This is the first issue in an insightful new series from the San Diego Business Journal that features advice and commentary from regional experts on various aspects of technology and its applications in our new digitally-driven business world. Our first section focuses on evolving approaches to data management and storage from the “cloud” to traditional legacy systems. Future issues will feature tech’s influence on the business of health care, real estate, banking and finance.

Stephen Cobb, Security Evangelist

Technological change can be very expensive for an organization, involving the purchase and installation of equipment, maintenance, training and replacement/upgrading. What advice would you give to companies that want to evolve to a more technologically driven business operation, but are resistant because of potentially high costs?

One of the biggest questions facing decision-makers today is whether to invest in IT infrastructure or start migrating to cloud services. But let’s face it: there is little need to build and operate your own IT gear when such services can be sourced much more affordably and flexibly via the cloud.

When doing the math of “build vs. buy”, it is easy to overlook factors not directly associated with initial purchase, such as the value of all the time required to source, configure, implement, monitor, upgrade, and troubleshoot equipment; annual hardware and software maintenance fees; ability to ramp resources up and down easily when demand changes; and the need to hire, motivate, and retain dependable IT talent.

Bottom line – the operational and financial reasons for migrating to cloud services are quite compelling. In other words, can you afford NOT to do it? Don’t simply fall prey to the old way.

As businesses move more and more processes and transactions online, IT has taken a central role in some of the most important business-ethic issues of the day – privacy and the ownership of personal data. Changes in technology and business procedures can outpace a company’s ability to train employees to deal with these issues. What should businesses do to establish ethical parameters for managing data?

To ensure the safe and ethical handling of data, companies first need a clear and well-documented understanding of exactly what personal data they handle. Depending on the type of business, a company’s systems may contain personally identifiable information (PII), relating to its customers or employees or both. You need to know where PII in your systems comes from, where it is stored, where it goes, and who needs to access it. You should also know what legal requirements pertain to the information (as these may not align exactly with ethical constraints on the use of PII).

Now you can make informed decisions about what information to protect and what form of protection is appropriate. Typically this means restricting PII access to only those employees who have a need to see it, using technologies such as encryption and authentication. In other words, to see sensitive customer information, employees must identify themselves with unique credentials like user name and password, and preferably a second factor such as a token or one-time pass code. The time to train employees on the ethical and legal issues surrounding data is before issuing these credentials. After all, the consequences of mishandling sensitive information are never good and can be very costly. Every breached entity is held accountable in four “courts”: law, press, public opinion, and customer loyalty.

What security issues might my business need to address in planning to migrate our business to the cloud?

Turning to the cloud for IT services can be economically appealing but definitely involves a variety of risks that vary according to the type of cloud. If you use a public cloud approach, then some or all of your company data and applications will be in a shared environment, potentially at risk from bad guys attacking that cloud or from the actions of others sharing that environment. You also face potential risks from the actions of the cloud provider itself, such as failing to provide sufficient redundancy to cope with weather-related outages.

Public cloud providers do make security assurances but those are unlikely to be backed by a Service Level Agreement (SLA). A set of tests run by BAE Systems last year found that several public clouds failed to notice malicious traffic, whether it was inbound or outbound. A private cloud removes some of the concerns of a public cloud but you still need to perform due diligence, asking prospective providers about their security measures, including firewalling, intrusion prevention measures, malware scanning, authentication requirements (should be multi-factor), redundancy, backup, and site security.

Employees are going to download files in the day-to-day activities of their jobs. How can I ensure that I’m not putting our business’s core data at risk, with hidden viruses and malware running rampant these days?

A well-designed IT system will provide multiple layers of defense against malicious and unwanted file downloads. You can configure systems to prevent unauthorized downloads, either by type of file or source of file (for example, blocking downloading of unauthorized executable files and blocking surfing to adult sites). You can install antivirus scanning at the file server and email server level, right down to the individual computers or endpoints, including smartphones and tablets. A good antivirus program, properly installed and well-maintained, will block the vast majority of malicious code that is out there in the wild, from viruses and worms to Trojans and time-wasting nuisance apps (sometimes referred to politely as potentially unwanted applications).

Of course, the most critical layer of defense is the human layer. You need your employees to know why they should abide by IT security policies and refrain from downloading unauthorized files. A workforce that understands the risks that such files pose to the well-being of the company, as well as their hopes of continued employment, is less likely to ignore warnings, override settings, or try to defeat your layers of defensive technology.

Tim Caulfield, CEO

What are the risks with moving to cloud-based applications for CRM (Customer Relationship Management), Supply Chain Management, or even genomics sequencing when employees are out in the field with access to valuable data?

Frankly, the risks of security breach or data leakage with cloud services are no different than for legacy-sourced services. There are no inherent advantages or limitations due to technology; it basically comes down to access policies, data segmentation, training, trust, and oversight. Indeed, screen captures, copied files, and memory sticks take mere seconds regardless of a person’s actual location; people are still the source of most vulnerability, not the technology.

In fact, from an IT security standpoint, the level of privacy, isolation, and verification on enterprise-class cloud services is often higher than what is found with legacy implementations. Why? Specialization and investment. Because cloud service providers do it for hundreds of clients every month who expect a very high level of assurance, such providers have invested in and “over-engineered” services and procedures to satisfy even the most stringent customers.

With Moore’s Law and the rapid rate of change in computer technology, it seems that commoditization is rampant and business advantage quickly moves to the largest players with the greatest economies of scale – think Amazon, Cisco, Google, Microsoft, and more. What advice can you give to businesses that want to harness this power for greatest value?

Technology is a wonderful tool but it’s important to remember that while necessary, it is certainly not sufficient for a great overall solution. What most firms need is a consultant / partner / provider who takes the time to really understand priorities, skillsets, and business drivers in order to craft a complete service package that meets the entirety of requirements and is not just a bundle of goods.

This is where a hands-on approach with a local firm that’s invested in the community and committed to your success really pays off. Rather than work with a large vendor who might have great brand recognition but isn’t necessarily known for flexible, personalized, or timely service, we advocate local investment with providers employing highly skilled professionals who internalize your needs and go the extra mile to deliver high-touch service and support.