|
In response to increased corporate growth targets, CIOs are partnering with C-suite peers and line executives to capture market opportunities. Essential to these efforts are application development, process integration and connectivity to partners. This rightfully returns the CIO’s focus to revenue attainment, not simply cost control. Yet it also requires faster-moving IT operations.
To succeed, CIOs must deliver the agility necessary to drive growth -- while assuring that constant change does not compromise network performance, introduce new security risk, or cause the organization to fall out of compliance with industry regulations. Even a single outage or breach can be devastating, both to reputation and revenue.
How are leading CIOs overcoming these challenges? Many free themselves to focus on the top line by minimizing uncertainty about network assets. Based on my conversations with these executives, here are four techniques you can apply to your own organization:
1. Map your network. Repeat regularly.
Information about the location and security of devices, hosts, and connections underpin IT strategies. CIOs must have confidence that yesterday’s assumptions are adjusted to reflect the current network. This is impossible without a complete, regularly updated understanding of the relationship between assets, as well as whether assets are in compliance to security policy.
To achieve this, IT organizations traditionally combined data from multiple, manually updated sources or hired consultants to “sneaker map,” literally on foot. Most organizations now find these approaches too cumbersome and costly, as assets evolve by the hour. Leading CIOs remedy this by applying advances in “network assurance” practices and technologies. Many of the advances stem from efforts to map the Internet itself.
Consider how a major regional bank tests whether its business continuity plans are sound. The bank uses assurance practices to scan disaster recovery infrastructure, determining if assets are appropriately secured and linked to internal resources and third parties. In a matter of hours, the bank’s senior IT executives can validate that the disaster recovery infrastructure is in compliance and not compromised by network change.
Using similar practices, one of the world’s largest drug makers enforces boundaries between its research and administrative networks. IT staff can regularly test connectivity and assure the CIO and other senior managers that intellectual property critical to growth is secure. When necessary, security efforts like patch deployment can be prioritized around related resources.
2. Look before you leap. Understand the implications of change.
With CEOs increasingly dependent on IT to drive revenue, it is even more critical for CIOs to manage projects to expected business outcomes. However, most IT organizations have no reliable way to predict the full impact of network change -- the reason outages and compliance violations often accompany even basic modifications. This problem is compounded by change-intensive activities such as mergers, outsourcing and consolidation.
To manage the “ripple effect,” IT organizations require an accurate understanding of impacted resources. Consider how two Fortune 50 enterprises achieved this in the midst of their merger. The goal was to provide connectivity between their organizations. First, the IT staff identified all entry and exit points within each organization’s network. The IT staff was then able to pinpoint the full security implications of connectivity before any change was rolled out. Network assurance practices were instrumental to accelerating these efforts.
The CIO of a Fortune 150 manufacturing conglomerate used the same practices to plan the re-organization of 140 autonomously managed networks into one corporate network. Without applying these practices, the CIO estimated it would have taken one year simply to understand the resources within each network and their connections to one another. Instead, the planning was completed in a fraction of that time.
Some organizations use their existing audit management and asset products to achieve similar results, particularly when the goal is to understand a small, targeted section of infrastructure. To build an enterprise-wide picture, IT staff must typically compile data from multiple tools.
3. Validate that assets are under management and in compliance.
When managing the security implications of network change, many IT organizations rely on the word of administrators. Others check a sampling of resources, applying algorithms to make assumptions about the remainder. Neither method inspires confidence in the face of an audit.
To better manage change, leading CIOs are combining network assurance technology and practices to validate that compliance policies are reality across headquarter, divisional, partner, and remote networks. This removes or minimizes human input, shifting compliance check-ups from reliance on administrator “best guesses” to auditable, automated processes.
One of the world’s five largest software companies used this approach to document the true boundaries and third-party connectivity of its corporate intranet. A key discovery was an unsecured high-speed WAN connection. Located in a recent acquisition’s infrastructure, this connection opened the software company’s corporate intranet to potential malicious activity. The company also found nearly 100 improperly configured routers in various development labs -- facilities that autonomously managed their IT resources and security. With these findings, IT staff justified centralized control over the labs, closing potential “backdoors” to the corporate intranet.
A top defense agency leveraged comparable techniques to validate compliance to security policies. Officials needed to identify unauthorized connections inside the agency’s designated secure area. Using network assurance tools, the massive network was scanned in hours -- during peak usage, without disrupting service. This ensured connections to external networks were authorized and documented as per security policy, while confirming internal devices were appropriately protected from intrusion. Exceptions to policy were flagged and prioritized, enabling the agency to intelligently address non-compliant resources.
4. Keep score -- globally.
Is your network growing more or less secure over time? The CIOs I talk with address this question not by focusing on the risk associated with specific devices or hosts, but rather by examining the network as a whole. First, their IT staff evaluates the network’s assets and connections, numerically scoring the aggregate level of risk. Staff then repeats these steps periodically and compares the results against the baseline score, determining whether risk is increasing or decreasing.
With a single number in hand, CIOs have an objective way to quantify overall risk or the security impact of specific projects. A score is determined by a mix of elements, including topology, address space, externally exposed devices, the risk profile associated with individual devices, and whether or not devices are in compliance to policy.
Effective network assurance processes and technologies can typically complete a network evaluation and scoring in days, without impacting service performance. An alternative is to compile existing data from audit and asset management tools. The benefit is that these tools may already be in place; the challenge is that the results may be out-of-date or incomplete -- a function of uneven data quality across toolsets and the time the process takes to complete.
No matter how you proceed, the end result should pinpoint your network risk score’s significant contributing factors. This flags problematic network changes or resources, so that they can be managed to improvement before a security breach or non-compliance occurs.
In summary, CIOs can increase their focus on top-line business objectives -- and sleep easier -- when they have a regularly updated understanding of their network assets. Numerous blue-chip organizations have proven this can be achieved without increases to administrative overhead or disruption to operations. Driving growth without this understanding is like a doctor operating without X-rays or an MRI. It can be done, but far less safely and effectively.
About the Author:
David Arbeitel is Chief Technology Officer and Senior Vice President of Product Strategy for Lumeta.
Go Back
|
