My wife and I drove from our home in Atlanta to Panama City, Florida yesterday. It’s been approximately 2 months since Hurricane Michael ripped through this part of Florida. We are here to deliver Christmas presents we and our friends, neighbors, and coworkers donated.
I’ve seen the aftermath of fires, floods, and tornadoes many times. What I saw was beyond anything I have experienced. In one neighborhood we visited, nearly every house on the block had blue tarps on the roofs. The homeowner we spoke with said she felt lucky because the all of the houses on the next block were gone. Simply gone. I saw houses torn in half and entire forests of trees all snapped halfway up. Many buildings in the area have one or more exterior walls blown out, as if a bomb went off inside. This apparently happens when wind found a way in on the other side of the building. This damage this goes on for miles, and miles. I’ve been told that the area I visited, while bad, was not the worst hit by a long shot because it was on the western side of Michael’s eye, meaning that the winds blew out to sea. The area to the east not only had roughly the same winds, but also massive storm surge from the wind blowing the Gulf of Mexico inland.
From what I saw, older structures and trees suffered most, which is not terribly surprising. I was struck by the metaphor, albeit on a much different level of significance, that this situation has with information technology. Buildings designed and constructed 30 or 40 years ago are not designed to the same standards as those built along Florida’s coast are today. As storms pass through, the older structures can be destroyed, as many were in Hurricane Michael.
I see a similar story unfold with corporate IT. Older environments are often not designed to withstand the attacks leveled at them today. IT environments designed today will not withstand attacks in five or ten years. Upgrading these environments to withstand those attacks is often prohibitively expensive, at least as assessed prior to a devastating attack.
We seem to be in a situation where all but the most forward looking organizations wait until a storm comes to force the investment needed to modernize its IT. The challenge, as we repeatedly see, is that the ultimate victims harmed in such attacks is not the so much the organization itself, but rather the people whose data the organization holds. Because of that, the calculus performed by organizations seems to favor waiting, either knowingly or unknowingly, for the storm that forces structural enhancements to their IT environments.