CanadianCIO Innovation Summit

Artificial intelligence

Jump on AI bandwagon before it starts writing poetry, experts advise CIOs

Brian Jackson Published: 09/18/2017

Montebello, Que. – Get ready for artificial intelligence to take a leap forward and have a more important role in society and your business in general, two of Canada’s leading machine learning researchers told IT World Canada’s Canadian CIO conference on Sunday.

A new chapter for AI research is about to begin that will see machine learning used to write software instead of humans, said Graham Taylor, a professor at the University of Guelph and academic advisor at Next AI, an accelerator program that supports entrepreneurs with AI applications. Nicolas Chapados, chief science officer and co-founder of Element AI, a startup that’s focused on transferring academic prowess in AI into businesses, also spoke on a panel addressing the topic.

The PhD holders went deep on discussing their work in constructing the algorithms involved in machine learning applications that exist today. They also made clear to CIOs that it’s time to get started on examining how AI can fit into an organization’s processes.

Taylor addressed the key moment that machine learning research has reached, first by defining AI as software that is created by machines.

“The amazing thing about machine learning is that you have the software learn with no programming involved,” he says. “It learns just like humans do, from experience.”

Graham Taylor, professor at University of Guelph, speaks about AI at the Canadian CIO Summit in Montebello, Que.

Taylor’s work has focused on computer vision, and the software architecture for his system has reached a staggering level of architectural complexity. It involves hundreds of thousands of layers of depth in its model, akin to other advanced computer vision systems in development. Yet results show that the accuracy of these computer vision systems is no longer improving, even as they become increasingly complex. That bucks the trend from the research conducted to date and shows the current approach has hit its saturation point.

“We may need a new architecture to improve accuracy over today’s approach,” he says. “There’s an advantage to look at the world like we do as humans, with our eyes, with our ears, and with touch.”

Taylor’s own work is now veering towards a multi-modal approach that combines many different sensory inputs to teach machines how to learn more like a person learns.

Meanwhile, Chapados says that we’re close to a flipping of the paradigm in the enterprise.

“The current process is human-driven, aided by machines,” he says. “Project yourself 10 years into the future and most organizations will run on AI helped by humans.”

Some industries are more immature than others, he acknowledges. Farming and construction are examples of industries that haven’t implemented AI to assist in core processes, but that’s where new models in AI will make a huge difference.

To get started down the AI path, organizations will need to consider what data is being collected. Since most IT in organizations today is made to support human processes, there may be judgments being made for which data is just not collected. But if you put in the effort to get to a reasonable baseline of data, there are off-the-shelf AI services that could deliver your process.

“It’s a little bit like when Microsoft delivers a beautiful piece of software to you like Excel,” Chapados says. “But you need to know what numbers to plug in and it takes a lot of time to understand what all the functions available to you can do.”

Nicolas Chapados, chief science officer, Element AI, speaks on a panel at the CIO Summit in Montebello, Que.

Another change to consider is that most AI applications have involved making predictions. Taylor says that other researchers have identified how the first effect of AI adoption will be a reduction of costs for goods and services that require predictions being made. But this may change soon too.

“We’re actually moving into a world where machines are not just predicting, but they’re creating,” he says. “Music, art, poetry, and prose.”

He points to the responses to email that Google suggests on Android. A machine is doing the creation for the emails, but the human control is still there to select the message or take over and write their own message.

Clutching onto the message of AI change coming, IT World Canada’s CIO Jim Love urged his peers to be visionaries.

“We’re not going to be doing the technical roles anymore,” he said. “It’s time to take the lead on your business vision with AI.”

The conference was sponsored by Cogeco Peer 1. 

Will Canada’s AI moment slip away?

David Crane Published: 03/03/2017

The artificial intelligence revolution represents “the biggest opportunity since the advent of the Internet,” Jean-Francois Gagne proclaimed when he announced last October the launch of Element AI, a tech transfer and start up factory in Montreal representing that city’s ambition to become one of the world’s leading AI hubs. “AI will change the world” and “Element AI will facilitate this transition to an AI-First world, creating in the process the next generation of large corporations,” Gagne predicted.

Montreal was not alone in seeing AI as the next Big Thing. Two days after Gagne’s announcement, NextAI was launched in Toronto to attract entrepreneurs and investors to build their AI businesses there. “The launch of NextAI means we’ll see the brightest minds from around the world creating industry-leading AI technology in Canada, cementing our place as a world leader in machine learning innovation,” NextAI’s Graham Taylor promised. NextAI has attracted some $5.15 million of investor support, from companies including auto parts manufacturer Magna International, Scotiabank, RBC and BDC. “Artificial intelligence is one of the most transformational technologies impacting business today, and Canada must remain at the forefront of exploring its commercial and scientific opportunities,” RBC CEO David McKay says.

But can Canada really become a global hub for the AI revolution? While we have a well-deserved reputation for great talent and pioneering research, along with some ground-breaking start-ups, there’s no Canadian grand strategy to make AI one of our key sectors of the future. To succeed, we will need to build a much greater critical mass of talent and enterprise, and that will take significant public and private support.

Failing that, if we fail to grasp this moment of opportunity to do something big in Canada, we’ll instead simply provide seed corn – talent, research and start-ups – to feed into the growth plans of major multinationals and university research centres of other countries that are hungry for our talent and research and have deep pockets to buy up promising Canadian start-ups, such as Google’s recent purchase of Maluuba, a promising Canadian start-up that had been launched by two Waterloo University grads. The determination to develop a strong domestic AI industry with broad benefits for Canada will require vision, leadership, commitment and money.

One of the greatest risks is brain drain. As one Wall Street Journal headline read not long ago, “Why Silicon Valley Recruiters are Flocking to Ontario.” University of Toronto AI professor Ajay Agrawal was quoted in The Economist as warning that “places like Canada, where universities have been in the forefront of AI development, could see little benefit if their brightest staff disappear over the border.” Bloomberg/Business Week has credited Canadian researchers with developing algorithms used by Facebook for facial recognition and by Google for its Camera app, for example. “Over the past three years, a handful of leading Canadian researchers and professors, superstars whose AI work will underpin everything from self-driving cars to smart prosthetic limbs, have defected to U.S. tech companies and universities, taking their expertise, and often their students, with them,” the business magazine said.

To be sure, major multinationals are also playing a big role in Canada in advancing AI, not just in the IT sector but also, for example, in the auto industry, with General Motors Canada seeking to hire 700 engineers to help develop autonomous vehicles at its research facilities in Ontario. In Montreal, Google and Microsoft are investing in AI infrastructure and research. In Toronto, NextAI is partnering with Google, IBM Canada and NVIDIA, which are providing budding entrepreneurs with access to technology and services, access to experts and mentoring.

But as five AI advocates – including former TD Bank CEO Ed Clark and Toronto AI superstar Geoffrey Hinton (who now spends much of his time at Google in California) – recently argued, Canada is underinvesting if it wants to build on its past achievements and make Canada a global centre for AI research and investment. They have called for the creation of a world-leading center for AI research in Toronto, with the goal of graduating the most AI PhDs and master’s students globally and becoming the engine for an AI super cluster in southern Ontario. Similar advocacy can be found in Montreal, while Edmonton and Vancouver are also budding centres.

To make this vision a reality will take significant funding as centres around the world seek to build competitive expertise. “To compete, a very significant funding commitment is necessary to signal our intention to lead in AI research over the long term and to attract the world’s leading minds – faculty, post-docs and grad students,” Clark, Hinton and their colleagues argue. But there will also be a need for industrial partnerships, with universities providing the talent and new knowledge in fundamental AI science to support the talent and knowledge base of Canadian companies and attract foreign investment.

This is a moment of opportunity. But moments can be fleeting. The Trudeau government’s promised innovation strategy will be a major test of whether Canada is capable of thinking big and putting real resources behind a Canadian moonshot.


Deep learning and AI can create different ethical issues

Alex Radu Published: 09/19/2017

Washington D.C. – In its most basic form, artificial intelligence is an algorithm that is trained to learn via the data that is fed to it. But what happens when that data is full of bias?

“In traditional model building, even with good data we can introduce biases by not constructing the right variables or picking up nuances. A model is a representative of the mechanism that generated the data. So if we don’t represent that mechanism correctly, then we are not forecasting correctly, but forecasting something else,” explains Oliver Schabenberger, chief technology officer and executive vice president of SAS Institute Inc. to Canadian media at the Analytics Experience 2017.

Oliver Schabenberger, SAS CTO

For instance, deep learning algorithms only learn from the data that is provided. They can’t learn outside of that data. So if that data is correct, they will be able to make correct decisions. Hence the importance of providing clean data to these programs.

“We control and determine the logic of the program. Everything deep learning learns comes from the training data. It is important to understand any biases in the data if they are there, because it will leak into the end result. It comes down to how good our data is,” said Schabenberger.

CEO and founder of SAS, Jim Goodnight, looks at it quite simply. “AI is just making a program that you trained with models to make these decisions,” he told Canadian media.

But if that data fed into those models is incorrect, it isn’t so simple to fix.

Schabenberger explains how ethical use of analytics applies to all forms of analytics, but deep learning and AI shine a different spotlight on it. He can see how a simple statistical model went wrong. He can look at the math and find what happened. It’s not so simple with deep learning.

“A neural network does not give up its secrets. I can’t tell you where something goes wrong if something it predicts is not correct. My ability to correct this is limited. If it’s a model I can examine the math and see how it got there. I can’t step through a neural network and see what happened, or put it through a debugger. The only way to change it is new data,” Schabenberger said.

The fact that it is not so simple to fix can be disconcerting for some, and in certain industries like banking, it means for now there will still be that human element tacked onto any AI technology introduced.

“It needs the right ethics. Biases from the data are where the human aspect comes in. I would love to have machines, but there should be a hybrid structure, so a computer could make the decision with human involvement. The human could override a decision if need be,” said Qaisar Bomboat, IT Risk architect at the Canadian Western Bank.

The Edmonton-based Canadian Western Bank primarily operates in Western Canada where it serves personal and commercial clients. Bomboat is part of the enterprise risk management team.

Taking the human out of a decision like whether or not the bank would give someone a loan would be the ideal scenario, but that requires trust in the data that is being fed to the program making those decisions. That’s easier said than done.

As Goodnight said, AI is just a program that you trained with models to make that decision. And while both Schabenberger and Goodnight are confident in the data behind SAS’ deep learning efforts, that trust may still take some time to reach anyone who is skeptical on the matter.

Taking the hype out of artificial intelligence

Howard Solomon Published: 08/24/2017

Artificial intelligence is all the rage in IT these days, with vendors rushing out new products and trying to assure CISOs that their products include some element of machine learning. But how much of this is hype?

Quite a bit, cautions Oliver Rochford, vice-president of security evangelism at DFLabs, in a column this week. “Machine learning by itself solves nothing without being applied to distinct problems,” he writes.

So what’s a CISO to do? Ask a few intelligent questions, Rochford advises.

What does your machine learn? Does the software really learn or just do statistical analysis or correlation?

Where does it learn it? In a lab or in your environment? The former isn’t acceptable, Rochford says, but adds that a hybrid of both can be okay. There is, he adds, another consideration, though: Does it learn on premise or does data have to be sent into the cloud?

How does it learn? A vendor should be able to provide a high-level overview of which machine learning approaches its implementation uses: Supervised, Unsupervised and Reinforced are the keywords to look for, as well as the high-level algorithmic descriptions. For the inexperienced, Rochford suggests reading cheat sheets provided by Microsoft. This information can help an infosec pro understand if the vendor is using the right algorithm for the problems they are trying to solve.

Why does it learn it? In other words, why use that particular approach.

What does it solve? Does it solve a problem that would be impossible to solve with less sophisticated means, or that would be unfeasible or inefficient to solve any other way? Does it solve more than one problem?

It’s not that machine learning. In a recent interview Forrester Research analyst Joseph Blankenship told me that it has a lot of potential to help in threat detection by overcoming limitations of existing rule-based systems, as well as automating and orchestrating security operations to help analysts in their decision-making. “One of the areas that’s very promising is the notion that we can use the technologies to help make the job of security analyst a little easier,” he said.

“As we add automated components to security operations we’re able to accelerate from minutes to seconds in terms of being able to do more manual aspects of investigations,” he said, particularly to guide more junior analysts on appropriate next steps in incident response.

But, he added, “we’re years away from the Skynet for security operations,” with robots handling cyber security. (Of course, Terminator movie fanatics know that Skynet ended up taking over the world …)

So be careful, says Rochford. Machine learning’s value is in solving aspects of incident response, advanced threat detection, hunting and investigation, he argues — in other words, to specific problems.


University of Alberta and IBM using AI to diagnose schizophrenia

Mandy Kovacs Published: 07/21/2017

While Elon Musk believes artificial intelligence (AI) is the biggest risk we face as a civilization, the technology is already proving its worth in the medical field.

The University of Alberta (UoA) has been collaborating with IBM to use AI and machine learning algorithms to quickly diagnose schizophrenia with 74 per cent accuracy. The technology is also being used to predict the severity of specific symptoms in patients – something that was not possible before, IBM says.

“Using AI and machine learning, ‘computational psychiatry’ can be used to help clinicians more quickly assess – and therefore treat – patients with schizophrenia,” says Guillermo A. Cecchi, principal research staff member in computational neuroscience at IBM Research, in a July 20 press release. “Computational psychiatry provides physicians with tools that enable them to objectively assess patients where most approaches had been subjective up until that point…. For the first time, clinicians could be able to quantitatively determine the severity of common symptoms and even identify and measure the progression of the disease, as well as the effectiveness of treatment.”

IBM’s Alberta Centre for Advanced Studies (CAS) and UoA have been partners for more than a decade, and the two organizations conducted this schizophrenia research earlier this year using 95 test subjects – 46 patients with schizophrenia, and 49 patients without.

The goal of the study was to extend IBM’s research with the UoA, and connect the tech giant’s computer scientists with the university’s psychiatry and computer science department, giving them access to a much larger group of patients and data.

Approximately one in five adults in North America suffer from a mental health condition at some point in their lives, ranging from depression to bipolar disease to schizophrenia, but half of those with severe psychiatric disorders receive no treatment. And in the case of schizophrenia, there is no medical testing that can provide an absolute diagnosis.

Going forward, the team hopes to apply this to other diseases, such as Huntington’s, and extend this research model across larger groups of patients, according to Betakit.

Future of Cloud

Hyperscale cloud providers in Canada motivating companies to adopt the cloud

Mandy Kovacs Published: 08/14/2017

Canada’s strict data sovereignty regulations have been a significant deterrent for many Canadian companies looking to move to the cloud. But with all three of the largest global hyperscale cloud providers – Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP) – building data centres in the country over the last year, the journey to the cloud has been simplified and Canadian companies have responded well.

IT World Canada’s fifth annual CanadianCIO Census found that while CIOs have been slow to adopt cloud for security and data sovereignty issues, they now rate it as the most productive technology for growth.

Microsoft Azure launched its Canadian region in March 2016, AWS opened its Canada (Central) region data centre in December 2016, and GCP announced plans to join the fray in March 2017, signaling that these hyperscale providers are serious about compliance with Canadian data regulations, which require certain sensitive data of public institutions to be stored within the country.

While their cloud services were available in Canada previously, having a local region means that organizations dealing with sensitive data or strict regulations, such as financial institutions or the healthcare sector, can now take advantage of cloud storage.

Out of the more than 160 senior Canadian IT leaders surveyed, 53 per cent say they are more likely to move to the cloud now that these hyperscale providers have Canadian-based data centres.

“Cloud is the new and growing wave of outsourcing,” the census found. “Cloud services are displacing traditional outsourcing, especially for infrastructure services (e.g., data centres, servers, storage). Further growth in cloud services is expected next year in Canada as vendors have moved to remove the one remaining obstacle to Canadians embracing cloud for their key infrastructure – data sovereignty.”

For example, education technology company Echo360 unveiled at the end of July that its video and active learning platform will now be available in Canada as a cloud service thanks to the new AWS Canadian data centre.

Fred Singer, founder and CEO of Echo360, explains that before AWS’ move into the Canadian environment, it could not deliver the cloud version of its video learning platform to Canadian universities, despite their desire for more innovative technology. Canadian customers were serviced from the company’s other global locations and could only use on-premises software.

But with its new partnership with AWS, it can finally provide Echo360 customers the “golden standard” of data storage and shared services.

“This announcement marks a shift from traditional old-school on-prem video platforms in Canadian schools to leading edge technology thanks to AWS,” Singer tells IT World Canada. “We had clients on our old system but it was challenging to deal with their desire to move to the cloud and to be more cutting edge before AWS was here because of the strict data privacy rules. This partnership really alleviates that and now we can deliver without compromise for the first time, and that’s a big deal to Canadian universities.”

Cloud exceeding expectations as it becomes a less concerning investment

CIOs of companies already in the cloud are speaking out too – 70 per cent of respondents rate the technology “as having met or exceeded expectations” thanks to benefits like increasingly secure, reliable, and flexible platforms with the potential to lower operational costs and improve customer service and company reputation.

These positive reviews are motivating others to move towards utilizing cloud services. This year’s trends point to strong growth in cloud adoption in 2018 and a decline in on-premises infrastructure, which will lead to cost reductions in crucial areas.

“The trend to embrace cloud services will continue to grow, with more organizations using hybrid or public cloud services,” the census expands. “The trend of decreasing ‘Run’ budgets [money used to keep the lights on], and increasing ‘Grow and Transform’ [money for scale-up or new initiatives] will continue, with cloud services contributing to the decreasing ‘Run’ costs, and competitive digital transformation driving the increase in ‘Grow and Transform’ budgets.”

Interestingly, the CIO Census highlights the fact that cloud technology has actually become less of a concern for respondents looking forward, dropping from the number two spot in 2016 to seven in 2017. Big data and analytics were ranked in the census as the issue that will have the most significant business impact in the next five years, followed by digital transformation, customer experience, and security.

However, the census suggests the reason for this is that CIOs see cloud as a technology “more fully adopted within five years, with lesser impact into the future.” With three global hyperscale providers now in Canada and cloud adopters on the rise, this could be an indication that the technology has finally been adopted as a secure and scalable platform for businesses and C-suite executives.

Why public cloud isn’t always the right cloud

Brian Jackson Published: 07/19/2017

If Goldilocks entered a Tier 3 data centre instead of a bear’s den, which cloud model would she find just right – public, private, or hybrid?

With the likes of hyperscale cloud providers Amazon Web Services and Microsoft Azure opening up Canadian regions over the last couple of years, many Canadian businesses are likely familiar with the public cloud sales pitch by now. It goes something like this: “reduce your capital expenses and shift to operating expenses,” or “stop managing IT and focus on your core business,” or “not only are we cheaper, we’re more secure.”

But it’s just not that simple, according to speakers at the Canadian Data Centre Summit, held in Toronto on July 19. There are times when taking your application to the public cloud will be more expensive. There are times when it’s not a good business case. There are times when it just can’t be done.

“We’re seeing cloud refugees coming back and looking for cheaper solutions,” says J. Mark MacDonald, founder of Canada15Edge Data Centers. “It wasn’t the panacea they thought it would be. It’s more price related than anything.”

Public cloud providers charge just fractions of a cent per GB of storage, for example, but companies are often surprised by extra data transfer costs and other charges. That’s not to say it won’t save you money in some situations, MacDonald acknowledges. The old “capex vs. opex” argument holds true to a certain point. He uses an analogy of renting a car to explain.

“If you were to go out and rent a car from Budget for one day a week, no problem,” he says. “If you want to use that car 24/7, 365 days a year then you’re going to pay for it twice over.”

So anyone that’s looking to run an application that has predictable traffic levels and must always be available should avoid public cloud options for that, he says.

“That’s very expensive under the Azure and AWS pricing model,” MacDonald explains. “Which it should be, because if you have these virtualized server banks and you’re doing pay-as-you-go, then you have to charge a lot to make a profit, because it’s not going to be used all the time.”

Canada15Edge has been in business for about two years, operating one data centre on a colocation model for its clients. MacDonald says he’s hosting a number of managed service providers in his building.

Why banks aren’t cloud crazy

But it’s not just those offering alternatives to the public cloud that see another path. On a panel of end-users, two bank employees responsible for their IT facilities agreed that some applications would just never work in a public cloud model.

“Banking is largely mainframe based,” said Stephan Abraitis, senior director of critical environment at the Royal Bank of Canada (RBC), addressing the crowd. “Mainframe is not going away, so there’s some applications that will never go to the cloud.”

Chiming in on that notion was Kirby Peters, director of critical facilities for the BMO Financial Group. He pointed to data sovereignty as a challenge to moving certain data to the public cloud. Abraitis also said the cloud wouldn’t help reduce costs for a bank. But both acknowledged there was enthusiasm for public cloud adoption at banks for other purposes.

Public cloud provides immediate elasticity for new projects, so new initiatives no longer require a complicated infrastructure setup, Abraitis said. “If we don’t change the way we operate, we’re going to be disrupted just like Uber has disrupted the taxi industry.”

At BMO, Peters is using public cloud to deliver HR applications,, and email. Back office applications are next on the list for migration.

RBC is exploring a hybrid version of cloud computing and working out whether it should be built in its existing footprint, or segmented out in a dedicated manner.

You wonder what Goldilocks would find “just right.”


CFOs look to cloud, AI for financial reporting

Danny Bradbury Published: 12/21/2016

Chief financial officers face significant technology challenges as they struggle to make financial reporting more accurate and efficient, said a report from EY (Ernst & Young) this month. However, they are also looking to emerging technologies that offer breakthroughs in how business operations are reported.

In the document, How can reporting catch up with an accelerating world, the big four consulting firm surveyed 1,000 CFOs or financial controllers in large organizations, including 40 in Canada. Half the financial executives in the report said that legacy IT was the main challenge to changing reporting models, it revealed.

CFOs have high hopes for newer reporting technologies, which they hope will revolutionize the way that their companies crunch the numbers. Fifty-five percent of them see transforming corporate reporting models as a major focus.

Big data technologies topped the list of promising new developments that could enhance financial reporting, according to the report, which placed cloud computing a close second. Further down the list were data visualization tools and the use of mobile devices.

More advanced technologies such as artificial intelligence and blockchain technologies came towards the bottom of the priority list, the report showed, but still had a significant amount of interest in percentage terms.

Among the 84 per cent of firms in the global survey base expecting to increase their investment in reporting technology, 17 per cent expect to prioritize blockchain technology as part of an increased investment in performance.

Almost as many hoped to invest in robotic process automation or artificial intelligence, said the report. Fred Clifford, leader for EY’s financial accounting advisory services operation in Canada, said that this could make both business processes and the reporting of them more efficient.

“The ability to complete tasks and activities that were previously subject to human error enhance[sic] not only the speed, but also the accuracy of reporting. An example of this may be continuous monitoring of internal controls by using new technology that eliminates the possibility of human error,” he explained.

While many of these technologies showed promise, the number one priority was upgrading IT and financial data analytics tools, especially for Canadian companies, said Clifford.

A complex regulatory landscape is the second biggest challenge for Canadian companies, he added.

Twenty-seven per cent of Canadian firms said that the number of regulatory changes locally was an issue, compared with 23 per cent globally. Twenty-seven per cent highlighted the pace of regulatory change locally as an issue, compared to 21 per cent across the world.

“The complexity of the regulatory environment is having the largest impact on reporting effectiveness in Canada (79 per cent vs. global 68 per cent),” he added. “We found Canadian companies are more likely to have higher numbers (20+) of business units and reporting standards than global counterparts. This means greater complexity in financial reporting and associated risks related to combining those operations for reporting purposes.”

This may be one reason why Canadian CFOs are far less interested than they used to be in prioritizing harnessing data and analytics to create forward-looking insights, the report revealed. Only 23 per cent of them expressed this as a priority, compared to 43 per cent in the company’s previous report.

However, that may be as much to do with the statistical sample in this report, which only surveyed responses from 40 Canadian companies. The survey did not include a margin of error or a confidence interval in its methodology.

Cloud expectations for 2017: reduce work and costs, improve customer satisfaction

Brian Jackson Published: 01/03/2017

Cloud growth will continue in 2017, but cloud service vendors are going to be taking some tall orders from executives who are expecting a big return on their investment after years of being guided towards the cloud model by many industry vendors.

The old adages of “turn capital costs into operational costs” and “don’t focus on IT, focus on your core business” are just the minimum point of entry for cloud services looking to win over new customers in 2017. Executives that haven’t made the cloud leap until now are expecting to see additional managed services and improved customer engagement directly linked to their cloud investments.

ITWC’s own CanadianCIO Census for 2016 found that worldwide respondents expect cloud models of IT Service delivery will rise 96 per cent within the next two years. Compare that to the declines of 21 per cent for on-premises models and 23 per cent for traditional or dedicated hosting.

IT executives are mostly looking to reduce the time spent on infrastructure maintenance (63 per cent) and for reduced costs as a result of the outsourcing (45 per cent). Yet many also expect that they’ll be able to improve customer satisfaction with the new approach (34 per cent) and enjoy better access to their own data (34 per cent).

Canadian CIO Census - Benefits from Outsourcing

In other words, business performance using the cloud model has to be better than could be achieved otherwise. In an October interview, Aldo CIO Lance Martel said that the role of a CIO needs to evolve in this way. The Canadian shoes and apparel retailer has been using several different software as a service (SaaS) apps to knit together its in-store and online customer experience.

“A CIO shouldn’t be thinking about infrastructure, or applications. These are solved problems,” he said at the Dreamforce conference in San Francisco in October. “A CIO should be thinking about building a platform for business to build amazing customer experiences.”

The amount of spending on hosting and cloud services is expected to rise from 28 per cent in 2016 to 34 per cent in 2017, according to 451 Research. The New York analyst firm’s Voice of the Enterprise: Hosting and Cloud Managed Services Study says that the majority of that spending isn’t going to pure infrastructure spending, but to cloud services at a more abstract level. It breaks down the average budget spending like this:

  • 42 per cent on application services
  • 14 per cent on managed services
  • 9 per cent on security services
  • 5 per cent on professional services for cloud enablement

The interpretation by 451 research manager Liam Eagle is that enterprises are looking for cloud computing services that come bundled with managed services, meeting not only their IT infrastructure needs but also their line of business requirements with one monthly bill payment. Public cloud infrastructure providers are the most likely to be delivering this at the moment, but managed hosting providers are also used by more than one-quarter of firms.

In some scenarios, more established businesses are looking for cloud service providers to help them adapt to industry disruption. German-based Deutsche Bank is doing this by meeting with hundreds of startups in the FinTech space, and then working with some of them to provide their services at scale through its already-established customer base. At the same time, the bank is benefitting from the improved customer experience developed by these startups.

“What we are trying to do is change that whole interaction experience with our customers,” Kim Hammonds, COO of Deutsche Bank, said during a panel at Dreamforce. “All of our customers expect a digital experience.”

Kim Hammonds (left), COO of Deutsche Bank, says a data lab known as ‘The Hive’ has a mandate to improve user experience based on analytics.

To that end, the bank has set up a data lab in Dublin dubbed The Hive, where 50 data scientists work to improve the customer experience aided by analytics data. It’s also looking to understand how the 150 million processes that are run at the bank can be simplified with the help of machine learning – another service now available from several public cloud infrastructure providers.

The growing expectations of the cloud from businesses show that years of hearing about what the IT delivery model can achieve at industry conferences have sunk in. But now that businesses are embracing it, the services will need to live up to the hype.


Canada is ready for coming surge in cloud traffic: Cisco report

Brian Jackson Published: 11/10/2016

Canada is ready for the cloud, and it’s a good thing considering that cloud traffic is expected to rise 370 per cent from 2015 to 2020, according to a new report from networking vendor Cisco Systems Inc.

Globally, cloud traffic is predicted to rise from 3.9 zettabytes in 2015 to 14.1 zettabytes in the year 2020, according to the sixth annual Cisco Global Cloud Index. As the cloud model of managing IT resources becomes more popular compared to traditional, siloed data centres, traffic to data centres is the metric indicating that shift. By 2020, public cloud growth (such as that provided by Amazon Web Services or Microsoft Azure) will outpace private cloud growth.

A highlights look at connectivity in Canada. Source: Cisco Global Cloud Index

To be ready to compete in a world of instantly-scalable infrastructure, Canada’s connectivity needs to be ready to transfer data at speed. According to Cisco’s data, it is ready with average download speeds of 25.9 mbps for fixed wireline download and 8.3 mbps for upload. Those speeds are well behind the average speeds seen in the U.S., Russia, China and much of Europe – but according to Cisco, they’re still good enough.

As to wireless speeds, Canada is doing better. It sees download speeds of 24.2 mbps and upload speeds of 9 mbps. Compare that to the U.S. at 17.1 mbps download speeds and 9.9 mbps upload. In Russia, both download and upload speeds are close to 7.5 mbps.

To be able to rely on advanced cloud apps, Cisco’s baseline requirement is better than 2.5 mbps download and 1 mbps upload.

Cisco’s infographic shows its projection that data centre traffic will triple from 2014 to 2019. Source: Cisco Global Cloud Index.

Cloud’s projected growth in the enterprise

With all cloud data centre traffic growing to 14.1 ZB per year in 2020, it will dwarf traditional data centre traffic at 1.3 ZB per year, which is seeing a more modest growth. Workloads per physical server will also go up from 7.3 in 2015 to 11.9 by 2020 in the cloud. At traditional data centres, workloads per physical server will be at 3.5.

Major sources of data driving the need for more storage and processing power include big data, which will increase 530 per cent between 2015 and 2020, and the Internet of Things, which may reach 600 ZB per year by 2020.

Companies’ private data centres will be used more to deliver applications than as a means to provide infrastructure as a service, as that functionality will be pushed to the public cloud. In North America, Cisco forecasts that in 2020 IaaS workloads will be 11 per cent of total private cloud workloads, down from 36 per cent in 2015.

Meanwhile in North America software as a service workloads will grow both in the public cloud (at a rate of 30 per cent annually) and in private cloud (to 54.4 million workloads in 2020 compared to 16.5 million in 2015).

Workplace Leadership

Why Justin Trudeau and Alibaba’s Jack Ma think the tech industry could use more women

Eric Emin Wood Published: 09/27/2017

TORONTO – Jack Ma didn’t think there was anything out of the ordinary about his company.

During an appearance Tuesday at Gateway ’17, a Toronto event organized by Alibaba, the Chinese ecommerce giant’s founder and executive chair explained how he became a champion for increasing the number of women in the tech industry.

It began in 2007, he said, when Alibaba made its initial public offering in Hong Kong.

“I got some media to visit Alibaba, and they said, ‘Jack, why are there so many women in your company?'” he told reporters during the Sept. 25 event. “I said, ‘really? I did not realize that.'”

It wasn’t the last time he’d be asked that question, and Ma, who started Alibaba in his apartment in 1999 with 17 friends – all of them men – said he eventually learned that in Silicon Valley few companies have more than 25 per cent women among their ranks – and that the numbers among their leadership ranks and among entrepreneurs are even worse.

Alibaba’s workforce, meanwhile, is more than 40 per cent female – including a female CFO and CPO (chief people officer) – as are one third of its managers. According to Ma, the percentage is currently around 47, though it used to be higher – “we acquired some companies who were more men,” he explained – and remains a focus for the company.

The reason, he said, is simple: Men focus on products, while women focus on customers.

“I’m not a tech guy,” he said. “I care about user friendliness. I’m scared of technology. I want to make technology simple… and the first quality controllers I had… were girls. They always say, ‘this is no good. We should do this instead.’”

More importantly, he said, most of Alibaba’s buyers are women – and many of the sellers too. And few companies succeed by ignoring their customer base.

Ma’s support for women in the workplace goes beyond their understanding of customers, of course – they tend to make better leaders too, he said, not to mention they’re frequently more care- and detail-oriented than their male counterparts.

“When times are good, men are focused, but very fast,” he said. “When something goes wrong, they disappear. Women don’t rush like that, but they also never disappear. So this makes Alibaba’s culture very resistant.”

“When I’m in trouble, most of the time it’s my women colleagues who… encourage me, saying, ‘don’t worry about it. We can go for another five years,'” he said.

Echoes Trudeau’s support

The subject of women in the workplace was raised during the Gateway ’17 event’s keynote, when tech entrepreneur, Dragon’s Den judge, and event host Michele Romanow asked Ma and one of his special guests, Prime Minister Justin Trudeau, to discuss the lack of female entrepreneurs in Canada.

Romanow has contributed to the Canadian Entrepreneurship Initiative, which asked thousands of Canadians to name their favourite entrepreneurs, and was blunt about the implications of its findings.

“The first problem was that 50 per cent of Canadians couldn’t name an entrepreneur they looked up to,” she said. The second was that three of the top five Canadians named – John Molson, Alexander Graham Bell, and Joseph-Armand Bombardier – were, as Romanow put it, “great entrepreneurs, but deceased, old, and white males.” (The other two were living white males: Saskatoon magnate Jim Pattison and former Dragon Kevin O’Leary.)

“What are you doing to encourage more women to be entrepreneurs?” she asked.

Trudeau said that for the Liberal government, encouraging more women to succeed as both tech industry leaders and entrepreneurs isn’t merely about doing the right thing, but the smart thing.

“You cannot have an economy that is doing as well as it can unless everyone has an opportunity to participate to their fullest degree,” he said. “We talk about understanding diversity and different points of view as essential ingredients for success… well, making sure that basic diversity – half of us are men, half of us are women – having both of those perspectives represented from the start is an essential path to success.”

Equally important to encouraging women to succeed, Trudeau added, is removing whatever tools and barriers stand in their way, and laying groundwork for their success in the future.

“Before I could name a cabinet that was 50 per cent men, 50 per cent women, it took me a few years to reach out and draw in great women candidates from across the country,” he said. “And then once you have women in business, women entrepreneurs, women in government, the calibre of solutions changes as well.”

Women in charge at Alibaba

Ma said he couldn’t agree more.

“One thing I find very interesting,” he said to Trudeau and Romanow: “Women really care for husbands, parents, and kids… and always ask… ‘I have two kids and I have a career. Which one should I choose?'”

“Men never ask these questions. They only care for themselves,” he continued, to audience laughter. “But then when you’re running the company… men focus on products and technology, and they forget all about the people.”

“Women focus on people… and technology products always include people,” he said, to loud applause. “So that’s why we have a lot of women leaders in our company making sure our products, our services, are people oriented.”


Canadian CIOs share their top barriers to hiring the best tech talent

Mandy Kovacs Published: 08/22/2017

The IT skills shortage in Canada has been well documented, and this job-seeker’s market hasn’t made hiring any easier for executives.

For Canadian chief information officers (CIOs), the most common hindrance to securing the best candidates is not being able to meet salary demands (30 per cent), followed by not finding enough qualified applicants (26 per cent), and not being seen as an employer of choice (22 per cent), according to new research from IT staffing company Robert Half Technology.

Kin Lee-Yow, CIO of the Canadian Automobile Association (CAA) Club Group of companies, says that Robert Half’s findings are accurate and ring true for him and his organization.

“High salary expectations and not being a desirable employer are absolutely an issue. In our case, CAA is not known to be a high-tech company from people on the outside even though we do a lot of high-tech innovation internally, so it’s hard to hire tech-savvy people. We’re not Facebook or Google or Apple,” he explains.

As for not finding enough qualified applicants, Lee-Yow notes that while that is absolutely an issue, it’s not necessarily the applicants’ fault.

“There are a lot of people who have the skills for the job but they don’t have any experience, and one reason for that is because technology is moving and evolving so quickly. To hire someone with enough experience is a challenge,” he continues.

How to jump these hiring barriers

The CIO says that to bypass these hiring issues, CAA abides by the motto, “educate and train your employees so that they can leave, but treat them well enough so that they don’t.” He believes in building a company culture that feels like a family so that employees want to be at work. While it doesn’t mean they won’t go, “it reduces the number of people that actually leave.”

Lee-Yow also points out that CAA began a successful new graduate program two years ago that hires students fresh out of university who may not have any work experience, and trains them in the CAA organization.

“A lot of university graduates don’t get a job right out of school because they don’t have any experience, so we decided that as long as they’re academically sound, we’ll recruit them, train them, and pay them. We have a year to evaluate them and if they do well, they’re moved to a full-time position, and if they don’t succeed, we release them, but at least they’re leaving with a year’s worth of experience,” he says.

Lee-Yow adds that in the two years the program has been running, all the graduates hired got full-time jobs within approximately four months, which helps reduce the stress of finding and hiring new employees outright.

Long hiring processes are the enemy

A lengthy hiring procedure is another barrier noted by IT leaders in the Robert Half study, with 23 per cent of the more than 400 Canadian CIOs surveyed saying their process takes longer than they would like. This is echoed by the majority of potential candidates, who say that waiting to hear if they got the job post-interview is the most frustrating part of the hiring process and that they would lose interest in the role if they didn’t hear back within two weeks.

“First impressions go both ways in the hiring process, and it’s important that companies establish a positive relationship with technology candidates early on,” Deborah Bottineau, senior regional manager of Robert Half Technology, says in an Aug. 22 press release. “The more drawn-out or complicated the hiring process, the likelier it is that job seekers will lose patience with the company, and interest in the position. Developing a decisive recruitment strategy that includes a well-rounded, competitive compensation package will keep talented candidates engaged, and prevent them from seeking opportunities elsewhere.”

CAA’s Lee-Yow says his organization’s hiring process follows the same path, and while some positions can be filled in just a couple weeks, others can take months.

“Our hiring process is long and while it does vary, it’s definitely not days and is usually not weeks either,” he notes. “What’s helped is I’ve started to put metrics in place with our human resources department so that we can look to see how we can measure ourselves and improve on how long it takes to hire for certain jobs. Some take months, while others are quick and filled within 14 days after we post the job. Now that we know that, we’ve been able to get a better handle on the challenge of hiring.”

How to hire efficiently

Robert Half offers several tips companies and executives can use to speed up their hiring process:

  • Be prepared – Before posting a job opening, make sure you know exactly what skills and experience you’re looking for, and research the latest trends on salaries, benefits, incentives, and other perks to see what you can offer.
  • Work with a recruiter – If you’re short on time and resources, look into a staffing firm that can give you insights and help with the hiring process.
  • Move quickly – Have key staff meet top candidates as soon as possible so you can make a quick, educated, and well-supported decision.
  • Communicate openly and often – Be transparent throughout the hiring process and describe the role, responsibilities, and compensation as clearly as you can. Giving a candidate updates on where they stand and the next steps in the process will also be much appreciated.
  • Make an offer – Be sure to have discussions with human resources to know your limitations in a salary negotiation situation, and make sure the compensation you’re offering is fair and competitive.

85 per cent of jobs in 2030 haven’t been invented yet

Alex Radu Published: 07/13/2017

If you’re worried that a machine is going to take over your job, don’t fret, because your next job just doesn’t exist yet.

According to a Dell Technologies report titled ‘The Next Era of Human and Machine Partnerships’, an estimated 85 per cent of jobs in 2030 haven’t been invented yet. It takes a look at how emerging technologies like artificial intelligence, robotics, virtual reality, augmented reality, and cloud computing will change every single person’s life over the next decade.

“The idea that 85 per cent of jobs in the future haven’t been invented yet tells you what a gap there is in terms of our understanding of where we are today, and our understanding of how much help customers are going to need to get from point A to point B,” said Gaurav Chand, senior vice president of marketing at Dell over the phone with ITWC.

The idea is that these emerging technologies will ‘recast’ the relationship humans have with machines. Aspects like eliminating mundane tasks will in turn create new jobs that we don’t know about. The report says humans will act as ‘digital conductors’ where technology will work as an extension of people.

Chand points to the smart assistant devices like Amazon’s Alexa and Google’s Google Home as disrupting how we live at home. He points to how these digital platforms that exist to orchestrate human and physical pieces are still growing.

“One simple example is how Amazon and Google have entered the home with AI,” said Chand. “All those mundane tasks that humans have had to do in the past are going to be taken away and replaced by machines, and humans will have to be the coordinators of all the stuff that is available to them through AI and machine learning.”

With the elimination of these mundane tasks, the jobs we have now will not only change, but some will also be eliminated. The idea that 85 per cent of jobs in 2030 haven’t been invented just means that the landscape will look very different, not that technology will take over for humans. Chand says that this is no different than previous technological advances.

He points to the previous jobs of legacy infrastructure like server, storage, and network admins, and how the rise of converged and hyper-converged infrastructure eliminated the need for those jobs, but then in turn created the need for new converged and hyper-converged admins. Various positions will certainly become nonexistent, but new positions will rise in their stead.

“We’ve seen that happen in the last five to seven years in the same way when you look at AI and software development. 85 per cent of those jobs literally don’t exist today, and in a lot of cases we don’t even know what those jobs are,” said Chand. “The report points to the fact that yes, the actions and jobs are going to go away, and then the population is going to have to learn a new skill set in order to embrace them and make themselves competitive in the future.”

Advancements in areas like software, big data, and processing power will reshape human lives without a shred of doubt, but that doesn’t mean those advancements are going to replace humans entirely. It will be up to humans to learn those new skill sets, adapt, and to be flexible and agile, and for business to help perpetuate that.

“It’s one of the only pieces that I have seen that’s not doom and gloom, you know, machines take over and humans become a non-entity. We don’t believe that to be true, and the research does not believe that to be true. Instead, the notion is that the tasks that we are used to doing today are going to be replaced by tasks of the future, some of which we know, and some of which we have yet to discover,” Chand said.

The Next Era of Human-Machine Partnerships report was created alongside 20 Institute for the Future (IFTF) technology, academic, and business experts. You can read the full report here.

Corporate culture is key to digital transformation

Mandy Kovacs Published: 03/29/2017

Digital transformation is more than just having a plan, experts told the audience at the IDC Directions 2017 event held in Toronto on Mar. 28.

In order for an enterprise to truly transform and be successful in the modern technological age, there needs to be a cultural change along with a practical strategy.

Shawn Slack, director of IT and CIO at the City of Mississauga, speaking during a panel at IDC Directions 2017 in Toronto.

“Culture eats strategy all day long,” Shawn Slack, director of IT and CIO at the City of Mississauga, stressed at the event. “It’s not just about modernizing the technology that you use. To effect real change, companies need to break down the established norms within their corporate culture and modernize them as well.”

Continuing the conversation was Steve Heck, global IT director at Microsoft, who said that in particular, executives need to understand this point before they embark on a digital transformation journey.

“Executives need to understand what they have in terms of business culture – and be realistic – and what they want to achieve in the transition, and then how to get from one to the other,” he explained. “If they don’t acknowledge that, or have a plan to navigate around the people in the company who don’t [acknowledge the corporate culture], they lose the ability to enact real change.”

Steve Heck, global IT director at Microsoft, speaking at IDC Directions 2017.

He added that for those dealing with unwilling execs, boards or stakeholders, the first step is “understanding why they may be resisting letting go of traditional business methods and embracing the future.”

“Once you understand the reasoning behind their stance, you can work on changing their views,” he said.

Even in the public sphere, changing an organization’s culture is important. Samantha Liscio, senior vice president of enterprise planning and reporting at eHealth Ontario, explained that the biggest challenge for public leaders is also breaking down cultural barriers.

“Organizational culture is key to digital transformation – everyone needs to be on board for it to work, from ministers and C-suite executives to employees,” she told the audience. “If you don’t do the legwork on making culture changes, no matter how compelling your vision is for change, you won’t get there.”

Samantha Liscio, senior vice president of enterprise planning and reporting at eHealth Ontario.

She said that oftentimes, governance and bureaucracy make the road to digital transformation “bumpy,” but by identifying barriers and where they are in a business or organization, they can be fixed, avoided, or removed altogether.

“Leaders need to make the transition as frictionless as possible internally,” she continued. “When you’re asking employees to fundamentally change what they do and how they do it, you need to be aware of the challenges they will face and offer up a support system to help, as well as keeping an open line of communication.”

In an interesting counterpoint, Dan Donovan, a technology and cloud strategy consultant and former vice president of technology at Porter Airlines, explained that he actually had the opposite problem while at Porter.

Dan Donovan, a technology and cloud strategy consultant and former vice president of technology at Porter Airlines.

“We didn’t have anyone opposing digital transformation because we were such a young company, we had many individuals and groups who were eager for change and eager to innovate,” he said. “It was great and we liked having people like that on board, but we didn’t have a strong structure on how to prioritize and assign resources to put this transformation in motion.”

He told the crowd that many of the groups went off on different paths and had to be reined in with assigned roles within the digital transformation process.

“I guess it was part of the process of going from a rapid high growth startup to a mature company,” he said. “The culture for change was there but we needed a foundational plan first.”

Women are seriously under-represented in the Canadian tech sector and it’s not improving: new report

Mandy Kovacs Published: 07/05/2017

Gender parity in the technology sector still has a way to go, according to a new report from Women in Communications and Technology’s (WCT) Up The Numbers campaign.

The study, “Where are the women in the Canadian ICT industry,” highlights the fact that women are still incredibly under-represented in the technology sector in Canada, despite making significant headway in many industries, such as accounting, law, and medicine.

Since the end of the first two world wars, most Western democracies have experienced a feminist revolution, which has encouraged the rising rates of women seeking post-secondary education and changed how society views women and their place both at home and in the workplace.

The report points to the accounting, auditor, and investment fields, where women make up more than half of all professionals, and medicine, with women making up just under 50 per cent of physicians practicing in Canada (and more than half, again, among those aged 44 and younger). Even the legal sector has seen growing gender parity, with 39 per cent of Canadian lawyers female and the younger cohort equal in several provinces.

However, just a quick glance at the science, technology, engineering, and mathematics (STEM) professions and it’s a completely different story. Only 13 per cent of engineers in Canada are women, and the most significant under-representation of women is actually in computer science. The WCT report quotes data from the American Association of University Women, saying that the number of female students majoring in computer science has fallen from 37 per cent in 1984, to a mere 18 per cent today. And while based on US numbers, Canada is experiencing the same dramatic drop.

“Women are still seriously under-represented in technology in Canada,” says the report. “They have been for some time and there is no reason to expect this situation will improve. Put another way, the post-war surge in women’s employment in Canada appears to have swept right past the ICT industry.”

And in the information and communications technology (ICT) sector, women represent just slightly over 27 per cent, according to the Canadian Labour Force Survey in 2016 – but that number, too, has dropped from almost 30 per cent in 2011.

WCT’s report also mentions that women in ICT roles are actually more successful and see more upward movement into management roles when working in the broader economy, rather than in the ICT sector itself.

It suggests that from the data it reviewed for the study, “when it comes to attracting and retaining female technology professionals, the ICT industry is lagging the competition.”

Women occupy just over 21 per cent of ICT management positions in the ICT sector, but approximately one third of the management workforce in the broader economy.

Why does this matter?

Beyond the social benefits of inclusion and equal opportunity, more women in the workforce improves corporate performance, WCT says.

“The correlation between diversity and corporate performance is well documented,” it continues. “McKinsey’s ground-breaking Diversity Matters study stated the case clearly. ‘Companies in the top quartile for gender diversity are 15 per cent more likely to have financial returns above their respective national industry medians. Companies in the bottom quartile for both gender and for ethnicity and race are statistically less likely to achieve above average financial returns than the average companies in the data set.’”

And in a time where the Canadian ICT industry is facing a severe and chronic shortage of highly skilled talent – not to mention the ageing Canadian workforce in general – the tech industry cannot afford to be picky.

“The growth in digital jobs has outpaced the overall economy in the past two years by over 4 to 1, leading to a strong demand of 182,000 skilled ICT workers by 2019,” the study adds. “Unfortunately, the domestic supply of ICT graduates and workers will be insufficient to meet this demand. Engaging all available talent, including women, youth, immigrants and indigenous persons and persons with disabilities will be critical to mitigating the talent shortage.”

This number has even increased: the Information and Communications Technology Council (ICTC) indicates that Canada will need to fill approximately 216,000 technology-related positions by 2021.


This cyber attack gives new meaning to the word ‘sophisticated’

Howard Solomon Published: 10/11/2017

Security experts recently have taken to noting the increased sophistication of the tactics of threat actors. A column this week from Cisco Systems’ Talos threat intelligence service about a new attack vector gives new meaning to the word.

Briefly, it used DNS TXT records to create a bidirectional command and control (C2) channel to directly interact with the Windows Command Processor and gain control of an enterprise DNS server. The technique is being copied.

The attack investigated by Talos started in a traditional way, with a spoofed email that contained a document with malware. In this particular attack, the email was made to appear to be from the U.S. Securities and Exchange Commission’s EDGAR document filing system for publicly traded companies. When opened, the Microsoft Word attachment would initiate a multi-stage infection process leading to infection with DNSMessenger malware. “Rather than leveraging macros or OLE objects, which are some of the most common ways that Microsoft Word documents are leveraged to execute code, these attachments leveraged Dynamic Data Exchange (DDE) to perform code execution,” say researchers.

When the document is opened, Windows does warn that it contains links to external files and asks the recipient to allow or deny the content being retrieved and displayed. If the user said yes, the malicious document would reach out to attacker-hosted content to retrieve code that would be executed to initiate the malware infection. In this particular case it retrieved code, downloaded and executed directly using PowerShell, that the attacker had initially hosted on a hacked Louisiana state government website.

Screen shot of Word warning. Image from Cisco Talos

That downloaded code executes the next stages of the infection process. It is also responsible for achieving persistence on systems, including determining the access privileges of the user to determine how to proceed with achieving persistence.

Through some trickery the malware creates a hostname that will be used to start making DNS requests.

“This attack shows the level of sophistication that is associated with threats facing organizations today,” write the researchers. “Attackers often employ multiple layers of obfuscation in an attempt to make analysis more difficult, evade detection and prevention capabilities, and continue to operate under the radar by limiting their attacks to only the organizations that they are targeting.

“It is also important for organizations to be aware of some of the more interesting techniques that malware is using to execute malicious code on systems and gain persistence on systems once they are infected. In this particular case, the malware featured the capability to leverage WMI, ADS, scheduled tasks, as well as registry keys to obtain persistence. The use of DNS as a conveyance for later stage code and C2 communications is also becoming more and more commonplace.”

One lesson, valuable during Cyber Security Awareness Month, is to again hammer home to employees the danger of opening attachments and links. In this case one warning sign was the brief email message: “Important information about last changes in EDGAR filings.” It might have been hard for a staffer to hold off since the attacker went to a lot of trouble to make communications look authentic, but the Word warning should have been enough to at least ask a manager if going further was safe. One clue staff should watch out for: Is the message one they were expecting?

CISOs should also take away the importance of having Web and email gateways that not only help detect malware but also prevent users from connecting to known malicious domains, IPs, and URLs.
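The article notes that DNS is increasingly used to carry later-stage code and C2 traffic. One way a defender might surface that pattern in resolver logs is sketched below as an added example (not code from Talos or from this article). The log format, the thresholds, the two-label base-domain split and the `example.*` names are all constructed assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver log, one query per line: "<client_ip> <qtype> <qname>".
SAMPLE_LOG = """\
10.0.0.5 A www.example.com
10.0.0.5 TXT example.com
10.0.0.5 TXT _dmarc.example.com
10.0.0.7 TXT a1b2c3d4e5f6g7h8.example.net
10.0.0.7 TXT q9w8e7r6t5y4u3i2.example.net
10.0.0.7 TXT z0x1c2v3b4n5m6l7.example.net
10.0.0.7 TXT p0o9i8u7y6t5r4e3.example.net
10.0.0.7 TXT m1n2b3v4c5x6z7a8.example.net
10.0.0.7 TXT h8g7f6d5s4a3q2w1.example.net
10.0.0.9 TXT _dmarc.example.org
10.0.0.9 TXT _dmarc.example.org
10.0.0.9 TXT _dmarc.example.org
10.0.0.9 TXT _dmarc.example.org
10.0.0.9 TXT _dmarc.example.org
"""

def shannon_entropy(s):
    """Bits per character; random-looking labels score higher than words."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def split_name(qname):
    """Naive split into (subdomain, base domain) using the last two labels.
    Assumption: production code should consult the Public Suffix List."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def find_txt_tunnel_suspects(log_text, min_queries=5, min_unique=5,
                             min_entropy=3.0):
    """Flag (client, domain) pairs with many TXT lookups for distinct,
    high-entropy names: the shape of data carried in DNS, unlike the
    repeated SPF/DMARC lookups that make up normal TXT traffic."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[1].upper() != "TXT":
            continue
        sub, base = split_name(parts[2])
        seen[(parts[0], base)].append(sub)
    suspects = []
    for (client, base), subs in sorted(seen.items()):
        mean_h = sum(shannon_entropy(s) for s in subs) / len(subs)
        if (len(subs) >= min_queries and len(set(subs)) >= min_unique
                and mean_h >= min_entropy):
            suspects.append({"client": client, "domain": base,
                             "txt_queries": len(subs),
                             "unique_names": len(set(subs)),
                             "mean_entropy": round(mean_h, 2)})
    return suspects

if __name__ == "__main__":
    for hit in find_txt_tunnel_suspects(SAMPLE_LOG):
        print(hit)
```

The thresholds are starting points to tune against a baseline of the organization's own DNS traffic, since some legitimate services also generate many unique TXT lookups.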


Cyber security not just an IT problem: Experts

Howard Solomon Published: 10/02/2017

The number and size of cyber attacks continue to increase but Canadian organizations still lag in seriously dealing with the problem, say two experts.

“The awareness level [of cyber security] is higher than I’ve ever seen it in 15 years that I’ve been in security,” said Jason Doel, co-founder of Toronto-based Tracker Networks, which makes information and business risk management tools. “In terms of maturity, though, other than really large enterprises, generally Canadian enterprises are not as mature managing it as U.S. and European firms. Certainly, mid-size companies have been later getting serious about it.”

Jason Doel, Tracker Networks


“To a large extent I think the legal and regulatory framework is behind in Canada. Ultimately that is what drives a lot of the security marketplace: Being forced to do it. That is why in Canada large banks are quite mature, but they’ve been driven by their regulators for some time.”

That may in part be because cyber security has been seen as an IT problem, he said. “The more enlightened view is the business is the first line of defence, there’s responsibility at business level for identifying and assessing risk, and then overseeing and providing governance to make sure risk is adequately managed.”

Dave Masson, who has worked for both British and Canadian intelligence agencies and now manages the Canadian division of Darktrace, which makes threat detection solutions, said a major problem is CISOs don’t have enough visibility into their networks. “They quite simply don’t know what’s going on in the network now,” he said, “and they don’t actually know what is on the network. If you don’t know what you have how are you going to detect it?”

Since leaving the public sector last year, he has been surprised at the naivety in the private sector here about the size of the cyber threat environment. Perhaps, he said, that might change if a Canadian organization suffers “a big hack.”

“I would suspect if ransomware became a big pain in the neck that might push people to do something about it.”

Doel and Masson are two members of a cyber security panel being moderated by IT World Canada CIO Jim Love at the annual Canadian Wireless Trade Show, Oct. 17-18, in Mississauga, Ont. Other panelists are Brian Kocsis, director of information security at Meridian Credit Union, which has 80 branches in Ontario and Quebec; and Bob Steadman, vice-president of security and compliance consulting at the Herjavec Group, a consulting firm with offices in Ontario, Alberta, Quebec and B.C.

Masson has also been an adviser to Ottawa on dealing with insider threats. Estimates of the number of employees who fit in this category vary. In its annual data breach investigation report, which compiles information from a number of security vendors around the world, Verizon Communications says on average 20 per cent of attacks are caused by insiders.

Dave Masson, Darktrace

About 20 per cent of what Darktrace sees on customer networks is lateral movement, Masson said, meaning someone deliberately moving about the network. “The issue is whether you’re talking about a malicious insider or people who just make mistakes, and unfortunately there’s a good fraction who just make mistakes – people who dislike phishing training and still click on the link and download malicious software and all hell breaks loose. Having said that, let’s not underestimate the damage that can be done by a malicious insider. … You cannot ignore the insider threats.”

Masson also has an opinion on the need for speedy patching in light of recent exploits of vulnerabilities. IT administrators wrestle with the problem because in some environments patches need to be tested before being implemented to ensure a fix doesn’t bring down other applications.

“Accept there will be intrusions, accept that people will get in,” he said – and be ready. “Come up with a technology that allows you to see what is happening now, because when you see subtle changes now deal with it when it’s a small problem rather than wait until it’s a bigger problem.”

There are four key things organizations should do to improve their security profile, Doel said.

“First, make sure the organization has an enterprise risk program in place, and cyber security is aligned with it … What goes along with that is recognition that executives and lines of business have a role to play in cyber security. They set the risk tolerance of the org, they have to be part of the risk identification and risk assessment process. You can’t just put it on the technical people.”

Also, CISOs have to pay more attention to protecting the critical data types and systems, he said. “What you often see in companies is they’ll have organizational policies and practices, but they don’t take the extra step of identifying what are the crown jewels – and are we verifying these best practices in our policies are being done.”

Another key defence is assessing third party/supplier risk, Doel said. “You can outsource an operation but not risk,” he noted. He believes few companies do a good job of this. They may do an initial risk assessment but not update it. The infamous 2013 Target breach was accomplished by hacking the chain’s ventilation (HVAC) consultant, he pointed out, which had network access.

Encryption-breaking quantum computers getting closer, warns Canadian expert

Howard Solomon Published: 09/13/2017

With research accelerating around the world on next-generation quantum supercomputers, the odds of someone creating a new machine able to crack current encryption methods protecting data have increased in the last 12 months, says a Canadian expert.

Last year at this time, when experts from around the world gathered in Toronto for the fourth annual Quantum Safe Workshop, it was estimated there was a one in seven chance that by 2026 a quantum computer will be built that can break RSA-2048 encryption.

That’s now down to a one in six chance, says Michele Mosca, co-founder of the University of Waterloo’s Institute for Quantum Computing, program director and a speaker at this year’s conference in London, which starts today. So perhaps within a decade, or perhaps longer.

“I’m not saying there’s humongous unexpected breakthroughs and we should all panic,” he says. “But it’s more significant progress than I expected.”

And CISOs have to be prepared now to start protecting sensitive data better.

The conference brings together researchers, security vendors and C-suite executives to help prepare for a new suite of standardized tools resilient to quantum computers in the future to protect data being encrypted now.

Mosca doesn’t expect this week’s conference to reveal any surprising breakthroughs. However, it will suggest where progress is being made both in the creation of quantum computers and defensive solutions.

Presenters will include an official from China’s Innovation Center for Quantum Information and Quantum Technology, expected to talk about a quantum cryptography experiment in space conducted earlier this year which could pave the way for unbreakable quantum key distribution. A Swiss-based company called ID Quantique says it is working on a similar satellite-based solution, and an official from that firm will also speak about its QuSat project.

“One of the reasons for founding this workshop was to have a higher level discussion” on defending against quantum computers, Mosca said. “We knew the technical people will have to figure out how to get these things to interoperate and interface, but now it was time to engage the broader community to figure this out together.” That community includes governments, the C-suite and vendors.

And while the technical tracks include sessions such as “A Brief Introduction to Techniques for Solving Lattice-Based Quantum-Safe Schemes,” and “Zero Knowledge Authentication for RLWE Samples and New Robust Key Exchange Allowing Key Reuse,” the conference also has sessions for business executives on why quantum computing is important now.

“This is not intended to be another academic conference,” Mosca stressed. “This is about how do we get these tools ready for showtime – how do we get them from our whiteboards and labs to deployed products protecting citizens.”

“Quantum computers will break the way we do cyber security, the way we do crypto(graphy) today, and we need to solve it.”

Briefly, quantum computers use the theory of quantum mechanics to change the traditional world of computation, in which bits are represented by zeros and ones. Instead, a bit can be a zero OR a one. In a quantum computer such basic elements are called qubits.

Mosca sees the quantum computing world from two sides. On the threat side, “a lot has happened in the last six to eight months in terms of progress towards scalable quantum computing” by public and private researchers in Canada, the U.S., Australia, England, Japan, the Netherlands and China.

Researchers have created as many as 10 physical qubits, he said, but the real advance will be the creation of logical qubits chaining physical ones that can scale, be fault-tolerant and therefore threaten current cryptography.

On the solution side Mosca admits researchers are getting closer to creating security tools that would keep up with the speed of a quantum computer. This side has been slower, in part because until the threat can be shown businesses see no reason to act. Most technology purchasers assume their security vendors will have a solution, Mosca said.

Some are working on one. In addition, the U.S. National Institute for Standards and Technology has welcomed ideas for quantum-resistant public-key cryptographic algorithms. The deadline for submissions is Nov. 30. However, it will take some time for any algorithm to be verified. The European Telecommunications Standards Institute (ETSI) and the International Standards Organization (ISO) are also working on a standard. The topic is also increasingly on the agendas of cryptography conferences, he said.

However, Mosca warns CISOs that “you need to have a [quantum-safe] plan. You need to start your planning immediately. You don’t need to panic – a plan doesn’t mean you need to buy lots of stuff. But if you haven’t already you need to develop a roadmap and start a conversation with the other stakeholders” in your organization. “Then it will become clearer whether you need to step up the pace.”

To that end Mosca and a colleague have posted a six-step quantum risk assessment methodology for CISOs. The methodology can be integrated with common risk management frameworks from NIST, ISO or other groups.

Those steps, which involve creating a mathematical formula, are:

1- Identify and document information assets, and their current cryptographic protection;

2- Research the state of emerging quantum computers and quantum-safe cryptography. Estimate the timelines for availability of these technologies. Influence the development and validation of quantum-safe cryptography;

3- Identify threat actors, and estimate their time to access quantum technology “z”;

4- Identify the lifetime of your assets “x”, and the time required to transform the organization’s technical infrastructure to a quantum-safe state “y”;

5- Determine quantum risk by calculating whether business assets will become vulnerable before the organization can move to protect them (so, is x + y > z?);

6- Identify and prioritize the activities required to maintain awareness, and to migrate the organization’s technology to a quantum-safe state.

Warning to CISOs: Industrial cobots need to be watched

Howard Solomon Published: 08/22/2017

It’s hard enough for CISOs to deal with humans in their enterprises. A new report from a security vendor warns that increasingly they have to deal with cobots, slang for collaborative robots that work alongside people in workplaces.

The report, from researchers at IOActive, cites a study by the control and robotics laboratory at Montreal’s Ecole de technologie superieure (ETS) showing even a small model is powerful enough to harm a person beside it if it loses control. And it might for a number of reasons, including being hacked remotely if the cobot is connected to the public Internet.

The short version of this is that CISOs have to treat cobots like any other device that might connect to a public network, which includes conducting a risk assessment and talking to the manufacturers about the device’s operational code.

What the report says is — like SCADA devices also found in industry — manufacturers may not be using the best cyber security coding practices. In a blog today describing the report, researcher Lucas Apa says in one manufacturer’s cobots an attacker could chain vulnerabilities to remotely modify safety settings, violating applicable safety laws with the result nearby workers could be hurt.

Unlike robots, which operate in a fixed environment, cobots assist humans by seeing through HD cameras and listening through microphones. They can also be guided by operators. Cobots are already in use around the world, and while they will come with safety features they are machines and come with the threats all such devices have: sharp instruments and the ability to use force.

The cobot analyzed by IOActive had Linux-based source code. Briefly, researchers discovered an authentication vulnerability in the server-based management dashboard, exploited a stack-based buffer overflow, modified the safety.conf file, restarted the machine and then moved the cobot in a dangerous way.

This report is a follow-up to one Apa and fellow researcher Cesar Cerrudo did in January on home, business and industrial robots and cobots. In that paper they found nearly 50 critical security issues. All were reported to manufacturers. Some have been patched, but this latest paper was issued because one vendor has been tardy.

“Once again, I see novel and expensive technology which is vulnerable and exploitable,” writes Apa. “A very technical bug, like a buffer overflow in one of the protocols, exposed the integrity of the entire robot system to remote attacks. We reported the complete flow of vulnerabilities to the vendors back in January, and they have yet to be patched.”

The most obvious response from CISOs is to make sure industrial systems run on a segregated network fully protected from Internet attacks. But they must also check with manufacturers to ensure source code isn’t vulnerable.
