InfoSec Compliance & Complex Systems Part 3: The Ballad of Nameless Company

My case study examined Nameless Company, a medium-sized non-profit whose primary business was delivering services in partnership with a federal program. Nameless worked closely with a US federal agency and supplied innovative technologies to improve service to its customers. The business model was generally stable, with subtle changes coordinated over time with its federal partner.


Nameless had built a large software development shop to create distinctive products for its institutional customers. Its infosec compliance burden was reasonable, consisting of FTC-regulated Gramm-Leach-Bliley requirements. Nameless did have its brush with data breach infamy more than 10 years ago, during the age of the lost laptop, but the impact of that event was fading from corporate memory. Nameless leadership forecast changes to the regulation of the work it was doing for its federal partner and began to implement a security program based on the NIST Risk Management Framework. This framework would be required should Nameless pursue a federal contract. Its implementation was treated as guidance rather than requirement by both the information security and audit teams.

The forecast was correct, and Nameless’ federal partner terminated the program Nameless performed. The federal partner then solicited bids for the new replacement program. Nameless stepped up its FISMA compliance game, complete with consulting from Large International Consulting Firm, investments in new hardware and software, and an expansion of the security team, so that it would be FISMA-ready should it win a bid for the new program. The old program was still around, and would be for another ten years or so, but its revenue would decline.

After a few years, Nameless didn’t appear to be any closer to winning a part in the new replacement program. There was a change in leadership at Nameless, and a corresponding change in strategy: Nameless would build a new business, pursue new markets, and maintain the legacy program. Significant staff reductions were made, primarily in the IT area. The layoffs and sympathetic departures left the information security team barely there.

A couple of months after the layoffs, Nameless’ federal partner published a letter to Nameless and other similar organizations. “Y’know that FISMA thing you didn’t have to comply with? Yeah, it’s a thing now.” So Nameless now had to get serious about implementing a control catalogue while significantly resource-constrained.

At this point, my research question comes back around. What will happen to the actual security outcomes? Were they better when compliance was optional and well-funded, or when it was mandatory and resource-constrained? Place your bets.

Stay tuned to find out!

Catch up on:

Part 1 – Clinging to the Nearest Passerby

Part 2 – It’s Complexicated
