...and how traditional IT must change its behaviour
You already know this, but Cloud Technology has kind of changed the business world—not just the lives of IT professionals.
Cloud-enablement, and the proliferation of SaaS systems, has advanced to a point where start-ups can harness enough capacity from leased technology to challenge industry titans without actually needing a staff of IT support engineers.
Technological components now rarely sit inside an organization’s network nor are they commonly developed in-house. Whereas IT once held the keys to an operation’s many applications and data, the path of least resistance for new enterprises is to rent software and storage from third-party vendors for the sake of convenience and speed over absolute, end-to-end ownership.
Some call it the “consumerization of IT”.
But what are the risks of employees carrying out tasks using methods based entirely outside a network? How must Enterprise Architects and IT managers supervise the personal devices and self-acquired applications that are just as good—if not better—for business dealings than the ones officially prescribed by management?
Consider a further problem: as organizational data gets sent to the cloud and put within SaaS systems, not even large-scale organizations with longstanding and expansive IT programs fully own the internal analytics tools to measure their digitalized operations. These mature businesses, much like their emerging competitors, are embroiled in a very modern fight to acquire the most accurate analytics software in order to translate flurries of customer data in ways smarter, faster, and more comprehensive than whatever business appears next to them on the front page of Google.
“People aren’t moving to the cloud,” says Larry Biagini, former CTO of General Electric, in a webcast for Zscaler. “The cloud came to them. Whether they like it or not.”
In this same webcast, Biagini summarizes how traditional IT must shift to respond to the sea change brought about by cloud-based technology, as follows:
From controls-based to risk-based
- Decisions related to IT must be based less on practical requirements and protection than on risk appetites. Just like any business strategy (e.g., exploring new markets), IT should be seen in terms of missed opportunities.
From “No, you can’t” to “Sure…and here’s how we can help”
- Moving from a “No, you can’t” attitude where bold ideas are dismissed to a “Sure, and here’s how we can help” mentality where IT applies creativity and specificity to create individual solutions.
From building value to discovering the value
- Cloud technology has fostered an unprecedented culture of cloud-enabled solutions. No single IT department can compete against this innovation pool. IT must learn how to exploit the resources of this world in the best way possible.
From security prevention to security detection and response
- IT traditionally focused on security prevention. Today, however, it is important to focus equally on swift detection and response measures (e.g., hunting, anomaly spotting, etc.). There is no set of tools that can create absolute prevention.
From excessive requirements to innovation and fast iteration
- Re-examine the processes in place to deliver faster innovation. Decrease development requirements to bring products to market faster and thereby initiate more experimentation. Fail upwards!
From network-centric to user-centric
- If you believe that your company network is not the center of the universe, or alternatively that there is only one network in the world and you are already part of it, then IT must focus on protecting user information.
From IT on its own to IT and Ops together
- IT departments are no longer stand-alone entities and must integrate with operations to facilitate faster iteration.
SIX THINGS YOU NEED TO KNOW ABOUT IT TRANSFORMATION INTO THE CLOUD.
So, related to Biagini's thoughts, we've put together this list of six things to consider about IT transformation into the cloud...
1. Speed is the new currency
The quicker your organization can deliver products, the better. In this sense, money is less a deciding factor than how well you can keep pace with the speed of consumers. Think of it this way: if you can't fundamentally produce goods quickly, no amount of cash will make your company relevant.
2. Invest in identification and access management
This focus point is key. When organizations move to the cloud and (inevitably) adopt a policy-based access model, identification and access management become paramount. Identification and access management technology can be used to initiate, capture, record, and manage user identities and their related access permissions in an automated fashion—all of which is essential for cloud computing.
Truly great identity access management authenticates individuals and services according to a single interpretation of policy. Failing to implement such an overarching cloud access policy can lead to devastating compliance errors during auditing, because without it, it is difficult to argue that your information is not being misused.
3. Gain visibility into cloud services used in your environment
Learn which cloud services are in your organization, and learn where your data is going. Under EU GDPR, companies will be required to perform a Data Protection Impact Assessment (DPIA). During the DPIA, organizations will be required to demonstrate compliance readiness. Being fully compliant with GDPR means that your organization knows exactly where your data is stored, how to access it, and how to manipulate it if necessary. A clear view of your company's cloud services is key to compliance.
4. Don't confuse security and compliance
Learn how to separate security and risk preparedness from compliance readiness. Security and risk are both under an organization’s control; being forced to accept regulatory compliance is not. Distinguish one from the other.
5. Detection and response is stronger than pure prevention
Similar to the point mentioned earlier, it is impossible for one security prevention system to safeguard all company assets. Spend the time and resources to develop a dependable detection program that can respond to potential risks—and spend the time to educate your workforce on how to be vigilant rather than passively assured.
6. Create a risk assessment and set a risk appetite
Don't become an IT department responsible only for security. Become an organization that can show operations the consequences of misaligning with the digital world and the dangers of neither innovating nor adopting new technologies. Note: a risk assessment is not a security assessment. Translate the imperatives of IT into a language of business!