Cybersecurity in the Wake of Sony
JOURNAL REPORT THE WALL STREET JOURNAL. © 2015 Dow Jones & Company. All Rights Reserved. Tuesday, February 10, 2015 | R1

At the annual meeting of The Wall Street Journal’s CIO Network, chief information officers accepted that being hacked was a given. The question was how to react to it.

BY JOHN BUSSEY AND STEVEN ROSENBUSH

If there was one specter hanging over this year’s gathering of The Wall Street Journal’s CIO Network, it could be spelled: S-O-N-Y.

Conversation during breaks gravitated to the remarkable destruction of Sony Pictures Entertainment’s network and files that hackers caused in November. This hack wasn’t about stealing intellectual property and slinking away, or pranking a former employer. These hackers broke in and fired up the wrecking ball.

The global chief information officers who gathered at the third annual CIO Network in San Diego last week are a chastened crew. When asked who hasn’t been hacked, just one hand went up in the audience, and that CIO got a lot of skeptical looks. And when asked if business and the government were making progress against hacking or were losing the battle, the group overwhelmingly said the latter.

But the conversation quickly got pragmatic. “Don’t go overboard on security,” one CIO said. “I still have to address other matters.” Company networks need to grow and be flexible, interact with vendors and customers, and accommodate internal innovation. Cybersecurity has become just one more item on the corporate risk-management list—albeit high on the list, several CIOs said.

When they weren’t being told by speakers how technology will radically change their jobs, the CIOs swapped advice on radical changes already long under way, most notably the rapid shift of data to the cloud. Determining what data and computing to keep at home and what to outsource to the cloud is no easy calculation. “Finding on-ramps to the cloud is the No. 1 priority on my agenda,” a CIO said.
For many CIOs, that on-ramp looks more like a cloverleaf interchange—a complex hybrid of public and private clouds, knit into existing corporate data centers. That more versatile network is needed, in part, to digest the proliferation of data coming in from customers, vendors and internal production. Some 44% of the CIOs said their companies now tackle big data projects “all the time.”

Which, of course, brought the conversation back around to security….

Mr. Bussey is an associate editor of The Wall Street Journal. He can be reached at john.bussey@wsj.com. Mr. Rosenbush is the editor of The Wall Street Journal’s CIO Journal. He can be reached at steven.rosenbush@wsj.com.

The Software of Life

J. Craig Venter on finding the answers to our biggest questions

What Drives Us All

MR. BUSSEY: You’re in a perfect position to answer a core question for us, which is, what is life?

MR. VENTER: The short answer is life is a DNA software-driven system, at least on this planet, as far as we know. Every species is driven by their DNA software, totally and completely. The much more complicated answer deals with energy balance in a cellular system and transporting molecules in and out. But it all gets down to reading your DNA software from second to second in every one of your cells, making new proteins, making new versions of your cells. Without the software, you can’t make new hardware.

MR. BUSSEY: You’re trying to sequence one million genomes by 2020, so that you can have a database to look for correlations between disease and genetic makeup. Tell us how that is coming along and the implications.

MR. VENTER: The challenge is trying to learn how to read that software that we have. My genome was the first one sequenced 15 years ago. And there’s not that much more that we can interpret today than we could 15 years ago, because there have only been a few hundred to thousand genomes that have been sequenced. What we’re trying to do is not just sequence the genomes.
We’re trying to measure every physiological parameter we can. If we record all these variants in people, we can start to understand what parts of the genetic code code for these different pieces. We’re doing 3-D photographs of people’s faces. We measure about 30,000 parameters on your face, different distances, distance between your eyes. We’re trying to use the machine learning to get so we can predict your face, a photograph of you, from your genetic code. Because it is all genetic. We’re trying to do the same with voice. Perfect pitch is genetic. It’s 100% genetic. All these parameters have genetic elements that are coded for. We’re trying to find how to maximally read and interpret that genetic code.

MR. BUSSEY: The implications for medicine are that you’re going to be able to show predispositions for various diseases if you have a big enough database from which to draw those relationships. Is that right?

MR. VENTER: Absolutely. We can do that now, but to a very limited extent. Part of the problem with the discovery of the so-called breast-cancer genes was that physicians wrongly told women that had the genetic changes associated with the genes that they had a 99% chance of getting breast cancer. Turns out all women that have these genetic changes don’t get breast cancer. Part of what we’re trying to discover, so we can get people the true facts about their situation, is: If you have a risk for disease such as breast cancer, do you have other protective elements that give you a low likelihood that you’ll actually get breast cancer?

J. Craig Venter is in the life business. The co-founder and chief executive of Human Longevity Inc. has had his hand in any number of projects related to the nuts and bolts of existence—from sequencing the human genome to actually creating synthetic life. The Wall Street Journal’s John Bussey spoke with Mr.
Venter about his work and what implications our growing knowledge of DNA holds for medicine, human longevity, technology and ethics. Here are edited excerpts of their conversation.

The Ethical Questions

MR. BUSSEY: Are we going to take that science and that technology and begin to screen out from insurance coverage those who might have some disability as a result of their genetic history?

MR. VENTER: It depends on the country and it depends on the system. A CEO of one of the major pharmaceutical companies in Europe had a clinical trial. It was approved. But the single payer in that country sorted through the data and said, “We noticed there were no positive responses in people age 80 to 90. So we’re not going to pay to have any patients in the 80-to-90 range get that drug.” It’s a total misuse of the data. And there’s no competition to keep it right. We’re OK in this country, because we have a lot of competitive systems. If one says they’ll restrict it, you can go somewhere else.

MR. BUSSEY: Theoretically, how long can we live?

MR. VENTER: I don’t think there’s necessarily any a priori limits. Human lifespan used to be 30 years, 25 years. But there’s no basic, fundamental reason why it has to be short.

MR. BUSSEY: What do we look like when we’re 175?

MR. VENTER: Our goal is not to increase the lifespan. It’s to try to increase the healthy lifespan. Because we have a lot of other problems in society that, if we all start living to 140, those problems are only going to get worse. But if we can change medical cost and the quality of people’s lives for 100 years, that’s a huge impact.

Life in the Lab

MR. BUSSEY: In 2010, you announced that you had created synthetic life. Walk us through that.

MR. VENTER: This is the 20th anniversary of when we sequenced the first genome. Just from that first bacterial genome, we’re trying to understand: What’s the minimal basis of life? Is there a smaller equation of gene sets that all life derives from? We decided the only way to answer that was to take the ones and zeros out of the computer, use four bottles of chemicals, and remake the genetic DNA molecule, and then boot that up. It was a completely chemically made DNA molecule that we put into a cell. It took over that cell. And everything, after a short time, in that cell derived from that new software we put into the cell.

[Chart: A BURST OF INVESTMENT. Venture-capital investment in genomics shot up last year, with a focus on biopharmaceuticals companies. Main panel: venture-capital investment in U.S. venture-backed genomic companies*, 2005 to ’14, on a scale of 0 to $700 million.]

2014 investment by round: First round, $116 million; Second round, $182 million; Later stage, $393 million.

2014 investment by industry segment: Biopharmaceuticals, $398 million; Health-care services, $122 million; Medical devices and equipment and Medical software and information services, $99 million and $73 million (the pairing of these two amounts is not legible in this transcription).

10 biggest deals of 2014 (company | industry segment | amount raised, in millions):
Invitae Corp. | Health-care services | $120
Human Longevity Inc. | Biopharmaceuticals | $70
10X Genomics Inc. | Biopharmaceuticals | $55.5
Syros Pharmaceuticals Inc. | Biopharmaceuticals | $53.2
BioNano Genomics Inc. | Biopharmaceuticals | $53
Blueprint Medicines Corp. | Biopharmaceuticals | $50
CardioDx Inc. | Medical Devices and Equipment | $35
Personalis Inc. | Medical Software and Information Services | $33
Epic Sciences Inc. | Medical Devices and Equipment | $30
Twist Bioscience Corp. | Biopharmaceuticals | $26

*Venture capital includes all investments made by venture capitalists or venture-capital-type investors, i.e. those making equity investments in early-stage companies from a fund with multiple limited partners.

Source: Dow Jones VentureSource; The Wall Street Journal

INSIDE
Richard Bejtlich and Shuman Ghosemajumder on how the data breach at Sony Pictures is a paradigm shift for cybersecurity.
Howard Schmidt on what companies should ask of Washington when it comes to cybersecurity, and what they should be doing themselves.
Maarten Sierhuis says we need to understand human behavior on the road better before cars can reliably drive themselves.
George Colony on the challenges the ‘Age of the Customer’ poses for CIOs.
John Chambers discusses how the role of the CIO will change in the next few years.
Amy Braverman on the need for new methodologies in handling big data.
The CIO Task Forces’ recommendations and CIOs’ top priorities

CIO Network Videos>> For the full lineup of CIO Network video interviews with top technology executives about the challenges of today’s tech world, go to WSJ.com/LeadershipReport.

The Task Forces’ Priorities

The technology executives at last week’s CIO Network conference divided into five task forces to debate their management and policy agendas in the following areas. Here are their top recommendations.

THE NATIONAL AGENDA

1. FUND STEM: Develop and fund an end-to-end architecture for STEM to include students, parents, teachers, employers and educational institutions.
2. LEVERAGE LEARNING: The government should enact a liability-free zone centered on information sharing around cybersecurity with no penalties.
3. FIX HEALTH CARE: Break the current model. Use technology to create an incentive model that drives positive financial and clinical outcomes.
4. IMMIGRATION: We need a medium-term increase in H1B visas.

CO-CHAIRS: Scott Blanchette, CIO, Kindred Healthcare; Sheila Jordan, Senior Vice President, Chief Technology Officer, Symantec
SUBJECT EXPERT: Terry Benzel, Deputy Director, Internet and Networked Systems, USC Information Sciences Institute

GETTING THE MESSAGE ACROSS

1. BE A CHANGE AGENT: Understand the steps to creating change with the current corporate culture in mind. Pace yourself. Deliver tangible value early. Create a path to change with concrete steps.
2. FOCUS ON VALUE DIFFERENTIATION: Always emphasize the value being delivered rather than the cost of technology. The value needs to be visible.
3. TURN RISK INTO OPPORTUNITY: Use current challenges such as market conditions, cybersecurity, innovation and data analytics as a catalyst for engagement in the boardroom. Use the opportunity to drive the components of your business agenda.
4. BUSINESS-CENTRIC VISION: Create a vision; form a strategy. Communicate that vision to stakeholders in a transparent way. Effectively communicate the right messages to the right individuals, execute, and then measure your success.

CO-CHAIRS: Anil T. Cheriyan, CIO, SunTrust Banks Inc.; Suren Gupta, Executive Vice President of Technology and Operations, Allstate Insurance
SUBJECT EXPERT: Chris Patrick, Global Leader, CIO Practice, Egon Zehnder

TECHNOLOGY’S GOT TALENT

1. BEYOND THE USUAL SUSPECTS: Take risks and refrain from simply checking a box. Be open to raw talent who have the smarts, the ambition, the enthusiasm and the curiosity. Also look for people who understand how ‘Year Zero’ works with technology, and who are commercially minded. This strategy requires the CIO to take ownership and develop and install a path for their success.
2. WIRED FOR CHANGE: Change is constant; look for people who come at problems from a different perspective. Are we talking about a risk taker? Yes. But not someone who just takes risks. Recruit people who are incredibly adaptive to and can drive rapid change, both personally and professionally.
3. LEADERS AND SUPERSTARS: Identify and build leaders and superstars. Leadership is the “It” factor. CIOs should invest their time in budding leaders. Let them know they are making a difference in the organization. Create leadership education/mentorships for the top technical talent so they won’t fail when offered more responsibility. Be sure your organization can identify, develop and reward the superstars.
4. CREATE A ‘STICKY’ CULTURE: Create an environment for talent to come, stay and grow, and a narrative defining innovation in terms of what your company does best. Build an environment to improve employee work/life balance.

CO-CHAIRS: Gerri Martin-Flickinger, Senior Vice President and CIO, Adobe; Mark Settle, Senior Vice President and CIO, IHS Inc.
SUBJECT EXPERT: Katherine Graham Shannon, Global Managing Partner, Information and Technology Officers Practice, Heidrick & Struggles

THE CIOS’ TOP PRIORITIES

The five task forces at the CIO Network conference presented their recommendations to the full conference, which voted these as the top five overall priorities:

1. MAKE IT EVERYBODY’S BUSINESS: Make sure everyone in your community—including third parties—knows what the boundaries are, what needs to be protected, and where there’s room to move. Everyone is a cop on the beat. Everyone also is a target. Build a comprehensive education system from top to bottom of the company that includes governance that embraces security at every step.
2. CYBER RISK = BUSINESS RISK: Categorize what data in your company is the most critical. Make it clear to everyone how a breach would translate to business impact.
3. BE A CHANGE AGENT: Understand the steps to creating change with the current corporate culture in mind. Pace yourself. Deliver tangible value early. Create a path to change with concrete steps.
4. BUSINESS-CENTRIC VISION: Create a vision; form a strategy. Communicate that vision to stakeholders in a transparent way. Effectively communicate the right messages to the right individuals, execute, and then measure your success.
5. ANTICIPATE THE CYBER 9/11: Cybersecurity needs to be elevated to an international level; firms across industries and governments across regions must organize for this battle. They should view it as securing a common cyberborder.

The Wall Street Journal would like to thank the 2015 sponsors for their generous support of the CIO Network annual meeting.

STAYING SECURE AND INNOVATIVE

1. MAKE IT EVERYBODY’S BUSINESS: Make sure everyone in your community—including third parties—knows what the boundaries are, what needs to be protected, and where there’s room to move. Everyone is a cop on the beat. Everyone is also a target. Build a comprehensive education system from top to bottom of the company that includes governance that embraces security at every step.
2. CYBER RISK = BUSINESS RISK: Categorize what data in your company is the most critical. Make it clear to everyone how a breach would translate to business impact.
3. DON’T HUNKER IN THE BUNKER: Don’t think of security as the gate at the end of the process that restricts innovation. Put it at the front end of product development to enable the solution. Engineer it into every step of the process.
4. ANTICIPATE THE CYBER 9/11: Cybersecurity needs to be elevated to an international level, which means companies across industries and governments across regions must organize for this battle. They should view it as securing a common cyberborder.

CO-CHAIRS: Tammy Jeffery, Vice President and Chief Technology Officer, General Growth Properties; Lidia L. Fonseca, Chief Information Officer and Senior Vice President, Quest Diagnostics
SUBJECT EXPERT: Richard Bejtlich, Chief Security Strategist, FireEye

THE BLACK SWANS

1. BE THE BLACK SWAN: CIOs should think about how digital disruptors would approach their industry. Understand how to partner with the business. Find radically new revenue models and zero-cost supply models. CIOs should partner with early-stage external entities to find new business models.
2. 10X CYBER EVENT: CIOs should contemplate a 10x cyber event such as a solar flare or massive cloud outage. Continuity plans need to assume the worst-case scenarios. Be sure to test to assure your most important assets are safeguarded. Make sure you have physical redundancy as well. CIOs should explore unintended opportunities and consequences of new technologies, including impacts on labor.
3. GLOBAL REGULATORY DYNAMICS: Countries increasingly dictate where you can store your data and how you use it. As companies move business elements to the cloud, CIOs need to partner with government affairs departments to develop a plan to navigate the changing regulatory landscape.
4. AUTOMATION OF EVERYTHING: Automation increases connectivity among new devices.

CO-CHAIRS: Bask Iyer, Senior Vice President and CIO, Juniper Networks Inc.; Meg McCarthy, Executive Vice President of Operations and Technology, Aetna; Philip R. Wiser, Chief Technology Officer, Hearst Corp.
SUBJECT EXPERT: Salim Ismail, Founding Executive Director, Global Ambassador, Singularity University

The Journal Report welcomes your comments—by mail, fax or email. Letters should be addressed to Lawrence Rout, The Wall Street Journal, 4300 Route 1 North, South Brunswick, N.J. 08852. The fax number is 609-520-7256, and the email address is reports@wsj.com. For more information please visit CIONetwork.wsj.com.

For advertising information please contact Katy Lawrence at 214-951-7137 or katy.lawrence@wsj.com

CIO NETWORK MEMBERS
(Chief information officers/chief technology officers, except as noted)

Rich Adduci, Boston Scientific
Rob Alexander, Capital One Financial Corp.
Steven B. Ambrose, DTE Energy Co.
John Applegate, KPMG LLP
Michael S. Bahorich, Apache Corp.
Simon Benney, Rio Tinto
Robin Bienfait, Chief Innovation Officer, Samsung Electronics America
Scott Blanchette, Kindred Healthcare
Keyvan Bohlooli, Ryder System Inc.
Michael S. Brown, VP, Global Information Technology, ExxonMobil Global Services
Tony Buttrick, Flagstar Bank
Robert J. Casale, Massachusetts Mutual Life Insurance
Karen Chamberlain, Western & Southern Financial Group
Paul Cheesbrough, News Corp
Anil T. Cheriyan, SunTrust Banks Inc.
Denise Clark, Estee Lauder
Ted Colbert, Boeing Co.
Keith Collins, SAS Institute
Lee Congdon, Red Hat Inc.
Craig Cuyar, Cushman & Wakefield
Richard Daniels, Kaiser Permanente
Dale Danilewitz, AmerisourceBergen Corp.
Julia K. Davis, Aflac Inc.
Robert Dickie, Zurich Insurance Group
Darren Dworkin, Cedars-Sinai Health System
Mandy Edwards, CBRE Group
Philip Fasano, AIG
Victor Fetter, LPL Financial
Lidia L. Fonseca, Quest Diagnostics
Sonny Garg, Exelon Corp.
Michael E. Gioja, Paychex Inc.
Stephen J. Gold, CVS Health
Bruce Greer, VP, Strategic Planning and Information Technology, Olin Corp.
Celso Guiotoko, Nissan Motor
Suren Gupta, Executive VP, Technology and Operations, Allstate Insurance
William Hills, Navy Federal Credit Union
Gil Hoffman, Mercy Health
Donald G. Imholz, Centene
Sonja Chirico Indrebo, Statoil
Chris Isaacson, BATS Global Markets Inc.
Bask Iyer, Juniper Networks
Guilda Javaheri, Golden State Foods
Tammy Jeffery, General Growth Properties Inc.
Sheila Jordan, Symantec Corp.
Manish Kapoor, NuStar Energy LP
Adriana Karaboutis, Executive Vice President, Technology and Business Solutions, Biogen Idec Inc.
David Kardesh, Cabela’s Inc.
Jay Kerley, Applied Materials
Deborah Kerr, Sabre Holdings
Dan Kieny, Black & Veatch
Stuart Kippelman, Covanta Energy
K Ananth Krishnan, Tata Consultancy Services
Madelyn Lankton, Travelers
Brian LeClaire, Humana Inc.
Bruce Lee, Fannie Mae
Darryl Lemecha, VSP Global
Robert Logan, Leidos
Robert Lux, Freddie Mac
Krish Mani, JELD-WEN Inc.
Jonathan Manis, Sutter Health
Michele M. Markham, HD Supply
Gerri Martin-Flickinger, Adobe Systems Inc.
Meg McCarthy, Executive Vice President, Operations and Technology, Aetna Inc.
Kathy McElligott, Emerson Electric Co.
James M. McGlennon, Liberty Mutual Insurance
Paul Meller, Dow Jones & Co.
Jamie S. Miller, General Electric Co.
Cynthia B. Nash, Windstream
Michael Nelson, Amway Corp.
Mike Parisi, Vice President, Information Technology, Illinois Tool Works Inc.
Karen Porter-Wolf, Assurant Solutions
Banesh Prabhu, Senior EVP and Group Head, Technology and Operations Group, Siam Commercial Bank
Larry Quinlan, Deloitte
Bob Quinn, Palo Alto Networks
Joe Reilly, Zions Bancorp.
Craig Richardville, Carolinas HealthCare System
Denise Saiki, Lockheed Martin
Michael Sajor, Apollo Education Group Inc.
Joseph Santamaria, Public Service Enterprise Group
Glenn Schneider, Discover Financial Services
Stuart Scott, Tempur Sealy International Inc.
Tony Scott, VMware Inc.
Clive Selley, BT Group PLC
Mark Settle, IHS Inc.
Janne Sigurdsson, Alcoa
Mark Sims, Vice President, Business Transformation, Scotts Miracle-Gro Co.
Eric Singleton, Chico’s FAS
Joseph C. Spagnoletti, Campbell Soup Co.
Tony Stoupas, Moody’s Corp.
Luis Taveras, Barnabas Health
Tim Theriault, Walgreens Boots Alliance Inc.
David Thompson, Western Union Co.
Sri Valleru, Nabors Industries Ltd.
Sankara Viswanathan, Day & Zimmermann Group Inc.
Lanpin Wan, LINN Energy
Philip R. Wiser, Hearst Corp.

PARTICIPATING GUESTS

Richard Bejtlich, Chief Security Strategist, FireEye
Terry Benzel, Deputy Director, Internet and Networked Systems, USC Information Sciences Institute
Amy Braverman, Principal Statistician, Jet Propulsion Laboratory, California Institute of Technology
John T. Chambers, Chairman and Chief Executive Officer, Cisco
George F. Colony, Chairman and Chief Executive Officer, Forrester Research Inc.
Shuman Ghosemajumder, Vice President, Product Management, Shape Security
Salim Ismail, Founding Executive Director and Global Ambassador, Singularity University
Chris Patrick, Global Leader, CIO Practice, Egon Zehnder
Howard A. Schmidt, Co-Founder, Ridge-Schmidt Cyber LLC; former Cybersecurity Coordinator and Special Assistant to President Obama
Katherine Graham Shannon, Global Managing Partner, Information and Technology Officers Practice, Heidrick & Struggles
Maarten Sierhuis, Director, Nissan Research Center Silicon Valley, Nissan North America
J. Craig Venter, Co-Founder, Executive Chairman and Chief Executive Officer, Human Longevity Inc.
[Chart: A Losing Battle. Executives see a number of ways to significantly improve their companies' information security, but most feel that their efforts are falling short and that they will continue to lose ground to cyberattackers. Panels: “Easier Said Than Done” and “Advantage: Attackers.”]

Easier Said Than Done: Percentage of surveyed chief information security officers and other executives who said the following actions would have a significant impact or be a game changer in reducing the risk associated with cyberattacks, and the executives' self-assessment grade for each action

85% | Develop deep integration of security into the technology environment to drive scalability. | GRADE C
75% | Deploy active defenses to be proactive in uncovering attacks early. | GRADE C
74% | Provide differentiated protection of most important assets. | GRADE C
74% | Prioritize information assets and related risks in a way that helps engage business leaders. | GRADE C
65% | Improve incident response and testing. | GRADE C+
55% | Leverage existing business processes and governance mechanisms, with strong linkages to other risk/control functions. | GRADE C-

How the Hacking Scandal At Sony Changes the Picture

Richard Bejtlich and Shuman Ghosemajumder say the key is limiting damage rather than preventing attacks

Sony Pictures. The Pentagon’s social-media accounts.
And now Anthem, the big health insurer. Is nothing safe from hackers anymore?

Richard Bejtlich, chief security strategist for FireEye Inc., a network security company, and Shuman Ghosemajumder, vice president of product management for Shape Security, a website security company, spoke at the CIO Network conference about what companies might learn from the spate of recent intrusions to stay a step ahead of trouble. Here are edited excerpts of their conversation with The Wall Street Journal’s John Bussey.

Timely Detection

MR. BUSSEY: Has the Sony Pictures breach changed the game? Everybody in this room has been dealing with hacking incidents, but the Sony case seems to have crossed a threshold. And we’re still not sure how much damage got done. Is it a paradigm shift?

MR. BEJTLICH: We’re there. And in the 17 years I’ve been doing incident-detection response, I’ve never seen anything like it.

MR. BUSSEY: You’re inside Sony. FireEye Mandiant is one of the consultants in trying to fix things?

MR. BEJTLICH: Right, it’s public knowledge. Now, what’s unfortunate about this breach is the techniques that were used are not particularly sophisticated. Does it mean everyone has to worry about North Korean hackers attacking your company and destroying data? I would say the answer is no, unless you’re going to produce a bad movie about an assassination. The lesson you can take away from this is you need to be in a position where you can detect when something bad happens and stop the bad guy before he accomplishes his mission, whether it’s stealing data, leaking data, destroying data, changing data, whatever the case is. If you’re a sufficiently interesting target, you will be breached. There is no company or organization in the world that can stop it, including the U.S. government. We’ve seen that. But you need to cut off the bad guys before they do what they came there to do. Our current research shows the amount of dwell time—the amount of time a bad guy spends in your enterprise before somebody notices—is a median of 209 days. And two-thirds of the time, somebody else tells you—usually the FBI. We need to bring that way down.

Greater Awareness

MR. BUSSEY: Shuman, are we stuck with this? You’re going to get breached, it’s a matter of mitigation, live with it. Is that where we are?

MR. GHOSEMAJUMDER: Pretty much. The problem is that it’s extremely easy for anyone to become an attacker. And they can attack from anywhere in the world. They can compromise machines from any other part of the world in order to be able to make it appear as though the attack is coming from someone else. But what I think is fundamentally changing is that there is much greater awareness of security at every single level. When I studied computer science, we didn’t spend a lot of time on security. When I studied business, we didn’t spend a lot of time on security. But now, we’re seeing that every single CIO, every single CEO in the world, has to have a certain level of knowledge about security and how it affects their business. And that required level of knowledge is constantly increasing. So the view of security is changing from something you add on to your IT to make sure you’re mitigating risks, to something that enables IT. You have to think through it in terms of any IT system requiring security being approached in a thoughtful way in order to be effective.

Out of the Wild

MR. BUSSEY: Can you reflect on what just came out of the White House, calling for more cooperation within industry, legislation that alleviates the liability problem that companies would have in releasing information to the government if they were cooperating more. Is that behind the curve at this stage of the game, or is that a positive development?

MR. GHOSEMAJUMDER: I think it’s both. Government action in general trails what’s happening in the technology industry.
But I think it’s incredibly positive to be able to see this sort of effort and to hear the word cybersecurity coming out of the mouth of the president of the U.S. It creates a much more positive environment to be able to invest in security and to elevate consciousness of security at every level of an organization. And, as we’ve seen over the past year, this is something that really is now a board-level discussion that companies are having. It’s very difficult for any type of government action or any sort of law enforcement or legislative action to be able to protect companies against the types of threats that they face, especially from places where that particular government may not have any jurisdiction. Whenever you see a new report about a piece of malware that has been active in the wild for years before it was discovered, that can’t make you feel good in terms of how you’re protecting against the effects of that particular piece of malware and others like it that you haven’t been able to detect, that the entire security industry hasn’t been able to detect yet. But there are steps you can take that make you fundamentally more secure. There are different types of security technologies like using transport-layer security, using two-factor authentication. These aren’t things that are trying to identify attacks that you find in the wild and then trying to mitigate them when you see them coming in again. They are things that fundamentally change your security and IT architecture to make you less vulnerable to attacks in general.

What Business and the Feds Must Do About Cybersecurity

How do you believe the relative level of sophistication will evolve for your institution compared to potential attackers over the course of the next five years?
69% | The sophistication or pace of attackers will increase somewhat more quickly than our own—risk will increase somewhat
17% | The sophistication or pace of attackers will increase much more quickly than our own—risk will increase dramatically
8% | We will continue to maintain parity with attackers—the level of risk will remain the same
6% | We will increase our sophistication more quickly than the attacks, making us safer

Who could have the most impact in reducing the overall level of threat associated with cyberattacks in your sector?
32% | Industry and cross-country associations and standards groups
23% | Regulators and policy makers
18% | Technology vendors
16% | Individual companies and institutions
11% | Law enforcement

What impact does government regulation have on your ability to manage cybersecurity-related risks?
40% | It requires a lot of time and effort, but does not really make us more secure
32% | On balance it encourages us to be more secure in a helpful way
16% | It makes us less secure by requiring actions that do not make sense or taking resources away from higher-priority actions
12% | No/Limited impact

Source: Global survey of 100 executives in 2013 by the World Economic Forum and McKinsey & Co. The Wall Street Journal

MR. BUSSEY: This question is from someone in the audience. What companies are you seeing that demonstrate the best practices on how to increase security awareness within the company?

MR. BEJTLICH: The top sectors that I’ve seen are the prime defense contractors—the Lockheeds, those sorts of companies—partly because what they do for their own company they can sell to others.
And financial companies, because they are hit by everything. They’re hit by disgruntled activists, they’re hit by organized crime. They’re hit by nation-states. Every angle you could imagine. So the financials have to deal. And they have a strong risk-management culture.

‘At every board meeting, cybersecurity should be on the agenda.’

Howard Schmidt offers advice for all parties

With every report of a high-profile data breach, alarm over cyberattacks grows, both in Washington and in boardrooms across the U.S. Howard Schmidt, the cofounder of Ridge-Schmidt Cyber LLC and a former cybersecurity adviser in both the Obama and Bush administrations, sat down with The Wall Street Journal’s Noelle Knox to talk about what companies and lawmakers should be doing to fight threats. Here are edited excerpts:

Mixed Feelings
CIO Network members weigh in on government-business cooperation on cybersecurity
President Obama's proposed steps to boost cybersecurity coordination between government and business:
[Chart: two responses, "Would improve my company's ability to protect itself" and "Wouldn't make much difference for my company"; shares shown: 52%, 48%.]
The Wall Street Journal

Who Do You Call?

MS. KNOX: We asked the CIOs in the audience how often they discuss cybersecurity with their boards. Fifty percent said every 90 days. Is that enough?

MR. SCHMIDT: At every board meeting, whether it’s monthly, whether it’s quarterly, cybersecurity should be on [the agenda]. If not, you’re going to wind up in a situation where you’re having an emergency board meeting to discuss something that has gone wrong. You have to have a plan. You should have general counsel, public relations, communications, the IT people, the security people—all of them need to have a structure in place to be able to deal with something like this.

MS. KNOX: If a company is attacked, who should they call? Is there a point person?

MR. SCHMIDT: Clearly, we have designated in the U.S. government that the Department of Homeland Security has the role of coordinating with the private sector on threats, vulnerabilities and best practices. So DHS has a dedicated command center and everything else to deal with it. Not everything rises to that level, and most of the things that take place are crimes, so the FBI or Secret Service is involved. But DHS should be the point of contact. They should bring in law enforcement and the intelligence people, as needed.

MS. KNOX: We’ve got a new Congress this year. If the CIOs here go back and talk to their government-affairs people to lobby in Washington, what should they be asking for?

MR. SCHMIDT: The biggest thing is what the government is going to share with companies. I remember one of the major financial-services firms about three or four years ago was intruded upon—a piece of malware by all accounts. It was held for 109 days before the government released it. And I’d sit there and say, “We have to release this to the other financial services” firms. They go, “No, we have the possibility of a foreign nation involved. We have criminal investigations going.” How many people could have been victimized during those 109 days? Or were they and we just didn’t know about it? So, the ability to share information almost immediately, with some rare exceptions, should be the No. 1 request. Most of this stuff is just a matter of, “Watch out for this IP address. Watch out for this particular piece of malware. Watch out for this phishing email,” and stuff like that. The second thing, and this is my warning to the private sector, if we don’t start telling the government that we are doing things, and everybody in this room is doing something more than they’ve done, the government is going to continue to look down the road of how do we regulate? They’ll start focusing on critical infrastructure first. Then they’ll start looking at the economic world—and not just financial-services companies.

Digital IDs

MS. KNOX: What three things should the private sector be doing with the government to improve communication and fight breaches?

MR. SCHMIDT: It’s interesting. Since 1998, when President Clinton signed an executive order creating ISACs, Information Sharing and Analysis Centers, for all the sectors, we’ve got all those in place. Not everybody participates. Not everybody recognizes it. But No. 1 is that’s the information sharing. There is an information-sharing bill that was originally put together by Dutch Ruppersberger and Mike Rogers who just recently left Congress, but it doesn’t relieve the liability issues that we need in the private sector. If we’re sharing information about something that happened, we need to have some level of protection because we’ve got customers, we’ve got supply-chain partners, etc. The second thing is the government released a national strategy for trusted identities in cyberspace, also known as digital identities. We all know how to do it. The technology is there. The government said, and we were very specific, “this is not a national ID card. This is not a driver’s license for the Internet. We want the private sector to develop an ecosystem that gives us the ability to get away from user ID and passwords.” The government said, “We will be your biggest customer.” I’ve got at least seven government accounts—taxes, Social Security, my VA, and all these other things—where I have to create a user ID and account in the government system. You shouldn’t have to do that. So we need to do away with this whole issue of identity management and really get away from user ID and passwords. The third thing, and it’s probably one of the things that’s, once again, not that difficult, is using encryption in conjunction with the digital identity.
So, for example, if we fully recognize that at some point we can’t protect everything, like somebody leaving a USB stick somewhere, we want to make sure that whoever gets it doesn’t have the ability to do anything with it.

Researchers Study Mystery of Drivers

Maarten Sierhuis on the road to autonomous cars

Gary Fong/Dow Jones (2)

‘We need to understand how humans behave on the road.’

Before self-driving cars get the green light, a lot of hurdles need to be overcome. To look more closely at some of those challenges and explore how this research may have broader applicability, The Wall Street Journal’s Gabriella Stern turned to Maarten Sierhuis, an expert in artificial intelligence, a former NASA scientist, and now director of the Nissan Research Center in Sunnyvale, Calif. Edited excerpts of their conversation follow.

MS. STERN: A few weeks ago, you announced a partnership with NASA, your former employer. Is Nissan sending autonomous cars to Mars?

DR. SIERHUIS: Well, it’s easier to drive on Mars because there are no humans. But it’s more the technology that NASA’s been developing for the last decade, autonomous systems, and what we’re trying to do with autonomous vehicles. They’re very in sync. I think we can do great research together on this topic.

MS. STERN: Driving has defined a large aspect of American culture, and the autonomous car will radically change that. As the head of Nissan’s Research Center, you are amassing engineers, experts in artificial intelligence, but also anthropologists?

DR. SIERHUIS: Yes, driving is a very human activity. We need to understand how humans behave on the road. How people communicate between cars and bicyclists and pedestrians. I believe there is a language we can understand and create to teach the car how to communicate.

MS. STERN: How do your anthropologists collect data? Do you put cameras in cars?

DR. SIERHUIS: There are two ways. One is you put cameras in the car and try to make it unobtrusive. The other way is just to stand on a corner and videotape. I have a fascinating videotape of an intersection in Amsterdam, and if you see what happens in about 10 minutes it will blow your mind. How people create this, as we say, “coordinated chaos” on the road is fascinating. To teach cars to live within that and drive within that, we have to understand how humans do that.

MS. STERN: Is this related to what you have been quoted as calling “human-centered artificial intelligence”?

DR. SIERHUIS: Yes. I call it “human-centered computing.” It is about understanding how humans behave, and using that to build computer systems. I have coined this term “lean research.” We do not have the time to spend five, six years studying what humans do, in order to build technology. We have to do it faster. So we’re trying this method where we do observations, we bring in people, we cocreate, design together, then create a prototype and test it. It can be done in simulation, or in a test track, or maybe even on the road.

MS. STERN: How is lean research different from, say, “agile” or any of these other buzzwords, describing how to do things quickly and effectively?

DR. SIERHUIS: It’s a process where you go into a cycle and you try to improve as quickly as possible. You want to get to a prototype as fast as you can, in order to test it out. One of the hardest things for autonomous vehicles is that it’s difficult to try it on the road, when a pedestrian suddenly crosses the road, when I don’t anticipate what the car will do. I can’t try this out. So, we’re creating a simulation environment, a virtual world of exactly the roads that we’re driving in Silicon Valley, in which we can test things very fast. Then, that same software we can use to now drive on the same roads. This is a way we can try to speed up this research cycle.

MS. STERN: I read a study that said most Americans are afraid of the concept of a self-driving car. Then there are people like me, who would welcome a self-driving car because I am a terrible driver. How do you gauge what the customer will want?

DR. SIERHUIS: This is a very difficult problem, to bring technology changes to the world, where we actually do not know yet how people are going to interact and want to use the technology. [Especially] with something like a car, this is not an easy thing. At NASA, we had to study how people will live and work on Mars with robots. We did that by going to the desert or the North Pole for a month, trying to live like we would live on Mars to find out what the issues are. With autonomous driving, it’s the same thing. We need to get to the point where we can try this on the road in a safe way to experience what it means. Then, if we can get customers or people in the cars, that’s where we will learn where this fine balance is between autonomous or driverless, or autonomous on the highway versus autonomous in a city, autonomous self-parking versus autonomous self-parking in a parking garage.

MS. STERN: Do you think you’re a better driver than an autonomous car?

DR. SIERHUIS: I think at the moment, most reasonable human drivers are still better than autonomous vehicles. And this is not because we can’t get to autonomous vehicles that are better. It depends on what situation you are describing. So, if I show you this video about this intersection in Amsterdam, I could guarantee you that I am better negotiating that intersection than any autonomous vehicle that is right now on the road.

MS. STERN: Because of so many of the contingencies?

DR. SIERHUIS: We call it socially acceptable driving. It has to do with the rules of the road, the culture that you’re in. It depends, place by place. And so if you create very difficult intersections, it’s going to be very hard for an autonomous vehicle today to negotiate that. But if you’re driving on the highway and you’re driving straight, I would say that the car is probably faster in its reaction time and knowing how to handle situations more safely than we as humans do.

BEHIND THE WHEEL
Executives at the CIO Network conference were asked the following questions about driving.

Do you think you're a better driver than an autonomous car?
65% | No
35% | Yes

How often do you text while you drive? (Be honest!)
2% | Always
12% | Often
24% | Sometimes
39% | Rarely
22% | Never

The Wall Street Journal

CIOs Face the ‘Age Of the Customer’

George Colony on ‘BT’ vs ‘IT’

‘The power is shifting away from institutions.’

Technology has put more power than ever in the hands of customers, and businesses ignore this at their peril, says George F. Colony, chairman and chief executive of Forrester Research Inc. The Wall Street Journal’s Steven Rosenbush interviewed Mr. Colony about business technology in “the Age of the Customer.” Edited excerpts of the conversation follow.

MR. ROSENBUSH: What are some of the biggest technological challenges companies currently face?

MR. COLONY: I’ve been around for eons in this business. And the CIO has had a number of challenges during decades of my career. [What’s happening now] is not a technology change. This isn’t going from mainframe to mini computers or mini computers to PCs or PCs to client servers. That was all internal stuff. We’re in what we call “the Age of the Customer,” where the customer is now using technology to price precisely, to be able to critique your products precisely and publicly. And, to be able to buy anywhere. This is kind of an amazing statistic, but according to our data, 18% of U.S. consumers now buy outside of the U.S. once every three months. The power is shifting away from institutions, toward the customers. And that’s really the sea change. That’s really the big deal that’s happened now. And those are the new forces bearing on the job of the CIO.

MR. ROSENBUSH: How does the company’s technology budget evolve over the next few years?

MR. COLONY: CIOs should very knowingly look at their companies’ portfolios and say, “OK, how much of my portfolio is IT,” to run the internals of your company, “and how much is BT” [business technology], the technology, systems and processes to win, serve and retain customers.

MR. ROSENBUSH: How much typically is devoted to BT right now?

MR. COLONY: If you look at tech spending in the U.S., it’s about $1.1 trillion in the year 2015. Of that number, about $780 billion is IT and about $250 billion is going to be BT. So it’s about a 75-25 split. It really depends on what industry you’re in. If you’re in the food industry, you’re going to have a much higher IT. If you’re in retail, you’re going to have a much higher BT.

MR. ROSENBUSH: There’s a real integration of the CIO with the other members of the leadership team. But your research shows that everyone isn’t so good at that. What are the obstacles?

MR. COLONY: To an extent, it’s really about language. I talked about going to your staff meeting and every time the word “customer” is mentioned, thinking about your enterprise architects and your head of application development and whether they really have an awareness of and a view to the customer. So it’s really about language, number one. Two, it’s about the people who work for you. Do they have the actual ability to think about the customer. Three, it’s the ability to think in models not about the internals of your company, but how the customer is actually thinking about you.

MR. ROSENBUSH: Our sense is that the market is moving faster and faster. There’s more data. For most companies, unless they were created recently, their DNA is based in something a bit older. So how do you catch up?

MR. COLONY: I’ve always said to CIOs, “Look, if you work for a CEO who doesn’t get it, then quit. Go work for somebody else.”

MR. ROSENBUSH: What distinguishes the CIO environment right now?

MR. COLONY: As I like to say, you are now in the pockets of your customers all the time. You’re always with them, 24 hours a day. When they need you, if you are there for them, they will love you. If you are not there for them, they will doubt you. If you’re not there for them a second time, they will drop you.

A NEW DAY
How businesses are reacting to the power of consumers
Spending Shift: Business spending on technology is shifting toward more of a focus on customers, as opposed to operational needs. [Chart: Percentage of all technology spending by U.S. businesses and governments on products and services that help win, serve and retain customers, 2009 through 2017; 2014 through 2017 are forecasts. Source: Forrester Research]
Keeping the Customer Happy: Businesses are determined to make shopping online a better experience. 74 percent of business leaders say improving the customer experience is a high or critical priority. [Chart: Forrester Customer Experience Index scores for 175 large North American brands in 2014, by category: Excellent (85+), Good (75-84), OK (65-74), Poor (55-64), Very poor (0-54).]
Sources: Priority figure, survey of 2,958 global business leaders conducted by Forrester Research January through April 2014. Customer Experience Index, Forrester survey of 7,538 U.S. consumers in the fourth quarter of 2013. The Wall Street Journal

Why Most Firms Better Get Moving

‘I think in this next decade, IT will be in vogue again.’

John Chambers has been chief executive of Cisco Systems, the world’s largest maker of data-networking equipment, for 20 years. Although Cisco’s annual revenue has grown to more than $47 billion under his watch, the company’s core networking business is now facing threats from lower-cost competitors. Mr. Chambers sat down with The Wall Street Journal’s senior deputy technology editor, Scott Thurm, to discuss the intense digital disruptions facing all companies. Here are edited excerpts:

Back in Vogue

MR. THURM: Last year, you said almost in passing that the role of the chief information officer is going to change more in the next year than it has in the past five. Can you tell the CIOs here what you meant by that?

MR. CHAMBERS: If your CEO was [at the World Economic Forum] in Davos, I guarantee you that the No. 1 thing on his or her mind is how to make your company a digital company. No. 2 is the “Internet of everything” and the capability of sensors, etc. It has exploded.
It’s going to change every country and every business. It’s also about fast innovation, which means fast IT, and then it’s about security. But almost every company coming out of Davos said, “I’m not moving fast enough. I have to become a digital company first, a physical company second.” If that’s on the CEO’s mind, then guess what? That’s on the CIO’s mind. I think in this next decade, IT will be in vogue again. It will be centered all around these new concepts, and the role of the CIO can change dramatically.

MR. THURM: Your CIO is Rebecca Jacoby. How has her role changed at Cisco in the last couple of years?

MR. CHAMBERS: Every company’s future is going to depend on whether they catch the market transitions right. Forty percent of the companies in this room won't exist, in my opinion, in a meaningful way in 10 years unless they change dramatically. So getting market transitions right is the first issue, and obviously, digitization and the Internet of everything is at the front of that. The second is don’t stay doing the same thing for too long. That’s the second thing that causes a company to fail. You’ve got to move into market adjacencies, and bring what you learned back to your core capability. GE is doing that remarkably well. The third thing, and this is a tough one, you must reinvent yourself—as a CIO, as a CEO and your company. Most companies struggle to do that, especially the more successful ones. And then there is the pace of change. We’ve changed more at Cisco in the last 12 months than at any time in our history. It’s Becky’s job to make sure she leads in this.

Gary Fong/Dow Jones (2)
Cisco’s John Chambers on digital disruptions ahead

Making Data Meaningful

MR. THURM: The amount of data we’re going to be creating from Internet-connected devices is going to increase exponentially. How are the CIOs of the world supposed to manage all that data?

MR. CHAMBERS: This is something CIOs need to lead in. It’s very simple.
It’s getting the right data at the right time to the right device or right person so they can make the right decision. That means the role of the network is going to change dramatically. Contrary to a lot of people’s views on big data, I think the majority of the data will actually be analyzed and acted upon at the edge of the network. And if you write your applications right, they can run in the cloud, they can run in your data center, they can run in the [wide area network], they can run right all the way to the edge. It will transform business at a tremendous pace.

WORK IN PROGRESS
A look at how far CIOs have come in expanding their roles, what skills they're focusing on and what they see for themselves in the years ahead.
Still on the Periphery: 17% of CIOs are members of their company's executive leadership team. [Chart: Percentage of CIOs who say they have strong engagement with the executive management board on these issues: discussing IT budgetary issues and infrastructure management; discussing IT's role in business transformation; providing facts as a basis for strategic decisions; participating in strategic decision making; discussing business performance and challenges.]
Focus on Leadership: CIOs cite several management skills more often than technological skills as being crucial to their success. The area cited most as being in need of improvement: communication and influencing skills. 42% of CIOs say improvement in their communication and influencing skills is very important. [Chart: Percentage of CIOs saying each of these is a key attribute for the position: leadership skills; communication and influencing skills; analytical approach and organizational skills; project and change management skills; technological skills and know-how on IT trends.]
Ambition vs. Perception: [Chart: Where CIOs see themselves in five years, and where other C-Suite executives see them: CEO; other C-Suite position; bigger CIO role, within the company or elsewhere; happy to stay in current position; other.]
Source: Ernst & Young 2012 global survey of 301 CIOs and others with ultimate responsibility for the IT function in their organizations, as well as 40 C-suite executives not within the IT function
The Wall Street Journal

It’s a Whole New Data Game

Amy Braverman on the need for new methodologies

Companies are getting a flood of new data from customers, vendors and the factory floor. What are some ways to think about big data—and to reduce uncertainty when building a business strategy around it? The Wall Street Journal’s Scott Thurm spoke with Amy Braverman, principal statistician at the Jet Propulsion Laboratory, who comes up with ways to analyze and make accessible troves of information from NASA’s space-borne instruments. Here are edited excerpts of their conversation.

‘Data collection is so different than it used to be.’

Making Sense of It All

MR. THURM: What do you do when you don’t have all the data, or it’s not all neatly organized?

DR. BRAVERMAN: Two things. Data collection is so different than it used to be. Spacecraft are collecting information on thousands and thousands of variables about the health of the Earth and the atmosphere. Freeways have built-in sensors, so you can go to your smartphone and see how many people are getting on at your on ramp and getting off. The supermarket, every time you scan something, it’s going into a database. This opportunistic data collection is leading to entirely new kinds of data that aren’t well suited to the existing statistical and data-mining methodologies. So point number one is that you need to think hard about the questions that you have and about the way that the data were collected and build new statistical tools to answer those questions. Don’t expect the existing software package that you have is going to give you the tools you need. Point number two is having to deal with distributed data. There’s been a lot of work done on distributed computing, where you have a computation, and you want to farm the computation out in pieces, so that you can get it done faster. What do you do when the data that you want to analyze are actually in different places? There’s lots of clever solutions for doing that. But at some point, the volume of data’s going to outstrip the ability to do that. You’re forced to think about how you might, for example, reduce those data sets, so that they’re easier to move.

Big Challenges
Percentage of surveyed IT and business leaders listing each of these factors as one of their organization's top hurdles or challenges with big data
65% | Determining how to get value from big data
32% | Risk and governance issues (security, privacy, data quality)
30% | Obtaining skills and capabilities needed
30% | Integrating multiple data sources
29% | Integrating big data technology with existing infrastructure
28% | Defining our strategy
25% | Funding for big-data related initiatives
Source: Gartner Inc. survey of 302 IT and business leaders in June 2014
The Wall Street Journal

What We Don’t Know

MR. THURM: One of the projects that you work on is dealing with satellite capture data of CO2 concentrations in the atmosphere.

DR. BRAVERMAN: The satellites we work with are in polar orbit, which means they are flying from north to south and then back up the backside of the Earth. A satellite that’s in polar orbit with the Earth turning underneath it is always going to cross the equator at the same time every day. I think for CO2, it’s 1:30 in the afternoon. If we want to draw conclusions about the global distribution of carbon dioxide, we have to know that the data we’re collecting pertains to 1:30 in the afternoon. Plants breathe. And they exhale. Typically, they’re doing photosynthesis during the day. At 1:30 in the afternoon, the plants are going to be sucking up a lot of carbon dioxide. It would be a mistake to draw a conclusion about the global distribution of carbon dioxide, based on those data, for all times of day. You have to be aware of the biases that may be imparted to the data that you have, relative to the data you wish you had.

Percentages may not add to 100 due to rounding