A tremendous amount of money and time is spent every year on IT systems. This money goes towards new tools, new software, equipment upgrades and ‘so-called’ improvements. The problem is that a significant amount of this expense does not provide nearly enough value for the organization. In addition, we are seeing that the focus on the function of a system is often made at the expense of due consideration of the security requirements. There have been a lot of proposals on how to change this situation over the years – often through new development methodologies and new standards, but the reality is that this cannot be changed by just changing the process. It can only be changed by providing better oversight and alignment between the business and the IT development efforts. Changing the process requires a new attitude, more accountability and a new perspective. This requires audit, management focus, and objective review of systems design, development and maintenance.
For this reason the field of system authorisation is emerging. System authorisation is the objective and independent review of systems development throughout the systems lifecycle with the final accountability not with IT nor with the IT system owner – but with a senior manager that provides the balance and organization-wide oversight of IT risk and development.
Every organization should consider this approach and see where it brings about a good result in ensuring that investment in IT does support the business and provide more value to the organization.
Infosecprofs provides excellent training in IT security and organization-wide architecture, and is one of the world leaders in the development of security authorisation educational progams.
