When managing IT security risks, there is really no such thing as a sure thing. As in the case of burglary or theft, if someone wants it badly enough and has the means of getting in, there’s not a lot one can do to stop the intrusion. An article for CIO.com by Brad Egeland showcases some startling examples of how unpredictable risk can be.
Disaster Security Demos
Egeland was in charge of a $30 million program that handled sensitive financial data for millions of people across the world. His job was to convince his government client that, in the case of a colossal security breach, his company could resume normal operations in a matter of hours:
Yet, I knew how to bring it all down in the blink of an eye if I was so inclined. I wasn’t…but I could have. The disaster recovery proof we gave them – it was real and we were successful – did not mean we could pull it off no matter what. And we never proved what could be done in case of a major data security breach or hack…I wonder from time to time…how they convince the government that the data is, indeed, safe. It isn’t completely safe. It can’t be.
Egeland relates how, at annual Black Hat conferences, he has witnessed professionals demo how to hack into ATMs, and how apparently even the pacemakers and insulin devices in living individuals can be hacked.
Plan, Pray, Live to See Another Day
What is a project manager to do then? There’s always planning. Planning works to hedge against risk, with the caveat that budgetary restrictions often limit the extent to which planning may be executed.
Sometimes security risks come from the inside. Egeland pulls another incredible story from his hat, one that involves a fraudulent CEO who fabricated clients and machinery to gain bank loans for an otherwise credible company. The point he tries to make is that the upper thresholds of risk are simply beyond our ability to plan for. One can never expect such fantastic problems when running a project. The best one can do is to wear a brave face and climb stoically out of the rubble.
Read the original article at: http://www.cio.com/article/2925775/risk-management/security-is-a-myth-your-project-is-never-safe.html