How can we communicate the risk level of below-the-operating-system vulnerabilities to non-technical leadership, or to technologists who don't really understand what it is?

939 views · 1 Upvote · 4 Comments
Board Member, Advisor, Executive Coach in Software · 5 years ago

For firmware, I use an analogy. Think of the firmware as the rebar or the slurry mix in the concrete. If it's bad, your foundation is poor, and everything above it is potentially just a house of cards under the right situation. Say you're standing in a high-rise, in your corporate offices or your building: if you have rebar that's deteriorating, or the slurry has a bad mix in it that will crack easily under the right conditions, what does that mean for the building?

CISO in Software · 5 years ago

We need to be better at risk-based decisions as an industry: going to our leadership and saying, "This is the impact that it could have." We always talk about impact and likelihood and all that, but make it real. We need to be able to articulate, "This is the reality. We have 100,000 devices on the internet. If each of those gets hit and we have to replace them and then do this other thing, it's going to cost us this, and there's a 5% chance it's going to happen every year. Is that worth it to you?" And they might say, "Yeah, let's roll the dice." Well, fine. I need you, the executive board, to sign off on that dollar amount and on that thing happening, and not allow it to cut into our profits by five pennies or whatever. That's something I'm really passionate about: turning things into reality.

2 Replies
no title · 5 years ago

Making clear, objective decisions around the risk and the implications is paramount. Perhaps even 10 years ago, it may have been a case of "Yeah, we've got to worry about it." An asteroid coming closer today would change the dialogue. So the probability and the implications start changing.

no title · 5 years ago

It changes from an asteroid to a car accident. We're no longer talking about an asteroid coming out of the sky. We're talking about the chances of you getting hit by a truck on the way to work. And it turns out that's a pretty decent chance. So we need to, as an industry, make that change.
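The CISO's "100,000 devices, 5% a year, is that worth it to you?" framing is the standard annualized loss expectancy calculation (ALE = single loss expectancy × annual rate of occurrence), and the asteroid-versus-truck reply is the observation that a modest per-year probability compounds over a planning horizon. The script below is an added worked example, not part of the original thread: it takes the numbers the CISO gave (100,000 devices, 5% per year), assumes a per-device replacement cost and an annual mitigation budget (both constructed figures, not from the page), and produces the board-level summary the comment is asking for, including the chance of at least one event over a multi-year horizon, which the paragraph does not spell out.

```python
"""Annualized loss expectancy (ALE) worked example for a fleet-wide
firmware/below-the-OS event.

Added example, not code from the original discussion. The device count
(100,000) and annual probability (5%) mirror the CISO's hypothetical; the
per-device cost, mitigation budget and horizon are assumptions chosen
purely for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    devices: int                # number of exposed devices
    cost_per_device: float      # replace + re-provision cost per device (assumed)
    annual_probability: float   # chance the event happens in any given year


def single_loss_expectancy(s: Scenario) -> float:
    """SLE: cost of one occurrence, where every exposed device must be replaced."""
    return s.devices * s.cost_per_device


def annualized_loss_expectancy(s: Scenario) -> float:
    """ALE = SLE x ARO; here ARO is the per-year probability of the event."""
    return single_loss_expectancy(s) * s.annual_probability


def probability_within(s: Scenario, years: int) -> float:
    """Chance of at least one occurrence over `years`, treating years as
    independent trials: 1 - (1 - p)^n. This is the 'asteroid vs. truck'
    point: 5%/year is a 1-in-4 chance over a five-year planning horizon."""
    return 1.0 - (1.0 - s.annual_probability) ** years


def mitigation_worth_it(s: Scenario, annual_mitigation_cost: float) -> bool:
    """A recurring mitigation pays for itself when it costs less than the
    expected annual loss it removes (cost-benefit on expected value only;
    it ignores risk appetite, which is the board's call)."""
    return annual_mitigation_cost < annualized_loss_expectancy(s)


def board_summary(s: Scenario, annual_mitigation_cost: float,
                  horizon_years: int = 5) -> dict:
    """The numbers to put in front of leadership for a sign-off decision."""
    return {
        "one_event_cost": single_loss_expectancy(s),
        "expected_annual_loss": annualized_loss_expectancy(s),
        "chance_within_horizon": probability_within(s, horizon_years),
        "expected_loss_over_horizon": annualized_loss_expectancy(s) * horizon_years,
        "mitigation_cost_per_year": annual_mitigation_cost,
        "mitigation_worth_it": mitigation_worth_it(s, annual_mitigation_cost),
    }


if __name__ == "__main__":
    # Constructed figures: 100k devices at an assumed $200 each, 5% per year,
    # versus an assumed $800k/year firmware-attestation or fleet-update program.
    scenario = Scenario(devices=100_000, cost_per_device=200.0, annual_probability=0.05)
    for key, value in board_summary(scenario, annual_mitigation_cost=800_000.0).items():
        if isinstance(value, float) and key != "chance_within_horizon":
            print(f"{key:>28}: ${value:,.0f}")
        elif isinstance(value, float):
            print(f"{key:>28}: {value:.1%}")
        else:
            print(f"{key:>28}: {value}")
```

The point of `board_summary` is that the output is a dollar figure and a percentage that a non-technical executive can accept or decline in writing, which is exactly the sign-off the CISO describes; if leadership chooses to "roll the dice", the `expected_loss_over_horizon` line is the number they are accepting.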
