Applications are a key part of the success of companies these days. An organization's ability to create new capabilities and deliver new products often lies in the ability to execute on delivering new services with applications. It makes sense that we have applications, and even many applications. I've been thinking lately about the cost of supporting applications and infrastructure. As a security leader, I'm frequently thinking about what it costs to protect the organization from known and unknown IT security threats. The most significant threat is probably those same applications we all implement and use in an organization to propel the business forward.
I believe many organizations, and specifically leaders, have a bad habit of implementing things. I've inherited half-baked SIEM tool implementations 3 times now, for instance. Some organizations have processes to try to curb overall spend on IT implementations, as well as ROI calculators that help in determining if that product is a good idea for the company to implement. Regardless of these processes, and despite these processes, if leaders are not careful and
intentional about product implementations, organizations
become like hoarders we see
on reality TV shows on A&E or TLC. (Truth be told, I've watched
a number of them. Hoarders: Buried Alive, for example.)
Hoarders
love to collect. Hoarders love to buy something, "own" it and bring it home. Organizations,
meaning IT and the business, purchase and
collect applications that feel (and maybe are) really valuable and really
meaningful to the work that they perform. They are all beautiful and valuable when they're new to an organization. Leaders get credit for implementing new technology and enabling new capabilities in the organization. There is an all too common life cycle of products however:
- The teams implementing the product go
from "fighting for it" (insert appropriate long pause for the typical long implementation here) to "its implemented!"
- Now
the organization settles into a time where the operational teams are getting to
know the product and working on operationalizing it; building processes, workflow, troubleshooting, etc. (some should have happened prior to implementation, for sure, but lots will happen after)
- At this point, it is "installed" and probably "operational". This product
will sit in a portfolio of other applications that have been implemented and collected over the
years.
- Various teams pay various levels of attention to the, now old, apps. So, over time, they sit and rot. They may be maintained...or not.
Hoarders are not good at assessing the value of something in
relationship to what it costs to keep and maintain it. Eventually, you have a house full of things
you've bought and no where to sit or sleep. In a company, the analog of running
out of space is running out of budget. No organization can afford to
keep every application going that they've purchased over the years, because:
- You may no
longer have the budget to pay for the staff with the numerous and varied skills
needed to maintain a diverse and sprawling application environment.
- You may not find that the vendors will support the application versions you're running, security updates included.
- You may find that vendors are not willing to support out of date core IT infrastructure older platforms sit on.
- I, as an IT security function, will point out the affects of #2 and #3 on what is in the environment on a regular basis.
Leaders are then forced to make a decision, which is a great thing. We need to consider what doesn't need to be maintained and can be removed from the environment. Unfortunately, leaders do not get much credit for dismantling old platforms. Sometimes they get credit for reducing overhead, but there's much more value than just reducing overhead. That is a culture problem that we need to change. Leaders should be rewarded for reducing complexity, reducing risk and reducing overhead. "A penny saved is a penny earned!" said Ben Franklin.
Unfortunately, we can't just call 1-800-Got-Junk and get rid of old applications. But I'd suggest some good directions to base actions:
- create threshold for purchasing applications that involves exposing the risks and fully loaded expenses for an application, and use that to slow down expense sprawl.
- create standards for the business and IT to follow, and be diligent about growing and tending those standards to meet and be predictive about the organization's needs.
- make sure that the cost of maintaining systems is appropriately attributed to where in the organization that system/application supports the business.
- make decisions to consolidate like applications.
- make decisions to consolidate vendors .
- make decisions to simplify the infrastructure.
In the end, I think the primary information security concern about the environments we operate in can be boiled down to being intentional about what we put into the environment. Know what the risk and commitments are before you take action and implement.
Chris
