Content Copyright © 2006 Bloor. All Rights Reserved.
Let’s face it, doing IT security is a tough gig. You face pressures from users, from your boss and from legislation. And then you have to stay on top of constantly changing technology.
Those involved with building secure IT infrastructures are sometimes, through no fault of their own, badly supported for the task. This lack of support often stems from the executive team, who have little or no knowledge of security issues and see related tasks as big cost centres with little fiscal return.
It is only by recognising and then carefully addressing this issue that IT managers and the IT security team, working in partnership with vendors, can build an Assured business.
The Assured Business—a Definition
By Assured we mean a business that is capable of being successful, in conventional terms, without fear that the supporting physical and logical IT infrastructure will be wiped out.
This could be caused by external threats such as a hacker thousands of miles away producing malware or, even more worryingly, by systems brought down by an irate employee with a point to prove.
There are a number of indicators that would suggest a business is anything but Assured and, as such, vulnerable to security breaches. These include:
- No IT security policy and no acceptable use policy for users.
- IT security ignored by the board as being too costly and a distraction from running the core business.
- User anarchy, with inappropriate use of email and web sites.
- Use of illegal or inappropriate software.
- Poor or non-existent password usage and client security.
- Proliferation of virus/malware attacks and excessive spam email traffic.
- Theft of corporate data such as customer lists.
- No use of software patching or maintenance programs.
- Response to security breaches completely random, placing extensive pressure on junior IT staff.
- High turnover of IT staff, high sickness levels, low morale.
- IT budget, if it exists, allocated in one pot with no contingency.
Creating an Assured business can often be a battle of wits between threats and internal politics. The implementation and subsequent ownership of an IT security policy can be seen by non-IT managers as a threat to their powerbase as decisions about user access and activity are seen to rest with technical rather than business people.
For many the executive board will be the biggest challenge they face in implementing an Assured business. Both the security team leadership and vendors have a part to play in successfully engaging with an executive board and deploying an Assured business.
Vendors and the Assured Business
The temptation for many vendors in the IT security market is to over-complicate and obfuscate. Some believe that the 1980s strategy of creating fear, uncertainty and doubt will scare business decision makers into buying their products by the bucketload. In reality this game was finally rumbled in the early 2000s with the crash of Web 1.0 and the realisation by the business world that information technology had been taking some of them for a ride for the previous 20 years.
Business decision makers nowadays are savvy buyers that will not upgrade to the next version of word processing software just because it has more “smart features” or “wizards”. Instead they want cold bottom-line business benefit. The last resort of the desperate vendor, to withdraw support for the software, only ups the stakes and forces decision makers to go elsewhere. Look at the growing number of organisations evaluating open source operating systems and office productivity tools, many on the basis that they are fed up with an incumbent supplier forcing their hand against their business needs.
There should be honest and accurate data made available to the business to demonstrate when an IT security investment will see a return. If the return is over five years then vendors must say so. Trying to fool the board will only backfire, if not immediately then sometime in the future.
The IT Security Manager and the Assured Business
As IT security experts it is in all our interests that we work to advise business budget holders to spend their IT money wisely. The guiding hand of the IT security manager should be seen as friendly and helpful, working in the same direction as the business. Operating as a security “droid”, strictly applying petty rules, can quickly destroy respect and lead to ridicule.
We need a breed of security technician that is capable of evaluating the business rationale for a piece of technology, intelligently weighing up the pros and cons of an investment and then clearly articulating this to the board, balanced against those executives’ objectives and measurables.
The IT security manager must be an influencer first and an engineer second. They need to be adept at the psychology of management and leadership and be able to clearly and simply explain their proposition to the board. For many this may be a harsh process and go against their passions for the latest technology.
For others it will be more straightforward.
IT professionals involved in the procurement process will be quickly sidelined if they fail to demonstrate these skills. Those that are skilled as an influencer will see their careers significantly enhanced.
It is suggested that the IT security industry consider and debate the following questions:
- How do we get a board fully behind IT security? For those committed to the security cause it is manifest craziness that others “don’t get it”. Maybe the reason is that the industry is failing in its duty to communicate effectively?
- How can the vendor community help when selling to a disinterested board? This needs to be tangible and practical assistance in producing well thought out and articulated cost benefit studies. The days of a three hour PowerPoint presentation winning a deal disappeared a long, long time ago.
- How can we turn an executive team into raving fans of what we do? If we can’t then we are doing something very wrong. IT is often seen as a function that only ever achieves its objectives, rarely exceeds them. We need strategies and tactics in place that demonstrate what a great job the IT security team are doing.
- What tools and assistance can an IT manager rightfully expect from a security vendor when trying to introduce new technology? This needs to be way more than a set of collateral and a case study. We should expect our vendors to truly understand our business and political issues and be part of the solution process. If a vendor cannot offer you a suitable level of engagement then their involvement needs to be questioned. Remember that this support needs to be ongoing—that includes after the contract has been signed.
- How is failure to achieve a successful procurement managed to ensure that both the vendor and IT manager remain with reputations intact? We all make mistakes; purchases that look compelling one day may fail to gain the support of the board the next for a host of reasons. As long as the IT security team and vendor do their job, matching technology to business drivers and formulating an honest appraisal of the technology, then they should be able to ride out any potential reputational issues.
There is no one answer for every organisation when it comes to IT security. What there does need to be is an energetic debate that helps answer some of the key questions and in turn equips IT managers and vendors alike with the skills to sell, implement and deliver business benefit from IT security—and the Assured business.