
How to strengthen the security of Oracle applications without relying on OAU

Vendor support agreements have long been a sticking point for customers, and the Oracle Applications Unlimited (OAU) program is no different. The high costs and lack of flexibility associated with OAU put its value into question and affect enterprises running Oracle E-Business Suite, JD Edwards EnterpriseOne, PeopleSoft, Siebel CRM, Hyperion, and more. As security remains high on the priority list for companies and IT leaders,[1] and increasingly so with the rise of cyber-attacks, IT executives are put into a tough position – trying to find the funds to keep their systems secure while having enough left to invest in innovation and growth. While the OAU program gives customers access to security patches and application updates, which may be delivered through periodic upgrades at a cost of typically 22% of the annual license fees, applying changes to software introduces the risk of compatibility issues with existing applications and customized software. That, in turn, can lead to system crashes, application errors, degraded performance, and downtime.[2] These challenges and contradictions are prompting OAU customers to seek alternatives – including third-party support – to reduce cost, skip unneeded upgrades and consider strengthening their security posture without a dependency on vendor patches.

Increasing security risk and business impact

The security aspect can’t be overstated, with security risks increasing daily as cyber threats evolve and IT environments expand. Over 40,000 vulnerabilities were reported to NIST in 2024, an increase of over 10,000 vulnerabilities year over year.[3] Breaches are also expensive. IBM put the latest global average cost of a data breach at $4.88 million, a 10% increase over 2023 and the highest total ever. Much of that cost is reputational in nature, as IBM reports “lost business” accounts for 30% ($1.47M) of the costs of a data breach on average.[4]

Security strategies and proactive vulnerability management

Most companies implement multiple levels of protection, using specific solutions to protect against specific risks. While patching individual vulnerabilities may be one part of that strategy, an alternative (or complementary) approach is to proactively remedy whole categories of weaknesses that lead to vulnerabilities. Rimini Street, the global leader of third-party support for Oracle, forms a partnership with its clients and helps them identify such weaknesses. The team offers ongoing guidance and detailed, regular reviews of clients’ security posture, as well as proprietary information on how to stay protected.

With a long history dating back to 2005, securing thousands of clients in tightly regulated industries to address both their business and technical needs, Rimini Street’s security offering, Rimini Protect™, provides guidance and support in three primary ways:

Establishing an advisory relationship. Staying on top of active threats and vulnerabilities demands resources and expertise that organizations generally don’t have. The Rimini Protect team continually tracks cyber threats on a global basis, providing threat intelligence research that gives users options for addressing the vulnerabilities they face that go well beyond industry best practices.

Understanding your current security posture. The Rimini Protect team conducts a security assessment to evaluate the risk posture of a client’s enterprise software as well as existing security controls, network configurations, deployed applications, and policies. It follows and expands upon security guidance including the Open-Source Intelligence framework (OSINT), the Center for Internet Security (CIS) Benchmarks, and the Defense Information Systems Agency Security Technical Implementation Guides (STIGs).

Addressing the remaining risk. Some risks cannot be mitigated through hardening guidance or security patches (if available). The Rimini Protect portfolio addresses security vulnerabilities as well as the underlying weaknesses that lead to those vulnerabilities, offering protection even against vulnerabilities that have yet to be discovered – and without requiring changes to the software being protected.

“A proactive defense strategy helps to protect against unknown or yet-to-be-discovered vulnerabilities that can be exploited at some point in time,” said Gabe Dimeglio, SVP & GM of Rimini Protect and Watch Solutions. “By getting ahead of bad actors and having a robust, proven method to immediately combat security breaches, organizations can help prevent the devastating impacts of cybersecurity breaches and the threats that lie in waiting for the perfect moment to attack.”

Breaking free from vendor support

Many companies that have elected to switch to third-party support and services typically no longer receive new patches – and they have not looked back.

For Ricoh, the Japan-based provider of integrated digital services, selecting Rimini Support™ and Rimini Protect™ for its Oracle EBS applications proved to be a powerful combination that helped keep systems secure while freeing up critical resources for other strategic projects. “Rimini Street offers an attractive service that has saved us hundreds of millions of yen in upgrade costs. They provide highly skilled support engineers who can cover major ERP and database systems and protect them too,” said Keisuki Hamanaka, Deputy General Manager, Process, IT and Data Management at Ricoh. “Rimini Street is the only partner that can support the Japanese market with the high-quality support and protection we need, at a price that aligns with our financial goals.”[5]

The dilemma of what to do about risk mitigation shouldn’t be a barrier to any organization’s growth. Rimini Street gives organizations a robust third-party support option for turning application support into a competitive advantage.

“Our proactive approach reduces support costs, provides critical security support, and allows our customers to make the most out of their significant application investments,” Dimeglio says. “It’s a sound alternative when new enterprise software features lack any business imperative, and more priority projects can be delivered leveraging those unlocked funds and resources by choosing Rimini Street.”

No need to sacrifice innovation for security

As cyber-crime continues to rise, IT leaders must evolve their security strategy. Embracing a proactive, multi-layered approach to protecting enterprise software investments, including Oracle applications, can provide organizations with peace of mind. At the same time, the approach frees up resources needed to invest in the strategic IT initiatives that matter most to the business. With the right third-party support, IT leaders no longer need to choose between protection and innovation. Follow the path of hundreds of Oracle


Cerealto’s pursuit to find the right blend of tech and business targets

The mission of aligning Cerealto’s IT with business objectives is the ongoing responsibility of CIO Juan Manuel García Dujo. After more than a decade leading the digital transformation and cybersecurity initiatives of the services company, he’s managed to forge a synergy in which technology and information security are established as fundamental pillars of business success. His mission, after all, has always been to turn technology into an enabler that drives business objectives, and never to treat it as an end in itself. “Technology must be agile, easy, and secure so people can extract the greatest value from it,” he says. This approach has led him to oversee strategic projects with key technology providers and foster continuous innovation in the organization — all with the purpose of ensuring Cerealto remains at the forefront in a constantly evolving digital environment.

The framework of a digital strategy

Under García Dujo’s leadership sits the technology layer, which must be organized to deliver measurable results and which includes infrastructure, applications, and IT services. “We’re an industrial company, which can be a handicap since we manufacture food products, so the focus is on customer service and production, and how technology can help,” he says. In this sense, one of the main lines of the transformation plan he’s structured is to fit technology in as a catalyst for the business. “We want to provide solutions that add value to the organization.”


Which risk assessment frameworks do you use?

Risk assessment is more than a box-checking exercise. The right framework is an essential part of proactive risk management designed to protect against data breaches or prevent non-compliance with regulations. CSO recently explored six popular risk assessment frameworks, including COBIT, the NIST Risk Management Framework, and ISO/IEC 27001. Want to know what your peers are using and how they approach risk management? Register now for the IT Governance, Risk & Compliance summit, a virtual conference taking place March 6. Offered free for qualified IT and security professionals, the event will tackle a range of issues including risk frameworks, AI data governance, the changing regulatory environment, and AI ethics.


CIOs look beyond ‘Big 3’ cloud providers for AI innovation

“Second-tier cloud providers like Vultr, Akamai, IBM, Alibaba, Tencent, and Huawei differentiate themselves by focusing on niche markets and specific customer needs, as opposed to the hyperscalers’ broad, one-size-fits-all approach,” says David Linthicum, a cloud and AI thought leader who previously served as managing director and chief cloud strategy officer at Deloitte Consulting. “These providers thrive in areas where specialization, flexibility, and cost efficiency matter most.”

Intellectual property protection was a significant reason behind Athos’ move to Vultr’s GPU cloud, Guo says, as doing so would better protect its model IP while conforming with industry regulations and compliance. The GPU-as-a-service model also minimizes the constantly evolving maintenance requirements of an AI infrastructure, including downloading massive amounts of genomics data, internet updates, and swapping Nvidia cards in and out, he says. Athos could have opted for one of the big three hyperscalers — AWS, Google Cloud, or Microsoft Azure — but training its algorithms and scaling various types of scientific omics data would be prohibitively expensive on those platforms, Guo says.


Rethinking the enterprise network backbone

Multiple business imperatives are driving CIOs to re-examine and re-invent their approach to network infrastructure, including the mission-critical backbone that supports highly complex, bandwidth-intensive, multi-cloud environments. One emerging alternative: backbone-as-a-service (BBaaS) offerings. As with other “as-a-service” offerings, the idea behind BBaaS is to simplify the process of providing secure, high-performance connectivity across geographic regions. It’s especially attractive as an alternative to MPLS, promising to do for wide-area backbones what the cloud did for compute, storage, and application development. The business pressures prompting the need for such a service are many, including:

M&A/Business Expansion: Enterprises are constantly changing, whether through sudden mergers and acquisitions, digital transformation efforts, or growth into new markets. Networks need to be designed to help organizations accelerate the pace of change, rather than slow things down.

Edge: The proliferation of IoT devices in industries such as manufacturing, retail, energy, utilities and oil and gas is generating new demands for high-bandwidth, low-latency edge-to-data center and edge-to-cloud connectivity.

Hybrid multi-cloud: The debate over cloud vs. on-prem has been pretty much settled, and the answer is both. Organizations are living in a hybrid, multi-cloud world where some applications are moving to the cloud, others are remaining on-premises, and many are using multiple hyperscalers and SaaS providers. Connectivity across this complex ecosystem needs to be resilient, secure and seamless.

AI: The emergence of AI as a C-level priority creates new requirements for network capacity to move large data sets between on-prem and cloud locations, and to deliver high-bandwidth, low-latency connectivity for traditional apps that now have an AI component embedded in them, such as Microsoft 365 Copilot.

Out with the old, in with the new

Historically, enterprises relied on MPLS for much of their wide-area connectivity requirements. Provided by traditional telecom vendors, MPLS is a reliable, secure technology, but it is also expensive and inflexible — it can take months to get a new circuit provisioned. The scattering of employees to remote work sites, the migration of applications to the cloud and the requirements for networks to provide agile, flexible, cost-effective, any-to-any connectivity have rendered MPLS obsolete. In its place, enterprises are looking for a cloud-based service that features one-click provisioning, on-demand scalability, consumption-based pricing, a self-service portal, and, best of all, no hardware to own or manage.

Alkira CBaaS delivers connectivity and more for today’s AI-driven networks

One such offering is Alkira Global Backbone-as-a-Service. It provides high-capacity, low-latency, site-to-site, elastic connectivity between core data centers, edge locations, remote sites and any multi-cloud site – with no equipment to manage or software to download. Customers connect their sites to Alkira Cloud Exchange Points (CXPs) located in different regions around the globe and get encrypted IP connectivity on hyperscale cloud infrastructure, providing high performance. The service also enables enterprises to migrate their SD-WAN fabrics to the cloud. Through the Alkira portal, enterprises can build, deploy, manage and monitor their entire network from a single interface. Alkira also offers integrated security services and provides visibility and governance. The benefits are increased speed and agility, a shift from Capex to Opex for funding, and the ability to scale up or down with a single click. Offerings such as the Alkira Global Backbone-as-a-Service support digital transformation efforts, help drive innovation, and enable organizations to reap the full benefits of the AI revolution.

To learn more about Alkira Global Backbone-as-a-Service, visit: https://www.alkira.com/global-backbone-as-a-service/


SAP aims to unify data for AI, analytics with new Business Data Cloud

Getting ready for agentic wars?

Analysts also said that SAP’s strategy to champion BDC as the foundational data layer is another step towards getting ready for the agentic wars — a phase in which rival vendors such as Salesforce, Oracle, Microsoft, Workday, and ServiceNow, among others, will try to capture a majority share of enterprises’ expenditure. “Enterprises are already using multiple products across their businesses. If an enterprise uses both Salesforce and SAP across different departments, the real question is which agentic offering are they going to choose: Agentforce or Joule? That’s what vendors are preparing for,” IDC’s Parker explained. As for competition in other domains, SAP executives said the company is not planning to compete with other data platform providers such as Snowflake or any of the hyperscalers. Rather, they said that they want to help enterprises unlock the value of their data by providing a unified data layer and tooling on top to unearth insights.


NetSuite adds new AI capabilities to improve enterprise workflows

The updates also include a text enhancer for custom fields that is expected to help enterprises improve the speed and accuracy of data entry with the help of generative AI, Evan Goldberg, founder and executive vice president of NetSuite, said in a statement. The text enhancer uses customer enterprise data to populate custom fields, Goldberg explained, adding that enterprises can use the earlier added Prompt Studio to configure AI-generated text suggestions in the right format, tone, and creativity level for any custom text field in NetSuite in order to improve AI-assisted workflows. In order to help its customer enterprises with issue resolution, the company has added NetSuite Expert for SuiteAnswers, which is expected to tackle issues with the help of an AI agent that delivers tailored NetSuite guidance based on a catalog of support resources.


Zero Trust security: why it’s essential in today’s threat landscape

Coined in 2010 by Forrester Research, the term “zero trust” has long been hijacked by security vendors eager to take advantage of the hype that surrounds the concept. Today, it’s so overused and misused that many see it as a meaningless buzzword—but that’s far from the truth. In fact, its widespread misappropriation demonstrates the power of zero trust security. Why else would countless vendors try to capitalize on it? As they say, imitation is the sincerest form of flattery.

Zero trust is not a mere label. Rather, zero trust is an architecture—though you’ll also hear of a zero trust methodology, framework, paradigm, and infrastructure—and it’s based on the idea of zero implicit trust, meaning no one should be trusted by default. The key zero trust principle of least-privileged access says a user should be given access only to a specific IT resource the user is authorized to access, at the moment that user needs it, and nothing more. Hence the zero trust maxim, “never trust, always verify.”

As a networking and security strategy, zero trust stands in stark contrast to traditional, network-centric, perimeter-based architectures built with firewalls and VPNs, which involve excessive permissions and increase cyber risk. To learn about their weaknesses in more detail, you can read this ebook. The main point is this: you cannot do zero trust with firewall- and VPN-centric architectures. Those approaches were not designed for today’s world or its sophisticated cyberthreats, and that is why zero trust is now key for cybersecurity. So, what sets zero trust apart and makes it a good fit for modern organizations?

Not all segmentation is equal

Lateral movement is a step in the attack chain that occurs when a threat makes it past an organization’s defenses and onto the network, where it moves across connected apps and expands the reach of the breach. This is an inherent weakness of perimeter-based architectures, which connect users to the network as a whole, giving them wide access to the resources therein. The solutions to this problem are often assumed to be network segmentation and microsegmentation, whereby the network and its contents are split into smaller segments that are separated by (fire)walls. But this strategy is complex and expensive to set up and maintain, and it tries to lessen a symptom of yesterday’s architectures without solving the underlying problem: the architectures themselves. The actual solution is zero trust segmentation. A zero trust architecture connects users directly to authorized apps in a one-to-one fashion—nobody receives access to the network as a whole. As a result, the potential for lateral threat movement is eliminated, along with complexity and cost.

Plenty of people hear “zero trust” and assume it’s the same as zero trust network access (ZTNA). But ZTNA is a specific solution, not an architecture. What ZTNA does, despite its inaccurate naming convention, is provide users with zero trust access directly to private apps hosted in data centers and private clouds—it does not give access to the network. ZTNA is certainly a key part of any platform providing zero trust architecture, but it is not the whole story. Users access more than private applications alone. They also access the web, SaaS apps, and other IT resources across a variety of environments. Beyond that, it’s not just users that need secure access. There are also workloads, IoT and OT devices, and B2B partners that regularly connect to IT resources. As such, having a complete zero trust architecture means securing any of these entities as they access any IT resource. This is why one will often hear the analogy of an intelligent switchboard that provides secure any-to-any connectivity in a one-to-one fashion.

From the moment we are handed our first devices, we are conditioned to see identity authentication as the standard for cybersecurity. That typically carries through to conversations about identity and access management (IAM), where verifying user identity is seen as the ideal means of determining whether someone should be granted access to a resource. But identity alone is not enough—even if it involves consideration of user group. There are two reasons for this. First, users’ identities can be stolen, as evinced by countless breaches involving the theft of VPN credentials. Second, users who are who they say they are can still engage in malicious or careless behavior that exposes organizations to cyberattacks and data loss. Instead of sticking to this risky status quo, zero trust uses context to assess risk and govern access. That does include identity (which is a core part of zero trust architecture), but it goes far beyond it to consider other variables like device posture, destination and content risk, user behavior, and more. As an added point, this contextual analysis typically requires a heavy dose of AI/ML.

Zero trust architecture stops cyberattacks in four key ways (some of which we’ve already mentioned):

Zero trust eliminates firewalls, VPNs, and their public IP addresses, which are attractive targets for cyberattackers. Instead, apps are hidden behind a zero trust cloud, eliminating the attack surface. In other words, inbound connections are replaced with inside-out connections.

Zero trust prevents compromise through context-aware policies and, unlike hardware and virtual appliances, a high-performance cloud with the scalability necessary to inspect encrypted traffic (where most threats hide (but more on that below (aren’t parentheses fun?))).

Zero trust gives direct-to-app connectivity rather than network access, preventing the potential for lateral movement across resources.

Zero trust stops data loss by, once again, inspecting encrypted traffic (where most data loss occurs), and protecting all modern data leakage paths, including SaaS app sharing, removable storage on endpoints, and a lot more.

In addition to the above, a fully featured zero trust platform should provide cyberthreat protection functionality like cloud sandboxing, DNS security, browser isolation, and more. Similarly, it should provide data protection capabilities like SSPM, out-of-band CASB, EDM, and more. To dive a bit deeper into something alluded to above, zero trust is a cloud native architecture. That is, it cannot be achieved merely by deploying another appliance in a data center
