by Angie Singer Keating – CEO
I am a geek. I love information technology (IT) and just about anything (person or gadget) related to it. But when I read this recent article in the Chicago Tribune, my blood boiled and my head almost spun around like some demonic possession. Why? Because “IT guys” are not necessarily experts in security. And you don’t have to be a rocket scientist to adopt a vigilant “trust-but-verify” mentality about your organization’s most valuable asset – your DATA. But then again, maybe lawsuits like this one will force organizations to realize that security risk assessments by unbiased, highly trained security professionals are the only true measure of risk exposure to data breach, hacking, or data theft.
Much as you wouldn’t hire an architect to install your home security system, or hire a general practitioner to operate on your brain tumor, nor should your IT consultant be the sole assessor of your organization’s IT security. IT systems installation, maintenance and repair are a complex and specialized area of technology practice. It requires skill sets unique to the needs of the clients, and it requires professional expertise that is highly valuable. Today, IT professionals even specialize in areas such as databases, networks, and a wide array of programming languages and platforms. While all of them have to know about security, their key job responsibilities are knowing the system, maintaining it, and troubleshooting it when it’s not working properly so that your team can focus on getting their work done efficiently, collaboratively, and professionally.
Likewise, IT security is a separate, highly complex specialty of technology practice. It requires unique skill sets beyond just technology, e.g. auditing and controls fundamentals, risk impact analysis, crisis management, change management, corporate governance and the legal aspects of data breach and privacy violations. Even in security, many professionals today specialize in certain areas such as computer forensics, incident response, ethical hacking, or web application security. While all security professionals need to know about systems design, database management, programming languages and networks, their key job responsibilities are information security assurance, risk mitigation, and basically trying to ethically break into your systems so the bad guys can’t, keeping your company out of the data breach spotlight, avoiding costly litigation, and complying with all data security and privacy regulations.
Having an IT consultant install your network and then audit it is the proverbial “fox guarding the hen house”. Will they point out lax security settings or their own failure to reset default passwords? How likely are they to recommend a particular security tool if it happens to be manufactured by a company for which they are not a reseller? And if a security flaw can be fixed by a simple setting change or other no-cost control, how likely are they to recommend that if it doesn’t make money for them?
There is good history to back up my strong opinions on this. Didn’t we learn anything from the Enron scandal? Poor auditing practices and conflicts of interest led to the bankruptcy of both Arthur Andersen and Enron.
The good news is that many ethical IT systems consultants, resellers and integrators realize that they do not want liability for security assurance. To this end, they proactively partner with firms like Reclamere. And when clients ask us for hardware, software, or engineering services recommendations, we are thrilled to refer business to our ethical, professional, and highly dedicated strategic partners. They build and maintain the hen house. Reclamere secures and guards it. Win – Win – Win for everyone!
To find out what the security risk profile of your organization might look like, click here to take our no-cost, no-obligation security risk assessment.