Who's Responsible When IT Goes Awry? - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT
IoT
IT Leadership
Commentary
3/20/2019
10:30 AM
Lisa Morgan
Lisa Morgan
Commentary
Connect Directly
Twitter
RSS
50%
50%

Who's Responsible When IT Goes Awry?

Headline news just hit, customers are livid, lawsuits are imminent. Whom should be held responsible when an IT error disrupts business?

Image: Tashatuvango - stock.adobe.com
Image: Tashatuvango - stock.adobe.com

Every time a major IT gaffe happens, someone pays. Perhaps someone misconfigured an AWS S3 bucket or failed to apply a critical software patch. If the outcome is bad enough, the company’s reputation and valuation could take a hit. If they do, who will be held responsible? It depends on the company’s culture and policies. Who should be held responsible? Perhaps someone else.

For example, the Equifax breach cost three executives their jobs including the CIO, CSO and CEO. The CEO blamed a single IT staff member. While not all IT failures make headline news, they happen every day as the result of negligence, ignorance and sabotage.

Blame the IT staffer

When an IT professional is publicly blamed and shamed for an IT failure, the public relations machine’s job is to convince customers, shareholders, and the public that the problem has been resolved. While the IT staff member who caused the issue should be reprimanded, blaming everything on a single employee discounts the potential mismanagement factors that contributed to the issue. Still, the outcome of multimillion-dollar lawsuits may hinge on the actions of one individual.

 “When I served as an expert on high-profile cases, it came down to the AWS guy, the woman who was programming or a guy enabling the server,” said Nick Kamboj, CEO of MBA admissions consulting firm Aston & James. “Fifteen to $20 million cases would hinge on what this individual did, what they were supposed to do. Did they follow somebody else's advice or were they using common sense and best practices? It's not the individual, it's more the ecosystem that has to change.”

A lot of IT-related mistakes seem obvious in retrospect, even to non-technical people if the issue is explained in non-technical terms. However, those who work outside IT aren’t usually familiar with details of IT operations, such as the growing complexity IT is expected to manage on a flat budget amid any unplanned burdens, such as the ones shadow IT may cause. Meanwhile, IT is expected to advance business objectives, but in attempting to do so, some may be contributing to the risks of a potential failure.

Dave Gartenberg
Dave Gartenberg

"IT professionals tend to be pleasers. They say 'yes’ to a lot of things when they should say 'no," said Dave Gartenberg, chief HR officer at professional services firm Avanade. "Sometimes they'll agree to do something with less budget or less line leader involvement in order to be helpful. You'll see a lot of projects moving forward with the best of intentions when in fact anyone on the outside looking in can see it would never stand a chance. I hold the IT leaders accountable for making sure from the start the conditions for success were contracted internally."

Peter Kraatz, portfolio manager of Cloud and Data Center Transformation Consulting at IT solutions services provider Insight Enterprises said the lack of governance also contributes to IT issues.

“IT has to own the mechanical bits of governance: Who's got what role, who's going to pull what triggers and when. Why we’re doing them is something that's owned by the business," said Kraatz. "The business has to tell us when we’re running out of budget on Amazon or we’ve got the wrong workloads. I think we’re allergic to talking to one another.”

San Francisco State University fired a security officer after consultants discovered a database vulnerability. The security officer responded with a $1 million whistleblower lawsuit against the university. She allegedly warned superiors that improvements to the database were necessary prior to the third-party discovery of the vulnerability but was prevented from making those improvements due to budget constraints.

Peter Kraatz
Peter Kraatz

Blame a member of the C-suite

Given how integral business and technology are these days, blaming every technology-related issue on IT isn’t realistic.

“Leadership at an organization really needs to set the tone for a culture of continuous improvement, Alex Brower, VP of Marketing at digital training solutions provider Cloud Academy. “What's good today, all things being equal, is not going to be good enough 12 months from now or tomorrow. I think leadership is responsible for really establishing a clear understanding and making sure the staff understands who's responsible for what.”

Alex Brower
Alex Brower

Sometimes the CIO is sacrificed, although Aston & James’ Kamboj thinks if that role is going to be fired, they should have demonstrated a pattern of irresponsible behavior.

“You only fire the CIO if you see a propensity of ignorance throughout their actions,” said Kamboj.” If I continue to see that over three or four quarters and they're constantly having data breaches, privacy violations or compliance issues then my recommendation is fire the CIO, but before I make that decision, I want to see if they can make the change. Even if I get the most incredible intelligence, it's still going to take me 6 to 9 months to implement that change and see the ROI. ROI in some situations may not happen for two years”

As part of that due diligence, Kamboj pays attention to whether CIOs are implementing or rejecting third-party recommendations.

Nick Kamboj
Nick Kamboj

“I've never tutored or educated a CIO that was not willing to hire consultants regardless of how arrogant they were,” said Kamboj. “They hire consultants to do due diligence but I have met my fair share of CIOs who have taken those recommendations and completely rejected them.”

Today’s CIOs oversee a lot of technological complexity, although most of them are not security experts. Given the current state of cyberattacks and cyberterrorism, many companies are hiring CSOs or CISOs who may report to the CEO, CIO, COO or legal counsel. The security officer position is always created to fortify an organization’s ability to defend itself. However, with that responsibility may come sole accountability for security breaches.

“The CISO may provide input, but it always behooves the CIO to take full accountability,” said Kamboj. “They can transfer implementation to the CISO and the CISO in turn will outsource to a consultancy such as Tata, Accenture, or KPMG to implement the strategy, but you can't say a strict violation of a code of ethics or fraudulent activities were the responsibility of one person such as the CISO.”

In some cases, the CEO is blamed at least in part. For example, in Target’s case it was the chairman, president and CEO (an individual) following a data breach. At Uber, it was the CEO, CSO and a lawyer.

 “I pay you as a CEO $1 million salary and $4 million in benefits. If you're not performing as a CEO, CIO or CFO, I'm sorry. We have to let you go,” said Kamboj. “I'm not going to let someone lose their lifetime pension or hurt 400,000 people simply because you made a bad decision.”

 

Lisa Morgan is a freelance writer who covers big data and BI for InformationWeek. She has contributed articles, reports, and other types of content to various publications and sites ranging from SD Times to the Economist Intelligent Unit. Frequent areas of coverage include ... View Full Bio
We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
Slideshows
7 Technologies You Need to Know for Artificial Intelligence
Jessica Davis, Senior Editor, Enterprise Apps,  7/1/2019
Commentary
A Practical Guide to DevOps: It's Not that Scary
Cathleen Gagne, Managing Editor, InformationWeek,  7/5/2019
News
Data Science Salary Survey Reveals Market Shift
Jessica Davis, Senior Editor, Enterprise Apps,  6/27/2019
White Papers
Register for InformationWeek Newsletters
State of the Cloud
State of the Cloud
Cloud has drastically changed how IT organizations consume and deploy services in the digital age. This research report will delve into public, private and hybrid cloud adoption trends, with a special focus on infrastructure as a service and its role in the enterprise. Find out the challenges organizations are experiencing, and the technologies and strategies they are using to manage and mitigate those challenges today.
Video
Current Issue
A New World of IT Management in 2019
This IT Trend Report highlights how several years of developments in technology and business strategies have led to a subsequent wave of changes in the role of an IT organization, how CIOs and other IT leaders approach management, in addition to the jobs of many IT professionals up and down the org chart.
Slideshows
Flash Poll