Improved IT security must begin with a cultural shift
- 26 September, 2017 01:44
For many years, IT departments and their infrastructures were managed under a strict command-and-control structure. This situation is now rapidly changing, and CIOs need to change with it.
With the rise of cloud computing, a host of new IT services are now on offer to business users. Rather than needing to go cap-in-hand to the IT department to request new capacity or capabilities, they can simply go shopping for it themselves.
The trend has been dubbed Shadow IT and occurs when a team or department goes directly to a service provider to secure required technology resources. It might be additional data storage or a hosted CRM system to support a planned marketing campaign, or teams might need extra server capacity to support product development.
In such cases, the corporate IT department can find itself bypassed. Users establish a relationship with a suitable provider, and pay for their services as an operational expense.
A shift in culture
When shadow IT initially appeared, the knee-jerk reaction taken by many CIOs was to try and stamp it out. Keen to maintain their commanding position, and the security of their infrastructure, they wanted to remain the gatekeeper for all technology used within their organisation.
It didn't work out that way. Today, increasing numbers of CIOs are recognising that shadow IT projects are going to continue to appear as businesses undergo a process of digital transformation.
The modern CIO needs to put agility and serving the needs of the business ahead of any inherent desire to control every aspect of technology. Any who continue to regularly say ‘No’ to business requests will, at best, become less relevant and, at worst, be shown the exit door. The primary responsibility of the CIO and IT department is to understand what the business needs to do to succeed, and to find ways to make that happen.
While some CIOs will jump at the opportunity to partner more fully with the business, others may never make the transition. Any who cannot rise to the challenge are likely to see the CEO and board of directors turn to others for strategic IT insight and planning. This could result in a Chief Strategy Officer or Chief Digital Officer rising to the top, while traditional IT chiefs find themselves relegated to a supporting role.
The challenge of security
The rise of shadow IT also requires a shift in security strategy away from the setting of security-specific goals. The reality is that security doesn’t have goals of its own - the business has goals, and security metrics and actions must fold into those goals.
What effective security requires is rules based on clear business goals. However, if you set security goals that don’t resonate and align with the business goals, users and customers will simply find ways around them.
This can be a tough message to deliver to a CEO and the board, especially given the fact that they have made significant security investments over the years based on goals created by the IT department. If, for some reason, IT and security chiefs are not being invited by the board to advise and consent, it’s a sure sign they’re already out of step with the business. This is a clear warning sign that it’s time to change the cyber security culture.
The job of the CIO, and CISO, today is not to lobby for budgets to purchase more endpoint protection or network hardware. It is to help the business grow while managing risk, and the sooner they come to grips with that, the more manageable the challenge will become.
Most CIOs and CISOs today are, in all likelihood, focusing on mitigating security incidents without factoring in the business impact of each incident. As a result, they default to a lowest-common-denominator approach, in which applying equal protection to the least-critical assets actually leaves the most-critical assets exposed to harm.
The competitive environment, and the impetus driving digital transformation, are not conducive to placing security barriers in the path of business strategy. The job description of tomorrow’s CIO and CISO will be less about certifications, and more intensely focused on business enablement.
Topping the list of job requirements will be the ability to confer with business counterparts to find ways to foster business growth and innovation, while protecting infrastructure components to the appropriate level of risk acceptance.
The ongoing challenge is to provide secure enablement for the business without creating a false expectation of fool-proof prevention - and this requires a change in culture that can only come with a fundamental rethinking of the ways we manage IT and security.