Something is preventing management from understanding the need to secure its electronic data.
Editor's note: This article introduces the white paper "When Management Turns Its Back on Security: The Business Effects" available free at the MC White Paper Center.
One of the great mysteries as we walk into an IBM i shop is the lock on the computer room door. Often, when we first start consulting engagements, we are given a tour of the facility, and inevitably it includes a tour of the "raised floor" computer room, outfitted with expensive air-handling equipment and protected by a door that requires specific authorization to enter. The mystery is that, while all this expensive hardware needs physical protection, the company's most valuable assets are wide open to people who don't need access to them.
That's right. We're talking about the data kept on the hardware. That data is a corporate asset, yet time and time again we are confronted by management that does not see a need to protect that data. What's more valuable to a company? Is it the hardware that can easily be replaced or the inventory records, customer lists, private information, credit card numbers, etc. that are stored on the hardware? Beyond the computer room, the need to guard the physical safety of an asset is obvious in almost every business we work with. Retail stores are locked during off hours, and alarms are set. Guards are posted at entry doors, bags are checked before entering corporate headquarters, and sensors are placed around inventory in warehouses to detect theft. So why, when it's a physical asset, is the need for security obvious, but when the asset is in electronic form, the same considerations aren't made?
We all remember the TJX (parent of T.J. Maxx and Marshalls) data breach. Undoubtedly, the hardware on which this data resided was dutifully protected behind locked doors. Looking back, do you think the cost of the hardware can even come close to the cost of the breach (which is known to be at least $250 million and quite possibly more)? Doubtful. Yet with all the physical safeguards to their hardware, the data was left unprotected and the rest is history. While many of us would like to be written up in the history books, it's unlikely that being the poster child for data breaches is what we want to be known for. Perhaps it's time to adjust our strategy.
Back to our "great mystery." Repeatedly, we are confronted by management that doesn't understand the need to correct the issue. Often, additional security controls need to be applied to the data residing on the IBM i, yet the organization's management refuses to allocate the resources to correct the issue. How can this happen when the need is so clear? The answer: The need is clear from a technical perspective, but it's not obvious from a business perspective. In other words, the importance of the decision to the business is not understood.
In this white paper, we hope to explain why the decision to secure—or not secure—data on the IBM i needs to be a business decision, not a technical decision.
Something is preventing management from understanding the need to secure the electronic data. So let's explore why we think this happens.
Want to know more? Download the free white paper "When Management Turns Its Back on Security: The Business Effects" from the MC White Paper Center.