
Is Latin America the Emerging Region for Technology Services Delivery? | Blog

By | Blog, IT Security

For years, India has been the epicenter of offshore technology services delivery for U.S.-headquartered enterprises. But our Market Vista Annual Report 2019 and Predictions for Global Services Delivery Locations 2019 reports show that a host of factors are driving a much closer look at Latin American countries as a destination for the delivery of IT services.

So, what’s making Latin America click with companies of all sizes, including some of the world’s biggest brands, like Amazon, Facebook, Google, HP, Intel, and Microsoft?

Proximity with the U.S.

The time zone differences between India and the U.S. impede the real-time collaboration that agile development demands. But because Latin America and the U.S. share similar time zones, the delivery and client teams can collaborate in real time.

Availability of skilled IT professionals

Due to strong government and educational support, Latin American countries are producing an ever-growing number of talented professionals with relevant, and often advanced, technology skill sets such as blockchain, artificial intelligence, and machine learning.

Rise in technology start-ups

The abundance of low-cost technical talent is driving a surge in Latin American technology start-ups through accelerator programs such as 500 Startups, Techstars, and Y Combinator. Investors are also betting big on the potential of technology start-ups in the region. For example, in March 2019 SoftBank Group announced a US$5 billion Innovation Fund, touted to be the largest-ever technology fund in Latin America.

Less competitive intensity

Although India is far more cost competitive than Latin American countries, competition in India is increasingly intense given that it is home to more than 1,100 shared services centers and thousands of service provider delivery centers. Because there are fewer service delivery centers in Latin America, competition for talent is comparatively lower, making it easier for companies to hire the best talent.

Language proficiency

Most Latin American countries have significantly improved their English language proficiency over the years. And their Spanish language skills are valuable to the U.S. market given the large Spanish-speaking population residing in the country.

Most leveraged countries for technology services in Latin America

What are the top five Latin American countries doing to advance their attractiveness to technology services clients?

Mexico — #1

  • Passed new regulation for its FinTech sector, which is the largest FinTech ecosystem in Latin America
  • Established INADEM to support establishment of start-ups
  • Launched 500 Startups Latin America, Startup Mexico, and Startup Weekend Mexico to develop tech start-ups
  • Launched the world’s largest free economic zone along the US-Mexico border to attract tech investments.

Argentina — #2

  • Passed the Entrepreneur’s Law, which accelerates businesses’ registrations
  • Launched programs such as Startup Buenos Aires and IncuBAte to support entrepreneurship
  • Provides free university education to everyone.

Brazil — #3

  • Established Start-Up Brasil, a federal program to support start-ups
  • Launched TechD, a public-private partnership, to fund emerging technology companies
  • Initiated a national plan on digital transformation, IoT, and information, communications, and cyber security strategy
  • Launched STEAM courses to develop a large pool of engineers and technical talent
  • Passed a law to hire temporary workers on a longer contract term.

Colombia — #4

  • Rebranded Colombia as a technology center, and offers tax incentives and a professional training program
  • Established a Ministry of Science, Technology, and Innovation, and a High Council for Innovation and Digital Transformation to support tech initiatives.

Chile — #5

  • Launched a centralized web system that allows one-day business registrations
  • Established Start-Up Chile to support development of start-ups and boost the local tech ecosystem
  • Launched a tech visa facility to help technology talent and investors acquire a visa in 15 days
  • Introduced a blockchain-based platform for public payments.

With their strong trade links, nearshore advantage, and growing technology talent pools, several of the Latin American countries offer a multi-pronged value proposition to enterprises seeking an IT services delivery destination.

To learn more about the region, please read our Market Vista Annual Report 2019 and Predictions for Global Services Delivery Locations 2019 reports.

Protect Yourself from Cyber-breaches: Digital Forensics and Incident Response | Blog

By | Blog, IT Security

According to the Identity Theft Resource Center, a staggering 1,200+ breaches were reported in 2018. A breach can wreak havoc on a business, including – but not limited to – loss of revenue and reputational harm. And poor incident response can compound that damage, as demonstrated by breaches at Deloitte, Equifax, Uber, and Yahoo.

Some enterprises are recognizing the importance of being prepared and able to respond to attacks: 22 percent of respondents to a 2018 Everest Group survey rated “reduction in time/effort to detect, respond, and recover from breaches” as their top strategic priority for the next 12 to 24 months.

But given the dangers, 100 percent of enterprises need to think through and create an effective risk mitigation strategy. This is where Digital Forensics and Incident Response (DFIR) can be essential. Combining incident response with deep forensic analysis to collect and examine digital evidence on electronic devices, an effective DFIR strategy can help mitigate business risks in the early stages of an attack.

Twin Forces Driving DFIR Adoption

Starting on the DFIR journey: an enterprise perspective

The first step in the journey is establishing forensic analysis and incident response teams responsible for reporting, incident handling, and monitoring when a breach is detected.

The incident response team should have specific training in areas such as file systems and operating system design, and have knowledge of possible network and host attack vectors.

After a breach is detected, the forensic analysts must work closely with the incident response team to address several issues, such as isolating affected systems and making containment decisions, based on existing device, access, and data security policies. Enterprises must also update their policies regularly to stay ahead of attackers.

Putting DFIR into action

An effective incident response plan should include the following components:

Enterprise action items following breach detection

A guided approach to creating a DFIR strategy

Enterprises without a cyber-attack incident response plan leave themselves open to potentially insurmountable losses. Despite the danger, they often face significant challenges in creating a plan. These challenges include:

  • Limited budget for plan development and forensic analysis
  • Lack of built-in approval systems to kick off incident response
  • Lack of support for cyber insurance policies
  • Lack of adequate skill sets to perform forensic analysis.

Our guided approach to developing a DFIR strategy can help enterprises evaluate and onboard digital forensics as part of their overall cybersecurity strategy.

DFIR strategy for enterprises

Specialist DFIR offerings can help

As many enterprises aren’t equipped to improve their security posture and reduce incident response times on their own, specialist DFIR vendors – such as CrowdStrike, Cylance, and Mandiant – can assist with suites of holistic offerings. In contrast with managed security services (MSS) players, specialist DFIR vendors lead with localization as their core value proposition. Their product-centric service offerings, localization, and guided approach help enterprises build resilient businesses.

In fact, DFIR capabilities are becoming a deal clincher/breaker in large security transformation deals between enterprises and MSS providers. Enterprises need to carefully analyze the value proposition of their current/potential MSS partners serving as their DFIR vendor. The following checklist can help enterprises determine if their MSS providers can provide DFIR services.

Enterprises’ MSS Partner Checklist for DFIR Capabilities

Approaching DFIR in the digital world

Today’s business environment has dramatically changed the way enterprises need to address DFIR. Adoption of digital technologies such as cloud, IoT, mobility, software defined everything (SDX), etc., has made traditional forensics techniques obsolete. And issues such as evidence acquisition, validation, and cataloging are just the tip of the iceberg.

The following new approach can help enterprises effectively protect themselves against cyber attacks in the digital world.

The new approach to DFIR

Given what’s at stake, enterprises must understand that remaining in the dark about potential breaches can prove significantly more devastating than the time and resources required to build or onboard competent digital forensics capabilities. DFIR can be a challenge, but it’s worth it.

Please reach out to us at [email protected] and [email protected] if you are interested in exploring DFIR in further detail.

Enterprises Must Bake “Contextualization” into Their IT Security Strategies | Sherpas in Blue Shirts

By | Blog, Cloud & Infrastructure, IT Security

Given the rapid uptake of digital technologies, proliferation in digital touchpoints, and consumerization of IT, traditional enterprise security strategies have become obsolete. And challenges such as security technology proliferation, limited user/customer awareness, and lack of skills/talent are making the enterprise security journey increasingly complex.

Against that backdrop, the key thrust of our just-released IT Security Services – Market Trends and Services PEAK Matrix™ Assessment 2019 is that the conventional, cookie-cutter best practices prescribed by service providers no longer cut it. Indeed, we subtitled this new assessment “Enterprise Security Journeys and Snowflakes – Both Unique and Like No Other!” because the complexities of today’s technological and business landscape are forcing enterprises to use a much more guided and contextualized approach toward securing their IT estates.

What does this mean? To achieve success, enterprise IT security strategies must focus on three discrete, yet intertwined, levers.

Enterprise-specific Business Dynamics

In order to prioritize their investments in next-generation IT security, every enterprise needs to understand which assets it considers its crown jewels, how the business – and its security investments – will scale, and how to best mitigate risk within budgetary constraints. For example, a traditional BFS enterprise has far different endpoint security needs than does a digital-born bank.

Enterprises must also determine how delivery of superior customer and user experiences and exceptional security can co-exist. For example, a BFS enterprise’s introduction of an innovative new payments service backed by multi-factor authentication must operate without degrading the customer experience with delays.

Vertical Considerations

Enterprises need to take an industry-specific, value chain-led view of IT security that ensures optimal budget control without compromising the overall security posture.

For example, BFS firms must invest in security measures that protect their transaction processing and control/compliance capabilities. And building security controls for user access management, introducing behavioral biometrics into an integrated authentication process, and developing identity controls for anti-money laundering compliance are essential safeguards for sustainable competitive advantage.

Regional Considerations

Stringent regulatory environments (such as GDPR for customer data protection in Europe, PCI DSS for payments in the U.S., HL7 for international standards for transfer of clinical and administrative data between applications) and geography-specific nuances require a circumstantial approach to IT security. This means that geography-specific compliance around data protection, protectionist measures undertaken by the government, enterprises’ digital demand characteristics, and enterprises’ priorities in specific regions need to be taken into account. And global organizations must adhere to a well-defined strategic roadmap to address multiple variants of IT security standards across the globe.

For service providers, this essentially implies delivery of localized services in their focus geographies.

Taking a Phased Approach

While bolting-on IT security capabilities may lead to unnecessary – and valueless – sprawl, enterprises can avoid this challenge by investing in their IT security strategies in a phased manner, as outlined in the figure below.

To learn more about IT security contextualization, please see our latest report, which delves deeply into the important whys and hows of contextualizing IT security, and also provides assessments and detailed profiles of the 21 IT service providers featured in Everest Group’s IT Security Services PEAK Matrix™.

Feel free to reach out to us to explore this further. We will be happy to hear your story, questions, concerns, and successes!

Enterprises Should Jump – Carefully – on the Cloud Native Bandwagon | Sherpas in Blue Shirts

By | Blog, Cloud & Infrastructure, IT Security

With enterprise cloud becoming mainstream, the business case and drivers for adoption have also evolved. The initial phase of adoption focused on operational cost reduction and simplicity – what we call the “Cloud for Efficiency” paradigm. We have now entered Wave 2 of enterprise cloud adoption, where the cloud’s potential to play a critical role in influencing and driving business outcomes is being realized. We call this the “Cloud for Digital” paradigm. Indeed, cloud is now truly the bedrock for digital businesses, as we wrote about earlier.

This is good and powerful news for enterprises. However, to successfully leverage cloud as a business value enabler, the services stack needs to be designed to take advantage of all the inherent benefits “native” to the cloud model – scalability, agility, resilience, and extendibility.

Cloud Native – What Does it Mean Anyway?

Cloud native is not just selective use of cloud infrastructure and platform-based models to reduce costs. Neither is it just about building and deploying applications at pace. And it is definitely not just about adopting new age themes such as PaaS or microservices or serverless. Cloud native includes all of these, and more.

We see cloud native as a philosophy to establish a tightly integrated, scalable, agile, and resilient IT services stack that can:

  • Enable rapid build, iteration, and delivery of, or access to, service features/functionalities based on business dynamics
  • Autonomously and seamlessly adapt to any or all changes in business operation volumes
  • Offer a superior and consistent service experience, irrespective of the point, mode, or scale of services consumption.

Achieving a true cloud native design requires the underlying philosophy to be embedded within the design of both the application and infrastructure stacks. This is key for business value creation, as lack of autonomy and agility within either layer hinders the necessary straight-through processing across the integrated stack.

In this regard, there are salient features that define an ideal cloud native IT stack:

Cloud native applications – key tenets

  • Extendable architecture: Applications should be designed for minimal complexity around adding/modifying features, through build or API connections. While microservices inherently enable this, not all monolithic applications need to be ruled out from becoming components of a cloud native environment
  • Operational awareness and resilience: The application should be designed to track its own health and operational performance, rather than shifting the entire onus on to the infrastructure teams. Fail-safe measures should be built in the applications to maximize service continuity
  • Declarative by design: Applications should be built to trust the resilience of underlying communications and operations, based on declarative programming. This can help simplify applications by leveraging functionalities across different contexts and driving interoperability among applications.

Cloud native infrastructure – key tenets

  • Services abstraction: Infrastructure services should be delivered via a unified platform that seamlessly pools discrete cloud resources and makes them available through APIs (enabling the same programs to be used in different contexts, and applications to easily consume infrastructure services)
  • Infrastructure as software: IT infrastructure resources should be built, provisioned/deprovisioned, managed, and pooled/scaled based on individual application requirements. This should be completely executed using software with minimal/no human intervention
  • Embedded security as code: Security for infrastructure should be codified to enable autonomous enforcement of policies across individual deploy and run scenarios. Policy changes should be tracked and managed based on version control principles as leveraged in “Infrastructure as Code” designs.

Exponential Value Comes with Increased Complexity

While cloud native has, understandably, garnered significant enterprise interest, the transition to a cloud native model is far from simple. It requires designing and managing complex architectures, and making meaningful upfront investments in people, processes, and technologies/service delivery themes.

Everest Group’s SMART enterprise framework encapsulates the comprehensive and complex set of requirements to enable a cloud native environment in its true sense.

Smart Cloud blog image

Adopting Cloud Native? Think before You Leap

Cloud native environments are inherently complex to design and take time to scale. Consequently, the concept is not (currently) meant for all organizations, functions, or applications. Enterprises need to carefully gauge their readiness through a thorough examination of multiple organizational and technical considerations.

Cloud Key Questions blog image

Our latest report titled Cloud Enablement Services – Market Trends and Services PEAK Matrix™ Assessment 2019: An Enterprise Primer for Adopting (or Intelligently Ignoring!) Cloud Native delves further into the cloud native concept. The report also provides the assessment and detailed profiles of the 24 IT service providers featured on Everest Group’s Cloud Enablement Services PEAK Matrix™.

Feel free to reach out to us to explore the cloud native concept further. We will be happy to hear your story, questions, concerns, and successes!

The Equifax Data Theft: What if GDPR were in Force? | Sherpas in Blue Shirts

By | Blog, IT Security, Outsourcing

The high-entropy data protection space has once again gained headlines after Equifax, the U.S.-based consumer credit reporting agency, revealed that a July 2017 theft compromised more than 143 million American, British, and Canadian consumers’ personal data. The data breach incident, one of the worst cyber-attacks in history, was conducted by hackers who exploited a vulnerability in the company’s U.S. website and stole information such as social security numbers, birth dates, addresses, and driver’s license numbers. (Equifax maintains and develops its database by purchasing data records from banks, credit unions, credit card companies, retailers, mortgage lenders, and public record providers.)

Much about the situation would have been considerably different had this breach happened after May 2018, at which time the General Data Protection Regulation (GDPR) – a regulation by which the European Parliament, the Council of the European Union, and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU) – goes into effect. Even though it is not headquartered in the EU region, Equifax would have come under the purview of GDPR, because it maintains and reports the data of British citizens. And the stringency of requirements and degree of implications would have been significantly higher for the credit rating agency.

GDPR and Equifax

Although not directly related to GDPR, another significant business impact is the sudden “retirement” of Equifax’s CEO less than three weeks after the breach was announced.

This massive cyber-attack is a wake-up call for the services industry. Starting today, operations and businesses must regard data protection regulations with the utmost importance. Non-compliance will not only harm firms financially, but also expose them to brand dilution and business continuity risks.

Some of the key imperatives for enterprises operating in the ever-so-stringent data protection space include:

  • Know and understand the data security laws under which your enterprise falls, especially those such as GDPR that have far reaching impacts
  • Redesign your business processes to incorporate privacy impact assessments to identify high risk processes
  • Implement necessary changes in the contracts with third parties to incorporate the stricter requirements of consent
  • Achieve process transformation to inculcate privacy by design; this includes risk exposure reduction by technological changes such as data minimization
  • Appoint a Data Protection Officer to align the business goals with data protection requirements
  • Make suitable changes in contracting and governance practices to ensure adequate emphasis on data protection

To learn more about the strategic impact of the EU GDPR on the global services industry, please read our recently released viewpoint on GDPR: “EU GDPR: Is There a Silver Lining to the Disruption.”

The “War” in Ransom“war”e – Service Providers will Feel the Pain of Clients’ Tougher Security Policies | Sherpas in Blue Shirts

By | Blog, Cloud & Infrastructure, IT Security

In the immediate aftermath of last week’s WannaCry ransomware attacks around the world, many organizations will consider how quickly and effectively to update older Microsoft operating systems and apply the necessary patches. The longer-term effects, however, will be more far reaching as governments and other organizations review their security policies to protect their systems against future attacks. This spells tougher requirements on IT services as well as on service providers’ connections to client systems.

Tougher government policies on suppliers

The WannaCry attack in the UK crippled the National Health Service (NHS), putting people’s lives at risk. It is going to cost billions to put right, not only in terms of upgrading systems but also rescheduling operations and treating people whose condition will have worsened after the delay caused by the attack. The UK government must act, and be seen to act, to better protect vital services in the future. It is likely to unveil new, stringent policies for cyber security.

While this spells new business opportunities for IT service providers to enhance the public sector’s cyber security, other service providers will feel the pain of even more long-winded procedures to connect to clients’ VPNs when working on system integration or business process services. Many already have to apply to clients’ IT departments on a daily basis to be allowed to connect to VPNs. More stringent requirements are likely to come into force.

Microsoft must face the music

Let us not forget that it was a Microsoft Windows vulnerability that enabled this attack. Microsoft must face pressure to continue to support its older operating systems for longer. There are often legacy systems that work only with older operating systems, so a Windows upgrade can be very costly. A cash-strapped organization, the NHS prioritises patient care over keeping up with Microsoft’s timetable for Windows upgrades and discontinuing support for older operating systems. This is something that the UK government must address. It has enough buying power to demand action from Microsoft.

Upgrade pressure on government agencies

Government bodies such as the NHS will be put under renewed pressure to upgrade their systems and keep them up-to-date. The organizations will no doubt demand extra cash to deal with the situation. Spending on cyber security is set to increase whether agencies find new money or redirect funds from other activities. This ransomware attack will therefore boost the IT market for end-point security if not the wider security sector.

Pressure on users

Users too will feel the pain of ransom“war”e. Tougher usage policies are likely to get enshrined in IT department guidelines. Users are likely to experience reduced flexibility as more organizations adopt desktop lockdowns, with workspaces becoming more centrally controlled and monitored to reduce risks.

With the number and variety of attacks increasing, all aspects of IT security will be tightened up. Even the most laggard of organizations will look to build better security controls across their broad IT services or risk loss of business, revenue, reputation and, in some cases, the wellbeing of their customers.

Why Healthcare IT Security Must Be at the Forefront of the CIO Agenda | Sherpas in Blue Shirts

By | Blog, IT Security

Considering the nature of regulations and the sensitivity of personal information, one would assume that IT security is a top priority in the healthcare space. However, an estimated 29 million+ patient health records have been compromised (classified as HIPAA data breaches) since 2009. The number of health records breached in 2013 jumped a whopping 138% over 2012. Serious security flaws have even been detected in Obamacare’s much-touted flagship health insurance exchange website, HealthCare.gov, including severe lapses spanning JSON injection, unsanitized URL redirection, user profile disclosures, cookie theft, and unprotected APIs.

An Afterthought

Healthcare IT security challenges

The pace at which IT is changing the healthcare landscape makes it a prime target for malicious activity. Industry headwinds such as big data, payer-provider convergence, BYOD, HIX, EHR/EMR, and the Internet of Things (IoT) are adding to the healthcare information security conundrum. Patient records have become increasingly common in the fraud marketplace. When combined with other data sources such as insurance and medical data, the problem assumes more alarming proportions.

And it’s not a case of absence of punitive measures. Under the new HIPAA Omnibus Rule (effective from September 2013), firms face fines of up to US$1.5 million in the event of a violation (“willful neglect that was not timely corrected”). Europe has enacted several data security measures. Even before the latest regulatory rulings, insurer WellPoint was fined US$1.7 million after its online application database exposed information concerning more than 600,000 patients.

Feeding the problem

Although CIOs often list security as a priority imperative, it just doesn’t translate into actual spending. This discrepancy can be attributed to a confluence of reasons. The problem originates in a lax culture regarding IT security. The majority of information security breaches are highly avoidable, and most lapses can be traced back to sloppy system administrator password practices, careless sharing of sensitive information, and failure to change default login credentials, among others. Healthcare information security is still not a top execution priority for most personnel, and most security programs are hampered by lack of relevant expertise and attention. Regulatory inconsistencies compound the issue: multiple agencies are involved (FTC, FDA, FCC, to name a few), and their often divergent mandates contribute to the travails of healthcare IT security stakeholders.

Healthcare IT security roadmap

Stakeholders – both buyers’ internal IT teams and third-party service partners – face an increasingly complex technology conundrum. Any mitigation strategy should incorporate leading practices utilized in similar initiatives:

  • Conduct a thorough risk-assessment to proactively identify and secure vulnerabilities
  • Establish clear level-driven permission policies (on a need-to-access basis) applicable to data, applications, and devices (keeping in mind expanding BYOD policies)
  • Institute appropriate staffing practices to make sure personnel with relevant skills are given charge of security tasks
  • Ensure adequate personnel training and sensitization toward information security
  • Implement best-in-class encryption standards
  • Collaborate with business associates (held to the same standards as HIPAA-covered entities) to establish processes and enforce standards
  • Evaluate the security strategy along a security versus accessibility paradigm
  • Drive synergy between the business and IT vision to avoid incoherent implementation resulting from disparate imperatives

Ultimately, any healthcare IT security policy has to encapsulate the individual needs and challenges of various stakeholders – patients, providers, payers, and third parties – to ensure equitable access and health information exchange for coordinated care. The unenviable task of securing healthcare information amid the onslaught of exploding devices and touchpoints calls for a carefully thought-out and implemented approach. But first, healthcare IT security must make a monumental shift from being an afterthought to being a primary strategic imperative in any plan design.