October 6, 2017 at 8:33 pm
Comments posted to this topic are about the item The Achilles Heel
Best wishes,
Phil Factor
October 6, 2017 at 9:48 pm
Heh... I won't mention the name of the company that I think you're talking about but its initials are "Equifax" 😛
I can't believe that the CEO of a company would be so lame as to try to put the blame on some probably overworked nub that forgot to install a patch. Where is the sign-off and verification of the process that requires the installation of such patches? That blatherskite of a CEO should be folded in half and shot butt first from a cannon into the business end of a sharpened telephone pole.
Absolutely great article on the subject, Phil. Thanks for taking the time to write it.
--Jeff Moden
Change is inevitable... Change for the better is not.
October 10, 2017 at 6:33 am
Sigh. My first thought when I read the news about who the "retiring" Equifax CEO "blamed" for the breach was "It wasn't me! It was the one-armed IT guy!"
That being said, on the general thrust of the editorial, I think part of the reason why no details are released about the causes of these breaches is more "the software is *OUR* product / proprietary and we don't want to give our competitors insight into how we do things." I know in the past people have bandied about the idea of something along the lines of a "real" professional organization for programmers / IT people, sort of like the AMA or such.
Interesting idea, but I can't see it taking off, not in any meaningful manner. Unlike, say for instance surgery, there are so many different ways to do the same thing (different programming languages, styles, etc.) And again, unlike medicine, it's far, far easier (I think) for errors to creep into software being written than for a Dr to leave a sponge in your chest or miss a stitch. Add to that the "get it out the door yesterday and we'll fix the bugs tomorrow" mentality of many businesses and you get even more errors creeping in (and despite the "fix it tomorrow," well, tomorrow is always tomorrow, never today.)
Maybe the best that software developers / IT staff can hope for is to point out (in writing, of course) what appear to be weak or poor policies (really Equifax? ONE guy was responsible for the patching??) and try to get them changed. Because sadly, businesses tend to think of us as interchangeable with some C-level exec's cousin who's "good with computers," except for the business knowledge we already have. Use other breaches and failures as ammo in your fight to get lax policies corrected. If you go to your boss and tell them "if we don't get at least 2 other people involved in making sure security updates get applied in a timely manner, we could end up being the next Equifax of our industry," that will carry more weight than "boss, it's been just me handling updates, what happens if I go on vacation and a big 'apply this now' security update comes out while I'm gone?" In the case of the latter, the boss will likely say "enh, we'll be fine until you get back, don't worry about it."
And then the company gets breached while you're in Cancun, a couple of days / weeks / months later it gets discovered, and you've just become the CEO's "one-armed IT guy" whose fault it was. CEO gets their golden parachute, you get a cardboard box and 15 minutes with a security guard to clean out your desk and a resume-stain...
October 10, 2017 at 8:40 am
Very amusing!
I'd imagine that companies that go round sacking individuals for what are in essence cultural or systemic problems tend to end up out of business fairly shortly anyway. Best to leave as soon as you realise the culture has gone wrong before you can be scapegoated.