Spotlight: ChatGPT, FAA Outage and Technology Spend
CIO.Inc Editors Discuss Important Lessons
Suparna Goswami (gsuparna) • April 5, 2023
Four editors at ISMG's CIO.Inc review this month's most important technology conversations with leaders and their thoughts on some significant developments in the tech world in the latest episode of Spotlight.
The editors - Suparna Goswami, associate editor; Rahul Neel Mani, VP, editorial and community engagement; Shipra Malhotra, managing editor; and Brian Pereira, director, global news desk, discuss:
- The lessons on incident response from the FAA outage;
- Pros and cons of ChatGPT in cybersecurity;
- Reasons for the sustained level of technology spending.
Spotlight is a monthly video series where editors highlight topics that matter to the CIO community. Catch up on our previous episode, where editors discuss how CIOs' priorities have changed amid the current economic crisis.
Suparna Goswami: Hello there, and welcome to yet another episode of Spotlight. This is the third episode, and we will discuss today what's in the mind of CIOs, what are the plans for the year ahead and are they slowing their spend on technology? We'll discuss this and much more in today's episode of Spotlight, where we highlight everything related to tech. The elite editors joining me in today's episode are Rahul Neel Mani, who is vice president - community engagement and editorial; Shipra Malhotra, who is the managing editor; and Brian Pereira, who is director at global news desk. A warm welcome to all of you, as usual. Thank you so much for joining.
Rahul Neel Mani: Thanks, Suparna.
Shipra Malhotra: Thank you, Suparna. Looking forward to it.
Brian Pereira: Glad to be here, Suparna.
Goswami: Thank you. Shipra, let me start by complimenting you first on an excellent blog that you wrote on the FAA outage that took place in January, if I recall. So you wrote on the importance of having an effective incident response plan. Most companies, I'm assuming, do have an incident response plan, but when an actual incident happens, they're often lost. We'd love to understand from you what are some of the factors that derail an incident response strategy?
Malhotra: Thanks, Suparna. When it comes to any incident response plan, like you rightly said, companies might have that in place, but when it's time for action, that is when they realize that some of the action items that they had put in the plan did not work on the ground. And there are various factors which actually derail any incident response plan. And sometimes it just boils down to the basics, because they haven't got the basics right, because they were just focusing on the high-level action items. So sometimes it's factors like lack of clear and transparent communication to both the internal and external stakeholders. So, therefore, communication is the area where they often fail. Then, another factor is the absence of clearly defined responsibilities for each individual or team that is involved in the response process. So while overall they might have the checklist in place, that this is how we are going to be responding in case of a cyber incident or an IT failure, individuals might not know, or they might not have a clear definition of, how they are supposed to respond at their individual level, and the same goes for the team. So while the organizational response mechanism might be in place, sometimes the individual and team-level response mechanism is lacking. Another area of failure is the lack of a well-defined standard operating procedure. So while you have the overall procedure defined, and well defined, the standard operating procedure at a very minute level or at the very basic level might be missing. The fourth and the most important factor that derails any incident response program is the lack of skilled manpower that is trained on incident and contingency response. And this goes back to what you said, whether they are ready when the action happens on the ground. So therefore, it's very important that not only are they trained, but they also have regular drills of how they need to respond when there is an actual contingency.
And to this, I also want to add one more factor, which is that you may have the manpower trained on response, but do you have the manpower that is trained in all the areas, whether it is the communication team, whether it is the legal team, or whether it is the IT team? So the communication and the response should not be in silos.
Goswami: Shipra, you did quite a bit of research for the blog that you have written; it's clearly visible. So what was missing in the incident response plan when it comes to the FAA?
Malhotra: Coming to this specific incident of the FAA outage, there was considerable time lost between when the failure happened and when they could lift the ground stop on the flights. Now, the bigger the time gap in responding, the more damage it causes. And we have seen in this case, with the thousands of flights being grounded, it not only had an effect or impact on those particular flights, but a cascading impact on various other sectors of the economy. So there was an overall economic implication. So what happened, or rather what went wrong, in this particular incident, or rather in the response to this incident, is handling the importance of clear incident communication. And this was one of the points that I made in my answer to what derails. Now, in this case, the FAA communicated updates quickly and frequently. So there was no problem with that. Yet many people did not understand the messages because key terms were not explained and potential impacts were not immediately clear. So one lesson is that the CIOs and CTOs must make sure that messages are both correct and easily understood by those impacted by an outage. So clear communication, clear messaging, was the particular reason for delayed incident response in this case.
Goswami: Well, thank you, Shipra, thank you so much, I thoroughly enjoyed it. But as they say, not only communication, but sometimes over-communication also does no harm. But Rahul, you have been covering this space for a long time. So what would be, quickly, your advice on a good incident response strategy? Because, as she said, they did have the plans in place, but at the end of the day, if people do not understand, there's no point in having those strategies in place.
Neel Mani: Yeah, I mean, it's a longer debate, Suparna. You cannot do justice to this in a shorter period of time. However, just to add to what Shipra just said, and what she has written in her blog, which I have carefully read, it all began with a very honest confession of a mistake by an engineer, who replaced one file with another and didn't realize that he had made, I mean, a terrible mistake, which could cause not only the grounding of multiple aircraft for a very long period of time, but also millions and millions of dollars of losses to both government and airlines. So, it all emanates from the fact that an incident response plan will remain a plan. It will remain a fantastic plan on paper if you are not regularly going for live drills.
Goswami: Rahul, now moving to your very good interview with John Lovelock from Gartner. Unlike common perception, and I'm equally guilty of that, he says that technology spending has not come down, at least when it comes to fulfilling the short-term goals. And he also spoke about some interesting trends on how CIOs are handling the long-term projects. So would you like to share some more details with our audience?
Neel Mani: Yes, in fact, it was a great revealing interview with John, when I spoke to him. Generally, we go with the facts which are published in terms of figures, and we all look forward to such data coming from agencies like Gartner. However, before I answer your question, I would admit that we are in very interesting times. All of us, I mean, both journalists and the technologists. And the times that we are in are a mix of both challenges and excitement. It is only during such times that the real word of wisdom is put to the test. It is all about how you extract opportunities out of the challenges that you're facing. And there's no denying the fact that there are varying degrees of economic headwinds, which are blowing across the spectrum of businesses. In some parts of the world, businesses are under a slightly tighter grip. While in other parts, they haven't yet witnessed something as grave as a recession. However, coming straight to your point of technology spending, I mean, let me just clarify that CIOs have always been tasked with one particular KPI, and that has become a part of their DNA now, and what is that KPI? That is creating value and efficiency without much increase in costs. So they've always been very cost conscious, and most progressive CIOs that you talk to, or I talk to, or anyone else talks to, they use technology to actually carve some really ingenious innovations that are aimed at not only saving dollars, but also at creating, you know, newer products that are directly linked with generating more revenue for their organizations, and also spurring growth in the long term. Now, during my conversation with John, I mean, who also happens to be their chief forecaster at Gartner, he actually clarified the fact that, why is it looking like a slowdown? It's not because the spending is getting less. It is because of a few reasons. One is that the U.S. dollar is becoming stronger in comparison to other currencies, and therefore it will look like, or it will be perceived as if, the spending is going down. At the same time, if we see in terms of constant currency growth, the spending will be 7% higher than the previous year. And that's what the clarification was, and it was quite convincing to me. However, to talk about the tech investments, they will certainly get prioritized. For example, projects that have longer deployment cycles, let me give you a few examples like, you know, SAP implementation or any ERP implementation, will be broken into smaller pieces. These are called manageable components of a large project, which not only help in reducing the cost burden on an organization, but also give greater efficiency. At the same time, the users get familiarized with smaller modules, and then they quickly pick up on the larger ones. Another myth that John kind of broke during the conversation was the investment in on-prem infrastructure and applications. We generally feel that most of the investments are now going into cloud, and therefore on-prem infrastructure will slowly wither away. Now, according to him, and most of the agencies, that's not the truth. And when I say it's not the truth, it is getting incremental investment, and what it means is that the critical core applications, which are sort of the lifeline for organizations and businesses, such as the core banking app in a banking organization, or ERP in a manufacturing company, are still likely to be hosted on-prem. And therefore, the investments in the data center, storage, networking will continue to grow.
Goswami: So, Rahul, you mentioned cloud. And remember, he said that the increase in price by cloud vendors of late has not really impacted the market much, because, he said, historically, cloud vendors have either kept the price at the same level over the years, decreased it, or added more service at the same price. So price has always been a very strong pull factor. A low price has been a pull factor for people. But now, even despite the increase in price, the market very much is very cloud-centric.
Neel Mani: I mean, this is an interesting question and a slightly trickier one, because it involves a lot of conversation on the economics of cloud. Now, generally, when any one of us speaks to a CIO, more often than not, they would come up with an answer that cloud is only good until it is used only for specific purposes, such as platform services, or maybe sporadic, small SaaS solutions. The moment you start using cloud at scale for core infrastructure solutions or deployment, the costs actually start spiraling. And that is when the economics of cloud start making little or no sense for CIOs. Now that's a premise. However, to me, that's not entirely correct. And at no stage am I suggesting that the economics of cloud is an easier calculation to do. It involves a lot of stakeholders, including the whole of the CFO's office. And frankly, cost is one of the key reasons why exceptionally large corporates are still shying away from, or hesitate to spend much on, infrastructure as a service, or IaaS. However, things are gradually changing. And the reason for that is that most of the legacy technologies, or what we call technology debt, have got inherent issues of tech obsolescence. The upgrades are very tricky. I mean, either they will cost you a lot of capital, or you get locked into the hardware for a very long time, depending on your technology life cycles. The lack of compute and storage available on demand is one of the biggest reasons why most organizations are looking at cloud-first strategies and spending more on cloud. Another best option in such a case, I mean, such scenarios, is, of course, moving towards cloud gradually. If an organization uses cloud wisely, and uses a relatively large portion of the cloud stack, then it becomes more economical and more affordable, rather than using smaller chunks of cloud.
Until now, the cloud service providers have actually kept the cost under wraps and under control. Even if the user organizations went to their CSPs, asking about the rationale behind the cost, they always gave through some value-added services, while keeping the cost constant. Now 2022 was an exceptional year, when CSPs across, I mean, all the large major CSPs, decided to raise the price. And it actually created a lot of conversations among organizations across the spectrum. And the cost was increased across the production services. But since the dependency on cloud has gone so much higher, retracting or going back to an on-prem solution is nearly impossible. And therefore, CIOs will absorb, or the organizations will have to absorb, that cost. However, that's where John suggests that CIOs need to do newer ROI calculations for both the ongoing and new cloud projects. The question that they need to ask is: can I get a similar or a better ROI with the new pricing? That's the question the CIOs need to ask.
Goswami: So Brian, moving to you, you have now become our in-house ChatGPT expert. Your latest feature touches upon how generative AI models can be used for cyberattacks and cybersecurity. So what needs to be done to keep all this in check?
Pereira: Yes, Suparna, the story was titled ChatGPT: The Good, the Bad, and the Ugly. So like every other technology, this also is a double-edged sword, there's the good side, as well as the bad side. So I spoke to a number of experts around the world, for writing the story. And the general consensus is that we need to have some governance and some controls in place before we put this extremely powerful technology in the hands of users. And of course, the models will need to be continuously trained to understand what is acceptable, and what is not; what is ethical and what is not ethical. But then the general consensus among all the participants for the story is that the creators of this technology - that is Microsoft, OpenAI, Google and others - have to collaborate with government, with industry, with the universities, and define standards and controls for regulation. Also, all these stakeholders, they need to share threat intelligence among themselves. And this is the only way that we will be able to fight the bad guys who are now exploring ways for misusing AI and machine learning.
Goswami: So Brian, what are you seeing on the good side? And how do you think AI and GPT can improve cybersecurity?
Pereira: Suparna, interestingly, two days ago, I was watching this Microsoft webinar, and they were showing a demo of the Security Copilot technology, which is not yet released to the public, but has a lot of potential. And as I was watching the demo, I got a sense that GPT and AI can undertake voluminous tasks for security analysts, like scanning through logs, looking for unusual behavior in the logs, in the SIEM, etc. And Security Copilot can also help in forensics, because it can generate a nice flowchart, a nice graph that traces the path of the attack from the source to the target. Now, apart from that, the experts that I spoke to for the story say that AI has certain capabilities that can be leveraged to improve security. For instance, AI can be voluminous, with scale. It can be applied to managing the scale or volume of attacks. And right now, that's putting a lot of pressure on security practitioners. And there's even burnout, and people are quitting, because there are just too many attacks. Another expert tells me that ethical hackers and security teams can use AI to increase the efficacy and save time on repetitive tasks that are less impactful towards the accuracy of security testing outcomes. So that's the good side of it. And of course, on the bad side, straight away we are seeing very convincing phishing emails being written. Because of the quality of this generative AI, it can generate very human-like text, which is very convincing. But there are other frightful possibilities, which I won't go into right now, because I don't want to give the bad guys the wrong kind of ideas. But it's something that we have to be afraid of.
Goswami: Yes. With Microsoft coming out with this new product, Copilot, I'm sure there are a lot of new possibilities with AI on the defender side.
Pereira: Absolutely. It can definitely take a load off what's happening right now. You know, all the repetitive tasks, all the voluminous tasks, you could certainly do with a helping hand, so that we can focus on, we could prioritize, a few things, and the security analysts can tackle only those tasks. So yes, it's not perfect yet. It's still a work in progress. I saw during the demo that it did make mistakes. Microsoft did admit that it's not perfect yet. But eventually, down the line, I think in a few years' time, this technology is really going to be useful for security analysts, Suparna.
Goswami: Thank you, and my final question, Brian, Rahul and Shipra, to you all, as you all have been interacting with CIOs for many years, every day, for the site. So who is the CIO with whom you look forward to interacting the most, or from whom you have learned the most? I know it's a tough question to answer, to pick one person.
Neel Mani: For me, it's a very easy question. And I always go back to one CIO when I have to gain more wisdom and worldly wisdom, both in terms of agility and innovation. I mean, he is one of the CIOs who has got three terms' extension in his role. I'm talking about a gentleman called Rajesh Uppal, who is the CIO of Maruti, one of the largest automobile manufacturers in the world. And whenever I talk to him, his mindset is that of an innovator and not of a person who only deploys technology, and therefore, wherever I get a chance to talk to him, I come back enriched with a lot of ideas as to what technology is capable of, and what CIOs can do to become more like business enablers than just technology deployers.
Goswami: Thank you, Rahul. Thank you for your answer. It was an easy one for him. Shipra, what about you? An easy one for you as well?
Malhotra: No, not really. I second what Rahul spoke about Mr. Rajesh Uppal. Suparna, for me, it's very difficult to choose just one CIO who has been a great influence. So I've decided to go by a book, which is Truth from the Trenches: A Practical Guide to the Art of IT Management. This book has a lot of lessons from the practical experience of Mark Settle, who has been a six-time CIO, and there are a lot of learnings from this book. And one of the big learnings is that he says that CIOs often believe that strong technical understanding and management is sufficient, not realizing that developing social bonds with one's colleagues inside and outside of IT can make or break one's experience. So this is something which was interesting, because while we talk of the technical competence, as well as the management competence, of CIOs, I think this was the first time that I was reading about the social competence, the need to build it, and of course he has shared a lot of lessons from his various stints with the different companies. And these are all practical experiences that he has shared. And therefore, I think that is one book, rather than one CIO, that has inspired me.
Goswami: Thank you, Shipra. Brian, quickly.
Pereira: Yeah. For me, the CIO who inspired me most is Arun Gupta. He's a very famous CIO in the Indian community, and he's no longer a CIO. But he was formerly the CIO of illustrious organizations like Cipla, DHL, Shoppers Stop, and many other organizations. So as I interviewed Arun Gupta over the years, in many interviews, I learned how the CIO role evolved. There was once no such thing as a CIO; it was just an EDP manager, or an MIS (management information systems) manager. And over the years, Arun told me how the CIO role evolved and how you arrived at CIO. What I also learned from Arun Gupta was how CIOs think strategically, what their responsibilities are, and what they have to do to earn a seat at the table and win board respect. So through a lot of conversations with Arun Gupta, I began to understand the CIO mindset. And he's a friend today; we occasionally meet and we continue to exchange notes. So for me, that was the CIO who inspired me the most.
Goswami: Thank you so much, friends, Rahul, Shipra and Brian, for taking time out for today's Spotlight and sharing your views on some of the stories you have worked on this month. Thank you. Until next time!
Neel Mani: Thank you, Suparna. It was great talking to you and all my colleagues.