[cybercrime] hidden cost of commoditizing IT Talent
There's a funny corporate culture that I have observed in Kenya that could shed some light on why local IT systems appear so vulnerable: TALENT COMMODITIZATION.

Take the banking industry for example. I recall a while back seeing some chatter on Twitter about how big brands UNDERPAY key IT staff (i.e. the hands-on technical staff like sysadmins / app admins / dbadmins & devs) in order to "save" on manpower costs. In this day and age that is not an intelligent thing to do.

Others assume that outsourcing to India will magically solve for costs, quality and security. I have worked on projects with "world-class" offshore teams and what I saw was a minefield of HIDDEN COSTS if you don't have your own savvy supervisory / QC team.

Then there are the "contract fixes everything" fanatics. Contracts mean nothing if you can't detect shoddy work - and if going to court after the fact is almost impossible given risks of PR blowback (in image-sensitive industries). In many cases such contracts are just for CYA (avoiding blame or passing audit reviews).

Some tradition-heavy institutions still put IT under Finance directors / VPs or GMs instead of having IT representation at board level. This makes it hard for IT to push back on top-down "spreadsheet inspired" directives. You don't increase shareholder value by setting up your critical functions for downstream failure (or putting the entire org at risk just to hit annual growth targets).

Beefing up the Infosec unit is pointless if the underlying architecture is full of holes. There is only so much duct taping that can be done. Worse if that team is underpaid as well.

It's also interesting that many local companies don't have a "specialist path" for technical talent advancement. This limits the political/decision-making clout for technical talent as well as limiting their personal growth. Hopping / side hustling / track switching (e.g. to management) is the end result.

These mistakes have cost the financial industry (for example) a whopping 17 BILLION in potentially avoidable losses (and still counting). So much for HR "cost savings". :-/

I think the Infosec crisis in Kenya is just a SYMPTOM of bigger "organisation and culture" issues - and short-term thinking is right at the heart of it.

"Financial institutions in Kenya have recently become a soft target for cybercriminals, with police records showing that they lost about Sh17 billion to the fraudsters in 2016, up from Sh14 billion in 2015."
https://mobile.nation.co.ke/business/Police-probe-130-bank-cyber-fraud-suspe...
Spot on Patrick,

Information and Communications Technology is quite misunderstood. No wonder for the longest time ever Gartner always reported the fact that only 30% of ICT projects always succeeded in the long term.

Regards

On 2/1/19, Patrick A. M. Maina via kictanet <kictanet@lists.kictanet.or.ke> wrote:
> There's a funny corporate culture that I have observed in Kenya that could shed some light on why local IT systems appear so vulnerable: TALENT COMMODITIZATION.

--
Barrack O. Otieno
+254721325277
+254733206359
Skype: barrack.otieno
PGP ID: 0x2611D86A
Indeed Barrack. It's the reason we have non-ICT influencers (possibly sponsored by rent-seeking multinational corporations that want to turn the market into slave labor) pushing weird initiatives like an "ICT bill" whose only real effects are retrogressive: e.g. by creating a BACKDOOR RENT TAX (license fee) for anyone who wants to practice ICT and to suppress independent indigenous innovations. Legislation can't fix ignorance...

On Friday, February 1, 2019, 10:40:32 AM GMT+3, Barrack Otieno <otieno.barrack@gmail.com> wrote:
> Spot on Patrick, Information and Communications Technology is quite misunderstood.
Very interesting observations.

I think for a long time and in many companies, the IT guy's role was to clean the machines, ensure everyone could connect to their email/internet, install MS Office and generally ctrl-alt-del whenever machines hang. Today, an entire company's systems are IT based. The IT guy now is critical to ensure the entire company runs smoothly, as IT is at the core of how several companies run. However, to some companies, the IT guy is still seen as the guy who dusts machines and installs antivirus. Hence this lack of recognition of the centrality of competent IT staff and giving them the appropriate support and rewards is costing companies billions.

Kenya will no longer be a leader in the ICT sector in the continent or the globe if we cannot develop our capacity appropriately to respond to emerging threats and challenges. It is not enough to propose laws such as the ICT practitioners bill. Another example is the computer misuse and cybercrimes act which fails to acknowledge that Cybersecurity is a shared responsibility that cannot be addressed by government alone.

We need to think critically about the sector and have concrete plans that cement Kenya's leadership in the sector. Disjointed approaches to solving problems in the sector will only lead to more problems. Hence, critical country plans that are in dire need of revision ought to be revised. The ICT policy 2016 should be reviewed and adopted.

Multistakeholder approaches are critical. We all need to work together to address these apparent gaps and table solutions that will save the profession and the country at large from this impending disaster. Otherwise, companies and any person using IT services might as well just continue increasing their budgets to make provision for losses that will arise from cybercrimes.

Victor K

On Fri, 1 Feb 2019, 11:56 Patrick A. M. Maina via kictanet <kictanet@lists.kictanet.or.ke> wrote:
> Indeed Barrack.

_______________________________________________
kictanet mailing list
kictanet@lists.kictanet.or.ke
https://lists.kictanet.or.ke/mailman/listinfo/kictanet
Twitter: http://twitter.com/kictanet
Facebook: https://www.facebook.com/KICTANet/
The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platform for people and institutions interested and involved in ICT policy and regulation. The network aims to act as a catalyst for reform in the ICT sector in support of the national aim of ICT enabled growth and development.
KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications.
Well articulated Victor. Thanks for weighing in.

As indigenous practitioners, we need to proactively propose solutions that create maximum value for the people (more high quality jobs, less crime etc) and for Government (more taxes, macro-economic stability, stronger governance/democracy etc) - otherwise the MNC lobbyists will continue pushing for retrogressive regulations that harm/stifle the potential for local industries.

Btw, this is not just a Kenya thing - the whole world is literally waking up to this - especially India, with the PM pushing for strict implementation of laws that favor indigenous tech (similar initiatives in some European countries, like France; in CIS Europe, and in Asia as well).

Do we have local-content-friendly lawyers in this group we start drafting the following 21st Century Bills:

1. Promotion and Protection of Indigenous Innovations Bill (in line with the Constitutional requirement for Gov to promote and protect indigenous innovations)

2. Addictive Technology Control Bill (in recognition that addictive tech e.g. social media and online games are deliberately designed to work the same way as controlled chemical substances - and are just as harmful - diverting attention from productive economic and educational activities, impacting mental health and turning people into cognitive "zombies" - which seriously harms the economy)

3. Large Content Platforms Control Bill (to ensure accountability and more commitment to technical solutions by large platforms which are known for their potential to destabilize society. If left unchecked, these platforms can be used to subvert democracy, sabotage the economy and trigger mob crimes that harm human beings. This would complement the Data Protection and Hate speech Acts - but is much more technology focused)

4. Global Platforms Taxation Bill (to ensure that Government gets a fair share of revenue from global platforms which operate in Kenya, to get fair compensation for diversion of workers' attention away from the local economy, to encourage global platforms to have a meaningful presence and local teams - in high responsibility positions, to promote skills transfer; and to block those that only want to extract and repatriate without a commensurate benefit to the country). For example basing tax on local attention tokens (fair value of local attention for each county - based on median salary and median school fees in that county) based on the number of installs and typical usage patterns - instead of traditional revenue basis. This data can be more easily collected locally.

These last three bills will attract global attention as they will introduce 21st century tech regulations (something that many countries are struggling to solve).

Brgds,
Patrick A. M. Maina.
[Public Policy Analyst - Indigenous Innovations]

On Friday, February 1, 2019, 12:20:15 PM GMT+3, Victor Kapiyo <vkapiyo@gmail.com> wrote:
> Very interesting observations.
participants (3)
- Barrack Otieno
- Patrick A. M. Maina
- Victor Kapiyo