Can you share examples of how you've balanced stability with agility? How are you equipping teams to innovate without compromising operations or security?

Chief Innovation Officer and CISO in Services (non-Government), 12 days ago

Partnership between IT and IT security leadership is vital. Collaborative solutions ensure innovation while maintaining security. Minimum controls are established, and executive approval is sought for exceptions, preventing shadow IT and fostering secure innovation.

CIO, 12 days ago

Automation and engineering excellence are central. Site reliability engineering practices maintain stability, while teams operate within guardrails set by reliability engineers. Automated CI/CD pipelines, testing, and security scanning ensure code meets operational standards before production, enabling both innovation and agility.

Director of Corporate Development, 12 days ago

Security standards are strictly enforced, even if they pose challenges for infrastructure. Employees may only use public AI tools with strong business cases and security approval. Innovation is encouraged within established guardrails, focusing on solutions and proactive service.

VP, Corporate Strategy & CIO, 19 days ago

From a security standpoint, one of the biggest challenges with innovation and leveraging third-party services is managing the risks introduced by integrations, especially through APIs. Integrating tools like Outlook Online or Exchange Online with other calendaring systems can create security risks, as APIs often require both read and write access to sensitive data. The extended supply chain, where enterprise applications connect to external services via APIs, is a significant risk area. Many organizations underestimate what third-party providers can access and do through these integrations.

To maintain balance, it is essential to conduct thorough risk assessments as part of third-party vendor management and to revisit these assessments frequently, especially as technology evolves rapidly in the era of AI.

A recent example is with OpenAI. Initially, their terms of service stated that they would not train on customer data, but due to a court order related to litigation, OpenAI is now required to preserve data unless there is a zero data retention agreement in place. This change affects corporate customers who may have assumed their data was not being retained. Terms of service can shift quickly, and organizations must stay vigilant.

Additionally, it is increasingly difficult to negotiate customized enterprise agreements with large AI vendors, given the high demand for their services. At Laserfiche, I was able to secure a zero data retention agreement with OpenAI, but many CIOs struggle to get the necessary attention from these vendors. Protecting data shared with foundational AI models is a challenge, and organizations must be proactive in managing these risks.

CIO in Services (non-Government), 19 days ago

Our approach is to provide guardrails rather than handcuffs for our development and innovation teams. We create environments where teams can experiment and innovate with considerable freedom, within reasonable boundaries. The days of locking everything down or imposing heavy restrictions are behind us. We use sandbox environments and other standard elements to support this flexibility. Importantly, these environments are not limited to IT; we actively involve business users as well. For example, in CRM development, business users participate alongside IT, forming cross-functional teams that collaborate within these environments.
