IS YOUR ORGANISATION A FIT OR A FRAGILE ONE?
THE CIO AND CTO NEED TO BUILD A CONTINUOUS CULTURE OF LEARNING ON HOW TO USE TECHNOLOGY TO SURVIVE UNCERTAINTIES OF TODAY’S GLOBAL ENVIRONMENT, EXPLAINS RANJITH KAIPPADA, MANAGING DIRECTOR AT CLOUD BOX TECHNOLOGIES.
What is the culture of an organisation? Is it the value system of its top executives and the business formula for achieving operational success? Or is it the ability of an organisation’s workforce to utilise technology to adapt to fast moving changes outside and inside the organisation? Increasingly, the latter is becoming associated with the culture of survival, especially after the enduring months of lockdown, entering the post pandemic phase, and now seeing no end to the volatility in the external environment.
Workforces need to develop the ability of being able to recognise uncertainty in the external environment and to plan for internal changes and restructuring. They need to be able to ask the question - is our organisation fragile and what can we do to make it fit?
According to global consulting firm Gartner, a fit enterprise recognises uncertainty as an ongoing situation and is prepared to adapt and navigate its way successfully through the prevailing conditions. Oftentimes such fit organisations even start accelerating their growth along the way, through a combination of having the right insights, the right skills and the right offering for end users at such times of volatility and turbulence.
A fragile organisation on the other hand, with a weak culture of learning and adapting to uncertainty, typically slows down in such a prevailing condition of uncertainty and finally exits.
During the last decade, having a visionary management team at the helm, with a far reaching, forward looking strategy, was believed sufficient for success by its shareholders. During those times the external conditions were not as volatile, the inflexion points on sales models determined by adoption of digital technologies were still in their infancy, and organisational culture was not a decisive survival criterion.
All this is now history!
Readiness to accept risk and failure and determination to find a new approach to survive the external conditions are now a critical part of the overall organisational culture. Managing a volatile external environment implies a workforce that has the ability to transform its skills.
This is facilitated by an internal culture of learning and training, pivoting on insights derived from customer data. Such an organisation, whose workforce can flex and adapt to changing external demands and conditions is increasingly being looked at as a fit organisation.
According to Gartner, more than 25% of fit organisations are built on a pervasive culture of learning. Moreover, the CIO, CTO and the IT organisation are not silent spectators in this run up. Rather than driving the development of specific IT skills, these executives are responsible for building the process of continuing learning and how technology can help drive the business success of an organisation.
So how do you go about it? Changing the culture is a huge task, and the bigger the task, the less likely it is to be successful. An easier way is to continuously think of how to break the routines that define the culture, challenging the teams to adapt and find solutions.
The secret is to find the weak spots in the culture, and break out changes wherever you can make the most impact.
- Use real life examples and don’t just talk about data models.
- Build proofs of concept and roll them out without delay.
- Celebrate failures by discussing learning points.
- Encourage every meeting to end with hard hitting questions.
- Announce changes in an internal process and block all steps in the old process.
- Do not offer answers to all questions, make the team think them out.
- Do not announce collaborative status meetings, let project owners document progress and failures.
- Set a cut-off time line for any decision and reward quick decision making.
- Making a decision, even if it is a bad one, is better than no decision.
By using a multifold approach around continuous learning and adaptation, regional enterprises can expect to remain fit and agile, rather than fragile and rigid.
POSTING WARNING SIGNS ON YOUR CLOUD PROPERTY
PRESENTING WARNINGS THAT CLOUD SECURITY TESTERS AND RESEARCHERS ARE UNWANTED AND LIABLE IS ALSO IMPORTANT AND PART OF TYPICAL CLOUD SECURITY MEASURES, EXPLAINS FRANK KIM, FELLOW INSTRUCTOR AT SANS INSTITUTE.
In the real world, we are used to a variety of signs and displays that indicate a certain physical area is privately owned and uninvited visitors are not necessarily welcome to be onsite at these premises. Based on the nature of the ownership and the type of activities being conducted at these premises, there may be additional fences, warning signs of fines and punishments, and protective measures to keep visitors off the premises.
The intention being that the everyday law-abiding citizens will stay clear of encroachment on private property, while any violators are either hostile or unknown.
Today’s world of cloud deployment is in a somewhat similar situation. It is relatively easy to acquire and take possession of a cloud property. But it is relatively challenging to secure the property, and to ensure that only legitimate visitors enter the cloud property and utilize available services.
Cloud is a transformative and disruptive technology, that has shot into the limelight since the arrival of the pandemic. It is a required platform to enable teams to work remotely and collaborate efficiently during the post pandemic and lock down times.
Moreover, cloud will continue to define the technology landscape for years to come.
Managing cloud requires a good blend of skills around applications, code, and automation. Due to the ease of enabling and activating a cloud property, cloud is growing at a brisk pace. But the cloud security skills and investment that need to grow alongside it are not keeping pace.
How to secure a cloud property remains a specialised role requiring training and experience.
There are various types of skills and roles that go around protecting a cloud property. These include Cloud Security Manager, responsible for leading; Cloud Security Architecture, responsible for designing; Cloud Security Engineer, responsible for building security capabilities; Cloud Security Analyst, responsible for enabling defenses and analyzing issues; and DevOps Professional, responsible for building applications and systems.
By default, when acquiring a cloud property, there are just a few security fences around the property and it is left to the leasers or those who are renting the cloud space to build their own security fences. The ongoing lack of such investment into cloud security creates three types of visitor groups.
The first is the genuine visitor who comes and goes and consumes available services from the cloud property. They do little to threaten the existing cloud security fences. The second group of visitors are those who have no malicious intent but are keen to test the security defences of the cloud property and if fallible offer their own expertise to rebuild the fences of that cloud property. They are cloud security testers and researchers in a manner of speaking. The third are the malicious threat actors who will continue to aggressively threaten the cloud property once they have decided the corporate entity and its assets are of interest to them.
In some ways, the entry of the second group of visitors, that is, the visitor who is testing the security of the cloud property, can be damaging in a way similar to the third, malicious group. Owners of cloud properties need to take proactive measures such as signs and warnings to ward off the intrusive behaviour of cloud security testers and researchers as well, who unknowingly and unwittingly may cause damage similar to that caused by malicious threat actors.
Not all cloud property owners invest huge sums of money and sophistication into cloud security fences. For cloud security testers and researchers, breaching cloud security perimeters may give them access to an organisation’s data and assets. Further exposing the organisation’s vulnerabilities, data and assets to authorities, as a way of gaining entry for the cloud testers’ professional services, may unknowingly cause damage to the organisation through exposure of its data and assets into the public domain.
Placing warning signs to inform cloud testers and researchers that their activities are unwanted and amounting to infringement with punishment and liability, puts the organisation on the right side of jurisdiction and compliance. The better way for cloud testers and researchers is to approach the organisation with their services of an ethical hack with clearly defined rules of engagement to move forward.