Monday, November 26, 2012

New demands on the CISO.

Consumer technology is inside the perimeter. It has been an invasion of devices, apps and cloud services, and enterprise data has found an easy bridge across the perimeter to free itself. None of this is unknown to us, though I have to admit it has been a sensational development at a sensational pace: technology adoption and work-style adaptation have happened with a passion that no enterprise app or project has ever witnessed or experienced. As a CIO one can only hope and wish that these virtues were associated with the enterprise IT initiatives we lead. All of this has caught us off guard, as most of it is unplanned induction, and some definitely see it as an intrusion.

The CISO's role is all the more critical against this backdrop. To be really effective, the CISO will have to don a new avatar, or rather add a few more facets to their personality. Setting the ground rules and policing to ensure adherence to policies have been the only traits CISOs have shown; some have undertaken branding and advertising to ensure awareness, but nobody has seriously stepped into the shoes of an educator and a protector. Every organization has policies around ownership, distribution and life-cycle management of all its enterprise assets, especially data. Data is all over the place: documents, records in the enterprise database, spreadsheets, scribbles and notes on notepads. Employees create data on the go.

Consumer technology has placed in the hands of employees tools and devices that help them do their jobs effectively. In the process, enterprise data is not just passing through these personal devices and cloud storage; it is actually being created on them and then, hopefully, getting into enterprise systems. There is ample scope for data theft and data leakage. While enterprise governance is all about checks and balances to safeguard corporate assets and contain risk, employees are all about productivity, speed, quality of service and delivering the wow factor with attitude. Governance needs to ensure employees can bring all of that to the table in a secure environment, because employees find a lot more exciting tools outside it. One way to get there is to step up awareness and education.

The CISO is in a fantastic position to map the spirit and the letter of corporate policies onto the consumer technology choices that are all around us, and to highlight, clearly, in simple language and with examples, the damage that could happen to the enterprise if some of these apps were used. I reached out to 12 senior CISOs in the industry before I penned this blog post, and everyone thought it was a good idea; some called it innovation. I was actually a bit miffed. I reminded them that this had always been an expectation from their chair, but all one got was policies and policing. CISOs need to be aware that they are there to support employees in conducting their business in a safe and secure environment. Along with education and awareness, the CISO needs to push the CIO's team to fund small labs that can discover the best way to leverage these consumer technology ideas within the enterprise to achieve business goals.


It would be nice to see CISOs bring out videos and literature showing how enterprise data, and hence the personal credibility of employees, could be put at risk by unabated and unmentored use of apps like Dropbox and Evernote. At the same time the CISO should work with the CIO to figure out ways of accommodating such features and functionality within the enterprise. CISOs need to bring their expertise to the table in many more ways than just policing. This happens when CISOs wed their agenda to business objectives beyond just securing the enterprise, and extend their expertise to employee productivity and morale by supporting agility in the personal productivity space. Everyone loves carrying and showing off not just cool devices, but how they use them to deliver value. Most of the time the wow factor created is targeted around the individual; there is no harm in supporting it if it results in value to the organization.




3 comments:

  1. A well thought out and amicably written article.

    I believe that for a CISO to be successful, s/he has to have clarity of organizational objectives, and these should be well integrated with CIO needs and business demands. One can't have flexibility at the cost of security, as a breach can lead to loss of business reputation, amongst other things. A CISO has to protect a host of services, including a few that s/he may have no direct control over. A flexible approach to security and/or deployment of lightly tested or minimally utilized application tools can lead to misadventures.

    It is imperative today to have staff carry all sorts of technology products and seek business services and support. However, to maintain consistency across the board and not create economic divides by satisfying the needs of a few, provided a combination of end-user devices/software is found to improve user productivity, it would be worthwhile to investigate the risks and formally adopt the technology.

    While organizations may implement the latest tools and secure network perimeters, the weakest link in the chain still happens to be people. It is of utmost importance to engage staff and make them part of ongoing and lively training programmes, with specific emphasis on techniques used by "people" to secure information. The better equipped and armed the staff are with generic security knowledge, the easier it will be to adopt and support productive technologies.
    Posted by Rajesh Pandita CISSP CISM CISA

    Replies
    1. In my mind I have a few disconnects... and I am fully seized of the fact that I could end up being wrong.
      1) Your sentence "One can't have flexibility at the cost of security as a breach can lead to loss of business reputation amongst others." is not the way I look at things. I look at it as: "If some initiatives do make business sense, then we need to figure out how we could deliver a secure environment around those." This is a significant change in one's objective and stand. The end result of playing in a secure enterprise arena remains sacrosanct.

      2) Your sentence "A CISO has to protect a host of services including few that s/he may have no direct control on." is a complete no-no for me. A CISO is a C-level player and they need to step up, in more ways than they do now, to secure everything across the enterprise. As a CIO I am OK if, with the passage of time, some of the security cordon becomes meaningless, as long as the CISO is accountable for everything around IT security and is always on the job. I am not OK if the CISO fails to identify these areas to work upon.

      3) Your view on economic divide might just not be feasible. In a performance-driven culture with role-based resource allocation, there will be divides. They also drive aspiration. There are divides on everything from car policy to entitlements based on performance and responsibilities.

      4) I like the spirit of your last paragraph; however, I see people as an important link and not the weakest link. They are important because IT assets don't innovate, people do. One cannot view innovation that cannot be accommodated in the IT security cordon status quo as something that needs to be discarded in the interest of the enterprise's IT security. We need to incubate these and evolve a security cordon that makes sense. The reason innovation labs exist is to give an amicable climate that encourages experimentation and supports productionizing these innovations before they are rolled out.

  2. Shakti Saran

    "The level of business acumen and leadership has soared among top leaders currently managing security for their organizations. Their contribution to the overall success of the organization is understood, measured and rewarded at the board level. The time and opportunity to leverage that skill at the COO or an international business unit head position has arrived. Similar to the IT world where John Reed, the visionary CIO at Citibank who championed ATMs, became their CEO in 1984, I expect to see ‘the business leaders who are currently managing security for their organizations’ be moved to broader executive roles." http://www.securitymagazine.com/articles/83796-predicting-securitys-next-moves-in-2013

