Businesses running internal security projects prompted by the high-profile rogue trader incident at Société Générale should balance technology and procedural change to increase the likelihood of project success, according to a survey carried out by KPMG.
Data security projects often fail because attention is concentrated on technology at the expense of procedures during the implementation of identity and access management projects.
According to the survey, companies are failing to address procedural changes when introducing projects to secure data. It also found that the IT department and the business were not engaging with each other enough.
The survey found that about 50% of respondents said most projects fail because the business was not ready, compared with 21% who said the integration with existing IT was to blame for failures. Some 15% cited budgetary constraints. Only 11% said they were satisfied with their identity and access management projects.
The security breach at French bank Société Générale, in which a trader used internal systems to make unauthorised trades, highlighted the problems caused by failures in identity and access management.
The bank lost a total of £3.6bn as a result of the activity of rogue trader Jerome Kerviel.
Malcolm Marshall, head of information security services at KPMG, said there is a common misconception that identity and access management is about dealing with user IDs and passwords. "It is 80% process, policy and governance, and 20% technology. Recent control failures have shown that failing to get the governance of policies and processes right can lead to serious security breaches," he said.
He said projects should focus on business processes that relate to staff joining, gaining appropriate systems access to do their jobs, moving around the organisation and eventually leaving.
"Frequently, only the technical operation side of the system is considered", he said. "Failing to get buy-in across the business for the non-IT changes these systems will require to be effective is preparing to fail."
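As an added illustration of the joiner, mover and leaver lifecycle described above (example code written for this page, not from the article, KPMG or Société Générale): a reconciliation check that compares HR records with the access entitlements an identity system holds, and flags leavers who still have accounts, movers who kept entitlements from a previous role, accounts with no HR owner, and joiners lacking the access their role requires. The role model, departments, systems and user names are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed role model (assumption): which systems each department
# legitimately needs. In practice this comes from the business, not IT,
# which is the governance point the article makes.
ROLE_MODEL: Dict[str, Set[str]] = {
    "trading": {"order-entry", "email"},
    "back-office": {"settlements", "email"},
}


@dataclass(frozen=True)
class Employee:
    """One HR record: the authoritative source for who works where."""
    user_id: str
    department: str
    active: bool  # False once HR has processed the leaver


@dataclass(frozen=True)
class Entitlement:
    """One access grant held in the identity system."""
    user_id: str
    system: str


# (finding kind, user id, system)
Finding = Tuple[str, str, str]


def reconcile(hr: List[Employee], iam: List[Entitlement]) -> List[Finding]:
    """Compare HR truth against held entitlements and return sorted findings."""
    by_user = {e.user_id: e for e in hr}
    held: Dict[str, Set[str]] = {}
    for ent in iam:
        held.setdefault(ent.user_id, set()).add(ent.system)

    findings: List[Finding] = []
    for user_id, systems in held.items():
        emp = by_user.get(user_id)
        if emp is None:
            # Account exists but HR knows no such person: orphan account.
            findings += [("orphan_account", user_id, s) for s in systems]
            continue
        if not emp.active:
            # Leaver process did not revoke access.
            findings += [("leaver_retains_access", user_id, s) for s in systems]
            continue
        # Mover check: anything outside the current role's model is stale.
        allowed = ROLE_MODEL.get(emp.department, set())
        findings += [("mover_retains_access", user_id, s) for s in systems - allowed]

    for emp in hr:
        if emp.active:
            # Joiner check: active staff should hold what their role needs.
            missing = ROLE_MODEL.get(emp.department, set()) - held.get(emp.user_id, set())
            findings += [("joiner_missing_access", emp.user_id, s) for s in missing]

    return sorted(findings)


def sample_hr() -> List[Employee]:
    # Constructed HR extract: bob moved from trading to back-office,
    # carol has left, dave has just joined trading.
    return [
        Employee("alice", "trading", True),
        Employee("bob", "back-office", True),
        Employee("carol", "trading", False),
        Employee("dave", "trading", True),
    ]


def sample_iam() -> List[Entitlement]:
    # Constructed entitlement extract from the identity system.
    return [
        Entitlement("alice", "order-entry"), Entitlement("alice", "email"),
        Entitlement("bob", "order-entry"),   # kept from his old trading role
        Entitlement("bob", "settlements"), Entitlement("bob", "email"),
        Entitlement("carol", "order-entry"), Entitlement("carol", "email"),
        Entitlement("dave", "email"),        # still waiting for order-entry
        Entitlement("mallory", "settlements"),  # no HR record at all
    ]


def run_sample() -> List[Finding]:
    return reconcile(sample_hr(), sample_iam())


if __name__ == "__main__":
    for kind, user, system in run_sample():
        print(f"{kind:24} {user:8} {system}")
```

Each finding maps to one of the business processes in the list above rather than to a technology fault: the leaver and mover findings exist because HR and line management did not trigger revocation, and the joiner finding because no one confirmed what the role required. The check is only as good as the role model the business agrees to, which is why the survey's respondents put business readiness ahead of integration as the cause of failure.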
KPMG's recommendations for successful data security projects
- Define the aim of the project and set realistic goals. A project that does not achieve the expected benefits may have had unrealistic goals or an unclear scope.
- Introduce identity and access management by a process of standardisation and consolidation.
- Cover the business aspects as well as the technical aspects of projects. IT systems should be there to support the business requirements.
- Seek to produce benefits early and frequently so that the project can prove its added value.