The Management Side of IT: Are Our Systems Secure?
“Are our systems secure?”
I would guess that most CEOs or board members of small to medium-sized manufacturers have not posed this question to their internal IT department.
However, I would also argue that it might be the most important question that they should be asking. The reason is the enormous damage that could be done to the corporation should its internal systems be compromised. What would happen if the internal processing systems were unavailable for a day? A week? A month? What would happen if sensitive payroll or credit information was stolen? How about the loss of customer data?
There are several outage scenarios that can occur in the modern IT environment. The first is a physical disaster. Fires, floods, hurricanes and tornadoes are the most common possibilities, but terrorist attacks are also today’s cause célèbre. This type of disaster must be planned for, technologically tested, and then mock tested by all internal departments to assure some level of service can be quickly restored. Some companies use alternate data centers, some have agreements with other companies and some use hot sites. All of these have pros and cons that should be carefully considered. A physical disaster can be the most disruptive of all possibilities, but it is also hard to prevent. Planning is the key.
The second potential problem area is the system bug that brings down one or many systems. This type of problem is usually confined to one system area rather than affecting all of the systems in the enterprise. It can usually be resolved relatively quickly by applying IT resources in a rapid manner. There is always the risk of some data or sales being lost, but it is usually minimal.
The third area, system breaches, is the most challenging since it results from someone trying to do damage to the system environment. It is hard to plan for since the variations are infinite. As soon as defenses are increased, the bad elements find a new way to cause trouble. It can also be very stealthy and very hard to isolate and repair.
Manufacturers have an even more critical problem in this area than the average company because of the process control computers that run some, if not all, of the production environment. I’m sure you have all heard of the Stuxnet virus that incapacitated the nuclear centrifuges in Iran. This shows the vulnerability of this area of computing. Experts say that many vulnerabilities are present in these systems that are not routinely patched by vendors.
Just imagine the uproar that would ensue, especially if your firm is publicly held, if any of these possible scenarios actually happened. In some cases it may have minimal impact but in others it may actually threaten the survival of the company.
As a former CIO, I was kept awake at night by these kinds of potential problems. In most cases, the CIO understands the disaster scenarios and the “bug” scenarios, but does not have an intimate knowledge or understanding of the defensive measures that are taken by the internal security person or staff in the case of a security breach. It is a very arcane area that has moved into prominence only recently. CIOs rely on the internal staff to keep the systems safe.
However, if and when an outage does occur, there will be demands from every department, every officer and even the Board, to let them know the extent of the damage. A system outage will quickly become the most important issue facing the company and everyone will want answers. That is not the time for the CIO to get a briefing on the extent of the defenses. Instead the CIO must understand the issues and understand how and why the defenses failed.
It is important that company management, including the board, understand the steps that IT has taken to minimize the impact of any of these scenarios. Here are the questions that I would be asking of IT:
• What are the backup protocols for our data? Where is our offsite storage?
• Is our disaster plan tested on a regular basis and what have been the results?
• If we lose our data center, what is the backup plan?
• Have the users participated in developing the disaster plan?
• Is the call list kept up-to-date to assure IT people can be found quickly in case of a system bug?
• What is the procedure should the bug occur in a system that is run “in the cloud”?
• What is the competency level of the system security staff should a system breach occur?
• What is the communication plan should a breach occur?
• Are we providing sufficient resources to prevent systems breaches?
• How can we minimize damage to our company?
• What is the plan should our process control equipment be breached? Is there a manual override that could be effective? If not, what do we do? Do we need to call some type of SWAT team to repair the damage? Would the vendors respond? Has it been tested? Do the vendors routinely upgrade their software when vulnerabilities are discovered? Do we upgrade whenever we are given patches to our systems?
I don’t want to be a bearer of bad news, but I think that this is an area where companies need to be more vigilant. Just imagine what some companies had to go through in the aftermath of 9/11. It will happen again and it may happen to you.