Written by Chuck Leaver, Ziften CEO
If your enterprise computing environment is not properly managed, there is no way that it can be completely secure. And you cannot effectively manage those complex enterprise systems unless you are confident that they are secure.
Some might call this a chicken-and-egg situation, where you don’t know where to begin. Should you start with security? Or should you begin with system management? That’s the wrong approach. Think of this instead like Reese’s Peanut Butter Cups: It’s not chocolate first. It’s not peanut butter first. Instead, both are mixed together – and treated as a single delicious treat.
Many companies, I would argue too many, are structured with an IT management department reporting to a CIO, and with a security management group reporting to a CISO. The CIO team and the CISO team do not know each other, talk to each other only when absolutely necessary, have separate budgets, certainly have different goals, read different reports, and use different management platforms. On a day-to-day basis, what constitutes a task, an issue or an alert for one team flies completely under the other team’s radar.
That’s not good, because both the IT and security teams have to make assumptions. The IT team assumes that all assets are secure, unless somebody tells them otherwise. For instance, they assume that devices and applications have not been compromised, users have not escalated their privileges, and so on. Likewise, the security team assumes that the servers, desktops, and mobile devices are working properly, operating systems and apps are up to date, patches have been applied, etc.
Given that the CIO and CISO teams aren’t talking to each other, do not understand each other’s roles and goals, and aren’t using the same tools, those assumptions might not be correct.
And once again, you can’t have a secure environment unless that environment is properly managed – and you cannot manage that environment unless it’s secure. Or to put it another way: An environment that is not secure makes anything you do in the IT organization suspect and unimportant, and means that you cannot know whether the information you are seeing is correct or controlled. It might all be fake news.
How to Bridge the IT / Security Gap
How do you bridge that gap? It sounds simple but it can be difficult: Ensure that there is an umbrella covering both the IT and security teams. Both IT and security report to the same person or organization somewhere. It might be the CIO, it might be the CFO, it might be the CEO. For the sake of argument here, let’s say it’s the CFO.
If the company does not have a secure environment, and there’s a breach, the value of the brand and the company may be reduced to nothing. Likewise, if the users, devices, infrastructure, applications, and data aren’t managed well, the company cannot operate effectively, and the value drops. As we’ve discussed, if it’s not properly managed, it cannot be secured, and if it’s not secure, it cannot be well managed.
The fiduciary responsibility of senior executives (like the CFO) is to protect the value of company assets, which means making sure IT and security talk to each other, understand each other’s priorities, and if possible, can see the same reports and data – filtered and displayed to be meaningful to their specific areas of responsibility.
That’s the thinking that we adopted in the design of our Zenith platform. It’s not a security management tool with IT capabilities, and it’s not an IT management tool with security capabilities. No, it’s a Peanut Butter Cup, designed equally around chocolate and peanut butter. To be less confectionery, Zenith is an umbrella that gives IT teams what they need to do their jobs, and gives security teams what they need as well – without coverage gaps that could undermine assumptions about the state of enterprise security and IT management.
We have to make sure that our business’s IT infrastructure is built on a secure foundation – and also that our security is implemented on a well-managed base of hardware, infrastructure, software applications and users. We can’t operate at peak efficiency, and with full fiduciary responsibility, otherwise.