Due Diligence
I have sometimes worked with IT managers who don't want to know anything about security, because it is a field with many obstacles to effective InfoSec program management: poor support from management, insufficient money and inadequate human resources. After all, this is convenient for them, because when an incident happens they can blame the security field. Therefore they don't "waste" time and money building an InfoSec program, because that would mean writing policies, procedures and standards to manage information security efficiently.
IT managers who don't care about security show a lack of due diligence, because they don't commit resources to investigating their business, systems or individuals, while these investigations should be done by managers before any decisions are made. As a result, they make decisions without data and statistics, and if something goes wrong they blame the budget, saying that they need more money to buy more technology. This is often wrong, because what they really need is to use their resources efficiently and buy cost-effective technologies.
This is also related to a concept called the "standard of due care", which is basically the idea that there are steps and processes that we must take, and that reasonable people take, in similar circumstances to make sure that everything is on the up and up. For Information Security Managers this means the basic components of our security program are in place. We should exercise due diligence and not sweep things under the rug: we shouldn't hide security holes and vulnerabilities from management because, for example, they don't fit in the budget or because we want to save our job.
Due diligence can be done on a voluntary basis, which is the best-case scenario, but it may also be the result of a legal obligation.
Information Security due diligence typically occurs during the procurement process. In other words, it takes place when we are actually acquiring and procuring hardware, software, operating systems, applications, personnel, etc. I mean, when we are acquiring the funds to get our programs and projects rolling.
With regard to risk, why should we do due diligence? Because risk must be known and managed in order to fill those holes and mitigate the vulnerabilities.
Due diligence also occurs during a merger or an acquisition of companies. In this scenario we do due diligence to make sure we have identified and are assessing the security risk to our business, reporting that risk and making that knowledge available to potential buyers. We can also be part of a risk, consulting or audit team that assesses a potential company before the purchase is made. This is typically a process that is gone through from an entire macro-business standpoint.
Best regards, my friend, and remember: if you want to sleep without nightmares you should do due diligence.