IT outages are becoming more inevitable and expensive, even as regulators are making more demands of companies to prove they can move quickly to backup systems and minimize business disruptions.
That makes having an IT disaster recovery plan crucial, but there is a strong cultural force that can throw a wrench into the best ITDR plans: the blame game.
In a recent article in The Stack, Paul Baird, UK Chief Technical Security Officer at Qualys, said that companies must move beyond a culture of blame. It’s not only critical for well-being, it's crucial for security, Baird says.
Blame can lead to recurring incidents
The article cites a 2021 paper, “Contemplating Blame in Cyber Security,” that shows a “wider emotional fallout” can occur when an employee is blamed for an incident:
“Dekker (2016) explains that when organizations blame, they lose the opportunity to learn from the event, and to be able to take remedial action. If they content themselves with blaming, the incident will probably re-occur because the causes have not been remedied.”
News stories may point fingers at humans for major outages, but leaders who truly want to learn how to minimize IT disasters should ask themselves if human error is a legitimate cause, says Darren Lea, Cutover Product Manager for Operational Resilience. “Is human error really a thing or is it about the environment we put people in, so they don’t perform the way we think they should or could? And how could we have configured their environment differently?”
“You have to presume people are well intentioned — that nobody sets out to intentionally do their job badly,” Lea says. “So we should focus on environmental triggers and impacts that would cause something to happen.”
Finger-pointing is expensive
Companies can ill afford behavior that gets in the way of effective IT disaster recovery. Besides new rules that will require financial institutions to prove they can manage and recover from IT disruptions, outages are growing more frequent and more costly. According to the Uptime Institute’s 2022 Outage Analysis report, more than 60% of failures lead to at least $100,000 in annual losses — up from 39% in 2019. And outages that cost over $1 million rose from 11% to 15% over the same period.
Creating a culture of blame also can hurt employee retention, Lea says, in addition to creating unnecessary stress and fear, which in turn may leave ITDR issues unaddressed. “Blaming makes people less willing to hold their hand up and say, ‘I think there’s a problem here’ because it could come straight back to them,” Lea says.
Ending the blame game
Tech leaders who want to end the blame game may find they have to give up excessive control and “actually trust the staff they’ve hired,” Lea says. And if someone makes a mistake, they need to help both the employee and the organization — which likely played some role in that mistake — to improve and learn, he says. And they must learn to put their organizations business and financial needs ahead of the emotions of the moment.
“Ultimately, the blame game is just not a smart move,” Lea says.