Resiliency. Don’t Leave Home Without It

This morning I found myself very frustrated as I attempted to fill out my expense report. Keeping track of expenses is a painful exercise. You must remember to get receipts, remember to save those receipts, keep those boarding passes and submit the report in a timely manner. Let’s face it. It is an enormous pain. Here is where my American Express card typically saves the day.

I do love my American Express card; it has never let me down, and while I do a fairly good job of keeping up with my receipts, sometimes things slip my mind or I lose a receipt. In those cases the first thing I do is log in to my American Express account and check out all my statements (since I’m so environmentally friendly I’ve rid myself of those pesky paper statements). It is a great resource to double-check that I haven’t missed any expenses and it ensures I’m reimbursed for my work-related expenses.

Unfortunately, when I logged on this morning, this is what I saw:

[Image: American Express load testing]

Not only am I unable to access my account, they are unable to write an error message in proper English. Of course, once I saw this message I thought I’d simply hit the trusty back arrow and try again, except this time this is what I got:

[Image: American Express cybersecurity]

“We’re Sorry”? That’s all you have to say about this? And you don’t even have the decency to properly format the HTML to display in my browser?

In 2009 American Express did about $24 Billion in revenue with a net income of about $2.1 Billion, yet they haven’t figured out whether their network and application infrastructure can handle the load of customers simply trying to check their recent card activity. You could probably argue that it is not a big deal if a handful of their customers can’t log in to see their statement and pay their bills. But, if their customers are unable to log in and pay their bills, maybe those customers forget to “try again sometime” and pay their bill a lot later. If you’ve ever studied finance, you probably know about the time value of money. All other things being equal, American Express would much rather have my credit card payment today rather than next week, especially considering the financial climate over the last 18 months. Because of their network and application infrastructure failure, they aren’t going to get my payment today.

While this in and of itself is a sizable issue, it really is more of a symptom of a larger and potentially far more catastrophic problem. Our security. American Express’ inability to support the required number of users logged into their network indicates a series of problems with their network infrastructure. Certain devices that make up their network infrastructure are unable to handle the load associated with everyday users logging in. It is very likely that the issue is isolated to a very small segment of their network infrastructure, but here is the problem: if one of the elements in their infrastructure is incapable of handling the requisite load, the entire infrastructure suffers.

Validating Infrastructure Resiliency

What my experience this morning has told me is that American Express hasn’t validated the resiliency of their network infrastructure, particularly under load. What I’d really like to know is what would happen if American Express was subjected to a larger-scale cyber attack. Would our personal information be vulnerable to evildoers?

When validating a network or IT infrastructure there is a critical interrelationship between realistic applications, security, performance, currency and concurrency:

  • Realistic applications and security means that network infrastructure is subjected to an appropriate blend of applications and malicious traffic that occur in the real world.
  • Performance means that the infrastructure is kept under realistic load conditions.
  • Currency refers to whether the applications and security are the latest versions, while concurrency is the amalgamation of the four previous factors.

The ability to handle all of those factors at the same time is what defines a resilient cyber infrastructure. Here is where American Express has failed. They certainly have tried to validate that their network is secure. And it might be. But, clearly they have not validated their infrastructure under stressful performance conditions; otherwise I would have been able to access my account. Thus, they haven’t really validated that their network is secure. They’ve missed the concurrency aspect of resiliency.

Naysayers might claim that it is too hard to do all of this validation and be prepared for any conditions. And up until recently, they may have actually been right. But things have changed. One example is our announcement of the BreakingPoint Resiliency Score last week. This concept brings a scientific method to validating cyber infrastructure resiliency and removes the guesswork from the entire process.

Maybe if American Express had validated their cyber infrastructure’s resiliency, I’d have been able to submit my expense report.