Most people overestimate what they can do in one year, and underestimate what they can do in ten years.
Think long term. Use the future.
Don’t be short sighted. Don’t be a donkey.
Source: Don’t be a donkey | Derek Sivers
Most people overestimate what they can do in one year, and underestimate what they can do in ten years.
Think long term. Use the future.
Don’t be short sighted. Don’t be a donkey.
Source: Don’t be a donkey | Derek Sivers
“A lot of smaller communities are resource-constrained. If you have a million dollars, are you going to fix the potholes constituents have been calling about, open parks and swimming pools for the summer? Or buy new servers and do all the things that are going to make you more secure?”
“When Ransomware Cripples a City, Who’s to Blame? This I.T. Chief Is Fighting Back“
New York Times, August 22, 2019
Yes. The answer is yes.
Municipal leadership, like the leaders of any organization, are tasked with balancing the seemingly endless number of competing priorities. That’s why they get paid the big bucks.
Crumbling physical infrastructure or reductions in municipal service offerings are always sure to elicit strong reactions from residents and constituencies. Technology assets and infrastructure are not as visible to their end customers. As a result, software updates and hardware refresh cycles often take a back seat because “well it still works” or “but we only bought that server 5 years ago and it’s not broken.”
But in today’s operating environment, proper maintenance and risk management of a municipality’s technology infrastructure, endpoints, and systems are as just as critical as the maintenance and risk management of its roads and bridges.
When faced with audit findings and risk assessments, far too often management takes what is viewed as the “easy” way out: just accept the risk. I mean, it’s just a checkbox or your initials, as opposed to thousands of dollars and person hours that could be used for other things, right? Quick election cycles and the tendency to kick the can down the road for the next administration makes accepting the risk even easier…let the “next guy” deal with it in the “next budget.”
But the crucial caveat that management is failing to remember in these situations is that when you accept the risk, you accept the risk.
In the case of Lake City’s ransomware attack, I look forward to seeing what comes out through public records requests and the legal process. It should be relatively easy to determine what decisions were documented and what actions were or were not taken.
It is crucial that this incident be a lesson to better understand that day-to-day actions and decisions do have consequences:
Regardless of how management chooses to act, remember this invaluable advice from SANS NewsBites Editorial Board Member William Hugh Murray in reference to the Lake City incident:
Any such risk acceptance, and its acknowledgement by the leadership, must be documented. If that was done in this instance, Hawkins will have a good case. In the absence of such documentation, his case may turn upon the honest recollection of that leadership of a decision made months ago. The three rules of risk management are document, document, document.
Happy eighty forth, my dear friend…
Horrible news today out of Ethiopia, with the loss of a second Boeing 737 MAX 8 resulting in the deaths of all aboard. I’m grateful to learn that the recorders have been recovered, though one was severely damaged. Hopeful Boeing and the authorities can piece things together quickly.
Reading the initial reporting on today’s incident, this amateur plane nerd’s first reaction was a single word: Prius.
Remember when shortly after the Prius hit the mainstream there was a series of unfortunate events involving vehicles and their occupants sailing through hedge bushes and shopping mall storefronts? Toyota did eventually issue software updates to help prevent crashes, but over time the platform also became familiar to the public. Now, we see more and more models with push button starts and unconventional shift levers and transmissions.
This is the Prius, at scale. Boeing is already working with the FAA to deploy software updates to improve safety, and I’m sure they will help prevent future events. But training and familiarity with an aircraft and, now more than ever, its software, will always win the day. Like when you hit birds and determine your best bet is to go for a swim.
If I call your company’s 24 hour support hotline at nine on a random Sunday night and the first thing that comes on the line is your front-end message announcing “unusually high call volume,” what you really are telling me is that you not only don’t care about service you’re giving your customers, but don’t care how routinely overworked your call center staff is as well.
“We are experiencing high call volume” is just like “please listen carefully as our menu options have recently changed” – they are the “under construction” clip art of the 21st century IVR system. Just don’t use it.