Last week I participated in an IT executive roundtable in New York, where we asked the audience what subjects were currently top of mind. The initial talking points for the roundtable were both security and open-source software, but, clearly for this audience, security was the more dominant issue on their minds that day.
Now, that didnt surprise me, as security has been identified as a Top 3 issue in virtually every survey that I have seen about IT executive concerns. I assume the predominance of financial services companies in the audience also had something to do with their focus on security-related issues. What was intriguing was the scope of the security issues that were top of mind—specifically, the question of conflicts of interest. Another issue had to do with reporting and monitoring compliance. In short, here were a group of technology leaders coming to grips with the realization that many security concerns are not technology-related.
Several attendees of the roundtable, which was sponsored by Experture, a newcomer to the IT research and advisory market, mentioned conflicts of interest. Like most companies, they are struggling with organizational reaction to new and impending regulatory legislation. Theyre responding to the threat of infiltration or simple human error that will expose sensitive customer data in a fashion most embarrassing to the company. The problem is that to address these issues, organizational changes are required and darn it if those humans arent more difficult to configure than software!
The frustration among the audience members was palpable, and its easy to see why. Fundamentally any type of security officer role created within any company is geared toward restricting access not creating it. Even more to the point, IT executives are geared to provide, not to restrict, services. Which begs the question: Should corporate security officers even report through the IT chain of command?
The question itself is a red herring of sorts. Organizations could spend months or years rearranging corporate staff or hiring outside czars, but it would not fundamentally solve the problems of conflict of interest. Instead, what we should be asking is: How do we get everyone in the organization (IT and non-IT) passionate about security? How does data security impact our companys results? How does data security impact our ability to be the very best at whatever we do as a company? In other words, companies need to find a way to align the need for data security within the scope of other activities that fuel the very growth of the company.
If you are a financial services company, say a low-cost brokerage firm, you are passionate about streamlining the process and lowering the cost for a customer to buy or sell stock. What drives your economic engine is profit per customer; the lower the cost per trade and the easier it is to make trades, the more trades a customer makes. To be the best in the world, you want to provide the easiest interface (lower the human contact), the most information available and tools to help the average customer make better decisions. It sounds simple enough, but how does security fit into that? Well, the answer of course is trust. Customers wont use your service if there is no trust as to the accuracy and secrecy of their personal information and account transactions. No trust, no customers.
That is but one example, but each organization must begin by asking these questions. Only when everyone in the organization understands how doing something well enables us to achieve what we most strive for will we actually see true results. Of course, before that can occur, the management team has to have the right people in all key positions. People who believe that security is as important as developing the best code or implementing that ERP system or building the largest data warehouse. Concern for security has to be baked into your corporate DNA. Getting the right people means finding people who reject the notion that you can have either fast development or good security. They must embrace the and. We will have rapid development and strong security in-depth.
So if you are an IT executive struggling with security issues, start by looking in the mirror. Are you the right person? Do you have the right team? Is there a clear benefit/alignment between having the best possible security processes and the driving business motivators to becoming a great company? When you answer that, you will be on your way to addressing the security issue.
Charles Garry is an independent industry analyst based in Simsbury, Conn. He is a former vice president with META Groups Technology Research Services. He can be reached at cegarry@yahoo.com.