People keep asking why the management of companies in the critical infrastructure industries isn’t jumping on the cybersecurity problem, breaking it into manageable chunks and getting it done. Truth be told, some companies are. Dow Chemical is a shining star in this regard. But many others are acting like ostriches with their heads buried deep in the sand. Why? The problem has been clearly identified, and several workable solutions have been devised besides ripping everything out and replacing it with secure equipment. Yet there is no enormous rush to institute major projects, and there wasn’t one even before the greedy idiots who run the world’s mortgage banks allowed the economy to go to smash. So there’s obviously something we’re not seeing.
I’ve talked about the economic calculus before. Companies are founded and run on the premise that they will deliver maximum value and return to their shareholders. Expecting companies of any kind, including publicly owned entities such as power or water/wastewater utilities, to do anything that does not lead directly to delivering value and return to their shareholders is like expecting the sun to come up in the west. It’s not going to happen.
The series of commercials from IBM now showing on TV—the ones with the engineer briefing the board of directors on going green—clearly illustrates this fact. The minute the engineer stops blathering on about the “how-to” and provides a business value statement like, “We’ll save 40% of our energy cost in the next year, and we spent $18 million on energy last year,” the Disney-like cartoon forest pops out, the birdies sing and the board members dance around hugging the cartoon tree.
Those of us who understand that there is a problem, have identified it and its scope, and know what needs to be done to implement the solutions we’ve devised are stymied, because the people we are talking to tell us, like the manager in one of the IBM commercials, “The people I report to don’t eat granola.” Board members remember the Y2K debacle all too well. They don’t want to spend a lot of money on a disaster that isn’t going to happen.
The economic calculus has been widened to include “going green.” Sustainability, by whatever definition, is a hot topic in boardrooms these days, and major corporations don’t want to be seen as any color but green.
How did that happen? Partly, the economic calculus got widened the same way it did in the 1960s, when, under the impetus of Rachel Carson’s Silent Spring, the environmental movement went mainstream. That in turn drove the development of legislation and regulation that made it possible to cost out the effects of continuing to pollute against the cost of instituting pollution controls. In other words, it magically got cheaper not to pollute, because there were now laws and regulations, with fines attached, that could be accounted for on a balance sheet.
The same thing now needs to happen with cybersecurity in critical infrastructure: we need to widen the economic calculus once again. There is some groundswell already. Now there needs to be pressure on the people who can supply the other side of the equation. We already know what the projects cost; what we lack is a cost of not doing them that shows up on the books, some reason to fund cybersecurity projects other than that we think they should be done.
We will need legislation and regulations that make it necessary to do those projects. Write your legislators. Talk to insurance companies. Mention the dread words “Sarbanes-Oxley” to your managers as high in the corporations as you can reach. And the tree will show up in your office, and the cartoon bluebirds and squirrels will dance and sing.