Every time a major IT gaffe happens, someone pays. Perhaps someone misconfigured an AWS S3 bucket or failed to apply a critical software patch. If the outcome is bad enough, the company’s reputation and valuation could take a hit. If they do, who will be held responsible? It depends on the company’s culture and policies. Who should be held responsible? Perhaps someone else.
For example, the Equifax breach cost three executives their jobs including the CIO, CSO and CEO. The CEO blamed a single IT staff member. While not all IT failures make headline news, they happen every day as the result of negligence, ignorance and sabotage.
Blame the IT staffer
When an IT professional is publicly blamed and shamed for an IT failure, the public relations machine’s job is to convince customers, shareholders, and the public that the problem has been resolved. While the IT staff member who caused the issue should be reprimanded, blaming everything on a single employee discounts the potential mismanagement factors that contributed to the issue. Still, the outcome of multimillion-dollar lawsuits may hinge on the actions of one individual.
“When I served as an expert on high-profile cases, it came down to the AWS guy, the woman who was programming or a guy enabling the server,” said Nick Kamboj, CEO of MBA admissions consulting firm Aston & James. “Fifteen to $20 million cases would hinge on what this individual did, what they were supposed to do. Did they follow somebody else's advice or were they using common sense and best practices? It's not the individual, it's more the ecosystem that has to change.”
A lot of IT-related mistakes seem obvious in retrospect, even to non-technical people if the issue is explained in non-technical terms. However, those who work outside IT aren’t usually familiar with details of IT operations, such as the growing complexity IT is expected to manage on a flat budget amid any unplanned burdens, such as the ones shadow IT may cause. Meanwhile, IT is expected to advance business objectives, but in attempting to do so, some may be contributing to the risks of a potential failure.
"IT professionals tend to be pleasers. They say 'yes' to a lot of things when they should say 'no,'" said Dave Gartenberg, chief HR officer at professional services firm Avanade. "Sometimes they'll agree to do something with less budget or less line leader involvement in order to be helpful. You'll see a lot of projects moving forward with the best of intentions when in fact anyone on the outside looking in can see it would never stand a chance. I hold the IT leaders accountable for making sure from the start the conditions for success were contracted internally."
Peter Kraatz, portfolio manager of Cloud and Data Center Transformation Consulting at IT solutions services provider Insight Enterprises, said the lack of governance also contributes to IT issues.
“IT has to own the mechanical bits of governance: Who's got what role, who's going to pull what triggers and when. Why we’re doing them is something that's owned by the business," said Kraatz. "The business has to tell us when we’re running out of budget on Amazon or we’ve got the wrong workloads. I think we’re allergic to talking to one another.”
San Francisco State University fired a security officer after consultants discovered a database vulnerability. The security officer responded with a $1 million whistleblower lawsuit against the university. She allegedly warned superiors that improvements to the database were necessary prior to the third-party discovery of the vulnerability but was prevented from making those improvements due to budget constraints.
Blame a member of the C-suite
Given how integral business and technology are these days, blaming every technology-related issue on IT isn’t realistic.
“Leadership at an organization really needs to set the tone for a culture of continuous improvement,” said Alex Brower, VP of Marketing at digital training solutions provider Cloud Academy. “What's good today, all things being equal, is not going to be good enough 12 months from now or tomorrow. I think leadership is responsible for really establishing a clear understanding and making sure the staff understands who's responsible for what.”
Sometimes the CIO is sacrificed, although Aston & James’ Kamboj thinks if that role is going to be fired, they should have demonstrated a pattern of irresponsible behavior.
“You only fire the CIO if you see a propensity of ignorance throughout their actions,” said Kamboj. “If I continue to see that over three or four quarters and they're constantly having data breaches, privacy violations or compliance issues then my recommendation is fire the CIO, but before I make that decision, I want to see if they can make the change. Even if I get the most incredible intelligence, it's still going to take me 6 to 9 months to implement that change and see the ROI. ROI in some situations may not happen for two years.”
As part of that due diligence, Kamboj pays attention to whether CIOs are implementing or rejecting third-party recommendations.
“I've never tutored or educated a CIO that was not willing to hire consultants regardless of how arrogant they were,” said Kamboj. “They hire consultants to do due diligence but I have met my fair share of CIOs who have taken those recommendations and completely rejected them.”
Today’s CIOs oversee a lot of technological complexity, although most of them are not security experts. Given the current state of cyberattacks and cyberterrorism, many companies are hiring CSOs or CISOs who may report to the CEO, CIO, COO or legal counsel. The security officer position is always created to fortify an organization’s ability to defend itself. However, with that responsibility may come sole accountability for security breaches.
“The CISO may provide input, but it always behooves the CIO to take full accountability,” said Kamboj. “They can transfer implementation to the CISO and the CISO in turn will outsource to a consultancy such as Tata, Accenture, or KPMG to implement the strategy, but you can't say a strict violation of a code of ethics or fraudulent activities were the responsibility of one person such as the CISO.”
In some cases, the CEO is blamed at least in part. For example, in Target’s case it was the chairman, president and CEO (one individual holding all three titles) following a data breach. At Uber, it was the CEO, CSO and a lawyer.
“I pay you as a CEO $1 million salary and $4 million in benefits. If you're not performing as a CEO, CIO or CFO, I'm sorry. We have to let you go,” said Kamboj. “I'm not going to let someone lose their lifetime pension or hurt 400,000 people simply because you made a bad decision.”