Written by Kevin McDonald, Alvaka Networks. Originally published April 2016 on TechTarget. Kevin discusses the crucial role of IT Process Documentation.
It seems that not a day passes without news of another high-profile hack, embezzlement of monies and data, or even the sabotage of a corporation or government entity. These events are shining a light on weak efforts to avoid cybersecurity breaches, and how company owners and executives are sometimes targeted for shareholder revenge. As Zurich Insurance Group reported in 2014, “Shareholders within several companies recently victimized by cybersecurity breaches have launched lawsuits against the enterprises’ boards, claiming that executive management breached its fiduciary duty by failing to ensure that the companies implemented adequate security measures.”
As an executive, meeting your fiduciary responsibilities with regard to technology decisions and preventing cybersecurity breaches can be extremely difficult. In fact, without the honest and committed assistance from the IT team — in particular, the documentation of IT processes — it is actually impossible. Without IT process documentation, the business risks being held hostage by IT.
I have worked with executives from small businesses to large enterprises, governments, and high-net-worth individuals, some of whom were being held hostage by IT and didn’t recognize what was happening. I have led cases with individuals and companies that suffered millions of dollars in losses to insider theft and embezzlement by highly trusted and long-term employees. I have worked with executives who were assured everything was great and their companies were secure, while in reality they were not only less than secure, but also lacking the fundamental best practices.
While these cases may seem extreme on the surface, they are startlingly common. Each starts with the withholding of information, typically over an extended period of time, as more and more control is handed to IT and less and less transparency is demanded. IT might fail to deliver requested information in a timely manner or it might not deliver it at all. IT might intentionally or unintentionally use overly technical language that you can’t understand. Or, the IT leaders might be simply incompetent or lazy.
Are you being held hostage? There are ten warning signs that will help you determine if you are.
Read the full article at TechTarget Search Security…
Kevin McDonald, COO & CISO – Alvaka Networks
Kevin B. McDonald is the chief operating officer and chief information security officer at Alvaka Networks. Kevin is a trusted technology and security practitioner and public policy advisor to some of America’s most influential people and organizations. He advises corporate executives, federal and state legislators, law enforcement, high net worth individuals and other business leaders. He is a sought after consultant, writer, presenter and trainer on the issues surrounding personal, physical and cyber security, compliance and advanced technology. Kevin has written for and been interviewed by dozens of national publications and on major television, radio and digital outlets.
Chairman, Orange County Sheriff/Coroner’s Technology Advisory Council (T.A.C)
Member, OC Shield
Member, FBI InfraGard
Member, O.C. Home land Security Advisory Council (OCHSAC)
Member, US Secret Service’s LA Electronic Crimes Task Force (LAECTF)
Smoke testing is a term used to describe the testing process for servers after patches are applied. 
Estimating an average time for patching servers and PCs can be a bit tricky. It can vary from one month to the next, depending upon the number and complexity of the patches released by your software vendors. You must consider all versions of operating systems and have a complete inventory of all your application software to do this job correctly. Our experience has shown that manual patching of systems takes on average of about 1.5 hours each.
This is a basic cost calculator for you to compute your typical monthly cost for patching your servers, PCs, laptops, tablets and associated application software. It also forms the basis for you to begin calculating your Return on Investment for software patching, or for comparison with alternatives to the manual process of patching operating systems and application software—such as Patch Management as a Service, also known as Vulnerability Management as a Service.