Hope for the best…
As global conflicts expand online, large companies, specifically large financial corporations, are spending more time and money on the protection of their data. Much of this work is still in its infancy, and those intent on doing harm, or simply causing mischief, maintain a clear advantage.
If the well-moneyed financial sector is in a perpetual race to catch up, the state of smaller enterprises, nonprofits and mom-and-pop shops is terrifyingly worse. I’ve spent the last 10 years in the public and nonprofit sectors, and what I’ve seen has made me lose sleep. Compared with the progress of some larger institutions (their preparedness strategies, training, governance and response), the paltry efforts of smaller enterprises, institutions and organizations should keep you up as well.
On Friday, Sept 30, 2022, I attended the ISACA New England Chapter’s Cybersecurity Summit in Boston. The gathering was more sparsely attended than I had expected, but there was an advantage in this that I discovered as the day went on.
The advantage for me of fewer attendees was that I had time to speak to every vendor and a large number of professionals across many industries. The sameness of our challenges was both unsurprising and a little scary. The overwhelming amount of information exchanged among my peers helped bring me to a conclusion: no one is doing enough.
One of the central themes was that those of us “burdened with knowledge” were also burdened with work, overwhelmed with a lack of support and exhausted because we are largely undervalued, under budgeted and under voiced.
This wasn’t the mythical sales conference centered around a rah-rah pyramid scheme presentation that many folks envision when they hear the word “conference.” It was an informative, difficult, long confrontation with the stark reality of our individual personal stake in keeping our companies or organizations safe. It was also a stark reminder that we are, as Samuel L. Jackson’s Nick Fury said in Marvel’s The Avengers, “hopelessly, hilariously outgunned.”
Unlike Earth’s mightiest heroes, we don’t have a Tony Stark, millionaire playboy philanthropist, just a bottom-line-focused board or owner(s) who are often too embarrassed to admit that they have no idea what the hell their IT guy is talking about.
As I digest everything I experienced at the summit, and continue to experience both in my role as a technology director and in my consulting practice, I hope to share as many of my conclusions, and remaining questions, with you as possible.
Of course, I won’t be providing any direct reference to the clients I manage, my peers or my employer. But I will, as often and in as much detail as allowable, give my thoughts on how we as Information Technology professionals can present and push the need for training, supporting and encouraging a more security-minded culture where we work, regardless of what we do or the scale at which we do it.
I’ll also provide some valuable insight to any non-IT leaders who hold the purse strings and sway over security decisions at all manner of organizations, from large and growing for-profit companies to charitable organizations and nonprofits of all sizes. The case will be made, and reinforced by data, that not only does forewarning equal forearming, but that investing in preventive measures is more cost effective than the damage to reputation that lackadaisical security practices invite.
Above all, I want to express and stress, as the title of this post suggests, that the attitude most non-tech owners, operators and boards have toward security is no longer valid. Hoping for the best without preparing for the worst may be your downfall.