Featured Opinion: Q&A: Getting IT security to reach company goals
by Marcia J. Wilson, CCSP Staff Writer
May 04, 2004
(Reprinted from August 21, 2003.) Creating a line of sight to reach corporate goals and objectives can result in synergy such that the total effect is greater than the sum of the individual effects. We all get excited about different things. Imagine if we were all excited about the same thing; we could move in the same direction and possibly move mountains.
Mission, vision, values, strategic direction, goals and objectives may be words in the CSO's or CIO's vocabulary, but they aren't commonly heard in the halls of information security departments. The concept of IT security governance is gaining visibility. Security governance, especially in light of laws such as the Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act, needs to become a high priority. The implication is that IT security needs to be invited to the executive roundtable.
Every football team knows that the goal of the team is to win. Each player knows what he needs to do to achieve that goal. How does each player know what his role is? On a corporate level, why doesn't the IT security administrator know his role in meeting company goals? Someone needs to have the responsibility of explaining the company's corporate objectives and then informing each employee of his role in achieving them.
I had the opportunity to discuss this topic with an organizational design consultant, , president of Coastwise Consulting Inc. Her firm helps IT companies develop competitive advantage by leveraging organization design, goal alignment and collaboration.
Why do IT, and therefore security departments, have such a tough time aligning with a company's corporate goals and objectives?

IT and security are not unique in this regard. Many functions have this problem. Corporate goals aren't always clear. Companies are hoping that each department will set its goals and it will all add up. If you believe in synergy, using scarce resources focused on specific targets, companies will get better results if they make an investment in how to do this.
Specifically, there is ambivalence about the place of IT and security in large corporations. If your system goes down because of a security incident or a systems failure, your whole business can tank. As an example, Company X was in the process of converting to an ERP system and created a whole function to manage the transition. On paper they did everything right, but what was happening was that managers were actually covering for, signing off on, things that were required (i.e., training). When they went to do the installation or cutover to the new system, the entire manufacturing function became gridlocked. Transactions were taking minutes instead of nanoseconds. Do companywide implementations fail because of goal-alignment issues? Maybe. If implementing a new ERP system or a new enterprisewide security system is a major objective, what happens when you don't have enough collaboration between IT, security and the rest of the company? Because other functions are completely reliant on IT systems, giving the CIO potentially enormous amounts of power, counterdependence often surfaces.
Similarly, the CSO determines who gets access to what, which is another unfamiliar power silo. Historically, IT has been a service function, which means CIOs are accustomed to asking, "How high?" and "What can I do for you?" instead of mandating change. For example, say Company X has 350 custom applications. A major goal of improving operational efficiency includes shifting toward a smaller number of enterprise custom applications via a CRM or ERP solution. You can see a lot of IT strategy, but the trouble is that the business does not want to give up their custom legacy applications.
In the same way, security may have an enterprise security solution implementation on the books, which may restrict access where none existed before, and may have new policies and procedures that feel like a hindrance to the business. The businesses, being the main clients of IT and security, are used to throwing money in the pot to get their custom modifications done, or using back doors to get what they want. Designers and security administrators may be flattered to be involved in such collusion, and besides, it's cool. The major problem here is that with enterprisewide platforms and systems, this kind of process just doesn't work. It's the platform that dictates what can or cannot be done, not individuals. Collusion gets crippled. Maybe that's a good thing.
How do you get everyone to play in the sandbox together?

If you have some process to create alignment among various organizations and functions, by definition you have exposed yourself to conflict. High-level guys frequently want to call their own shots and run their own business and don't particularly want to be aligned. Even if they do, or the CEO insists, not everyone will be in agreement. You will end up with a system of conflict, and you will have to be able to sort it out or you will finally give a wink and a nod.
Another issue that seriously impacts goal alignment is getting the right people on the bus. If you don't do that, no one should be surprised when you don't get goal alignment. You want team players, not lone rangers. Another reason why goal alignment is so hard is that it can't happen in isolation. You have to consider what the CEO's agenda, the board's agenda and other stakeholders' agendas are. Nobody is a free agent anymore, everything is changing so fast, and all it takes is something in the external environment to shift and all the agreements get undone or unravel. It's a tough world out there. If senior staff is committed to goal alignment and synergy as a way to create competitive advantage, you have to have processes in place in order to be able to make the adjustments when a shift occurs.
Security is the 500-pound gorilla, and nobody likes big gorillas, especially if you think the gorilla is there to serve. If you want to run on enterprisewide platforms, whether it is IT- or security-related, there must be conformity. One reason why big ERP implementations don't work is because the way people work and interact has to change to mirror the system. Rearranging and renegotiating all those relationships, and more importantly, teaching people to work differently, is an enormously complex task. Goal alignment is hard and it takes time, and no one wants to take the time.
And then there is culture. If you are individualistic and entrepreneurial, you don't like to conform. ERP systems, like SIM [security information management] systems, require conformance. The promise of ERP is significant ROI, and you just can't get the ROI, even with a big consulting company doing the implementation, without seriously attending to the business of people. The reality is that you can't move large complex systems as fast as you'd like, and people, in particular, do not move at the speed of light or at the same rate of change as technology.
Is the problem with people, process or technology?

Organizations rarely fail because of problems with the technology. Usually the failure has something to do with the nontechnical side of things—management competence or the design of the organization misaligned with the purpose and goals of the organization.
Due to the globalization of organizations and the accompanying technical complexity, organizations have also become more complex. The average line manager in a technical area finds it hard enough to stay current in his or her area of expertise. Few line managers have the time to pay attention to human and organization systems thinking. But that's what makes it possible to run a successful organization for the long term. If what you want is sustainability, you have to understand how to use your organizational capabilities as a source of competitive advantage.
Marcia J. Wilson holds the CISSP designation and is the founder and CEO of Wilson Secure LLC, a company focused on providing independent network security assessment and risk analysis. She is also a freelance columnist for Computerworld and SecurityFocus.
She can be reached at . Corporate website: wilsonsecure.com
Copyright ©Marcia J. Wilson All Rights Reserved 2004.
Posted on Tuesday, 04 May 2004 @ 10:00:00 EDT by cj