And What We Can Learn From Donna Seymour
Are you talking about the most important thing in IT when you meet with business owners and CIOs? It’s security – not managed services. Cost savings are great, but security is crucial. In fact, some of them need more than security: they need more education, and perhaps a lawyer.
What Happened to Donna Seymour?
Just a few months ago no one knew the name “Donna Seymour.” Today it is becoming a household name. Is it her fault that millions of employee records were taken from the OPM? It might be – but who knows? It would be easy to jump on the bandwagon and say she should lose her job. The truth is, any company can be successfully hacked, and the CIO can’t stop it. However, there are some things to consider. Due care means taking the steps a reasonable organization would be expected to take to reduce the risk of an attack. But this is harder than it sounds.
First, how often do politics get in the way of making the right decision? You know – the budget constraints everyone works under. I just got off the phone with a sales rep going through my Vendor to Advisor Mastery Program; he’s facing this issue right now: a very large company in the midst of a merger, not willing to spend any money. How should he respond?
With Donna, what we can say, based on a recent study I wrote about a few days ago, is that business leaders like these are not equipped to make a case for better security because they can’t quantify the risk. They don’t know how much risk they really have, so they don’t know how to budget, or how to justify more budget.
As a result, Donna Seymour is not only being pressured to follow the Target leadership in resigning, she’s being threatened with lawsuits. She blames it on outdated infrastructure. That’s probably true, but as Eric Ries, author of The Lean Startup, recommends, you need to ask “Why?” five times to get to the root cause, and the root cause is not outdated infrastructure.
Why did OPM get hacked?
Outdated infrastructure – that’s what they are telling us. But why is the infrastructure outdated? Because Donna didn’t get the budget to upgrade it sooner. Why not? And so on. I bet it eventually boils down to not predicting the need. A security expert probably would have predicted it. The average CIO would have delegated that meeting down to someone in IT Security, and that person would have delayed any sort of action due to budget constraints – not wanting to pressure Donna, or being too afraid to ask. That IT person is still unknown and still employed. Donna, on the other hand, may not be for long. Donna should have taken the meeting.
Or it could be that there just wasn’t a sales person bold enough to ask for the meeting with Donna. Maybe she would have listened, if the sales rep had offered the assessment. Who knows?
Of course they’ve had assessments, but were they the right kind? Did they just choose the low cost provider and get what they paid for? Or did the provider deliver the right results, but Donna failed to take action? Who knows?
These lawsuits are personal
Donna’s being held personally responsible for the loss of millions of personal employee files. Whatever her organization wasn’t willing to spend, she’ll make up for personally. (Of course she can’t really do that – millions of people are affected, and a credit monitoring service is not going to protect them on this one.)
Are You Talking To The People Who Need To Know?
Are you calling on CIOs who won’t take the meeting? The WSJ reports, “CIOs generally should expect to be sued in increasing numbers over cybersecurity issues…” In my latest book, The House & The Cloud, on page 195, I explain exactly what Donna needed, and what every CIO, CISO, and board member needs to know. So you have a great reason to make the call – but what can you say to get them to listen? Hopefully, by understanding these recent attacks, you can get someone’s attention before it’s too late.
© 2015, David Stelzl