“Where does security fit in bi-modal IT departments?” asks Mary K. Pratt on CSO Online. She explores the question with IT leaders from a handful of organizations, opening her discussion by noting:
“The bi-modal idea has its benefits and its pitfalls but the determination seems to come down to the size of the enterprise. In the mid to smaller companies, there is not the luxury of splitting the security group out into subgroups. In the bigger companies the question becomes where do the security folks belong.”
Though the CIOs she speaks to take different approaches to managing bi-modal or two-speed IT, they generally agree on two points:
1) It’s best to perform both speeds or modes of IT–innovation and operations–in one centralized group, rather than two separate teams where the innovators “throw things over the wall” to operations as applications are developed.
In this structure, the same individuals work on both innovation initiatives and day-to-day operations tasks, though overall a greater share of time is spent on operations, and employees vary in how much time they spend on each type of work.
2) Security has become so important, as cyber threats have multiplied, that it must be baked into new projects, not added later as an afterthought. Ultimately, though, security “should sit in operations.”
Structurally, that approach seems to make sense. Security needs to be a core element, but needn’t affect the speed of IT. Here are three additional considerations when determining where security fits in IT functions.
Centralize, Don’t Departmentalize
Security takes different forms (physical, system, and data access), and in large organizations different functional groups frequently develop their own specific security practices over time. While each group’s security precautions may be effective on their own, a decentralized approach is inefficient and can leave “gaps” in protection (e.g., employees having access to email accounts of ex-employees).
A better approach is to use an enterprise request management (ERM) strategy to centralize security efforts, improving both data security and efficiency. In this approach, all of the information needed to grant appropriate physical and systems access to a new employee (or to shut down such access when an employee leaves) is entered only once, and back-end processes (setting up email accounts, assigning temporary passwords, etc.) are automated using predefined rules and workflows.
This white paper explains in more detail how to apply the ERM approach to enterprise data security.
Use Process Automation to Enhance Security
Automating security aspects of employee onboarding and offboarding is, as noted above, one way process automation can help protect corporate information assets.
But automating processes can also improve security in areas like BYOD (by triggering remote installation of required software on devices as they are registered, using third-party tools) and in enforcing security training requirements, periodic password resets, and installation of software updates and patches.
Have a Plan to Respond to Data Breaches
While proactive security measures are vital and will prevent most intrusions, the increasing level and sophistication of cyber crime make it nearly inevitable that most organizations will get hacked at some point.
Even if you hope never to need it, it’s crucial to have a plan and collaboration software in place to respond to a data breach, identify the point(s) of failure, apply necessary patches or fixes, and get mission-critical applications and networks back up and running (securely) as quickly as possible.
While there’s no single right technology or structural approach to information security for every organization, there are general principles with broad application. As the IT leaders quoted by Pratt note, “security has to be part of every discussion” now, given the severity and variety of cyber threats.
In addition, “It’s easier to maintain security when you’re more centralized. It sort of bakes (security) into the way you do these (operations and innovation) processes.” Take advantage of process automation to minimize threats from common risks. And just in case a breach does occur, have a plan and collaboration capabilities in place to react quickly and effectively.