Evaluating cybersecurity risk


A call for governance and risk abatement, not just system integration

Let’s say you’re a buyer of enterprise-class systems, and you’ve just assumed an acquisition posture for a multisite deployment. Like many of your contemporaries these days, you are conducting due diligence for an IT service provider that can assemble storage, analytics/cyber, networking and computing. Like any informed consumer, you want to find a system that is future-ready and exceeds specification. What’s more, you’re looking over the horizon at next-generation hyper-converged solutions. There’s no shortage of options, and all appears to be well. Yet, while you’re in acquisition mode, system governance may not be top of mind … and that’s where systems and reputations are won or lost.

At this stage in the search, acquisitions are typically focused on corrective efforts and addressing known system deficits. Planning governance policies and practices up front is far less common. Many IT buyers look to the original equipment manufacturers to design and implement system governance, but OEMs tend to focus only on the element of the system they deliver (e.g. storage, cyber, computing) and do not provide an overarching governance strategy that ties them all together.

System governance is not just about who gets admin rights and whether permissions should be centralized or distributed. That is part of it, but governance is equally about risk (confidentiality, security, data retention, disaster recovery), about compliance, and about a framework for best practices and system control. In short, the goal is to harmonize the IT strategy and business objectives, in the broadest possible sense.

Guidance for governance

When implementing system governance, there is no shortage of third-party guidance. The field has its own impressive array of acronyms, including Control Objectives for Information and Related Technologies (COBIT), IT Infrastructure Library (ITIL), Committee of Sponsoring Organizations (COSO), Capability Maturity Model Integration (CMMI) and Factor Analysis of Information Risk (FAIR). No matter which standard is ultimately adopted, a component-by-component view of your new IT network, even when every OEM is doing a stellar job on its own piece, will not by itself put in place the risk-assessment and compliance protocols a good governance system requires.

In your procurement searches, you may even have run an extended solution search through so-called "marketplace" providers, who increasingly offer only as-a-service solutions, especially if they serve government clients, who are themselves increasingly mandated to select as-a-service solutions. These providers give access to multi-vendor solutions, serving as a brand-neutral systems integrator.

Working as the customer advocate, these third-party providers will wrangle multiple top-performing OEMs, get the prices right and deliver the solution -- storage, computing, networking -- all in one environment.  Because they engage top OEMs, it’s easy to make an assumption that governance is somehow being taken care of.  As implementation wraps up, you, the customer, are probably feeling relieved because the network exceeds your specification, the computational power is exceptional, the active archiving solution performs as promised and the remote access works as proposed.

Eventually, though, reality sinks in. The practical implications of governing a multisite implementation are many. Problems are common, particularly when there are multiple vendors with overlapping service and support teams. If your system design distributes overarching governance to each of the nodes, rather than concentrating it in a central location where the multiple service-level agreements can be managed together, there may be major gaps.

As a result of this common mistake, a kind of chaos takes hold for the simple and (in hindsight) obvious reasons that too many people have localized governance, yet no one person has been deputized for systemwide governance. Practically speaking, at this point in your implementation, there’s tons of activity: Support tickets are flying, but ticket escalation staff are confused as to which concerns are major systemwide bugs, which are minor site-specific issues and which fixes have implications for larger issues of security and compliance. Paralysis can set in.  And while the enterprise could be at legal or existential peril, the admin teams can easily lose sight of that risk.  The idealized vision you had of a harmonized, multivendor system can buckle under a round robin of who’s responsible for what.

Clearly, this dilemma is motivating more IT consumers to integrate their platforms with system governance as an aforethought, not an afterthought. Moreover, marketplace-model, as-a-service providers are especially well-positioned to bridge the gap from technology to implementation to governance, preferably in that order, taking on the hard work on the customer's behalf, anticipating pitfalls such as ill-advised distribution or concentration of governance, and offering tools that make that governance easier across a spectrum of providers.

In fact, the very best as-a-service providers are those that prove their worth through implementation of customized solution governance in a way that takes into consideration all the facets of technology and implementation from leading manufacturers, as well as the needs of multisite organizations. These providers -- sometimes called "last mile providers" -- leverage the marketplace model to give the buyer greater control, while removing the chaos of decentralized governance. These brand-agnostic aggregators price, manage and integrate the manufacturers' technology, while remaining focused on the client's desired outcome, advising just as actively on IT integration as on best practices for system governance, compliance and risk abatement.

About the Author

Rob Davies is executive vice president of operations at ViON.

