[Editor’s Note: This piece appeared as a sidebar to a larger feature entitled “The Digital Oilfield Has Arrived,” appearing in the October 2014 issue of PBOG Magazine as Part 1 of a 2-Parter.]
It takes buy-in to have information security. Buy-in from everyone in the company, from the top brass to the folks in the trenches.
Lance Tolar is talking about potential breakdowns in information channels, and he comes to the topic of well monitoring, which he uses to illustrate the need for buy-in at all levels.
“Let’s say a company wants to do well monitoring,” Tolar says. “They hire a company that specializes in well monitoring. That company does its job very well. But questions still remain. You have to ensure data integrity and security not just at the monitoring device, but throughout the transport process of that information.”
This is where a lot of things fall down, Tolar says. The oil company that hires a monitoring company faces an unseen, unanticipated risk—perhaps that monitoring company’s database is not secure. Or perhaps the transport of the data is not secure. In such a scenario, information going from point A to point B to the person who needs it in Houston or Midland at the corporate office—that information is not secure.
“Companies need experienced, qualified personnel at the highest level looking at each piece of a project. The required players must sit at the table and discuss the critical questions,” Tolar said. “That’s what we do.”
But who, exactly, are the “players at the table”?
“It depends on the project,” he remarked. “You might have to confer with the company that’s providing well monitoring. You might have yet another vendor that’s providing communications—maybe AT&T, Verizon, or whoever your communications provider is. You’re going to have your in-house I.T. person who’ll need to be sitting at the table. And you’re going to have whoever is providing application support.
“Is the solution Cloud-based? Do they meet or exceed industry standards with their SLA, privacy, and certifications? A company person used to write [their information] on a piece of paper and deliver it to a company office. It was pretty secure.
“Now we use an iPad or whatever device someone’s using out in the field. The information could travel through several vendors and third parties before arriving at its final endpoint. You must ensure the information is secure from the field all the way to the top point, where it’s going.”
The information usually has several stops or layers, Tolar said, so it’s essential to make sure that every one of those steps or layers is secure along the way.
“We make sure that all the players are at the table and they ask the right questions, so that we have a good smooth process,” he said. “That goes all the way from workflow—that is, to making sure that it does what it needs to do from a workflow standpoint—all the way through the communications system and through each layer of technology.
“I think people fail to ask the right questions early. Organizational security, I.T. security, is about establishing and practicing good processes as much as it is about investing in good solutions. If you don’t have corporate buy-in and a good culture to not only create good I.T. policies, but also practice them, users are going to find ways to circumvent. That’s what you want to avoid.”
But what is the problem with a user circumventing a system?
“When users operate outside of a process they increase the risk of a breakdown or failure. The consequence depends on the process that was circumvented,” Tolar said.
“First, users within an organization are going to try to find ways to shortcut it. If they can find shortcuts, it’s a bad policy. But worse than that, if a user can circumvent a system, then hackers will have done so already… they’re already there.”
Therefore, it’s necessary to start with good policies within the company itself, even apart from the business of mounting defenses against unseen threats.
“Create good policies that protect you. Practice those policies. But you’ve got to have buy-in from the corporate culture,” Tolar said. “The organization has to have buy-in and believe in your process, so that they will use it and not try to circumvent it. It’s as much about vision and selling your users on a good solution as it is about buying a piece of technology.”
Tolar said he believes companies often try to mandate good I.T.
“You can mandate some things, but you can’t mandate morality,” he said. “You can try, but you’ve got to have good buy-in. You’ve got to have good information and good education and good training on why we’re doing things. You’ve got to ask those questions before you invest in a solution. Often companies will buy a piece of equipment and they’ll try to implement it and then ask questions. They feel as though an investment is the answer.
“But we don’t want that,” he continued. “We want to ask the questions before we buy the equipment versus afterwards. It’s common in any industry. We will buy a product, but it doesn’t fit strategically into a plan. It never works well. You can’t get buy-in because the solution you purchased never worked well. One of the things that we try to do is to come in and ask these very basic but very important questions in the beginning, so that we can strategically answer the questions that you have. When [the solution] naturally fits into the organization, then people will use it. We get the best I.T. when users enjoy it, it’s user-friendly, and it’s secure. It does what they need.
“The important questions are these: ‘What are your goals? Will the solution make me more efficient? Obviously, you’re changing something for a reason. Why are you changing it? Will installing the solution interrupt my business? Can my current staff be trained to use the solution?’ You always start with, ‘Money is not an object.’ Then the question becomes ‘What are you trying to improve and what is your current process?’ You [learn more about] what your current process is. We can then come back and make some recommendations on how to fix that, where it makes sense.”