Small Business IT Governance: You really need it now
Big changes are going on in the world of information technology and business. Where social computing and mobility are no longer purely consumer concerns, enterprise IT departments face a growing requirement to embrace user devices and access in environments which were once strictly and closely controlled. Enterprise IT may be challenged when presented with user personal devices and demands for remote access to enterprise data, yet the governance of systems is generally well-defined and strictly performed. In small business, however, the people, policy and process issues (collectively incorporated into “governance”) tend to be more organic, and the use of personal devices and open access is more frequently considered to be a normal part of the overall business IT profile.
It is a focus on defining controls and processes, and influencing the activities and attitudes of the people involved, which has become an essential requirement in small business. Where management of information technology resources was not of great concern to the small business owner before, increased device and information mobility (removal of physical boundaries) and erosion of logical boundaries around personal and business computing have become a really big deal for everyone in business. Small businesses just don’t often have departments of people working on the problem.
Technology use in business has always come at a price, and as various influences continue to change how users interact with devices, applications and systems, business owners and IT managers will continue to face difficult choices between balancing security of information resources and providing a productivity-enhancing user experience. Too many security barriers result in avoidance of security protocols, slow or immobile company computers result in users working on their own machines and portables, and restricting access for mobile users results in “shadow IT” implementations of mobile sync and other data access approaches.
Yet “shadow IT” tends to be the norm with many small businesses, where there are often fewer barriers to implementing solutions which address individual user issues or problems. Lacking the resources or understanding to develop a strong plan for managing information systems and technology within the business, small business owners often consider the computer systems and computerized data to be tools to get jobs done rather than strategically valuable assets to be strictly controlled and protected. These business owners are not recognizing the ever-increasing need to not simply secure business information, but to establish processes and rules which will govern how users and devices access and interact with the information and systems.
Enterprise IT departments have often viewed their small business counterparts (customers, suppliers, etc.) as potential points of vulnerability, an attitude which was once considered to be centered not on real assessments of the risk but more in terms of ego, level of sophistication, and hierarchy in the food chain. In today’s world of real risk introduced by myriad technological and human elements in every link in the supply chain, enterprise IT conclusions regarding the risk potential of doing business with anyone – including small businesses – may not be entirely unfounded. Whether it be commentary and information distributed by individuals via social media or malware or corruption introduced inadvertently (or not) via computerized interaction, there is the possibility of risk introduced with every system, person and process involved. Enterprise to enterprise, these issues may be more often recognized and remediated; where the SMB is involved, not always so much.
This is a brave new world of computing, and there is truth in the saying that even the smallest of businesses can “compete with the big guys” when the right mixture of technology and process is applied – for good or bad. Technology enables businesses to be more productive, get more done with fewer resources and perform at higher levels. IT Governance in small business is no longer an optional area of focus, addressed only during infrequent discussions with the local contract IT guy when he comes in to defrag the hard drive on a slow computer. Establishing the proper processes and controls to wrap around IT use in the business has become an imperative: a necessarily specific and considered approach to how information technology is used within the business, who uses it, and what IT is composed of.
Just about every business, and most individuals, are connected in some manner via some type of network, representing a dramatic and dynamic change to the traditional composition of business IT and the landscape of vulnerabilities which threaten it. The increased connectedness, capability and complexity of systems and networks require a greater focus on overall IT governance – exercising authority and controls – as the impact (just like the information) can easily and unintentionally reach far beyond the boundaries of the individual business.
“People are nothing more than another operating system”, says Lance Spitzner, training director for the Securing The Human Program at SANS Institute. “Computers store, process and transfer information, and people store, process and transfer information.” (Quoted in “How Hackers Fool Your Employees”.)