Shared Responsibility or Shared Fate? Decentralized IT Means We Are All Cyber Defenders

Does your organization truly understand the shared responsibility model? Shared responsibility emerged from the early days of cloud computing as a way to delineate responsibilities between cloud providers and their customers, but often there’s a gap between what shared responsibility means and how it is interpreted. With the decentralization of IT, this gap is getting worse.
Our applications, servers, and overall technology used to be under the purview and control of the IT department, yet with the shift to cloud, and specifically software-as-a-service (SaaS), this dynamic has changed. Whether it’s the sales team bringing in a customer relationship management (CRM) system like Salesforce, or the HR department operating a human resources information system (HRIS) like Workday, there’s a clear “expanding universe” of IT that no longer sits where it used to. Critical business workflows exist in separate business units far from IT and security and are managed as such. Our corporate IT footprints have become decentralized.
This is not some minor, temporary trend. With the ease and speed of adopting new SaaS applications and the desire to “lift and shift” code into cloud-based environments, this is the future. The future is decentralized.
The shift to business-owned and -operated applications puts security teams in a position where risk management is their responsibility, yet they are not even able to log in to some of these critical systems. It’s like asking your doctor to keep you healthy but not giving her access to your information or having regular check-ups. It doesn’t work that way.
Beyond the challenging human skills gap, there’s technical entropy and diversity everywhere, with different configuration settings, event logs, threat vectors, and data sensitivities. On the access side, there are different admins, users, integrations, and APIs. If you think managing security on Windows and Mac is a lot, try it across many huge applications.
With this reality, how can the security team be expected to combat a growing amount of decentralized business technology risk?
We must operate our technology with the understanding that shared responsibility is the vertical view between cloud provider and customer, but that the enterprise-owned piece of shared responsibility is the burden of multiple teams horizontally across an organization. Too often the mentality is us versus them, availability versus security, too busy to care about risk, too concerned with risk to understand “the business.” This must change.
An incident in security doesn’t just impact security. We’ve heard “united we stand, divided we fall.” We need to say that more in cyber — we win or lose together. This is why the horizontal view, across the org for the “customer-owned” piece of shared responsibility, must be viewed as a shared fate.
Great, we must do more. We all hear that a lot. But what specifically can we do immediately to improve our situation?
While our IT universe is expanding, with some collaboration, thoughtfulness, and discipline, we can have a more productive and a more secure future. It’s on us to make sure our shared fate is a positive one.
Copyright © 2022 Informa PLC Informa UK Limited is a company registered in England and Wales with company number 1072954 whose registered office is 5 Howick Place, London, SW1P 1WG.
