How to Secure Your Business While Juggling Your IT Department
If you are working as an IT professional, manager or director, chances are that you’re wearing many different hats. You are juggling the day-to-day priorities of your IT department all while trying to address security challenges. And somehow, there are never enough hours in a day, are there?
Back in the day, IT pros were responsible for maintaining and updating an organization’s software and hardware. Nowadays, they are faced with a myriad of operational challenges and must secure their organization’s critical assets against security breaches and intrusions at the same time. In fact, a recent study by Frost & Sullivan revealed that a whopping 32 percent of IT professionals name security concerns as their biggest challenge.
Which security challenges are most critical for IT professionals? What should be prioritized, and what is maybe less relevant? And how can IT professionals continue to get their daily responsibilities done and secure their business at the same time?
We’ve compiled some of the biggest security challenges facing today’s IT professionals and gathered some practical recommendations for how to overcome them effectively.
- Challenge #1: Not enough people
- Challenge #2: Lack of expertise
- Challenge #3: Too many priorities
- Challenge #4: Limited visibility on your environment
- Challenge #5: IT strategy is not aligned with business goals
- Challenge #6: Not enough budget
Disclaimer: In this article, we focus on some of the most commonly cited security challenges that IT professionals are facing. This list is not meant to be exhaustive but is intended for guidance only. For a thorough analysis of your security challenges, gaps and overall security posture, please consult with a security expert of your choice.
1. Challenge #1: Not enough people
It comes as no surprise that IT departments are severely understaffed. In many cases, there are no dedicated security functions within the IT function – a phenomenon that relates back to the infamous cybersecurity skills gap.
According to the Cybersecurity Jobs Report 2018-2021, the industry is facing about 3.5 million unfilled cybersecurity jobs by 2021. Although organizations may be actively recruiting security staff to join their IT teams, there may simply not be enough qualified resources out there to fill the positions.
What this means is that IT pros are constantly struggling to fill this gap, juggle priorities and use their existing team to do a security job that they may not be qualified for or, simply put, that they just don’t have the time to do.
What to do?
If you don’t have enough people to take care of your security needs, you may want to:
- Prioritize. Make sure to clearly define your objectives and role as an IT department. Ask yourself if you’re spending your time on the right projects. Especially when you’re short-staffed, a solid strategy and project management function are crucial for your IT department’s survival.
- Define what you need to protect. Identify your company’s most critical assets and think about what you’re doing today to secure them. The more valuable the asset and the higher the risk of exposure, the better you should be protecting it.
- Talk to your team. Sit down with your team to find out if any of them has security skills that you can leverage in the interim, until your security capabilities are strengthened with new team members or external expertise.
- Ask for money. Ask your boss for a bigger cybersecurity budget, including more money for staff, technology and services. See challenge #6 for tips on how to get the budget you need.
- Consider outsourcing. Have a look at which security projects or tasks can be outsourced. If you can’t find suitable security experts or don’t have the funds to do so, an external security provider may come in handy.
2. Challenge #2: Lack of expertise
Another critical challenge that IT professionals are facing is the lack of expertise within their teams. IT is becoming an increasingly complex field that brings about many new technologies and concepts such as the Internet of Things (IoT), Big Data, Artificial Intelligence (AI) or the cloud – all of which must be understood in order to be leveraged for business success.
Finding skilled and experienced resources who are well versed in these new technologies is hard, and retaining these resources is even harder. According to recent research, the IT industry has become so competitive and specialized that qualified resources either demand higher salaries, or simply choose to do temporary assignments.
What to do?
- Train your team. If you don’t have in-house expertise to tackle your IT needs, support regular training initiatives for your existing team. By investing in continuous learning such as workshops, industry events or seminars, your team will grow its expertise, develop curiosity and stay motivated to make a lasting difference for your organization.
- Prioritize the expertise you need. Take a close look at what areas of expertise are most crucial to the success of your department and the organization as a whole. If you tie them back to how they will support business goals, your chances of getting funds to enhance your team’s expertise may increase.
- Get help from outside. If your in-house expertise is not sufficient, you can complement it by recruiting external help, such as specialized IT consultants, part-time/temporary resources or independent security service providers. Engaging with IT experts for a defined period of time will likely not bust your budget, and will help keep your team’s focus on value creation and core activities.
3. Challenge #3: Too many priorities
When it comes to juggling priorities, all IT professionals seem to be in the same boat. They are being pulled in many different directions and are trying hard to satisfy the needs of different departments all while putting out fires when dealing with day-to-day emergencies. As the saying goes, “if you have too many priorities, you have none”.
A couple of years ago, the Harvard Business Review dug a little deeper into the importance of strategic priorities with a survey of 1,800 global executives. A total of 64% of executives reported having too many priorities on their plate, and that priorities are often conflicting. An interesting finding from this particular piece of research was that a company’s revenue actually declines as the priority list grows for an executive team. What this means for IT departments is that they are best advised to focus on a small set of priorities.
What to do?
At the beginning of each fiscal year (and at least once per quarter following that), make sure to reflect upon the successes of last year and identify areas of improvement for the next one. What’s important here is to engage your IT team and define a clear mission that you’re trying to achieve, as well as a small set of goals that you’re working towards this year. Then, discuss what type of strategies are needed to achieve these goals.
Each member of your IT team should have a defined set of goals or key performance indicators (KPIs) that are “SMART”, meaning they should be:
- Specific (your goals must be clearly defined, not generic)
- Measurable (you should be able to measure progress towards your goal)
- Achievable (make sure that you can achieve your goals)
- Relevant (your goals must support overall business objectives)
- Time-bound (you have a deadline for completing this goal)
If your priorities are well aligned with your capabilities as well as with the overall business strategy, you have a better chance of managing your IT-related responsibilities with ease and confidence.
4. Challenge #4: Limited visibility on your environment
According to recent research, almost 65% of organizations don’t have full visibility into IT, user and third-party activity when it comes to their IT infrastructure. You can’t fix what you can’t see, and you can’t manage what you are not aware of.
Compared to other business functions such as HR, marketing or legal, the IT department is struggling to keep up with what is really happening inside its IT environment. New devices, technologies and applications add increasing complexity to the already complex IT infrastructure, which can result in operational downtime, security risks and wasted resources. Problem areas that come to mind are cloud systems and applications, user activity and behavior analysis, unstructured data and mobile devices.
What to do?
One of the most effective ways to increase your visibility of your IT environment is to have it monitored on a 24/7 basis. Of course, the ideal solution would be to properly sort through your environment and structure it in a way that follows best practices in terms of access control, user segmentation, information security as well as updates and patches, then have it monitored by an internal team of certified security specialists who will be on the lookout for potential breaches and intrusions.
Chances are, though, that neither you nor your team will have time to restructure your IT environment from scratch and monitor it on a 24/7 basis. Instead, you may want to consider partnering with an external security provider who is able to monitor, correlate and analyze your logs effectively and escalate security incidents in a timely manner. Unless you are fully confident in your own ability to monitor your environment, you may want to consider engaging a managed security service provider (MSSP).
Ideally, your MSSP should be able to evaluate your current cybersecurity posture, reveal your weaknesses and develop a clearly-defined action plan that you can implement, in addition to the usual 24/7 monitoring and incident management functionalities.
5. Challenge #5: IT strategy is not aligned with overall business goals
Unfortunately, there are still too many organizations that don’t fully align their IT strategy with their overarching business strategy. In fact, only 1 out of 4 Chief Information Officers (CIOs) reports that their IT team is clear about how their work relates to business goals, and 10% of CIOs state that IT doesn’t connect work with business value at all… these are some dangerous statistics!
The difference between aligned and misaligned organizations is quite clear:
- Organizations that are aligned in terms of IT and business goals are typically more effective – they are dynamic and agile, can react quickly and have a coherent approach in place that will help them achieve their goals and manage their risk.
- Organizations that are misaligned are increasingly becoming left behind – not able to keep up with the Joneses, wasting resources, overspending or underspending on projects, etc.
Only when your IT initiatives are aligned with organizational goals will you be able to focus on what really matters to your organization, demonstrate effectiveness and justify additional funds for critical IT projects.
What to do?
- Get to know the corporate strategy. If you don’t already know your organization’s overall strategic direction, now is the time to do so! Find out which strategies are most important to the continued success of the business, and how the IT function can support business goals and secure corporate data.
- Define what’s most critical. Every IT department should have a solid understanding of the business functions, assets and data that are most important for your business. Your IT efforts should be centered around ensuring that your most critical elements are adequately enabled and protected.
- Take stock. Have a close look at which projects (out of the many projects you’re working on) actually deliver value to the business, and how. Taking stock of your IT project effectiveness and ROI is an important exercise to impact your IT and security strategy going forward.
6. Challenge #6: Not enough budget
Lastly, probably one of the biggest challenges that IT pros are facing is the lack of enough financial resources to implement and manage their IT projects effectively. Not only do IT pros struggle with too few people, too little expertise and too many priorities, they also need to worry about getting enough budget to continue their operations and allow for scalability to meet future demand.
Although global IT spending is on the rise, this does not automatically mean that IT leaders have enough money to run their departments effectively. Instead, they are frequently faced with the question “How should I be spending my IT dollars for maximum results?”.
What to do?
- Align your IT spend with your business strategy. If you want to protect your current budget for your IT initiatives, you have to be able to demonstrate how this budget has helped you achieve overall business goals. If you want to ask for more budget, make sure to demonstrate how this new cost item will benefit your IT team and the overall business performance.
- Review your effectiveness. Have a look at how effectively you are currently spending your money. Do your IT projects actually yield the desired results? Are you achieving what you want to achieve? And what could you do without, outsource or pause temporarily?
- Demonstrate ROI. If you want to convince your boss to approve a bigger IT budget, be ready to know exactly how any new expenses will contribute to the success of the business. Technology should enable the business and, in your position as IT professional, you have to be able to create value for the bottom line.
IT professionals don’t have it easy, that’s for sure. They struggle with a lack of resources, expertise, too many priorities and not enough budget, just to name a few.
We’ve presented some of the biggest security challenges facing today’s IT professionals and outlined some practical recommendations for how to overcome them effectively. Probably most importantly, IT leaders need to focus on their alignment with the overall business strategy.
If IT pros can demonstrate how their initiatives, projects and teams can help drive business goals and manage risk effectively along the way, then they will have a good chance of increasing their efficiencies, dealing with change and working around problem areas such as limited budgets and skill shortages.
Especially today, IT should be approached strategically and as a business enabler, not simply as a cost item. Likewise, any IT strategy that is properly aligned with the strategic direction of the business has better chances of succeeding – not only for the benefit of the company, but also for the sake of hard-working IT professionals.