On the Risky Business podcast last week, Andrew Wilson, the CEO of Australian cryptography gear maker Senetas, stated that many businesses see the bad things that happen from poor IT security as just a cost of doing business.
Nothing revolutionary there. We’ve all seen it. Target is paying a steep price right now, but what about Michaels and Nieman Marcus? They got breached at the same time as Target, and nobody’s talking about them. Maybe Target thinks the cost of doing business got too high, and they’ve hired a CISO and I hear they’re hiring lots of new security personnel–I have coworkers and former coworkers in the Minneapolis area who tell me as much–but for Michaels and Nieman Marcus, the cost, at least so far, appears to have been manageable.
But Wilson added something that I hadn’t heard anywhere else before. Fifty years ago, he said, construction workers dying while building a large building was considered a cost of doing business. Fifty years ago that was normal. Today it’s unacceptable.
I can vouch for that. Here in St. Louis, the two largest rivers in North America meet. We have lots of bridges to get across them. A couple of months ago we opened up a brand new bridge across the Mississippi River. One man died during the building of that bridge, and that was one man too many. The accident that killed him was the main headline in St. Louis the day that it happened, and the day they recovered his body, it was the main headline again.
Fifty years ago, it wasn’t news. If anything, it might have been news that only one person was killed building that bridge, rather than many more.
I was in a meeting this week when I pointed this out, only I stated it a little differently. I was in an office building. Fifty years ago, it would have been a given that some people would have died building that building. Today, the acceptable number of deaths when building that building is zero. Everyone in the room nodded. It’s a nice enough building, but none of the 20 people in that room thought it was worth dying for.
The thing is, Wilson pointed out that the excuse 50 years ago was the same excuse we hear now. We could make construction safer. We could make it a lot safer–just as safe as a desk job. But it’s too expensive.
Wilson suggested that legislation is the only answer. But I’m not so sure. Let’s finish the argument.
The difference between construction and IT security is that one of those situations involves human lives and one doesn’t.
Well, except when IT security is in a hospital. The computers that run medical devices need to be secure, because if they don’t, they might malfunction and someone might die.
And if the IT security is in a pharmacy, a computer malfunction might cause the wrong drug to go into that bottle, and that could cause illness or injury or death.
Oh, and IT security in companies that make cars and airplanes and other vehicles is pretty important, because if someone altered the plans for the vehicle maliciously, they might cause the vehicle to malfunction, which would cause injuries and/or death.
On a related note, IT security would be important for an architectural or structural engineering firm, because something making a minor alteration to one math problem could be the difference between a building being strong enough to last forever, or toppling unexpectedly, causing countless deaths.
IT security might be important for first responders too, because if their computers malfunctioned, it might send them to the wrong house, or at least slow them down at a time when seconds count, and that might cause someone to die.
I could spend all day and all night coming up with other examples, but I think you get the idea.
We don’t normally think of IT security being something where lives are at stake. I do, but that’s because I spent half my career doing IT security for the United States Air Force, where lives were at stake.
If we started treating IT security with the gravity it deserves, maybe in 50 years we’ll be where we need to be. I have friends who work in construction, and I’m glad that their jobs are no more dangerous than the typical desk job. It’s senseless for a construction worker to die in the line of work.
It’s equally senseless for someone to die due to an intentionally inflicted computer error. And I hope it doesn’t take some nutjob using a computer to carry out something equivalent to the 1982 Chicago Tylenol murders for the public to start taking it seriously.
I think potentially saving lives is worth the incremental cost of doing business–especially when that incremental cost of better security often reaps other benefits, and ends up paying for itself.