The state should not dictate cybersecurity policies to businesses

I read the Handelsblatt this morning and its headlines were all about IT security and what an immense threat such attacks represent for both corporations and government agencies. While I agree with the diagnosis of the situation (IT security is indeed critical), the response from the German government seems to me completely absurd.

Thomas de Maizière (CDU – Christian Democrat), the German minister of the interior, declared that Germany should take a leadership role in Europe to fight cybercrime and develop a comprehensive regulatory framework. This would make it compulsory for businesses to update and maintain their security infrastructure through an “IT security law”.

One should, however, clearly differentiate whether the state wants to protect itself or German businesses. The former is a legitimate and perfectly acceptable mission; the latter can only lead to an increase in bureaucratic burden and costs and will most certainly not bring the expected benefits.

Thomas de Maizière announced an investment plan of €300 million in the cybersecurity infrastructure of the German secret service (Bundesnachrichtendienst, BND). This measure seems to make sense for three reasons. First, more and more people have access to the Internet (which increases the pool of potential attackers, professional or not). Second, the increased sophistication of attacks makes it urgent to make sure that the intelligence agency is well protected. Finally, it is no secret that state agencies from various countries stand behind large-scale attacks in order to gain access to technology or information.

The German government, however, also wants to help protect businesses through a law creating mandatory guidelines aiming at improving the information security, and hence the competitiveness of German companies.

I believe that this approach is completely ill-suited and will fail. Why? Because it is a company’s duty to protect its confidential information and there are probably as many ways to protect information as there are companies. One of the IT departments of a very large French bank provides a key component of their security infrastructure. As one would expect from a financial services institution, they tend to be quite conservative, not applying the latest updates to their systems. They simply favor stability over new features. A couple of months ago, Heartbleed, a security bug in an encryption system called OpenSSL, was disclosed. This failure allowed an attacker to decipher any message presumed safe and hence get access to confidential information. The Heartbleed bug was only applicable to OpenSSL versions 1.0.1 and above. The bank, however, ran an earlier version of OpenSSL that was still supported, which means that they were safe against this attack. With such an IT security law, the government would have had the authority to force a German bank in a similar case to use pre-defined software versions. What would have happened if the state, for one reason or another, had forced the bank to apply non-security-related updates to the software, although they did not need them? It could lead to a situation where the bank is forced to update its software against its will and its interest, for a more than dubious advantage.

Moreover, the law would apply to all companies running an IT infrastructure, and it is almost impossible to create a baseline for companies that differ to such a great extent. Should an electric toothbrush company have the same security policy as Airbus, which builds fighter jets?

Finally, who will enforce the law? Will state agencies have to audit every company in Germany to make sure that security updates are applied? Where will they find the security experts for not only Linux and Windows, but also antiquated operating systems, such as OpenVMS (which runs some of the critical operations of many companies)? You can count the people in Europe who understand this type of software (supported by their vendors) on two hands. Maximum. This law will lead either to a bad compromise, based on the lowest common denominator that will change nothing, or to a bureaucratic burden for companies that will reduce the competitiveness of German companies. Literally the opposite of what the government intended.

So what should the government do? US president Obama, according to the Handelsblatt, declared that “the government cannot do everything, because most of the IT infrastructure lies in the hand of the private sector. But the private sector alone can also not deal with everything, because the government very often has the most current information about threats.” In my opinion, if the government is in possession of this type of information, it should release it as soon as possible to all. It is the responsibility of the government to protect itself against attacks; it is also proof of being a good world citizen to alert as many people as possible to a possible security bug. This of course benefits businesses, who can protect themselves. Openness is the key, and collaboration with IT providers and companies will help the latter become more aware of security threats that might endanger their competitiveness. Whether they do something about it or not is their prerogative and should be implemented according to their priorities.

Not state coercion, but full openness and collaboration between the state, IT providers and businesses will make Germany a leader in cybersecurity.

One year in Lausanne

As I mentioned a year ago, I was accepted at IMD (International Institute for Management Development) to participate in the one-year MBA program. I graduated in December 2014 and am looking back at a very intense year, filled with work, challenges and friendships.

I moved to Lausanne from Munich at the beginning of January 2014, left a “regular” life and made a significant financial commitment to take on a challenge that would reveal itself to be the best decision I ever made in my life.

The program itself was extremely intense, and that is what made it so interesting. The first six months were absolutely horrific in terms of workload, but the classes were so interesting that it was not at the expense of the learning experience. The fact that we were a tight-knit group of only 90 people really helped bonding with everybody. I definitely enjoyed the wide variety of classes, such as operations, finance or entrepreneurship. My natural curiosity was constantly satisfied with case studies and learning experiences that made me discover the wide range of business challenges beyond the IT world with which I was familiar given my background.

After the first six months during which we were prepared to have a better understanding of the business, we had the chance to make a discovery trip to Singapore and Kuala Lumpur, where we met business and government leaders. We learned from people of Singapore’s economic development board, the private equity practice of Bain, and many others. We then participated in a so-called “International Consulting Project”, during which we worked as a team of five students for 2 months to help a global company define its Big Data strategy. The topic, the team I worked with and the interaction with senior executives of the company made the project absolutely thrilling!

Beyond the “regular” learning, one of the strongest points of the IMD MBA is the leadership component. During this year, I had multiple opportunities to learn about myself and, most importantly, receive feedback about the perception that others had of me. This helped me increase my self-awareness and will definitely have an impact in business situations.

Finally, this IMD MBA would be nothing without the friendship I built with my 89 classmates. Through all the work, the sports and the fun, I can really say that I have 89 friends around the world. The bonds that form between us are simply incredible and I’ll keep them with me all my life. They made my MBA experience what it really was and I’ll be forever grateful to them for that.

During the graduation ceremony, Mark Cornell, a 1999 MBA alumnus, congratulated us for receiving “the finest MBA in the world”. It certainly was the best decision in my life so far and I look forward to applying what I learned in my future positions… and seeing my friends again.

Software-Defined Datacenter ? No thanks, I prefer Open and Standardized

I recently did a presentation at HP Discover in Barcelona, Catalonia, called Red Hat’s vision for an open-hybrid cloud (the slides are also available). When preparing the presentation, I thought at first of calling it “Red Hat’s vision for a Software-Defined Datacenter”. The term “Software-Defined Datacenter” (SDDC), first coined by VMware, has become extremely popular in the IT industry in the past months. There are very few parts of the datacenter that cannot be “software-defined” anymore. The first element was Software-Defined Networking (SDN), followed by Software-Defined Storage (SDS) and Software-Defined Computing (SDC), which led to the SDDC.

However, during the preparation of my session, I stepped back a little and thought about what this “software-defined” trend was about and I asked myself this question: what datacenter today runs no BIOS ? no hypervisor ? no operating system ? no application server ? and no application ? None, of course. Why ? Because a datacenter has always been defined by software ! What is different in today’s IT industry are two factors that are driving efficiency: openness and standardization.

  • What is software-defined networking ? It is about taking a standard x86 server, connecting it to the network, and, through software, making it a controller for the network environment using open protocols.
  • What is software-defined storage ? It is about taking standard x86 servers and using the capacity of their internal disks and, through software, putting their capacity at the disposal of clients through open access protocols.
  • What is software-defined computing ? It is about taking standard x86 servers and consolidating hundreds of servers by virtualizing the standard x86 processor instructions.

A software-defined datacenter is nothing but an open, standardized datacenter.

But what about the cloud ? To me, cloud is the automation layer that will manage resources on top of this infrastructure. Be it public or private, a cloud creates an automated way to provision services by offering a service catalogue to users through a self-service portal.

The question is now with whom do you want to work to implement this open, standardized datacenter ?

After having freed yourself from proprietary, hardware-centric and purpose-built hardware, what would be the point of locking yourself in again with a software vendor ? Openness on the infrastructure side can only be matched by openness on the software side, and Free and open-source software (FOSS) is the key for you to keep control of your environment, and especially to have different vendors to choose from. Open protocols are key to providing access to all parts of this type of infrastructure, and that is the beauty of FOSS: there can be no proprietary protocol, as the way applications talk to each other is known by everyone. No secret sauce, no voodoo magic and no “trust us, everything is going to be fine”, just plain openness, from which you can only benefit.

Who do you think can help you build this open standardized datacenter ? In terms of vendors, think of one who’s been standardizing Unix platforms onto standard x86 servers with an open-source operating system for the past 20 years. Think of a vendor that provides storage solutions based on x86 servers and open protocols. Think of a vendor heavily involved in all of OpenStack’s modules, including Neutron, which manages networking. This is what Red Hat has been doing for the past 20 years: opening and standardizing.

The future might bring surprises. The trend toward ARM-based servers, SoCs, and hyperscale computing might create new silos of technology. Software-based storage on top of x86 servers will probably co-exist with fibre channel SANs for some time. But as long as your environment is as open (in hardware and software) and as standardized as possible, you are in good hands. But do not blindly trust vendors who claim they are open. Trust the open-source communities and the vendors who contribute the most to them.

Toastmasters contests

Back in May, I attended a Toastmasters conference in Antwerp, Belgium. During this conference, I attended the International speech contest and the evaluation contest. I saw wonderful speakers, such as John Zimmer and many others give great speeches, impress and inspire their audiences.

As I was Public Relations Officer of the District, I could not participate in the contests, but during the awards ceremony, seeing the joy of the winners, I thought to myself “in six months, I want to stand at the same place !”. And so, a couple of weeks after, I started to work on three humorous speeches for the upcoming contests. One in English, one in French and one in German. Different speeches are needed because the type of humor is different in every language. Also, as the contests happen during the same day, it is important to offer different jokes, otherwise any surprise effect or twist that creates a funny situation does not have the same impact. It was a lot of work, but also a lot of fun to see the audience at different levels of the contest laugh at my jokes.

I made it to the contest at District level (Continental Europe), in Budapest, Hungary, in impromptu speeches in English and in humorous contests in German and French. It was a great experience to speak in front of hundreds of people in a larger environment with a microphone. I really enjoyed it and the feedback I get from my fellow Toastmasters will help me improve my public speaking skills.

In the end, I finished second in the humorous speech contest in French and won the humorous speech contest in German. I realized what I had promised myself a couple of months before: to win a District contest. To me, these contests are everything Toastmasters is about. If you are willing to work hard and listen to the feedback given to you, then you can truly make progress in public speaking. I can only recommend this experience to anyone.

To conclude this post, I’d like to thank a couple of people who helped me on my way to the finals:
– Thanks to Mel Kelly, who’s been a wonderful sparring partner, a great winner in the English humorous speech contest and who took the time to help me improve my German speech
– Thanks to the members of the CRFM, and especially Elisa, Jean-Marc and Lucienne for their support and advice
– Thanks to all Prostmasters and especially Ineke and Christopher for their support across all contests and in Budapest.
And of course thanks to the whole Toastmasters organization, to all the people who spend an enormous amount of time organizing conferences and helping others grow as speakers and leaders.

Road to an MBA

After a couple of years of preparation, I finally applied at the beginning of this year to two MBA programs. The reason why I want to study again is that I want to broaden my scope of responsibility beyond only technical relationships and know-how, to learn about business in a structured way and also to challenge myself in an intense academic experience.

The first step I took was to prepare my GMAT. It is a very interesting test: although it does not really require a lot of knowledge, it does, however, definitely test your ability to think both fast and under pressure. The exercises are an excellent brain workout, even outside of an intense preparation. I mainly used the Manhattan GMAT books and the Newton preparation. My advice is: work hard and do not discourage yourself if you get a bad score. Dust yourself off and get back to work !

The second part was to write my essays. These essays are meant to give more depth and another perspective to your professional profile. It really helped me that I have been part of Toastmasters and Round Table. I experienced leadership positions at Toastmasters: I ran the Public Relations for the District 59, which spans all over Continental Europe and serves 6000 members. With Round Table I had the chance to organize a large-scale charity event for impoverished children from Eastern Europe and definitely had a couple of stories to tell about these experiences. If you are applying for an MBA, one piece of advice I can give you is to let as many people as possible read your essays and give you feedback. You will have to share stories with people you would not have thought you would, but I am grateful that I received feedback and suggestions for improvement from friends and family members.

Finally, I also had to ask my previous manager from HP and my current manager at Red Hat to endorse me. In my case, I decided to be very open about my intentions to stop working to go study again and had the chance that they supported me.

I applied to IMD and got the chance to be invited for the famous assessment day, along with 5 other applicants. I was amazed by the quality and diversity of their professional background. And all of them were very nice people. The day was divided into three parts:
– The first part was a traditional individual interview that lasted 45 minutes.
– The second part was a business case, for which each of us had 30 minutes to prepare and to make some business decisions, based on the given case and data. Each of us had to give a 5-minute presentation about his conclusions. That is when I realized that Toastmasters is an invaluable learning experience. I had to give a somewhat impromptu presentation in 4 to 5 minutes in a structured manner to convince my audience: this is pretty much what I have been doing every two weeks in my club for the last 6 years ! Thanks Toastmasters !
– The last part was another business case that we had to prepare in advance and discuss together, in order, again, to make a business decision.

All these three activities were monitored by three members of the IMD faculty.

This assessment day was both exciting and interesting.
– Exciting because you want to prove how interesting and smart you are, as well as a leader and a team player. You have to be aggressive enough so that others hear you, whilst knowing when to stay quiet and listen to others.
– Interesting (for me) because the two business cases were radically different from the industry I work in on a daily basis. I thought it was very, very refreshing and thought provoking.

My advice if you are accepted to this assessment day is to stay true to yourself. Yes, you need to be heard and to make suggestions, but as I am more an introvert, being too loud would have seemed unnatural.

IMD called me back and I got accepted into their MBA, which I am really proud of, as it is ranked #1 International one-year MBA (i.e. outside the US) program by Forbes. I am going to move to Lausanne in Switzerland in January and will start on January 6th. And of course, I’ll try to keep this blog up to date to share my impressions of the program !