Security must change with service management: UXC Consulting

Security managers must integrate security deep into the heart of increasingly flexible, BYO computing-driven IT service management (ITSM) environments

Security managers must break down their walled-garden mentalities and integrate security deep into the heart of increasingly flexible, BYO computing-driven IT service management (ITSM) environments or risk data death by a thousand cuts, a systems and security consultant has warned.

A UXC Consulting survey, conducted amongst attendees at a recent itSMF Australia conference, found that BYO computing, and the Gen Y and Gen Z service-desk employees that expect it, has become a significant driver for change. And although 80 percent of respondents suggested that their ITSM frameworks already support mobile devices, UXC Consulting CEO Nick Mescher says the increasingly fluid movement of data to and from cloud services should force CSOs to ensure they can manage data as well as devices.

"In the past, the security guys have had their control over IT because devices were only really active in the office 9 to 5, Monday through Friday," Mescher explains. "Security started when staff would arrive at 9am and finish when they left at 5pm. But now we're seeing executives in 24x7 activities where they say 'my life is my work and my work is my life, and you'd better be able to securely support me doing my job'. This whole online lifestyle is driving the fact that service desks have to catch up; security is becoming an expected part of the service rather than an independent barrier."

Generational conflict has highlighted younger employees' lack of tolerance for artificial strictures around access to data, with companies expected to leverage new technologies just as the customers they service do. Yet this presents very real problems in the case of cloud services, particularly as cloud-hosted storage services like Dropbox and Apple's new iCloud compound the problem.

While they may be managing mobile devices themselves, Mescher says, organisations likely won't even be aware that employees are moving data using cloud services. This paradigm shift, coupled with users' growing demand for self-service capabilities that give IT service desks less and less oversight over their activities, means those service desks need to be ready to assist with problems that may have previously been outside their scope.

UXC Consulting recommends that companies adapting their service desk to the spread of mobile devices and cloud data paths consider a few key areas. These include:

  • Better business-IT understanding, in which service desk staff are considered part of the business and quickly provide business-focused solutions rather than just keeping the technology turning over.
  • Automated basic support, allowing staff to accomplish password resets, file/printer access, wireless access, and more – all secured in line with company policies, of course – without depending on service-desk staff.
  • New communications channels, which consider the need for quick 24x7 response times for staff and customers. "IT marketing and communication needs to be quick, concise, and always relevant," UXC Consulting warns.
  • Staying up to date, with service desks empowered to support new employee technologies within existing security and process environments.
  • Boost knowledge sharing, in which service desks find innovative ways to access, store and deliver relevant knowledge to customers that want it available in real time.
  • Improve customer communication so that impatient and challenging customers can be readily dealt with and expectations managed appropriately.

User education, at every level, is critical to managing this change, explains Mescher, as is the adoption of a proactive mentality by security organisations that haven't been known for their proactivity in the past. "We are going to have to get very good at educating our people about what is corporate data and how you deal with that," he says.

"In the past, security often folds its arms and stays in the tent – but you cannot not deal with these services, or bring down the portcullis. There has always been that trust that users will do the right thing, and we're going to have to extend it to tell them their obligations and risks. Security people won't win in this tension, and they have to take a service-minded approach."


Stories by David Braue
