Many enterprises today are making dramatic changes throughout their data center that impact technology, people, and processes as they aim to increase agility and enhance service levels by taking advantage of both on-premises and off-premises platforms.
But such a move comes with a set of information security challenges that many IT and security executives will need to address—or risk putting their companies in danger of a growing array of threats. In this post we’ll examine some of these key challenges, and in a follow-up, we’ll take a look at best practices for addressing these hurdles.
One major challenge is something many CIOs and security chiefs can probably relate to: loss of control when it comes to cyber security and IT governance. With the growth of “shadow IT” and the rising use of consumer devices in the workplace, many IT executives no longer feel as if they’re in charge of what goes on at their organization from a technology perspective.
Line-of-business managers and even individual departments or employees in many cases are “going rogue,” deploying and using systems, services and applications without the explicit approval of central IT.
While these efforts might lead to innovative approaches to solving business problems, they might also fail to align with corporate requirements for security, privacy, documentation, and control. That can leave the company exposed to threats and vulnerabilities without the knowledge of IT and security management.
Shadow IT is only one aspect of the loss of control. In general, at some organizations IT leaders are getting less support from business executives who see IT and security management as roadblocks to progress. Business leaders decline to collaborate with IT on technology initiatives, which can lead to added cyber security vulnerabilities that could be avoided.
Another factor that makes security difficult today is the emphasis on speed to market for new applications, products, and services. Because of the pressure to get out there first with new offerings, cyber security oftentimes gets short shrift. In the rush to push projects to completion, the need for strong security becomes overshadowed and sometimes forgotten.
Also hindering the development of a strong cyber security program is the fact that many enterprises have never really defined the degree of risk they are willing to accept with regard to security. Companies traditionally have had a good grasp of operational risk and financial risk, but they fall short when it comes to information security.
They have little sense of how to manage the risks associated with technology in general and cyber security specifically, and neglect to extend risk management programs into IT and IT security. At a time when so many organizations have been devastated by data breaches in very public ways, this lack of risk management for security is perplexing—and reckless.
One other challenge that makes comprehensive cyber security difficult is that companies have placed an emphasis on technology tools but have had less regard for issues related to people and processes. There’s a need to educate and train employees in the proper use of systems and applications, as well as a need to develop and enforce stronger policies.
The lack of effective security policies and training programs is a symptom of the problem of companies not making cyber security a part of doing business and a component of the corporate culture.
This is a daunting list of challenges that many cyber security and IT executives are facing today as their organizations prepare for digital transformations. But these challenges can be effectively addressed, as we will examine in the next post.