Twice a year our X-Force team releases their insights and observations on the security landscape, and today we're announcing the release of the IBM X-Force 2010 Trend and Risk Report. In 2010 we saw the continued rise in the number of disclosed vulnerabilities as well as the continued prevalence of web application vulnerabilities. However, 2010 also gave us a lot of new things to mull over. We're seeing sophisticated threats and attackers become more prevalent than ever before. Mature exploit code for mobile devices, while not yet commonplace, is becoming increasingly available. We saw spam volumes rise dramatically before tapering off, and the SQL Slammer worm completely vanished.
This week I sat down with Tom Cross, Manager of X-Force Threat Intelligence and Strategy, to discuss in a bit more detail some of what we've seen over the course of the past year as well as what we should be looking for in the years ahead.
Bryan: So, let's start with this number. 8,562 vulnerabilities disclosed last year. This is a 27% increase from 2009 and is the most ever disclosed in a single year. What's driving this rapidly increasing number, and is it something that is necessarily cause for concern?
Tom: We think this increase is a consequence of software development houses taking the security of their software more seriously. Many companies that develop software are currently investing in improvements to development and quality assurance processes that are intended to identify and eliminate security vulnerabilities before products are shipped to customers. However, there is a lot of code out in the field right now that didn't benefit from the latest in software engineering practices and so vulnerabilities are getting discovered that have to be patched.
It's not necessarily a cause for concern. It represents progress toward a safer internet, but for those of us who work on remediating vulnerabilities and defending networks from attacks that target them, it means we've got a lot more work to do.
Bryan: Do you anticipate that vulnerability disclosures will continue increasing in 2011 at the rate they did in 2010? Will we reach 11,000 next year?
Tom: As improved software engineering practices result in better code out there I think that we will eventually round the corner and start seeing sustained decreases in these numbers, but it is hard to predict exactly when that will happen. We thought we were already on the way last year, and then this year surprised us. The total number of vulnerability disclosures has been up and down for the past 4 years, so next year's totals are anybody's guess.
Bryan: The new report mentions that often exploits are released tens to even hundreds of days after the public disclosure of the vulnerabilities they target. Why does this happen? Are exploit writers just slow?
Tom: We think that the bad guys develop exploit code quickly after vulnerabilities are disclosed. In some cases exploits are circulating before disclosure. But they aren't made public. They are used to break into computers. Eventually, as systems get patched, these exploits become less valuable as attack tools, and some of them find their way onto public websites and mailing lists that we track.
The fact that this is taking a long time indicates that people aren't patching quickly enough. The window of opportunity for an attacker has two components: the amount of time between vulnerability disclosure and patch release, as well as the amount of time between patch release and installation. In some cases it can take a long time for software vendors to release patches, but they are often made available quickly, particularly for critical issues. We think that attackers are holding on to exploits for a long time primarily because those patches aren't getting installed everywhere that they need to be.
Fixing this requires improvements in endpoint management. Network managers need to know what computer systems are on their network, what software is on those computer systems, what vulnerabilities are in that software, and what patches are available. This is an area that is going to be a focus for both technological and operational development over the next 5 years. Of course, it also makes sense to have good threat prevention in the network as well.
Bryan: We see some recurring year to year trends in this report, such as the significance and prevalence of web application vulnerabilities. However, I'm curious what's new this year. What's changing in the security landscape that people need to be aware of?
Tom: Lots of new technologies, such as Mobile and Cloud, Virtualization, IPv6 and DNSSec. We keep making new software and software systems that have new security implications. While we're getting better at making software, it still has a maturity lifecycle. When a new software program is released there are very few vulnerabilities that have been disclosed in it, but the code hasn't had much of an opportunity for independent audit and real world use. Over time, people find bugs, and the number of known vulnerabilities in that software increases. Eventually, if the software remains static, it can reach a stable state where few new vulnerabilities are being discovered. However, most commercial software doesn't remain static. New features are added. Things are changed. Product management occurs. Entirely new technologies like IPv6 can present large code bases to the Internet that haven't been subject to much real world use. There are bugs in there, and also people need to learn how to deploy these technologies safely and that takes time as well.
Another notable thing that happened this year is broadening awareness of sophisticated, targeted attacks that may be state sponsored. These kinds of attackers are hard to keep out of a computer network. They really do their homework on the organizations they are targeting and they are very patient. They are also coming at you with vulnerabilities that no one else knows about and custom trojans with covert command and control protocols. It's a hard problem. A few years ago it was a problem that only governments and other critical sites had to worry about, but the sorts of organizations dealing with this today seem to be widening.
Bryan: It seems like there's a lot happening in the security world right now. From the continued rise of advanced persistent threat, to mobile platforms and cloud computing each introducing new risks and challenges, to the scale and sophistication of an attack like Stuxnet, security seems to be everywhere and I'm hoping you can boil some of this down for us. As we look back on 2010, what were the key things we learned? What should we expect to see in 2011?
Tom: Concerns about things like Advanced Persistent Threat are driving the adoption of different approaches to network security, which includes more physical network segmentation, better endpoint management and awareness, better log retention and analysis, and a more forensics driven approach. All of these developments make networks more resilient against everyday threats.
I think that Stuxnet also shined a light on the risks that customized industrial control systems face. Computer security people are familiar with being ignored when we point out potential risks until a real event occurs. People have been talking about the computer security risks of Internetworked control systems for years. Hopefully now those warnings will not be ignored.
What should we expect to see in 2011? I think Wikileaks has gotten people thinking about information control in their organizations. What stuff does your enterprise know that is just sitting out there on internal file servers and could easily be leaked on the Internet by a disgruntled employee? A clear set of best practices has yet to emerge around this but people are starting to think about how Data Loss Prevention and Watermarking technologies might be brought to bear on the problem.
But, I expect 2011 to surprise us. Every year there are developments that we don't anticipate. A few weeks ago the SQL Slammer worm all but disappeared from the Internet. Computers infected with that worm have been a reliable source of malicious traffic on the Internet since the worm first emerged back in 2003. One day in March, poof, the thing just disappears. We're currently looking through the evidence that we have to see if we can find an explanation, but so far it is proving elusive. The Internet is a big place; it's unpredictable.
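Tom's point about the attacker's window of opportunity (disclosure to patch release, then patch release to installation) and the endpoint inventory needed to close it can be made concrete with a small exposure calculator. The following is an added example, not code from the X-Force report or from IBM; the advisories, hosts, product names and the VULN-EXAMPLE identifiers are all constructed placeholders, not real vulnerabilities.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Advisory:
    """A disclosed vulnerability and the version that fixes it (constructed record)."""
    vuln_id: str                    # placeholder identifier, not a real CVE
    product: str
    fixed_version: str              # first version containing the fix
    disclosed: date
    patch_released: Optional[date]  # None while the vendor has not shipped a fix


@dataclass(frozen=True)
class Host:
    """One entry from an endpoint inventory: what software runs where."""
    name: str
    product: str
    version: str


def parse_version(v: str) -> Tuple[int, ...]:
    """Numeric dotted version -> comparable tuple, padded so 2.4 == 2.4.0."""
    parts = [int(p) for p in v.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_vulnerable(host: Host, adv: Advisory) -> bool:
    """Host is exposed if it runs the affected product below the fixed version."""
    return (host.product == adv.product
            and parse_version(host.version) < parse_version(adv.fixed_version))


def exposure_report(hosts: List[Host], advisories: List[Advisory], today: date) -> List[dict]:
    """Cross-reference inventory with advisories and measure both halves of the window.

    exposed_days        - days since disclosure (total window still open on this host)
    vendor_window_days  - disclosure -> patch release (None if no patch yet)
    install_window_days - patch release -> today (the part only the operator can close)
    """
    rows = []
    for host in hosts:
        for adv in advisories:
            if not is_vulnerable(host, adv):
                continue
            if adv.patch_released is None:
                vendor_days, install_days = None, None
                status = "awaiting vendor patch"
            else:
                vendor_days = (adv.patch_released - adv.disclosed).days
                install_days = (today - adv.patch_released).days
                status = "patch available, not installed"
            rows.append({
                "host": host.name,
                "vuln_id": adv.vuln_id,
                "exposed_days": (today - adv.disclosed).days,
                "vendor_window_days": vendor_days,
                "install_window_days": install_days,
                "status": status,
            })
    # Longest-open exposures first: these are the ones an old public exploit still hits.
    rows.sort(key=lambda r: r["exposed_days"], reverse=True)
    return rows


# Constructed sample data (not from the report).
SAMPLE_ADVISORIES = [
    Advisory("VULN-EXAMPLE-1", "webapp", "2.4.0", date(2010, 6, 1), date(2010, 6, 10)),
    Advisory("VULN-EXAMPLE-2", "dbserver", "9.1", date(2010, 9, 15), None),
]
SAMPLE_HOSTS = [
    Host("web01", "webapp", "2.3.5"),   # behind the fix
    Host("web02", "webapp", "2.4.0"),   # already at the fixed version
    Host("db01", "dbserver", "9.0"),    # vulnerable, vendor has no patch yet
]
REPORT_DATE = date(2010, 12, 31)

if __name__ == "__main__":
    for row in exposure_report(SAMPLE_HOSTS, SAMPLE_ADVISORIES, REPORT_DATE):
        print(row)
```

In the sample, web01 has been exposed for 213 days, of which only 9 were the vendor's; the remaining 204 are install lag, which is exactly the gap Tom says keeps old exploits useful. db01 shows the other case: no patch exists yet, so the only options are network-side controls and monitoring until the vendor ships a fix.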
For other Trend Report highlights, including interactive graphics, please see my recent post on the IBM Institute for Advanced Security. It can be found here.
Dr. Howard Rubin, CEO and Founder of research firm Rubin Worldwide, has found a couple of messages in the years of data he's collected from companies around the world, in virtually every industry:
1. Choosing the right computing platform can result in powerful returns;
2. In cases where the mainframe is the right platform, those returns are particularly massive, and measurable not just in technical terms (like cost per server or MIP), but in raw business terms, such as cost per transaction in banking, cost per bed in healthcare, etc.
Watch Rubin make his case in the video below (if the video doesn't appear below, you can find it here). Then read a brief report (PDF) that details the TCO benefits for multiple industries (and makes clear the Ferrari reference).
Most midsize companies have shifted their strategic focus and are looking for ways to improve profitability and drive growth. And many are viewing business analytics as their number one priority.
But what is the best way to get started with a business analytics solution? More than 95 percent of customers who have purchased IBM Cognos Express have done so through IBM Business Partners.
There are good reasons why. Our Business Partners have deep analytics and industry-specific expertise. They provide fast and personalized assistance in your region, and they offer value-added services that help you streamline implementation and achieve quick business results.
Thousands of IBM Business Partners worldwide specialize in midmarket solutions. (See the IBM Business Partner locator for a business partner near you.) So how do you find the one that's right for you?
1. Identify your needs. Business Partners provide a wide range of services, including implementation, customization and training. Does your company need help with fast deployment? Business user training? Customized dashboards and reports? Be sure to match your needs to their strengths.
2. Look for industry expertise. Some partners have deep experience in specific industries such as healthcare, banking, or government. If your industry has unique requirements, find a partner who understands those needs. Check out IBM Cognos Express in Action for a collection of partner demos that showcase some of these industry-based solutions.
3. Get all your questions answered. It can take time to find the right partner who can deliver the most value to your business. Discuss your specific requirements in detail with different Business Partners before you make a final selection. Attend events such as the IBM Cognos Business Analytics Midsize Business Virtual Summit for easy access to a variety of partners.
4. Have them show you the value. Good partners have great references. Ask them to put you in touch with other midsize companies that they have helped. Look for quantifiable results such as time savings, costs savings, and revenue generation.
5. Set clear goals for success. One IBM Business Partner, Philadelphia-based ISA Consulting, recently saved Concept One Accessories, a midsize wholesale manufacturer of accessories, two weeks of time per quarter on time otherwise spent manually gathering data and developing reports. With IBM Cognos Express and consulting services from ISA, Concept One Accessories is now able to quickly tap into ongoing performance results then analyze sales and corresponding inventory figures and budgets before building quarterly forecasting. You should set similar goals that are specific and measurable so you and your partner stay focused on results.
IBM is celebrating its Centennial year with 100 Icons of Progress: ideas, inventions and events that have transformed a century. And behind several of the Icons is clever IBM software that helps make everything work.
Ireland's Galway Bay is a fragile ecosystem of many interconnected parts. And its health and sustainability are dependent on understanding an abundance of marine data that, until recently, could only be collected and analyzed by going out to sea.
Hazards like pollution spills cause damage more quickly in confined waters like Galway Bay than in the open sea; therefore, scientists and environmental agencies need to access and decipher information about the bay quickly and react to any signs of distress without delay.
The solution the IBM team came up with involved turning volumes of raw data into intelligent information through a network of sensor-equipped buoys and analytics, and then delivering it to multiple stakeholders on the bay, from scientists to ocean energy developers to fishermen to the harbormaster.
The technology at work here, called InfoSphere Streams, is a clever piece of stream-computing software from IBM that enables massive amounts of data to be correlated and analyzed for patterns and trends more than 200 times a second, faster than a hummingbird can flap its wings!
InfoSphere Streams was one of the technologies making everything work inside the Watson supercomputer, and its strength is that it can handle very large volumes of data and do real-time analysis as it happens. Another magical thing about this software is its ability to embed complex predictive modeling into its real-time analysis work.
We see this capability at work in Galway Bay, where scientists were able to help predict water conditions and provide an early warning system for pollution, harmful algal blooms, and the long term effects of global climate change, among other things.
Plans for the project's next phase include extending the system out over Ireland's continental shelf and down into the sunless depths of the abyssal ocean plain, more than two miles below the ocean surface, as well as incorporating the information collected by SmartBay into Web-based lesson plans for schools in the Galway area.
Thanks to InfoSphere Streams and other innovative technologies, the people of Galway Bay are offered a unique window into the underwater world . . . and the wonder of a complex and changing ecosystem.
Wow. We're already talking about Vegas.
Yesterday the Call for Papers for Information On Demand and Business Analytics Forum opened. This year, attendees will be keenly interested in best practices to accelerate their deployments; innovative strategies to drive more business value from their data; tangible, proven techniques for using analytics more effectively, and; success stories that highlight business benefits and ROI.
From October 23 to 27, Information On Demand (henceforth "IOD") and Business Analytics Forum 2011 will bring together the best business and technology leaders for four days of in-depth education that spans the Business Analytics Enterprise Content Management and Information Management offerings from IBM. Last year saw the launch of IBM Cognos 10 and broke the 10,000 attendee mark (a record), and this year's event is bound to impress on an equally impressive scale.
Good question. It's actually a pretty good gig. Consider the benefits:
You'll get a free conference pass on us.
You'll have one-to-one access to a wide range of IBM product experts,
And, you'll increase your organization's visibility (as well as your own), and expand your network of professional connections.
Business Analytics conference tracks for 2011 include:
Business Intelligence (We're looking for Cognos 10 implementations)
I could tell this was a tool for grownups. This was a serious machine, built to do serious, grown-up work. That's why my library put it in the reference department, that quiet, serious room where quiet, serious people did quiet, serious things.
I knew because each hour I used it cost me 25 cents. I was only 12 years old. But when I first flipped the switch on that big black beauty and brought it to life I knew I had entered a new stage. From then on, all my essays would be proudly and impeccably typed.
The IBM Selectric, yesterday's IBM Centennial Icon of Progress, was introduced in 1961 and immediately disrupted the typewriter market. Suddenly and almost overnight, people saw unprecedented increases in the speed, accuracy and flexibility at their disposal to create the written word.
Don't believe me? Check out the charming video commercial below.
Like the rest of my peers, I learned to type on a manual machine - and very quickly I learned its shortcomings. It was always loud. It jammed when I typed too quickly. It made errors nearly impossible to correct.
The Selectric changed all that.
This thing was fast. Faster than anything I'd ever used. That little silver ball jumped excitedly at even the slightest touch. This thing was alive. And fun. And a blast to use. And after I had used it, I'd never go back.
The Selectric is yet another example of that remarkable through line connecting the IBM achievements of the past with the innovations of today, and the remarkable effectiveness of the IBM approach to making us and our world work better. It's a willingness to bring the best people, the best thinking and the best ideas to bear on challenges others say can't be solved.
If you're one of the millions filling out a bracket this year (all for fun of course), I'm sure you've been asked or have asked that question.
Yes, it's that time of year when the NCAA men's basketball tournament distracts us from our jobs as we maniacally scan the internet and listen to so-called experts hoping to get that edge and finally master the ancient art of bracketology. Sadly, Paul the Octopus passed away recently, so that "secret weapon" is no longer viable.
Sure, accurately predicting which teams are in the Final Four is important, but what separates the masters from the novices is predicting the winners/upsets in the early rounds. You can play it safe and pick the higher seeds to win, but that's a silly strategy. Besides, all four top seeds have only advanced to the Final Four once in 30 years. (Sorry President Obama.)
Rely on the data. On Monday, Nate Silver's FiveThirtyEight ran an article entitled "How We Made Our NCAA Picks," which took an analytical approach to predicting the winners.
Like IBM, he sees the value in analyzing historical data to make informed, and better, decisions.
And let's be honest, everyone is looking for that competitive edge, whether it's bragging rights for the brackets or outmaneuvering the competition in business. The answers are as simple as mining mountains of data to find Key Performance Predictors (KPPs): those 15-20 data variables that are the most relevant.
KPPs then help guide any organization to build an amazing level of intimacy and knowledge, allowing them to determine how a specific customer is likely to behave at a precise moment in time.
In the NCAA tournament, Nate analyzed the results for all tournament games since 2003 (a total of 512 games) and evaluated which factors best predicted success. As Nate pointed out, "The goal is to have a system that makes good statistical sense and also makes decent basketball sense, as opposed to identifying a bunch of spurious correlations."
Not all data is created equal. In fact, sometimes the correlations you think exist turn out to be counter-intuitive. That's where KPPs come into play. And, it's why predictive analytics makes good business sense. For instance, one of our insurance customers learned that clients who remove pets from the house prior to a fire are often convicted of claims fraud. And, phases of the moon are a predictive indicator of when crime is likely to occur.
In the NCAA setting, Nate discovered that teams playing games within 50 miles of their campus have a 24-2 record; and, conversely, teams traveling at least 1,000 miles are 121-174.
Does this change the way you think about your bracket?
That's why IBM is "betting" big on predictive analytics. IBM is hoping businesses will realize that picking "winning" customers based on mascots, team colors or flipping a coin is also a silly strategy.
Today, it's better to rely on the data to be told how to take action than making a haphazard decision that could seemingly be based on unnecessary bias (like picking an alma mater such as Boston University over Kansas). Sorry Terriers!
What if you could determine when a part might fail in a car? Or the right time and conditions to perform surgery? Or when a crime will occur in a specific part of town?
Or, what if a call center agent at a communications service provider could quickly and easily determine which inbound customer calls are the best candidates for an up-sell, cross-sell or retention offer, and then deploy personalized, real-time recommendations that have the greatest likelihood of acceptance by the customer?
Thousands of these types of daily decisions can now be automated and optimized for significant, and measurable, benefit. No longer are the same bad decisions made over and over again.
As commerce becomes more global, connected and social, there's a new mindset emerging that is all about trying new approaches, expanding one's social media repertoire, and serving the connected customer's needs at every turn.
Here's a video that explains how smarter commerce works using simple narration and hand-drawn illustrations:
Organizations today only half-listen to their customers. Sort of like a teenager only half-listens when a parent asks him/her to take out the trash or walk the dog.
Sure, organizations might hear a customer complaint or praise of a new product, but do they really understand these comments? Are they able to capture customer dialogue and then use the interactions to better inform the business?
According to a recent report from Hypatia Research, "Operationalizing Voice of the Customer (VOC): How Top Performers Create Actionable Insight," only 4 percent of all companies surveyed have attained a visionary level of maturity in using VOC. (Download a free copy of the report here or register for an upcoming webinar on March 22 to learn more.)
The good thing is that organizations have an incredible opportunity ahead of them. And, the technology to enable successful VOC best practices. In fact, according to the report, IBM SPSS was ranked as the top vendor for providing VOC technologies.
I recently caught up with Leslie Ament, vice president, research and client advisory, at Hypatia Research to discuss the report, VOC best practices and measuring these programs:
What was the biggest surprise you uncovered from your research?
Companies seek to monitor both social media and capture survey data in order to track VOC and capture a 360-degree customer viewpoint. However, nearly all organizations lacked the maturity, expertise, processes, organizational structure, appropriate incentive programs and enabling technologies to do so. Most focused on either multi-channel survey capture for VOC or utilized social media for monitoring or listening without analysis or taking action on contextual VOC.
Given these findings, what is the best advice you'd give to organizations thinking about implementing a VOC solution?
Create one or two measurable goals and operational plans for execution. Don't try to boil the entire ocean.
Establish standard performance metrics, benchmarks and processes to help improve consistency of VOC practices.
Improve the ability to collect, analyze and apply feedback more frequently targeting one or two business applications.
Hire expertise and train employees and/or create a Customer Intelligence Center of Excellence.
IBM talks about how customer intimacy/intelligence (CI) is an organization's new intellectual property. Would you agree with that?
While I agree building the capacity for customer intimacy / intelligence is a positive step and certainly a type of intellectual property, the ability to consistently operationalize this CI through standardized decision-support rules is what creates a true differential competitive advantage. As we foodies are fond of saying, "the proof is not in the pudding, but rather in the enjoyment derived from eating it." An organization that operationalizes VOC via the creation of CI establishes a win-win scenario of customer intimacy that benefits both the customer as well as the company itself.
Almost 50 percent of those surveyed said a barrier of investment in VOC programs was management buy-in. Why doesn't management see the value in developing deeper customer intelligence?
Au contraire mon ami! Management absolutely realizes the value of VOC. However, getting management buy-in is a very different issue. Quoting from our research study, "Multiple views and diverse expectations exist as to which business processes, technologies, organizational structure and expertise are necessary to effectively leverage and operationalize VOC across a department, geographic region, product line or enterprise." Currently, corporate-level alignment in regards to the following seems hard to achieve:
- Have we identified a clear business case(s);
- Which customer touch points qualify for VOC capture;
- Which role or function is accountable for customer information management and analysis;
- Which VOC tool(s) do we have in-house and should we complement, upgrade or augment our portfolio; and,
- How should we establish and standardize our customer insight processes.
Given this lack of alignment, it was not surprising to find that the top barrier to investment in VOC is management buy-in.
What is the best way to measure if these VOC solutions are providing value?
Measure metrics aligned with the business application or objective! Case in point: don't use Net Promoter Scores to measure agents' call center performance! More than 430 end users said they seek VOC tools and services for four primary business applications, and yet most are uncertain as to which metrics should directly correlate to these VOC initiatives. Is it a wonder attaining management buy-in is such a challenge?
The research showed that only 4 percent of companies attained a visionary level of VOC processes. What makes them visionary?
Visionaries do the up-front strategic and operational planning before executing on closed-loop (continuous improvement techniques) VOC initiatives. Visionaries have addressed the granular issues (e.g., what data sources should we utilize or how should we organize for VOC initiatives) and are more rigorous in continuously refining how VOC insights are operationally applied.
In other words, visionaries design, embed and operationalize effective customer intelligence strategies with the goal of enhancing corporate performance and/or accelerating growth. And, VOC insights direct decision-support rules that operationally guide business processes. Oftentimes these rules are configured or embedded in enabling technologies.
When evaluating a vendor, what are the three most important questions an organization should ask?
Hypatia briefed more than 20 technology vendors and even more end-user organizations while researching this study. Regardless of which VOC vendor(s) a company considers, they should thoroughly understand:
- Software capabilities and functionality, consulting services and/or training offered.
- Terms of service.
- Underlying infrastructure and compatibility with existing architecture and systems.
We also urge potential purchasers to evaluate vendors against internal business requirements coupled with this checklist. Vendors that already have enabling VOC technologies in use by current customers should also be willing to provide multiple references for your specific industry, function or role-based application and similar volume and velocity of daily data.
What is VOC panacea?
Most companies, regardless of size or industry, have a sales cycle and concerns about customer retention, product or service quality and profitability. Structured VOC programs provide companies the opportunity to track their progress, using key performance indicators, with baselines and milestones in a way that may not have been possible in the past. Ultimately, the brass ring is for organizations to turn these customer insights into structured business processes, either manual or automated, designed to address customer issues rapidly.
I love the smell of a new book. I also love the pull of a new idea.
Lucky for me then, that Enchantment has both.
Enchantment: The Art of Changing Hearts, Minds, and Actions is the ninth and latest book by tech legend Guy Kawasaki, former chief evangelist for Apple, co-founder of Alltop.com and founding partner of Garage Technology Ventures.
Enchantment (the concept) is the process of delighting people with a product, service, organization, or idea. The outcome of enchantment is voluntary and long-lasting support that is mutually beneficial. Kawasaki says his first enchanting moment was meeting his wife. His second enchanting moment was seeing the Macintosh, which convinced him of its ability to make people more creative and productive than they'd ever dreamed.
Enchantment (the book) distills Kawasaki's experiences as an evangelist into valuable lessons and examples that you can put into practice in your own career.
Enchantment (the concept) can happen anywhere, Kawasaki writes, whether you're trying to win over a skeptic, attract new followers to your cause, or even change the world.
At 224 pages (including a quiz), Enchantment (the book) is short enough to consume over a weekend, even for a slow reader such as myself. It's divided into 12 chapters including "Why Enchantment?," "How to Make Enchantment Endure," and "How to Enchant Your Boss." Each chapter is further divided into several sub-topics that make for remarkably easy navigation and easily digestible bits of content. Kawasaki writes in a breezy and personable style whose simplicity belies the hard-won lessons underneath. And it comes with one word of caution: it can take weeks or months for enchantment to occur, Kawasaki writes, so prepare for a marathon, not a sprint.
Given that adherents of IBM Business Analytics software spend a lot of their time trying to convert more people to their cause for better business outcomes, I thought it appropriate to highlight some of the more pertinent passages from the first 90 pages.
Enchantment (the concept) rests on two fundamentals that everyone must master: likability and trustworthiness. Kawasaki devotes an entire chapter to each and in each includes specific activities to help you along. For example:
To be more likable, perfect your handshake, use simple words, project your passions, and swear, but only when your audience supports you.
To be more trustworthy, it's important to "Bake a bigger pie." Kawasaki divides the world into "eaters" and "bakers." Eaters think that if you win, they lose. Bakers think everyone can win with a bigger pie. Twitter, for example, made a bigger pie because anyone can provide news and updates. Google made a bigger pie by taking advertising out of the hands of big ad agencies and giving it to small businesses. When you're baking up a business analytics deployment, think of how everyone can benefit, not just you or your immediate team.
I found chapter four, "How to Prepare," particularly useful for its discussion of a "Premortem." It's an idea Kawasaki borrows from Gary Klein, author of Sources of Power: How People Make Decisions. Companies rarely conduct post-mortems on a failed product because there's usually no money or people left to investigate. Premortems, on the other hand, are useful because they can help you prevent failure rather than explain it. To conduct a Premortem, Kawasaki suggests assembling your team and asking everyone to assume the project failed. Your task is to find out why the failures occurred and come up with ways to prevent them from happening.
Chapter 5 — "How to Launch" — is useful for its discussion of storytelling. Enchantment runs on inspiration, not information, Kawasaki writes. And the ones with the best stories are the ones who win. When you're pitching your product, find the narrative that best suits your goals: Will the world be a better place because of your project? Is this David vs. Goliath, or perhaps a Profile in Courage? Structure your proposal with a beginning, middle and end and you'll increase your chances of success.
The chapter is also useful for its suggestions for demos: if you're trying to wean people off their spreadsheets, make sure your TM1 demo shows these attributes:
Easy — people must be able to try it without much training, guidance, expertise or time.
Immediate — when people are interested, let them try it out right away. Don't waste their time with forms and approvals to get started.
Inexpensive — ideally, the only cost should be time.
Concrete — at the end of a trial, people should observe concrete changes in the way they work (think back to the importance of stories).
Reversible — if people try your cause and still don't like it, they should be able to reverse their decision.
There�s lots more I could cite, but I�ll stop here for now. With any luck I've already enchanted you. If I haven't, you can always check out Guy's site or these reviews. If you're trying to enchant people with IBM Business Analytics, our Champions' Kit has bountiful resources that can help.
Dateline NBC ran a segment on Sunday night discussing how bullying has become a worldwide epidemic, reporting that 1 in 3 teens were bullied while at school, causing failing grades, depression and even suicide.
In fact, in the United States it has even reached the attention of the White House. On Thursday, March 10, President Obama will be hosting a conference on bullying prevention with students, parents and teachers to discuss ways to address the issue.
As a new parent, I hope our policymakers begin to create better prevention programs and help young people empower themselves to stop bullying, especially online.
In the United Kingdom, I know it's already well underway, led by Beatbullying, a leading bullying prevention charity. The organization has developed innovative, evidence-based and highly successful prevention programs across the UK.
Beatbullying is using IBM SPSS predictive analytics to build in-depth profiles of children most at risk of being bullied — including the ability to map how bullying is most likely to occur.
This analysis has helped the charity shape their programs and assist educators, parents and guardians and other professionals in understanding the short-, medium- and long-term effects that bullying has on children and young people everywhere.
And they have established the statistical significance of their findings, lending significant weight to calls for action from policymakers.
The results have been tremendous as well — with schools, youth groups and community organizations announcing that incidents of bullying are down by up to 39 percent, and the reporting of bullying by young people is up by more than 60 percent.
Understanding Attitudes and Behaviors to Combat Bullying
Beatbullying is no different than successful commercial and government organizations (healthcare, police departments, insurers, retailers, etc.) that collect and analyze data to spot trends and make better decisions. Beatbullying believes that to maintain momentum on anti-bullying strategies, it's vital to capture and monitor attitudinal and behavioral changes in the outlook of young people, and identify relationships, trends and patterns of bullying.
A crucial part of their work involves conducting a large number of surveys across many schools and communities. Through this feedback, the organization comes to understand the nature of bullying and evaluates the impact of its initiatives.
By using IBM SPSS predictive analytics, Beatbullying:
- Can go beyond simple analysis and measure actual attitudinal change, motivations, prejudices and relationship conflict concerns in adults, as well as children and young people.
- Disproved the assumption that bullying is a character trait. That viewpoint made children and young people who were being bullied feel even more hopeless and convinced that no one could help them.
- Saw a marked shift in the government response to bullying through the vigorous campaigns developed to ensure youth are educated and empowered to defend themselves.
- Uncovered that the most frequent online venues for bullying were the social network bebo.com and Microsoft's instant messaging service MSN Messenger. This led to bebo.com introducing a button allowing users to report incidents of cyber-bullying to the Child Exploitation and Online Protection Centre.
Beatbullying now has a quicker and more precise way of analyzing patterns among young people, and understanding and deploying successful bullying intervention tactics. They also can now better monitor and assess other strategies in their ongoing effort to beat bullying.
Thanks to organizations like Beatbullying, young people have a better chance in an increasingly challenging world.
It's not so crazy to think that the number of people accessing the internet from mobile devices will very soon outnumber those accessing the internet using traditional computers. It makes sense because mobile devices offer lots of new opportunities from both a personal and enterprise perspective when we think about efficiency and convenience. However, as these devices develop in popularity, and they are increasingly used to access sensitive information, we must also consider some of the emerging security questions. Is my mobile phone protected? Is my data and information safe?
While it's true that vulnerabilities and attacks associated with mobile phones aren't currently widespread, it's worth noting that they do exist and that the best practices for securing mobile computing devices are still immature. When we start thinking about the approach to establishing these best practices, we need to really focus on the ways that we actually use these devices. Security for mobile phones should be strategically, and pragmatically, approached with the understanding that people are likely to use the phone for both personal and business purposes. As such, being successful will mean striking a balance between ease of use and proper security controls.
Earlier this week I sat down with David Merrill, a mobile security expert within the CIO's organization here at IBM, and had the opportunity to talk with him about some of the topics that we'll be covering in the upcoming IBM X-Force 2010 Trend and Risk Report. The following is the discussion that I had with him.
Bryan: So, how real is the threat to everyday smartphone users? Should only high value targets like C-Suite executives be concerned about mobile security attacks?
David: Well, we know that we see malware on some smartphones and we know that employees do lose their devices, so both of those risks exist and are present today. Certainly the current concern is primarily around data protection (rather than malware) but we certainly feel the risks here are very real based on the data points we have today. As it applies to Senior Executives — or any employee holding high value data — we believe in intentionally taking a more conservative approach. This type of approach would include the selections of platforms that we'd advise them to use as well as the use of web browser-based mail and calendar versus approaches that allow the data to reside on the device itself. I think it would be naive to not acknowledge that Senior Executives could be targets of mobile attacks, so taking a more conservative approach to this community makes sense to us.
Bryan: What risks are involved in allowing enterprise employees to use their personal smartphones for personal use while at work? What controls should be put in place for personal smartphone use while at work?
David: At IBM, we believe that you should not lower or differentiate the security requirements based on device ownership. The same security requirements should apply to personally owned as well as company owned computing devices. As such, all of this really points back to the need for well documented and well managed security requirements as they apply to mobile devices. Additionally, companies should be wary of even beginning pilots until the platform under consideration can be secured to the requirements in their standards. I think the broader primary question as it applies to the use of personally owned smartphones is the employee's willingness to allow their company to manage their device. Companies should look to be very clear in the Terms and Conditions of their program. This way, employees immediately acknowledge that their company will enforce required security controls, including, but not limited to, the right to wipe all data.
Bryan: Building on that idea of foundational platform security, in the upcoming trend report you said that there will be years of vulnerability disclosures ahead of us because the platforms are untested. What are some ways that we can proactively address this issue and try to shorten this length of time?
David: I think much of what we can do proactively revolves around engineering of the mobile security ecosystem. Let me explain what I mean. Today there are some fundamental hurdles that need to be overcome and I feel it starts with an ecosystem that allows security vendors to monetize their research in this area by way of products and services. While I absolutely acknowledge that a lot of great security research occurs in our universities and by independent researchers — the real heavy lifting, the bulk of a lot of research in the area, falls to the security vendors in the field — and not just in the discovery of new vulnerabilities, but also in the development of proper security models to address concerns. If these vendors don't have a marketplace that allows them to monetize their work, I feel it will occur at a much slower pace, if at all. Of course, this circles back to their customers, the enterprises and our understanding of our requirements in this area. Obviously, if we don't understand the problems, it is unlikely we'll be willing to spend the money — again, development of the ecosystem is very important in my opinion. I also think we all should have a secondary concern — and one that I've discussed with a number of the involved platform vendors and carriers in this space — that being our collective ability to close vulnerabilities through "patching" when they are discovered. While security vendors can certainly develop products that help protect us before we can patch, ultimately, these are computer operating systems and the notion that a 1-2 time per year firmware upgrade will satisfy the closure of vulnerabilities as they're discovered is ill-advised. I think this will challenge all of us because the current model is really not aligned to rapidly address vulnerabilities as they are discovered.
Bryan: In the report you mention that there haven't been any significant attacks targeting mobile platforms specifically. Do you expect that to change in the next 2-5 years?
David: Significant is obviously a relative term and perhaps a better term might be pervasive. While we've definitely seen small amounts of malware on smartphones, as detected by our malware protection solution, it has been very small in comparison to what we see attacking Windows-based machines. Personally, I feel that the shift to seeing pervasive attacks on smartphones is probably related to a couple of factors; primarily the ramp toward End-of-Life for Windows XP machines and secondly, the market share battle between smartphone platforms. The reason behind the shift will largely be dictated by financial opportunities for the actors that typically exist as part of the underground economy. As their opportunity for Windows XP compromises starts to dry up, I think we should expect that at least a portion of that will be focused on smartphone attacks. Certainly things like the development of malware toolkits to support those mobile platforms as well as the discovery of smartphone vulnerabilities will directly influence their shift.
Bryan: Ok, last question. As smartphone security matures, and people more frequently use this platform to access sensitive information, doesn't this make them a more attractive target for attackers? Essentially, does enhanced security make them a bigger security risk?
David: It is my belief that people will use these platforms to access sensitive information regardless of the level of protection we can provide. Most users of smartphones are not even aware of attack vectors, vulnerabilities and what could be done to improve security, so I think that they will use their devices regardless. In fact, I'd suggest as enterprises, we really have a very simple choice; we can spend our money in implementing the proper security measures for our employees or we can spend that money developing ways to prevent them from circumventing controls to enable it themselves. While I think this could vary from corporate culture to corporate culture, I firmly believe folks will invent ways to circumvent controls that exist — and rather than end up in an arms race with our employees in preventing them from what they want to do, we're all better served to properly educate as well as implement security programs that allow the proper use of this technology. That isn't to say that we all have all the controls figured out as it pertains to best practices — I think this is a journey — but not unlike the previous generation of personal computers. Let's face it, things like IPS and DLP were not part of best practices in 1982 either.
And there you have it folks, your first look into the new mobile security section of the upcoming 2010 IBM X-Force Trend and Risk Report. Keep your eyes peeled and your ears open because the full report could be coming any day now.
A quick recap on some important reading for Finance pros that you may have missed the first time around.
Last week was "Finance Week" here on Performance Perspectives and in those five days (well, four if you count Family Day in Ontario) we featured a heady mix of news, insights and information about some pretty important events in the Business Analytics universe. The first is IBM Finance Forum, our global roadshow for Finance professionals. It's happening now and you can see the dates and locations here. The second is Vision 2011, the annual conference for customers of Clarity Systems, which is now an IBM company. Do check out the posts below and consider one of these events, won't you?
David Axson interview, Part 1 of 2: Going the "last mile" in Finance: Our keynote speaker for Finance Forum events in North America borrows a metaphor from telecom to explain the value of business analytics
"At Pulse, we've all seen hundreds, if not thousands of Smarter Planet slides detailing how our world is rapidly becoming more instrumented, interconnected and intelligent. Steve Robinson's keynote Tuesday morning was no exception to that."
As the General Manager of IBM Security Solutions, his talk took a bit of a different angle on the conversation though. He wanted to ask the question...
We've seen a lot over the course of the past year in terms of internal and external security incidents. From Stuxnet...
...to Wikileaks, to the recent events at Nasdaq, to patient records being breached in Arizona.
One of the questions that we have to ask ourselves is, "what do these events mean?" At IBM, we have an entire advanced research team dedicated to looking at these single incidents and understanding them in the context of the broader security landscape. Twice a year, IBM X-Force publishes their findings in the IBM X-Force Trend and Risk Report. Their job is to be constantly evaluating the question...
There are a few things that they've noted and that Steve focused on during his talk. There's a lot of debate around whether internal or external threats represent the greater threat, but one thing is for certain: a good security strategy will take both into account.
Mobile devices offer lots of new opportunities from both a personal and enterprise perspective when we think about efficiency and convenience. However, as these devices develop in popularity, and they are increasingly used to access sensitive information, we must also consider some of the emerging security questions.
Steve also spoke about the continued rise of government regulation. Every company is dealing with extensive compliance mandates and that trend doesn't seem to be slowing. However, at Pulse we've started to notice a subtle shift in the way executive level security professionals are thinking about the relationship between security and compliance. While in the past they may have been focused on becoming compliant, organizations today are starting to think about doing whatever it takes to become secure, with compliance following from that. Again, the shift is a subtle one, but it's interesting once we realize that this is really a change in who is actually driving security requirements. It's transitioning from governments to the individual organizations.
One of the most significant points that Steve made is that security professionals can no longer say "no." Security needs to become an enabler of...
Cutting edge security is ultimately what allows organizations to confidently adopt emerging technologies. With that in mind, the question you're probably asking is,
IBM recently released the IBM Security Network Intrusion Prevention System. Boasting 100% inspection and speeds twice that of our closest competitors, this product is an enormous step forward in network security. It is also just one example of how IBM has a significant focus on what we would consider to be traditional security. We...
With 9 security operations centers around the world, we are also focused on...
...so that our clients can consume security in the way that's right for them.
We're seeing a convergence of systems management and security management, with the endpoint being a prime example of this. Built on BigFix technology, Tivoli Endpoint Manager was designed with the philosophy that a well managed endpoint is a secure endpoint.
The real key is to take these technologies and practices and deploy them in a way that is focused on
Security is all about building in that top layer of visibility, automation and control, but to do that, to make security "operational," we need to first build security into the core foundational elements of the IT infrastructure, into the elements of the IBM Security Framework (people and identity, data and information, application and process, network, server and endpoint, and the physical infrastructure).
Listening to Steve talk reminded me of a quote from one of the recent IBM Centennial videos. A former Director of IBM Research made the comment that, "doing science in isolation will not work." Both Steve's discussion and IBM Security seem to be built on that foundational understanding. Our technology and approach is based on, and driven by, the world we live in. IBM X-Force takes information about security events and vulnerability disclosures and turns that information into real intelligence. They then turn around and build that intelligence into our products. These products are then deployed into environments that are often under the management of our Managed Security Services team. As mentioned earlier, IBM has 9 security operations centers around the world, and from these centers we manage over 4,000 clients and 13 billion security events every single day. We take that first-hand information and experience and funnel it back into our X-Force research team. The cycle of information, intelligence and innovation begins again.
The circular nature of our approach to security helps to ensure that our technology is constantly being evaluated and created with an understanding of the world it will be deployed into: your world.
1. It's a convenient way to learn what IBM means by Smarter Systems. IBM defines smarter systems as fully-integrated hardware, software and services optimized for particular workloads. The Virtual Event keynote features a terrific presentation by industry analyst Merv Adrian, who very clearly explains what we mean by a "workload," and how workload-optimized systems can mean faster time-to-value, improved performance and lower short- and long-term costs. Adrian does a terrific job of translating technical concepts into plain English (without lapsing into marketing-speak).
2. It gives you access to a HUGE store of educational resources. Eighteen (18) analyst papers. Six (6) e-books. Sixteen (16) IBM technical white papers. That's a very partial list of what you'll find in the Virtual Event's Resource Center, which is packed with media and information related to Smarter Systems in general, and the individual IBM technologies from which Smarter Systems are composed. You would have to fill out a whole mess of separate registration forms to get this information otherwise, but you get access to all of it when you register for this one Virtual Event.