The post-PC era, social enterprise & data protection

During the launch of the new iPad, Tim Cook called this the post-PC era. Data proves that the post-PC era is definitely here. Tablets and smartphones are expected to overtake desktop and laptop sales this year. Not just that. IDC estimates that 1.8 billion networked computers will access the Internet this year, while 3.5 billion networked products will do the same. The landscape of end user computing devices has changed dramatically.

Marc Benioff spoke about bridging the social divide at the Cloudforce event. The social divide is the gap between individuals using social media and enterprises adopting them. For instance, social network users have outstripped the number of e-mail users, and about 25% of online time is being spent on social networks like Facebook. So, to remain competitive, build brand awareness and close the growing social divide, companies must alter the way they collaborate, communicate and share information with customers, employees and the public. This, in a nutshell, is Marc’s concept of a social enterprise. Several good case studies were also discussed, ranging from Burberry to Toyota and HP. As an aside, I thought it was interesting that the HP case study was called “HP One, moving from the garage to the cloud”!

A social enterprise uses social media and networks for all aspects of its business, employee communication, performance management, sales, marketing, customer support etc. Burberry was a good example leveraging SAP at the backend and Salesforce at the frontend.

This combination of the post-PC era and social enterprise affects risk management and security postures in a big way. We left behind the concept of the perimeter a while ago. Now, it looks like we need to reconsider the “trust model” concept as well. The state of being “trusted or untrusted” was the premise on which we built many of our control postures in the recent past. With the current trend towards social enterprises, such an approach will not be relevant. Information assets lost their physical representation a few years back. Now, it looks like their logical view is also under threat. That’s because, in this post-PC era with its world of social enterprises, we can’t predict how our information assets would be used and modified.

So, life is certainly not getting any easier for us risk managers. As we continue to work on various security control postures, we need to keep our focus on two key areas:

  • "Secure by design": Security should be inbuilt into information assets, data, software and applications.
  • "Security resilient": In case of information asset compromise, how quickly can we spring back to business as usual?

Consumerization is Real

A lot has happened since my last post. Apple launched iOS 5 & iCloud, Skype was bought by Microsoft, Facebook is moving into a new campus once owned by Sun, in June we saw some major cyber attacks, Microsoft acquired Nokia’s mobile business, LinkedIn went public, Apple bought HP’s campus in Cupertino and I moved to the Bay area. Agreed, the last one is not as major as the others, but it has an impact on my learnings as I share them over the next few posts.

I often think about how real the Consumerization theory is. Is it a passing phenomenon which would lose its momentum as we move on? Would business adopt it? Would it remain a B2C technology, or would it impact B2B transactions? This post is my attempt to think through this.

Over the last two months I have seen extreme examples of consumerization in use. Part of my departure process from India involved me going to a family event in my village. Technology & consumerization is the last thing I could relate to the village, where continued electricity supply was a challenge. During the event I saw my cousin use his smart phone to update his Facebook status on 3G! Now this guy is a successful businessman, who I didn’t think knew how to use a computer and who I know had a hard time getting through his graduate studies.

The other extreme was my experience in moving to the Bay area, setting up my home and office in Cupertino, California. Yes Cupertino, the home of Apple. Not many believe me that this was not the reason for me to choose Cupertino. Living in the US has its own set of learnings, one among them is, as my friend says, “Your home may not have water, but it needs to have internet”. At home I have a basic internet service (22 Mbps download speed, yes that’s basic). There is not a single aspect of our life which is not powered by an Internet service or, for that matter, a smartphone application which is on the cloud. Some examples:

  • TV (Netflix)
  • Phone (Vonage)
  • Maps / GPS (Mapquest, Google Maps)
  • Banking (mobile app, e.g. I can simply take a photo of a cheque for it to be deposited)
  • Tennis (joining weekly practice sessions, court bookings and USTA league)
  • Library (online booking, RFID check-in and check-out)
  • Books (ebooks)
  • Travel (online booking and smart phone boarding passes)
  • Music (Pandora)
  • Home remote (yes that’s an app on my iPad to control multiple devices)
  • News (We don’t get any “newspaper”)
  • Skype (video calls)
  • Google Places to find stores and restaurants
  • Movie ticket bookings
  • Online shopping (Craigslist, Walmart etc.)
  • School updates
  • Insurance
  • Medical services
  • Etc.

We add to the list almost every day AND each one of the above has an Apple App! So having an Apple App is like a basic must-have channel for a business to reach its customers. I must add that the above are basic services; our family is not the most technically advanced, yet.

So each of these “consumers” who become “users” inside the enterprise are being exposed to such services and channels, and they seem to expect the same type of services from the enterprise. Enterprises are now creating “internal applications” using the consumerization channel and are distributing them to users and customers.

This seems to be an irreversible phenomenon; adoption across users and businesses is just growing, and in areas which are beyond imagination. I recently read about a company in the Bay area which has created technology to open the car using an iPhone app. You don’t need to carry anything now: cash, cards, keys, contacts, books, newspapers, addresses, GPS, music player, remote control etc. All you need is an iPhone and the internet.

Consumerization is real, it’s here to stay and we are going to find ways to use it, beyond what we can imagine now. It’s also not possible to de-couple the CSM (Cloud, Social and Mobile) elements of Consumerization. One is going to drive the others and the cycle will continue. So will the need to build security strategies as these services are rolled out, which would help me pay the bills for the services I am using!

Right to Internet Use

The United Nations has been advocating making “Right to Internet access” a human right, which some countries like Estonia, France, Finland, Greece and Spain have already implemented. This got me thinking about how we would look at “Right to Internet use”, e.g. social networking.

We all know the power of social networking, its adoption and growth; Facebook statistics say that they have more than 500 million users who spend over 700 billion minutes per month on Facebook. However, not many of us could have imagined its impact on reshaping the political landscape of countries. The most talked-about example is that of a 26-year-old woman who, worried about the state of her country, wrote on Facebook, “People, I am going to Tahrir Square”. The message was soon to snowball into a movement to oust Egyptian President Hosni Mubarak. China’s reaction to what is called the “Jasmine revolution” was swift, with filtering and monitoring of popular social media websites and services.

Much is being said about the CSM (Cloud, Social Media, Mobile) phenomenon which is reshaping the world of the Internet. It’s already established that social networking has overtaken search as the primary reason for users to access the internet; Facebook has more than 200 million active users who use mobile for access, and these users are twice as active as non-mobile users.

I wrote about Consumerization of the Enterprise in the earlier post; that, combined with the CSM phenomenon and recent political events, makes me feel that this is not just about adoption of new technologies but more about changes and impact on the history of mankind. It’s not just about using new technologies and models to provide better services at lower cost to a larger user base, but about a medium to communicate, participate and influence changes in the world.

One can think of several positive and negative uses of this phenomenon, if used well this can be used to bring about change and revolutions. This can also be used to spread panic and lead to concepts like “Social networking terrorism”.

The CSM phenomenon is too strong and important for any one of us to ignore; would censoring of this medium be possible? More likely than not, like the internet, CSM too could be considered a human right, leading to positions on the “right to internet use”.

At an Enterprise level, blocking and not adopting CSM is not a risk management control which is sustainable. Users and business would not accept this posture. We would need to find answers for the two main reasons why some Enterprises are staying away from adoption of CSM, which are “Confusion and Fear”.

Consumerization of the Enterprise

I recently read an interesting article, “John Sculley on Steve Jobs”, which as the name suggests was an interview transcript of John Sculley, the former CEO of Apple. John Sculley talks about “The Steve Jobs Methodology” on how to build great products; he says Jobs always looked at things from the perspective of what the user experience is going to be. He didn’t believe in asking consumers what they want, but rather built beautiful products which people ended up wanting. Similar to what Henry Ford had said about consumer views on the car, “If I had asked people what they wanted, they would have said faster horses”.

Over the last several years Steve Jobs and Apple have completely transformed every industry segment they entered, be it the iPod, the iPhone or the iPad. The experience of the Apple products, the hardware, the software, the color (white!), the packaging, everything is about user experience. The hype before an Apple product launch and the queues outside Apple stores are simply amazing examples of how consumer behavior is being driven.

How is this changing the “Enterprise” behavior? While it is people who work in enterprises, the way an enterprise looked at end user technology and the way individuals, in their capacity as consumers, looked at it were different. I guess that’s why end user technologies like laptops or operating systems had enterprise range products and consumer range products. Enterprises used to determine what specific laptop or mobile product models could be used for corporate IT services.

Apple I think is changing this, consumerization of the Enterprise is happening. I was involved in an Information risk management framework transformation project for a service provider in Japan. While the Management, IT, Business and Security teams had their own requirements and expectations from the project, the end users hoped the project would enable use of the iPhone for business communication and email (Only one specific mobile device was allowed to be used for company email). Incidentally the transformation of the risk framework did allow iPhone type devices to be used by modifying the process and control framework.

Several organizations are now allowing or thinking of ways they can let the users choose the end user technologies to access IT services in a secure form. The advent of the iPad or the tablet phenomenon would only make it impossible for companies to stay away from this change. It’s not just Apple, but other companies and technologies are also driving this change. We now see interesting ads from “Enterprise” technology firms like RIM getting more consumer friendly (“Blackberry Boys”) or the younger generation doing special behavioral changes to get “their first android”.

Apple released the iPad on 3rd April 2010; it sold 1 million units by 3rd May 2010. Analysts predict close to 8 million iPads will sell in 2010. Rumors are that the iPad 2.0 would be released early next year, with a prediction of selling 6 million units a month! Now consider this in the context that the iPad is available for sale in only select countries and other tablets are also making their mark. Mobile applications are expected to touch revenues of $35 billion by 2014, and Gartner has predicted a 10% drop in their PC sales predictions for 2011, mostly on account of the increased interest in tablets.

Hence I am of the opinion that consumerization of the enterprise is a foregone conclusion and organizations need to modify their risk management postures to allow for a range of “consumer” devices and applications (e.g. social networking) to be used within the enterprise.

“Adapt or perish, now as ever, is nature’s inexorable imperative.” - H. G. Wells.

The Curse of Compliance

In August I had the opportunity to participate in a NASSCOM delegation to China; it was a good learning experience about the changes in China in recent times. The timing was interesting as the same week China had overtaken Japan as the second largest economy in the world. Another highlight of the visit was the Shanghai Expo (http://en.expo2010.cn); it was a live demonstration of the developments made by China and their will to be the best in what they do. The Indian pavilion was nice to visit, however I wish we could have displayed the advances made by our country and not just the culture and heritage. Some pavilions like the ones from China and Saudi Arabia used new age audio visual technology to showcase their history, which was very good.

The dynamics of the political and business relationship between India and China was another interesting learning; the trade between the two countries is expected to reach US $60 billion in 2010, although the balance of trade doesn’t favor India.

Getting back to the subject “The Curse of Compliance”, it’s a well accepted fact that compliance and regulations are the biggest drivers for risk management and security investments. I should not be complaining about it, being a co-founder of a risk and security services company. However, somehow I always feel uncomfortable about it. I guess I come from the school of thought that risk management should be done to mitigate risks our business faces, as opposed to doing it because some compliance or regulation asks us to. Needless to say, few organizations have been able to create a good balance between the risk management view and the compliance view.

Now the link between the curse of compliance and China! China is very keen to develop its ability to provide global BPO and KPO services; they see India as a world leader in this space and want to come close to India as early as possible. There are Government agencies that have been specifically set up to achieve this, and they are driving the Chinese companies towards this goal. For example, the Government is developing 20 provinces and providing all kinds of facilities like infrastructure, power, education, tax breaks etc. I think of this as an “Inside-out” view. I call it that because the “inside”, the Government (the people), wants to do it.

A good example of this is when I tried for a direct flight between Bangalore and Beijing; I was told that Air China has a stopover at Chengdu, a place I hadn’t heard of. I learned later that last year Wipro started a development center in Chengdu!

When the ITES/BPO industry developed in India, the industry or companies had to convince the Government to make policies that help the industry and provide support, which it did. This was the opposite of what’s happening in China, and I call it the “Outside-in” view. “Outside” since the market had asked us to do it.

Which approach would win? India has a big lead over China in the ITES/BPO space, hence a direct comparison may not be possible; maybe we will never know the answer. However, the “Inside-out” approach of China seems to be helping them in other areas. An example is that China has the largest network of high speed rail in the world. They have an ambitious program to have 16,000 km of high speed rail lines by 2010. I read articles which argued the utility of the high speed rail systems, as the common rural population in China can’t afford it. However, this has positioned China as the world’s leader in high speed rail technology, and it is getting contracts from countries such as Saudi Arabia.

Back to security, I think of the compliance way as the “outside-in” view and the risk management way as the “inside-out” view. In theory the “inside-out” view seems to be more sustainable and “right”; however, I am not sure if the “curse of compliance” will allow us to think and act that way.

It looks like a victory of the “real” over the “right”.

No writing about China can be complete without the mention of “IP” protection. I am no expert in this area; however I did find a shop selling an “ipad” running cracked android OS at less than US $80!

Psychometric Analysis: Developers and Security testers

I recently had the opportunity to speak at a conference organized by the STeP-IN forum (http://www.stepinforum.org/) on Application Security Testing. I spoke about two attributes used in psychometrics “attitudes” and “personality traits” with regards to software developers and security testers. The presentation is available at http://www.aujas.com/presentations.html

During the conference various speakers spoke about the need to look at security earlier in the SDLC; we talked about security standards etc. which would lead to a reduction in the cost of security testing. It’s well accepted that the cost of fixing software bugs (including security bugs) rises exponentially as the development lifecycle progresses. One of the attendees asked an interesting question; he said “this is a conference for testers, and what you are saying will reduce the work for us and might impact our jobs”.

This question reminded me of the book “Hidden in Plain Sight” by Erich Joachimsthaler, which gave examples of companies which failed to look at or accept the future and the change it brought. One such example was SONY, which pioneered the concept of music on the move, or portable music, with the Sony Walkman. For years it was the undisputed leader in the market segment. SONY was also big in the music industry, with interests across the industry segment. The advent of the Apple iPod and digital music simply destroyed SONY’s market leadership in this space. While SONY also created products in the digital music space, it was not prepared for the paradigm shift that digital music, iTunes and the iPod brought to consumer behavior. Incidentally, Apple was not from the music industry!

As the story goes, in 2005, senior Sony executives were shocked to see Sir Howard Stringer, then chief of Sony’s US operations, listening to an Apple iPod while riding an elevator in the company’s US headquarters.  The New York Times summarized Sir Howard’s cheekiness as a “visible if unstated rebuke to the technologies [at Sony] for falling behind the curve in downloadable music by concentrating on various proprietary formats for storing and playing music.”

Likewise it’s not going to help any of us turn a blind eye to the changes happening around us and not adapt to it. Security testers cannot hold on to their jobs of “testing” by hoping that developers will continue to write buggy software. They need to evolve and look at their role not as “testers” but “enablers” to release secure software.

Some day, somehow, the industry will find ways to develop secure software, hence testers should try to influence and add value to that change, since it’s the most obvious thing to do. Like the very apt title of Erich Joachimsthaler’s book, “Hidden in Plain Sight”.

Social Networking & Security

The impact and adoption of Social Networking as a medium of communication, information sharing, interaction etc. is a given in today’s world. Facebook now talks about having 400 million users, 50% of which access the service every day! LinkedIn, the so-called “professional social networking service”, has 60 million users. Since inception in 2003, LinkedIn took 1.4 years to reach the first million, and the last million was reached in only 12 days. India has over 3 million users on LinkedIn, and yes, India is the fastest growing user base across the world.

There have been several discussions around the security of the social networking sites, user risks, whether the services should be allowed by organizations etc. To me the benefits and adoption of these services are so high that they would eventually be classified as a must-have service on the internet, very much like email. Hence it would not be possible for organizations to block or curtail users from using social networking services.

Most if not all social networking service providers are taking active measures to protect their services and users; an example is the Safety Center of Facebook, which provides secure usage tips for several types of user profiles. Most of us follow the basic secure usage guidelines like:

  • Don’t disclose private information
  • Changing passwords
  • Not accepting invites from unknown people
  • Antivirus protection
  • Checking privacy policies of the service providers
  • Checking default configuration and settings etc.

However, I think we need to focus a lot more on what I term the “legitimate mistakes” which we commit. I call these legitimate as there seems to be nothing apparently wrong with what we have done, but it still leads to a security risk. I will provide a few examples to illustrate the point.

During a specific project one of our security specialists was testing a customer’s core application website. The website was configured well, with proper security on the deployment environment. Hence the specialist was not able to find the usual vulnerabilities which he could exploit. His interim report said that the site is secure and he doesn’t think that there are any vulnerabilities. However, the next day he reported that he was able to crack the admin password, and hence the complete web service was exposed. The method he used as the first step to the credentials was very simple but effective. He used another low profile website of the customer and tried to log in with the administrator’s name. He used the “forgot password” option, the security question for which was “Where did you go for your honeymoon”. He then searched for the administrator’s account on Facebook, got to know his wife’s name, who in turn had posted their honeymoon pictures on Flickr. It was easy for him to guess that they had gone to Kumarakom for their honeymoon.

From the administrator’s point of view, he doesn’t seem to have done anything wrong from a secure usage standpoint, and neither does his wife. Maybe her Flickr album should not have been public. This is an example of a “legitimate mistake”.
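The control that failed in the story above is the knowledge-based reset: the “secret” was a fact about the administrator’s life, which is exactly the kind of thing that leaks through a spouse’s photo album. The following is an added example, not code from the original post or from Aujas, showing that weak design next to a reset built on a random, single-use, time-limited token delivered out of band. The user store, e-mail address, clock and the 15-minute validity window are constructed assumptions for the demo.

```python
"""Password reset without a guessable security question.

Added example, not code from the original post or from Aujas. It puts the
knowledge-based reset the post describes ("Where did you go for your
honeymoon?") next to a reset built on a random, single-use, time-limited
token sent out of band. The user store, e-mail addresses and clock are
constructed for the demo.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

RESET_TTL_SECONDS = 15 * 60      # assumption: a reset link is valid for 15 minutes
PBKDF2_ROUNDS = 200_000          # assumption: slow hash for the new password
NEUTRAL_REPLY = "If that account exists, a reset link has been sent."


def knowledge_based_reset_ok(stored_answer: str, supplied_answer: str) -> bool:
    """The weak design: access hinges on a fact about the user's life.

    Such facts are often visible on social profiles, carry far less entropy
    than a password, and cannot be rotated once exposed.
    """
    return stored_answer.strip().casefold() == supplied_answer.strip().casefold()


def _hash_token(token: str) -> str:
    # Persist only a hash so a leaked reset table yields no usable tokens.
    return hashlib.sha256(token.encode()).hexdigest()


@dataclass
class ResetRecord:
    token_hash: str
    expires_at: float
    used: bool = False


@dataclass
class ResetService:
    users: dict                                    # login name -> e-mail (constructed)
    clock: object = time.time                      # injectable for tests
    records: dict = field(default_factory=dict)    # login name -> ResetRecord
    outbox: list = field(default_factory=list)     # (e-mail, token) a mailer would send
    passwords: dict = field(default_factory=dict)  # login name -> (salt, pbkdf2 digest)

    def request_reset(self, login_name: str) -> str:
        email = self.users.get(login_name)
        if email is not None:
            token = secrets.token_urlsafe(32)      # 256 bits from the OS CSPRNG
            self.records[login_name] = ResetRecord(
                _hash_token(token), self.clock() + RESET_TTL_SECONDS)
            self.outbox.append((email, token))
        # Same reply whether or not the account exists: no username oracle.
        return NEUTRAL_REPLY

    def redeem(self, login_name: str, token: str, new_password: str) -> bool:
        rec = self.records.get(login_name)
        if rec is None or rec.used or self.clock() > rec.expires_at:
            return False
        if not hmac.compare_digest(rec.token_hash, _hash_token(token)):
            return False
        rec.used = True                            # a token works exactly once
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, PBKDF2_ROUNDS)
        self.passwords[login_name] = (salt, digest)
        return True

    def check_password(self, login_name: str, password: str) -> bool:
        entry = self.passwords.get(login_name)
        if entry is None:
            return False
        salt, digest = entry
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        return hmac.compare_digest(candidate, digest)
```

The point of the token design is that the only thing standing between an attacker and the account is something nobody can learn from a social profile: 256 random bits that live for a quarter of an hour, can be used once, and are stored only as a hash. The neutral reply keeps the reset endpoint from confirming which user names exist, which is the other piece of the story that a public-facing “forgot password” page tends to give away. A real deployment would also rate-limit the endpoint and notify the account owner when a reset is requested.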

Let’s take my own example: the only social networking service I use is LinkedIn. I use it not only for connecting with my professional contacts but also for “serious” services such as hiring, initiating contacts with business prospects or partners, using the TripIt add-on to plan my travel and to know who is in the vicinity etc. I have derived several benefits from LinkedIn, e.g. lower hiring costs, initiating professional contacts leading to business or partnerships, better utilization of time during travel etc. But time and again I tend to use LinkedIn to exploit “legitimate mistakes”.

E.g. when I see someone joining a job group, I can guess that he/she might be looking for a change. When I see one of my contacts connect with someone from competition, I know it’s time to act. I can review the profile of potential contacts to know their background, or I can go to the part where it tells me who has seen my profile and come to know who has been checking on me. I am sure others are exploiting my “legitimate mistakes” as well.

In summary the message is clear: none of us can stay away from social networking services, so it’s important to use a service which seems secure and credible. It’s also important to follow the basic secure usage guidelines. However, we still need to look at the “legitimate mistakes” we might make and be more careful and aware. All good services need users to consider “responsible usage” seriously; it’s always easier to watch out for the big mistakes, while the smaller ones slip through and sometimes cause major damage.

Economics of Security

We have always talked about the need for a proactive approach to security and its effectiveness and benefits in managing risks. E.g. it’s always more effective and economical to build secure software rather than testing and fixing it after development or in production. In fact we even learned in school with lessons which said “Prevention is better than cure”.

In risk management we come across controls which are:

Preventive: Controls which ensure that exposures don’t or can’t occur

Detective: Controls which help us capture exposures if they happen or are happening

Corrective: Controls which enable us to correct exposures


Nowadays there is a lot of focus on Detective controls, which includes deployment of technology solutions which detect and capture unwanted network activity, access attempts, patterns etc. Needless to say, these investments and this focus are fine, but we need to move our risk management posture more towards the preventive side. That is, we must do more to ensure we don’t have weak areas which can be exploited.


I recently read the book “Superfreakonomics” by Steven Levitt and Stephen Dubner. I am usually apprehensive of sequels as they never match up to the original, but gladly this book was a good read. I came across two examples in the book which illustrate the point about preventive controls.


After the 7/7 terrorist attacks in London there was a team formed to use statistical information to identify terrorists. Data points used to identify suspects were banking usage patterns such as:

  • They make large deposits in cash and withdraw small amounts
  • PO boxes are used as addresses and they often change
  • There are regular wire transfers to other countries, but always below the threshold that triggers bank reporting requirements
  • They never use savings accounts or fixed deposits even though the account had idle money
  • Transactions don’t show normal living expenses and regular outflows such as insurance payments etc.

As one can imagine, it would be difficult to come up with an algorithm to make the system accurate. Let’s say a system is developed with 99% accuracy and that there are 500 terrorists in the UK; 495 of them would be identified, which would be great. The problem is that with 50 million adults living in the UK the system would also wrongly identify 1% of them, which is 500,000 people. This would be a huge problem to manage, and it is similar to the “false positive” issue in the information risk management world. Hence even the best detective control system or technology would always have a false positive issue, which would significantly reduce the benefits from the system.

Another example is the detective control deployed at airports which requires us to remove our shoes at the security check / scan. This started after one Richard Reid tried to ignite a shoe bomb; fortunately he failed, but statistically he succeeds in killing the equivalent of 14 lives a year in the US!

Let’s say it takes on average one minute to remove and replace the shoes in the airport security line. In the US this happens about 560 million times a year, which is equal to 1,065 years. Average US life expectancy is 77.8 years, which yields a total of 14 person-lives a year.
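The two calculations above are worth carrying through explicitly, because the same arithmetic governs every alert-generating control a risk manager deploys. The block below is an added example, not from the original post: it builds the confusion matrix behind the “99% accurate, 500 terrorists, 50 million adults” argument, shows what precision (the share of alerts that are real) comes out to, works out how good the control would have to be for half its alerts to be genuine, and converts the shoe-removal minutes into person-lives. The inputs are the figures quoted in the post; the helper names and the table of false-positive rates in the usage section are my additions.

```python
"""Detection economics worked through with the post's own figures.

Added example (not from the original post): it computes the confusion
matrix behind the "99% accurate, 500 terrorists, 50 million adults"
argument, the specificity a detective control would need for its alerts
to be mostly true, and the life-years consumed by the shoe-removal
check. All inputs are the figures quoted in the post.
"""
from dataclasses import dataclass

MINUTES_PER_YEAR = 60 * 24 * 365


@dataclass(frozen=True)
class ScreeningResult:
    true_positives: float
    false_negatives: float
    false_positives: float
    true_negatives: float

    @property
    def flagged(self) -> float:
        """Everyone the control raises an alert on."""
        return self.true_positives + self.false_positives

    @property
    def precision(self) -> float:
        """Share of alerts that are genuine (positive predictive value)."""
        return self.true_positives / self.flagged if self.flagged else 0.0


def screen(population: int, positives: int,
           sensitivity: float, specificity: float) -> ScreeningResult:
    """Apply a classifier with the given sensitivity (true positive rate)
    and specificity (1 - false positive rate) to a whole population."""
    if not 0 <= positives <= population:
        raise ValueError("positives must lie between 0 and population")
    for name, value in (("sensitivity", sensitivity), ("specificity", specificity)):
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"{name} must lie between 0 and 1")
    negatives = population - positives
    tp = positives * sensitivity
    fp = negatives * (1.0 - specificity)
    return ScreeningResult(tp, positives - tp, fp, negatives - fp)


def required_specificity(population: int, positives: int,
                         sensitivity: float, target_precision: float) -> float:
    """Specificity at which precision reaches target_precision.

    From tp / (tp + fp) = target, the tolerable false positives are
    fp = tp * (1 - target) / target; specificity is then 1 - fp / negatives.
    """
    if not 0.0 < target_precision <= 1.0:
        raise ValueError("target_precision must lie in (0, 1]")
    negatives = population - positives
    tp = positives * sensitivity
    fp_allowed = tp * (1.0 - target_precision) / target_precision
    return max(0.0, 1.0 - fp_allowed / negatives)


def person_lives_per_year(events_per_year: float, minutes_per_event: float,
                          life_expectancy_years: float) -> float:
    """Time a control consumes, expressed as whole lifetimes per year."""
    years_spent = events_per_year * minutes_per_event / MINUTES_PER_YEAR
    return years_spent / life_expectancy_years


if __name__ == "__main__":
    uk = screen(population=50_000_000, positives=500,
                sensitivity=0.99, specificity=0.99)
    print(f"caught {uk.true_positives:.0f} of 500, "
          f"flagged {uk.false_positives:,.0f} innocents, "
          f"precision {uk.precision:.4%}")
    # How good would the control have to be for half its alerts to be real?
    print(f"specificity for 50% precision: "
          f"{required_specificity(50_000_000, 500, 0.99, 0.5):.7f}")
    # Precision collapses as the false positive rate grows, whatever the sensitivity.
    for fpr in (0.0001, 0.001, 0.01):
        r = screen(50_000_000, 500, 0.99, 1.0 - fpr)
        print(f"FPR {fpr:.2%}: precision {r.precision:.4%}")
    print(f"shoe removal costs {person_lives_per_year(560_000_000, 1, 77.8):.1f} "
          f"person-lives a year")
```

Running it reproduces the post’s numbers (495 caught, roughly 500,000 innocents flagged, 14 person-lives a year) and adds the figure the post leaves implicit: fewer than one alert in a thousand is real, and the control would need a false positive rate near one in a hundred thousand before even half of its alerts were worth an analyst’s time. That is the base-rate effect every SOC sees when a rule with a “99% accuracy” claim is turned loose on millions of benign events, and it is the quantitative reason the post argues for shifting spend towards preventive controls.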

The above examples may sound dramatic (statistics and economics can be used to communicate any message depending on which side you are!). However the underlying theme makes sense, we have to focus on proactive approach to security to be more effective and economical in comparison to other approaches.

ALL is well !

I had the opportunity to watch “3 Idiots”, which in my view is one of the best Hindi movies of all time. Several things in the movie stood out: the basic theme from Chetan Bhagat’s book, the amazing adaptation and modifications by Raju Hirani, the concept of “be the best in what you do and success will follow”, the astonishing transformation of Aamir Khan into a 22 year old student etc.

One interesting element of the movie is the use of “All is well” and the story behind it. Rancho (Aamir Khan) uses the words “All is well” whenever he is in trouble (including the highly melodramatic child birth!)  and explains the logic behind it. When he was small they used to have an old watchman who used to roam around the streets shouting “All is well” and every one used to sleep peacefully. Only later did they realize that the watchman was actually night blind! The “All is well” shouts used to give great level of comfort to all and as he says it’s required to fool the heart once in a while.

In a lot of ways we risk managers are like the watchman. Our job is to provide assurance to our organizations that “All is well”. This “All is well” feeling is seen by the general users and employees of the organization through the “visible” controls and their implementation. We often come across controls which are not “real” but more “visible”, maybe more deterrents than controls, e.g. the checking of the underbellies of cars by guards at shopping malls or hotels. These guys seldom have any clue what they are looking for; they are doing it just because someone has instructed them to do so. Worst of course is when we are asked to open the boot: they shove a metal detector inside, wait till it makes some noise and then let you pass!

In an ideal situation we should have controls which are specific, manage the risks effectively, are visible, are easy to manage, are not too expensive and don’t cause too much inconvenience. Since most of us don’t operate in the ideal world, it’s important to balance the real and visible controls. It is important to visibly inform the users that security is taken seriously and any deviation would be captured. It’s not about getting it 100% right; it’s about having something in place instead of nothing. As they say, “it’s better to be approximately correct than completely wrong”. Needless to say, only having “visible” controls would be disastrous; it’s about having the right balance.

It’s our responsibility to provide assurance and the “All is well” feeling to our organization and users. Hopefully we would be doing it consciously and not as the night blind watchman of 3 Idiots.

The Four Diplomatic Principles

For those of us working in the information risk management space, times are challenging. For the last 12 to 14 months, the focus was on how we can get more out of our information assets while controlling the risk management costs. Now that the economy is showing signs of revival, we might get challenged with new forms of risk as organizations become aggressive and would try to regain lost ground and market share.

One key element which we always need to manage is our relationships; many times we hear ourselves say “My management doesn’t understand the value of risk management and security” or “My users just look at convenience and any controls we define are met with resistance” etc. Hence relationship management is important for us to be successful in our function (like most others, I guess).

At a high level following are our interfaces or “Configuration items (CI)” (a term borrowed from ITIL!).

§  Management: They look at the strategic view – e.g. how do I grow market share?

§  Business Operations: They look at the tactical view – e.g. how do I ensure this customer is happy?

§  Employees: They look at the convenience view – e.g. I need access to this resource, and now.

§  Security: They look at the control view – e.g. Do exactly as I say!

Each of the above CIs would need to align for an organization to run its business and manage risk effectively. As risk managers and CSOs, how do we ensure this happens and everyone contributes?

Srimad Bhagavatam speaks about Catustayam—the four diplomatic principles:

§  Saama: The process of pacifying

§  Daama: The process of giving money (rewards)

§  Danda: The principle of punishment

§  Bheda: The principle of dividing

We need to effectively apply the right principle to the right CI at the right time for the right situation to get the desired result. Hence a matrix needs to be built mapping the four CI’s and the four principles, examples of which I have attempted to explain in a presentation.

The presentation is available online at:

http://www.aujas.com/presentations.html