Object security and backup
Cloud baselining to join classic IT and new digital unit in a holistic roadmap. Identification of cooperation potentials, breaking of barriers.
ABOUT THE COMPANY
The customer is an internationally active specialist for security systems and access solutions. About 350 IT employees support the company worldwide in over 50 countries.
In the course of a merger, many new challenges arose. Among other things, responsibility in IT was newly planned and the often-duplicated structures had to be adapted and redesigned accordingly. In addition, various parameters led to the desire to become even more active in the public cloud sector and to offer end customers a broader service portfolio.
For this purpose, a new unit was established to drive forward digital projects (Public Cloud – AWS). This digital unit naturally has little „old baggage“ and old processes, but rather acts like a start-up. Challenges arise as this digital unit is partly tied to the rules of the central IT unit with its old specifications, processes and responsibilities.
A specific and particularly central problem arose in the classic IT’s data protection and compliance unit. This unit was severely understaffed and significantly overloaded. If the digital unit then requested advice on data protection and compliance rules with regard to AWS and, for example, encryption specifications, it only received an answer after a waiting period of approx. 2-4 weeks, as the topic is very new and the unit first has to deal with it.
Since the digital unit must finish an MVP in one sprint, it cannot wait for the answer, evaluates the problem independently and thereby creates its own facts. This causes frustration for the central data protection and compliance unit which feels that the digital unit is now interfering with its own competencies. The geographical separation of the individual roles and responsibilities caused by the merger, sometimes even within the individual units, complicates the situation further.
In escalations and debates over the past months and years, no solution could be found that would satisfy both parties. The conflict was even intensified by further units, whose previous competencies were also undermined by the digital unit.
The company’s management is aware of this but has no concrete solution as to how to build a resilient model for the future to distribute tasks in such a way that resources are invested in finding solutions and not in escalations.
OUR PROPOSED SOLUTION
We were asked by the company’s management to address the issue. The company’s challenge became clear at the very first meeting, and we recommended that all parties be brought together one after the other to find a common solution.
To this end, we applied Cloud Baselining in a slightly modified form and outlined a solution in six workshops.
The IT security and compliance workshop was split into two dates, which will be described in detail below. The first date was held with the support of an AWS security specialist. In the second part of the workshop, topics were then discussed without this AWS specialist.
In both dates we emphasized the relevance of the specifications and approvals in order to support the digital unit and enable a concrete configuration of the services. This is precisely where the digital unit depends on the support of the security and compliance units and has not yet been provided with the necessary inputs. In the second appointment, without AWS as vendor, the remaining questions were processed openly by direct gruppe and the corresponding units and a plan was created as to how the resource situation in the units could be mitigated. Here, the approach of the direct group Compliance Factory was taken up, which in this context can reduce many efforts in the units compliance, IT security and data protection.
In other workshops such as architecture, operating models and usability, we supported the customer with our experience and with the right consultants on site to develop their own ideas and learn from our experience. We developed a common idea on how both areas (classic IT and digital unit) can work with each other and which services can be obtained from each other. It quickly became clear that both sides could benefit and that especially the classical IT, if skilfully positioned, can be changed from a cost driver’s point of view to an enabler for other areas such as the digital unit.
We carried this idea over to other discussions, so that all sides formulated their requirements for such a transformation. After sorting and grouping, the idea gained further mass, new ideas and encouragement as a supporting pillar in further discussions.
With regard to responsibility across unit boundaries and the rapid realization of successes, our proposal to set up a CCC (Cloud Competence Center) was also well received. This enables the customer to remove blockades and create a goal-oriented unit with defined responsibilities that works on solutions instead of dealing with competence distributions.
All recommendations presented, and others, were discussed with the customer and adapted to their needs so that the customer’s current problems corresponded to the adapted solution. It was important for the customer to see these offers as support and to use them as a method to find a solution faster.
We were able to do this because the internal project team was able to identify with the jointly developed results and to present, derive and „defend“ these proposals during the final presentation.
AWS AS A CENTRAL PART OF THE SOLUTION
As a special feature in this Cloud Baselining, we divided our associated workshop in the area of IT security and data protection into two parts. In the first part we could count on the active participation of many customer employees and engaged an AWS Solution Architect (specialized in IT security and data protection) from our partner AWS directly on site. He was able to clarify open questions of the units regarding data protection, IT security and compliance etc. The units thus received answers directly from the vendor. This generated trust and the realization that Public Cloud and AWS in particular have an extremely high level of IT security and data protection. This helped the departments understand that AWS services can and will meet many standard requirements.
On the other hand, the very good level of documentation and the models and methods created, such as the Shared Responsibility Model, should of course also be mentioned. These make it very easy even for non-experts to identify their own tasks and, with our support, to derive a strategy and action tasks from them.
AWS’s many very well-designed IT security services are professionally organised so that the responsible units have clearly understood AWS’s motto: „Security is Job #1“.
REALISED RESULTS AND POTENTIALS
The following measurable results, which were agreed in advance, were generated in the project:
- Roadmap for the next six quarters with corresponding milestones and integration into external schedules (ISO27001 certification, GDPR issues and others)
- Granular task description and role assignment. For this purpose
- 60 measures were defined
- six Action Packages were defined and grouped together
- measures were allocated to the current strategic objectives of IT to ensure consistency
- 35 necessary roles were jointly identified that are necessary to achieve the objectives (internal/external and partly overlapping roles, therefore several roles can be fulfilled by one person)
- Identification of the largest current pain points and factualising them
- Cost estimate, which was submitted to the management in a jointly agreed and derivably justified manner.
However, the project also achieved the following non-measurable results, which, according to the direkt gruppe’s project manager and enterprise cloud architect in charge, offer an even higher added value for the customer:
- The first constructive discussions and agreements were made.
- The individual responsibility of the different units for the success of the entire company was understood and accepted, as well as the fact that one unit alone cannot lead the entire company into the future with the cloud.
- New arrangements were made and many goals were discussed together – during the workshops and coffee breaks.
- The view of AWS and of IT security aspects was significantly changed by our workshops. The basic attitude in relation to other internal units also changed significantly, as the potential of the cloud and the AWS was now understood.
- Previous assumptions on how to proceed were validated by the experiences of the direct gruppe and our consultants and we were able to contribute new ideas and perspectives to develop a common reliable picture.