Security or app continuity? An open letter to CIOs
by John Browne, on Aug 21, 2019 1:52:56 PM
I'm writing you today as a friend. Seriously. I'm not trying to sell you anything (ok, our sales department is probably trying to sell you something, but I'm in a different group).
I'm trying to save your career.
Wait...don't leave just yet. Bear with me for a moment.
Let me tell you a tale of two CIOs. Call them Abby and Ben.
They're both pretty similar: in their 40s, at the peak of their careers, CIOs for mid-size companies, smart, buttoned-up, solid. The kind of executives who have color-coded Outlook calendars and block out time just for thinking.
Abby and Ben's careers looked almost identical for most of their lives, until The Event. The Event in question was in Ben's camp: it started with a 5am text message that woke him to the news that his company had been hacked via a buffer overflow attack on a legacy desktop application. Seems a disgruntled employee had managed to walk out with the PII of several million customers.
What made it tough for Ben was that he had repeatedly ignored warnings from his staff that their legacy systems were vulnerable to attack. Ben had chosen the path of concentrating on building new applications to take advantage of all the awesome digital transformation stuff that made for exciting board meetings. Senior management didn't care about fossilized applications from the 90s; they wanted to see cool stuff on their iPhones.
Abby had taken a different path. Early in her latest gig, Abby launched an initiative to inventory all the legacy apps and bucket them based on business value and technical quality. She created modernization plans for all the mission-critical apps and sunset plans for all the non-critical apps. She gave the board accurate data about the risks of unsupported platforms and legacy apps full of technical debt, which resulted in budget for a staged, multi-year plan to modernize or eliminate all their legacy code. Priority #1? Apps that offered any possible vector into corporate assets like customer PII databases, credit card numbers, or IP. Apps written in obsolete languages like COBOL, RPG, Visual Basic, or PowerBuilder--where app security was not part of the runtime framework--were retired, rewritten, or migrated to modern languages and secure frameworks like .NET.
Ben's not a CIO anymore. He doesn't work at that company anymore. In fact, he's not in IT at all. His resume has a big stain on it that will never go away. His former employer, considerably diminished by the aftereffects of the hack, is still around. People there view everything as either before The Event or after The Event. Publicity of the hack led to lawsuits and lost customers. Management had to divert resources into a crash program to address security issues and legacy applications. Weakened financially, the company is currently fighting a hostile takeover.
Abby's doing fine, thanks for asking. She recently took a much-needed vacation to Bali, where for two weeks she and her family relaxed. Not once did she get a call or text message about work. Her IT department is a smoothly running machine delivering value to both internal and external stakeholders. From time to time she pulls out an offer letter she tucked away in her beach bag--a very nice offer indeed from a much larger organization to run their IT department. She told them she would give them an answer when she returns from vacation.
From where Abby sits, it's blue skies as far as she can see.