Public Incompetence

California shows why you don’t want to entrust your government with more data than it absolutely needs. California is building a database with all donations to political and non-profit organizations. Free-speech advocates from a Charles Koch foundation to the NAACP are against it, and the Supreme Court will soon rule whether this is okay. As a European, I don’t much care either way.

The IT security part is interesting, though. It is fairly sensitive information whether someone donated to Donald Trump or Black Lives Matter. California of course promises to protect it, but they have built a website where you can simply change the URL to get access to every donation record in the entire database.

That is mind-boggling incompetence. I am not blaming the individual developer, though an experienced lead programmer could have spotted this glaring vulnerability. But I am blaming the IT leaders in the organization that have failed to put any kind of security review in place, even for highly sensitive data. That is a firing offense in my book. Maybe a competent CIO should run against Governor Newsom in the California recall election.
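The flaw described above is a missing object-level authorization check: the site authenticates the visitor but never asks whether that visitor may read the record named in the URL. The following is an added illustration written for this post, not code from California's system; the records, the session model, the auditor role and the function names are all constructed. It puts the insecure handler beside the fixed one and includes the kind of sweep a security review would run against both.

```python
from dataclasses import dataclass

# Constructed sample data: donation records keyed by numeric ID, each tagged with
# the filer (the organization that submitted the report) that owns it.
DONATIONS = {
    101: {"filer": "org-a", "donor": "Alice Example", "amount": 250},
    102: {"filer": "org-a", "donor": "Bob Example", "amount": 1000},
    103: {"filer": "org-b", "donor": "Carol Example", "amount": 75},
}


@dataclass(frozen=True)
class Session:
    """Authenticated caller (constructed). `filer` is the organization the user
    belongs to; `is_auditor` is a hypothetical staff role allowed to read all records."""
    user: str
    filer: str
    is_auditor: bool = False


class NotFound(Exception):
    pass


class Forbidden(Exception):
    pass


def get_donation_vulnerable(session: Session, record_id: int) -> dict:
    """Insecure handler: it requires a session (authentication) but never asks
    whether this session may read this record (authorization). Any logged-in
    user who edits the ID in the URL is served every record in the table."""
    if record_id not in DONATIONS:
        raise NotFound(record_id)
    return DONATIONS[record_id]


def get_donation_secure(session: Session, record_id: int) -> dict:
    """Hardened handler: object-level authorization. The record is returned only
    if the session's organization owns it or the session carries the auditor role."""
    record = DONATIONS.get(record_id)
    if record is None:
        raise NotFound(record_id)
    if not session.is_auditor and record["filer"] != session.filer:
        raise Forbidden(record_id)
    return record


def audit_reachable_ids(handler, session: Session, id_range=range(100, 110)) -> list:
    """Review check: call the handler with a sweep of candidate IDs and return the
    ones it served to this session. For a correctly authorized handler this must
    equal exactly the set of records the session is entitled to see."""
    reachable = []
    for candidate in id_range:
        try:
            handler(session, candidate)
        except (NotFound, Forbidden):
            continue
        reachable.append(candidate)
    return reachable


if __name__ == "__main__":
    org_a_user = Session(user="alice", filer="org-a")
    print("vulnerable handler serves:", audit_reachable_ids(get_donation_vulnerable, org_a_user))
    print("secure handler serves:    ", audit_reachable_ids(get_donation_secure, org_a_user))
```

The sweep belongs in the regression test suite, run with a session for each role, so that a later change that drops the ownership check fails the build rather than a public launch. Many deployments also map `Forbidden` to the same HTTP 404 response as `NotFound`, so the service does not confirm which IDs exist to callers who are not entitled to them.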

Are you Trusted?

Trust is a fragile thing. The University of Minnesota (UMN) broke it and is now struggling to contain the fallout. How do you ensure your IT organization remains trustworthy?

UMN researchers submitted a Linux patch containing a known bug in order to see whether the Linux community would spot the problem. This kind of uninvited security testing is ethically a gray area and is frowned upon by most IT professionals. The researchers wrote a paper with their findings and then submitted more buggy patches.

The Linux community was not amused by being experimented on, and decided to block all further contributions from the University of Minnesota. Furthermore, they decided to rip out several hundred past contributions to the Linux kernel by the UMN because they no longer trusted them. University leaders are belatedly scrambling to apologize, but the community has rejected their apology.

As a CIO or CTO, do you know if your users trust the systems you roll out? One unhelpful support person unable to explain a data discrepancy can make the entire Finance department lose trust in your expensive Business Intelligence dashboard. IT only creates business value if it is used and trusted. Make sure you measure trust.

Are your AI Projects Legal?

Because the IT industry has failed to agree on any meaningful guidelines for AI usage, regulators are now stepping in. In order to get the attention of the global giants, the proposed EU regulation threatens GDPR-style fines of up to 6% of global sales. The rules outlaw some usage, like real-time facial recognition, and place strict limits on other uses. For “high-risk” use by police and courts, companies must provide a risk assessment and documentation of how the system comes to its recommendations.

In the US, the Federal Trade Commission has also just weighed in. In a blog post, they clarified that selling or using biased AI might constitute “unfair or deceptive practice” and be subject to fines.

As a CIO or CTO, check who is responsible for ensuring your AI projects adhere to all relevant regulations. Each individual project cannot be responsible for keeping up with rapidly developing global regulations. If you have not appointed someone to keep watch over your AI projects, the blame will end up on your desk when your organization is found to violate AI regulations you weren’t even aware of.

Beware of Un-updatable Devices

A hundred million IoT devices are open to hacking. It turns out there is a whole slew of flaws in four different basic TCP/IP implementations. Since many IoT devices don’t have auto-update capability, and many don’t have updatable firmware at all, all of these devices are simply waiting to be subverted by hackers.

In other news, a startup has produced an autonomous robot that drives around the farmer’s field all by itself, zapping what it considers weeds with lasers. What could possibly go wrong?

If you are deploying any IoT technology, consider carefully how the devices will be updated with new software. Parts of the IoT industry have a sell-and-forget mindset, and that will embed ticking time bombs in your infrastructure.

The Intern Did It!

The intern did it! Solarwinds’ new CEO just added another top contender to the pantheon of bad excuses. This one is right up there with “the dog ate my homework” and is destined to become an instant classic.

Testifying before a U.S. Congressional Committee, Solarwinds came out looking like bungling amateurs. First, they had a system that allowed a password like solarwinds123. Second, they had an externally accessible system where that password worked. Third, they didn’t do anything about it when security researchers pointed it out. Fourth, they try to pin the blame on an intern who created that password.

As a CIO, you can either isolate your public-facing systems completely from the internal ones and allow username/password access, or you can require two-factor authentication or other additional security. The days when you could secure a non-trivial, externally facing system with just a username and password are long gone.

Beware of Data Collectors

The days of untrammelled data collection “for the common good” might be ending. At least the watchdogs are yapping a little louder, as a new court case in London shows. The British National Health Service apparently has a contract with secretive American data analytics company Palantir, and they are being sued by a private privacy watchdog.

I would probably not choose to name my company after the device with which the dark lord Sauron subverted the wizard Saruman. However, the Lord of the Rings reference is obviously lost on investors, who value Palantir at around $50 billion even though it has yet to make money.

As a CIO, you need to know where your data goes. If you have third parties analyzing it, you need to have someone make an independent assessment of whether you can expect your data to be safe with them. You need to balance the reward against the reputational risk if you are found cooperating with shady operators.

Do You Know Where the Problems Are?

In Arizona, there are prisoners still behind bars who should have been released. The reason: The software that calculates their release date hasn’t implemented a 2019 law change. With this being just one of the 14,000 bugs (!) reported on the system, these people can potentially stay locked up for a long time yet. Officials claim there is no problem and their manual process flawlessly implements a complicated rule estimated to take 2,000 hours to program.

Deciding what gets implemented first is a leadership decision. And this one should be at the top of the list – right after the bug that means gang affiliation is not properly recorded, and members of warring gangs might end up in the same cell…

A desperate whistleblower finally went to a local radio station with this story after having been ignored internally for a year. As the CIO, do you have a method in place that ensures concerned programmers and users have a way to point out critical issues?

Missing AI Results

It turns out AI was not about to cure cancer. There was no shortage of hyperbole when IBM’s Watson AI beat the best humans at Jeopardy, but IBM has been unable to create a viable business from their AI prowess. Now their AI-powered health department is for sale if anybody wants a slightly used AI with one careful owner.

AI has proven its worth in many places, also in healthcare. But those have been narrow, well-defined areas like examining X-rays or flagging possibly fraudulent insurance claims. Just throwing a bunch of data scientists and an AI at a problem does not work.

If you have AI projects like Watson that have not delivered the results they promised, you can re-scope them to try to harvest some value from solving a smaller and more well-defined problem. Or you can shut them down. The age of unquestioned spending on AI is over.

Use Real Intelligence Instead of the Artificial Kind

If you can leverage real user intelligence in your systems instead of the artificial kind, you get a better result with less effort. But it takes some intelligent thinking by your developers to get to that point.

The new Microsoft Edge (version 88) that rolls out soon has crowdsourced the difficult decision of which browser notifications to allow. Users are tired of constant “Allow this website to send you notifications?” prompts, but it didn’t work to just make all of them more unobtrusive. Microsoft tried that first with “quiet” notification requests, but that meant many users were missing out on the notifications they did want. Instead, the upcoming version will use the decisions by all Edge users to decide which notification requests to show. If everybody else has refused notifications from a specific website, the Edge infrastructure learns that and defaults to not showing notification requests from that site.

Do you have ways to harvest the decisions your users are already making and use that data to improve your systems? Put your data scientists to work on the challenge of using human intelligence instead of continuing to try to train AIs.

Are you Releasing Sub-Standard Systems?

Out of a sample of 5,000 apps, 80% did not live up to a reasonable standard. Are you releasing sub-standard apps or systems?

A company that reviews healthcare apps for the UK National Health Service found many bad examples, including apps that provided complex medical advice without any expert backup, or apps without security updates for several years. They’ve been through 5,000 apps, but there are 370,000 health-themed apps out there.

As a CIO, look in your systems list for information about applicable regulation. For every system, you should see a list of which regulations (GDPR, CCPA, HIPAA etc.) apply to that system, and the name of the person who has certified that this list is complete. For every regulation, you should also see the name of the person who certifies that the system complies. If you don’t have that information in your systems list, you are probably releasing sub-standard systems.