Of course that's the real question with the actual story in the actual article -- could they have implemented their security on the temporary infrastructure, or "good-enough" security, if the CIO knew about it?
In that story, is the blame on the VP for going ahead instead of getting dialogue started between CEO, VP and CIO? Is it on the CIO for just saying "no" instead of recognizing the need and the value? Is it on the CEO for failing to empower the VP and CIO to get that conversation started themselves?
And then, it's all well and good to worry about the bottom line first, until you're sitting in Equifax's shoes, right?
I've been the one in the story who hears "no" enough times myself that I know which side I'm naturally going to fall on. But I've never been the one that did an Equifax, and now has to explain themselves to the board, so there's also that.
I've seen it said well in another comment on this post, which I feel could be said about more than a handful of orgs:
> The problem is, I write up a proposal identifying the risks associated with the exemption, along with minimum and recommended compensating controls. This then gets discussed among IT Management, where it is usually decided it's too much overhead, and to just deny the request or if the user can scream loud enough, allow it outright and get some director to sign something. The third oft-used response is ignore the problem and hope the user finds their own work around so we can get back to the 13 projects we're somehow expected to complete this quarter.
> ignore the problem and hope the user finds their own work around
If this is even remotely the story of what happened, you can't really be surprised when the user went off and did their own thing. If they came to you with a specific priority business problem and an expectation of your support to solve it with a sense of necessary due urgency, and your answer is returned in the format of a 5 year plan... I don't think you can really act surprised in fairness when they end-around you and solve the problem somehow else, anyway.
If it means standing on a mountain of chairs for them to do so then I guess there'd have to be shared culpability. So how do we make sure that it never looks attractive to build that mountain of chairs?
I wish I knew more about the "digital customer acquisition program." The story makes it sound like this "VP for a declining line of business" honestly was not going to make it another 3.5 years without some help.
I struggle with this myself, when it seems like we could go ahead and solve a problem for like $80/mo, but instead we're going to study the problem and spend $20-40k out of people's salaries on coming up with a recommendation for an even more expensive project that can only be justified as necessary in order to avoid this other, cheaper tool we could have used.
There's obviously some mismatch when on one hand there's a major project with a vendor like SAP in the picture, but on the other hand there are basic needs that aren't being met, to the point where someone is going to set up "shadow-IT" on a personal credit card just to keep the basic business of the company moving in the right direction.