Written by Chuck Leaver, Ziften CEO
If your business computing environment is not effectively managed, there is no way it can be fully secured. And you cannot effectively manage those complex business systems unless you have confidence that they are secure.
Some might call this a chicken-and-egg scenario, where you do not know where to start. Should you start with security? Or should you begin with managing your systems? That is the wrong way to frame it. Think of it instead like Reese’s Peanut Butter Cups: it is not chocolate first. It is not peanut butter first. Rather, both are blended together and enjoyed as a single delicious treat.
Many organizations, I would argue a lot of companies, are structured with an IT management department reporting to a CIO and a security management group reporting to a CISO. The CIO team and the CISO team do not know each other, talk to each other only when absolutely required, have separate budgets, certainly have separate goals, read different reports, and use different management platforms. On a day-to-day basis, what constitutes a task, a concern or an alert for one team flies completely under the other team’s radar.
That is not good, because both the IT and security teams are forced to make assumptions. The IT team assumes that all assets are secure unless someone tells them otherwise. For example, they assume that devices and applications have not been compromised, that users have not escalated their privileges, and so on. Likewise, the security team assumes that servers, desktops, and mobile devices are working properly, that operating systems and applications are up to date, that patches have been applied, and so on.
Given that the CIO and CISO teams are not talking to each other, do not understand each other’s roles and goals, and are not using the same tools, those assumptions may not be valid.
And once again, you cannot have a secure environment unless that environment is properly managed, and you cannot manage that environment unless it is secure. Or, to put it another way: an environment that is not secure makes anything you do in the IT organization suspect and irrelevant, and means that you cannot know whether the information you are seeing is accurate or has been manipulated. It might all be fake news.
Bridging the IT / Security Gap
How do you bridge that gap? It sounds easy, but it can be challenging: ensure that there is an umbrella covering both the IT and security teams. Both IT and security report to the same person or organization somewhere. It might be the CIO, it might be the CFO, it might be the CEO. For the sake of argument, let’s say it is the CFO.
If the company does not have a secure environment and there is a breach, the value of the brand and the company may be reduced to nothing. Likewise, if users, devices, infrastructure, applications, and data are not managed well, the business cannot operate effectively, and its value drops. As we have discussed, if it is not properly managed, it cannot be secured, and if it is not secured, it cannot be well managed.
The fiduciary obligation of senior executives (such as the CFO) is to protect the value of business assets, and that means ensuring that IT and security talk to each other, understand each other’s priorities, and, where possible, can see the same reports and data, filtered and displayed to be meaningful to their respective areas of responsibility.
That is the thinking we adopted in developing our Zenith platform. It is not a security management tool with IT capabilities, and it is not an IT management tool with security capabilities. No, it is a Peanut Butter Cup, designed equally around chocolate and peanut butter. To be less confectionery about it, Zenith is an umbrella that gives IT teams what they need to do their jobs and gives security teams what they need as well, without coverage gaps that might undermine assumptions about the state of business security and IT management.
We have to ensure that our company’s IT infrastructure is built on a secure foundation, and that our security is implemented on a well-managed base of hardware, infrastructure, software and users. We cannot operate at peak performance, and with full fiduciary responsibility, otherwise.