The Puchi Herald Reblog

A reblogging blog

GDPR and the technology market

GDPR and the technology market

Question: will the new privacy policies and laws impact the technology market?

This is an interesting question to ask ourselves; whether we are consumer of the technology market or technology vendors the impact of the new technologies (from cloud to IoT, from industry 4.0 to big data just to name the most acknowledged from a marketing point of view) privacy regulations can affect heavily our behaviours and the market.

so let try to understand what could be the implications of this new focus on privacy and data protection.

First of all we should try to understand what we are talking about.

Privacy, GDPR and the rest.

Privacy: the state of being alone, or the right to keep one’s personal matters and relationships secret:

In nowadays environments the presence of data related technology is pervasive: from business to  personal life technology play a big part of our life.  data related technology means we use technologies that is able to manipulate information: informations are collected, changed, communicated, shared all in form of data. Bit and bytes that describes our job, our business, our personal life.

Although in the past privacy was mainly a physical issue, and therefore legislation was focusing on those aspects, this increasing presence of data collection and sharing makes people realize that there is a new abstraction layer that involve privacy that is no more related to be alone or in a confined physical space, but in a undefined and without borders digital virtual space.

Email, Blogs, social networks, chat, E-commerce, electronic payment, smart phones all this and more shifted the same perception of privacy from a simple concept to something more hard to be defined.

Rulers and consumers started to deal with those issues in the last years whole enterprise and technical world has been remained almost frozen waiting for indications. the first indications that this would have been a wakeup call for enterprise has been the ending of the safe harbour agreement, privacy was not longer a secondary issue even for the economy.

The latest development can be easily identified in the new  European Union’s General Data Protection Regulation (GDPR), which comes into effect in May 2018, has far-reaching implications that extend far beyond the EU.

Businesses that fail to meet the new mandates aimed at protecting personal data face severe consequences. They can be fined up to $20 million, or 4 percent of global revenues — a cost that makes this regulation impossible to ignore.

But other areas of the world are moving toward a more cautious approach toward data privacy, not only Europe. While it is not yet clear how will be the new USA administration approach toward this subject, it is out of doubt that data privacy is becoming a major issue in the next years; how this will impact business is, although, not yet clear.

For sure is that GDPR will enforce companies to deal with a tremendous amount of data to be protected. Any data used to make inferences linked tenuously or otherwise to a living person is personal data under GDPR. Cookie IDs, IP addresses, any device identifier? All personal data. Even metadata with no obvious identifier is caught under the GDPR’s definition of personal data. Truth be told, such assertions are not entirely new. The difference under GDPR is that they will be enforced and the non compliance fined.

Today swathes of business practices unlocking data monetization rely upon data not being considered personal. So they apply weak consent, onward transfer and data reuse concepts. These models are going to change; either by choice, or by obligation.

Data Privacy , Data Protection and Cyber Security

One aspect that is not yet completely perceived and understood is the correlations between data privacy, data security and cyber security. The requirements that enforce the companies to respect data privacy legal requirements are intrinsically bound with the explicit request for data protection and, therefore, cyber security.

GDPR clearly define data should be fairly processed and protected: the implications are not only in terms of procedure to adopt inside the enterprises, but also technical in terms of data manipulation, retention, storage and security.

Recent security outbreaks as the one related to ransomware are an example of how basic cyber security threats can impact directly on this area, as well as common and well known cyber attack directed to data exfiltration.

This is a growing phenomenon and is affecting not only the classical online services (think of classic dating site attacks, as an example, to collect username and passwords) but, as an example, extensively the healthcare industry.

While in the past those outbreaks could have been just a relative minor issue, the new GDPR structure of fines could affect in a heavy way any company, regardless its sector, and some departments that in the past have never considered those issues as a business imperative, as marketing or Human Resource, will have to face a difficult transaction in terms of awareness, policies to be implemented and technology approach.

It is easy to forecast that this situation will shape in the next years the technology market in different areas.

Impact on the technology market

When we talk about the technology market we face different aspects, “technology” as a term can cover a wide range of things. We can talk about hardware vendors or software vendors. We can talk about service vendors (cloud, CRM or whatever you like more), IT enterprise or carrier HW providers, Security vendors, End user HW providers (as smart phone makers).

Recently the trend is to aggregate functions and offering, making those areas overlapping in the same company although not often integrated.

Since all the industry will have to face the new privacy requirements it is to be expected a increase on data privacy expertise requests hitting the market, and a growing demand for IT solutions that will help companies to manage the requirements. this could, as an example, give a small impulse to historically neglected areas as DLP solutions, data categorization solutions and so on.

Some little advance and effort will be probably put also on more traditional areas as backup.

An heavier impact will be seen in the growing online market with the need to protect not only privacy of users but also to save the economic transactions, content providers, social or gaming platforms will be heavily impacted too.

In a second run we will probably see a renewed interest for baseline security solutions, as the stakeholders will, sooner or later, realize that there is no compliance without data protection and there is not data protection without cyber security.

The request for expertise and consulting services will be mostly redirected outside to technology vendors (here considering HW\SW vendors as cisco, hp, huawei, SAP, Microsoft; service vendors as cloud providers – azure, AWS, google –  but also app stores, CRM online providers), consulting companies and technology integrators.

On the other end technology vendors will have to face a strange situations where they will be both requested to provide solutions compliant with the new rules, be the driver of the new requirements and implementations (public-private partnership basically means this)  and in need to implement solutions to protect themselves in different areas as:

Product and Services development

Here vendors will have to start developing products\services considering data protection a major issue. It is clear the impact on cloud or services, where data protection can be easily identified, but also the HW product side will have to face issues. Although it can seems trivial we can remember the problem related to GPS tracking in apple and, at some extension, android happened some years ago. privacy implication with products can be wider than expected, since we have to protect not only the data per se, but also the metadata (this is the wider range of GDPR and new privacy regulations).

Usually we tend not to consider, as an example, system logs as a problem in terms of privacy, but in effect they are if they contains data that can point to a physical person and being used to track somehow the person behaviour.

Firewall and router logs, as an example, could be used to determine what is someone doing online, and therefore can expose information that are subject to GDPR realm. minor features apparently but the truth that also metadata are object of GDPR.

Privacy By design and Privacy Enhanced Technology will be mandatory component of any product\service developement.

Marketing and Sales

Marketing(and or  sales)  has always been considered agnostic towards technology, but the ultimate scope of marketing is to get in touch with the market, this means customers and ultimately people. Marketing activities will get a huge impact towards GDPR requirements both in terms of operations, since is up on marketing to manage a large amount of data coming from outside the company, and communication.

Technology vendors, somehow, will be expected to lead and drive the request both in terms of consulting and example. The result of a breach or misinterpretation of GDPR guidances will impact severely the business from a brand point of view and undermine vendor credibility.

Internal protection

As any other company there will be a direct impact on business operations of any vendor dealing in the technology field. But this case the extension of the problem will not focus just on the standard cyber security procedures, since technology vendors enter, somehow, almost directly on customers IT or data processing infrastructure the request will be to implement an end to end protection system which include GDPR compliance and cyber security application. This will require technology vendors to operate on:

  1. supply chain
  2. production and vulnerability disclosure
  3. product and service delivery

all three area are still trying to develop standards and good practice although something is moving.

So what are the changes expected under the new regulation?

There are around a dozen headline changes which technology companies should be aware of.

Some of the key areas include:

  • Privacy by design and Privacy enhancing technology – privacy by design calls for the inclusion of data protection from the onset of the designing of systems. Companies must also only hold and process data which is absolutely necessary.

Privacy enhancing technology (PET) and Privacy by Design (PbD) are obligatory and mandated requirements under the GDPR. There remains no generally accepted definition of PET or PbD, but PbD is considered an evidencing step for software development processes to take account of privacy requirements. So the incorporation of what can broadly be defined as PET in such solutions represents PbD.

Two particular PET techniques that control downside and enable upside risk are differential privacy & homomorphic encryption.

  • Differential privacy counters re-identification risk and can be applied to anonymous data mining of frequent patterns. The approach obscures data specific to an individual by algorithmically injecting noise. More formally: for a given computational task T and a given value of ϵ there will be many differentially private algorithms for achieving T in a ϵ-differentially private manner. This enables computable optima’s of privacy and also data utility to be defined by modifying either the data (inputs to query algorithms) or by modifying the outputs (of the queries), or both.
  • Searchable/homomorphic encryption allows encrypted data to be analyzed through information releasing algorithms. Considered implausible only recently, advances in axiomatizing computable definitions of both privacy and utility have enabled companies such as IBM & Fujitsu to commercially pioneer the approach.
  • Data processors – those who process data on behalf of data controllers, including cloud-providers, data centres and processors. Liability will extend to these and businesses that collect and use personal data.
  • Data portability: Empowers customers to port their profiles and segmentation inferences from one service provider to another. This is a reflection by lawmakers that data is relevant to competition law, whilst not conceding an imbalance between a companies ability to benefit from data at expenses of us all as citizens.
  • Data protection officers – internal record keeping and a data protection officer (DPO) will be introduced as a requirement for large scale monitoring of data. Their position involves expert knowledge of data protection laws and practices, and they will be required to directly report to the highest level of management.
  • Consent – explicit permission to hold any personal data in electronic systems will become mandatory. It will no longer be possible to rely on implied consent with individuals having the option to opt-out.Customers consent to privacy policies that change. Being able to prove which contract was agreed to, in court or to a regulator, requires  registration time stamping and tamper resistant logs become de rigueur.As we move into an opt-in world of explicit consent and ubiquitous personal data, data transmissions beyond a website visit must be explicitly permissioned and controlled. In this world, default browser values de-link machine identifiers from search queries. In other words, in this new world, online advertising to EU citizens is in line for fundamental change.And given particular regulatory emphasis on profiling, explicit consent will require loyalty programs to differentiate consent between general and personalized marketing consents. Those consent flags must cascade through registration, reporting and analysis, targeting and profiling, contact center operations and all other processes that handle such data.
  • Breach notifications – the notification of a breach, where there is a risk that the rights and freedoms of individuals could become compromised, must be reported within 72 hours of the breach being identified. it is underestimate the relationship between breach notification and vulnerability disclosure. While for an end user those two aspect seems to be unrelated, there could be a higher impact on vendors for, at least, a couple of factors:
    • The breach notification could expose the vendor as the main source of the breach itself due to lack of vulnerability management and disclosure.
    • The victim could consider liability against the vendors which “vulnerabilities” caused the breach redirecting to them part of the costs.
  • Right to access – data subjects will now have the right to obtain confirmation from you of what personal data is held concerning them, how is it being processed, where and for what purpose.
  • Right to be forgotten – data subjects will now have the right to be forgotten which entitles the data subject to have you ensure that information is deleted from every piece of IT equipment, portable device and from server back-ups and cloud facilities.A framework to comply with this obligation would include the following steps:
    • Spot identifiers which tie together datasets, e.g: machine identifiers link together our social media experiences;
    • Prescribe how re-identifiable data flows in and outside the organization;
    • Document a scalable process to overwrite identifiers in all datasets where re-identification can be established, upon the validated request of a user, and
    • Third party contracts and SLAs should be adjusted to ensure compliance with validated requests.
  • Data Bookkeeping: Field level data, linked to an identifier, flows across geographies and legal entities, processed by machines and people. Organizations will account for these flows with evergreen reporting. It stands to reason that these flows will be threat-modeled for integrity and confidentiality so controls can be readily evidenced upon request.


GDPR impact

Privacy regulations as GDPR and the growing awareness and concerns related to data privacy and security are related to the expanding presence in everydays life and business of smart mobile devices able to process data, the growing online market, consolidated trends as cloud services or newcomers as IoT.

Technology market face this transition in front line, and will see the impact of new regulations and customer reactions in several ways. This is both a chance and a problem; implementation of new mandatory requirements will impact all areas, from design and production to sales and delivery. But this will means also new area of business in the consulting area, in the technologies to support GDPR and privacy compliances in the market where data analysis technology, artificial intelligence and other high end technology areas could provide a competitive\price insensitive advance vs the consolidated technology market.

The key success factor is to embrace this change and drive it acquiring internally the needed competences, implementing the correct corrections and driving the needed improvement related to product and services provided.

Future trend will see a prevalence of  technologies related to “data” processing and services related to data vs products. The new Data paradigm is already visible nowadays as example in the Big Data market (take data lake implementation as an example). in terms of technology market this will means to focus on Data Science which will pose a new and somehow unpredictable relationship with privacy regulations.

GDPR Risks and “Data Science”

The term data science describes a process from data discovery, to providing access to data through technologies such as Apache Hadoop (open source software for large data sets) in the case of Big Data; and distilling the data through architectures such as Spark, in-memory and parallel processing. That data science creates value is understood. What isn’t are the risks it exposes investors to under the GDPR, of which there are principally three:

Risk 1: The Unknown Elephant in the Room – Unicity: a general misunderstanding in monetization strategies is that stripping away identifiers of a data model renders the data set anonymous. Such a belief is flawed. So-called anonymous data sets can often, without implausible effort, be re-identified. Unicity is a measure of how easy it is to re-identify data. It quantifies additional data needed to re-identify a user. The higher a data set’s unicity, the easier it is to re-identify. Transactional and geo-temporal data yield not only high monetization potential, they carry statistically unique patterns which give rise to high unicity.

Risk 2: Relevance & Quality: Income, preferences and family circumstances routinely change, and preference data on children is difficult to ethically justify processing. While this creates a problem for predictive analytics, that data and the inferences it engenders can be considered inaccurate at a given point in time, which creates a GDPR cause-of-action. Data quality needs to stay aligned to business objectives.

Risk 3: Expecting the Unexpected: When data science creates unexpected inferences about us, it tends to invalidate the consent that allowed data to be captured in the first place, which, again, is a big deal. Data collected today, particularly from mobile devices, is subject to a constant stream of future inferences that neither the customer nor the collector can reasonably comprehend. Consider a car-sharing app that can model propensity for one-night-stands from usage patterns. While that data may not result in propositions today, the market will consider upside risk/option value to have been created (the market still does not seem to believe in GDPR impact), but this incremental data coming into existence creates downside risk (such data is difficult to find a legal-basis for, given the vagaries of a given consented disclosure).

More generally, the problem of negative correlations is brought to the fore by algorithmic flaws, biased data and ill-considered marketing or risk practices, the enduring example being U.S. retailer Targets’ predictive campaigns to pregnant teenagers, spotted by parents. These are examples of a new form of systemic control failure, leading to potentially actionable GDPR claims.


Related articles

var aid = '6055',
    v = 'qGrn%2BlT8rPs5CstTgaa8EA%3D%3D',
    credomain = '',
    ru = '';

GDPR and the technology market was originally published on The Puchi Herald Magazine

Managers and Leaders are not the same thing

Managers and Leaders are not the same thing

Managers and Leaders are not the same thing

There is always a lot of talk about managers and leadership, but I sometimes have the feeling there is a little confusion on the subject.

I can agree that a manager needs to have leadership qualities, as some other key soft skills, but leadership, per se, is not enough.

Wait, this means that a great leader can’t be also a great manager?

Exactly, a manager need leadership skills to be good, but this is only one of the several skills he need.

He should be able to understand the job heshe is asked to do, this means to have the correct technical and soft skills.

There is a risk connected with leadership: leadership needs to walk hand in hand with honesty and ethics, otherwise we risk to have leaders without soul.

Think about Charles Manson, or Adolf Hitler or some of the most evil serial killers, were they not also leaders?

Manipulative attitude common to many sociopaths are often seen as leadership skills, so leadership has to be one but not the only skills required to a manager.

Lack of empathy toward others are often a sign also of many successfull “managers” that makes their career on many other bodies, and is quite a common portrait in the financial sector (but not only), where dehumanization is at the basic of the speculation activities (it is business, workforce are just numbers on a spreadsheet).

So are we talking too much about leadership? Probably yes, we should talk about leadership in a context that require other strong soft skills, and mostly we should talk about management.

what do you think?

var aid = '6055',
    v = 'qGrn%2BlT8rPs5CstTgaa8EA%3D%3D',
    credomain = '',
    ru = '';

Managers and Leaders are not the same thing was originally published on The Puchi Herald Magazine

The IoT Files – Privacy

The IoT Files – Privacy

In the previous post “The IoT Files – intro and security” I started to talk about Security issues related to the IoT world.

Security imply a wide range of elements, one of them is Privacy. But since the nature of this topic is particularly sensitive I will talk about it separately.

Privacy in the Internet of Things assume a different taste than we used to think. We should think again what IoT means. A lot of objects that are able to communicate and process data,  equipped with sensors that make them aware of the neighborhood.

Those sensors will be able to track where we are (geolocalization) what we buy and eat (smart fridge) how often we shower or be at home (smart meter for gaselectricity), our taste in terms of media, show (smart tv) and so on.

When we go out our smart cars will communicate in our smart roads about our position destination and driving skills, our smart medical devices will keep track of when we sleep, or make exercise…

Forget to have an affair, or just a little moment for yourself, all will be monitored by something, somehow.

This open a completely new scenario in terms of privacy, the amount of data available will be way bigger than what we have today.

but who will be able to protect our privacy? how we will be able to monitor who will access our data?

Personal data

for sure we will need a clear definition of personal and sensitive data. but in an environment where every move or choice is registered, or can be deducted analyzing the output of different sensors and systems, the extension of “personal” will grow from direct data to metadata, to deducted data.

This is somehow a more complex environment of a already complex dilemma: how to handle all this?

As of now there is not even an agreement on the definition of personal and sensitive data, nor how to handle those data.

Some countries have strict controls, other lousy, and it is not just a matter of developed or not developed country. Take as an example the querelle between Europe from one side and USA (plus UK) from the other on mass surveillance rights.

EU approach on Data privacy is way more restrictive than the lousy USA ones. But even in EU we can see difference form country to country, and the recent statement of Austria against the new GDPR agreement is a clear sign that we are moving in a really complicated area.

Medical records

And not all personal data are the same, some can have a really “personal” connection. Not only sexual orientation or political and religious believes, but think as an example about your medical record.

If we will use IoT medical devices, those will be able to help us to stay alive, but at the same time will collect, process and send a lot of really sensitive and private data about our physical condition. those data if not managed correctly could expose us to unpleasant situation but how to control the flux of those data?


Same concerns can be found in the geolocalization. Sure it can be useful to find the place where I have to go, or being found if I wantneed to, but at the same time tracking our move can expose us to risks. may be I am going during my vacation to an interview and I don’t want my boss knows, or I tell my mom i can’t go to visit her because I am at work while I am actually watching something on TV I don’t want to miss (lousy reason I know). No matter what is the reason I would like to be sure I can get control of who is accessing those information.

Consumer Preferences

On the other end those data can have a great value for third party, interpolating the result coming from different sensors it can be possible to track consumer behavior to a level we cannot imagine right now.

We can understand mixing geolocalization data with actual purchases, how much time we need to choose a product, how we choose and why.

So it is not only governments, police enforcement agencies, that want to know all about us, it is a bigger entity: marketing.

Personal Communication

If we sum all the data we can have in the IoT even communication, personal communication, assume a whole new significance. Using the so called metadata nowadays it is possible to understand a lot of people behavior (ask GCHQ).

But with localization, hart beat rate, may be we will be able to tell if you are lying or if you are nervous and we don’t knows what more. Again it is not Science Fiction, but just the evolution prospect by IoT.

Privacy can be simply disintegrated because all of those sensors, the incredible amount of data will make able no know, see, listen or deduct all we do.

Privacy of Things

Probably we will have to introduce the Privacy of Things among the Internet of things, and create rules that allows us to stop interpolating data that can expose critical information, and not only direct personal or sensitive information as we do today.

What more?

A scenario that is open to new unexpected evolution, no so different from the one I presented for the security space.

What we should consider is not only the simple data, but the data that can be extrapolated analyzing other stuffs apparently unrelated.

In the age of Safe harbor 2.0 (aka Privacy Shield)

I wrote in the past on Safe Harbor and the problems related to data privacy in our age, now we have a safe harbor 2.0 (Privacy Shield), that we don’t know how long will stand.

Even with the relative small amount of personal data (compared to the IoT) we face problems nowadays, how we will manage the next to come?

There are sensible questions that have to be addressed in order to, at least, start to analyze the impact of privacy on IoT.

A few points are the following:

  • Where my data are stored?
  • How my data travel?
  • Who is storing my data?
  • How I will control who is managing my data?
  • Who can access those data?
  • How my data are used?
  • What if I want to change something?

Since there is not a common understanding on the basic definition this will be hard. and the questions does not have a simple solutions, and will require a sound technological approach.

Consider the problem of how data travel. In a world where data can travel trough different countries and stored “in the cloud” that means somewhere we do not actually control any control will be difficult.

Storing the data is just one of the aspect, because data, as an example, can be legally sniffed if the passed in certain countries that allow this. Take, as an example, USA. All data that physically pass trough the USA are subject to USA federal laws, this means USA government can check those data, even if will be stored somewhere else. The simple transit put privacy at risk no matter what “privacy shield” state.

And so may be some encryption will be not allowed.

A solution, may be, would be implementing geotraking of every single packet, in order to determine the path that the packet is allowed to take, but this is at the moment far form our real implementation capabilities.

Legal, technological, cultural frames are still missing ….

We are moving in a slippery field, where legal, technological cultural frames are still missing.

In the absence of indications, some implementations could be not privacy aware and can create problems in the future, as the safe harbor things showed us.

Alas politics and governments are not still on this boat, too technical probably (it is a sarcastic comment).

But it is the cultural lack that is the major obstacle to understand those issues, a knowledge gap that is related to  lack of experience, lack of real technical knowledge, lack of interest. Alas Security and Privacy suffer of the same problems, they are multidimensional and require a holistic approach (with technical, legal, economical, cultural basics) and not the compartmentalized ones we still have on those subjects.

Next Post will be on the infrastructures required by IoT.

var aid = '6055',
    v = 'qGrn%2BlT8rPs5CstTgaa8EA%3D%3D',
    credomain = '',
    ru = '';

The IoT Files – Privacy was originally published on The Puchi Herald Magazine

Time for enterprises to think about security, seriously

English: A map of Europe divided into countrie...
English: A map of Europe divided into countries; where EU member states are further divided by NUTS level 3 areas. The NUTS 3 areas are shaded green according to their GDP per capita in 2007 at current market prices in euros; darker green denotes higher GDP per capita and lighter green, lower GDP per capita. (Photo credit: Wikipedia)
View image |

UE directive on Attack against information systems  give us no more excuse to deal seriously,

Under the new rules, illegal access, system interference or interception constitute criminal offence across the EU. But while the legislator is working to create tools to address cybercrime as a Whole system problem, that is affecting EU economy, what are enterprise doing on this side?

The problem is that if enterprises does not align their cyber security defence to the correct approach every legislation will be useless, because the target will be always too easy.

Makes absolutely no sense to start a security system while internally you use Explorer 8 and Windows 7 as default OS. make absolutely no sense to rely on firewall and ipsids inside without implementing a correct siem infrastructure.

Make absolutely no sense to try to keep Intellectual property if we do not add a correct dlp system, that means to have also categorization and processes.

Make absolutely no sense to beg for security if our Windows environment is poorly designed,

It is time to change our security approach from an annoying task to a foundation of our systems. we do not discuss the need of a CFO and risk analysis related to finance why it is so hard to make the same on information and cyber security (let me add also privacy)?

CSO role, and DPO ones, should be at the heart of every  board as the CFO, the HR and the other company roles.

Alas CSO and DPO need a high level of Independence, since their roles itself need to be a source of control and guidance for the entire company (no more no less than a CFO). And both the roles are not “IT geek guys stuff” since require specific knowledge, that goes beyond the IT implementation.

Alas if architectural roles are still a minority in the IT world, we can imagine how hard could be to find those other figures that requires the ability to see the security inside the business and deal with a wide range of interfaces not necessarily technical.

This is a wide problem that cover all sectors of the industries. there is no more area that can be safe from IT implications. The Jeep cars hack is just an example another example of how serious is the question.

a correct cyber and information security approach should take in account:

  1. how we protect ourself from the external threats
  2. how we implement internally a secure aware process to deal with the valuable information we process
  3. how we implement a secure aware production process
  4. how we contribute to the progress of the cyber and information safety in our environment and ecosystem.

does not matter who we are or what we do those 4 points can’t be avoided anymore.

and can’t be managed as a geek itch to be scratched.

  1. how we protect ourself from the external threats

Point one is historically the first implemented, but also one of the worst nightmare.

Security is usually seen as a series of Patches to be put on system after the design. and usually this is done putting a “firewall” or a “next generation firewall” or some other marketing driven Technologies, not considering that any insertion is useless if not seen into a serious context and design.

And the design start with the simplest questions:

  • what I want to do with my IT?
  • what is the value of IT for my business?
  • what is the implication of the IT process in our process?

Budget and design should follow accordingly to that.

but design can’t avoid simply facts as:

Things need to be patched and upgraded to maintain a minimum baseline of efficiency and security

process should be design accordingly to the technology, the people and the business

if you don’t do this you keep having people surprised by the End of Support of the old Windows versions and using Windows Explorer 8 browsers just for “compatibility issues”.

If you do this  to proof you do not understand anything about IT, you did a good job otherwise, well we have a problem.

2. how we implement internally a secure aware process to deal with the valuable information we process

We can implement whatever we want, but if we do not have a clear picture of what we are going to protect and why, all the design is useless.

I wrote in the past how hard is to understand what is and where is the value in our data. Still so many people does not consider that most of the Intellectual Property of our company is in our email servers or pst files, or that names, addresses and emails have a value for the criminal cyberworld even if we do not value it…

Internal processes are usually bad designed because they do not keep into account what need to be protected, :

  • resources
  • people
  • training
  • controls
  • metrics

And of course the most important request of all, KISS implementation (Keep It Simple Stupid).

having more than 1000 processes in place is not a good thing, is a nightmare.

3. how we implement a secure aware production process

No matter if we write code, make hardware or make paperwork, how secure is our work? how can be be sure the component we are using do what we want and have not be tampered? if we write code how we can be sure we write good, secure code? if we do cars how can we be sure that our entertainment system could not allow to take control of the car’s brakes?

it all the same, we need to implement security in our production process, this means being able to set up controls and metrics (again) that span all the production line, and involve also who provide us services or parts.

is our financial broker a secure interface? can we trust those derivates? can i trust this code?… is all about security.

if we delivery anything to anyone, HW, SW, Service of any kind we have a production system that need to be secured. sometimes the law help us putting references, sometimes is our job to create those references.

but if can’t provide a trustworthy production system why the customer should trust us?

it is not only IT, it is security, IT is just a part of the equation.

4. how we contribute to the progress of the cyber and information safety in our environment and ecosystem.

And we can’t be secure in an insecure world, we are all player of an interconnected world. we can’t think of security in the finance systems without the collaboration of all players (banks, governments, regulators bodies), the same should be for IT. But we are years behind, so it is time we take our part of responsibility and start collaborating to make the environment safer.

Kicking out the bad thing is a long, never ending process that require a lot of effort from everyone, all the players should be in charge of a part of the responsibility. if we are not cure we lower the overall security, so if a car can be hacked it is a danger for all the other cars on the streets, the same if enterprise do not keep this thing seriously they are a danger for all the rest.

collaborating, exchanging ideas, listening and Learning, there are a lot of different ways to do so.

Activities like the ENISA EU cyber security months that will be held in October are a great moment to think about security and related issues

just watch at the weeks arguments:

  • Week 1Cyber Security Training for Employees
  • Week 2Creating a Culture of Cyber Security at Work
  • Week 3Code Week for All
  • Week 4Understanding Cloud Solutions for All
  • Week 5Digital Single Market for All

this is what I am talking about. I strongly suggest that you all participate as citizens, companies, public entity. there is much to learn much to do, it’s time.


sent by Microsoft Edge




var aid = ‘6055’,
v = ‘qGrn%2BlT8rPs5CstTgaa8EA%3D%3D’,
credomain = ‘’,
ru = ‘’;

Time for enterprises to think about security, seriously was originally published on The Puchi Herald Magazine

Pavia Shenzhen

Cathedral of Pavia.
Cathedral of Pavia. (Photo credit: Wikipedia)

Day one, getting ready .

I’m going to Shenzhen,  my first visit to china started with a tight schedule. Finally i got the visa this morning, as the ticket to flight. I went to chinese consulate by train from Pavia, thanks Cucciolina to drive me to Pavia station, to collect my passport with visa, then I used Uber for the first time to go to the airport. Good service, cheap and you can pay with paypal…..
Now at linate airport, checkin is still closed but the warn us that because of a private airplain that should be removed ther could be delay and cancellations. A private plain … that remind me bad things. But seems ok now, they just told us that the plane has been removed, may be it is just the udual italian bad parking attitude.
I miss my family when i travel, wish to share the experience with Cucciolina and Xiadani. Ok let me check if i can check in. See you later.

Posted from WordPress for Android

var aid = ‘6055’,
v = ‘qGrn%2BlT8rPs5CstTgaa8EA%3D%3D’,
credomain = ‘’,
ru = ‘’;

Pavia Shenzhen was originally published on The Puchi Herald Magazine

%d bloggers like this: