“That’s an IT problem”

Blame IT for Problem Incident response CTRL Group

“IT” for the purposes of this piece are those who imagine, design, implement and support the Information Technology systems that we all depend on, and who generally get the blame when things don’t go well for users. Here are a few things to think about before you blame IT:

1) Technology evolution moves quicker than skills evolution.

As soon as a new technology is developed, there is not immediately a group of people who know all about it and are fully qualified with it. Very often the demand to adopt new technologies for organisational reasons leapfrogs IT’s understanding of the tech and staff play catch-up with technologies already in production. Cloud and specifically SaaS uptake has shown many clear examples of this. “IT can look after it…”. Did the economies you created help with budget for training IT?

2) Some things can’t be fixed.

A great example of this was Wannacry, the massive ransomware outbreak that infected lots of unpatched machines globally. “Unpatched! We definitely blame IT for that!” Let’s have a counterpoint for that one. The NHS in the UK was very badly impacted by Wannacry. Simple reason for this is that many of their legacy systems could not be patched because the software they were running was not supported by the newer versions of Windows and XP was no longer supported (no patches coming from Microsoft.) So that app put together to run tests on a forensic device installed back in the XP days does not have a version for Windows 10. Not IT’s fault and an organisation’s decision as to how to deal with this issue.

3) There is a global lack of experienced and qualified IT people.

If we use IT security as an example, the skills shortage in IT is a very real problem. This can be partly attributed to 1) above, but also the rapid global uptake of new technology. We don’t just need people with skills, we need millions of them, now.

As a result IT teams are spread very thin. When we run Threat Simulations, we will put the person who best understands the system on a desert island out-of-touch for the duration and see what happens.

4) Technology fails.

Some of the highest impact issues that have ever happened with regards to IT have not been within the power of the IT team to fix. Things fall over. A lot of people may not remember or are too young to know, but it used to be a good day if a Windows machine didn’t have to be rebooted to operate or just freeze up before you had a chance to save. This stuff still happens in different ways but as a result IT has learnt to build in more resilience to failure, but with more dependency everything scales.

5) People.

People make mistakes; People can’t communicate what is wrong; People are careless; People are undertrained; People hack; People get hacked; People click on the wrong link; People are overworked and stressed; People lose things; People steal things.

Not IT’s fault though they will do their best to get you back up and running ASAP.

There’s plenty more examples but a few things to think about next time you have an IT issue.


– Fergus Brooks, Chief – Cyber Risk at CTRL Group