You think Target was a big deal? Get ready for more of the same thanks to the attitudes and understanding of consumers and corporate leadership.
The cultural disconnect between business decision makers and technology risk remains epic. They still believe this is a technical problem, handled by technical people, buried in IT. You don’t need to look any further than this report by NPR on digital startups and security at CES by Aarti Shahani (@aarti411).
In the piece, one startup CEO for a wearable that is gathering sensitive health information says, “So what kind of security you will need with your own sleep and wellness data, which is stored in your own mobile device?”
I get the fact that he is focusing on feature and function because he has limited resources, but c’mon man! He was being interviewed by a national radio program and demonstrated complete ignorance of the security risk. This is not some thoughtful trade-off, or strategy, this is pure ignorance.
This is a CEO who, if he is successful with his company, will be wondering later why he has to invest in all this “security” stuff. Didn’t he hire people to take care of this? Did he hire the wrong people?
Or worse, after his wearable gadget leads to the compromise of millions of people’s personal health information, will he feel responsible, or just scramble to find a way to save his company?
Has he signed off on the privacy language on the website with equal lack of knowledge? The FTC loves to hold companies liable who carelessly promise security to consumers and fail to deliver.
With such wanton ignorance, will he skip any consideration of public-cloud related risk when he decides that’s a great new strategy that will benefit his customers and his shareholders?
In another story on NPR by Dan Charles (@nprdancharles) about sensitive information in the cloud, the focus is on both customer knowledge and corporate decision making. This is a story about farmers allowing the big agricultural companies like Monsanto and John Deere to gather sensitive, detailed information on their entire cycle of crop management. There are questions posed about cloud security, farmer knowledge of technical risks, and the use of the data to potentially manipulate markets.
The farmer says (I’m paraphrasing): “I don’t have a problem with them gathering this information. They’re my partner.” The companies say: “We will always protect the information and we would never share it or manipulate markets.” Does this tune sound familiar?
I’m explicitly not calling into question Monsanto or John Deere’s decision making because I have no knowledge of it, unlike the CEO above. I’m calling attention to the issues that are swirling around us and a continued ignorance of consumers and many corporations. As digital business rises more failures will mount until understanding and decision making improves across the board.
Accepting risk is always a legitimate business decision, but it is only defensible if it follows a serious consideration of the attendant risks. You can’t just stay willfully ignorant and say “we accepted the risk.”
Security by heroes doesn’t work anymore. “IT risk is business risk” is not just a platitude anymore. Business decision makers can’t remain disconnected from a proactive consideration of technology and privacy risks as they engage in digital business.
I applaud NPR for their stories and I hope to see others in the press keep after these issues.