Information Security and IT Leadership Business Accountability

Information Security and IT Leadership Business Accountability

IT leadership get aligned.

In my last article, I discussed the need for IT leadership to start transitioning accountability to the business, but I primarily focused on security-related aspects of this transition. In this article, I highlight broader IT-related culture and process changes that can help organizations begin to deliver greater capabilities by engaging with the business. Since security is now top-of-mind within IT and the business, it naturally benefits from this transition.

Becoming a business focused IT department requires a holistic change in approach throughout several areas of IT. Plus, it will require strong commitment and IT leadership throughout the organization to drive and enforce business unit accountability around technology decisions. In many situations, business units are more than willing to choose the types of solutions they want to use, but they are unwilling to engage in risk-based discussions around those choices. Therefore, processes changes must be implemented to ensure an equal mix of controls exist for both IT and the business.

Adapting existing IT project management methodologies to include the business requires considerable effort, but projects today drive most IT efforts around new solutions. Therefore, developing strong partnerships with the business throughout an entire project helps place accountability with the business while also ensuring IT understands requirements and delivers the appropriate solution for the business. If the business is not engaged throughout the entire project and held accountable through various stages of the project, the chances of accomplishing the goal of business-focused IT will not be realized.

Obviously, there are issues that can occur with Shadow IT outside of projects, but you need to start creating formalized processes that pull the business in and establish business relationships so you have visibility to all their needs. Through stronger engagement and partnering, Shadow IT will slowly fade, but it will require ongoing engagement from IT to ensure Shadow IT will not return.

Within strategy roadmaps and project delivery, there are several IT-related capabilities that must mature and become intertwined in order to improve business accountability. These include:

  • Enterprise architecture/Standards
  • Information security
  • IT Business partner functional development
  • IT Leadership

Enterprise Architecture/Standards

Without established architecture standards defined, it will be difficult to gain trust in the business when IT leaders question a proposed business solution. Educating the business on basic technology standards and reasons behind those standards (in financial and risk-related terms), will help them understand why certain technologies might not be a good fit for the organization. Defined architectural standards provide an easy cheat sheet for business units to use when they venture off and look at solutions on their own.

Security needs to be engaged with architecture so that security requirements and standards are also defined. This will also help educate the business and relieve some of the “bad guy” stigma surrounding the security team.

Information Security

Along with defining security standards, security personnel need to be engaged early on in any solution discussion. Security questions that focus on access, authentication, encryption, process changes, DR, integration with existing IAM or other security technologies and compliance concerns are all-important. If business users are not involved during an actual vendor/product evaluation, it is very beneficial for the security team to brief the business users on all of these topics and how specific risks could impact their business. These reviews need to be formally embedded in SDLC/project methodologies. An escalation procedure should be defined so a specific role/person is ultimately accountable for accepting or declining risk when the business does not agree with the answer from the security team.

Of greater importance is the need for security professionals to speak in risk terms and offer alternatives and compensating controls when a solution might not meet all of the requirements on paper. Often times, security professionals take the black or white approach to evaluating security, which ultimately builds barriers between themselves and the business and even IT.

IT Business Partners

An IT business partner is a growing role in organizations today, and it is important to implement this type of function to ensure business requirements are translated appropriately to IT. A business partner does not necessarily need to be a full-time, defined position, but it should be a functional duty within IT to build business relationships and understand business processes. These business partners should help enforce accountability within the business as well as manage IT effectively so that IT delivers business capabilities rather than just technology.

IT Leadership

In order to become closely aligned with the business, IT leadership must take the lead to sell the benefits of a business approach. At the same time, IT leadership must be strong enough to say no to the business when appropriate. Gathering support from C-level executives and other business unit leadership will be required to reach this vision, but it will ultimately benefit the organization by lowering risk, placing some accountability in the hands of the business and ensuring they have some skin in the game to help deliver projects successfully.

Tighter business and IT alignment is needed today in order for businesses to compete. IT leadership needs to loosen the reins of control around solution decisions and pull the business into IT projects so risk is reduced and business needs are met. Engaging the business will force them to be accountable throughout the initial project and beyond. It will also reduce finger pointing when projects go awry.​

identity management analysts white paper. Get the Free KuppingerCole Identity Management Analyst White Paper

Learn the role IT automation and business driven self-service administration play in creating lean operations. KuppingerCole’s Assignment Management — Think Beyond Access describes the shift in IT operations from tightly controlled identity management processes to workflow enabled administration.

Request the White Paper

Written by Ryan Ward

Ryan Ward is CISO at Avatier, responsible for security initiatives as well as strategic direction of IAM and security products. A sixteen-year veteran of the security industry, Ward comes to Avatier after five years with MillerCoors where he served as Enterprise Security Manager of the brewing company and USA Information Security Officer for the public company SABMiller. In those positions Ward was responsible for all Information Security initiatives for MillerCoors. Prior to MillerCoors, he served as Senior Information Security Leader at Perot Systems while supporting the Wolters Kluwer account. He previously held the position of Vice President of Information Systems for Allscripts. Ryan is also a Certified Information Systems Auditor (CISA) and a Certified Information Systems Security Professional (CISSP).