Wednesday, May 10, 2006

Annotations from Fortune 10 CIO Diaries
(Authored by Ullas Tharakan - Draft Version)

A decade back, in the early 90s, I woke up one morning and went to the office on a bright sunny day, and somebody told me that we needed a security strategy. What would the reaction have been? "Gosh, what are you talking about? Security and strategy? This is not business." Ideas and thoughts on a security strategy would easily have been shoved into a corner of the corporate wardrobe and buried with the epitaph "Utter Nonsense".

But today, as the dependence on IT increases, a new role model is emerging: "The utter nonsense of yesterday is making sensational sense." Predictably, and with high probability, organizations will keep focusing on business but will lag behind unless and until the security focus is driven at the CIO or top management level. A buoyant force is required to keep it up and sustain it.

The IT Line

On May 2nd 2005, the Information Architecture Manager called me up and explained that there had been an attack and that the main revenue-generating system was down: just 2 hours of downtime and a 20 MUSD loss. One would be forced to ask how, in the middle of the night, there can be a loss of 20 MUSD. A voice emerges from the back end: we are a global company and the sun never sets for us.


On Nov 3rd 2005, the IT helpdesk received a mail from the Database Administrator reporting that a person named Ron Shilling had sent an email from the company's official email id soliciting user ids and passwords from administrators. The Database Administrator was a security-aware guy and hence validated the request with the IT helpdesk. A reactive action was then taken to dissect the incident. The post mortem revealed that this Ron had been fired from the company around 6 months back and was disgruntled, and, to everyone's horror, a couple of CXO secretaries had already compromised critical information belonging to the top management.


On Dec 31st 2005, the company's database was hacked and a huge identity theft occurred: SSNs, patient profiles and credit card information were compromised. The company has been sued for millions by consumers and is already grappling with losses, even though it did well in volume sales.

On Jan 2nd 2006, the financial auditors don't want to sign off, as the company grapples with a material weakness. Without their sign-off, the company is on the verge of being thrown out of business.



The Business Line

The CEO of the company on a sunny day in April 1994: "Today we are a global company reckoning to change the world. Today we announce our new vision: either we are number one or number two, or we are out of that business. We believe that whatever we do, we want to define excellence."


The CEO of the company on Jan 26th 2006, a cold, gloomy day: "Ladies and gentlemen, due to an unfortunate series of events we have to file for bankruptcy protection with the Federal Government."

The above is a very true story, a classic of going from fame to shame for a truly successful global company that got lost in the dust.


How do we avoid such events? With the advent of business-driven technology, more and more IT systems are falling into place to make organizations more competitive and customer-centric. Let us relate Michael Porter's Value Chain to the changing landscape.


A successful Company X would have this driving its core engine: the horizontals and the verticals. In the new paradigm, security is an evolving correction in the IT landscape.





The traditional model of the value chain has existed and driven business with a focus on core competence. With the new advent, the core competence needs to be ramped up and managed with better control and a focus on information management.

The new projection looks for an efficient grip under which to sustain the business model through continuous evolution of the IT governance system. The extended value chain needs to be complemented by adopting a framework and an internal organization to drive it. As governance and security are viewed as a non-functional direction, it is imperative that the commitment and the force to channel them come from the CIO office.

Expecting the business to carry this forward and sponsor it is a genuinely unwarranted expectation and is bound to fail. Left to the business, end-to-end, enterprise-wide security ends up being nobody's business.

In the end, one has to understand that "security is like the insurance business: it's not the cost of having it, it's the cost of not having it". Hence the incidents cited in the monologue above will drag on and increase dramatically as time moves on, if this understanding is not made sacred.


With the evolving business line and the improving IT infrastructure that supports it, the IT governance model will never be static and will follow a continuous-evolution model as the business changes. A base security charter with the flexibility to adapt over time is required. Out-of-the-box thinking is required to drive the governance model with passion and wisdom. The extended value chain framework will help to drive and control the model.

A "how to" high-level model to implement the extended value chain:

1. Pick up warning signals: Look for clues and patterns in what could have happened over the last few months; the length of the data window can be decided at the CIO level.

2. Best-practice adoption: Implementing best practices gives a focused and disciplined approach to implementing and sustaining the program. Look out for the standard security regulatory requirements that your industry domain may have to comply with. Following a good regulatory compliance methodology will automatically enforce good controls around the framework. Engage good external consultants who can give drive to this force.

3. Audit to reinforce: The best-suited adoption needs to be judged through timely audits and the remediation that follows from them. Audit results will be more genuine if the audit is executed by an external entity.

4. Create an awareness program: Security is at its best with awareness and vigilance. Ensure your organization has the focus to carry out a change management program that creates broad awareness among users across the enterprise.

5. Policy enhancement program: With the changing IT landscape, policies need to be monitored, validated and retuned. Policies need to be understood; an awareness program is the key to enforcing them.

6. IT security governance team: An organizational structure under the CIO office is the key to driving such implementations.

7. Enterprise data classification: Develop a centralized data dictionary for use across the enterprise and define the standards that must be mandated when using the data, based on its sensitivity.

8. Define security metrics: Security metrics need to be defined for the organization to give quantitative and qualitative inferences.
