It is hard to keep track of the number of patches that are released for some software products, never mind finding the time to test, then deploy them. So in the midst of a crisis, which is worse: to deploy an untested patch or leave a gaping vulnerability?
Brian Collins, a professor of information systems at Cranfield University and chief scientific advisor to the UK’s Department for Transport and clearly not a man to be trifled with, has a very definite answer.
Speaking recently, Collins lifted the lid on his experiences as CIO for a ‘magic circle’ law firm, his tenure at which coincided with release of the notorious ‘Love Bug’ worm in 2001.
The predicament arose, he explains, as a result of the London-based firm’s merger with two other practices in New York and Germany some 18 months previously, which resulted in “cultural differences” that had yet to be “flushed out” when the Love Bug hit.
“Most of us had done all the right patching, and the Love Bug was very tightly contained [and] didn’t propagate – except for in Germany. Germany had a procedure that they patched on the last day of the month – period. They had the patch three weeks before [but] waited until the end of the month.”
As the bug began infecting the rest of the firm, Collins instructed the IT manager in Germany to apply the patch then and there. “I rang him and said ‘this is really serious, you’re stopping the firm working, this is really revenue hitting in terms of gathering money and doing fee-earning work.’ He said: ‘No, we do it at the end of the month’.”
Faced with unmoving defiance, Collins had to make a choice: keep Germany functional and let that operation infect the rest of the global organisation, or cut the German operation off from the network and protect the rest of the firm. “So I disconnected Germany. We stopped Germany working, lock, stock and barrel, but it allowed the rest of us to get on and make some money.”