Blogger: Ramon Krikken
We keep hearing and writing about the ailing economy, lay-offs, and other bad news concerning vendors (and partners) we do business with, so we’re generally not all too surprised or worried. The news in late December that banking regulators allowed IndyMac bank to skirt regulations wasn’t necessarily surprising, but somewhat worrisome in terms of being able to accurately assess a company’s health. However, this week’s news about Satyam Computer Services cooking their books and overstating their cash balance by $1 billion marks a new high in “things you didn’t quite see coming.” For some it hits particularly close to home because it’s an IT consultancy.
When we talk about risk aggregation – when dependencies cause compounded risk – we often think of hierarchies where we depend on vendor A, vendor A on vendor B, and so on. It’s a great way to simplify the risk calculations, but it ignores the fact that there actually is a complex, intertwined vendor ecosystem. We often assume that our simplified calculations are good enough and the best we can do, but as we hand off ever more critical business operations to others we keep losing visibility, and thus lose accuracy in our assessment. Because we can’t check everything, we rely on third parties – audit firms and the like – to help fill in the details, but in the case of Satyam (audited by PricewaterhouseCoopers) this seems to have been ineffective.
To compensate further, we rely on yet another set of third parties to create regulations, audit compliance with those regulations, and let us know when something is amiss. Different vendors, different industries, different geographies, different regulations, different uncertainties and risk – something that’s apparent from Satyam’s ability to cook the books unnoticed, which for many large IT consultancies would be difficult due to Sarbanes-Oxley. It’s almost like trying to make sense of structured investment vehicles (SIVs), collateralized debt obligations (CDOs), derivatives, and socio-political influences in “the global economy” … and see how well that worked out, despite regulation and purportedly careful analysis by financial analysts.
The short of it is that – like the economy and life itself – we can’t map all dependencies, identify all weaknesses and threats, and take a purely proactive stance. Even when all indicators are green (and assuming you have some faith in these metrics to begin with) it is wise to accept that uncertainty exists and have that good old “plan B” as a backup, “plan C” in case plan B doesn’t work, and maybe even something all the way through “plan Z.”
Don’t get me wrong, there is nothing wrong with being proactive, but the security world – in its infinite wisdom – often shifts focus from one extreme (old-school reactive security) to another (new-world preventive security). On top of that, the current metrics we use for measuring “security” are not necessarily conducive to even moderately good (i.e. acceptable) predictions, but I’ll hold that thought for another blog post. The result is that we think we know what the ecosystem looks like, but don’t know how accurate we are, and so risk of instability ensues.
It’s precisely the unpredictability of it all – and it doesn’t take a financial or IT analyst to see that things have become more unpredictable – that necessitates some good reactive planning to deal with risks of instability. In the case of vendors, this means ensuring that business continuity and disaster recovery (BC/DR) plans are reviewed, adjusted, and tested more often in times like these. There is of course some preparation required to achieve this: business impact analyses (BIAs), and careful design and testing of the BC/DR processes – including how to replace one vendor’s services with another’s – to name a few activities.
It is always a good idea to keep these plans up to date anyway, but when vendors are announcing cost-cuts left and right you know you need to be prepared. We should expect more events like Satyam and the Madoff investment scandal – less noticeable during an economic boom, a downturn is where many of these fraudulent schemes will have to come to light.
One of our 2009 themes is taking a fresh look at security programs, how security is organized within the business, and how we assess their efficacy. In light of economics, consumerization, and the cloud, to name a few, vendor management and BC/DR are sure to be as high on the priority list as ever.