Secure the future – have a change of mind!

The future of the enterprise can be secured provided that it is properly organized and operated with full understanding of its economics. The current concentration on “profit here and now” is extremely harmful to the survival of the economy of the world as a whole and every given enterprise in particular.

Why is that? There are two parts to the problem. The first part has to do with the short-sightedness of the typical management of companies, and the second part with the isolation of company parts from each other and the requirement that everything brings profit by itself. Under these conditions security becomes an unwanted “fifth leg” that brings nothing but unjustifiable costs to the company. I tried to find a solution within this extremely limited view and there isn’t any. However, the situation looks completely different if you take a long-term systemic view of the enterprise.

In the long term, we absolutely need security as we need quality and many other things besides money to ensure that the enterprise survives. Once we understand that, we shall realize that we already have the knowledge, technology and tools to actually secure our products and we will apply the research where we see them lacking.

To illustrate, let’s look at how the simple economic model of the well-known game “Civilization” operates.

“Civilization” is a strategy game with a simplified economic model of cities, countries and the world. In this highly simplified model of an economy, describing the behavior of an entire civilization, the parameter “money” is not the only one that leads to success; rather, it is used to serve other areas of society. For example, when you build a library you go to the cashier and convert money into scientific knowledge. The theater is not built for profit either, but to spend money on culture. Almost all of the buildings whose direct purpose is not “making loot” represent a direct loss: football stadiums, churches, and tank factories just consume money and make no profit, but they produce something else instead: contentment for the people, culture, or tanks.


In principle, you can try to concentrate everything in the world on getting more money, but experienced players will tell you that this option is only meaningful in the finishing spurt, when there is a race to win and you are actually in the military situation of “it’s either us or them.” At other times, you cannot ignore any section of public life: it is necessary to make sure that culture is taken care of, that science is at a level not far behind (so that foreign tanks don’t overwhelm your chariots), that your production facilities allow you to produce anything you might need, and that the cash account allows you to support the whole caboodle.

Once again, it is important to note that most of the objects in Civilization are obviously unprofitable, and that’s fine: they give non-monetary income and in most cases they determine the success or downfall of the player. You build a theater, a library or a tank, pay for them and don’t complain that they need money. Money is produced by special objects replenishing the treasury. They are important, of course, as an integral part of society, but their main role in the game is to support the work of other objects: to let society work, move progress and culture forward, and carry the flag of the country. In only one case does it make sense to be “in the money”: when you want to win politically by buying votes from neutral city-states. In all other cases, a large cash balance is, on the contrary, an indication that you are doing something wrong.


So, why are we talking about that? Money in Civilization is a tool, and that is what it should be in real life, at least in theory. Therefore, if you have excess money, it is best to invest it immediately into something that moves forward some real aspect of life: culture pushes the boundaries of your country, science discovers all the new electric cars, cavalry and navy bring the light of truth to the infidels. Since everything around is continually evolving, the funds should be regularly put into circulation, not in the sense of “revolving in the bank” but through investments in the real sector, because a notional 100 coins in the ancient world is not the same as 100 coins in the era of feudalism, even in the absence of inflation. Just saving money has no special meaning: it means that you could have invested it in some business but did not. For example, you could have mounted an expedition to another continent, but instead you are wasting away over your gold. Yes, money can be useful to respond to a sudden change in the situation, but that usually does not come with great effectiveness. For example, you can immediately buy up a bunch of soldiers in the case of a Mongol invasion; but if you act wisely, it is much more effective, including in monetary terms, to prepare them in advance, even though soldiers are all loss and no profit.

In the real world, it is much more complicated. Yet, somehow it turns out that in a simplified toy “father of the nation” world simulator the different effects of each aspect of human activity are taken into account, while in our advanced and diverse modern society it all comes down to one parameter: money. Look at what is happening in the world or in your company: the talk is all about cutting this and that because of its “inefficiency”.

Even purely totalitarian economies and societies somehow engage in culture, science and other things, and only in our purely “liberal” economy and culture do we force culture, science, and almost the military … to make money. But, after all, this is nonsense in terms of governance!

There seem to be two important aspects at work:

1) The atomization of society and the economy also applies to the enterprise. In a unified society and company things can be divided into “earning” parts and “wasting” parts, as was done in the traditional family: the husband works in the field, the wife at home on the farm, and that’s fine. Under the conditions of atomization each part is forced to survive as best it can. Science and culture in society, and security and quality in the company, are forced to earn profits, losing their original essence. Every single part is required to perform, basically, all of the functions of the whole in order to survive, without any regard to its original purpose. The security department now has to “sell” its services, engage in marketing campaigns and calculate its “efficiencies”.

2) An extremely short time horizon has become the norm. Where top management was supposed to keep a very long-term perspective and support the activities that would allow the company to exist in the distant future, now we are dealing with non-stop pressure to deliver everything today.

In general, the reduction of all aspects of life and work to making a profit in the monetary sense immediately leads to many fun things.

There are many aspects to our work as a software company producing and selling software products, but if we simplify the model we can say that there are a few factors involved in the long-term survival and prosperity of the company. One of the factors is the features of the software. That is your “money production” part, the thing that gets the software sold and brings in the money. Too much concentration on this part is dangerous, however.

There are other important parts. We will leave aside many of them for the sake of simplicity. Let’s look at quality. Ensuring software quality is pure cost: it does not sell as such, it does not bring money. Should we stop spending money on quality? You would be right to assume that we will not. But why? Because the quality of our product influences future sales; it is not here and now but in the future that we will see the indirect benefits, often not quantifiable. Still, most of us understand that destroying the product quality will lead to deterioration of market sales and company image, decline of revenues and the eventual collapse of the company. So somehow over the years we have realized that a completely non-profitable activity is necessary for the enterprise’s survival.

The same applies to security. Most companies ignore security nowadays. Security is nothing but cost, and it costs even more than quality. Security is even less visible and its impact is even further in the future. Many managers show short-sightedness and ignore security to concentrate on what brings money in today and tomorrow. But is that a good idea? Security is like your army in “Civilization”: it is pure cost and you may never actually use it directly, but it is a good idea to have it unless you want to see your cities overrun by the American war chariots. Security is a cost that an enterprise must take on to ensure its long-term survival. It is as necessary as the other costly things: quality, specialist training, research etc.

So when a company puts security in a position where the security department has to justify its existence by proving, with numbers in hand, that it is somehow “profitable”, that’s pure lunacy on the part of top management. This concentration on the “money aspect” is going to pay off in the short term but will lead to a crash in the long term. Balance is as essential to a healthy company as it is to an empire in the game of “Civilization”. One cannot ignore the money aspect and risk running out of money at an unfortunate moment. One cannot concentrate on money and ignore everything else either. We must accept that security is one of the realities of life and that it is necessary to have, because otherwise “their tanks will crush our chariots”.

I hope we are clear on that now.

You may only need a sword once but you must carry it every day.
– Japanese proverb


Software Security vs. Food Safety

My friend works in a large restaurant chain in St. Petersburg. She is pretty high up in the chain of command after all these years. We talk about all sorts of things when we meet up, and once she told me about how they have to deal with safety and quality inspections and how bothersome and expensive they are. So I teased her: why don’t they just pay off the officials to get a certificate instead of going through all the trouble? And she answered seriously that that was only good for a fly-by-night business that does not care about clients or reputation.

Food-poisoning a customer would have severe consequences. Their chain has been around for more than ten years, she said, and they do not want to risk any accidents that would destroy their reputation and client base. In the long run, she said, they are better off establishing the right procedures and enduring the audits that help them protect the health and safety of their clients. And she named three kinds of losses that they are working hard to prevent: direct losses from accidents, loss of customers as the result of a scare, and long-term loss of the customer base as the result of reputation and trust decay.

I think there is something we could learn. The software industry has become completely careless in recent years, and the protection of the customer is something so far down the to-do list you can’t even see it. Judging by the customer care, most businesses in the software industry are fly-by-night. And if they are not, what makes them behave as if they are? Is there some misunderstanding in the industry that security problems do not cause costs, perhaps? Evidently, the companies in the software industry do not care about moral values, but let us see how the same three kinds of losses apply. Maybe I can convince you to rethink the importance of customer care for the industry?

Sony PlayStation Network had an annual revenue of $500 million in 2011, with about 30% margin, giving them a healthy $150 million in profit a year. That year, their network was broken into and hackers stole thousands of personal records, including credit card numbers. In the two weeks of the accident Sony lost about $20 million, or 13% of their profit. When the damage compensations of $171 million kicked in, the total shot up to about $191 million, making Sony PlayStation Network lose over $40 million that year. Some analysts say that the long-term damages to the company could run as high as $20 billion. How would you like to work for 40 years just to repay a single security accident? And Sony is a large company; they could take the hit. A smaller company might have keeled over.


And these kinds of things can come completely unexpectedly from all sorts of security accidents. Thanks to governments’ pressure we now hear about companies suffering financial disadvantage from incidents that used to be ignored. The US Department of Health & Human Services fined Massachusetts Eye & Ear $1.5 million for the loss of a single laptop that contained unencrypted information. “Oops” indeed. The same year the UK Information Commissioner’s Office fined Welcome Financial Services Ltd. £150,000 for the loss of two backup tapes. Things are heating up.

Now, the Sony PlayStation Network breach did not only cost Sony money. The company Brand Index, specializing in measuring company image in gaming circles, determined that that year the Sony PlayStation image became negative for the first time in the company’s history. Gamers actively disliked the Sony brand after the accident. That was enough to relegate Sony from the position of a leader in the gaming industry to “just a member of the pack”.

More interesting tendencies could be seen in the retail industry. TJX, the company operating several large retail chains, suffered a breach back in 2005, when hackers got away with 45 million credit card records. At that time, analysts were predicting large losses of sales that never materialized. TJX paid $10 million in settlements of charges and promotion, and sales did not dip.

Fast forward to December 2013, when Target suffered a security breach in which 70 million customer records and 40 million credit card numbers were stolen. Target did not appear to be too worried and engaged in the familiar promotion and discount offering tactics. And then the inconceivable happened. The customers actually paid attention and walked away. Total holiday spending dropped by 9.4%, and sales were down 1.5% despite 10% discounts and free credit monitoring offerings from the company. As a result, the company’s stock dropped 1.8%. At the scale of Target, we are talking about billions upon billions of dollars.


So, what happened? In 2005, the industry worried but customers did not react. In 2013, the industry habitually did not worry, but customers took notice. Things are changing, even in the market and industry where software security was never of any interest to either shops or customers. People are starting to pay attention.

Now, if we talk about customer trust and industry image, the food industry serves as a pretty good role model. They have a lot of experience stretching back hundreds of years; they must have figured out a few useful things we could think of applying to our software industry. Take the dioxin scare of 2011. The tracing abilities of the food industry allowed them to find out easily how industrial oil got into animal feed and to trace it to particular farms. Right away, the chickens and pigs at those farms were mercilessly culled. That’s what we call an accident response all right. In the aftermath, the food industry installed a regulation requiring physical separation of industrial and food oil production and created a requirement for labs to publish dioxin findings in food samples immediately.

The food industry has learned that they will not be perceived well if they kill their customers. They are making an effort to establish long-term trust. That’s why they have good traceability, they are merciless in their accident response and they quickly establish new rules that help to improve customer confidence. Take the story of the horse meat fraud in 2013, where horse meat was sold as beef across Europe. That was not dangerous to health; it was a fraud to sell cheaper meat instead of more expensive meat. The food industry traced it all back to its origin and found out that the liability for this kind of fraud was insufficient: even after paying the fines, the companies that engaged in this fraud were making a handsome profit. But customer confidence suffered immensely. And the industry took swift action: the proposal to increase the penalties and take tougher measures was accepted by the European Parliament on the 14th of January.

What can we learn from the food industry? They have great traceability of products, detection of all sorts of misbehavior and dangerous agents, and requirements to publish data. The penalties are kept higher than the potential gain, and the response is swift and merciless: either recall or destruction of contaminated goods. All of this taken together helps the industry to keep their customers’ trust.

Try to imagine that HTC was required to recall and destroy all those millions of mobile phones that were found to have multiple security vulnerabilities in 2012. Well, HTC did not waltz away easily, as had happened in so many cases before. They had to patch up those millions of mobile phones, pass an independent security audit every two years and, perhaps most telling, they are obliged to tell the truth and nothing but the truth when it comes to security.

And this kind of thing will happen more and more often. Customers and governments are taking an interest in security, they notice when something goes wrong, and we now have a big problem on our hands, each company individually and the industry as a whole. We will get more fines, more orders to fix things, more new rules imposed and so on. And you know what? It will all go fast, because we always claim that software is fast: it is fast to produce software, to make new technology, the pace of innovation and all that. People and organizations are used to thinking about the software industry as being fast. So we will not get much advance notice. We will just get hit with requirements to fix things and fix them immediately. I think it would do us good to actually take some initiative and start changing things ourselves at a pace that is comfortable for us.

Or do we want to sit around and wait for the crisis to break out?

Apple – is it any different?

The article “Password denied: when will Apple get serious about security?” in The Verge talks about Apple’s insecurity and blames Apple’s badly organized security and the absence of any visible security strategy and effort. Moreover, it seems that Apple does not even take security sufficiently seriously.

“The reality is that the Apple way values usability over all else, including security,” Echoworx’s Robby Gulri told Ars.

It is good that Apple gets a bit of bashing, but are they really all that different? If you look around and read about all the other companies you quickly realize it is not just Apple; it is a common, too common, problem: most companies do not take security seriously. And they have a good reason: security investment cannot be justified in the short term, it cannot be sold, and it cannot be turned into bonuses and raises for the management. And the risks are typically ignored, as I already discussed previously.

So in this respect Apple simply follows in the footsteps of all the other software companies out there. They invest in features, in customer experience, in brand management, but they ignore security. Even the recent scandal of Mat Honan’s digital life wipe-out, which got a lot of publicity, did not change much, if anything. The company did not suffer sufficient damage to start thinking of security seriously. The damage was done to a private individual and did not translate into any impact on sales. So it demonstrated once again that security problems do not damage the bottom line. Why else would a company care?

We need the damage done to external parties to be internalized and absorbed by the companies. As long as it stays external, they will not care. It is exactly the same as with ecology: ecological cost is external to the company, so it will not care unless there is regulation that makes those costs internal. We need a mechanism for internalizing the security costs.