The Buck Stops At Cybersecurity

US President Harry S. Truman famously had a sign on his desk while in office that read "The Buck Stops Here."

The import was "I am ultimately responsible for whatever happens." What a glorious, goal-oriented and functional philosophy. The other day I was bitterly reminded of how rare this philosophy is.

Taking my cue from some medical establishments that require their senior medical staff to commit to working as though they were still mostly providers (a hospital that requires its department heads to spend a month a year on the floor and an ambulance company that requires its vice presidents to ride the ambulance one weekend a month), I still take on front-line IT projects not as a senior exec but as a humble technical contributor. In theory, this keeps me current and in touch. In practice, it reminds me that "the view from 50,000 feet" misses lots of detail, most of which is irrelevant but some of which matters.

The day in question I was struggling to re-establish remote access to a client's medical information systems in the wake of new, improved security. I have no data on how effective this new access method is, but it is certainly baroque: 9 steps involving my desktop's browser, my phone's security app, two sets of credentials, my email account and another app to run on my desktop. All this to give me a way to log in to a server.

This tower of power all worked in May. It has not worked since. Attempts to get it to work via back channels failed: now only vendors use this facility, so my internal contacts have no insight: they use some other mechanism for remote access. I finally set aside the many hours I feared it would take and started down the path of technical support.

So far I am still completely stuck and am 6.25 hours in. I am sure that I will eventually triumph. I am not so sure that I will be able to hold my tongue when next I interact with the senior people who have presided over this security upgrade.

The essential problem with this complex combination of technologies is that the buck doesn't stop anywhere. My users referred me to IT. IT referred me to the Help Desk. The Help Desk referred me to some specialized commando Help Desk for this specific problem. They referred me back to an exec in IT for authorization for help in getting authorized for remote access so that I could then figure out what is going wrong in the 9-step process of authenticating myself. Last night, I rested and composed myself. Today I shall resume my quest to be able to do useful work.

At every stage no one was interested in solving my problem; instead, they were interested in passing the buck. This is what I call "the call center effect" which is caused by judging performance on how quickly problems are dismissed instead of how effectively those problems are solved.

I understand how this happens, especially in Tech Support: you chase those beautiful metrics that your trouble ticket system gives you. How quickly do tickets get moved out of a given employee's queue? How many tickets get moved out of queues? What a seductive proxy for performance!

I am very aware that overly friendly Tech Support is a juicy target for Social Engineering. I would not have been comfortable if anyone offered to reset my password or to force remote access for me without my identity being fully authenticated.

I am complaining about a lack of focus on the end result because, while this lack of focus merely makes your support team a drag to deal with, it makes your cybersecurity team ineffective. Cybersecurity is about results. You don't get credit for having a firewall; you get credit for having a properly configured firewall whose effectiveness you can confirm on an ongoing basis.

While it is possible that Tech Support is all about appearances and Cybersecurity is all about results, I would not assume that. Corporate culture is powerful and pervasive. It is difficult to have context-specific culture. It is imperative that your cybersecurity be effective and that it not be merely performative. The management team must make sure of that. Pythia Cyber can help.
