Meet the Tech Exec: Jim Phillips, SVP & CIO, SchoolsFirst Federal Credit Union

[vc_row gmbt_prlx_parallax="up" font_color="#ffffff" css=".vc_custom_1501859784808{padding-top: 170px !important;padding-right: 0px !important;padding-bottom: 190px !important;padding-left: 0px !important;background: rgba(55,82,161,0.66) url(https://managedsolut.wpengine.com/wp-content/uploads/2017/08/CIO-Interview-header-Managed-Solution-1.jpg?id=) !important;background-position: center !important;background-repeat: no-repeat !important;background-size: cover !important;*background-color: rgb(55,82,161) !important;}"][vc_column][vc_column_text]

MEET THE TECH EXEC
Jim Phillips
SVP & CIO
SchoolsFirst Federal Credit Union

[/vc_column_text][/vc_column][/vc_row][vc_row css=".vc_custom_1501859913491{background-color: #e0e0e0 !important;}"][vc_column][vc_column_text]

To download the full magazine and read the full interviews, click here.

Jim Phillips has over twenty five years of experience in financial services in both banking and insurance. Prior to joining SchoolsFirst Federal Credit Union he was the SVP & CIO at Stanford Federal Credit Union where he led enterprise transformation efforts including a core system conversion, infrastructure upgrades, and deployment of innovative new online and mobile technologies. Before Stanford Jim served as SVP & CIO at Arizona Federal Credit Union in Phoenix Arizona managing infrastructure upgrades and large scale projects around disaster recovery and data analytics. Jim previously served as President of a banking consulting group working with mid-sized Banks and Credit Unions around the country. He was a Senior Manager in the Financial Service practice at Accenture, and a Vice President at Bank of America for Business, Commercial and Trust systems. Jim’s is best known for development of enterprise technology strategies that add value to the business units he serves.

[/vc_column_text][vc_column_text]

What did you want to be when you were a kid? 

Growing up, my dad managed a small, regional bank. I thought it was really cool and professional and wanted to follow his footsteps. After developing a new IT system for a life insurance company, I discovered that combining my love of development with helping people achieve financial security was the right direction for my career.

Now, serving as the CIO for SchoolsFirst Federal Credit Union - and helping our Members’ better their financial lives - I am doing exactly what I’d dreamed of all those years ago.

What’s the #1 area of focus CIOs should concentrate on?    

In today’s world, I believe every CIO’s top focus should be on keeping their customer’s information safe – I know that’s what keeps me up at night. In our case, our Members have trusted us with their personal information so that we can help them fulfill many of their financial dreams. It is our responsibility to keep their information protected in an increasingly connected retail environment. More and more consumers are using their debit and credit cards through wallets, apps and smartphone “pays.” With hacking and cyber attacks becoming more prevalent, sophisticated and agile, IT areas must focus on continuous improvement of security programs to keep both their customer’s information and their brand’s reputation secure.

Have you experienced any challenges in hiring millennials?   

Compared with online gaming companies, startups and tech giants, financial services is not always perceived as the coolest place to work. However, as an industry, we are progressively evolving away from a more traditional work style to one that allows flexibility to attract the many different generations in the workplace today.

For the most part, millennials are looking for organizations that allow them to learn and develop. They want their job to fit their life and are looking for their work to have meaning and purpose.

This aligns very well with the credit union principles and philosophies that have been part of our culture since our founding. We are a not-for-profit financial cooperative owned by our Members, living the “people helping people” philosophy each day while supporting the educational communities and cities in which we operate. Because we’re an educational-based credit union, training, developing and providing opportunities for intellectual growth for our employees is very important to us.

For these reasons, I believe we’re a great fit for millennials.

What’s your take on public cloud? 

The benefits of using a public cloud are increasing from price to access and configuration. While we are still primarily an on-premise shop, that is changing for us and other financial institutions as well. A few years ago we were hesitant to move services to the cloud because of the sensitive nature of the data that we manage. We’ve gotten to the point that we are fully confident in the security of hosted cloud solutions and are looking to move some of our mobile services to the cloud. Historically, we've managed our own data centers, but now many banks and credit unions are moving to colocation facilities that are better maintained and managed by leading data centers.

We are hearing so much about the internet of things – what does or could the internet of things for your business look like? 

We started to see the internet of things pop up about two years ago. There are some pretty exciting things happening and we’ve been evaluating opportunities to leverage that would make it even easier for Members to transact with us. We’re exploring integration opportunities with Fitbits, the Alexa app with capabilities for simple transactions like transferring funds that would improve our Members’ experience. There’s also a lot going on in the financial payments space with the ability to pay with your watch or fingerprint, so we’re also talking to our vendor partners about IoT embedded information.

What kind of messaging is coming down from the CEO/Key Executives about their partnership with IT?  What are they expecting you to look at? 

Our CEO relies on IT to be an advisor for the entire organization. We’re here to provide our internal partners with more than just technical deliverables. They need us to be consultative, take the time to understand the objectives they’re trying to accomplish and come up with the right solutions. Often IT departments have a back office mentality - that needs to change.

If you could give guidance to any CIO, IT Manager, Director about how they position their careers what would you tell them?   

Let’s face it – us IT geeks love technology, and it’s easy for us to become enamored with developing and launching technology for technology’s sake. What’s most important is to stay focused on meeting the needs of your audience with relevant technology that helps make their lives better. At SchoolsFirst FCU, we begin with our Members; seeking their feedback and reviewing their input to implement technology that makes it easier and safer for them to interact and transact with us.  

[/vc_column_text][/vc_column][/vc_row][vc_column][/vc_column]

All IT Jobs Are Cybersecurity Jobs Now

[vc_row][vc_column][vc_column_text]

All IT Jobs Are Cybersecurity Jobs Now

By Christopher Mims as written on wsj.com

The rise of cyberthreats means that the people once assigned to setting up computers and email servers must now treat security as top priority

In the Appalachian mountain town of West Jefferson, N.C., on an otherwise typical Monday afternoon in September 2014, country radio station WKSK was kicked off the air by international hackers.

Just as the station rolled into its afternoon news broadcast, a staple for locals in this hamlet of about 1,300, a warning message popped up on the screen of the program director’s Windows PC. His computer was locked and its files—including much of the music and advertisements the station aired—were being encrypted. The attackers demanded $600 in ransom. If station officials waited, the price would double.

The station’s part-time IT person, Marty Norris, was cruising in his truck when he got the call that something was amiss. He rushed to the station. “I immediately pulled the plug on his computer,” says Mr. Norris.

In a quick huddle, the possibility of paying the ransom was raised, but the idea didn’t get far. “We’re a little bit stubborn in the mountains,” says General Manager Jan Caddell. “It’s kind of like being held up. We thought if we paid, they’d just ask for more.”

Security experts believe this particular strain of ransomware has netted criminals at least $325 million in extorted payments so far, but the real figure could easily be twice that.

The global “WannaCry” ransomware attack that peaked last week, and has affected at least 200,000 computers in 150 countries, as well as the growing threat of Adylkuzz, another new piece of malware, illustrate a basic problem that will only become more pressing as ever more of our systems become connected: The internet wasn’t designed with security in mind, and dealing with that reality isn’t cheap or easy.

Despite all the money we’ve spent—Gartner estimates $81.6 billion on cybersecurity in 2016—things are, on the whole, getting worse, says Chris Bronk, associate director of the Center for Information Security Research and Education at the University of Houston. “Some individual companies are doing better,” adds Dr. Bronk. “But as an entire society, we’re not doing better yet.”

Ever greater profits from cyberattacks mean cybercriminals have professionalized to the point where they are effectively criminal corporations, says Matthew Gardiner, a cybersecurity strategist for Mimecast, which manages businesses’ email in the cloud. Instead of hackers fumbling their way through complicated financial transactions, or money whizzes fumbling their way through malware design, there is true division of labor. As in any other industry, specialization begets efficiency.

Large (legitimate) corporations have the resources to hire talent to protect their digital assets, but for small- and medium-size businesses, it’s harder. There’s no shortage of good advice on how to perform basic security hygiene, but who’s there to implement it? The solution is resource management, with a focus on cybersecurity. Dr. Bronk lays it out like this:

1. Retrain IT staff on security—or replace them. In today’s world of ever-multiplying threats and dependence on connected assets, all IT staff must now be cybersecurity staff first. “The good news is that you don’t need that dedicated person to run your email server anymore—they can run security,” says Dr. Bronk.

2. Push everything to the cloud. It used to be the job of IT personnel was to build and maintain the tools employees need. Now, pretty much anything can be done better with a cloud-based service.“I mean, even the CIA uses Amazon’s web services,” says Dr. Bronk. “If there’s a best of breed, why not use it? If you want a safe car, go buy a Volvo.”

Marty Norris tests program back up at WKSK in West Jefferson, N.C. Photo: Andy McMillan for The Wall Street Journal

3. New IT investment will need baked-in security. Data from the Bureau of Labor Statistics indicates jobs in IT security are one of the fastest-growing categories in tech, up 33% in the past four years alone. That’s probably due to companies simply catching up on investing in cybersecurity after years of under-investment, says Mr. Gardiner.

Diana Kelley, global executive security adviser at IBM Security, a division ofInternational Business Machines Corp. , compares the current state of network security to graphical user interfaces in their earliest days, when they weren’t particularly intuitive. Collectively designers and engineers learned to prioritize and improve them. “Security can be like that, too,” she adds. “We can think about it upfront and weave it into the process in a much more effective way.”

The cloud isn’t perfect, of course. A , disclosed last week, exposed customer email addresses, allowing attackers to target them with convincing emails that included a malware attachment disguised as a Microsoft Word doc. And then there’s the fact that massive denial-of-service attacks like Mirai can make the cloud inaccessible at critical times.

WannaCry is a good example of how increasing cybersecurity can be relatively simple—thwarting it was as simple as keeping Windows up-to-date. On the other hand, it used a sophisticated exploit lifted from a hack of National Security Agency tools that allowed it to spread directly from one computer to another, infecting systems in companies that might have been prepared for other kinds of attacks. These kinds of systemic

weaknesses employed by or stolen from governments have led Microsoft to plead for a “Geneva Convention” on cyber weapons

President and general manager Jan Caddell, program director Nathan Roland and IT staffer Marty Norris monitor things at radio station WKSK in West Jefferson, N.C., on Friday. Photo: Andy McMillan for The Wall Street Journal

As for West Jefferson’s own WKSK, the station was lucky. Mr. Norris, its IT consultant, had backed up the computers. He was able to wipe the slate clean and get everyone back on the air in a few hours. It’s a good illustration of how prioritizing even the most basic cybersecurity practices can be a life-saver.

Since then, he has implemented offline backups of the station’s computers, just in case. He’s also become a keen student of the kind of attacks, such as WannaCry, that can affect small organizations. As soon as he read that it could hit older systems, he rushed to protect them at his day job—as the IT person for the local school district.

Appeared in the May 22, 2017, print edition as 'All IT Jobs Are Security Jobs Now.'

Looking for a technology partner to assist with a specific project? Call Managed Solution at 800-208-3617  or contact us to schedule a full analysis on the performance of your network.

Network Assessment & Technology Roadmap

[/vc_column_text][/vc_column][/vc_row]

My excellent cloud adventure: first steps, first mistakes

By Brad Wright as written on microsoft.com

Early in my career, I gave up photojournalism for computing. I worked in a small town, and across the square from my newspaper office was a computer center. They had a mainframe computer and five customers – banks, all of them. The guy who ran it was ancient: a grizzled, chain-smoking veteran who’d worked in computing since its dawn 30 years earlier. He offered me a 50 percent raise and all the free sodas I could drink if I learned how to run the bank processing every night.

I did.

This was 1985, and it was for me the beginning of an itinerant journey from one bleeding edge of the business to another. Fast forward approximately 30 years, and I am at Microsoft, stepping once again onto new terrain. As a Principal Software Engineering manager in Microsoft IT, I’ve spent the past three years immersed in the most interesting and unexpected ride of my career: helping Microsoft move our entire IT footprint to the cloud.

We’re making solid progress. Along the way, we’ve unearthed a lot of hard-earned wisdom. Our lessons are frequently the results of unforeseen problems, gnarly issues, and flat-out mistakes. Not surprisingly, our customers are quite curious to hear about this stuff in order to avoid experiencing the same pains themselves.

For today, let me share one of the first great lessons we learned.

As we built the strategy to move as fast as we could, one of the first and seemingly obvious things to do was to “lift and shift” our virtual machines (VMs) into the cloud. At that point, we had about 60,000 VMs running in on-premises servers across the company. It seemed rather logical that we could just “lift” them off our resident hardware and “shift” them onto the Azure IaaS (Infrastructure as a Service) cloud platform. Pick ‘em up, move ‘em on, shut down the hardware, and it’s all good, right?

Wrong.

It wasn’t long before we discovered that “lift and shift” in and of itself doesn’t work out too well. First off, it can increase your costs if you don’t know what you’re doing. VMs aren’t simple and nor do they operate independent of other factors. All that complexity can lead to a lot of unforeseen expenses. Your apps use data – a lot of which might remain on premises for some time in-house – and that can require expensive ExpressRoute connections to ensure security and compliance. Subscription costs, management challenges, and the many moving parts associated with a move to the cloud all represent potential problems that not only threaten to add costs but also to send you in unwanted directions.

After a couple years of wrestling with these problems, we finally came up with the right strategy.

Todd Himple, one of the senior engineering leaders on the team, and I managed to get it all onto one single slide, with the simple headline of “Microsoft IT’s Cloud Strategy.” We literally drew it on a whiteboard one day. And it’s probably one of the most viral slides in the company over the past couple years. It’s basically an inverted funnel:

You proceed from the top down, starting with “Retire it, right-size, eliminate environments.” In other words, just kill off as much as you can. Typically, this is more than 25 percent of everything in your datacenter – just garbage. Toss it out.

Going down the funnel, you move through the processes of using Software as a Service (SaaS), converting to Platform as a Service (PaaS), optimizing IaaS, and at the bottom, remaining on-premises. Literally, the last step in the roadmap is “lift and shift” – ironically, one of the first things we did when we started our cloud journey. There’s a place for it, but it should be done in the context of a comprehensive approach.

If this piques your interest or you’d like to know more, please don’t hesitate to reach out to your local Microsoft representative to arrange a visit to our Executive Briefing Center. And of course, we’re happy to share a whole universe of knowledge with you on IT Showcase.

That’s it for now. Thanks for reading!

To Learn More about Professional Services, contact us at 800-208-3617

Microsoft will reveal Project Scorpio Xbox console details at E3 on June 11

By Darrell Etherington as written on techcrunch.com

Microsoft just sent out invites to members of the media for its big reveal of Xbox Project Scorpio, the upgraded console that will be the “first true 4K console for gamers” according to the company. We’ve long expected E3’s press event to be the big consumer debut for Scorpio, but Microsoft spelled out that it will indeed be the star of the show in a blog post on Thursday.

The E3 press event will happen on Sunday, June 11 at 2 PM PDT (11 AM EDT), and will fully unveil Scorpio to the world. We’ve seen a lot in terms of technical details behind the forthcoming console, thanks to comprehensive reports about what the developer kits for the Scorpio contain, and the specs developers have been provided in order to help them prepare software for the device’s consumer launch.

Some topline specs to get you excited – Scorpio’s GPU is around 4.5x as powerful as the Xbox One, and 1.4x more powerful than the PlayStation 4 Pro. It’ll also have an integrated power brick so you just have to hide a single, svelte cord, and it’ll feature an integrated 4K Blu-ray player.

We’ll find out what the final consumer console looks like at E3, and hopefully when to expect it and how much it’ll cost. For now, here’s a peek at what the developer kit hardware looks like, courtesy of Gamasutra, which could provide some hints about the shipping console’s industrial design:

Attack of the Apps

Attack of the apps

By Robbie Forkish as written on techcrunch.com

It seems like a fair trade: Get your favorite mobile apps for free, be shown annoying ads in return.

But that’s not all you’re doing in return. In reality, this trade has you giving up a great deal of personal information. Mobile apps collect a massive amount of personal data — your location, your online history, your contacts, your schedule, your identity and more. And all that data is instantly shared with mobile advertising networks, which use it to determine the best ad for any given user at any given time and place.

So, the trade-off isn’t really ads for apps — it’s intrusive mobile surveillance for apps. By agreeing to free, ad-sponsored mobile apps, we’ve consented to an economic model that entails continuous and comprehensive personal surveillance. It’s what Al Gore accurately characterized as the stalker economy.

Why is our personal, locational and behavioral data so coveted by marketers? Because a smartphone is something that we as consumers carry everywhere we go, and it’s constantly broadcasting personal data of all kinds. If advertisers know who we are, where we are and what we’re doing, they can deliver more effective ads. It’s called proximity marketing. It’s the Rite Aid ad that pings your phone as you walk through the aisles: “Save 10% now on mouthwash.”

Sounds innocuous, if annoying. But it goes much further than this. We’ve now enabled a system where a major retailer can know, for example, that a teenager is pregnant before her parents do simply by correlating her activity, search and purchase data. That retailer can then reach out via mail or email, or target her via phone when she is near a point of sale. This intrusion on our collective privacy isn’t going away anytime soon (if ever), as the economic incentives for app developers and advertisers are too strong.

A compromised smartphone represents a threat not just to the targeted employee but to the entire company.

OK, agreed, this kind of consumer surveillance is intrusive and creepy. But how does it threaten enterprise security? Simple. As more personal mobile devices invade the business world, leaks from those devices are opening the door to corporate hacks, stolen business data and crippling cyberattacks.

For instance, if a company lets its employees sync their corporate calendars and email accounts to their personal mobile devices, this opens up all sorts of risks. Suddenly, employees’ phones contain or can access the contact information of everyone in the organization. Further, any other mobile app that requests access to the employees’ contacts and calendar also gets access to the names and titles of company employees, as well as the dial-in codes for all private conference calls. This information can easily be put to effective use in a spear-phishing attack by a malicious app or hacker.

Worse, many apps monetize their user bases by sharing data with ad networks that share and combine data with other networks, so it’s impossible to know where exactly data is going and whether it’s being handled in a secure fashion by any of the many parties that have access to it. All of this sharing means a malicious hacker doesn’t even have to directly access an employee’s phone to attack a company. He can hack an ad network that has information from millions of users and go from there.

Stolen information can also be used to attack an enterprise through a watering-hole attack. Say a small group of executives have lunch regularly at a local restaurant. An attacker with access to their geolocation data could easily know this. The attacker correctly assumes that some of the execs are accessing the restaurant’s website to make reservations and browse the menu before lunch. By placing malware on the lightly defended site, the attacker is able to compromise the office computer or mobile device of one or more company executives. From there, a successful breach is launched.

A compromised smartphone represents a threat not just to the targeted employee but to the entire company. Information about employees’ activities, both on the job and elsewhere, combined with any company-related emails, documents or sensitive information, can be devastating to an organization if it gets into the wrong hands.

So what should enterprises do to combat the threat?

The first step is to get visibility into your mobile environment. Your organization needs to know which apps employees are using, what those apps are doing and whether or not they comply with corporate security policies. For example, is there a particularly risky file-sharing app you don’t want employees to use? Is it already being used? If you don’t know the apps employees are using for work, you are flying blind and taking a huge risk.

It is imperative that your enterprise include mobile threat protection as part of its overall security strategy.

Second, you’ll need a policy for managing the use of mobile devices. Most organizations already have policies for other platforms, including managing firewalls and sharing data with partners. It’s equally important to create these policies for mobile. For instance, if employees are using free versions of apps that are approved by the company but ad-supported, create a policy that requires employees to upgrade to the paid version to minimize, if not eliminate, unsanctioned data in the form of ads being sent to employees — though it doesn’t eliminate the relentless collection of personal and private data.

Next, your organization should educate employees about the risks of the apps they download. It’s in your best interest to empower users by arming them with tools and training to make better decisions about which apps they download. For instance, coach your employees to question apps that ask for permission. There are lots of apps that want to access location, contacts or camera. Employees don’t have to say yes automatically. Most apps will work fine if the request is denied, and prompt users if a permission is actually needed. If an app does not say why it needs access, that’s a big red flag.

Finally, all of these areas can be addressed with a good mobile security solution. Any enterprise without a mobile threat protection solution is by definition unaware of what information is leaking and from where, and unable to address the risks that exist in its environment. It is therefore imperative that your enterprise include mobile threat protection as part of its overall security strategy in order to protect employee privacy and company data from the ever-growing threat of mobile surveillance and data gathering.

Instagram will now let creators add URL links, tag friends, and create Boomerangs in Stories

By Fitz Tepper as written on techcrunch.com

Instagram is adding three new features to Stories in what they are calling the biggest update to Stories since its launch.

Starting today the company will let creators add URL links to their stories that viewers can navigate to without leaving Instagram, add the ability for users to be “@ mentioned” in someone’s story, and add the ability to add a Boomerang to your story without having to go create one in the separate Boomerang app.

Mentions

The second feature Instagram is adding to Stories today is Mentions. The feature will let creators use @ to “tag” any other Instagram user in their story.

Here’s how it works:

After taking a picture or video for a story users can tap to add text, and instead of typing a message they just type @, followed by someone’s Instagram username. And just like in comments and captions, Instagram will autocomplete their username.

Once “tagged”, the username will be underlined and tappable in the story. When tapped, the tag will take users to the profile of whoever is tagged in the picture. And also like comments and captions, users will receive a notification if they are tagged in the story of someone they follow. If they are tagged in a story by someone they don’t follow, it will show up in their “requests” folder.

You will able to tag up to 10 people in one Story. But remember that you’ll have to actually add everyone’s username in a text box, which could mean that lots of usernames will clutter up your picture or video.

Unlike Links, Mentions will be available to all users.

Boomerang

The last feature is that Instagram is adding Boomerang, its stand-alone app that creates one-second video loops, to Instagram Stories. So when you go to create a new story you can just swipe from “normal” (which lets you capture photos or videos) to Boomerang mode, and capture a Boomerang. Previously users had to leave Instagram Stories and navigate to Boomerang’s stand-alone app.

Interestingly, Instagram is only adding the ability to create Boomerangs to Stories, and not regular Instagram. This means if you want to add a Boomerang to your Instagram feed you’ll still need to use their separate app.

These features launch today, and besides Links (which is now only available to verified users) you can start playing with them today.