Written by Chuck Leaver, Ziften CEO
If your business computing environment is not effectively managed, there is no chance that it can be truly safe and secure. And you can't efficiently manage those complex enterprise systems unless you have real confidence that they are secure.
Some may call this a chicken-and-egg situation, where you don't know where to start. Should you start with security? Or should you start with managing your systems? That's the wrong way to think about it. Think of it instead like a Reese's Peanut Butter Cup: it's not chocolate first, and it's not peanut butter first. Both are blended together and treated as a single delicious treat.
Many companies, I would argue too many, are structured with an IT management department reporting to a CIO and a security management group reporting to a CISO. The CIO team and the CISO team don't know each other, talk to each other only when absolutely necessary, have separate budgets, certainly have different goals, read different reports, and use different management platforms. On a day-to-day basis, what counts as a task, a problem or an alert for one team flies completely under the other team's radar.
That's bad, because both the IT and security teams have to make assumptions. The IT team assumes that everything is secure unless someone tells them otherwise: for instance, that devices and applications have not been compromised, that users have not escalated their privileges, and so on. Likewise, the security team assumes that the servers, desktops, and mobile devices are working correctly, that operating systems and applications are fully up to date, that patches have been applied, and so on.
Because the CIO and CISO teams aren't talking to each other, don't understand each other's roles and priorities, and aren't using the same tools, those assumptions may not be correct.
And again, you can't have a secure environment unless that environment is properly managed, and you can't manage that environment unless it's secure. To put it another way: an insecure environment makes everything the IT team does suspect and irrelevant, because you can't know whether the information you are seeing is accurate or has been manipulated. It may all be fake news.
Bridging the IT / Security Gap
How do you bridge that gap? It sounds easy, but it can be difficult: ensure that there is an umbrella covering both the IT and security teams, so that both report to the same person or structure somewhere. It might be the CIO, it might be the CFO, it might be the CEO. For the sake of argument, let's say it's the CFO.
If the business does not have a secure environment and there's a breach, the value of the brand and the company may fall to nothing. Likewise, if users, devices, infrastructure, applications, and data aren't well managed, the company can't operate efficiently, and the value drops. As we've discussed, if it's not properly managed, it can't be secure, and if it's not secure, it can't be well managed.
The fiduciary responsibility of senior executives (like the CFO) is to protect the value of business assets, and that means ensuring that IT and security talk to each other, understand each other's goals, and, wherever possible, can see the same reports and data, filtered and presented so that they are meaningful to each team's particular area of responsibility.
That's the thinking that went into the creation of our Zenith platform. It's not a security management tool with IT capabilities, and it's not an IT management tool with security capabilities. No, it's a Peanut Butter Cup, designed equally around chocolate and peanut butter. In less confectionery terms, Zenith is an umbrella that gives IT teams exactly what they need to do their jobs and gives security teams what they need as well, without the coverage gaps that would undermine assumptions about the state of enterprise security and IT management.
We need to make sure that our organization's IT infrastructure is built on a secure foundation, and that our security is implemented on a well-managed base of hardware, infrastructure, software and users. We can't operate at peak performance, and with full fiduciary responsibility, otherwise.