Gerry Chng, partner, Ernst & Young solutions
Keep cloud computing on your agenda over the next two years as the market consolidates and matures.
Q: What technology was under- or over-hyped last year?
2008 saw cloud computing as a contender to be an over-hyped technology. That's not saying that there aren't clear benefits of cloud computing. With cloud computing, businesses can focus on their competencies rather than worry about keeping the systems running as they start using infrastructure and/or applications as a service in the cloud. Functionalities can also be enabled or disabled as required in a more flexible manner to suit the market conditions and strategic intents of the business.
However, with the buzz created around cloud computing, we have seen technology companies rushing to align their solutions to be cloud-enabled, resulting in solutions that only address very specific needs. This often causes confusion as to what the cloud really is, the extent of its coverage, and what business benefits can be derived from it.
Taking an internal view, most infrastructures and applications are currently built up on-premise, and are usually heavily tailored to each organization's needs. It will be an upheaval task to dismantle the entire core facilities and move them to the cloud, and it will take several years before organizations can reasonably justify switching the capital build-up to an expense model through cloud computing.
Even if such a task can be achieved now, such a migration will likely happen in a very disconnected manner due to the niche nature of existing industry players, for example different providers for incident management, email and communications, customer relationship management. At its current stage, there are likely more inefficiencies than promised as each solution plays a niche role, and there will be greater challenges in getting two service providers to inter-operate when the organization does not actually own the equipment.
Do not disregard cloud computing totally though. Keep this on your agenda over the next two years as the market consolidates and matures. The hype is likely to clear up and leaders will emerge with a sufficiently broad coverage. And that’s when the industry will see the full promise of cloud computing.
The biggest security/risk management challenge facing businesses in 2009 is...
...managing information security in a cost-effective manner. Compliance has been a primary driver for information security over the last few years and organizations have benefited from more robust controls and processes. CIOs now need to turn their attention to making IT a business enabler, and transforming the risk management initiatives into one that is sustainable and cost-effective. This current climate makes it even more important for IT to prove its value to the business by truly being an enabler of business processes.
The cliché of doing more with less cannot be more true. At the same time that IT discretionary budget is reduced, organizations find themselves needing to be more innovative in their use of IT to enable the business to reach out to new channels and achieve new possibilities. This antagonizing situation of reduced budgets, and increased information mobility and system complexity, places a heavier burden on the information security function. This challenge becomes more complicated for organizations that are undergoing restructuring or mergers where two different risk cultures, policies and controls, and IT systems are brought together.
Organizations need to adopt a holistic view of how their security initiatives are performing through rationalization of controls, mapping of policies to controls, and management of security events by exceptions. This will require a system of identifying necessary security requirements, understanding how these requirements are achieved through system controls, establishing cost-effective means to monitor controls effectiveness, and alerting management to key exceptions.
How do you expect the current economic climate to impact the security posture of enterprises?
Given the general uncertainties and increasing demands precipitated by the current economic climate, there may be increasing probabilities of fraud or insider theft of information. Hence, organizations need to be ever more vigilant to possible information security lapses and be prepared to deal with recovery should such incidents occur.
One of the beauties of technological evolution is the mobility of information. However, information security practices may not necessarily have kept pace, as some organizations still hold a traditional view of information security, where the focus is on keeping the bad guys out, and less emphasis is placed on monitoring how and where information is being exposed by internal resources. By internal resources, we mean both employees with privileged access to information, as well as outsourced vendors that have been contracted to handle various processes such as facilities management or backup media management.
The information security policies of today need to be as mobile as the flow of information--they should follow the information throughout its lifecycle, regardless of whether it is residing with trusted employees, business partners, or outsourced vendors.
With the pressures caused by the economic climate, leading organizations will start to identify and classify their business data, and subsequently establish processes and technological controls to monitor and safeguard information against accidental or deliberate loss or theft. The current climate will likely be a catalyst for organizations to start focusing on possible losses due to insider threats, resulting in a more holistic view of information security – which is to protect the information, and not just the infrastructure.



