CDK Hack Proves that Enterprises need First Party Software
At this point, the CDK hack has made high-profile national news as car dealerships across the U.S. struggle in the wake of perhaps the largest cyberattack in recent memory. Only recently has it surfaced that this old, behemoth software application was the victim of a ransomware attack. Although CDK is still rather quiet about the exact cause of the hack, they have stated that they paid millions in ransom. Even so, it may take them another month to recover, and the impact could linger for years.
Back to Analog
As reported by CNN, dealerships have little choice but to revert to analog processes, including manually gophering titles to local DMVs, which are inundated thanks to these outages. Digital processes that once took minutes now require hours. Customers are suffering, dealerships are suffering, and the only true winners are those dealerships that didn't integrate with CDK (and, I suppose, the criminals).
Everyone who has suffered a security breach has some element of regret. They wish they'd spent more time and money patching obvious security flaws, listening to developers who likely raised the alarm many times, and properly weighing the cost of software development against the cataclysm erupting around them. In my view, CDK is probably cooked as a business -- at least, it will never be as commercially viable as it was.
The risk of going back to analog processes isn't something a normal business really thinks about day-to-day, but it's a serious risk in today's climate of integrations. The idea that offloading your software to a "trusted vendor" is best is easy to see from a business perspective, but are you really sure it's a good idea to risk your entire enterprise on someone else's systems?
In what world of cost-benefit analysis is "100% catastrophic failure" truly worth the money you've saved by not having a development team...? What about the opportunity cost of not developing bespoke software tools that work best for your enterprise? Have you really, really thought about the potential price tags involved when software vendors suffer breaches...?
Tech Layoffs Will Lead to Hacks
Tech layoffs are popular right now...and I do mean "popular" in the sense that there's a proven bandwagon effect when it comes to layoffs. Investors are the only class of people that matter to publicly traded companies, and that's not some woke rant about how bad capitalism is, that's literally the way "fiduciary duty" works in publicly traded companies. They cannot put their customers or their employees first; that's inherent to how corporate entities work!
If your software vendor is laying off thousands of people, you shouldn't be happy about it as a customer. What do you think happens to all the secrets these workers take with them as they are canned...? Do you truly expect them to be pristine stewards of internal corporate security holes after 6+ months of searching for a job in a bad tech market...? Do you really expect them to have loyalty to an old employer that laid them off even in the midst of strong profits...?
Secrets have a way of winding their way into the public. If you want to look at each laid-off tech worker as one extra unit of profit for shareholders, fine...but that's a very short-term mindset. Not only are you losing skilled labor with business domain knowledge, you're losing important secrets you need to safeguard and daring ex-employees to compete with their own startups.
People will do whatever they need to do to feed themselves and their families, and even the coldest corporate CEO has to accept this reality. On one hand, you have a pile of secrets worth real money on the dark web. On the other, an employer that expects you to be a good steward of their secrets even after firing you for no reason other than a temporary stock price bump. Would you be loyal in that circumstance? Don't get me wrong, the average tech worker will never go down this sort of path...the vast majority of people are trustworthy...but it only takes one to compromise an org, and desperate times call for desperate actions.
Of the thousands of out of work tech workers, it is certain that at least one of those workers has turned to crime to feed themselves and their family. For enterprises that trust their SaaS vendors to "handle everything", you should be voicing concern about layoffs, not celebrating them for making your vendors "leaner". This goes triple for software firms that themselves like to outsource code. Software vendors are in it to make a buck, too, and cutting corners to bolster revenue is not a rarity.
Building Software isn't Optional
In the grand scheme of things, building software is not that expensive relative to the benefit...and each critical software component you choose to outsource carries with it monumental risk that only gets worse as the computing age wears on. A larger population, greater computing literacy, and the advent of AI tools will make hacks more common, more sophisticated, and more dangerous. Supply-chain hacks are growing more and more common, and enterprises need to be far more paranoid about this risk. For example, polyfill.io is now a malware delivery service because the domain name was simply purchased by a shadowy company.
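As an added illustration of the defensive side of the polyfill.io-style risk just described (this is example code written for this page, not code from the original post or from any vendor): a third-party script pinned with Subresource Integrity cannot be silently swapped out by whoever controls the domain later, because the browser refuses to execute content whose hash no longer matches the `integrity` attribute. The script below computes SRI values, mirrors the browser's hash comparison, and audits a constructed sample page for cross-origin scripts loaded without pinning. The hostnames in the sample HTML are made-up placeholders, and the tag parser is a simplified regex, not a full HTML parser.

```python
import base64
import hashlib
import re
from urllib.parse import urlparse

# Constructed sample page (not from any real site). One third-party script is
# loaded with no integrity attribute, one is pinned, one is first-party.
SAMPLE_HTML = """
<script src="/static/app.js"></script>
<script src="https://cdn.example-polyfill.test/v3/polyfill.min.js"></script>
<script src="https://cdn.example-lib.test/lib.js"
        integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
"""

# Simplified tag/attribute matching: enough for an audit script, not a parser.
SCRIPT_TAG = re.compile(r"<script\b([^>]*)>", re.IGNORECASE)
ATTR = re.compile(r'([a-zA-Z-]+)\s*=\s*"([^"]*)"')


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Return an SRI token ("sha384-<base64 digest>") for the given bytes."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"


def integrity_matches(content: bytes, integrity: str) -> bool:
    """Mirror the browser check: accept if any token in the attribute matches.

    Browsers only use the strongest listed algorithm; this simplified version
    accepts any listed token, which is sufficient to demonstrate the idea.
    """
    for token in integrity.split():
        algo, _, _ = token.partition("-")
        if algo in ("sha256", "sha384", "sha512") and sri_hash(content, algo) == token:
            return True
    return False


def parse_script_tags(html: str) -> list[dict]:
    """Return attribute dicts for every <script> tag that has a src."""
    tags = []
    for m in SCRIPT_TAG.finditer(html):
        attrs = {k.lower(): v for k, v in ATTR.findall(m.group(1))}
        if "src" in attrs:
            tags.append(attrs)
    return tags


def unpinned_third_party_scripts(html: str, own_host: str) -> list[str]:
    """List src URLs of cross-origin scripts that carry no integrity attribute.

    Same-origin (relative or own-host) scripts are skipped: SRI is about
    content you fetch from someone else's infrastructure.
    """
    findings = []
    for attrs in parse_script_tags(html):
        host = urlparse(attrs["src"]).netloc
        if host and host != own_host and "integrity" not in attrs:
            findings.append(attrs["src"])
    return findings


if __name__ == "__main__":
    for src in unpinned_third_party_scripts(SAMPLE_HTML, "www.example.test"):
        print("unpinned third-party script:", src)
    body = b"console.log('constructed sample script');"
    pin = sri_hash(body)
    print("pin:", pin)
    print("tampered copy accepted?", integrity_matches(body + b"//x", pin))
```

The caveat that matters for the page's argument: SRI only works for content that does not change. A polyfill service that tailors its response to each browser's User-Agent cannot be pinned at all, which is exactly why the sane mitigation for that class of dependency is to self-host a fixed copy rather than trust whoever owns the domain this year.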
It's great that there are so many SaaS options that allow companies small and large to leverage complex software provided "on the cheap" by third parties, but I doubt most enterprises look beyond the monthly fees and consider the real risk and opportunity costs involved with these integrations. In other words, if you know that everyone and their mother is using Klaviyo now, will plugging it in give you an advantage, or just keep everything even...? Enterprises that enrich their integrations or roll custom tools that complement Klaviyo have a clear advantage compared to those that plug it in like everyone else. Integrations are no longer a big advantage because everyone now uses them. In other words, having a SaaS doesn't mean you can lay off your tech team.
More than that, it's reasonable to suggest that most innovations will still be happening in the software world. Will humanity invent some new technology that revolutionizes retail? Maybe, but for now...it's software that offers the most new ground for innovation. When you plug into a third party, you are surrendering that entire pipeline of potential innovation to a third party that truly does not care about you.
Out of SaaS Gas
There's a growing chorus of devs that want a return to on-premises hosting because the cloud is too damn expensive. Serverless is just another way to power that cloud computing cash register where every ounce of compute is charged as close to usage as possible. It's not always the best deal. The same is true of SaaS in general, now. Are you sure the software is really worth $50/seat for your whole enterprise...forever? If you took 10 years of fees and spent it on internal dev, wouldn't that make more sense...? It isn't just the expense, it's the opportunity cost.
CDK's hack proves just how much this equation matters. Dealers that didn't want to plug into the same behemoth as everyone else, or that rolled their own software, are laughing all the way to the bank.
If the promise of SaaS was true, shouldn't dealers simply be able to pivot to another SaaS and recover? Obviously not, because SaaS companies have a vested interest in making integrations hard so that customers are vendor-locked...and SaaS companies live and die by subscriptions at scale, so smaller SaaS services are rare. It's the perfect brew for limiting customer choice.
It isn't just that some dealer has decided to use CDK as a service, it's that by doing so they have decided to be dependent on that service indefinitely, no matter what. What if they raise fees? What if they go down or are hacked again...? Wouldn't it make sense to pay a small team of devs for a year or two so that you have your own system that can register car titles...? And then save a boatload of money on a SaaS that wants you to be dependent on them...?
Further, a SaaS will not innovate for you. If you have AI FOMO, it's because you need your own software engineers that can work on these pipelines. Enterprises that prefer to rely only on software as a service will never be on the cutting edge of anything. They will have to wait until platform-ized tools become available, at which point all your competitors have already spent plenty of time mastering this tech on their own, building institutional knowledge, and iterating on use cases.
It used to be the case that a savvy enterprise could gain advantage by being the first to integrate, but that's not true, anymore.
Conclusion
Hacks will not get better as software continues to grow more complex and the supply chain for most software continues to expand. Security is not improved by mass layoffs, nor does a firm gain advantage from following the pack with integrations like it used to. Risks involving third-party software are severely underestimated. Hacks like CDK underscore the value of bringing software knowledge in-house. It's a long, roundabout path that leads to a self-serving conclusion: hire more software engineers. Are you truly sure you can afford not to? Or is your enterprise prepared to revert to analog processes if the worst happens...? Are you prepared to surrender innovation to whatever firm rolls out a service for it, or does it make more sense to build that knowledge in-house...?
These aren't simple choices and they aren't entirely objective, but the right choice is rarely the cheapest one.