I’m a security professional, but I’m also an MBA graduate and student of organizational design and behavior. It’s my business background that has shed the light on a few major trends that are changing organizations as we speak. Like most major changes, they are happening at an incremental pace, and not obvious to the naked eye. But they represent a tectonic shift that will define how security professionals operate in the decades ahead.
Consider, for example, the fragmentation of centralized IT. Today, more and more IT services are delivered by technologists embedded within business units, not via centralized IT organizations run by all-powerful CIOs. This used to be referred to and dismissed as “shadow IT.” But what might have been thought of as a rogue operation is now an accepted approach to delivering IT services across the enterprise.
Several trends are combining to accelerate this metamorphosis. Topping the list is the adoption of outsourced cloud services. Cloud services are bought and implemented by business chiefs without the prior approval or buy-in of CIOs – think salesforce.com being contracted by a VP of sales, or online job application SaaS platforms being adopted by HR. Couple the cloud transition with the consensus for businesses to move faster, embodied in system and product development delivered via Agile and DevOps approaches.
Goodbye to Imperial CIOs
The old model of centralized IT and business units with well-defined organizational boundaries are changing by embedding IT production inside the business units via cross-functional teams that spin up and spin down as projects begin and end. A likely outcome of this change is the gradual weakening of what I call “the imperial CIO” – the all-powerful IT leader who can drive business agendas and tolerate long-term development cycles for key business projects.
The challenge for security professionals will be to recognize this dispersal of centralized IT and to adapt a coverage model for security services that reflect the new reality. Perhaps the highest priority will be to stay close to business initiatives and company-wide capital expenditure (CAPEX) projects to understand how new operating models and technology platforms will need to be secured. These are typically well-funded, have CEO support, and provide the opportunity for security professionals to embed protections early in the development process to get upstream of potential weakness. This means strengthening relationships with business line owners and provides security leaders the opportunity to add value on important projects instead of being perceived as saying “no” to potential risks.
In addition to fragmentation, organizations are restructuring to be more project- and product-driven. This complexity will strain static identity management constructs, and put positive pressure on security leaders to understand who is doing what, what they need to access to be successful, and when they need to be deprovisioned afterwards. Simply put, security leaders need to better understand where security functions are needed, irrespective of organizational charts, and focus even more on embedding security protections at the earliest stage of the project. More broadly, we need to adapt for change, or to steal a popular metaphor in use in business circles, to skate where the puck is headed.
The Faster Tempo of Business
Competitive pressures, breathtaking technological changes, and a variety of other external pressures have increased the pace of business substantially. This speed is embodied along a progression of two steps. First, organizations are moving from inflexible waterfall methods to Agile development methods in order to better integrate application development and business concerns. The second step is the onward evolution of DevOps where Agile developers break down barriers between the development and operations teams. Automating the entire software development process from code commit to deployment highlights how DevOps approaches can further squeeze cycles out of the software deployment process.
These changes represent a challenge and an opportunity to security leaders because they turn the existing ‘waterfall’ approach to software development upside down. It will be more important for security leaders to make sure they are invited to the earliest design meetings, so they can inject security use cases into the software development process. Up front security guidance will be needed because opportunities to test new features before they get deployed may simply not exist. Instead of 11th-hour vulnerability scans before products go live, we now have an opportunity to architect in security scans, getting upstream of the deployment process. Finally, security experts should focus more energy on identifying attack patterns in live environments.
The Evolving Worker
In the not too distant past, most companies were staffed by employees, or what we now call FTEs (full time equivalents) or “badged” employees. That employment model mirrored the relatively static nature of the enterprise networking environment that security was tasked to protect. A defined network perimeter protected everyone inside the network from outside the network. Today’s employment model has turned this upside down. Now you have full-time employees, part-time employees, temp-to-perm hires, long-term contactors, short-term staff augmentation, offshore resources, interns, and other types of employment categories that your HR department can describe for you. To make matters more confusing, internal organizations are changing to be more project and product-based, reflecting the fluid nature of the business itself.
For the security worker, the challenge will be to identify who has access to what, when. An evolving organization drives more complex identity management, which is the foundation and starting point for security. But it will also demand tighter coordination with the business to understand how employment and contract roles have changed in order to harmonize access controls. Supporting project-based IT capabilities that are built up and torn down on a weekly basis is also key to adapting. The SharePoint collaboration site to support the CEO’s secret M&A project is a good example of this type of quick requirement capability. Understanding how and when to turn off access to protect the business will also be increasingly important in this ever-changing environment.
The businesses we serve as security practitioners are changing at a faster pace today than at any other time since technology was introduced in the 1980’s. Some changes are obvious, others less so. Savvy security leaders must learn to take advantage of these changes to further security goals and to protect their evolving organizations.