Trying to explain WannaCry Ransomware makes me want to cry
This article was originally published on May 24, 2017 and written by Rodney J. Johnson.
While this is a nice, factual explanation of what the problem is, it doesn’t really help us to come to grips with it, either from an organizational standpoint or an individual one. To truly understand what WannaCry means to us, we have to embrace all the ugly details.
How we approach problems may make them more difficult. Alan Kay once said that "Point of view is worth 80 IQ points." What he meant was that when looking at a problem, the proper frame of reference makes all the difference. Looked at in the right way, difficult problems become easy. Looked at in the wrong way, they become intractable. With one point of view, we gain 80 IQ points and look very smart; with another, we lose 80 IQ points and look very dumb.
Enter the modern world, where problems to be solved are already very difficult. Problems become difficult when they are ill-defined, amorphous, key details are lacking, and starting points are obscured. Additional problems include lack of apparent cause and effect linkage, slow feedback loops, and unclear search spaces (it isn't apparent in what space the answer is to be found).
One of the factors that compounds our collective inability to solve tough problems is the "silos" issue. In order to be good at our normal day-to-day jobs, we need to be specialists. We learn to drill down in our knowledge; to know more and more about less and less. This means that each one of our available frames of reference becomes smaller and smaller each day. This is not to say we shouldn't be specialists. We have to be specialists or we can't do our jobs well. It is to say that no one can solve today's problems while working as if on an island.
Rodney J. Johnson is currently President of Erudite Risk, Co-Founder of the KBLA, and Founder of Resilience Cloud. He has spent most of his work life in Asia. Working in both the IT and the risk management sectors, he has been based in Korea and Singapore, while running companies with direct operations in Korea, China, Singapore, and India. He is the former country manager of a Korean subsidiary of a Silicon Valley operating systems start-up acquired by Samsung SDS, Korea’s largest systems integration company. Following that acquisition, he served as the chief operating officer of the new Samsung SDS–affiliated company that resulted from the acquisition.
Rodney J. Johnson is also a former technology analyst, reporting on Asian technology issues, and served as an intelligence analyst in the US Army. Over the last 13 years, he has led or been involved with more than 2000 risk management and security-related cases for multinational companies in Asia, as well as directly consulted for more than 30 of the Fortune 100. He has a BA in economics and mathematics and an MBA from the University of New Mexico's Anderson School of Management.
We can function on known issues in silos, but must leave them to find answers to tough problems. We need to partner with those in other disciplines and become a multi-headed, multi-disciplinary Hydra. If Ghostbusters were formed today, it would be a multi-disciplinary team.
Consider a hacking incident, such as the WannaCry ransomware outbreak, which spread on its own by exploiting unpatched Windows SMB services and disrupted UK hospitals. A single incident such as this can impact an organization and its stakeholders on so many levels that no one person can hope to truly understand its ramifications.
Who's afraid of a little hacking incident?
When an incident such as this occurs in an organization, management must call in a variety of internal and external help to address the problems from every possible point of view. It goes without saying that the lawyers are going to need to be called. We've all got them on speed-dial. Hacking incident? We'll need IT help: cyber forensics, cyber investigators, software and hardware vendors, and the business continuity and disaster recovery people. Was it an inside job? Does an internal investigation need to be performed? Controls must be audited. Policies and procedures must be reviewed to figure out if the organization has liability; if it followed its own policies and if those policies were sufficient to begin with. Was the organization in compliance with global policies and local rules to begin with? What about crisis management? Surely, there is room on speed-dial for the public relations firm. Are we insured for this? If we weren't before, we will be going forward. Is our information and data now secure and, just as important, has data integrity been maintained? Can we trust our own information? How long will it take us to recover? Have those business continuity guys arrived yet?
Ok, whew, everyone is here and they are, wait for it, all working alone, in their silos. No one understands what any of the other people are doing. No one even knows each other. What is the likelihood of an optimal result? Let's pose the question another way. What are the chances that we will end up exactly where we were before the incident, with holes, gaps, unworkable solutions, and no safer than we were before? Which chances are higher?
You do what you do. I do what I do.
The problem with working in silos is that we are inevitably stuck in one frame of reference and that frame of reference is insufficient for truly understanding tough problems. If our ideas are unworkable in practice or deficient in some way, we won’t know it because we don’t know what we don’t know. It is not enough to bring in a variety of experts to help out in each area. The experts must actually work together while solving the problem and in order to do that, each one must know something about how the others operate, what their expectations are going to be, and how they, themselves, see the problem.
In an environment where experts work in silos, policies get drafted that are impossible to implement, procedures are imposed that must be ignored in order to execute other, competing procedures, and people sit around quietly whispering to themselves, in their silos, “This is not going to work.” In short, one part of the organization’s medicine causes another part to get sick.
The way to get better results is to tear down the walls between legal, compliance, IT, governance, HR, marketing, sales, product development, and security, and let everyone work together.
Erudite Risk offers risk management and security-related professional services for multinational companies operating in the Asia-Pacific region. With operations in India, Korea, and Singapore, Erudite Risk is ready to help you meet the challenges of Asia, the most dynamic and challenging business environment in the world.
Rodney J. Johnson is President of Erudite Risk. He has lived in Asia for most of his adult life, but still longs for good Mexican food.