A lot of discussion on the technical side, but not from the organisational one.
How could audit, both internal and external, not find this? 2003 to today is 16 years. Audit is a last line of defence and certainly not to be relied upon as a buddy to catch your errors. But... how? This is a major financial institution in the most developed country in the world (the clue's in the name). It should subscribe to the highest integrity and tightest scrutiny. This seems an opportunity for both internal and external auditors to tighten their game.
Outside of audit, surely an employee might have noticed? Was there no formal method to speak up without fear of recrimination? According to Wikipedia [1] there are eighteen thousand employees. Someone never noticed?
This seems an organisational failing, not a technical one.
Is not the tech a part of the organization's way of doing business?
These things are highly related to what’s going down in a thread [1] from yesterday (about “shitty projects”).
I'm sure these guys spend many millions each year on security products, but either the people in the know on the tech side are ignored, or they have no competencies left.
In the thread I mention above I have actually posted about my general experience from a major insurance player.
A concrete example:
We were making changes to custom software, and as there were concerns about bandwidth requirements and latency I took it upon myself to figure out what a specific process looked like from the business perspective.
In short, in the middle of the workflow, customers' journals were written to CD and mailed to physicians. Encryption? Eh, no... Any process in place to ensure safe keeping and return/destruction? Uh, forget about it...
This was in the time when a lot of these “lost usb devices” and hacked systems seemed to pop up daily.
I obviously raised this with the security team, the security officer and the business unit.
No one wanted to touch this finely tuned business process.
It felt like I was working at Fawlty Towers.
Again, that companies have drawn this line between business and tech, “‘cause tech is not core bidniz”, will haunt a lot of big players for years to come.
> In short, in the middle of the workflow, customers' journals were written to CD and mailed to physicians. Encryption? Eh, no... Any process in place to ensure safe keeping and return/destruction? Uh, forget about it...
That's a manually initiated transaction done internally and should be a red flag to anyone. Data outside of the organisation is data with no control. You could keep escalating this. That's an example of no 'speaking up' channel. If a channel to escalate is missing or poorly implemented, frauds will happen by internal or external agents. The process doesn't sound finely tuned at all.
Of course I was being ironic about it being "finely tuned"!
What I’m saying is that in spite of having, in a sense, all the resources at their disposal, this process was chosen by the business, for the business.
An encrypted on-line service could, and should, have been implemented. But being far from tech & dev, the business chose a process matching their competencies.
Messing with this several years in, and trying to digitize a process obviously in need of it, is met with much resistance.
Another gem of a process:
Many (like hundreds) employees needed personal printers. But why?!
Because:
- Printing claims from a "modern" client/server system.
- Pinning a bar-code, also printed, to the pages from step one.
- Scanning these into software that reads the bar-code and adds them to queues for mainframe processing.
D/A -> A/D? Huh?!
Holy cow! I almost fell off my chair...
And the inherent security risks in play here, not to mention acres of forest consumed over the years. My mind is boggling...
Am I actually living my working life inside a Dilbert strip?! It’s not even funny, because it’s true.
What I’m saying is that many large corps are anything but in fine tune with tech.
Right. I'm 'business' and the split 'business' vs 'tech' should not be there. I'm sure we've both seen terrible things, these are reinforced by organisational constructs. Escalate escalate escalate if you see something wrong. To coin a bigcorp slogan, of a company I admire the mission of, "Do the right thing" and "Not good enough."
I recently opened a new bank account in the UK and chose a 'challenger' bank. The process was secure, very smooth, the customer support very nice. They have no branches. This is regulationtech, not so much fintech, and challengers are coming from all sides, including in insurance. I wish these challengers well as being on the inside of incumbents I'm just left scratching my head "Why?".
I for one am through escalating stuff in a hierarchical organization. Too much politics.
I've been out of that game for a few years and have no ambitions to make a career for myself at such a place.
In a very big, top-down org, ponder the following:
Granting, in a specific scenario, that I’m right — this “whatever” is a disaster waiting to happen or possibly an already flaming disaster, heads have to roll.
Someone always has to take the blame, as this will most likely affect someone's budget or set goals.
It might have profound effects on the current “1.” or “.One” consolidation & synergetic tech project that management is giving misdirected focus at the moment.
The “1Whatever” projects usually have bizarre amounts of $$$ attached, and end up holy.
If you have worked at big enough companies, you know about the "whateverOne" projects I'm referring to!
I don't know what 1.whatever is. Yes, I've worked for supercorps, mainly financials, and I have a responsibility to ensure customer and employee data are managed responsibly.
It is important to escalate what doesn't seem right. Sometimes that means email after email after email (written record) and that if it still doesn't smell right to keep pushing. Ops was a strange place, but 500 emails per day is no longer a challenge.
I commented on this as an organisational failing rather than a technical one, as a debate about UUIDs seems to be missing the point that people could have been aware something was not right but did not do anything, or weren't allowed to, or it got drowned in the organisation.
Clarification on 1/one — in my experience big co is naturally striving for synergies and often target “IT” as it’s seemingly an obvious candidate.
These projects often bear a description such as "ProgramOne", "Platform1" or 1SomethingAwesome, and are of a "bite off more than you can chew" character.
At least at three of the class-leading companies I've worked for, all with 90,000+ employees.
It’s just my disillusionment shining through! :)
I believe we agree — the future holds a merger of tech with business and what I’ve stated above are org failures. That’s true.
IT must not block business, it should expose opportunities and be inherently secure by convention.
Completely agree. And regulators are pushing for this. When.. in retail and SME banking and financial services the future is here, in Europe, but has yet to gain traction and public trust but that's coming quickly. That will be 5 years, change takes time, a long journey for VC money but not too long, they will see returns.
Asia will be slow. NA perhaps slower still. AU might pick up the ball but NZ will be faster if they choose. SG will lag HK because of technical debt in SG. I'm Asia based, not much idea on South America. South Asia are hand-tied by regulation, mainly currency, restrictions, the above regulators will be providing markets with the best retail and SME financial products. A hot place to be, Europe probably hotter coz PSD2.
Yup, raise any flags and risk being treated as an outsider/treated poorly. That's my current situation after raising concerns ranging from being way overcharged on a government client project by a vendor who happens to be friends with a manager, to catching a now-ex manager pulling MITM attacks on a router (to snoop/play politics) which happens to be on the same network as servers housing client data. It's an awful feeling not being able to have glaring issues resolved, or to be treated like shit after doing what seemed right and in the best interest of the company.
Needless to say, I'm making moves to get the hell out of there
And this is from a huge organisation. There are many more medium-large organisations that still operate under the Chinese-walls model: perimeter defense, but once you are inside the VPN/intranet the security is a lot more relaxed (if any). That is the security culture and very hard to change.
The market forces those orgs to start offering services online. They run those (relaxed security) services inside their intranet, so they start poking holes in their firewall. The next decade is not going to be pretty in that regard.
I think you're correct that these will become more common. A couple of years ago I was chatting with friends who were doing APIs, because of market/regulatory pressure (the EU's PSD2), exporting JSON of transactions using COBOL for use online. Because that bank, almost an order of magnitude larger than First American in terms of employees, will do everything in order to not move off COBOL / its legacy system.
I personally think the board and CEO should be personally criminally liable. I don't know exactly how but if I can't use ignorance of the law as a defense for shouting in public (one yell back at someone who yelled "fuck you" at me and I got a $180 fine) then the CEO and board can't use that as a defense for leaking data for SIXTEEN years.
Didn't know this was happening in your organization? Fuxk you, go to prison.
[1] https://en.wikipedia.org/wiki/First_American_Corporation