For far too long, information technology departments have been deploying solutions that are overly technical and that require ongoing involvement from IT to maintain. As changes are needed in these enterprise applications, distinct projects are often required just to update the solution to meet ever-changing business requirements, because the solutions were not built with business accountability in mind. This often leads to difficult prioritization decisions between investments in application management and investments in new solutions. To meet business efficiency and growth requirements, information technology departments need to adopt a mindset of building processes and solutions where the business is ultimately accountable for its desired solutions and information.
There are still considerable gaps between the archaic capabilities of Enterprise IT solutions and the latest Internet-based applications business users personally leverage on a daily basis. Evidence of these cumbersome internal enterprise apps is often revealed when you contact a support line or customer service number and the operator begins complaining about the application they must use. I know I have heard complaints such as, "Sorry, I can't seem to find your information" or "My system is running slow" or "I do not have access to that right now, so I will need to get my manager to assist."
A great first step in moving toward business-centric solutions is to focus on investing in applications with intuitive interfaces even if this means losing one or two complex features. If your grandma and grandpa (or great grandma and great grandpa) can order products from Amazon.com or eBay, think how efficient intuitive business applications could be with business users at the helm. This includes the security components of the application.
If there is one aspect of IT accountability that should definitely reside in the business, it is the act of approving access to business applications. Organizations that still rely on a central security administration team to approve and grant access requests are feeling the pain during every audit. This approach is outdated. It is illogical to think a security admin has enough information about users, the users' functional roles, and the requested business application functionality to appropriately grant access for every worker. Access approvals must reside in the business to ensure appropriate access is granted. The most effective approach is to assign application owners for each application and make them accountable for approving requests to their applications.
IT rarely knows how to make the appropriate decisions about access to applications, so it simply mirrors other users in similar functions or rubber-stamps the approval in order to grant the access. This increases the likelihood of inappropriate access and can also result in Segregation of Duties conflicts as people move throughout the company and accumulate additional access.
Assigning business application owners and holding them accountable for approving access requests to their applications is a big win for security. While it helps ensure all new requests for access are appropriate, it also provides a foundation for performing access certifications. Almost every security audit today asks when the last access certification occurred. Once application owners are assigned to audited applications, those owners can be responsible for performing the certification. This takes the burden off IT and places it in the hands of the business owners who truly understand who should have access to their information.
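The owner-based approval workflow, the Segregation of Duties check described in the previous paragraph, and the access certification described here can be modeled in a few dozen lines. The following is an added example written for this page, not code from the author or from Avatier; every application name, owner, user and SoD rule in it is constructed sample data, and the function names are assumptions. Its point is that an access request can only ever be decided by the application's named business owner (an unowned application cannot even be routed), that a grant which would create an SoD conflict is blocked rather than mirrored from a peer, and that a certification campaign is cut by owner so each owner reviews only the access they are accountable for.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample data (not from the article): application -> business owner.
APP_OWNERS = {
    "payroll": "alice",        # HR director owns payroll
    "gl-post": "bob",          # controller owns general-ledger posting
    "vendor-master": "bob",    # controller also owns vendor master data
}

# Constructed SoD rules: entitlement pairs one person must never hold together
# (creating a vendor AND posting payments to it is the classic toxic pair).
SOD_RULES = [frozenset({"vendor-master", "gl-post"})]


@dataclass
class AccessRequest:
    user: str
    app: str
    approver: Optional[str] = None   # filled in by route_request()
    decision: Optional[str] = None   # "granted", "denied" or "blocked-sod"


@dataclass
class AccessStore:
    grants: dict = field(default_factory=dict)   # user -> set of apps held

    def apps_for(self, user):
        return set(self.grants.get(user, set()))


def route_request(req):
    """Route a request to the application's business owner, never to IT."""
    owner = APP_OWNERS.get(req.app)
    if owner is None:
        raise LookupError(f"{req.app} has no assigned business owner; assign one before routing")
    req.approver = owner
    return req


def sod_conflicts(apps):
    """Return the SoD rules violated by holding this combination of applications."""
    held = set(apps)
    return [rule for rule in SOD_RULES if rule <= held]


def decide(store, req, acting_user, approve):
    """Record the owner's decision. Only the routed owner may act, and a grant that
    would create an SoD conflict with access the user already holds is blocked."""
    if acting_user != req.approver:
        raise PermissionError(f"{acting_user} is not the owner of {req.app}")
    if not approve:
        req.decision = "denied"
        return req
    if sod_conflicts(store.apps_for(req.user) | {req.app}):
        req.decision = "blocked-sod"
        return req
    store.grants.setdefault(req.user, set()).add(req.app)
    req.decision = "granted"
    return req


def certification_campaign(store):
    """Group current grants by owner, so each owner certifies only their own apps."""
    campaign = {}
    for user, apps in store.grants.items():
        for app in apps:
            campaign.setdefault(APP_OWNERS[app], {}).setdefault(app, []).append(user)
    return {o: {a: sorted(u) for a, u in apps.items()} for o, apps in campaign.items()}


def certify(store, owner, app, keep_users):
    """Apply an owner's certification result: anyone not on the keep list loses
    the application. Returns the sorted list of users whose access was revoked."""
    if APP_OWNERS.get(app) != owner:
        raise PermissionError(f"{owner} is not the owner of {app}")
    revoked = []
    for user, apps in store.grants.items():
        if app in apps and user not in keep_users:
            apps.discard(app)
            revoked.append(user)
    return sorted(revoked)


def demo():
    """Walk through two requests, one SoD block, a campaign and a revocation."""
    store = AccessStore()
    r1 = decide(store, route_request(AccessRequest("carol", "vendor-master")), "bob", True)
    r2 = decide(store, route_request(AccessRequest("carol", "gl-post")), "bob", True)
    r3 = decide(store, route_request(AccessRequest("dave", "payroll")), "alice", True)
    campaign = certification_campaign(store)
    revoked = certify(store, "alice", "payroll", keep_users=set())
    return r1.decision, r2.decision, r3.decision, campaign, revoked


if __name__ == "__main__":
    print(demo())
```

In `demo()`, carol's second request is blocked because she already holds `vendor-master`, and the campaign hands alice only `payroll` and bob only `vendor-master`; when alice keeps nobody, dave's payroll access is revoked. A request for an application missing from `APP_OWNERS` raises before it can reach anyone, which is the enforcement point for "assign an owner for every application".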
CIOs need to adapt and put accountability in the hands of the business in order to thrive in today's world. This holds true for ongoing management of applications as well as workflow-related aspects of security approvals. While the future will trend toward allowing the business to fully manage their apps, a quick win today is to force the business to be accountable for access to their apps. Gain support for business approvers, and you will establish a framework for greater capabilities to come.
About the Author
Ryan Ward is CISO at Avatier. He is responsible for security initiatives as well as strategic direction of IAM and security products. A sixteen-year veteran of the security industry, Ward comes to Avatier after five years with MillerCoors where he served as Enterprise Security Manager of the brewing company and USA Information Security Officer for the public company SABMiller. In those positions Ward was responsible for all Information Security initiatives for MillerCoors. Prior to MillerCoors, he served as Senior Information Security Leader at Perot Systems while supporting the Wolters Kluwer account. He previously held the position of Vice President of Information Systems for Allscripts. Ryan is also a Certified Information Systems Auditor (CISA) and a Certified Information Systems Security Professional (CISSP).