How could some of the brightest minds in business create the sub-prime mortgage mess? Most went to business school and had decades of experience in their industry. All are highly paid, with their pay, supposedly, reflecting their talent, education and experience. The market valued their skills highly. Yet their foolishness has triggered a plunge in the stock market with financial stocks--the stock of their companies--leading the way and a recession assuredly to come (it may already have begun).
It is not the first time that the brightest in business have eagerly touched a tar-baby that left them stuck when things went bad. Enron and the Internet bubble are but two other recent examples. What they have in common is a failure to realistically consider risk. They also showed a willingness to abandon some of the simple, cardinal virtues of conducting business.
The focus here will be on risk. That has strong implications for much of what happens in public life these days, and for information security, my chosen field, in particular. What happened with these great financial schemes is that their perpetrators ignored risks that, predictably, became reality. With subprime mortgages, it was predictable that interest rates, which could hardly have been lower, would rise in the face of inflationary pressures caused by federal budget deficits and the falling dollar, among other things. When those rates rose, the poor souls whose credit-worthiness was questionable were bound to default. How could that not be seen? Similar blindness afflicted the moguls at Enron and the visionaries of the dot-com era.
It has also afflicted the Bush administration, which entered Iraq without a clear view of the risks of insurgency and civil war. And--a central point here--it afflicts many of those who decide how to allocate time and effort on information technology (IT). There are two ways that risk is dealt with poorly in IT.
First, the simple fact of risk is ignored. The recent loss of the records of 25 million people in Britain is a case in point. An employee was allowed to put those records on a laptop, unencrypted and protected only with a password. The thought of loss seems to have escaped those who established policies and procedures for the agency that allowed it. I imagine that they relieve that such things rarely happen, so why protect against an occurrence that would probably not happen. The potential cost if it did was not considered. Nor were the--low--costs of countermeasures.
Another example comes from my own experience of several years ago. A network I worked on was unprotected by anti-virus. We knew we needed it, but the project manager told us to get licenses from HQ, which had extra, already paid for, that we could have. They dawdled; so did we (and, to be fair, I did not push the issue--a lesson for me). Then The Klez virus struck, big time. The network went down. Suddenly, no price was too high for AV. We got it. It took us several days to clean up and install the anti-virus package.
Risk is also poorly analyzed all too often. One agency I worked on decided that a particular piece of malware was a major threat because the unit chief saw that it was covered prominently on CNN. Other, more severe threats were ignored. This agency, like many organizations, never did even a preliminary analysis of the risks it faced and the most effective means of countering them. Consequently, at least some the means allocated to IT security--which will always be limited--were misallocated. These organizations are prepared to stop something, but not what threatens them most.
None of that would matter if risks did not become reality. Yet, as the executives at Citibank, Countrywide, Washington Mutual, and other firms have found, they do.
25 November 2007
07 November 2007
The Choice in Pakistan
The Bush administration sees the choice in Pakistan as one of choosing between an errant friend and rabid enemies. General Musharaff's declaration of martial law is seen as the mistaken choice of a leader who saw his country falling apart under pressures generated by the growth of Islamist extremism. He has, the administration sees, battled Al Qaeda and its ilk, avoiding the temptation to pander to them. It has called on the general to reconsider what he has done and to return Pakistan to the status quo ante.
This is a false choice. The administration has been too gentle on the general, having defined American national interests too narrowly. Consider that Musharaff declared martial law contrary to the publicly expressed wishes of the United States. Secretary Rice herself said on November 3, as reports of Musharaff's actions were coming out:
Now we have have pictures of Westernized Pakistanis, even Pakistani lawyers, having their demonstrations broken up by the army. At the very least, the United States looks weak. It even looks hypocritical: our oft-expressed support for democracy is shown to be mere words, or less.
Moreover, the support for Musharaff within Pakistan is virtually non-existent, according to reports. The Islamic extremists certainly oppose him. Moderate and secular Pakistanis now oppose him as well. And Benazir Bhutto and her supporters are just beginning to gear up for the struggle. How long can this ally last? We appear to be supporting the losing side.
Sanctions of some kind--a reduction in aid at the very least--should have been imposed by the end of the day on November 3. Not simply because democracy is a good thing, but out of a realistic approach to satisfying our true national interests in the region.
This is a false choice. The administration has been too gentle on the general, having defined American national interests too narrowly. Consider that Musharaff declared martial law contrary to the publicly expressed wishes of the United States. Secretary Rice herself said on November 3, as reports of Musharaff's actions were coming out:
I just want to be clear that the United States has made clear that it does not support extra-constitutional measures because those measures would take Pakistan away from the path of democracy and civilian rule.To date, the United States has scarcely even said "Tut-Tut" in reaction, much less taken any substantive action to make its displeasure felt in Islamabad.
Now we have have pictures of Westernized Pakistanis, even Pakistani lawyers, having their demonstrations broken up by the army. At the very least, the United States looks weak. It even looks hypocritical: our oft-expressed support for democracy is shown to be mere words, or less.
Moreover, the support for Musharaff within Pakistan is virtually non-existent, according to reports. The Islamic extremists certainly oppose him. Moderate and secular Pakistanis now oppose him as well. And Benazir Bhutto and her supporters are just beginning to gear up for the struggle. How long can this ally last? We appear to be supporting the losing side.
Sanctions of some kind--a reduction in aid at the very least--should have been imposed by the end of the day on November 3. Not simply because democracy is a good thing, but out of a realistic approach to satisfying our true national interests in the region.
Subscribe to:
Posts (Atom)