Photo: California Chief Information Security Officer Mark Weatherford
How many of you have ever heard someone from a government IT organization say something won't work because "our IT environment is too complex," "we have a different culture here," "we're not organizationally mature enough," or "we're just different"? In my experience, organizations that foster or accept this outlook probably aren't achieving their full potential.
In most enterprise IT organizations, there will always be a few groups or business units that are truly different, but for the most part, I don't think any of them are all that special when it comes to IT. They all manage a network infrastructure, run some applications and process some data. It's not a complicated concept. Granted, at the individual level, the data is unique - with many variations in the data's sensitivity - and the applications vary in scale and scope. But at the macro-infrastructure and service delivery level, it's all essentially the same. Stuff is stuff!
Which brings me to the point: In large government enterprises, why do suborganizations (departments, divisions, boards, etc.) seem to believe that they need to own and manage so much of their own IT infrastructure and service offerings? Are requirements for e-mail service that different from one organization to the next? Training delivery platforms? Data storage? Help- desk infrastructure? In fact, it's interesting to consider whether delivery of e-mail/data storage/training/etc., even qualifies as a core business function of most organizations.
This is a column about information security, so let's get specific. Are the information security products and services required to control, monitor, scan and alert an organization of security deficiencies and vulnerabilities different between organizations? Outside of things like regulatory requirements, such as the Health Insurance Portability and Accountability Act, Payment Card Industry and Sarbanes-Oxley, I say no. Are the Web-application scanning requirements so different between agencies X, Y and Z that they really must buy, maintain and train staff on multiple Web-application scanning products? What about vulnerability scanning tools? How about Internet hygiene? It doesn't make sense to integrate dozens of these tools into the enterprise IT environment when a subset would provide consistent information, superior visibility, added efficiency and greater savings than the ad hoc approach of decentralized implementation.
Why is all of this important to public CIOs? There are at least four compelling reasons that require consideration:
1. The more infrastructure you have, the more infrastructure you must keep secure.
2. The more data you have scattered across your environment, the more places there are for that data to leak out.
3. The more variations in your security environment, the more technical security training and support are required.
4. The more products and services you have in the enterprise, the higher your overall costs.
Wouldn't it be nice to address all four of these issues with one word? Enterprise. But what does it really mean? In the context of an IT organization, enterprise means "an aggregation of all suborganizations within a larger organization." Since the infrastructure is fairly consistent across an enterprise (thus the term "enterprise architecture"), it becomes increasingly important to recognize information security as one of those horizontal consistencies across the vertical lines of business. Like the standardized nature of e-mail, information security tools and services can be rationalized into the enterprise to provide much more consistent security while decreasing costs and the overall security footprint.
Some people argue that centralizing security introduces the danger of single points of failure. I agree, but layered security and defense-in-depth is another topic. While we should never have just one product or service, we also shouldn't have dozens. The economic reality is that we simply can't afford everything we'd like, so we must make smarter decisions about how to protect the enterprise. Tough economic times and the growing cyber-threat environment make it much more important that we begin losing the "we're different here" mentality and start addressing information security from an enterprise perspective. The question I think many government organizations need to ask is, "Are we really that different?"
The views expressed are solely mine and nothing stated in or implied from the article should or may be attributed to the state of California or any of its agencies or employees.