Companies across all sectors have already begun to lay off staff. It may begin with the "dead wood," but inevitably some companies are going to have to lay off talented IT and information security professionals. Illegal activities that once seemed unpalatable to out-of-work technologists may seem better than starving: Just as liquor store break-ins and gas n' go crimes will increase, so will more sophisticated crimes, such as data theft and social engineering. While it may seem hard to imagine, criminal actions are often committed by former employees who rationalize the activity because they're upset about losing their jobs.
The challenge for identity and access management professionals will be securing data from former employees who know the system from the inside out.
Defense strategies: Proactive IAM processes
Locks keep honest people honest, or, in the case of identity and access management, account terminations keep honest people honest. Identity management and information security professionals will need to scrutinize their account-termination processes like never before: an account left active after its owner has been terminated, or an account nobody ever authorized, gives someone who knows the system from the inside a ready path to sensitive or valuable data, and the result could be catastrophic. Keep an up-to-date roster of every account owned by every individual in the company (including the service and shared accounts a person administers) so that, when anyone is terminated, all of that person's accounts can be disabled or deleted promptly, and orphaned accounts with no recorded owner are caught as well.
IAM and budget cuts: Using frameworks and documentation
Another challenge in 2009 will be funding. Budget promises made in 2008 are sure to be forgotten as companies adjust to the new economic reality. So how will enterprises properly secure data when the funding to do so seems insufficient? Innovation. Set up a framework that is effective even if it is manually intensive. One example is an Excel- or Outlook-based quarterly report sent to each system owner that lists the accounts with privileged access on that system, identifies their owners and business partners, establishes roles, and archives the owners' sign-off emails on a secure file share. This initiates an ongoing review process that can be refined later, perhaps with more sophisticated technology, when finances are better.
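The two manual controls above, the termination check from the previous section and the quarterly privileged-access report, share one input: an inventory of accounts with their owners. The following is an added example, written for this page and not code from the original article or from the author's bank, that reconciles a constructed HR roster against a constructed account inventory. It flags enabled accounts whose owner has been terminated, flags enabled accounts with no recorded owner, and then groups the enabled privileged accounts by system owner into the kind of review listing the article describes. The CSV column names, the sample people and the sample systems are all assumptions made for illustration.

```python
"""
Added example (not from the original article): reconcile an account inventory
against an HR roster to find accounts that must be disabled, then build the
quarterly privileged-access review for each system owner.

All input data below is constructed for illustration; the column names are
assumptions about what an HR export and an account inventory would carry.
"""
import csv
import io
from collections import defaultdict

# Constructed HR roster export: one row per person, status ACTIVE or TERMINATED.
HR_ROSTER_CSV = """employee_id,name,status,termination_date
E100,Alice Moore,ACTIVE,
E101,Bob Ng,TERMINATED,2009-01-05
E102,Carol Diaz,ACTIVE,
E103,Dan Ito,TERMINATED,2008-12-19
"""

# Constructed account inventory, one row per account on each system.
# owner_id links the account to the HR roster; blank means nobody claims it.
ACCOUNTS_CSV = """system,account,owner_id,privileged,enabled,system_owner
payroll,amoore,E100,no,yes,Carol Diaz
payroll,bng_admin,E101,yes,yes,Carol Diaz
coredb,sa_batch,,yes,yes,Alice Moore
coredb,bng,E101,no,no,Alice Moore
coredb,dito,E103,yes,yes,Alice Moore
vpn,cdiaz,E102,no,yes,Carol Diaz
vpn,svc_backup,,no,yes,Carol Diaz
"""


def load_rows(text):
    """Parse a CSV export into a list of dicts keyed by the header row."""
    return list(csv.DictReader(io.StringIO(text)))


def terminated_ids(roster):
    """Employee IDs the HR roster marks as terminated."""
    return {r["employee_id"] for r in roster if r["status"] == "TERMINATED"}


def find_accounts_to_disable(roster, accounts):
    """Enabled accounts whose owner has left, plus enabled accounts nobody owns.

    Returns (system, account, reason) tuples in inventory order. Accounts that
    are already disabled are skipped; they are not an exposure.
    """
    gone = terminated_ids(roster)
    findings = []
    for a in accounts:
        if a["enabled"] != "yes":
            continue
        if a["owner_id"] == "":
            findings.append((a["system"], a["account"], "no owner on record"))
        elif a["owner_id"] in gone:
            findings.append((a["system"], a["account"], "owner terminated"))
    return findings


def privileged_access_review(roster, accounts):
    """Group enabled privileged accounts by system owner for quarterly sign-off.

    Returns {system_owner: [(system, account, holder_name), ...]}. A privileged
    account with no owner shows its holder as UNASSIGNED so it cannot be
    attested silently.
    """
    name_by_id = {r["employee_id"]: r["name"] for r in roster}
    review = defaultdict(list)
    for a in accounts:
        if a["privileged"] == "yes" and a["enabled"] == "yes":
            holder = name_by_id.get(a["owner_id"], "UNASSIGNED")
            review[a["system_owner"]].append((a["system"], a["account"], holder))
    return dict(review)


def render_review(review):
    """Plain-text body for the quarterly report email to each system owner."""
    lines = []
    for owner in sorted(review):
        lines.append(f"System owner: {owner}")
        for system, account, holder in sorted(review[owner]):
            lines.append(f"  {system:<8} {account:<12} held by {holder}")
    return "\n".join(lines)


if __name__ == "__main__":
    roster = load_rows(HR_ROSTER_CSV)
    accounts = load_rows(ACCOUNTS_CSV)
    for system, account, reason in find_accounts_to_disable(roster, accounts):
        print(f"DISABLE {system}/{account}: {reason}")
    print(render_review(privileged_access_review(roster, accounts)))
```

With the constructed data, the termination check reports bng_admin and dito (owners terminated) and sa_batch and svc_backup (no owner on record); the review for Alice Moore then lists dito as still privileged and sa_batch as UNASSIGNED, which is exactly what a system owner needs to see before signing off. The same two functions run unchanged against real CSV exports, and the report text can be pasted into the Outlook mail the article suggests and the reply archived as the evidence of review.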
There are a few other important strategies for making sure the security program doesn't suffer because of financial cuts. If you have documented in detail what your people do day to day, now is the time that information may pay off: it lets you not only justify exactly why each person is important, but also demonstrate clearly what the fallout will be if the staff is reduced. Personnel reductions may still be mandated, but the data helps you make those hard decisions in an unbiased way and set management's expectations from the start about the consequences of a smaller team.
In such a troubled economy, external threats will increase as well. There will be plenty of talented developers out of work who may discover that their skills make them excellent bot programmers or hackers. While these threats are too numerous to detail here, it is still essential to stay on guard by making sure the controls that mitigate external risk are assessed as well.
It's clear that 2009 will be drastically different from 2008. Rely on what has been tried and true in the past, but be ready to innovate and improve quickly based on new threats and changing business needs.
About the author:
David Griffeth is the Vice President of Business Line Integration and Reporting at RBS Citizens Bank, a financial institution that is one of the 10 largest commercial banking companies in the United States ranked by assets and deposits. As part of his responsibilities, David manages the Enterprise Identity and Access Management group and is charged with supporting the bank's growth model while maintaining compliance with several regulatory bodies. Prior to his current position, David consulted on major information risk management projects with large companies such as Fidelity Investments and CIGNA. David earned a bachelor's degree in computer science from Framingham State College and holds several certifications including CISSP and CISA.
This was first published in January 2009