by Robert D. Austin, Richard L. Nolan and Shannon O'Donnell

Book Excerpt: The Adventures of an IT Leader, Part 3

Mar 11, 2009 · 6 mins

A new CIO scrambles to contain a security breach—and to keep his job. Read the third installment of our exclusive series.

The story so far: Jim Barton, the head of loan operations for financial services company IVK, has been tapped as the CIO by the company’s new CEO, Carl Williams. The previous CIO has been fired, and Barton must restore Williams’s confidence in IT while he learns on the job. In his previous role, Barton had argued against a security upgrade. Now an apparent data breach may have compromised customer information, and Barton’s job as CIO is on the line. Read the first and second installments.

Friday, June 29, 9:12 a.m….

Barton and his direct reports had convened at 7:15 a.m., and they’d begun talking through a list of issues.

First, they needed to identify the security measures they wanted to implement to reduce the risk of future attacks. The upgrade project that had been rejected earlier would be accelerated, but Barton wanted them to figure out what else they could do.

Second, they needed to decide what should be done to make the company secure against additional mischief from the attack that had just happened. They had no smoking gun to tell them that there had been intruders, but neither could anyone think of a way a database index file could be renamed without someone meaning to do it.

Third, they needed to figure out what to recommend to Williams about what, if anything, they needed to disclose outside the company. This was the issue most likely to get people fired, the issue most likely to spell an ugly end for IVK.

Friday, June 29, 3:47 p.m….

Options were shaping up. The team would work on “future event avoidance” on a less urgent time frame, but the other two issues, recovery from the attack and what to disclose, had to be dealt with now. There were three possible courses of action:

1. Do nothing. Assume that the past mischief was the worst that the bad guys had intended—if in fact there had been bad guys.

2. Shut down the company except for operations that could run manually and rebuild critical systems from development files. This was the “playing it as safe as possible” option, but the shutdown would be noticeable enough from outside IVK that it would need to be explained.

3. Build a mirror site from development files and rebuild production systems after the mirror site was up and running. It would cost money and take a couple of weeks to assemble the necessary facilities and equipment.

Barton’s team had a preference for playing it safe; they liked option two.

The disclosure issue was, as expected, more complicated. Some argued for coming totally clean. The most popular position called for contacting customers whose records had been accessed and warning them that their information might have been compromised. A few argued for no disclosure at all.

After much tired and occasionally heated discussion, the group settled on the immediate rebuild option—explaining it as maintenance—and disclosure to customers only.

Barton called Williams to say that he was ready to discuss options. Williams informed him that the senior management team would convene at 8 a.m. to decide what to do.

Saturday, June 30, 8:56 a.m….

“So, this is a recommendation,” said Williams. They were assembled in the boardroom. Williams stood, as usual. Leadership team members sat around the table. Williams turned to Graham Wells, the company’s chief lawyer.

“I like the idea of playing it safe,” said Wells.

“Other thoughts?” Williams looked around the room. The others stirred, nodding and murmuring agreement with Barton and Wells.

“What if,” Williams asked, “a reporter or analyst puts together the maintenance outage and the warnings we’re sending to customers, then wants to know about the attack?”

“How would a reporter or analyst know about the attack?” asked Niels Hansen, Barton’s successor as head of loan operations.

“I don’t know,” said Williams. “Our employees know about it. Think none of them has mentioned it to a friend?” Williams continued: “Let me see hands—who thinks we should adopt the plan that Jim Barton has recommended?”

Haltingly, exchanging uncertain glances, the executives raised their hands, in the end indicating unanimous agreement.

Williams surveyed the room, then moved to the window. For a long time he stood, looking out. Such a flair for drama, mused Barton. All the long pauses and stalking around.

Williams turned back: “I don’t agree,” he said quietly. “I WAS HIRED,” he said, now shouting, “to turn this company around. We will NOT shut the company down. And we will NOT say to anyone that we think, maybe, possibly we might have—perhaps, perchance, conceivably—lost customer data.”

He paused to inhale again, then focused his attention on Barton. “This is it,” Barton thought, “I’m history.”

Miraculously, Graham Wells chose that moment to speak up: “I can’t go along with you on this, Carl. This is a very dangerous course you’re proposing.”

“I agree,” said Hansen.

“Anybody else?” Williams asked. No one said anything.

“Very well,” Williams said quietly, “the two of you are fired.”

Williams returned to the window. Wells and Hansen looked at each other, then stood and left the room. No one moved or made a sound.

Suddenly, Williams turned and pointed at Barton. “YOU will need to take over loan operations again until I figure out who to turn it over to. Do NOT—and I mean DO NOT—let loan operations distract you from your duties in IT. And DO NOT let this ever happen again.”

“Yes, Carl,” Barton whispered.

“This meeting is adjourned,” said Williams.

CAN BARTON RECOVER? Read the final installment.

Excerpted from The Adventures of an IT Leader by Robert D. Austin, Richard L. Nolan and Shannon O’Donnell, Harvard Business Press, April 2009. Austin is a professor at Copenhagen Business School and an associate professor (on leave) at Harvard Business School. Nolan is a professor at the Foster School of Business at the University of Washington, Seattle, and a professor emeritus at Harvard Business School. O’Donnell is a PhD fellow at Copenhagen Business School and a former director and dramaturg at People’s Light and Theatre in Philadelphia.