August 4, 2020 Alan Kepper

Governance and the Rush to Trust

As our cyber security practice grows, we are increasingly being asked to complete audits and provide advice on cyber security measures.  We hear of so many tales of woe!

What I am noticing is that even before COVID-19, the boards and management of our clients were grappling with the digital disruption going on globally. This drives the enthusiasm to innovate and compete in a business environment where technology is advancing at an increasing rate. That is, the pace of change is not just relentless; in some sectors it is accelerating. I think this drives up competitive spirit and the fear of missing out.

This in turn can create a "rush to trust". I have heard stories of boards disregarding Chief Information Security Officer (CISO) recommendations and releasing products, only to withdraw them after security events occur. We also see many smaller organisations grappling with the basics, such as crypto-locker ransomware and fraud committed by duping staff over email.

I hear board members regularly say, "I don't even know what questions to ask", when it comes to managing their responsibilities. I encourage boards and senior management to treat information like cash! The same disciplines and governance that apply to cash can be applied to company information, and asking the same questions can reveal interesting results.

“Where is it kept; who has access to it; if we lose it what happens?”

So how does an organisational leader balance the rush to adopt and implement technology against the cyber security risks that come with it? My approach is to start with what all boards lean on: GOVERNANCE.

I met with a CISO of a large organisation and he shared some of his challenges especially as he took on the responsibility of the role.  I was shocked to hear about some of the things he found and some of the systemic measures that nearly prevented him from making changes to save the organisation.

I have recently also had many discussions with small business owners about their fears of other people having control of their IT systems, and how helpless they feel in raising their concerns with those people. Typically, these are IT contractors who started out with them many years ago.

One of the key things I like to focus on when building IT systems is the governance of the account set-up. We normally suggest first establishing the super administrator account (some call this the "god" account). Using this account, we create roles and accounts for the people who will be managing the systems: the administrators. Everyone gets their own account, and there are no accounts where people share a password, even if it costs you an extra $10/month.

The administrators will usually be the IT team, a board member (just in case) and contractors. Once they are set up, make the super administrator account password very complicated, enrol it in the emergency recovery options offered by the service or software vendor, and store the details in the company safe and perhaps the company lawyer's safe as well. That is, the super administrator account should never be used except in an emergency. Because it should never be used, any sign-in to it is an event worth investigating, and whenever the sealed credentials are taken out and used they should be changed and re-sealed afterwards. This governance architecture should be created by the board and include the emergency recovery options as part of its overall governance. It should not be left to the IT team.
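One way to check an account inventory against these rules, as an added example that is not part of the original post: the script below models the rules described above (exactly one super administrator account that is never signed into outside a declared emergency, one named account per person with no shared passwords, and day-to-day administrators holding roles rather than the god account's powers). The inventory and emergency window are constructed for illustration; in practice you would load an export from the identity provider or cloud console, and the field names, the `super_admin` role name and the `audit` function are assumptions of this example rather than any vendor's API.

```python
"""Added example (not from the original post): audit an account inventory
against the break-glass account rules.  All data below is constructed."""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Sequence, Tuple


@dataclass
class Account:
    name: str
    owners: List[str]                      # people who hold this password
    roles: List[str] = field(default_factory=list)
    is_super_admin: bool = False           # the sealed "god" account
    last_login: Optional[datetime] = None  # None = never signed in


@dataclass
class EmergencyWindow:
    """A declared emergency during which the super administrator may be used."""
    start: datetime
    end: datetime
    reason: str


def audit(accounts: Sequence[Account],
          windows: Sequence[EmergencyWindow] = ()) -> List[Tuple[str, str]]:
    """Return (account or '*', finding) pairs; an empty list means compliant."""
    findings: List[Tuple[str, str]] = []

    # Rule: there is exactly one super administrator (break-glass) account.
    supers = [a for a in accounts if a.is_super_admin]
    if len(supers) != 1:
        findings.append(("*", f"expected exactly one super administrator "
                              f"account, found {len(supers)}"))

    for a in accounts:
        if a.is_super_admin:
            # Rule: never used except in a declared emergency.
            if a.last_login is not None and not any(
                    w.start <= a.last_login <= w.end for w in windows):
                findings.append((a.name, "super administrator signed in at "
                                 f"{a.last_login.isoformat()} outside any "
                                 "declared emergency"))
            # Rule: the password lives in the safe, not with named people.
            if a.owners:
                findings.append((a.name, "super administrator password is held "
                                 f"by {', '.join(a.owners)} instead of the safe"))
            continue

        # Rule: every person gets their own account; nobody shares a password.
        if len(a.owners) != 1:
            who = ", ".join(a.owners) or "nobody"
            findings.append((a.name, f"account shared by {len(a.owners)} "
                                     f"people: {who}"))
        # Rule: administrators get roles, not the god account's powers.
        if "super_admin" in a.roles:
            findings.append((a.name, "holds the super_admin role but is not "
                                     "the designated emergency account"))
    return findings


# Constructed sample inventory (not real accounts).
NOW = datetime(2020, 8, 4, tzinfo=timezone.utc)
SAMPLE_ACCOUNTS = [
    Account("superadmin", owners=[], is_super_admin=True,
            last_login=NOW - timedelta(days=3)),           # used outside a window
    Account("alice", owners=["Alice"], roles=["admin"],
            last_login=NOW - timedelta(hours=2)),
    Account("board.chair", owners=["Board Chair"], roles=["admin"]),
    Account("itcontractor", owners=["Contractor A", "Contractor B"],
            roles=["admin", "super_admin"],                 # shared + over-privileged
            last_login=NOW - timedelta(days=1)),
]
SAMPLE_WINDOWS = [
    EmergencyWindow(NOW - timedelta(days=30), NOW - timedelta(days=29),
                    "identity provider outage"),
]

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_ACCOUNTS, SAMPLE_WINDOWS):
        print(f"{name}: {finding}")
```

Run against the constructed inventory, the check reports the super administrator sign-in that falls outside the declared emergency window and two findings for the contractor account (a shared password and the `super_admin` role). A clean inventory returns an empty list, which makes the function easy to wire into a scheduled job that raises an alert whenever the list is non-empty.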

Every organisation is different, and once the basics are set up, the account structure will adapt with the organisation. What I see as very fundamental and simple is something I regularly see not being implemented, and the cost of that is very high.