Written by Charles Leaver, Ziften CEO
If your enterprise computing environment is not properly managed, there is no way it can be fully secure. And you cannot efficiently manage those complex enterprise systems unless you are confident that they are secure.
Some might call this a chicken-and-egg situation, where you do not know where to start. Should you begin with security? Or should you start with systems management? That’s the wrong approach. Think of it instead like Reese’s Peanut Butter Cups: it’s not chocolate first, and it’s not peanut butter first. Both are mixed together and treated as a single delicious treat.
Numerous companies, I would argue too many companies, are structured with an IT management department reporting to a CIO and a security management group reporting to a CISO. The CIO team and the CISO team do not know each other, talk to each other only when absolutely necessary, have separate budgets, certainly have separate priorities, read different reports, and use different management platforms. On a day-to-day basis, what constitutes a task, a problem, or an alert for one team flies completely under the other team’s radar.
That’s not good, because both the IT and security teams are forced to make assumptions. The IT team assumes that all assets are secure unless somebody tells them otherwise. For example, they presume that devices and applications have not been compromised, that users have not escalated their privileges, and so on. Similarly, the security team assumes that the servers, desktops, and mobile devices are working correctly, that operating systems and applications are fully up to date, that patches have been applied, and so on.
Because the CIO and CISO teams aren’t talking to each other, don’t understand each other’s roles and concerns, and aren’t using the same tools, those assumptions may not be correct.
And again, you cannot have a secure environment unless that environment is properly managed, and you cannot manage that environment unless it is secure. Put another way: an environment that is not secure makes everything the IT team does suspect and unreliable, because you cannot know whether the information you are seeing is accurate or has been manipulated. It may all be fake news.
Bridging the IT / Security Gap
How do you bridge that gap? It sounds easy, but it can be hard: make sure there is an umbrella covering both the IT and security teams, so that both report to the same person or structure somewhere in the organization. It might be the CIO, it might be the CFO, it might be the CEO. For the sake of argument, let’s say it’s the CFO.
If the company doesn’t have a secure environment and there is a breach, the value of the brand and of the company may be reduced to nothing. Likewise, if the users, devices, infrastructure, applications, and data aren’t well managed, the business can’t operate efficiently, and its value drops. As we’ve discussed, if it isn’t properly managed it can’t be secured, and if it isn’t secured it can’t be well managed.
The fiduciary duty of senior executives (like the CFO) is to protect the value of company assets, which means ensuring that IT and security talk to each other, understand each other’s goals, and, where possible, can see the same reports and data, filtered and presented so that they are meaningful to their respective areas of responsibility.
That’s the thinking we adopted in developing our Zenith platform. It’s not a security management tool with IT capabilities, and it’s not an IT management tool with security capabilities. No, it’s a Peanut Butter Cup, built equally around chocolate and peanut butter. To drop the confectionery metaphor: Zenith is an umbrella that gives IT teams exactly what they need to do their jobs and gives security teams exactly what they need as well, without coverage gaps that could undermine assumptions about the state of the business’s security and IT management.
We need to ensure that our company’s IT infrastructure is built on a secure foundation, and that our security is implemented on a well-managed base of hardware, infrastructure, software, and users. Otherwise, we cannot operate at peak efficiency or fully meet our fiduciary obligations.