Are Security Issues Ignored in your Organization?

Delete production database, go to jail, do not pass GO, do not collect $200.

A disgruntled Chinese sysadmin wiped his company’s servers after feeling ignored. He had complained about a lack of basic IT security, but found no understanding from his boss. He then wiped out most of their infrastructure, paralyzing a $6 billion company with 120,000 real estate brokers. He did prove his point. He was rewarded with a 7-year jail sentence.

The person with the most detailed knowledge of the vulnerabilities in your IT landscape is not the CISO. It is the database administrator or the network engineer. Do you have a process to ensure that potential security issues can be raised anonymously and will come to the attention of the CIO?

Don’t be Like FSB and Tesla

There are two ways to handle product problems: The right way and the Tesla way. A now-ex Tesla employee had the temerity to post videos on YouTube showing their vaunted self-driving feature in action. Unfortunately, one of his videos showed his supposedly self-driving car running down a bollard before he managed to react. He was fired by Tesla immediately after posting the video.

If you have a problem, acknowledge it and fix it. Getting rid of everyone bringing bad news is what made Putin think he could easily conquer Ukraine. Don’t be like FSB and Tesla.

Don’t Ignore Bad News

You should not create products that kill people. And when you find that you’ve accidentally done so, you should not continue to sell them.

After initially refusing the strong recommendation from the US Consumer Product Safety Commission, Peloton has now stopped sales and started offering refunds. Their treadmill product has injured 72 children and pets and has tragically caused one death. This product is so much more dangerous than other treadmills because it has to look cool. Peloton didn’t like the look of a regular treadmill that has skirts to prevent children and pets from getting pulled under the machine. Instead, they created a dangerous object and wrote in the manual to keep children and pets away.

When you have invested a lot of time and money and built something you are proud of, you don’t want to hear that it doesn’t work. That’s why Peloton didn’t immediately recall their deadly treadmills. That’s why Kryptonite was in denial for months even after it was proven that their expensive bicycle locks could be opened with a Bic pen.

As a CIO or CTO, you need to have someone who can talk to you honestly about the problems with your IT systems and products. It is your leadership decision what to do about it. But you can’t make a good decision if you don’t know there is a problem. That’s why my customers get me to help them evaluate systems that don’t provide the expected business benefit.