IT Best Practices
Safety First: Information Security
Executives often remind their operations teams of "Safety First": prevent team member injuries, avoid injuries to others, and accidents that damage assets. This is applies to the CIO and the technology team as well: "Information Security First." Regardless of your IT architecture and environment, you are prone to some form of attack. Breaches can be disruptive to operations, costly in remediation, deadly to reputation and destructive to your infrastructure. So, it is incumbent on all IT leaders to put Information Security first.
Once upon a time it was sufficient to secure the perimeter of the enterprise with firewalls, VPNs, and anti-virus software. Now, not everything runs in your data center where those strategies applied. With cloud architectures and multiple hosting locations for applications, new strategies have to be deployed. Intrusion detection needs to be running within your network; data analytical needs to be developed to recognize odd patterns of behavior. Securing the perimeter is still essential but not sufficient.
Next, it is critical that the IT organization execute a continuos educational campaign to help the team understand their important role in Information Security. "Social Engineering" attacks remain a primary intrusion method and they allow an attacker to skirt all the perimeter, intrusion defenses you put in place. Phishing, password attacks, trojans, and more can lead to random-ware attacks, data breaches, and more.
Information security professionals then need to "Secure the Vault": lock down servers, data repositories (such as customer data, HIPAA data, credit cards), and all network devices to ensure that if someone does breach the perimeter or gain access via Social Engineering techniques, they cannot take control or access production systems. This means patching and maintaining all operation systems, using encryption technologies appropriately, and adding additional intrusion or analytical techniques as appropriate. Underlying all of this is series of checks and balances to minimize human error that would introduce vulnerability or exposure assets.
Continuing, the Information Security team has to work with application development teams, software vendors, solution providers to embed appropriate controls into the fabric of the network and the applications themselves. Again, as architectures move to hybrid models of cloud, services, artificial intelligence, and more, the complexity of the solution grows.
Finally, an Incident Response Team and protocol needs to be established, and rehearsed. In larger organizations, this would include representatives from the legal, public relations, perhaps HR department (depending on the nature of the incident), operations, and the IT community.
It is our belief that Information Security must be visible to the highest level of an organization: the Board of Directors, the Executive Committee, or perhaps the owner of a private enterprise. Security strategy and plans should be presented annually. Attack, repel, breach, remediation reporting should be done on a recurring and frequent basis (weekly, bi-weekly or monthly). And the function needs to be appropriately funded and staffed.
It does not matter how good the features and functionality of your software applications are if the systems are not highly reliable, and responsive. Making sure the business, and your customers, can count on the your systems is absolutely critical and must be priority.
This means prioritizing work that is not sexy nor glamorous. Sometimes it means using your political capital to tell the business "No, we can't add those features until we complete this infrastructure work." It means building the importance of reliability into the IT culture. Here are a few techniques to help.
Create processes to log, measure and catalog incidents impacting availability or system performance. Develop metrics and objectives to re-enforce the importance of reliability and performance. Conduct monthly (or more frequently) review meetings to ensure remediation is completed, and future incidents are avoided. The objectives and the review sessions will help build this into the organization's culture.
Instrument applications, servers and network components to be able to proactively monitor and measure performance. Create a dedicated team to monitor the systems and empower them to take proactive measures as needed.
Publish availability and system/network performance measures to the business. Transparency is important. When they see a pattern of strong performance, infrequent issues or outages can then be placed in perspective.
Make sure that mission critical systems are backed up and a recovery plan (whether a disaster recovery site or a business continuity plan)are created, and rehearsed. Not every application has to be immediately available if disaster strikes. Work with the business to ensure the right systems are prioritized for recovery. If redundancy or a disaster site are too costly, make sure there are alternative business continuity plans.
IT Best Practices
Reliability and Performance
Each IT organization needs to be aligned with their business counter parts at each level of the organizational hierarchy. This alignment means IT must understand the priorities of the business; the business must understand the constraints faced by IT - - - resource limitations, budget, competing priorities, regulatory and legal initiatives, and infrastructure needs.
One tool to use to is a ratio of how IT resources are deployed to support the ongoing business (Run the Business) versus IT resources dedicated to work on new capabilities and initiatives (Change the Business). Providing transparency to how IT investment is used helps alignment, and can help in the governance process to drive priorities to the Change the Business side.
Another critical element to ensure business-IT alignment is to create joint governance structures where business and IT manage priorities together. The governance process should include both prioritization of projects and oversight of project progress through main phase gate reviews. It does no good to only prioritize projects and pour more and more work into a funnel. The governance committees must ensure that projects are flowing through the process and exiting, hopefully on schedule and budget!