Topic 5- Enterprise Security Architecture

Topic 1- Social Engineering Killed the Cat

Social engineering has been one of the critical topics in cybersecurity breaches, and organizations fear it because we humans are the weak point. It is an interesting topic because it is all about psychology and understanding the person you are trying to manipulate into helping you. There are endless social engineering techniques that can be used to attempt to gain access, but I will list the three I hear and read about most often:

  1. The flash drive- This is one of many psychological tests of curiosity: the attacker leaves a USB drive lying anywhere in public, or even in a cab, and a curious person picks it up and plugs it into their home computer, or even a work computer, to see what is on it. The drive does not run anything by itself on a current operating system (Windows stopped honoring autorun on removable media more than a decade ago); the attack depends either on the victim opening a lure file stored on it, or on the "drive" really being a keystroke-injecting device that presents itself as a keyboard and types commands the moment it is plugged in. Some people think they can outsmart it by plugging it into a computer that is not connected to the internet, so the attacker has no way of communicating with the malware; however, a payload can simply stay dormant, showing no activity at all, and start beaconing out as soon as that machine, or a file it has infected, is connected to the internet.
  2. The FREE Wi-Fi- Everyone loves free internet access, especially people on a limited data plan who try to minimize consumption by connecting to whatever open network they can find. This is another popular psychological trick: people read "FREE PREMIUM WIFI" and are lured, sometimes desperately, into connecting. Once connected, the attacker who runs the access point is in a position to monitor their traffic, and may also present a "SIGN UP" page to get Wi-Fi access. This is where many individuals make the simple mistake of reusing their usual password, and now the attacker has a candidate password for the other services they use, whether email, social media accounts or even financial services.
  3. The QR code- This is one of the newly trending ones because we now see QR codes in many of the places we go: a restaurant where you scan the code to see the menu (very popular since COVID-19), the gym to see the class schedule, or a mall to get the store directory or offers. After scanning, people are so eager to see the "offered" service that they tap "Yes" or "Allow" on any pop-up; this is where the attacker takes advantage, using the pop-up to get the victim to hand over data, install something, or grant the page access to the device.
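The flash-drive case above has one check a practitioner can automate: a drop device that types commands shows up to the kernel as a keyboard, not as storage. The script below is an added example for this post, not code from the original article. It parses constructed Linux dmesg-style lines (the field layouts mirror real kernel output, but the sample devices, names and vendor/product ids are illustrative) and flags any USB device that exposes a HID keyboard interface while calling itself a disk or also registering as mass storage.

```python
"""Spot a "flash drive" that enumerates as a keyboard.

Added example, not from the original post. The dmesg lines are constructed;
the vendor/product ids and names are illustrative, and real field layouts
vary slightly by kernel version.
"""
import re
from dataclasses import dataclass

# Constructed sample: port 1-1 is an ordinary flash drive, port 1-2 is a device
# that calls itself "USB Flash Disk" but registers a keyboard interface.
SAMPLE_DMESG = """\
[  101.201] usb 1-1: new high-speed USB device number 3 using xhci_hcd
[  101.350] usb 1-1: New USB device found, idVendor=0781, idProduct=5581, bcdDevice= 1.00
[  101.351] usb 1-1: Product: Ultra
[  101.352] usb 1-1: Manufacturer: SanDisk
[  101.420] usb-storage 1-1:1.0: USB Mass Storage device detected
[  203.702] usb 1-2: new full-speed USB device number 4 using xhci_hcd
[  203.850] usb 1-2: New USB device found, idVendor=1209, idProduct=0001, bcdDevice= 1.00
[  203.851] usb 1-2: Product: USB Flash Disk
[  203.930] input: USB Flash Disk as /devices/pci0000:00/0000:00:14.0/usb1/1-2/1-2:1.0/0003:1209:0001.0002/input/input19
[  203.931] hid-generic 0003:1209:0001.0002: input,hidraw0: USB HID v1.11 Keyboard [USB Flash Disk] on usb-0000:00:14.0-2/input0
"""

NEW_DEVICE = re.compile(
    r"usb (?P<port>\d+-[\d.]+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-fA-F]{4}), idProduct=(?P<pid>[0-9a-fA-F]{4})"
)
PRODUCT = re.compile(r"usb (?P<port>\d+-[\d.]+): Product: (?P<name>.+)$")
MASS_STORAGE = re.compile(r"usb-storage (?P<port>\d+-[\d.]+):\d+\.\d+: USB Mass Storage device detected")
# hid-generic logs the HID id as <bus>:<vid>:<pid>.<n>; bus 0003 is USB.
HID_KEYBOARD = re.compile(
    r"hid-generic 0003:(?P<vid>[0-9a-fA-F]{4}):(?P<pid>[0-9a-fA-F]{4})\.[0-9a-fA-F]+: "
    r".*USB HID v[\d.]+ Keyboard"
)
# Product names a keyboard has no business carrying.
STORAGE_WORDS = ("disk", "flash", "drive", "storage", "stick")


@dataclass
class UsbDevice:
    port: str
    vid: str
    pid: str
    product: str = ""
    mass_storage: bool = False
    keyboard: bool = False


def parse_dmesg(text: str) -> dict[str, UsbDevice]:
    """Build one UsbDevice per port from the enumeration lines."""
    devices: dict[str, UsbDevice] = {}
    for line in text.splitlines():
        if m := NEW_DEVICE.search(line):
            devices[m["port"]] = UsbDevice(m["port"], m["vid"].lower(), m["pid"].lower())
        elif (m := PRODUCT.search(line)) and m["port"] in devices:
            devices[m["port"]].product = m["name"].strip()
        elif (m := MASS_STORAGE.search(line)) and m["port"] in devices:
            devices[m["port"]].mass_storage = True
        elif m := HID_KEYBOARD.search(line):
            # The HID line does not carry the port, so link it by vendor/product id.
            key = (m["vid"].lower(), m["pid"].lower())
            for dev in devices.values():
                if (dev.vid, dev.pid) == key:
                    dev.keyboard = True
    return devices


def keystroke_injector_candidates(devices: dict[str, UsbDevice]) -> list[tuple[str, str]]:
    """Return (port, product) for devices that type like a keyboard but look like storage."""
    hits = []
    for dev in devices.values():
        looks_like_storage = dev.mass_storage or any(w in dev.product.lower() for w in STORAGE_WORDS)
        if dev.keyboard and looks_like_storage:
            hits.append((dev.port, dev.product))
    return hits


if __name__ == "__main__":
    found = parse_dmesg(SAMPLE_DMESG)
    for port, product in keystroke_injector_candidates(found):
        print(f"port {port}: '{product}' registered a keyboard interface - treat as a keystroke injector")
```

On a real host the same logic can be run over `journalctl -k` output or wired to a udev rule; the point is that the kernel already tells you when a "disk" starts behaving like a keyboard, and that is the moment to deny the device rather than after its payload has typed a command.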

Topic 2- Security Awareness

This is one of those topics that many organizations neglect and overlook because it is classified as an operational expense with no tangible value to the organization. Year on year the security team requests a specific budget for security awareness for the organization's staff, and this is the best practice, because as an SRM leader you have to make sure that individuals within the organization are constantly reminded of the criticality of this issue and how all it takes is one individual to cause a state of emergency and possibly shut down the entire operation. These awareness activities can be as follows:

  1. Video content or awareness message via email– This may be the easiest method since it has minimal or no cost; security leaders can create content or reuse available content and distribute it using the company's email. With the right recurrence frequency it raises awareness.
  2. Physical/remote training- This is harder to run frequently; however, it provides the basic understanding of how and why you need to follow the protocol when it comes to cybersecurity to keep the organization safe.
  3. Social event within the organization– This may be a once-a-year activity and is usually achieved through a third party. In my current organization, it was delivered through one of the outsourced contracts for its cybersecurity operations. It was a great success; it was conducted on premises and all employees were invited to go through different booths and learn about cybersecurity.

I believe there are a lot of similarities between the practice of cybersecurity and enterprise architecture in terms of gaining continuous support to ensure the organization achieves a higher return on its investments. Both practices require continuous effort to develop their maturity levels within their domains.

Topic 4 – Technology infrastructure architecture

Topic 1 – Manage Service Contract Renewal

I came to notice that with every blog topic reading assignment there is something relevant going on in my organization. For this week, I was reading the article "Key Considerations When Thinking About Insourcing or Changing IT Service Providers". It was written back in 2013 (10 years ago), yet the majority of the points it makes are still very useful in today's operations, since many organizations like mine must deal with this depending on which style of operations they are managing. For my organization, operations manpower is outsourced to local vendors for both infrastructure operations and application lifecycle development and administration. The contracts are renewed every 3 years, and I will elaborate on why it is 3 years later, when I go over the interview points I discussed with the Digital Transformation advisor. As I mentioned, the organization outsources its operations for many diversified reasons, and I will highlight the key ones as follows:

  1. Government restrictions- As a government entity, only nationals are eligible for such job vacancies if the organization were to recruit for the positions.
  2. Financial restrictions- To have a highly available, highly reliable team, given the nature of the organization, a lot of investment would be needed to provide the necessary manpower.
  3. Rapid technology updates- To keep the organization's infrastructure and applications up to date, the organization requires a dedicated team to ensure all updates are in place without operational disruption.

As I mentioned earlier, this is one of the current hot topics within the department, as we are currently re-tendering the outsourcing contract since a contract renewal with the current vendor is not an option. I had the opportunity to meet and interview one of the digital transformation advisors, who is also serving on the bid review committee. We were able to informally discuss the following topics in relation to the subject:

  1. Outsource history- When I asked whether there was ever a time when staff were hired instead of outsourced, the answer was: there has never been a recruiting strategy to fulfill the positions' needs. HR attempted to convince the committee to avoid the outsourcing expense, but when the numbers were calculated there was minimal difference between the two. There was an attempt during the last contract to tender the infrastructure as a separate contract from the applications; however, during the contract period a lot of communication-related issues took place, as well as issues with each vendor taking responsibility for fulfilling its duties.
  2. Cost- The figures could not be disclosed, but I was informed that this figure takes a big chunk of the annual operating cost, and in order to maintain high availability and high reliability, this figure will stay as is, if not higher, when contracting with the new outsourcing vendor.
  3. Control- As part of the high cost, all intellectual property (IP) remains with the organization as per the contract.
  4. Change- The contract amendments enable change within the infrastructure and accommodate any new changes needed, whether technically driven or driven by the business.
  5. Contract- The contract duration is currently 3 years per tender cycle. When I asked why not extend it to 5 years or more to avoid operational disruption, the answer was to ensure that the contract keeps up with the rapidly changing field of infrastructure and applications.
  6. Alignment- Continuing from point #5, the 3-year tender cycle ensures alignment between the business needs and the scope of the contract.
  7. Frustration with service quality- Since the contract includes manpower, it is natural that every contract has a poor performer; however, the contract must ensure that such cases are dealt with within a specific timeframe.

Topic 2- Creating a Digital Workspace Strategy

Creating a digital workplace and investing in the tools and capabilities for it has been one of the main areas many organizations invested in during and after the COVID-19 pandemic. The level of investment depended on the industry: some organizations' operational performance was boosted by remote operations, while others were dependent on face-to-face interaction. Reading the Gartner article "Crafting a Digital Workplace Strategy That Matches Your Technology Adoption Profile" brought back a lot of memories. During the early stages of the pandemic, the organization I work for took the early initiative of ensuring that all staff members had the necessary tools and capabilities to operate. One of the early digital workplace adoptions was providing all staff members with laptops and collaboration tools, even though by then this was considered a commodity (we were in 2020; kids in elementary school had laptops) and was already operational in some companies. This was a key step for the operation and was already on the roadmap; however, with COVID-19 the transition from traditional desktops to laptops was expedited at triple the speed. Everyone in the organization received a laptop configured with all the necessary business and collaboration software installed. This was all achieved within a 2-3 month time frame.

This triggered a digital initiative within the organization to ensure minimal manual procedures remained and that over 90% of its procedures were automated. In addition, the organization aimed to make software licenses available to all its users, whereas previously they were limited to a few users within each department. This was the trigger and start of creating the digital ecosystem within the organization, and it continued to build its capabilities, such as infrastructure, and to address any security issues to avoid disruptions. The organization continues to develop its digital workplace maturity by ensuring all services are available to users whether on premises or working remotely anywhere in the world. In addition, it has invested in an application and services hub to bring all the applications and services together under one application. A yearly initiative is now in place to ensure the team is continuously on the lookout for trends to further enhance the digital workplace.