We’ve all been there before: helpdesks deluged by calls from irate users, constant complaints about buggy apps, complicated login procedures or passwords no one can remember. Much-overdue investments in security patches and updates for heirloom software have to be postponed time and again because maintenance and support eat up all the money, and still the boss is under pressure to tighten the belt another notch by slashing the IT budget yet further.

And after all: Isn't IT supposed to be all about reducing costs? What about all those productivity gains and slick business processes? Yes, but cutting IT budgets across the board is rarely a good idea. IT security departments in particular tend to be run on a per-project basis. Despite laudable efforts towards following ITIL and project portfolio management procedures, this way of working can easily distract those in charge from keeping their eye on the big picture.

Tons of resources are routinely consumed by projects emanating from the operational departments, which continue to clamor for quick solutions to their specific problems. And since these guys are pretty good at describing their "business needs" in dramatic terms, they tend to be seen by the powers that be as highly relevant. As a result, budget tends to flow to them and not into badly needed repairs to the IT infrastructure itself.

IT departments need to get two things right. For one, they must focus on the overall needs of the enterprise itself. That's what business-IT alignment is all about. But they must also take the lead in defining strategic projects instead of letting themselves be herded along by business interests.

IT security is a perfect example. Most projects that originate within the business units of the company either neglect security concerns completely or merely pay lip service to them. The suits simply assume that IT will somehow solve the problem somewhere along the way. Isn't that part of their job as providers of infrastructure?

Unfortunately, this attitude can force IT departments to shoulder substantial capital investments that don't seem to belong to the project in question. The whole thing can quickly sink to the level of a classic chicken and egg dilemma.

Anticipating the needs of business

For CIOs and IT department heads, the first challenge is how to anticipate the real needs of their "customers" in the business units. This calls for a deep understanding of the business itself - something that many technicians, who are experts in their own fields, find difficult, to put it mildly.

Besides struggling with the realization that technical expertise isn't always enough to handle the demands of business professionals, IT people are also under pressure to fund the necessary research in order to understand what is driving the other side. This can involve attending meetings or travelling to conferences, reading additional literature and delegating certain tasks to members of their staff who, of course, always seem to have more important things to do. IT departments need to pencil in extra time for this kind of thing above and beyond the hours budgeted for the actual project work. Team meetings are a good venue for exchanging views and information between business units and IT, and they should be used as such.

Web Services and Service Oriented Architectures are a good place to start putting these anticipated business needs to use. That way, IT can ensure that everything is well documented and that security issues are properly addressed from day one. Sadly, in many enterprises such "miracle" technologies as SOA turn out to be just another evil for IT to live with, since business units can't be bothered with things like strategic planning or security architectures - all they want is an application that must be up and running P*R*O*N*T*O! IT departments are left to try and clean up the resulting mess by painstakingly unbundling sloppy SOA systems and adding security as an afterthought.

Poor planning can be habit-forming

Many existing IAM (Identity and Access Management) installations also turn out to be examples of poor strategic planning. Yes, as a rule they can handle the technical requirements, but too often they fail to integrate with newly developed business projects, both in terms of long-term planning and overall control. Instead, they are implemented the way things used to be done back in the 20th century: identities and privileges are stored in silos and have to be jury-rigged to the IAM system.

IT departments should demand strict policies and rules for administering and replacing legacy silos as part of the planning and updating process for existing applications, and new silos should be avoided at all costs. Viable alternatives include identity federation or even claims-based identity management. Both can reduce the load on IT and solve the issues that decentralized identity management brings with it. For IT to take the helm in formulating appropriate guidelines and policies, they need to demonstrate their business acumen and their understanding of the underlying forces that shape decisions within the operative departments of the company.

Transparency is an important factor in establishing a true partnership between business and IT. It can help in establishing the right IT strategy and achieving agreement on the necessary security measures. The results of in-depth risk analysis and internal audits may be painful, but they enable those responsible to judge the eventual business impact of various threat scenarios such as breakdowns, attacks or data leakage.

These meetings need to be meticulously planned. IT professionals should take care to identify low-hanging fruit such as defense measures that can be implemented quickly and easily, and they should aim at raising awareness on the "other side" of the risks that are being taken. IT can provide vital orientation, which in itself is a first step towards avoiding uncoordinated and hasty reactions and stop-gap measures like point solutions that can cause more trouble than they are worth in terms of overall security management. IT should always be ready to pull a solution out of their hat for the problems that are sure to crop up at meetings like these.

Identifying and controlling risk

These individual solutions need to be augmented by a comprehensive security strategy that has the support of the company CSO. Risks that have been recognized and properly evaluated should be addressed through coordinated internal procedures. A good way of doing this is to add up the dollar values of the risks involved and to "monetize" the risk incurred by each stakeholder, demanding that they make corresponding contributions to the overall risk management budget. By accepting budget responsibility, security and IT departments can act in tandem to ensure not only compliance with governance guidelines - in other words, full risk management - but also active mitigation and avoidance of those risks.
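The "monetizing" step above is easy to state and surprisingly contentious in practice, because each business unit argues about how its share was derived. The following added example (not code from the original article) makes the derivation mechanical: it uses the standard quantitative risk-analysis terms single loss expectancy (SLE = asset value x exposure factor) and annualized loss expectancy (ALE = SLE x annual rate of occurrence), which the article does not name and which are assumptions here, sums ALE per stakeholder, and splits a fixed risk-management budget in proportion to each stakeholder's share of the total. The risk register is constructed sample data.

```python
"""Monetize risk per stakeholder and apportion a risk-management budget.

Added illustration, not from the original article. Assumes the standard
quantitative risk-analysis terms (not named in the article):
  SLE = asset value * exposure factor      (single loss expectancy)
  ALE = SLE * annual rate of occurrence    (annualized loss expectancy)
Risk records below are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    owner: str              # business unit that incurs the risk
    asset_value: float      # currency units
    exposure_factor: float  # fraction of asset value lost per incident, 0..1
    aro: float              # expected incidents per year

    def sle(self) -> float:
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        return self.sle() * self.aro


def ale_by_owner(risks):
    """Sum annualized loss expectancy per stakeholder, rejecting bad inputs."""
    totals = defaultdict(float)
    for r in risks:
        if not 0.0 <= r.exposure_factor <= 1.0 or r.aro < 0 or r.asset_value < 0:
            raise ValueError(f"bad parameters for risk {r.name!r}")
        totals[r.owner] += r.ale()
    return dict(totals)


def apportion_budget(risks, budget):
    """Split a fixed budget across owners in proportion to their ALE.

    Shares are rounded to whole currency units; any rounding remainder goes
    to the largest contributor so the shares always sum exactly to the budget.
    """
    totals = ale_by_owner(risks)
    grand = sum(totals.values())
    if grand <= 0:
        raise ValueError("no quantified risk to apportion")
    shares = {owner: round(budget * ale / grand) for owner, ale in totals.items()}
    remainder = budget - sum(shares.values())
    shares[max(shares, key=shares.get)] += remainder
    return shares


# Constructed sample register: three stakeholders, four risks.
SAMPLE_RISKS = [
    Risk("customer DB leak",         "Sales",      2_000_000, 0.25, 0.10),  # ALE  50,000
    Risk("legacy ERP outage",        "Finance",    1_000_000, 0.10, 0.50),  # ALE  50,000
    Risk("ransomware on file share", "Operations",   500_000, 0.80, 0.25),  # ALE 100,000
    Risk("web portal defacement",    "Sales",        100_000, 0.50, 0.20),  # ALE  10,000
]

if __name__ == "__main__":
    for owner, ale in sorted(ale_by_owner(SAMPLE_RISKS).items()):
        print(f"{owner:<11} ALE {ale:>10,.0f}")
    # Sales 60,000 / Finance 50,000 / Operations 100,000 of a 210,000 total,
    # so a 300,000 budget splits roughly 86k / 71k / 143k.
    print(apportion_budget(SAMPLE_RISKS, 300_000))
```

The point of the rounding remainder is that the allocation must reconcile to the cent with the budget the CSO actually holds; a proportional split that is off by a few units invites exactly the kind of argument the procedure is meant to end.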

By being able to draw on a separate "budget pot", IT can finance appropriate infrastructure investments or improvements meant to facilitate risk management. It can also help reduce indirect IT and infrastructure costs which hitherto had to be apportioned throughout the company - never a good way for IT to make itself popular and win friends. Once a framework of IAM and GRC tools has been created, IT can reuse it again and again for new applications and systems at little or no extra cost.

Application and lifecycle management systems are also important elements in any future-facing IT (security) management environment. They help define requirements for the applications themselves, as well as for their implementation, improvement, customization, and deactivation. This brings obvious advantages from an IT security perspective: obligatory updates such as moving from an old Java environment to the latest version can be accomplished in a controlled fashion and under an established budget.

Similarly, IT departments can exercise better control over weak points in client and server operating systems (if this isn't already part of their asset and license management solutions) as well as in applications and tools. This will enable them to discover, evaluate and eliminate the corresponding risks, either manually or automatically. Web-based applications, which are growing increasingly popular, should also be monitored in this way.

Getting more traction from IT innovation

In sum it can be said that IT managers must increasingly be ready to accept direct responsibility as opposed to simply providing a service. This calls for a new awareness, literally a new self-image, both on the part of IT and information security professionals. This in turn will go far towards correcting the imbalance between the performance delivered by IT and the esteem in which it is held within the company. Today, most IT departments find themselves in the role of low man on the totem pole. Climbing up the acceptance ladder will require commitment and hard work along with the determination to drive innovation. The part IT plays in enabling the business units needs to be highlighted in order to make them appreciate the contribution being made by IT to the company as a whole. CIOs and IT heads need to communicate these contributions more aggressively instead of hiding their light as usual under a bushel.

But first, IT professionals need themselves to understand just how important their daily work is to the success of the company and how vital IT security is to the ongoing, uninterrupted running of its business. IT has a big role to play in creating innovation of its own, and not just when business tells them what to do.