CIOs Share the Blame

Computerworld - A lively debate has been generated by the recent report "CyberInsecurity: The Cost of Monopoly," produced by, among other credible security experts, Daniel Geer, Charles P. Pfleeger and Bruce Schneier. The vulnerability of any monoculture -- the central theme of the report -- was noted here five years ago ["Microsoft a U.S. Security Threat," Nov. 30, 1998, QuickLink a3770].
While the paper makes the case for Microsoft's culpability in magnifying security risks, that's only a partial explanation of the situation we're in. Something must be said about the conduct of IT managers who have ignored rising security threats.
As microcomputers acquired mainframe power, tens of millions of amateurs got hold of the capacity to mess up systems in ways that previously were available only to professional programmers. As a result, security has now become the main inhibitor to further computerization. IT management should shoulder part of the blame for several reasons:
1. Abdication. When desktops first showed up, CIOs were pleased that they could unload the burden of satisfying rising demands to enthusiastic amateurs whose costs could then vanish into administrative expenses. Complaints about a lack of service could be unloaded to where they couldn't reflect on the CIOs' difficulties in dealing with technological innovation. For example, when the U.S. Navy and Marine Corps set out to harness uncontrolled desktops, they found over 100,000 "legacy" applications instead of the 2,000 they expected to find. Seizing control is now difficult because most of the useful work is done on local applications and not through services provided by the Navy/Marine Corps CIO.
2. Absenteeism. When computing devices started connecting to the Internet, CIOs tolerated the widespread practice of jump-starting local application services with few security safeguards. For this lack of security leadership, the CIO received accolades from computer magazines without much accountability for consequences.
Three years ago, much of the federal administrative bureaucracy became a Web-page development shop. When I got to NASA, I asked for a count of Web addresses in the organization; we stopped at 2,904 and 4.3 million individual pages. Much of the most effective work in using computers as a tool for collaboration and communication was done outside of the organizations that the CIO was supposed to guide.
3. Negligence. In the past decade, CIOs, allied with enthusiastic corporate executives, diverted their attention from managing the total costs of computing to lobbying for incremental funds for attention-grabbing technologies, such as client servers, enterprise systems or Web services. Such projects could be managed as separate tasks and were presented