Enterprise Information Technology: Skip the Sexy

Monday, May 16, 2011

Mike Meikle


Cloud computing, virtual desktops, online collaboration via social media, slick hardware and hipsters with fauxhawks may look and sound cool.  

However, like a hot tub outside a single-wide trailer on an overgrown lot, they are all flash with little substance.

If your foundational IT infrastructure and practices have been ignored or are termite-ridden, then slapping an ultra-cool coat of techno-wizardry on your organization will only add to your problems.

Like any IT pro who has done time in the bowels of an organization’s infrastructure I have seen executives cheer-leading the latest pet rock technology that has been showcased in the trade rags.

Yet mission critical IT and business components like disaster recovery, business continuity, asset management, vendor management and standard policies and procedures are either nonexistent or half-baked and have been for years.

So who is at fault? Well, information technology executives are partially to blame.  They have not communicated the value of having foundational policies and procedures in place to key decision makers in the organization. That’s their job and they aren’t doing it.

Senior executives are also to blame. They may have relegated the CIO to the leadership "kid's table," where that person has no say in strategy or final decision making. What is the point of having a Chief Information Officer who has little to no executive authority?

IT may not even be part of the organization's strategic plan. So IT is inundated with wave upon wave of executive-sponsored projects that have never been vetted for return on investment (ROI), given a cost-benefit analysis (CBA), or even checked against the resources actually available to deliver them.

I have seriously heard senior leadership say "company X has this technology so we need to move on this now." Meanwhile, they have never tested their disaster recovery plan, never patched their servers in a timely fashion, and never put service level agreements in place with their vendors.

If the new technology is bolted onto a framework that is half-complete or stretched beyond capacity, a public relations nightmare may be waiting. Consider the latest developments in the PlayStation Network security breach: three separate data breaches caused by poor housekeeping and a general lack of preparedness.

The PlayStation Network had some great online features, was billed as the superior alternative to Xbox Live because it was free, and made Sony around $500 million a year. Yet basic management and information technology principles were ignored or half-implemented, with disastrous consequences.

Granted, businesses have to take risks and expand their service offerings to remain competitive in the global marketplace. Newer technologies allow companies to provide quicker, cheaper and more customized products to their customers. Companies that don't read the tea leaves and take calculated risks end up like Circuit City, General Motors or Kodak.

This is all the more reason to ensure IT leadership is at the executive table as a full partner when it comes to organizational strategy. CIOs and IT leadership are also going to have to step up their game and make the case for all those unsexy yet so very necessary IT practices that keep the lights on and the doors and windows locked.

Finally, the crown jewel of the organization, its data, has to be kept secure yet accessible so that new opportunities can be mined from it. This isn't solved with the latest firewall technology or business intelligence reports delivered to your iPad.

It's the snooze-inducing yet critical scut work that senior leadership has to make a priority, devoting the necessary resources (dollars and people) so that the critical bases are covered when a crisis comes calling.

Of course, executives could always wait for the inevitable disaster, then go cap in hand to the media and wonder when they are going to get their lives back.

I'd like to hear folks' thoughts and opinions in the comments below, so please feel free to fire away!

Cross-posted from Musings of a Corporate Consigliere 

R Kapil I agree with the premise of the article, but is there any evidence that Sony sacrificed best security practices in favor of a hot new technology like cloud computing?
Mike Meikle Mr. Kapil,

Thank you for your valuable input sir. Sony has been steadily adding features to the PlayStation Network over the course of its life-cycle, yet only created the CISO position after the breach incident. In my eyes this shows a negligence in addressing core issues (DR, BCP, InfoSec, etc.) while adding new bells and whistles to its service. Sony has to add new features to remain competitive, however, not at the expense of maintaining a robust and secure infrastructure for its customers.

Additionally, there were multiple issues that led to the compromise. The chief cause appears to be that Sony was lax about routine maintenance of the PSN infrastructure. This includes:

• Server patching and hardening
• Monitoring the network and servers for suspicious activity
• Disjointed or missing breach response procedures
• Lack of security leadership in the organization
• Lack of breach communication plan

Can I pinpoint a specific technology that Sony pursued in lieu of securing and maintaining the PSN framework? Not really. However, with the currently available data, I can extrapolate what was missing based on their response and follow-up to the breach.

In an article I contributed to in PCWorld, I mentioned that since Sony didn't have a CISO and fumbled communications during and after the incident, it showed they were unprepared to react or respond.

Thank you once again for your comment sir. I appreciate it.
R Kapil "Sony has to add new features to remain competitive however, not at the expense of maintaining a robust and secure infrastructure for its customers."

Not sure I understand. Sony's new features are functional business requirements for improving the product. CISO and the rest of the security bad practices are non-functional requirements. Assuming Sony sacrificed one for the other is a pretty big leap unless you have specific information that supports that theory.
Mike Meikle I agree with you on the functional/non-functional comparison sir. However, in my experience, and I mention this in the article, leadership will often pursue new technology or features (functional) and ignore the core non-functional requirements that support their product or service.

Normally it's a matter of cost and perception. Does the business want to spend dollars on a product they believe will generate revenue or expend capital on processes and infrastructure they believe is a cost center?

Do I have definitive proof that Sony pursued a specific technology to the detriment of PSN security? No, I do not. However, based on the information available and on my experience with other large organizations, my conclusion is that they directed their investment toward new features and skimped on creating a secure infrastructure for their service.

I personally do not believe it's a big leap to view the PSN breach in this fashion. However, I may be jaded due to similar issues I have encountered with other clients over the years.

Thank you again for your comment sir. I appreciate it.
Ken Major R Kapil

I think the concept we are dancing around is referred to as 'willful negligence.’
They chose to continue with new business initiatives in light of significant industry trends and pressure.
The industry trends and pressure would be the expected ‘due diligence,’ privacy law and breach law awareness, earnest GLBA and PCI Compliance.

Did SONY choose to adopt and knowingly implement technology that introduced significant risk to customer data and intellectual property? Not sure that is what the author is asserting.
What I believe he is asserting is that SONY executives refused to accept the value of sound risk management practices and how that process would factor into their organization and who would be responsible.
By not accepting the need to adopt sound risk management practices and strategies they committed willful negligence. Their post mortem actions and statements support the notion.
Consider the swift manner in which a CISO position was created and then consider the whiny attitude regarding “everyone else’s” need to step up their cyber security game woven into their public statements.

Very Weak Kool-Aid SONY, very weak.
Mike Meikle Mr. Major,

Thank you for clarifying the discussion sir. Like I stated in the article and follow-up comments, I believe Sony was not concerned enough about the boring yet necessary steps to provide a sound infrastructure for their offering. This goes beyond information security practices in my view.

Like you mentioned, when they quickly created and filled the CISO slot, it just showed they had not considered infosec or risk management important.

Of course after three breaches and millions of dollars in losses Sony now realizes the importance of a strong infrastructure and IT best practices. Is this type of event the only way to pierce the "executive bubble" that seems to encapsulate senior leadership in so many organizations?
koen vandeghinste I would even take it one step further...
Having those basic underlying processes, policies and procedures in order (on technical, organizational and process level), will give the organization a greater flexibility to go along with those 'sexy' opportunities arising everyday.

And, as you mention, it is all about impact and risk assessment. Something we are apparently not good at... or (in some cases) executives refuse to acknowledge...
Mike Meikle Mr. Vandeghinste,

I agree. If your core framework exists, then implementing complementary products or services for your business is much easier. If your house's foundation is missing or incomplete, it's probably a bad idea to add another floor.

As for impact and risk assessment, I believe it's more basic than that. Lack of standard housekeeping is what got Sony in the end, in my view. They weren't prepared because it wasn't a priority. That is the fault of senior leadership.
mahmoud yassin Very true, you have reached the point: the key factor is the balance between new technology and standards.
Mike Meikle Mr. Yassin,

Yes sir, it is hard to strike the right balance between implementing the latest technology and maintaining the structural information technology that supports the organization.

More times than not, an organization's leadership either takes on far too much risk or is far too risk averse. Both cases are usually due to a lack of planning by senior leadership.