Recently I attended another great Evanta CIO event, and in the course of a day packed with excellent talks and knowledge-sharing opportunities, I had the opportunity to sit down and discuss the topic of network and security transformation with Stuart Hughes, the CIDO at Rolls-Royce. Stuart shared his experiences over the past 18 months, discussing how the pandemic—among other things—had changed his strategic approach to security. The following are three key observations and quotes I took from the discussion and my thoughts.
“This year has often required us to focus on practicality rather than perfection”
Rolls-Royce operates in a highly regulated market and so security has often edged usability when trade-offs are being made. The value of the organisation’s IP and government relations often have to outweigh the value of improved productivity and so IT architectural decisions had to be security-centric. This year, however, the multi-component architecture proved to be complex and complicated for employees when they required more freedom and flexibility. “It became difficult for people to actually work. What changed in our strategy was the increased importance of user experience.”
“Concerns around insider threat grew, so security was no longer just about keeping outsiders out of our systems”
This topic of insider threat is coming up more frequently in the conversations I have with fellow CIOs and CISOs. In opening up our systems to new models of working (through cloud applications, remote workers, and personal devices) organisations are seeing that the user should not be afforded complete and open access in the way we often allowed within office-based systems. This is a healthy realisation because in practice a disgruntled (or careless) employee can cause problems that are in every way as damaging as a malicious external actor. It is a realisation that has led to the accelerated adoption of Zero Trust data-centric security for many organisations.
This comment of Stuart’s entirely matches my own experience. Stuart talked about the fact that his strategy now specifically focuses on removing complexity and concentrates on improving the consolidation of technologies. We spoke on getting approval for IT projects and Stuart asserted that consolidation is a useful option in proving a business case. He told me, “Our executives see the complexity in how we secure things. They also experience the frustrations as a user. We use the pains they are personally familiar with as part of our explanation of the business case for change projects.”
I will conclude with another quote of Stuart’s—where he outlines the three phases of the IT team’s reputation over the last 12 months. It will feel very familiar to many…
“First IT were the heroes. Then IT became the target of ‘why doesn’t it work’ conversations. And now IT is driving change to enable the new way we need to work.”