Where Data Security Fits in Two-Speed IT

“Where does security fit in bi-modal IT departments?” asks Mary K. Pratt on CSO Online. She explores the question with IT leaders from a handful of organizations, opening her discussion by noting:

“The bi-modal idea has its benefits and its pitfalls but the determination seems to come down to the size of the enterprise. In the mid to smaller companies, there is not the luxury of splitting the security group out into subgroups. In the bigger companies the question becomes where do the security folks belong.”

Though the CIOs she speaks to take different approaches to managing bi-modal or two-speed IT, they generally agree on two points:

1) It’s best to perform both speeds or modes of IT–innovation and operations–in one centralized group, rather than in two separate teams where the innovators “throw things over the wall” to operations as applications are developed.

In this structure, the same individuals work on both innovation initiatives and day-to-day operations tasks, though overall a greater share of time is spent on operations, and employees vary in how much time they spend on each type of work.

2) Security has become so important, as cyber threats have multiplied, that it must be baked into new projects, not added later as an afterthought. Ultimately though, security “should sit in operations.”


New CIO Role: Eight Ways to be a Chief Integration Officer

The confluence of disruptive business models, emerging technologies (cloud computing, IoT, wearables) and the consumerization of IT has dramatically redefined the role of the CIO. While there’s no question the CIO’s job description is evolving (a Google search for “changing role of the CIO”–in quotes–yields more than 30,000 results), there’s no clear consensus on exactly what that means.

But a recent research report from Deloitte and accompanying summary suggest a new twist on the title: the CIO as “chief integration officer.” In this role, the CIO “integrates” technology, ideas, and processes across business functions to drive innovation and improve business performance.

The full report is well worth investigating, though it runs to 150 pages; the summary is an informative, quicker read.

New Definitions Added to the Ultimate ITSM Glossary

As noted here previously, there are numerous words, phrases, and acronyms which are either unique to the IT service management and ITIL world, or have a specific meaning within those contexts.

To help clarify these terms and concepts, Kinetic Data has compiled definitions for nearly 60 items in our ITIL – ITSM glossary.

But the IT discipline is constantly evolving, with new practices, technology, concepts, models, trends and ideas being introduced. Reflecting these ongoing changes, four new entries were recently added to the glossary of ITSM terms.

DevOps

Few terms in the realm of ITIL and IT service management are as controversial to define as DevOps; there seem to be nearly as many definitions as there are people trying to define it.

Five Ways to Use Process Automation to Prevent Corporate Data Breaches

The increasing sophistication of data thieves, proliferating number of potential breach points, and growing value of stolen data combined to drive the number and cost of data breaches to new highs last year. And the risks to enterprises continue to expand.

But despite the growing threats, many enterprises remain woefully unprepared—even after investing in IT security solutions. According to recent research from Lieberman Software reported in Infosecurity magazine, “69 percent of (IT professionals) do not feel they are using their IT security products to their full potential. As a result, a staggering 71 percent…believe this is putting their company, and possibly customers, at risk.”


How to Improve Enterprise Data Security AND Increase Efficiency

From serious breaches of customer data at Target, Home Depot and other major retailers to leaked private celebrity photos, data security issues seem to be everywhere in the news.

The circumstances and causes behind each intrusion vary. But the costs to business are substantial and nearly always include lost sales, legal expenses, and reduced customer confidence.

As the malicious exploits become more sophisticated, enterprises must constantly reassess their tools, policies and processes to keep sensitive information secure. In some instances, security improvements require significant new investments. But often, access—both digital and physical—can be made more secure while efficiency is simultaneously improved.

Frequently, organizations optimize security based on best practices within each functional area. This may (or may not) be effective, but from the perspective of the enterprise, it’s clearly not efficient.

A new white paper explains how enterprise request management (ERM) provides a better approach to securing access, both to facilities and systems. An ERM strategy combines a single, centralized web portal for requesting any type of enterprise service with a workflow automation engine that orchestrates approvals, scheduling and fulfillment by communicating with and between in-place enterprise and departmental management and control systems.

In the ERM approach, all of the information needed to arrange specific security clearances for a new employee, contractor, or project team is entered (and validated) only once. All back-end tasks (e.g., conducting background checks, setting up a corporate email account, printing a security badge) are automated per pre-defined rules and workflows.

The result is more accurate information, reduction or elimination of manual tasks, and reduced risk of any aspect of the secure access process being missed. Security and efficiency are both enhanced.
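The access-provisioning workflow described above, as an added illustration that is not Kinetic Data’s code or the white paper’s: a request is validated once at intake (including a least-privilege check that the requested systems are permitted for the role), fulfillment steps are driven by a rule table, and access is granted only if every required step completed, so nothing is silently skipped. The roles, steps, and the `demo_runner` back end are constructed for the example.

```python
"""Toy enterprise-request workflow for provisioning a new hire's access.

Added example, not Kinetic Data's code. Roles, steps, system names and the
back-end runner are assumptions made up for the illustration.
"""
from dataclasses import dataclass, field

# Constructed rule table: the fulfillment steps each role requires, and the
# systems a role is allowed to request at all (least privilege by default).
ROLE_RULES = {
    "contractor": {
        "steps": ["background_check", "email_account", "security_badge"],
        "allowed_systems": {"ticketing"},
    },
    "engineer": {
        "steps": ["background_check", "email_account", "security_badge", "vpn_account"],
        "allowed_systems": {"ticketing", "source_control", "ci"},
    },
}


@dataclass
class AccessRequest:
    requester: str
    role: str
    systems: set[str]
    sponsor: str = ""  # approving manager; required before anything runs


@dataclass
class FulfillmentResult:
    granted: bool
    completed: list[str] = field(default_factory=list)
    audit: list[str] = field(default_factory=list)
    errors: list[str] = field(default_factory=list)


def validate(req: AccessRequest) -> list[str]:
    """Validate the request once, at intake, before any back-end task runs."""
    errors = []
    if not req.requester.strip():
        errors.append("requester is required")
    if not req.sponsor.strip():
        errors.append("sponsor approval is required")
    rules = ROLE_RULES.get(req.role)
    if rules is None:
        errors.append(f"unknown role: {req.role!r}")
    else:
        extra = req.systems - rules["allowed_systems"]
        if extra:
            errors.append(f"systems not permitted for role {req.role}: {sorted(extra)}")
    return errors


def fulfil(req: AccessRequest, runner) -> FulfillmentResult:
    """Run every required step; grant access only when all of them succeeded.

    `runner(step, req)` stands in for the call into a back-end system (HR,
    mail, badge printer, identity provider) and returns True on success.
    """
    result = FulfillmentResult(granted=False)
    result.errors = validate(req)
    if result.errors:
        result.audit.append("rejected at intake")
        return result
    required = ROLE_RULES[req.role]["steps"] + [f"account:{s}" for s in sorted(req.systems)]
    for step in required:
        ok = bool(runner(step, req))
        result.audit.append(f"{step}: {'ok' if ok else 'FAILED'}")
        if ok:
            result.completed.append(step)
        else:
            break  # fail closed: stop provisioning on the first failure
    missing = [s for s in required if s not in result.completed]
    result.granted = not missing
    if missing:
        result.audit.append(f"access withheld; incomplete steps: {missing}")
    return result


def demo_runner(step, req):
    """Constructed back end: every step succeeds except one failed background check."""
    if step == "background_check" and req.requester == "mallory":
        return False
    return True


if __name__ == "__main__":
    ok = fulfil(AccessRequest("alice", "engineer", {"ticketing", "ci"}, sponsor="eng-manager"), demo_runner)
    bad = fulfil(AccessRequest("bob", "contractor", {"source_control"}, sponsor="pm"), demo_runner)
    print(ok.granted, ok.audit)
    print(bad.granted, bad.errors)
```

The audit list is the point a practitioner cares about: because the required steps come from the rule table rather than from whoever is typing the request, the completeness check at the end catches a badge that was never printed or an account that was never created, and a contractor cannot ask for systems outside the contractor role without the request being rejected before any back-end work starts.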

Download the new white paper, Safe and Sound: How Enterprise Request Management Improves Process Efficiency While Reducing Security Risks, to get the complete story.

Four Ways CIOs Can Embrace Consumerization 2.0 and Help the Business

Consumerization is the most sweeping change in IT in the past 20 years. Millennial workers, who’ve grown up with mobile phones, social networks and ecommerce sites, are bringing their personal technology to work—and not just asking IT to adapt, but increasingly working around it.

As Frank Palermo notes in his InformationWeek article, Hey CIOs, Stop Saying ‘No’ To Consumer Tech, “According to Gartner, in 2012-2013, 64% of enterprises said mobility projects forged ahead without the full involvement of IT.” Employees are bringing their own mobile devices to the office, storing company data with consumer online services like DropBox, and in some cases developing custom cloud-based apps, even in heavily regulated industries which have resisted these trends until recently.

Of course, consumerization 2.0 and its manifestations do not mean the end of IT as a vital function. Recent high-profile data breaches such as those at Target and Home Depot serve as bracing reminders that it’s imperative to keep corporate data secure, and that requires management by IT professionals.

Contending that “Security and other new challenges arising from the consumerization movement mean that CIOs need to make sure that services are secured, tested, reliable, and integrated into the enterprise application stack,” Palermo outlines four best practices CIOs can use to “establish themselves as formidable business partners, avoid shadow IT, and, most important, remain relevant.”

Design for mobile first. Considering that smartphones and tablets now account for more than half of all Internet access, that’s not a bad strategy. At the very least, mobile access should be taken into consideration in the early stages of designing any new business applications.

One valuable approach is to design what Forrester Research calls smart process apps, or SPAs. The technology advisory firm defines these as “a new category of business application software designed to support processes that are people-intensive, highly variable, loosely structured, and subject to frequent change. Smart process apps fill the gap between systems of record and systems of engagement by automating both structured and unstructured work activities in support of collaborative processes.”

By narrowing what is truly needed by your users due to the restrictions of screen size, application designers are forced to simplify what are often complex user experiences. This simplicity is often what consumers crave and is seldom found in enterprise applications. These core processes can then often be translated to desktop interfaces leading to a cleaner, more flexible approach.

Leverage the cloud. As noted here previously, “Business application developers working within large enterprises want to build applications in the cloud. But they would prefer to spend their time coding and testing, not managing cloud infrastructure.” Users, too, often favor cloud applications for functions like file storage, collaboration, and project management.

IT needs to provide users either with safe ways to utilize commercial services or with company-approved alternatives that protect vital data. Whether providing cloud services and applications to developers or users, IT can use an enterprise request management (ERM) approach to provide users with a single, intuitive portal through which they can compare and request those services and apps based on their capabilities, costs, and other information.

Protect and secure mobile devices. Interest in using personal mobile devices at work (BYOD) skyrocketed starting in late 2011. Many IT groups initially resisted this movement, but as remote management tools improved and the potential for cost savings became apparent—not to mention strong preferences on the part of employees to utilize their personal smartphones over company-supplied Blackberrys—they began working to accommodate these devices rather than shun them.

Though security concerns remain, the use of training and awareness-building, combined with improved tools for securing devices and their data, has increased business and IT acceptance of BYOD. Generally, organizations that have embraced BYOD have reduced their mobile access and hardware costs, improved flexibility, and made their employees happier.

Be social. Palermo recommends enterprises use internal social discussion tools such as Yammer “that invite all levels of the organization, without hierarchy, to exchange ideas or voice concerns.”

Facebook and Twitter aside, social capabilities can also be built into business tools and applications for functions such as discussing business metrics and collaboratively resolving enterprise-level problems.

Though consumerization adds challenges and complexity to the roles of the CIO and IT staff, it also provides new opportunities to respond to user needs and even proactively offer new capabilities that are an extension of cloud, mobile and social technologies.


Practical Ways to Bridge the Gap Between IT and The Business

Every successful enterprise, obviously, relies on a range of skillsets within the organization: strategic, financial, promotional, technical, managerial, inspirational, and interpersonal. But why is the “technical” component–IT groups in particular–so often criticized for being disconnected or out of sync with “the business”? In contrast, no one ever complains that their company’s accounting department is holding back the organization’s forward progress.

Mark Thiele, in the InformationWeek article Sync IT And Business Like A School Of Fish, writes:

“Keeping IT and business in sync is not a new goal — it’s been discussed for years…Even when the business removes political and functional barriers, there are serious limitations in how quickly and effectively IT can respond. The limitations of legacy IT relate to the difficulty of effecting change…The fact is, businesses have historically always acted faster than IT, and new digitally driven business models will only widen the chasm.”

His recommendation is an approach he terms “composable IT”–essentially, basing the delivery of operational capabilities “on services outside the enterprise datacenter” in order to more deftly adapt to “mobility, cloud, SaaS, wearable tech, the Internet of Things,” and other emerging trends in this era of disruptive IT change.

The recommendations in this article are, for the most part, thoughtful and productive; particularly in terms of how training and incentive systems will need to change in order to accelerate adoption. But discussions of the “chasm” between IT and the business too often paint IT professionals as resistant to change, or even opposed to new business technologies.

That’s nonsense, of course. Everybody in business (that includes IT professionals) wants to be the hero: to exceed expectations, improve the bottom line, bring new capabilities to the enterprise, enhance productivity, reduce costs, and still be home in time for dinner.

Given the wave of new cloud-based and mobile capabilities washing over the business world, IT groups undeniably need to evolve practices to be more nimble and agile. But business leaders and users in other functional areas also need to understand that sometimes there are extremely valid reasons to wait, or at least proceed with caution, that are indeed in the best interests of “the business.”

Here are three practical ways to productively bridge the perceived gap between IT and other business functions, and move forward in ways that embrace change without discarding prudence.

Recognize the importance—to the business—of system and data security. As noted here previously, the attitude of IT groups in general toward the BYOD trend changed dramatically in just 24 months; in some companies, from forbidding the use of employees’ own devices for work to demanding it.

IT leaders weren’t wrong to be cautious of employees using their personal devices to access business systems back in 2011, when data security, anti-theft, data backup, and device management tools were weak or lacking, any more than they’ve been wrong to shift to a more embracing approach as those tools have matured (though some security concerns remain).

Data security is a business concern, not just an IT worry. The average cost of a data breach is $3.5 million, and includes not just direct loss but also loss of customers (and customer confidence) and, in many cases, negative media coverage.

The challenge for IT leaders is to communicate the risks of poor data security in business terms. It’s not that the latest mobile business intelligence app isn’t really cool and useful, it’s that CIOs don’t want to risk millions of dollars and the company’s reputation on an untested and insecure connection to corporate data.

Don’t “throw out the baby with the bathwater.” Without delving into the origins of that idiom, in this context it means: don’t presume it’s best to throw out those dusty old legacy applications and replace them all with cloud-based apps. In many mature enterprises, core legacy applications remain vital in storing customer and financial data and running fundamental business processes.

That said, applying intuitive, web-based, mobile-friendly systems of engagement to legacy management and control systems of record increases enterprise agility and flexibility, as well as the speed with which IT can respond to changes in the business, without the difficulty and risk of modifying core legacy application code.

Empower business users to create their own solutions (using approved tools). One example of this is in enterprise request management (ERM) rollouts; graphical mapping tools enable business process owners in any department (e.g., HR for PTO requests, facilities for conference room reservations) to design, test, optimize, and deploy their own workflow processes–with minimal IT assistance.

ERM represents, in many ways, the ideal approach to the new IT paradigm; give users information about the options, capabilities, and costs of different approaches to solving business problems, then enable them to choose from a (tested and approved) set of alternatives.

To respond to rapid change, in both business practices and technology, IT groups need to adopt approaches and processes that support speed and flexibility. As Thiele and other authors point out, some old beliefs and practices will need to be discarded. But prudence, maintaining a clear-eyed view of data security, and leveraging existing investments wherever possible will never become obsolete.
