The Committee of Sponsoring Organizations of the Treadway Commission, better known as COSO, is akin to the high priests of internal controls. In 2013, COSO updated their Internal Control Integrated Framework to put an emphasis on technology controls. Since data breaches suggest weak controls, CFOs need to improve their understanding of technology and work more closely with IT to get their houses in order.
We learned some of the most important life lessons in kindergarten. “Clean up your room” is just as relevant a call to action across organizations of all sizes and sophistication. Poor housekeeping is evidence of weak controls, and leads to security and compliance shortcomings as well as unnecessarily high costs. While not an exhaustive list, here are some notable problem areas and ways to address them.
Start with IT asset management. ITAM’s traditional mandate to keep track of licensed software and physical hardware may lack the visibility (and budget) that Information security enjoys. But it’s no small feat to accomplish and can drive strong cyber security and lower costs.
Licensing rules are hard to interpret, and virtualization and shifting workloads from on-premises to the cloud compound the challenge. Accurate data on resident software publishers, versions, usage, and entitlements is elusive. Siloed business units may resist sharing underused licenses with other units. Unsupported, vulnerable software can linger undetected for years.
IT departments are appropriately anxious about the prospect of upcoming ITAM audits. Microsoft, Oracle, IBM and other traditional licensed software publishers derive large sums from penalties and true-up payments that these audits yield. The best defense here is a good offense. Become well organized, and demonstrate competence.
Hardware is just as important an asset to manage. From smart phones to servers, hardware should be tracked throughout its lifecycle, from provisioning to disposition and all the configuration changes made to them along the way. Many companies still leave valuable data on hard drives that have not been appropriately decommissioned. Photocopiers are returned after lease expiry laden with recorded images of sensitive documents. Every company can do better.
ITAM is more of a journey than a destination. Installing one of the popular asset management tools is just a start. ITAM needs to be integrated into responsive service management and provisioning processes, and must be considered a core aspect of the security and compliance mission. It takes senior level support, thoughtful processes, and the right people.
Get your arms around the cloud. The rapid shift away from the use of licensed software forces us to expand the traditional definition of “asset” in ITAM to include software-as-a service applications (SaaS apps) and cloud hosts (infrastructure).
More than a third of a typical large organization’s data now runs through the cloud, and visibility and control over this activity is sorely lacking. Popular sanctioned SaaS apps like Office 365, Salesforce.com, and Workday are just beginning to recognize the need to bring necessary transparency with regard to user activity.
Employees access SaaS apps because they are easy to use and tend to be innovative, single-point solutions that are unique or superior to licensed software alternatives. Employees are often frustrated by slow, internal, licensed software provisioning processes. They may not recognize or respect policies designed to police this activity. The resulting “shadow IT” phenomenon can create significant security and compliance risk. The typical large organization can now have more than 1,000 SaaS apps running on their networks, and only 6% of them are considered to be enterprise-ready.
An emerging group of companies that Gartner calls “cloud access security brokers” (CASBs) now shine a light on shadow IT. Unique cloud risks require a new set of questions to answer and governance policies to audit. Cloud risk categories include certifications and standards, data protection, access control, auditability, business continuity, legal, and privacy issues, and vulnerabilities and exploits.
For example, a SaaS app that many people use instead of PowerPoint admits, in the fine print of its user agreement, that it owns any of the data uploaded to the site. That should be troubling to anyone interested in safeguarding sensitive information. Good housekeeping in the cloud requires you to identify, risk assess, control, and optimize the use of cloud-based services.
Treat your data like a key asset. Good housekeeping requires yet a further expansion of the definition of “asset” to include data and information.
Every company should create and sustain a data map. Data and information are among a company’s most vital assets, yet few companies have a good understanding of where they’re located. If you don’t know where your data reside, you cannot protect them or create the most value from them.
Companies sit on vast data landfills. Two-thirds of company data are redundant, obsolete, or trivial (ROT). Eliminating ROT data can dramatically reduce storage costs. The remaining data will be easier to find, protect, and use, and is more likely to be of sufficient quality to drive big data opportunities. Any company looking to lift and shift their workloads to AWS, Azure, or other cloud hosts should clean out their closets first.
Classification technologies help to distinguish sensitive data from everything else. Companies can best enforce data-loss protection policies (for instance, employees are barred from downloading customer lists to their Dropbox accounts) if they have first classified their data.
Look at your house from the outside. A handful of rating firms has emerged to answer an important question: What does “good” look like when we talk about cyber security? These ratings firms size up a company’s cyber hygiene like a hacker would, and create a FICO-like score based on continuous, objective, non-invasive assessments of vulnerability.
While not a comprehensive measure of a company’s security posture, weaknesses based on these external scans can indicate vulnerabilities that can be confirmed through internal scans. The cyber risk ratings phenomenon is ushering in a new age of cyber transparency.
The risk factors measured by these firms cover basic housekeeping issues that can be easily rectified. Are your ports configured correctly? Do you unnecessarily reveal too much information about the type and version of server software in use on your network? Do you adhere to appropriate email protocols to combat phishing expeditions? Are you attentive to vulnerable or outdated software by patching deficiencies promptly? Do you maintain certifications for sufficiently potent forms of encryption?
Cyber risk ratings firms draw attention to housekeeping issues that previously went unrecognized, sometimes even to the IT staff. Hackers got access to Target Corp through a vendor with poor cyber hygiene. Since reported data breaches are often attributable to weak third parties, cyber risk ratings are an indispensable tool for measuring a vendor’s or partner’s attention to good housekeeping. Even board members can follow the story, with easily digestible reporting that doesn’t require a technology background to decipher.
It’s a truism to say that most success comes from just showing up. Similarly, strong technology controls are largely attributable to basic, good housekeeping. CFOs cannot afford to wait for their external auditor to throw up enough red flags to motivate action. Hacker activity is, sadly, reason enough to strengthen technology controls and operate in a more secure, cost-effective way.
Craig Callé is CEO of Source Callé LLC, a consulting firm that makes organizations more data-centric. He is a former CFO of Amazon.com’s Digital Media and Books businesses and other companies, and was an investment banker at Salomon Brothers. Prior to starting his firm, he was chief strategy officer at SHI International.