Category: technology

iDEAFest2020: Lessons Learned Building an Enterprise Security Program

Posted in CIO, CISO, cybersecurity, leadership, technology1 Comment

iDEAFest2020 is a great new virtual conference, which is a new two day event that started yesterday and will end later today (April 21-22, 2020). It’s a diverse set of speakers talking about Agile, process improvement, cyber security, customer experience, leadership, and many other domains.

While it’s hard for a virtual event to be as powerful as an in-person event, especially missing out on meeting new people, I think iDEAFest does a great job of exposing people to a diverse set of ideas, so you’re not just hearing about domains you’re already immersed in.

I love their tag line:

…Great ideas can’t be quarantined!

It’s been a great conference so far, and I enjoyed presenting (see my slides below) an introduction to, and discussion on lessons learned, from building an enterprise information security program.

2019 Gartner Security and Risk Summit

Posted in CIO, CISO, cybersecurity, strategy, technologyLeave a comment

I recently went to the 2019 Gartner Security and Risk Summit in National Harbor (outside of DC).  This was my second Gartner conference, and so far they’re 2 for 2 at delivering high-quality, impactful, intense 5 day conferences.  The event was jam-packed with great sessions, roundtables, workshops, and keynotes.

I can tell a conference is going to be great when I try to build my agenda before the event and I want to pick 2-3 sessions for many of the time slots.  Fortunately Gartner gives attendees of their events access to the slides and audio of the conference, so you can review what you missed.

I was also very impressed at Gartner’s midsize (companies with $50 million to $1 billion in annual revenue) sessions, where presentations, roundtables, and workshops where leaders from midsize companies could connect, collaborate, (and commiserate sometimes) on best practices related to their size of organization.

My major takeaways (and it’s hard to summarize) were:

  1. Identity is the new perimeter (not the network, not the device)
    • You hear people often now talking about “zero trust networks” (the idea that instead of thinking of the perimeter as your LAN/VPN that you protect and you trust people inside your network, you should instead focus on ensuring your identity and access management (IAM) approach is solid and build security around identify, using things like MFA and risk-based access management)
    • This also means that identity is a critical linchpin to security instead of the idea that devices/users inside a network are trusted devices/users
    • There was also a key point, from Neil MacDonald, here that non-human entities (e.g. DevOps pipelines) need to have unique identities that they authenticate against securely, so they don’t become a huge security hole in your infrastructure
  2. Communicate Risk with Business Perspective: It’s critical to communicate risk to executives/non-IT leaders/board in a way that actually articulates/visualizes risk and how cyber risk affects the business’ value chain/business model (and not talking about security technology at all)
    • It’s important to strike the right balance between quantifying risk and impact (the board demands numbers), and the fact that cybersecurity risk and impact isn’t a statistically mature field, so sometimes qualitative assessments are the only reasonable way to communicate risk (numbers can be overly precise when we don’t have a solid foundation to build them on) — there was a great session where four Gartner analysts debated this intensely, 2-on-2
  3. Information Security fundamentals are critical to do well, and organizations still don’t do them well – organizations spend too much energy on new projects/technologies (shiny new objects) instead of refining the fundamentals they do (e.g. log analysis, change management, asset management, vulnerability management)
  4. Select one primary security framework to orient your Information Security Program around (e.g. NIST CSF (which is dominating the survey data for US and international companies as their standard), ISO 27001) – more than one primary framework leads to confusion, and none means you either have no foundation or you’re trying to reinvent a wheel that industry is rapidly refining
  5. Bring Your Own Device (BYOD) and Choose Your Own Device (CYOD) programs are very hard to run well, both technically and from a privacy compliance standpoint — individual state and international privacy legislation requirements make this very complex

If you want to hear more, check out some of the keynotes from the Gartner YouTube Channel; or check out other’s people’s perspective on the event, check out the Tweets from 2019 Gartner Security Summit or other blog posts like this one.

Continuous Quality: Enforcing Quality with DevOps Pipeline Gates

Posted in agile, CMMI, lessons-learned, technologyLeave a comment

At the recent 2019 Capability Counts conference, hosted by the CMMI Institute, I presented a session related to Enforcing Quality with DevOps Pipeline gates, where I provided an introduction to the concepts and technologies of DevOps, and how to use the concepts of Continuous Quality to improve software quality earlier and throughout the application lifecycle.

Here are the slides, published on SlideShare, if you’re interested.

Cyber Security 101 for Small Businesses

Posted in SAFe, technologyTagged Leave a comment

If you’re a small business, the world of cyber security can be very overwhelming and intimidating.  There are infinite articles you can read about, a long list of cyber security maturity frameworks and concepts you could try to learn, and an overwhelming feeling that you can’t possible actually defend yourself from the hackers all over the place!

Cyber is a big, complex thing that is hard to do — if you’re looking to better defend your organization and you don’t know where to start, I recommend this approach:

  • Read the Center for Internet Security’s (CIS) CIS Controls, as they’re a great list of security controls (fancy way of saying todo items) that are already in priority order — so you start at #1 and just keep working your way down the list.  Here are the top 5:
    1. Maintain a current list of all the IT hardware (equipment) you use
    2. Maintain a current list of all of the software applications you use
    3. Invest in, and use frequently, a vulnerability scanning tool (e.g. Tenable.io) to identify security holes and then go fix them
    4. Limit who within your organization has Administrative Access.  Instead limit the access to only those who must have it, and then track who has it and who is using it to do what when.
    5. Configure IT equipment securely and monitor the configuration to ensure these configurations are being changed — for example, you may use an imaging solution to push out a consistent, pre-configured image of Windows 10 for new employee laptops and then use a device management software (e.g. Microsoft SCCM) to monitor the configuration across your organization
  • If you’re ready to keep digging in, read the NIST Cyber Security Framework (CSF), give yourself a red/yellow/green score on each of the 5 core domains and then focus on improving on the areas you think are the best return on your time and money

Audio-only Mode for Video-based Training Products

Posted in technologyLeave a comment

Random product backlog idea:  It’d be awesome if companies that offer online, video-based training (e.g. Lynda (now LinkedIn Learning), PluralSight, O’Reilly Safari, Udemy, etc.) offered:

  1. An audio only mode for their mobile apps (so I could enjoy their content while driving and wouldn’t need to wait for the videos to download or stream)
  2. Better queue/backlog management (Castro does this amazingly well for podcasts), so I could queue up my training modules in a prioritized order, not just an unsorted “Watch List”

 

How Opinionated are your Tools?

Posted in agile, CIO, technology1 Comment

Organizations must intentionally determine how opinionated their collaboration tools (business systems) should be, to align with their culture and business model. Opinionated tools align well with top-down organizational cultures, while non-opinionated tools align well with decentralized, self-organizing cultures.

Organizations struggle at each extreme:

  1. Top-down organizations struggle to scale effectively, creating bottlenecks and issues when decisions constantly require senior leader approvals.  People talk about how our world is more volatile and faster moving (see Half of S&P 500 Companies will be Replaced in next 10 years), and that companies need to be more Agile.  Agility is hard when you need 3 approval signatures to make any changes. scaled-frameworks.PNG
  2. Self-organized teams struggle to stay coordinated, as each team can “wander off” from any centralized approach to things like enterprise priorities, technology architecture, processes.  They struggle to stay aligned with each other, which is why we see so many Scaled Agile frameworks (see icon mosaic to the right) trying to figure out how to keep self-organizing teams aligned with each other.  Self-organizing teams also struggle to stay aligned across an organization related to things like Enterprise Architecture (consistent technologies) and Business Architecture (consistent processes).

Organizations need to find the right balance between these two extremes for their entire organizational culture, and how they select, configure, and maintain tools to align with this approach.  The figure below shows the spectrum I envision, where a company moves the triangle to find the spot they want their organization to be, and then aligns tools with that spot on the spectrum.

opinionated tools spectrum.PNG

Technologies can come out of the box very opinionated (think about a tool like the TurboTax wizard interface, that walks users through a workflow it decides without asking how you want to use the tool) or it can be very flexible (think about Microsoft Word — you can write your letter first, and then format it; or you can setup the page size, orientation, and header before you write your letter).

Technologies can also be configured to be very opinionated — JIRA as an example is an issue/ticket tracking system that has a variety of Agile planning/management capabilities.  Out of the box, the tool comes with a few standard ticket types and workflows, but you could let each team in your organization configure their own ticket types, workflows; leaving all the permissions wide open for the organization.  However, most organizations make JIRA “more opinionated” before they deploy it, only letting a few select leaders/administrators make changes to the system.

On the opinionated this spectrum, I see organizations selecting and configuring tools with a heavy focus on ensuring employees use a tool exactly the way the organization’s senior leaders want them to be used (highly opinionated).   Allan Kelly recently write a great post about how dangerous this power centralization can become for organizations.

On the non-opinionated side, organizations struggle to stay cohesive.  They can become organizations of individual teams or almost a group of consultants who are trying to accomplish things; but can’t leverage the scale of their organization to accomplish great things.  This can devolve into anarchy, where teams don’t help each other.  Think about a team who can’t share talent with other teams, because they’re using different processes or technologies.  Or a leader who isn’t able to report on progress because each of her teams is using their project tracking tool completely differently.

Organizations, and the Office of the CIO organizations that should be enabling them, need find the balance, like a train station where the rules of engagement are clear (Where do I get a ticket? Where do I get on the train? Where do I get food?), but different people can get to their trains in different ways.  Organizations don’t have to be the wild west with teams doing whatever they want (think about a SharePoint site with no governance where you can’t find anything) and organizations don’t need to be top-down culture where no work gets done because everyone has given up on requesting approvals and resigns themselves to the slow-moving status-quo.

Using JIRA to Scale your Business

Posted in agile, CIO, CMMI, Process Improvement, productivity, technologyLeave a comment

I recently spoke at the 2017 Capability Counts conference, put on by the CMMI Institute. David Anderson Keynote 2017.PNG It’s an interesting event that isn’t focused just on CMMI maturity models — instead it’s a conference where a few hundred people get together to discuss process improvement, Agile, software engineering processes, and a variety of other related topics.

The keynote (shown in the picture above) is David Anderson of LeanKanban University talking about the core concepts of Kanban, which go far beyond most people’s understanding of 3 column boards.

I spoke on using Atlassian’s JIRA product to help an organize scale — sharing some best practices/recommendations on how to use a tool like JIRA to get information out of email, hallway conversations, and meetings and into a system where work can be clarified, prioritized and tracked.

CIO 101 for Entrepreneurs

Posted in productivity, strategy, technologyLeave a comment

This morning I got to share IT infrastructure, business strategy, and business
architecture tips and recommendations with some local current and future entrepreneurs at The Capitol Post in Old Town Alexandria.  Capitol Post is a great organization focused on inspiring Veteran entrepreneurs to find professional clarity and scale those visions.  They offer several great things, including  a cool co-working space right in North Old Town Alexandria, classes, and a startup accelerator program.

img_9850

Here are the slides and strategy template I went through with the group this morning, helping entrepreneurs deal with IT.   We talked about:

We talked about how IT for non-technical entrepreneurs can be like personal finance for non-financial people — it’s very important, but it’s hard to motivate yourself to invest the time you need to understand it, make some solid plans, automate it, and then move on to creating value.

It’s been a year since I last taught at Capitol Post (https://mikehking.com/2015/09/11/talking-technology-bunker-labs/), and it’s great to see how much they’ve grown (the office is beautiful and their getting ready for their next cohort to go through the Bunker Labs DC accelerator.

How to Copy Photos from Apple Photos to Google Photos with Correct Dates and Times

Posted in photography, productivity, technologyTagged Leave a comment

I recently wanted to copy a large set of photos (over 10,000) out of Apple Photos (Mac-based photo management application/database) and save them on a USB hard drive so I could import them to Google Photos (cloud-based photo management service).  I did an export of all the photos out of Apple Photos, which saved the date and time information in the EXIF metadata, but not in the file metadata itself.  Here’s how I solved this (which I’m sure isn’t the most elegant solution), using a Mac:

  1. I found this thread, which explains how to use a few different tools to accomplish this, on photo.stackexchange.com
  2. I downloaded jhead for my Mac
  3. jhead for the Mac doesn’t support recursive (e.g. -r) calls, so I needed to consolidate all the images from sub-folders and sub-sub-folders — I did that using this command on the Mac terminal using this command “find ./ -name ‘*.jpg’ -exec cp ‘{}’ ./ \;“, which I found on this forum http://ubuntuforums.org/showthread.php?t=1385966:
  4. Then I deleted the folders and sub-folders, as I don’t need them for organization (I just want to get the photos backed up into Google Photos)

How to Pick IT Systems for your Small Business

Posted in CIO, strategy, technologyLeave a comment

If you’re the CIO, Director of Technology, IT Person, or Only Person (Solopreneur) at your organization, here are 5 areas of questions areas to consider when determining if a specific IT system or process would align with your small company’s needs:

  1. Alignment:  Does this system align with your business model (how you do business) and your current infrastructure?
  2. Lock In:  Would this system lock you (Vendor lock-in) into this vendor or system long-term?  Could you export your data and move to another system as you grow?
  3. Investment-worthy:  Is this system worth the investment of money and time (your time, your employees’ time, your customers’ time?
  4. Get Traction:  Would this system get traction with your employees and/or customers?  Does it align with how you do business, or would you spend your time forcing people to use it?
  5. No Huge Risks:  Are there any significant risks (red flags, deal-breakers) that should drive you away from this system? (e.g. cyber security, loss or productivity, removes future options you want)

align-framework

Shameless plug:  If you’re interested in learning more about setting up the technology for your company, or future startup, check out this free class I’m teaching next week (Thursday, Sept 10, 2015), sponsored by Capitol Post, in Old Town Alexandria:  Technology 101 for Entrepreneurs (How to Choose to the Best Systems for your Business).