Wednesday, May 24, 2017
It takes a disaster to unite everyone, then the blame game starts
A recent but fading cyber incident exposed technology vulnerabilities that were always known and ticked off as acceptable risk by almost every enterprise. It was all about deferring necessary change to keep spends lower; for some it was about an inability to change because the vendor, supplier, or support provider did not offer an upgrade, thus necessitating a change which would have raised the budget. Unfortunately, in this case the risk materialized into a disaster whose impact would take a long time to understand.
It was unsurprising to see friend, foe, acquaintance, partner, bystander, everyone shed differences and come together to tackle the situation and problem; for many survival was at stake, for others an opportunity to make a fast buck. Either way they flocked together commiserating the unfortunate and talking about safety steps they took that fended off the enemy. It did not matter if their good fortune was a result of their actions or providence of their inaction or ignorant apathy, for now they were the heroes and survivors.
Flashback to an earlier incident of similar nature: In a large enterprise an ERT (Emergency Response Team) meeting was called to discuss the threat as it spread and anticipation of more to come with an accidental recess. The CXO collective gushed forth with their assessment of the widespread damage and impact to the market, revenue, and the world at large. It gave them an excuse for future quarterly results should the numbers not make the cut. Soon they ran out of things to say and there was silence in the room when everyone turned to the CIO.
The CIO stood up and gave the gathering the good and the bad news; the good news was that almost 99% of the enterprise survived the attack. He paused for the applause to subside and then continued to the bad news: the systems impacted had critical machine data that was now unrecoverable, and it impacted regulatory compliance. No pin dropped to break the eerie lack of sound as the Head of Risk and Compliance (R&C) stood up and asked the CIO to clarify the specifics of the damage: which plant, which product, which market?
CXOs no longer needed an excuse, the resultant impact was real and they had a tough situation at hand considering the last audit management response clearly stated a budget for upgrade of the impacted systems. Not too long ago Finance had at the last minute stayed the upgrade/replacement with a view to depict a better quarter. R&C Head was tasked to declare the news to the Board and CEO while the CFO agreed to not hold back further budgets which even remotely impacted any regulatory compliance.
Never let a good crisis go to waste, so said a well-known statesman well before most of us were born or for that matter technology overtook our lives. Our team did exactly the same; between the CIO and Head R&C, they garnered budget required to take care of future eventualities. Rest of the CXOs used the opportunity to justify the suboptimal performance, the company took a hit larger than most others in the industry. Things came back to normal and life moved on, the lessons catalogued and filed for posterity.
Less than 24 hours had passed since the news broke of the disaster that hit far and wide; the same team, barring a few who had moved on, met again to assess the damage. This time the news was scarier, spread wider, impact larger, and the world was unable to contain the losses. This time faces were grim and little small talk preceded the meeting; the CEO's presence too added to the gravity of the event. The impact was not dissimilar to the past; it appeared that the remediation sanctioned did not change the fortunes of the company.
Livid and frustrated, the CEO wanted heads to roll; how can we make the same mistake twice? He sensed the fear and waited for the CIO and Head R&C to finish before seeking the perpetrators of the current situation. No guesses for who the sword fell upon; it was swift and no explanations were sought, none given. Money flowed to solve the problem, lessons learned were catalogued once again, and the impact fortunately was not allowed to be used as an excuse for any future adverse performance by any of the functions.
It is a rare enterprise that imbibes learning without finding scapegoats; make yours one!