
With the right data plan, Australian Red Cross builds a digital spine

At the start of the Australian Red Cross’ digital transformation journey, CIO Brett Wilson quickly realized they had a data issue. “We have around 250 applications across the organization, and they all create massive amounts of data,” he says. But the information wasn’t doing anything for them. Much of it was siloed or ineffectively segmented, which led to some business decisions and investments being made on incomplete or misinterpreted data. “When you don’t have a good understanding of your data, you can’t use it well,” he says.

So they set out to build a customer data platform (CDP) capable of aggregating, cleaning, and organizing data. This CDP, provided by Optimizely, combines their donors’ transactional history with behavioral data — from the website, email, social, and other sources — to create marketing automation campaigns capable of driving fundraising efforts, and designed to engage with each donor on a more personal level.

Data, done right

There’s the saying that data is the new oil, but you can only use oil once, says Wilson. “I prefer to think of data as a renewable resource that can be used repeatedly and can link with other data sources to uncover fresh insights,” he says. “The goal of our digital transformation efforts was to create a digital spine so the many different systems across the business can work together and enhance each other.”


Embrace your future of work with Windows 11

Are you prepared for the end of Windows 10 support in October 2025? With 67% of devices estimated to still be running on Windows 10, the time to act is now [1]. With our enterprise know-how and industry expertise, HP Professional Services [2] can help you simplify the complexity of migrating to Windows 11 and modern management with Microsoft Intune by offering a dedicated portfolio of services to ensure your applications [3], devices and infrastructure are Windows 11 ready.

Ensure your workforce is a force of growth

Wherever people are working, having the latest devices and the right experiences to do the job is central to employee productivity, engagement, and satisfaction. As support for Windows 10 nears its end, a well-defined strategy and plan for the migration to Windows 11 is now an urgent imperative.

Windows 11 migration challenges

Migrating to Windows 11 can be time-consuming and complex, requiring specific expertise to ensure a smooth migration. A scalable, agile, and automated approach to application testing is needed to de-risk change and accelerate application readiness for Windows 11 and Microsoft Intune.

Infrastructure complexity

Windows 11 is designed for modern work. Navigating legacy systems and shifting IT workloads to the cloud requires a strategic and collaborative approach. A scalable vision grounded in best practices is essential to avoid pitfalls and ensure customers can confidently invest in their Windows 11 migration journey.

Windows 10 upgrade burden

Refreshing or upgrading devices to Windows 11 requires an in-depth assessment of the fleet to optimize expenditure and ensure a smooth rollout at scale.

Migrate without the migraines

Fulfill your innovation potential with our trusted experts and proven Windows 11 transformation framework to achieve your modern workplace goals [4]. With our Windows 11 Transformation Framework, you can:

Turn innovation into outcomes: Bridge the gap between where IT is today and where your business needs to be. With our proven transformation methodology, we work with you to define and design a Windows 11 solution that aligns your strategy and technology investments with business outcomes.

Work with trusted experts [5]: Draw on HP’s enterprise know-how to meet your Windows 11 readiness needs for hardware [6], applications [7], and infrastructure. Our technical experts will work with you to accelerate change with less risk through powerful telemetry and automation.

Enable your modern workforce: Unlock the potential of your people by modernizing IT and enabling employees to get their best work done with the right HP Windows 11 hardware, software and services—now powered by AI-enabled capabilities, wherever they are.

[1] Statcounter, Desktop Windows Version Market Share, February 2024.
[2] HP Professional Services require workshops, including the implementation of technical enablement capabilities, and are available in all countries where HP conducts business. Service not available in China. Workshops are in English and may be in-person or virtual. Please contact your HP representative for more details and options for local language support. HP services are governed by the applicable HP terms and conditions of service provided or indicated to Customer at the time of purchase. Customer may have additional statutory rights according to applicable local laws, and such rights are not in any way affected by the HP terms and conditions of service or the HP Limited Warranty provided with your HP Product. HP Service Expert(s) are assigned for the duration of the project as set forth in the terms and conditions of the contractual agreement. Please consult with your HP Representative for more details.
[3] Application readiness is provided by a third-party service provider.
[4] HP Professional Services require workshops, including the implementation of technical enablement capabilities, and are available in all countries where HP conducts business. Service not available in China. Workshops are in English and may be in-person or virtual. Please contact your HP representative for more details and options for local language support. HP services are governed by the applicable HP terms and conditions of service provided or indicated to Customer at the time of purchase. Customer may have additional statutory rights according to applicable local laws, and such rights are not in any way affected by the HP terms and conditions of service or the HP Limited Warranty provided with your HP Product. HP Service Expert(s) are assigned for the duration of the project as set forth in the terms and conditions of the contractual agreement. Please consult with your HP Representative for more details.
[5] HP Service Expert(s) are assigned for the duration of the project as set forth in the terms and conditions of the contractual agreement. Please consult with your HP Representative for more details.
[6] Service is available for HP and non-HP devices.
[7] Application readiness is provided by a third-party service provider.


Personal liability: A new trend in cybersecurity compliance?

Compliance is becoming personal — personal in the sense that cybersecurity compliance regulations increasingly include provisions that make it possible to hold individuals personally liable for oversights that lead to issues like cybersecurity breaches. This means that the stakes of noncompliance are becoming steeper. Although charges or fines directed at individuals have not yet become a common occurrence, regulators in certain jurisdictions have the power to impose this type of penalty against CIOs, CISOs, and other IT and business leaders.

Here’s a look at which compliance laws include personal liability provisions, why they matter, and what leaders can do to help protect themselves, along with the companies they represent, from fines and other penalties.

The rise of personal liability compliance penalties

Historically, the penalty for violating compliance regulations in the IT space boiled down to fines against companies. This is the primary mechanism that regulations like the General Data Protection Regulation (GDPR) and the Health Insurance Portability and Accountability Act (HIPAA) use to punish businesses for failure to uphold adequate security and data privacy standards. Yet, newer compliance regulations are coupling penalties for businesses with provisions that allow regulators to hold individuals personally liable. The individuals can face personal fines and, in some cases, criminal charges.

To date, two prominent compliance laws have emerged that give regulators the option of penalizing individuals:

Version 2 of the Network and Information Security Directive, more commonly known as NIS 2. NIS 2 is a European Union regulation designed to enforce high cybersecurity standards.

The Digital Operational Resilience Act, or DORA. DORA is also an EU regulation designed to strengthen cybersecurity, although it focuses on the finance industry.

While the details vary somewhat, the general premise in both of these regulations is that leaders whom regulators deem grossly negligent in overseeing functions related to cybersecurity can be held personally liable. On balance, it’s important to note that the regulations are not written in a way that suggests that personal penalties will be commonplace. Instead, it is likely that regulators will exercise this option only in cases of extreme or willful negligence. These are also, of course, EU regulations; so far, there is no indication that regulators in other parts of the world are working to introduce personal liability provisions to their laws. Nonetheless, the simple fact that personal penalties have become an option for enforcing compliance regulations in a limited context sets a precedent that is interesting, to say the least.

Other regulations have occasionally allowed regulators to fine compliance officers for gross failure to enforce compliance standards within their organizations. And in rare cases, individuals who have carried out malicious activities using their employers’ IT systems or data have faced criminal charges. But never before have regulations opened the door to personal liability for any leader or manager deemed guilty of playing a hand in cybersecurity failures, including in cases when there is no evidence of criminal or deliberately malicious intent.

It is worth noting, too, that these regulations don’t include provisions for penalties against individuals who are not in managerial or executive roles. In other words, individual contributors who are responsible for cybersecurity failures cannot be held personally responsible, even if their companies are fined. This suggests that IT and business leaders may be found liable even in situations where they do not personally make mistakes that lead to cybersecurity breaches, but where employees they supervise do.

How steep are personal compliance penalties?

NIS 2 and DORA are quite new. Regulators began fully enforcing NIS 2 in October 2024, and DORA does not take full effect until January 2025. Because of this timeline, there have so far been no reported cases of personal penalties for executives or managers based on NIS 2 or DORA violations, and no precedents currently exist for determining which types of fines or other penalties regulators might impose on individuals.

But in theory, the consequences could be steep. DORA allows for fines against individuals of up to 1 million euros. The NIS 2 penalty structure is more complex because the law gives individual countries latitude to determine exactly how to punish violations, but it appears that personal fines are a possibility, as are potential bans against individuals from continuing to hold managerial positions.

Avoiding personal liability

The lack of precedent surrounding NIS 2 and DORA enforcement makes it hard to say what, exactly, executives and other business leaders can do to avoid personal liabilities. For now, the best that businesses can do is ensure they are prepared for these new regulations, if they operate in jurisdictions and industries where they apply.

Many companies, however, appear not yet fully prepared. As of late 2023, IDC found that a minority of organizations across the EU were actively preparing to meet NIS 2 requirements (Countdown to NIS 2: What’s the State of Play in Europe? IDC, December 2023). Readiness efforts varied widely between countries, but in states like Belgium and Poland, fewer than 20% of businesses said they had begun exploring the impact of NIS 2 on their operations.

IDC research also shows that in more than a few cases, IT leaders may simply be fabricating or exaggerating claims about preparing to meet new compliance mandates. For instance, according to a February 2024 report, 10% of companies based in Poland said they had already completed a gap analysis as part of NIS 2 preparedness efforts (IDC CISO Hub, February 2024: Security Predictions, AI Research, and Risk Management Concerns, March 2024). But at that time, Poland had yet to publish draft legislation related to enforcement of NIS 2 within its borders, so no meaningful gap analysis could have occurred.

If findings like these are any indication, the typical business has a long way to go to ensure that the organization as a whole, as well as its executives and managers, won’t end up on the wrong side of new compliance mandates. The consequences of noncompliance are higher than ever, which means enforcing excellent cyber hygiene standards in response to regulations like


How Norma Group standardizes its global IT

The human touch

In addition to his focus on digitalization and transformation, Reitz places just as much value on social skills, such as openness, honesty, respect, and trust. He sees it as his job, as a manager, to develop his team professionally, motivate them, and lead them to take responsibility. He also emphasizes the challenge of maintaining humanity and motivation in a global, culturally diverse team and relies on respectful interaction on an equal footing. Naturally critical of the status quo and of emerging trends, he contrasts that with being a sparring partner and mentor, which is emblematic of his leadership style. The success of this approach is reflected in company loyalty, as there’s been minimal turnover for 10 years, he says.

“By implementing a cloud-based, globally valid process and application model, we’ve sustainably transformed the Norma Group, made it more profitable, and prepared it for modern technologies,” he says. “But I’d like to see more differentiation between advanced analytics, machine learning, and AI to better use and understand functions, areas of application, and potential.”


Threat containment for AI-based attacks

Artificial Intelligence (AI) is transforming an endless number of industries and business processes, a fact not lost on cyber security threat actors. AI is already being used by cyber adversaries of all kinds, from amateurs to nation states. A popular technique is to use AI to craft more believable phishing and spearphishing content. By gathering information easily available in sources such as social media posts, AI can craft malicious emails, documents and websites that are both targeted to individuals and highly credible. The goal is to make it even harder for employees to reliably spot these fakes, so that the attacker can penetrate the network faster and more easily.

It is axiomatic that end users struggle to consistently identify phishing emails and fake websites, even with periodic security awareness training. The attacker only needs to be successful once to get in, and many staff roles (accounts payable, public-facing government employees) require that emails from unknown sources be opened. Given that successful phishing attacks were common without AI, the conclusion must be that new approaches are required to cope with the avalanche of AI-enhanced attacks.

Zero trust protection against AI-enhanced attacks

The rise of AI-enhanced social engineering attacks necessitates a Zero Trust approach. All incoming email, or clicks on untrusted websites, must be considered risky. This is exactly the assumption used by HP’s Threat Containment technology. This approach assumes all such content can’t be trusted, and therefore only opens it in isolated “micro virtual machines” (micro-VMs) created in software on the endpoint PC. A micro-VM, enforced by the CPU’s hardware, is opened for each webpage tab or email attachment. The micro-VM’s tightly controlled attack surface makes it next to impossible for an attacker to compromise the endpoint PC, or any other device on the network. When the task completes, the micro-VM is destroyed, taking the malware instance with it.

Five crucial benefits

Unlike other cybersecurity technologies, Threat Containment delivers five benefits that span risk management, user experience, and operational efficiency:

Inherent protection – Protects by default, without attempting to detect attacks. By assuming all content is malicious, Zero Trust security is achieved, including against AI-based attacks.

Visibility – Monitors activity within the micro-VMs and transmits threat intelligence information to the centralized Wolf Controller. This facilitates analysis and integration with threat intelligence analysis platforms using industry standards such as STIX and TAXII.

Positive user experience – Users are relieved of the burden and anxiety associated with trying to spot phishing attacks or fake websites designed to steal credentials. They can “work without worry” knowing that HP Threat Containment will prevent attackers from using social engineering to trick them.

Security operations efficiency – Lowers the volume of urgent tickets due to false positives caused by detection technology failures. It also lowers the amount of remediation required for compromised endpoints. Lastly, there is less reliance on security awareness training to spot phishing, so training time can be re-purposed to higher-value objectives.

Efficient compliance control – Compliance and audit directives require proof that security controls are continuously active. Threat Containment works without a complex process, making it trivial to operationalize, and therefore to demonstrate compliance when requested by auditors.

Conclusion: a superior defense against AI-enhanced attacks

AI is empowering threat actors with more credible content at increased volume and velocity. HP’s Threat Containment, used in Sure Click Enterprise and Wolf Pro Security, is well-suited to defeating such attacks. Its Zero Trust, hardware-enforced isolation of content assumes everything is suspect, eliminating the impossible task of accurately “detecting” each and every attack. It also provides comprehensive benefits across visibility, user experience, security operations, and compliance. Organizations of all sizes seeking to improve their defenses against AI-based attacks should consider HP’s Threat Containment for the best combination of protection and operational efficiency.


Why CIOs need a two-tier approach to gen AI

Customized responses

Dhaval Gajjar, CTO of SaaS text marketing platform Textdrip, agrees that these two types of gen AI implementation require different strategies. For example, successful use of AI tools, which tend to be easier to deploy, hinges on user training, says Gajjar, also CEO of Pranshtech, a website and mobile app development firm. “Standardization by vendor should go along with guidelines and best practices for their effective use,” he says, echoing recommendations from MIT CISR.

Solutions like AI-driven fraud detection or predictive analytics systems are more complex, he adds. “For my part, any AI solution would require a structured and formal approach to the launch,” Gajjar adds. “It will therefore take cross-functional collaboration to deliver this value in scale, with rigorous testing and clear governance.”


Benchmarks without context are meaningless: The pitfalls of data without insight

It was a typical conversation with a client when the question came up: “What’s the average security spend for organizations like ours?” I’ve heard variations of this query countless times. Knowing this was coming, I responded, “On average, most organizations spend around 3-6% of their IT budget on security.”

“Great, we’re at 3%,” the client replied, satisfied with their position.

But I wasn’t finished. “Yes, but your IT spend is significantly lower than the industry average for companies of your size. So, in reality, your 3% is like spending 1.5% in a more typical organization. Security spend as a percentage of IT budget is meaningless without understanding your overall IT investment.”

Silence.

This is a common scenario: A client reaches for benchmarks and metrics without fully grasping the larger context. They assume that as long as they’re hitting a “normal” percentage, they’re in good shape. But benchmarks, while useful in certain cases, are often misleading when taken out of context.

The dangers of misusing benchmarks

In a similar conversation, we discussed the allocation of resources between maintaining day-to-day IT operations and fostering innovation. I told the client that most IT organizations, particularly mature ones, typically operate on a 60/40 split — 60% maintaining current systems and 40% driving innovation. Their response? “We’re at 40/60.”

That’s when I pointed out that they’d just gone through a significant digital transformation. Their current focus on innovation made sense — right now. But I cautioned them that as their systems stabilized, that ratio would likely flip to the standard 60/40, as they focused more on refining and optimizing what they had built. So, if they defined 40/60 as success, when they inevitably flipped to 60/40, would that indicate failure? (Spoiler: No. Just a cycle.)

These exchanges highlight a key issue: While benchmarks can provide helpful reference points, relying on them without context can lead to poor decision-making and misplaced confidence.

The allure of the benchmark: Why companies ask

In the fast-paced, high-pressure world of IT management, leaders are often asked to justify their decisions, spending, and strategic priorities to the business side of the organization. Executives and boards want hard data, and benchmarks offer an easy way to provide seemingly objective metrics. But here’s the challenge: Business leaders tend to look for quick comparisons. They want to know whether they’re spending too much or too little on IT and how they stack up against competitors. Under pressure, IT leaders often reach for the same easy comparisons — benchmarks that tell them how their spending or innovation stacks up. The problem is those benchmarks often don’t take the unique characteristics of the company into account. Whether it’s security spending or operations/innovation splits, generic benchmarks ignore the broader strategic context.

Understanding why context matters

Let’s break down why using benchmarks without considering the context can be misleading, starting with the example of security spending. It’s easy to say that 3-6% of an IT budget should be allocated to security. But what does that percentage actually represent? A company with a robust IT budget, with mature systems, cloud architecture, and automation, will likely be spending 3-6% on advanced security measures, including threat detection, real-time monitoring, and vulnerability management. But what if your IT budget is comparatively small? Your 3% spend on security might mean you can afford only basic firewall protection, patching systems, and outdated monitoring tools. In this case, the 3% benchmark means little because you’re not comparing apples to apples. The organization with a bigger IT budget can do far more with their security spend — even at the same percentage — because their overall IT investment is higher. Therefore, simply hitting the “right” percentage isn’t enough to ensure a proper security posture.

A broader view: Benchmarking for innovation and operations

Similarly, in the case of IT innovation versus operational spending, a 60/40 split is a useful benchmark, but only for organizations that are in a stable, mature phase of their technology life cycle. For a company that just went through a digital transformation, like the client in my example, the ratio is going to skew toward innovation — likely closer to 40/60 or even 30/70. That’s not a problem because the organization is focused on building new capabilities. The issue arises when the leadership sees this 40/60 ratio and assumes they’re either behind or ahead of the industry based on a benchmark without understanding their unique situation. Inevitably, as the company stabilizes and refines its new systems, the balance will shift. Operations will require more resources, and the ratio will move toward the traditional 60/40. It’s a natural, cyclical process.

How to use benchmarks effectively

While benchmarks can be helpful, the key is to use them intelligently. Here are some guiding principles for ensuring that benchmarks are a tool for insight, rather than a distraction:

Understand the strategic context: Before you reach for benchmarks, ask yourself: What phase is my organization in? Are you in the midst of a transformation, or are you operating in a steady-state environment? This will dramatically change how relevant any given benchmark is to you.

Analyze your specific needs: Don’t just compare percentages — understand what’s behind the numbers. If you’re looking at security spend, don’t just aim for 3-6%. Instead, ask what capabilities your company needs to defend against its specific threats, and then calculate how much investment those capabilities require.

Avoid one-size-fits-all comparisons: A company that’s undergoing rapid growth will spend more on innovation than a legacy company trying to maintain aging systems. Benchmarks for one organization may be completely meaningless for another.

Use benchmarks to inform, not dictate: The best way to leverage benchmarks is as a tool to inform your decision-making. They should not dictate your strategy. Understand the “why” behind the numbers, and don’t be afraid to move away from the benchmark if your situation demands it.

When benchmarks should be ignored

Finally, there are times when benchmarks simply don’t matter. When facing business pressures to meet specific benchmarks, ask yourself: Is this number


Is now the right time to invest in implementing agentic AI?

What makes agentic AI autonomous or able to take actions independently is its ability to interpret data, predict outcomes, and make decisions, learning from new data — unlike traditional RPA, which falters when encountering unexpected data, said Cameron Marsh, senior analyst at Nucleus Research. This adaptive nature of agentic AI, according to Chada, can help enterprises increase efficiency by handling complex, variable tasks that traditional RPA can’t manage, such as the roles of a claims adjuster, a loan officer, or a case worker, provided that it has access to the necessary data, workflows, and tools required to complete the task.

Software vendors are already touting agentic AI offerings with access to those resources, including the likes of Salesforce’s Agentforce, Microsoft’s Copilot-based autonomous Agents, ServiceNow’s AI Agents, Google’s Vertex AI Agent Builder, Amazon Bedrock Agents, and IBM’s watsonx Agent Builder, with more likely to follow.


Celonis offers process transparency across company boundaries

This also benefits security, Haug said, because as a partner you can query the data, but it is not exported. In addition, you can go into the system and specify that you no longer want to share a certain type of information, which then also applies to historical information.

Of course, Celonis could not avoid the topic of artificial intelligence and genAI in particular at its company event. It unveiled AgentC, a suite of AI tools, integrations, and partnerships that allow users to build AI agents themselves or leverage AI agents pre-configured by partners. Celonis’ process intelligence provides the data and relevant business context to improve processes across systems, departments, and organizations. The first platform integrations include Microsoft Copilot Studio, IBM watsonx Orchestrate, Amazon Bedrock Agents and open-source development environments such as CrewAI. For example, Celonis’ cooperation with Microsoft Copilot Studio enables customers to develop AI agents for specific use cases, with which users can then interact via Microsoft programs they use every day, such as Microsoft Teams.
