For privacy professionals to appropriately serve their organizations, they often delve into obscure, unexpected functional rabbit holes. One rabbit hole is the current conflicted dynamic between information technology asset management and IT asset disposition, which hides ongoing regulatory noncompliance and results in a growing and unsustainable risk.
The ITAM/ITAD status quo
Modern organizations are brimming with IT assets that require management. Organizations batch this into two big buckets: software licensing, which can be extremely complex, and hardware management, including device procurement, onboarding and tracking.
To understand how complex this job can be, consider an organization with hundreds or thousands of employees, many with multiple devices, each device with multiple licenses, and each device rotating in and out of service every three to five years.
Adding to the complexity of this responsibility, the already overwhelmed IT asset manager is then responsible for managing the secure disposal of thousands (or tens of thousands) of physical IT assets annually.
Most IT asset managers are not compliance-centric functionaries. Many rose to their current positions through the IT or procurement department ranks. They tend to be practically motivated and are often unaware of, or underappreciate, the imperatives of privacy and data protection regulatory compliance.
It may surprise some readers, but it is more common than not for organizations to lose track of a significant percentage of their IT assets. This typically becomes apparent when there is a discrepancy between the device inventory generated by procurement, accounting or some form of IT asset tracking software, and the devices that can be physically located when the time comes for their disposition.
This is where the low priority on regulatory compliance comes into play.
Because it is highly probable that unresolved or missing IT assets contain regulated personal information, there is a regulatory obligation to investigate and resolve their absence. How else would an organization know if a missing device constituted a reportable data security breach?
Instead of investigating and resolving the possible incident, however, overwhelmed, pragmatic IT asset managers typically shrug their shoulders, either unaware of the compliance imperative or unwilling to trigger an investigation that could reflect poorly on them. Either way, the IT asset disposal process can avert the required investigation by allowing the assumption that any unresolved devices were among those that were securely retired.
The shame of this blatant disregard for basic regulatory compliance is that experience has shown most IT asset discrepancies can be resolved. And, even where resolution is not achieved, the organization can take steps to mitigate future risks. Without acknowledging the incident, however, there is perpetual potential risk that the errant device will turn up somewhere else, leading regulators to ask questions, which can only end badly for the organization.
This risk is more than hypothetical.
Conflicted ITAD caused recent Morgan Stanley breaches that cost the firm, all told, close to USD200 million for ITAD failures that the Securities and Exchange Commission characterized as "astonishing."
And the quickly changing regulatory climate only makes the prevailing ITAM/ITAD paradigm more hazardous.
According to the SEC's final rule on newly required cybersecurity disclosures, as of December 2023, publicly traded corporations will have four business days to disclose material cybersecurity breaches. These corporations must also annually disclose an aggregated summary of material cybersecurity incidents, define their overall cybersecurity postures and the board's role, and attest it can assure appropriate cybersecurity reporting and preparedness.
The National Institute for Standards and Technology, American Institute of Certified Public Accountants, Financial Industry Regulatory Authority and Payment Card Industry Data Security Standards all specifically include ITAM and ITAD as elements of cybersecurity. As a result, the mandatory public disclosures and board accountability now codified by the U.S. Securities and Exchange Commission will extend to ITAM and ITAD as well.
Returning to the new SEC disclosure requirements, the key determinant of a reportable cybersecurity incident is whether it is "material," meaning unauthorized access to personal information is possible. Organizations will have to demonstrate how they came to that determination. And, because such a determination can only be demonstrated by acknowledging and investigating the missing asset, not doing so directly contravenes the new SEC requirement, as well as existing data breach notification regulations.
While the forthcoming SEC disclosure requirements put a fine point on the issue, the SEC's recent settlement with Blackbaud demonstrates its intention to hold boards accountable for failure to ensure they are informed of data security incidents and, equally significant, to hold organizations responsible for allowing knowable potential risks to persist even when nothing dire has yet transpired.
The current conflicted ITAM/ITAD paradigm fails on both points, given unresolved assets are not being reported to boards and those same boards are failing to ensure they are made aware of resulting cybersecurity risks.
A traditional solution for an emerging risk
As described above, the problematic ITAM/ITAD paradigm to a large degree results from the conflict of interest created when the person responsible for the integrity of the IT assets tracking process is also responsible for the integrity of the disposition process. It is unrealistic to allow a single department or individual to hold themselves accountable.
Of course, potential conflicts of interest are nothing new to the business world. Disciplines such as accounting and auditing have long recognized segregation, or separation, of duties as the solution.
In fact, the concept of SOD is so integral, its absence is one of the most common deficiencies cited in financial audits, one of the most common points of failure in the AICPA's Service Organization Control I and II attestations, and usually the first thing forensic auditors look for when investigating internal fraud.
More specific to data security, within the globally recognized International Organization for Standardization's standard 27001:2022 on information security controls, control 5.3 is "segregation of duties." It stipulates that organizations should identify and segregate responsibilities when conflicts put information security and compliance at risk.
Resistance and improvement
It should come as no surprise that the integration of SOD between ITAM and ITAD will not be welcome by the current functional actors. In many cases, they will fail to acknowledge the problem exists.
Notwithstanding the fact that change is inherently scary, there is the added perceived threat of such change drawing attention to past omissions.
This fear, however, is unfounded.
First, there are hundreds, maybe thousands, of examples where changing regulatory requirements lead to the implementation of new procedures. The SEC's new cybersecurity disclosure requirement offers the perfect opportunity to correct the process. Certainly, there are implementation nuances and subtleties to consider, but neither the organization nor the manager need worry. Frankly, any concern over making corrections should be far less than those of allowing the current dysfunctional dynamic to persist.
Second, while those directly responsible for ITAM are likely the most threatened initially, the proposed modifications actually elevate their role within the organization. IT asset inventory integrity, reconciliation and resolution will require an organization to aim more resources at physical asset tracking. The goal, after all, is to have fewer missing IT assets to investigate. Positioned and presented properly, the IT asset manager would be among those who benefit most from the new priority and additional required resources.
The writing is on the wall
It is impossible to argue that those responsible for IT asset management are not conflicted when it comes to IT asset disposition. It is equally impossible to argue that organizations can continue to ignore unresolved IT assets.
Arguments aside, however, correcting both is not ultimately a matter of choice.
With the SEC requiring cybersecurity disclosures of public companies, auditing fiduciaries cannot afford to ignore the issue. As mentioned, the absence of warranted SOD is already one of the most commonly cited auditing deficiencies and, given that such fiduciaries must sign off on filings, ignoring the cybersecurity risk of unresolved IT assets or overlooking ITAM/ITAD conflicts of interest constitutes a dereliction of duty.
Similarly, when such fiduciaries are advising clients, especially when disclosure requirements are changing, failure to inform clients about the risks of unresolved IT assets and ITAM/ITAD conflicts of interest is irresponsible at best. Such a failure damaging a client could be devastating to both the client and the fiduciary.
Conclusion
Clearly, privacy pros have varying and sometimes limited abilities to influence deeply engrained functional processes. As mentioned, personalities and guarded operational silos are likely to resist the existence of any conflict of interest between ITAM, ITAD and/or any problem with unresolved IT assets.
What is common to all privacy pros, however, is the obligation to ensure new regulatory requirements, responsibilities and hidden noncompliance do not blindside their organizations and clients. With the issues and solutions described above, that imperative is even more acute for public companies where boards of directors are now in the crosshairs.
Recognizing the intersection of ITAD and cybersecurity is vital to ensuring the secure disposal of retired assets and maintaining robust data protection. Implementing SOD in ITAM and ITAD enhances accountability and minimizes the risk of data breaches.
Whether they are championing needed practical procedural modifications or raising the issue with those who can, privacy pros best serve their organizations, and themselves, by recognizing something must change.