I recently read this blog post on Richard Bejtlich's blog (and I am a bit behind the times) but it really rubbed me the wrong way. I am probably misinterpreting the point of the post but the way I read it, Richard was just pointing out that there were some salient points. I guess that I read the points that he highlighted and found that they were either people squabbling over semantics or they were IT nerds that had been promoted to management roles and somehow thought that they were unique, beautiful snowflakes and were different or more important than any other business function.
How is IT any more "special" than say marketing, sales, finance, etc? They aren't.
I want to believe that the aim of the article was to say that IT should seek to be a trusted advisor to the business and serve to meet those ends, but it really read to me like IT should be able to dictate terms to the business and demand what they want.
Now I've worked in some places with IT departments that have been described as a "post-apocalyptic backwards IT environment". And those places were paradise compared to some of the hell holes I've seen since. And the worst ones I have ever seen are those that locked into this mindset that they can dictate how/what/why/when and where the business can do what it wants. They dictate what laptops they can use, what applications they can use and so on and so on.
Now don't get me wrong, I understand the reasons why this is necessary to some extent: ensuring a standardised operating environment, maximising pricing benefits, maximising process efficiency and so forth. But seriously, if IT is going to be the linchpin of the business, then dictating terms is the worst thing you can do.
C-level executives are keen to reduce cost and focus on numbers not for the sole purpose of "looking good" to the board or shareholders. They know that by reducing their marginal cost of production, they are able to produce goods at a lower opportunity cost than their competitors. This means that potentially they are able to put their competitors out of business just on pricing alone. And this is simply one tactic they can use to crush competition. So any CIO looking to gain efficiency is going to look at reducing the size, complexity and operational overhead of their IT infrastructure, applications and staffing wherever they can. I know I would.
I remember meeting one client ages ago who is quite well known for reducing their IT function to an almost infinitesimally small size. At the time I met this client I thought the concept was, in itself, appalling. After knowing what I know now, having gone through my degree, I'm convinced this guy is actually a visionary.
These goals are a primary driver behind the booming enterprise architecture industry, which seeks to bridge IT and business by optimising business process through efficient, robust, scalable and re-usable architectures. Any CIO or IT manager worth his salt who is not seeking to optimise and consolidate, and cannot rationalise the cost benefits of doing so, is doing his company a disservice. Every IT manager who fights to retain infrastructure in-house, even when it is more expensive to do so, is also harming the longevity of the company by forcing it to spend money on an area that isn't a core competency.
And for all the bitching in this article that IT isn't focusing on innovation, I will tell you this: for every dollar your company spends retaining and managing IT assets, that is one less dollar your company is spending doing really cool, innovative, exciting stuff that is core to your brand. And for every dollar you spend maintaining something that isn't core to what you do, that's potentially a dollar that your competitor is gaining on you.
Now before I'm stoned to death by my infosec peers, I'd argue that our role is to acknowledge that progressive, forward thinkers are out there and we need to acknowledge that stopping the move to cloud based technologies (IaaS, SaaS, etc), outsourcing, etc, is comparable behaviour to people throwing sabots into textile looms back in the 15th century for fear of losing their jobs to automation.
Are we as an industry really that unevolved and immature?!? Why can't we look at our methods for ensuring that information assets are adequately secured as part of the migration, that they are managed appropriately and, in the event they simply can't be, that mitigating controls are applied as best as possible and residual risks are understood by all so there is no misunderstanding?
I understand that internal chargebacks are not popular and I understand the argument about the chilling effect it can have, but simply put, this is good economics. It simply proves the point that the business is wasting money on a service that it can get from a third party provider for less (that is of course assuming that the business is comparing apples with apples and not say, a fully redundant SAN storage with a USB hard drive from Dick Smith).
If IT really wants to talk innovation and do really cool, exciting stuff, look at how you can get rid of those crappy legacy applications in your environment that are unpatched and unmanaged. Look at sloppy, inefficient business processes and see how you can improve communication, consolidate storage and better facilitate excellent customer service. The cost savings are a secondary benefit and should be obvious in the face of such synergies.
As security folks we have the potential to be the glue in these discussions, looking at ways we can protect the business. We can ensure that developers build applications using robust methodologies and guides, leverage APIs, etc. We can ensure provisions are included in contracts to enforce minimum standards of security, even influence choices of vendor and/or pricing. We have a lot more to offer the business than we often realise, but it really does come down to the approach. In that respect, I think the article was on the money.
Unfortunately working in infosec is not glamorous and we get saddled with doing our jobs, working with what we have rather than what we'd like to. This to me is what it is really about: making better use of what we have and looking at how we can help the business rather than hinder it.
In the future, businesses are not going to have monolithic IT shops. The future is going to involve outsourcing on a scale that you or I today can hardly conceive of. Enterprises will have all their applications, infrastructure, development, all outsourced. Other core functions will also become increasingly outsourced (I've already seen this). This enables businesses to become increasingly agile and better focus on their core competencies. IT will become more ubiquitous and pervasive than we can conceive today. Information will fly around in so many directions across so many devices that our very notions of privacy and security will be constantly redefined based on a threat landscape that will beggar belief.
Our role in this world as security professionals will be to constantly adapt and redefine these notions on the basis of the information exchanges needed by business and, perhaps more importantly, the speed with which we can do it. The world is not perfect and neither is information security in practice. But if we can help businesses make informed decisions about risk, then our work is not in vain.