Why IT Security Projects Fail

Sean Glynn

No one sets out to fail unless they are clinically depressed or have watched too many episodes of The Fall and Rise of Reginald Perrin, particularly the remake. So why do so many information technology (IT) security projects fail completely? And why do so many mobile data protection (MDP) projects, "designed" to seal the gaps in an organization's defences, fail to deliver, leaving egg all over the faces of the IT department and a management team facing the commercial and legal consequences of non-compliance and catastrophic data breaches?

There is no easy answer to these questions, but even a cursory glance at some high-level failures confirms the truth of that old adage: 'Failure to plan is to plan to fail.' The UK government's nearly $32 billion National Health Service (NHS) National Programme for Information Technology (NPfIT) was the classic example of a top-down master plan dictated from on high that presumed that clinicians would accept what they were given by their IT superiors. The result was a Mexican stand-off with the British Medical Association (BMA), backed by clinicians who merely wanted input into the basic design of the system they would be using. NPfIT failed and the taxpayer is now picking up the pieces.

Security of an organization's data is vital. It is therefore puzzling that so many organizations fail to successfully encrypt their data. There is barely a week that goes by without a story in the media about unencrypted lost USB sticks, laptops, personal digital assistants and corporate smartphones (to name only a few and now we can add iPads to the list). According to Gartner:

Each year, hundreds of thousands of laptops, phones and removable media devices are estimated by various sources to go missing through loss or theft, to have their data copied without consent, and to be upgraded or exchanged without having their data removed.

Gartner also reports that sales of unprotected PC systems continue to outrun the provisioning of MDP.

MDP is approximately a $1 billion market and growing 20 percent annually, according to Gartner. MDP products secure data on movable storage systems in notebooks, laptops, smartphones and various removable media. They may also be used on desktops and servers. A $70 USB drive can hold the names of every person on the planet; a $1,200 laptop could contain nearly 200 million worth of critical information. This is why encryption is the one security technology that you absolutely cannot afford to have fail.

The end user has to examine why current encryption strategies have failed to protect data, and what steps they will have to take to adopt best practices to effectively shield themselves from the consequences of a significant, and often costly, data breach. According to the Ponemon Institute, the loss of a single record can cost a company upwards of $225 to remediate. One of the largest mobile data breaches to date exposed 26 million records from one lost laptop; the potential costs of non-compliance are staggering. Since 2005 over half a billion people have potentially had their identities exposed due to a data breach, according to Privacy Rights Clearinghouse.

As a result, organizations are required to protect data by encryption and to also provide evidence that the protection is working. Buyers who want common protection policies across multiple platforms, minimal support demands and proof that data is protected must do their research and only turn to the trusted experts. What can organizations do to avoid these costly mistakes?

Encrypting sensitive data is now one of the most important safeguards to protect organizations against security breaches, particularly those that arise from loss of hardware. Encryption provides a simple yet effective way of ensuring that lost information is unusable by malicious third parties and reduces both the risk of an actual breach occurring and the cost of remediation if one does.

As the nature, complexity and seriousness of threats grow, and as concerns over loss of sensitive data through removable media and by insiders or disgruntled business partners grow, the regulatory pressure to protect sensitive information, especially in health care, finance and retail, has also become acute.

However, despite the avowed interest in encryption of many organizations and the large number of them that have attempted to deploy encryption technology, the size and frequency of data loss and theft continues to grow. Why, if encryption technologies for the PC have been around for almost 30 years, is this the case? The answers may lie with some commonly held assumptions.

Common Mistakes to Avoid

The IT security industry has grown up over the years with some assumptions about the deployment of encryption solutions, which are now outdated (if they were ever true in the first place). Many encryption deployments are often based around the assumption that a single solution can meet the needs of all types of users, resulting in failure to provide 100 percent coverage. The problem is that while there may be some degree of conformity within the IT infrastructure (although this is increasingly no longer the case), there is not nearly as much uniformity across types of users and data.

Attempting to force the adoption of any one single encryption technology across an enterprise environment is very unlikely to work. The factors contributing to this include:

  • Hardware inconsistencies that are incompatible with device-centric encryption
  • A constantly changing operating system environment (multiple versions of Windows OS, Mac OS, external media, Symbian, iPhone, Palm OS, Linux, Android etc.)
  • The impact on end users of deploying encryption solutions
  • Difficulties in managing the encryption technology
  • The impact on current IT management processes
  • Challenges in integration with the broader IT infrastructure
  • The cost of end user training
  • The unique problems of a rapidly burgeoning mobile workforce
  • Addressing emerging risks such as those posed by removable media, smartphones and mobile devices

The difficulties in using a single encryption technology to meet all these challenges, and the increased pressure to provide more robust security for sensitive data wherever it resides, are now causing many large organizations to rethink their approach to encryption and adopt a far more flexible, risk-oriented strategy.

The key question is how do you select an approach that will meet the needs of your whole organization and its culture? The key to success in your IT security project is to accept, no matter what anyone else tells you, that there is no single solution that is likely to be the "best fit," as demonstrated by unsuccessful enterprise encryption rollouts over the past 20-plus years. What is needed is an approach that enables the right encryption solution to be deployed to meet the needs of different parts of your organization, but to be managed centrally, simply and with the lowest total cost of ownership.

Full disk encryption will be necessary for some users, policy-based encryption for others, while self-encrypting drives will be better suited to a different group of users. If you implement full disk encryption across the entire enterprise you risk neutralizing your solution for some users and breaking the encryption for others. Even if this is what the market generally is telling you at the moment, take this advice with a large grain of salt. A trusted supplier will recommend the correct blend for your organization, not the same approach for all users. That approach may be the flavor of the month, but it will rarely work.

The security project leader or chief technology officer (CTO) will have to come to terms with all of the new approaches to encryption and understand the implications of policy-based encryption, self-encrypting drives, Microsoft BitLocker and other yet-to-be-released offerings for their organizations before they can roll them out.

When choosing a supplier it is wise to avoid those who have dozens, even hundreds, of different products and are, as they say: 'Ten miles wide and ten inches deep' on any one product. The CTO will have to do his or her due diligence and ensure that the provider has real expertise in desktop and mobile data protection.

Companies can help by planning each project with the customer's specific operational requirements in mind and not cutting corners to provide a "one-size-fits-all" solution. That is the road to ruin. Any unlucky CTO who does cut corners will be joining Reginald Perrin for his final dip in the ocean of failure.
