A couple of weeks ago the political satire TV show, VEEP, returned to the screens in the USA for its fifth season. For those of you not familiar with it, the show is set in the office of Selina Meyer, a fictional Vice President, and subsequent President, of the United States. The series follows Meyer and her team as they attempt to make their mark and leave a lasting legacy without getting tripped up in the day-to-day political games that define Washington, D.C. In the first episode they made a subtle reference to cyber security that will resonate with all of us.
The President, played by ex-Seinfeld stalwart Julia Louis-Dreyfus, was approached by one of her aides, who stated that Chinese hackers had breached the firewall of the National Security Agency (NSA). Rather than looking deeply concerned, or even worried, the President retorted with “Any chance they also fixed the WiFi!” In one sentence she encapsulated what so many business managers, leaders and board members think about cyber security: it’s important, but we are so busy just trying to get the basics to work, to keep the IT ‘lights on’, that we just can’t approach the subject.
Although this is humorous, underlying it is an important issue. In many companies there is a concern, a worry, a dirty little secret, that their in-house IT systems are only just holding together. They will be plagued by services going offline, backups may fail once in a while, the network may ‘slow down’ at some point. All the while, the well-meaning IT Helpdesk and other staff will be working flat out to keep the collection of legacy systems chuntering along as best they can. The idea of now re-examining every last dark corner of technology for potential cyber risks is just too much of a mountain to climb. It’s easier just to live with the risk of a cyber-attack or breach and do something about it when and if it should ever happen!
As a former IT Manager, and prior to that an IT Consultant, I can speak from a point of personal experience here. Many times I have encountered organisations who are challenged with just the day-to-day management and upkeep of their existing systems and have no bandwidth to take on radical reengineering, even if it is in their long-term business interests. Senior Management can be equally at fault, as so many SMEs will not have IT representation at board level. Instead they will wheel in a stressed IT manager now and again to provide an update on the inner workings of their organisation, who will usually use too much technical jargon and too many acronyms, leaving them reeling, and things will just continue as normal.
Many IT managers will know that they need to address cyber and will, if questioned, know what to do. But as they are hamstrung by a legacy, fewer resources than they need and an ever-growing expectation from the staff that they support, cyber will sit on the list alongside other tasks that will be done ‘one day’. So how can the status quo be broken? How can businesses start to address cyber without having to get their IT house in order first? The answer is simply to get on with it, and if done correctly both the Senior Management and the IT Management will be satisfied.
Cyber risk goes across an entire company; it is not a subject that is just another silo within IT. So, for example, an IT manager may have been pulling their hair out trying to implement a policy that ensures passwords are changed on a regular basis, with pushback from staff that complex passwords are too difficult to remember, so staff just write them down on a Post-it note and leave it stuck to their screens. That is now a cyber risk, so the policy should be implemented and any staff member found flouting it would be reprimanded through HR processes. Perhaps the IT Manager has wanted to end-of-life legacy systems that are running on Windows NT but has not had the budget to do so – that’s a cyber risk, so now needs to be addressed. Moving to cloud services, improving backups, introducing patch management solutions and automated endpoint protection: all of these will be looked at, or will require investment, in order to get a company into a technical and process position to obtain either a cyber certification or cyber liability insurance.
Protecting an organisation from cyber-attack is actually an opportunity to relook at its entire IT infrastructure, without judgement, and to clear up all those dirty little secrets to ensure continued successful operation in the modern world. IT managers have longed to resolve so many issues – cyber risk mitigation can do this. Equally, Senior Management teams have long wanted greater transparency and understanding of how their IT operates – cyber risk mitigation can do this too. It’s rare that you get a win-win between an IT Team and Senior Management, but undertaking cyber risk mitigation could be a rare opportunity to do just that, and at the same time they will probably be able to fix the WiFi too.