Category: Transformation

InnovationTransformation
The Innovation Paradox

It is hardly “breaking news” that technology is radically changing almost every aspect of our lives and the world around us – but we talk far less about the challenges that come along with this rapid evolution. And we certainly don’t know the answer to the important question: what is the ultimate outcome of this Digital Revolution?

To understand this issue, we should recognize exactly how fast things are really changing. A good metric for this purpose is the floating-point operation: a single mathematical calculation (like addition or multiplication) on two numbers that have decimal points.

In 1954, IBM introduced the first mass-produced computer with dedicated floating-point arithmetic hardware. The IBM 704 was regarded as the only computer that could handle complex math at that time: it could execute up to 12,000 floating-point operations per second, or FLOPS. It also weighed 15 tons and cost approximately $20,000,000 inflation adjusted U.S. dollars.

In 1984, thirty years later, a supercomputer called the Cray X-MP/48 was released, boasting a peak system performance of over 800 million FLOPS. It cost $36,000,000, adjusted for inflation.

Today, 36 years later, a single iPhone 11 claims up to one TRILLION FLOPS, about 1,250 times faster than the Cray supercomputer. Yet it costs 20 thousand times less and takes up a tiny fraction of the space. High end graphics chips (GPUs), for just a few thousand dollars each, can perform over 10 trillion floating point operations per second.

To try to comprehend this, that is approximately one billion times faster than the first IBM 704. If it had started running a computation on the day it was released, which just finished today, 66 years later, it would take a single modern GPU under TWO SECONDS to complete that same calculation.

And with little more than a credit card, anyone can spin up hundreds or even thousands of times this power in the Cloud, providing easy access to quadrillions of FLOPS. For the record, quadrillion means “one thousand million million” (in case you forgot). This is a trillion-fold increase in computing power from that 30,000-pound calculator.

If you didn’t care much for math in school, you may be wondering why anyone should give a damn about how fast we can multiply numbers together. Well, it turns out that all these FLOPS form the basis for what may turn out to the most disruptive technology of all time: they power the neural networks that are responsible for rapid advances in machine learning and artificial intelligence.

Ok, so maybe all those big numbers are important after all. And yet – what has this unprecedented explosion of raw power gotten us? To be sure, we now have many conveniences that might have seemed like magic a few decades ago, such as the amazing capability that a smart phone delivers to the palm of our hand. And things like autonomous vehicles, while not quite widespread, are steadily marching forward – relatively few people would have predicted it 10 years ago.

But if you have been paying attention to world recently, you might also have seen some less magical things. For example, the contents of our private lives are being spilled out into the open, for profit and political gain. Major technology platforms have been corrupted to sow disinformation and division in service of geopolitical conflict. Digital media is driving increasing polarization of ideology and isolation of thought. And of course, increasing dependence and addiction to technology is driving actual physical and social isolation.

And perhaps even scarier, over the last few years we have seen cyber-criminals holding countless enterprises and even local governments hostage with ransomware attacks. We’ve found evidence of nation-state actors conducting cyber-attacks against U.S. critical infrastructure, including nuclear power plants. And generally, we have witnessed an ongoing escalation of criminal and nation-state cyber activity across the board, leaving us in a perpetual state of “cyber arms race”.

I have always been fascinated by the power of technology to solve problems, but recent events continue to highlight that as the entire world is becoming increasingly dependent on rapidly evolving technology, most of our most critical institutions are not keeping up. And it’s not clear they can fix it.

To make matters worse, everything is accelerating – not just raw computing power, but advances in platforms and techniques that build upon one another to make the next advance even faster. An ever increasingly connected ecosystem that allows knowledge and capabilities to be shared effectively, driving even more rapid innovation.

Acceleration is defined as an increase in the rate of change. When the rate of acceleration changes, that is called “jerk” (like when you are driving a sports car and hit the gas from zero). I personally believe we are currently experiencing a technological “jerk”, in which the rate of acceleration is increasing sharply.

Consequently, instead of taking 60 years for another trillion-fold increase in computing power, maybe it only takes 25. With things like Quantum computing on the horizon, this is not remotely far-fetched. What happens then? For starters, we need to start looking up the names of really large numbers that nobody ever uses, like octillion and nonillion.

But famous futurist and fellow MIT alum Ray Kurzweil has applied some serious thinking to this matter. He predicted that in less than 25 years (2045 to be exact), $1,000 will buy a computer a billion times more intelligent than every human combined. He claims this will lead to something called the “technological singularity”, as artificial intelligence surpass human beings as the smartest life forms on the Earth. Technological development is taken over by machines, who can think, act and communicate so quickly that normal humans cannot comprehend what is going on.

These machines enter a “runaway reaction” of self-improvement cycles, with each new generation of A.I.s appearing faster and faster. From this point onward, technological advancement is explosive, under the control of the machines, and thus cannot be accurately predicted (hence the term “Singularity”). According to Kurzweil, the Singularity is an extremely disruptive, world-altering event that forever changes the course of human history. But he has a rosy view on potential “Terminator” like outcome – he thinks the extermination of humanity by violent machines is unlikely because sharp distinctions between man and machine will no longer exist. This will be thanks to the existence of cybernetically enhanced humans, as well as humans “uploaded” into machines.

Some others don’t have such an optimistic outlook. Elon Musk’s comments on the dangers of A.I. alarmed many when he spoke at MIT in 2014—speculating that it was humanity’s biggest existential threat. “With artificial intelligence, we are summoning the demon. You know all those stories where there’s the guy with the pentagram and the holy water and he’s like, yeah, he’s sure he can control the demon? Doesn’t work out.” Musk thinks things like autonomous weapon systems have the potential in the relatively near term to rapidly escalate kinetic conflicts and possibly lead to global world war.

So, are we headed for a Digital Apocalypse that destroys the world? Or is there a Digital Utopia in our future somewhere instead? We have been talking primarily about computers and information technology, but its worth mentioning that advances in many other areas have been impressive. Of course, in many cases these advances are enabled by IT in one way or another.

Gains in chemistry, biology, and materials science – things like nanotechnology, 3D printing, robotics, & medicine – have to potential to radically improve human heath, well-being, and quality of life. It is likely that the technology “jerk” will drive rapid advancement in these areas, possibly leading to reduction or elimination of hunger and poverty, and large increases in longevity.

But for a moment, think through the consequences of these kinds of changes. If our institutions are having a tough time keeping up now, how will they adapt to even greater and more disruptive changes? How will our businesses, governments, laws, and societal norms account for unintended consequences of amazing and seemingly positive changes in our world? How will they deal with intelligent machines?

What has become clear in all this uncertainty is that there is a disconnect between the rate of change of technology, and the rate of change in our most important institutions. There is also a lack of necessary technical expertise and human capital across many different parts of these institutions. Simply put, this is not good, and it is likely getting worse.

This presents a central paradox of this explosion in technology innovation: The faster we innovate and create ever more amazing possibilities for businesses, governments, and the whole human race, the harder it is for critical organizations to digest these changes. This creates an increased risk of major structural failures in these organizations, and society at large.

This presents an obvious and critical question: what exactly can we do about it? I believe it starts with leaders and policy makers who understand the broader changes, threats, and opportunities associated with the rapid advancement of technology across the globe. We need leaders both in government and commercial industry that understand how to build organizations which can survive and thrive through disruptive change.

Many such leaders are the driving force behind Digital Transformation initiatives across the world. This is a term that often gets diluted and co-opted for marketing purposes, but it is actually a critical imperative. What does it really mean?

Digital Transformation is fundamentally about using technology, data, and design to radically improve business and mission outcomes. It means leveraging modern practices to develop true organizational agility. It requires rethinking customer/user experience and how organizations engage with these groups. It demands that organizations empower employees and enhance their collaboration and productivity. It drives the optimization of processes through re-engineering and aggressive automation. And it means creating products and business models with new digital capabilities that never before existed.

In the end, I believe it is only through the successful transformation of our critical organizations and industries that we can make the necessary ongoing adjustments to laws, policy, and behaviors to ensure a safe, productive, and prosperous future in the Digital Age!

Transformation
Technology Transformation: 5 Easy Steps to Master Your Digital Future

As rapidly evolving technology drives disruptive changes in business, government and society (The Fourth Revolution), many organizations are struggling to reconcile two strategic objectives that often seem in conflict. On one hand, they must become more agile and innovative, delivering new capabilities and/or products to market more quickly than ever before, or they risk becoming irrelevant. On the other hand, they must rapidly (and in some cases radically) improve their cybersecurity posture across the entire enterprise, or risk devastating fallout from data breaches or other cyber-attacks.

In many large enterprises, this boils down to a tension between business equities that want to go faster and consequently accept more risk, and cybersecurity equities that want take less risk and therefore go slower. While this is a significant oversimplification, many traditional CISO organizations are indeed focused on control and compliance, and are perceived by business/product lines as a drag on innovation and time-to-market, if not an outright obstacle.

This stems from a legitimate need – CISOs are responsible for ensuring that production systems, networks and data are as secure as possible. To do this, they need to understand how proposed changes or additions impact that security posture, and in large organizations with complex systems, this can be difficult and time-consuming. The threat of attacks is very real, and the impacts can be catastrophic – the recent Equifax breach is a prime example.

Is the reconciliation of this tension an insurmountable challenge? Many experts do talk about the benefits that IT modernization can have on cybersecurity, and this is a good start. It is indeed true that legacy infrastructure, applications, and operating systems pose some of the greatest risks to information security. Upgrading endpoints, network and server hardware, and all layers of the software stack can result in vastly improved cybersecurity.

Unfortunately, this is a classic case of something that is necessary but not nearly sufficient, because it doesn’t address the core conflict between velocity and risk. When people discuss IT modernization, they are usually focused on upgrading technology to be “newer and better”, not transforming processes and people to be “faster and more agile”. This type of modernization doesn’t change the relationship between the security organization and the business and/or development organizations.

It turns out, however, there is an area where the interests of these “competing” agendas are rapidly converging: automation. Development organizations are aggressively trying to automate build and deployment pipelines, and operations groups are seeking to automate the provisioning and management of infrastructure. Forward-leaning security organizations are quickly realizing that both are a very good thing for cybersecurity, if done properly with security in mind. For this reason, an increasing number of leading practitioners are discussing not just DevOps, but DevSecOps (or SecDevOps, or DevOpsSec!).

In many organizations, it is the CIO or CTO seeking to drive the DevOps transformation, often to satisfy business stakeholders who want capabilities faster and with higher quality. To be successful, it is clearly necessary for the CISO to support and adapt to this change, but there is a much bigger opportunity to be seized. I believe the most progressive organizations will undergo the Cybersecurity Inversion.

Instead of being perceived as compliance police who impede speed and agility, CISOs must begin to turn the tables and invert that perspective. The security team in many organizations has or is quickly gaining significant authority, influence, and resources. This puts them in an ideal position to drive transformation efforts that benefit the organization greatly, while also improving cybersecurity posture – and the move to DevSecOps is a wonderful place to start. Instead of being dragged along (in some cases kicking and screaming), the CISO should be doing the dragging – driving the CIO and IT organization to move aggressively towards modern techniques and technologies for success in a digital world.

For any CISOs that aren’t quite convinced of the value of taking a leading role in the Digital Transformation of their respective organizations, consider the following:

  • Automation of software build and test processes allow for continuous integration of information assurance and cybersecurity compliance activities, generating real-time data based on ground-truth, as opposed to manual paperwork-based compliance
  • Automated provisioning and deployment using virtual infrastructure (think Cloud and Infrastructure-as-Code) allow for repeatable “deterministic deployments” that can guarantee a trusted state
  • Systems that leverage container technology can ensure that applications are assembled from signed, immutable instances that have been certified to meet security standards.
  • Modern, loosely-coupled application architectures built on “throw-away” virtual compute infrastructure can make it significantly harder for Advanced Persistent Threats to dwell and migrate
  • Investments in emerging technologies such as Artificial Intelligence, advanced data analytics, and adaptive networks promise massive payoffs in the cybersecurity realm.

To put this in context, let’s return to our prime example. While it is still early, the recent Equifax breach (one of the worst in history) is believed to be the result of poor basic application security combined with the exploitation of a vulnerability in a popular open source software (OSS) framework. A reasonably mature DevSecOps approach, including embedded security expertise, automated code scanning, and configuration management of the software supply chain (such as OSS frameworks and libraries), would almost certainly have mitigated both issues. Note: OSS frameworks are a very good thing, but can have vulnerabilities just like commercial off-the-shelf software. In many cases, the vulnerabilities in OSS are found, reported, and addressed much more quickly and consistently than in some proprietary software.

Like all worthwhile endeavors, pulling off the Cybersecurity Inversion will not be easy for most organizations. It will require significant and difficult changes in IT’s holy triumvirate: people, processes and technologies. The CISO organization will likely need to develop or acquire expertise in several new domains, and drive major shifts in attitudes and relationships across the enterprise. It will require adopting a customer-centric mentality while preserving the ability to enforce desired behaviors and practices.

In the end, though, the payoff could be huge: an organization that increases velocity, agility, and innovation – while reducing risk at the same time – an excellent recipe for thriving in the modern digital era!

CybersecurityTransformation
The Cybersecurity Inversion

As rapidly evolving technology drives disruptive changes in business, government and society (The Fourth Revolution), many organizations are struggling to reconcile two strategic objectives that often seem in conflict. On one hand, they must become more agile and innovative, delivering new capabilities and/or products to market more quickly than ever before, or they risk becoming irrelevant. On the other hand, they must rapidly (and in some cases radically) improve their cybersecurity posture across the entire enterprise, or risk devastating fallout from data breaches or other cyber-attacks.

In many large enterprises, this boils down to a tension between business equities that want to go faster and consequently accept more risk, and cybersecurity equities that want take less risk and therefore go slower. While this is a significant oversimplification, many traditional CISO organizations are indeed focused on control and compliance, and are perceived by business/product lines as a drag on innovation and time-to-market, if not an outright obstacle.

This stems from a legitimate need – CISOs are responsible for ensuring that production systems, networks and data are as secure as possible. To do this, they need to understand how proposed changes or additions impact that security posture, and in large organizations with complex systems, this can be difficult and time-consuming. The threat of attacks is very real, and the impacts can be catastrophic – the recent Equifax breach is a prime example.

Is the reconciliation of this tension an insurmountable challenge? Many experts do talk about the benefits that IT modernization can have on cybersecurity, and this is a good start. It is indeed true that legacy infrastructure, applications, and operating systems pose some of the greatest risks to information security. Upgrading endpoints, network and server hardware, and all layers of the software stack can result in vastly improved cybersecurity.

Unfortunately, this is a classic case of something that is necessary but not nearly sufficient, because it doesn’t address the core conflict between velocity and risk. When people discuss IT modernization, they are usually focused on upgrading technology to be “newer and better”, not transforming processes and people to be “faster and more agile”. This type of modernization doesn’t change the relationship between the security organization and the business and/or development organizations.

It turns out, however, there is an area where the interests of these “competing” agendas are rapidly converging: automation. Development organizations are aggressively trying to automate build and deployment pipelines, and operations groups are seeking to automate the provisioning and management of infrastructure. Forward-leaning security organizations are quickly realizing that both are a very good thing for cybersecurity, if done properly with security in mind. For this reason, an increasing number of leading practitioners are discussing not just DevOps, but DevSecOps (or SecDevOps, or DevOpsSec!).

In many organizations, it is the CIO or CTO seeking to drive the DevOps transformation, often to satisfy business stakeholders who want capabilities faster and with higher quality. To be successful, it is clearly necessary for the CISO to support and adapt to this change, but there is a much bigger opportunity to be seized. I believe the most progressive organizations will undergo the Cybersecurity Inversion.

Instead of being perceived as compliance police who impede speed and agility, CISOs must begin to turn the tables and invert that perspective. The security team in many organizations has or is quickly gaining significant authority, influence, and resources. This puts them in an ideal position to drive transformation efforts that benefit the organization greatly, while also improving cybersecurity posture – and the move to DevSecOps is a wonderful place to start. Instead of being dragged along (in some cases kicking and screaming), the CISO should be doing the dragging – driving the CIO and IT organization to move aggressively towards modern techniques and technologies for success in a digital world.

For any CISOs that aren’t quite convinced of the value of taking a leading role in the Digital Transformation of their respective organizations, consider the following:

  • Automation of software build and test processes allow for continuous integration of information assurance and cybersecurity compliance activities, generating real-time data based on ground-truth, as opposed to manual paperwork-based compliance
  • Automated provisioning and deployment using virtual infrastructure (think Cloud and Infrastructure-as-Code) allow for repeatable “deterministic deployments” that can guarantee a trusted state
  • Systems that leverage container technology can ensure that applications are assembled from signed, immutable instances that have been certified to meet security standards.
  • Modern, loosely-coupled application architectures built on “throw-away” virtual compute infrastructure can make it significantly harder for Advanced Persistent Threats to dwell and migrate
  • Investments in emerging technologies such as Artificial Intelligence, advanced data analytics, and adaptive networks promise massive payoffs in the cybersecurity realm.

To put this in context, let’s return to our prime example. While it is still early, the recent Equifax breach (one of the worst in history) is believed to be the result of poor basic application security combined with the exploitation of a vulnerability in a popular open source software (OSS) framework. A reasonably mature DevSecOps approach, including embedded security expertise, automated code scanning, and configuration management of the software supply chain (such as OSS frameworks and libraries), would almost certainly have mitigated both issues. Note: OSS frameworks are a very good thing, but can have vulnerabilities just like commercial off-the-shelf software. In many cases, the vulnerabilities in OSS are found, reported, and addressed much more quickly and consistently than in some proprietary software.

Like all worthwhile endeavors, pulling off the Cybersecurity Inversion will not be easy for most organizations. It will require significant and difficult changes in IT’s holy triumvirate: people, processes and technologies. The CISO organization will likely need to develop or acquire expertise in several new domains, and drive major shifts in attitudes and relationships across the enterprise. It will require adopting a customer-centric mentality while preserving the ability to enforce desired behaviors and practices.

In the end, though, the payoff could be huge: an organization that increases velocity, agility, and innovation – while reducing risk at the same time – an excellent recipe for thriving in the modern digital era!

InnovationTransformation
The Fourth Revolution

Unless you have been hibernating over the last few years, you are probably aware that advances in information technology are causing disruptive changes in business, government and society – impacting almost every aspect of our lives. You may not be aware, however, that the effects are so deep and far reaching that we may be in the initial stages of a Fourth Industrial Revolution.

I say ‘initial’ because the pace of these changes is accelerating. Revolutionary advances in software development and computing infrastructure have enabled rapid development of new platforms and capabilities, that are themselves enabling others. Continued breakthroughs in micro-electronics have given rise to an increasingly connected world, where everything (and everyone) is a data source. Breakthroughs in Artificial Intelligence, including deep machine learning, are built on this foundation, and have the potential to increase the acceleration further, causing massive disruption in areas previously left unscathed.

This extremely dynamic environment creates enormous opportunity for organizations that understand and adapt to these changes, leveraging the power that technology brings to bear. But it comes with a price: there are major challenges and risks, both to large incumbent industry players as well as smaller businesses. There is a near-constant threat of competitive disruption, and it seems impossible for leaders to digest the fire-hose of new technologies, innovations, and concepts emerging monthly. And if that weren’t challenging enough, there is one topic that looms omnipresent, threatening to envelope everything and everyone: Cybersecurity.

Information security is an overarching concern because the dynamics that have enabled this Fourth Industrial Revolution have also amplified the threat of malicious actors inflicting damage on organizations. There are three primary drivers for this:

  • The value and importance of data and information assets have increased significantly as businesses have become increasingly digital
  • The size and complexity of the Internet of Everything has resulted in a cyber-attack surface area that is exponentially larger
  • Advances in technology give threat actors incredibly powerful capabilities to leverage for cyber-attacks and exploitation, making them harder to defend against, and creating a virtual arms race.

So how do organizational leaders navigate this complex and ever-changing environment? They are charged with ensuring the success (and survival!) of their respective business or mission, but many have not fully come to terms with the scope and pace of changes that are occurring. In addition, most organizations often lack the supporting expertise to make the decisions and drive the changes necessary to adapt successfully. Like with all difficult problems, there is no magic solution, but organizations should consider these three critical pieces of advice:

  1. Elevate Information Technology and Information Security to first-class strategic concerns. This begins with hiring or identifying leaders with the appropriate skill-sets and focus, but that is not sufficient. Technology expertise must have a seat at the table for all important decisions and processes, and be incorporated into the strategic DNA of the organization. Many organizations have elevated cyber-security to some extent due the extreme risk perceived, but the focus is typically on reducing or quantifying that risk, not optimizing for organizational success.
  2. Adopt a change-oriented mindset from top to bottom. It is difficult to adapt to revolutionary change without making revolutionary changes. Unfortunately, there are no quick fixes here; a sustained focus on leading and managing transformation across multiple enterprise domains is required from senior leaders, middle management, and staff members. This includes fundamental shifts in how systems and products are delivered, how all work is managed, and how teams and employees operate. And don’t forget the ever-important cultural changes: people must have the permission and the support to take risks and innovate.
  3. Maintain focus on outcomes! The complexity and scope of changes occurring, both internally and externally, can create a lot of confusion and “noise”. This sometimes lead to teams (and leaders) developing myopic focus on driving change for change’s sake. If the organization loses sight of “why” it is changing, it will not achieve the desired outcomes. These goals need to be tangible enough to guide resource and prioritization decisions effectively. While “increase bottom line” or “enhance mission performance” are usually the high-level outcomes desired, focus on things like driving customer experience, enhancing collaboration, optimizing operational processes, or transforming products and businesses is often useful.

The challenge to organizations is real and present: adapt to the large-scale changes being driven by technology, or follow an increasingly well-worn path toward irrelevance and obsolescence. Leaders must harness the power of technology to succeed in the modern digital era, so that organizations can innovate, transform, and thrive in the face of the Fourth Industrial Revolution.