Turns out, the speed of light isn’t the universe’s limiting velocity. As evidence, I offer the SolarWinds security breach, which exited the news faster than any photon could follow.

Among the more interesting bits and pieces of the SolarWinds security fiasco was how it familiarized us with the phrase “supply chain” as a cloud computing consideration.

But first, in the interest of burying the lede …

The business case for cloud computing – we’re talking about public cloud providers like AWS, Azure, and GCP – has always been a bit fuzzy. For example:

Economics: The cloud saves companies money … except when it doesn’t. If the demand for computing resources is unpredictable, provisioning in the cloud is just the ticket, because the cloud lets you add and shed resources on demand.

That’s in contrast to on-premises provisioning, where you provision for a specified level of demand. If you can accurately predict demand and your negotiating skills are any good, you can probably buy enough computing resources to satisfy that demand for less than a cloud provider can rent them to you.

Engineering: Modern computing platforms and infrastructure are complex, with a lot of (metaphorically) moving parts. In the ancient days, IT dealt with this by buying its infrastructure from a single-vendor supply chain that pre-packaged it (IBM, if you’re too annoyingly youthful to remember such things).

With the advent of distributed computing and multivendor environments, IT had to bring its infrastructure engineering expertise in-house, partially offsetting distributed systems’ lower prices while supplanting a single-link supply chain with more links than a chain mail tunic.

Meanwhile, the requirements of multivendor supply chain management made the complexities of infrastructure engineering seem simple when compared to the complexities of service-provider contract negotiations. And, even worse, the complexities of multi-layer license agreements.

And, even worse than that, the aggravations of multivendor bickering and mutual finger-pointing whenever something goes wrong.

The rise of PaaS providers promised to reverse this trend – not completely, but enough that IT figured it could reduce both its vendor management and engineering burdens.

Security: In the early days of cloud computing, security was where the cloud value proposition seemed most dubious. Putting a company’s valuable data and business logic in the public cloud where IT had no control or oversight over how it was secured struck most CIOs and CSOs as a risky business at best.

But those were the good old days of basement-dwelling hobbyist hackers. Over the past decade or so these quaint relics of a bygone age have been replaced by malicious state actors and organized crime.

Meanwhile, working with a cloud provider has more and more in common with renting space in an office building: You’re relying on the architect who designed it and the construction firm that built it to select suppliers of concrete and girders that provide quality materials, and to hire a workforce that won’t plant concealed weaknesses in the structure.

You could, of course, hire your own architect, project manager, and construction workers and build your own office building.

But probably not. Unmetaphorically speaking, whether you manage your own data center and computing infrastructure or outsource it to a cloud services provider, you’re dealing with a complex, multi-layer supply chain.

The major cloud providers have economies of scale that let them evaluate suppliers and detect sophisticated incursions better than all but their largest customers can afford.

But on the other side of the Bitcoin, the major cloud providers are far more interesting targets for state- and organized-crime-scale intruders than you are.

Bob’s last word: Sometimes, making decisions is like dining at a gourmet buffet, where our choices are all good and the limiting factor is the size of our plates and appetites.

Other times, changing metaphors (again), the best we can do is, as Tony Mendez says in Argo, choose “the best bad plan we have.”

Right now, when it comes to cybersecurity, our situation is more Argo than buffet.

Bob’s sales pitch: Nope. I don’t consult on security. So I can’t help you there. But in the meantime, if you’re looking for reading material, I’m your guy. Help support KJR by buying some.

“I told you so,” isn’t as gratifying as you might think.

I’ve been writing about the business dangers of intellectual relativism and the importance of cultivating a “culture of honest inquiry” for more than 15 years (“Where intellectual relativism comes from,” 10/17/2005).

This week we witnessed the non-business consequences: A mob of armed insurrectionists, motivated by propaganda that was accepted as fact, specifically because the insurrectionists were, over the past several years, encouraged to accept “alternative facts” as being just as valid as any other kind of facts.

More valid, in fact, for two reasons. The first: actual facts might not affirm what their targets want to believe. They might even contradict it.

The second: Alternative facts have one and only one purpose: To enrage – to incite anger and hatred toward some convenient individuals and groups.

There are those who find the experience of anger, hatred, and rage gratifying. Pleasurable, in fact. Feeding alternative facts to this audience is much the same as giving Fido a doggie biscuit for rolling over.

That’s the first half of the symbiosis that was on display in our nation’s Capitol last week. The reciprocal half: People who want power, not to accomplish important goals but for its own sake. They give their audience what it wants – feelings of anger, hatred, and rage – and get power in return.

Symbiosis.

Persuading members of this audience that its leaders are playing them isn’t going to happen, because just as their leaders’ goal is power, so their goal is a pleasurable experience.

It isn’t about the validity of the alternative facts they’ve been fed. The universe of alternative facts is built, not on validity, but on intellectual relativism – the branch of epistemology that insists all propositions are equally valid because how can you tell the difference? Just choose the ones you like best.

We’re all vulnerable to the temptations of intellectual relativism, and especially to the confirmation bias that makes it all work. And so, because we aren’t going to convince the insurrectionists or their cheerleaders that (for example) there was no vast deep state conspiracy that stole the election, we at least need to figure out how to inoculate ourselves.

Here are three tactics worth trying:

Inoculant #1: Anger management. This one is, in principle, simple: If someone is trying to make you angry at someone else – either an individual or a group – assume they’re trying to play you. Start ignoring them as soon as you possibly can.

Inoculant #2: The falsification test. Whatever the proposition you’re on the verge of accepting, ask yourself what collection of evidence would change your mind. If you can’t imagine one, well, meaning no offense, you’re part of the problem.

Inoculant #3: Choose your tribe. And choose it carefully. As human beings we’re all prone to viewing ourselves as members of some affinity group or other. Whatever our group, we know all the other groups are at best unenlightened and at worst despicable.

Religion is a common affinity group, as are political parties and sports teams, to name three of the more obvious. As a side note, it’s worth considering that last week’s assault on the Capitol resembled a soccer riot more than a policy dispute.

So whatever the subject at hand, “join” a tribe that has no stake in it. This helps you avoid choosing sides, helping you not think of the other sides as the awful “them.”

Bob’s last word: The purveyors of intellectual relativism in business settings might not use it to incite violence as their political counterparts did last week. That doesn’t make them okay. Quite the opposite – it makes them harder to spot.

Bob’s sales pitch: First: No, I’m not turning KJR into A Consultant Reads the Newspaper. But this week, not writing about last week’s attempted insurrection just wasn’t a possibility. Unless something equally grim takes place, I’ll get back to my usual fare next week.

# # #

Once a year I ask KJR’s subscribers to let me know if these weekly musings are still valuable to you, and what might make them more valuable. Let me hear from you, if for no other reason than to know you’re still paying attention.

Thanks, and here’s hoping for an outstanding 2021.