Security is all about trust. Many organisations talk about trust in various ways, especially where systems and processes intersect. Trust in people, in processes and in the accuracy of data are all terms which we deal with on a daily basis. SAP even use STRUST as their transaction to create secure connections between systems. Security is all about trust.
So, knowing that trust is defined as “having confidence in the veracity, integrity or other virtues of someone or something”, how would you rate the trust you have in the following:
- The accuracy of your data?
- Integrity of the systems which store your data?
- Security of communication between systems?
- The integrity of the people in your organisation?
- The organisations which work to support you?
- The processes which are in place?
If any of the above gave you pause for thought, you are probably not alone! I have seen examples of all of these being called into question at some point and, like all of us, have worked to improve the trust in the people, companies, systems and processes involved.
Once trust or confidence has begun to be eroded, it can be extremely difficult to re-establish, if it can be regained at all. It is possible to handle a lack of trust, establishing proper governance and control processes, supported by tools can help us to continue to operate in environments where trust is an issue.
Trusting the people
We trust the employees in our company with the data they require to perform their job function. We do, however, still establish mechanisms to protect both the organisation and the employees themselves from the ability to realise risk. It is important that this protection is understood to work both ways – the company can have faith that “John Doe” cannot commit fraud and “John” is confident that he will be blameless in the event that fraud were to happen. Establishing the employees’ responsibilities in managing risk are key to achieving our governance and compliance goals.
Maintaining control of segregation of duties risks, whether through role design, or supplemented with GRC access controls, is one mechanism by which we can establish trust between the employer and the employee. This is even more relevant for managed service organisations, where they are being trusted as the custodians and protectors of their clients’ business-critical information and systems.
Trusting the systems
Ensuring the integrity of the systems and data your business relies upon is key. Anything which undermines confidence in those systems needs to be addressed and there are a number of procedures which can improve the reliability of, and confidence in, those systems.
Ensuring correct change controls are in place for enhancements should ensure that nothing untoward is introduced into the live systems, however this needs to be backed up by robust testing from the correct stakeholders, with particular emphasis on integration testing, as nothing will erode trust in new systems faster than negative UAT or live issues.
We often see cases where functionality tested (and working) in isolation in pre-production systems does not “play well” with live data, or other functionality. Making sure that issues with integration are addressed before go-live will increase business confidence in the IT systems and the organisation which supports them.
The bottom line is: Ensure you have the processes in place to protect the people and systems your business needs, supported by the appropriate tools and you will improve the trust, truth and confidence in those people, systems and your own organisation.
Please feel free to comment on your own trust issues, or examples of what’s worked well using the section below.