Recently I attended another great Evanta CIO event, and in the course of a day packed with excellent talks and knowledge-sharing opportunities, I was able to sit down and discuss the topic of network and security transformation with Stuart Hughes, the CIDO at Rolls-Royce. Stuart shared his experiences over the past 18 months, discussing how the pandemic—among other things—had changed his strategic approach to security. The following are three key observations and quotes I took from the discussion, along with my thoughts.
“This year has often required us to focus on practicality rather than perfection”
Rolls-Royce operates in a highly regulated market, so security has often edged out usability when trade-offs are being made. The value of the organisation’s IP and government relations often has to outweigh the value of improved productivity, so IT architectural decisions had to be security-centric. This year, however, the multi-component architecture proved complicated for employees at a time when they required more freedom and flexibility. “It became difficult for people to actually work. What changed in our strategy was the increased importance of user experience.”
“Concerns around insider threat grew, so security was no longer just about keeping outsiders out of our systems”
This topic of insider threat is coming up more frequently in the conversations I have with fellow CIOs and CISOs. In opening up our systems to new models of working (through cloud applications, remote workers, and personal devices) organisations are seeing that the user should not be afforded complete and open access in the way we often allowed within office-based systems. This is a healthy realisation because in practice a disgruntled (or careless) employee can cause problems that are in every way as damaging as a malicious external actor. It is a realisation that has led to the accelerated adoption of Zero Trust data-centric security for many organisations.