“IT” for the purposes of this piece are those who imagine, design, implement and support the Information Technology systems that we all depend on, and who generally get the blame when things don’t go well for users. Here are a few considerations before calling out an issues as an “IT problem”:
1) Technology evolution moves quicker than skills evolution.
As soon as new technology is developed, there is not immediately a group of people who know all about it and are fully qualified with it. Very often the demand to adopt new technologies for organisational reasons leapfrogs IT’s understanding of the tech and staff play catch-up with technologies already in production. Cloud and specifically SaaS uptake has shown many clear examples of this. “IT can look after it…”. Did the economies you created help with a budget for training IT?
2) Some things can’t be fixed.
A great example of this was Wannacry, the massive ransomware outbreak that infected lots of unpatched machines globally. “Unpatched! We definitely blame IT for that!” Let’s have a counterpoint for that one. The NHS in the UK was very badly impacted by Wannacry. The simple reason for this is that many of their legacy systems could not be patched because the software they were running was not supported by the newer versions of Windows and XP was no longer supported (no patches coming from Microsoft.) So that app put together to run tests on a forensic device installed back in the XP days does not have a version for Windows 10. Not IT’s fault and an organisation’s decision as to how to deal with this issue.
3) There is a global lack of experienced and qualified IT people.
If we use IT security as an example, the skills shortage in IT is a very real problem. This can be partly attributed to 1) above, but also the rapid global uptake of new technology. We don’t just need people with skills, we need millions of them, now.
As a result, IT teams are spread very thin. When we run Threat Simulations, we will put the person who best understands the system on a desert island out-of-touch for the duration and see what happens.
4) Technology fails.
Some of the highest impact issues that have ever happened with regards to IT have not been within the power of the IT team to fix. Things fall over. A lot of people may not remember or are too young to know, but it used to be a good day if a Windows machine didn’t have to be rebooted to operate or just freeze up before you had a chance to save. This stuff still happens in different ways but as a result, IT has learnt to build in more resilience to failure but with more dependency everything scales.
People make mistakes; People can’t communicate what is wrong; People are careless; People are undertrained; People hack; People get hacked; People click on the wrong link; People are overworked and stressed; People lose things; People steal things. Not the IT department’s fault though they will do their best to get you back up and running ASAP.
To help IT perform their job in protecting the organisation, is to implement a strong cyber incident response plan. As the name suggests, the plan outlines the playbook actions that the IT team should take immediately after a cyber incident, as well as who they should reach out to firefight with.