Use the IT Value Chain to embed security in every aspect of IT

In the New Style of IT, security isn’t something you do on the side. It has to be embedded in every aspect of IT.

 

The New Style of IT—the interrelated trends of cloud, mobile, security, and Big Data—is changing the way you deliver IT services and the way IT services are consumed. So certain assumptions no longer apply. For instance, the assumptions used to be:

 

  • You owned and controlled the endpoint device. Now you don’t.
  • You owned and controlled the network. Now you don’t.
  • You owned the environment. Now you don’t.

Your perimeter has changed. Instead of being a fence, it’s become like Swiss cheese: full of holes. If your users are on a mobile device and connected to Wi-Fi to look at something in the customer database, they’ve got one leg in the internal network and another on the external network. (If you’re concerned about security, come talk to our HP Software Professional Services experts at HP Protect.)

 

Increasing communication between IT and security

Converged security is the answer to this new reality. Your IT organisation can no longer afford to keep security siloed in one area and IT Ops in another. The two functions are becoming increasingly entwined and each depends on the other for context and speedy remediation. You need end-to-end visibility across both domains to resolve issues with efficiency and speed.

 

As I wrote in my last blog post (“IT execs: Integrate security and Ops to cut costs and reduce waste”), when you integrate these two functions you become much more efficient and the enterprise is better protected. You’re no longer duplicating activities—each with separate tools and processes.

 

Using the IT Value Chain to get to embedded security

In most organisations, security is another layer; it’s siloed. But the only way for security to be effective is if it’s embedded in everything. How do you start breaking the silos down?

 

In HP Software Professional Services we take an IT Value Chain approach to security. The IT Value Chain is a strategic framework for improving everything that IT does. It comprises four individual value streams. When you take a look at each one you can see where you need to embed security:

                                                                                           

  • Strategy to portfolio: This is the planning and strategy value stream. And this is really the executive function I wrote about in my last blog post about driving change through the organisation.
  • Requirement to deploy: This value stream covers testing. So weave security testing into application testing to make sure you release secure applications (as opposed to releasing applications and then testing them for vulnerabilities).
  • Request to fulfill: Here is where you would look at embedding security into configuration management to prevent vulnerabilities.
  • Detect to correct: This is your event, incident and problem management value stream. To embed security, make sure that your monitoring also includes security.

When you tack on security, it has limited effect. As the New Style of IT creates more complexity, security can’t be an add-on. This is the moment to start making these changes. Examine IT from a value stream perspective and start embedding security in each activity performed by IT every day.

 
