Why IT needs to drive the risk conversation
No one is having an honest conversation about risk -- and that's putting IT between a rock and a hard place. Here are seven ways to change the dialogue.
Computerworld - It's a familiar complaint: Executives from a business department learn about a new, often cloud-based product and they want to try it. Only they can't, because IT has decreed that this wonderful new product creates too much risk. The frustrated business execs gripe that IT is standing in the way of progress. As one business executive said, IT is "where dreams go to die."
The problem might not lie in some stubborn dislike by technology professionals for innovative new products. The problem, CIOs and other experts agree, is that most organizations don't have a realistic, balanced or mature system for evaluating and making decisions about technology risk. Especially the risk that always comes with implementing something new.
"Somebody, typically in a line of business, has some SaaS product they want to use, and they provide a business case for it: 'Here's all the good stuff that can result from the use of this. It'll make my numbers. I can access it from anywhere,'" says Jay Heiser, an analyst at Gartner.
At that point, IT is asked to determine whether the software in question is safe to use. "Then starts a farcical attempt to prevent something bad from happening," says Heiser. Ensuring complete indemnification for any losses suffered in the event of a breach likely means inserting provisions into the vendor's standard contract. "These are cookie-cutter products; the company has 30,000 customers. They're not going to negotiate contracts," he says.
Next come questions about the cloud provider's security practices, but here again, Heiser says, it's difficult or impossible to construct a questionnaire that will fully determine that the provider will keep data secure. A site visit might be helpful, but the sheer volume of customers will make it impossible for the provider to welcome most of them. And even when you are standing at a provider's facility looking straight at its servers, that doesn't give you access to the person who wrote the code.
In short, there is no way to guarantee security, especially that of a cloud-based product, Heiser says. And therefore, IT professionals tend to take the simplest path and decline to give their approval, which in turn earns them a reputation as dream-killers. It's a setup that guarantees frustration on all sides, and one that's more than ripe for adjustment.
But changing it requires seriously rethinking how businesses work with IT to make technological decisions. That won't be easy, but here are some places to start.
1. Let CIOs Off the Hot Seat
Talk to any CIO long enough on the subject of technology risk, and one company name is likely to come up: Target. The retailer suffered a widely publicized data breach compromising a total of 110 million credit cards in December and January -- a number that's equivalent to more than one-third of the U.S. population, assuming all the cards belonged to different people. As the dust settled and lawsuits were filed, no one was surprised when Target CIO Beth Jacobs tendered her resignation.
Jacobs had been on the job about six years, putting her right at the average CIO tenure according to CIO magazine's 2014 State of the CIO survey. That's a fact worth noting because behind it lies a darker truth: Most CIOs assume they're always one big tech failure away from losing their jobs. "I don't know if she did a good job or not, but she got fired," Heiser says. "In practice, if something breaks, they'll go looking for a scapegoat." Because CIOs face that reality, he adds, it's easy to see why most of them are motivated to make "extremely conservative decisions."
- VDI and Beyond: Addressing Top IT Challenges to Drive Agility and Growth This paper explores a collection of compelling FlexCast services to highlight how XenDesktop can drive a modern, mobile workforce toward greater agility and...
- Mission Critical: Managing Mobile Applications & Content Smartphones, tablets and other mobile devices have become embedded in enterprise processes, thanks to the consumerization of IT and a new generation of...
- The Challenges and Opportunities of Mobile Application Development Nearly all business users now demand mobile devices--their own or company-owned--along with anywhere access to corporate applications and data. What turns mobile devices...
- Maintain Less. Create More. Spend less on maintenance and spend more time creating with Red Hat Enterprise Linux. Read on to learn how Red Hat can help...
- On Demand: Mastering the Art of Mobile Content Management Mobile device usage in the enterprise has skyrocketed, and it continues to escalate. IT must answer to users who demand access to their...
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different.... All Management White Papers | Webcasts