Thought Leadership

“How the @&!K did my cyber and IT guys leave me SO exposed to that flawed CrowdStrike update?”

Atanu Roy

SVP Customer Success

That’s the question that hundreds of thousands of business executives are asking of themselves and their teams.

At one level, the answer is pretty simple. In the business, we have neither the time nor the expertise to select the ‘right’ endpoint security solution, so we delegate that decision to those who do it professionally. We feed our requirements into that team and ask them to balance the operational and financial risks, the costs, the flexibility and the resilience of a solution to meet our needs. Since every other part of the business is asking for the same, the Cyber and IT teams end up looking for an enterprise-wide solution that fits everyone, including themselves (i.e. one that fits their own standards for such solutions). As a result, it is possible that there are some exposures or compromises in one area or another.

Typically, the vendor selection would have gone through a strenuous and rigorous qualification regime driven by those experts, arriving at a decision that balanced these factors in the appropriate way. They would have assessed that the likelihood of a failure of this nature was low enough to offset the fact that the impact of such a failure would be extremely high. And then the worst-case scenario happened, and over 8 million Windows endpoints were impacted. It is worth noting that what failed was a vendor-pushed content update delivered to all sensors at once, rather than a sensor version that customers could stage and test in rings, so the usual change controls around endpoint software updates never had a chance to apply.

OK, everyone learns something…albeit at extremely high expense.

But let’s flip the script. What if we were talking about selecting employee systems, customer development systems, financial systems, facilities management systems, supply chain and procurement management systems, product development systems and the host of other business systems that an organisation might need to operate?

Different story, right? Here, ‘The Business’ was in the driving seat for selecting the features, functions and capabilities of each one: highly active in the requirements definition, closely integrated (and probably holding ‘sign-off’) for the selection, and a key stakeholder at the deployment stage. The budget was probably tied to a company improvement initiative, and the ‘outcomes’ for the sponsoring departments were closely tracked against their predicted benefits.

Cyber and IT involvement was probably limited to defining some key architectural building blocks, such as selecting the appropriate hosting environment, authentication and role-segmentation standards, database and data storage, security and governance options, etc. Application or service owners were appointed from the business, IT partners were allocated and, hey presto, the transformation came to life! These systems then became the default solutions for any ‘similar’ requirement, even if that meant a tweak or customisation here or there to fit the need.

Sadly, one size never fits all. As future requirements emerged, the business found that these tools, chosen for one scenario, could not be extended to precisely support another. Moreover, since, for example, the CFO was not ready to sign off on new bespoke customer-success tooling having just invested in a CRM solution, workarounds were needed!

I have observed two scenarios here.

The first: the applications become really ‘bloated’, meaning that clunky extensions are put in place that struggle to handle data held and managed externally. As a result, processes become even more entangled, with multiple places in which the ‘system of record’ exists.

The second: cut-and-paste as a business tool! People end up copying fields from one application and pasting them into another (sometimes with some intermediate processing). This is extremely frustrating for the person who has to do it, error-prone and, let’s face it, pretty lame in this day and age! Imagine what your latest graduate recruit is going to think!

In both scenarios, people in the business find themselves forced to operate within the operating model, capabilities, risks and limitations imposed by those solutions, a position similar to being told to operate with the organisation’s endpoint security solution. But instead of being exposed to the risk of service disruption, they are now exposed to difficult-to-navigate, slow and sub-optimal practices to work around the shortcomings. Worse still, these practices become built in as “that’s how we do it here”…

The question now becomes…

“Why the @&!K is it so hard to do any more than the basics, when we’ve already spent gazillions trying to make it easy?”

I can by no means claim to have “the answer”; this is a thorny one, and since change is both constant and inevitable, it becomes more and more complex to resolve. But I have some observations:

  • There seems to be a need for a technology layer that can overlay existing applications and data stores, so that emerging practices have the supporting workflows, reporting capabilities, simplified GUI and user experience, and data integrity to make an impact on the business quickly.
  • The business needs to be in the driving seat for the selection of this technology layer, AND there also needs to be enterprise architectural governance to ensure that a solution for one part of the organisation can be extended easily to cover the needs of another without changing the underlying data model or weakening the organisation’s security controls (authentication, authorisation and the boundaries around who can access which data). IT should not be driving, because the challenge of managing such a solution must not outweigh the business’s need for agility, simplification and an outcome-driven transformation.
  • Such a technology needs to run in the cloud; it cannot rely on internal infrastructure and processes that were designed for the systems of even the past five years, which simply were not built to cope with this challenge. That said, this layer is likely to become business critical, so the governance and resilience of any cloud-based provider needs to match that of any other business-critical system, including the same scrutiny of the provider’s own update and change-management practices that the CrowdStrike incident has just taught us to apply to endpoint vendors.
  • AI. There we are, I have finally become buzzword compliant in this blog. How an organisation plans to embed AI depends on how well it understands the opportunity (and the threats) as well as how well it understands itself. But one thing is for sure: working out how to apply AI techniques and technologies to business systems is a big challenge. My simple thinking is that if you can ‘workflow’ it, you can apply AI to that workflow to optimise it. Whatever this new technology layer is, it needs to be able to embed AI capability so that we can overlay our existing tech choices.

So, in conclusion, we just have to accept that our past technology choices were made for the best of reasons, using our best judgement of risk mitigation and our best efforts at predicting future flexibility and expansion needs. Given what we knew at the time, they were the best decisions we could make. However, the pace of change being what it is, these choices have evolved from being our business enablers to also being a contributor to our organisational friction.

What we need now is a business-led solution that overlays our existing estate to bridge the gaps in our workflows, allow real-world integration of AI capabilities, provide reporting across the silos and protect our data integrity, without our having to go through an enterprise-level upheaval like the one we had when we put in something like our ERP. BUT it needs to be small and iterative. By that, I mean that it needs to be applied with quick turnaround and aimed problem by problem, so that costs stay low and the benefit returns very fast. It also means that the cost/benefit is seen department by department without triggering big procurement governance processes, which would simply slow us back to where we already were, whilst still being applicable across departments so that we do not end up with yet more silos.

So let me ask you something… given that ‘starting over’ is just not an option, what application or capability would you create that would bring the most immediate value to your business?
