7 hot IT career trends — and 7 going cold
The growing IT skills gap and demand for data pros and hybrid roles are disrupting the traditional IT career path. The following heat map of career trends will help you cash in and avoid dead ends.
October 31, 2017 By Paul Heltzel
There’s a major IT skills gap in the country and it’s only expected to widen. According to the Bureau of Labor Statistics, there will be 1 million more computing jobs than applicants by 2020.
And while this poses a problem for organizations without a plan to address it (two-thirds don’t, according to a recent CompTIA report), the skills gap can also be viewed as an opportunity. For IT pros and for businesses, there’s a chance to get ahead of your competition by matching supply and demand.
If you’re up for the challenge, read on to find out which areas are trending — in education, soft skills, networking, and hot technologies among others — and which are cooling down.
As budgets across all industries tighten, IT workers, like other enterprise groups, are increasingly expected to multitask.
“Organizations are putting IT staff in front of customers to share product insights and gather information,” says Kyle Gingrich, vice president of IT and certifications at Skillsoft. “They’re being asked to run Scrum teams. They need to present to peers or managers and may also be learning how to work with virtual teams. Whatever the new hat is that’s being added to their skills stack, it requires training in soft skills to be effective and it’s not typically the place that IT professionals are comfortable with.” Technology now shapes leadership trends, says Donna Kimmel, senior vice president and chief people officer at Citrix. And so it’s crucial for IT staff to learn leadership skills as well.
“Technology becomes more meaningful when it’s put to work to address human needs, solve problems and help achieve goals,” Kimmel says. “Maintaining this human element in the enterprise will be much easier if the IT teams deploying big data, machine learning and IoT solutions have strong leadership and people skills, in addition to technical ones.”
Cold: Dev and ops in silos
In part because of workload migrations to the cloud, it’s less likely to see traditional user support and networking services separated from the dev team.
“The days of infrastructure and application development teams operating separately are dwindling as businesses look to operate in a more lean, agile way,” says Tim Leylek, branch manager of the IT direct hire practice at Addison Group.
Todd Vernon, CEO and co-founder of incident management services provider VictorOps, says proactive operations staffers are developing skills in site reliability engineering (SRE), with the idea of embedding in software development teams and focusing on speed, security and customer service — and avoiding a potentially dead-end career.
“If your career is in purely system administration and software operations, your technical job will be the first casualty of the high-velocity digital age,” Vernon says.
Hot: Soft skills
According to New Jersey-based HR software provider iCIMS, the top three soft skills recruiters are looking for are “problem solving (62 percent), adaptability (49 percent) and time management (48 percent).”
These stats come from their recent soft skills survey, which interestingly found that 1 in 3 recruiters are seeing soft skills on the decline in the past five years. “Ninety-seven percent of recruiting professionals agree that colleges and parents need to do a better job of teaching kids soft skills before they enter the workforce,” the survey reports.
James Stanger, chief technology evangelist for CompTIA, says the answer to boosting soft skills may be close by. “Get a mentor who knows business and who knows how to communicate well,” Stanger says. “That mentor can be someone on the job, a neighbor, or someone you meet in a class or a good trade show. No one today wants to have a talky techie in the room who doesn’t know business. Likewise, no one wants a blathering businessperson in there, either. Put together key tech, business, and soft skills, and people will beat a path to your door.”
Cold: Ability to pursue soft skills
While most tech pros agree developing soft skills could boost their careers, just over half, according to CompTIA’s “Assessing the IT Skills Gap” report, are working on this skill set.
Part of the issue may be a perceived lack of support from employers to pursue professional development. About 40 percent of the CompTIA study respondents disagreed that their company supports their career growth.
About the same said they didn’t have the tools or resources to do their jobs. “These two matters may be quite frustrating for IT pros, especially given their desire for continued learning,” according to the report. “Though many organizations may support IT employee training and professional development to some degree, it’s simply not enough.”
Spiceworks, a social network for IT pros, recently put out its “2017 Tech Career Outlook” report, which suggests most IT staffers, understandably, are working on their tech skills but aren’t brushing up on people skills.
“While soft skills are considered the second-most important IT skill to have,” the report says, “only 29 percent of IT pros plan to work on them next year. Instead, technology professionals are more likely to brush up on technical areas including networking, virtualization, and cybersecurity.”
Framed a different way, IT staff might see an opportunity to leapfrog 71 percent of their colleagues who aren’t making the time for deepening their soft skills.
Hot: Analytics certifications
Companies swamped with data from the cloud and IoT devices are struggling to analyze that information in a way that helps their business make decisions. So there’s an increasing push for analytics and automation to help firms succeed.
“Of course, any skill set that touches data is hot,” says Rick Sullivan, vice president at technology staffing firm CTG. “BI, analytics, IoT programming and development, big data, machine learning, AI, blockchain and ERP.”
“Analytics is king in terms of generating value from data and the more that can be done to improve analytics, the better, for example improvements in curating data for analytics,” says Gavin Robertson, CTO of software company WhamTech. “Dumping copies of operational data without addressing fundamental data management processes can lead to actually losing value or not realizing as much value as could have been realized — up to 80 percent of difficult-and-expensive-to-obtain data scientists’ and analysts’ time is wasted on data preparation.”
This demand for data chops has many IT pros tackling data analytics certifications — or a career switch into data science.
Cold: Vendor-specific certifications for security
Earning certifications for vendor-specific technologies is seeing less demand, at least in the area of cybersecurity, according to CompTIA.
“Cybersecurity involves myriad technical and business issues,” Stanger says. “Vendor-specific training tends to focus on features rather than critical issues facing companies today. In security and networking, the more performance-based and hands-on the credential, the more it’s valued. Folks in the IT industry — and, more importantly, the companies who hire IT folks — tend to value certifications that validate and require proof of hands-on learning.”
Hot: Personal relationships with contacts
CompTIA’s Stanger says tech pros should be focusing on what he calls “quality conversations” — and the more the better.
“Use good blogging and communication skills to communicate on a one-to-many basis with your contacts,” Stanger says. “Don’t simply self-promote. Stream valuable, curated content and thoughts to people in your network. You’ll find that what interests you will generally interest them.”
It’s a two-way street: IT staff excel when they make personal connections, and their managers need to work those same muscles to get the best from their team.
“Having authentic performance and development conversations that are frequent and just-in-time, rather than high-stakes conversations annually, will motivate people toward creativity and excellence,” says Citrix’s Kimmel.
Cold: Padding LinkedIn connections
Recruiters, including AI-based headhunters, still rely on well-keyworded profiles. But relying on those alone isn’t advised.
“Simply growing your LinkedIn numbers and padding your profile is out,” says
IT pros who can meld personal connections with tech skill will outperform even those with more traditional hard skills, says David S. Patterson, president of IT staffing and executive search firm The Kineta Group.
“It’s not only the understanding of technology, but it’s the understanding of technology and how to creatively weave that into the business landscape that will be the real difference maker in the coming job market,” Patterson says.
Hot: Business skills
Innovating in today’s IT workplace, our experts say, means developing business smarts for those who want to advance their careers.
“We’re starting to see more roles in business competencies, like in marketing or operations, that reward an IT background or competency,” says Lev Lesokhin, executive vice president of strategy and analytics at software intelligence firm CAST. “As software continues to permeate everything we do, it’s becoming more imperative for ops people to at least have a baseline understanding of what technology does for the business.”
Even hot areas like analytics don’t exist in a vacuum. “Almost any function in the business has a lot of data they are dealing with on a regular basis and need the analytics function to ensure that data can tell the story,” says Mona Abou-Sayed, vice president of organizational development and talent at telecommunications company Mitel. “This requires a minimum level of business understanding to be able to pull out relevant stories from the data.”
Cold: Moving from tech to finance
While business skills are increasingly expected of IT staff, most tech workers like where they are and aren’t as interested in moving to the business side of the office as they may once have been.
“In fact, we see the opposite,” says Mitel’s Abou-Sayed, “where workers from other segments are shifting into more tech-centric roles.”
“Most developers are still very interested in tech-centric job opportunities,” says Lesokhin. “There’s an interesting flux of talent going between organizations with a more ‘startup-y’ vibe like what Google has, versus working at a financial services organization or a bank that’s willing to pay more to recruit top talent. The tradeoff is between having a more exciting job where you’re working on innovative projects like self-driving cars, or taking a more traditional role where you may be compensated more for a more dull day-to-day environment.”
Hot: Hybrid roles
Jesus Pena, VP of sales and services at United Data Technologies, says in the past few years he’s definitely seeing a transition to more hybrid IT roles.
“No longer are the days for technical resources to be in silos,” Pena says. “They need to be retrained and be thinking more about business outcomes, ROI conversations and vertical expertise.” But it’s not always easy. “This is an uncomfortable conversation for most technical people,” Pena says, “because they usually play in the IT department and this will push them outside of that comfort zone.”
Todd Loeppke, lead CTO architect at Sungard Availability Services, says market changes and the rise of devops have paved the way for more and varied hybrid roles. “It’s critical that IT people know when, where and how to leverage and monetize new technology,” says Loeppke. “We are seeing this right now with machine learning and blockchain. Machine learning requires large data sets to learn from and test with. Business insight is critical for guiding how ML is implemented. Similar to the career path for IT staff, the business side also has an added technical career path — data scientist.”
Cold: Jumping ship (vs. moving up)
Nearly 80 percent of IT pros in a recent CompTIA report said they were very or mostly satisfied — and just over a third said they were very satisfied with their jobs. And those numbers are up slightly from a survey taken in 2015.
“Generally, IT professionals consider an internal promotion to be a new job,” says Cliff Milles, lead technical recruiter for Sungard AS. “I think a major driver regarding this decision is whether the person wants to remain with their current company or get a fresh start.”
Hot: Developing security skills
Our experts say IT pros are developing cybersecurity skills to broaden their tool kit, advance their careers and protect their firms.
“We’ll see huge growth in security and compliance,” says CTG’s Sullivan. “IT has to address the safety component as we adopt technology exponentially faster.”
Part of the problem comes from a lack of security training in computer science programs and boot camps. Schools are racing to adopt related coursework, but that’s just one part of the problem, says Lesokhin.
“Some universities are still in the process of bolstering their secure development courses, and over 40 percent of IT developers don’t have computer science or engineering degrees to start with,” Lesokhin says. “In 2015, the U.S. graduated 60,000 computer science or equivalent majors, and in 2016 we had 18,000 people go through online coding schools that are 12-week crash courses in the basics of programming. You do the math.”
The gap for security, compliance and governance focused on apps, cloud and systems will continue to widen.
“We expect this trend to continue,” says Sullivan, “particularly as high-profile security breaches unfold, like the one seen at Equifax where failure to put an important patch in place was a key factor.”
Cold: Traditional benefits (vs. work-life balance)
There’s no question that salary seals the deal on most successful IT hires, but we’re hearing a steady buzz about the need for benefits that go beyond retirement plans and vacation.
“Entry-level engineers value being recognized and the sense of being a part of something larger than themselves,” says Joe Vacca, CMO and EVP of strategy and innovation at IT recruiting and training firm Revature. “They want to work on projects that they believe in and make a difference. As for benefits, non-traditional benefits seem to resonate, as well as employment structures that are flexible and promote work-life balance.”
“It continues to be a competitive environment in hiring technical talent,” says Alex Robbio, president and co-founder of Belatrix Software. “Of course salaries are a key factor, but the opportunity to build a strong career and have an enjoyable working environment are also critical.”
Interestingly there appear to be some differences in the way American and European IT pros look at their compensation.
“According to our data, salary is the top driver for 62 percent of developers in the U.S., whereas in Europe with countries like France, salary was only the top driver for 25 percent of respondents,” says Lesokhin. “Building something innovative, getting recognition and seeing an opportunity for advancement were also among the top drivers for developers across the board.”
Read the entire story from CIO.
Hack attacks show that Florida schools are vulnerable
The attempted infiltration of some school districts, including Miami-Dade’s, was aimed at stealing Social Security numbers and other ID info but also at trying to access state voting systems, says a cybersecurity firm.
June 18, 2017
By Kyra Gurney
The operations center at United Data Technologies, the cybersecurity company that investigated the attempted hackings.
Two months before the U.S. presidential election, international hackers slipped into the computer systems of at least four Florida school district networks in the hopes of stealing the personal data of hundreds of thousands of students.
They infected the systems with malware — malicious software — that turned off the logs recording who accessed the systems, according to United Data Technologies, the Doral-based cybersecurity company that investigated the incidents. For three months, the hackers probed the systems, mapping them out and testing their defenses. At one point, they even posted photos of someone dressed as an ISIS fighter on two school district websites.
They weren’t just looking for the names of kids and valuable Social Security numbers, UDT found. The hackers were also searching for some way to slip into other sensitive government systems, including state voting systems.
Luckily, the hackers — from Morocco, not Moscow — never found one or managed to get their hands on personal data. But the attempted hacking exposed the vulnerabilities of Florida’s school district networks: vast computer systems that store sensitive information on thousands of students, and their parents, and could potentially provide a back door into other government systems. Amid the national obsession with the alleged Russian hacking during the U.S. election and the constant stream of headlines on corporate data breaches, like the ones at Target and Chipotle, experts say the dangers of cyber attacks targeting school districts are being overlooked.
School districts around the country have been hit with cyber attacks in recent years.
In 2015, for example, the computer system of a New Jersey school district was held for ransom by a foreign hacker who demanded 500 bitcoins — about $128,000 — to hand control of the system back to school administrators, according to the technology news site FedScoop.
In a separate incident that year, three high school seniors in New York were accused of hacking into their school’s computer system to change grades and schedules.
And in Florida, state standardized testing was interrupted in 2015 when hackers overwhelmed a testing vendor’s server with traffic, making computer screens go blank. Students in Florida, like their peers in other states, have also broken into school servers to change grades.
Verizon’s 2017 Data Breach Investigations Report, which provides a snapshot of cybersecurity incidents across the country, recorded 455 “security incidents” in the education sector last year.
There are hackers — like students seeking to change grades — who specifically target schools. But in most cases, they aren’t after a particular government agency or company, said Mike Sanchez, chief information security officer at UDT. “Unless they have a real motivation to bring you down, they’re looking for the low-hanging fruit, they’re scanning for vulnerability,” Sanchez said.
And for hackers, school networks are a gold mine.
A large school district like Miami-Dade, which was one of the districts targeted in the attempted hack last fall, handles the personal information, including Social Security numbers, of hundreds of thousands of current and former students, along with data on thousands of employees and parents.
Unlike corporations with trade secrets and data to protect, many school districts have set up systems to make connectivity easy. With free Wi-Fi in school buildings and a generation of students glued to their smartphones, there are thousands of opportunities for a hacker to gain access to a school network. Students downloading free apps on their phones or hopping from one school computer to the next can spread a computer virus faster than the flu during flu season.
“There’s always this want to have open access and it is a learning environment so some things that corporate America does just by rule we wouldn’t apply in an education environment,” said Paul Smith, the Miami-Dade school district’s director of data security. “We’re talking hundreds of thousands of devices on our network. That’s one of the challenges that we face.”
And the data school districts handle is particularly valuable to cyber criminals.
“If you’re trying to steal identities or cobble together identities, if you can get a person’s name, date of birth, home address, you’re starting to get a fairly complete record,” said Michael Kaiser, the executive director of the National Cyber Security Alliance. “Think of the things school districts have — it’s more than many businesses.”
Students’ Social Security numbers are particularly valuable, said Yair Levy, a professor at Nova Southeastern University who researches cybersecurity.
“High school kids, almost all of them have a very clean slate when it comes to credit scoring. So they’re trying to gain access to a large volume of teenagers’ [information] that can help them down the road,” he said. “These guys have time. They’re willing to wait a year, two years before they can actually monetize that data.”
And on the dark web, these Social Security numbers sell for $25 to $35 apiece, Sanchez said. The information from just one school could easily be worth more than $10,000.
HACKERS DRESSED AS ISIS FIGHTERS
That appears to have been one of the principal motivations for the hackers who sent malware to Florida school districts last fall — the promise of thousands of untarnished Social Security numbers.
The attacks began with an email message containing an image that, once clicked, ran code that delivered the malware into the district’s systems.
The malware went undetected for several months as the hackers conducted reconnaissance, according to UDT.
Then in November, a photo of someone who appeared to be one of the hackers dressed as an ISIS fighter went up on a school district website. It stayed there for about 24 hours. The following month, the same photo flickered onto another school district’s website.
The districts contacted UDT, and in early December the company discovered the malware.
What they found was troubling.
The hackers had been able to turn off the logs recording who entered certain computer systems and what they did while logged on. That made it difficult for the UDT analysts to know, with total certainty, what the hackers had done. It was a sophisticated maneuver that Sanchez and his team had never seen before.
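The malware described above switched off the logs that record who entered a system and what they did, which is exactly what left UDT unable to say with certainty what the attackers had done. The following is an added example, not code from UDT, the FBI or any school district, showing how a detection team looks for that kind of tampering: it flags the Windows security events that record logging being reconfigured, shut down or cleared (the real event IDs 4719, 1100 and 1102), and it flags any host that goes silent for longer than it should, because disabled logging looks like silence. The one-line log format, the host names and the sample records are constructed for the example.

```python
"""Detect tampering with audit logging in a stream of host log records.

The sample records below are constructed for this example; the log
format ("<ISO timestamp> <host> EventID=<n> User=<name>") is an
assumed simplification, not a real collector's output.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Real Windows event IDs that indicate logging itself was tampered with.
LOG_TAMPER_EVENT_IDS = {
    1102: "audit log cleared",
    1100: "event logging service shut down",
    4719: "system audit policy changed",
}


@dataclass
class Event:
    ts: datetime
    host: str
    event_id: int
    user: str


@dataclass
class Alert:
    kind: str      # "tamper_event" or "silence_gap"
    host: str
    ts: datetime   # when the tamper event fired, or when the silence began
    detail: str


def parse_line(line: str) -> Event:
    """Parse one record in the assumed '<ts> <host> EventID=<n> User=<u>' format."""
    ts_s, host, eid_s, user_s = line.split()
    return Event(
        ts=datetime.fromisoformat(ts_s),
        host=host,
        event_id=int(eid_s.split("=", 1)[1]),
        user=user_s.split("=", 1)[1],
    )


def find_log_tampering(
    lines: List[str],
    max_silence: timedelta = timedelta(hours=1),
    collected_until: Optional[datetime] = None,
) -> List[Alert]:
    """Return alerts for explicit log-tampering events and for hosts that go silent.

    A host that normally emits events every few minutes and then produces
    nothing for longer than max_silence is flagged, because disabled logging
    looks exactly like silence. collected_until lets a host that is still
    silent at the end of the collection window be flagged too.
    """
    events = sorted(
        (parse_line(l) for l in lines if l.strip()), key=lambda e: (e.host, e.ts)
    )
    alerts: List[Alert] = []
    last_seen: Dict[str, datetime] = {}
    for ev in events:
        if ev.event_id in LOG_TAMPER_EVENT_IDS:
            alerts.append(Alert(
                "tamper_event", ev.host, ev.ts,
                f"EventID {ev.event_id} ({LOG_TAMPER_EVENT_IDS[ev.event_id]}) by {ev.user}",
            ))
        prev = last_seen.get(ev.host)
        if prev is not None and ev.ts - prev > max_silence:
            alerts.append(Alert(
                "silence_gap", ev.host, prev,
                f"no events for {ev.ts - prev} until {ev.ts.isoformat()}",
            ))
        last_seen[ev.host] = ev.ts
    if collected_until is not None:
        for host, prev in sorted(last_seen.items()):
            if collected_until - prev > max_silence:
                alerts.append(Alert(
                    "silence_gap", host, prev,
                    f"still silent {collected_until - prev} after last event",
                ))
    return alerts


# Constructed sample: dc01 has its audit policy changed and its log cleared,
# then goes quiet for hours; fs02 simply stops reporting before the window ends.
SAMPLE_LOGS = """
2016-09-12T08:00:00 dc01 EventID=4624 User=jdoe
2016-09-12T08:05:00 dc01 EventID=4624 User=msmith
2016-09-12T08:07:30 dc01 EventID=4719 User=svc_backup
2016-09-12T08:08:00 dc01 EventID=1102 User=svc_backup
2016-09-12T15:30:00 dc01 EventID=4624 User=jdoe
2016-09-12T08:00:00 fs02 EventID=4624 User=jdoe
2016-09-12T08:20:00 fs02 EventID=4624 User=jdoe
""".strip().splitlines()


def run_sample() -> List[Alert]:
    """Run the detector over the constructed sample with a 16:00 collection cutoff."""
    return find_log_tampering(
        SAMPLE_LOGS, collected_until=datetime.fromisoformat("2016-09-12T16:00:00")
    )


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a.kind:13} {a.host:5} {a.ts.isoformat()}  {a.detail}")
```

The silence check matters more than the explicit event IDs: an attacker who can disable auditing can usually also suppress the event that says auditing was disabled, so the detector must assume the tamper event may never arrive and rely on the host's normal event rate instead. The one-hour threshold is a placeholder; in practice it is set per host class from observed baselines, and the detector runs on a collector the monitored hosts cannot write to.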
UDT contacted the FBI and re-engineered the malware so it was no longer a threat. The analysts found no evidence that any data had been taken. The FBI declined to comment on the incidents or on cyber crimes in general.
Smith said Miami-Dade was one of the districts targeted in the attempted hack, but UDT would not identify the other school districts. The hackers also targeted a Florida city network with a similar attack.
In Miami-Dade’s case, Smith said, the hackers put one of the ISIS-inspired photos on a school district website, but Miami-Dade didn’t find any evidence of malware or access to its computer systems. “I would say if anything, it was an attempted hack,” Smith said. “But it was raised up to law enforcement and we did go through all the systems.”
SEARCHING FOR STATE VOTING SYSTEMS
As UDT conducted its investigation, the company learned that Social Security numbers weren’t the only thing the hackers appeared to be after.
On a site hackers use to brag about their exploits, the hackers said they were trying to get into voting systems hosted by Diebold voting platforms. They wanted to bring down what they thought were state voting systems.
But in this case, the hackers did not appear to be Russian. Instead, UDT identified them as a Morocco-based group called MoRo. UDT said there is no evidence the hackers had any connection to the Moroccan government.
The Moroccan hackers were far from the only ones trying to access election systems last fall. Russian hackers tried to break into the computer systems of at least five Florida county elections offices days before the 2016 presidential election.
By the time the Moroccan hackers posted online about voting systems, in December, the election had come and gone. The hackers never found what they were looking for. But their message was clear, Sanchez said. If they wanted to, the hackers could get into school district systems. And once they get into one government network, cybersecurity experts say, it’s easier for hackers to find a back door into others.
“That is a very common tactic,” Kaiser said. “A school district network almost likely is attached to other networks in the town or city or even the state, depending on how the network is set up.”
For example, a hacker could steal the log-in information for a system administrator who also has access to other government networks, Kaiser said, or use that person’s email account to send emails infected with malware to government employees at other agencies, tricking the recipient into believing the sender also works for the government.
“There are a lot of different techniques that they might use in that situation and getting into the network opens all of that up,” Kaiser said.
Sanchez from UDT said that in mapping out school district networks, the company has discovered connections between school computer systems and different county and city systems. The connections are easy for school districts, “caught up in the day-to-day stuff,” to miss, Sanchez said.
“Sometimes the school districts don’t have all of the right tools in place or the right knowledge to map out these networks,” he said.
It’s impossible for school districts to protect against every potential threat, experts say.
For one thing, everyone from the cafeteria worker to the school principal has access to at least some student information.
In 2014, a fired Miami-Dade schools cafeteria worker was sentenced to almost seven years in prison for stealing the personal information of hundreds of students from a school computer network and using it to commit income-tax fraud. A few years earlier, a Broward Schools employee was sentenced to five years in prison for selling teachers’ Social Security numbers and dates of birth to identity thieves.
School districts also typically have tight budget constraints, which impact their ability to hire a big enough cybersecurity team and pay for the necessary tools to protect school networks.
“Security is always a tough item in the budget because a lot of it is proactive,” Smith said. “A lot of it isn’t things that you see huge benefits or direct results from. It’s almost like insurance. You’re buying it hoping that you’re going to prevent things in the future.”
Miami-Dade has a team of six people focused just on cybersecurity, and another 20 who help with cybersecurity issues in addition to other tasks.
The district has dumped older operating systems and applications that are difficult to secure and added new tools to identify where attempted hacks are coming from, said Debbie Karcher, the district’s chief information officer. Miami-Dade has also made an effort to educate employees and students about cyber threats, Karcher said, and even offers cybersecurity programs at some high schools.
“People need to become acutely aware that their digital security is as important as their home, valuables in their home,” Karcher said. “They take great care to lock their homes, lock their cars, but then they’ll click on emails that they don’t recognize the sender, they don’t use good passwords.”
The district has also restricted the data employees have access to in order to prevent breaches like the ones carried out in the past by unscrupulous employees, Smith said.
But, like any large organization, Miami-Dade still worries about cyber attacks. “As far as breaches through our data systems, we haven’t seen evidence of that on our side,” Smith said. “That’s always a big fear. We hold every student’s [personal information].”
It’s a worry Sanchez wishes more school districts shared. To effectively prevent cyber attacks, he said, administrators first have to recognize the seriousness of the threat and prepare their employees accordingly.
“Sometimes I just scratch my head and think, ‘Are these people asking the right questions or do they just not want to know? Is it safer not to know?’ I think for me we’re messing with kids’ information. Little Johnny, by the time he finds out his credit is ruined, it’s too late.”
Security firm finds flaws in CELPHIE website
Drew: Information taken down while concerns are addressed
May 17, 2017
By Michael Miller
Flaws in a testing website at the heart of a $1 million state appropriation to administer mental-health screenings in Nassau County schools left the site open to a number of exploits, including the ability to access students’ test results and other personally identifiable information, according to a report by a technology company working in cooperation with the News-Leader.
Florida Psychological Associates, owned by Dr. Catherine Drew, the wife of Nassau County Tax Collector John Drew, received about $600,000 of that state appropriation since August to implement the screenings locally using CELPHIE, an online tool developed by Drew and Dr. Laura Hume, another FPA employee.
Following a recent review of the site, Florida-based United Data Technologies produced the report, which details more than a dozen security gaps, most of which it labeled “high” and “critical” in severity.
“Although no exploitation of the vulnerabilities was performed (by UDT), an experienced attacker would be able to find enough clues within the application’s code to easily reach databases containing sensitive information. In short, the likelihood the website can be breached and the negative impact caused by intangible and tangible costs is potentially high,” Mike Sanchez, the chief information security officer for UDT, stated when he delivered the company’s report to the News-Leader.
The company did not use any specialized software to identify the security issues.
Shortly after the News-Leader provided the report to Catherine Drew and Hume on Monday morning, the website – hosted on a subdomain of celphie.org – went offline and continued to be inaccessible as of Tuesday afternoon. The main celphie.org website, which presents marketing materials about the mental-health screening tool, remains online. According to American Registry for Internet Numbers records, the two websites are hosted on separate IP addresses belonging to different hosting companies.
Responding to News-Leader requests for comment, Drew wrote Tuesday morning in an email, “Patient safety and privacy are crucial issues for Florida Psychological Associates. FPA senior staff members have reviewed the UDT report provided by the News-Leader, and we share some of the concerns raised about the system’s vulnerability to malicious users and the possibility that hackers could access server side architecture and/or database information through brute force attacks.”
“We have taken the system and its information offline while we work with the owners of the system, American Screener Corporation, to address these concerns to our satisfaction,” she also stated.
According to emails between Drew and officials at Florida State University’s College of Medicine, which received the state appropriation and funneled it to FPA as payment for a study of the CELPHIE screener, Drew and Hume jointly own 20 percent of American Screener. In earlier emails to FSU, Drew stated that she and Hume were the owners of American Screener, which was organized in Nevada, but did not name any others. Nevada allows the names of the owners of companies to remain confidential in most cases.
Drew also stated in her email to the News-Leader, “It is important to know that, to our knowledge, none of the information on the site has been compromised. Also, before any more screenings are conducted, FPA will contract with an independent, third-party internet security firm to review whatever changes are made to address the security concerns raised by UDT and the News-Leader.”
The News-Leader also provided a copy of the report to Nassau County School District officials.
Superintendent Dr. Kathy Burns wrote in an email to the News-Leader, “We have reviewed the report from UDT and believe the findings identify legitimate concerns. We will discontinue access to the Celphie project until all identified vulnerabilities have been mitigated.”
Burns also noted, “The safety and security of students at all levels is a top priority for the Nassau County School District. The District has recently implemented procedures for Vendor Risk Assessment to ensure that software applications meet the highest level of security … We continue to work every day for the success of students and the improvement of our schools.”
Mark Durham, the school district’s executive director of curriculum, instruction and school improvement, said last month that district officials had not reviewed the content of the CELPHIE screener or how it was implemented before granting FPA permission to use it in Nassau County schools.
In addition, School Board member Dr. Kimberly Fahlgren expressed concern at a board meeting in February that the request to screen students district-wide had not come before the board.
According to an interview with Drew earlier this year, retired superintendent Dr. John Ruis asked her to provide a letter explaining the mental-health screening program and then approved the use of the screener in Nassau schools.
The News-Leader sought information from FSU officials about any security reviews the school might have made of the CELPHIE screening tool before approving its use by FPA, but Browning Brooks, the assistant vice president for university communications, issued the following statement instead:
“Florida State University has rigorous policies on the security of research data. We cannot validate the findings of the technology firm hired by the newspaper but will certainly look into the matter immediately. It is important to note that FSU is in the process of ending our contract with FPA as directed by the Florida Legislature.”
According to reports to FSU, FPA staff administered the CELPHIE mental-health screening to up to 400 students ranging in age from 8 to 18 whose parents had signed a permission form handed out in classrooms.
ensued, according to the NCSO report.
“The suspect (Dimaio) then physically engaged (the male victim) in the living room and stabbed him three times to include the neck, left shoulder and left upper back,” the report states. “During the attack and while armed with the knife, the suspect also threatened to kill his estranged wife (victim 2), placing her in fear for her life.”
During the altercation, Dimaio’s estranged wife and two other witnesses came into the living room. Both victims were able to gain control of the knife to disarm Dimaio and then forced him to leave the residence, according to the report.
Dimaio is being held in the Nassau County Jail on a bond of $177,508, according to the NCSO inmate database.
Mixed response from IT security pros following release of Cyber Security Executive Order
By Greg Masters
In a week filled with controversy surrounding the Trump administration, including the unexpected and abrupt dismissal of FBI Director James Comey, the president’s executive order on cybersecurity has been somewhat obscured in public forums but has drawn immediate, if mixed, reactions from cybersecurity professionals, who either praise it for providing much-needed guidance or criticize it for falling short.
The Cybersecurity Executive Order (EO), “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure,” meant to bring efficiency, clarity and additional protections to government IT systems, charges the government with reviewing its cyber posture and pins responsibility for cyber risk on those officials who lead federal agencies.
While some praise the directive for its guidance, others say its guidance falls short.
Phil Dunkelberger, CEO, Nok Nok Labs, says his firm appreciates the sentiment behind the EO and the need to understand the current gaps within the cyber capabilities of the government and where the departments are from a budget standpoint. And, he acknowledges there are a lot of good, talented individuals that have been working on these problems for a long time both behind the scenes and in the spotlight.
But, he told SC Media, “There is really nothing new here, it is a continuation of what we’ve already been doing (and in many cases failing).”
He says the industry needs nothing short of a revolution, citing the cyber EO as an evolution and continuation of the same frameworks and reports put forth the last 10-15 years.
“We have made strides,” Dunkelberger said. “The question is, are we moving fast enough? Unfortunately, the threat factors around us are evolving at a much faster pace. We need to be much more assertive and aggressive as our adversaries aren’t playing by any rules.”
Mike Kail, co-founder and chief innovation officer, Cybric, told SC that the devil is in the details. “We need to focus on modernization and making smart investments versus trying to protect what’s already there and vulnerable. If we keep trying to put controls around critical and failing infrastructure, that’s not a good strategy.”
Instead, he says, “we should take an offensive approach by investing in the modernization of our infrastructure.”
“While the executive order does address some of the potential issues involved with adequately managing cybersecurity risk, the White House still runs the risk of doing too little too late,” Gidi Cohen, CEO, Skybox Security, told SC Media. “Per the order, while the general cybersecurity framework for each agency and department is based on NIST standards, each group is left to define and manage their own cyber risk, leaving the potential for a fragmented and incomplete point of view of the nation’s overall attack surface.”
Attacks – whether from a nation-state, hacktivist, or commercialized cybercriminal attack – target vulnerabilities that provide the easiest path into a network, Cohen said. “Without visibility into the attack surface as a whole, the government is put in the position of reacting to breaches – relying on strong wall defenses and other indicators of compromise to determine a course of action – rather than avoiding them. What’s more, these exposures could be exploited by different parties than most might think.”
State-sponsored activity gets all the attention, Cohen explained, but there are more pernicious threats out there today. These may initially have a lower impact than those involving international espionage but could eventually have an extremely negative effect on national security, public confidence, and our economy, Cohen told SC.
“As the agencies and departments responsible for protecting critical cyber infrastructure now begin to shift their focus to make sure they are aligned with the official White House perspective, it is unfortunate the executive branch hasn’t decided to take a more holistic approach,” Cohen said. “A centralized focus on government-wide indicators of exposure would empower a proactive, unified cybersecurity program. To accomplish that would be no simple task. Just like in the commercial sector, gaining this deep level of understanding is difficult in the ever-shifting cyber landscape.”
Cohen’s prescription for successfully guarding crucial cyber infrastructure has the government making use of every tool it can – including network modeling, attack vector analytics and threat-centric vulnerability intelligence – to identify the most critical exploitable attack vectors in real time. “Once it has been identified, security weaknesses that could enable the continuation of an attack allowing agencies to proactively find and fix exposed security risks before it can be exploited and potentially sold to the growing network of commercialized cybercriminals.”
Daniel Castro, vice president of The Information Technology and Innovation Foundation (ITIF), said, “We are disappointed to see that this executive order is mostly a plan for the government to make a plan, not the private sector-led, actionable agenda that the country actually needs to address its most pressing cyber threats.”
Cybersecurity should be a top priority for the Trump administration, Castro said. “The last administration put together a commission which left a comprehensive set of action items for the new administration to pursue that should have been the starting point for this order. While the executive order checks most of the boxes thematically, it generally kicks the can down the road instead of taking any decisive actions.”
He adds that it’s incumbent upon the administration to implement its stated goals for cybersecurity. “Notably, this order leans heavily on the government for ideas and implementation rather than a public-private partnership approach. This is somewhat surprising given this administration’s belief that the private sector can generally do things better than government.”
Additionally, Castro said, the private sector has the deepest bench of cybersecurity talent, so the federal government will likely need to look outside its ranks to stay on top of these issues.
He does have praise for the White House including much-needed government IT modernization and consolidation as part of the executive order. “While there are many reasons to pursue IT modernization, the administration is likely to have the most success getting this done as a cybersecurity mandate rather than as a push for efficiency.”
“The President’s executive order does not propose a concrete plan for cybersecurity, it merely calls for a top to bottom review of where things stand,” Sanjay Beri, CEO, Netskope, told SC. “While this is a step in the right direction, kicking the can down the road leaves remaining questions about what exactly the administration’s plans are for tackling what has arguably emerged as the single most existential threat to our livelihood: defending our cyber infrastructure.”
What’s more, Beri said, the administration has yet to fill the federal CISO vacancy, leaving the government without a leader at the helm to help implement and enforce security policies and practices. “For a president so concerned about establishing a positive legacy, this seems an obvious – and critical – area to address.”
Mounir Hahad, senior director, Cyphort Labs, told SC Media that there isn’t much to write home about in this executive order. “It is basically asking for a status report from the various agencies of the executive branch, something that should be taking place on a regular basis if our administration were to establish an adequate maturity level and exercise self-introspection as defined by the Carnegie Mellon Capability Maturity Model for organizations.”
However, he said he welcomed the initiative nonetheless and looks forward to what recommendations will be funded from the outcome of all the reports. “I am not sure that the head of any agency has ‘for too long accepted antiquated and difficult-to-defend IT.’ By choice. I hope the reports will shed the light on what regulation has imposed draconian restrictions on the agencies’ freedom to act and stay on top of a threat landscape that changes at neck-breaking speed.”
Philip Lieberman, president, Lieberman Software, told SC that if there is no budget from Congress for the order, it will have little real effect. “All plans have to be funded and accompanied with laws and regulations that are specific. No question cybersecurity is critical, but the devil is in the details and specifics.”
Unfortunately, NIST does not provide specific guidance on how to solve problems, only on pointing out the problems to be solved, Lieberman said. “Some of their guidance is a little off-base and not helpful – for example, they recently put out a report stating that they no longer believe that users should change their passwords regularly.”
Tim Erlin, VP, product management and strategy, Tripwire, said that even with this long-awaited executive order, the essential priorities of cybersecurity remain the same. “We know that maintaining a critical set of foundational controls is a proven strategy for minimizing the attack surface and reducing risk of cyberattack,” he told SC. “Even the most elaborate cybersecurity program can ultimately fail if it doesn’t get the basics right. It’s a positive sign to see the executive order address foundational controls like vulnerability management and secure configuration management.”
Critical infrastructure must be addressed at the highest level, Erlin noted. “The executive order calls for a number of reports to be produced assessing the current state of information security across agencies. The truly telling results will only come after the production of these reports and be measured by the actions they initiate.”
“This is a good step in the right direction,” Jeff Engle, VP, government sector, United Data Technologies, told SC Media on Friday. When it comes to assessing the cyber workforce, Engle said he believed the focus is a bit acute on the personnel who may have cyber in their title rather than the evolution in the general workforce. “Even now we are all part of the cyber workforce and can either be a conduit for vulnerabilities or part of an active defense. Lack of education of both this generation and the next on cyber risk awareness has to be addressed or no technological solution will keep us safe.”
Will Ackerly, co-founder and CTO, Virtru, is glad to see the president focused on bolstering cyber defenses. “It is very reassuring to see the Executive Order call out the need for interagency and international cooperation,” he told SC. “It is also great to see the topic of cloud storage presented so centrally. The cost and collaboration benefits of the cloud are undeniable, and, when combined with data-centric protections, such as strong encryption, government information will be even more secure. Finally, the ‘open and transparent process’ in identifying / promoting action by stakeholders to improve resilience of internet communications is highly encouraging!” Ackerly told SC.
But there’s a caveat. Ackerly believes that the specific methods outlined in the Order are necessary but not entirely sufficient to protect the nation. “Each department should have an experienced CISO in place who may report day-to-day to the agency chief, but should also have accountability to a cross-agency authority. This would encourage collaboration between agencies and ensure that critical information including threat intelligence, vulnerability assessment, and best practices for cyber-defense are rapidly and completely shared.”
Additionally, Ackerly said the Executive Order is missing any mention of intellectual property protection. “While an EO cannot force companies to do things directly, outlining the need for our businesses to have strong privacy protections in place would speak volumes. Government support for these kinds of endeavors would ensure that the fruits of our economic labors are not appropriated by nation state actors or other hostile parties. Until we focus on specific protections for our business and consumer data, including strong encryption, we will continue to be vulnerable.”
Steven Grossman, VP of strategy, Bay Dynamics, told SC that it is great to see that the President’s executive order supports a risk-based approach to cybersecurity. “That means prioritizing agencies’ most valued assets, such as critical infrastructure, and tackling the threats and vulnerabilities that could compromise those assets first. The order makes references like ‘commensurate with risk and the magnitude of harm,’ which ties to the necessity of measuring the mission impact of an asset at risk were compromised and prioritizing mitigation actions based on those that reduce impact the most.”
Further, the EO uses the NIST Cybersecurity Framework as the core framework agencies should follow, Grossman said. This also supports a risk-based approach. However, he added, it may not be detailed enough in the long run.
“Another great feature is that the order promotes accountability, assessment and remediation of cyber risk across many stakeholders in the agency, those in and outside of security,” Grossman said. “Cyber risk management cannot solely be the IT and security team’s problem. Stakeholders across the business from application owners who govern highly valuable assets to upper management who make investment decisions, must be involved in taking action to reduce risk.”
The order contains many positive steps that, when implemented, should significantly help reduce risk, Grossman said. “However, we would like to see more continuous monitoring requirements instead of just periodic compliance like assessments and remediation. The order should not be viewed as yet another compliance checkmark; it should be a continuous process.”
Finally, Grossman said that focusing on building up skills and competency in the workforce is a critical activity, but there needs to be a more immediate plan in place for response until that ramp-up occurs.
Stephen Coty, chief security evangelist, Alert Logic, agrees that the EO is using a risk-based approach for the U.S. government and its suppliers. “The order is mandating that all departments complete full technology audits and put together a plan for improvement and modernization of their current IT infrastructure,” Coty explained.
“They identify unmitigated vulnerabilities as one of the highest risks facing the executive departments and other agencies. These known vulnerabilities that they’ve identified include operating systems and hardware that are beyond the vendor support lifecycle. They also include declining to implement a vendor’s recommendation on patching and configuration guidance. All agency heads will be held accountable by the president for implementing these risk management measures.”
Coty is keen on the move to the cloud, citing the NIST Framework. “Government can now feel assured that cloud computing is a secure option for storage and access of their data.”
Larry Payne, head of Cisco’s U.S. public sector, told SC Media on Friday that the EO represents a renewed commitment to protecting federal IT networks. “With the NIST Framework as a guide, agencies can improve enterprise risk management capabilities and simplify their approach to security. A key piece of this effort will be continuing the push to modernize government systems, including rooting out unpatchable legacy hardware and better lifecycle management.”
Payne said his company looks forward to working with agency leaders to implement a strategic security approach, rather than deploying project-based solutions in response to incidents or compliance.
The EO is a tall order to accomplish in the timeline set forth, said John Kronick, director, ATG Cybersecurity Solutions, Stratifrom, a PCM Company. “Since the NIST Cybersecurity Framework has been out for several years (2014), it has gone through revision, but has not been implemented on a consistent or comprehensive basis, and the efforts to measure the effectiveness of its use are still under development,” he said. “That being said, it is one thing to initiate a risk assessment utilizing the CSF, but it’s quite another to initiate action to remediate the issues identified in the risk assessment.”
Kronick listed a number of steps that should be taken, including initiating mandatory CSF training for agency executives, risk managers and cybersecurity staff; developing a uniform method for assessing the effectiveness of the CSF implementation and use; requiring mandatory escalation of critical and high-risk issues such that they are resolved in a timely manner; initiating cybersecurity awareness training for all citizens, making it mandatory for all employees and workers of federal agencies and critical infrastructure entities – and requiring it more frequently than once per year; establishing a cybersecurity training and recruiting program to facilitate short-term and long-term staffing within the agencies; and requiring budgetary funding for remediation of CSF findings/gaps such that agencies will execute remediation measures with sufficient budget for tools, resources, etc. As well, he said, metrics should be established for centralized tracking of agency CSF risk assessments, along with a centralized risk register to track remediation efforts.
Trump Executive Order Tackles Concerns About Cybersecurity
By Kelly Phillips
On the same day that Daniel R. Coats, Director of National Intelligence, testified in front of the Senate Intelligence Committee hearing about the danger of cyber threats to our national security, President Donald Trump signed an executive order intended to “strengthen the cybersecurity of federal networks and critical infrastructure.”
Cybersecurity has been a concern for many Americans of late – not just because of allegations of Russian hacking during the elections – but also because of the increased risk at home. Phishing and identity theft, for example, were #1 and #3 respectively on the Internal Revenue Service (IRS) list of the Dirty Dozen Tax Scams for 2017.
In response to increased concerns, Trump touted cybersecurity as an issue during his campaign. Shortly before taking office, in January, he promised, “I will appoint a team to give me a plan within 90 days of taking office… Two weeks from today I will take the oath of office and America’s safety and security will be my number one priority.”
On his 111th day in office, the President finally delivered. The order focuses on three areas:
- Cybersecurity of Federal Networks
- Cybersecurity of Critical Infrastructure
- Cybersecurity for the Nation
Cybersecurity of Federal Networks.
To address cybersecurity of federal networks, the order requires the heads of each federal agency to use The Framework for Improving Critical Infrastructure Cybersecurity (the Framework) developed by the National Institute of Standards and Technology (NIST) to manage cybersecurity risk. Each federal agency will also be required to provide a risk management report for evaluation within 90 days. The report will include, among other things, “unmet budgetary needs necessary to manage risk to the executive branch enterprise.”
The order also directs federal agencies to show a preference for shared IT services, where allowable and feasible, including email, cloud, and cybersecurity services.
Security of federal agencies has been a concern following hacks which included the theft of more than 20 million records from the Office of Personnel Management (OPM) and attacks on individual taxpayer records at the Internal Revenue Service (IRS).
Cybersecurity of Critical Infrastructure.
When it comes to critical infrastructure (think power grids, water, and telephones), the order calls for a report on those infrastructures which are at “greatest risk of attacks that could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security.” The report, which is to be submitted within six months, must also identify how risks to those systems could be mitigated.
The order also requires that strategies be developed to reduce cyberthreats perpetrated by botnets. Botnets can basically “hijack” computers for the purpose of carrying out automated tasks such as stealing valuable information and launching distributed denial of service (DDoS) attacks.
An issue that has been raised multiple times – the specter of a prolonged power outage associated with a significant cyber incident – is also addressed in the order, which calls for an assessment of not only the potential scope of such an outage but also the readiness of the country to manage such an event. The order requires similar assessments be made with respect to a cyber attack on the military, including the supply chain, as well as systems, networks, and capabilities, as well as recommendations for mitigating those risks.
Cybersecurity for the Nation.
Finally, the order calls for developing a strategy for “deterring adversaries and better protecting the American people from cyber threats.” The strategy is expected to include education and training for the “American cybersecurity workforce of the future.” The order also seeks to establish policies that will serve as deterrents for foreign nations targeting Americans, a move some suggested might be a direct response to the allegations of Russian hacking. At a press briefing held earlier today, White House Homeland Security Adviser Tom Bossert downplayed that suggestion, noting “the Russians are not our only adversary on the internet.”
Responses have been mixed. Some security experts welcomed the order as a good start while others suggested it was merely “a plan to make a plan.”
“This is a good step in the right direction,” said Jeff Engle, VP, Government Sector, United Data Technologies, in response to the order. “When it comes to assessing the cyber workforce I think the focus is a bit acute on the personnel who may have cyber in their title rather than the evolution in the general workforce. Even now we are all part of the cyber workforce and can either be a conduit for vulnerabilities or part of an active defense. Lack of education of both this generation and the next on cyber risk awareness has to be addressed or no technological solution will keep us safe.”
The Information Technology and Innovation Foundation (ITIF), the top-ranked U.S. science- and tech-policy think tank, issued a statement which began, “We are disappointed to see that this executive order is mostly a plan for the government to make a plan, not the private sector-led, actionable agenda that the country actually needs to address its most pressing cyber threats.” The statement went on to say, “We’ll have to wait to see how well this administration can implement its stated goals for cybersecurity. Notably, this order leans heavily on the government for ideas and implementation rather than a public-private partnership approach. This is somewhat surprising given this administration’s belief that the private sector can generally do things better than government. Moreover, the private sector has the deepest bench of cybersecurity talent, so the federal government will likely need to look outside its ranks to stay on top of these issues.” ITIF concluded, however, that it is “a good sign though that the White House included much-needed government IT modernization and consolidation as part of the executive order.”
(Author’s note: The article has been updated to include a statement from Jeff Engle, VP, Government Sector, United Data Technologies.)
As Fafsa Tool Outage Continues, Lawmakers Investigate Why It Happened
By Adam Harris
The Internal Revenue Service’s data-retrieval tool will be back online for borrowers in income-driven repayment plans by the end of the month, James W. Runcie, chief operating officer of the Education Department’s Federal Student Aid office, told a U.S. House committee on Wednesday. But he offered no respite to those who would like to use the tool to fill out the Free Application for Federal Student Aid, the Fafsa, as it will continue to be offline, for them, until October.
The tool mysteriously and abruptly went offline on March 3. It was later revealed that the tool’s absence stemmed from a breach that may have affected the data of up to 100,000 people. The IRS estimates that 8,000 potentially fraudulent claims led it to issue tax refunds amounting to more than $30 million. Wednesday’s hearing, of the Committee on Oversight and Government Reform, sought to uncover how the breach of the tool had occurred, but ultimately, it raised more questions than it answered.
Lawmakers in both the House and the Senate have pushed the IRS and the Education Department to hasten the process of getting the tool back online for both Fafsa applicants and people in income-driven repayment plans.
On Monday, Sen. Lamar Alexander, Republican of Tennessee, and Sen. Patty Murray, Democrat of Washington, requested weekly staff briefings on the status of the tool in a letter to Betsy DeVos, the education secretary. The two senators, who serve as the chair and ranking member, respectively, of the chamber’s education committee, also asked that the department create an action plan to reinstate the tool before the previously stated deadline of October.
“It’s definitely a good sign that they are working to put the … tool back online as quickly as possible,” said Clare McCann, a senior policy analyst at New America, in an interview with The Chronicle. But it’s bad news for the millions of Fafsa filers who won’t be able to use the tool — which makes the process much easier because it imports existing tax data — to file the student-aid form, she said.
The Path Not Taken
Some legislators on the committee argued a different point, echoing the written statement of Justin S. Draeger, president of the National Association of Student Financial Aid Administrators. “Perhaps most troubling” about the current status of the tool, he argued, “is the fact that this situation could have been avoided with better decision making in September 2016, when the potential for abuse of the DRT was first identified.”
Why, they asked, was something not done sooner?
Gina Garza, chief information officer at the IRS, told the committee that her agency “took immediate action” and that no data was lost in September, when an attempt was made to view the tax data of an individual using the tool. The IRS began working with the Department of Education in October to strengthen authentication measures in the system.
The Federal Student Aid office “sought to determine the best approach to minimize the vulnerability” — that the IRS had identified — “without causing major disruption to students, parents, and borrowers,” Mr. Runcie wrote in his prepared testimony.
The agencies agreed to keep the tool in use while the IRS increased monitoring to detect suspicious activity. In February an IRS employee told the agency that the data had been compromised. The tool was eventually taken offline in March, when there was clear evidence that the tool had been used for criminal activity.
“The problem is that people don’t understand where to start in terms of securing their platforms, and what to protect,” said Mike Sanchez, a cybersecurity expert who was part of the initial team that investigated the Office of Personnel Management’s breach, in 2015. “They want to protect against everything,” which is impossible for technical and logistical reasons. Instead, agencies should zero in on specific problems as opposed to letting them build into major incidents, said Mr. Sanchez, now chief information-security officer at United Data Technologies.
“We did not take lightly the decision to disrupt the DRT,” said Ms. Garza, adding that she believes the IRS made a sound decision, and that protecting taxpayer data is the agency’s highest priority.
“While the IRS was able to identify 100,000 individuals impacted by the data theft, it may not be possible to measure the impact of the DRT outage on students who may have missed a financial-aid deadline or never even completed a financial-aid application because of this issue,” wrote Mr. Draeger.
At the conclusion of the hearing, some legislators said they were upset that Congress had not been alerted to the breach sooner, and with the winding responses of the people who testified. “It has been extraordinarily difficult to get any kind of specific answer out of any of you,” said Virginia Foxx of North Carolina, chair of the House education committee.
In a memo issued on Wednesday, the Education Department said it would provide further details about a solution and its impact on students and borrowers in the “coming weeks.”
Cybersecurity: Defending Against Technology’s Dark Side
By Jeff Swords
Beyond maintaining the physical safety of their guests, today it is imperative for hospitality industry companies to protect their customers’ personal and financial information. Security breaches also affect a company’s reputation and even its ability to function. The following are practical guidelines to help hospitality industry companies identify and mitigate the ever-growing risks associated with cyberattacks.
Security is a philosophy, not a product. At the root of an effective security strategy is your organization’s culture. That includes more than concealing specific types of data from the outside world and from competitors; it means understanding potential threats to that information. My company holds envisioning sessions at no charge to help companies formulate comprehensive security strategies.
When determining where you want to take your services and your business in the next two to five years, we outline the security areas that are prominent today, and those that will be tomorrow. It is critical to examine the threats that exist in the market and in the Dark Net world. We look at the security frameworks a business has in place now, and at what it will need in the future.
The first step is to identify security parameters for critical data that gives you a competitive advantage — client lists, credit card information, personal and family information, length of stay and more. High guest ratings are the goal of every hotel, and we show how security affects guest experience. This goes directly to a company’s governance, its philosophy about who is involved in security systems; oftentimes CEOs get involved in this fundamental part of the vision.
A typical security assessment covers governance, wireless security policies, insurance response, change control, and approval processes, among other concerns. We may find that a client has nine of the ten most critical elements in place, but our specialized knowledge base may reveal the one area that leaves them exposed. Knowing and eliminating this weakness can avert a business disaster.
Identifying security gaps is particularly critical in today’s climate of mergers and acquisitions. A professional security analysis can help guide hotel executives in deciding when it is not practical to merge business models as they are currently configured, when creating a secure new model is the way to go, and the paths to take moving forward.
As experts in emerging technologies in all areas of cybersecurity, we have credit industry specialists. They understand the importance, as well as the vulnerabilities, of the PCI (private credit card information) and PII (private individual information) that hospitality companies handle daily. Our Capabilities CISO (chief information security officer) came to United Data Technologies following years on staff at VISA. There he was involved in drafting the federal government’s initial PCI regulatory documents, which are now in their fourth iteration to keep pace with the field’s fluidity.
The question for top brands is when, not if, their data will be hacked. Compliance with government regulations that protect data is a starting place, but fines and laws will never deter those who want to steal data or hijack facilities systems for monetary gain. That is why external firms, including UDT, are engaged in helping the biggest players in the hospitality industry address and deal with threats in both the business and guest experience environments.
A positive guest experience is every hospitality company’s goal. Hotels now offer a wide range of wireless operations, including access to maps that help guests navigate the property to take advantage of a wide range of amenities. These same online maps can direct hackers to the location of critical mechanical rooms and infrastructure control systems, because guest credit card information isn’t the only target of the Dark Side.
Security is all about knowing what’s out there. Our deep knowledge of the ever-proliferating hacker underworlds and what they are trying to do can be an incalculable benefit to our clients. Hospitality employees, even those in security operations, must focus on supporting the company’s day-to-day business initiatives; few have the time to scour the Dark Side for the next peril. Our certified ethical hackers are constantly looking for threats and exposures, bringing these to our clients’ attention, and deploying our incident response teams whenever and wherever they are needed.
Building customer trust enhances brand value. That is one of many reasons we are dedicated to helping businesses identify and fill cybersecurity gaps every day. When hospitality companies of any size decide to merge, a seamless transition is essential. That means making decisions from the top down that are closely attuned to every aspect of the customer experience. In a world where cybersecurity breaches have the power to wreck both budgets and reputations, the wise leave nothing to chance.
Reps prepare to reintroduce IT modernization bill
By Joe Uchill
Decades-old government IT systems could be in for an overhaul.
Both original co-sponsors of the Modernizing Government Technology (MGT) Act say they will soon reintroduce the bill aimed at ridding the government of outdated IT systems.
The bill sailed through the House last year in the lame duck session but hit a snag on its way to Senate. The Congressional Budget Office (CBO) priced the bill’s cost at $9 billion over five years, slamming the door on its chances.
Though modernizing IT infrastructure would save money, the CBO does not speculate about those savings, resulting in a cost estimate that did not take into account the bill’s cost benefits.
“What we’ve been doing is understanding CBO and how CBO scored it and figuring out how we can tweak the bill so it doesn’t get an outrageous CBO score,” said Rep. Will Hurd (R-Texas), who co-introduced the bill with Rep. Gerry Connolly (D-Va.).
“We think we have a potential fix, and we’re going to sample that around with all the relevant staff and members and hopefully get this reintroduced fairly soon.”
The executive branch is full of horror stories about outdated, decades-old systems. The Treasury and Defense departments each have systems that are more than 50 years old.
Both parties have backed IT modernization. When the Trump administration briefed the press about its still-unsigned cybersecurity executive order, bolstering IT infrastructure was one of its initiatives. And the modernization act contains what may be the last Obama administration priority still under consideration in Congress — a $1.5 billion fund to upgrade agencies’ equipment, paid for with money saved by using the new equipment.
Upgrading systems is popular because it generally allows agencies to fulfill their functions more effectively, safely and cheaply. New technology can provide better features and security, and can pay for itself by reducing maintenance costs.
The longer agencies wait for funding to upgrade, the more difficult it will be to make the upgrades.
“In five years, over 30 percent of the people who understand [our] system will be eligible to retire. If we want to upgrade, this is the last chance to do it while people who know the legacy system will be around to help,” Social Security CEO Robert Klopp told The Hill in 2016.
Social Security still uses 40-year-old systems.
Klopp noted that, while his funding has been cut since 2012, the demand on Social Security’s systems continues to grow. He did not believe upgrades would be feasible without specific federal funding.
The IT modernization act actually contains two mechanisms to pay for upgrades, each of which was originally introduced in a competing bill. A general funding pool, stumped for by Tony Scott, the federal Chief Information Officer under President Obama, was introduced by Rep. Steny Hoyer (D-Md.) last session. Meanwhile, Hurd backed a plan to let agencies keep the cost savings from IT upgrades and use that money to purchase more upgrades.
Richard Spires, a former chief information officer at both the Department of Homeland Security and the IRS who now heads the IT training company Learning Tree, believes that Hurd’s additions could be particularly useful because they produce a fund that would not be at risk during year-by-year budget deliberations.
“If we had ‘one-year’ money, we could not guarantee to a contractor that we would be able to fund the program. When we received special appropriations — ‘three-year money’ — it made a huge difference,” Spires said.
He points to e-filing taxes as something that could only be achieved by knowing the money would continue to be there every year.
“My only concern is that MGT is focused too much on savings. Sometimes you are looking to improve mission capabilities in ways that don’t save money,” he said.
The move to reintroduce the IT modernization act comes during a government hiring freeze. Though the freeze could expire before the act would take effect, a focus on cutting costs could still cut down on new hires.
“We’re already seeing increased demand,” said Jeff Engle, vice president for the government sector of the Florida-based United Data Technologies.
“IT modernization would only increase that. There are opportunities for contractors whenever there is increased demand to be innovative but an inability to hire new talent.”
President Trump’s administration appears to have latched on to security concerns over outdated IT.
In one leaked draft of the executive order — one that the administration neither publicly confirmed nor denied — the president calls for upgraded IT equipment to improve cybersecurity.
“Effective immediately, it is the policy of the United States to build a more modern, more secure, and more resilient Executive Branch IT architecture,” the draft read.
The order goes on to encourage consolidation of information technology and commissions a study on how to modernize systems.
Out-of-date software and hardware are often no longer supported by their manufacturers and don’t receive security updates. Modern security platforms frequently cannot be retrofitted to run on older systems.
Intel Security Chief Technology Officer Steve Grobman believes that improving security through modernization and other means should be the first item on the legislative cybersecurity agenda, which frequently focuses on law enforcement issues, including encryption, instead.
“Every ounce of energy we put into the encryption debate, we’re removing opportunity costs to focus on other issues. The front and center thing we need to be talking about is making sure our government systems and critical infrastructure systems are able to lower their overall risk profile,” he said.
People On The Move – Jeff Swords, Regional Sales Director at United Data Technologies
EDUCATION: Samford University (Birmingham, AL)
Swords will manage client services and the company’s ongoing hiring of top sales and engineering talent for its growing team in the region. He also will oversee the company’s continued expansion into new service lines and industries.