Is our current approach to IT and Business Design building a House of Cards?
Why have so many large companies had major business disruptions because of IT and security issues?
That was the question I asked of my colleagues over dinner one night at a favourite bistro (pub).
Over the last three years, there have been large failures caused by cyberattacks at Maersk, Merck, Hydro, Toll, JBS Meats and Colonial Pipeline, to name just a few (see Lessons from Life for more information on each of these cyberattacks).
Surely these large companies have enough expertise. It isn’t as though IT has just arrived, or that cyber attackers are new. I am sure they also have great risk managers and IT teams.
Is our current approach to IT and business design building a house of cards? For the large companies mentioned above, given the resultant business disruption and associated costs, the answer would have to be yes!
Do these failures have anything in common? Not a lot of detail is known about each of them, but what we can deduce is that they all have a large attack surface. The attack surface is the degree to which an organisation’s IT systems and infrastructure are available to attackers for exfiltrating information, for monitoring an organisation’s business, or for enabling extortion through ransomware, amongst other crimes.
The size of the attack surface is the reason the above-mentioned companies have suffered greatly.
Why are the attack surfaces so large?
That is an interesting question, and the reasons are many; I will expand upon them over the next few months.
Can we reduce the attack surface and limit the disruption to business and other associated risks?
The answer is yes, but for many firms it will require a different approach to the one that is sometimes being employed.
How did we get to this point?
The last 30 or so years have seen many changes in the way organisations have chosen and implemented systems and changed their business operations. In particular, the changes have been very dramatic over the last 5 or 6 years. The changes have not affected everyone uniformly, and some organisations have even managed to change and develop good practices over time.
Before we look at what might need to change, what we can do about it and some implications for the future, let’s consider the major influences over the last 30 or so years.
The Major Influences on IT in the Last 30 Years
The 1990s
The 1990s were a period in which organisations transitioned from in-house developed systems to buying packages, or having software development houses develop either bespoke packages or generic packages to suit many organisations.
The focus became best of breed, which generally led to centralised systems built around a central database.
There was some security, but not compared to today’s security focus, as most organisations were using private networks for their main systems. The internet was in its early days, security interfaces were relatively simple, and the threats were a lot lower in magnitude.
The possibility of using ICT to a much larger extent than previously led to a vast increase in usage and higher gross costs to an organisation.
IT was seen to be a cost driver for the organisation.
While some functions (e.g., Finance, HR) had been using software packages for some years, the development of ERPs was a significant step towards outsourcing systems development, and towards what was hoped to be lower costs.
The network
“Ok, we’ll add you to the network.”
A common response from the IT department to all your queries.
Registering new employees and contractors usually came with that request. Account creation was easy, and not much interrogation of the request occurred, apart from what specific access was to be granted.
When new facilities are added, they are sometimes just added to the network.
The ability to connect everything to everything was enabled by the internet and internal networks.
However, just because you can doesn’t necessarily mean you should.
Connecting everything to everything, or connecting to things you shouldn’t, just enlarges the attack surface.
Systems Integration
People tend to integrate things.
Integration can increase the number of people connected to a network and its applications. It can also make a database the single point (source of truth). On one hand, this makes life a little more convenient, but it also increases the attack surface.
Integration of information is good; it just needs to be in the right place at the right time.
Integration of business systems with OT (operational technology) and IoT (Internet of Things)
Why organisations do this is beyond me!
Look at the impact on Merck, Colonial Pipeline and Hydro, among others (see Lessons from Life). Just because you can connect things together doesn’t mean you should.
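To make the "connecting everything to everything" point measurable, here is an added example (my own illustration, not code from the original post). It models an organisation's systems as a small directed graph, counts how many assets an intruder holding the internet-facing perimeter could pivot to, and then shows how cutting the single link between the ERP and the plant historian takes the OT assets out of reach. Every host name and link is constructed for the illustration.

```python
# Added example: measure the reachable attack surface of a constructed network
# before and after segmenting business IT from OT. Hosts and links are invented.
from collections import deque

# Constructed topology: each key is an asset, each value the assets it can talk to.
FLAT_NETWORK = {
    "internet": ["vpn-gateway", "web-portal"],
    "vpn-gateway": ["hr-app", "erp"],
    "web-portal": ["erp"],
    "hr-app": ["central-db"],
    "erp": ["central-db", "plant-historian"],   # business system wired into OT
    "central-db": ["backup-server"],
    "plant-historian": ["plc-line-1", "plc-line-2"],
    "plc-line-1": [],
    "plc-line-2": [],
    "backup-server": [],
}


def reachable_from(graph, start):
    """Breadth-first search: every asset an intruder holding `start` could pivot to."""
    seen = {start}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)          # the entry point itself is not counted
    return seen


def attack_surface(graph, entry="internet"):
    """Number of assets exposed to compromise via the given entry point."""
    return len(reachable_from(graph, entry))


def remove_links(graph, links):
    """Return a copy of the graph with the given (src, dst) edges removed,
    i.e. the effect of putting a segmentation boundary on those paths."""
    cut = set(links)
    return {src: [dst for dst in dsts if (src, dst) not in cut]
            for src, dsts in graph.items()}


def exposed_ot(graph, entry="internet", ot_prefix="plc-"):
    """OT assets (by naming convention, an assumption here) reachable from the entry point."""
    return sorted(n for n in reachable_from(graph, entry) if n.startswith(ot_prefix))


# Segment IT from OT by cutting the one link that joins them.
SEGMENTED_NETWORK = remove_links(FLAT_NETWORK, [("erp", "plant-historian")])

if __name__ == "__main__":
    print("flat network:      ", attack_surface(FLAT_NETWORK), "assets, OT exposed:",
          exposed_ot(FLAT_NETWORK))
    print("segmented network: ", attack_surface(SEGMENTED_NETWORK), "assets, OT exposed:",
          exposed_ot(SEGMENTED_NETWORK))
```

The same reachability check can be run over a real asset inventory and firewall rule set; the value is in seeing which business-to-OT links exist at all, since each one is a path an intrusion on the business side can follow into the plant.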
Functional Consolidation
Similarly, consolidation of functions might lower operating costs, but it may also increase the attack surface or reduce resilience.
Mergers & Acquisitions
Many M&A opportunities are based on stripping out costs (usually in back-office functions), which leads to consolidation and reduced resiliency.
Cost containment of IT
The focus on reducing IT costs leads to more integration and reduced resiliency.
IT Environment
The focus has often been on meeting budget and timelines, with quality of design and implementation a secondary outcome.
On top of this is the general lack of quality resources with experience.
More expertise is needed, and more mentoring of staff is required to help them acquire both expertise and experience.
There is still too much of a hands-off approach to IT.
This shows in the lack of coordination between the design of IT systems and networks and the design of the organisation.
It also shows in the fact that two-thirds of organisations hold the CISO or CIO responsible for security breaches.
Cyber Security
As indicated in the point above:
Over 60% of organisations hold the CISO and CIO responsible for data breaches
(IBM Report on Data Breaches)
This really is unfair. While they can do their best, adopting security frameworks, complying with standards, educating staff, monitoring for intrusions and hunting for intruders, they are dealing with vulnerabilities that occur in all software and firmware, and intrusion will inevitably occur.
In the security world, it is often stated that “it’s not a matter of if an attack may occur but when”.
There is a shortage of critical IT resources in security. As well as expertise, it is one area where experience really matters.
Several reports indicate a worldwide shortage of several million people with security skills.
Belief in External Suppliers
I am of the view that many people believe that by outsourcing IT functions to external suppliers, whatever problems they face and whatever lack of expertise they have, those problems go away.
A surprise to me was the revelation in the well-researched IBM report (reference below) that
18% of data breaches occur from misconfigured cloud implementations
(IBM Report on Data Breaches)
The reason for this is unclear, but it is good to remember that suppliers are staffed by people with a range of expertise and experience.
At a security supplier function not too long ago, I asked a client of the security firm, their opinion of the service they were receiving. Their response was “well, it depends on who you get, and we are not renewing the contract”.
It pays to do more due diligence when selecting suppliers.
It is also a reminder that while you might outsource the function, you cannot outsource the management of it.
An outside resource must be managed as though it were an internal resource.
Summary
I have no doubt some people will dispute what I have been writing.
I am not tarring everyone with the same brush either. However, I believe many of the characteristics above are evident in some of the cyberattacks we have seen over the last few years.
Organisations now live in a different environment from the one experienced 5 years ago (longer in some sectors).
We need to take stock and think differently about our organisations for the future.
While many believe that IT is better integrated with business goals than it has been in the past, there are many cases where this is not so, with huge consequences.
It’s time to rethink what we are doing.
The next part of this document will cover what organisations should be doing differently, and why even boards need to have a voice in determining the design approach to their organisations and the associated security and IT implementation.
Attribution:
IBM: Cost of a Data Breach Report 2021: Download the Report here https://www.ibm.com/au-en/security/data-breach