Security must change with service management: UXC Consulting

Security managers must integrate security deep into the heart of increasingly flexible, BYO computing-driven IT service management (ITSM) environments

Security managers must break down their walled-garden mentalities and integrate security deep into the heart of increasingly flexible, BYO computing-driven IT service management (ITSM) environments or risk data death by a thousand cuts, a systems and security consultant has warned.

A UXC Consulting survey, conducted amongst attendees at a recent itSMF Australia conference, found that BYO computing, and the Gen Y and Gen Z service-desk employees who expect it, has become a significant driver for change. And while 80 percent of respondents suggested that their ITSM frameworks already support mobile devices, UXC Consulting CEO Nick Mescher says the increasingly fluid movement of data to and from cloud services should force CSOs to ensure they can manage data as well as devices.

"In the past, the security guys have had their control over IT because devices were only really active in the office 9 to 5, Monday through Friday," Mescher explains. "Security started when staff would arrive at 9am and finish when they left at 5pm. But now we're seeing executives in 24x7 activities where they say 'my life is my work and my work is my life, and you'd better be able to securely support me doing my job'. This whole online lifestyle is driving the fact that service desks have to catch up; security is becoming an expected part of the service rather than an independent barrier."

Generational conflict has highlighted younger employees' lack of tolerance for artificial strictures around access to data, with companies expected to leverage new technologies just as the customers they service do. Yet this presents very real problems in the case of cloud services, particularly as cloud-hosted storage services like Dropbox, box.net and Apple's new iCloud compound the problem.

While they may be managing mobile devices themselves, Mescher says, organisations likely won't even be aware that employees are moving data using cloud services. This paradigm shift, coupled with users' growing demand for self-service capabilities that give IT service desks less and less oversight over their activities, means those service desks need to be ready to assist with problems that may have previously been outside their scope.

UXC Consulting recommends companies adapting their service desk to the spread of mobile devices and cloud data paths consider a few key areas. These include:

  • Better business-IT understanding, in which service desk staff are considered part of the business and quickly provide business-focused solutions rather than just keeping the technology turning over.
  • Automated basic support, allowing staff to accomplish password resets, file/printer access, wireless access, and more – all secured in line with company policies, of course – without depending on service-desk staff.
  • New communications channels, which consider the need for quick 24x7 response times for staff and customers. "IT marketing and communication needs to be quick, concise, and always relevant," UXC Consulting warns.
  • Staying up to date, with service desks empowered to support new employee technologies within existing security and process environments.
  • Boosted knowledge sharing, in which service desks find innovative ways to access, store and deliver relevant knowledge to customers who want it available in real time.
  • Improve customer communication so that impatient and challenging customers can be readily dealt with and expectations managed appropriately.

User education, at every level, is critical to manage this change, explains Mescher, as is the adoption of a proactive mentality by security organisations that haven't been known for their proactivity in the past. "We are going to have to get very good at educating our people about what is corporate data and how you deal with that," he says.

"In the past, security often folds its arms and stays in the tent – but you cannot not deal with these services, or bring down the portcullis. There has always been that trust that users will do the right thing, and we're going to have to extend it to tell them their obligations and risks. Security people won't win in this tension, and they have to take a service-minded approach."


Tags: security, IT security managers, IT Service Management (ITSM), BYOT

Comments

Jack G Jessen


Yet again I find myself incredulous at the obviousness that gets stated in security to security communication such as this.

If security practitioners are still standing about with arms folded, salivating at the prospect of bouncing punters who aren't toeing the line according to their view of the world; then the board and/or owners need to re-educate and proactively counsel them, on their needs in the brave new world that has unveiled its digital self in the past decade or so.

Of course the other option is to release them into the physical security world where their mindset is likely to better align with the portcullis mentioned.

Security from the kernel outwards is not a new concept. There are fundamental principles that should be communicated and implemented that are utterly independent of technology.

The biggest impact that individuals and organisations can make to effect ownership of the problem is through awareness. How you increase awareness is through positive communication to your users, organisational leaders, colleagues, friends and family. These should be your primary and consistent target audience.

Security practitioners should stop warbling on about the lack of understanding to each other and get the message out to the broader community; you know, the ones we service, and do so in a more easily digestible manner than is being done thus far.

Regards,

Jack Jessen
