Wikipedia defines the incident like this:
“The WannaCry ransomware attack was a worldwide cyberattack by the WannaCry ransomware cryptoworm, which targeted computers running the Microsoft Windows operating system by encrypting data and demanding ransom payments in the Bitcoin cryptocurrency. The attack started on Friday, 12 May 2017, and within a day was reported to have infected more than 230,000 computers in over 150 countries.”
While this is a nice, factual explanation of what the problem is, it doesn’t really help us to come to grips with it, either from an organizational standpoint or an individual one. To truly understand what WannaCry means to us, we have to embrace all the ugly details.
How we approach problems may make them more difficult.
Someone once said that "Point of view is worth 80 IQ points." What he meant was that when looking at a problem, the proper frame of reference makes all the difference. Looked at in the right way, difficult problems become easy. Looked at in the wrong way, they become intractable. With one point of view, we gain 80 IQ points and look very smart; with another, we lose 80 IQ points and look very dumb.
Enter the modern world, where problems to be solved are already very difficult. Problems become difficult when they are ill-defined and amorphous, when key details are lacking, and when starting points are obscured. Additional problems include a lack of apparent cause-and-effect linkage, slow feedback loops, and unclear search spaces (it isn't apparent in what space the answer is to be found).
One of the factors that compound our collective inability to solve tough problems is the "silos" issue. In order to be good at our normal day-to-day jobs, we need to be specialists. We learn to drill down in our knowledge; to know more and more about less and less. This means that each one of our available frames of reference becomes smaller and smaller each day. This is not to say we shouldn't be specialists. We have to be specialists or we can't do our jobs well. It is to say that no one can solve today's problems while working as if on an island. We can function on known issues in silos, but must leave them to find answers to tough problems. We need to partner with those in other disciplines and become a multi-headed, multi-disciplinary Hydra. If Ghostbusters were formed today, it would be a multi-disciplinary team.
Consider a hacking incident, such as what the WannaCry Ransomware incident has done to UK hospitals. A single hacking incident such as this can impact an organization and its stakeholders on so many levels that no one person can hope to truly understand its ramifications.
Who's afraid of a little hacking incident?
When an incident such as this occurs in an organization, management must call in a variety of internal and external help to address the problems from every possible point of view. It goes without saying that the lawyers are going to need to be called. We've all got them on speed-dial. Hacking incident? We'll need IT help, from cyber forensics to cyber investigators to software and hardware vendors, business continuity people, and disaster recovery. Was it an inside job? Does an internal investigation need to be performed? Controls must be audited. Policies and procedures must be reviewed to figure out if the organization has liability; if it followed its own policies and if those policies were sufficient to begin with. Was the organization in compliance with global policies and local rules to begin with? What about crisis management? Surely, there is room on speed-dial for the public relations firm. Are we insured for this? If we weren't before, we will be going forward. Is our information and data now secure and, just as important, has data integrity been maintained? Can we trust our own information? How long will it take us to recover? Have those business continuity guys arrived yet?
Ok, whew, everyone is here and they are, wait for it, all working alone, in their silos. No one understands what any of the other people are doing. No one even knows each other. What is the likelihood of an optimal result? Let's pose the question another way. What are the chances that we will end up exactly where we were before the incident, with holes, gaps, unworkable solutions, and no safer than we were before? Which chances are higher?
You do what you do. I do what I do.
The problem with working in silos is that we are inevitably stuck in one frame of reference and that frame of reference is insufficient for truly understanding tough problems. If our ideas are unworkable in practice or deficient in some way, we won’t know it because we don’t know what we don’t know. It is not enough to bring in a variety of experts to help out in each area. The experts must actually work together while solving the problem and in order to do that, each one must know something about how the others operate, what their expectations are going to be, and how they, themselves, see the problem.
In an environment where experts work in silos, policies get drafted that are impossible to implement, procedures are imposed that must be ignored in order to execute other, competing procedures, and people sit around quietly whispering to themselves, in their silos, “This is not going to work.” In short, one part of the organization’s medicine causes another part to get sick.
The way to get better results is to tear down the walls between legal, compliance, IT, governance, HR, marketing, sales, product development, and security, and let everyone work together.
Erudite Risk offers risk management and security-related professional services for multinational companies operating in the Asia-Pacific region. With operations in India, Korea, and Singapore, Erudite Risk is ready to help you meet the challenges of Asia, the most dynamic and challenging business environment in the world.
Rodney J. Johnson is President of Erudite Risk. He has lived in Asia for most of his adult life, but still longs for good Mexican food.