Better Security Starts with Better Business Management

 

By now nearly everybody is aware that Sony suffered quite possibly the worst data breach it’s ever dealt with, the result of hackers angry over the release of The Interview.

 

“Sony Pictures employees and former employees are flipping out about the leak and the unexpected debut of their personal information on screens across the world,” writes Fusion’s Kashmir Hill. “But some former employees, who asked to remain anonymous, have told us that they’re disappointed but not surprised, given Sony’s long-running lax attitude towards security. They say that employees highlighted specific vulnerabilities on company websites and systems that were never addressed.”

 

 

Don’t focus too much on Sony’s vulnerabilities either, though. It’s hardly the only corporation with a less-than-stellar attitude towards information security. It’s not the only business with an underfunded and understaffed IT department. It’s far from the only organization with a CIO that can’t be bothered to care. 

 

As it turns out, recent research shows that a low opinion of IT is very nearly the norm in the enterprise sector. According to Michael Krigsman of Beyond IT Failure, there are scores of studies looking into the changing role of the CIO and his department within the enterprise—and none of them are terribly promising. 

 

Too many CFOs consider IT barely worth the money it brings in, if they think about it at all. Too many employees lack an adequate understanding of information security, or the CIOs role in establishing it. Worse still, nearly half of CEOs think of IT as little more than a commodity service—something they can buy on an as-needed basis.

 

Given the rash of data breaches we’ve seen over the past few years—given how much personal and financial information has been compromised—it’s abundantly clear that something has to change. But what? How can businesses better position themselves to take advantage of a changing technological landscape, and keep themselves safe in the process? 

 

“The CIO and IT must be seen less as merely developing and deploying technology, and more as a source of innovation and transformation that delivers business value, leveraging technology instead of directly delivering it,” explains Dell’s Jim Stikeleather. “This changing image starts in the C-Suite. Currently, CIOs are not engaged in the strategic decision-making that goes on at the executive level.” 

 

“CIOs,” he continues, “must be an integral and vocal part of conversations on new ventures and resource allocation. The role and effect of technology should be a part of conversations on business decisions, and the CIO should have a pertinent and relevant point of view.”  

 

In other words, what needs to happen to solve the current security crisis—what needs to be done to lower the frequency of hacks and cyber-attacks—isn’t a change to the IT department. Not really. Instead, businesses need to change how IT is managed; how it relates to and connects with the rest of their organization. 

 

We can no longer afford to segregate our security experts, to push aside our IT professionals unless something needs to be upgraded or installed. Modern business relies more and more on technologies like the cloud with each passing day. This reliance is being seen everywhere—especially in marketing and analytics.

 

This means that businesses are storing more and more information online—and if that information isn’t properly secured and managed, it’s fair game for hackers. 

 

 

On top of all that is the issue of complexity. For all their simplicity, modern solutions can be surprisingly intricate under the hood, surprisingly difficult to manage without the presence of someone who knows what they’re doing. The cloud is one of the most significant culprits here, but big data and its related technologies also plays a part. 

 

Taken together, the message here should be simple. Businesses need properly funded, properly staffed IT departments that understand their technological needs; these departments need to be helmed by a CIO who actually cares about keeping information safe. Additionally, they need to make these departments a part of their decision-making process—they need to include them in the day-to-day of their business.  

 

This isn’t solely a matter of security—it’s a matter of survival.

 

I think, perhaps, that Sungard put it best: “IT conversations in the C-Suite should never be about technology.” Any organization that believes otherwise is simply ignoring the writing on the wall. Any executive that thinks otherwise has only themself to blame when their business suffers a breach.