Understanding Why Process is Key to IT Security

Process excellence is a topic that has often dominated executive conversations, but it has not been a huge part of the IT industry. This is beginning to change as complexity rises across the industry and IT teams face mounting pressure to improve operational efficiency without sacrificing security. This is the rub, though, as efforts to work faster can lead to organizations cutting corners and creating risk. Such problems are especially evident when it comes to making IT changes, and the right ITSM tools can help organizations improve processes and avoid security problems.

Considering the relationship between process advancement and security
Process improvement alone can play a huge part in improving IT security because human error is such a major culprit in data loss incidents. Reducing data breaches is a huge issue across the IT industry, especially as security problems are only getting worse. The recently released Gemalto 2014 Breach Level Index found that more than one billion records were breached in 2014, a 76 percent increase over 2013. At the same time, approximately 106 data breaches were rated as extremely severe and possibly catastrophic.

You can't afford to put your business at risk when completing a change process. Somebody clicking on the wrong destination for data can send that information outside of corporate firewalls. A poorly executed application update can cause a glitch that leads to data loss. Failure to quickly release a patch could allow a hacker to take advantage of an existing vulnerability. On the surface, these issues look like technology problems. However, they are really process issues.

Human error is a reality of life. Businesses that want to avoid human error need to refine their processes so that they can enact proper oversight without sacrificing efficiency. This is the key. If you put authorizations into place, but fail to streamline processes around those operations, changes will slow to a crawl and you may run even more risk. You need to use process automation and optimization tools that are built into modern service desk platforms to truly gain the combination of control and efficiency you need to protect data.

Understanding the importance of internal controls
The recent Lenovo Superfish disaster emphasizes the importance of having process checks and balances to make sure technology decisions don't create opportunities for security threats to emerge. A recent NetZero report explained that Lenovo added Superfish as pre-downloaded software on laptops that shipped to retailers during the period between September and December of 2014. Superfish was meant to be a targeted advertising tool that gathers user information, shares it with online advertisers in a secure way and allows those marketers to show users more intelligent pop-ups and page ads.

In reality, Superfish ended up shutting down built-in web security controls and using the same, relatively simple, encryption code across all devices. This makes it easy for hackers to intercept sensitive user data, and while there are no reports that the vulnerability was exposed before Lenovo could respond, the incident highlights the potentially disastrous nature of a lack of oversight before releasing new technology.

Businesses need internal controls to avoid problems like what happened to Lenovo, or to avoid releasing devices with Superfish or similarly problematic solutions in their own configuration, and efforts to improve control hinge on effective change processes. The era of IT dictating how everything will work and making business users comply has been replaced by an era of consumerization. If IT teams are too slow or restrictive, their internal customers will go elsewhere. Businesses that want to improve security need to optimize processes so they can build internal control into everyday IT operations without sacrificing efficiency or the end-user experience.
