
Decentralization of IT key to security breaches

Higher Education leads all industries in loss of personally identifying information. One driving factor in this statistic is how IT is organized. Decentralization done wrong is an accident waiting to happen. Is your organization at risk due to its structure? Read the following characteristics of IT decentralization done right or wrong to see what category your organization falls into.

If you take a look at any of the websites that maintain lists of security breaches in which personally identifying information (PII) is inadvertently made available to the public, you will find that two categories of organizations are responsible for most of the breaches - Higher Education and Government.

Having been involved with both over a number of years, I have my theory as to why they are particularly vulnerable to security breaches, and I believe the biggest culprit is IT decentralization done wrong. I am explicitly saying "done wrong" because I have written in the past, and still believe, that there is a right way and a wrong way to have decentralized IT. I will explain the right and wrong ways of IT decentralization and then explain how the wrong way leads to security breaches.

IT decentralization done correctly has the following qualities:

  1. It is planned.
  2. There is a clear distinction of roles, responsibilities and services between central IT and the organization's decentralized counterparts.
  3. Control and responsibilities are delegated to the decentralized units, not abdicated.
  4. Even though control and responsibilities are delegated, central IT performs a strong oversight role.
  5. The "buck" stops with central IT and central IT has the authority and management backing to enforce policy and procedures down through the organization.
  6. Funding of IT for the organization is controlled in some fashion by central IT, whether by sign off on purchases or projects or by direct control over funds.
  7. Decentralized units are neither rogues nor orphans.
  8. There is a strong governance process in place.
  9. IT security and auditing are not an afterthought of the organization.
  10. The organization takes IT seriously and the organization's CIO is a member of the senior management team.

Now, one could look at the above and say that it smacks of too much central control, but I will argue that you can have autonomy and strong control at the same time and that, done correctly, the above model is a strong method for the delivery of IT services.

Now, let's look at characteristics of what I term IT decentralization done wrong - which I call Laissez-faire Decentralization.

  1. It is unplanned and IT has "grown up" in various areas of the organization - often through disparate funding sources.
  2. There is no clear distinction between central IT and the various decentralized units in regards to roles, responsibilities and services provided.
  3. If there are standards at all, they are mostly followed by central IT and the decentralized units either follow their own or have none at all.
  4. Central IT usually has little or no control over the decentralized units and, if caught in a battle with a decentralized unit, will often lose to the decentralized unit.
  5. The central IT unit has authority over itself only and its oversight capacity is advisory only - with no way to compel a decentralized unit to cooperate.
  6. Funding for decentralized units is independent of central IT and is often used as the main reason for the decentralization in the first place - as in - "it's my money, you aren't going to tell me how to spend it."
  7. There are IT haves and have-nots within the organization because of IT funding mechanisms.
  8. The IT governance process is weak or non-existent.
  9. Central IT is seen as a requirement for administration - running finance/payroll etc. and is not viewed as a true business partner.
  10. Politics plays a strong role in the delivery of IT services.

Referring back to my original statement, much of the government and Higher Education IT that I have come across in my career looks and smells more like Laissez-faire Decentralization than "decentralization done right." IT in both of these industries tends to grow up on an as-needed basis and evolve into highly decentralized IT organizations. Why is this a problem, and how does it lead to security breaches?

The laissez-faire model can work to deliver IT services - sometimes well, sometimes not so well. While every one of us can point to a decentralized unit that did it better, faster and cheaper than central IT, there are more out there that barely get the job done. They are often staffed by people who wear an IT hat in addition to their "real" job and view IT as a hobby, a right, or a requirement, depending on why they are in the business in the first place - IT is not their profession. They want and need IT to get their jobs done and do what it takes to do so, but they have neither the time nor the resources to run IT like a business or a profession.

This model has worked for many years to provide IT services, but the world has changed. IT run by "amateurs" (and I am not saying that in a derogatory way) has delivered and continues to deliver necessary services, but it cannot keep up with the level of sophistication that the "bad guys" have evolved to, nor with the responsibilities and liabilities that come with IT in this day and age. Once upon a time an organization could do mediocre IT and only be a danger to itself - now it is a danger to others.

Combine this lack of quality and sophistication with a highly desirable product (the PII of hundreds of thousands of individuals) and you can see why higher education and government are ripe for data loss.

Ultimately it is the CEO of the organization who is responsible for how IT is performed in his/her organization. There are those who get it and put the authority and resources where they need to be to produce an IT organization, centralized or decentralized, that is both accountable and effective, and there are those who don't and are waiting for a disaster to force them to wake up and smell the coffee. It's too bad that the "disaster" often comes in the form of the exposure of the PII of lots of innocent and unsuspecting people who placed their trust in those organizations.

9 comments
dawgit

While certain controls should naturally be in place, the actual funding should be dictated by the needs of the satellite sites. They're the ones who are aware of what is needed at their sites. -d

dean.owen

Having worked in higher education IT for many years, I can say I've seen every one of the Laissez-faire Decentralization examples and then some. Item number 10 always confused me. We were held responsible but didn't have the 'power' to stop bad and dangerous practices. I gave up and moved on. Thanks for a great view on the topic.

Matt Larson

I am amazed that the government is listed as one of the main "informationally loose" sources; it's usually so efficient (to be read with sarcasm). A plan and its delivery are equally important, and most great leaders have a plan and can execute it. Information security should not be handled like you were attending a Grateful Dead concert. There should be a sure route to decentralization. In the end you are ultimately securing trust from those who are entrusting. The problem is that some people just do not care.

JonnyDee

Please give me some leads. I have doubts about this part of your assertion.

Ramon Padilla Jr.

There is always a great debate as to whether structure can play a role in organizational effectiveness, particularly when it comes to IT. I have argued both sides of the centralization/decentralization battle of IT in the past and, simply put, either model done wrong leads to problems. However, in today's changing environment, organizing badly - particularly when it comes to decentralization - is now considered a risk factor, not just a knock on performance.

dawgit

I won't argue with your statistics, nor do I disagree with you either. But could the reported instances (that reflect in the statistics) be, in a big part, due to the openness of the institutions affected? I think that the private sector, and the gov sector in particular, are reluctant to acknowledge breaches (usually under the guise of investigations, maybe rightfully so). -d

jasilvasy

I agree that any IT management style, centralized or decentralized, done wrong is a risk. However, I don't think the structure itself is the issue as much as the management of the structure. A poor manager as CIO at the most centralized level is a danger to everyone and every unit below that level. And talk about wearing multiple hats, consider the CIO who is also a CFO or a CEO or a CPO (Chief Privacy Officer). The wearing of multiple hats issue is even more of a problem at the central management level than at a subordinate unit.
