- About the risks that abound in the world of technology, when everything is connected and snooped upon one way or another. Are you safe?


Wednesday, December 28, 2016

Digital Banking





What is 'Digital Banking'?

For simple understanding, call it 'Uber-Banking': customers having a myriad of choices of cheap financial services at their fingertips, literally a call away. It is safe to assume that banks in their current form will not be able to compete with the disruptive and innovative financial products (Fintech) popping up ubiquitously.



These disruptive technologies cover a wide range of services like crowdsourcing (donations, investments, or loans), new payment gateways, tailored healthcare insurance, wealth management...etc.

Here are two examples:


1. Microbanking - A smart card value storage application system that operates among small corner convenience stores and accepts low income groups as customers, a category that conventional banks would consider 'unbankable'. That means the lower income groups have value stored in their smart cards with which they can purchase goods, or withdraw/deposit cash, at convenience stores.

2. Small Farmer Trading - An Over-The-Counter small farmer trading system that is authenticated and verified using BlockChain Technology. For more about blockchain, click here. This means that small farmers can work as a cooperative to sell their produce directly to their customers, bypassing the middle man.

Note that both examples above do not necessarily need to transact through conventional banks.


Banks vs Fintech

At the moment, Fintech is mostly unregulated, while in contrast, banks are heavily regulated. This is akin to freewheeling Uber cabs versus regulated taxi companies. Some central banks are planning to regulate Fintech, albeit lightly, so as not to strangle them to an early death.

It is inevitable that banks must change, or die. That said, many Fintech startups are not immune to the tough world of commerce either; eventually, many will die too, like most startups do. Besides, their scalability, extensibility and resilience under regulatory compliance have yet to be truly tested.

I liken Fintech to experimental films, where most are wild and imaginative, with only a few managing to find their symbiotic positions in the ecosystem.



Technologies: There are three areas in which banks may like to dip their toes to get a feel for the Fintech revolution, namely:

1. BlockChain Technology. For simple understanding, a Block Chain is a chain of hash values. Each hash value corresponds to a transaction. Hash values are non-repudiable, so it is possible to mathematically demonstrate that the chain of transactions did indeed happen. For more about one-way hash, click here.

2. Internet of Things (IOT). Soon billions of devices will be intelligently interconnected, generating terabytes of data and metadata. Vending machines, for instance, may be connected to suppliers' inventory systems, which are in turn connected to outsourced fulfilment vans plying the roads every hour, which in turn have navigation systems connected to GPS, and so on.

In time, Artificial Intelligence will be required to monitor the terabytes of data generated and passing through every few hours, in perpetuity.

3. Common APIs. These will emerge among major players so that any bank or Fintech developer can use them to connect to the financial services eco-system.
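Item 1 above describes a block chain as a chain of hash values, each linked to the one before it. The following is an added example, not the blog's own code, of the minimum version of that idea: each block stores the previous block's hash, and a verification routine reports the first link that no longer holds. The transactions are constructed sample data (a hypothetical farmers' cooperative, in the spirit of the second example above). The second tamper function shows why the weak point is rarely the hash itself: an attacker who may rewrite blocks can also recompute hashes, so control over who may append or alter the chain is what the security of the process rests on.

```python
"""Added example (not the blog's own code): a minimal chain of hash values
with a verification routine that locates the first tampered link.
All transactions below are constructed sample data."""
import copy
import hashlib
import json

GENESIS = "0" * 64  # the first block has no predecessor


def block_hash(prev_hash: str, tx: dict) -> str:
    """Hash the previous block's hash together with a canonical form of the transaction."""
    canonical = json.dumps(tx, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode()).hexdigest()


def build_chain(transactions):
    """Link each transaction to the one before it through its hash."""
    chain, prev = [], GENESIS
    for tx in transactions:
        h = block_hash(prev, tx)
        chain.append({"tx": tx, "prev": prev, "hash": h})
        prev = h
    return chain


def verify_chain(chain):
    """Return (True, None) if every link holds, else (False, index of first bad block)."""
    prev = GENESIS
    for i, blk in enumerate(chain):
        if blk["prev"] != prev:  # link to the predecessor is broken
            return False, i
        if block_hash(blk["prev"], blk["tx"]) != blk["hash"]:  # content no longer matches its hash
            return False, i
        prev = blk["hash"]
    return True, None


# Constructed sample transactions (hypothetical farmers' cooperative sales)
SAMPLE_TXS = [
    {"seller": "farm-07", "buyer": "coop", "item": "rice", "amount": 120},
    {"seller": "farm-12", "buyer": "coop", "item": "maize", "amount": 80},
    {"seller": "coop", "buyer": "retailer-3", "item": "rice", "amount": 150},
]


def tamper_without_rehash():
    """Alter a past transaction in place: its own hash no longer matches."""
    tampered = copy.deepcopy(build_chain(SAMPLE_TXS))
    tampered[1]["tx"]["amount"] = 8000
    return verify_chain(tampered)


def tamper_and_rehash():
    """Alter a past transaction and recompute its hash: the next block's link breaks instead.
    Rewriting every later hash as well would pass verification, which is why the process
    controlling who may append or rewrite blocks matters more than the hash function."""
    tampered = copy.deepcopy(build_chain(SAMPLE_TXS))
    tampered[1]["tx"]["amount"] = 8000
    tampered[1]["hash"] = block_hash(tampered[1]["prev"], tampered[1]["tx"])
    return verify_chain(tampered)


if __name__ == "__main__":
    print("intact:", verify_chain(build_chain(SAMPLE_TXS)))
    print("edited in place:", tamper_without_rehash())
    print("edited and rehashed:", tamper_and_rehash())
```

Running the block prints `(True, None)` for the intact chain, a failure at index 1 when a transaction is edited in place, and a failure at index 2 when the edited block's hash is also recomputed.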



What does this mean for Information Security?

The weakest links have to be identified. Where is the weakest link in the Block Chain Transaction? It is unlikely to be in the one-way hash algorithm, but more likely in the processes, perhaps processes that are vulnerable because of their need to interoperate with legacy systems, or the need to fulfill customer experience requirements.

How are we going to make sure that IOT is doing what it is supposed to be doing and not being used as part of a Distributed Denial of Service (DDOS) attack? With such volumes of data, it is not humanly possible to monitor manually. Inevitably, Artificial Intelligence (AI) will have to come in. Then the task will be to check the AI to make sure that it does not go off on a tangent from the original plan. An AI rebellion or mutiny would be scary.

With Common APIs, we have to ensure that they are programmed to secure programming standards, and changes in the control infrastructure will be necessary, since these APIs are now exposed to the outer and wider Cyberspace.


There are a lot more details we can go into, but the above is a good start.




Note:

The term 'digital banking' is superfluous. Banks have gone digital since the early 1980s. The real revolution in banking is in the decentralisation and democratisation of information. 

The prolific author and futurist Alvin Toffler had predicted the above trends, plus the odd problems of overchoice and mass customisation in the economy. These are mentioned  in his books "Future Shock" and "The Third Wave" back in the 1970s.

These trends are turning conventional economies on their heads, disrupting the finance, transportation, travel, education, news and information, software development and film production industries, with many more to follow.

Automation in many industries will soon render many people jobless, causing unemployment in big cities and workers returning to subsistence living in the countryside, this time aided by technology. So, more neo-hippie communes will sprout in the next fifteen years, with their own systems of barter, digital currencies, energy generation, etc.

We are indeed living in exciting times.



For more about the changing trend of the:

TV and Film industry, click here.

Future of information security, click here.

Management of one such disruptive startup, click here.

For more about the future of cryptography, click here.








Wednesday, June 15, 2016

Augmented Security





The following are notes I have taken from the book launch of "Augmented - Living Life in the Fast Lane", by Brett King on the 8th June 2016 in Singapore. I have taken efforts to make sure that the information here is as close to what he said during the launch as possible. If there are any misrepresentations of facts, they are probably mine. Please accept my apologies in advance.
========

Fundamentally, Moore's Law has been proven right since it was coined: that computer processing power will double every two years. The mobile phone in our pocket has many times the processing power of the early computers that occupied an entire basement of a large building.

Four points that the book is based on:

1. Artificial Intelligence (AI) - it will take over many aspects of our life. It executes many tasks better than humans. For instance, autonomously driven cars are safer; they have a lower accident rate than cars driven by humans. AI diagnoses cancer with a 90% certainty, whereas a human oncologist can achieve only a 50% certainty. This is because AI is fed a lot more information to execute the task than a human being can handle. Besides, AI remembers the data, while a human being may forget some data during his analysis or diagnosis.

2. Internet Of Things (IOT) - Everything will be connected via the internet by the year 2030. There will be more robots than humans by then, though the former come in different forms. That is, not all robots will look like humans, nor should they. It depends on the tasks they specialise in.

3. HealthTech and Genome - The progress of HealthTech and genomics, thanks to computer processing power, will result in more early detection of diseases and fixing the problem via genetic engineering. This may cause an upheaval for Big Pharma, who now face a challenger that can fix health problems better and faster.

4. Smart Infrastructure - Solar power will be half the price of the next cheapest fuel by the year 2030. Coal mines will not be economical. E.g. recently, China has laid off 1.5m mine workers. They know that it will not be economically feasible to mine coal.

The cheapness of solar energy and other alternative free energies will disrupt the commodity markets and decimate them.

-----


Every leading company will be a technology company by 2030. If you are not, then you are not making profits. Profitability in large technology companies like Apple is around $0.5m per employee, compared to $30k for Walmart or $50k for banks.

The service industry will be disrupted dramatically in employment patterns. People will not live their life "working for a living". Governments may be compelled to give a universal basic income (covering lodging, food, electricity...) to everyone for free. Humans will adjust to this new state. There will be new jobs like geo-engineering, which aims at reversing climate change, while many traditional jobs, or jobs that are here now, will be gone. Perhaps some of us will be re-invented as robot psychiatrists to counsel misunderstood and mishandled robots!

Global population growth will flatten by the year 2050 at around 9.5 billion people. People will be living longer and longevity itself will be a challenge. For instance, if we are all going to live till 200 years old, then all of us here in this hall are mere 'teenagers' within our lifespan. Major culture shifts will be needed.

If you do not have a digital persona, you may be treated with suspicion, pay a lot more for things, etc. It will be impractical. In ten years' time, 60% of our online purchases will be handled by an AI agent.

Banking will be required in the future, but not banks. Banks that base their business on the conventional business streams of credit cards, POS,... etc will be gone. There will be contextual credits evaluated when you walk into a store that will handle your transaction.

Not all entities that hold a bank account will be humans. For instance, autonomous driving cars will have bank accounts to get on with their 'life', such as paying for their Electronic Road Pricing (ERP) fees and electricity top-ups, or receiving payments for ferrying people around like an Uber cab, etc.

AI, robotics...etc will become so much part of the system that we will not even think about it, like electricity - we just switch it on and use it and hardly (if at all) think of it as 'technology'.



Governments will be the last industry to be disrupted and replaced by technology.
---------

Do you agree with Brett King's projection of the future?

But let's take it as an exercise for now: should the projections come true, how will we protect our information?

Some of the security issues that I predicted 15 years ago are now a reality.

  • For instance, wearable computers are now easily available and affordable by the man-in-the-street, so it won't be practical to check them at the gates. 
  • About collaborating for collective intelligence among big companies, especially banks. This is now happening via cloud-based Web Application Firewall providers.


Pervasive Security

With IOT, the hacker playground has enlarged. Whoever hacks in will have connectivity to hack the next adjoining device, affecting another community which will be likely dispersed worldwide. Surely this sounds much more fun to the hacker than it is now.

With devices getting very small, and many of them embedded, it will be impossible to rely on perimeter security. Security controls will have to be pervasive. Already in the present day, every business process triggers six or seven other security processes.

For instance, just to transfer money in an ebank, the following non-business processes are triggered:

  1. Identification - whether the user is a bot or a human.
  2. Authentication - whether the user is who he claims to be.
  3. Double authentication - to make sure that the user's device has not been hijacked, possibly using technologies like cognitive biometrics.
  4. Authorisation - to check the extent of the privileges the user is entitled to.
  5. Central data logging - to log all transaction data such that, if need be, the transactions can be easily reconstructed.
  6. Prediction - with the large amount of data logged, it becomes possible to predict whether the transaction is a fraud. If suspected, transaction logging will be stepped up.
  7. Notification - notifying the user of his transaction by an alternative channel.
Many more processes will be added over time to make the transaction even more secure. Even item 1 will have to be re-assessed when non-human entities, e.g. autonomous cars, legitimately have bank accounts.

How will we be able to safely identify one robot from another? Do they have unique characteristics and behaviour, like humans, beyond their (encrypted) id tag? Will accumulated machine learning in the robot develop habits and character in them?

Data Ownership

Also, in an IOT world, who owns the data? When there is a hack, who is the custodian that has not kept the data well and has resulted in some people (or robots) being violated? With so much data generated, it will be impossible to manage data ownership. To compound the problem, some legitimate data owners may not want to own the data, as ownership comes with responsibilities.

Quantum Computing
When Quantum Computers come onto the market, many computers will be hacked in the interim period, before information systems have had time to convert to quantum cryptography to protect their systems.


What are your thoughts?

I am sure you can come up with many other scenarios from now to the next ten years and how we can pre-empt security breaches.


----

Brett's view of the future seems to be based solely on the advance of Moore's Law: that computers will get more powerful, and that progress is mostly enabled by more number crunching and processing.

There are other visionaries who embrace, in my opinion, a wider scope of how progress may come about, like Buckminster Fuller, Alvin Toffler and Peter Schwartz. They delve into the future with scientific fundamentals and a scope beyond computers. Not surprisingly, many of their projections have already come true.

Here are other technologies that we may see in the future:






Saturday, April 16, 2016

Pre-empting Cyber-Fraud in Investment Banks


An investment bank is a hive of activity, helping businesses or banks to raise capital by issuing stocks or bonds, and finally underwriting and distributing the issue. They also sell securities, manage the assets and personal wealth of high net worth individuals, and help in corporate mergers and acquisitions. These activities expose them to a myriad of operational risks, legal risks, market risks, credit risks and reputational risks.

A common thread among all these risks is CyberFraud, amid today's highly computerised and networked world.

CyberFraud is multi-dimensional and is targeting citizens, businesses and governments at an alarming rate. It can also be a conduit for organised crime and terrorism, and pose a threat to national security.

Stolen financial data is now an illicit commodity. With the required data, money can be siphoned through fraudulent credit card transactions, bank transfers or other instruments. Given the impersonal nature of the crime, and that the fraudsters can be seated at a physically remote location, an underground industry for Cybercrime has rapidly grown. To compound matters, fraud can originate both from outside and from inside the bank.

The broader aspects to contain the growth of CyberFraud have to be worked together with the police, central banks and cloud-based security services like web-application firewalls, online biometric services,...etc. Sharing of such information among banks via central authorities is key.

Within the bank, besides having a secure IT infrastructure, it is essential to have a centralised log server which, if need be, is capable of reconstructing any transaction to provide sufficient forensic data to bring the fraudsters to court. (This is a regulatory requirement stipulated by many central banks, like the Monetary Authority of Singapore.) With the wealth of data in the log server, it is possible through data analytics to predict where the fraud will come from, and pre-empt it from occurring. It would be useful to use software like Splunk to facilitate the indexing, searching and monitoring of the logs, some of which may not even be structured.

For more details on a secure banking architecture, click here.

The common patterns of suspicious activities usually exhibit abnormal transaction volumes, trading volumes, fluctuating data feeds,... etc. A rules engine will have to be agreed between the businesses, fraud management department and cybersecurity department of the bank. 

For more details on applying data analytics, click here.

There are also cognitive patterns of user behaviour that can be captured and analysed. Several cognitive biometric systems, like BioCatch, are now capable of differentiating an online bot from a human user; and for the case of a human user, the capability to authenticate his identity.

These new implementations will require more sophisticated technical and awareness training. In a world where the criminals are connected and share expertise, banks will need to have all their staff educated in an effective manner.

Many banks have resorted to quick online multiple-choice quizzes to measure the awareness level of their staff. But truly, how many cases in our lives work the same way as such multiple-choice tests? Hardly any, to say the least. Therefore, realistic scenarios must be written and rehearsed to leverage the participants' other cognitive senses. To be effective, the training methods must be experiential and immerse the participants in role play, so that they truly understand the scope of managing CyberFraud and apply the knowledge in their daily work.

For more details of how to apply role play in cybersecurity training, click here.

Naturally, the above activities will take time to implement. Senior management will have to be convinced that they are worthy to commit the necessary resources.  The savings from CyberFraud management will have to be enumerated and quantified. But it is no longer just the case of preventing or managing financial losses to Cybercrime, banks now also have the moral duty to prevent funds from reaching terrorists and organised crime, for national security.

Conversely, if you are in the Senior Management of the bank, you may like to read about the 5 types of technology salesmen out there waiting to pull the wool over your eyes. :)
Click here.


Last but not least, while it is crucial to have the technical infrastructure and controls, predictive analytics, and technical and awareness training, no fraud case can be effectively closed without the good old-fashioned offline work of committing troops to the ground. Common detective work of recognising clues, hints and the motivation for the crime is equally important. So are cultural understanding and language skills, the latter being particularly useful for high-tech big data keyword searches and interpretation. Ultimately, the investigator will need to be able to hear a conversation in a noisy room, have a concern for detail and a sense of urgency.















Tuesday, August 18, 2015

5 Types of Technology Salesmen




This post is a little light hearted, but I hope it helps you too.

I have met many technology salesmen in my time, and can group their techniques into five categories, namely:

1. Selling by Sex
These are the good lookers who would try to seduce you with sex, or at least let you think that you are going to 'get it'. Sex sells and this works for many people, both men and women.

2. Selling by Bossing Around
These are the motherly/fatherly types, who curiously close sales by bossing their client around. It works for clients who are short of confidence or  paternal/maternal love.

3. Selling by Fighting for the Customer
These ones are fiercely loyal to their customer. They will fight for the customer rights, until they win, even if it means that they lose their job.  Consequently, they have a loyal following and customers follow them when they change jobs.

4. Selling by Fear (and Dropping Names)
These are the ones that give a strong show of dutch courage, threatening the client that their project will fail without buying his product. He will further strengthen his claim by dropping some of his (purported) big name clients. It works for buyers who need big names to cover their ass.

5. Selling by Technical Know-how
Of the five, these ones are the most honest. They know their technology inside out and so hide behind their strengths to go into monumental details of the product, unaware that the buyer may be looking for something else. This works for clients who already know what they want and are delighted to hear direct from the seller's mouth.

You may have met other types of salesmen. Tell us about them. :)



Tuesday, July 14, 2015

Data Analytics and How We Think.


I found this interesting syndicated article "Algorithms may echo human bias, study finds", on Today 14-July-2015, page 36. 

Basically it says that, ultimately, algorithms are created by humans, and carry human influences and biases with them. In other words, data analytics algorithms are merely human attempts to model a scenario mathematically with the help of very large amounts of data.

For instance, by applying graph theory on a social network platform, we can assign weightings on links to friends that have common interests with us and find who our closest friends are, who our best friends are or even who our spouse is. In plain language, we are looking for 'birds of a feather that flock together'.

There is also an algorithm that detects expense claim fraud by analysing the first digit of each expense claim item. So if only a few digit values are used, and very repeatedly so, the expense claimant is flagged for further investigation. This is probably based on the tendency of human beings not to think of broad ranges of numbers when cheating.
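The first-digit check described above, worked through as an added example that is not the blog's or the article's own code. It counts the leading digit of each claim amount per claimant and flags anyone who uses only a few distinct leading digits or leans heavily on one of them; Benford's law (the expected share of each leading digit in naturally occurring amounts is log10(1 + 1/d)) is computed alongside as a reference. The thresholds and the claim amounts are constructed, and a claimant with too few claims is reported rather than judged.

```python
"""Added example (not the blog's own code): flag expense claimants whose claim
amounts use only a few leading digits, with Benford's law as the reference distribution.
Claim amounts and thresholds below are constructed."""
import math
from collections import Counter

# Benford's expected share of each leading digit 1..9
BENFORD = {d: math.log10(1 + 1 / d) for d in range(1, 10)}


def leading_digit(amount: float):
    """First non-zero digit of an amount (e.g. 0.75 -> 7, 1200 -> 1); None for zero."""
    digits = f"{abs(amount):.2f}".replace(".", "").lstrip("0")
    return int(digits[0]) if digits else None


def analyse(claims, min_claims=8, max_distinct=3, max_top_share=0.6):
    """claims: {claimant: [amounts]} -> {claimant: findings}.
    A claimant is flagged when few distinct leading digits appear or one digit dominates."""
    report = {}
    for who, amounts in claims.items():
        digits = [d for d in map(leading_digit, amounts) if d]
        if len(digits) < min_claims:
            report[who] = {"n": len(digits), "flagged": False, "reason": "insufficient claims"}
            continue
        counts = Counter(digits)
        top_share = counts.most_common(1)[0][1] / len(digits)
        observed = {d: counts.get(d, 0) / len(digits) for d in BENFORD}
        # mean absolute deviation from Benford, as supporting evidence for the investigator
        benford_mad = sum(abs(observed[d] - BENFORD[d]) for d in BENFORD) / 9
        flagged = len(counts) <= max_distinct or top_share >= max_top_share
        report[who] = {
            "n": len(digits), "distinct": len(counts), "top_share": top_share,
            "benford_mad": round(benford_mad, 3), "flagged": flagged,
            "reason": "few or repeated leading digits" if flagged else "ok",
        }
    return report


# Constructed sample claims
SAMPLE_CLAIMS = {
    "A": [12.50, 230, 45, 7.80, 1200, 33, 98, 310, 15, 64],                       # varied amounts
    "B": [49.90, 48.00, 45.50, 47.20, 49.00, 44.10, 46.30, 48.80, 42.00, 49.50],  # always just under 50
    "C": [20, 30, 20],                                                            # too few to judge
}

if __name__ == "__main__":
    for who, findings in analyse(SAMPLE_CLAIMS).items():
        print(who, findings)
```

Claimant B, whose every claim starts with a 4, is flagged; claimant A, with seven distinct leading digits, is not; claimant C is reported as having insufficient claims.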

I trust that algorithms for data analytics have a symbiotic relationship with human psychology. So, it pays to observe patterns of human thinking through the data they manifest. Maybe some old proverbs may offer inspiration.


--------------------------------------------------------------------
Algorithms may echo human bias, study finds 

NEW YORK — There is a widespread belief that software and algorithms that rely on data are objective. But software is not free of human influence. Algorithms are written and maintained by people, and machine-learning algorithms adjust what they do based on people’s behaviour. As a result, algorithms can reinforce human prejudices, researchers say. 

A new study by Carnegie Mellon University researchers revealed that Google’s online advertising system showed an ad for high-income jobs to men much more often than women. Research from the University of Washington also found that a Google Images search for “CEO” produced 11 per cent women, even though 27 per cent of chief executives in the United States are women. 

Algorithms, which are instructions written by programmers, are often described as a black box; it is hard to know why websites produce certain results. Often, algorithms and online results reflect people’s attitudes and behaviour. The autocomplete feature on Google is an example — a recent search for “Are transgender” suggested, “Are transgenders going to hell”. 

“Even if they are not designed with the intent of discriminating against those groups, if they reproduce social preferences even in a completely rational way, they also reproduce those forms of discrimination,” said Mr David Oppenheimer, who teaches discrimination law at the University of California, Berkeley. 

The Carnegie Mellon researchers built a tool to simulate Google users who started with no search history, and then visited employment websites. Later, on a third-party news site, Google showed an ad for a career-coaching service advertising “US$200k+” executive positions 1,852 times to men and 318 times to women. The reason for the difference is unclear. It could have been that the advertiser requested that the ads be targeted towards men, or that the algorithm determined that men were more likely to click on the ads. 

Google declined to say how the ad showed up, but said: “Advertisers can choose to target the audience they want to reach, and we have policies that guide the type of interest-based ads that are allowed.” The New York Times

Monday, June 15, 2015

Information Security Across New Frontiers


New technology and business motivations
Consumer devices are getting smaller, faster and cheaper. With that, they have become mobile and convenient for executing online purchases, payments, administration and a host of other chores swiftly, many of which were not possible just a few years ago. Such consumer conveniences also generate massive amounts of data: not just transaction data, but also other personal data, like location, user behaviour, and user relationships with other entities. This information is valuable for businesses to profile and target their potential customers and to cross-sell products.

What is Valuable?
Data means different things to different people. One man's information is another man's bland data. For instance, company staff directories are treasure coves to executive headhunters, but are merely data to the layperson. In other words, data is 'King', but data in context is information - a 'bigger King'. Further, in the online world of rapidly flashing ether, data in context in immaculate timing is 'King of Kings'. For example, time-sensitive market data exploited for high frequency trading in the financial markets, is a 'King of Kings'. They make millions of dollars literally within seconds. Here, we are referring to immaculately precise and timely operations happening in orders of nano-seconds.

Who are the CyberThieves?
And there are those who lurk on the dark side of Cyberspace, waiting to deceive, steal and disrupt. While the bulk of hackers are 'script kiddies', the ones that we should be worried about are the determined, clever and focused, who vie for monetary, non-monetary, business, political or social objectives. It may also be worth noting that the bulk of security breaches still comes from within organisations. Inside, it is easier to hack: being in the system, it is easier to know the loopholes and how to clean one's tracks once the intrusion is complete. A survey of 100 banks across 30 countries by Kaspersky estimated that internal hackers may have stolen up to $1 billion in the year 2013.

Future devices now
New consumer devices easily available in the retail market are getting smaller and harder to detect. Wearable computers are gradually creeping into our daily life, in the form of spectacles (eg. Google Glass), wrist watches or wrist bands (eg. Apple Watch), spy pens,...etc. It will not be practical to restrict employees and workers from using such wearable computers.

New control doctrines
As such, information security controls will no longer be perimeter defence, but checks and controls pervasive throughout the system. No entity is completely trusted. There will be numerous cross-verification among users, processes, servers and technologies. Cloud-based intelligence sharing and collaboration will be paramount to keep the system secure.

And so we must implement: more adaptable supervisor-and-executor dual controls for transactions; persistent checks against user account takeovers; centralised logging capable of reconstructing transactions; and leverage Cloud-based Cyber-intelligence services.
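The supervisor-and-executor dual control mentioned above, as an added example that is not the blog's own code. A payment request must be created by a user holding an executor role and approved by a different user holding a supervisor role; the approval is bound to a hash of the request so that a request altered after approval cannot be executed. The role table, users and amounts are constructed, and a user holding both roles is included to show that the two-person rule is enforced per request, not merely per role.

```python
"""Added example (not the blog's own code): a maker-checker (supervisor-and-executor)
dual control for a payment request. Users, roles and amounts are constructed."""
import hashlib
import json

# Constructed role table: 'executor' may create requests, 'supervisor' may approve them
ROLES = {
    "alice": {"executor"},
    "bob": {"supervisor"},
    "carol": {"executor", "supervisor"},
}


class DualControlError(Exception):
    """Raised when a segregation-of-duties rule is violated."""


def _digest(payload: dict) -> str:
    """Canonical hash of the request, so an approval is bound to exactly what was approved."""
    return hashlib.sha256(json.dumps(payload, sort_keys=True).encode()).hexdigest()


class PaymentRequest:
    def __init__(self, maker: str, payload: dict):
        if "executor" not in ROLES.get(maker, set()):
            raise DualControlError(f"{maker} may not create payment requests")
        self.maker = maker
        self.payload = dict(payload)
        self.approval = None  # (checker, digest of the approved payload)

    def approve(self, checker: str):
        if "supervisor" not in ROLES.get(checker, set()):
            raise DualControlError(f"{checker} is not a supervisor")
        if checker == self.maker:  # holding both roles does not waive the two-person rule
            raise DualControlError("maker cannot approve own request")
        self.approval = (checker, _digest(self.payload))

    def execute(self) -> dict:
        if self.approval is None:
            raise DualControlError("request has not been approved")
        checker, approved_digest = self.approval
        if approved_digest != _digest(self.payload):
            raise DualControlError("payload changed after approval")
        return {"status": "executed", "maker": self.maker, "checker": checker, **self.payload}


SAMPLE_PAYMENT = {"to": "ACCT-0042", "amount": 500}  # constructed


def happy_path() -> str:
    """alice creates, bob approves, the payment executes."""
    req = PaymentRequest("alice", SAMPLE_PAYMENT)
    req.approve("bob")
    return req.execute()["status"]


def self_approval() -> str:
    """carol holds both roles, but still may not approve her own request."""
    req = PaymentRequest("carol", SAMPLE_PAYMENT)
    try:
        req.approve("carol")
    except DualControlError as err:
        return str(err)
    return "approved"


def modified_after_approval() -> str:
    """An approved request whose amount is changed afterwards must not execute."""
    req = PaymentRequest("alice", SAMPLE_PAYMENT)
    req.approve("bob")
    req.payload["amount"] = 50000
    try:
        req.execute()
    except DualControlError as err:
        return str(err)
    return "executed"


if __name__ == "__main__":
    print(happy_path(), "|", self_approval(), "|", modified_after_approval())
```

Binding the approval to a digest of the payload is what makes the control "persistent": the check is re-done at execution time rather than trusted from an earlier step.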

Eventually, you will notice that for every business function, say a "Make Payment" request,  the application system will invoke six or seven security processes of identification, authentication, verification, logging,...etc. So be prepared for added computing power or suffer a deterioration in application response time.

New Controls
In moving across new electronic frontiers, merely implementing the conventional firewalls, intrusion detection system, malware detection system, encryption and identity access management is no longer sufficient.

Increasingly, new controls will be based on different root technologies, as it is difficult to arrest an intrusion with the same technology. For instance, it is difficult to use web technology to detect the Man-In-The-Browser attack. Such attacks are so elusive that they can happen right under the user's nose, without him realising that his transaction is compromised. The user would be under the impression that he is safe, having observed all the secure procedures like entering his id, password and even a one-time code generated from a secure physical token, but oblivious that he has been attacked.

To detect such attacks, other technologies, such as cognitive biometrics and trend analysers among others, have to be deployed.

Cognitive biometrics recognises the usual pattern a user touches and moves his devices, and differentiates if it is from a Cyberbot or a human intruder. Trend analysers detect usage anomalies, like sharp jumps in frequency of usage, or the sums of money being transacted.
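The trend analyser described above, and the rules engine for abnormal transaction volumes discussed in the "Pre-empting Cyber-Fraud in Investment Banks" post, come down to the same thing: rules agreed between the business, fraud management and cybersecurity teams, run over centrally logged transactions. The following is an added example that is not the blog's own code. It parses constructed log lines of the form `<timestamp> acct=<id> amount=<n>`, applies a hard limit on any single amount, and builds a per-account baseline of daily transaction counts from the preceding days so that a sharp jump in frequency is flagged; the thresholds are constructed.

```python
"""Added example (not the blog's own code): a small rules engine over constructed
transaction log lines. Two rules are shown: a hard limit on a single amount, and a
per-account frequency baseline that flags a sharp jump against recent days."""
import re
import statistics
from collections import defaultdict
from datetime import date, datetime

LOG_LINE = re.compile(r"^(\S+) acct=(\S+) amount=([0-9.]+)$")

# Constructed rule parameters, the kind of thing the business and fraud teams would agree on
RULES = {"max_single_amount": 10000.0, "frequency_multiplier": 4.0, "min_baseline_days": 3}


def parse(lines):
    """Yield (timestamp, account, amount); lines that do not match the format are skipped."""
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), float(m.group(3))


def analyse(lines, today: date):
    """Return a sorted list of (rule, account, value) alerts for the given day."""
    alerts = []
    per_day = defaultdict(lambda: defaultdict(int))  # account -> day -> transaction count

    for ts, acct, amount in parse(lines):
        per_day[acct][ts.date()] += 1
        if ts.date() == today and amount > RULES["max_single_amount"]:
            alerts.append(("large_amount", acct, amount))

    for acct, days in per_day.items():
        history = [n for d, n in days.items() if d < today]
        if len(history) < RULES["min_baseline_days"]:
            continue  # not enough history to form a baseline for this account
        mean, sd = statistics.mean(history), statistics.pstdev(history)
        # the jump must exceed both a statistical bound and a plain multiple of the mean,
        # so a perfectly flat history (sd == 0) does not turn every small change into an alert
        threshold = max(mean + 3 * sd, mean * RULES["frequency_multiplier"])
        if days.get(today, 0) > threshold:
            alerts.append(("frequency_spike", acct, days[today]))
    return sorted(alerts)


def _make_log():
    """Constructed log: two accounts, three quiet days, then a day with a spike and a large transfer."""
    lines = []
    for day in ("2016-06-01", "2016-06-02", "2016-06-03"):
        for acct in ("A1", "B2"):
            for hh in ("09", "14"):
                lines.append(f"{day}T{hh}:00:00 acct={acct} amount=120.00")
    lines += [f"2016-06-04T{8 + i:02d}:05:00 acct=A1 amount=120.00" for i in range(9)]
    lines += ["2016-06-04T10:00:00 acct=B2 amount=90.00",
              "2016-06-04T11:30:00 acct=B2 amount=15000.00"]
    return lines


SAMPLE_LOG = _make_log()
SPIKE_DAY = date(2016, 6, 4)
QUIET_DAY = date(2016, 6, 3)

if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG, SPIKE_DAY):
        print(alert)
```

On the spike day the engine reports account A1 for nine transfers against a baseline of two per day, and account B2 for a single 15000.00 transfer; on a quiet day it reports nothing.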

Extending beyond Security
Trend analyses require broader aspects of data collection and mining, leading to what is called 'Big Data' processing. And with the ubiquitous use of the Internet and the growing ambitions of businesses, Big Data gets bigger everyday.

Back in the early 1990s when I was in oil and gas exploration, we thought the seismic trace interpretation data we were processing were massive. These were data of induced and echoed sound captured from vast oil exploration sites stretching thousands of square kilometres in surface area and kilometres deep into the subterranean. Think of it as a gigantic 3-dimensional volume of sound amplitudes at one-hundred metre grid intervals. Upon collection of the data, we cleaned up the noise, modeled an algorithm and mined them for useful information with the goal of discovering oil and gas deposits. Much the same as in modern day generic Big Data operations. However, while those Petabytes of data were notoriously large to handle with the technology those days, they are no longer considered big by today's standards.

Besides the intimidating size of the data, diversity, data properties and data locations, are some of the other challenges. Data can come from varied sources, in structured and unstructured, formal and informal formats. In my opinion, using data just from the organisation's daily transaction gravitates towards 'Business Intelligence'. It is not just a matter of definition, it does have semantic differences in scope. In Big Data operations, data comes from many sources, and sometimes we may not even know what the real question is when we stumble upon unexpected and interesting patterns. When that happens, basic assumptions are challenged and re-established. We will then have to go back to the basics to clarify our objectives, before  moving forward.

The extent of Big Data is powerful. It can be used not only to detect fraud, but also (in the case of banking) to verify that clients are clean enough to bring on board while complying with central bank anti-money laundering (AML) regulations.

Implementation
Before proceeding to implement, make the aforesaid benefits clear to your stakeholders. Start your security controls small within the less ambitious goals, but make it known to your sponsors and stakeholders that these technologies can be extended to offer a lot more in the future.

Now, go down to basics and define the Proof of Concepts (POCs) of the technologies that can solve your problems. The challenge here is to define what constitutes a successful POC. For instance, if we are testing a cognitive biometric system to weed out fake users, is the product that comes up with a lot of suspected users better than the one that comes up with fewer suspects? How do we know which one has more or fewer False Positives and False Negatives? It is all well and good if we are testing them on simulated data, but how would simulated data be of any real help? Ultimately, the proof of the pudding is in the eating, that is, with real-time transactions, and for that the results may be difficult to ascertain.

Then we will have to delve into the fundamental science the product is based on. If the vendor's description of what their product is based on is fuzzy and ill-defined (granted that they have to keep their trade secrets), then chances are that they are not to be trusted.

Ultimately, quantitative and qualitative success indicators must be defined for each POC before the technology is tested.
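As an added example (not from the original article, and not any vendor's product), here is a small Python scorecard for such a POC. It takes a labelled sample of users, the set of users each candidate product flagged, and an agreed cost per false alarm and per missed fraudster, and reports false positives and false negatives explicitly instead of the raw number of suspects. The user ids, labels, the two detectors named "noisy" and "quiet", and the cost figures are all constructed for illustration; in a real POC the labels must come from confirmed cases, which is exactly what simulated data cannot give you.

```python
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Confusion:
    """Counts from comparing a detector's flags against ground-truth labels."""
    tp: int  # flagged and genuinely fraudulent
    fp: int  # flagged but legitimate (a false alarm)
    tn: int  # not flagged and legitimate
    fn: int  # not flagged but fraudulent (a miss)

    @property
    def precision(self) -> float:
        """Share of flagged users who really were fraudulent."""
        flagged = self.tp + self.fp
        return self.tp / flagged if flagged else 0.0

    @property
    def recall(self) -> float:
        """Share of fraudulent users the detector caught (1 - FNR)."""
        positives = self.tp + self.fn
        return self.tp / positives if positives else 0.0

    @property
    def fpr(self) -> float:
        """Share of legitimate users wrongly flagged."""
        negatives = self.fp + self.tn
        return self.fp / negatives if negatives else 0.0

    @property
    def fnr(self) -> float:
        """Share of fraudulent users the detector missed."""
        return 1.0 - self.recall


def evaluate(labels: dict[str, bool], flagged: set[str]) -> Confusion:
    """Score a detector given ground truth {user_id: is_fraud} and the ids it flagged."""
    tp = sum(1 for u, fraud in labels.items() if fraud and u in flagged)
    fp = sum(1 for u, fraud in labels.items() if not fraud and u in flagged)
    fn = sum(1 for u, fraud in labels.items() if fraud and u not in flagged)
    tn = len(labels) - tp - fp - fn
    return Confusion(tp, fp, tn, fn)


def expected_cost(c: Confusion, cost_fp: float, cost_fn: float) -> float:
    """Cost of the detector's mistakes under an agreed price per false alarm and per miss."""
    return c.fp * cost_fp + c.fn * cost_fn


def rank(detectors: dict[str, set[str]], labels: dict[str, bool],
         cost_fp: float, cost_fn: float) -> list[tuple[str, float]]:
    """Detectors ordered from cheapest to most expensive under the given cost model."""
    scored = [(name, expected_cost(evaluate(labels, flags), cost_fp, cost_fn))
              for name, flags in detectors.items()]
    return sorted(scored, key=lambda item: item[1])


# Constructed ground truth: 20 onboarded users, 3 of them confirmed fraudulent.
LABELS = {f"u{i:02d}": False for i in range(1, 21)}
for fraud_user in ("u03", "u11", "u17"):
    LABELS[fraud_user] = True

# Constructed outputs of two hypothetical products under evaluation.
DETECTORS = {
    "noisy": {"u02", "u03", "u05", "u08", "u11", "u14", "u17", "u19"},  # 8 suspects
    "quiet": {"u03", "u06", "u11"},                                      # 3 suspects
}


if __name__ == "__main__":
    for name, flags in DETECTORS.items():
        c = evaluate(LABELS, flags)
        print(f"{name}: {c} precision={c.precision:.2f} recall={c.recall:.2f} "
              f"FPR={c.fpr:.2f} FNR={c.fnr:.2f}")
    # Same two detectors, two different cost models: the ranking flips.
    print("missed fraud costly:", rank(DETECTORS, LABELS, cost_fp=10, cost_fn=500))
    print("false alarms costly:", rank(DETECTORS, LABELS, cost_fp=10, cost_fn=20))
```

Note that "noisy" raises eight suspects with five false alarms but misses nobody, while "quiet" raises three with one false alarm but misses one fraudster. Which is "better" depends entirely on the relative cost of a missed fraudster versus a wasted manual review, so those cost weights, and the acceptable FPR and FNR they imply, belong in the POC success indicators agreed with stakeholders before testing starts.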

Once the POCs are proven, it is time to take stock of your existing system to make sure that it is fundamentally sound: for instance, to ensure that user authorisation, the centralised log server and the fraud management rules engine are operating smoothly and are securely administered, before the new technologies are added.

As usual, implement the new controls in stages, starting with the quick and easy wins to convince your stakeholders and secure approval for the next phases of development.

Conclusion
New devices are attractive because they bring in new business and opportunities. Data cleverly harnessed is valuable and can literally make you millions of dollars in seconds. As with all treasures, there will be thieves lurking. Given all these new technological frontiers opening up, we need better and more sophisticated controls. These controls, unlike in the past, come from varied technologies and must no longer be perimeter defences but pervasive throughout the information system. New pervasive controls are powerful and can serve beyond the objectives of data protection: they can be leveraged to analyse business trends and manage fraud. Implementation must be approached step by step and iteratively, while keeping management informed of their massive potential for the future.


This article is a very brief summary. It dwells on the salient points of the new frontiers of information security and how we can proceed to implement the technical controls. There are a myriad of other business and managerial considerations in a real-life situation. Given the limitation of space here, we shall leave those discussions for another article, another time.



Note: We are now an official media partner with BIGIT INSIGHT. This article will be published in their magazine.

Sunday, April 19, 2015

5 Survival Tips when dropped into the ‘Deep End’

Instead of the usual technical blog posts, this one is a pragmatic survival guide. If you have been around for a while, chances are that you have been thrown into the 'deep end' of a project before.

With rapidly changing markets and business requirements, this is becoming more common: budgets are approved late, yet quick delivery is still expected. This usually means a mad scramble to fill the project team, with the result that unfortunate new hires are dropped into the 'deep end' a few months after the project has started. These latecomers are nevertheless expected to hit the ground running.

So, here are some survival tips:

1. Update your knowledge of industry acronyms and products.

No matter how experienced you are in the industry, new acronyms and products are created every day. Google them and make a list, ready to refer to when required. But not to worry, a lot of them are just new marketing slang for old technologies, like "Cloud Computing". So don't panic. You just need to learn the right slang quickly and appear cool.

2. Learn the business and project acronyms

Businesses and projects love acronyms, and the people involved use them liberally, as if they were second nature to you too. Make a comprehensive list of such acronyms early in the project: grab an old hand in the organization and sit down with him, uninterrupted, for one hour to establish the glossary.

3. Learn the organizational structure, the relevant departments and their spokesperson.

In the old days, the development team did everything from conception, programming and testing to acceptance. These days, organizations are structured so that specialized departments deliver the various components of your project, for the benefit of economies of scale and efficiency. For instance, there may be a permanent generic testing team that tests all projects before they are released into production. Or maybe some tasks are outsourced to a third-party company in another country and another time zone, from a different culture and speaking virtually a different language.

When you have mastered points 1 to 3, you will be able to follow what is said in project meetings and appear intelligent. However, you have not moved much yet; you are merely keeping your head above water.

4. Build a rapport with the key persons in the project

Develop relationships. It is relationships that make things happen quickly and fairly trouble-free. But develop appropriate relationships; doing otherwise will have repercussions later on. Karma is such a bitch.

5. Stick to officially sanctioned activities

In the old days, it was fine to help your team members with their work and sometimes with informal tasks. Such tasks are usually safe short cuts, necessary to make things happen quickly but overlooked by the managers. However, it is riskier to do so these days, because all activities are owned and given milestones and deadlines. If you really want to help out, do so quietly. Don't pen it down anywhere. The moment an activity is penned down, someone will come and ask you where it falls under. That, to me, is a bother you and I do not need. If you are not careful, it can also make you look bad.



There is of course much more that needs to be done in a project, but knowing the aforesaid five points is a good start.

You will then not feel lost in meetings and discussions, stop looking stupid and start to produce useful work.

Happy working!