Ever heard of a tarpan?
In case you haven’t, the tarpan is the ancestor of the modern domesticated horse. They roamed the forests and steppes of Europe and Asia for thousands of years — all the way from southern France to central Russia.
Over time, everything around them changed — their habitat diminished to make room for cities, crops now grew where their food sources once were, and everywhere they went they were hunted for food. They slowly became fewer and fewer in number until the last tarpan ultimately died in a Ukrainian wildlife preserve. The species went extinct in 1876.
The history of the tarpan is a sad one, but there’s a pretty important lesson in it. To the tarpan, the changing environment was both a danger and an opportunity — the same forces that led the tarpan to extinction also (ultimately) led the tarpan’s progeny (the horse) to becoming one of the most biologically successful creatures on the planet.
If you’re in IT, you probably already know where I’m going with this. Our environment is changing. We have a choice: we can be like the horse and capitalize on the changes, or we can be like the tarpan and fade away. I don’t know about you, but I’m picking the horse.
Is This Really an IT Problem?
So what are these changing conditions? First and foremost, we in IT have to deal with all sorts of regulatory and legal issues that we didn’t have on our plate a few years ago. Remember Enron and WorldCom? Nobody’s ever alleged that the root cause of the accounting scandals in these firms had anything to do with IT. However, in the post-SOX (Sarbanes-Oxley Act) world, we find ourselves in the position of documenting, demonstrating and justifying the “effective business controls” in use within the financial and accounting systems that we support.
Was it IT’s fault that these scandals occurred? Absolutely not. However, in the interests of due diligence, we now have the burden of ensuring that these systems have sufficient controls to give our management the data that they need to make accurate and informed decisions.
For many of us, this represents quite a bit of extra overhead that we didn’t have before. We have to work with the business to define the controls, we have to find technical ways to implement them, and we have to track them to make sure that they operate as we intend. And SOX is just the tip of the iceberg.
The New Rules
If you didn’t have internal audit on your speed dial a decade ago, you almost certainly have it there now. All sorts of new regulations have arisen that carry specific requirements about what data you can store, where you can store it, how you transmit it, and who has access to it.
If you’re a health care or insurance provider, HIPAA has specific requirements for ensuring the security and privacy of patient records and health-related information. If you accept credit cards, the PCI (Payment Card Industry) Data Security Standard has a list of specific required technical measures for IT to implement. If you do business in California, New York, or numerous other states, there are breach disclosure laws that you have to account for. Federal data? There’s FISMA (Federal Information Security Management Act).
As new regulation comes out, we in IT find ourselves with more and more requirements for which we have to find technical solutions. We face off against internal and external auditors on a regular basis. To do our jobs well, very often we need to understand the regulations we’re subject to almost as well as the auditors do themselves. And that’s just audit. Recent changes to the Federal Rules of Civil Procedure (FRCP) governing the discovery of electronic evidence mean new work for IT as well. Whereas before, IT might be called in on the rare occasion to help investigate an incident or to establish a timeline, now IT shops find themselves working directly with lawyers to establish processes for retaining evidence in the event that the firm is sued.
Audit. Corporate counsel. These are extremely high-visibility areas of the firm. IT is operating under the more-or-less direct scrutiny of the highest-level executives. For those who can keep up, success happens right in front of key decision-makers. For those who can’t, no failure is more disastrous than one that happens right when everybody’s watching.
It’s Not About Technology Anymore
I remember not so long ago, IT was all about technology — particularly in information security. We spent most of our days dealing with technical challenges. Issues like malware prevention, vulnerability remediation and cryptography were top of mind.
Today, however, most shops are light-years from that. We used to use acronyms like VPN (virtual private network) and RADIUS (remote authentication dial-in user service). Now, we use acronyms like GRC (governance, risk and compliance) and CobiT (control objectives for information and related technology). Not only do we have to understand technology, but we have to understand something about audit, compliance and the legal process as well.
Given the visibility of what we do, more and more of our time is spent using the tools and language of the business. We chart efficiency using performance metrics, we create graphs to track compliance with various regulations, we talk to lawyers, auditors, and executives about how business gets done. Back in the day, the only thing I knew about Excel was how to patch it. Now I use it every day.
It’s not just different inside the enterprise; it’s all across the industry. Take a look at where the current buzz is in the industry press — metrics and program maturity — definitely not where we started from.
Let’s face it, whether we like it or not, IT is moving from the basement to the boardroom — and that means we have to learn the language of the business to be successful. For those of us who started out as “propeller heads,” dealing with CEOs and boards of directors on a day-to-day basis is not where we thought we were going to wind up, but as opportunities go, this is a darn good one.
Ed Moyle is currently a manager with CTG’s information security solutions practice, providing strategy, consulting and solutions to clients worldwide, as well as a founding partner of Security Curve. His extensive background in computer security includes experience in forensics, application penetration testing, information security audit and secure solutions development.
Diana Kelley is a founding partner of Security Curve and previously served as vice president and service director of Burton Group’s Security and Risk Management Strategies Service.