Monday, November 15, 2021

NEW INC. MAGAZINE COLUMN BY HOWARD TULLMAN


Don't Leave Cybersecurity to the Techies

Your IT department is not all that interested in maintenance, security and other boring stuff. You need to walk around and ask some questions. 


BY HOWARD TULLMAN, GENERAL MANAGING PARTNER, G2T3V AND CHICAGO HIGH TECH INVESTORS, @TULLMAN

Anyone who knows anything about cybersecurity will tell you with a smirk that the world today is divided between businesses that know they've been hacked and those who've been hacked but don't know it yet.

These are not happy times, given the ransomware attacks and shutdowns of hospitals and government agencies, the millions of stolen passwords grudgingly reported daily by all kinds of organizations, and breaches in which credit agencies and mass merchandisers have coughed up huge volumes of our personal data. Then there are the constant notices we receive (some of which are actually authentic) to update, secure and complexify our own passwords, which, of course, we rarely do, even as more and more of us work remotely and raise the odds of a serious security incident.

There's nothing that keeps corporate IT folks and CSOs awake more at night than the prospect of millions of kids playing MMO games at home on mom or dad's office laptop. But it turns out that, while external actors may be constantly probing for vulnerabilities and entry points to your systems, as well as trying to "socially engineer" their way into your servers by manipulating your customer-facing employees, the most persistent risks to your business aren't generated by the outsiders who eventually exploit them. They're often the result of the actions and attitudes of your own computer scientists and engineers who, by and large, believe that security isn't their concern.

Just as I recently wrote about the need to do serious audits and pre-sale code maintenance, now's the time to take a hard look at the way your tech folks are building your business, the firmness of that foundation and, maybe most importantly, whether the managers are sending the right messages to the team.

There is more to life in the real world than simply moving faster. Whole businesses have failed because the most consistent direction from management was all about speed (doing and fixing things fast) rather than stability (doing and fixing things well). They spend too much time on what's urgent and not enough on what's important.

If there weren't enough reasons to hate the Zuck these days, the fact that his horrible example has taught several generations of engineers and millions of students that you succeed by moving fast and breaking things is certainly high on my list. These folks just don't realize that in the long run you don't save time by hurrying. We're only beginning to see the dire consequences of this kind of single-threaded and ignorant arrogance and the worst is likely yet to come.

Your goal as the one in charge, even if you're not technically technical, should be to take the time now to make sure that your business isn't running away from you, and that your tech team, in the race to keep moving forward, hasn't patched up, papered over, gambled too much on, or entirely failed to anticipate and address important exposures that could bring down the whole company.

One of the greatest problems with entrepreneurs today is that they're willing to invest far more on the chance of getting to a good result, often even betting the farm, than they're willing to invest in preventing something bad from happening.

No one likes to buy insurance, change their lengthy passwords on a regular basis or spend time maintaining critical infrastructure, but it's steps and follow-ups like these that prevent foul-ups down the line and protect you when they happen anyway. An ounce or two of attention and prevention saves a lot of pain later.

The time to repair the roof is when the sun is shining and not when the storms begin, the transaction volume explodes, the kludges and quick fixes fall apart, and the spit hits the fan. Unhappy "accidents" happen to people who aren't properly prepared and, while theory is good, it doesn't keep nasty things from taking place.

If you aren't in the trenches from time to time and looking under the rocks and around the corners, you're probably taking too much for granted. Do yourself a big favor and don't take anyone else's word for it - even if they're the "experts." As Stevie Wonder would counsel: "If you believe in things that you don't understand, you suffer." 

The truth is that if you can't "see" your business, you may not be in business much longer. This used to be called "management by walking around" and it still works wonders. You don't have to review the latest code in order to sniff around and ask some hard questions of people. They may have the best of intentions, but they don't appreciate the need to make sure that the judgments they're making and the shortcuts they may be taking (in testing, QA and documentation for sure) aren't creating potential problems, gaps in the system's security and controls, and other weaknesses that will fail when pressure tested. Those failures come back to bite everyone in the butt.

The best CEOs have serious sinuses that enable them to determine pretty quickly whether the answers they're getting (once they bother to ask) can pass even the most basic smell tests.

Too many IT departments today look like a Marx Brothers movie: everyone in motion, lots of jumping up and down, and no one's sure who's where. The engineering isn't that hard; it's the people who are in too much of a hurry, doing too many things at once, and trying to cross the chasm in a single bound that are the problem. Asking these folks to slow down and think about safety and security is like asking a dog what he thinks about TV.

You need to teach your team to take their time. Overworked and stressed-out engineers often grab for the quickest available answer or fix, not the best or smartest. They like making new things and breaking old things and hate maintenance projects, which don't move the needle but do happen to keep the train on the tracks. They mean well, but their energies are often misdirected because these Band-Aids and patches aren't solutions that will stand up over time.

It's like the car mechanic who says: "I couldn't fix your brakes, so I made the horn louder."


NOV 16, 2021