Without IT process documentation, companies risk being held 'hostage' by IT
As cybersecurity breaches surge, it's important that company leadership know what IT is up to. Kevin McDonald explains why IT process documentation is a must-have best practice.
It seems that not a day passes without news of another high-profile hack, embezzlement of monies and data, or even the sabotage of a corporation or government entity. These events are shining a light on weak efforts to avoid cybersecurity breaches, and how company owners and executives are sometimes targeted for shareholder revenge. As Zurich Insurance Group reported in 2014, "Shareholders within several companies recently victimized by cybersecurity breaches have launched lawsuits against the enterprises' boards, claiming that executive management breached its fiduciary duty by failing to ensure that the companies implemented adequate security measures."
As an executive, meeting your fiduciary responsibilities with regard to technology decisions and preventing cybersecurity breaches can be extremely difficult. In fact, without the honest and committed assistance from the IT team -- in particular, the documentation of IT processes -- it is actually impossible. Without IT process documentation, the business risks being held hostage by IT.
I have worked with executives from small businesses to large enterprises, governments, and high-net-worth individuals, some of whom were being held hostage by IT and didn't recognize what was happening. I have led cases with individuals and companies that suffered millions of dollars in losses to insider theft and embezzlement by highly trusted and long-term employees. I have worked with executives who were assured everything was great and their companies were secure, while in reality they were not only less than secure but also lacking the fundamental best practices.
While these cases may seem extreme on the surface, they are startlingly common. Each starts with the withholding of information, typically over an extended period of time, as more and more control is handed to IT and less and less transparency is demanded. IT might fail to deliver requested information in a timely manner or it might not deliver it at all. IT might intentionally or unintentionally use overly technical language that you can't understand. Or, the IT leaders might be simply incompetent or lazy.
Held hostage? Ten warning signs
To help determine whether you're a hostage to IT, ask yourself the following questions:
- Do you believe you are being told the truth about your systems?
- Do you truly understand what is being presented so you are confident in your decisions?
- Are you confident that you are not legally exposed and out of compliance with state and federal regulations?
- Do you possess the IT process documentation necessary to run the company without your current IT staff or would you be lost without them?
- In the event of a natural or technical disaster, or major cyberattack against your company, would your organization survive?
- Can your IT staff account for all expenditures?
- Are you ever afraid to make changes because you don't know what the real impact might be?
- Do you wonder where the money is going and maybe even feel like your technology department is a financial black hole?
- Do you believe your staff or even key players are the only ones who really understand your systems, and anyone else would struggle or undoubtedly fail?
- Do your systems seem sluggish or fail frequently?
If you answered no to any of the first six questions or yes to any of the last four, you may well be an IT hostage.
Why you need IT process documentation
Taking a closer look at the IT process documentation example in No. 4 above, if you do not possess the documentation of your systems' inventory, configurations, dependencies, partner integrations, etc., the impact can be enormous. Lack of IT process documentation enables unfettered theft of time and property. It allows staff to buy equipment, software and services on the company's dime and then use it for themselves, friends or family. They can use it to run a side business delivering IT services, run an online website or even sell the items on public commerce sites while they should be working. Besides the direct loss of these assets, this can also cause major liability through tax ramifications and even potential export violations if employees sell the stolen equipment to individuals in embargoed foreign countries.
Without documentation, where would you be in the event of sudden employee loss? How would you move forward? I have personally worked with companies that had employees in critical positions who had not produced documentation and either left suddenly, voluntarily or involuntarily. I watched these companies (including large enterprises) struggle not only with the personal loss of the employee but with extremely damaging and expensive inability to access systems, maintain applications, change or update websites, get control of website domain names, and more.
What's worse is watching companies suffer with incorrigible, unqualified, non-productive and even violent staff or providers for years, because management was terrified of the unknown alternative. This is often perpetuated by statements like, "You would be lost without me," and "I wish I could find someone to help me with our custom application, but no one knows how to work on the systems besides me." These are both examples of comments designed to make others feel reliant on them. In one particularly severe case, even the company's employees suffered and in some cases left the company because of the IT culture. In exit interviews they would make statements like, "They are so abusive and condescending. I am tired of treating IT like royalty just to get what I need to do my job."
Securing IT process documentation: Six steps
So, what can you do to not become a hostage to IT?
- Never allow one person or group too much power.
- Demand complete documentation and change control from your staff and service providers. Be sure documentation includes:
- Credentials such as usernames, passwords, certificates and so on to the network, servers, applications and all services
- Hardware and software inventories, media, access and license information
- Accurate and complete network diagrams
- Application inventory and configuration information
- Custom application development documentation
- Process and integration workflow diagrams
- Internet service provider names, contacts, passwords and configuration information
- Domain registrars' names, contacts, passwords and configuration information (administrative and financial contacts should never be IT)
- Contact and other information for all service providers used for all systems implementation and support. These can include integrators, hardware resellers, managed service providers, software consultants, security consultants, air-conditioning, power management, and more
- Records of all changes made so that the original documentation is maintained as true and accurate
- Be sure that you (or someone assigned to this duty) have current domain-level systems access at all times and test randomly.
- Demand and sponsor independent assessments of the network's configuration, security and reliability. Be sure:
- The assessment covers aspects of information technology from a confidentiality, integrity and availability perspective
- IT staff members are instructed to cooperate fully and support the initiative
- The assessment vendor is not chosen or managed by IT
- The results of assessments are not filtered through IT
- The results provide clear and concise input on current conditions and potential changes recommended
- Utilize outside support that can be your backup in the event of sudden staff absence.
- Insist on re-interview and consideration of staff as the company grows or your technology advances. Don't set or support the expectation that they are somehow guaranteed the top spot because they were first on the ground.
The rescue: Five action items
Now, what if you suspect or, better yet, know you are an IT hostage?
IT hostage rescue is a particularly sensitive situation. If you make the wrong move, you may alienate good staff who have just let some things go undone because they are too busy, reticent to ask for help or have been shot down in the past. You may also trigger very bad and even dangerous behavior if a bad actor gets wind of your campaign before you are ready to act. They may do damage or create ways to do damage in the future. They may begin to cover their tracks, making termination or potential prosecution much harder. Treading carefully, here are some steps to take:
- Request a full situational update and documentation from staff. If this is an out-of-the-ordinary request, it is important to find a reason for this that will not alarm people.
- Verify No. 1 with an independent assessment and documentation project. Professional staff that are doing things right will have no qualms with this request. In fact, many will relish the second opinion. There are many strategies to request this without raising flags.
- Be sure that assessment comes with a geek-to-English translator that will ensure you understand the results.
- Review financials and inventory records for disparity.
- If you suspect the situation could go bad quickly, call a professional.