IT Security and the Art of Saying ‘No’
The widespread adoption of cloud-based systems has elevated their importance to daily business transactions. As a result, threats from cybercriminals have also grown dramatically. The breech of Target’s IT systems points out the undeniable vulnerability of organizations, which can damage the business and cause a loss of customer faith in the safekeeping of sensitive information.
The “cloud” phenomenon is now gaining traction in local government. Cities and counties are moving many of their mission critical applications (e.g., ERP, GIS, and Court Case Management) to the cloud. Traditionally, local government IT organizations have deployed fairly straightforward security protocols, mostly at the outer edges of the organizations. This has sufficed since many of the systems in local government operate with legacy-based applications and databases that are mostly out of the realm of attack or access by cybercriminals. The transition to the cloud will change this status quo, as well as the way that IT interacts with users regarding securing these systems.
IT organizations wanting to provide full access to their users and at times have been lax in enforcing stringent security protocols; however as critical data becomes more exposed, IT must become more vigilant controlling information access. They must learn the art of saying, “No.” Users accustomed to a free reign on the use of “their” systems will react when IT implements draconian rules on the use of systems. The IT organization may be viewed as inhibiting progress, and even limiting the ability of City Management to interact with their constituents. This uncomfortable situation may be disastrous to an IT manager.
In order to effectively manage the transition, IT departments must educate their users to the evolving risks, and work with management to ensure they understand the shared responsibility. IT must also invest in technologies that allow them to centrally secure and monitor access points, such as wireless and mobile device management. Network management staff must also be motivated to adopt a much greater role to information security management, rather than just periodic firewall configuration changes.
As in any sales process, the IT manager must communicate as to why “No” is the first step to facilitating “Yes” through proactive technology management.
Partner, Sciens Consulting