Skip navigation
1 2 3 4 Previous Next

Verified Expert

46 posts

ISacolick.jpg“When I grow up, I want to be a CIO”, said no child...ever! Fireman, policeman, doctor, just about anything...but not CIO! Isaac Sacolick wanted to build...bridges, buildings, trains. His love for erector sets eventually led him to Radio Shack and engineering of a different kind. By the age of 12, he was on a path, doubtful he knew it at the time, but he was on...The Path to CIO.

I started following Isaac after he was named to the Top 100 Most Social CIOs by Vala Afshar (a list to which I aspired, but never quite made it...come on Vala, give a brother a break!). As I read more of Isaac’s posts (he blogs at Social, Agile and Transformation on topics for CIO), I found myself agreeing with just about every concept he shared. I was thrilled when he agreed to be a part of this series.

Jeff: Isaac, thank you again for taking the time to be interviewed for this series. You credit your father for your interest and passion in computers. How did he influence you and start your down this path?

Isaac: I grew up in the Atari 2600, Intellivision generation and with some of the older tv console game machines. But my dad was an engineer and saw the games as expensive and of limited educational value. He bought me a Commodore Vic 20 and later a Commodore 64 to learn programming in Basic and other computing basics. I learned how to program and how computing systems functions, but what grabbed my attention the most was dialing into various Bulletin Board Services (BBS). I eventually got my hands on some software and opened a couple of my own including a BBS for dungeons and dragons playing and another for Commodore enthusiasts. One had a rudimentary dating site that a handful of people paid for access. I was 12.

Jeff: So, at the age of 12 you set the foundation for THAT truly is a different path to CIO! I can hear your acoustic coupler modem from here! Seriously, I find it fascinating, this is the third profile in this series and the common theme thus far is...Commodore 64. A zillion years ago, I had one as well. I wanted to learn machine language but couldn’t afford an Assembler, so I wrote one...but I was in my 20’s, not 12!

Many people who spend a career in IT are eventually faced with a ceiling of sorts. At some point they are faced with the decision to “stay technical” or move into managerial roles. Was this a conscious decision on your part?

Isaac: After grad school, I was hired as an engineer to join a team of five working on commercial genetic analysis software. I stayed almost two years developing software that enabled comparing genetic samples. It was a great experience, but when the company went up for sale, I went looking for new opportunities.

I made a decision that I liked working for startups and that the internet had huge growth potential, so I joined a startup that was helping newspapers build websites to search classified ads online. I was the second technologist hired and offered the role of Director of Software Development.


Being in a startup in the early days of the internet, I was able to be technical, managerial, and develop business skills. One day I might be configuring servers, the next day designing new search algorithms, and the last day working with product management on the next set of features.

Jeff: As you moved more into management, what were the influences on the management style you adopted?

Isaac: I had many influences. Hands on managers that knew how to do the work, improve process and organize teams. Marketing leaders that knew how to collaborate with engineers to get optimal solutions. Business leaders that knew how to handle difficult transitions and transformations when there was strong conflicting viewpoints. CIOs that developed enterprise solutions and developed practices and governance so that business unit teams elected to adopt them.

Jeff: Was there a moment in your career when you knew you wanted to be a CIO?

Isaac: When the founding CTO, Ian Lintault decided to move on a few years after I joined, I knew I wanted the role. It was a big step because we had just closed a strategic round of funding andLego.jpg there were a lot of questions from newspaper executives about how the internet worked, how we would scale, how much funding was required, and ultimately how we would develop digital products that complimented their print offering.


I knew few other CTOs at the time so he was and remains one of my early influencers.


After another round of startups, I decided to try bringing startup speed, agility, innovation, and digital capabilities to the enterprise. I went looking for enterprises looking to transform and joined McGraw Hill as a business unit CIO first at BusinessWeek and then with McGraw Hill Construction (now Dodge Data and Analytics). There were a good number of people who influenced me at McGraw Hill on being a CIO including Keith Fox who was BusinessWeek and Construction's President, Linda Brennan who who VP of Marketing and Operations at these businesses, and Adriaan Bouten who was the CIO of the Information and Media sector.

Jeff: Thinking back over your career, what key learnings or discoveries about yourself did you uncover and how did you use those to propel yourself into a leadership role?

Isaac: I learned to trust my instincts. There is no definitive guide on how to partner with business leaders and run efficient technology teams that can execute an agenda of transformation and product innovation. I stuck with several basic principles and have evolved them over time and experiences:

        • Build an agile practice.
        • Challenge business and technology assumptions and provide new solutions
        • Develop a data driven culture and technical capability
        • Enable experimentation to get more innovation.
        • Develop transparency around project portfolios, investments, status, and KPIs
        • Take steps to learn client needs, workflows, and opportunities
        • Collaborate and share what you’re thinking.

Jeff: Those are great principles. Building blocks, if you will. Sounds like you still like to build! What advice would you have for someone considering a career goal of CIO? What new skills should they hone to be a CIO in 2020 and beyond?

Isaac: A CIO needs to lead through a variety of experiences in order to be successful, so those aspiring to the role need to make sure they are always learning, taking on a variety of new challenging responsibilities, and demonstrating wins. In doing so, aspiring CIOs have to develop a playbook of how they will lead organizations, manage people, and enable transformation. For me I applied practices like agile development, self-service BI programs, and innovation practices to be successful in a number of CIO positions.


I firmly believe that CIOs need to have a technical foundation and have the ability to architect and communicate solutions. They need to be able to review platforms and make technology investments that can be applied to multiple business needs. They then have to be a consultant to business stakeholders, listen to their needs, consult with them on options but most importantly, sell them on a solution. This is essentially how CIO can “learn the business”.


But learning and partnering isn’t sufficient because today’s CIOs are expected to lead transformational efforts. To do this successfully, it takes a whole new set of skills to master starting with understanding industry dynamics, customer needs, and competitive factors. CIOs then need to be able to challenge the existing operating model and propose new ways to deliver solutions that customers value.  


Jeff: Isaac, I noticed you mentioned marketing several times in our conversation. I find that interesting, in so many cases IT and marketing are almost adversarial. You’ve broken those walls. Case in point, you have really embraced social media. In fact, you and I actually met in the Twittersphere. I have really enjoyed reading your blog and have implemented some of your ideas in my own shops, so first of all, thank you for sharing your insights! As a final question, how did you come to embrace social media in general and blogging specifically?

Isaac: I founded a travel social networking company and then developed a link sharing product at BusinessWeek. Both products required a strong understanding of how to develop social networks by providing value to contributors, participants and consumers. To understand the dynamic, I decided to embrace social networking first by creating the blog Social, Agile, and Transformation and then by being an active contributor as @nyike on Twitter and other networks.

I use the blog to share knowledge and insights on agile, business intelligence, digital transformation and other topics. I have almost 300 posts over ten years of blogging, and have also contributed to other websites and publications. On Twitter, I share what I am reading and participate in various conversations. I’ve met some very special people through these interactions and it’s a great way for CIOs to share their knowledge.

The series, “The Path CIO” explores the careers of CIOs from around the globe in a variety of industries. Each month we will feature the story of their journeys and answer the question, “How DID you become a CIO?” (If you have held the role of CIO and are interested in telling your story, please reach out to me via the links below!)

Jeffrey Ton is the Executive Vice President of Product and Service Development for Bluelock. He is responsible for driving the company’s product strategy and service vision and strategy. Jeff focuses on the evolving IT landscape and the changing needs of our customers, together with the Bluelock team, ensures our products and services meet our client's needs and drives value in their organizations now and in the future

Find him on LinkedIn.

Follow him on Twitter (@jtonindy)

Check out more of his posts on Intel's IT Peer Network

Read more from Jeff on Rivers of Thought

Also find him in People Development Magazine

Operation.jpg“When I grow up, I want to be a CIO”, said no child...ever! Fireman, policeman, doctor, just about anything...but not CIO! For Will Lassalle his dream of being a surgeon started with a game...a game of Operation. But like many, his first contact with a PC sent him down a new path...The Path to CIO.

Will and I first met (virtually) while doing the Transform IT show with Charles Araujo for Intel’s IT Peer Network. Recently we reconnected to chat about his path to CIO.

Jeff: So, Will, let me ask you...when you were a kid did you dream of being a CIO?

Will: When I think back to my childhood, up until the age of about 12, I wanted to be a surgeon. I was always a gifted and talented student. At the time growing up in the 80s about the only careers teachers and schools introduced you to was Doctor, Lawyer, Policeman, Teacher, etc. Pictures of these careers were strung along the classroom walls. Me? Since I was pretty good at the game Operation with very steady hands and wouldn’t let pressure get to me, I figured surgeon would be the way to go.

Jeff: When did this change for you?

Will: I was set on being a surgeon until, my father bought us a Tandy 1000TL in 1990. Up to that point, I had played a lot of video games on a Nintendo, Sega, Coleco, Arcades but my dad showed me video games on the computer and I was hooked. At this point I knew I loved computers and wanted to work in computers. I gave up on the dreams of being a surgeon (or playing in the NFL or NBA) and wanted to become a video game programmer.

In High School, a buddy of mine and I got in trouble and almost suspended for hacking the library computers. At this point I realized, I was really good with WIllHSPic.pngcomputers. But I also realized I did not want to use my skills to wreak havoc, I wanted to use my skills for positive purposes. I applied to colleges with the intent of going for a Computer Engineering degree, with the dream of landing a job with the FBI in computer forensics after college.  I was accepted into Penn State, but life happened and my High School girlfriend became pregnant. I never started Penn State and instead began immediately working at 17, in what I knew best to support the situation...computers.

I was working for Circuit City. One of my co-workers left to venture out on his own and start his own company. During our time at Circuit City, he saw how talented I was with computers, servers and networking and offered my a position with his new firm. I worked as a systems admin/engineer and project manager with him for a few years before the company went belly-up and I went to work at Iron Mountain in a similar role.

Jeff: Traditionally, career paths in IT are categorized in one of two ways: technical vs. management. When did you take the step into the management world?

Will: I still am technical. I believe this this has been one of the biggest plusses in my management career. Other technical folk would always come to me for help and guidance. I naturally lead people and had a friendly helpful demeanor. Leading by example is key with me as well. So, my work ethic of getting to work early and not leaving till the job was done stood out to senior management as well.

I never said no. Senior managers would say, “OK Will, you’re the point person on this project” and I would go with the flow. Which lead to me being a hands on project manager mostly working on infrastructure projects.  For me, getting into management was thrust upon me because I was a natural leader.

Jeff: As you progressed in your management career, what were the major influences on your management style and are their individuals that stand out for having a major impact on your leadership?

Will: I would say my management style is based upon a variation of the golden rule at that time in my career. I treated employees and others as I would want to be treated. And, just as important, I didn’t treat them in ways that I would not like to be treated. Meaning: no micro-managing, not being an *******, not providing work life balance, or taking credit for other's work or ideas. In other words, I took my lessons from the worst managers I had and tried to do the complete opposite. It worked with mixed results but, it did help develop my own style later on in my career as I worked my way up.

Later on in my career, influences on my style on the path to CIO were my mentors Frank Wander and Charles Araujo, their respective books, conversations with them, and watching them work and present at events. I always call Frank “Your Favorite CIO’s, Favorite CIO”.

To this day I remain technical, too I make it a point to take at least two training courses a year, one in management and one in a technical subject. And, honestly, since computers are still my hobby, I like doing projects hands on sometimes as the technical person. As an example, most recently was an Office365 migration, where I did the entire project myself including the engineering and execution.

WIllHS.jpgJeff: What was that moment that you knew you wanted to be a CIO? Were there circumstances or individuals that led you to that point?

Will: The moment in my career I knew I wanted to become a CIO was a combination of a couple of things. First, I had reached point where I felt I could no longer learn or be led by the IT management I was under. The second thing that happened was in my personal life, I met the woman who eventually become my wife.

When I met this young lady, I knew she was the one I wanted to be with for the rest of my life. She was studying to become a lawyer and I was “Just an IT guy”. I can remember attending a wedding as her plus one. At our table, I was surrounded by doctors, lawyers, dentists and Wall Street Investors, and me? I was “just the IT guy”.  I realized at that moment that I no longer wanted to be just an IT guy, but THE IT guy! This meant starting a journey to be a CIO.

I enrolled back in school and within four years had knocked out both my Bachelor's and MBA. I also married that girl and we have been married for 10 years this past February. While finishing my degrees, I also began marketing myself. Within my organization, I took on all kinds of projects and gained a reputation as a person that can deliver successfully. Externally, I leveraged social media using the hashtag #NextGreatCIO. Many self-development books encourage you to dress for success,  instead I wrote, blogged, and tweeted for the job I wanted.

So, again for me, my wife unintentionally influenced me on my path to CIO as she sparked that fire burning in my belly to succeed.

Jeff: You most recent CIO gig was for North Star Resort in Green Bay. I am sure that was an interesting assignment and challenge, but what I really want to know is, what was it like to live in Packer-town?

Will: Green Bay is an amazingly friendly place. Packer fans are probably the friendliest fans of any sports team in the world. Before we moved to Green Bay, I traveled there many times. Every time I visited, everyone was so friendly to me. It really made the relocation there easier.

Friendly...except maybe that one time. I was still commuting between Jersey and Green Bay. When I landed, something seemed off. The people weren’t as friendly. No one said, “hi”. Even the staff at the car rental counter seemed very aloof. I wondered about this all the way to the casino. As I walked through the resort to the IT offices, no one would even look me in the eye.

I mentioned my concern to one of my staff. He looked at me and said, “uh, Will, you do realize you are wearing a New York Giants shirt, right?” In my rush to the airport, I had not even realized it! I grabbed a sweater and put it on over the shirt. Magically, the midwestern hospitality returned immediately!

Of course, during the football season, at the Casino, at my kids school, everywhere in town, any time the Packers play, it's considered Packer day and everyone dresses in Packer gear. Everyone that is, except me. I come to work in a Giants Jersey. Yes, everyone busts my chops, but I just smile and remind them the Giants own Lambeau Field in January!

Speaking of Lambeau’s a great stadium with lots of history. I have had the opportunity to visit several times IT shows and expos while out in Wisconsin. I would recommend anyone visiting the area to schedule a visit Lambeau...take a tour or watch a game (but, not in January when the Giants are in town). It truly is an amazing place. 

Jeff: Ok, Will. One last question. Your tagline in LinkedIn describes you as a "Digital Transformation Expert". Tell me a bit about how that came about in your career and what you think that means for theWillGeek.jpg future of IT and your future as an IT leader. 

I’ve always been a futurist technologist. Seeing the forest for the trees. Change is inevitable and in Information Technology it's quite possibly the only constant. Digital transformation is not only about IT, but business transformation, as well. It’s really about preparing organizations for a digital economy.

Now what does that mean? Well, as a CIO that has worked in many organizations I have always been tasked with helping those organizations through their pain points, including keeping them up to date, not only on technologies, but on what their business should do to keep up with their customers.

So, as digital enabling technologies and processes come out like Social Media, Cloud Computing, IoT, Mobile, Big Data, Business Intelligence, Agile, DevOps, Automation, etc organizations that don’t keep up with the technologies or are not early adopters end up falling behind. As more time passes they fall further and further behind. My experience of helping various organizations through digital transformations has allowed me to understand and gain valuable experience. I now use that experience and understanding to help other organizations through their own digital transformation initiatives. This helps them to remain competitive and in many cases become disruptive in their own market segments.

Change is hard and requires change management. In a data driven economy, this leads to the need to be agile enough to keep up with the rapid pace of change.

Having this knowledge, combined with my knowledge of Security, Operations and Application development really helps me be a well rounded cross functional CIO that has no fear of ending up like the CIO acronym joke- Career Is Over.

The series, “The Path CIO” explores the careers of CIOs from around the globe in a variety of industries. Each month we will feature the story of their journeys and answer the question, “How DID you become a CIO?” (If you have held the role of CIO and are interested in telling your story, please reach out to me via the links below!)

Jeffrey Ton is the Executive Vice President of Product and Service Development for Bluelock. He is responsible for driving the company’s product strategy and service vision and strategy. Jeff focuses on the evolving IT landscape and the changing needs of our customers, together with the Bluelock team, ensures our products and services meet our client's needs and drives value in their organizations now and in the future

Find him on LinkedIn.

Follow him on Twitter (@jtonindy)

Check out more of his posts on Intel's IT Peer Network

Read more from Jeff on Rivers of Thought

Also find him in People Development Magazine

Bio Vulns - crop.jpg

Authentication in the modern enterprise is becoming more difficult.  The risks are rising, but adding more security controls can impede workers and are difficult to integrate into legacy systems.  Biometrics may be a better path to improve security while not adversely impacting the user experience.  But there are risks.  Biometric systems are not without vulnerabilities themselves. 


ABI Research has recently published an infographic showing a comprehensive view of biometric system vulnerabilities as well as a whitepaper talking to the recommendations for enterprise environments.   


The traditional username/password method is entrenched in most businesses, but in desperate need of improvement.  A sole reliance on passwords to gain access to devices, networks, and data is proving to be weaker as attackers are getting better at undermining them.  Passwords can be hacked, social engineered, and are a major source of vulnerabilities.  Once compromised, they open a vast number of doors for attackers. 


Passwords alone simply are not good enough.  Users as well as system administrators find them difficult to manage.  Changing the status quo is difficult, as the majority of business processes are built to support passwords and workers typically adverse to new security practices. 


Biometrics have been in use for some time in limited ways.  Considerable advances have brought the technologies forward to meet some of the challenges to drive broader adoption.  This has created very complex ecosystems to satisfy a variety of demands.  But like any technical authentication system, there are potential vulnerabilities at every step.  The key to improved biometrics security may be to simplify the technology to lessen the number of vulnerable points of attack.  Cost, user experience, and risk aspects must be recognized and proactively addressed for any additional controls.


Reducing risk.

Multi-Factor Authentication (MFA) reduces the risk of compromise as it does not suffer from the reliance on just one method to grant access.  Attackers must compromise at least two different controls.  The downside is by adding additional factors, it can undermine the user experience to the point of affecting productivity and acceptability.  Having biometrics satisfy one of the factors in MFA, holds the potential of reducing the friction users must endure, while improving the overall security of the system.


User Experience. SSG_16_02_EvangelistProgram_CyberSecurityImages_Final_B.png

Automating the awareness of the user can make authentication a seamless experience.  We automatically carry our biometrics with us.  Nothing to forget, lose, or break.  Advanced technology can make the process even easier.  For example, the tracking of a user’s face while in front of their laptop can make the device aware when they walk away to get a cup of coffee and leave the system unattended.  The system can automatically lock the screen.  Conversely, when the logged-in user returns, the system can recognize the familiar face and automatically unlock the system.  Such an experience is beneficial to the user while keeping the device safer.


Managing Costs.

Nobody wants to spend money on identity security.  Yet, there are a plethora of peripherals and secondary devices which enterprises purchase, maintain, manage, and service.  Fingerprint scanners, hardware card readers, and digital USB keys are popular but incur additional costs and frustrate users who have to carry the gadgets and cables.  What if devices themselves had integrated and trusted components which could do the authentication work?  Specialized cameras, microphones, fingerprint scanners, and electronics to securely match the profiles locally on the machine may be the path forward.  Hardware which is optimized and secured, supplanting the need for users to deal with secondary peripherals, could lower the overall total cost of ownership for enterprises.



Is biometrics the answer?  Well, it is one answer which is growing in popularity with organizations seeking better security, employee productivity, and paths to reduce costs. 



Interested in more?  Follow me on Twitter (@Matt_Rosenquist) and LinkedIn to hear insights and what is going on in cybersecurity.

5G security.jpg

5G holds the potential for massive immersion of technology into the lives of people and businesses. It is an evolution of technology which could allow bandwidth for 50 billion smart devices, driving towards a world where everything that computes will be connected.  Such transformative technology opens great opportunities, but comes with new unimaginable risks.  The scalability of improved speed, connections, and responsiveness will fuel unprecedented growth of data from more sensors and devices in our cities, homes, vehicles, and close to our bodies.  These will have access to our personal events, conditions, and provide new experiences of convenience, entertainment, and productivity; all of which, have amplified security, safety and privacy concerns. 


The fifth generation of networking represents an important technology enabling the next wave of computing devices to be connected for the benefit of users.  Upcoming 5G networks are designed to be vastly superior to our current 4G LTE mobile networks by increasing data speeds potentially 30 to even 100 times faster, shorten the latency for responsiveness, and perhaps most importantly scale to connect the billions of devices anticipated in the coming years.  Cars, smart clothing, ingestible health sensors, home appliances, drones, street signs, light posts, industrial equipment and many more in just about every field imaginable will connect and share data.  In many ways, it will bring computing to a more personal level.  The wearables, embedded sensors, smart vehicles, home automation, individualized healthcare and monitoring, and environment-aware entertainment devices will connect communities and enrich lives.  Devices will more easily and reliably share information, and work together to enhance our convenience, productivity, safety, health, and interpersonal connections with the people we care about. But such powerful tools can also be leveraged by those with malice or insensitivity. 


We must protect our technology, data, and privacy from those who intend or would do harm.  The value of 5G networks and devices must include aspects of security, trust, and privacy.  We will embrace technology that vastly improves the way we communicate and interact with the world, and at the same time act responsibly to support the establishment of protections for systems and people. 


As devices become more intelligent and capable, we trust them to complete physical-world assigned tasks.  In doing so, people relinquish a certain amount of control.  In most cases this is positive, could drive sweeping benefits, enhance productivity, and promote safety.  Having a smart car parallel park for me is much safer than my bumbling attempts to do the same.  I have never really mastered the task which results in delaying other traffic, higher stress levels, and eventually higher insurance rates due to the small dents I will likely cause.  So having a car respond to my request to park, measure the space and quickly maneuver the vehicle safely into the spot is nothing short of blissful magic for those like me who normally drive in endless circles waiting for an easier parking spot.  But to gain such benefit, I must understand that the vehicle is engineered in a way so it has the ability to sense immediate surroundings, accelerate, brake, and turn.  This is fine at a slow speed when I want to squeeze into an advantageous parking spot, but not so good for passenger safety if a malicious attacker takes control while traveling down the highway.  In the end, technology is a tool.  As 5G rapidly advances the connectivity and capabilities to open the possibilities of a better world, we cannot be ignorant or complacent when it comes to the risks and necessary security.



The biggest risks of 5G networks

Safety and Privacy, specifically for emerging IoT devices, represent the greatest risk. The Internet of Things will bring new levels of convenience, automation, awareness, entertainment, and productivity to people’s lives.  However, in the wrong hands, such connected smart devices we come to treasure, may be turned into tools to undermine our security, invade our privacy, and be misused to become a safety risk. 


Some would argue industrial controls hold the greatest risk.  But I would challenge such positions.  Industrial Control Systems (ICS) have long been in place in our power plants, water treatment, and chemical facilities.  Over time these systems gradually get connected to the internet, but in my opinion the introduction of 5G is not terribly important in this space from a risk perspective.  ICS operators have recognized the risks and realize they have been under attack for years.  To compensate, they have tried to limit the exposure of these systems and in many cases not upgraded connectivity capabilities on purpose.  Smart devices in ICS facilities could in theory be exploited, but it is more likely more sophistical control computers like servers and PC’s would be targeted. 


As 5G begins to roll-out, in the 2018 to 2020 timeframe, I think it will be the consumer devices which will hold the greatest risks.  I predict it will be the transportation, healthcare, and drone industries that will be the source of the most talked about abuses to security, privacy and safety.


Here are some examples where benefits accompany risks:

Scenario: Automobiles/Autonomous-Vehicles

Next generation automobiles and public transportation can use 5G networks to communicate with other vehicles and road sensors to avoid collisions, shorten travel times, and improve fuel economy.  But under the control of a malicious attacker, such vehicles may slow the flow of traffic or even worse, actually cause a serious accident. 


Scenario: Healthcare

Health monitors can enhance fitness, warn of impending medical conditions, summon help when the user is unable, assist doctors in fine tuning medications, and aid researchers in finding patterns across dispersed groups for improved treatments to some of the most severe chronic conditions.  But such power can also be abused.  Personal privacy can be undermined and tampering with data can cause an opposite effect with potentially serious consequences for patients under medical care.


Scenario: Drones

Drones are rapidly being adopted to extend the reach of a variety of services and capabilities.  They deliver medicines quickly over difficult terrain, assist with the detection and fighting of forest fires, explore hazardous environments, conduct military missions in dangerous zones, give artists new capabilities to capture expressive viewpoints, and may become the workhorse for the rapid package-delivery service of the future.  Conversely, they are a risk to passenger planes during takeoff and landing, they have impeded firefighting efforts, could be used as weapons of terror, be a hazard during social protests, support narcotics smuggling, and we have already seen how they can be a nuisance to privacy when watching people in what would normally be considered personal settings.



Securing 5G devices

Users, devices, software, networks, and back-end infrastructures must all play a role to improve the security of 5G devices.  The improved scalability of connectivity allows for a greater number of devices to communicate and results in the generation of much more data.  The devices, applications, and data form a chain which must be protected.  The problem is similar to the challenges we currently face with the Internet, just amplified to a much larger scale.  Emerging IoT devices represent a new challenge, as they are not as powerful and capable of defending themselves as PC’s, servers, and smartphones.  Most lack the power and speed to run sophisticated feature-rich security solutions.  So, more emphasis will need to be placed in other areas, such as hardware, networks, application validation, and back-end infrastructures to compensate.


Establishing trust as a foundation in 5G begins now

Cooperation among technology leaders to define robust standards which embed aspects for stronger security, improved privacy, and greater controls for life-safety related systems is imperative.  If security is not proactively addressed, the value proposition for IoT on 5G may be undermined by an erosion of the appeal and adoption by customers. 


Trust is hugely important.  Security must be designed into the 5G standards as part of the foundation, especially when considering its use in IoT connectivity.  Privacy aspects, to give end-users more oversight, default anonymity, and choice, must be included in product and software designs.  Systems which may represent a threat to the life-safety of people should possess elevated levels of security, administration, and control.  As consumers embrace technology, such as automated transportation and medical management systems, the level of trust must rise to compensate for the risks. 


The industry is at a point where security can be woven into the fabric, rather than suffer as a bolt-on afterthought.  Leaders in technology must work together now, to establish trust in the foundations and usages for 5G.  Consumers must do their part and be vocal in such expectations.  The demand for security is a critical driver for the delivery by suppliers who want to be competitive and service their customers.



How will top technology leaders play a role in supporting security, safety, and privacy?

Technology innovation and influence must occur in 3 areas to support 5G security, safety, and privacy. 

  1. Develop architectures and platforms to embed security and trust into the foundations of 5G connected devices and the back-end infrastructures which will handle the vast amounts of data from those devices.   
  2. Influence industry best practices and collaboration to establish robust frameworks and technology standards which implement strong security, safety, and privacy principles.  Intel’s automotive team is a great example where security recommendations and an industry consortium are driving the development of best practices.
  3. Deliver best-in-class security software solutions to protect from rapidly evolving threats on devices and in applications.  Software has the greatest flexibility to attune to new threats and the risk appetite of how devices are being used.  These solutions will be tailored to run within the potentially constrained computing environments for smaller or fixed-function devices as well as on the manageability infrastructure which provides oversight to groups of systems.



In the end, 5G is coming and it brings with it tremendous advancements to connect more and smaller devices to our electronic ecosystem.  This opens unforeseen opportunities as well as risks.  To reap the benefits and minimize the risks, technology leaders and security professionals must work in concert now to make the foundations and subsequent implementations of 5G networking safe, private, and secure. 




Interested in more?  Follow me on Twitter (@Matt_Rosenquist) and LinkedIn to hear insights and what is going on in cybersecurity.

VBiACU8KJu-5gDIvZ3U9LatdaReFVgMeTLXVlm7Pp4mtZPqqUDD0nbxY5eIozcoL_7wXGGGIBKFFYkDJcxRsd9qs3p8=s2048-1.png“When I grow up, I want to be a CIO”, said no child...ever! Fireman, policeman, doctor, just about anything...but not CIO! Me? I was going to be a rock star! From the moment I first heard the Beatles and the Stones in the fifth grade, all I ever wanted to do was play guitar (after a brief stint on the drums) and write music. My path fromRock ‘n Roll to CIO was indeed a long strange trip!

Looking back on an almost 35 year career in IT there were countless people, countless events, and countless decisions that led me to the office of CIO. It would take a book to mention them all. However, there a few that stand out as inflection points in my journey.

One of the biggest inflection points came in early 80’s when I went from playing a Les Paul to playing keyboard...a 3270 computer terminal keyboard to be precise. As the 70’s came to a close, I was finally coming to the realization that as a guitar player I basically sucked! That, combined with the fact that, although I had written hundreds of songs, not one song had ever been published or even performed for that matter.

I was working as a bill collector for the credit card division of a large bank when the planets aligned. I was given the opportunity to represent our department on the project team that was building a new computer system to run credit card operations. While I was “just” the user representative, I had the opportunity to work along some great developers. I was even given access to the reporting writing system and began to build some reports.

About this same time the Commodore 64 was released. I bought one and was hooked! From that moment on all I wanted to do was write software. I devoured every textbook I could find on coding, SDLC, database theory and design. Eventually, I was given the opportunity to move from being a user representative on the project to actually being a developer on the project. I can’t begin to thank my peers (Joan, Bob, Glenn, John, Lynda, Jane and countless others) on that team for their patience and mentoring as I developed from being a novice to writing damn good code! I couldn’t play guitar like Keith, George or Eric, but I soon learned I could make that mainframe jump, jive and wail! facebook_1456705517445.jpg

Fast forward about a decade and half. I was the lead developer for the order management system at Thomson Consumer Electronics. I had been there about five years as a contractor...a self-described long-haired hippie COBOL programmer...and I LOVED it! We had a team of about 5 programmers keeping the mainframe going and another 15 or 20 building a new warehouse management system using a “new” platform called “client-server”. My team and I were responsible for the mainframe side.

For a lot of reasons, the project was in trouble. It was years behind schedule and millions of dollars over budget. The company made a change and brought in a new manager, Dennis Cuffel, to run our teams. He was not new to the company, just new to us. The first move he made was to hire me off contract. Then it started. “You need to be a manager. You’d be good at it.” I always replied with the same thing. “Nope, don’t want to play the games”. I’ll give him credit. He was persistent.

A few months later, Carmen Hillenburg, the account manager for a national consulting company and I were having lunch. About five minutes into lunch she said, “You ought to be in management. You’d be good at it!” I just shook my head and asked, “Dennis put you up to this, didn’t he?” She denied it. (She has been denying it now for over 20 years, you see, we’ve been married now for almost 15 years, so I guess I have to believe her!). She was as persistent as he was. Months later, I finally agreed and became the application manager for the team when my boss was promoted.

It was now post Y2K. I had been promoted from application manager to director. At this point, I had a team of over 50 employees and dozens of contractors. The team was spread across four different continents. I think for about five years, I spent more time in airports and hotels than at home...Paris, Mumbai, LA, Brussels, Poland, I had enough stamps on my passport I had to get it replaced. I found that they were right...I was good at it...and, I LOVED it!

I am not sure when or how the idea of being a CIO crept into my head. I don’t recall thinking about it much. The company I worked for was huge, the CIO was in Paris. The highest position in North America was General Manager. That role was filled by my boss, Tom Kerby. I learned a lot about management and leadership from Tom. He was a good boss and an incredibly nice guy. However, I wanted more. Our company was downsizing. It seemed like our entire job revolved around budgets and more specifically, budget cuts. I was faced with a decision. I could either move to Paris as an ex-pat or move to Southern California. Spending a few years in Paris sounded very appealing, but after a couple years, you come home and everything and everyone would have changed. Then what? Southern Cal didn’t really appeal to me. Too crowded. So, I made the decision to look elsewhere.

I drafted and sent an email to about 20 people I knew throughout the area letting them know I was interested in making a move. Within minutes, I received a response from a former colleague who was now General Counsel for a real estate developer. He said I had to talk with them. They were looking to “upgrade” their IT department and I would be perfect to help do it. Within days I was interviewing. Several weeks later, I left my job of 14 years to become the VP of IT for Lauth Group, reporting to Ron West.

It was an intense few years on skyrocketing growth, both for the company and for me. Ron was into personal development. Ron was REALLY into personal development. I know I fought a lot of it, it was TOO intense. But looking back I can say it was those few years that turned me from just another “IT Guy” into a leader and into a CIO. One of the books he had me read was “Leadership and Self-Deception” by the Arbinger Institute. Basically, it helps you look at yourself without the guises of self-deception, full transparency. Your strengths AND your weaknesses.

There is an adage in business that you should look for ways to maximize your strengths and make your weaknesses irrelevant. Leaders are encouraged to surround themselves with people that have complementary skills to compensate for their weakness. I do believe in the second part, but I think making your weaknesses irrelevant isn’t done by focusing exclusively on your strengths. I believe you need to assess your weaknesses and identify those that can NOT be “outsourced”. There are somethings on your list that can NOT be done by someone else.

For me, one of those was public speaking. I HATED getting up in front of groups and talking. Heck, I hated talking in meetings. Why? Because, what happens when you speak up in a meeting? Everyone turns to look at you! I couldn’t stand it. I would stammer and stutter, I would freeze up. I couldn’t do it. However, I knew in order to achieve the things I wanted to achieve I would need to overcome that fear. I could not have someone else do all my speaking for me. It would never work. I spent years intentionally putting myself in situations that forced me to speak to groups, all sizes of groups. It was easy and it wasn’t fun, but today I can speak to a room full of hundreds of people. Now, instead of petrifying nervousness, it’s a rush of positive energy.

I spent 10 years of my career as CIO for two different organizations. How did I go from rock ‘n roll to CIO? Through a lot of supportive people, learning from some great leaders and from some not so great bosses (no one I have mentioned here would fit into the latter category), a lot of hard work and determination, and focus on lifelong learning and personal growth.

The series, “The Path to CIO”, explores the careers of CIOs from around the globe in a variety of industries. Each month we will feature the story of their journeys and answer the question, “How DID you become a CIO?” (If you have held the role of CIO and are interested in telling your story, please reach out to me via the links below!)

Jeffrey Ton is the Executive Vice President of Product and Service Development for Bluelock. He is responsible for driving the company’s product strategy and service vision and strategy. Jeff focuses on the evolving IT landscape and the changing needs of our customers, together with the Bluelock team, ensures our products and services meet our client's needs and drives value in their organizations now and in the future

Find him on LinkedIn.

Follow him on Twitter (@jtonindy)

Check out more of his posts on Intel's IT Peer Network

Read more from Jeff on Rivers of Thought

Also find him in People Development Magazine

Amplify Your Value.jpg

The Final Step on our journey to Amplify Our Value was also the most uneventful: we moved our entire production, test, and development environments to the cloud.

What?!!? You moved your entire data center to the cloud and it was uneventful?

Yep, uneventful. In fact, on the night of January 10, 2015, the night we moved 75 Servers, over 200 applications, several THOUSAND device addresses and 15 terabytes of data, I, the CIO, was home in bed sound asleep!

Now, before you accuse me of being derelict in my duties as CIO, let me explain the level of confidence I had in the execution of this final step. If you’ve been following along with this series of “Amplify Your Value” you know it had been a five year journey to get this far. Our team was hitting on all cylinders. Our Senior Architect, Jason Fisher, was (is) a rock star. He is one of those gifted individuals that can see the big picture AND all the minute details. I was confident he and Daniel Whitmyer, our Systems Admin, had it covered.

I was also confident in our partner in this endeavour. We had now been a client of Bluelock for a couple of years. I knew the level of talent they brought to the project as well. Each and everyone of them were the top in their areas. Confidence.

One of the essential steps we had taken along our path to Amplify Our Value also added to my confidence. In “Amplify Your Value: A Tale of Two Recoveries” I told the story of our move to Bluelock for disaster recovery. This not only made the decision to trust them with our production environment an easy one, but it made the transport of all of our applications and data “easy” (remember I WAS home asleep) as well. You see, they already had all of our data and applications in their Las Vegas Datacenter. Moving production was a matter of pointing the replication from one site to the other.

With all those moving parts, we only had two issues. One was with an outdated building automation system that had a hard-coded IP address, and the other was a typo on another IP address. Both of these issues were quickly identified and resolved.

The end result was that our headquarters truly was just another spoke on our hub and spoke topology network. The server room now only contains the switches and routers required to connect the employees there with their applications and the internet. Now a power outage like we had experienced the year before would be a non-event. Our stores could still sell merchandise, our schools could still teach our children and adult students, our nursing program could still help first time expectant mothers give birth to healthier babies, our manufacturing facility could still meet the needs of their customers and all of our other mission-based programs could still help our clients.

Confidence. That sounds so much better than “It was so uneventful it put me to sleep!”

This Final Step completed our journey to Amplify Our Value. I’ve written elsewhere about the tremendous accomplishments this team achieved, so I won’t repeat all of them here.But, here are just a few:

  • Opened 20 new retail stores
  • Developed and launched a loyalty card program with now over 500,000 customers
  • Added 500 new jobs to the Central Indiana area
  • Grew from one high school to 12 with over 3,500 students and 1,900 graduates
  • 26 new B2B customers
  • 150 former inmates served by our New Beginnings program
  • Over 800 babies born to first time mothers
  • Fully automated our online auction processing growing it to a $10 million business
  • Implemented BYOD for smart phones
  • Partnered with Netfor to provide a 24x7 Service desk
  • Dozens of new SaaS-delivered applications including: Workday, Domo, Facility Dude, Wealth Engine, Salesforce Marketing Cloud, and Director’s Desk.

The series, “Amplify Your Value” explores our five year plan to move from an ad hoc reactionary IT department to a Value-add revenue generating partner. #AmplifyYourValue

Author’s note: In the interest of full transparency. To paraphrase the old Remington Shaver commercial from the 70’s, “I like it so much, I joined the company”. In October of this year, I left Goodwill to join Bluelock as the EVP of Product and Service Development. My vision is to help other companies experience the impact Goodwill has felt through this partnership.

We could not have made this journey without the support of several partners, including, but not limited to: Bluelock, Level 3 (TWTelecom), Lifeline Data Centers, Netfor, and CDW. (mentions of partner companies should be considered my personal endorsement based on our experience and on our projects and should NOT be considered an endorsement by my former company or its affiliates).

Jeffrey Ton is the Executive Vice President of Product and Service Development for Bluelock. He is responsible for driving the company’s product strategy and service vision and strategy. Jeff focuses on the evolving IT landscape and the changing needs of our customers, together with the Bluelock team, ensures our products and services meet our client's needs and drives value in their organizations now and in the future

Find him on LinkedIn.

Follow him on Twitter (@jtonindy)

Check out more of his posts on Intel's IT Peer Network

Read more from Jeff on Rivers of Thought


With announcements of Microsoft Azure’s plan to establish a Canadian presence and the build-out of network infrastructure by local companies to support more cloud computing, one thing is certain, cloud is here to stay.


And while there’s been a lot of chatter about cloud, I think there’s still a little confusion about what cloud computing is and why businesses, particularly SMBs, need to take note. Here’s why it gets confusing: software delivered over the internet is sometimes referred to as a cloud-based solution, and so is an offsite server infrastructure. Since both solutions are described as cloud services, it can be hard to understand what the cloud really is. Cloud can be a hardware solution (sometimes called hardware as a service), it can be a software solution (software as a service) or it can be a combination of the two.


Regardless of the format it takes, whether hardware, software or both, think of cloud as a flexible, agile resource for your business. It can easily expand to respond to a successful campaign, or contract during slower seasons.


Having that flexibility to rapidly respond, scale up to meet uncertain demand, and the agility to quickly and securely deploy new or expanded service offerings, could make the difference between business growth and an uncertain future.


Why is this kind of flexibility important, particularly now?  Once again we’re faced with recessionary indicators in the Canadian economy. The current rollercoaster in the stock market (fueled in part by China’ financial turmoil) has only added to global economic uncertainty.


If there’s one truth about hard or tumultuous economic times, it’s that they often drive change.  During a recession, sales drop and competition for customers increases. To respond, companies need to reassess their investments and strive for greater efficiencies – to do more with less and to do it better than their competition if they want to ultimately survive.  When times are lean, the status quo is not an option. Optimistically, a recession presents an opportunity for businesses to behave differently, change the way services are delivered or to do things better, faster, and smarter.


While other countries around the world were hit hard by the Great Recession and were forced to adapt to new market realities by becoming more efficient and effective, we could look at this latest recessionary trend as Canada’s chance to evolve. The timing could be right for Canadian companies to make a significant business transformation.


Cloud services present an inexpensive model from which to deploy a dynamic, responsive environment. Let’s say a company launches a marketing campaign to drive online sales and doesn’t really know how the new push will be received by its customers. The cloud provides scalability to respond quickly and securely whether the company gets a few hits or a deluge, allowing them to meet the incoming need at a reasonable cost, while testing and growing a new service option. In other words, cloud provides a lot of answers in situations where the workload required is uncertain.


Another benefit is that cloud computing is not a ‘one size fits all’ model. You can select a very, very basic service that provides online access to specific tools, like running payroll, or far more complex solution that also delivers built-in security and encryption. While you will pay more for the more sophisticated services, you are only paying for what you use but you’re getting the guarantees that your data is protected and encrypted to the level you need.


Here’s the stark truth about security: one data breach can put you out of business so it’s really not worth the risk of getting it wrong.  Selecting cloud service providers who have the experience to keep customer information secure lets businesses stick to their knitting and do what they do best – delivering excellent products and services.


With all these benefits, why aren’t Canadian businesses latching onto cloud services in droves?  I think one barrier may have been concerns over where data and your sensitive company documents reside, known in the industry as ‘data sovereignty’.


With a large majority of cloud service providers previously located outside of Canada, businesses might have been concerned about where their data was residing, where it could have been accessed and where workloads were being executed.  While many business don’t care where their data processing is happening, for others such as government, health care, and financial services, geography is critical. Without a clear solution for controlling where data resides, these industries were resistant to embrace cloud in all its forms.


News about the build-out of a 'made in Canada' cloud infrastructure has started to remove this barrier to adoption, but technology has also continued to evolve and create solutions to many of the barriers or concerns facing businesses which may have been preventing them from accessing the benefits of these solutions.  For example, to respond to data sovereignty concerns, Intel has partnered with organizations like HyTrust to build a hardware and software platform that allows businesses or governments to set criteria for where their data can actually be viewed and decrypted based on its geographical location. This presents an answer to businesses’ and governments’ anxiety around data sovereignty. Whatever your boundaries are, technology now can protect data and limit authorized access only within those boundaries.


Are the innovations, growing local infrastructure and mature cloud solution offerings enough to expand the Canadian cloud experience?


I truly believe that cloud is (or will be) at the centre of everything we are going to be doing. It has the capability to expand and contract on demand. And, as we see businesses start to increase investment in Internet of Things to drive smart buildings, track fleet data and cargo status, control and customize marketing and signage, as well as needing to be able to perform detailed analytics on all that incoming data to empower effective decision-making (but more on this at a future date), they will need a way to manage an unpredictable level of data coming at them.


So the biggest question remains: is Canada ready and are businesses ready to take the leap? Companies like Microsoft believe we are ready or they wouldn’t be making this major investment, and their entry into the Canadian marketplace is a real game changer.  I also think the timing is right. To continue to succeed in the uncertain times ahead, companies will need to make changes to adapt to new market realities driven by recessionary trends and withstand the onslaught from global competitors.  Cloud could be one of the most valuable tools businesses need to establish a foundation for the future.

GP-Cloud CTA_151217.jpg

Amplify Your Value.jpgOne of the most dramatic steps we took to becoming a Value-add revenue generating partner was to completely throw out our existing network. Wow! As I write that it sounds a little “harsh”. Let me explain.

Our network ties together over 80 locations in Central Indiana. A year or so before we embarked on our five year plan, we had implemented an MPLS network, most of the 80 locations were connected with a T1.

Our Corporate Headquarters housed our servers, storage and the head-end of our network. Out of that same building, not only did we have corporate operations, but we also ran two charter high schools.

While this was a solid network providing four 9’s of uptime, we were limited. Already our Loss Prevention department wanted to view hi-def video from the stores, but over a 1.5 Mbps pipe viewing those video streams would bring the network to its knees. We certainly couldn’t let them view one store’s video from another store. So...they were locked out from doing so.

We were already streaming music to the stores over the T1; however, we wanted to be able to push a video stream to our TV walls (the area in which TVs for sale were displayed). We were sure we sell more TVs if shoppers could see them in action. Again, we were stymied by the network bandwidth, so we put a DVD player in each store and mailed them a DVD every month.

Forget doing a sales floor digital signage. No way was that going through a 1.5 Mbps needle.

Finally, even though we were on an MPLS network, we were essentially a hub and spoke network, with all of the traffic coming back to corporate before going out to the internet or to another location. If we were going to achieve our vision, if we were going to achieve our company’s vision, we had to find a better way.

Our first step was to sit down with our telecom provider, TWTelecom (now Level3) and put our cards on the table. We could put in bigger pipes but even the T1s were several hundred dollars a month. How could we afford to put 10 or even 20 Mbps pipes in? Believe it or not, the plan we came up with would dramatically reduce their Monthly Recurring Revenue (MRR), but we all agreed it was the right thing to meet our needs. So we embarked on Phase I of our Network Redesign.

Over the course of the next two years, we converted all of our retail locations to business-class cable. I can hear you now, “but what about Quality of Service, you don’t get that with cable!??!” True. But to ensure we had the resiliency we needed, we put Verizon 4G in each store as our failover. In a very real sense, we multiplied our bandwidth over 10 fold, and added a back-up circuit both for 80% LESS a month than the cost of a T1. For our larger sites (E.g. schools, nursing, etc.), we put in larger point-to-point ethernet pipes (when possible fiber-based) with business-class cable as the failover.

The project was drawn out over two years for a variety of reasons. Primarily, we wanted to time the retirement of the existing connection with its renewal. However, we also ran into issues with getting Right of Entry from some of the landlords where our stores resided. We also had one store that was adjacent to a major highway construction project which made it impossible for us to get cable service to the location. When we had finished moving all the other locations, we punted and put in a 10 Mbps point-to-point in that location. In 2017, when the highway is complete we will revisit that store.

As we were nearing the end of Phase I, we kicked of Phase II with the help of our networking partner, Sinewave. Phase II, was to move the head-end of our network out of corporate and into a state of the art, fully compliant, fully certified data center. We chose Lifeline Data Centers. Specifically, we chose their eastside location. The data center was built in the old Eastgate Consumer Mall. This mall, long abandon, had been built as an emergency bomb shelter during the cold war. During the Super Bowl that was held in Indianapolis, Homeland Security used the data center for their command center.

The initial step was to swing all of our connections to Lifeline and land on Sinewave’s stack. This would enable us to reuse some of our existing gear to build out our new fully-redundant stack. Once all of the traffic was successfully running through Lifeline, we swung it to run through our own gear.

As you might imagine, there were some complications with the migration. However, we were quickly able to resolve (with a LOT of help from Sinewave) the issues as they cropped up. Actual downtime to the stores or our schools was minimal. Most of the issues we encountered caused excessive latency in some locations. Once we identified the offending traffic and changed its routing, response times returned to pre-migration levels.

Once the network redesign was complete, we were able to help develop our new prototype retail store, complete with two 90”+ flat panels streaming hi-def content, TV wall content that can now be centrally managed, SIP trunking to the stores to improve the phone systems, and a “Best-Buy-esque” queuing system to speed checkout.

All of this left us with one final step on our journey. If we truly wanted our headquarters to be “just another spoke on the wheel”, we had to do something with all those servers. Next month, Amplify Your Value: Just Another Spoke on the Wheel Part Deux tells the story of moving our production environment to the cloud.

The series, “Amplify Your Value” explores our five year plan to move from an ad hoc reactionary IT department to a Value-add revenue generating partner. #AmplifyYourValue

Author’s note: In the interest of full transparency. To paraphrase the old Remington Shaver commercial from the 70’s, “I like it so much, I joined the company”. In October of this year, I left Goodwill to join Bluelock as the EVP of Product and Service Development. My vision is to help other companies experience the impact Goodwill has felt through this partnership.

We could not have made this journey without the support of several partners, including, but not limited to: Bluelock, Level 3 (TWTelecom), Lifeline Data Centers, Netfor, and CDW. (mentions of partner companies should be considered my personal endorsement based on our experience and on our projects and should NOT be considered an endorsement by my company or its affiliates).

Jeffrey Ton is the Executive Vice President of Product and Service Development. He is responsible for driving the company’s product strategy and service vision and strategy. Jeff focuses on the evolving IT landscape and the changing needs of our customers, together with the Bluelock team, ensures our products and services meet our client's needs and drives value in their organizations now and in the future

Find him on LinkedIn.

Follow him on Twitter (@jtonindy)

Check out more of his posts on Intel's IT Peer Network

Read more from Jeff on Rivers of Thought


Here’s the truth about big data: it’s a means to an end, not the end in itself.


Big data is nothing more than a huge collection of bits and bytes. It is only when you are able to analyse it, and gain some value from it, that it is actually of any use to you in your organization.


It is the insights businesses can derive from these bits and bytes of information, such as reducing customer churn to increase loyalty in the telco space, identifying buying trends in retail stores to maximize profitability or product placement, or even running algorithms to predict and mitigate pipeline failures in the oil and gas sector, that hold the promise of significant value.


Before we talk about whether the concept of big data has overpromised or under delivered, I believe it is critical to remember this one point: Big data is not about the information being collected, it’s about how businesses can transform that information to speed decision making.


One of the first decisions a company looking to start a big data initiative will inevitably face revolves around what data exists and how much data to keep.  Applying too many filters and narrowing down your raw data too early may be detrimental down the road.  Let’s say a few years from today, you need to investigate a very specific buying pattern.  You then discover the information you were wanting to investigate isn’t there because it was thrown away (or filtered out) years ago.  That lost data could have helped you derive important insights.


In reality, you can solve data storage concerns in an economical manner, but it’s equally important to contrast the storage costs against the value you could realize from some of this data.  And since businesses are continually evolving, it is very difficult to pinpoint what will or won’t be relevant into the future.  Investing in more storage will be less expensive in the long run than missing out on an opportunity that could be uncovered through future data analysis.


With companies starting to collect this big lake of data, how do you jump into the deep end without drowning in random details?


The short answer is partnership. Bringing together the right people can help you take that lake of data and extract the droplets of critical information that can help you to identify trends or reshape aspects of your business.  If you don’t have the internal expertise to derive the insights you need from the information you are collecting, seek help.


I believe partnerships are a business reality of the future and a business model we will see play out in many different forms as companies strive to be more competitive, bring new services to market and respond dynamically to changing customer demands. Businesses, particularly SMBs who form a large percentage of the Canadian economy, may struggle to develop internal skills in all the areas that are becoming mission critical including security, big data analytics, cloud computing and the Internet of Things.


Best in class partnerships can give smaller companies a leg up, give them access to much-needed expert resources and help them progress more rapidly along the path of extracting meaningful information from a lake of data.

Go big or go home


If there’s one downfall to big data initiatives in many organizations it is that they’re too small. Quite often, big data projects are launched by the IT department as a bit of an experiment; a trial of how data can be collected and used.  This narrow view is precisely why they will fail. 


To be a truly useful process, lines of business, sales, marketing, and departmental leadership teams  need to brainstorm with IT on areas where having deeper insights could help radically benefit the business. For example, knowing why customers behave in specific ways, purchasing patterns that secure or lose the sale or even what communications methods keep customers engaged with us.  There should be a clear business proposition, established at the outset, for big data project that goes beyond an IT-driven initiative. 

You need to think big about the opportunity this could present to transform your business by leveraging the insights locked away in your data.


It might be a scary proposition for some.  There is an enormous amount of information out there and the prospect of trying to analyse and understand it all could be daunting, but I would argue we’re reaching a stage where to stay progressive, businesses don’t have a choice. Businesses today have three options: You can sit on your hands and enjoy the fruits of your labour changing nothing around your business (and hope nothing new appears to challenge your stagnant offer), you can drive change yourself, or you can wait for someone else to come along and change your business for you (which may leave you on your back foot trying to catch up or going out of business).


I’ve always believed in controlling the future so I guess you could say I like to be in the driver’s seat where change is concerned. The best time to drive change in your business is when you are successful as opposed to when you are under competitive threats and your business model is being challenged. 


When you are talking about big data analytics, the information revealed can be truly transformative for the company willing and able to gain those insights.  The technology is available; the only barrier is a willingness to begin. Investing in big data is not a prohibitively expensive activity as long as you couple the initiative with clear objectives and an eye on areas where your future business success could derive benefit from deeper insights.


Imagine as a telecommunication company, you can see the patterns leading up to customer churn and can take action to identify then intervene before customers make the decision to move to another carrier.  That could be very valuable to a business.  Or if in the pipeline industry, they can analyse sensor readings and identify the patterns that signal pipeline failures so they could initiate maintenance or shut down processes sooner to reduce spill risks.  In the financial sector, credit card companies have done a lot of work to identify fraud but refining purchase pattern recognition could further mitigate the huge losses facing this industry.


We have a unique ‘made in Canada’ example of big data at work, and it’s in the agricultural sector. GrowSafe Systems Ltd. has developed a solution that helps producers track and analyse livestock data to maximize growth, but also identify potential health issues sooner so they can treat the animal faster.


All these examples have one thing in common, it’s not about what or how much information is being collected; it is about the insights derived from that data.


We are really at the tip of the iceberg. The amount of data we will be gaining access to is growing exponentially through the increased adoption of wearable devices, internet of things and the evolution of technology that is enabling us to collect more raw data. The opportunities are boundless for where this data, if we can tap into its insights, can lead us.

Sophisticated organizations defend themselves against cyber attacks with tools, products, services, and perhaps most importantly highly capable security professionals.  But it is becoming very difficult to attract and retain good talent.  The pool of qualified available resources has run dry and it is now up to the academic institutions to replenish the workforce population.  It won’t be easy, but higher education must save cybersecurity!

Cybersecurity may be fought with technology.jpgThe demand for security professionals is at an all-time high, but the labor pool is largely barren of qualified candidates.  Various data sources paint a similar picture with estimates hovering around ~70% of security organizations are understaffed, ~40% of junior-level jobs are vacant and senior-level roles are unfilled ~50% of the time.  A lack of security talent, especially in leadership roles, is a severe impediment to organizations in desperate need of staffing in-house teams. 

Hiring a quality cybersecurity professional is not as easy as you might think.  Universities are trying urgently to fill the gaps but are having difficulty in delivering the needed knowledgeable and experienced personnel.  Some experts have described cybersecurity as a “zero-unemployment” field.  In fact, the gap is widening, with 2020 predictions expecting the shortfall to reach 1.5 million workers.  Adding to the challenge, with demand high and supply low, security technology salaries are going up fast and are far outpacing their IT counterparts.  Specialty positions show strong double digit growth in salary over last year’s figures.  Leadership roles are in great demand as well, with compensation rising to match.  Relief of this situation will only come about by balancing the supply side of the equation.

Barriers to resolution

Higher education institutions and governing bodies are working feverishly to fill the tremendous demand with significant numbers of new security graduates, but serious barriers stand in the way.  Academic structures are not well aligned to the needs of the industry, there is a lack of consistent degree and curriculum standards, and educating students with relevant content, in a rapidly changing field, is proving difficult with traditional practices.

Positions within the industry are constantly evolving, with new roles and responsibilities emerging at a rapid pace.  The titles are changing as are the expectations for education and experience.  A recent inventory of federal job responsibilities showed more than 100 occupation-series which include a significant amount of cybersecurity work, representing ~1.6 million employees or roughly 4% of the workforce.  Adding to the mix are new industry jobs emerging around privacy, big data, internet-of-things, policy, customer protection, product design, testing, audit, investigation, and legal aspects of security.  Education institutions are having a difficult time in aligning the skillsets of graduates with the shifting landscape of what employers truly need at any given moment.

Ponemon Report - 2014 Best Schools for Cybersecurity.jpgConsistency across different higher education institutions is a separate problem which must be addressed.  A nationally recognized degree in cybersecurity does not exist.  Instead, most programs are customized and can have a vastly different emphasis and graduation requirements depending upon the host university.  There is not even a consensus on which departments such programs should reside. A 2014 Ponemon report showed a variety of academic departments where cybersecurity is situated, ranging from engineering, computer science, library, military, business, and legal studies.  The result are clusters of graduates entering the workforce possessing vastly different sets of educational knowledge and security skills.  This is problematic for both potential employers trying to fill a position and prospective applicants desiring to show competitive aptitude.

Teaching cybersecurity is difficult in of itself.  The technology, threats, and attack methods rapidly shift.  It seems every eight to twelve months, the industry swings to an entirely new focus.  A fellow security professional stated “if they are learning from a book, it is already outdated”.  Traditional rote teaching styles are insufficient to train professionals as they rely heavily on static material.  More dynamic sources of information, and processes to integrate them into the classroom, are needed.  Cybersecuirty instruction must be agile and stay very close to the pulse of what is happening in the real world. 

Expectations are not being realized by both recent hires into the field as well as companies who are investing in college graduates.  Students told me it was the last six months of schooling which was most relevant.  Before that, most describe the knowledge as an interesting history lesson, but not very practical.  Learning the fundaments are always required to understand the landscape and establish base skills, but the real value is in the pragmatic application of knowledge to supporting risk mitigation.  I have seen frustration with many companies who have hired graduates, only to discover they are not prepared for day-one.  They are glad to have them as part of the team, but the organization must start near square-one to teach them the current challenges and methods to be successful.  Simply put, both sides expect more.

With the vast differences in programs, teaching backgrounds, and content interpretation, sometimes even the basics are overlooked.  Many graduates don’t understand the practical distinction between obstacles versus opposition.  I have found that most, with the exception of those with a statistical background, don’t adequately grasp the relational difference between vulnerability and risk-of-loss.  Most concerning is how many students have a very narrow viewpoint and overlook how cybersecurity is both a technology and behavioral based discipline.  Far too many technical graduates see security as solely an engineering problem, where the right hardware, software, or configuration will achieve the goal and forever solve the puzzle.  This is just not realistic.  Cybersecurity weaves both technology and human elements together in a symbiotic way.  Only addressing one aspect may improve the situation, but will ultimately fail as an isolated stratagem.  These are fundamental constructs every security professional should be fluent in before entering the labor force.   

The solution is apparent

Higher Education Asks.jpgThe solution will arrive in three parts.  First, partnerships between higher education and the industry will need to attract more talent into cyber sciences, including women and underrepresented minorities.  The current numbers of students are just not enough to satisfy demand and expanding diversity adds fresh perspectives to creatively tackle difficult problems.

Second, students must be trained with relevant aspects and materials that take into account the highly dynamic subject-matter and environment.  Optimally, this should extend to post-graduates as part of continual learning programs.  The professionals of today also have a role to play.  They must contribute to the growth and security of tomorrow by advising and mentoring students, assisting educators, and contributing to the development of curriculums.  In a recent presentation to educators and academia administrators at the NSF Cybersecurity Summit, I recommended both an expansion of traditional topics and engaging industry practitioners to help provide timely insights and discussions for students.  Teamwork across academia and the private sector is mutually beneficial and will help raise the effectiveness of graduates as they enter the workforce.

Third, the curriculums must be designed to align to the security roles in the market.  An adequate level of consistency across teaching institutions, attesting to a completion of applicable studies is required.  In short, a recognized degree program for cyber sciences must be established.

Progress toward the goal

The shortfall in talent is no surprise as the industry has seen this coming for some time and a number of groups have been working diligently to change the academic system which supports cybersecurity professionals.  The US National Initiative for Cybersecurity Education (NICE) is a strategic organization tying together education, government and the private sectors to address cybersecurity education and workforce development.  The Association for Computing Machinery (ACM) is an international society for computing working to develop uniformed knowledge content for cybersecurity roles.

Working independently, many higher education institutions are taking the initiative to bring in experts to help teach and advise students to deliver more relevant education and better prepare them for the jobs they will be seeking.  They are reaching out to industry professionals to help staff and students stay current on latest trends, research, and best-practices. 

The Cyber Education Project (CEP) Industry Advisory Board is leading a national academic accreditation program effort to formally establish a Cyber Science degree and necessary certification criteria.  Institutionally, we should see a formal Cyber Science degree be approved in 2016 to establish consistent guidelines for graduates across the landscape of higher education.

Cybersec for HR.jpgIn the meantime however, businesses must adapt to the challenging employment environment.  Hiring of technical and leadership cybersecurity staff will continue to be difficult for the foreseeable future.  Human Resource (HR) departments can play a crucial role in planning and addressing problems.  In a presentation to a Chief Human Resources organization last year, I outlined a number of different areas where HR can facilitate practices to both hold on to good talent already in place and plan accordingly to hire qualified candidates.

HR team must staying on top of competitive salary reviews for current security professionals to insure compensation is at the right level to retain talent in the face of headhunters who are currently circling like sharks, hungry for any opportunity to harvest security professionals.  HR representatives should also be prepared to have candid discussions with managers asking to hire new security staff, as the market price may be misaligned to budgets, compensation disparity could be disruptive to current staffing expectations, and it may take an unusually long time to successfully fill a role.  In some cases, outsourcing may be the best option which should be up for consideration.

Must save cybersecurity

The industry is in trouble as a huge deficit of available professionals continues to grow.  Without well trained personnel, most organizations cannot establish or maintain a sufficient cybersecurity posture.  Academia is the gateway to prepare the next generation of professionals and universities are working purposefully to fill the gaps but are having difficulty in delivering the needed knowledgeable and experienced personnel.  Progress is slow, but inroads are being made by the best of academia.  Cybersecurity may be fought with technology, but it is people who triumph.  We must invest in the future generations of professionals who will carry-on the fight.  Higher education must save cybersecurity.

Industry colleagues, I will be speaking at a CIO roundtable luncheon in San Francisco CA on September 10th, discussing how in pursuit of a balanced security posture, organizations need capabilities which deliver smarter and not necessarily more security.

I will be joined by a number of other roundtable members from Apple, Oracle, Zappos, Guidepoint, Freddie Mac, and Barclays.  It should be an informative discussion covering a number of different topics and viewpoints for CSO, CISO, and other executives that set security strategy and architectures.

The event is hosted by Prelert and seating is very limited.  Registration page:

Prelert Luncheon.jpg

sandbox.jpgMalware is working hard to undermine and punish those who employ security sandboxes.  Security innovators are working hard to stay one step ahead.

Security sandboxes are a crucial tool in the battle against the constantly evolving efforts of malware writers.  Suspicious files can be placed in a digital sandbox where security can watch, look, and listen to determine what the code does, who it communicates with, and if it plays nice as expected.  This helps determine if file is benign or malicious.  The sandbox itself is a façade, designed to look and feel like a vulnerable system, yet in reality it is an isolated laboratory which is reinforced to allow malicious files to execute but not cause any real damage.  It is all under the control and watchful eye of the security toolset.  After analysis is complete, the entire digital sandbox is deleted, with whatever potentially harmful activities and changes disappearing with it.  

Many security vendors incorporate this technology to conduct analysis of downloads, executables, and even software updates to prosecute the malicious or allow good files to flow.  Similar tools are employed by forensic experts to dissect malware and unravel the inner workings.  The stratagem has proven worthwhile at confidently detecting dangerous code.  So much so, malware writers began embedding features into their software to detect when they have been put in a sandbox.  In order to remain elusive, upon detection the code either goes silent, temporarily acts innocent, or takes the preemptive measure of deleting itself, in hopes of avoiding being scrutinized by security researchers. 

Security has responded by making sandboxes stealthier to avoiding detection and allow malware to show its true nature, in a safe environment.  This hide-and-seek game has escalated, with new features being employed on both sides to remain undetected while attempting to discover their counterpart. 

In most instances it is passive contest.  That is, until Rombertik.  Given the adversarial nature of the industry, nothing stays secure forever, even security tools.  Rombertik takes a different approach and goes on the offensive to cause harm, incurring a discouraging cost on those employing security tools. 


Our security colleagues at Cisco have done a great job highlighting the anti-sandbox advances of the Rombertik malware in the Cisco 2015 Midyear Security Report.  They show how the creators of Rombertik have taken a divergent path from their more docile predecessors.  Instead of being passive and self-deleting or remaining quiet, it lashes out at the very systems attempting to analyze it.  It contains a number of mechanisms to undermine, overflow, and detect sandboxes.  Once it believes it is under the microscope, it attacks.  It attempts to overwrite the machine’s Master Boot Record (MBR) or destroy all files in the user’s home folder, with the goal of making the system inoperable after reboot.  

The Cisco report states “Rombertik may be a harbinger of what’s to come in the malware world, because malware authors are quick to adopt their colleagues’ successful tactics”.  It is an insightful report and I strongly recommend reading it. 

The idea of a safe area to test suspicious code is not new.  The original instantiation was simply an extra PC, which could be isolated and completely wiped after the analysis.  But that was not a very scalable or terribly efficient practice.  The revolution really came when software could create virtual sandboxes as needed.  Such environments are quick to create, easy to configure, and simple to delete and start anew.  Dozens or even hundreds could be created and be running simultaneously, each testing for malware.  But software has some inherent security limitations.  Malware can sometimes ‘jail break’ and escape the protected sandbox to cause real harm.  Additionally, the most sophisticated attackers can actually turn the tables to get under the virtual environment so the security environment is running in a sandbox managed by the attacker!

This maneuvering gets more complex over time as both sides escalate their tactics through innovation.  How much longer can software created sandboxes remain one step ahead?  Nobody is sure. 

What is needed is a more robust means of building improved sandboxes.  Beneath software resides the hardware, which has the advantage of being the lowest part of the stack.  You cannot get ‘under’ the hardware and it is much more difficult to compromise than operating systems, applications, and data which run above.  Hardware advances may revolutionize the game with better sandboxes, more difficult to detect and undermine.  I think time will tell, but it seems to be where the battle is heading.  What cannot be foretold is if changes in hardware will be the winning salvo or just a new battlefield for the attackers and defenders to continue to maneuver in the game of cybersecurity.


Twitter: @Matt_Rosenquist

IT Peer Network: My Previous Posts


Security Napkin.jpgRecently I was asked for advice from a passionate professional who is establishing a security company. They asked for strategic insights to help guide their organization. With a quick pen to cocktail napkin, I produced three nuggets of wisdom.

I want to share with the community my thoughts and more importantly hear from others what your advice for this emerging leader of security practices. Share your knowledge and insights.

My three pieces of advice:

  1. The measure of success for a security company is how you can make a meaningful impact on your customers ability for them to manage their security posture
  2. In security, customers must balance three aspects: Risk, Cost, and Usability. Risk mitigation is obvious, as it directly ties to the purpose and benefit of security. Cost must be a consideration as no customer has an unlimited budget. They must seek a level of cost, both initial and sustaining, which is appropriate for the level of risk they want to maintain. Thirdly, usability factors are important as they can impede business and make for a poor end-customer experience. For enterprises, it can also lower employee productivity, create worker frustration, and place greater demands on the IT infrastructure. For consumer facing organizations, security demands can cause customers to dislike products or services, which is greatly detrimental for business. Help customers determine and achieve the right balance for their business objectives.
  3. Risk is about risk of loss. This could be loss of assets, reputation, customers, IP, system uptime, litigation fees, regulatory barriers, etc. Tie the value of what you provide to the real/actual potential losses your customer is currently or will likely experience. Don’t use fear, uncertainty, and doubt, but be realistic to build trust with your customers. In the end, providing security is about trust. Be trustworthy.

Do you agree with my advice. Did I miss the mark?

Be bold and share your cocktail napkin of wisdom!

Security Salary Dice Report Image-500x657.jpgA recent report from shows how tech security jobs are far outpacing their IT counterparts.  It is part of a bigger trend as we see demand outstrip supply for cybersecurity professionals.  The cost of hiring or retaining talent continues to climb as organizations struggle in a market with depleted quantities of quality resources.  In highest demand are the security leaders, managers, and skilled engineers.  These roles are the anchors to a healthy security organization and critical for success.  They provide the mentorship, direction, expert guidance, and skills necessary to deliver against challenging tech obstacles, meeting the expectations of concerned executives, and countering the acts of creative cyber opponents.

The rise in salaries should come as no surprise.  Security experts have been predicting this for some time and there is not likely any relief for at least a few years.  The increase in compensation is a result of a hiring pool which is basically dry and demand for security capabilities continues to rise quickly.  The need for cybersecurity is growing in almost all industries, as attacks, breaches, and regulations continue to rise.  Some estimates predict a deficit of over a million computer security jobs by the end of 2020.  This is effectively driving up the salaries.

It is great news for the professionals already in the field.  Job security is at an all-time high.  It is commonplace for top and even medium tier talent to be pursued with enticements to change employers.  They are being lured with bigger paychecks and companies are defensively responding with improved compensation to retain the talent they have.  Else they will be in the unfavorable position of themselves trying to attract resources in a very competitive environment.

Human Resource departments can help by staying on top of competitive salary reviews for current security professionals to insure compensation is at the right level to retain talent.  In a presentation to a Chief Human Resources organization last year, I outlined a number of different areas where HR can play an important role in cybersecurity, including overcoming the challenges of hiring of new talent.  HR should be prepared to have candid discussions with managers asking to hire new security staff, as the market price may be misaligned to budgets, compensation disparity could be disruptive to current staffing expectations, and it may take an unusually long time to successfully fill a role.

HR for Cybersecurity Hiring.jpg

2015 International Security Education Workshop.jpgThis is also a great opportunity for higher education institutions to retool and prepare the next generation of security pro's to fill the needs of the industry.  In May, I spoke at the International Cyber Education Workshop, hosted at Georgia Tech in Atlanta, where educators from top academic institutions were working together to figure out how to upgrade their programs to best prepare their cybersecurity graduates to take management and technical leadership roles in the industry.  Additionally, I see a great direction set by the Cyber Education Project (CEP) initiative, which is a diverse group of computing professionals representing academic institutions and professional societies developing undergraduate curriculum guidelines and a case for accreditation for educational programs in the “Cyber Sciences”.  Education programs are the key to increasing the capabilities and numbers of professionals entering the field.

Until the supply of security professionals can come close to meeting demands, the salaries will continue to rise.  Where deficits in hiring quality staff exist, the risks of loss will remain elevated, reinforcing even greater demand.  It is a vicious circle and the only way to break free is with more security talent in the field.

Matthew Rosenquist is a Cybersecurity Strategist at Intel, an Advisory Board Member of the Graduate Professional Studies for Brandis University, and contributor to the Industry Advisory Board of the Cyber Education Project organization

Twitter: @Matt_Rosenquist

IT Peer Network: My Previous Posts


HR and security? Don’t be surprised. Although a latecomer to the security party, HR organizations can play an important role in protecting assets and influencing good security behaviors. They are an influential force when managing risks of internal threats and excel at the human aspects which are generally snubbed in the technology heavy world of cybersecurity. At a recent presentation given to the CHO community, I discussed several overlapping areas of responsibilities which highlight the growing importance HR can influence to improve the security posture of an organization. 


The audience was lively and passionate in their desire to become more involved and apply their unique expertise to the common goal.  The biggest questions revolved around how best they could contribute to security.  Six areas were discussed.  HR leadership can strengthen hiring practices, tighten responses for disgruntled employees, spearhead effective employee security education, advocate regulatory compliance and exemplify good privacy practices, be a good custodian of HR data, and rise to the challenges of hiring good cybersecurity professionals.  Wake up security folks, the HR team might just be your next best partner and a welcomed advocate in the evolving world of cybersecurity


Pivotal-Role-of-HR-in-Cybersecurity from Matthew Rosenquist



Presentation available via


Twitter: @Matt_Rosenquist

IT Peer Network: My Previous Posts


My Blog: Information Security Strategy