Marcus Morissette, Managing Director, Concise Consulting Group.
We all know the IT guy/gal (IT Director, network administrator, “IT guy”) who is your company’s “Radar O’Reilly” or “go-to guy” when it comes to your network (let’s call him/her “IT Joe” for the rest of this post). He is the guy who knows how everything works, why the firewalls and routers are configured the way they are, and where all the bodies are buried. He is the guy you call when something goes wrong, and the guy who keeps things going, sometimes through sheer willpower.
You (fill in blank here with your applicable C-level title) may think this is great! That it is such an efficient way to run an IT shop. You may have reduced staffing and think that this guy/gal represents such a great level of efficiency. Why have three people around who have the same skill set/knowledge, when you can have one? In this economy, many IT organizations have had their numbers cut, and many are probably faced with a Single Point of Failure (SPOF). Or several (which is not necessarily an oxymoron, but is a really bad idea).
With over 20 years of information security experience, including assessments of over 100 organizations, we have seen many different approaches to IT. One constant is that EVERY IT shop has a SPOF. Some are known, some are unknown. SPOFs not only violate multiple tenets of good information practice, but are just a bad idea. Just a few examples of the potentially negative aspects of a SPOF in your IT organization:
Going Rogue: What would happen if IT Joe suddenly lost his or her motivation or sense of corporate loyalty? What if he/she doesn’t get the raise he/she was expecting, or just decides his/her retirement plan needs to be moved up 15 years at your expense? What damage could they do, and what “secrets” do they have that might be of use to your competitor? Also – see above re: San Francisco.
Win the Lottery: What if IT Joe wins the lottery? How would your IT organization function without him/her? Who knows how everything works? Is it all in a file somewhere, or did your IT organization just head off to the Caribbean on permanent vacation?
The Solution? The solution to the SPOF in your IT Organization will vary depending on your company’s particular situation and the size and complexity of your IT Organization. The first step, just like most 12-step programs, is admitting you have a problem. Identify your SPOF or SPOFs, and the factors that led to them becoming a SPOF.
Some specific actions you might consider to address your SPOF problem include: hiring/grooming more involved CIOs, implementing technology oversight boards, documenting job descriptions, roles & responsibilities, implementing backup roles, cross-training your IT personnel, and not gutting your IT shops to their bare minimum.
SPOFs need to be handled carefully. Make sure that in trying to resolve the SPOF you don’t cause the issue that you are trying to avoid.