Should IT Professionals be regulated?

breach May 31, 2022

Or are we doomed to repeat the past failures?

I've been in the IT industry for longer than the graph below. But time and time again we see issues that, quite simply, should never have happened.

Ransomware is on the rise, and no one is safe. I was reading this morning about a US county whose entire county database has been knocked offline. It seems almost a daily occurrence.

Vulnerabilities are constantly being disclosed and exploited.

We're only halfway through 2022, so it looks like it's going to be another record year.

All this leads to panic and stress on operational teams, who patch in a never-ending saga only to be notified that the new version needs patching, and the whole cycle repeats itself.

So who's to blame?

While the bad guys are obviously to blame, how much responsibility should be shared by the IT industry? This is not just the end users' IT operations teams, but extends into the vendor space, the software products and the actual developers themselves.

Many jobs are regulated by law: surgeons, doctors and nurses; electricians and gas-fitters; architects and engineers who certify high-rise buildings; pilots, teachers, lawyers, etc.

When I see these exploits, it's usually "Oh no, not again", but it's the same old: buffer overflows, parameter checks not being done, SQL injections, cross-site scripting or forgeries. Equally, on the operations side, it is poorly configured services, backdoors left 'on the internet', and inappropriate firewall rules or architectures.

In this day and age, so many services are moving to the cloud, which exposes organisations to a whole raft of additional issues that previously didn't exist. For example, once upon a time, your AD (Authentication and Authorization) was in your secure areas; now it's on the Internet in Azure AD and open to the world for access from everywhere. Convenience comes with a price.

The responsibility lies with the IT Architects and Change Makers who define these new world paradigms, it lies with the teams who implement them, it lies with developers who write the code and it lies with the business leaders who drive companies down the road of never-ending efficiency.

Most developers (a sweeping generalization) are fairly recent graduates. Smart people, but generally with little experience. Many people move into 'IT' with some certifications and the promise of a good pay packet. There are too many instances of critical coding being pushed to the cheapest resource (Boeing 737 MAX, anyone?).

But where's the legislation and liability? Where are the checks and balances? Where's the equivalent of the Electrical (Safety) Regulations and codes of practice?

Almost everything is reliant on connected software these days, from homes and hospitals to power grids and air traffic control. We deserve better.

Industry 'best-practice' doesn't cut it. If the professionals responsible for allowing the vulnerabilities to exist were liable for their code, would the same problems exist?

This blog was largely inspired by the article below:

https://cacm.acm.org/magazines/2022/6/261171-the-software-industry-is-still-the-problem/fulltext

Phil Snowdon

Phil is the Technical Operations Manager at vBridge. Loves all things infrastructure. Network/Security/Storage/Compute and Virtualization.