The sanctity of the confessional
There is an issue here about sharing information when an offence has been committed, or might have been committed, for example by negligence. Many are the articles and comments on the Register describing when stingy management has decided to 'save' money by not providing a fully operational back up system, power supply or to train staff properly or even just have proper rehearsals, and when something went wrong, they were unable to cope. This despite their internal regulations requiring them to provide standby systems and test them and ISO 27001 'compliance'.
One major comms company effectively cut off a city for a day because when something failed in a big way, the mandatory back up system simply had not been built, almost certainly in order to save money at the time, and get the (ir)responsible manager some 'brownie points' and a bonus / promotion.
I cannot see large companies publicly quoted on the stock exchange ever giving their technical people the authority to describe in any detail the technical issues around GDPR failures, contractual 'five nines' failures, or any breach of government security regulations when the actual cause was saving money on a deal. Let's face it, if your idiot programme manager decides to close down the contractually required secure support desk in a secure building and move it to a commercial, shared service support team to save some money*, are they really going to own up? Similarly the programme manager who decides to offshore the technical IT support team for a secure government system which is specifically required to be operated by cleared staff, 'because it is cheaper and we won't make a profit on the deal otherwise' will not be happy at even Chatham House Rules disclosures.
OK, so the article was about people not being egregiously stupid, but management tends to regard things going wrong as a risk assessment exercise - 'how likely is it that I will be around and cop the blame if or when the shit hits the fan? A classic example is that senior management of large corporations typically spend 5 years of less at any one company (see, e.g. the length of service of BT CEOs over the last 20 years).
Priests may be bound by the sanctity of the confessional, but they tend also to dole out punishments or requirements to change behaviours and require repentance, and we have all seen from the RC church's** record on dealing with child abuse by priests how that works out.
Sorry folks, the solution, as far as I know it, is to spend the money required to to do the job properly and not cut corners, but that tends to be out of technical people's hands. And we all know that management types dislike being informed of the facts of life by technical underlings.
*Yup that really happened, probably more than once (my lips are sealed).
**Other religious and public institutions are equally culpable if the press are anything to go by (The BBC, CoE, Rotherham, Canada's indigenous 'schools' etc.).
Biting the hand that feeds IT
