29 March 2017
This week David Lacey was the guest of the BCS DevSecOps Specialist Group, presenting his ideas on the collection of data required for Governance, Risk and Compliance (GRC) and security. How will this influence the future of IT management and IT governance, DevOps and our preferred approaches to development, whether they be agile, waterfall, or whatever?
David Lacey’s work provides a blueprint for a data model that joins up the metadata on cyber security with GRC data. As such, he sees it providing the links between risk assessments, incidents, vulnerabilities, compliance requirements and physical controls. It would provide the basis for status reporting, audits and questionnaires, and underpin compliance with evidence of implementation. He found that traditional data categorisations in this area hadn’t been helpful, and he had rejected a number of technologies as inappropriate, e.g. Java, AI, Big Data and Blockchain. His categorisations were the result of three years’ work, and he claims that this is the start of the industrialisation of GRC. The presentation prompted discussion about the level of detail that must be maintained and whether this was necessary or practicable. This is where I would like to contribute.
Management and governance
History has taught us that often, by the time we have defined something in absolute detail, it has changed. On the other hand, we need to manage the detail as well as the overall direction, or we never arrive. I believe that David’s work provides a useful underpinning of the linkages between management and governance on the one hand and Agile, security and DevOps on the other. The drawback is that data collection may never be complete; where it is complete the content may be useful, but even where data doesn’t exist there still has to be management and governance.
If we are serious about changing the way we work, then our management and governance of IT must not only be better than it is today but continuously fit for all emerging and future technologies: the extended enterprise, the expansion of the IoT, massive complexity, internationalisation of operations, business departments doing their own thing, creating the agile business, etc. Given the increasing risk of cyber-attacks and their potentially devastating consequences, David Lacey’s proposal must be part of the mix.
Technology for the security, management and governance of IT
Technology management, security and governance are all of crucial importance to a successful business, but there is still little understanding in the boardroom of how these should be measured or controlled. Whilst much of the information needed can be defined in advance and sourced automatically, much is unstructured or takes effort to collect.
We need to introduce more automation in order to manage the scale and complexity of IT and to avoid the failures that have characterised IT management over the years. Managing the unstructured and hard-to-gather information is crucial to a successful outcome. This is now possible. We researched the problem and we are working on a prototype system that will introduce automation to the management and governance of IT that is suited to the digital world, that is consistent with the latest broader management thinking, and which will enable IT to be managed and controlled from the boardroom.
Copyright © 2017, Dr David Miller, ITDYNAMICS Ltd. All rights reserved.