
The promise of pair programming: Fewer defects, faster dev cycles

Using a single computer and keyboard, two developers sit side by side and jointly analyze the project at hand, strategizing and combining strengths to solve problems faster and expand their skill sets. Called pair programming, it’s an ill-advised work set-up during a pandemic.  

Yet a number of digital tools, such as Visual Studio Live Share, Teletype or GitHub’s Codespaces, enable pair software development between remote engineers.

Fangda Wang, software engineer at Indeed, said her team began implementing a pair programming technique called pair rotation in February. The technique is a variation on pair programming, in which developers switch partners frequently. As a result, the team was able to execute a faster development cycle, improving developer efficiency.

“When you pair, it feels like you and your partner both have some pieces of the puzzle,” said Wang, speaking last week at a Women in Tech Virtual Summit session. “You leverage each other to make a beautiful picture. And at the same time, learning is easy.”

Pair programming can improve team dynamics and efficiency at a time when teams are experiencing longer development cycles as a result of pandemic-induced disruption. Whether used sparingly for educational purposes or more ingrained into the workflow, it can lower the learning curve for new employees and distribute team knowledge more evenly.

But leaders should deploy the technique in a way that maximizes the potential of software development teams and prevents resource waste. Adding too much bandwidth to pair programming can mean an inefficient allocation of developers’ time.

In Wang’s case, pairing with a front-end developer colleague allowed her to observe “how he composed a task into a subtask and how he made decisions among different implementations.” The exercise reduced development time to two weeks on a project where Wang had not made progress. 

“One of my team members said, ‘a week’s pairing makes me learn more than a month solo,’” Wang said.

The upper hand of pair programming

Extreme programming was proposed in 1999 as an agile framework. There are three key collaborative development techniques teams can adopt, according to Peter Hyde, senior research director at Gartner:

  • Pairing: A driver and a navigator sitting together at one work station
  • Swarming: The whole team collaborates to complete each change, each from their own stations
  • Mobbing: A whole team working together on the same item, at the same time, at the same computer.

The use of pairing can deliver a 15% decrease in escaped defects, and helps developers leverage brainstorming, said Hyde, in an interview with CIO Dive. In pairs, focus on the task at hand increases. 

“Team dynamics will be improved by working closely together,” said Hyde. Pair programming lets teams “break down silos by working with others with different skills,” which also reduces individual points of failure.

Continuous learning practices, such as pair programming, innovation sprints and hackathons help employees become proficient with agile processes, Gartner said in its research note, titled “Adopting Agile? Do What Successful Agile Teams Do.”

Extreme programming techniques aren’t all that common at the enterprise level, with just 11% of companies including pair programming among the agile methods they used in 2019, according to the study.

But pair programming adoption is 13% higher among teams with successful agile development when compared to teams with unsuccessful agile practices. In a separate study, titled “Agile in the Enterprise,” Gartner found 87% of companies use Agile for at least some of their application development.

The concept of pair programming can face resistance in the current economic context since managers can perceive two employees on the same workstation as a waste of resources. Business leaders are seeking to maximize efficiency while lowering costs, with eight in 10 CIOs facing pressures to shrink budgets, while half of CIOs report having already slashed IT spend, according to data from Apptio.

“It’s always been a challenging concept for management because they see two people in one machine,” said Hyde. “We have to explain why it’s a good idea and an advantage.”

When adopting pair programming techniques, leaders must address the correct use cases in order to reach results. “Pairing is like coriander,” said Wang. “By nature, you can love it or hate it, but if you’re looking to add a spice to your meal you need to know when to use coriander. Similarly you need to know when to use pairing.” 

In considering where to apply pair programming, Wang recommends focusing on tasks that aren’t “too straightforward,” but instead tackle more complex projects that might benefit from a diverse set of skills.

“That’s the worry of many product managers,” said Wang. “Are we wasting resources by putting two developers on a single task? Sometimes, absolutely yes.”

Building your own SaaS billing system not for the faint of heart

A technology company Laurie Fleet worked with several years ago had some of the best computer engineers in the world, so it was a no-brainer to company finance leaders to use in-house talent to build its software as a service subscription billing system. It was a project that took three years longer than expected and the system still required updating after completion.

“At the outset, they thought this was easy,” says Fleet, a partner with PricewaterhouseCoopers, who consults with companies on their SaaS billing systems. “‘I just have to do some calculations, slap them on a piece of paper, and send it out to my customers. How hard can billing be?’”

The company estimated an 18-month build time, but the project took five years and still only captured about 85% of the company’s pricing models. It took another three years to get the system to 100% and also incorporate flexibility to accommodate pricing models the company expected to use in the future. 

“Subscriptions are a little harder in the back office than one-time sales,” said Fleet during a CFO Live virtual conference session. “You have recurring pricing. You have fixed pricing. Or you have a combination of both. You can have different billing frequencies: monthly, quarterly, semi-annually, or annually. And then after customers have signed up, contracts change. You might have multiple amendments a year. And the way the relationship is ongoing, you have to manage renewals.”

Subscription models on rise

Most technology companies today launch as subscription-based SaaS businesses, and most existing companies, in technology as well as other sectors, are moving to a subscription model if they haven’t already made the move. The reason is a predictable revenue stream and the chance to upsell or cross-sell at renewal.

Because of the variety and complexity of subscriptions, though, billing presents a challenge, especially for companies transitioning from a traditional model in which the customer relationship ends after the purchase is made.

Finance leaders have three options if they’re looking to create or upgrade their billing system to accommodate a growing subscription business, Fleet said.

They can build their own, but that will likely take longer, cost more and consume more resources than expected, or they can buy an off-the-shelf solution and use their in-house resources to customize it to their needs. But that can be just as fraught as building it on their own. 

“When we were looking at the billing system [of a company that customized an off-the-shelf solution], we estimated they were spending roughly $20 million a year just to maintain that system,” said Fleet. “And that was just to keep up with point-in-time requirements and not give them flexibility for whatever came up in the future.”

The third option is to buy a robust off-the-shelf solution that integrates with the finance organization’s ERP and has flexibility to accommodate any pricing variant company executives might conceive in the future.

“You never know what that next new way of pricing a product is going to be,” she said.

New models

One trend she’s seeing is usage-based pricing, which involves pricing that fluctuates up and down based on how much of the service the customer consumes. 

“You might have started off with a simple subscription model, but now, to get even more revenue and more margin, you start adding consumption-based models to your portfolio or go-to-market offerings,” she said.

Another trend is advanced subscription billing, in which subscribers pay upfront for their use of services, maybe in exchange for a better deal. 

Complexity increases when you combine an advanced billing model with a consumption billing model. “Now you have a subscription model that bills in advance and a consumption model that bills in arrears,” she said. 

Additional complexity is added as you merge with or acquire other companies and incorporate their billing processes into your own, or move into other countries, each with its own currency, language, and billing rules. 

“In Brazil, they’re very specific that you invoice on paper that you have to buy from the government,” she said. “They also have many reporting requirements as well.”

Moving upmarket can also increase complexity, especially if you add enterprise solutions, which tend to come with greater pricing customization.

“You’re going to do every acrobatic you can to get that sale,” she said, “And your backend office, particularly your billing system, cannot hinder you from getting to that growth strategy.”

Key features

Fleet recommends companies evaluate billing systems against five criteria:

  • Automation. Anything that can be done by bot should be done by bot, so finance staff can spend more time on the analytical side of the work, especially as finance teams shrink in future years, as they’re expected to do. 
  • Agility. The system should accommodate whatever pricing model is conceived without requiring IT staff to make changes to accommodate it. “It needs a user interface that is intuitive and simple enough that [sales staff] can go in and make changes, whether that’s promotional changes or pricing changes,” she said. 
  • Analytics. Subscription pricing uses a different set of metrics than traditional pricing, so the system should be built to isolate annual recurring revenue, average revenue per account, churn, and lifetime value, among other SaaS measures. 
  • End-to-end functionality. The system should integrate with your other systems, including your ERP and CRM.
  • Flexibility. The system should also be customizable to accommodate all of your use cases. “The reality is, no out-of-the-box system will meet 100% of your use cases,” she said. 

Investing in too many cybersecurity tools could hurt defenses

Editor’s note: The following is a guest article from Samuel Bocetta, a former Department of Defense security analyst and technical writer focused on network security and open source applications.

Overinvesting in cybersecurity tools can hurt corporate defenses, a new study shows. 

Companies that use over 50 cybersecurity tools scored 8% lower in their ability to mitigate threats, and 7% lower in their defensive capabilities compared to other enterprises employing fewer toolsets, according to IBM’s annual Cyber Resilient Organization Report released in June.

Although it seems counterintuitive, the statistics make sense. While programs, software and tools are essential to any cybersecurity defense plan, these must work in tandem with employees who are adequately educated.

Employees who do not understand the basics of cybersecurity and struggle with complex and fragmented cybersecurity tools are a risk to any enterprise.

What emerges is the importance of educating employees about proper cybersecurity practices, developing and communicating a cybersecurity incident response plan (CSIRP), and having cybersecurity experts in your company. 

How to educate employees about cybersecurity

Although companies that invest in cybersecurity tools have increased by 18% in the past five years, many of these same companies are reporting they are 13% less effective at containing active threats. 

Companies must keep in mind that education is still the best tool in protecting from digital attacks. If employees have access to cybersecurity programs they don’t know how to use and are never trained in best practices for cybersecurity, the investment will remain pointless.

Keep in mind cybercriminals frequently look for the weakest link within organizations, and may actively target workers who they feel may be less informed about cybersecurity protocols and more likely to fall for their traps.

Ironically, sometimes the easiest actions have the most impact. It is vital to have a conversation with employees about the importance of password management. Many people use simple passwords over and over again to prevent the hassle of forgetting them, but this is actually a common way cybercriminals hack into accounts. 

It is difficult for even the best cybersecurity program to prevent a user with the correct password from accessing an account. Companies who are serious about protecting their assets, clients and employees will invest in a password manager and the necessary training in how to use it.

Password managers are an inexpensive way of ensuring workers have complex, strong passwords that never get forgotten and don’t need to be recorded somewhere that is at risk of being discovered. 

Developing company policies for cybersecurity and enforcing them is also crucial. 

One important company policy to consider is requiring all employees to update their software when prompted. It is easy for workers to ignore software updates because of the inconvenience of having to download them and restart their computers, but these updates are created due to the constant evolution of new cyberattacks.

Consider asking IT teams to conduct random audits to ensure everyone is following the policies.

The best cybersecurity tool is your people

Companies should consider investing in a cybersecurity analyst, or train existing IT staff so they can become proficient in cybersecurity. Although hiring a cybersecurity analyst with a degree and professional certifications is preferred, many self-taught white hat hackers have more relevant experience and skills than those with college degrees. 

If you don’t already have one, a goal for your IT team should be to develop a CSIRP. Successful CSIRPs should include a communication strategy with a clear chain of command and address the top security problems within your industry or company. 

Appropriate procedures and protocols should be planned prior to an attack, and each plan should be individualized depending on the type of incident. 

Take care to develop and monitor KPIs that are specific to cybersecurity incidents. Some KPIs that will gauge a company’s current effectiveness at security risk mitigation address how many security incidents are reported in a specific time frame, whether they are increasing or decreasing, and what is the average time it takes to address a security concern.

If your company has already fallen victim to a cyberattack, don’t despair. Security breaches are excellent learning opportunities.

You can take this time to take an in-depth look at what went wrong, how your company can handle this situation better in the future, and document and communicate new CSIRPs based on your experience.

Coronavirus, remote work and the survival of the fittest

The onslaught of the coronavirus has revealed which companies are fit and which are fragile in terms of digital protection.

Quickly quitting offices in favor of work-from-home arrangements has been a shock for enterprises that are not digitally savvy. Those companies are not likely to survive in the long term.

This is not only because of the delay in the ability to work caused by the recent stay-at-home advisories but because of the increasingly competitive landscape that will demand adaptability.

Healthcare has been the hardest hit of all industries. This is due to clever cybercriminals taking advantage of an already-hectic situation in the industry, and the treasure trove of personal data healthcare companies frequently have access to.

Many businesses have allowed their employees to work from home without ever giving them access to the proper resources. Employees are working remotely from their personal laptops, connected to public Wi-Fi connections, and sharing their computers with family members and friends who may download or click on risky files unbeknownst to anyone else. 

It is important to teach your employees to be mindful of any unexpected work-related links, files or invitations to video conferences: Cybercriminals frequently send these disguised-as-work-related emails from a colleague.

Remind employees to double-check email addresses before opening a link or file. If a suspicious video conference request arrives from an unknown email address, encourage workers to call their supervisor to confirm that this is a legitimate virtual event. 

Most importantly, companies with remote workers must demand the use of a VPN. The most effective VPN applications today use a form of encryption called AES, which masks a user’s IP address, so their online actions are untraceable.

This is great for those working from home on their own internet connections but absolutely essential for those who work in cafes or in other public Wi-Fi spots. 

Be sure to request that employees use a VPN on their smartphones as well, so there is no danger to your company’s data as they scroll through emails while out and about. A company that does not require and enforce the use of a VPN, one of the easiest and cheapest cybersecurity tools out there, is asking for a cyberattack.

Once again, education is key to ensure employees know how to properly use a VPN. 

Don’t throw money at the problem

It is important for companies to invest in a wide array of cybersecurity tools and programs. However, this will never replace the importance of educating and empowering all employees regarding the use of these programs, and training them in basic cybersecurity practices. 

Companies who want to compete in the future must ensure that they are adaptable to new technological developments.

The coronavirus pandemic has revealed which companies have cybersecurity protocols and safe remote work policies, and which ones are scrambling to get their act together. The key to this is not only having the right tools but educating employees and having solid CSIRPs in place to quickly respond to a security incident when it arises. 

Don’t be fooled into thinking cybersecurity is a complicated matter that can only be handled by professionals and expensive tools. The best cybersecurity practices start with employees and are easy to implement with the right levels of communication and enforcement.

‘More complex by the day’: Leaders turn to automation to sustain IT efficiency

Dive Brief:

  • Automating part of IT teams’ workflow will help leaders sustain the effectiveness of their work even as tech spend budgets dwindle, said 72% of decision makers in a report from software company LogicMonitor. The report surveyed 500 global IT executives.
  • Among leaders who say there is a “great deal” of automation within the IT team, half are very confident in the organization’s ability to overcome an unanticipated crisis.
  • In the aftermath of a global shift to remote work, 80% of IT leaders say the infrastructure they manage is getting “more complex by the day,” and 94% of IT leaders expect IT automation to become a focus over the next three years.

Dive Insight:

Responding to the pandemic heightened interest in automation adoption, a strategy that allowed companies to sustain operations in times of disruption. 

Strained IT teams leveraged automation to uphold the massive shift to remote work, pushing previously in-person processes to the digital realm and letting bots handle routine tasks such as onboarding and IT support.

Customer support outfits turned to chatbots to manage repetitive claims. RPA company Automation Anywhere says the technology helped one airline customer deal with a surge in cancellations that went from 500 requests daily to 4,000.

IT teams are concerned with the complexities of remotely handling outages among their workforce, according to 49% of respondents in the LogicMonitor study. More than half of IT leaders said teams experienced “initial disruptions or outages with their normal software, productivity or collaboration tools,” as operations moved to a distributed model.

Roberto Torres / CIO Dive, data from LogicMonitor.

Almost half of business leaders say their companies are gearing up to introduce automation to the traditional IT helpdesk, according to a study by Inference Solutions. Despite uncertain economic forecasts and pressures on leaders to cut costs, two-thirds of IT decision makers say automation budgets are set to grow. 

Challenges in onboarding staff remain as companies continue operating remotely, but automating access to knowledge for incoming employees can smooth out the challenges of remote onboarding. The value automation can deliver is allowing teams to focus on higher-value tasks while routine operations are automated.

Paradigm shift left VPNs, edge security awaiting long-term strategy

Dive Brief:

  • Edge security company Akamai was in the process of redesigning its office space into a more open concept, when COVID-19 eliminated the office environment entirely, said Maha Pula, VP of Solutions Engineering at Akamai, while speaking on a virtual panel Wednesday. 
  • Within the last 30 to 60 days, CIOs and CISOs “are starting to take a step back and thinking, ‘all right, that was a reactive approach we did in the early days of the pandemic. Now, what do we need to do?’” said Pula.
  • As companies settle into the idea of an indefinite remote work landscape, Akamai had to rethink the enterprise edge, reconfiguring security to balance where employees reside, where customers sit and what consists of the edge of the internet, according to Pula. 

Dive Insight:

The upswing of a majority remote workforce was removing the inequities between in-office and already remote employees, she said. For existing remote employees who might have felt detached from the headquarters or company culture, “that feeling is now removed.” 

Even with a renewed sense of “understanding and empathy” for remote workers, the paradigm shift forced companies into reactive strategy-making, as opposed to forward-reaching goals.

In some cases, the shift required a reversion to past security techniques. Customers told Akamai they had “to take the original approach,” and use traditional VPNs. 

Prior to state shutdowns, only 3% of organizations had three-quarters or more of their workforce working remotely. Most organizations used antivirus and firewall solutions as their top work-from-home security tools, in addition to existing VPNs, according to a Pulse Secure report. 

VPNs grant users access to their digital applications but the tool can’t always accommodate scaling for storage without an expensive price tag. IT has faced an ongoing issue during the pandemic: administering VPN patches and updates.

In May, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency issued a warning for “routine” VPN exploits in 2020. “Arbitrary code execution” flaws in Citrix VPNs and an “arbitrary file reading” vulnerability in Pulse Secure were among the most common targets for bad actors.

Dealing with traditional security measures like VPNs months after initial shutdowns is multifaceted, according to Pula. IT is balancing new processes in terms of physical readiness for devices, and endpoint protection and access. 

Companies are coming to terms with the reality or inability of securing every employee’s network. It moves the focus toward endpoint protection. “We are seeing about a 40% increase in consumption of internet services over enterprise connected devices, which means more and more of your employees are using their work laptops,” said Pula. 

Employees would not be doing this as much if they were still in office, accessing applications outside a company’s network. The result is an unusually high inundation of cyberthreats. 

“Companies have to stop and think about what they have done in the first 60 days to what they want to be doing in the next 60 to 90 days as well,” she said.

The Growing Need to Consolidate Multi-Tenant Environments

Over the past four months, countless businesses and universities have scrambled to the cloud to enable their employees and students to work remotely during the global coronavirus pandemic. Managed service providers (MSPs) and IT service providers have been busy spinning up cloud tenants to quickly address urgent needs, often for individual groups or divisions within a larger organization and without an organization-wide cloud enablement plan in place. As a result, many organizations have found themselves with an excess of multi-tenant environments or public and private cloud resources to manage, resulting in a less-than-optimal cloud footprint.

As businesses and universities start to settle into the new normal of remote operations, they are beginning to look for opportunities to streamline operations and take fuller advantage of what the cloud has to offer. Consolidating multi-tenant environments can enable them to make their cloud solutions work more efficiently, improving security, collaboration and overall cost management.

The Complexities of Multi-Tenant Environments

Maintaining multi-tenant environments is more complex for IT to manage, requiring more resources and driving up IT costs. To complete even simple IT tasks for end users, they must first figure out which cloud tenant the user is operating in before executing the work or they may have to pull data from multiple tenants. Maintaining proper security and compliance across multi-tenant environments is an additional challenge. For example, organizations in the finance and health care sectors must follow strict guidelines to stay compliant with regulations. Organizations with fragmented, multi-tenant environments can find that managing security and compliance becomes more difficult with data dispersed across different cloud environments, making it more likely to have gaps in compliance. For end users, multi-tenant environments can lead to confusion and lost productivity as they are forced to use multiple logins, access their workloads in multiple locations, and may have trouble synching applications and data between tenants.

Optimizing the Cloud Footprint

To reap the full value of a cloud environment, organizations must create a comprehensive cloud enablement plan. Organizations that started with a siloed approach can still create a plan and execute consolidations to get there. There are many benefits in taking this important step. It sets the organization up to seamlessly scale with future growth, it helps ensure compliance, and it improves the ability of IT to monitor and control user activity, the cloud environment, and associated costs.

When working with organizations to consolidate multi-tenant environments, there are best practices MSPs can follow to ensure a smooth process. First, create a checklist to ensure the project implementation is seamless. One important task is to fully assess the scope and details of the project. For example, how many users are there? Does the company have specific compliance needs? Does all company data need to be moved or will there be a limit due to an excess of data? What is their current operating environment? What email platform do they have? Do the users operate in the office or in the field? Next, it’s important to consider the user experience before the consolidation and whether any aspect will change for individual users. The goal is to minimize disruptions to workflow and productivity and create a change management plan to help users adapt as needed. Another important detail is to make sure licenses are appropriately accounted for and applications are appropriately deployed to end users. Taking this step will help ensure that the company is not overpaying for licenses that will go unused, such as paying for Microsoft Teams for roles that do not require team collaboration tools.

Multi-Tenant Consolidation Outlook

Even after the first wave of consolidations, as businesses and universities get organized following rushed cloud migrations, there is likely to be a high need for consolidations moving forward for a variety of reasons. Those that only partially migrated specific roles or teams to the cloud will look to take greater advantage of the benefits and continue their push into the cloud, which could result in consolidating to a new cloud tenant. Continued improvements in technology from cloud providers will also spur consolidation of tenants as organizations look for the best combination of offerings and price from cloud service providers. Also, markets that were hesitant to move to the cloud previously are now embracing cloud technologies as societal norms change around the way business is done. Finally, further business impact from the pandemic will result in increased mergers and acquisitions, which will, in turn, spur consolidation of cloud tenants as companies or universities merge.

While the cloud has enabled organizations worldwide to pivot quickly and adapt to new operational imperatives, taking the step of consolidating multi-tenant environments will lead to more efficient operations, optimized collaboration and engagement, and improved management of resources. By creating a comprehensive cloud enablement plan, businesses and universities will be well-positioned to operate as efficiently as possible in the years ahead.

By Lauren Brunson

5 charts that show the impact, and cost, of data breaches

When a data breach occurs, an organization’s primary goal is to stop the bleeding of an unauthorized intrusion. 

But on average, data breaches usually last 280 days, according to IBM’s Cost of a Data Breach report in partnership with Ponemon Institute released Wednesday. The survey included responses from more than 3,200 individuals involved in data breach incidents, across 17 industries and 524 breached organizations. 

With every passing day a breach goes undetected or unresolved, costs mount, customers lose patience, and a company earns a reputation of neglect.

Each breach comes with a different price tag based on several conditions, including: 

  • Cause of the breach
  • Actions taken following an incident, including prevention
  • If there was a history of data infringements
  • What data was compromised or used
  • How an organization worked with authorities or regulators

Costs can balloon following a breach, from audits and investigations, consumer notifications, third-party investigations, legal expenses, tarnished reputations, and potential fines. 

IBM’s report found a 1.5% decrease year-over-year in total average cost of a breach, but other costs have increased too. Companies or industries that have lagged in security compliance or innovation face the steepest prices.

Here are key figures to note from IBM’s annual report: 

$3.9M: Average cost of a data breach

Data breach response, including forensic investigations and lost business, historically reaches millions of dollars for companies suffering a data breach.

If a security system is more complex, “created by the number of enabling technologies and the lack of in-house expertise,” breach response will cost almost $292,000 more, according to the report.

Samantha Ann Schwartz/CIO Dive, data from IBM and Ponemon Institute

Cloud migrations were responsible for “higher than average” costs, raising costs by $267,469. If a breach was caused by a cloud misconfiguration, the total cost of recovery increased to $4.4 million.

As developers and engineers work remotely with off-kilter business hours, the chances of misconfigurations increase. Half of developers and engineers bypass cloud security or compliance policies when deploying updates and products, according to a DivvyCloud report.  

But half of data breaches are caused by malicious cyberattacks, which increases the cost of each compromised record. Eight in 10 breaches contain customer personally identifiable information.

On average, it costs $150 per lost or stolen PII record. If the attack was malicious, the price increases to $175 per record. 

The value of data varies across sectors too. “When it comes to a manufacturing assembly line to build a widget, the risk of losing PII and [sensitive personal information] is not as high as in the financial sector,” Chris Scott, director of Security Innovation and Remediation at IBM, told CIO Dive. 

46%: Respondents who think the CISO is responsible for a data breach

While responsibility for a breach might fall on the CISO, overall security is more distributed. 

Half of the blame falls squarely on the CISO’s shoulders, but only 27% of respondents said the security executive is “most responsible for cybersecurity policy and technology decision-making,” according to the report.

One-quarter of respondents said the CIO or CTO carries the burden of security decision-making. “There is an oxymoron there” because only one of the executives is expected to take the heat of a breach, said Scott.

Less than 1% of CISOs are actually fired due to a breach, according to an IDC study. Twelve percent of CISOs who oversaw a breach feel the incident would cause them to be let go. 

“There’s no template or timeline with regard to changes in an organization’s structuring post breach,” said Scott. “I believe that organizations that suffered a breach need to reflect on the processes, practices as well as culture that led them to the incident … Some organizations do this, some don’t.”

77%: Data breach expenses incurred within the first year of discovery

Less-regulated industries, including retail and media organizations, pay 77% of breach-related expenses in the first year. But those in highly-regulated fields, such as health, education or pharmaceuticals, paid 44% of their costs in the first year. 

“I’ve been doing this for 20 years, and 20 years ago, there was not a lot of regulation. Only the most sophisticated, most highly funded organizations are capable of really thinking about information security,” because their resources and compliance force them to, Andy Riley, executive director of security strategy at Nuspire, told CIO Dive. 

IBM analyzed the “longtail costs” of 101 companies that “captured two or more years of data breach costs” and found the first year of a breach accounted for 61% of data breach costs in 2020.

The report concluded lingering legal and regulatory costs lead to a longer tail of breach-related expenses for heavily regulated industries. 

“Even today some healthcare providers are still pretty unaware of what the requirements are under HIPAA and fly under the radar, which is pretty shocking,” said Riley. However, new regulations, including the California Consumer Privacy Act, upped the ante of penalties, and “raised the consciousness of information security.” 

280 days: Average time to detect and contain a breach

How long it takes a breached company to respond to an incident depends on its industry, degree of regulation, geography and security capability. Costs are lower among companies with more mature security solutions, including automation and incident response processes. 

“The breach cost difference between companies that are all-in on security automation, and those that have yet to deploy it is $3.58 million,” which continues to grow by millions annually, said Scott.

It takes companies 315 days to detect and contain breaches rooted in malicious attacks. A company that can respond to a breach in less than 200 days stands to save up to $1.1 million compared to those that take more than 200 days. 

“We can’t determine based off the report’s findings the frequency by which companies struggle to overcome breach costs,” said Scott. However, the report indicates that “slowly but steadily” more companies have fully deployed security automation.

76%: Organizations that predict breach response will take longer because of remote work

Organizations expect the “lifecycle” of a breach to extend due to a distributed workforce. 

“The saying ‘time is money’ applies here,” said Scott. 

Because organizations were accustomed to monitoring security at the edge, a remote workforce turned security on its head. “Data is moving through less controlled environments today,” said Scott.

Unregulated data movement requires visibility. Companies should be asking whether their security organization has cloud-based visibility services or if employees have guidelines on how to safeguard sensitive data in remote environments. 

“Remote work models can create many new security blind spots if an organization doesn’t put the necessary technologies and controls in place,” he said. 

Pandemic paradox: Businesses want more IT at lower costs

Dive Brief:

  • Before COVID-19, improving operational excellence was a business priority for most companies, according to a survey of 100 IT leaders from Apptio conducted between March and June 2020. But amid disruption, executives’ priorities shifted to focus on cost-cutting. 
  • For almost two-thirds of organizations, the pressures of the pandemic increased demand for IT capabilities. Three-quarters of CIOs said the ability to quickly shift gears became critical in dealing with the pandemic.
  • Half of CIOs report having already slashed IT budgets, while 80% are under pressure to reduce spend. Across industries, the median cut to tech budgets was a 25% reduction. 

Dive Insight:

Technology became the backbone that supported company operations, enabling distributed work and the shift to digital processes wherever possible.

Tech leaders are joining the rest of the C-suite in companywide cost optimization strategies, with 20% of finance chiefs expecting tech investments to help with cost reduction, according to data from PwC.

For 72% of CIOs, COVID-19 and the disruption it introduced altered their priorities. Execs came into 2020 with planned digital transformation roadmaps that no longer matched the context businesses operate in.  

Tech executives are tasked with managing costs as they push forward with innovation, “particularly in an environment where cash is king and plans can change on a daily basis,” said Jarod Greene, general manager of the Technology Business Management Council and VP of product marketing at Apptio, in a release accompanying the survey.

In the context of the pandemic, two-thirds of decision makers sharpened their focus on cost optimization, while another 34% said they prioritized operational efficiencies, according to TBM Council data.

The shift is slated to impact global tech spend, according to Gartner projections. Worldwide IT spend will reach $3.5 trillion in 2020, marking a 7.3% decrease from 2019 levels. Amid the contraction, infrastructure as a service is expected to grow 13.4%. 

The Remote Playbook: Navigating the virtual job fair scene

The Remote Playbook is a regular column for people who manage and oversee remote teams. As a remote worker, CIO Dive’s Roberto Torres can help shed light on the issues and trends impacting the management relationship.

College career fairs add an influx of talent into the hiring pipeline for organizations. Posted up at booths, company representatives await budding professionals for in-demand roles. 

In the age of COVID-19, lengthy in-person chats and resume handoffs faded for jobseekers. At least for now.

For the Fairfax County Economic Development Authority (FCEDA), the pandemic brought opportunity. On May 28, the agency threw a virtual job fair, using remote conferencing technology to connect recent grads with hiring companies.

“It provides companies with access to a talent pool they may not normally see,” said Victor Hoskins, president and CEO of FCEDA, in an interview with CIO Dive. The fair connected local employers with grads from 13 higher-education institutions, seven of them historically Black colleges and universities, as well as diversity-focused professional organizations. 

The virtual setting removes geographic barriers and expands the top of the hiring funnel. Managers looking for tech talent need to ensure the most in-demand skills are targeted while adapting to the virtual setting.

The new way of hiring

Traditional job fairs, in a virtual iteration, are pushing forward across the country. National Career Fairs, one such organizer of virtual job fairs, will host over 100 virtual job fairs through the end of the year.

During the pandemic, the kinds of tech positions employers need to fill remain unchanged. Software engineers still top the list, with a particular focus on data and cloud, according to data from Indeed. Product managers and quality assurance engineers are also on the list. 

Top tech jobs on, June – July 2020

Rank  Position
1     Software engineer
2     Senior software engineer
3     Software architect
4     Full stack developer
5     Developer
6     Front end developer
7     Development operations engineer
8     Data engineer
9     Principal software engineer
10    Software test engineer


Joe Marhamati, co-founder at solar technology company Ipsun Solar, came to FCEDA’s most recent job fair — this one focused on mid-career professionals — looking for an IT administrator with broad skills. The company has done sales virtually for years, so it already had experience in building rapport and getting to know people from behind a screen.

Once or twice a week for the past three months, the company has made hires remotely. To identify talent effectively while remote, Marhamati said managers need to watch for signs of reliability in the virtual setting, much like during in-person interviews.

“Do they look presentable? Are they articulate in the way they carry themselves on Zoom? Basically all the things you look for in person,” he told CIO Dive. 

Hiring when you can’t meet in person

Spotting talent remotely, managers face three key hurdles, according to Salil Pande, CEO and founder at VMock Inc., makers of a talent assessment and development tool:

  • Finding the right kind of talent: “How do I reach out to candidates who are going to be of high significance to me, and who value the position that I have?” Finding a targeted set of candidates proves complex in the virtual arena. 
  • The technology itself: “I don’t think anyone has the technology which can truly solve the problem of virtual recruiting, where you can offer as good a solution as face to face,” Pande said.
  • Fair and balanced recruiting: Removing bias remains a challenge in the virtual sphere as well.

The first step to effective hiring in the context of remote job fairs is focusing on skill over pedigree, said Vivek Ravisankar, co-founder and CEO at HackerRank. Especially in new college graduates, the metric to watch is the candidate’s ability to grow, as opposed to what college they graduated from or what their GPA was.

HackerRank customers such as Twilio have created in-house programs to foster developers who don’t come from traditional professional backgrounds, such as those who are self-taught. Apprentices enter the six-month program to develop skills before shipping production-level code.

Free from time constraints, companies can improve their approach to virtual job fairs by spreading them out to a full week instead of a day, said Katy Tynan, principal analyst, employee experience at Forrester. Seeking to engage with top applicants, managers can tailor company touchpoints by role or area.

The pivot to distributed work allows companies the opportunity to rethink hiring strategies in general, said Tynan. This applies especially to tech jobs such as software engineers, who need to prove they have the skills to deliver value.

“Companies are thinking about their interview process end to end, what that’s going to look like, and how they’re going to evaluate people’s skills,” said Tynan. “Some of that might involve using technology or talent assessment tools they weren’t using in the past.” 

IBM offers 1K paid internships to prepare diverse students for STEM careers

Dive Brief:

  • Creating diversity in the technology field can begin with preparing students for STEM careers at an early age, according to IBM. The tech giant is offering 1,000 paid internships to students and graduates of its Pathways in Technology Early College High Schools (P-TECH) program, IBM announced July 20. The internship program will run through Dec. 31, 2021. 
  • IBM’s P-TECH program, established in 2011, is a public-education model that provides an opportunity, at no cost, for students to earn their high school diploma and a two-year associate degree linked to STEM fields. The company usually has about 150 interns a year from P-TECH. With the expansion, the paid internship program is a 10-fold increase over the company’s most recent internship goals, according to IBM.
  • “Today, 220 P-TECH schools are serving 150,000 students worldwide, with a heavy focus on students of color in educationally underserved areas in the United States,” IBM CEO Arvind Krishna said in a letter to Congress in June. “From Brooklyn to Chicago, from Dallas to Baltimore, these schools are creating real opportunities and real jobs for young people today.”

Dive Insight:

IBM is increasing its internships at a time when overall internship hiring has dropped amid the COVID-19 pandemic.

Three-quarters of respondents in a College Reaction survey of 822 students, conducted April 10 to April 12, said the internships or post-graduate jobs they secured had been canceled, moved remote or delayed.

The survey also found 71% of respondents said they were concerned about job and internship opportunities, and almost all of the respondents (90%) were at least moderately concerned about the pandemic’s impact on the U.S. economy and employment opportunities. An April 28 report by Glassdoor found that internship hiring on the platform in April 2020 decreased by 39% compared to April 2019.

IBM’s P-TECH internship program aims to provide technology training for future generations of employees at the company. The apprentices at IBM will spend much of the year learning about corporate culture and acquiring more technology skills, aided by managers who provide coaching, Joel C. Mangan, IBM’s executive director for P-TECH, said, according to a company blog post.

Krishna’s letter to Congress outlined a policy proposal to advance racial equality in the U.S. He called on lawmakers to consider national policies to expand the number and reach of programs such as P-TECH and Pell Grants, “an important pathway for students of color to go to college,” he said.