Tuesday, October 14, 2008

Ignoring The Risk In The Name Of Profit...A "Cultural Change".

In an earlier posting, I spoke of a comparison between the current financial mess, caused (at least in part) by bad choices at many levels in the housing/property market, and potential bad choices being made by Pharmaceutical Companies as they consider options for ePedigree, which include RFID. From an article I read today, Washington Mutual insiders have testified that the "company's risk managers, the 'gatekeepers' who were supposed to protect the bank from taking undue risks, were ignored, marginalized and in some cases, fired."

The article goes on to say that WaMu executives tried to convince risk managers to "lay off," that the new way of doing business at the bank was part of a "cultural change," and that risk managers were instructed to "lead the charge in modifying the perception of compliance and risk oversight from a regulatory burden to a competitive advantage."

This is an extremely direct and irresponsible approach to risk on the part of these executives, and truly indicative of a willfully ignorant way of dealing with the issue. It is clear (at least to me) that executives who chose to ignore such risks are at fault for the failure of such institutions.

In dealing with the security concerns in implementing RFID for use in the ePedigree initiative, the irresponsible behavior is not always so obvious. Security choices are generally delegated to the information technology and engineering departments, and the choices they make are generally driven by cost mandates for the implementation of the technologies, as well as by the ease with which the security (if any) can be implemented. If implementation resources become strained (time and money), then security is simply marginalized. Executives are, by and large, unaware of this, and are generally viewed as innocent in nearly all cases of systemic failures caused by security breaches. This is largely because, unlike the financial decisions executives make, executives are not generally expected to understand the intricacies of security, nor do they want to. This situation results in "plausible deniability" par excellence. When faced with the cause of the failure, executives simply point the finger of guilt elsewhere.

An example of this would be the security failures in voting machines. The State Election Boards certified electronic voting machines for elections, and when security problems were discovered, they de-certified the machines, and the finger of guilt pointed directly at the voting machine vendors. Consequently, State and Federal governments have begun expending resources to determine how far the security issues go (and they are indeed being thorough), and we, as taxpayers, are now shouldering the burden of the failed system (one estimate places the cost to California alone at $66 Million). If this review had simply been done at the beginning of the project, in all likelihood it would not have cost $66 Million plus the enormous loss of trust by the electorate in the election system and in the vendors of the equipment.

What will happen if or when Pharmaceutical Companies decide to either ignore or marginalize security in the implementation of ePedigree systems? Such systems will cost BILLIONS of dollars to implement (a cost sure to be passed on to consumers and/or taxpayers), and will cost BILLIONS of dollars to repair once security holes manifest themselves. In several instances, both I (a security consultant) and the pharmaceutical consultants I have convinced to present the issue of security to pharmaceutical company employees given direct responsibility for implementing ePedigree have either been politely ignored or flat out told that "security is not even on the radar screen." When pressed for a reason that security is not being addressed, the typical response centers around...You Guessed It...cost.

Can we, as stakeholders in this initiative, sit idly by and allow this risk-taking in the name of profit? Is this a "cultural change" we are ready to embrace?