CIO’s Can’t Afford to Delegate This One – An OPM Update

July 10, 2015 — 4 Comments

How to Stop CIOs From Sending You Back To IT

And What We Can Learn From Donna Seymour

Are you talking about the most important things in IT when you meet with business owners and CIOs? It’s security, not managed services. Cost savings are great, but security is crucial. In fact, some of them not only need more security, they need more education and perhaps a lawyer.

What Happened to Donna Seymour?

Just a few months ago no one knew the name “Donna Seymour”. Today she’s becoming a household name. Is it her fault that millions of employee records were taken from the OPM? It might be, but who knows. It would be easy to jump on the bandwagon and say she should lose her job. The truth is, any company can be successfully hacked and the CIO can’t stop it. However, there are some things to consider. Due care means taking the steps that should be taken to decrease the risk of an attack. But this is harder than it sounds.

First, how often do politics get in the way of making the right decision? You know, the budget constraints everyone works under. I just got off the phone with a sales rep going through my Vendor to Advisor Mastery Program, and he’s facing this issue right now: a very large company in the midst of a merger, not willing to spend any money. How should he respond?

With Donna, what we can say, based on a recent study I wrote about a few days ago, is that these business leaders are not equipped to make a case for better security because they can’t quantify the risk. They don’t know how much risk they really have, so they don’t know how to budget, or how to justify more budget.

As a result, Donna Seymour is not only being pressured to join the Target leadership in resigning, she’s being threatened with lawsuits. She blames it on outdated infrastructure. That’s probably true, but as Eric Ries, author of The Lean Start Up, recommends, you need to ask “Why?” five times to get to the root cause, and the root cause is not outdated infrastructure.

Why did OPM get hacked?

Outdated infrastructure, that’s what they are telling us. But why is the infrastructure outdated? Because Donna didn’t get budget to upgrade it sooner. Why not? And so on. I bet it eventually boils down to not predicting the need. A security expert probably would have predicted it. The average CIO would have delegated that meeting down to someone in IT Security, and that person would have delayed any sort of action due to budget constraints, not wanting to pressure Donna, or being too afraid to ask. That IT person is still unknown and still employed. Donna, on the other hand, may not be for long. Donna should have taken the meeting.

Or it could be that there just wasn’t a sales person bold enough to ask for the meeting with Donna. Maybe she would have listened, if the sales rep had offered the assessment. Who knows.

Of course they’ve had assessments, but were they the right kind? Did they just choose the low-cost provider and get what they paid for? Or did the provider deliver the right results, but Donna failed to take action? Who knows?

These lawsuits are personal

Donna’s being held personally responsible for the loss of millions of personal employee files. Whatever her organization wasn’t willing to spend, she’ll make up for personally. (Of course she can’t really do that. Millions of people are affected, and a credit score service is not going to protect them on this one.)

Are You Talking To The People Who Need To Know?

Are you calling on CIOs that won’t take the meeting? The WSJ reports, “CIOs generally should expect to be sued in increasing numbers over cybersecurity issues…” In my latest book, The House & The Cloud, on page 195, I explain exactly what Donna needed, and what every CIO, CISO, and board member needs to know. So you have a great reason to make the call. What can you say to get them to listen? Hopefully, by understanding these recent attacks, you can get someone’s attention before it’s too late.

© 2015, David Stelzl


4 responses to CIO’s Can’t Afford to Delegate This One – An OPM Update

  1. 
    thesecurityartist July 10, 2015 at 5:49 pm

    Brilliant blog post, as always, David. I am also an advocate of the “5 why’s” that you mentioned, popularized by Eric Ries in “The Lean Start Up” but dating back to the 1930’s when developed by Sakichi Toyoda, founder of Toyota. Frankly I see far too few CIOs using this technique, and if I was to apply the 5 why’s to that I am sure it would come down to a lack of awareness of this effective principle for unearthing the root cause of a problem.

    When I perform the 5 why’s on my clients I find two recurring themes:

    One of these you touched upon in your blog post. CEOs and boards of directors do not have quantified risks upon which to make decisions. One of the reasons why risk is so poorly managed is that CIOs don’t identify all of their assets. Sure, they get their IT team to obtain a list of files from a recent data backup and run vulnerability scanners, and the astute may even consider looking at an asset inventory managed by the finance team, but they forget that beyond the digital and physical assets there is yet another type of asset. In 2012, Trend Micro stated that 91% of attacks begin with spear-phishing. That means that 91% of attacks target humans. Chances are that number is higher now, though I cannot confirm that as I have not seen any more recent statistics. Humans are the third category of asset that CIOs tend to forget about. It’s time CIOs started working with HR, legal, finance and even building management, as these are all important owners of assets that can store, process or transmit critical information. This only substantiates the fact that security extends far beyond technology and IT and should be regarded as a business problem.

    The other problem I see, and this is a massive one, is that the entire IT security industry is heading down the path of chasing a goal that simply is not possible to achieve. To explain this, I’ll use an analogy. I’m going to compare death and security. What they have in common is that these are binary, as in there are two possible states; just like a 1 or 0, so IT people ought to appreciate this. You are either dead or alive, and I’m willing to bet that the latter applies to you, the reader, right now. There is no in between. As long as you have one more breath and one more beat of your heart, you are alive. The moment these vitals stop, you are dead. Now think about security. We are either secure or not secure; no in between. Information security is about maintaining confidentiality, integrity, and availability of information. Any breach of these three principles means we have failed. It is simply impossible to achieve security and it is the wrong goal. Let’s hypothetically say we could achieve security; what would that mean? Telling all of your clients to go elsewhere; firing all of your employees; and disconnecting from the Internet… and that’s probably not enough. You might need to erase the memories of everyone on the planet who ever came in contact with your organization. Unless you know where to score one of those gadgets used in the movie “Men In Black”, let’s just say that this is impossible! What we need is a goal that is achievable. A destination that we can arrive at. Forget security and aim for resilience. We cannot prevent every breach of confidentiality, integrity or availability, but we can recover if we can rapidly detect and respond to these breaches. Stop travelling down the path towards cyber security and instead take one to cyber resilience.

    In the future we are likely to see more once-unknown CIOs have the spotlight cast on them and their pictures plastered throughout the media, and those that will survive the scathing reviews and keep their jobs will be those who practice cyber resilience and use it as a means to solve the deep underlying problems that transcend IT: business problems.

Trackbacks and Pingbacks:

  1. The Question Most Often Asked By the Board of Directors « Dave Stelzl's Blog - July 24, 2015

    […] you didn’t see my comments on OPM, you might want to take a look (Read about Donna Seymour and OPM’s failure to protect our nation’s critical personnel da….) The board is missing the mark here because they misunderstand risk.  In my book, The House […]

  2. Economic Espionage – Every Company That Uses Computers Take Note « Dave Stelzl's Blog - August 19, 2015

    […] as pictured in movies is generally dealing with government data – like the recent OPM hack I wrote on a few weeks ago.  But this is about business. These are companies, targeting companies […]
