Why IT needs to drive the risk conversation
No one is having an honest conversation about risk -- and that's putting IT between a rock and a hard place. Here are seven ways to change the dialogue.
Computerworld - It's a familiar complaint: Executives from a business department learn about a new, often cloud-based product and they want to try it. Only they can't, because IT has decreed that this wonderful new product creates too much risk. The frustrated business execs gripe that IT is standing in the way of progress. As one business executive said, IT is "where dreams go to die."
The problem might not lie in some stubborn dislike by technology professionals for innovative new products. The problem, CIOs and other experts agree, is that most organizations don't have a realistic, balanced or mature system for evaluating and making decisions about technology risk. Especially the risk that always comes with implementing something new.
"Somebody, typically in a line of business, has some SaaS product they want to use, and they provide a business case for it: 'Here's all the good stuff that can result from the use of this. It'll make my numbers. I can access it from anywhere,'" says Jay Heiser, an analyst at Gartner.
At that point, IT is asked to determine whether the software in question is safe to use. "Then starts a farcical attempt to prevent something bad from happening," says Heiser. Ensuring complete indemnification for any losses suffered in the event of a breach likely means inserting provisions into the vendor's standard contract. "These are cookie-cutter products; the company has 30,000 customers. They're not going to negotiate contracts," he says.
Next come questions about the cloud provider's security practices, but here again, Heiser says, it's difficult or impossible to construct a questionnaire that will fully determine that the provider will keep data secure. A site visit might be helpful, but the sheer volume of customers will make it impossible for the provider to welcome most of them. And even when you are standing at a provider's facility looking straight at its servers, that doesn't give you access to the person who wrote the code.
In short, there is no way to guarantee security, especially that of a cloud-based product, Heiser says. And therefore, IT professionals tend to take the simplest path and decline to give their approval, which in turn earns them a reputation as dream-killers. It's a setup that guarantees frustration on all sides, and one that's more than ripe for adjustment.
But changing it requires seriously rethinking how businesses work with IT to make technological decisions. That won't be easy, but here are some places to start.
1. Let CIOs Off the Hot Seat
Talk to any CIO long enough on the subject of technology risk, and one company name is likely to come up: Target. The retailer suffered a widely publicized data breach compromising a total of 110 million credit cards in December and January -- a number that's equivalent to more than one-third of the U.S. population, assuming all the cards belonged to different people. As the dust settled and lawsuits were filed, no one was surprised when Target CIO Beth Jacobs tendered her resignation.
Jacobs had been on the job about six years, putting her right at the average CIO tenure according to CIO magazine's 2014 State of the CIO survey. That's a fact worth noting because behind it lies a darker truth: Most CIOs assume they're always one big tech failure away from losing their jobs. "I don't know if she did a good job or not, but she got fired," Heiser says. "In practice, if something breaks, they'll go looking for a scapegoat." Because CIOs face that reality, he adds, it's easy to see why most of them are motivated to make "extremely conservative decisions."
- Global Growing Pains: Tapping into B2B Integration Services to Overcome Global Expansion Challenges A recent survey by IDG Research explored both the challenges and pain points companies face when growing globally, as well as the capabilities...
- PCI 3.0 Compliance In this white paper, learn how PCI-DSS 3.0 effects how you deploy and maintain PCI compliant networks using CradlePoint devices.
- Defense throughout the Vulnerability Life Cycle with Alert Logic Threat and Log Manager New security threats are emerging all the time, from new forms of malware and web application exploits that target code vulnerabilities to attacks...
- QA Automation: Reducing Test Execution While Improving Coverage A leading capital investment firm in the US was in need of a comprehensive, cost effective and flexible solution to reduce their existing...
- E-Signature RFP Checklist Webcast If your organization is looking to adopt e-signatures, you may be overwhelmed by the number of providers that offer seemingly similar solutions. How...
- Expert Panel: Enterprise Mobility and Data Loss Prevention When it comes to enterprise mobility, it's not just about devices, it's about the way people work. Hear this expert panel discuss the... All Management White Papers | Webcasts