barrier to entry. It is the mapping, the process, and post-implementation that makes or breaks a digital transformation. Agile development and change management are both initiatives that work. Automation has the potential to save time, money, and improve the customer experience, but if it isn’t applied in a purposeful way, it is useless. The panelists share their personal journey through transformation, offering insights and advice along the way.
CX: Fred Reichheld (Employee Engagement)
Fred Reichheld joins us again, this time to discuss employee engagement. The business benefit of ensuring a positive employee experience is that it translates to a positive customer experience. As Fred discussed last time, a good customer experience means an increase in profit. However, Fred is careful to clearly define what makes a good employee experience. Is it lots of vacation time, the ability to shirk difficult customers, and taking on only the best shifts? Of course not, as this would lead to a bad customer experience. Fred instead focuses on “helping your employees lead great lives of meaningful service.” Technology is used as a tool to automate unfulfilling tasks that humans used to be responsible for. In turn, human talent is freed up to inform, innovate, and provide meaningful change to the customer experience. Finally, Fred makes suggestions on how to achieve such a lofty goal. Ultimately, Fred says, “I think what inspires people to do their best is when they feel like they are being listened to, they have a voice, and that the team is consistently being put in a position where they can enrich the lives of customers and see that as the core purpose in their work.”
AIIA: Max Just/Julie Seitz (Future of Work)
Max Just is accompanied by a special guest on this episode of Future of Work. Julie Seitz is an expert on all things workspace, which makes her the perfect partner for the topic of—you guessed it—the future of workspaces. While she notes that an enterprise can’t necessarily futureproof themselves in this regard, she encourages them to get out of their insular spaces for the sake of spotting trends in how people are working in universities, airports, etc. Flexibility and simplicity in a workspace make more practical investments than technological ones that will become outdated. Julie also reflects on the evolution of the public school classroom and how examining that process helps illustrate how different generations work differently. Max jumps in with the ah-hah moments he had while working with Julie, including the importance of providing collaborative workspaces for collaborative work. Ultimately, Max and Julie agree: workspaces matter.
CX: Fred Reichheld (Customer Centricity)
Fred Reichheld, the creator of the Net Promoter System (NPS), joins us to discuss the task of building a customer-centric culture. Companies that do the best at enriching the lives of their customers are growing two-and-a-half times faster than their competition. Today, word of mouth and truth spreads like wildfire. The modern enterprise can no longer depend on clever advertising campaigns to mask their shortcomings. Building a customer-first culture isn’t always easy, though. Legacy companies have to fight through their capitalistic pasts. Metrics need to change. Shareholders must get on board with the new nature of business. The Net Promoter Score is successful because it provides data that proves the effectiveness of customer-centricity to the bottom line. It is a modern-day metric that replaces the ones that no longer serve today’s landscape. Fred offers both suggestions and examples on how to successfully pivot to a customer-centric business model during this insightful conversation.
PEX: Gary Pilacinski, L.A. Care Health Plan
Gary Pilacinski, director of business process improvement engineering with LA Care Health Plan, discusses the importance of cultural transformational change. From start-ups to legacy organizations, Gary stresses how critical culture is for the success of an enterprise. One common stumbling block to a successful culture change is a lack of buy-in from the C-suite. Conversely, if upper management sees a need for change but doesn’t effectively implement it, employees who have been with the organization for years—or decades, even—may get stuck in their ways. If that is the case, empowering frontline staff is key. Gary discusses ways to do just that. He also elaborates on how he is working to implement Lean and PI within his organization and how healthcare at large can approach the same issues. Hint: training the trainers is key. Change is uncomfortable. But with transparency, engagement, and most important, keeping the interests of the patient front and center, Gary believes Lean culture transformations are not only possible, but necessary for the success of the healthcare sector and those it serves.
AIIA: Roland Haefs, Henkel
Roland Haefs, with Henkel, discusses enterprise evolution and the shift from having purely transactional relationships to becoming a true business solutions provider. It takes strong leadership and an entrepreneurial spirit to pull off such a transformation, which Roland details. In order to demonstrate his point, Roland lays out Henkel’s approach to the shared services process of master data management. Next, the conversation turns to RPA and AI more specifically, including its role in shared services and how to make sure it is being deployed effectively. Further, Roland discusses Henkel’s four business priorities: fund growth, drive growth, excel at digitalization, and increase agility.
CX: Deena John, McDonalds
McDonald’s senior director of innovation, Deena John, joins us to talk about digital transformation. While definitions vary, Deena describes digital transformation as “transforming through integration of technology” with the goal of generating maximum value for the customer. End-to-end disruption means looking into the future and creating a transformation road map that leads to a new operating model. Deena discusses the differences and similarities between agile and lean, and the iterative process that makes scaling sustainable. Deena frames her key points with specific examples. Next, she asks and answers the question, “In an innovation culture what’s the importance of failing fast?” Ultimately, this insightful conversation with Deena focuses on the future of the enterprise and what needs to happen now to ensure corporations can keep up with the ever-changing landscape that technology brings to business.
PEX: Karen Tilstra, Florida Hospital
Karen Tilstra is the co-founder of the Florida Hospital Innovation Lab. In this conversation, Karen emphasizes the intent of the Innovation Lab, which, not surprisingly, is innovation. However, the process to innovation is often overlooked. Karen describes it as a “multifaceted journey of learning, of discovery, of openness.” In other words, innovation isn’t instantaneous, nor does it happen in a silo. When a brand thinks they know what’s best for their customers—instead of interacting with those customers—it’s often the beginning of the end. Karen details Sears’ downward spiral as an example. Next, Karen questions the value of the typical enterprise growth mentality. Is “grow or die” a myth or a reality? True, meaningful innovation involves the application of certain soft skills that aren’t immediately apparent. Karen drives their importance home in this insightful, outside-of-the-box conversation.