Securing An Empowered Enterprise

I am very excited to introduce a new report — hot off the press — “Securing An Empowered Enterprise." If you haven’t read “Empowered," I highly recommend that you go here for a summary of this fantastic book by Josh Bernoff and Ted Schadler.

CISOs across the country are telling us that their jobs are becoming increasingly more difficult (as their power to veto is becoming increasingly diminished) when faced with the business’ needs to support consumer technologies, such as social, video, mobile, and cloud. This is the groundswell movement depicted in Bernoff and Schadler’s “Empowered." Bernoff and Schadler described that businesses are empowering their employees with these new technologies to optimize operations or better serve customers. In this era of empowerment, corporate data are going into the cloud. Mobile devices are edging out traditional PCs; social technologies are enabling ad hoc collaborations anytime, from anywhere. As a result, the enterprise risk landscape has changed and will change further.

My report, “Securing An Empowered Enterprise," co-authored with Ted Schadler, takes a look at the consumerization phenomenon from the eyes of an IT security professional. We interviewed many security and business folks; two things stood out from all the interviews:

  • Empowerment is a challenge worth tackling. The empowered movement is an important source of innovation for the organization. At the same time, this represents an opportunity to reinvent the role of IT security from a back-office function to a crucial business function — the fulcrum for innovation.
  • IT security needs to adopt an empowered mindset or risk becoming obsolete. The empowered movement will happen with or without IT’s blessing. If IT security does not align its strategies with business initiatives, the corporate security function may become irrelevant.   

We believe that an empowered organization can actually be safer and more secure than a traditional enterprise. There are a number of reasons why this might be the case:

  • New requirements foster innovations: An empowered enterprise will demand a more nimble protection strategy that decouples protection from infrastructure (thinking virtualization). This not only adds agility to the system but may also allow the enterprise to easily incorporate new technologies as they become available.  
  • Focusing on threats incite the right  behavior for security: Since consumer technologies change at a rapid pace, security functions must focus on threats, rather than the actual technology itself. At a conceptual level, this puts substantial value on secure software, data-aware application controls, and threat mitigation techniques built directly within the application, which are all things that the security industry has been advocating for a long time.    

This is indeed an opportunity to not only redesign your security architecture to mitigate risks, but also usher in fundamental changes that will make the environment a safer and more secure place for enterprise computing.

The report goes into detail about a new way to design your security architecture for an empowered enterprise. I won’t go into details here. But at a conceptual level, you need to follow these directions:

  • Decouple risk management from control
  • Keep security assessment light and agile
  • Trust business to do the right thing, but verify the results

The report is especially meaningful, timing wise, as I am about to travel to DC for a World Economic Forum workshop where industry thought leaders are gathered to make recommendations to the WEF organizers for the 2011 forum agenda. I will be participating in the cloud computing workshop. As cloud is one of the “empowered” technologies, the report could not have come at a more opportune time.  

I would love to hear what you think of the report and in particular, your experience with securing an enterprise that has empowered its employees with the consumer technologies. 

Categories:

Comments

Risk and compliance in the Empowered enterprise

Great post and report, Chenxi. I especially liked your point at the end about extending risk mitigation strategies beyond technical controls to include consideration of security in contracts, education/awareness, and changing behavior.

I wanted to point clients to another great report focusing on the Empowered trend as well... this one by our colleague Claire Schooley, who published a case study for business process professionals highlighting Stanley Black & Decker's Empowered training programs. (http://www.forrester.com/rb/Research/case_study_stanley_black_%26_decker...)

I spoke at a conference last month to a group of compliance professionals about our Empowered research, and we discussed many ways that the technologies of an Empowered enterprise are currently supporting compliance programs (e.g. through enhanced training programs) and how they could be used even more in the future.

For those of you interested in this subject, I will be presenting a teleconference on this subject later this week called Compliance Professionals Need To Leverage Empowered Employees. You can register at http://www.forrester.com/rb/teleconference/compliance_professionals_need...