
Why big IT security projects fail: Part four

The success of a solution is dependent on having the right skilled people maintaining the system.
By Andrew Ochse, Product manager at SecureData.
Johannesburg, 30 Sep 2008

The previous instalment of this discussion covered how to deploy large IT security projects successfully so that they don't fail during the deployment phase. This final part looks at how to make sure the solution continues to be a success once it has been deployed.

As with the deployment, the continuing success of a solution is dependent on having the right skilled people maintaining the system. Unfortunately, once most solutions are deployed, they are palmed off on junior support staff within the organisation, who support the system and handle its day-to-day operations with, with any luck, some oversight from senior personnel. This is barely acceptable if the system requires a fair amount of ongoing interaction, such as an IDM solution. Constantly managing users within a large organisation allows the junior to build up experience quickly and maintain the skills learnt on the system.

The problem arises with the more automated systems, which manage and update themselves. These systems still need a bit of TLC every now and again and, of course, they do generate reports, which from a security perspective should be monitored and checked on an ongoing basis.

To the point

They also need to receive major updates occasionally. The problem with these systems is that the junior 'techie' gets assigned to maintain the system, and might never have even worked on it before something breaks.

The point is that even the most automated systems need to be checked on a regular basis to maintain the individual's skills on them and keep the system running. This brings me to a further point: update and maintain the system, and keep it on the latest version where possible. That is why companies pay maintenance on the solution every year: so they can keep it updated and get all those nice-to-have new features.

The other option is to outsource the management and maintenance of the system to the system integrator. This is not an entirely bad idea for the more automated security systems, since the system integrator would generally be servicing several clients and will therefore be able to maintain the necessary skills on the system. However, they will also assign more junior individuals to this task. The important thing here is to contractually ensure that the person working on the system is certified on the product. This is achieved through the service level agreement with the system integrator, which specifies that the personnel working on the system have to be certified on the latest version of the solution, with remedy periods and subsequent penalty clauses for non-compliance.

Getting together

As a final thought, it would be advisable that, over and above the usual post-deployment interaction between the various parties involved, a quarterly solution review session be undertaken, in which all relevant parties from the original deployment team, together with new members, meet for a status and update session.

This can vary from a one-hour meeting to a full-day workshop, depending on the size and type of the solution. This will ensure the integrity of the solution is maintained during its lifetime.

In closing, I hope through this series of Industry Insights there will be a few more successful security projects. And remember, it is never too late to get a project back on track.

* Andrew Ochse is product manager of SecureData Security.
