Fernando Labastida
The speed at which technology is changing – and disrupting – the corporate IT environment can sometimes be a little mind-boggling.
The ‘Age of Disruption,’ as described by Clayton Christensen in his book The Innovator’s Dilemma , the phenomenon by which well-funded established technologies are rendered obsolete by “cheaper, simpler, smaller, and, frequently, more convenient to use” upstarts, is creating a sometimes unwelcome revolution in the IT department.
This recent Information Age article illustrates the disruptive effects for today’s hapless CIO:
“There are a number of disruptive forces attacking IT management today, not just the movement to the cloud, which is primarily an infrastructure play. Other forces include big data and analytics, the Internet of Things, mobility, IT service management and cyber security. All of these have created a perfect storm of disruption for current CIOs and IT managers to contend with.”
This is especially true for security. The 2014 Global Top of Mind Survey of 500 C-suite and senior executives globally found that 47% of the respondents cited data security as being very or critically important to their business, and 29% said it will be one of their biggest challenges over the next 12 months.
In my last post I cited two harrowing examples of messy security breaches that became mainstream news – a stark reminder of the consequences of disruptive innovation running roughshod over IT security processes.
It seems as though IT managers are on the defensive – and increasingly losing control.
How To Regain Control of Your IT Security Processes
The solution to today’s industrial strength security problems often seems to be to institute czar-like control over the IT environment. However, extreme measures like these often have the unfortunate side-effective of stifling innovation in the data center.
What can you do to regain control while also keeping on the cutting edge?
Organizations need to:
- Identify IT systems that support the core of their business processes
- Identify top risks based on security threats
- Prioritize the top risks based on impact
- Identify security controls that mitigate risks
- Evaluate if security controls are mitigating risk
The Pareto Principle, or the 80/20 rule, can help you discern which security risks to focus on, a type of “lean analysis” on your IT organization that keeps a balance between security and innovation.
As you probably already know, you should look at these risks in at least the following three areas so you can make a security plan for each of them:
1. Identity and Access Management
Focus first on the people side of things. How do you manage identities and HPA utilized in your organizational systems and applications? In role changes how do you assure that digital permissions will be updated? How do you speed up the provisioning process to increase productivity and reduce risks?
2. Vulnerabilities and Application Infrastructure
How do you assure that the source code your team develops and/or the code you purchase from third parties is risk-free? How do you include security controls throughout your Software Development Lifecycle? How do you ensure that security vulnerabilities found in your code and/or systems are fixed?
3. Supply Chain and Vendor Security
How do you ensure your third party integrations are secure? What type of personnel and security controls can you verify with your vendors? What type of service level agreements are in place with third party software currently in use?
These are the three core security processes in any organization you at least should focus on.
So Who Is Really In Control of Security?
Despite the scary scenarios illustrated by recent examples of catastrophic security breaches, organizations can still maintain control over their IT security without having to resort to drastic top-down measures.
By focusing on the most important risks using the 80/20 rule, and applying them to the above three core security processes of focus, you can regain control of your IT environment – and your peace of mind.
