6. Keep It Secure

Cybersecurity is no longer a layer that’s added at the end of a project. An increasingly sophisticated threat landscape and more distributed IT environments are forcing organisations to ensure that security is baked into all aspects of their Hybrid IT models, from on-premise systems to cloud applications. A secure, resilient infrastructure is vital to reduce risk and increase the reliability of mission-critical systems and applications.

Security has become one of the top priorities for IT projects. 88% of European CIOs said they are involved in security initiatives to a greater degree than in the past, with 64% of UK CIOs saying their security and IT strategies are tightly integrated. This trend looks set to increase over the next three years, with 66% expecting their security and IT strategies to be closely knitted together.

Although increasing cybersecurity protection is the number one IT investment priority for UK CEOs, it’s a joint-third concern for UK technology leaders, less important than improving operational efficiency and customer experience.

And according to the UK’s 2017 CIO 100 study, the top three areas of IT investment in 2018 and 2019 will be cloud capabilities (84% of CIOs), followed by data analytics (79%) and then security (73%). Security will continue to be a key focus for CIOs going forward, but they clearly have other things on their mind as well.

“Security is within every project, so when it comes to managing and liaising with third parties there is a lot of understanding around how they manage security.”

– Floriana Molone
Head of IT Customer Services and Deputy Director, London School of Economics

What Matters Most?

Select your most important technology project and see how your choice compares with other CIOs:

  • #1 IT/network services management
  • #2 Software, on-premises
  • #3 Security technologies
  • #4 Hybrid cloud computing
  • #5 Software as a Service (SaaS)
  • #6 Private cloud computing
  • #7 Internet of Things/M2M/telematics
  • #8 Hardware

What Does Success Look Like?

Select the primary goal of your most important technology project:

  • #6 Cut costs
  • #3 Improve customer satisfaction/experience
  • #2 Meet security, privacy, or compliance goals
  • #4 Generate new or increased revenue streams
  • #5 Maintain or improve expected service levels
  • #1 Increase productivity

As the IDG research shows, security has become a focal point for both IT projects and business outcomes. Interestingly, though, the most important technology projects UK IT departments are working on right now are IT/network services management (10%) and software, on-premises (10%), followed closely by security technologies (9%).

Source: IDG 2018 Research Survey

Rising threats have led many organisations to integrate security tightly into their overall IT strategies across all platforms and systems, and down into functions such as software development. 64% of CIOs in the 2018 IDG Research Survey said security is now an integral part of IT strategy – up from 37% in 2016.

Integrating IT and security strategies

  • 64%: IT security strategy is an integral part of our overall IT strategy
  • 36%: IT security strategy is loosely incorporated into our overall IT strategy
  • 0%: IT security investments are typically reactive in response to IT security challenges or events
Source: 2018 IDG Research Survey

“Security is built into every initiative and every single capability upfront. It’s not something you do at the end of a milestone,” says Anil Cheriyan, CIO at SunTrust Banks. “As you build orchestration between public, private, on-prem, and co-location facilities, security has to be an integral part of that. And when you implement new capabilities, all the different aspects of security, such as access management or vulnerability testing, need to be engineered for every new capability.”

“To me, security is same stuff as normal projects, they absolutely go hand-in-hand. I don't think there's any project you do where you don't have any security considerations.”

– Simon Iddon
Group CIO, The Restaurant Group PLC

Hybrid IT can reinforce an organisation’s security posture because it provides the option to calibrate your decisions and choose the best place for each piece of your data. The challenge, however, is not so much where the data is stored; it’s the added complexity of safeguarding information as it traverses on-premises, public cloud, and private-cloud environments.

“Whenever you make your environment more complex, there’s the potential for more mistakes,” says William Mayo, CIO of Broad Institute. “And ultimately that is the driving force behind dev-ops/no-ops in this whole space. As your environment gets more complex, the old ways just don’t scale.”

A comprehensive security and governance audit is a critical first step in shoring up Hybrid IT security practices. The audit should include an evaluation of all policies and user privileges, as well as of where and how data is stored throughout the organisation.

End-to-end visibility will allow security teams to introduce the right mix of security layers and controls to ensure redundancies and create protections across the entire infrastructure.

Data-centric security techniques, combined with identity-based controls, are gaining traction as better ways to defend against unauthorised access to information and systems across environments. Companies are deploying advanced encryption techniques to protect data at rest, in motion, and in use across public and private clouds and enterprise systems. Identity management adds an additional layer of role-based access rights across service catalogs and enterprise directories.

For example, AmeriPride has integrated identity solutions into its security mix as it moves more applications and infrastructure to the cloud as part of its Hybrid IT transformation, according to Jeff Baken, director of infrastructure at the uniform rental and linen supply company. “We’re trying to establish more role- and profile-based solutions,” he says, “so it doesn’t matter whether users are at home, in the office, or at a plant location. We authorise access based on the user vs. where they are or what they are trying to do.”

“The mindset has shifted over the last five years, where people will probably rightly consider cloud datacentre security has more inherent security than typical on-prem solutions.”

– Simon Iddon
Group CIO, The Restaurant Group PLC

And for Jason Oliver, Director of ICT, Science Museum Group, machine learning (ML) and artificial intelligence (AI) are making a difference to daily security operations.

“We are putting in place machine learning and artificial intelligence to help us understand what is normal within our security environment and what is happening on a day-to-day basis, primarily so it can flag abnormalities and my team can then react to them. But that’s not where the journey ends; the next step is that we then teach the ML/AI to actually respond to those threats that it sees itself, and self-heal our infrastructure, allowing our staff to concentrate on value-added tasks.”

Key Play

6. The Block

6 steps to improve Hybrid IT security
1. Introduce security into the software development lifecycle to improve security and reduce the cost of vulnerability fixes.
2. Build a data-centric approach to security, with encryption at the core.
3. Deploy to a dynamically hardened infrastructure to reduce risk on virtualized data center traffic.
4. Implement a shared access-management solution that integrates cloud-based identities with corporate identity directories.
5. Proactively monitor, detect, and respond to security threats.
6. Integrate security policies across cloud and on-premises infrastructure to maintain continuous regulatory compliance.
