IT Hiring: No Personal Consequences for IT Incompetence, Just Excuses
As history has shown, especially recently, there are no
personal consequences for IT incompetence. Yes, data breaches
are costly, but to the organization (government, business,
media, etc.) not personally to the IT incompetent responsible
(but see The IT Incompetents Hall Of Shame (ITIHOS)). The
shareholders, customers, and taxpayers suffer the
consequences. Without personal consequences the situation
only gets worse since IT incompetents are emboldened (although
they will still fear for their jobs; see IT Hiring: IT
Incompetence Breeds Disloyalty and Corruption). The absence of
personal consequences for IT incompetence is part of
denying the massive problem of IT incompetence
altogether.
Which IT incompetent is actually hands-on responsible for a
data breach — e.g. who was supposed to but didn't apply
a security patch or who committed a programming error —
is never even announced; for example, the anonymous IT
incompetent NASA programmer who confused the rocket thrust
units in the orbital insertion program and caused the
$325,000,000 Mars Climate Orbiter to crash into
Mars.
Instead all that is given are excuses. For data breaches, the
(ir)responsible organization tries to make them sound —
e.g. by calling them "sophisticated" — like they were
caused by genius hackers so there was nothing they could have
done about them. But all data breaches are caused by IT
incompetence. Period. See Why Stop IT Incompetence? Data
Breaches and Data Breaches. Or the
(ir)responsible organization says they found no evidence that
any data was actually taken or if it was, that it was misused.
But "absence of evidence is not evidence of absence",
particularly when they don't want to find any evidence, since
it would make them look bad, or they are too IT incompetent to
find it, since they couldn't prevent the hacking in the first
place.
However, the buck always stops with the usually equally IT
incompetent IT leader (see IT Hiring: Cascade Failure), like
Chief Information Officer (CIO) or Chief Information Security
Officer (CISO), or other, given the game of "musical titles"
organizations play to avoid personal responsibility.
It has become hard in all organizations to fire incompetents.
There is the fear of discrimination lawsuits and
whistleblowers. At worst, IT incompetents who cause data
breaches quietly get kicked upstairs or switch jobs
internally, or even just job titles (again "musical titles"),
or comfortably retire on a full overly-generous
pension.
As a government example, Donna Seymour was the Office of
Personnel Management's (OPM) IT
incompetent Chief Information Officer (CIO) during OPM's
massive data breach. She let hackers steal the very sensitive
personnel records of millions of government employees,
including those in defense and intelligence, which is a
continuing national security risk. When the data breach was
finally made public she was not fired. There was external
pressure for her to resign but she ignored this right up until
she was called to testify before Congress, when she finally
resigned. A year or so later she seems to have quietly gotten
another government IT job, in the Department of Homeland
Security!
As a business example, Susan Mauldin was Equifax's
extremely IT incompetent (music
major) Chief Information Security Officer (CISO). Among other
IT incompetent mistakes, Mauldin neglected to have a known
security hole patched. In the first half of 2017, these
mistakes let hackers, in one of the most massive data breaches
of its time, have the most sensitive financial information of
millions of people, including government employees,
particularly those in national security. Equifax is facing
numerous expensive lawsuits and other officers in the company
are having to testify before Congress, but Mauldin seems to
have just comfortably retired.