Smaller Indiana


Over on the forum "Do you buy software as a service?", a question has arisen about "going around" the IT department.

This is a major selling point of many remotely-hosted software service providers: you can get software up and running without having to involve the IT department.

However, guiding the appropriate use of technology in an organization is the purpose of the IT department. In this sense, buying SaaS is kind of like purchasing your own office supplies instead of using procurement, registering for your own travel instead of using the company travel department, or doing your own brochures instead of waiting for the next round from marketing.

Or is it? Is going around the IT department good, bad, or something else? Is this a valid selling point for SaaS or a sign of bigger problems in the organization?

Discuss!

Tags: information, it, saas, technology


Replies to This Discussion

Maybe you are just a bit too good :)

Nope, just extremely biased in my own skills maybe. :)


Nothing wrong with a little self confidence.


Tino, just because many SaaS vendors (and many corporate IT departments) might have a lack of competence doesn't mean that the idea of outsourcing software functions is bad idea.

I just think if a division decided that it wanted to purchase all of its own furniture or manage its own payroll, there would be trouble from purchasing or payroll. But if a business unit wants to use a third-party hosted software solution, they can do so without as much trouble.

So, is this a double standard? Or is the analogy a poor one? That's my question.


I think it should depend on how the company's organization is setup. Some companies, anything technology related automatically falls under the IT dept's (technology) budget including the necessary staff to support those services, etc.

Outsourcing software functions is fine, as long as you involve the IT Dept in the process. I'm not saying you have to ask the IT dept for permission, just involve them in the process, evaluation, etc.

I think your analogy may need some tweaking, but I can't think of anything better, as I will offer only a slightly different version of what you are already saying. There is a double standard, as IT Depts most certainly can NOT go behind HR's back and give the IT employees different benefits packages outside of what the company normally offers. An IT Dept cannot solicit (and should not) outside Marketing or Accounting companies to do needed services for them just because they find Marketing and Accounting cumbersome to deal with. Which is


A couple of notes-

"Enterprise software sales reps have been end running the CIO for decades"- that's why security *management* folks like me will be permanently employed. Any company in which outside sales reps can get around at least a half-dozen security controls I can think of is a company in which there are systemic problems. And no, network or application vulnerability scans alone are NOT risk assessments (though they are input data)

"Most IT departments are dramatically underfunded, chronically understaffed, can't keep up with software patches"- one of the reasons most states have security breach notification laws

"So the VP of Sales is the guy who will buy your CRM"- cross-functional information security management is not well defined or maturely developed in a lot of organizations. That's one of the problems. But even in a marginal organization, the purchase should be subject to security review and change management controls.

"For most companies the lowest risk path may be external because hosting providers..."- bet they haven't done a comprehensive risk assessment to determine whether transferring the risk is an acceptable risk treatment option with acceptable residual risk. I'll bet they really don't know what the lowest risk is. See points above about what isn't a risk assessment

"hosting providers, professional data centers and especially SAAS vendors are better at everything (privacy, security, etc...)"- no, they're not. This claim is only as good as the vendor due diligence and risk assessment procedures of the organization, and the security practices of the vendor. See points above about what isn't a risk assessment, and statistics on data breach incidents and the high number of vendors who are responsible for the loss.

"you get the bonus "blame the vendor" card when things go wrong"- no you don't. Current information security and privacy law and regulation holds the data owner responsible for protection of regulated data under their control- and it's still under their control when they bring in a third party. That's why all of those laws and regulations have something in them about vendor due diligence and management. So, the vendor may have done it, but you're still the one left holding the FTC consent order in your hand, and it's got your name, not the vendor's, on it.


Patrick -

I actually agree with you as a business owner and IT pro. I did spend about 10 years of my career selling enterprise solutions to midsize and large companies. In the interest of furthering the conversation, though, I'm going to go back into ruthless sales person mode so you can get a better idea of why vendors avoid IT. It's the brutal truth, and hopefully it can help someone better understand the grand game of selling solutions to large organizations for really smart people:

"Enterprise software sales reps have been end running the CIO for decades"- that's why security *management* folks like me will be permanently employed.

There's a lot of truth to this... But it does lead to a problem that security professionals often face: they don't have the clout to control access to the buyer. Also, in other news, why should some security manager in IT be able to control who sees the CEO?

Any company in which outside sales reps can get around at least a half-dozen security controls I can think of is a company in which there are systemic problems.

Have you found a solution to "wine and dine," "golf cart data exchange," "wife's best friend's husband," "FREE SUPERBOWL TICKETS," "human trojan horse," "buttered up executive assistant" and other Executive access vulnerabilities? This is where IT really gets it wrong - by creating an expensive and adversarial process for vendors, they make the least cost, best results option to simply avoid IT until it's too late and all you have left looks like an egghead trying to defend his turf.

But even in a marginal organization, the purchase should be subject to security review and change management controls.
Meanwhile, the competition is eating your lunch because they are getting to all the big accounts before your CRM-less salespersons do. Your hot-shot VP of sales leaves the company. The VP of marketing has his resume out. In twelve months your company is dying on the table and is sold to a competitor, and the analysis isn't finished. The IT department, save that programmer in the back room, is laid off. This is why IT folks are sold around. IT creates costs and complexities that don't exist or that others don't understand.

Current information security and privacy law and regulation holds the data owner responsible for protection of regulated data under their control- and it's still under their control when they bring in a third party.
That's why the third parties offer indemnification and other assurances that this will not be an issue. So the solution is sold on a financial protection instead of real security (tragic, but that's how the ball bounces).

bet they haven't done a comprehensive risk assessment to determine whether transferring the risk is an acceptable risk treatment option with acceptable residual risk.
Bet they never will because third party hosting for five years costs less than the risk assessment will. Plus, all the hosting center will do is pay to have their own white paper written on third party hosting risks, quote Gartner, IDG and some blogger and again, the in house security guy or IT guy looks like a complete wingnut.

At the end of the day, you've done a great job of illustrating why companies avoid IT if you want to sell anything. If I'm buying, I want you at the table to protect the company - unless you appear to be standing in the way of progress. Someone selling, well, they will humor you, then they will try to persuade you, discredit you up to and including trotting out more experienced, better credentialed or more famous experts than you.

It's brutal out there, and I hope that this helps people understand why IT people are important to any software buy decision - the sales guy does not have your company's interests at heart.


the sales guy does not have your company's interests at heart.

Wow, that's a pretty brutal and honest admission! So that tells me that SaaS is a double whammy: selling to people who don't understand and don't care about IT issues, and salespeople who don't have the client's best interests at heart.

We need an SaaS person to get on this forum! (I started it because Chris Baggott asked me to---so, where are you guys?)


Robby, I used to sell SAAS - UpShot (which was SalesForce.com's competitor before Siebel bought it). Reality is that most business solutions exist to solve business problems, not IT problems. Business people, not technology people make the business decisions. My post isn't an indictment of SAAS, nearly every enterprise solution that isn't an upgrade ever sold over IT objections. The real problem is that most IT organizations have not evolved from being cost center geek-in-a-box outfits that are out of touch with the direction of the company. At this point IT should be cross functional and integrated with profit producing business units instead of a silo of control under the CFO (out of Indiana) or COO (in Indiana).

Wow, that's a pretty brutal and honest admission!
This isn't a revelation. How old is the saying, "Caveat Emptor?" Sales people not having your best interest in mind isn't a brutal and honest admission, it's reality, no matter what the veneer is. It's a fact. I own a business. People call on me to sell stuff they think will help me because I'm more likely to buy something that will help me. Sure, they would love to know that what they sold helps, and they know if the solution works for me, it's a good thing because I'll buy more or refer people to buy the solution. But at the end of the day, if they don't get enough sales they are fired or out of business.


"most business solutions exist to solve business problems, not IT problems" Reminds me of something a friend of mine once said- IT solutions aren't made to solve compliance problems, they're made to solve business problems. His point was that the privacy and security compliance folks needed to start looking in that direction if they wanted to come up with realistic policies and controls that would achieve desired levels of information protection while optimally supporting business objectives and processes.


Amen, brother.


Good comments. I've been watching this thread, and mulling over the points, especially Robby's restatements of the initial question. I still think the issue comes down to security management, but what may be the key phrase in your reply above is this: "some security manager in IT". Why should security be managed from IT? Because it always has, given that it grew up with a focus on protecting facilities and infrastructure? Well, it's become much more complex than that, lately.

There is no (good) reason why information security shouldn't support business objectives. To Robby's question, the issue may not be that of "going around" IT, but of building out the appropriate security management processes and embedding them into the business operations in ways that allow more departmental autonomy in some areas of software acquisition without compromising the risk management objectives and decisions of the organization. That requires organizations to take a more governance-driven approach to information security management, which is, to your point, not something many of them really like to do. Most of them are content to think of information security as a tactical IT problem, rather than as a strategic business problem. This leads to a kind of myopia where information security "management" is a checklist-driven activity striving to meet the next compliance deadline with the minimal amount of effort, and confusing audit reports with continual improvement processes (it's a cost center with no demonstrable ROI, right?)

So, for example, major companies can pass their PCI-DSS audits and still lose record amounts of personal data through vulnerabilities that weren't directly covered by PCI controls, because anything outside of getting to PCI compliance -completing that checklist- wasn't on the (tactical) radar screen. The opportunity to look strategically -and comprehensively- at how effective information security management could improve performance, as well as address risk in a more business-driven way, is simply lost in this kind of approach.

On the other hand, there are few, if any, critical business processes in any organization that aren't dependent on information and information assets of some kind. And in a lot of organizations and industry sectors, information and information assets are regulated either because of what they are (personal data) or what they do (financial reporting systems, pharmaceutical manufacturing systems, etc). In this environment, not looking at information security as a strategic management process that supports business objectives is more than shortsighted. After all, we are talking about confidentiality, availability and integrity of information and information assets- information security isn't just about completing checklists and avoiding fines, it's about the processes necessary to deliver one's products and services. One short way of saying it is that information security is about the organization's reputation and business continuity.

Security risk management is as much about how you maintain and deliver business as it is about anything else. Comprehensive information security risk assessment (see OCTAVE, ISO 27005 and NIST SP 800-30 for examples), together with well-developed effectiveness metrics for controls (how well do they manage risk to expected or required levels), and measurable continuous improvement can give you a basis for calculating a meaningful ROI for security investment. I'd argue that without those, ROI discussions for security are pointless.

But, accepting this means changing a lot of things that many organizations don't want to change- like relegating (siloing) security to IT, tolerating the circumvention of security controls (if there's even awareness of that), or leaving vendor risk management up to "endeavor-to-take-reasonable-steps-to-do-pretty-good-things-to-protect-our-assets" contract language. And indemnification language or no, the current laws and regulations are pretty clear about responsibility for regulated data- yeah, your vendor has to report breaches to you (and in Indiana, to state authorities), but it's still your problem in the end. Check out the running list of security breach incidents at www.privacyrights.org and count up the number of those attributed to vendors. (HITECH ups the ante for business associates under HIPAA- they now must implement the same controls as covered entities). Similarly, under European data protection law (the model for most of the rest of the world outside the US), you can't hand off the problem to vendors- as the data controller, you're the one with legal accountability for the data.

But, back to the point. Information security management shouldn't hinder business, but when it gets left to "some security manager in IT" it probably will- not because the security manager is obstructive, but because the organization hasn't elevated information security management to the level of effective governance. To answer one of the variations of Robby's question, it's the organization. And, in part, it's the analogy- letting a department buy furniture that doesn't match the corporate branding scheme is not as great a risk to the business as is an application that hasn't been brought in and installed through defined acquisition, change management and configuration management controls, from a vendor who hasn't undergone appropriate risk assessment and due diligence.

Anyway, I think we're pretty much on the same page- you've sort of underscored why the problems are security problems, and shed some light on why they're difficult to fix. And, of course, given me the opportunity to rant about some of the key shortcomings of approaches to security (there's a really good article on the emerging legal concept of reasonable security by Tom Smedinghoff- if it isn't up in the SI Information Security Exchange Group, I'll put it there in a few minutes)- just because something's always been the case is no argument that it should continue to be so ;-)

Here's another question- back to my "Vulnerability as a Service" remark: Excluding for the moment security as a service, should a vendor knowingly sell and install a software (infrastructure, platform, etc) service in a customer environment that has a weak security environment?


Should a vendor knowingly sell and install a software (infrastructure, platform, etc) service in a customer environment that has a weak security environment?

That's like asking if you should sell a car to someone who you know is a reckless driver. It's ethically questionable, but if sales people had to make sure that every client was truly meeting the necessary standards for using their tools they would never sell anything.

Furthermore, sales people have an incentive to sell to weak security environments. These are places that have less understanding and therefore more interest in outside expertise, and they are areas where more is likely to go wrong, meaning they will need to spend some consulting dollars.

From the perspective of a short-sighted sales professional, it seems the best clients are the most ignorant and incompetent. They need your help the most and are willing to move the most quickly. Customers who are cautious, conduct formal analysis, and work to understand your product are a pain.

© 2009   Created by Pat Coyle
