Can you blame people (or politicians) for choices they make when they have no clue? Of course you can. That’s how they – and all of us – learn. And having no clue is no excuse for bad business decisions. Nevertheless, most managers and leaders get away with it. Again and again. No wonder we’re in trouble…
Even toddlers have to make decisions to survive. They learn the hard way, while we – parents and caretakers – make sure they don’t fall too hard. Unless they fall and get hurt, they don’t learn.
People make stupid choices all the time. Actually, most of the bad news hitting us every day is caused by people making stupid choices. They get paid for it – and like toddlers who are never allowed to fall, they don’t learn. They get bonuses – and continue to make mistakes. Sometimes – quite often, actually – with big consequences (see also Security: Everything is Broken).
Ransomware incidents don’t make the news cycle all that often anymore, for the obvious reason that they’ve become commonplace. We – the public – get bored easily; we want new stuff, not ‘more of the same’. The news cycle is entertainment more than anything, which may be good for the media but bad for everything and everyone else.
Apologies for the digression, let’s head back to ransomware. There is another reason for the relative silence: those hit by successful ransomware attacks – and there are many of them, even big ones, every week – don’t want us to know. For the simple reason that they – top management and security management – could be fired. Actually, they SHOULD be fired, because successful ransomware attacks are almost always caused by sloppy security accepted by sloppy management. Almost always, as in more than nine out of ten cases.
Municipalities, schools, hospitals, government bodies, industry, companies small and large – there are successful ransomware hits in every segment every month and it’s getting worse. Why? Don’t we learn?
I hate this answer: yes and no. But that’s the truth. We do learn, but we don’t act. We invest in band-aids – buy more stuff, change more procedures, move some heads around – but ignore the root causes, usually because they’re too painful to touch. So painful that we (apparently) would rather get hit by successful attacks than deal with them. It sounds insane, yet here we are.
Here’s the thing: there isn’t enough expertise out there to deal with the flood of attacks. Recent analyses (such as one from the World Economic Forum in late 2022) show that the world is short some 3 million cybersecurity professionals. Which means that thousands and thousands of small and medium-sized datacenters, even big ones, are competing for the same (few) heads and obviously not getting them. The result? Mediocre security – and a lot of other mediocrity.
Why is this acceptable? It isn’t. What’s the solution? Close down. I mean it. Tens of thousands of small and medium-sized datacenters should be closed as soon as possible. In fact, they should have been closed a long time ago. The logic is too obvious to repeat, but let me do it anyway: if you need to build a house and cannot find qualified professionals to do the job, do you pull random people off the street to do it? Of course not, but that’s what we do in cybersecurity, sometimes even in IT operations.
I’m exaggerating, but not by much. This is the primary reason behind the wave of successful ransomware attacks – and a host of other successful cybercrime and cyberwar operations. There just aren’t enough soldiers to defend the systems and the centers. Even worse, and this is where the ‘no clue’ factor comes in: most of these small and medium-sized datacenters aren’t needed. The services they deliver can be ‘produced’ more safely, more cheaply and more professionally by larger units with the resources to attract, keep and develop the ‘soldiers’.
When I present this point to IT departments and C-level management, I usually get something like ‘this is what we do already, we’ve moved everything to the cloud’. Not true. While most of these datacenters have moved some load to cloud providers, most of them are still running ‘the show’ (operations) themselves. The physical resources have changed location but the rest is pretty much the same: patching, identity and access, backups, monitoring and incident response are still done by the same understaffed team. The IT department is now (partly) managing remote resources instead of local ones.
This isn’t progress, it’s not even real change, it’s a move. And it doesn’t solve the talent and expertise crunch – which is global and growing rapidly. Not only in security but in data science, AI/ML/LLM, DevOps, system architecture and more. This is a fact. Not dealing with it, but rather pretending to management that ‘we’re doing whatever is possible’, is unprofessional. The Ukrainians don’t ask Putin to delay the next wave of attacks so they can build up their defences. That would be useless, and so is pretending you can hire expertise that doesn’t exist.
So let’s get real and get the priorities right: if what we have is, for example, insufficient security (a fact), change it – one layer after another until you get it right. Does it hurt? Of course, but getting hit by a wave of successful attacks hurts more. Don’t move machines; regroup and/or redesign the production and delivery process (also known as ‘digital transformation’, by the way).
The fix is to locate and work with professional partners that HAVE the expertise you cannot get. ‘Hard to get’ doesn’t mean ‘doesn’t exist’, and we’ve dealt with scarce resources before, haven’t we?
It isn’t easy, and it’s not done overnight, but it’s urgent and it’s doable. Many have done it – fortunately – but most have not. Waiting is unwise. No clue is not acceptable.