A recent report found that many IT departments have struggled to prioritize upkeep, with innovation often winning out. Letting tech resiliency efforts lose steam, though, is a recipe for disaster.
Last month, something really crazy happened: Your college band’s demos disappeared from the internet—along with every other college band’s demos from the mid-2000s.
OK, maybe you weren’t in a college band—maybe that was your roommate in the dorms. But a lot of music disappeared from the internet after the social network MySpace revealed that it had lost all of the music uploaded to its site between 2003 and 2015. That’s a lot of MP3s—and a lot of culture—lost in one fell swoop.
What the heck happened? Well, according to MySpace, it was a case of a server migration gone wrong, though some are skeptical of the official line. No matter what it was, the truth is that an important resource was lost forever, with the faded social network’s primary cultural and strategic advantages lost in the process.
Could you imagine something like that happening to your association? All of a sudden, your website goes “poof”?
And it doesn’t have to be user error at play—it could be due to bad device security, poor vendor hygiene, malware, or even misconfiguration. Pick your poison.
It was with this mindset that I stumbled upon a recent study from the IT security firm Tanium, which made the somewhat harrowing case that resiliency efforts—from updates to laptops to maintenance on servers—are falling by the wayside out of an interest in forward innovation.
According to Tanium’s report—“How to Avoid Disruption by Bridging the Resilience Gap” [registration]—94 percent of chief information officers (CIOs) and chief information security officers (CISOs) admitted to having to make compromises in their security decision-making because of issues within the organization. Much of the problem comes down to visibility: Sometimes it’s hard to understand what all the laptops, desktops, servers, and external services are doing, and with 32 percent of respondents reporting departments working in silos, IT departments are finding their decision-making abilities being limited by external needs.
Simply put, it makes deploying a critical patch or keeping unauthorized software off users’ machines a total pain. The report added that 81 percent of CIOs and CISOs reported holding off on a security patch for this reason—52 percent more than once.
“With a large percentage of breaches tied in some way to patching problems, organizations can’t afford to hold back critical patches,” said the report.
Of course, when it comes to security and resilience, it’s not just about patching drivers. It’s about ensuring there’s redundancy and safeguards in place—because when they’re not, it can be a recipe for disaster.
And there was a section of the report that really had me thinking of what happened to MySpace:
“Digital-oriented businesses must be prepared to safeguard assets, protect customers, maintain brand reputation, optimize workflows, and mitigate the likelihood of data being compromised. Regardless of the cause, a business grinding to a halt, even for a matter of minutes, can affect customer confidence, brand equity, and ultimately revenue—not to mention productivity. North American businesses alone are losing $700 billion every year to IT downtime.”
All of which is to say that “cybersecurity” doesn’t just mean fending off malware or phishing. It means protecting your data and prioritizing your processes to minimize both data loss and downtime.
Fact is, when you’re running an organization, you have to build for resiliency, which comes in many forms. A short downtime is bad enough, let alone catastrophic data loss. If you have legacy information that you need to keep around, you have to plan for that!
And a large part of this is cultural: the inability to get the people who need to care about it to actually do so. MySpace was working on a way bigger scale than most of us do—50 million songs is definitely challenging to protect and salvage over a long period of time—but one has to wonder if stronger priorities might have helped the company avoid disaster.
That said, there are signs of hope for those who would like to see their organizations focus more on security needs. The United Kingdom recently released a study [PDF] analyzing the cybersecurity readiness of the country’s businesses and charities and found that many organizations had increased their efforts to improve cybersecurity in the past year, with the European Union’s General Data Protection Regulation a driving factor behind the shift. (Insert Brexit joke here.)
I’m sure the concerns about GDPR compliance got people more worried about privacy and resilience over the past year. But as GDPR starts to fade from the conversation, there needs to be discussion about the maintenance needs of the IT department—not just regarding EU regulatory policy, but in general.
Having an innovation mindset is great within an organization—and it’s something I push for organizations to have with these columns—but it can’t come at the cost of the fundamentals.