If ever there was a wakeup call that the information technology industry needs to change, the recent Equifax attack was it. This was one of the largest data breaches in history, inflicting on Equifax an immediate loss of $5.3 billion in market capitalization. And that’s only the short-term impact. The potential long-term costs are exponentially greater, including at least 23 class-action lawsuits, (one seeking $70 billion in damages). So the question becomes, has the cost of doing IT effectively simply become too much for traditional business models? And how can you adapt your business to survive?
Answering these questions will require undertaking a serious overhaul in regard to our approach to IT as it pertains to corporate culture, technology and business models. In the past, the focus had been on making business processes cheaper and more efficient, with enterprise data being treated as little more than a byproduct. Like many enterprises, Equifax made the critical error of radically undervaluing the data it was protecting, but the hackers who stole the information of more than 145 million people certainly didn’t share that opinion, and neither did Equifax’s customers.
A new outlook on IT is required, one that focuses not only on efficiency but also radically improving protection. Make no mistake -- this will be difficult and expensive. The tech industry has gotten used to treating IT as a commodity and assumed the cost -- like it has with hardware, internet and communication tools -- would eventually go down. But like so many other industries, these practices are built on aging and crumbling infrastructure that will be very expensive to bring up to modern standards.
The average large enterprise spends a little more than 3% of their total budget on IT, and I believe the investments in processes, certifications and talent needed to adequately address today’s challenges may very well mean total IT costs will go up by 10X or more. But in a world where a breach in security can cost more than the value of your company, there is simply no choice but to evolve.
Due to its design and culture, enterprise IT is highly resistant to change in that it forces companies to decide between acting quickly to deal with an elevated risk or moving slowly to mitigate risk. Most enterprises have chosen to move slowly and thoroughly, and that choice was an easy one to make 10 years ago when it took hackers a year to find the chinks in your armor. They’re called zero-day exploits for a reason; in today’s world, you need to be able to anticipate, respond and adapt to new threats immediately.
On the technology side, enterprises must become comfortable with the fact that safety lies in becoming much faster, more agile and proactive in resisting emerging threats. The days of siloed departments that spend more time and energy concerned with office politics and preserving their own budgets than they do worrying about existential IT threats are over. Companies need to focus on their core competency and partner on everything else. Less is more.
So what will be the cost of doing IT right? When the dust settles, the new CEO of Equifax will have to find out if the company still has a viable business model, because if it costs more to protect its customers' data than it can charge for a credit check, the answer is no. I hope that the Equifax case will be the catalyst for a seismic shift that will finally force companies in every industry to change how they view IT.
