The IT Security Hot Potato
I recently witnessed a real-life case of the ‘hot potato’ game between IT Security, the Line of Business and Corporate Compliance at one of my long time and loyal customers. The scene, almost as if directed by a Hollywood professional, illustrated the conflicts organizations face when it comes to rolling Identity and Access Governance projects involving many groups.
To set the stage, in my work, I speak with IT and Security personnel whose ultimate goal is to support the business in which their company functions. Whether it is a retailer, bank or an internet company, IT is there to make sure the backend processes are running efficiently and in a timely manner.
In conversations, this is a common discovery: IT doesn’t think its organization is ready to support personal mobile devices (BYOD), yet people are already using their personal tablets to connect to the VPN. Another example: IT doesn’t think its company is ready to move to the cloud, but it finds out that a line of business has recently purchased a new cloud application using a vice president’s corporate AMEX. In both cases, it becomes IT’s job to make sure that corporate standards and regulations are still met, but rarely does IT get more people to handle the growing load.
As a result, IT lets the Business take responsibility when possible. A Ponemon study on cloud security showed that 77 percent of respondents believed that ensuring the security of cloud computing providers was the responsibility of the end users or business unit management. This is where the conflict among the departments arises.
Technology, run by IT, helps organizations in addressing compliance needs when business managers approve employee access. It is part of an Identity and Access Governance solution and the process is usually referred to as ‘user attestation’ (also known as ‘certification’).
User Attestation is a growing requirement of all major regulations like HIPAA, SOX, PCI and now also FERC. The challenge for IT is translating into business terms the IT Security jargon that business managers need to understand. How can you make a business user understand that RACF transaction “SMF12a” allows users to approve payments while “SMF12c” lets them initiate a payment, and that the combination of the two is a Segregation of Duties violation which can end up as an audit finding? If the business is now responsible, how can we bridge this language barrier so IT and the business can easily collaborate?
This issue is not new to organizations. In fact, my colleague Phil Kenney recently blogged about this need as he asked the question: how does IT gain more relevance to the business leaders? One way is to start speaking the same language – or at least provide a dictionary. We need a Business Glossary or a friendly business description instead of showing things in IT terms. For example, instead of “AD Group EX12FIN,” you could show a description of “Expense system for non-managers.”
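To make the two ideas above concrete, here is a small added example (not code from the original post or any product) that renders an attestation review in business terms and flags the SMF12a/SMF12c Segregation of Duties conflict; the glossary, rules and user assignments are constructed sample data.

```python
"""Attestation review with a business glossary and SoD checks.
All data below is constructed for illustration, not from a real system."""

# Business glossary: technical entitlement -> description a manager understands
GLOSSARY = {
    "RACF:SMF12a": "Approve payments",
    "RACF:SMF12c": "Initiate a payment",
    "AD:EX12FIN": "Expense system for non-managers",
}

# Toxic combinations: holding every entitlement in a pair is an SoD violation
SOD_RULES = [("RACF:SMF12c", "RACF:SMF12a")]

# Constructed sample assignments (user -> entitlements)
ASSIGNMENTS = {
    "alice": {"RACF:SMF12a", "RACF:SMF12c", "AD:EX12FIN"},
    "bob": {"AD:EX12FIN"},
    "carol": {"RACF:SMF12a", "AD:NEWGROUP42"},  # no glossary entry yet
}


def describe(entitlement):
    """Prefer the business description; fall back to the raw ID so the
    reviewer can see that the glossary has a gap its owner must fill."""
    return GLOSSARY.get(entitlement, f"{entitlement} (no business description)")


def sod_violations(entitlements):
    """Return the toxic pairs held in full by one user."""
    return [pair for pair in SOD_RULES if set(pair) <= set(entitlements)]


def review_line(user, entitlements):
    """Build the attestation text a business manager would approve or revoke."""
    items = sorted(describe(e) for e in entitlements)
    conflicts = [f"{describe(a)} + {describe(b)}" for a, b in sod_violations(entitlements)]
    return {"user": user, "access": items, "sod_conflicts": conflicts}


def attestation_report(assignments):
    """One review line per user, in a stable order for the certification campaign."""
    return [review_line(u, ents) for u, ents in sorted(assignments.items())]


def missing_glossary(assignments):
    """Entitlements in use that nobody on the business side has described yet."""
    return {e for ents in assignments.values() for e in ents if e not in GLOSSARY}


if __name__ == "__main__":
    for line in attestation_report(ASSIGNMENTS):
        print(line)
    print("Glossary gaps:", sorted(missing_glossary(ASSIGNMENTS)))
```

The `missing_glossary` output is the list that needs a business owner, which is exactly the ownership question the rest of the post turns on.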
When the scene above played out in a real conversation, I explained the benefits of enriching technical entitlements with a business glossary and everybody seemed happy. But then I asked, “Who should be the owner of this business glossary? Who will provide and maintain the data to make sure it is current and relevant?” That’s when the fireworks began.
In the end, we finally recognized that while IT Security can own the process of updating the data within the application, the data has to come from the Business side of the house because they are the ones who can deem it accurate. For example, they know that they need to make sure their employee has access to the expense portal as a non-manager.
However, getting the Business to cooperate in these types of processes can be extremely difficult and can cause some of these processes to fail. This is where we need to get Corporate Compliance to make a strong mandate. It is the cooperation of IT Security, Compliance and the Line of Business that will transform IT silos into meaningful business-relevant actions and operations.
Is this the same in your organization? Comments and feedback are welcome.