Manifesto for a Modern IT Consulting Industry - Part 3
It's Time for IT Consultants to Take a Step Up
This is Part 3 in a series on transforming our industry into a profession. Here are the previous installments:
Transformation of an Industry into a Profession - Part 1. Profit. Maintenance-Focused Support.
Part 3: Ransomware and How We Handle It
A great deal of this discussion about our industry, and where we want to take it, is triggered by the crises of ransomware, how we respond to ransomware, and how governments and insurance companies are responding to ransomware. And so far "we" don't have a response. Lots of vendors are selling lots of solutions. But none of them is really a solution: Each is a small fix for a small piece of a big, big problem.
As with so many things in technology, our response to problems consists of a big toolbox filled with various sizes of Band-Aids. But very little effort is put into taking a step back and looking at the big, big picture.
Here's a great example: Identity theft or credit theft. On more than one occasion I have posted photos of my driver's license or credit cards online. People come screaming out of the woodwork because these things contain lots of information that can be used to "steal" my credit, open accounts in my name, etc.
But I don't care for a simple reason: I have made this information useless. Try to open an account in my name. You can't. Try to buy a house in my name. Try to take over my car registration. Try to use my credit cards. You can't.
You see, there are different ways to look at problems like this. "The data" genie is out of the bottle. I grew up in an era when my social security number was my student ID. I think it was published in the school directory. The birth dates and death dates of my parents are public information. My ex-wife worked for the State of California during roughly 1,000 incidents where all of our private information was stolen and sold on the dark web.
Your information is just as secure. So you are no more or less secure if you post your driver's license online. But you can take steps to make that information useless. You don't have to throw up your hands and say, "Oh well. If they want to break into my stuff, they will." And yet, that defeatist attitude is exactly what virtually everyone in IT says to one another - including MSPs, VARs, vendors, distributors, and even security companies.
I have written this many, many times over the last five years, but it's still true: There is absolutely no excuse for ransomware to take down a business or government agency today. The first time I created real-time data-mirroring between offices in Southern California and Northern California, the setup was about $100,000 and monthly monitoring and maintenance was about $10,000. I was happy to do it.
That exact site could be backing up to a BDR with images in the cloud for a fraction of that cost today. (I hope they are.) What was once nearly impossible and extremely expensive has become simple and very reasonably priced.
The question is no longer whether we can secure all data but whether we are willing to. And that "we" clearly includes the client. Next time, we'll talk about insurance and government regulation. Clearly, if a client cannot afford to be protected, the IT Service Provider should not be held liable for the results of a ransomware attack. And, clearly, if a client can afford but refuses to pay for the appropriate systems, then the IT Service Provider should not be held liable for the results of a ransomware attack. But that's next time.
Now let's look at the next two pillars for our emerging industry: Defending client systems and our consistent response to attacks.
The Fifth Pillar: Defending client systems and data is an ethical imperative.
I know a lot of people are not comfortable with the discussion of ethics and what's ethical. But I am. Maybe it's my "Arts and Sciences" education. But I think that professions do have some ethical requirements. For example, financial advisors should put their clients' financial interest first; they should not overcharge their clients; they should not steal from their clients.
All of that is actually based on a clear difference in knowledge. When you know more than your clients, you have the opportunity to recommend "solutions" that don't really increase security. And you have a great deal of power to remove yourself from taking the blame when things go wrong.
See the last post on an industry code of ethics.
In the first installment, I made the case that basic maintenance and backup are central to our profession. Here I would take that up a notch. I believe we are obligated to defend our clients' data once they have engaged us. And a huge piece of this is based on that same differential of knowledge.
I've heard people make fun of clients who think that their data are automatically backed up because it's in the cloud, or with Microsoft. Similarly, they laugh about clients who think that mirrored drives or a RAID array are backups.
But here's the hard cold reality: If we want to be a profession instead of a collection of really smart people who all just happen to work in the same industry, we have to draw a line and take responsibility when the client cannot make correct decisions for themselves. If a client doesn't understand backup, and you do, you have an obligation to look after their interests. When a client doesn't understand security and you do, you have an obligation to look after their interests.
Your clients will never know what you know or understand what you do. They are professionals at dentistry, or law, or finance, or whatever. They trust you. They rely on you. They turn to you and ask, "What should I do?" You are morally obligated to give them good advice. Ultimately, what we do in this business is to help clients make good decisions about technology.
The funny thing about this discussion is that so many people immediately put it all back on the client: They refuse to secure their systems; they refuse to pay for it; they don't believe they're in danger. But that doesn't excuse you from your moral obligation.
This goes beyond you and the client. The "client's data" is often not the client's information to leave unsecured. The client's data probably includes their clients' information, medical records, financial information, intellectual property, etc. Your client has no right to wave their hand and decide that such information can be open to compromise.
We're seeing more and more compliance legislation all the time. It all boils down to this: Left to their own devices, many people will not secure their own systems or their clients' data. And further, compliance legislation acknowledges that society has a stake in securing that data - even if a specific company doesn't want to.
As an IT service provider, you don't have any choice. You are part of this mix. The players are you, your client, the government, and insurance companies.
So, protecting and defending this data is an imperative. What do you do when the client simply refuses to comply, for whatever reason?
Today, the best you can do is to have them sign a waiver of liability. But it is unclear whether such waivers are enforceable. As you probably know, almost every contract has limits on liability that are simply ignored. When lots of money is at stake, companies sue. Insurance companies sometimes pay out. And then they sue to recover their money. I'm not aware of any contract that has actually prevented a lawsuit.
And no matter what you do, you're still in the mix. Whether we like it or not, we need to work with governments and insurance companies on a formal process for removing ourselves from the mix.
It begins with acknowledging that creating data security systems and business continuity are imperative. Then, the client needs to be educated, to the extent that's possible. But remember: Some clients will never understand or accept the danger.
In the world of finance, there's a thing called a sophisticated investor. A sophisticated investor is someone who has lots of experience and knowledge in a variety of financial dealings. So, for example, you might only be invited to consider a certain investment opportunity if you can document that you are a sophisticated investor.
We experience a similar thing in technology. If you're reading this, you're probably a sophisticated technology consultant. You know and understand certain things at a level that most of your clients will never reach. So how do you educate them sufficiently so they can make an educated decision to not protect their data?
Ultimately, you cannot force any client to buy into a business continuity solution or to protect themselves from ransomware, extortionware, etc. Today you have three options when a client refuses to protect themselves: 1) Take the risk that you'll get caught up with them, their problems, and their insurance company. 2) Walk away and let someone else take the risk. 3) Stay and try to limit your liability.
There should be a formal process whereby you educate the client. And, if they choose not to protect their data, there should be a formal process - recognized in law - that removes you from liability.
This process cannot be haphazard. It needs to be a formal process. The insurance companies need to go along with it. And I expect they will, if it's done right. After all, the reason they're raising rates through the roof is that they're paying out massive ransoms because so many systems are simply not protected.
We will return to this topic next time.
The Sixth Pillar: A strong profession begins with consistent, effective responses to our greatest challenges.
In 2020, the world of compliance took a huge step in the right direction. And somehow, almost no one noticed. Every time I mention that the US Department of Health and Human Services has blessed the use of NIST CMMC for attaining and documenting HIPAA compliance, I get several requests for links.
Okay. Just to get this out of the way, here are the links to start with:
- https://www.hhs.gov/hipaa/for-professionals/security/nist-security-hipaa-crosswalk/index.html
- https://www.hhs.gov/sites/default/files/cybersecurity-maturity-model.pdf
This is one example of the kind of thing we should be doing on several fronts. HIPAA (the Health Insurance Portability and Accountability Act) originally had no clear guidelines. It had no standards that could be built into a checklist. There was no way to document compliance. And, oddly enough, compliance could not be achieved without documentation.
As a result, "compliance" was simply determined by who sued or brought an action against a healthcare provider or IT professional. Finally, the DHHS move in 2020 made it possible to define compliance, create checklists, and demonstrate compliance. The documents above literally map CMMC actions to HIPAA requirements.
This is a great model that we can repeat in other areas. Again, with one eye on the government and the other on insurance companies, we can develop procedures that define appropriate responses. The basic formula is this:
- Define the challenge. For example, stop viruses and phishing attacks from allowing data to be compromised, encrypted, and exfiltrated.
- Define a set of actions and processes that define professional best efforts with regard to the task at hand.
- Define procedures and checklists which, when implemented, will meet the requirements for best efforts.
- Document the execution of these processes and procedures, and be willing to be judged by this documentation.
In a perfect world, we don't need the government to be involved in any of this. But, so far, our industry has spent more effort passing the buck and selling Band-Aids than solving the biggest challenges we have. We each come up with a set of different procedures, software, and services. And when it doesn't solve the problem, we confidently tell each other, and our clients, "There's no way to stop everything."
I go back to my original statement: There is absolutely no excuse for ransomware to still be a problem today. But instead of getting our arms around it and addressing the big picture problems, we spend our time playing whack-a-mole and making sure we're not the ones being sued for millions of dollars.
I see three obvious ways that action will be taken in the next few years. First, we can continue our uncoordinated attempts to apply patches here and there. This will result in the government taking action that solves some problems for the government but probably doesn't solve the actual problem. Remember: government agencies are getting hit at least as much as private businesses. They'll do "something" in response, even if it's not the best thing.
Second, the insurance industry will draft legislation and it will spread across the globe. This is actually the most likely response since the insurance industry is already well funded, well organized, and very experienced with lobbying. I assure you, their response will serve them very well. You will not find yourself relieved of any liability if the insurance industry writes the rules without input from IT service providers.
Third, we as a profession can begin to address the big problems with standardized processes and procedures that address the needs of our clients, government agencies, and the insurance companies. This approach might include getting some of these processes and procedures written into government regulations or legislation. It would involve engaging the insurance industry in discussions about what they need, and the role we play.
To be honest, a coalition of the IT service industry and the insurance industry may be the most powerful thing we can do. We could actually draw some lines around the obligations companies have to protect data, the liability that goes with that, the requirements for best efforts to protect that data, and the documentation required to verify where liability lies.
In many ways, we have accidentally taken on liability for our clients' behavior by the response we have to security challenges. And now it's time to limit that liability and define the terms under which it can be lifted off of us and placed back on the client.
The only way to eliminate liability altogether is to eliminate risk altogether. Between ourselves, our clients, and the insurance companies, I believe we can define processes and procedures to reduce risks considerably, and therefore reduce liability as well.
I'm not saying it would be easy. But it could be done.
-- -- --
Next time: Legislation, Insurance, and Building a Long Term Path to Professionalism
-- -- --
Here are links to the entire series:
Part One - Profit and Maintenance-Focused Support
Part Two - Education and Core Values
Part Three - Ransomware and How We Handle It
Part Four - Legislation and Insurance
Part Five - Building a Path to the Future
:-)