E-Guide CONSIDER SECURITY IN YOUR DAILY BUSINESS OPERATIONS
This e-guide teaches you the importance of collaboration on a micro level for defending against cyber threats. Learn how to embed security practices in your daily business practices and embrace a flexible mindset as your business needs change.
SECURITY THINK TANK: SECURITY NEEDS TO BE PART OF CHANGE MANAGEMENT PROCESSES

Mike Gillespie

How can development, operations and security teams collaborate around change to ensure security is maintained and even improved?

Collaboration is a buzzword in the world of cyber security. International collaboration is seeing countries working together to successfully bring down cyber terrorists and hackers. Domestic collaboration is seeing leading businesses and governments striving to implement common cyber security practices such as ISO27001, PCI-DSS and Cyber Essentials. So, if we can all work so well together on a macro level, why is it we seem to struggle at the micro level with our own internal teams?

Whether it is for digital, operating system upgrades, new networks, acceptable use policy changes or just introducing a new user, collaboration is a key factor to the success of any project and ensures the security of information assets stored, managed or processed as part of that activity. Yet still we do not seem to be singing from the same hymn sheet as our
colleagues. So where do the challenges lie?

When data is compromised, it is often because security has not been considered as part of the change and configuration framework. We build secure technological infrastructures and conduct penetration testing to identify vulnerabilities, but there is often no ongoing security maintenance and security failures ensue. Failures can be put down to a number of inherent issues:

Disparate systems with no oversight or joined up ;
Slow change leading to being circumnavigated, ignored or no joined up decision-making;
Security not built in, but bolted on after the event;
Legacy thinking rather than agile planning;
Poor succession planning for legacy platforms;
Lack of security process maintenance;
Management out of the loop with corporate protection.

Change and configuration should be a business-centric process that involves all appropriate stakeholders and ensures the maintenance
and integrity of security controls. Basically, this means make it secure, check it's secure and keep it secure.

All stakeholders need to be involved in discussions about business change. Security teams are often marginalised as they are seen as trouble-makers, when in reality they are business enablers helping create secure environments and improve asset protection. When collaboration does not occur, that is when breaches occur.

change its mindset and be more flexible, working in harmony with the business needs and ways of working, agile working rather than the traditional waterfall approach where projects are managed by timescales and milestones. Even if we are working in an agile, iterative manner, this does not always mean we do governance and change right. Indeed, the definition of done right should always include elements of security, change and testing.

In the same vein, Business needs to change its mindset and embrace security, understanding that it is there to deliver a business-centric service to realise benefits, enable business and ensure that change is introduced in a logical, safe and, most importantly, risk-managed manner. In short, when all teams collaborate, security will be successfully maintained
and ultimately improved as teams become more security-conscious and embed it as part of business-as-usual change.

MIKE GILLESPIE is director of cyber research and security at The Security Institute.

THE ROLE OF IT IN MAKING DIGITAL TRANSFORMATION PROJECTS WORK

Gareth Eynon

More companies are embracing digital as an essential component of their overall business strategy for the future. But what is the role of IT?

Digital can be a nebulous term and, like cloud and big data, it can mean different things to different people. But what is a common factor around this topic is that more companies are embracing digital as an essential part of their overall business strategy for the future.

The likes of John Lewis have led the way in implementing large-scale digital programmes in the private sector, and similar moves are taking place across
the public sector. From local government and non-profit organisation projects by the likes of Camden Council and the Student Loans Company through to central government initiatives by the Government Digital Service, bodies are rethinking how they use digital channels to interact with the public.

While IT will be at the heart of digital services, there is also a requirement for collaboration with other teams within the business that are customer-facing. Marketing and customer service professionals are already staking claims to leadership roles within digital projects alongside IT.

However, digital projects are not clean slates. While they aim to provide new ways to interact, digital programmes will often require access to information stored in existing IT silos. These data sources can go back decades. So how can organisations marry the best digital options for serving internal and external customers with these legacy IT assets?

At the heart of this is a need to think differently around digital, based on the right mix of people, tools, frameworks and experience around collaboration. It involves creating a mindset change around IT and the business from the beginning, including moving away from conventional approaches to IT operations and towards more agile methods.

Digital projects on their own have tended to be more iterative than
traditional IT implementations. Part of this is historical: they have been focused on online services and websites to deliver information, where the service can be changed in response to market developments without huge additional expense. Taking a lead from agile, goals are ongoing, rather than fixed and immutable.

Contrast this with the big investments that, for example, a large ERP project would entail, both on hardware and software. Making changes in the middle of a project leads to scope creep, change requests and potentially large additional costs. The impact of cloud computing and open source has made this less of an issue, because the cost of implementing these technologies is much lower.

In many cases, both open source and agile will need to complement legacy IT for the foreseeable future. To build on legacy, there are approaches that can help make this work. Alongside technical integration around data formats and programming interfaces, there is also the side rather than large-scale projects that take months or years to see through, agile projects are delivered in sprints, usually lasting two weeks.

This difference in project length is one of the biggest challenges for traditional IT in its interaction with the business. The ability to provide rapid showcases to demonstrate project progress will become the norm. There are
more digital natives in the workplace, and there is an increasing number of people in business roles who are tech savvy.

TWITTER MENTALITY

This has led to more of a Twitter mentality around IT, which demands faster and more visible project progress and updates. Alongside this, business opportunities move at a much faster pace in the digital world, so IT outputs must keep pace in order to remain competitive, as well as pacifying senior and stakeholders.

Managing this mix of projects involves thinking hard about what is presented back to the business over time. By being able to manage the digital front office that is available for everyone to see and evaluate services, IT can improve its ability to collaborate with business teams. At the same time, this front office can help the business side to collaborate with IT by streamlining requirements.

This approach is essential to successful collaboration between business and technology stakeholders because it breaks down some of the walls that can exist within an organisation.

Another element of digital programmes is the willingness to experiment with new tools and approaches. The perception in many organisations is that
IT projects are either successes or failures, with no middle ground. This breeds a risk-averse mindset. Consequently, organisations are losing the ability to make pivots around these new projects and experiments in the way start-ups do.

DEGREE OF EXPERIMENTATION

One approach to this problem is to look at how the interface with the business stakeholders can enable a degree of experimentation, without it representing a perceived failure. Managing these expectations on the business side can also free up IT to try out new avenues, reducing the risk of exploring solutions with low-cost and flexible tech environments and tools.

This is an important way to begin collaboration around agile projects with line-of-business teams, if this is not something IT does already. Creating this degree of freedom can make IT more productive and more empowered to take risks. But, at the same time, there must be an awareness of how far that experimentation can go. This ability to make go/no-go decisions quickly is fundamental to the future success of digital projects.

For companies looking at digital projects, there are a number of strands that have to be brought together to make their initiatives
successful. Just as cloud computing led to CIOs having to flex new muscles around SLA and integration across different platforms, so digital will require the development of new skills and knowledge. This will typically include building a greater understanding around other business units and their requirements, looking at working in more agile and collaborative ways, and learning more about customer needs and behaviours.

For CIOs that are willing to embrace a new way of working, digital represents a great opportunity to have a big impact on the future direction of the organisation.

GARETH EYNON is digital director at CDG, a digital integrator that helps organisations to implement new strategies and technologies