Why organizations should revisit security responsibilities
[[{“value”:”
In the age of hybrid IT infrastructures, responsibilities within IT departments are less transparent than they used to be. Previously, one central team managed all things IT. Today, there are a variety of specialist roles spanning everything from end-user computing, infrastructure and security to cloud management and transformation strategies.
Within this expanding IT landscape, making sure everyone knows who is responsible for what, with roles and responsibilities clearly marked out, has become increasingly challenging.
Take Microsoft Active Directory (AD) as an example – an identity service used by more than 90% of Fortune 1,000 companies to manage their endpoints and assets, providing access to key services such as Office365. For Microsoft AD alone, there may be one team responsible for keeping it operational, another for managing the security aspects and associated configurations, and a third looking after upgrade schedules and dependencies with other aspects of the environment.
And this is just one example of an essential piece of IT infrastructure that depends on several teams sharing their responsibilities. The problem is that a lack of clarity means gaps over ownership can emerge within increasingly convoluted IT structures, resulting in security risks and operational issues.
Looking at mergers and acquisitions, we can also see how these gaps in responsibilities can emerge and grow. Businesses and their boards often strive to get deals completed and ironed out as quickly as possible. In these instances, appropriate levels of security and IT due diligence can be sacrificed in the name of operational uptime. However, such an approach naturally causes problems.
IT is fundamental to a successful M&A. It is the key to accelerating transition periods, ensuring that new colleagues can access both previously business-critical data and new standard systems as they get up to speed in their new roles. However, organizations often find themselves in a rush and end up trying to weld together two different ways of working, naming conventions and unknown histories together in a marriage fraught with problems.
Without the necessary care and attention needed to mitigate these issues, several security problems can arise. Going back to the AD example, organizations may inherit misconfigured systems and accounts that would become the parent company’s liability.
In some instances, there may even be threat actors already present in the acquired company’s environment that then gain the opportunity to enter the parent environment. For these reasons, due diligence must be prioritized, with security responsibilities mapped out to maximize visibility and mitigate potential threats.
Establishing a responsibility matrix
Of course, that’s easier said than done. So, how exactly can companies reduce a lack of clarity over responsibilities, reduce business disruptions and close security gaps as they surface?
Here, creating a responsibility matrix can pay dividends. By going back and reviewing roles, and mapping out exactly who is responsible for what, firms can identify and eliminate any gaps that might exist. Who manages a piece of software, and the configurations associated with it? What are these configurations supposed to look like? And who should be informed if something changes? These are some of the critical questions that a responsibility matrix can help to answer, enhancing clarity for IT and security staff. Furthermore, a responsibility matrix is also a particularly important resource for those organizations planning on making major infrastructural changes, such as moving into a new cloud environment.
There’s a perception that by creating something new or modernizing something old during digital transformations, all previous technical debt is erased. However, in many instances, that is not the case. You can’t just rebuild an entire new IT stack and delete the old one – it simply doesn’t work like that.
Often, there’s significant plumbing that occurs between the old and the new, and everything needs to work seamlessly. If there are poor configurations, process issues, or security gaps caused by unclear responsibilities, then any new technologies will simply import and exacerbate problems.
Preventing “severe” or “catastrophic” outcomes
Simply put, you must first ensure the security and IT hygiene associated with foundational systems such as AD are sound, and then work to find a way for new applications to be connected back to core databases in a secure, seamless, and safe manner.
If you don’t, then gaps will emerge. And if these gaps are exploited, the consequences can be significant. According to a survey conducted by Semperis at Infosecurity Europe in June 2023, 69% of organizations said the impact would be “severe” or “catastrophic” if a cyberattack compromised their domain controllers and AD was down. And the financial impacts of downtime can be significant. Indeed, it’s estimated that 60% of outages preventing businesses from operating cost more than $100,000.
To avoid such costly outcomes, it’s important to revisit security responsibilities and eliminate any potential vulnerabilities that might be present. Prioritize understanding assets and their associated configurations, and make sure they’re right.
We’ve featured the best business VPN.
This article was produced as part of TechRadarPro’s Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro
“}]]