The Largest Risk in IT? Digital Transformation and the Careless Retirement of Data Center Hardware.

Digital Transformation creates the largest risk to any organization: the retirement of data center hardware. Sitting on the hard drives of this gear are customer records, proprietary software, financial records and more. And though this risk seems obvious, there has been inertia built over the last two decades to treat hardware/data retirement simply as a trash exercise. In fact, when companies unplug this hardware, the risk begins in earnest. 

For years, a cadre of insiders (employees, partners, even data center employees) has viewed retired hardware as a personal piggy bank: trash that the company turns a blind eye to and that can provide them monetary benefits. I've seen this first-hand and have been personally propositioned for gear.

Though this pilfering of data center hardware is rarely done maliciously, it points to a greater concern: the business does not comprehend the risk inherent in retired data center hardware. This stands in stark contrast to the security around this hardware and data while the environments are still live. In live environments, the physical security is impressive - access is tightly managed and monitored, and the hardware is locked in cabinets and cages.

Similarly, the virtual access to data is managed by huge investments in security (IDS/IPS, firewalls, and more). Further, the companies that service this industry are highly specialized and trifurcated - some remove the gear from the floor, others physically destroy the data and still others resell it. The handoffs between them introduce significant risk that only a well-trained employee can mitigate.

Unfortunately, the employees tasked with managing this IT trash disposal see it for what it is, the least-respected job in IT, and spend little time or energy overseeing the work. These jobs happen so infrequently that there is no codified process to follow, so the pitfalls that lead to data loss or theft are rarely avoided. And the biggest red herring of all: the Certifications of Data Destruction (CODs) that the data destruction companies provide are only as good as the paper they're written on.

As a Global 2000 CIO told me in late 2018, "One day internal audit will wake up and ask me to prove that the work done on the COD was done, and I will have no answer. That keeps me up at night."

Michael Orell
President, Figure 8 Onsite
