Executive Management and the Board of Directors
are asking Chief Information Officers (CIO) and CISO's about
WannaCry this weekend. The illiteracy and complacency of key officials
in business and governments across the globe are again evident today:
"The ransomware strain WannaCry
(also known as WanaCrypt0r and WCry) that caused Friday’s barrage
appears to be a new variant of a type that first appeared in late March.
This new version has only gained steam since its initial barrage, with
tens of thousands of infections in 74 countries
so far today as of publication time. Its reach extends beyond the UK
and Spain, into Russia, Taiwan, France, Japan, and dozens more
If you are an Operational Risk
Management (ORM) professional in your particular organization, you may
be on high alert. You may have had a few sleepless nights since Friday,
as the wave of infections propagated across systems and networks
running Microsoft operating systems.
Are you or your organization a victim? Why?
illiteracy and complacency of senior management across commercial and
government enterprises about information security, continues to plague
our critical infrastructure sectors and institutions. In 2017, this
fact is our greatest vulnerability and threat.
any legitimate organization both public and private explain being
subjected to an exploit, that has been known about for months? What
excuse could there possibly be, for not having patched a system, that is
most likely far beyond "Out-of-Date"? There will be many excuses told
and so many others trying to explain to the Board of Directors about the
lack of funding or the vast complexity of a systems network. Yet here
we are in 2017, with the same set of complacent attitudes and practices
still in existence.
Emily Dreyfuss at Wired.com
sums it up nicely from a government perspective:
of this underscores how digital illiteracy at every level of government
endangers the security of the nation and the functioning of democracy.
It takes a multi-pronged, concerted approach, with smart internal
policies, federal legislation, tech savvy diplomats, and a willingness
to realize information security is a critical skill for the defense of
the nation—all of which is incredibly difficult to achieve even when a
government is functioning well."
At the dawn of
the World Wide Web, many of us in the "Information, Communications
& Technology" (ICT) industry, understood and studied the new
ecosystem and battle space evolving before us. All of those subject
matter experts and government officials, have been immersed in the
Internet environment for over 20 years. Even to this day, we wonder why
executives still "Don't get it."
In many cases we
understand that not every executive is going to understand the tech
vulnerabilities of ransomware. Yet are the same executives capable of
understanding the simple concept of Disaster Recovery Planning? The
ability to accomplish incremental and daily back-ups of data? We think
they also can understand the concept of patching systems that are
The budgets devoted to ICT are in many
cases a mystery to illiterate executives. CIO's and Chief Information
Security Officers (CISO) would most likely say in general, that they do
not have enough resources to fight the battle. This is known.
that occur within the ranks of senior management are now maturing to
the point of focus on building digital trust across the enterprise. The
decisions to trust between humans is different than the decisions to
trust between machines. Or is it?
Achieving Digital Trust
requires a vast yet easily comprehended set of rules and policies. Is
the United States losing the race for "Digital Trust?" Consider this
blog post from Jeffrey Ritter
toward digital trust, whether enabling commerce or government
autocracy, require enormous resources to create the inter-dependencies
and inter-operabilities that enable digital information to be functional
and useful. The conspicuous absence of those resources is simply
leaving the United States on the sideline. The disruption of digital
trust may likely gain such momentum that no amount of “catch-up”
investments will enable the combined assets of government and industry
to catch up in the global, wired marketplace that now exists."
management across America has a choice. You as an individual could
raise your education and awareness level on your ICT landscape, in
several ways. This in turn, may reduce the overall level of illiteracy
and complacency across our critical infrastructure domains. This will
eventually lower our vulnerability over time. Here is one solution: StaySafeOnline.org
Let us start the lesson by defining the landscape and the battle space. What is the "Deep Web
It is that part of the online universe, that is not indexed by
traditional search engines. But how large is it? When asked this
question to many executives, they have no idea. Not a clue.
"Deep Web" is 500+ times larger than the surface web and growing. The
"Deep Web" is 7500+ terabytes vs. 19 terabytes that Google and others
capture. Wake up and realize the magnitude of the problem-set, as you
consider the next budget allocations for the safety and security of your
The Trust Decisions you make with your
colleagues, partners, employees, customers, communities and countries,
will either make you more trustworthy, or will erode and erase trust.
At the pinnacle of your next major Trust Decision, ask yourself whether
you are truly "Achieving Digital Trust..."