How are you maintaining data and system security as IT decision making becomes increasingly decentralized?
I agree that this is actually 2 questions.
For data and system security, we're actually going in a different direction, and I think many others are as well. I used to maintain a dozen different systems from a dozen different vendors, but now everything is centralized with a dedicated 3rd-party specialist company.
For decision-making, it's now done by process-driven committees, rather than simply by the head of IT.
In short, common data and security policies across teams are essential. While some decision making processes may be becoming more decentralized, we still have common policies and processes to follow, with approvals in place to ensure we still have some level of central oversight. We also utilize 3rd party tools to help pull some of this information and the related decisions together into an area where it is easy to find and digest. Ultimately, culture and execution are key, and need to be consistently applied across all levels.
I take "IT decision making becomes decentralised" to mean users and business units having more say in what systems and tools they want to use and how they use them. I think it is a good thing for obvious reasons: you get more fit-for-purpose systems that are loved by users and it's easier for IT to manage. You can still achieve tight data and system security in such an environment. I want to share the learnings below: 1) Have a clear and aligned IT decision making process with the business, who can request, input, who is to be consulted and who makes the final decision - IT does; 2) Build security considerations and criteria into the above processes and stay firm while balancing security and business needs & practicality; 3) Take every opportunity to educate the business on risk and security; 4) Security is an ongoing journey, pick your battle and celebrate every win!
Interoperable software across data siloes
Automated policies and platforms that enable self service with safety and security built in. Centralised approaches can work but at the cost of inhibiting innovation and causing a huge increase in costs of change. Swinging the pendulum fully the other way creates real risk but it is possible to have both to a reasonable degree.