Security and manageability by standardization in global IT infrastructure

www.gsens.nl

The globalization and digitization of society have been in full swing for the last three decades. The 24-hour economy requires an ‘Always On’ company culture. The business expects IT to be constantly able to respond to innovations that are emerging at a rapid pace.

— Whitepaper

Executive summary

The importance of technology is increasing exponentially, and its potent role as a building block for the foundation of corporate business processes is undeniable. Developing a high degree of reliability and robustness of IT infrastructure is an absolute must for every organization. The main challenge lies with the fact that these companies, regardless of their size, must also show the flexibility and agility required by today’s environment. Multinationals, medium-sized and small companies are certainly facing similar challenges for the most part. However, when it comes to multinationals, lacking flexibility and agility in their IT infrastructure will have greater consequences on security, compliance and risk management on an international scale. When multinationals deal with many IT facilities across the globe, which do not have the same IT foundation and standards, manageability and stability are jeopardized. When requests for changes need to take place across different continents but to locally differing systems, responding quickly and adequately becomes complex. Thus, standardization in IT infrastructure is an essential condition to solve the above challenges. Standardization in itself requires a degree of centralization in decision-making, which needs to take into account the local specific requirements and wishes at the workplace, in the network and data centers. It also requires for a Corporate IT team to have the mandate to enforce the defined global standards.

2

As the geographical reach of an organization in terms of customers and suppliers expand across the globe, the leaders of Infrastructure & Operations (I&O) must provide ‘infrastructure everywhere.’ The question then becomes: How can I&O leaders deliver standardized and centralized ‘infrastructure everywhere’ within a realistic budget?

— Whitepaper

This white paper focuses on the reasons why standardization and centralization are vital for multinationals, its benefits, and how they bring essential support to global organizations in the fields of security, compliance and risk management. It also offers a ‘Best Practices’ section based on experience working with many organizations that have already completed that transition from a local-to-local decentralized model.

Will hardware always be relevant? Standardization of data center infrastructure will happen, one way or another. The importance of the traditional data center is rapidly declining as the move of workloads to the cloud is increasing. Yet, moving workloads to the (public) cloud is a way of standardization and centralization in itself. However, edge computing presents a whole different set of complexities. Studies show that web-facing companies lose customers after just 2 seconds of slow loading time. Additionally, employees are similarly impatient when using slow and lagging ERP applications. Even the slightest network issues or a non-performing laptop will heavily impact productivity. Edge computing can be used to reduce latency and therefore will experience growth to satisfy the demand for high-quality digital experiences moving forward. Imagine a production employee in Vietnam with a hand scanner connected to a global SAP ERP environment, what would be the acceptable latency for the system to recognize the scanned barcode? Implementing efficient edge computing can only be done following rigid standards to achieve user satisfaction while maintaining manageability and enforcing security policies. All performance investments in core infrastructure over the past decade might be wasted when a diversity of edge infrastructures have to coexist. Gartner statement Edge Computing: Edge computing allows workloads to be located in closer proximity to the customer to solve a specific business problem. It touches on the laws of physics, economy and land, all of which are contributing factors to how and when to use edge.

3

Why global centralization and standardization? Making a company efficient and successful does not depend on chance. A business strategy entails careful consideration given to planning, preparation and execution. An ‘always on’ organization is a must nowadays and IT plays an important role in this. We would even say it is an essential lifeline within corporate business processes.

1

As you know, today, business-critical ERP environments are frequently hosted on external (cloud) platforms and physical IT infrastructure is often seen as a commodity. However, local networks and workplace devices remain essential elements that directly impact productivity within an organization.

2

IT performance is an important factor of success for every (global) company. If problems occur in the IT foundation (e.g. workplace, network, data center, cloud) they can lead to negative economic and publicity consequences. Yet, even more threatening or concerning consequences are the loss of intellectual property (IP). The outcomes of losing strategic IP can lead to the loss of relevance, or even pose existential risks for the future of the entire organization.

3

Then the question one should answer is: how do you as a global company, ensure that the entire chain of IT environments remains manageable and secure? A strong focus on simplicity and reliability is not easily combined with the necessity to support the continuously changing environment and digital transformation in an agile manner.

4

Although the question may be overwhelming, the answer to having a manageable and secure IT environment is simple: to standardize all IT processes worldwide.

The moment a certain application runs on a range of different systems worldwide, the complexity of the entire IT environment, including its hardware infrastructure, increases. For instance, imagine adjusting a hundred different systems in as many different locations, it is time-consuming, isn’t it? Also, bringing knowledge and competencies together is extremely difficult when you have different locations with their own unique IT environments managed by different points of view. It surely becomes a challenge to keep the unique environments up and running in an efficient manner. Now, imagine being able to make one update from a centralized location and having it automatically implemented in those one hundred locations. It would be a timesaver, wouldn’t it? Not only having a more manageable process would save you time, but it would also bring increased safety and security. In addition, the possibility of human error decreases and changes are easier to implement. Standardization is therefore the answer. Standardization across multiple locations can only take place after a top executive decision has been made to define and implement global standards. It also has to be communicated across the various entities involved. To give proper shape to standardization standards, central control is needed. Processes, applications and infrastructure can all be standardized depending on the size of the mandate given to corporate ICT. Once standards are defined and implemented, central control and execution will be more manageable. Centralization and standardization will have a definite positive impact on both the ‘Cost of Change’ and ‘Speed of Change’ of IT processes.

5

— Whitepaper

Global centralization and standardization of IT Infrastructure is the answer

— Whitepaper

Centralization and standardization: Benefits 1. Reduced complexity The time corporate IT teams spend responding to needs from within the business is substantial. For instance, the following situations are very demanding in terms of time, cost and human resources:   New applications are emerging   Digital sales channels are growing in importance  Optimizations in automating production processes which require continuous attention   Development of architecture for new offices locations  Back and forth communication with internal users about the unique specifications of their workplace By keeping it simple, organizations will stop reinventing the wheel! Corporate IT teams will no longer spend time each day on the last two examples and will no longer spend time on responsibilities that can be automatized and simplified.

This is the equivalent to putting on your clothes in the morning: you won’t have to knit your sweater before heading to work.

6

— Whitepaper

Centralization and standardization: Benefits

2. Enhanced manageability

3. Increased security

Similarly, fixing even the simplest issue in a branch office network can become incredibly time- consuming if you first must identify the specific technology used at that location.

There are plenty of examples where malicious parties attack the IT infrastructure of large international organizations. There are three main target areas which, depending on the general nature of the business, are attacked:

However, service desk team members can easily support troubleshooting on a standard file and print server at a regional sales office if they can re-use best practices and guidelines from one hardware vendor. Proactive measures such as firmware updates and/or patches can be applied globally. This positively enhances business continuity, security and IT efficiency. An IT infrastructure based on corporate standards provides exhaustive insights, which means that stability and business continuity can simply be better guaranteed. If an organization implements corporate standards correctly, it immediately benefits from increased manageability, control and security.

  Privacy information of clients and staff   Financial and operational information   Company’s IP Breaches in any of these areas can have far stretching consequences both in terms of image and revenue. As you already know, security can never be guaranteed. Yet, it can be optimized through standardization. From a security standpoint, it is much easier to manage and control an IT infrastructure with a single standard than it is to handle multiple infrastructures that have been developed locally.

7

— Whitepaper

Centralization and standardization as support tools for privacy, compliance, and risk management Compliancy As you know, compliancy is essential. Every company must conform to legislation requirements, follow processes, and internal and external standards. The importance of information security within the domain of compliancy has increased exponentially in recent years. The security team writes security policies and works with the IT team to implement and enforce the changes needed within the IT infrastructure. Standardization makes it easier to implement and enforce the changes needed to meet the security policies because you only have to implement the adjustment in a limited number of places. Implementing security measures worldwide becomes easy as it can be automated. Remaining compliant with laws and requirements enacted by entities such as the Dutch Central Bank or the European Union (e.g. GDPR law), becomes then a much easier endeavor.

8

— Whitepaper

Risk management Risk management is just as important. The increasing complexity of the digital society offers many new business opportunities and possibilities, but it also introduces a range of new business risks. To minimize risk to the lowest level possible, a company must be able to:   accurately identify risks:  assess the (business) impact of these risks on the company and its business:  define and implement risk mitigation measures based on the risk appetite of the organization. Determining the impact of many risks is complex and time-consuming when such analyses have to be performed across a wide variety of IT platforms. Standardization simplifies the function of the Chief Risk Officer (CRO) and Chief Information Security Offer (CISO). This enables an organization to look at risk management from a more strategic angle, instead of being operationally focused.

Privacy Privacy is tightly linked to Compliancy and Security. Failure to adequately secure the personal data of customers, employees and other stakeholders can have significant consequences. Recent legislation has made organizations increasingly liable both legally and financially. A centralized approach is needed to prevent local business organizations from having to spend their own time and energy in defining and adhering to privacy policies. However, this is only achievable if the IT infrastructure, ultimately the digital ‘carrier’ of customer data, is also managed centrally. It is undeniable that centralization will ultimately simplifies the processes in place to guarantee the privacy of stakeholders involved.

9

In this white paper we have made it explicit that the magic word is standardization. However, we know many global firms do not have experience yet implementing standardized and centralized IT. Here are some important steps to follow to ensure that the worldwide implementation of standardization and centralization will run smoothly and problem-free.

— Whitepaper

Best practices: from strategy to global implementation

1

Dare to enforce global standards

When local IT managers spend valuable time determining IT architecture, handling procurement, managing implementation and acting as service delivery managers, it is obvious that the level of overreach is putting the business at stake. A concrete example: Local IT teams sometimes spend a lot of time and energy selecting a laptop configuration that can be sourced 20 or 30 EUR cheaper compared to the global standard. However, they tend to forget that the corporate image validated by the security officer is not automatically applicable after a minimal change in hardware configuration. Thus, they tend to underestimate the costs and complexity that the whole process entails. The good news is that scalability and reduced complexity have come within reach of almost every CIO. Enforcing global agreements starts with letting local teams shift the focus on supporting the local business instead of managing and defending their own unique IT environment, which do not meet the corporate standard. Start by defining the IT architecture as the framework for your global standards. The standard infrastructure will be defined, and it will then be clear in which frameworks it will be implemented. Re-inventing IT architecture every month is time-consuming and undesirable. Keep it simple!

10

— Whitepaper

Best practices

2

Create support for global standards within the entire organization

Support and mandate are vital to a successful implementation of any standard. The balance between support and mandate of Corporate IT is perhaps the most difficult to define in advance. A hierarchical top-down mandate rarely guarantees success. A global standard is often seen as a limitation in the autonomy of local teams and often encounters resistance. Clear communication related to the decisions made by corporate IT is crucial for the acceptance of standards by them. To be successful in this endeavor, it is important to include local stakeholders in the creation of the global strategy and take into account their cultural backgrounds and differences. Do not forget to also include them in later phases such as the creation of the rollout schedule and the implementation of the processes. You will remove nearly all reasons for resistance. Make no mistake, deploying a new laptop model or brand can result in an equal amount of employee resistance as HR communicating a new PTO (paid time off) process.

3

Cost allocation – aligning budget with corporate IT strategy

The position of corporate IT towards local business units must be very clear regarding the distribution of IT costs. Ideally, local IT budgets should be transferred to a shared cost center within corporate IT, which would give them more decision power. However, not every organization can or is willing to switch to this kind of organizational system. Where centralization of IT budget is not feasible or desirable (as of yet), a payper-use settlement model based on global standards can be a good alternative. Such an internal billing system gives local business units the opportunity to use their IT budget to purchase IT services from corporate IT.

Security & Compliance Use the Compliance and Security policy in enforcing corporate standards. A Risk & Security Officer can state that access to the corporate domain is only permitted for devices that fall under the corporate IT standard.

11

The Last Mile – How to select a partner to walk the last mile with you? The journey towards a standardized and centralized managed infrastructure is long. Architecture, standardized kit list, corporate IT with a mandate in hand, correct cost allocation, are all required and important aspects of the journey. But, without someone hanging the server in a rack to physically divide two domains or installing the access points in an office or production facility to enable WiFi, the project stays a model and might never materialize. Thus, one of the most important, yet often overseen, aspects of this journey is what we call ‘the last mile’. The last mile consists of all of the nitty gritty facets of the last stages of implementation.

When choosing a provider to walk the last mile for you, you need to ask yourself the following questions:  Who is going to guard the procurement of the chosen standard kit list to enforce the global standard?   Who is going to guide logistics to the sites in scope?  Who is going to manage the physical implementation or migration of equipment on site?  Who will coordinate with the local operating companies maintaining the defined optimal deployment schedule?   How to deal with service SLAs in remote locations?  How to deal with GDPR regulations in case of deinstallations? Selecting a global partner solely based on their number of locations around the world will not be enough though. We recommend instead to select a partner by also using the following three criteria: 1. Their capabilities and experience with global centrally mandated corporate IT organizations. 2. Their skills to operate even in the most remote locations with an exhaustive built-in network of partners. 3. The capability to act as an efficient liaison that will facilitate communication between corporate IT and various operating companies in the organization, as well as between corporate IT and the hardware vendors.

Global Systems & Software

Global Systems & Software USA

Rondweg 29 6515 AS Nijmegen The Netherlands [email protected] www.gsens.nl

225 Millburn Avenue Suite 207 Millburn NJ 07041 [email protected] www.gsens.nl

12