The biggest issue for any organisation – large or small – is its increasing operational complexity. It is not just about reacting to a situation, or training staff for quality outcomes, but doing it in such a way that it is replicable and consistent with the company’s goals and procedures.
In a complete reversal of the old adage "to err is human; to really foul things up requires a computer," it seems that operational complexity is now way beyond what mere mortals can manage and computers need to take this task on.
In December a number of security companies provided iTWire with their 2017 predictions. Two things were common to most and stood out as “solvable” issues. First, that the majority of data breaches were caused by human error – using simple passwords, misplacing passwords, installing malware and many more “stupid” things that could be “trained” out of people. Second, that in the case of an emergency you need to break the glass and access well thought out action and recovery plans – not run around like a chook with its head cut off.
With that in mind, iTWire spoke to Sydney-based Bruce Nixon, CEO of Holocentric, about how business process management, or as he calls it Business Management Systems (BMS), can record procedures and reduce the human “stuff-up” element, especially in data security. Nixon is not a security expert – he is a business process and procedures expert.
Nixon knew the human factor issues all too well: “Companies invest a fortune in writing procedures (stored in Word or Excel) and drawing flow charts (in Visio) that sit on electronic or physical shelves never to be referenced again. The bigger you get, the bigger the problem. I have seen staff freeze by not knowing what to do when there is a problem, let alone a massive data breach and how to get over one.”
Q. Why has data security become a critical issue for business leaders?
A. The move to cloud computing has created concerns about the protection of data, in terms of data reliability and availability as well as the protection of the content within the data. Whether hosted in the cloud or in-house behind a firewall, data security has become a major issue.
This concern is also being driven by headlines of data breaches involving high profile companies like Dropbox, Yahoo and more locally, the Australian Red Cross. The risks associated with data security affect a range of areas including revenue, operations, reputation and compliance.
According to the 2016 Ponemon Institute Cost of Data Breach study, the average cost of a data breach to a company is $2.64 million, with the biggest consequence of data breach being lost business. The 2016 Ponemon Institute Data Protection Benchmark Study showed that organisations around the world deal with an average of 20 data loss incidents every day.
In addition, the Australian Government is developing legislation to create a mandatory data breach notification scheme. Under this scheme, businesses would be required to report a “serious data breach” to the Australian Information Commissioner and notify individuals whose data is affected by the breach.
Q. Why are organisations finding it difficult to manage data security risk?
A. The majority of data breaches are attributed to ‘human error’ or even mistakes made by outsourced IT providers. However, quite often it is a failure to follow defined processes that leads to breaches. This happens because front line workers are left to follow outdated and unreliable information on the procedures they should be following to ensure adequate data security.
Most organisations go to inordinate lengths to minimise data security risks, but because of so much operational complexity, much of this effort is wasted.
Most organisations manage data security risk like this:
- Data security risk experts define policies and controls to adhere to, for instance, the use of encryption.
- Operations personnel determine the appropriate procedures and operating instructions so these policies are met.
- The training and development team defines the training to teach employees the correct procedures.
With each department operating in a silo and maintaining an independent set of documents, it becomes extremely difficult to ensure there is alignment among all these aspects. Documents are very ineffective when it comes to managing information, even if they are great at presenting it. One reason for this is documents result in the duplication of information. For example:
- A document outlining the policy on the use of encryption is created.
- Another document is created to explain the procedures employees need to follow to meet this policy.
- Yet another document is created to be used when training employees about the procedure on encryption.
These documents quickly become out of date, and as changes occur, documents are altered, redundant information is not synchronised, the documents become unreliable, and the risk increases.
Why does this happen? Because it’s easier that way. People can operate happily in their silos, organised to support their capability, despite risk, operations, training or systems. They can write documents for a specific purpose and not have to consider other needs throughout the organisation. This all sounds good as a document can be written for a specific audience. It may be accurate when written (though this cannot be guaranteed), however, it will not be accurate for long.
The result of this is that crucial issues, like data security, are dealt with using outdated, ineffective techniques. Not to mention the confusion to front line workers caused by a lack of a clear understanding of their roles and responsibilities in regard to the access, modification, management and storage of data.
Q. What can be done to improve data security risk from an operations perspective?
A. Reduce complexity. Stop relying on documents as a means to manage such important information. They do not work. They cannot be managed and they just increase risk.
Businesses have become more complex and this demands a more sophisticated solution. Choose a tool appropriate for the task at hand. Have one source of information [truth] that clearly shows how regulations are implemented via policies, how these policies are implemented via processes, where controls are embedded and who is responsible for performing these processes.
How data is treated across the entire organisation must be aligned and streamlined to help build resilience against data breaches and cyber threats. We don’t transport goods with a horse and cart so why do we use outdated techniques for managing information?
It comes down to how an organisation can achieve simplification and transparency to deal with operational complexity. A lack of clarity of how data management policies are linked through the value chain to employee actions, not only poses significant risk factors but the extent of that risk will be difficult to assess.
At the macro level of the organisation, complete transparency is required across the operational environment encompassing people, processes, systems and controls, as well as a robust framework which links this environment with data security policies, controls and regulations.
None of this can be achieved through documents alone as it’s impossible to keep them up to date and synchronised across the organisation.
Q. How can this transparency be achieved?
A. As discussed, stop trying to manage data security using documents. Since data security risk is an issue that affects the entire organisation, it should be managed in a holistic and integrated manner.
Transparency across the operational environment can be achieved using tools like business management systems. They can help to create a single source of truth while also showing the relationships between processes, procedures, policies, regulation and risk.
Document management systems can help but they can’t operate as a single source of truth and are merely a repository for multiple sources of contradictory and outdated information.
Communication is also vital to educate employees on the correct processes in relation to data management, data security and ensuring compliant and safe practices. A business management system can also help to manage documents throughout the organisation so employees can easily look up which procedures and policies relate to their role, and documents can be updated centrally.
Data security is not a simple, straightforward or static issue. It has many moving parts and requires a comprehensive strategic approach to its management across the entire organisation. If there is no link between operational risk and operations in regard to data management, then an organisation will find this an almost impossible area to manage effectively.