Wednesday, August 5, 2015

Planes, Pumps, and Automobiles

Every business generation seems to learn the same lesson over and over:  The Internet is not a natively safe place to operate devices.  A company has to do some security to prevent hackers from taking over their little pieces of technology.

Fifteen years ago, we did a security check for a company that did venture capital.  They had a business that was going to do on-line business for big customers just starting to think about clouds and they thought it was a good idea to see if they were secure enough to do Internet business.  They weren't.  On the first survey our team did, I sent another team back out to the same site because I didn't believe the results could have been so bad.  They had to know something about security if they were going to be in business in a hostile environment.  The Internet is not a safe place.

In the last few months, we have seen people hack an airplane's entertainment system, a pump used to control the distribution of drugs to a patient in a hospital, and the guts of an automobile electronic control system.  We should be similarly surprised that the people who developed those devices thought they could be operated safely in such a hostile place.  Boards of Directors should be a little more careful about their due diligence.  They need to be asking more questions about any device that has an Internet connection.  I talked to a friend of mine, who sat on some of those Boards, and he laughed at that idea.

Boards are not selected for their technical abilities, he said.  I know that.  They don't know what questions to ask.  I didn't know that.  In fact, I thought Boards were smart people put in place to ask hard questions.  He laughed again.

Certainly they must know something about hacking, since so much of it is going around.  Then, I thought about all those businesses losing information to the Chinese, and thought I might re-evaluate that position.  They don't know enough to ask about how they should protect their own trade secrets from the Chinese.  They didn't ask any questions about what was being done by their own internal IT shops.  The questions they would have to ask about development projects are harder to think about.  They would actually have to think about development as an IT-related business, rather than as a product which will make a certain amount of money, given a specific financial investment.  He laughed hard at that.  I may have overestimated the degree of discussion about the technical merits of a product, given the amount of investment in it.  No wonder they never get around to asking about security.  They are definitely paying these guys too much money.
