If a doctor saw one of his colleagues hacking open the chest of a patient with a chainsaw, you’d like to think that he’d report this fact to relevant authorities and something would come of it. I’m no brain surgeon, or any type of surgeon at all, but yet I know that chainsaws aren’t a suitable means for performing surgery of any type. I like to think that there’s a certain level of checks and balances existing in the medical profession, and as a rule those who lack the ability to perform the basics with any level of competence (or who decide to perform micro surgery using chainsaws) will eventually get found out, and have their license to practice revoked. Or at least get a slap on the wrist. NO! NO CHAINSAW FOR YOU! BAD!
I’m an optimist aren’t I?
So what about when it comes to IT providers? Where are those checks and balances? While large enterprises often have skilled professionals on staff who can smell bullshit a mile off, the same can’t always be said for small to medium sized businesses – who often end up placing a large amount of trust in the companies they engage to help them run their business. When you’ve picked skilled and competent providers then as a rule this relationship works out well, but how do you know whether your provider is competent or not?
Today a colleague of mine made an observation with regard to the quality of work of another company, and it’s an observation which I think is worth quoting verbatim. The comment was quite simply “this shit is fucking criminal”, and while it was made using emotive language (boo hoo, cry more tbh) and in the heat of fixing a series of monumental fuckups, it was completely correct, accurate, and justified.
With the importance of IT to most of today’s businesses there can be no excuses for lacking a basic level of competence. Sure, there are an increasing number of complex and ever changing attack vectors to be on the lookout for in terms of security, but there’s still no excuse for being an IT provider without doing at least some of the basics right – hell, even if you’re doing them wrong, at least know you’re doing them wrong, and inform your client of this.
This is 2010, and while the goal posts are always moving in this game we’ve still got a pretty good idea around some of the basic strategies and tactics. Some of the finer points and rules of the game change and evolve over time, but the basic aspects of game play remain constant – simple things, like the fact that storing your passwords in your database as clear text is bad, and that’s not going to change anytime soon.
The problem is that I’m unsure of how to finish this post with a clear call to action. Right now, I honestly feel like this industry is lacking in terms of standards and checks and balances (which is no doubt an opinion which is clouded partly by the events of the day), but also that simple best practices audits are something which may feel out of reach of smaller businesses. No one is perfect, but I’m terrified by the thought of the level of trust which some companies are placing in providers who are giving them terrible negligent advice.
This is wrong. In fact, it’s fucking criminal.