Self congratulation ... too soon!

I recently attended a meeting with a group of fellow security professionals. There was a brief post mortem of the recent WannaCry exploit. There was general frustration at the way the British press covered the issue, simplifying it to the point that it was just another virus. But even more damaging is the way they treated it as if it was ONLY an NHS problem, even reporting on the progress NHS sites around the country were making to come back online. This gives the impression to the general public that other organisations were not affected, which is patently false.

Another comment that was made was that this would be a boon for the security industry: that the boards of directors across the country will suddenly see the true value of IT and IT Security, opening up their pocketbooks, and that the WannaCry exploit and the upcoming GDPR regulations will be good for the industry.

In my own experience, the boards are really only interested in one thing: making money. If you do not generate revenue for the company, then you are a cost and immediately relegated to a second tier. It doesn't matter if what you do will save the company millions. You are still a cost.

WannaCry and GDPR are not going to be good for the industry. They will just put more pressure on the IT and Security professionals out there. The board will see WannaCry and GDPR as inherently IT problems and politely ask their IT and IT Security people to ensure they address these problems. Board obligation handled, full stop. Will they release more money? No. Highly doubtful. So this just means that there will be even more pressure to get the job done, with a budget that seems to shrink on an annual basis. When it breaks, it will of course be the fault of the CIO and CISO, not the board.
