Equifax

Much is being written about the Equifax data hack. You can read about it here or here or here if you’ve not yet read much about it.

I saw a post on Twitter the other day that cracked me up.


One report in the NY Times suggested that Equifax doesn’t even know who is impacted.

Here is the deal: Equifax’s business is to gather this information and sell it to third parties. When you need a loan or want a new credit card, the company extending credit to you goes to this company, or ones like it, to check on your credit. They gather this information from lots of different places and you have no option to tell them to stop doing this. They are creating this database of information about you and you have no control over how they protect this most sensitive information.

We are the ones impacted by their lack of security. We are the ones further impacted by the huge delay in telling us. What was stolen is about us and it impacts us. Equifax might take a stock hit, but not much more.


This company needs to be put out of business. The class action lawsuit should put them out of business. There should even be clawbacks on executive compensation and stock options.

A year of credit monitoring is not even meaningful punishment for this poor stewardship and lack of proper security protection.

Company and organization leadership teams need to take the protection of confidential information seriously. There need to be examples, like this one, where the company is put out of business because of its lack of proper attention and focus. Probably the CIO will be fired, but really, the board and the senior leadership team should be fired.


Getting Better?

I usually don’t pay much attention to IT futurists who like to tell us how IT will look in a few years. I mostly think those articles are written by people who are looking to increase their following or subscribers and are not likely based on real insights. One group I followed years ago wrote about Future IT and while some of the points were great, I thought others were absurd.

But, as I think about IT and where it is going, I think corporate IT is getting smarter and has more options than it has had in the past.

  • We can host applications internally or in public clouds or in a blend.
  • We can use open source solutions for some parts of the stack.
  • We can virtualize services and avoid more and more hardware.
  • We can use SaaS solutions in some cases.
  • We can outsource parts of our service in areas where we don’t want to operate.

And we have new IT visibility tools that can give us deeper insights into our own operations than ever before. ServiceNow, Apptio, and xMatters give us more options than ever before.

I’m not sure we are getting smarter and I’m not sure if we are getting more respect from our business partners, but I do think we have more options than ever before.

What do you think?

Audit and Security

I heard of a place where internal audit was told to do a comprehensive security audit of all aspects of an organization. All aspects.

How is that possible?

The IT organization is likely working at 110%, with all their energy and effort going to manage, monitor, invest in and improve an organization’s security, so how can a short audit effectively grade how they are doing? Now I suppose that if the auditors were knowledgeable about security and if there were huge gaps in what IT was doing, then those would surface in the audit. But how could a short audit detect deep matters in the enterprise?

Further, how can an IT organization comprehensively know that all is in control? And how can a CIO assure a board that everything is under control?

They can’t.

They can only attest that they are doing all they know to do, they are vigilant and they are working to set the tone across the enterprise that all must work together to secure the organization.

They can only assure that they are doing all they know to do.

These are difficult times for CIOs.

Get the right information to the right people at the right time

There is a really great post over at e2open about what CIOs should be focused on at work. I’ve thought about it a lot since reading it yesterday. The only thing I might add is that CIOs should also be focused on keeping information out of the wrong people’s hands. Get information to the right people and keep it from the wrong people. Is it that simple?

What do you think?