A fresh post in a long while ..
So, after writing for clients and my research being all consuming this past year I am re-focusing time in my day to share observations and thoughts. Why? Quite simply I learn more when I write; share, and get feedback then living in an echo chamber. How will this benefit the world/you.. simple, you will share in the knowledge I gain from sweat and toil and learn through the same iteration cycle as I. I also will begin focusing my posts on my dedicated portal for such topics and (attempt) to limit my writings here to on-topic. I hope you will continue to join me on the new(er) site and the other media platforms.
Also, I am trying to aim for a high iteration format instead of the long form of old. Meaning, shorter (I hope) posts that are succinct on ideas without the typical pre/post writings that are common in most write-ups. My ask, please share, challenge, and seek to understand my perspective – as I will do for you.
Onward then …
Today is RSA day and 2 themes that are evident and of most importance based on several large client discussions; analyst discussions; and a few researchers I had the privilelege of speaking with today:
- Communicating the WHY is of paramount importance today (WHY are we spending security budgets on X assets? WHY are our practices for managing enablement between development, operations, and security out of sync? Etc..)
- Passive Resistance (my phrase, but after a day of hearing about NSA, RSA, Crypto architects disowning responsibility for operational deployment, and “enable” privacy, security this is where I landed) is the idea of persons and organizations being asked to respond to these threats in a manner that impings their capabilities. There are many problems with this stated position, but I shall leave that for another day and your own pondering
Businesses must address #1 and be extremely cautious with #2, and #2 will be a heavy discussion during my RSA session on Thursday for all that are present. If you are unable to attend, I will as usual post my work and research in note form online. Looking forward to learning and expanding my thinking with you.
Posted in Compliance
Tagged 2014, analysis, bank and technology, best practice, cio, ciso, Compliance, rsa, rsa conference, rsac, rsaconference
A recent article on Bank Systems and Technology highlights a very difficult and often misunderstood need and method of aligning technology projects to core business requirements. The author is a thought leader in the space and provides great information to consider. There are specific enhancements I would make to their approach.
A common mistake in the technology world is to engineer for engineering’s sake. This is followed based on the idea that if we add more features and increase the throughput, surely the business will be enamored by the results and grateful for the effort undertaken (whether we are buying a product or having developed it internally). This is fundamentally the problem with the discrepancies that result. Technology does not need to simply extend itself, but should be evolving to meet the new challenges – i.e., the same appliance configured and deployed in the same manner may not be appropriate.
Considering this discrepancy in thought, I would suggest an alternate set of project prioritization checklist for business and technologists:
- Technologists and Lines of Business owners should collaborate on the near term challenges of the business -> i.e., identify the problems holding back the business
- Based on this business problem list, identify the possible solutions – considering existing technology and alternate deployments
- Identify the low hanging fruit – i.e., sort the technology solutions by cost/effort with that of the business problems, and tackle the quickest returns first.
- Projects should show returns in weeks, not months
- Projects should be accountable to the Line of Business Owner, and it should be reflected in their P&L
- Repeat steps 3 – 6, and every couple of months restart at the beginning – especially as the business environment and operating environments change (As the business changes, so must the technology contributing to operations).
Thank you to Deb Smallwood and Karen Furtado of SMA for contributing the article that inspired my own process.
James DeLuccia IV