


IT Hiring: No Personal Consequences for IT Incompetence, Just Excuses

As history has shown, especially recently, there are no personal consequences for IT incompetence. Yes, data breaches are costly, but to the organization (government, business, media, etc.), not personally to the IT incompetent responsible (but see The IT Incompetents Hall Of Shame (ITIHOS)). The shareholders, customers, and taxpayers suffer the consequences. Without personal consequences the situation only gets worse, since IT incompetents are emboldened (although they will still fear for their jobs; see IT Hiring: IT Incompetence Breeds Disloyalty and Corruption). No personal consequences for IT incompetence is part of denying the massive problem of IT incompetence altogether.

What IT incompetent is actually hands-on responsible for a data breach — e.g. who was supposed to but didn't apply a security patch or who committed a programming error — is never even announced; for example, the anonymous IT incompetent NASA programmer that confused the rocket thrust units in the orbital insertion program and caused the $325,000,000 Mars Climate Orbiter to crash into Mars.

Instead all that is given are excuses. For data breaches, the (ir)responsible organization tries to make them sound — e.g. by calling them "sophisticated" — like they were caused by genius hackers so there was nothing they could have done about them. But all data breaches are caused by IT incompetence. Period. See Why Stop IT Incompetence? Data Breaches and Data Breaches. Or the (ir)responsible organization says they found no evidence that any data was actually taken or if it was, that it was misused. But "absence of evidence is not evidence of absence", particularly when they don't want to find any evidence, since it would make them look bad, or they are too IT incompetent to find it, since they couldn't prevent the hacking in the first place.

However, the buck always stops with the usually equally IT incompetent IT leader (see IT Hiring: Cascade Failure), like Chief Information Officer (CIO) or Chief Information Security Officer (CISO), or other, given the game of "musical titles" organizations play to avoid personal responsibility.

It has become hard in all organizations to fire incompetents. There is the fear of discrimination lawsuits and whistleblowers. At worst, IT incompetents who cause data breaches quietly get kicked upstairs or switch jobs internally, or even just job titles (again "musical titles"), or comfortably retire on a full, overly generous pension.

As a government example, Donna Seymour was the Office of Personnel Management's (OPM) IT incompetent Chief Information Officer (CIO) during OPM's massive data breach. She let hackers steal the very sensitive personnel records of millions of government employees, including those in defense and intelligence, which is a continuing national security risk. When the data breach was finally made public she was not fired. There was external pressure for her to resign but she ignored this right up until she was called to testify before Congress, when she finally resigned. A year or so later she seems to have quietly gotten another government IT job, in the Department of Homeland Security!

As a business example, Susan Mauldin was Equifax's extremely IT incompetent (music major) Chief Information Security Officer (CISO). Among other IT incompetent mistakes, Mauldin neglected to have a known security hole patched. In the first half of 2017, these mistakes let hackers, in one of the most massive data breaches of its time, have the most sensitive financial information of millions of people, including government employees, particularly those in national security. Equifax is facing numerous expensive lawsuits and other officers in the company are having to testify before Congress, but Mauldin seems to have just comfortably retired.
