Introduction
I’ve been working with technology and its security for a while. I have travelled to different parts of the world, I’ve worked with major organisations, and I’ve worked with a whole range of organisations from both a strategic advisory and a coal-face perspective. Now, over the last twenty years, I thought about how much has changed… and honestly, I don’t think much has.
Technology innovation, miniaturisation and adoption rates are through the roof, but I still see massively similar patterns. I’m not going to try and quote statistics, but I think it’s fair to say the threat landscape has changed somewhat (for the worse!).
Back in the 2000s era we had networks running Windows 2000 and Windows Server 2000/2003, and we had clients with open services which could largely be accessed from anywhere on the network. We had host-based firewalls from third-party vendors, but these were rarely implemented. MSBlaster and Windows XP changed this dynamic somewhat; to say things haven’t improved on one front would be a lie. However, the level of crime and access to technology globally has changed massively.
But I digress. I want to sort of call out some of the major challenges I see. I’m not going to write an essay and, in this post, I’m not going to even begin to look at solutions (not because there aren’t any, but I think that needs more thought than I can currently give the subject). So, what common challenges do I see in organisations today that I’ve generally seen for my whole career? Well, let’s try what comes to my mind. This isn’t meant to be well thought out; I’m just going to go on an adventure and see what comes out of CPU Daniel!
“The Basics”
Fundamentally there are ingredients required for our recipe for managing technology and its risks. At the heart of this are people: not assets or resources, but actual living, breathing people with feelings, with families, with jobs.
An enabled team needs more than good tools; they need leadership, they need guidance, they need support. They need this because I think that, at its heart, good technology and security management requires something…
It needs:
- Leadership
- Direction
- Guidance
- Mentoring
- Coaching
- Time
People also need to have the required skills but, key to all of this, they need the required time to do a quality job.
A major challenge I see in so many organisations is the requirement to do more, faster, quicker, and cheaper.
So, in the face of increased business/organisational demands, a massive explosion of new technology and a more prevalent and committed threat landscape, I see this:
- People are not given adequate training
- People are not given adequate time
- People are not given guidance and coaching to a level that enables them to effectively overcome their technical debt challenges
- People are constantly asked to do more with less
From a strategic point of view, one common finding I see is this. There’s often a lack of strategic direction: strategy documents are out of date and fail to communicate how initiatives translate into actionable changes. This creates a problem from both an investment and a business case perspective. It leaves portfolio management down to “what is popular”, but it also leaves the team on the ground without a joined-up view of the world. Without sufficient leadership and organisational support, we see the following outcomes:
- Overburdened technology teams
- Huge pressures to deliver ‘working’ but not working well
- Focus on the now not the tomorrow, this leads to high levels of technical debt
- A lack of joined-up thinking. A key technology and security capability I see lacking from so many organisations is around architecture (all forms).
To me, being able to operate with direction, purpose and meaning is one of the most important drivers in enabling an organisation to succeed. If we look at this from an IT point of view, what do we so often want, only to end up chasing unicorns?
- Time to organise
- Time to plan
- Time to educate ourselves and learn
- Time to network and learn from our peers
- Time to research
- Time to test (you know in a dedicated environment that’s safe, so we aren’t playing roulette with production systems)
This is often a catch-22: if the world is constantly firefighting and adding more technology to the mountain of technical debt, how can we expect people to be able to improve the quality of the outcomes? Surely if our strategy, leadership, and governance do not provide a suitable environment for change, we shall be constantly living in the hamster wheel of break, fix, add, break, fix, add, etc.
Change
To get different outcomes we need to work differently. We need to change the small behaviours of the everyday; by doing this we can enable teams and organisations to get out of the cycles they are in, to slay the dragons of technical debt, and to reduce the business risk. If we don’t change our approaches we will surely be here in the same place, surrounded by risks, attacked by threats, and living in a not-so-safe cyber future!