IT leader chapter 11
Find and read Chapter 11 of (Adventures of an It Leader
Book by Richard L. Nolan, Robert D. Austin, and Shannon O’Donnell)
Chapter 11 Only, then answer these questions in 2-4 sentences.
1. Let’s look back- why did this happen? Wasn’t IVK prepared for such an event? Who is responsible?
2. Which option to secure IVK would you recommend? When should a company actually, in effect, shut the business down?
3. What would you disclose to the outside world when there are problems like this? What are the possible implications of such disclosure? Or, the *lack* of disclosure?
4. Why does Barton still have a job?
5. What do you think of the advice to always tell your boss the bad news first, even if you don’t know for sure?
Adventures of an IT Leader — Chapter 11 Discussion Questions
1. Let’s look back — why did this happen? Wasn’t IVK prepared for such an event? Who is responsible?
The breach traces back to the “network consolidation” that occurred during IVK’s merger with People’s, when two different technology platforms were forced to interoperate without anyone fully securing the seams between them. IT had identified the vulnerability and even tried to get funding to fix it, but the request was denied because IT does not control its own capital budget; business units decide what gets funded, and a security patch with no obvious revenue payoff lost out to projects with clearer business cases. IVK was not prepared, in part because emergency response protocols were thin and inconsistently followed, and partly because Barton himself had previously rejected a fast-track upgrade that might have closed this very gap. Responsibility is therefore shared rather than singular: the business-unit-driven budgeting process that starved infrastructure spending, the previous IT leadership that allowed known risks to go unaddressed for years, and Barton’s own recent decision-making all contributed to the company being caught exposed.
2. Which option to secure IVK would you recommend? When should a company actually, in effect, shut the business down?
Of the choices on the table, a brief, deliberate, well-communicated shutdown of the affected production systems is the most defensible option, even though it is disruptive and embarrassing. Continuing to run systems that may still contain malicious code or an open intrusion point risks far greater damage later, including data theft, corrupted transactions, or a second, larger incident that would be even harder to explain to customers and regulators. A company should take the drastic step of effectively shutting down operations when there is credible evidence that continuing to operate could actively make things worse, meaning ongoing data exposure, the risk of corrupting financial or customer records, or the possibility that an unresolved vulnerability could be exploited again while systems stay live. The shutdown should be as short and targeted as engineering judgment allows, but the trigger should be risk of compounding harm, not merely the inconvenience or embarrassment of taking systems offline.
3. What would you disclose to the outside world when there are problems like this? What are the possible implications of such disclosure? Or the lack of disclosure?
The most defensible path is a measured, honest disclosure: confirming that an incident occurred, describing in plain terms what is being done to address it, and directly notifying any customers whose data may have been affected, without volunteering excessive technical detail that serves no one’s interest but a curious reporter’s. Full, dramatic public confession risks unnecessarily alarming customers, inviting regulatory scrutiny, and handing competitors a talking point, especially before the company even knows the full scope of what happened. But saying nothing, or actively minimizing the issue, carries its own serious risks: if the truth surfaces later, as it nearly did through an employee’s blog post in this chapter, the company looks far worse for having concealed it, and trust erodes faster from a cover-up than from the original incident. Silence can also create legal exposure if affected customers later argue they should have been notified sooner. The implications of disclosure are short-term reputational discomfort and difficult questions at the next earnings call; the implications of non-disclosure are a slower-building but more severe loss of trust if the truth comes out anyway, which it frequently does.
4. Why does Barton still have a job?
Barton keeps his job because, despite the breach happening on his watch, he responds to it the way leadership is supposed to: he surfaces the problem quickly rather than burying it, brings the right people into the room, weighs the disclosure options seriously instead of reflexively choosing the easiest one, and is willing to absorb the discomfort of telling Williams bad news directly. Executives and boards generally distinguish between a leader who inherited a flawed system and is now actively managing the crisis competently, and a leader who either caused unnecessary risk through negligence or tried to hide the problem afterward. Barton falls into the former category. He also benefits from the fact that the underlying vulnerability predates his tenure, originating in the merger-era network consolidation, which gives him some credibility in framing this as a legacy problem he is now fixing rather than one he created from scratch.
5. What do you think of the advice to always tell your boss the bad news first, even if you don’t know for sure?
This is sound leadership advice, and the chapter illustrates exactly why. Bad news that travels up the chain late, or only after every fact is confirmed, almost always arrives too late to be useful and often arrives through the worst possible channel, a rumor, a blog post, a reporter’s question, rather than from the leader who should have raised it first. Telling your boss early, even with incomplete information, allows the organization to start preparing its response, get ahead of disclosure decisions, and avoid the appearance of having concealed something once the full picture emerges. The risk, of course, is crying wolf or alarming leadership unnecessarily over something that turns out to be minor, so the advice works best when paired with appropriate framing, communicating clearly that the situation is still developing and the facts are not yet fully confirmed, rather than presenting tentative suspicions as settled conclusions. Used this way, early disclosure protects both the leader’s credibility and the organization’s ability to respond, while overly cautious silence, waiting for certainty that may never come, tends to make a bad situation worse.
