Crying wolf

All weekend the question “A SQL injection attack, in 2015?” has been going around my head.

If you don’t understand why, you must have missed the news that UK Telco TalkTalk had suffered a major theft of data from what it appears were its woefully inadequate systems. If you don’t understand “SQL injection attack” I’m increasingly coming of the view that you aren’t fit to be in the boardroom of a listed company.

For the most part I’m fairly dismissive of the IT security industry. Parts of it (yes, you, Antivirus companies) appear to be little more than an elaborate protection racket. Others seem to be unable to understand that risks are things be assessed and managed, not thoughtlessly acted upon.

And it’s this crying wolf that I think means that we need to rethink how we address issues of technology management, including risk and security, in our institutions.

A couple of weeks ago I heard someone ask the question “Who ultimately is accountable for sales performance in an organisation?” The answer, fairly obviously, is the CEO. A Sales Director is responsible for the operational delivery, but its the man or woman at the top who has to answer to shareholders if revenue falls off a cliff.

Technology is becoming so much a part of the way in which organisations now operate that I believe we need to head to similar levels of accountability. Yet it’s still common to hear claims of Luddite-ness being worn as badges of honour in the boardroom in the way that an inability to add up numbers simply is not.

The IT Security industry cries wolf on irrelevances, and then usually pushes some new layer of technology to solve the problem. As TalkTalk have shown, if the problem is an inability for management to adequately assess risk and then act, the solution to cyber security does not lie in technology. It lies in changing behaviours – of customers, of suppliers, and of the people who manage and own those organisations.