Before there was Equifax there was British Petroleum. Before British Petroleum there was Enron.
All three were responsible for disasters. And, all three are evidence of something every leader needs to embrace:
It’s always the culture.
Sure, skills and experience, tools and technologies, and processes and procedures matter too. For example: Just as you thought it couldn’t be any worse comes the revelation that in Equifax Argentina, an internal system that provided access to customer records had a backdoor, where both login ID and password were “admin.”
Proper security policies and procedures would have prevented this.
Just kidding.
For all I know Equifax Argentina’s security policies and procedures are just fine and dandy. If they’re out of step with the corporate culture they wouldn’t have made any difference. Culture wins every time.
Call it Lewis’s Law of Unnatural Disasters: When something goes terribly wrong you can bet there’s something about the organization’s culture that makes terribly wrong inevitable.
But in engineering your organization’s culture … and yes, culture is something to engineer … you need to consider your chosen solution’s ripple effects for the culture to be a positive force.
Let’s hypothesize that Equifax Argentina does have security P&Ps that specify what constitutes a suitably secure password — that the fault was a culture that resulted in nobody giving a damn. What cultural trait should its leadership be encouraging to prevent a recurrence?
The obvious one is a culture shaped so the employee handbook is law and everyone obeys it. That should do the trick.
It would. It would also create a culture where jailhouse lawyers are on a constant quest for loopholes that can only be closed by increasing the length of the P&Ps. Eventually, all your employees would need a year of study just to learn what’s in the handbook.
Beyond that, it would lead to a culture where checking off the boxes is what matters, not accomplishing the desired outcomes.
Worst of all it would result in a culture that combines blind obedience with a complete absence of risk-taking and initiative.
Compare that to a culture that focuses more on outcomes than obedience. Culture is loosely defined as “how we do things around here.” The cultural trait “We don’t put people at risk” wouldn’t just eliminate the admin/admin login/password combo; whoever put it in place would suffer a fate worse than being fired.
They’d be shunned.
But there’s a complication in all of this that isn’t easily addressed.
Enron’s CEO and board chair, Jeffrey Skilling and Kenneth Lay, pleaded the ignorance defense — yes, Enron the corporation was doing awful things, but they didn’t know about them. After Deepwater Horizon exploded, BP’s CEO Tony Hayward expressed a similar level of know-nothing-ism.
Equifax’s executives haven’t yet pleaded ignorance, but it’s only a matter of time.
Which gets to the complication: They probably were ignorant, and in some important respects they should have been.
The best leaders don’t find ways to succeed. They build organizations that find ways to succeed. They can’t do this without delegating. They can’t do this unless the people they delegate to delegate.
In great organizations, employees at all levels have authority and take responsibility, to degrees that are surprising to those managers who consider any decision not made by themselves or someone higher up the chain of command to be an unacceptable risk.
Or as D. Michael Abrashoff, former Captain of the Benfold and author of “It’s Your Ship” put it, “I chose my line in the sand. Whenever the consequences of a decision had the potential to kill or injure someone, waste tax-payers’ money, or damage the ship, I had to be consulted. Sailors and more junior officers were encouraged to make decisions and take action so long as they stayed on the right side of that line.”
Sounds great. It is great. Only if someone on board the Benfold had done something reckless with Deepwater-Horizon-scale consequences, Captain Abrashoff very likely would have been ignorant, because that’s the whole point: The people in charge not making themselves decision bottlenecks.
Culture is certainly the first line of defense. But those pesky human beings being what they are, it isn’t a perfect, airtight solution.
Leaders also need metrics, controls, and governance mechanisms, to provide the guardrails that backstop culture’s lane markers.
But even with these, culture comes first because with the wrong culture, employees will find ways to jigger the metrics, fake out the controls, and game the governance.
What they won’t do without a culture that encourages it is take the risk of telling you something that should be happening isn’t, or that something that shouldn’t be happening is.
It’s always the culture.