James Turner

Identity management projects do not have a good reputation for successful delivery. Too often, the final implementation fails to live up to promises. Identity management projects can deliver genuine value to a business, including: compliance with regulation, improving customer satisfaction, or reducing risk. But if the business is not driving the project, then the project is probably off the rails and heading for failure. In this situation, CIOs must seriously consider terminating the project because a project not driven by the business is one being imposed on it – it is the tail wagging the dog.

IT security strategies are an invaluable resource as a means of coordinating security efforts and in improving funding approval for security projects – because they can be shown to be following a coherent consistent strategy. The process to create them is an overlooked source of value for the information that it uncovers. An IT security strategy must be closely aligned with what the business believes its security and risk priorities to be. The process of uncovering business impact against various systems is likely to bring up unexpected gaps in knowledge for both IT and the business, and it is here you will find additional gold.

Patching is now considered a standard part of IT operations. Vendors release patches either to mitigate against new risks, or to introduce new functionality. However, the application of a patch can not only result in the intended outcome (risk mitigation or expanded functionality), it can also have unintended consequences. Organisations looking at creating a patching strategy should ensure that the business stakeholders are clear on the potential impact of both patching, and non-patching. Either choice carries risk. What will make the difference for organisations are security professionals who can crisply articulate the balance of these technical risks as they pertain to the business requirements of the organisation.

Up to this point I’ve been a supporter of data breach notification. Coming at the issue as an industry analyst, I think that transparent information on the local experience of data breaches (such as what information is targeted by attackers, how much it costs a company to deal with a breach, the frequency of breaches, the avenues of attack, and so on) would be extremely valuable to the...

As cloud services - typically Software as a Service - become increasingly accepted, the IT industry is gaining valuable experience in the actual risks of putting data in the cloud. Most of these risks centre around data confidentiality. Knowing the actual risks, rather than the fear, uncertainty and doubt that vendors and security consultants can throw at the cloud, enables CIOs to make informed choices and recommendations to the business on cloud usage.

Whether in the domain of IT security, or in corporate fraud, when an organisation has been successfully attacked, what makes the difference is knowing that the attack occurred, and knowing as soon as possible. For organisations working to make their IT security budget go further, having a third party service provider check security logs is proving to be a cost effective form of selective outsourcing. Of course, this service doesn’t make an organisation perfectly secure, but early knowledge is vital to incident response and loss minimisation.

Organisations are finding that there are potentially many benefits to deploying a single smartcard that can perform multiple functions. A unified smartcard carries the possibility to reduce costs, improve security, and improve user experience. However, the complexity of a smartcard deployment is a function of the number of business units and processes that will be touched, and so thorough research and planning is essential. Strong political will from an executive sponsor is also imperative to success, and can be generated with a business case that is explicit on what the intention, and ranked objectives, of the deployment are.

Despite the apparent value of the DSD’s Top 35 Mitigation Strategies report, organisations considering executing its recommendations will have to weigh up the business impact of implementation. In some instances, a mitigation strategy may be too intrusive on business operations. For some, the cost of ongoing support may be too high. However, the most significant barrier will be communicating risk to the business, and the need for a given strategy (particularly the more intrusive ones!). In order to realise the benefits of this resource in improving an organisation’s security posture, the report will need to be translated into business impact in order to gain executive buy-in.

Tim Cook, the new CEO at Apple, is noted for his excellence at managing Apple’s supply chain, and while he has spoken about engagement with the enterprise space, this will only be a token gesture from Apple. Enterprise IT does not play to Apple’s strengths. Apple will continue to focus on being great at what it already does: designing for, and selling to, consumers. This presents a challenge for enterprise IT departments because in the absence of meaningful enterprise support from Apple, enterprise IT must aim at negating the impact of any device’s form-factor.

Just as the influx of personally owned mobile devices is reaching a peak in enterprises, there are new options for mobile device management (MDM) which are being driven by three factors. The three factors are: HTML5, Exchange ActiveSync, and carriers moving up the value chain in an IP-centric world. Ultimately, all three options will have appeal to different types of organisations, and different applications. Due to the rate of maturation of these factors, CIOs should expect that an MDM platform deployment will have a shelf life of less than two years.