As they say, hindsight is 20/20 — and panelists at this week’s virtual Iowa Technology Summit had the benefit of tough lessons from the year 2020 to share with Iowa companies tuned in for seminars on cybersecurity, leadership, business analytics, and diversity, equity and inclusion. Below, read a few takeaways shared by business representatives. The Iowa Technology Summit is hosted annually by the Technology Association of Iowa.
Online and off-premise
In the last two years, businesses have seen a 41% reduction in on-premise workloads, a strategy supported by business use of cloud storage, said Bruce Younts, vice president of infrastructure and cloud services at Zirous.
The cultural shift to work-at-home during the start of the 2020 COVID-19 pandemic also changed the scope of reach for company IT departments, said Matt Butler, information security officer at CRST International. Now, teams evaluating cybersecurity measures need to design for a different working world than when all company equipment operated in the same building.
“We literally had people pick up their desktop computers and take them home with them, but those desktop computers didn’t have all of the remote access titles, all of the web filtering tools, things we put on the perimeter edge of [our] network,” Butler said. “Now we know that we’re getting away from the perimeter. The perimeter doesn’t exist anymore, so why pretend that it does?”
How common are cyber incidents? ‘Part of daily life’
“Incidents are a part of daily life. Hopefully, breaches are not part of daily life,” said Shari Lewison, chief information security officer at the University of Iowa.
Every organization can expect to face a cybersecurity incident, when an attack attempts to infiltrate the organization’s network. A cyber breach happens when the attackers make it inside the network.
“We’re still always learning. It seems like when we identify one threat scenario or one response scenario, something different pops up on a different front,” Lewison said. “I don’t know if there’s a health care organization out there that hasn’t had to address that ability to do public notifications, notifications to patients. The environment has changed so much, that’s just a reality.”
“One of our major cold storage partners had a very public ransomware event, and we probably spent two or three weeks of significant internal effort recovering from that and managing through it with them,” said Ryan Schaap, chief technology officer at Wells Enterprises.
“Most people’s incident response plans deal with ‘What’s going to happen to me if I get attacked?’ But I think in the new world of incident responses, ‘What’s going to happen to me when my partners have issues, and all of my supply chain has issues?’ needs to be the thing people start working into their plans,” Schapp added. “The more we can open up the conversation about what really works, and share with each other, the better.”
Inviting the whole team to dance
On a panel on diversity and inclusion, Delight Deloney and Kingsley Gobourne put together a picture-perfect metaphor for true inclusion, based on one shared initially by Deloney, field services director at SHRM.
“Diversity is inviting everyone to the dance, but inclusion is being asked to dance,” Deloney said.
“We not only want to invite you to the dance and ask you to dance, but every once in a while we’re going to play some of your music, and we’re going to let that reflect your culture and your contributions to it. That gets us to the point of belonging,” added Gobourne, senior consultant of diversity, equity and inclusion at UnityPoint Health.
Companies that want to ensure progress need to build in meaningful metrics to achieve individual goals in staff education, recruitment and the retention of employees, said Denise Earley, executive administrator at Principal Financial Group.
“Holding leaders accountable to those results as part of their goals is success that we’ve seen at Principal. And there’s no substitute for education to get to the metrics that you want to have,” Earley said.
Viewing data as an asset
Fifty percent of Fortune 1,000 company leaders don’t treat their data as an asset, said Madison Lang, director of machine learning and artificial intelligence services at Zirous. Ninety-three percent of executives identify people and process issues as prevalent obstacles to successfully using artificial intelligence and advanced analytics in operations.
“Alignment, bringing the right people to the table and having proper communication lines open across teams within your organization are really critical. So much of this strategy work is upfront,” Lang said.
Turning regular meetings into staff check-ins for a remote team
More than a year of remote work during a pandemic challenged the way Manatt’s Inc. had to build and support relationships with employees, Chief Technology Officer Bridger Moreland said. To stay motivated and trust each other, Manatt’s Inc. had to be direct in asking employees what they felt and what they needed during a year full of emotional challenges.
“Most of us probably utilize daily stand-ups to make sure work is progressing and we’re aware of any impediments,” he said. “Two things that we wound up adding during that very long year of 2020 that helped us stay engaged with each other was checking on the welfare of each other — that simple question of ‘how are you doing?,’ only we asked it in a way that actually prompted something other than the typical American ‘fine’ response.”
“There were a few very honest answers at weekly team meetings, and those answers brought us a new understanding that there were human beings on the other end of those Zoom calls. … That might be a bit much for a daily stand-up, and you might be wondering how that fits into a weekly stand-up. It’s a bit out of the ordinary, and we do want to limit meeting time. But in a virtual environment, it was necessary.”
To pay a cyber ransom or not?
When a major cyberattack happens at an organization, the final approval for action often lies at the feet of leaders who might feel ill-equipped to make decisions in the emergency, said Lewison.
“Oftentimes the people who have to make those decisions are not technical. They feel even more ransomed — they feel ransomed by the actual event, but I think there is an overwhelming sense of not understanding what all the options are,” Lewison said. “My responsibility in that space will be to make sure that we clearly communicate what the status is, and what our capabilities are — if we do or don’t have backups, what options we may have. That’s our responsibility to be clear and put it in nontechnical terms.”
Some proposed public policies across the U.S. would potentially ban taxpayer-funded institutions from paying ransom. For institutions like the University of Iowa, which operates the University of Iowa Hospitals & Clinics system, that could leave health care facilities with ethical challenges while treating patients during a cyberattack.
“I think having that avenue taken away would almost victimize the victim even more,” she added. “If it’s a matter of bringing your health care operation back online or paying a ransom — there’s a real ethical decision that has to be made in those cases.”