The Future of Corporate IT: Implications for Information Risk, Part 1
Two weeks ago we shared with you findings from the broader IT practice research effort about five trends that will reshape corporate IT functions in the next five years. In the next few posts we want to discuss with you the risk and security implications arising from those trends. Here we tackle the first three of the five trends postulated by the future of corporate IT.
1) Information over process. Rather than providing business process automation, IT organizations will be tasked with providing information, and value will be added by linking multiple different sources, including legacy and unstructured sources, to support critical business decisions. With data becoming easily accessible and combined in useful forms, there is a standing danger that: a) there are additional sources of data leakage, and b) data could be combined to reveal individual identity (e.g. date of birth, zip code, and gender together could uniquely identify a person). Risk assessments that currently focus only on applications, or even on business processes, will need to be updated to include data-based risk assessments, and the scope of these assessments will need to drill down into contextual data loss risk. Updating and training end users on data classification will also become more critical.
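As an added illustration, not part of the original post, of how the quasi-identifiers named above combine to re-identify people, and of the kind of check a data-based risk assessment could run before a release: a k-anonymity check over constructed records, with record suppression as the mitigation. All records, names and the public list are constructed for the example.

```python
from collections import Counter

# Constructed records released without names; the quasi-identifiers named in the post stay in.
DEIDENTIFIED = [
    {"dob": "1971-03-04", "zip": "02139", "sex": "F", "diagnosis": "asthma"},
    {"dob": "1971-03-04", "zip": "02139", "sex": "F", "diagnosis": "flu"},
    {"dob": "1985-11-20", "zip": "02139", "sex": "M", "diagnosis": "diabetes"},
    {"dob": "1962-07-15", "zip": "10001", "sex": "M", "diagnosis": "hypertension"},
]

# Constructed public list (think of a voter roll) carrying names plus the same fields.
PUBLIC_LIST = [
    {"name": "A. Example", "dob": "1985-11-20", "zip": "02139", "sex": "M"},
    {"name": "B. Example", "dob": "1962-07-15", "zip": "10001", "sex": "M"},
    {"name": "C. Example", "dob": "1971-03-04", "zip": "02139", "sex": "F"},
    {"name": "D. Example", "dob": "1971-03-04", "zip": "02139", "sex": "F"},
]

QUASI_IDS = ("dob", "zip", "sex")


def qid(record, fields=QUASI_IDS):
    """The quasi-identifier combination of one record, used as an equivalence-class key."""
    return tuple(record[f] for f in fields)


def k_anonymity(records, fields=QUASI_IDS):
    """Size of the smallest quasi-identifier class; k == 1 means at least one record is unique."""
    return min(Counter(qid(r, fields) for r in records).values())


def reidentifiable(records, public, fields=QUASI_IDS):
    """Records whose quasi-identifiers match exactly one name in the public list.

    Returns (name, sensitive attribute) pairs: the joined data the post warns about.
    """
    names = {}
    for p in public:
        names.setdefault(qid(p, fields), []).append(p["name"])
    return [(names[qid(r, fields)][0], r["diagnosis"])
            for r in records if len(names.get(qid(r, fields), [])) == 1]


def suppress_below_k(records, k, fields=QUASI_IDS):
    """Mitigation: drop records in any quasi-identifier class smaller than k before release."""
    counts = Counter(qid(r, fields) for r in records)
    return [r for r in records if counts[qid(r, fields)] >= k]
```

With the constructed data, two of the four records are unique on the three fields and link to a single name each; suppressing classes smaller than 2 leaves a release with k = 2 that no longer links to any one person.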
2) IT embedded in business services. Rather than continuing to exist as large standalone functions, infrastructure and applications will be embedded into business services. Over the past 2-3 years CISOs have retaken responsibility for security operations that had previously been devolved to IT, with ~80% of CISOs currently owning operations. As IT gets embedded into business services, the pendulum may swing the other way again, and CISOs will have to rethink the delivery of security without true ownership of operations.
3) Externalized service delivery. As delivery becomes predominantly externalized, internal functions will become brokers rather than providers. For CISOs this would mean a renewed focus on third party risk assessments, with special focus on surfacing and triaging third party relationships, as well as increased use of certifications to manage the volume of assessments conducted by CISOs. This will also require people with the skills to effectively manage third party assessments, which means expertise in project management plus a hybrid of legal, audit and security expertise.
Do you see some of the overall trends affecting IT as outlined in the future of corporate IT and how do you think this impacts your function? Send us your thoughts, we would love to hear from you.
July 9, 2010 at 6:07 pm