If you take a look at any of the web sites that maintain lists of security breaches in which personally identifying information (PII) is made available inadvertently to the public, you will find that there are two categories of organizations that are responsible for most of the breaches - Higher Education and Government.
Being involved with both over a number of years, I have my theory as to why they are particularly vulnerable to security breaches and I believe the biggest culprit is IT decentralization done wrong. I am explicitly saying "done wrong" because I have written in the past and still believe that there is a correct way to have decentralized IT and the wrong way to have decentralized IT. I will explain the right and wrong way of IT decentralization and then explain how this leads to security breaches.
IT decentralization done correctly has the following qualities:
- It is planned.
- There is a clear distinction of roles, responsibilities and services between central IT and the organization's decentralized counterparts.
- Control and responsibilities are delegated to the decentralized units, not abdicated.
- Even though control and responsibilities are delegated, central IT performs a strong oversight role.
- The "buck" stops with central IT and central IT has the authority and management backing to enforce policy and procedures down through the organization.
- Funding of IT for the organization is controlled in some fashion by central IT, whether by sign off on purchases or projects or by direct control over funds.
- Decentralized units are neither rogues nor orphans.
- There is a strong governance process in place.
- IT security and auditing are not an afterthought of the organization.
- The organization takes IT seriously and the organization's CIO is a member of the senior management team.
Now one could look at the above and say that it smacks of too much central control, but I will argue that you can have autonomy and strong control at the same time and that done correctly the above model is a strong method for the delivery of IT services.
Now, let's look at characteristics of what I term IT decentralization done wrong - which I call Laissez-faire Decentralization.
- It is unplanned and IT has "grown up" in various areas of the organization - often through disparate funding sources.
- There is no clear distinction between central IT and the various decentralized units in regards to roles, responsibilities and services provided.
- If there are standards at all, they are mostly followed by central IT and the decentralized units either follow their own or have none at all.
- Central IT usually has little or no control over the decentralized units and if caught in a battle with a decentralized unit will often lose to the decentralized unit.
- The central IT unit has authority over itself only and its oversight capacity is advisory only - with no way to compel a decentralized unit to cooperate.
- Funding for decentralized units is independent of central IT and is often used as the main reason for the decentralization in the first place - as in - "it's my money, you aren't going to tell me how to spend it."
- There are IT haves and have-nots within the organization because of IT funding mechanisms.
- The IT governance process is weak or non-existent.
- Central IT is seen as a requirement for administration - running finance/payroll etc. - and is not viewed as a true business partner.
- Politics plays a strong role in the delivery of IT services.
Referring back to my original statement, much of the government and Higher Education IT that I have come across in my career looks and smells more like Laissez-faire Decentralization than it does "decentralization done right." IT in both of these industries tends to grow up on an as-needed basis and evolve into a highly decentralized IT organization. Why is this a problem and how does it lead to security breaches?
The laissez-faire model can work to deliver IT services. Sometimes well, sometimes not so well. While every one of us can point to a decentralized unit that did it better and faster and cheaper than central IT - there are more out there that barely get the job done. Often staffed by people that are wearing an IT hat in addition to their "real" job and view IT as a hobby, a right, or a requirement depending on why they are in the business in the first place - IT is not their profession. They want and need IT to get their jobs done and do what it takes to do so - but they have neither the time nor the resources to run IT like a business or a profession.
This model has worked for many years to provide IT services, but the world has changed. IT run by "amateurs" - and I am not saying that in a derogatory way - has delivered and continues to deliver necessary services, but it cannot keep up with the level of sophistication that the "bad guys" have evolved to, nor with the responsibilities and liabilities that come with IT in this day and age. Once upon a time an organization could do mediocre IT and only be a danger to itself - now it is a danger to others.
Combine this lack of quality and sophistication with a highly desirable product (the PII of hundreds of thousands of individuals) and you can see why higher education and government are ripe for data loss.
Ultimately it is the CEO of the organization who is responsible for how IT is performed in his/her organization. There are those that get it and put the authority and resources where they need to be to produce an IT organization - centralized or decentralized - that is both accountable and effective, and there are those that don't and are waiting for a disaster to force them to wake up and smell the coffee. It's too bad that the "disaster" often comes in the form of the exposure of the PII of lots of innocent and unsuspecting people who placed their trust in those organizations.