Thursday, July 9, 2015

NYSE, WSJ.com & United Grounded; Information Security Stocks Take Off

NYSE, WSJ.com & United Grounded; Information Security Stocks Take Off


Technology blunders grounded or delayed over 800 flights, halted trading on the New York Stock Exchange (NYSE), and brought down the Wall Street Journal’s website all in the span of a few hours during the morning of Wednesday, July 8th, 2015.  The small window during which these three companies were impacted led many (including personnel at the FBI and Homeland Security) to speculate that cyber-attacks may have been the culprit. 
As morning turned to late afternoon, Director Jeh Johnson of Homeland Security took the reassuring yet somewhat unusual step to publicly deny that any of the day’s events were caused by cyber-attacks.  With this denial came the implied, albeit unintended confirmation that these companies had been severely impacted by some inevitable combination of poor technology planning, implementation, and/or maintenance.  To illustrate, the outage at the Wall Street Journal was conceivably due to an overload of people seeking more information on the NYSE outage.  Separately, United (the second-largest US airline) later admitted that a “network connectivity issue” impacted their systems.  Lastly, the NYSE outage was said by an internal spokesperson to be caused by a “configuration issue”.

Just a Bad Day in the Server Room

Days like “United/NYSE/WSJ Wednesday” remind us that while burgeoning cybersecurity threats and cyber attacks have been keeping Chief Information Security Officers (CISOs) up at night, companies and their Chief Information Officers (CIOs) still have other pain points to worry about.  Not all technology issues are caused by external, evil actors.  Sometimes, the root cause for really expensive days like this can be linked back to old-fashioned bad decisions in the server room.
While none of the day’s big three outages seem to have been caused by a cyber attack, news of the day was rife with speculation to the contrary.  Key stocks in the cyber security sector were undoubtedly thankful for the gains on a day when the DOW Jones industrial average dropped over 260 points by the closing bell.   These gains highlight how even the perception of a hacking attack can benefit cybersecurity technology companies - and instill fear in companies that (probably should) contract their services, buy their software, or train for their proper implementation. 
Information security specialists have long deplored that many companies do not take cyber security seriously until they themselves have been breached.  Target learned a valuable lesson in 2013 with a much-publicized breach that is projected to have cost the company nearly $200 million dollars.  This case was clearly an awareness ‘tipping point’ felt across all IT departments worldwide - Gartner Group predicts global IT security spending to reach $76.9 billion in 2015 (up 17% from 2013 levels). 
80% of outages impacting mission-critical services will be caused by people and process issues
Hopefully "United/NYSE/WSJ Wednesday" will keep companies focused on the more mundane "blocking and tackling" functions critical to network and application uptime.  A recent Gartner study projected that through this year, 80% of outages impacting mission-critical services will be caused by people and process issues, and more than 50% of those outages will be caused by change/configuration/release integration and hand-off issues.
Many of the most significant risks to an enterprise are also the most routine:
  • lack of management buy-in or poor funds allocation
  • insufficient training and retraining
  • mismanagement of system and application upgrades
  • inadequate documentation
  • poorly designed applications
  • inadequate testing
  • lack of redundancy in the architecture and infrastructure
While the threat of cyber attacks is more prevalent than ever, most organizations don’t need to be attacked by from external parties - they can implode from the inside and from the most insipid causes.
At Training Camp, our outcome-based information technology management and information security "boot camp" courses will prepare managers and practitioners alike to safeguard against internal and external threats.  Our most popular courses include:

Information Security

Information Technology Management

Information Technology Practitioner