The IS Department: a leading force in cyber development?
24 04 2019
After years of being seen as a mere provider of IT services to business units, the IS Department is now at the vanguard of corporate digital transformation. Its role is now to advise, evangelise and instil a healthy IT culture at all levels. And its central role is lent added prominence by growing cybersecurity issues and risks.
Switching on your computer at work, connecting to the internet, saving your documents ... none of these simple everyday tasks would be possible without your company’s Information Systems (IS) Department. The IS Department is responsible for the company’s IT infrastructure, handling all the hardware and software it comprises, whether applications, data or infrastructure for storage, backups, printing and telecommunications. In short, if you can work and read this article in your office today, you have your IS Department to thank.
The IS Department: a strategic role
In other words, the IS Department acts as the interface between people and machines. Long regarded as a mere provider of IT services to business units, the IS Department is now at the vanguard of corporate digital transformation, driven by new work practices and technologies. The result: this key position, at the crossroads of technology, project management, general management, security and strategy, has developed to incorporate new roles and new skills. “It’s not so much about technical skills, more the ability to communicate and listen,” notes Franck Nielacny, Stormshield’s IS Director. “You have to be able to converse with an accountant, a logistics expert, an HR manager ... to be familiar with their roles and their vocabulary. In short, you need a "business partner" philosophy. This is critically important, because business units are increasingly involved in IT decisions.”
“It’s not so much about technical skills, more the ability to communicate and listen.” Franck Nielacny, CIO at Stormshield
The IS department has moved from being an operational function to a strategic role supporting the company’s major projects. “The IS department is increasingly expected to be conversant with technological developments, to anticipate the requirements expressed by business units, and to be able to co-ordinate the two coherently,” Nielacny points out. “Previously, IT had to keep step with business strategy. With digital transformation, the opposite is now true,” comments Frédéric Lau, Mission Director at Cigref.
Today, the IS department is building the company of tomorrow, and gradually taking on board issues which go beyond the traditional IT of man-machine interfaces. The growing challenges of corporate cybersecurity require not only resources for security solutions, but also employee awareness. The IS department’s role is now to advise, evangelise and instil a healthy IT culture at all levels. This calls for no small amount of teaching work. “At Stormshield, for example, all employees have a strong digital culture and a good awareness of security issues. But no-one can afford to be complacent in terms of accidents or mistakes, which means awareness training is a constant necessity, in conjunction with the CISO and HR,” confirms Nielacny.
As the CIO of France’s CEA atomic and alternative energies commission, Louis Arrivet places a strong emphasis on awareness training. “Researchers are a unique group: their job is to seek out, research, develop and innovate. Consequently, they sometimes make use of exotic protocols which aren’t always right for integrating into a secure IS. I have teams whose job is solely and constantly to raise awareness within the whole CEA,” he explains. After all, with cybersecurity issues coming to the forefront, the IS department is in the front line when it comes to protecting its company.
Cybersecurity: a daily preoccupation for IS departments
When we think about cybersecurity, we have an image of large-scale attacks, destructive malware and media security flaws. But this is only the tip of the iceberg; for an IS department, the cybersecurity arena covers everything that is unseen. “Cybersecurity affects every company employee and department; we view it less and less as a series of discrete silos,” emphasises Nielacny. “It’s an issue of daily concern which requires monitoring and control work, and updates to devices to protect the company. This is all part of every IS department’s daily life.”
“Between a quarter and a third of all daily tasks are related to cybersecurity.” Louis Arrivet, CIO at France’s CEA
Louis Arrivet estimates that between a quarter and a third of daily tasks relate to cybersecurity. “All our projects have a cybersecurity element at one point or another, regardless of the application in question. Cybersecurity inputs form a key part of our thinking even before the design phase. When I discuss a requirement with a department, we start raising security questions even at the earliest stages of the project.” And every CIO knows they are expected to answer such questions. “Cybersecurity’s importance among the IS Department’s business processes is rising exponentially. In the United States, experts estimate a shortage of nearly 200,000 cybersecurity experts. In 10 years’ time, that figure will be 500,000,” says Emmanuel Dupont, Global Chief Security Officer at oXya.
SaaS and new technologies, IS Department challenges
But the paradigm shift in security in the IS Department is also affecting the world outside of the company. In his 17 years as CIO, Arrivet has seen this change: “20 years ago, perimeter security was the name of the game. We talked in terms of the IT objective. We designed fortresses and thought that putting up walls would keep people out. Now, everything is centred on data: we’ve realised that what matters is not the information system, but the information itself.” The days of developing on your own physical in-house server are gone. Today’s approach is to virtualise, to outsource; everything gives way to the SaaS (Software as a Service) model, driven – it must be said – by new practices. In short, opening up is the norm. But not without due precautions. The IS Department is also responsible for the security of any company information processed externally. Delegating technical control of a system in SaaS mode? Yes. Delegating the responsibility for protecting company information stored in that system? Out of the question.
“We’re in an area in which everything moves very quickly, and so one thing is obvious ... our business is changing. But the basics still remain the same,” insists Arrivet. “Today, just like 20 years ago, the role of the IS Department is to exercise control over its company’s information system. And the same will be true tomorrow, even if technologies change.”
And what will tomorrow be like?
Blockchain, IoT, cloud computing, serverless computing, machine learning… The electronic playing field on which the IS Department operates will change rapidly in future. “In the very short term, the challenge comes from the cloud: IS departments need to ensure that the chosen solutions are reliable and compatible with user requirements, but also sufficiently secure and able to be incorporated into the information system,” notes Nielacny.
“My feeling is that companies will push SaaS providers to host infrastructure and applications at their own premises, but in a way that ensures data remains within the company,” is Arrivet’s analysis. Alternatively, suppliers will have to provide an absolute guarantee that the companies will retain full control over their information, make their own decisions as to what is and is not sensitive, and what they do and do not want to share. “Outsourcing doesn’t have to mean losing your understanding of these mechanisms and how to control them,” he continues. “If you let that happen, you really put yourself at risk. A company that loses control of its information is in great danger. In future, company directors everywhere will still need an IS department which is able to deliver this control.”
And the same applies to artificial intelligence. “With the advent of tools based on AI and machine learning, there is – by analogy – a shift from a digitally-centred model to a "human"-centred one. AI will enable more precise detection of anomalies, and will be able to invent scenarios to respond to threats,” maintains Dupont. And it will enable the IS Department to be ready. “IS departments always lag a little behind. We’re often playing catch-up. AI should help to remedy that situation,” continues Dupont. “But then you have to consider AI-driven attacks that target AI-based systems.”
Although AI is supposed to make IT more efficient and easier, it isn’t (yet) ready to replace the IS Department. “It will continue to fulfil the role of an interface between a business need (such as sales/care/production) and a range of technologies being offered to markets and companies,” concludes Nielacny. “The task of combining these two will always require a human being.”