A little over a year ago I wrote an article about the challenge of managing security risk when IT is managed in silos (Security Risk and Overcoming IT Silos in ISSA 09/08). Branden Williams (then at Verisign and now at EMC/RSA) quickly followed up with an article (Crushing Cross-Dysfunctionalism in ISSA 10/08) in which he amplified my position. My daily work has also strengthened my perception that silos are a fundamental issue contributing to IT risk.
There is a very interesting recent discussion initiated by Michael Krigsman, including a nice picture of a silo with a bridge on the very top – representing enterprises where only top management interacts. The blog entry and the ensuing reader discussion bring up a few good points:
- IT silos are still being created to organize the communication within an enterprise — if everybody communicates with various groups and sub-groups, it will create a rapidly growing communication overhead.
- Mapping IT onto business needs and structures rather than organizing by IT internal structures might naturally erode silos. This point was also recently made by Jonathan Eunice on his blog “Apps meet Opps”.
These two points are worth examining.
It is certainly true that having random communication patterns prohibits efficiency. But so do walled off silos, especially if they are no longer consistent with the overall business objectives. Advances in system management technology now allow different groups to communicate much more efficiently. Management and workflow platforms provide dashboard views that can be customized and consumed by many constituencies to obtain a shared and consistent view of IT. Enterprise 2.0 applications allow sharing of information without a lot of meeting time overhead or e-mail inbox overload.
The blogs reference the second point in terms of applications, which no longer map neatly onto IT silos but rather embody the interconnectedness of the IT-based services powering the business. Just think about virtualized applications. Their mapping onto an IT structure can change frequently without human intervention. Similarly, the security risk of the business no longer maps into any single IT silo. Security risk is the result of the interplay of security controls from all IT silos, and the risk posture can easily change based on the state of virtualized data and apps.
In summary, I am hopeful that external forces, such as business-centric applications, virtualization and clouds, enterprise risk assessments, and Enterprise 2.0 information sharing, will eat away at the ugly silos.
