When it comes to enterprise security, bad habits, shortcuts, and oversights can do major, irreparable damage to a company.
CIOs and CISOs shouldn't look at IT like a box of Legos
With the term 'innovation' seemingly on the tip of every corporate executive's tongue, it's difficult to identify the efforts that can really lead to positive change for the enterprise. Whether suggestions come from the C-suite, staff members, or vendors, the proposals need to be properly evaluated. Rick Doten, Chief Information Security Officer of DMI, thinks the right way to bring innovation to life in the enterprise is to lead rather than follow.
"Innovation is unfortunately more rare in the enterprise than we’d like. The reason is the industry has productized the process, and IT and Security management are being led by the product vendors to identify what is needed and how to use it. What should happen is for IT and Security leaders understand their IT and security goals based on the “business” requirements, not technical requirements.
"These are unique to each organization. They then must ask questions to understand “what technology do I need to have to allow my organization to perform their business requirements?” Then “What questions do I need to know to understand if these systems, networks, and applications are secure?” At that point you go research and find technology and develop processes to answer those questions.
"Doing it that way, you will discover there might be a gap in a technology, which you will need to develop a capability to meet your needs. Or you might search to find a unique little company that isn’t widely known, who developed a capability that solves that requirement. As a CISO, many of my technologies are from small firms, who I then can assist in their product roadmap that will both improve their product, and align with my requirements.
"I view innovation starting at the top, with a leader who wants to do what’s best, not just what’s available, then he or she pushes that approach down to technical staff to research, develop or acquire, test, implement, and manage it. But like I said, most folks look at IT and Security like getting a box of Legos and following the directions to put them together. Instead of thinking first what they want to make, and considering all building media options to be able to create it."