Learn from yesterday, live for today, hope for tomorrow. The important thing is not to stop questioning.

—Albert Einstein

The Web has existed for two decades, yet it’s only in the last few years that we’ve gained a clearer picture of what the Internet may become, and how the emerging capabilities may shape the future.

As early as 1993, companies like AOL started offering access to online newsgroups, soon followed by dial-up Internet access using early web browsers. As laptops became more affordable, many people started accessing the Internet while on the move. The rise of smartphones introduced built-in sensors, such as cameras, global positioning system receivers, and touch-sensitive screens, into consumers’ everyday computing experiences. Businesses began using the information gathered from users’ devices to offer personalized experiences, ranging from location-based driving directions to selected advertisements. The variety of Internet-connected devices rapidly expanded to include tablets, home DVRs, appliances, and cars. Devices also became smarter, with improved voice and gesture recognition.

We’re now entering a world in which these elements will be combined to create much richer context-aware experiences for users and new opportunities for businesses. Our devices will know us, and they will know other devices. In fact, devices may almost become part of us: many companies are already shipping wearable computers, including smart athletic garments that work with smartphone apps to monitor your biometrics and suggest ways to improve your performance.

Each day, billions of computing devices will perform functions on our behalf, often communicating among themselves to get the job done. Much more information will be collected from sensors such as cameras, microphones, and GPS receivers embedded into the user devices. This data will be combined with other information to create context-aware experiences that are far more personalized and compelling. Already, cameras and image recognition technology, combined with behind-the-scenes analytical software, can be used to identify a user’s age bracket and gender, and tailor their experience accordingly. Early applications based on this technology are being piloted and in some cases deployed by large companies, including retailers (see sidebar).

Estimates of the projected size of the context-aware computing market continue to grow. When the first edition of this book was printed, Gartner, Inc. (2011) expected context-aware technologies to create huge business opportunities affecting an estimated $96 billion in annual consumer spending worldwide by 2015. In 2013, forecasts suggested the market would reach $120 billion by 2018 (MarketsandMarkets 2013). And a report in late 2015 forecast the market will swell to $185 billion by 2020 (Global Industry Analysts 2015). During this period, it’s expected that a significant percentage of all payment transactions will be validated using contextual information.

Richer Experiences in the Retail Environment

As people buy more goods online, retailers are seeking to entice shoppers into brick-and-mortar stores by using technology to create richer, context-aware experiences.

Macy’s and some other big-name stores are already using beacons, which detect the smartphones of nearby shoppers and, if they have opted in, send them targeted offers or mobile games with gift-card prizes (Tode 2015). Brands including Kate Spade and Levi’s use smart display tables and shelves that sense when customers pick up a product and engage them with relevant videos and product information. The technology tracks every interaction, so stores can analyze shopper behavior and measure the impact on sales (Perch Interactive 2016). LEGO stores use augmented reality video screens to show kids what they can build with each LEGO box. The screens recognize each box and display a 3D image of a toy that can be created from it, blended into a real-time video of the child in the store. Canadian sports retailer Sport Chek’s flagship stores integrate hundreds of screens in displays up to 16 feet tall, using gesture, touch, and RFID to sense customer input and display customized interactive content.

As an Advertising Age column noted, technology may ultimately help transform the physical store into a venue for interactive experiences that increase brand affinity—acting as an event space, gallery, help desk, or even a test kitchen. If that happens, online sales may work in tandem with, rather than as a substitute for, a physical store (Fulford 2015).

These new technologies also introduce new risks, as I described in the discussion of emerging threats and vulnerabilities in Chapter 6. The sensors and other new capabilities embedded into millions of intelligent new devices can be exploited for dangerous purposes. Malicious individuals might be able to remotely access home security surveillance systems to determine when you’re not at home. Researchers have already demonstrated the ability to remotely control the brakes and other functions of an Internet-enabled car. After remotely hijacking a Jeep Cherokee driven by a reporter, researcher Charlie Miller commented, “Right now I could do that to every [Chrysler] car in the United States on the Sprint network” (Pagliery 2015). The hack prompted Fiat Chrysler to recall 1.4 million vehicles to fix the issue (Greenberg 2015b).

As security professionals, we may tend to focus obsessively on this darker side of the picture. Looking for threats and vulnerabilities is part of our role. We’ve seen that attackers find ways to exploit new technologies almost as soon as they appear. Analysis of emerging threats by many firms indicates that this trend will continue. As attackers adapt, we must adapt, too. Our role will be more important than ever. As more aspects of people’s daily lives are based on technology, it will become increasingly important to secure the technology. The Protect to Enable mission will expand accordingly; in fact, it is becoming a corporate social responsibility, as I will explain further in Chapter 9.

The positive news is that new technologies can also be used to enhance security. As information risk becomes an even more high-profile concern, suppliers are building more security into their products and services. Devices will include a greater level of baseline security hardening to reduce the likelihood of compromise and minimize the impact.

Context-aware computing also introduces new privacy concerns. By definition, context-awareness involves taking advantage of information about the user to create personalized experiences. This makes it even more important to appropriately protect users’ information and privacy. A clear organizational commitment to privacy will be important to ensure this protection. A growing number of other organizations have formally committed to complying with a single set of privacy principles worldwide—although this is becoming difficult due to the proliferation of localized privacy laws and the elimination of the EU safe harbor agreement (see Chapter 1).

An organization’s privacy commitment must also extend to applications and systems. Suppliers are becoming increasingly aware of this, and some are already taking additional steps to ensure user data is collected anonymously. The new baseline security capabilities built into products, such as hardware-enforced protection and accelerated encryption, may also help enhance privacy by protecting user data. In addition, the information provided by sensors can be used to create context-aware security. Today, some cars can automatically adjust seat, mirror, and pedal positions to suit different drivers. They adjust these settings when they detect the presence of the driver’s personal car key. In the future, as cars become more intelligent and include more sensors, they might identify the driver using a camera and microphone. If they don’t recognize the driver, they might disable the car and alert the owner via their built-in wireless Internet connection. Cars might include a maintenance mode that lets mechanics drive the car while it’s being serviced, but only within a radius of a few miles. Similarly, as I’ll discuss later in this chapter, the sensors in an enterprise-class device, such as a business laptop PC, could be used to prevent theft and help protect the information it contains.

From the perspective of the enterprise information security team, these emerging capabilities will allow increased trust in users and their devices. When we have a higher level of trust, we can provide the user with greater access to sensitive enterprise information and other resources.

I believe that this dynamic evaluation of trust is a key capability that new security architectures should include, as I discussed in Chapter 7. Employees may want to access our systems from a variety of devices and locations, including personal smartphones and tablets as well as business PCs. When a user requests access to enterprise systems, the architecture should dynamically calculate trust based on contextual information such as the user’s identity, the security features of the device they’re using, their physical location, and the resources they’re trying to access. The architecture then will decide whether to grant access and the level of access that should be allowed. As manufacturers increase the security capabilities in their devices, the model will be able to take this into account. We’ll have increased trust in a device, and we’ll be able to provide a correspondingly greater level of access.
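The trust calculation described above can be sketched as follows. This is an added example, not code from the book or from any product: the factor scores, weights, thresholds, and every name in it (`Request`, `trust_level`, `decide`) are assumptions chosen for illustration. It combines identity, device, and location into one score, and shows why a single weak factor should cap the result instead of being averaged away.

```python
from dataclasses import dataclass
from enum import IntEnum


class Access(IntEnum):
    DENY = 0
    LOW = 1      # low-sensitivity resources
    MEDIUM = 2   # internal business applications
    HIGH = 3     # the most sensitive enterprise information


# Assumed factor scores on a 0-100 scale. Unknown values score 0 (fail closed).
IDENTITY_SCORE = {"password": 40, "password+otp": 70, "hardware_token": 100}
LOCATION_SCORE = {"corporate_site": 100, "known_home": 70,
                  "public_network": 40, "restricted_region": 0}
WEAK_FACTOR = 30  # assumed: any factor below this caps access at LOW


@dataclass(frozen=True)
class Request:
    auth_method: str
    managed_device: bool
    hardware_backed_keys: bool
    disk_encrypted: bool
    location: str
    resource_level: Access  # sensitivity of the resource being requested


def device_score(req: Request) -> int:
    """Score the device from its security features (assumed weights)."""
    score = 20
    score += 30 if req.managed_device else 0
    score += 30 if req.hardware_backed_keys else 0
    score += 20 if req.disk_encrypted else 0
    return score


def trust_level(req: Request) -> Access:
    """Map the request context to the highest access tier it can be given."""
    identity = IDENTITY_SCORE.get(req.auth_method, 0)
    device = device_score(req)
    location = LOCATION_SCORE.get(req.location, 0)

    weakest = min(identity, device, location)
    if weakest == 0:
        # A disqualifying factor cannot be outweighed by strong ones.
        return Access.DENY

    score = (4 * identity + 4 * device + 2 * location) // 10
    if score >= 80:
        level = Access.HIGH
    elif score >= 50:
        level = Access.MEDIUM
    elif score >= 25:
        level = Access.LOW
    else:
        level = Access.DENY

    if weakest < WEAK_FACTOR:
        # Strong identity on a weak device still yields only LOW access.
        level = min(level, Access.LOW)
    return level


def decide(req: Request):
    """Return (granted tier, whether the requested resource is allowed)."""
    granted = trust_level(req)
    allowed = granted != Access.DENY and granted >= req.resource_level
    return granted, allowed


if __name__ == "__main__":
    # Constructed sample request: personal device at home, OTP login.
    sample = Request("password+otp", False, False, True, "known_home", Access.HIGH)
    print(decide(sample))
```

As device security features improve, only `device_score` changes; the same request then earns a higher tier without any change to the policy thresholds.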

In this chapter, I’ll take a closer look at some of the emerging security capabilities that we can expect in products and services. First, though, I’d like to set the stage by examining some of the key underlying trends that make these security capabilities both necessary and possible.

Internet of Things

Many everyday objects are becoming more intelligent. They’re acquiring processors, sensors, software, and the ability to communicate. This trend is made possible by Moore’s Law: processors and other hardware components continually become faster and less expensive, and therefore ubiquitous. This accelerating trend is creating the Internet of Things, a massive expansion of the Internet as it swells to include billions of devices and household objects. Intelligent devices in cars, home electronics, and other “things” will far outnumber those in more conventional computing platforms and even those in mobile devices such as smartphones. Gartner, Inc. estimates that during 2016, 5.5 million new “things” will be connected every day. Juniper Research expects 38.5 billion connected devices by 2020 (Loechner 2015); Cisco expects an even higher number of 50 billion (Cisco Systems 2015b).

Gartner, Inc. (2011b) identifies several key technologies and capabilities contributing to this trend, including sensors, image recognition, and wireless payments using near field communications (NFC) technology. Sensors that detect and communicate changes in their environment are being embedded not just in mobile devices, but in an increasing number of places and objects. Emerging applications will take advantage of this information. For example, camera-based image recognition technologies are expanding from mainly industrial applications to broad consumer and enterprise uses. These systems gather information about users and then analyze this information to personalize the user experience. Wireless NFC, based on a communications standard analogous to the Radio Frequency Identification (RFID) technology used for product-tracking, lets users make payments by waving a mobile phone or smartwatch in front of a compatible reader.

With technologies such as NFC, the concept of the Internet may broaden to include an even wider variety of “dumb” objects, like drink cans or fertilizer bags (Gartner 2011b). This trend will provide opportunities for innovations that were not previously possible. Today, items in stores may include 2D bar codes that can be read by smartphones. In the future, store items may include NFC on the packaging or shelf label, allowing them to wirelessly identify themselves to nearby devices, such as a shopper’s smartphone. The shopper will then be able to learn not only about the product, but also alternatives, and could even view cross-selling and up-selling suggestions.

Devices such as the Nest Learning Thermostat have provided a glimpse of the future. This home heating controller is designed to be intuitive and simple to operate, replacing complex menus and instructions with a single big button and a dial. Users can remotely monitor and set the temperature from their smartphones, so they know the house will be warm by the time they get home. But perhaps the most interesting capability is that, as its name suggests, it can learn. The Nest monitors use of the heating system and attempts to learn the user’s preferences—when the heating is switched on and off, and the desired temperature. After studying the use patterns for a while, the Nest begins to predict and autonomously set the temperature and timing itself. Since Nest launched, many other companies have followed suit with similar devices not only for home heating but also for other sensors and alarms, including water sensors, motion sensors, and do-it-yourself internet-based home security systems.

I believe that devices like this are early examples of a much larger trend. As the Internet of Things grows, more interactions will occur directly between devices, rather than between people and devices. Devices and objects will interpret and act on information provided by other objects. This will enable much more intuitive and streamlined experiences in many different fields. Consider the following scenario, described by Plantronics CTO Joe Burton (2012). A doctor visits a patient in a hospital room. A smart device the doctor is wearing turns on the doctor’s workstation in the room, then authenticates the doctor to the patient management system, detects which patient is near the doctor, and pulls up the patient’s record. When the doctor leaves the room, the information accumulated during the visit is saved and the workstation powers down.

Consistent User Experience Across Devices

Users now demand the same quality of experience in the workplace that they’ve become accustomed to in their personal lives. This includes the ability to access information across a continuum of devices, including PCs, smartphones, and tablets. They expect to be able to move from one device to another. They also expect intuitive applications on all of these devices, with the application’s features tailored to the device’s size and capabilities.

IT therefore needs to provide users with a consistent experience across devices and the ability to seamlessly transition between them. As enterprise information security professionals, we need to focus on the user experience and on enabling this broader range of devices while managing the risks.

Cloud Computing

The cloud is as much a new business model as it is a technology shift. The ability to obtain flexible IT services on demand lets businesses operate more dynamically—quickly taking advantage of business opportunities and growing or shrinking infrastructure capacity to meet demand. Cloud services can also potentially reduce cost.

However, cloud computing can also add new security complexities and data-protection concerns. Organizations may use multiple cloud providers, while also operating a private cloud for the most sensitive applications. Users need to be able to easily access services delivered from any of these multiple environments. From the enterprise perspective, we need to enable a seamless user experience while minimizing risk. This implies a federated model in which the user needs to log in only once; the user’s credentials can then be used to access multiple applications. However, this also means that an attacker may only need to gain access once in order to compromise several environments.

Big Data Analytics

Businesses have quickly realized the value of analytical tools for real-time analysis of massive amounts of unstructured data. In the future, these analytic capabilities will increasingly be used to interpret data from sensors as well as from databases, social media, and other sources. The analysis of this information will then be used to create new personalized experiences, like the retail examples discussed in the “Richer Experiences in the Retail Environment” sidebar.

This analysis can also be integrated with existing enterprise systems to create sophisticated customer-focused services. Here’s a scenario described by Accenture (2012): a rental car company automatically detects when an accident with one of its cars has happened, initiates emergency services if needed, and issues a replacement rental car to meet the renter at the scene, greatly improving the chances of creating a loyal customer for life.

Artificial Intelligence

Artificial intelligence is rapidly maturing, and it’s now clear that AI will help all of us in a variety of ways, both in business and our personal lives. AI is already used to identify meaningful patterns in data for many purposes, including information security, and to understand and translate speech. AI will certainly play a role in self-driving cars. Over time, AI will become capable of taking on broader and greater responsibilities. As Alphabet Inc. executives Eric Schmidt and Jared Cohen put it: “Eventually it will be possible to give a computer unstructured data—say, spreadsheets used to manage business records—and receive quality advice on improving operations.” (Schmidt and Cohen 2015) In our personal lives, perhaps we’ll have a helper like Jibo, a “social robot” that recognizes your face, converses with you, helps manage your calendar and basic tasks, and learns your preferences so it can adapt and help you better.

Business Benefits and Risks

By now, it should be apparent that the richer experiences enabled by these capabilities are as important to businesses as they are to users. New, context-aware experiences may attract customers and create new revenue. Furthermore, focusing on the user experience may be essential for business survival. If we don’t provide rich and appealing user experiences, customers may gravitate toward competitors that do.

Our challenge is to manage the risks associated with these new experiences. The good news is that new security capabilities are emerging to help us do so.

New Security Capabilities

The IT ecosystem is increasingly focusing on building security into hardware, software, and services. We’ll all be able to take advantage of this security to protect users and the enterprise. I think of these capabilities as the equivalent of termite-resistant building materials used in construction. They may not prevent termite attacks altogether, but they can stop some of them and minimize the impact of others. For example, Dell is using technology from Cylance to protect the BIOS firmware in its business PCs. The technology is designed to check if systems are secure when users boot them up; after the PC boots, the software checks a hash of the BIOS against a known good version stored in a secure cloud.

Suppliers will need to frequently enhance these defenses to ensure they remain effective. As I noted in Irrefutable Law #6 in Chapter 1, security controls operate in a dynamic environment in which attackers are constantly learning and adapting their approach. Unless the defenses also adapt, they will lose their effectiveness over time.

I expect the ecosystem will increasingly view these security features as a way to differentiate products to meet the needs of distinct categories of customers. As a parallel, think about how the auto and other consumer industries developed. Initially, manufacturers focused on getting the public to buy cars en masse. Accordingly, the focus was on mass-producing just a few models at the lowest cost. As Henry Ford famously said, "Any customer can have a car painted any color that he wants so long as it is black" (Ford and Crowther 1922). Ford’s mass-production strategy was enormously successful in popularizing cars among the American public. By 1918, half of all cars in the United States were Model Ts (The Henry Ford Museum 2003). But once consumers became more familiar with cars, they started demanding models that met specific needs. As manufacturers responded, the industry began to develop the huge variety of models that we see today.

In the same way, suppliers will offer a range of products or services with differing levels of security, including higher-security versions for the most sensitive enterprise uses and less-secure versions for consumers. This trend has already been evident for some time in products such as servers and PCs, and we’re beginning to see it in cloud services.

In a closely connected trend, we’ll see increasing use of contextual information to improve security. Some of this context will be provided by the sensors built into devices, such as cameras and GPS receivers. In addition, analytical and monitoring tools will be able to gather valuable contextual information from the environment. For example, they may examine databases containing information about users’ access history and other relevant data.

Baseline Security

A greater level of baseline, hardware-enforced security features will be important in all categories of devices, from smartphones to full-featured PCs. These capabilities will protect the information on the device itself, and the information that is accessed from the device. They’ll enable greater trust in the device, and because of this trust we’ll be able to provide users of the device with access to more resources, as I described in Chapter 7. The potential business benefits include increased user satisfaction and productivity.

I believe that these features will become particularly valuable as the Internet of Things takes shape. Many new, connected devices and objects won’t be powerful enough to run traditional software security controls. Do I expect the computers that control my car or my home to run full intrusion prevention systems or traditional antivirus suites? No, but it is possible to run lightweight AI-based agents that can determine good from bad in milliseconds. This capability has already been demonstrated: in the summer of 2015, Cylance showed its AI-based anti-malware agent running on a Raspberry Pi platform, which is based on the ARM processors that are in many appliances and other IoT devices (Bradley 2015). I also believe that many of these new devices should include protection that limits their functions to the desired purpose, reducing the risk that they could be successfully attacked and manipulated via the Internet or a wireless network.

For enterprise security, these baseline hardware security capabilities will provide help in key focus areas, including threat management, ID and access management, data protection, and remote monitoring. Some expected baseline capabilities include protected environments, encryption, hardware acceleration, enhanced recovery, and integration with security software, as described next.

Protected Environments

Increasingly, hardware will provide protection for essential functions and data in the form of trusted layers and execution environments. I think of this approach as analogous, at the hardware level, to the way organizations are implementing network security zones within an enterprise environment (as described in Chapter 7). The most valuable and critical functions receive the greatest protection, as well as increased monitoring and recovery capabilities.

Attackers have become increasingly adept at compromises using tools, such as rootkits, that operate at or below the operating system level, making them harder to detect and prevent by most traditional security applications. Implementing protection at the hardware level can help prevent compromise of firmware, operating systems, hypervisors, and other fundamental system components. Hardware-level protection can also help alert security professionals to attempted attacks and aid in system recovery. However, hardware-level protection must be designed, developed, and implemented correctly or it could actually do more harm than good, because compromise at this level can give attackers wide-ranging access to the software and data on the system. Concerns have already begun to surface and are growing. Researchers demonstrated the ability to hack the microcontroller inside flash cards, enabling the execution of code that can be used to perform a man-in-the-middle attack (Paganini 2014). Networking equipment supplier Juniper Networks found that its firewall operating system contained “unauthorized code” that surreptitiously decrypted virtual private network traffic (Goodin 2015). MIT researchers suggested there are weaknesses in the implementation of key provisioning for Intel Software Guard Extensions (SGX), a set of hardware instructions designed to improve security by sealing software into hardware-protected enclaves (Chirgwin 2016).

Encryption

Many organizations already use disk encryption to protect data against loss or theft. But in a world where devices are always on and always connected, traditional software-based hard disk encryption is not sufficient. New capabilities will make encryption an even more pervasive technology used to protect information throughout its life, both when it is stored and when it is transmitted. Devices will include self-encrypting drives that maximize protection while minimizing the performance impact; encrypted input-output will help protect data during communications. Capabilities that currently exist in larger systems, such as total memory encryption, will become common in PCs and other end-user devices.

Hardware Acceleration

There’s often a trade-off between security and performance. Controls, such as software-based encryption and malware scans, certainly help increase protection, but the performance impact can also increase frustration for users, to such an extent that some may avoid using the security features altogether (see the discussion of control friction and the 9 Box of Controls in Chapter 7). Accelerating functions in hardware can shift the balance in favor of security by decreasing the impact, both on users and on enterprise systems. For example, complex calculations required by standard encryption algorithms can be accelerated using hardware instructions rather than executed entirely in software.

Enhanced Recovery

As I’ve discussed in previous chapters, we must assume that attempts to compromise are inevitable, despite our best efforts. As attacks become increasingly sophisticated, the ability to recover from compromises will become even more important. Future capabilities will help organizations recover from low-level attacks that target fundamental system components such as firmware or the BIOS. The system will be able to detect changes in these components, whether due to malicious attacks or accidental corruption. It will then be able to take steps to restore the components to a known good state, alerting users and the security team when necessary. Other anticipated recovery features include enhanced capabilities to revoke cryptographic keys to reduce the spread and impact of compromise.

AI-Based Security and Automation

AI-based security applications will play valuable roles in preventing attacks. Today, for example, Cylance uses AI-based agents to distinguish good from bad in milliseconds. These applications will be able to provide an even greater level of protection when they are integrated with hardware-based security, as exemplified by the Dell-Cylance BIOS protection agreement described earlier in this chapter. This kind of integration will enable software to more closely monitor the underlying hardware and firmware for attacks that might otherwise go undetected. For example, security software could use hardware features to detect symptoms, such as memory state changes, caused by specific types of attack. Companies are also researching better ways to authenticate users by employing behavioral biometrics: identifying users based on a combination of hard-to-duplicate characteristics such as the way they swipe characters on a smartphone or even how they walk when carrying the device.

AI will be used more broadly over time to enable a greater level of automation in threat detection, prevention, and response. In the future, AI might be used to dynamically evaluate trust and the corresponding level of access that’s provided to a user (see the granular trust model in Chapter 7).

Context-Aware Security

The theme of context awareness underlies many of the rich user experiences described in this chapter. Context awareness can also enhance security: the same sensors and analytical tools that help organizations create personalized experiences can also be used to mitigate risk.

In the home, TVs might be able to recognize when a child is watching, and show only appropriate channels. In supermarkets, cameras that are already used for physical security could help increase the efficiency of automated checkout stations. As I described, image recognition technology can determine a shopper’s approximate age. By using this information, perhaps in conjunction with data from a scanned driver’s license, the system could help avoid the need for cashiers to manually approve alcohol sales, leading to faster checkouts for consumers and reduced costs for stores.

The sensors in portable devices, such as mobile PCs and smartphones, may also be used to help protect against theft and unauthorized use. A simple case might utilize the device’s camera, microphone, and GPS receiver to help authenticate you as the device’s owner. If the user looks and sounds like you, and the PC is at your house, we have more confidence that the person using it is really the owner.

Additional technologies in portable devices, such as NFC, will allow more sophisticated examples of context-aware security. Devices will know when they’re no longer in proximity of their owner, and may enter a protected state to prevent data loss. If your phone is near your laptop, we have greater confidence that you are the user trying to access the information on the laptop. When your phone moves away, the laptop deduces that you have moved away, too, and begins to armor itself by locking the screen. As you move progressively farther away, the laptop first goes into standby to save power, and then begins encrypting its contents for protection.

The GPS receiver in a portable device can also be used to geofence the device and the data it contains. If the receiver detects that a PC has moved outside a specific area, the device could alert the owner and the enterprise support team. The same capabilities could help protect data whose movement is restricted by specific geography-related requirements such as export controls. The device could detect when it’s in a country subject to these controls, and encrypt the data it contains to protect it.
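The proximity and geofencing behavior described in the last two paragraphs can be expressed as a small state machine. This is an added example, not code from the book or from any product: the distance thresholds, fence coordinates, and all names are constructed assumptions, and the permitted area is simplified to a circle. It also makes two design choices the text does not state: a missing phone signal is treated as "out of range" (fail closed), and protection only relaxes after the user re-authenticates.

```python
import math
from dataclasses import dataclass
from enum import IntEnum
from typing import List, Optional, Tuple

EARTH_RADIUS_M = 6_371_000


class Protection(IntEnum):
    UNLOCKED = 0
    SCREEN_LOCKED = 1
    STANDBY = 2
    ENCRYPTED = 3


@dataclass(frozen=True)
class Policy:
    lock_at_m: float = 3.0        # assumed thresholds for phone distance
    standby_at_m: float = 15.0
    encrypt_at_m: float = 50.0
    fence_center: Tuple[float, float] = (45.5200, -122.6800)  # constructed
    fence_radius_m: float = 2_000.0
    export_controlled: bool = False  # data must not leave the fenced area


@dataclass(frozen=True)
class Reading:
    phone_distance_m: Optional[float]          # None: phone not detected
    position: Optional[Tuple[float, float]]    # None: no GPS fix


def haversine_m(a: Tuple[float, float], b: Tuple[float, float]) -> float:
    """Great-circle distance in meters between two (lat, lon) points."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(h))


def proximity_level(distance: Optional[float], policy: Policy) -> Protection:
    """Escalate protection as the owner's phone moves farther away."""
    if distance is None or distance >= policy.encrypt_at_m:
        return Protection.ENCRYPTED  # undetected phone counts as far away
    if distance >= policy.standby_at_m:
        return Protection.STANDBY
    if distance >= policy.lock_at_m:
        return Protection.SCREEN_LOCKED
    return Protection.UNLOCKED


def step(current: Protection, reading: Reading, policy: Policy,
         reauthenticated: bool = False) -> Tuple[Protection, List[str]]:
    """Return the next protection state and who should be alerted."""
    wanted = proximity_level(reading.phone_distance_m, policy)
    alerts: List[str] = []

    if reading.position is None:
        alerts.append("location_unknown")
    elif haversine_m(reading.position, policy.fence_center) > policy.fence_radius_m:
        alerts += ["owner", "support_team"]
        if policy.export_controlled:
            wanted = Protection.ENCRYPTED

    # Ratchet: the phone coming back into range is not enough to unlock.
    if wanted < current and not reauthenticated:
        wanted = current
    return wanted, alerts


if __name__ == "__main__":
    state = Protection.UNLOCKED
    inside = (45.5210, -122.6810)  # constructed position inside the fence
    for dist in (1.0, 5.0, 20.0, 2.0):  # constructed sensor trace
        state, alerts = step(state, Reading(dist, inside), Policy())
        print(dist, state.name, alerts)
```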

Cloud Security and Context Awareness

Cloud service providers recognize that some organizations are still reluctant to move critical data to external clouds due to security, regulatory, and privacy concerns. Suppliers have been working to add security capabilities designed to address these concerns. As they do so, we can expect more cloud services that are differentiated based on the level of trust they offer.

Suppliers might offer a “plain vanilla” cloud service for noncritical applications, along with a more expensive high-trust cloud service. Besides offering additional technical controls, secure clouds might include guarantees that the supplier will meet specific privacy and other data-protection regulatory requirements. This tiered strategy resembles the zoned approach to network security that organizations are implementing as part of their evolving security architecture. Zones that host critical applications are protected by a variety of controls, ranging from network segmentation and hardened virtualization host servers to additional monitoring.

In the future, client-aware cloud services will be able to tailor the access they provide based on the security capabilities of the client in order to mitigate risk. A fully managed device that includes hardware-based enterprise security features and a full software security suite may get more access than an unsecured personal device. At the same time, a cloud-aware client will be able to validate that the cloud service it is accessing is genuine, and that it offers the required level of security.

As businesses use a growing number of cloud services, security requirements become more complex. A single enterprise may use multiple external cloud services while also operating a private cloud and a traditional computing environment. It will be important to streamline access for users. We can expect more emphasis on technology that eliminates the need for users to authenticate to each individual service.

Security Analytics and Data Protection

Security context can be provided not only by sensors, but also by analyzing information about the enterprise environment and the threat landscape. As attackers become stealthier, this analysis will become an increasingly important part of an organization’s defenses. Within the industry, many are moving toward the use of security analytics tools to analyze patterns of network traffic and system use. I expect to see increasingly sophisticated external services that analyze a broad range of information in order to thwart attacks.

As information is used on more devices outside the enterprise network perimeter, it will also be increasingly important to focus on controls that are integrated with the data itself. Many organizations are already protecting information with technologies such as enterprise rights management. In the future, these capabilities are likely to become more sophisticated and automated, allowing businesses to define policies that automatically store sensitive data in highly secured locations.

Conclusion

New technologies bring challenges, but they also bring opportunities for the CISO and for the organization overall.

The rich context-aware experiences that I’ve described in this chapter are entirely dependent on IT. To deliver these experiences, organizations will need to understand and manage the risks. As the experts in information risk, CISOs and other security professionals should have opportunities to become closely involved in the development and implementation of key business initiatives. This will result in a higher profile for the information risk and security team across the entire organization.

To fully take advantage of these opportunities, CISOs will need broad business and people skills as well as a thorough knowledge of security controls. With the addition of these skills, I believe the role will evolve into the chief security and trust officer (CSTO), with broad responsibilities to enable the business through trusted infrastructure, applications, and business processes. As this transition occurs, the CSTO becomes the essential enterprise architect, with the IT organization becoming a peer or perhaps a subordinate. I’ll discuss these skills further in the next chapter.