
Protecting the Cheddar

Other companies/products:

I think that any system that could pose a health hazard should be most closely guarded, with company secrets being the second priority.

Healthcare and healthcare-adjacent medical data (mental health, reproductive health, maternal health, fertility health) that are non-“medical” as far as the FTC and HIPAA are concerned are huge categories that don’t even NEED to be hacked to be accessed. With period tracking data, people already fear what would happen if this data were subpoenaed in an anti-abortion state, since it is already freely sold to data brokers at Google and Facebook (Flo’s settlement with the FTC is a good example). This, however, is more of a legal and regulatory question than a matter of public safety and network security.

As for hackable software that would pose danger to its consumers, the reading gives a great example of how edible goods should always be considered as a potential health hazard. Water sanitation and filtration systems are also a good example, as well as any processes involved in producing pharmaceuticals. The systems measuring and reporting the intake of the chemicals involved in these processes should always have limited access, because if they are tampered with, dosages could be falsely reported, with potentially fatal results. Restaurant chains should also abide by this, as whatever tests run on their food or whatever food sourcing data they have should always be accurate and very difficult to tamper with.

I don’t know why, but the “sacred” family recipe doesn’t seem to be the biggest issue to me. Newhouse Cheese Company already seems to have their reputation and their production processes where they need them, and I think that’d be harder to steal and replicate than to ruin their business by placing them at the centre of a public health hazard.

“Who invited her?”

Sara had good insight into parts of the business that the C-Suite takes to be a given, such as the inherent good in digitising all their processes. Perhaps as a bit of an outsider, she didn’t see the value in “cutting costs” if it led to them being exposed and threatened for $50k. Since this doesn’t compare to the $6M they’d already spent, I think she had a critical eye in determining that spending more on cybersecurity measures should maybe not be their top priority.

I think that companies should always consider the outsider perspective just as much as their own. That’s why they hire consultants. Although she already works at Newhouse, she didn’t have the biases that the C-Suite had regarding their established processes.

Obviously, her input should be taken the same way as it would from anyone on the board, C-Suite and technical or not. For one, she would not have to speak out if the technical foundations of the company were bulletproof, so I also believe it’s a matter of owning up to one’s mistakes to be able to take criticism or a new idea from someone, even if they are junior to you. I like that the CEO saw value in having that unbiased perspective but didn’t take it at face value and hired someone to dig deeper into the data. If he had just ignored her, he’d potentially be exposing the company to huge risks, but by hiring someone to look into the security flaws, he was also able to validate her convictions.

For our project, although there are no health implications, protecting user data in any capacity should be a priority. We’re dealing with data that should mostly remain public, but we should definitely look into openings where users wouldn’t want their data shared or stolen.

 

 
