Protecting information in a changing world
Is technology getting harder rather than easier to use?
Technology is, without a doubt, becoming increasingly complex and fragmented. Cloud services are competing with in-house systems, staff are using their own devices for work purposes, and different business areas are spending their own budgets on technology without necessarily informing the IT manager.
Undoubted benefits come from adopting new technologies and working practices. Staff are more accessible, productivity increases and the business can become more agile. Alongside such advantages, however, the downside can be that IT loses a level of control, potentially compromising security and making service levels harder to assure.
Knowing how to strike a balance between benefits and risks can be quite daunting. Some businesses try to prevent use of external services, restrict use of personal devices or add layers of budgetary control. Others find themselves heading in the other direction: unable to adopt a manage-everything approach, they risk ending up in a situation in which anything goes.
Most organisations lie somewhere in between, with IT managers attempting to keep existing technology going while expressing concern at non-jurisdictional IT activity. The concern is valid, not only given the potential for issues but also because it will undoubtedly be the IT department that carries the can if something goes wrong.
Organisations should respond by putting information first.
So, is there a better way?
Rather than trying to do everything, best practice suggests focusing on the core information assets at the heart of every business. Different information types require different levels of protection, depending on how important they are and the risks they face. For example:
- A manufacturer’s discounted price list may be a simple spreadsheet, but its publication would be of major consequence.
- Salary data, unaudited financial information or sales data all need to be kept to certain groups or individuals within the company.
Putting the information first helps the business decide whether information assets are important enough to require centralised management, protection and support – that’s what the IT department is for. By agreeing with the business who should have access to what, the IT manager then gains a firm foundation to define how such assets need to be protected.
All sides stand to gain from this approach. The IT department can focus on delivering business-critical information in the best way, while business departments are better able to make decisions about device types or web site designs, without increasing business risk.
Of course, this still suggests a shift from IT having exclusive control over technology – but this shift is happening, whether the IT manager likes it or not. Better to work with the change than be left behind.