Businesses are losing patience with IT at the worst possible time: just when companies are becoming more aware of enterprise risk.
Rob Livingston, a private IT consultant addressing the NetIQ Agile Security breakfast in Sydney, told delegates that if IT is having trouble convincing enterprises of the need to deal with security, it's the sector's own fault.
“The IT industry hasn't exactly showered itself with glory when it comes to significant enterprise IT projects,” he said.
Businesses, he said, are demanding that IT comply with the “eternal love triangle” of simplifying projects, accelerating them, and cutting cost – and their lack of faith in IT means these combine to create a pressure that is “already trumping good governance and project management, good application development, and good audit.”
Enterprises are finding it difficult to identify systemic risks – even when risk management is at the core of the business (such as how the finance industry found itself unable to identify the systemic risks that ultimately led to the GFC).
Technical risk, Livingstone said, is much easier to identify – partly because our technologies still tend to align with the business silos that can make it harder to identify systemic risks.
The addition of cloud computing into an already-vulnerable environment is highly volatile, Livingstone noted. A managerial demand for a move to the cloud – because this is seen as simpler and cheaper – can become a crisis when the cloud provider announces on Tuesday that it is implementing a major version change on the coming weekend.
Having made its business and applications dependent on a cloud provider – having embedded the cloud software's API calls deeply into different business applications, for example – the customer will find itself scrambling to comply with the upgrade, and probably fail.
Livingstone offered five guidelines to achieving an agile security policy:
- An over-reliance on standard methodologies is self-limiting
- CIOs need to manage the conflicting messages that business is receiving about security
- Companies need to find a way to both manage and embrace the “shadow IT” BYOD world
- Businesses need to identify the systemic risks that exist in their IT environments
- It's dangerous to gloss over complexity just to make your pills easier for managers to swallow.