A few years ago, IT could have been thought of as the department of “no”. Today it is an unsung hero. The work of IT is very complex, and it is central to the efficiency and success of the organization. IT teams must be innovators, firefighters and provisioners of resources, while also maintaining the governance, cost control and safety of their ecosystems.
Security, in particular, has been an eternal thorn in IT’s side – specifically, the complex task of providing secure infrastructure resources across an increasingly distributed and porous enterprise perimeter.
In 2019, the problem was clearly illustrated by several news stories of high-profile data breaches. One of the most notable was the Capital One incident, in which the accounts of more than 100 million customers and applicants were exposed after an AWS misconfiguration was exploited. The Marriott hotel chain started 2019 with a catastrophic security failure, when hackers accessed the records (including passport numbers and credit cards) of 380 million guests.
More recently, the pandemic has become a cybercriminal’s dream, and coronavirus scams are spreading rapidly. Defending an already porous, distributed perimeter was difficult enough. Now, the new reality of working from home has made IT security both more important and more difficult.
Protecting the perimeter becomes infinitely difficult.
The coronavirus era has greatly expanded the already distributed workforce, creating millions of unprepared and distracted users. With IT teams juggling complex family situations on top of an overloaded work plate, attackers are certain to add to their burden, eagerly waiting to exploit an enterprise’s clouds, databases, and systems.
If securing an enterprise IT perimeter is monumentally challenging under normal circumstances, it has become a nightmare in the new work-from-home reality, where an organization’s attack surface has suddenly expanded to unprecedented levels.
The burden of shadow IT.
The added pressure of the pandemic comes at a time when IT decisions are no longer centralized only within IT. Larry Ponemon, founder of the Ponemon Institute, has said that “many IT decisions are now distributed at the line-of-business level throughout the organization. It’s a security nightmare.”
Gartner believes that these behind-the-scenes decisions, which lead to “shadow IT”, are a huge problem. In 2018, it predicted that this year, more than a third of cyberattacks would be on shadow IT and IoT resources.
Shadow IT is expensive, to start with: having a bunch of separate, ad-hoc services running in the background and consuming valuable infrastructure resources can eat into any IT budget. Gartner estimates that shadow IT accounts for 30-40% of all IT spending in large organizations. Everest Group puts it even higher, at 50%.
However, the biggest costs associated with shadow IT come in the form of security risks. In fact, a recent report from IBM cites the average cost of a data breach at $3.92 million, a 12% increase over the past five years. How can you protect assets you don’t know about?
How can you ensure the safety of your enterprise when you have all these unsecured assets? To answer these questions, IT needs to start thinking and acting differently – they need to rein in shadow IT before attackers can take advantage of it.
Thinking and Acting Differently: Customer Centricity
With all of IT’s responsibilities—fighting fires, provisioning resources, closing tickets, providing the hardware and software needed for employees—they make sense for the time being.
When people in other departments, such as engineering or development, can provision cloud resources with just a credit card and the click of a mouse, it’s tempting for them to do so instead of waiting on IT.
It is not out of malice; really, who can blame them for quickly spinning up test servers on AWS if IT is busy? To accommodate this chaotic new reality, IT ops needs to change. Specifically, it needs to become customer-centric.
For example, developers, like IT, already have enough on their plates. If they require on-demand resources in a constantly and rapidly changing environment, ordering them through IT and within company policy should be as simple as doing it themselves.
Hence, outdated policies and procedures should be updated to reduce friction and accelerate IT services without compromising security.
Eliminating friction with a self-service model.
One way that enterprises can solve this problem is by implementing a self-service IT model: building an IT-approved list of services that users can provision with the click of a button. The concept of frictionless self-service means that IT can build and leverage an inventory of resources (compute, storage, etc.).