Pruning and Cybersecurity

As I sit at my desk and type this, I can see an old server that I need to retire. It will be a pain because the golden promise of moving configurations from old machines to new machines is mostly a lie. I will have to recreate the services that have worked so well for so long. This will annoy the users, who are likely to see changes and feel inconvenience without seeing or feeling any benefit.

The benefit is the reduction of risk and that is a benefit so abstract that few people can appreciate it. Which is why so many cybersecurity vulnerabilities quietly sprout and grow in even well-run IT environments: over time your up-to-date, secure installations can become risky and then a potential liability and finally an exploited vulnerability.

I know all this, but I am dreading this project. If the replacement goes perfectly, no one will notice anything other than a drop in my ability to do the things that people are currently expecting me to do. If the replacement does not go perfectly the users will notice an interruption in a service so solid and useful that the service has become invisible. This will, understandably, annoy them. I will, no doubt, be asked why I touched something that just works.

But I am scheduling this project for next week because it must be done. And resolving to be better about all of the other similar projects that are to come. Like many people in my position, I try to keep a list of hardware and software that might need to be replaced and holes in the firewall that were essential once upon a time but perhaps can be closed and the data exchange done some other way.

This need to constantly prune your IT infrastructure, even if nothing is overtly wrong, is something we all just have to accept as a cost of doing business. Leaving things as they are unless or until something goes horribly wrong is not good enough. The conversations with users about why their beloved service or appliance or whatever needs to be replaced are a drag, but mostly people understand the idea.

The icky part is that the same thing is true of people. There are people in your organization who were great hires back in the day but who no longer pull their weight. The obvious, easy case is the slacker whose laziness is plain for all to see. Prodding those guys is generally not going to be a problem with HR or your colleagues. The not-so-obvious case is the pleasant, hard-working former star who has not kept up with things. Tech changes and cybersecurity changes even more because in addition to technological evolution there are evil people are trying to break your stuff and steal your data.

The good news is that old dogs can learn new tricks--assuming that your organization actually keeps track of who does what and how well and that your organization has the capacity to do that teaching.

The better news is that if you hire based on talent you have a much greater chance of "future proofing" your team. Past experience with obsolete technology is not as good a foundation on which to build new skills as talent and attitude.

If you can, hire talent and attitude. That is hard, but we can help.