Security and Change (pt. 3): White Knights

There are many events that are disruptive to business operations and about which you generally know well in advance. Such events include all manner of IT and business process outsourcing, friendly and hostile mergers and acquisitions, the relocation, consolidation and dispersion of facilities, migrations from one set of computer systems to another, introduction of new technologies and technology infrastructures, and the like.

Because many details of such events are often known in advance, you would think that preparations for such changes would be complete and would include appropriate security measures. But that, as you might suspect, is not always the case. Security is often an afterthought, bolted on at the end and given scant attention and inadequate resources. This is not what one would hope for, particularly as it is during such disruptions that operations are most vulnerable and exposed to misuse and damage.

Let’s look at several situations. One that is near and dear to my heart is outsourcing and security, especially since I wrote a book on the topic. Outsourcing Information Security (Artech House, 2004) examines security risks inherent in the conversion to, and running of, IT or business process outsourcing arrangements, whether they be onshore or offshore. I also address particular issues relating to the outsourcing of security functions. In many respects, such activities as mergers and takeovers, consolidations and breakups, and technology changes are often similar to outsourcing, especially when it comes to security risks. When planning any of these types of changes, you need to establish appropriate interim security measures and procedures to get you through the transition period safely. At the same time, you should be planning robust security measures for the post-transition business operations.

Here are some of the risk areas that you need to do something about:

Access Management – Whenever you have substantial changes in organizations and computer systems through migration, consolidation or dispersion, you can have issues not only with authenticating users (“Who’s that guy over there? He said that he is with [the acquiring company]. Better give him access.”), but also with authorization (“She probably needs these access rights. After all, she’s on the transition team.”). Since normal access management workflow and approval mechanisms may not be applicable, new ones will have to be developed to ensure that sensitive data and confidential information are not exposed.

Human Factors – In nearly all change situations, there are groups that are delighted with the changes and others who are not. The disgruntled employee has always been a security risk, since he or she has authorized access to systems and facilities and is knowledgeable about procedures – the Kevier case (see Ken Belva’s article) is a good example of this. In times of upheaval, the population of unhappy campers can grow precipitously and consequently the risk of fraud, damage and other willful acts can increase dramatically. As I describe in my book, there are ways to lessen the likelihood of such destructive behavior, including being honest about the situation, offering incentives to cooperate, and making everyone aware that misbehavior and lawbreaking will be severely dealt with (i.e., the carrot and stick approach).

Data Protection – The hermit crab is exposed to predators when it seeks to move its fleshy body from the protection of the shell that it has outgrown to a larger one. So it is with data and other valuable and sensitive resources. Whenever you have to transport sensitive information, physically or electronically, from one location to another, such data become vulnerable to compromise and theft. Movement of data and other resources picks up considerably during mergers, acquisitions, consolidations, outsourcing and other similar situations. Consequently exposure will be that much greater than under normal steady-state conditions as the data travel more from place to place, over cables or on trucks, and are handled by many more human beings and computer systems. This means that even stricter rules and stronger precautions need to be in place during disruptive events and destabilizing incidents.

Technology Challenges – It seems that we are always behind when we are trying to secure new technologies, which take on lives of their own as they rapidly proliferate ahead of the implementation of strong security measures. Even when better security measures are available, it takes time to implement them, as witnessed by the TJX breach, which might have been avoided altogether had the stronger wireless encryption that was available and recommended been installed in their stores. Newer technologies and approaches, such as VoIP, SOA, SaaS, collaborative systems, and Web applications, present interesting security challenges, which are generally addressed well after the technologies have become commonplace. A blatant case of too little too late.

While there may be many excuses as to why you didn’t prepare for unanticipated incidents, there aren’t any excuses for not installing adequate security for events that are known well in advance. It is important for the security professional to seek a place on the planning committee and inject security concerns and risk mitigation into the mix. Not only does it make for better project plans but it also helps to avoid future headaches.
