When something bad happens to our systems, our applications or our security, it’s almost certain that our organisation is not the first it has happened to. We won’t be the first in the world, or in our industry, or in our country, or probably even in our area. Why, then, does it feel like we are?
The answer is simple: the people to whom it’s happened before haven’t told anyone. And why? Because it’s considered an unwise thing to do. Admitting your failings can dent your reputation, your share price, and your revenues.
Yet this is at odds with what we, as IT managers and cybersecurity people, tell people within our organisations. We stand in front of rooms full of people – or, more recently, sit in front of laptop cameras trying to remember what rooms full of people look like – and say: hey, if you fall for a phishing campaign, or you inadvertently delete a directory, or you lose your laptop, get in touch straight away and we’ll help you get it sorted.
Tell us about your mistakes and, as long as you’re not being malicious or idiotically negligent, we’ll help you get them fixed. Yet can you imagine your company telling the world that its systems went TITSUP because the generator ran out of diesel, or because of a previously undiscovered software bug, or that your six levels of redundancy all failed and broke your country’s emergency services phone lines? Even when people write to El Reg’s “On Call”, their names are Regomised to protect the innocent/guilty/optimistic/misguided/just plain daft from retribution, finger-pointing, abject shame, and P45s.
The thing is, though, there’s more to admitting problems than shouting from the rooftops. After all, when we encourage work colleagues to tell us when they dropped a clanger, we’re not asking them to grass themselves up via an all-users email or the kitchen noticeboard. Instead, they’re asked to confide in a controlled group that they can (hopefully) trust with the details.
And this is the key point: if we want to share our troubles with others, in the hope that they will reciprocate and both parties will benefit as a result, whom shall we decide to trust?