In an increasingly fragmented IT ecosystem, knowing who manages each element becomes a real headache. This lack of transparency can undermine security and create serious risks for businesses. The accountability matrix can then help close security gaps and optimize operations.
Written by Baptiste Rech, VP EMEA South, Semperis
In the era of hybrid IT infrastructures, responsibilities within IT departments are less transparent than they used to be.
Previously, a centralized team managed everything related to IT. Today, a range of experts cover different aspects, from individual IT, infrastructure and security to cloud management and transformation strategies.
In this growing IT environment, it is increasingly difficult to ensure that everyone’s attribution is known to everyoneclearly defining the roles and responsibilities of each person.
Take an example Microsoft Active Directory (AD), the identity service used by more than 90% of Fortune 1000 companies to manage their desktops and resources, providing access to key services such as Office 365. For Microsoft AD alone, it is not uncommon for one team to be responsible for securing its proper functioning, while another takes care of security issues and related configurations, and a third takes care of update schedules and dependencies on other aspects of the environment.
And this is just one example of a piece of IT infrastructure that relies on multiple teams sharing responsibilities. an issue, is that lack of clarity creates gaps within increasingly complex IT structuresincreasing security risks and operational issues.
Page Mergers and acquisitionsit is clear that these lapses of responsibility can also occur and multiply.
Companies and their boards of directors often seek to finalize and close these types of transactions as quickly as possible. Therefore, compliance with appropriate security levels and prior IT auditing are sometimes sacrificed in the name of operational availability. In any case, such a procedure naturally creates problems.
Hybrid IT infrastructures are fundamental to the success of mergers and acquisitions. Key to speeding up transition periods, they ensure that new colleagues can access both previously strategic data and new reference systems when they take on their new roles. However, often pressed for time, companies end up trying to accommodate two different working methods and so many naming conventions and cryptic paths through a union full of pitfalls.
Without paying attention to these aspects and without giving them the attention they deserve, several security issues can arise.. Using the AD example again, companies could inherit poorly configured systems and accounts for which the parent company would then become responsible.
In certain cases, the acquired company’s environment is sometimes even contaminated by malicious actors who then take the opportunity to infiltrate the parent company’s environment. Reasons why it is essential to prioritize prior auditing, clearly defining security responsibilities to optimize visibility and limit potential threats.
Establish a matrix of responsibilities
Of course, the task turns out to be more complicated than it seems. So how exactly can companies clarify ambiguities around the division of responsibilities, limit business disruptions, and close security gaps when they arise?
In this case, the creation of a responsibility matrix can bear fruit. By reviewing everyone’s roles and responsibilities, companies can isolate any gaps and correct them.
Who manages which software and corresponding configurations? What should these configurations look like? And who to notify if there is a change? These are some of the key questions that an accountability matrix can answer, providing clarity to IT and security staff.
In addition, the value of the accountability matrix is also particularly evident for companies planning to make major infrastructure changes, such as adopting a new cloud environment.
They feel that by creating something new or modernizing something old as part of their digital transformations, they will erase any previous technical debt. However, in many cases this is not the case. It’s not enough to rebuild a brand new IT stack and delete the old one: that’s not how it works.
Many bridges are often built between the old and the new to keep everything running smoothly. If a lack of clarity around everyone’s responsibilities is the cause of bad configurations, process errors, or security breaches, relying on new technologies will only acknowledge and exacerbate those problems.
Prevent “serious” or “catastrophic” impacts
You simply need to ensure that IT security and integrity is achieved across core systems such as AD, and then work to find ways to connect new applications to key databases in a secure and seamless manner.
Otherwise, defects will appear. And if this is exploited, the consequences can be noticeable.
According to research conducted by Semperis at the Infosecurity Europe exhibition in June 2023. 69% of organizations say the impact would be “severe” or even “catastrophic” if a cyberattack compromised their domain controllers and caused an outage of their AD service. And the financial consequences of those disruptions are likely to be serious. Fact, price 60% disruptions that prevent businesses from operating are estimated to cost more than $100,000.
To avoid these costly consequences, it is important to review everyone’s security responsibilities and eliminate any vulnerabilities that may be present. As a priority, get a clear idea of your resources and their related configurations and verify that they are correct. If that doesn’t work, find a competent person who can help you with this task.
READ ALSO:
READ ALSO: