Been Thinking about Control of IT Systems

I’ve been talking to myself lately (I do this a lot) about control in the IT environment. That is, change control and security of the information systems from an audit point of view. There are two viewpoints that seem to be discussed.

I’ve heard one viewpoint that says think about it like a manufacturing process where you put processes and controls in place to get a high-yield (or a low excursion rate) on control breakdowns. That is, you can’t achieve 100% control and just like a real-world manufacturing process, you are going to always have events that seem to be out of control. One will always find excursions, there will always be exceptions, there will always be special cases or emergencies where changes are made outside the normal control processes.

On the other hand, from an audit point of view, one should expect the assets to be ‘in control’ with no exceptions. Any excursion where someone has access they are not supposed to have or a change is made outside of the normal change control processes is significant and should not happen. There is no yield concept and exceptions should never happen.

What do you think? What is the correct answer?

Realize that 100% perfection is hard to obtain and very expensive.

Security is Personal

Mark McDonald wrote a great post on his GartnerGroup blog about security that you must read: Security is personal and professional more than technical.  The money quote for me is:

Security is an asymmetric game from a technical perspective where the attackers will always have the advantage.  They have the advantage because there are always more attackers who collectively have more resources than the single company seeking to thwart their attempts.  Yes each attacker may be small, but that is not always the case given recent stories regarding attacks on email systems.

The only way a company can start to address the imbalance is to change the game from many attackers against a single company, to many attackers against every person in the company.  Mobilizing and reminding your people about their role in security is not a technical issue.  It is a personal and professional issue.

IT definitely has the responsibility to do all it can to address security vulnerabilities but all members of an organization must be responsible for the decisions they make daily. Behavior is just as important as technology.

Follow Mark’s work.

Changing Landscape of Enterprise Software

Lots of interesting articles appearing lately about changes to the Enterprise software landscape. Here is one called Why Oracle May Really Be Doomed This Time and another one called The End of ERP. Both suggest that the era of the huge software installs is coming to an end. Or, perhaps better said, that it has to come to an end. I’ve said I’d rather chew off my arm than do another ERP upgrade yet CIOs are faced with those situations. One must either upgrade an ERP instance, pay ever-increasing maintenance costs, or go without support. And it is not just ERP instances, but there are other cases where huge, low-value IT projects are required in an organization.

We are seeing companies embrace Salesforce and Google/Microsoft cloud applications and companies like Workday get more and more traction. I think that CIOs are 1) being forced to move in these directions and 2) want to move in that direction to lower costs and ease support. Resistance is futile.

What are your thoughts on big ERP migrations and upgrades? Are these articles right?

Fragile Security

Forbes has a short piece by Hugh Thompson on security in information systems that I’ve read in a long time. In the role of CIO, we need to be talking about the ideas that are summarized in his great article. We’ve got to expect people mistakes and system failures, assume our systems are being attacked, create safety nets and just have a general security mindset in all our applications and thinking. This article does a nice job of summarizing these thoughts.

The Era of Security Fragility

Enterprise Risk

The past few days I’ve reflected on enterprise risk. The recent news reports about flooding in Thailand and the resulting impact on supply chains are certainly cause for reflection. You can read more about those issues here and here and here. What is interesting about this is that companies frequently know some things (locations) about their suppliers, but they likely know almost nothing about their suppliers and then their suppliers’ suppliers, etc. Even trying to find out that information and develop a dependency map of some kind quickly becomes a hugely complex problem. It just explodes in size.

Consider the tsunami in Japan and its impact on supply chains where the same problem happened. That event affected factories, transportation and employees as well as local services around affected facilities. Auto manufacturers are still struggling to catch up.

Frequently, risk conversations in the enterprise are limited to just the financial risk around the financial systems and their control. Auditors like to focus on access control, segregation of duties and mitigating controls. Audits frequently zoom into huge detail in these areas to prevent and lower risk due to fraud or insider actions.

I’m now thinking the risks in other areas like securing the intellectual property of the company and assuring business continuity due to ‘black swan’ events affecting the supply chain are likely the bigger risks.  Funny thing to me today is that I wrote about this Risk in IT back in 2009. I wrote about IT Hard Problems a few times, but I didn’t include understanding the supply chain risks and mapping dependencies.

More to think about here. Would love to hear your thoughts.