How to decode & sequence your IT department’s genome

Companies generally depend on their IT departments to provide a core foundation of computing and data services.

Employees need new machines, upgrades, patches and maintenance along with a permission-based level of access to specified parts of the company database, depending on the level of sensitive information that any single individual is agreed to allowed to be exposed to.

These are known truths in the general flow of the IT universe.

But deeper inside the IT function there runs a specific stream of DNA that tells us what type of tech function the business is really running on. If we can decode this IT departmental genome, then we can understand where the business stands in terms of system security vs. functionality and power.

Decoding the IT genome

Examining the core DNA of your IT function should be a process of working out exactly how risk averse your IT function is.

What becomes important now is being able to assess how the IT function ‘behaves’ in general terms.

Some industry sources have suggested that external factors such as security breaches covered in the news and changes in legislation (along with regulatory rulings) are the top influences for cyber security strategies — and that IT professionals are very often only fixated on being reactive i.e. they will follow up a breach and alert when (and only when) it has been flagged.

The business-technology proposition here is that two distinct tribes of IT decision makers exist: ‘Protect First’ and ‘Business First’.

Protect First IT shops have been estimated to represent the nearly half of businesses. These are operations who claim to put cyber security above all else, even if it slows down user productivity. They’re fixated on threats, perhaps at the expense of business transformation and wider business goals.

Serve and (sometimes) protect

Business First on the other hand are IT shops driven by business functionality requests in the purest sense. They exist to serve and serve (as opposed to serve and protect) and protect as much as is reasonably possible within commercially allowable parameters.

Business First IT departments are ground-breaking, focused on all contemporary forms of digital transformation and always looking for the next platform-level paradigm shift (such as the next Twitter, the next Internet of Things and so on) that they can start shaping the firm’s IT backbone towards to start reaping advantages related to speed, innovation and new digital workflows.

Estimates have suggested that as many as two out of three IT and security decision makers say their security program is ‘continuously reactive’ due to constantly changing legislation, threats and other external factors… these are the Business First mavericks who want to reinvent the wheel, even if it’s not broken.

The proliferation of mobile applications has had a significant impact on business – even more so than the need to understand gaps in current security programs…. and this is thought to be one of the major reasons behind the disconnect that exists between ‘Protect First’ and ‘Business First’ in the first place.

Business buy-in is a challenge. As many three in five IT leaders feel that obtaining buy-in for their security programs is tough, primarily because of a lack of understanding from the board.

The middle way

Given the disconnect that exists between these two core approaches, it would be natural ask which way might be best… which is the most prudent course of action?

As with so many things, it comes down to the middle way i.e. taking a combined (and perhaps more considered) approach to total IT project strategy is likely to be the most sensible approach.

Analyst house Gartner famously coined the term bi-modal IT to describe the notion of running a) your business functions on a safe backbone (Protect First) and then also experimenting with new streams of applications in safe sand-boxed areas (Business First) that might be less secure if they were running throughout the heart of the business.

Digging into your IT department’s DNA to decode and sequence its genome does require a blood test i.e. this might hurt. But it will be worth it… and you can almost certainly declare a cleaner bill of health afterwards.