Written by Charles Leaver, Ziften CEO
If your enterprise computing environment is not properly managed, there is no way it can be truly secure. And you cannot successfully manage those intricate business systems unless you have confidence that they are secure.
Some may call this a chicken-and-egg situation, where you do not know where to start. Should you start with security? Or should you begin with systems management? That is the wrong way to frame it. Think of it instead like Reese’s Peanut Butter Cups: it is not chocolate first, and it is not peanut butter first. Both are mixed together – and enjoyed as a single delicious treat.
Many companies, I would argue a great many organizations, are structured with an IT management department reporting to a CIO and a security team reporting to a CISO. The CIO’s team and the CISO’s team do not know each other, talk to each other only when absolutely necessary, have separate budgets, certainly have different priorities, read different reports, and use different management platforms. On a day-to-day basis, what constitutes a task, an issue or an alert for one team flies completely under the other team’s radar.
That is bad, because both the IT and security teams are forced to make assumptions. The IT team assumes that all assets are secure unless someone tells them otherwise: for instance, that devices and applications have not been compromised, that users have not escalated their privileges, and so on. Likewise, the security team assumes that servers, desktops and mobile devices are working properly, that operating systems and applications are up to date, that patches have been applied, and so on.
Given that the CIO and CISO teams are not talking to each other, do not understand each other’s roles and goals, and are not using the same tools, those assumptions may not hold.
And again, you cannot have a secure environment unless that environment is properly managed – and you cannot manage that environment unless it is secure. To put it another way: an environment that is not secure makes everything the IT organization does suspect and irrelevant, because you cannot know whether the information you are seeing is accurate or under someone else’s control. It may all be fake news.
How to Bridge the IT / Security Gap
How do you bridge that gap? It sounds simple but can be hard in practice: make sure there is an umbrella covering both the IT and security teams, so that both report to the same individual or structure somewhere. It might be the CIO, it might be the CFO, it might be the CEO. For the sake of argument, let’s say it is the CFO.
If the business does not have a secure environment and there is a breach, the value of the brand and the business can drop to zero. Likewise, if the users, devices, infrastructure, applications and data are not managed well, the business cannot operate effectively, and its value drops. As discussed above, if it is not properly managed it cannot be secured, and if it is not secured it cannot be well managed.
The fiduciary duty of senior executives (such as the CFO) is to protect the value of company assets. That means making sure IT and security talk to each other, understand each other’s concerns, and, where possible, see the same reports and data – filtered and presented so that they are meaningful to each team’s specific area of responsibility.
That is the thinking we adopted in designing our Zenith platform. It is not a security management tool with IT capabilities, and it is not an IT management tool with security capabilities. It is a Peanut Butter Cup, built equally around chocolate and peanut butter. To be less confectionery about it: Zenith is an umbrella that gives IT teams what they need to do their jobs and gives security teams exactly what they need as well – without coverage gaps that could undermine assumptions about the state of the business’s security and IT management.
We have to make sure that our business’s IT infrastructure is built on a secure foundation – and that our security is implemented on a well-managed base of hardware, infrastructure, software applications and users. We cannot operate at peak performance, or fully discharge our fiduciary duty, otherwise.