© The Author(s), under exclusive license to APress Media, LLC, part of Springer Nature 2022
S. Prentice, The Future of Workplace Fear, https://doi.org/10.1007/978-1-4842-8101-7_11

11. The Fear of Losing the Business

Steve Prentice, Toronto, ON, Canada

In Chapter 9, I mentioned a study released in September 2021 that showed that 91 percent of security teams had felt pressure to compromise security during the pandemic in the name of business continuity, creating a “ticking time bomb” for corporate security incidents. Compromised security leaves holes in an organization for criminals to walk right through and these holes can remain there for years.

Yet, among certain business leaders, there is a willingness to leave these holes unpatched due to the fear of what it might do to the current flow of business. Interruptions are costly. Upgrades and fixes can cause downtime and delay, as can training and retraining employees. Installing secure endpoints in the houses of every employee who chooses to work from home is seen as spending money we don’t have. It all appears, in the minds of some, to be an abundance of unrealistic caution that is greater than the possibility of an actual attack.

The key words here are the current flow of business. There is a fear of change among senior management that is palpable – these are people who have created long-range plans and who have made significant commitments, financial and otherwise, to their company’s viability, only to have it threatened first by digital transformation itself and then by digital transformation magnified by Covid-related issues.

Myles Suer, in his article, Digital Transformation, Post Covid-19, in August 2021, quotes a number of experts who highlight these fears. Although this article, like others quoted in this book, will be eclipsed by others as the months and years go by, the attitudes of corporate management described within are timeless.1 For example, he quotes Rita McGrath in her April 2020 Harvard Business Review article:

At the time, McGrath wrote, “simply asking CEOs of traditional companies about digital would throw them into a panic. This is because they believe digital technologies and business models pose an existential threat to their way of doing business — and of course they’re right.”

For former CIO Wayne Sadin, “CIOs are doing everything from before, they are just doing it 25 percent faster, from home. If you had a digital transformation strategy pre-Covid, you would have built an organizational culture that reacted faster to changes in markets, products, customer experience (CX), and employee experience (EX). In this case, you would have evolved relatively smoothly. Lacking such digital experience means you’re scrambling faster today to get there.”

CTO Stephen diFilipo noted, “The pandemic surfaced disparities among employees’ ability to comprehend and adapt to the requirements of digital business capabilities.” This means leaders can only advance as far as their employees’ capabilities allow them to. For this reason, digital maturity level and the quality of digital business initiatives are dependent on employees. Success is less about digital and more about workplace readiness for digital.

Former CIO Isaac Sacolick suggested “Most businesses need a top-down review of the markets they want to be in, customer needs, product and service offerings, and technology/data impacts. Many changes need to be made post-Covid, so it is best to start with customers and then consider your supply chain. The threat is that hybrid work will create a new digital divide between the valley’s openness and Wall Street’s traditional ways of doing business.”

CIO Deb Gildersleeve agreed, saying, “Most organizations need to really take a step back. This process should start by prioritizing agility, resiliency, and continuity. It’s no longer just about large-scale transformation. The world we operate in makes it impossible to ignore an organization’s need to adapt to changing business conditions. From getting employees the physical technology and tools to do their jobs when the pandemic hit to creating digital solutions that drive collaboration and productivity as we’re all approaching work differently, it’s all completely changing how we think about digital technology.”

A central office isn’t required to be productive. CIO Jason James said we should acknowledge that as a starting point: “We have proven that productivity isn’t tied to offices. This gives more options to protect the workforce in areas that may have been in the past considered higher risk.”

To summarize these five experts quoted in this one article:
  • CIOs are doing everything from before, they are just doing it 25 percent faster.

  • Leaders can only advance as far as their employees’ capabilities allow them to.

  • Hybrid work will create a new digital divide between the valley’s openness and Wall Street’s traditional ways of doing business.

  • It’s no longer just about large-scale transformation.

  • Productivity isn’t tied to offices.

There is a fear among those in management that the business as it was, and also as it was being planned for, is no more – that things will not return to the normalcy of 2019 and earlier, but will require significant shifts in strategy and financial commitment – a restart. That is a change that few in management want to see happen.

Trying to Grasp the Infinite

Digital transformation is not just about remote teams, of course. It has much more to do with the addition of more technologies into the work cycle, technologies that are simultaneously more intelligent than ever before and more connected.

These technologies are not well understood. Companies have teams of IT specialists and cybersecurity specialists, all of whom work hard to maximize their companies’ productivity and profitability while simultaneously trying to protect them from an infinite universe of cybercrime. They know a lot about their craft, but every one of them, if they’re being honest with themselves, knows that cybersecurity is a game with no end, but with severe consequences for losing. From viruses on through to ransomware, the invisible nature of cybercrime is difficult to visualize. Perhaps there is no better illustration of this than the image of the stereotypical hacker: a young-looking person dressed in a hoodie, hands hovering over a keyboard – a misleading caricature of an invisible and incomprehensible enemy.

The problem is that, in the private sector, a company is always free to fail on its own due to an inadequate understanding of its marketplace, or from selling a poor-quality product. But failures in the digital world potentially affect everyone on the planet, because every company and individual is connected via the Internet.

Breaches, hacking, and ransomware can happen in any one of a million ways, and that fact alone makes it difficult for any person – but especially one whose responsibilities involve leadership and decision-making – to contemplate the enormity of an infinite criminal landscape without losing their senses.

The Fear of Ransomware

Ransomware, for example, is a relatively new form of cybercrime, having been around for about a decade, but it has been continuously escalating in severity and sophistication to the point that stories of ransomware now happen daily. Whereas computer viruses have been wreaking havoc on computers and networks for much longer, ransomware closes the circle of destruction by making it enormously profitable. It’s robbery without the hassle of having to show up in person with a gun. It can be applied to companies anywhere in the world with minimal outlay – the cost of a few million emails sent, and you can remain as anonymous as you want to be.

Ransomware payments are often made in cryptocurrency, Bitcoin being the most famous, with other, less traceable currencies like Monero always a favorite. This, too, is an area that leaves most people in the dark. Cryptocurrency and the blockchain system upon which it travels are not well understood and become yet another unknown in a collection of digital unknowns.

Ransomware always seems to happen at the worst time, because, frankly, there is no best time. People are busy. They have files and messages to retrieve, and a great deal of work to do. Most of this work is done in some way by interacting with a networked computer.

When the “locked” screen appears, informing every member of the staff that their files are no longer available, fear explodes in all directions. Employees suddenly have to find out how to access the documents they need. They struggle to remember where the alternatives and backups might be, such as paper records. They panic as they try to remember what they were working on the moment the lockout happened. They call for help from the people who attend the IT helpdesk, who themselves are scrambling to put out a thousand fires and pull out ten thousand cables.

There are fears about what is being stolen, what is being violated, what damage is already mounting to records and data, but also, by the minute, to the company’s brand, and reputation. How is the public reacting? What is this doing to the share price? To the company’s credibility? How long will it take to restore and repair? Who is going to talk to the media? Who is going to take the fall?

A company under ransomware siege is a company gripped by panic. It requires careful and well-planned steps to work through the crisis without making rash, tunnel-vision-based mistakes. It demands access to people who know what to do and what to say, and who know just what cards the company still holds.

When ransomware strikes an individual company, that company must close ranks and fix itself with minimized damage. When it hits a hospital, the stakes become even higher. People’s lives are at risk, as all the electronic machinery freezes. When it hits a part of a country’s infrastructure, such as a water purification plant, an oil distribution center, or an agricultural hub, it becomes everyone’s problem.

The Fear of the Cost of Prevention

So it seems that the fear of ransomware should be enough to make every organization take sufficient steps to avoid becoming vulnerable. This includes establishing a solid and efficient backup and recovery process, proactive vulnerability scanning, and appropriate cyberhygiene training for all employees at all levels. In theory, if the data that is being held for ransom has been backed up, then the pirates lose their leverage. Simply restore the data and carry on.

But it’s not as easy as that. Restoring data to a full operational state can take days, weeks, or even months, during which time the organization remains hobbled.

At that point of crisis, when turning to a backup is the only option, some companies might then discover that their data has not been backed up for many weeks and is correspondingly out of date. How could this happen? Because backups are costly and time-consuming. They appear to be like money poured down the drain. They impede the fiscal flow of business.

Humans really don’t like thinking about the bad things that might happen to them, and they certainly don’t like paying for things that might or might not happen.

Y2K was a great example of this. In the 1980s and 1990s it was discovered that hundreds of thousands of computer systems worldwide that were using a two-digit date system would, on the last minute of the last day of 1999, tick over to 00, which would be interpreted and calculated as 1900.

There were worries of aircraft falling out of the sky, power grid shutdowns, and all manner of destructive events to come. Fortunately, enough skilled programmers, many brought out of retirement, were marshaled, and enough money was spent – estimated at $500 billion globally – to thwart most of the problems. The fact that nothing much happened on January 1, 2000, was not hailed as a victory of proactive crisis avoidance, but more like a disappointment that the entire thing had always been a non-event, and perhaps was overstated from the start.2

This is a problem that happens with human beings in general. Being wired for reaction and not pro-action, we find it exceedingly difficult to comprehend threats until they are actually upon us. Endless case studies will be written on this same theme by people observing different countries’ responses to the Covid-19 pandemic, climate change, earthquake preparation, and much more. And by the way, the next Y2K events on the horizon are in 2036 and 2038, so we are not safely through those woods yet, either.3 As a reminder of how pervasive and possible these types of events are, a minor one happened to Microsoft on January 1, 2022, when a bug started blocking email delivery on on-premises servers. This again was due to a date value that maxed out at the end of 2021 and was not able to handle any higher numbers. It was localized and did not cause major carnage, but regardless, it happened.4
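To make the date rollovers in this passage concrete, here is an added C example (not code from the book) that simulates the two-digit-year wrap of Y2K and the signed 32-bit counter overflow of January 2038; the 2036 date is assumed here to refer to the NTP era rollover, which the book itself does not name.

```c
#include <stdint.h>
#include <stdio.h>
#include <time.h>

/* Y2K: a record that stores only the last two digits of the year and
   assumes the century is 1900. "99" is 1999, but "00" decodes as 1900. */
int decode_two_digit_year(int yy) {
    return 1900 + yy;
}

/* The arithmetic that broke: an age or interval computed from two-digit
   years goes negative once the century rolls over (65 -> 00 gives -65). */
int interval_two_digit_years(int start_yy, int end_yy) {
    return decode_two_digit_year(end_yy) - decode_two_digit_year(start_yy);
}

/* Y2038: a signed 32-bit time_t holds at most 2^31 - 1 seconds since
   1970-01-01, i.e. 2038-01-19 03:14:07 UTC. Returns 1 if the value fits,
   which is the check a defender wants before storing a timestamp. */
int fits_in_int32_time(int64_t unix_seconds) {
    return unix_seconds >= INT32_MIN && unix_seconds <= INT32_MAX;
}

/* Simulate storing a 64-bit timestamp in a 32-bit signed field and decode
   the year it reads back as (UTC). Converting an out-of-range value to
   int32_t is implementation-defined in C; on two's-complement targets (and
   by definition in C23) it wraps, which is exactly the failure shown here. */
int year_after_int32_truncation(int64_t unix_seconds) {
    int32_t truncated = (int32_t)unix_seconds;
    time_t t = (time_t)truncated;
    struct tm *utc = gmtime(&t);
    return utc ? utc->tm_year + 1900 : -1;
}

/* Assumed reading of the 2036 date: NTP timestamps count unsigned 32-bit
   seconds from 1900-01-01, so era 0 ends 2^32 seconds later, on
   2036-02-07 06:28:16 UTC. A naive decoder that ignores the era folds the
   very next second back to 1900-01-01. */
#define NTP_UNIX_OFFSET 2208988800LL   /* seconds from 1900 to 1970 */

int64_t ntp_seconds_to_unix_naive(uint32_t ntp_seconds) {
    return (int64_t)ntp_seconds - NTP_UNIX_OFFSET;
}

uint32_t unix_to_ntp_seconds(int64_t unix_seconds) {
    return (uint32_t)(unix_seconds + NTP_UNIX_OFFSET);   /* wraps past era 0 */
}

int main(void) {
    printf("two-digit 00 decodes to %d\n", decode_two_digit_year(0));
    printf("interval 65 -> 00 = %d years\n", interval_two_digit_years(65, 0));
    printf("2^31-1 reads as year %d, 2^31 reads as year %d\n",
           year_after_int32_truncation(INT32_MAX),
           year_after_int32_truncation((int64_t)INT32_MAX + 1));
    int64_t era_end = 4294967296LL - NTP_UNIX_OFFSET;   /* 2036-02-07 06:28:16 UTC */
    printf("NTP era rollover: unix %lld -> naive decode %lld\n",
           (long long)era_end,
           (long long)ntp_seconds_to_unix_naive(unix_to_ntp_seconds(era_end)));
    return 0;
}
```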

This amounts to a dilemma: the fear of losing the business crashes headlong into the fear of commitment to an intangible threat. The collective instinct of many decision makers or their directors is to stick with the adage better the devil you know than the devil you don’t.

Pay the Ransom Already!

The unwillingness to prepare adequately to face intangible dangers is not just a quaint quirk of human nature. It has enormous consequences. Despite having authorities like the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) and others around the world recommending that ransoms not be paid, once the ransomware virus hits, the sudden fear of being sidelined for days or weeks makes it seem like a good idea to simply pay the ransom. It is starting to be seen as simply the cost of doing business.

This, despite the fact that actually paying a ransom is no guarantee that seized data will be released fully or even partially, or that stolen data will be left untouched.

Some companies have started to rely on their insurance companies to reimburse them for the cost of the ransom. In fact, in many documented ransomware cases, the pirates have actually chosen a ransom amount after having analyzed the coverage held by a company’s insurers, and then calculating accordingly.

A fascinating example of this happened to British retailer FatFace in early 2021. It made headlines by appearing to ask its customers to keep its cyberattack “strictly private and confidential,” while paying a $2 million ransom to the Conti cybercrime gang. According to security analyst Graham Cluley, the gang initially demanded an $8 million ransom based on its assessment of what FatFace’s insurance would cover, but the company talked them down after explaining revenues had tumbled due to the Covid lockdown. Furthermore, in accepting the payment, Conti offered tech-support advice to FatFace’s IT team about how to harden its defenses against future attacks.5

As of 2021, insurers the world over started to refuse to pay out claims relating to ransomware. It’s off the table, since it is simply too great a risk to insure.

But even without the insurance companies as a backup, the fear-stricken mind carries on: opening the checkbook to get the business back on track as soon as possible. But what many tend to forget in their panic is that when you’re doing business with criminals, you’re doing business with criminals. They are not always going to play by the Queensberry Rules.6

Furthermore, in some cases, companies have paid the ransom, but then have changed nothing on their systems, security-wise. They are then surprised when the ransomware pirates strike again in exactly the same place, and ask for more ransom. Criminals in this business take neither the high road nor the hard road. They seek the easiest and cheapest route, and will often go back and strike a victim again since they know the lay of the land. To expect them to move on after having had their fill is yet another extension of the “watering hole” willful blindness scenario described in Chapter 9: the assumption being that the lion has eaten, is no longer hungry, and will move on.

In an active ransomware situation, fear flies all over the place. Fear of losing the business drives the executive to authorize a ransom payment. But fear of the cost of prevention then sends them to restart the company without building new defenses.

Very few executives have ever encountered the type of fiendish brilliance and ruthless minds that drive the top echelons of cybercrime. The vulnerabilities within software, networks, and hardware are discovered and exploited by criminal gangs even before the software manufacturer is aware of them. This is known as a zero-day, since that’s how many days’ advance notice the software makers get before the weaknesses are exploited. Naturally, such brilliant minds are to be feared. Equally naturally, most humans will look the other way and avoid them.

The same goes for newer modes of communication and group coordination that occur quickly and highly effectively through new social media platforms. Hacktivists bent on resolution of climate change, economic inequities, and a range of other causes need not resort to injecting malware or writing code of any sort, if they can instead mobilize to sabotage a company’s brand. Many who are in senior management today tend to come from a pre-Internet or early-Internet era, where things ran at a different pace and scale. Most are smart enough to educate themselves on such dangers, or at least hire people to take on these roles, but there will always be a mental imprint of behavior and norms that comes from much earlier in their individual lives.

When You Were Ten

What was going on in your world when you were ten years old? Can you remember that far back? The age of ten can be a pivotal moment in life experience, as it is generally a point of relative stability between the activities of infancy – self-awareness, physical movement – and the chaos and changes of the teen years. At this point, at the age of ten or thereabouts, kids start to take a look at the world around them and evaluate their place in it.

This is important when talking about fear, especially the fear of losing control over a business, because the intellectual response to fear – the use of facts to level out emotion – will be based on knowledge and presumptions.

A leader or manager who turned ten years old in the mid-1970s, let’s say born in 1965, will have arrived at this point of situational awareness at a time when there was no public Internet, no computers, and no smartphones. The telephone was a rotary dial or early pushbutton type, hardwired to a wall socket, and property of the phone company. News was delivered via newspaper as well as by well-known and trusted TV news anchors at one of the three major networks in the United States, and similarly in other countries. Learning about the world in general came from reading an encyclopedia, and ordering things from a catalog involved a delivery period of four to six weeks. The closest people came to texting back then was passing notes in class.

The point behind talking about all of this nostalgia is that it fostered a sense of formality and hierarchy. Your parents got their telephone from the one-and-only phone company, not from a choice of retailers at the mall. News came from a recognized source. Observing these types of activities, passively, as a ten-year-old, naturally instills those same senses and indelibly stamps them into long-term memory.

This means that a manager born in 1965 will likely still feel that meetings should be measured in 60-minute blocks, that they should start at the top of the hour, and that work is something you commute to and from five days a week. Even those progressive managers who have learned to overcome these biases still have to actually overcome them. They are still there.

These biases are also responsible for the seemingly slow response time to cybercrime. When it took weeks for a product to be delivered by mail order back in the day, it is difficult to grasp the idea that a newly released brand of software can be hacked and exploited within hours of its release, or that an IoT-connected smart doorbell can be in any way connected to a DDoS attack on an oil pipeline a thousand miles away.

The “ten-year-old’s bias” sabotages progress, and is in part responsible for the fact that even today corporate boards of directors seldom have time for cybersecurity discussions. A PwC survey of corporate directors conducted in 2016 showed that the majority of respondents reported that their boards

…had at most one technology-related discussion a year, and almost half claimed that the attention they gave to technology was insufficient. More than half of board members also felt they should hold more discussions of how technology will affect their industries in the coming years, but fewer than 30% actually had these kinds of discussions. Only one-quarter of boards report that they review formal reports from the CIO at every meeting, and on average boards claim to spend about 5% of their total hours each year on IT oversight.7

Although 2016 was a long time ago, progress has been slow on this front, leading some in the industry to suggest that IT should no longer be a silo unto itself, but should be moved “out from under IT and treated as a business risk rather than a technical problem.”8

The Challenge of Agility

Frankly, it’s a tough time to be agile. Companies have been using this term for a while to help describe themselves as nimble and responsive to changes in the marketplace. Yet they still try to hold on to a lift-and-shift mentality which tries to copy real-world office practices such as meetings, and paste them, often reluctantly, into a virtual space.

The word agile, whether capitalized or not, refers to a philosophy of software development, in which substantial transformation was introduced to the vast global community of coders, developers, and testers in the form of the Agile Manifesto, written by a team of seventeen software developers in 2001. It substantially changed the way software was to be developed, tested, and managed, by essentially following a non-linear design approach.9

In short, rather than move the software in steps along an assembly line, or as they called it, a waterfall (as in water cascading down successive layers or steps in a landscaped waterfall), the culture of testing had to be radically shifted to earlier in the development timeline in order to maximize the chances that the software – that runs apps, gas pumps, and everything else we depend on – works properly the first time out.

Agile for software development was a new and fear-inducing change for most people in the software development world, and it was not universally well-received. A great book that covers this specifically for the high-tech sector is The Kitty Hawk Venture, written by Aruna Ravichandran, Jeffery Scheaffer, and Alex Martens.10 It highlights the significant degrees of cultural resistance put up by software developers who face the threat of transformations in the world of DevOps. It is surprising to discover such stubbornness and fear within a culture that to outsiders seems dynamic and progressive. But software developers, too, in cloud and mainframe alike, are fearful for their livelihood. They do not wish to be digitally transformed out of a job.

For mainstream companies, being agile will always be a challenge. It is not easy to turn a large ship in a tight circle, and that’s what agility truly means. All attempts to move companies digitally forward were already facing resistance prior to 2020, but were further substantially stymied by the Covid pandemic, which damaged economies and slowed progress, and also let the genie out of the bottle regarding work-from-home options.

So, in addition to contemplating the introduction of technologies like artificial intelligence and machine learning, and in addition to struggling with the incomprehensible world of cybersecurity, companies found themselves having the rug pulled out from under them almost literally as they saw their need for floor space get reduced due to their workforce opting to work from home.

The fear, then, of losing the business is a bit of a double entendre. It refers first to a concern that the business itself might fall apart due to the changes described above, but it also reflects back on individual managers and leaders. In addition to losing control over their employees as described in Chapter 8, here they are also feeling that they, too, are being pushed out of the loop, that they are losing much of what they understood business to be about.
