What is the Spatial Web and why should your company care?

First things first. What is the Spatial Web?    

Technically it is a three-dimensional computing environment that can seamlessly combine layers of information gathered from countless geo-located connected devices to create seamless immersive experiences. If that sounds a lot like the Metaverse, you’re right. The two terms are often used interchangeably. However, I prefer to use the name Spatial Web instead of Metaverse, believing the former is both more accurate and descriptive.  

Whichever term you use, the best way to understand it is to experience it. The good news is you can do that right now with your smartphone!  

Head outside for a short walk using Google Maps with Live View enabled. What you will see is an Augmented Reality (AR) view of your walking path. The traditional map view sits at the bottom of the screen, while the main screen area uses the camera and intelligently places icons and directional information on top of the real-world camera view.

This is the Spatial Web! It’s cool on the smartphone, but imagine if all sunglasses magically projected this as a layer and you did not have to hold the phone at arm’s length as you walk. This is a great way to start imagining what the Spatial Web will be in the near future as new devices seamlessly integrate into our lives. 

Ok, so why should your company care? 

The Spatial Web is coming. There’s no question about that. In fact, many of the component elements such as AR, VR, and the Internet of Things are already in use across multiple sectors. 

The gaming industry and the entertainment sector are the most visible leaders in harnessing the Spatial Web. And Facebook (now Meta) has become, perhaps, the most well-known proponent of it. 

But forward-thinking organizations in many other industries are piloting Spatial Web projects that demonstrate the expanse of potential use cases. 

There are good reasons for pursuing those use cases, too, with pilots already delivering benefits and good returns on investments. 

Let’s take an example where a complex critical system, say a wind turbine, is down and a mechanic is working on it. The mechanic could use AR-enabled goggles to pull up instructions to guide on-site repairs. Or that mechanic could use the goggles to see design schematics that, using artificial intelligence programs, help pinpoint problems. The mechanic could also use those AR-enabled and internet-connected goggles to collaborate with an engineer from the manufacturer, with the engineer being able to see in real-time exactly what the mechanic sees and does on the machine.

Such capabilities are already here and improving all the time, giving us a glimpse of what’s on the horizon.  

So, what’s ahead? A future where the Spatial Web will simply be part of how we live, work and engage. 

When that day arrives, these metaverse-type technologies will feel like an extension of yourself, just as smartphones have become ever-present ubiquitous tools that constantly inform, guide and connect us.  

And when that time comes, seeing someone wearing smart glasses will be the norm, not the exception. 

The timeline for that future state is years away. Gartner, a tech research firm, has predicted that widescale adoption of metaverse technologies is a decade away.

There are, for sure, technical hurdles that need to be overcome on this Spatial Web journey. 

There have been concerns, for example, about the heat generated from the compute processing in smart glasses, the battery life in connected devices and the vertigo some suffer when using virtual reality. 

But tech companies are working on those issues, and it’s only a matter of time before they have them worked out. After all, they have the incentive to do so as there’s existing market demand for these technologies. 

And we’re already seeing tech companies deliver big advances. They are developing audio technologies to ensure immersive audio experiences. They’re maturing haptic technology, or 3D touch, so you’ll be able to actually feel those actions happening in a virtual world. Some companies are trying to do the same thing with smell. 

These technologies will work with existing ones, such as geolocational tech, sensors, artificial intelligence, 5G and eventually 6G, to instantaneously deliver layers of information to users. 

While a fully-realized Spatial Web is still years away, you shouldn’t wait to start making plans for how you will harness its potential; you can’t wait to think about your strategy until everybody starts buying connected glasses. 

If you do, then you’ll already be behind. And if you wait too long, you’ll miss out. 

The reality today, right now, is that you will have to respond to the Spatial Web as it evolves and as it delivers new ways for organizations and individuals to interact. 

This new technology-driven realm will enable increasingly frictionless services to consumers, seamless B-to-B services and new potential applications that some are already starting to imagine. 

Here at Strive, we are exploring the component technologies that collectively make up the emerging Spatial Web. 

And we’re partnering with clients to envision their Spatial Web strategies, outline the infrastructure and skills they’ll need, and devise the optimal business cases to pursue – all so they’re ready to move as the technologies mature and the Spatial Web moves into the mainstream.

Connect with Strive! 

Here at Strive Consulting, our subject matter experts team up with you to understand your core business needs, while taking a deeper dive into your organization’s growth strategy. Whether you’re interested in the Spatial Web or an overall Technology Enablement assessment, Strive Consulting is dedicated to being your partner, committed to success.


Proposed Federal Law Would Boost Security Training for Utilities, Critical Infrastructure Operators

Legislation aims to bolster cyber defenses, but operators should still act now to strengthen security skills

Congress wants to require organizations deemed critical infrastructure to have a cybersecurity awareness training program. And it’s pushing through legislation that would provide such training for free.

More specifically, the Industrial Control Systems Cybersecurity Training Act requires the Cybersecurity and Infrastructure Security Agency – better known as CISA – to provide cybersecurity workers with no-cost training on best practices for securing industrial control systems.

It also calls for CISA to provide both virtual and in-person training, with courses targeted to workers at various skill levels.

These programs would be available to security workers in government entities as well as the private sector.

This new training initiative would supplement a raft of existing training programs already offered by CISA.

The government’s goal here is to ensure security professionals know about emerging threats and how they can most effectively mitigate them – an essential skill in a world where adversarial tactics and techniques are constantly evolving.

Indeed, the bill’s sponsor – U.S. Rep. Eric Swalwell, a California Democrat serving on both the House Select Committee on Intelligence and the House Homeland Security Committee – introduced the bill in May in response to the increasing number of cyberthreats coming out of Russia, saying that the country “must be cognizant of cyberwarfare from state-sponsored actors.”

He noted that this legislation “would help train our information technology professionals in the federal government, national laboratories, and private sector to better defend against damaging foreign attacks.”

Members of both parties agreed: The House on June 21 passed the bill with strong bipartisan support, sending it to the Senate for its approval.

This training initiative has Strive’s vote of confidence, too, as we have long believed that a well-trained, well-informed cybersecurity workforce is essential to protecting both operational technology (OT) and information technology (IT).

And we expect this bill to be enacted into law – as it should be.

Our country needs more training to counter the growing number and sophistication of attacks coming at us here in the United States and at the critical infrastructure sector in particular.

We also recognize that this training could help address some of the challenges that organizations face on the talent front.

First, there’s a lack of cybersecurity professionals in general. A report from the International Information System Security Certification Consortium, or (ISC)², puts the number of unfilled cybersecurity jobs at 377,000 in the United States alone. (It’s about 2.7 million globally.)

The nonprofit Cyberseek puts the number of unfilled U.S. cybersecurity positions even higher, at 714,548 as of mid-August.

At the same time, many of the existing cybersecurity professionals lack some of the essential skills needed to be most effective in their roles – a lack that’s particularly acute in the area of OT cybersecurity, where practitioners must have an understanding of both IT and OT systems as well as the policies, procedures and tools that can protect them.

Consider the findings from The 2022 State of Operational Technology report, which surveyed 3,500 OT security professionals across the globe and found that 69% believe the lack of OT security staff “is diminishing the effectiveness of their organization’s OT security.”

The ICS training act, if passed by the Senate and then signed into law by President Biden, could help alleviate some of those dire findings.

That said, we see no need for critical infrastructure owners and operators to wait for Congress to finalize this act.

Upskilling your existing staff and providing ongoing training to your team is one of the most effective investments you can make – and it’s one you should be making now.

Your security pros already know your environment and have a good handle on the components that present the highest risks and, thus, need the highest levels of protection. So give them the additional skills they need to perform at their best and to their top potential.

As mentioned above, CISA already offers numerous free training programs, including both independent study and instructor-led courses, tailored for critical infrastructure owners and operators. That’s in addition to the training programs offered by multiple other sources, including (ISC)² and SANS as well as colleges and universities.

At the same time, critical infrastructure owners and operators should review the cybersecurity awareness training program for their overall workforce to ensure it’s comprehensive and up-to-date.

It’s worth the effort.

According to the World Economic Forum’s Global Risks Report 2022, 95% of cybersecurity issues can be traced to human error. And the 2022 State of Operational Technology report found that 79% of survey respondents think human error poses the greatest risk for compromise to OT systems.

With figures like that, it’s easy to demonstrate why solid cybersecurity training programs for both security pros and general staff pay off. We see it. The U.S. House of Representatives sees it. And you should know, too, that an investment in security training delivers real returns by decreasing your risk and increasing your security posture.

So, if and when the ICS security training act becomes law, take advantage of the free courses. But don’t feel you should wait for it. Training and up-skilling should be an ongoing activity, and you should be doing it now.

Looking for more information?

Our Cybersecurity & Compliance solutions ensure that your business is protected and secured from cyber threats whenever, wherever. Minimize your risk to cyber attack exposure and regulatory fines without impacting your business operations – Strive can help.


How to Modernize A Data Strategy Approach

Modernizing your company’s data strategy can be a daunting task. Yet making this change — and doing it right — has never been more important, with torrents of data now dictating much of the day-to-day in many organizations.

Missing the boat on making this change now can hold your business back in meaningful ways down the line. Changing your approach to capturing, sharing, and managing your data can help you avoid many of the pitfalls that befall businesses today, such as duplicating data across the organization and processing overlaps.

Implementing an effective data strategy will enable you to treat data not as an accidental byproduct of your business, but an essential component that can help you realize its full potential. Setting out clear, company-specific targets will help you tackle these challenges effectively.

Before you embark on this journey, however, it is crucial to understand why you want to modernize and where you are now and identify the most efficient path to the finish line.

Strategic Vision – Future of Your Data

The first step is to define a vision for your own data modernization. Do you know why you want to modernize your data strategy and what your business can gain in the process? Do you have an aligned strategy and a clear idea of what a thriving data ecosystem will entail?

Defining your goals — whether that is to gain a better grasp of your data, enhance accuracy or take specific actions based on the insights it can provide — is paramount before initializing this process.

Equally essential is to ensure early on that executive leadership is on board, since overhauling your data strategy will require significant investment in time and resources. This will be needlessly difficult without full buy-in at the very top. Figuring out how better data management will tie in with your overall business strategy will also help you make your case to leadership.

Ways of Working – Operating Model

Next, you need to figure out how this modernization will take place and pinpoint how your operating structure will change under this new and improved system.

Setting out ahead of time how data engineers and data scientists will work with managers to shepherd this strategy and maintain it in the long run will ensure a smooth process and help you avoid wasting time and resources.

Identifying what your team will look like and gathering the required resources to implement this project will lead you directly into implementation.

Accessibility & Transparency — See the Data

Gaining access and transparency, at its core, is about implementing new systems so that you gain better visibility of the data you have. You want to make sure that your structured and unstructured content — and associated metadata — is identifiable and easy to access and reference.

Putting the infrastructure in place to ingest the data your business already creates, and format it in a way that lets you access it efficiently, might appear basic. But figuring out how to achieve this through data integration or engineering is a vital step and getting this wrong can easily jeopardize the entire project.

Data Guardianship — Trust the Data

Once you have brought your data to the surface, determining ownership within your organization will ensure both that accuracy is maintained, and that data is managed and updated within the correct frameworks. 

This includes applying ethical and data sharing principles, as well as internal governance and testing, so that you can ensure your data is always up-to-date and handled responsibly. Making sure that you can trust the data you are seeing is essential to guarantee the long-time benefits you are hoping to gain through data modernization in the first place. 

Plus, you can rest easy knowing that your reporting data is accurate instead of worrying about falling foul of external compliance metrics and other publication requirements.

Data Literacy — Use the Data

Tying back to your internal data management, literacy is all about making sure that you have the right skillsets in place to make savvy use of the insights you are gaining from your data.

You and your team need to make sure you are trained and equipped to handle this process both during implementation and once your new system is in place — so you can leverage the results in the best possible way and make it easier to access and share data throughout the company.

After all, making secure financial and operational decisions will depend on how much you trust in your own core capabilities. Ideally, a successful data management strategy will enable you to understand every part of your business. This applies not just internally, but also spans your customers, suppliers and even competitors.

Take the First Step with Strive

Our experts at Strive Consulting are here to help you assess whether you are ready to embark on this journey and provide you with a clear perspective of where you are, what’s involved, and how to get there. We are ready to walk you through this process and make sure the final product ends up in the right place, so you can be confident that your data is in safe hands — your own. Learn more about Strive’s Data & Analytics and Management Consulting practices HERE.


Cybersecurity for Utilities: Compliance Does Not Equal Security

The utilities industry remains one of the most heavily regulated sectors in the United States. In fact, every utility must demonstrate its compliance with a significant number of rules and regulations designed to ensure that they each can deliver clean, reliable and safe energy, water or related services.

Given such regulatory obligations, utility executives are intensely focused on ensuring that their organizations comply with the guidelines established by the Environmental Protection Agency, the Federal Energy Regulatory Commission and other such entities. Similarly, utility executives are diligent in making sure they align with frameworks such as the North American Electric Reliability Corporation’s Critical Infrastructure Protection standards (NERC CIP).

That attention to regulations is well-placed. Compliance is non-negotiable, not only because it’s required but because it certifies that you as a utility are performing at the highest levels of safety and efficiency. However, you should not assume that being compliant with all relevant rules and regulations means you’re safe from cyber threats. Compliance does not equal security.

Organizations in the utilities space – and indeed in all other industry verticals – are finding that even when they meet regulatory requirements, they still can have vulnerabilities that unduly expose them to cyber risks.

How can this be? Just consider, for example, that CIP didn’t regulate low-impact assets until recently. In that case, a utility could have been fully compliant with all CIP standards yet still have unprotected low-level assets – a gap that hackers could have exploited and used as entry points to higher-impact assets that, if successfully breached, could have hindered utility operations.

The proof of the compliance vs. security gap can be seen in figures from Verizon’s 2021 Data Breach Investigations Report. It tallied 546 incidents this year (including 355 with confirmed data disclosures) in the mining, quarrying, oil & gas extraction, and utilities sector. Furthermore, the report found that social engineering accounts for 86% of the breaches in the sector, followed by system intrusions and basic web application attacks.

Such statistics indicate that organizations remain vulnerable to cyber attacks even when they’re fully compliant with all the rules and regulations that pertain to this industry. Note, for instance, that phishing attacks and other similar social engineering hacking strategies could possibly succeed even if just one single person in a fully-compliant enterprise falls for the scam.

We see a few other reasons for this dichotomy between being compliant and not necessarily being secure.

As stated earlier, some utilities continue to falsely believe that they’ve adequately secured their environments against cyber threats if they are compliant with all the rules and regulations. Therefore, they’re not investing in needed security measures that fall outside of regulatory requirements.

Similarly, some utilities focus more on compliance and thus invest there to the exclusion of adequate security investments. In such cases, executives often want to ensure that the utility doesn’t encounter negative findings and subsequent fines from regulators; they may not realize that the cost of a cyber incident could be significantly more and bring much more disruption than any regulatory action would.

In other cases, utilities combine security and compliance in one function and task the same people with both jobs – even though those two functions require different skills and expertise, and the people performing them must know and implement completely different strategies and standards. In such circumstances, organizations run the risk of doing neither security nor compliance well and thus falling short in both areas.

On the other hand, some utilities have compliance teams and security teams working independently of each other, each in its own silo. That practice can lead to duplication of efforts, wasted resources and missed opportunities to create a strategic risk management approach that addresses both needs in the most efficient, effective manner.

None of these scenarios is acceptable in an era when the number of cyber threats is growing – one study counted 304 million ransomware attacks worldwide in 2020, a 62% increase from the 2019 tally – and the impact of such attacks is also on the rise.

Companies in critical industries such as utilities are facing a constant threat to their ability to maintain operations and deliver essential services. Given that reality, you must devote the same high-level diligence to security as you commit to compliance.

That means having a security team with the resources needed to think comprehensively about the threats that could impact your utility, the likelihood and potential impact of those threats, and how to guard against them.

It means, too, having a security team capable of implementing, maintaining and maturing the people, processes and technology required to protect the enterprise.

At the same time, you must create an environment where your security and compliance teams can work collaboratively. This helps both departments stay on top of needed actions, as regulators are constantly updating standards to meet new challenges and address emerging threats. It also allows both teams to devise strategies that meet all relevant rules and regulations in a holistic fashion that eliminates gaps but doesn’t waste resources by duplicating efforts.

Keep in mind the payoff for such efforts. You’ll have an environment that delivers the reliability and security the company needs and your customers expect, where compliance requirements inform the security strategy and vice versa. Indeed, in the end you’ll have security and compliance in lockstep to effectively counter their common foe: those bad actors who seek to harm your organization.

If your utility is compliant it could still be ripe for a cyberattack. Let’s talk about how we can help!

3 Ways to Improve Collaboration in the Remote / Hybrid World

We’ve all been in that meeting. There were probably too many people invited, the agenda is vague, 90% of folks are remote and off camera (10% of those are probably folding laundry or some other household chore while they listen in). Then you hear the inevitable words “Let’s brainstorm this.”  2 or 3 enthusiastic participants end up doing most of the talking and the conversation takes on a circular characteristic until a senior leader or manager tries to stop the swirl by making a suggestion of their own. Everyone else is inclined to fall in line, and the meeting moves on to the next arduous loop. After over an hour, you’re left wondering: What did we actually accomplish? 

It’s time to face facts that collaborating in the remote and hybrid world requires different ways of working together. The natural structures of the office that act as palaces of accountability, collaboration, and innovation have been replaced by impersonal video calls in far flung home offices.

Current trends would suggest that the reality of remote and hybrid work isn’t about to end anytime soon, but there are things you can do now to make your virtual meeting time more efficient and enjoyable.  

Here are 3 tips to start improving your virtual meetings.

  • Never start from scratch: structure and visual starting points are always in style

One thing that most people dislike is uncertainty. People are more willing to engage when they know what to expect and feel confident their time will be spent effectively. By providing agendas, objectives, and materials to review before the meeting, you’ll prime your audience or colleagues to start thinking about topics you want to discuss (even if subconsciously) and get better feedback and participation when the time comes.   

About 65% of people are visual learners 1. Having visual aids to help provide context and bring people up to speed quickly will always supercharge your meeting efficiency, particularly in virtual settings, where you can’t draw pretty pictures on whiteboards. Having something to react to will always elicit more effective feedback and progress than trying to start from scratch.

  • Use design thinking techniques to unlock diversity in brainstorming sessions

Idea generation and innovation are some of the most difficult things to accomplish in a virtual setting. At Strive, we often leverage ideation techniques from design thinking practices such as affinity mapping, mind mapping, or SCAMPER (among many others) to make brainstorming more enjoyable and participatory for your team. By introducing individual brainstorming and voting principles within these techniques, you’re able to increase participation and better democratize decision making. Using these methods will help your team quickly align around creative ideas everyone can get excited about. Turning boring meetings into fun workshops helps bring some variety and intrigue to your colleagues’ days – and they’ll thank you for it.

  • Leverage a virtual collaboration tool like Miro™

Virtual white-boarding tools have made huge improvements since being thrust into the limelight during the COVID-19 pandemic. We leverage tools like Miro™ with many of our clients to help facilitate engaging workshops, capture requirements, and build relationships. The features of the infinite virtual white-boarding canvas help you capture some of the magic previously only possible when working in person. On top of the real-time collaboration these tools enable, they also provide access to a universe of templates and ideas for creative ways to effectively facilitate a variety of types of meetings (including design thinking techniques mentioned above).

Whatever your role may be in the corporate world, meetings are practically unavoidable, but with these tips and tools, you can become the meeting hero that saves your team from boring and unproductive virtual meetings.

Strive has become experts at virtual collaboration… Need help?

Here at Strive, we take pride in our Management Consulting practice, where we can assist you in your initial digital product development needs, all the way through to completion. Our subject matter experts team up with you to understand your core business needs, while taking a deeper dive into your company’s growth strategy.

An Example of a Living Data Mesh: The Snowflake Data Marketplace

The enterprise data world has been captivated by a new trend: Data Mesh. The “What Is Data Mesh” articles have already come out, but in this publication, I want to highlight a live, in production, worldwide Data Mesh example – The Snowflake Data Marketplace.

As in every “new thing” that comes down the pike, people will change the definition to suit their purposes and point of view, and I am no different. Zhamak Dehghani, a Director of Emerging Technologies at ThoughtWorks, writes that Data Mesh must contain the following shifts:

  • Organization: From centrally controlled to distributed data owners. From enterprise IT to the domain business owners.
  • Technology: It shifts from technology solutions that treat data as a byproduct of running pipeline code to solutions that treat data and code that maintains it as one lively autonomous unit.
  • Value: It shifts our value system from data as an asset to be collected to data as a product to serve and delight the data users (internal and external to the organization).
  • Architecture: From central warehouses and data lakes to a distributed mesh of data products with a standardized interface. 

It is on this principle that I take departure and advocate the Snowflake Data Cloud. I believe that the advantages that have always been in a centralized data store can be retained, while the infinite scale of Snowflake’s Data Cloud facilitates the rest of the goals behind Data Mesh.

With so much to understand about the new paradigm and its benefits, or even to grasp what an up-and-running Data Mesh would look like, even simplified overview articles to date are lengthy. As I wrestled with coming to my own understanding of Data Mesh and how Strive could bring our decades of successful implementations in all things data, software development, and organizational change management to bear, I was hit by a simple notion. There is already a great example of a successfully implemented, world-wide, multi-organization Data Mesh – The Snowflake Marketplace.

There are more than 1,100 data sets from more than 240 providers, available to any Snowflake customer. The data sets from the market become part of the customer’s own Snowflake account and yet are managed and kept up to date by providers. No ETL needed and no scheduling. When providers update their data, it is updated for all subscribers. This is the definition of “data as a product”.

In effect, The Snowflake Data Cloud is the self-service, data-as-a-platform infrastructure. The Snowflake Marketplace is the discovery and governance tool within it. Everyone that has published data into the Marketplace has become product owners and delivered data as a product.

We can see the promised benefit of the Snowflake Marketplace as Data Mesh in this – massive scalability. I’m not speaking of the Snowflake platform’s near-infinite scalability, impressive as that is, but of how every team publishing data into the market has been able to do so without the cooperation of another team. None of the teams that have published data have had to wait in line to have their priorities bubble up to the top of IT’s agenda. A thousand new teams can publish data today. A hundred thousand new teams can publish their data tomorrow.

This meets the organizational shift from centralized control to decentralized domain ownership, the value shift to data as a product, and the technology shift to data and the code that maintains it together as one product.

Data consumers can go to market and find data that they need, regardless of which organization created the data. If it’s in the Snowflake Marketplace, any Snowflake customer can use the data for their own needs. Each consumer of the data will bring their own compute, so that nobody’s use of the data is impacting or slowing down the performance of another team’s dashboards.

Imagine that instead of weather data published by AccuWeather and financial data by Capital One – it’s your own organization’s customer, employee, marketing, and logistics data. Each data set is owned by the business team that creates the data. They are the team that knows the data best. They curate, cleanse, and productize the data themselves. They do so on their own schedule and with their own resources. That data is then discoverable and usable by anyone else in the enterprise (gated by role-based security). Imagine that you can scale as your business demands, as new businesses are acquired, as ideation for new products occurs. All facilitated by IT, but never hindered by IT as a bottleneck.

With Snowflake’s hyper scalability and separation of storage and compute, and its handling of structured, semi-structured, and unstructured data, it’s the perfect platform to enable enterprise IT to offer “data as self-serve infrastructure” to the business domain teams. From there, it is a small leap to see how the Snowflake Data Marketplace is, in fact, a living example of a Data Mesh with all the benefits realized in Zhamak Dehghani’s papers.

As a data practitioner with over 3 decades of my own experience, I am as excited today as ever to see the continuous evolution of how to get value out of data and deal with the explosion in data types and volumes. I welcome Data Mesh and the innovations it is promising, along with Data Vault 2.0, cloud data hyper-scale databases, like Snowflake, to facilitate the scale and speed to value of today’s data environment.

Strive is a proud partner of Snowflake!

Strive Consulting is a business and technology consulting firm, and proud partner of Snowflake, having direct experience with query usage and helping our clients understand and monopolize the benefits the Snowflake Data Platform presents. Our team of experts can work hand-in-hand with you to determine if leveraging Snowflake is right for your organization. Check out Strive’s additional Snowflake thought leadership HERE.

ABOUT SNOWFLAKE

Snowflake delivers the Data Cloud – a global network where thousands of organizations mobilize data with near-unlimited scale, concurrency, and performance. Inside the Data Cloud, organizations unite their siloed data, easily discover and securely share governed data, and execute diverse analytic workloads. Join the Data Cloud at SNOWFLAKE.COM.

Where Is Ransomware Most Prevalent?

Fact: Over 50% of ransomware attacks are introduced to networks via internal enterprise or IT networks. Strive’s VP of Cybersecurity & Compliance, Dominick Birolin, CISSP, CISA, NSE3, explains how the best way to prevent ransomware attacks is to have a formal cybersecurity process in place.

Transcript:

I think that ransomware is most prevalent in Industrial Control System environments due to the culture of not having proper cybersecurity controls in place to mitigate against the propagation and the infiltration. You have to remember that over 50% of attacks actually are introduced to networks via your enterprise or IT network, and then they propagate across to the OT ICS boundary.

It used to be that these networks were air gapped, but that’s no longer the case. The need to pull data out of these networks has increased attack vectors that we previously hadn’t seen.

Security is not convenient. You do have to be diligent about the way you approach your defense in depth. Within these networks, the culture is to run lean and to remain operational. This makes it increasingly difficult to apply cybersecurity controls such as patch mitigation, perimeter defense, network segmentation, etc.


Migration to the Cloud Needs Experienced Help

Executives are already sold on the benefits of moving to the cloud. They know that they need cloud computing to be agile, fast, and flexible; they know cloud allows them to successfully compete in this digital era.

Yet, many enterprise leaders struggle to advance their cloud strategies, with plenty of companies still working to migrate away from on-premise applications and out of their own data centers.

Here at Strive Consulting, we aren’t surprised by such reports: We know that cloud migration comes with numerous significant challenges, and research backs that up.

Consider the figures from the 2022 State of the Cloud Report from the software company Flexera.

It found that understanding application dependencies is the no. 1 challenge to cloud migrations, with 53% of respondents listing this as a pain point.

Other top challenges include assessing technical feasibility, assessing on-premise vs. cloud costs, right-sizing/selecting best instance, selecting the right cloud provider, and prioritizing the applications to migrate.

Such challenges deter and derail many cloud migration plans.

Many companies don’t have the technical skills they need to address those specific challenges to move their cloud strategies forward, as their staff has, understandably, been trained and focused on supporting their on-premise and legacy systems.

On a similar note, organizations don’t have in-house workers with the experience required to analyze and assess all the available cloud options and to select the best architecture for current and future needs.

As a result, companies slow-walk – or outright put off – their cloud migrations. Or they move forward as best they can, only to realize that they need to redo their work when their new cloud infrastructure fails to yield the financial or transformational benefits they expected.

Those scenarios demonstrate why companies need an experienced hand when they migrate to the cloud and why they need people who can advise them on the right architecture for their own specific environment and their industry’s unique needs.

At Strive, we understand the myriad cloud options – from serverless, containers and virtual machines to infrastructure-as-a-service, platform-as-a-service, and software-as-a-service. We understand the nuances and requirements associated with each choice, the strategic reasons that would make one better than another, how they work together, and the supporting pieces needed to optimize each one’s performance.

Take virtual machines, for example. Going that route requires the creation of automation scripts to spin machines up and turn them off based on use. Companies without much experience or expertise in virtual machines may overlook this critical component and, thus, end up with infrastructure that doesn’t deliver on its objectives.

Companies find that this is often the case, particularly when they’re embarking on their own.

In fact, selecting the wrong cloud option and implementing suboptimal cloud infrastructure are two of the leading reasons for poor outcomes and failed initiatives.

When we partner with companies to advance their cloud adoption, we start by understanding their own unique environment, their enterprise needs, and any industry-specific requirements that could impact their choices around cloud.

We work with our clients to determine whether, for example, they want to modernize by re-architecting their systems and using platform-as-a-service.

Whether the right move is shifting everything as is to the cloud.

Whether going with IaaS or SaaS provides the features, functions, and cost benefits they’re looking for.

Whether and when to go with hybrid, multi-cloud, multitenant, private, or public cloud.

Or whether it’s better to go the serverless route, leveraging features like containers, so they’re not paying for consumption when apps aren’t in use.

We help clients understand the financial implications of their cloud strategy decisions, and we build monitoring tools to track both performance and consumption, so they can detail what they’re using and how much that usage costs. We know from experience that finance departments are particularly interested in that information. But we also see how it benefits IT leaders, who want to allow their developers the freedom to innovate, but still want visibility into the resources being used and at what cost.

We also know from experience the importance of building a cloud environment that’s both secure and scalable, with automation in place to build that infrastructure over and over so organizations can easily build up and tear down as often as needed.

Furthermore, we advise companies on the change management that’s required to successfully migrate to the cloud. As such, we work with developers and engineers to understand new processes and to support them as they develop the expertise they’ll need to maintain, manage, and eventually mature an organization’s cloud strategy.

There’s one more point I want to address: Strive knows that a cloud migration plan is not just about technology, that it’s also – and, in fact, more so – about what the technology can do for the business.

The right cloud environment enables companies to pivot quickly. Companies can rapidly and cost-effectively create or adopt new functions or test and tweak proofs of concept because they can spin up and wind down computing resources.

All of this enables faster time to market with products and services and an overall more responsive organization.

Our experienced teams help clients achieve that kind of transformation by helping them design and implement the right cloud infrastructure to support those bigger objectives.

Thinking about Migrating to the Cloud? Strive can help!

We take pride in our Technology Enablement practice, where we can assist your organization with all of your cloud enablement needs. Our subject matter experts team up with you to understand your core business needs, while taking a deeper dive into Platform Assessment, Platform Migration, and even Platform Modernization.


Exercising Data Governance Best Practices – How to Stay the Course

Have you ever planned to wake up early in the morning to work out, but instead chose to lie in bed and catch up on some sleep? This can happen even after you have committed—mentally, at least—to a new workout regimen.

That’s because the hard part isn’t resolving to do something new; it’s adjusting your daily habits and generating enough momentum to carry the changes forward. This requires discipline and drive.

The same challenges apply to data governance initiatives. If you have ever been part of a data governance program that hesitated, backfired or stopped completely in its tracks, you know what I’m talking about. Companies are accruing ever-increasing amounts of data and want to be able to transform all that information into insights the same way you want to get in shape. The first step is data governance, but getting your organization to buy-in to a new program conceptually is the easy part. Taking action and sticking to it can be much more challenging.

Indeed, many organizations believe that simply implementing technology—like a Master Data Management system—will improve the health of their data. But if you simply buy workout equipment, do you get healthier? Tools will help streamline your organizational processes and complement information governance and information management, but building and maintaining a culture that treats data as an asset to your organization is the key to ongoing success.

Below are some key factors to building good habits to generate momentum once your data governance program is underway:

1. Impart a sense of urgency for the program.

For every organization with a plan to manage its data assets, there needs to be a sense of urgency to keep the plan in place. The reasons are unique from organization to organization, but they might be driven by compliance, customer satisfaction, sales, revenues, or M&A. Regardless of the reason, it needs to resonate with senior leadership and ideally be tied to the company’s strategic goals in order to be most effective.

2. Communicate, communicate, communicate.

The cornerstone to a successful data governance program is a well-organized (cross-departmental) communication plan. A solid plan helps remove the silos and maintain cross departmental support for the initiative. Seek your champions throughout the organization and meet with key stakeholders regularly to document their pain points. It is important to get people engaged early to keep the excitement going.

3. Operationalize change within the organization.

Your delivery will need to be agile in nature because the plan you put in place will naturally evolve. The goal is to learn what works within your organization early on to ensure you deliver value quickly and the process is sustainable moving forward. Complete tasks iteratively and agree upon a small set of high-value data attributes to aid in validating your data governance process. In addition, manage your data elements to ensure their best quality.

4. Make the plan as RACI as possible.

Actively listen to your supporters and put together a plan that encompasses a RACI (Responsible, Accountable, Consulted & Informed) model so that everyone on the team knows their role across the process. This plan will keep your team focused and guide your initiatives moving forward. You’ll raise your odds of success by forming a strong governance organizational structure with roles and responsibilities in place (for data ownership, stewardship and data champions), along with approvals that complement your existing change management process.

5. Measure, Communicate, Repeat.

Keep in mind that “you can’t manage what you don’t measure.” You’ll need to face the facts and communicate your findings. It’s wise to document and implement KPIs (Key Performance Indicators) so that you can measure the progress of your initiative over time. Linking the KPIs to revenue or sales loss, for example, can be a strong indicator to help drive change. As you learn more about your data, it’s important to communicate what’s meaningful to your stakeholders and continue to move forward.

Similar to continuing on a workout regimen, data governance demands a discipline that takes time and patience to fine tune. This requires changing years of undisciplined behaviors regarding data within your organization, and the change will not happen overnight. Changing these behaviors is an ongoing process that needs to resonate throughout an organization’s culture in order for success to occur.

In addition, it’s important to keep things fresh. When working out, you need to rotate through different core muscle groups and vary the routine to keep things interesting and progressive. It’s the same with data governance initiatives. Don’t let people get bored with the same repetitive activities day in and day out. Try conducting data discovery sessions where team members present findings from an internal or external dataset that would be interesting to other team members. You can also share successes and learnings from past data-related projects to drive discussion. Another suggestion is to discuss future cross-departmental data projects (or “wish list” items) that can lead into great data roadmap discussions. The objective is to keep everyone engaged and finding value in meetings so that the team continues to show up and make progress.

Remember that data governance is a journey that requires commitment and hard work. As with exercise, just working out for a month is a great start, but it’s with continued dedication that you really start to notice the change. If you want to take your organization to the next level, you need to develop the discipline toward information management that your organization requires for long-term sustainable success. For those with little experience in implementing or maintaining a data governance plan, experienced consultants can be of great value.

Strive Can Help With Your Data Governance Needs! 

Here at Strive Consulting, our subject matter experts team up with you to understand your core business needs, while taking a deeper dive into your organization’s growth strategy. Whether you’re interested in modern data integration or an overall data and analytics assessment, Strive Consulting is dedicated to being your partner, committed to success. Learn more about our Data & Analytics practice HERE.


State of the Industry: Russia-backed Cyberattacks are Targeting the Country’s Critical Infrastructure

Russia has shown us the damage it’s capable of inflicting.

In April, Russian hackers hit a Ukrainian energy company with malware that, had it successfully destroyed the targeted computers, would have caused a blackout for 2 million people.

A suspected Russian hacker in December of 2015 successfully attacked a Ukrainian power grid, knocking out power for more than 200,000 consumers for hours.

And, of course, there was the Russian-backed attack against Colonial Pipeline here in the United States in May 2021, which shut down the company’s distribution operations and led to fuel shortages along the East Coast.

Unfortunately, as the recent warnings indicate, we know the Russians are escalating their cyber activities against American critical infrastructure, including our electric grid. And the potential for another successful attack leading to another round of shortages or power outages exists.

Utility owners and operators report that they are seeing more scans against their firewalls and external-facing web application services, both indications that hackers are looking for open ports and known vulnerabilities that haven’t been patched. We know that this kind of activity is often a prelude to an attack.

The industry is better defended than it was just a year ago, as the Colonial Pipeline attack served as a real wake-up call for many. As a result, we saw many utilities strengthen their cybersecurity postures by investing in their security teams, tools and policies.

But those investments aren’t enough to adequately harden security at all – or even most – of the critical infrastructure entities in this country.

In fact, researchers with Gartner have estimated that “less than 30% of U.S. critical infrastructure owners and operators will meet newly-mandated government security requirements for cyber-physical systems” through 2026.

We must recognize that for too long the industry has had a culture of running extremely lean, which, in turn, has led to a chronic underinvestment in security. At the same time, it continues to run operations on legacy systems that cannot be patched.

That combination has left utilities overly vulnerable to attacks today.

Now is the time to change that.

CISA lists a number of recommendations as part of its Shields Up guidance to organizations. It advises CEOs and other executives to empower their CISOs, include CISOs in decision-making and prioritize security investments. CISA also advises executives to lower reporting thresholds, test their incident response plans, focus on continuity and – ominously – “plan for the worst.”

CISA also recommends a series of proactive defense actions, such as implementing multifactor authentication and prioritizing software updates, to help reduce the likelihood of a damaging cyber intrusion.

Here at Rokster, we endorse such moves and are advising utility owners and operators to tighten their defenses and strengthen their security posture. Those are always necessary moves, but they’re more critical today than ever before given the Russian-backed hacking activities we’re seeing.

Indeed, we’re also recommending that utilities take additional steps, such as:

  • disabling nonessential connectivity to business-critical systems
  • increasing the security of remote-access capabilities
  • increasing the sensitivity of SIEM tools to reduce the threshold for alerting on potentially suspicious activities
  • paying more attention to anomalies that could hint at compromise
  • adding or increasing both endpoint detection and threat detection capabilities
  • automating security responses as much as possible to bring speed and efficiency, while decreasing the chance of alert fatigue
  • adding staff to ensure the security team has the capacity to perform the work needed today

We’re also advising owners and operators to, first, review their incident response plans and then run drills using them. These two exercises should reveal any shortcomings with the plans, allowing those to be addressed now instead of during an actual event. They also help teams develop some muscle memory and understand the procedures they must follow to ensure continuity and recovery.

Advisors and owners also want to build into their incident response plans the procedures to follow for simultaneously conducting a root cause analysis. This is a critical step that you don’t want to skip. Hackers often return to where they’ve had success, and if you don’t address the vulnerabilities that the hackers exploited the first time, you could find yourself victimized again.

Given the state of the world, we agree with government officials and other security leaders that there’s a high likelihood of attacks. And given the existing vulnerabilities within critical infrastructure, we unfortunately think we could see something like last year’s Colonial Pipeline incident happen again.

However, we don’t accept that as an inevitability. We know that the more actions we take now, the more investments we make in a defense-in-depth security strategy, the better we can get at thwarting attacks – wherever they come from.
