IT is changing..Again?

In the past few years IT organizations have seen multiple organizational transformations: some have centralized and others have decentralized. So when I heard a senior researcher talk about another transformative organizational change, I had the usual reaction of “yawn” followed by healthy skepticism. What got my attention though were the following three trends and potential implications for CISOs:

1) Business units will bypass IT to directly buy both devices and software. We have already seen examples of these in the social media space where human resources used facebook for recruiting and sales organizations bought 500 salesforce licenses without having discussions with corporate IT and CISOs. This has major implications for CISOs as they loose their traditional listening posts from inside centralized IT and ability to provide prevent risky technology and software from entering the corporate IT infrastructure.

Some CISOs already have lists of approved consumer devices but they should also start including SaaS type applications that could be realistically purchased by the business in that list. Assurance for these applications might involve conducting third party assessments for “future third parties”. NAC’s maybe another technology that CISO’s would consider deploying further to ensure that only approved devices are connecting to the network.

Gamma’s Third Party Assessment Questionnaire
Teleconference on Network Access Control Implementation

2) Data will become more critical than business processes. Rather than providing automation IT organizations will be tasked with providing information and value will be added by linking multiple different sources: from legacy and unstructured sources to help with critical business decisions. With data becoming easily accessible and combined in useful forms there is always danger that the same data could also be combined to reveal individual identity i.e. “date of birth”, zip code, and gender could help you uniquely identify a person.

Risk assessments that currently only focus on applications or even business process will need to be updated to include data and the scope of these assessments will need to double click on contextual data loss risk. Updating and training end users on data classification guides will also become more critical.

DuPont company’s data focused risk assessment

3) IT is embedded in a newly created business services organization. Rather than IT offering end user computing, a new business services organization will be created consisting of corporate functions like Finance, HR, and IT that will offer business service titled “ New Employee Hiring” that includes the human resources (interviewing, hiring, orientation, background…) , information technology (identity management, provisioning, laptop…), and Finance (payroll, bonus….). These are the units of services that business will order rather than the individual components. This calls for high degree of integration between information security both at the IT level and at business level.

This trend while causing angst around org structure and governance may actually help CISOs by providing cross functional perspective on risk. The downside is that IT risks may not receive the same weight and therefore the resources when compared some of the other risks in the enterprise.

Top 10 Enterprise Risks

Explore posts in the same categories: Cloud Computing, Information Risk Governance, Strategic Planning

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: