Date: 2020-12-23

This is a tale about Karen (last name refrained), the Chief Executive Officer at one of the more innovative social media consulting firms in Kentucky, Silicon Holler, Inc., a four-year-old company that’s taken full advantage of the grants and tax breaks available in Eastern Kentucky to STEM businesses. Karen, and the company, are real up-and-comers in the eyes of venture capitalists because she is über-dedicated to success, and at all costs. In fact, Karen’s own family and friends have slowly been fading from her attention while the spoils of profits and accolades moved in.
Karen expects no less dedication from her team, including Nick Burns (last name included with permission), Silicon Holler’s Chief Information Security Officer. A company’s CISO role is critical to maintaining security of its information, and privacy of its trade secrets, employee information, and data altogether. For years, at least since Silicon’s first $100,000 deal was inked, Nick has been imploring Karen to invest in cybersecurity training, tools, and defenses. Each year that Silicon’s revenues and budgets grew, Nick would amp up his concerns and pleas. Karen, ever-focused on the bottom line, politely listens, but never activates Nick’s plans. This year, however, Karen had enough. The well-intentioned lobbying by Nick started being interpreted as a nuisance, and to Karen it became mere noise and distraction from the firm’s ultimate goal of cashing out with a big deal from VC money.
Finally, at the most recent monthly meeting with Silicon’s Board and executives, the two, Karen and Nick, came to outbursts about the validity of Nick’s concerns over cybersecurity. The two, basically, embarrassed themselves in the room. Yet, one prevailed. Karen, after all, is the CEO and no organizational chart in American business would have a CISO atop a CEO. Karen barely restrained herself in the meeting, then privately called Nick to her office. Nick became one of millions now relying on unemployment benefits. Karen won, as far as she believed, and a good night’s sleep was finally in store having no need to fester about Nick’s advice.
In the early a.m. while Karen’s dreams animated Nick’s desired expenditures into satisfying profits, she was awoken. Simultaneously, her Alexa called out to her, the iPad and iPhone began buzzing, her smart fridge’s alarms chimed muted through her home. She sat up to see a … well … it’s hard to define. There was a spectre of sorts in the silhouette of a person but totally made up of streams of digital information. It reminded her of “The Matrix” effects and it had a soft voice, though peppered with odd, tinny, “bleeps” and “blips.” Karen was compelled to get out of bed and follow it, though they went nowhere past her lower level.
The spirit pointed at the living room window where a vision materialized. At first, Karen saw herself walking slowly through a dark hallway behind four men in white lab coats. They spoke a foreign language, but the hallway was flanked by hi-tech devices bearing English labels: “centrifuge.” Karen began deducing the scene. This, she recalled from 2010 news, was Iran’s nuclear facility that was nearly devastated by Stuxnet, a computer virus that infiltrated programmable logic controllers such as those used in Iran to control centrifuges. The scene quickly cut to 2013, when Karen was strolling the aisles of Target. When she got to the register, they wouldn’t take her payment card because they’d been seriously hacked and 40 million cards were compromised. She knew it wasn’t a problem with her card, and that sentiment segued to the third scene. The window then reflected 2017 when Equifax, one of the leading credit reporting agencies, announced a vast, years-long hacking campaign that afforded criminals access to nearly 150 million consumers’ records. She uselessly focused her view trying to selfishly ascertain whether she was affected back then. Poof!
Karen awoke, sweating, with no time having passed. No window-TV. No spirit. No history lesson. All of a sudden, into her bedroom sprung yet another ghostly being. By the time she’d begun making out its facial features, all the while stilled in pure fright, the spirit morphed into a beautiful, 75”, 4K HDTV. Blasts of light and sound. Then, it settled on a nondescript cable news program. “Today, the national security community released its report about the ongoing Russian hacking campaign….” Karen knew about this because it’s been in the news constantly. First, election meddling, and now we learned that the highest levels of government systems have been breached. “If even the U.S. government can’t be secured, why should Silicon Holler try?!” she thought, to which the ghost replied, “Because, it’s your social duty to protect these interconnected networks.” She spun around in amazement that the presence answered her unasked question. It was instantly gone, and as she looked around, she realized that yet again she had simply awoken to some disturbance in her night’s sleep.
This time, though, what woke her was not friendly, or even amicable. Only its darkness was apparent. Dissolving scenes of Silicon Holler’s boardroom, its team members, and Karen’s own office lent to blackness and misery. The fading scene ended with two well-dressed venture capitalists walking away, shaking their heads, and muttering about “too bad there’s no security structure” and “can’t take that amount of risk on” and such.
Karen’s past wrote her future, and that of her firm and its employees. Or … did it? Did Karen learn the lesson that I’ve totally ripped from Dickens, and then twisted into some silly cybersecurity allegory? Can you, too, learn from your cybersecurity failings of yore, your current security flaws (Password123, much?) in order to save your security and privacy future? Where did poor Nick Burns end up anyhoo? It’s admittedly an incomplete story, but includes a meaningful lesson nonetheless.
Merry Christmas to all, and to all a good, secure, and private night!
Ed is a professor of cybersecurity, an attorney, and a trained ethicist. Reach him at edzugeresq@gmail.com.
