Cover Your Ass

Duck and Cover—Incoming!!
How the IT guy can cover his ass when management doesn’t give a damn.

In September 2022, the Suffolk County government in New York suffered a ransomware attack that shut down county and municipal services and has cost over $5M…so far. 

An investigation performed by Palo Alto Networks revealed poor IT management, a series of technical blunders, delayed security upgrades, unsuitable management structures and “obstructive behavior” from an IT director who was initially suspended and then fired. The fired IT director does not deny culpability, but says he warned county officials repeatedly of the vulnerabilities and was ignored.

We understand from one of our clients in NY that the IT director will be suing the county. Perhaps more dirty laundry coming out on this…stay tuned. 

A Wall Street Journal article about this situation can be found here:

https://www.wsj.com/articles/suffolk-county-n-y-leaders-blame-clerks-office-for-cyberattack-11671673082

In reality, the IT Director is likely culpable, but so is county leadership. Yet who got the blame? The IT Director…and NOT the county officials.

This type of situation will repeat itself again and again. So how do IT directors (or the equivalent) cover their butts and reputations in similar situations?

  1. Make sure all your cybersecurity and privacy responsibilities are clearly defined and described in your work contract.
  2. Make sure that any responsibilities assigned to you are properly funded and supported by top management. In the public sector, that means both your administrative supervisor and your political bosses.
  3. Make sure that whomever you are supposed to report to with respect to these responsibilities is clearly identified in your work contract.
  4. Meticulously perform your job responsibilities and DOCUMENT your activities with respect to your cybersecurity and privacy responsibilities.
  5. Identify and document any managerial weaknesses with respect to organizational management of cybersecurity and privacy risks.
  6. Carefully document any organizational vulnerabilities.
  7. Save copies of everything. Funny how, when there’s a problem, emails and other digital documentation start to disappear. Paper copies are a good idea.
  8. Make sure you’re covered by the company’s directors and officers (D&O) liability policy. If they don’t have D&O coverage, ask them to obtain it and document that you asked.
  9. Also consider using the whistleblower law. Understand the whistleblower rules in your particular state; each state is different. That may require advice from a lawyer, and not one who is paid for by the company. Those rules determine whether or not you may disclose certain information, who you are legally allowed to disclose it to, and what protections you have.
  10. If an incident occurs, inform everyone immediately and save all documentation.
  11. Request time at all major organizational management meetings so you can present risk management issues to the right people. Make sure that you explain risk as a risk to the business and not as some abstract technical risk.
  12. Ensure that regular reviews of your performance are conducted and that your risk management activities are reviewed and approved. If any shortcomings are identified, aggressively mitigate them, document your work, and get that work acknowledged and approved.
  13. All stakeholders should recognize you, through your posture on risk management, cybersecurity, and privacy, as an evangelist for doing better…and sooner.
  14. Build relationships with and work closely with any compliance officers.
  15. Build relationships with your peers at other organizations in your industry to learn what they are doing successfully…and not so successfully, and share what you learn with coworkers and management.
