We learned some of the most important life lessons in kindergarten. “Clean up your room” is just as relevant a call to action in IT environments across organizations of all sizes and sophistication. Poor housekeeping leads to security and compliance shortcomings and unnecessarily high costs. While not an exhaustive list, here are some problem areas and ways to address them.
Start With IT Asset Management (ITAM). ITAM’s traditional mandate to keep track of licensed software and physical hardware may lack the visibility (and budget) that Information Security enjoys, but it is no small feat and can drive strong cyber security and lower costs.
Licensing rules are hard to interpret, and virtualization and shifting workloads from on-premises to the cloud compound the challenge. Accurate data on resident software publishers, versions, usage and entitlements is elusive. Siloed business units may resist sharing underutilized licenses with other units. Unsupported, vulnerable software can linger undetected for years. ITAM is challenging but the payoff can be considerable.
IT departments are appropriately anxious about the prospect of upcoming audits. Microsoft, Oracle, IBM and other traditional licensed software publishers derive large sums from penalties and true-up payments that these audits yield. The best defense here is a good offense. Become well organized, and demonstrate competence. Publishers target the largest and weakest sheep first, and dedicate resources where they think they’ll get the best return on their effort.
Hardware is just as important an asset to manage. From smart phones to servers, hardware should be tracked throughout its lifecycle (with clear access controls), from provisioning to disposition, and all the configuration changes made to them along the way. Many companies still leave valuable data on hard drives that have not been appropriately decommissioned. Photocopiers are returned after lease expiry laden with recorded images of sensitive documents. Every company can do better.
ITAM is more of a journey than a destination. Installing one of the popular asset management tools is just a start. ITAM needs to be integrated into responsive service management and provisioning processes, and be considered a core aspect of the security and compliance mission. It takes senior level support, thoughtful processes, and the right people.
Get Your Arms Around the Cloud. The rapid shift away from the use of licensed software forces us to expand the traditional definition of Asset in ITAM to include software-as-a-service applications (SaaS apps) and cloud hosts (infrastructure). More than a third of a typical organization’s data now runs through the cloud, and visibility and control over this activity are sorely lacking. Popular sanctioned SaaS apps like Office 365, Salesforce.com and Workday are just beginning to recognize the need to bring necessary transparency with regard to user activity.
Employees access SaaS apps because they are easy to use and tend to be innovative, single-point solutions that are unique or superior to licensed software alternatives. Employees are often frustrated by slow, internal, licensed software provisioning processes. They may not recognize or respect policies designed to police this activity. The resulting ‘shadow IT’ phenomenon can create significant security and compliance risk. The typical large organization can now have more than 1,000 SaaS apps running on its networks, and only 6% of them are considered to be enterprise-ready.
An emerging group of companies that Gartner calls cloud access security brokers (CASBs) now shine a light on shadow IT. Unique cloud risks require a new set of questions to answer and governance policies to audit. Cloud risk categories include certifications and standards, data protection, access control, auditability, business continuity, legal and privacy issues, and vulnerabilities and exploits. For example, a SaaS app that many people use instead of PowerPoint admits, in the fine print of its user agreement, that it owns any of the data uploaded to the site. That should be troubling to anyone interested in safeguarding sensitive information. Good housekeeping in the cloud requires you to identify, risk assess, control and optimize the use of cloud-based services.
Treat Your Data Like a Key Asset. Good housekeeping requires yet a further expansion of the definition of Asset to include data and information.
There are at least eight reasons why you need a data map. Data and information are among a company’s most vital assets, yet few companies have a good understanding of where they are located. If you don’t know where your data reside, you cannot protect them or create the most value from them.
Companies sit on vast data landfills. Two-thirds of company data are redundant, obsolete or trivial (ROT). Eliminating ROT data can dramatically reduce storage costs. The remaining data will be easier to find, protect and utilize, and are more likely to be of sufficient quality to drive big data opportunities. Any company looking to lift and shift its workloads to AWS, Azure or other cloud hosts should clean out its closets first.
Classification technologies help to distinguish sensitive data from everything else. Companies can best enforce data loss prevention policies (e.g., employees cannot download customer lists to their Dropbox accounts) if they have first classified their data.
Look at Your House From the Outside. A handful of firms have emerged to answer an important question: what does good look like when we talk about cyber security? These ratings firms size up a company’s cyber hygiene like a hacker would, and create a FICO-like score based on continuous, objective, non-invasive assessments of vulnerability. While not a comprehensive measure of a company’s security posture, weaknesses based on these external scans can indicate vulnerabilities that can be confirmed through internal scans. The cyber risk ratings phenomenon is ushering in a new age of cyber transparency.
The risk factors measured by these firms cover basic housekeeping issues that can be easily rectified. Are your ports configured correctly? Do you unnecessarily reveal too much information about the type and version of server software in use on your network? Do you adhere to appropriate email protocols to combat phishing expeditions? Are you attentive to vulnerable or outdated software by patching deficiencies promptly? Do you maintain certifications for sufficiently potent forms of encryption?
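An added illustration, not part of the original article or any ratings firm's method: a small offline self-check for two of the questions above, run over constructed HTTP response headers and DNS TXT records. It assumes "appropriate email protocols" means SPF and DMARC (an assumption) and treats a version string in a Server-type header as unnecessary disclosure.

```python
import re

# Constructed sample inputs for the demonstration; not real hosts or records.
SAMPLE_HEADERS = {
    "Server": "Apache/2.4.29 (Ubuntu)",
    "X-Powered-By": "PHP/7.2.24",
    "Content-Type": "text/html",
}
SAMPLE_TXT = {
    "example.test": ["v=spf1 include:_spf.mail.test ~all"],
    "_dmarc.example.test": ["v=DMARC1; p=none; rua=mailto:dmarc@example.test"],
}

VERSION_RE = re.compile(r"\d+\.\d+")
BANNER_HEADERS = ("Server", "X-Powered-By", "X-AspNet-Version")


def banner_findings(headers):
    """Names of headers whose value discloses a software version (e.g. 'Apache/2.4.29')."""
    return sorted(h for h in BANNER_HEADERS if VERSION_RE.search(headers.get(h, "")))


def spf_grade(txt_records):
    """Grade the SPF policy found in a domain's TXT records (assumed interpretation of 'email protocols')."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if len(spf) != 1:
        return "missing" if not spf else "multiple"   # more than one SPF record is invalid
    terms = spf[0].split()
    if "-all" in terms:
        return "strict"       # hard fail for unlisted senders
    if "~all" in terms:
        return "soft"         # soft fail: receivers may still deliver spoofed mail
    return "open"             # no 'all' mechanism: policy does not constrain senders


def dmarc_grade(txt_records):
    """Grade the DMARC policy (p= tag) found at _dmarc.<domain>."""
    rec = next((r for r in txt_records if r.upper().startswith("V=DMARC1")), None)
    if rec is None:
        return "missing"
    tags = {k.strip().lower(): v.strip() for k, v in
            (kv.split("=", 1) for kv in rec.split(";") if "=" in kv)}
    policy = tags.get("p", "none").lower()
    return {"reject": "enforcing", "quarantine": "enforcing", "none": "monitor-only"}.get(policy, "invalid")


def hygiene_report(domain, headers, txt):
    """Combine the checks into the kind of summary an external rating would surface."""
    return {
        "version_disclosing_headers": banner_findings(headers),
        "spf": spf_grade(txt.get(domain, [])),
        "dmarc": dmarc_grade(txt.get("_dmarc." + domain, [])),
    }
```

Against the constructed sample, the report flags two version-leaking headers, a soft-fail SPF record and a monitor-only DMARC policy, which is the sort of finding the page describes as easily rectified.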
Cyber risk ratings firms draw attention to housekeeping issues that previously went unrecognized, sometimes even by the IT staff. Hackers got access to Target Corp through a vendor with poor cyber hygiene. More than half of reported data breaches are attributable to weak third parties, so cyber risk ratings are an indispensable tool for measuring a vendor’s or partner’s attention to good housekeeping. Even Board members can follow the story, with easily digestible reporting that doesn’t require a technology background to decipher.
Maybe it’s true that 80% of success comes from showing up. Similarly, a lot of cyber security is attributable to basic, good housekeeping. If this paper got you thinking about other ways you can exercise good IT housekeeping at your company, please share your stories below.
Craig Callé is CEO of Source Calle LLC, a consulting firm that makes organizations more data-centric. He is a former CFO of Amazon’s Digital Media and Books businesses and other companies, and was an investment banker at Salomon Brothers. Prior to starting his firm, he was chief strategy officer at SHI International.