Featured Opinion: Q&A: Getting IT security to reach company goals
by Marcia J. Wilson, CCSP Staff Writer, May 04, 2004
Reprinted from August 21, 2003.
Creating a line of sight to reach corporate goals and objectives can result in synergy such that the total effect is greater than the sum of the individual effects. We all get excited about different things. Imagine if we were all excited about the same thing; we could move in the same direction and possibly move mountains.
Mission, vision, values, strategic direction, goals and
objectives may be words in the CSO's or CIO's vocabulary, but they aren't
commonly heard in the halls of information security departments. The concept of
IT security governance is gaining visibility. Security governance, especially in
light of laws such as the Gramm-Leach-Bliley Act and the Health Insurance
Portability and Accountability Act, needs to become a high priority. The
implication is that IT security needs to be invited to the executive
roundtable.
Every football team knows that the goal of the team is to win. Each player
knows what he needs to do to achieve that goal. How does each player know what
his role is? On a corporate level, why doesn't the IT security administrator
know his role in meeting company goals? Someone needs to have the responsibility
of explaining the company's corporate objectives and then informing each
employee of his role in achieving them.
I had the opportunity to discuss this topic with an organizational design
consultant, Tracy Gibbons, president of Coastwise Consulting Inc.
Her firm helps IT companies develop competitive advantage by leveraging
organization design, goal alignment and collaboration.
Why do IT, and therefore security departments, have such a tough time aligning with a company's corporate goals and objectives?
IT and security are not unique in this regard. Many functions have this problem. Corporate goals aren't always clear. Companies are hoping that each department will set its own goals and it will all add up. If you believe in synergy, using scarce resources focused on specific targets, companies will get better results if they make an investment in how to do this.
Specifically, there is ambivalence about the place of IT and security in large corporations. If your system goes down because of a security incident or a systems failure, your whole business can tank. As an example, Company X was in the process of converting to an ERP system and created a whole function to manage the transition. On paper they did everything right, but what was actually happening was that managers were covering for, or signing off on, things that were required (i.e., training). When they went to do the installation or cutover to the new system, the entire manufacturing function became gridlocked. Transactions were taking minutes instead of nanoseconds.
Do companywide implementations fail because of goal-alignment issues?
Maybe. If implementing a new ERP system or a new enterprisewide security system is a major objective, what happens when you don't have enough collaboration between IT, security and the rest of the company? Because other functions are completely reliant on IT systems, giving the CIO potentially enormous amounts of power, counterdependence often surfaces.
Similarly, the CSO determines who gets access to what, which is another
unfamiliar power silo. Historically, IT has been a service function, which means
CIOs are accustomed to asking, "How high?" and "What can I do for you?" instead
of mandating change. For example, say Company X has 350 custom applications. A
major goal of improving operational efficiency includes shifting toward a
smaller number of enterprise custom applications via a CRM or ERP solution. You
can see a lot of IT strategy, but the trouble is that the business does not want
to give up their custom legacy applications.
In the same way, security may have an enterprise security solution
implementation on the books, which may restrict access where none existed
before, and may have new policies and procedures that feel like a hindrance to
the business. The businesses, being the main clients of IT and security, are
used to throwing money in the pot to get their custom modifications done, or
using back doors to get what they want. Designers and security administrators
may be flattered to be involved in such collusion, and besides, it's cool. The
major problem here is that with enterprisewide platforms and systems, this kind
of process just doesn't work. It's the platform that dictates what can or cannot
be done, not individuals. Collusion gets crippled. Maybe that's a good
thing.
How do you get everyone to play in the sandbox together?
If you have some process to create alignment among various organizations and functions, by definition you have exposed yourself to conflict. High-level guys frequently want to call their own shots and run their own business and don't particularly want to be aligned. Even if they do, or the CEO insists, not everyone will be in agreement. You will end up with a system of conflict, and you will have to be able to sort it out or you will finally give a wink and a nod.
Another issue that seriously impacts goal alignment is getting the right people on the bus. If you don't do that, no one should be surprised when you don't get goal alignment. You want team players, not lone rangers. Another reason why goal alignment is so hard is that it can't happen in isolation. You have to consider what the CEO's agenda, the board's agenda and other stakeholders' agendas are. Nobody is a free agent anymore; everything is changing so fast that all it takes is a shift in the external environment for all the agreements to come undone or unravel. It's a tough world out there. If senior staff is committed to goal alignment and synergy as a way to create competitive advantage, you have to have processes in place in order to be able to make the adjustments when a shift occurs.
Security is the 500-pound gorilla, and nobody likes big gorillas, especially
if you think the gorilla is there to serve. If you want to run on enterprisewide
platforms, whether it is IT- or security-related, there must be conformity. One
reason why big ERP implementations don't work is because the way people work and
interact has to change to mirror the system. Rearranging and renegotiating all
those relationships, and more importantly, teaching people to work differently,
is an enormously complex task. Goal alignment is hard and it takes time, and no
one wants to take the time.
And then there is culture. If you are individualistic and entrepreneurial,
you don't like to conform. ERP systems, like SIM [security information
management] systems, require conformance. The promise of ERP is significant ROI,
and you just can't get the ROI, even with a big consulting company doing the
implementation, without seriously attending to the business of people. The
reality is that you can't move large complex systems as fast as you'd like, and
people, in particular, do not move at the speed of light or at the same rate of
change as technology.
Is the problem with people, process or technology?
Organizations rarely fail because of problems with the technology. Usually the failure has something to do with the nontechnical side of things: management competence, or an organization design that is misaligned with the purpose and goals of the organization.
Due to the globalization of organizations and the accompanying technical
complexity, organizations have also become more complex. The average line
manager in a technical area finds it hard enough to stay current in his or her
area of expertise. Few line managers have the time to pay attention to human and
organization systems thinking. But that's what makes it possible to run a
successful organization for the long term. If what you want is sustainability,
you have to understand how to use your organizational capabilities as a source
of competitive advantage.
Marcia J. Wilson holds the CISSP designation and is the founder and CEO of Wilson Secure LLC, a company focused on providing independent network security assessment and risk analysis. She is also a freelance columnist for Computerworld and SecurityFocus. She can be reached at marcia@wilsonsecure.com. Corporate website: wilsonsecure.com.
Copyright © Marcia J. Wilson. All Rights Reserved 2004.