The first-day lesson on cybersecurity is to learn the fundamental mantra of responsibility: maintain the C-I-A of our information. We are to make sure information has Confidentiality, Integrity, and Availability. The massive shift to a locked-down society, called The Great Hunkering by a cousin, caused by the novel coronavirus pandemic, has put a huge strain on maintaining availability of information and services across the interwebs. Oliver Sudden folks who had been spending their days in offices and classrooms became victims of telework and tele-school mandates. The immediate impact on network bandwidth usage is obvious to anyone in the world of information systems (IS) and information technology (IT). However, that just accounts for the flow volume impact. Less obvious to many is the impact on load capacity of the processing systems that use that data. Which brings us to a painful lesson in the news.
Fairfax County, Virginia, has one of the largest school systems in the US (189,000 students). I am fairly familiar with that system since my own children went through its schools. The system had been using Blackboard for class management, so the natural move was to expand the use of Blackboard's live classroom module for conducting classes. The shift did not go well at all. Students and parents complained of inability to connect, faulty video and audio feeds, and malicious classroom intrusions. As reported in an April 22 Washington Post article the schools IT chief lost her job because of the system failures. The school board held a (virtual) meeting to investigate, where the IT chief and a senior representative of Blackboard traded blame. From that article, here is what I consider the key failure in IT management that led to the fiasco:
"Blackboard Chief Product Officer Tim Tomlinson noted that Fairfax had failed to implement seven updates to its technology over the past nearly two years, although company staffers had publicized the upgrades to the school system.But Luftglass [the IT chief] said the company never told her the updates were needed to improve performance ahead of distance learning. ... Documents obtained by The Post show that technology specialists within the system foresaw possible trouble weeks ago and tried to warn higher-ups long before virtual school began."
Really? They let their software languish without upgrade through seven cycles and two years? They didn't think it necessary because no one told them? Basic Control #2 of the CIS Top 20 is Inventory and Control of Software Assets. Controlling enterprise software includes keeping it up to date. While the CIS control #2 is implicitly focused on reducing vulnerabilities, performance improvements in software updates and upgrades are often essential to maintaining system availability. Apparently that was the problem at Fairfax County Schools.
So, the lesson here, learned the hard way by the [former] IT chief: Keep your software up to date!. And secondary lesson: listen to your workers on the front lines.
(c) 2020, D. Cragin Shelton as posted online on Randomness.