Forbes contributor Steve Andriole provides his analysis of top CIO priorities, in which he advocates unorthodox approaches to Security & Privacy. Specifically, he floats the idea of aligning the budget for Security & Privacy with the organization that is tasked with protecting Security & Privacy. Andriole also cautions against companies that “buy, install and support monster enterprise applications”.
We argue that this line of thinking applies just as much to homegrown tools. In the sections below we give our view on supporting Security & Privacy goals by centrally controlling changes to sensitive application, database, middleware and OS configurations.
Aligning Budgets and Responsibility for Security & Privacy
Andriole argues that
- “Security spending should move to Audit, ultimately managed by the CFO.
- Audit should demand additional, continuous spending for security at all operational and strategic levels.
- Boards of Directors should make digital security a priority (right alongside earnings) – or suffer the consequences.
- Accountability for security breaches should shift to the Board of Directors, Audit and the CFO.”
By consolidating both the budget and the responsibility for Security & Privacy within a single group, specifically the CFO, C-suites and Boards of Directors prevent the familiar excuse-making:
“Well, if we had sufficient budget, this wouldn’t have happened.”
“Well, if you made better allocations with the budgets you are given, this wouldn’t have happened.”
Our take: Orca improves Security and Compliance and reduces Business Risk
For companies that want to pursue this org structure, Orca offers a few benefits worth considering.
Visibility: “big picture” graphical summaries and granular reporting on out-of-compliance situations for related application, database, middleware and OS configurations.
Central, secure change control: Orca centralizes inventory of change detection and configuration data from multiple sources and delivers it in a convenient, human-friendly format. Users manage drift by setting their own custom compliance rules. “Dry Run” mode validates whether configuration changes will be successful before they’re actually executed.
Audit-ready reporting: tells you What happened, When it happened, Where it happened, Who changed it, Who approved it, Whether it worked and Why it happened. Teams no longer have to struggle to deliver status reports, recaps and configuration audits. A flexible, convenient and powerful RBAC system lets teams control, via API or web interface, precisely which teams and individuals can manage or even view important ecosystems. With automatic configuration change logging, teams no longer rely exclusively on policy-based record keeping.
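To make the drift-detection, compliance-rule, dry-run and audit-record ideas from the two paragraphs above concrete, here is a small added illustration. It is not Orca's code; the baseline settings, rule set, host name and actor names are constructed for the example.

```python
"""Constructed illustration of configuration drift control with audit records.

Not Orca's code. Settings, rules, host and actor names are hypothetical.
"""
from datetime import datetime, timezone

# Constructed baseline for one host (keys are hypothetical settings).
BASELINE = {
    "sshd.PermitRootLogin": "no",
    "sshd.PasswordAuthentication": "no",
    "db.max_connections": "200",
}

# Custom compliance rules: setting -> predicate that is True when compliant.
RULES = {
    "sshd.PermitRootLogin": lambda v: v == "no",
    "sshd.PasswordAuthentication": lambda v: v == "no",
    "db.max_connections": lambda v: v.isdigit() and int(v) <= 500,
}

def detect_drift(baseline, observed):
    """Return {setting: (baseline_value, observed_value)} for every difference."""
    keys = set(baseline) | set(observed)
    return {k: (baseline.get(k), observed.get(k))
            for k in keys if baseline.get(k) != observed.get(k)}

def check_compliance(config, rules):
    """Return the sorted list of settings that violate a rule (missing = violation)."""
    return sorted(k for k, ok in rules.items()
                  if k not in config or not ok(config[k]))

def apply_change(current, change, rules, who, approver, where, dry_run=True, now=None):
    """Validate a proposed change against the rules and build an audit record.

    In dry-run mode the change is only validated; otherwise it is applied when
    compliant. Returns (resulting_config, audit_record)."""
    candidate = {**current, **change}
    violations = check_compliance(candidate, rules)
    worked = not violations
    record = {
        "what": change,
        "when": (now or datetime.now(timezone.utc)).isoformat(),
        "where": where, "who": who, "approved_by": approver,
        "dry_run": dry_run, "worked": worked,
        "why": "compliant" if worked else "violates: " + ", ".join(violations),
    }
    result = candidate if (worked and not dry_run) else dict(current)
    return result, record
```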
Eliminating risks: By providing a third-party supported platform from DevOps and IT automation veterans, Orca helps companies eliminate fire-fighting episodes that result from non-compliant changes. Long-term, Orca eliminates reliance on custom-built, one-off solutions and removes the risk of losing the key staff who support and maintain them.
Minimal training investment: Unlike scripting-centric tools, Orca does not require scripting to operate. In fact Orca does not require learning any new syntax, declarative or scripting languages at all.
Whether in a traditional organizational structure or in the new accountability model that Andriole advocates (which reports to the CFO organization), Orca enhances security and enforces compliance by centrally controlling configuration changes and preventing unauthorized, even well-intentioned, changes. It does so via an intuitive interface that promotes the strict change control policies that protect security and privacy.