Project Management & The Risks of an Information Economy

Project Management & The Information Economy Risks

Manoush Zomorodi hosts a weekly tech-oriented radio show in New York City called “Note to Self.” In her March 9th, 2016 episode entitled “Why You Feel More Productive But the Economy Isn’t,” Manoush discusses the curse of growth expectations on the economy (Zomorodi, 2016). Growth expectations create a disconnect: the business must work for its customers by providing a competitive product while simultaneously growing the value of the stock for shareholders. It’s not enough for Nike just to make good shoes. Good shoes alone don’t show growth in the business. Growth happens with expanding profit margins or an expanding product line. The world’s billions in stocks are committed to companies that are fighting to find room for growth in their bottom line. When a business moves towards creating that space for growth, it creates a project. This cycle is one reason why project management will continue to be a highly demanded skill set for years to come.

I have always enjoyed working with computers and for my master’s I’ve selected Information Technology with an emphasis on Project Management.  I won’t be completing my degree until May of 2018 and have some time before I have to commit to any particular industry.  I’ve looked at the saturation of IT tools and projects across the economy and chose this path due to its versatility in a variety of industries.  The project management jobs I’d like to do after training all involve information technology.  I want to transition businesses to open source solutions to give them more control over the production efforts and help them maximize productivity along the production chain.  To facilitate this goal I would like to work in new systems development, new systems training development, and new systems integration.  

The benefits of going open source generally include a reduced software cost, greater predictability over software feature inclusion, reduced cyber threat, and open communities of information to facilitate adoption. Working in this field on projects for new systems, training, or integration programs would allow me to leverage my formal and informally developed skill set. Because these skills span several industries it broadens my opportunities for future employment. Nearly every industry has an IT project in the works, but the industry I am most curious about right now is still in its embryonic stages: cyber insurance.

Cyber insurance is of particular interest to me because of what it does for quantifying a market’s value and associated risk.  It puts price tags on processes.  I’ve often explained to my coworkers the miracle of price tags in a market.  Price tags are a summary of knowledge.  They communicate the cost of labor and machinery for resourcing, manufacturing, transporting, and selling the wide variety of products available to billions across the globe.  Although we once raised chickens for eggs, I find it amazing how the entire cost of production for a dozen eggs including feed, transportation, life cycle of the hen and refrigeration costs are all summarized in three digits when I approach the eggs at my local grocery store.

Cyber insurance’s role in the information economy will not be just to underwrite risk but, more importantly, to calculate good and poor practices within the digital industry, allowing quantifiable comparisons between solution implementations. The scope of this need is enormous, although not immediately obvious to all market participants. Skitsko’s 2016 article on digital logistics is based on the foundation that we are living in an information economy and that for each economic component there is an informational component. Back in 2009 Bandyopadhyay opined in his article “Why IT Managers Don’t Go for Cyber-Insurance Products” that the issue was on the demand side of the economic spectrum. “The size of the U.S. cyber-insurance market (annual premiums) was expected to reach $2.5 billion by 2005…. In 2008 the size of the cyber-insurance market was estimated at $450 million” (Bandyopadhyay, 2009). This underperformance of growth has allowed many complacent practices to perpetuate within the IT space. Target’s 2013 breach was the visible culmination of several poor practices being implemented across several different levels of business (Roecker, 2016).

Keith Kirkpatrick cites Target’s breach as one of the major drivers encouraging businesses to adopt cyber security policies. In addition to increased awareness, he also cites evolving regulatory requirements, with the EU’s pending legislation having major impact on the horizon (Kirkpatrick, 2015). Yu’s 2014 article in Rutgers Computer & Technology Law Journal illustrates the legal challenges of using traditional consumer grade licenses with cyber losses, highlighting the complexity of building this industry based upon traditional products and policies. The risk for any new project must necessarily involve the risk of its digital compromise, and creating the tools to evaluate and communicate that risk to the market is something that has me thoroughly intrigued.

References

Bandyopadhyay, T., Mookerjee, V. S., & Rao, R. C. (2009). Why IT Managers Don’t Go for Cyber-Insurance Products. Communications Of The ACM, 52(11), 68-73. doi:10.1145/1592761.1592780

Kirkpatrick, K. (2015). Cyber Policies on the Rise. Communications Of The ACM, 58(10), 21-23. doi:10.1145/2811290

Pilinkiene, V. (2016). Trade Openness, Economic Growth and Competitiveness. The Case of the Central and Eastern European Countries. Engineering Economics, 27(2), 185-194. doi:10.5755/j01.ee.27.2.14013

Roecker, J. F. (2016, April 20). How Big Is Your Target? – Freedom Penguin. Retrieved May 21, 2016, from http://freedompenguin.com/articles/opinion/how-big-is-your-target/

Skitsko, V. I. (2016). E-LOGISTICS AND M-LOGISTICS IN INFORMATION ECONOMY. Logforum, 12(1), 7-16. doi:10.17270/J.LOG.2016.1.1

Yu, A. (2014). LET’S GET PHYSICAL: LOSS OF USE OF TANGIBLE PROPERTY AS COVERAGE IN CYBER INSURANCE. Rutgers Computer & Technology Law Journal, 40(2), 229-255.

Zomorodi, M. (2016, March 9). Why You Feel More Productive But the Economy Isn’t. Retrieved May 21, 2016, from http://www.wnyc.org/story/you-work-harder-why/

Image courtesy of:  http://thefintechtimes.com/wp-content/uploads/2015/12/dominos.jpg

Identity & Access Management

2013 and 2014 were major years for IAM awareness in both government and industry.  The Snowden leaks helped teach government agencies the value of limiting individual access to vast troves of information.  In the private sector space Target’s credit card breach cost the company 46% of its fourth quarter profits and litigation for more than 140 lawsuits (Radichel, 2014).  Although Target’s breach might have been stopped by any number of mitigation efforts, proper IAM would have limited the ability for the intruders to spread from the billing system used by the HVAC company to the more sensitive parts of the network.

The breaches have brought increased attention to the topic at all levels. Some parts of the industry, such as Staminus Security and Norse Corp, have responded with security theater (Gallagher, 2016; Fisher & Jude, 2016), while other parts of the industry have taken a thoughtful look at making sure only the right people have access to the right amount of information.

For local IT, IAM often takes the form of a Microsoft Active Directory server or some LDAP variant. LDAP v3 is described in RFC 4511, released in 2006, and includes a number of key features, namely bind, unbind, unsolicited notification, search operation, modify operation, add operation, delete operation, modify DN operation, compare operation, abandon operation, extended operation, intermediate response message and StartTLS operation. In general these commands are initiated through TCP or UDP port 389.
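To make that operation list concrete, the following added example (not from the original post or from any LDAP project) reads the protocolOp tag of BER-encoded LDAPMessages and flags a simple bind whose password is sent before StartTLS has been requested. The function names, the DN and the sample messages are constructed for illustration, and a StartTLS request is assumed to have succeeded.

```python
# Added example: name each RFC 4511 request and flag simple binds before StartTLS.
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"   # StartTLS extended-operation OID
OPS = {0x60: "bind", 0x42: "unbind", 0x63: "search", 0x66: "modify",
       0x68: "add", 0x4A: "delete", 0x6C: "modifyDN", 0x6E: "compare",
       0x50: "abandon", 0x77: "extended"}   # request protocolOp tags

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER element starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length

def classify(message):
    """Return (operation, detail) for one BER-encoded LDAPMessage."""
    tag, body, _ = read_tlv(message, 0)
    if tag != 0x30:
        raise ValueError("LDAPMessage must be a SEQUENCE")
    _, _, pos = read_tlv(body, 0)           # skip messageID
    op_tag, op, _ = read_tlv(body, pos)     # protocolOp
    name = OPS.get(op_tag, "other")
    if name == "bind":
        _, _, p = read_tlv(op, 0)           # skip version
        _, dn, p = read_tlv(op, p)          # bind DN
        auth_tag, cred, _ = read_tlv(op, p) # [0] simple or [3] SASL
        return name, ("simple" if auth_tag == 0x80 else "sasl", dn.decode(), len(cred))
    if name == "extended":
        _, oid, _ = read_tlv(op, 0)         # requestName [0]
        return ("starttls" if oid == STARTTLS_OID else name), oid.decode()
    return name, None

def audit(messages):
    """List simple binds that carried a password before StartTLS was requested."""
    tls, findings = False, []
    for op, detail in map(classify, messages):
        if op == "bind" and detail[0] == "simple" and detail[2] and not tls:
            findings.append("cleartext simple bind as " + detail[1])
        tls = tls or op == "starttls"
    return findings

def tlv(tag, value):                        # encoder for the constructed samples
    return bytes([tag, len(value)]) + value
# Constructed sample messages (short-form lengths only), not captured traffic.
BIND = tlv(0x30, tlv(2, b"\x01") + tlv(0x60, tlv(2, b"\x03")
           + tlv(4, b"cn=admin,dc=example,dc=com") + tlv(0x80, b"secret")))
STARTTLS = tlv(0x30, tlv(2, b"\x02") + tlv(0x77, tlv(0x80, STARTTLS_OID)))
```

`audit([BIND])` reports the bind, while `audit([STARTTLS, BIND])` reports nothing; an anonymous simple bind (empty password) is not flagged.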

While RFC 4511 has served the industry well for creating functioning authentication protocols, the nearly full decade since its release has seen a great deal of growth and development. In December of 2015 the VP of Technology for Advancer Corporation penned his IAM predictions for 2016, giving us an indication of how far the field has developed. His seven predictions include:

 

  1. Cyber security has become the religion, equally for government and businesses.

  2. Cloud IAM to spread towards provisioning capabilities.

  3. Spreading of IDM systems on on-premise as well as cloud.

  4. Cloud will enable greater utilisation of IAM products by small enterprises.

  5. Safeguarding and securing super users through PAM.

  6. Managing of identity through secure user identity management and access governance will enhance.

  7. Businesses will stay agile by adding more layers of IAM into their IT infrastructure.

(Mittal, 2015)

In addition to SaaS, PaaS and IaaS, companies including Centrify are now talking about Identity as a Service (IDaaS).

All of these technologies are extensions of the need to be authenticated within cyberspace. For individual users, sites such as LastPass step in to help them manage their online identity across a myriad of websites. SSH, Bitcoin and Bitmessage all operate using cryptographic keys to ensure sender and recipient identification during transmission.

For the average user this effort really hits home in the area of social media. As of 2011 Facebook began forcing HTTPS connections to reduce the man-in-the-middle attack vector (Stackoverflow, 2011). Google also adopted HTTPS in 2011 to reduce snooping on user search queries (Google.com, 2011). The robustness and popularity of social media caused Gartner’s research team to predict in 2013 that future customer identities would be based on social media (Gartner Inc., 2013). Today the spirit of that prediction holds true as social media sites are integrated into sharing economy sites such as AirBnB and educational sites such as Khan Academy. Google’s developer websites now include easy-to-follow guides for leveraging their identification services into emerging technology (Google.com, 2016).

In mobile computing, just like on traditional machines, identification management begins with authenticating on the device itself. Fingerprint readers are now serious features on smartphones. Although phones do have inherently insecure networking components (Anthony, 2013), they do enable a second layer of IAM: two-factor authentication (2FA). 2FA on smartphones works because the phone itself is a part of two separate networks. The SMS messaging service built around the purely cellular technology is in many ways a separate network from the data connection on the phone itself. Because of this, an attempted login over HTTPS can be verified using an SMS message. Circle finance requires authentication before conducting bitcoin transactions, and major social networks now offer 2FA as part of their authentication services.

In the cloud, IAM has become a must-have as cloud features have grown in popularity and potential. Google for business accommodates several layers of cloud sharing options with respect to files hosted on Google Drive. By default they are only accessible to the author. The default for sharing is to have it shared across the entire organization. Additional options exist for public read only, public edit and organization read only. Because the system is cloud based, it can respond quickly to new features suggested by user feedback. Google’s products aren’t the only ones with these features. Similar access control and identification measures are implemented in Dropbox and ownCloud and are considered a standard feature set when developing similar tools.

As we move more and more things to the cloud and big data becomes more of a reality for businesses, IAM will continue to be a significant part of the organization’s IT strategy. In the business world, Sony’s 2014 breach, attributed to an insider threat, is a critical example of how big data matched with poor IAM can cause serious problems. While 2013 and 2014 were significant years for IAM awareness, today the industry has matured, but only time will tell if the pace of maturity across the spectrum has kept up with the pace of innovation from malicious actors.

 

 

 

References:

Anthony, S. (2013, November 13). The secret second operating system that could make every mobile phone insecure | ExtremeTech. Retrieved April 12, 2016, from http://www.extremetech.com/computing/170874-the-secret-second-operating-system-that-could-make-every-mobile-phone-insecure

Fisher, C., & Jude, A. (2016, February 4). Hot Norse Potato | TechSNAP 252 | Jupiter Broadcasting. Retrieved April 12, 2016, from http://www.jupiterbroadcasting.com/93496/hot-norse-potato-techsnap-252/

Gallagher, S. (2016, March 11). After an easy breach, hackers leave “TIPS WHEN RUNNING A SECURITY COMPANY”. Retrieved April 12, 2016, from http://arstechnica.com/security/2016/03/after-an-easy-breach-hackers-leave-tips-when-running-a-security-company/

Gartner, Inc. (2013, February 5). Gartner Says Half of New Retail Customer Identities Will Be Based on Social Network Identities by 2015. Retrieved April 12, 2016, from http://www.gartner.com/newsroom/id/2326015

Google.com. (2011, October 18). Making search more secure. Retrieved April 12, 2016, from https://googleblog.blogspot.de/2011/10/making-search-more-secure.html

Google.com. (2016, April 12). Google Identity Platform  |  Google Developers. Retrieved April 12, 2016, from https://developers.google.com/identity/

Mittal, R. (2015, December 18). IAM Tech Trends to watch out for in 2016. Retrieved April 12, 2016, from https://www.linkedin.com/pulse/iam-tech-trends-watch-out-2016-rajesh-mittal

Radichel, T. (2014, August 5). Case Study: Critical Controls that Could Have Prevented Target Breach. Retrieved March 29, 2016, from https://www.sans.org/reading-room/whitepapers/casestudies/case-study-critical-controls-prevented-target-breach-35412

Stackoverflow. (2011, January 27). Force HTTPS on Facebook? Retrieved April 12, 2016, from http://stackoverflow.com/questions/4723983/force-https-on-facebook