Don't Leave Cybersecurity to the Techies
Your IT department is not all that interested in maintenance, security and other boring stuff. You need to walk around and ask some questions.
BY HOWARD TULLMAN, GENERAL MANAGING PARTNER, G2T3V AND CHICAGO HIGH TECH INVESTORS (@TULLMAN)
Anyone who knows anything about cybersecurity
will tell you with a smirk that the world today is divided between businesses
that know they've been hacked and those who've been hacked but don't know it
yet.
These are not happy times given the ransom
attacks and shutdowns of hospitals and government agencies, the millions of
stolen passwords grudgingly reported daily by all kinds of organizations, and
breaches in which credit agencies and mass merchandisers have coughed up huge
volumes of our personal data. Then there are the constant notices we receive
(some of which are actually authentic) to update, secure and complexify
our own passwords. Which, of course, we rarely do even as more and more of us
are working remotely and increasing the odds of having serious security issues.
There's nothing that keeps corporate IT folks
and CSOs awake more at night than the prospect of millions of kids playing MMO
games at home on mom or dad's office laptop. But it turns out that, while
external actors may be constantly probing for vulnerabilities and entry points
to your systems as well as trying to "socially engineer" their way
into your servers by manipulating your customer-facing employees, the most
persistent risks to your business aren't generated by the outsiders who eventually
exploit them. They're often the result of the actions and attitudes of your own
computer scientists and engineers who - by and large - believe that they don't
need to be concerned about it.
Just as I recently wrote about the need
to do serious audits and pre-sale code maintenance,
now's the time to take a hard look at the way your tech folks are building your
business and the firmness of that foundation and, maybe most importantly,
whether the managers are sending the right messages to the team.
There is more to life in the real world than
simply increasing its speed. Whole businesses have failed because the most
consistent direction from management was all about speed (doing and fixing
things fast) rather than stability (doing and fixing things well). They spend
too much time on what's urgent and not enough on what's important.
If there weren't enough reasons to hate the
Zuck these days, the fact that his horrible example has taught several
generations of engineers and millions of students that you succeed by moving fast and breaking things is certainly high on my
list. These folks just don't realize that in the long run you
don't save time by hurrying. We're only beginning to see the dire consequences
of this kind of single-threaded and ignorant arrogance and the worst is likely
yet to come.
Your goal as the one in charge - even
if you're not technically technical - should be to take the time now to make
sure that your business isn't running away from you. That your tech team, in
the race to keep moving forward, hasn't patched up, papered over, gambled too
much on, or entirely failed to anticipate and address important exposures that
could bring down the whole company.
One of the greatest problems with
entrepreneurs today is that they're willing to invest far more on the chance of
getting to a good result -- often even betting the farm -- than they're willing
to invest in preventing something bad from happening.
No one likes to buy insurance, change their
lengthy passwords on a regular basis or spend time maintaining critical
infrastructure, but it's steps and follow-ups like these that prevent, and
protect you from, foul-ups down the line. An ounce or two of attention and
prevention saves a lot of pain later.
The time to repair the roof is when the sun is
shining and not when the storms begin, the transaction volume explodes, the
kludges and quick fixes fall apart, and the spit hits the fan. Unhappy
"accidents" happen to people who aren't properly prepared and, while
theory is good, it doesn't keep nasty things from taking place.
If you aren't in the trenches from time to time
and looking under the rocks and around the corners, you're probably taking too
much for granted. Do yourself a big favor and don't take anyone else's word for
it - even if they're the "experts." As Stevie Wonder would counsel:
"If you believe in things that you don't understand, you
suffer."
The truth is that if you can't "see"
your business, you may not be in business much longer. This used to be called
"management by walking around" and it still works wonders. You don't have to
review the latest code in order to sniff around and ask some hard questions of
people. They may have the best of intentions, but they don't appreciate the
need to make sure that the judgments they're making and the shortcuts they may
be taking (in testing, QA and documentation for sure) aren't creating potential
problems, gaps in the system's security and controls, and other weaknesses that
will fail when pressure-tested, which can come back to bite everyone in the
butt.
The best CEOs have serious sinuses that enable
them to determine pretty quickly whether the answers they're getting (once they
bother to ask) can pass even the most basic smell tests.
Too many IT departments today look like a Marx
brothers movie - everyone in motion, lots of jumping up and down, and no one's
sure who's where. The engineering isn't that hard - it's the people who are in
too much of a hurry, doing too many things at once, and trying to cross the
chasm in a single bound that are the problem. Asking these folks to slow down
and think about safety and security is like asking a dog what he thinks about
TV.
You need to teach your team to take their
time. Overworked and stressed-out engineers often grab for the quickest
available answer or fix, not the best or smartest. They like
making new things and breaking old things and hate maintenance projects, which don't
move the needle but do happen to keep the train on the tracks. They mean well,
but their energies are often misdirected because these Band-Aids and patches
aren't solutions that will stand up over time.
It's like the car mechanic who says: "I
couldn't fix your brakes, so I made the horn louder."
NOV 16, 2021