How the Zero-Trust Model Helps IT Asset Managers Protect Their Organization (And Their Jobs)
My mother worried about who I hung out with, especially in middle school. She constantly warned me that people are judged by the company they keep.
It turns out she was right. 20 years in IT asset disposition has shown me that when you surround yourself with troublemakers, you typically wind up guilty-by-association.
Unfortunately, that’s the situation that many of today’s IT Asset Managers are finding themselves in. When things go wrong, executives often blame them when the problem actually lies with their disposal vendor.
So, what’s the solution? How can ITAMs remain security superstars while also protecting themselves if things go south?
Let’s take a look.
Bringing Disreputable Vendors to Light
Media coverage has helped increase awareness regarding the prevalence of fake electronics recyclers and the issues they cause. These include:
● Environmental harm
● Regulatory fines
● Sensitive equipment being discovered in third world countries
● Valuable data falling into the wrong hands
In response, the ITAD industry has developed environmental and regulatory standards to help safeguard companies against these problems. Leading electronics recyclers now adhere to best practices and voluntarily become R2 and e-Steward certified.
Despite this progress, however, thousands of fake recyclers still flourish, and some have been busted for falsifying R2 certificates in an attempt to win contracts. “Certified” recyclers have pled guilty to illegally shipping material overseas, wire fraud, tax evasion, criminal trafficking in counterfeit goods, unlawful storage of hazardous waste, falsifying records, lying to the government, and more.
I cringe whenever a certified recycler has a violation. The vast majority of certified recyclers are honest, ethical, and committed to improving the integrity of the ITAD industry. But bad actors are out there.
Don’t Let Vendors Make You Their Scapegoat
While the ITAD industry has evolved, procedures used by corporate America to manage the internal process of asset disposition have not kept pace. Internal ITAD activities are often performed by employees who are given little or no guidance from senior management.
Individual IT Asset Managers are typically responsible for developing processes that support lifecycle management. These unsung heroes of the IT world are then left to track and manage each of their organization’s assets — including during disposal when the risk of a breach increases significantly.
And unfortunately, most vendors do very little to shield these ITAMs should a breach occur.
That’s because their business is based on a traditional, trust-based approach that:
● Fails to prevent or detect incidents until it is too late
● Exposes your organization to more significant fines and penalties
● Lets them off the hook while you’re left holding the bag
Fortunately, there’s a simple yet effective way for ITAMs to combat trust-based issues that plague disposal vendors: by taking a page from security’s playbook and recommending that their organization switch to a Zero-Trust ITAD Framework.
Protect Your Organization (And Yourself) By Switching to a Zero-Trust ITAD Framework
The Zero-Trust security model has gained acceptance as the go-to framework for network security. The point of Zero-Trust is not to make networks more trusted; it’s to eliminate the concept of trust.
Likewise, the point of Zero-Trust ITAD is not to make disposal vendors more trusted; it’s to eliminate the concept of trust from ITAD.
Never trust, Always verify.
Zero-Trust ITAD takes the burden of responsibility off of ITAM and places it back where it should be: with the vendor. It’s the most effective way for asset managers to limit their exposure while safeguarding their organization from liability.
To avoid guilt by association, ITAMs must maintain a strict policy of professionalism such that no criticism can be made. A Zero-Trust approach keeps ITAM beyond reproach and above suspicion.
Advocating a Zero-Trust approach positions ITAM as part of the solution. If the worst happens and your company is protected, you’re a rockstar. If management instead wants to stick with a trust-based model and is left exposed, you’re off the hook.
Of course, you’ll need a strategy in hand before bringing it up with your organization’s decision-makers.
How to Implement Zero-Trust IT Asset Disposition
Whereas Zero-Trust network access is about permission (Do you have permission to be on this network?), Zero-Trust ITAD is about possession (Do you have possession of this asset?).
There are 4 crucial steps companies need to take in order to implement an effective Zero-Trust model for their ITAD program. These are:
• Maintaining separation of duties: Establishing processes that validate chain of custody helps foster accountability and eliminate potential losses.
• Not sharing inventory reports with vendors: Disposal vendors must provide an accurate inventory of equipment they received from you. Remember, third-party verification is legally required — don’t let them convince you otherwise.
• Having your equipment held: To prevent problems, require your ITAD vendor to quarantine equipment until all assets have been accounted for. Never allow a vendor to resell or destroy equipment until chain of custody has been established.
• Using disposal tags to establish chain of custody and deter theft: Tracking equipment solely by cataloging serial numbers creates reporting gaps that can make it easier for equipment to be lost or stolen. Disposal tags increase tracking accuracy to nearly 100% and help deter theft by reminding vendors that each piece of equipment will need to be accounted for.
With these precautions in place, executives and IT managers can limit their exposure and help protect themselves in the event of a breach.
Zero-Trust Is a Must for IT Asset Disposition
New challenges will always require new ways of thinking. No matter how effective your data security has been in the past, it’s imperative that your organization keeps up with industry shifts in order to remain protected.
That’s why Zero-Trust is a must for network access — and why it should extend to your decommissioned IT assets. After all, if you can’t trust devices while they’re on your network, why would you trust them after they’ve been disposed of?
How ITAM Benefits by Treating ITAD as a Threat
The Final Check-Out: 8 Lessons Learned from 8,000 Projects
Box Cutters Don’t Bring Down Buildings: A Lesson for IT Asset Disposition from the Tragedy of 9/11
About the Author
Kyle Marks is an ITAD enthusiast and CEO of Retire-IT, an independent consulting firm specializing in Zero-Trust, vendor-neutral ITAD management. Over the past 18 years, Kyle has managed more than 10,000 disposal projects. Kyle served Arrow Electronics as President of US Micro. Ages ago, Kyle was an executive with WEGO Systems, a consultant with Bain & Company, and a marketing manager with Maybelline L’Oréal. Kyle has a degree in Economics from Rhodes College and an MBA from Harvard Business School. Kyle is also an IAITAM CHAMP and proud father of two wonderfully inexhaustible kids.