IT organizations have a lot on their plates, and keeping the data center humming is only part of the equation. Factor in the threats coming at IT from every direction, and you can see why IT pros have ample reason to be paranoid. The invasion of consumer devices into the workplace, the rush toward cloud computing, the constant vigilance to prevent data spills, all while managing a meager budget in an era when your career can be cut short at any time can cause even the most level-headed IT pro to start looking over his shoulder.
“I met with the CIO at a Fortune 30 company recently and asked him, ‘What keeps you up at night?’” says Jon Heirmel, director of strategic security for Solutionary, an enterprise security and compliance consultancy. “He answered, ‘The things that keep me up at night are the things I don’t know.’ And that’s the answer: the unknown. If you don’t know what to worry about, that’s what you should be worrying about.”
Here are the top five things that should be keeping you awake at night, if they don’t already.
IT paranoia No. 5: Your data center will go down
It’s the pulsing heart of your IT organization. If your data center goes down, it can take the entire enterprise with it. For many IT pros, keeping the data center running 24/7 is enough to keep them awake 24/7.
What could go wrong? How about what couldn’t go wrong? From natural disasters to massive power outages, loss of connectivity, server meltdowns, cyber espionage, insider sabotage, burglaries, and more, the threats are as varied as the types of organizations that have to deal with them.
Simon Taylor knows this firsthand. In his career, he’s lost two data centers because of nearby terrorist attacks: one to an IRA bombing in the mid-1990s, and the other on 9/11. He’s now chairman of Next Generation Data, a U.K.-based wholesale data center operator that provides facilities for major wireless carriers, banks, government agencies, and other top-tier clients.
When Next Generation Data built its new state-of-the-art facility near Cardiff, Wales, it constructed what Taylor describes as “the Fort Knox of data centers” — a fortress-like structure deliberately located far from urban centers, flood plains, highways, and the flight path. The perimeter is ringed with prison-grade barbed-wire fence and infrared sensors. The 75,000-square-meter building also features ram-proof concrete barriers and bullet- and bomb-proof glass; employee access is controlled via retina scans; and security is provided by former British special forces personnel.
“These people are vetted at the highest level, to make sure no one’s got a dim and distant past that might prove worrisome — which can prove quite difficult with ex-servicemen, many of whom have blood on their hands,” Taylor says. “We do all this to attract customers who require the ultimate in security.”
Power outages? Not likely. The facility sits on top of a substation with the ability to draw up to 180 million volt amperes directly from the grid — enough to power a small city, says Taylor. As an added benefit, South Wales is naturally temperate, which keeps cooling costs low, and it is unlikely to suffer earthquakes, hurricanes, brush fires, or other natural disasters.
And if the unthinkable happens, NGD will be ready. It’s building a second secure site to offer data replication and disaster recovery to existing clients.
Yet simply keeping the data center running (and armed to the teeth) isn’t enough. IT managers are also under constant pressure to reduce data center costs, says Gary Marks, VP for Raritan, a provider of power management and remote access solutions.
“I think data center managers still worry in the back of their minds about somebody accidentally smacking that button by the door that shuts everything down,” says Marks. “But with primary power redundancy and checks and balances in place for generators, I think the assurance you’re going to have some form of reliable power has gone up exponentially. Today the worries go beyond the delivery of power and more to the cost and efficiency of the power you have delivered.”
IT paranoia No. 4: Gadget fever will infect your network
Remember that well-defined perimeter you established around your network to keep good data in and the bad guys out? It’s melted like cotton candy in the mouth of a five-year-old. You can thank the Apple iPhone and its mobile cousins for breaching the great corporate barrier against personal smartphone use in the workplace environment.
“Mobile devices are coming at us faster than any technology since the rock,” says Winn Schwartau, chairman of the board for Mobile Application Development Partners and founder of InfoWarCon. “It’s scaring the bejesus out of IT organizations that do not know how many rogue devices they have connected to their network or how badly they are out of compliance. They’re scared out of their minds about this.”
What can go wrong? Devices containing sensitive data can be lost, stolen, or compromised by malware. As with infected PCs or laptops, the entire network can be at risk.
“The app store is the best hostile code delivery system ever invented,” says Schwartau.
Your options aren’t pretty. Banning consumer devices in the workplace? Good luck with that, says Scott Archibald, a managing director for Bender Consulting.
“Like it or not, mobile is a reality — in both our personal and professional lives,” says Archibald. “Many companies are still trying to implement policies and regulations that keep personal devices off the enterprise network. That’s a dead end. Gen Y doesn’t make a distinction between using a smartphone for personal reasons or professional reasons. The sooner policies are created and frameworks are implemented to positively integrate mobile technologies into the enterprise, the better.”
Issue secure devices to every employee? It’s a costly option that probably still won’t keep them from using their own devices if they can. Or you can expand the security of your enterprise by adding BlackBerry BES-like controls around these consumer devices that allow them to safely handle sensitive data via tools like encryption, secure tunnels for connecting to the Internet and the enterprise, content filtering, managed firewalls, and remote-wipe capability, says Schwartau.
“Absolutely no data should ever sit unprotected on a mobile device,” says Dan Zeck, CTO for Antenna Software, a mobile enterprise solutions vendor. “A minimum of two-factor authentication with a timeout to reset the log-in should be required for any mobile-based application. This would help mitigate the issue of stealing data sitting on any device.”
Even then you run the risk of data pollution, where employees inadvertently share sensitive corporate information over a public network.
“The introduction of multifunctional advanced devices is yet another example of why the perimeter extends no further than each individual device,” notes Steve Santorelli, director of global outreach for Team Cymru (pronounced “kum-ree”), a nonprofit Net security research team. “What keeps me up at night is all the stuff that goes on unnoticed day in and day out right under our noses.” The insider is you, and you may not even know it.
IT paranoia No. 3: The cloud will obscure the mountains behind it
The cloud is on the horizon, yet most enterprises are unprepared for it.
On one hand, cloud computing can dramatically reduce capital expenditures and allow IT to outsource bread-and-butter internal ops so that internal expertise can be applied to innovative and differentiating projects, says Kurt Underwood, managing director of the global IT solutions practice for risk and business consultants Protiviti.
“The cloud gives you another lever to throw,” he says. “It allows you to shift more of your attention and IT talent from mundane IT tasks into strategic technology initiatives that enable business innovation, while driving costs out and adding value to the company.”
At the same time, the cloud poses unique security risks, adds Scott Gracyalny, managing director for Protiviti’s risk technology services. Even if your cloud vendor scores high for security and regulatory compliance, there are multiple places where control breakdowns can occur, such as data location and segregation, recovery, or support for investigations.
“Companies should ask tough questions and have a risk assessment performed by an independent party,” says Gracyalny. “There are still a lot of breakpoints in how and where you interface with all of that. You’ve opened yourself up to a whole new set of vulnerabilities.”
Operating in the cloud changes everything, from software asset management to user authentication, says Rob Juncker, vice president of technology operations for Shavlik Technologies, a provider of cloud-based IT services. And it all relies on a single point of vulnerability: the Web browser.
“Capable of running whatever code it downloads, our browsers now become a new application delivery platform which IT admins have to pay due attention to,” he notes. “With an explosion of security patches for IE, Firefox, Adobe, and other Internet-based delivery mechanisms, are you really secure?”
As with the invasion of mobile consumer devices into the enterprise, however, IT pros aren’t likely to have much of a choice, says Scott Archibald.
“A good cloud computing implementation can make you a hero,” says Bender’s Archibald. “A bad cloud computing implementation or strategy can go horribly wrong and cost a company hundreds of millions of dollars. The reality is this: Cloud computing is here to stay — and the sooner the IT pro gets his/her arms around this concept and develops a strategy that is good for the company, the better. Because the question about cloud computing is going to come from upper management at some point.”
IT paranoia No. 2: Data will leak from your network unseen
Everyone in IT knows sensitive information on company hard drives and network storage devices must be secured. But where the real IT paranoia lies is with all the other places data might be lurking.
According to an August 2007 survey by the Ponemon Institute, 70 percent of data leaks come from equipment that isn’t connected to the network, and not just surplus PCs, but flash drives, mobile devices, backup tapes — even the hard drives found inside old copiers and printers.
For example, in April, CBS News reported on a warehouse in New Jersey that contained more than 6,000 used copy machines, many of which housed hard drives that contained medical records data, Social Security numbers, pay stubs, and other sensitive information.
It’s the hidden security breach a lot of people don’t even think about, says Bob Houghton, CEO of Redemtech, an IT asset recovery and disposition firm that performs lifecycle management on devices for Fortune 500 firms.
Even organizations that think they’ve done a good job removing sensitive data from aging equipment often don’t check their own work, he says. One out of four machines Redemtech receives still contains some amount of residual data.
“Most IT folks are not focused on this stuff,” says Houghton. “They just go down a list and tick things off without scrutinizing the results. People tell you they’re doing everything the right way, but the actual outcomes are never audited and reviewed for effectiveness. If you’re at a senior level in an IT organization, this should keep you awake at night.”
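The audit Houghton describes, checking outcomes rather than ticking the box, can be automated against an image of a drive that was reported as wiped. The following is an added example, not code from the article or from Redemtech; the 512-byte block size and the record signatures (an SSN pattern, a PDF header, a zip container header) are hypothetical choices, and the sample images are constructed inline.

```python
import re
from typing import Dict

BLOCK_SIZE = 512

# Hypothetical signatures a residual-data audit might look for; the SSN
# pattern and document headers are illustrative, not an exhaustive list.
SIGNATURES = {
    "ssn": re.compile(rb"\b\d{3}-\d{2}-\d{4}\b"),
    "pdf_header": re.compile(rb"%PDF-"),
    "zip_container": re.compile(rb"PK\x03\x04"),  # OOXML, zip archives
}


def audit_image(image: bytes, block_size: int = BLOCK_SIZE) -> Dict[str, int]:
    """Audit an image of a drive that was reported as wiped.

    A block is 'dirty' if any byte in it is non-zero.  Signature matching
    runs over the whole image so a record straddling two blocks is still
    found.  Returns counts, not a pass/fail, so the evidence can be kept.
    """
    report = {name: 0 for name in SIGNATURES}
    report["blocks_total"] = (len(image) + block_size - 1) // block_size
    report["blocks_dirty"] = 0
    for off in range(0, len(image), block_size):
        block = image[off:off + block_size]
        if block.count(0) != len(block):
            report["blocks_dirty"] += 1
    for name, pattern in SIGNATURES.items():
        report[name] = len(pattern.findall(image))
    return report


def passes_wipe_check(report: Dict[str, int]) -> bool:
    """A sanitized device must have zero dirty blocks, not 'mostly clean'."""
    return report["blocks_dirty"] == 0


# Constructed sample data: an 8-block image that was 'wiped' except for one
# block in which a fragment of a pay stub survived.
CLEAN_IMAGE = bytes(8 * BLOCK_SIZE)
_fragment = b"Employee: J. Doe  SSN 123-45-6789  %PDF-1.4\n"
_leaky = bytearray(CLEAN_IMAGE)
_leaky[3 * BLOCK_SIZE:3 * BLOCK_SIZE + len(_fragment)] = _fragment
LEAKY_IMAGE = bytes(_leaky)

if __name__ == "__main__":
    for label, img in (("clean", CLEAN_IMAGE), ("leaky", LEAKY_IMAGE)):
        rep = audit_image(img)
        print(label, "PASS" if passes_wipe_check(rep) else "FAIL", rep)
```

On a real device the same functions would be fed the image in streamed chunks rather than one bytes object, and the report would be stored alongside the disposition record so that the result, not the checklist, is what gets reviewed.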
It’s not just surplus equipment that IT should worry about, says Michael Howard, a security strategist for HP’s imaging and printing division. Most multifunction machines come with embedded Web server software for administrative access. If left unsecured, a knowledgeable attacker can log onto the server via the device’s control panel and gain administrative rights to the network. Without an admin password, these machines leave an open path to the heart of the organization.
“Lots of security breaches happen because people think, ‘Oh, it’s just a printer’,” says Howard. “In reality, it’s not just a printer; it’s a computer sitting on your network.”
IT paranoia No. 1: Management will never understand your value
You’re working 40, 50, 60 hours a week keeping the bits flowing and handling last-minute and often ridiculous requests, and what do you have to show for it? Best case: You’re invisible. Worst case? You’ve got a big red bull’s-eye on your back.
Welcome to a wonderful career in IT in the new millennium.
“A lot of the paranoia I see in IT shops revolves around the questions, ‘Will I have a job down the road? What will IT funding look like?’” says Bender’s Archibald. “Every organization is living year to year, and some are living quarter to quarter. People aren’t getting reassurances from upper management that IT is important. That causes a lot of angst.”
IT professionals face three big problems, says management consultant Patty Azzarello, CEO of Azzarello Group. One is that the suits usually have no clue what the IT folks actually do, and they like it that way. The second is IT is usually a big, fat juicy line item in the budget that management always wants to cut (in part because they have no idea what IT does). And the third is that management is often afflicted with what Azzarello calls “business amnesia.”
“When the IT org does something wonderful, like roll out an ERP or CRM system that brings in more customers and higher profits, those efficiencies get absorbed into the business,” she says. “For one quarter, management cheers, then they forget about it. But they also forget that IT has to continue to pay for that system. So IT becomes a black hole that spends a lot of money on things nobody understands.”
But IT pros also deserve some of the blame. If all you’re doing at work is keeping the lights on, you’re not doing enough to make yourself recession-proof, says Dave MacKeen, CEO of IT recruiting firm Eliassen Group.
“CIOs look for A-level players who can solve problems,” he says. “Even if they don’t know the answer, they leverage internal and external resources, think systematically, and consider edge conditions. B- and C-level players just show up and get the job done.”
In a tough economy those jobs are the first to get outsourced, he says.
It also helps if you can speak in a way that business leaders respect and understand, says Azzarello.
“You have to listen to the exact words business stakeholders use to describe what’s important to them, and then use those words yourself,” she advises. “It doesn’t help if you’re talking about ‘SAP financials’ when the business people call it the ‘order entry process.’”
If you’re really listening, she adds, you will see that the businesspeople are talking about two distinct services — plain-vanilla order entry and high-priority order entry for the last 48 hours of each month — and you will know to create different IT services for each.
“If IT people want to improve their visibility and their credibility, they need to take it upon themselves to step up and connect with the business side through relationships and communication,” says Azzarello. “It’s never going to happen any other way.”