Lost patience with IT risks creating lost opportunities in security

Businesses are losing patience with IT at the worst possible time: just when companies are becoming more aware of enterprise risk.

Rob Livingstone, a private IT consultant addressing the NetIQ Agile Security breakfast in Sydney, told delegates that if IT is having trouble convincing enterprises of the need to deal with security, it's the sector's own fault.

“The IT industry hasn't exactly showered itself with glory when it comes to significant enterprise IT projects,” he said.

Businesses, he said, are demanding that IT comply with the “eternal love triangle” of simplifying projects, accelerating them, and cutting cost – and their lack of faith in IT means these combine to create a pressure that is “already trumping good governance and project management, good application development, and good audit.”

Enterprises are finding it difficult to identify systemic risks – even when risk management is at the core of the business (consider how the finance industry found itself unable to identify the systemic risks that ultimately led to the global financial crisis, the GFC).

Technical risk, Livingstone said, is much easier to identify – partly because our technologies still tend to align with the business silos that can make it harder to identify systemic risks.

The addition of cloud computing into an already-vulnerable environment is highly volatile, Livingstone noted. A managerial demand for a move to the cloud – because this is seen as simpler and cheaper – can become a crisis when the cloud provider announces on Tuesday that it is implementing a major version change on the coming weekend.

Having made its business and applications dependent on a cloud provider – having embedded the cloud software's API calls deeply into different business applications, for example – the customer will find itself scrambling to comply with the upgrade, and probably fail.

Livingstone offered five guidelines to achieving an agile security policy:

  • An over-reliance on standard methodologies is self-limiting

  • CIOs need to manage the conflicting messages that business is receiving about security

  • Companies need to find a way to both manage and embrace the “shadow IT” BYOD world

  • Businesses need to identify the systemic risks that exist in their IT environments

  • It's dangerous to gloss over complexity just to make your pills easier for managers to swallow.

Stories by Richard Chirgwin