PatchDay Alert
MAY 4, 2026
Analysis · 6 min read By Victor Hayes

The feedback loop is broken

Executives keep making the same categories of bad IT decisions because the consequences land on operators, not decision-makers. The pattern is structural, not accidental.

The people who make IT strategy decisions and the people who absorb the consequences of those decisions are almost never the same people. This is the single most expensive structural problem in enterprise technology, and it has been the same problem for at least twenty years.

The pattern

DHS notified Equifax of CVE-2017-5638 on March 8, 2017. Internal policy required a 48-hour patch window. The patch was never applied. An expired TLS certificate hid malicious traffic for 76 days. 147 million records were stolen. The FTC settlement landed between $575 million and $700 million. Total remediation exceeded $1.38 billion. The House Oversight Committee called the breach “entirely preventable.”

The CEO, CIO, and CSO all resigned. The CEO retained an $18 million pension.

Target deployed FireEye’s malware detection system. It flagged the intrusion in real time on November 30 and December 2, 2013. The Minneapolis security team decided the alerts “did not warrant immediate follow-up.” A prior decision had disabled FireEye’s automatic removal capability. 40 million payment cards and 70 million customer records were stolen. Direct costs exceeded $200 million. The CEO resigned after 35 years. The CIO left.

Change Healthcare, after being acquired by UnitedHealth Group, never brought a Citrix remote-access portal under MFA policy. CEO Andrew Witty admitted this to Congress. ALPHV/BlackCat used stolen credentials to walk in. 192.7 million individuals were affected, making it the largest healthcare breach in US history. Claims processing halted nationwide. A $22 million ransom was paid. Response costs exceeded $2 billion in 2024 alone.

Uber’s CSO, Joe Sullivan, learned of a breach affecting 57 million users in November 2016, ten days after testifying before the FTC about Uber’s data security practices. He authorized a $100,000 bitcoin payment to the attackers, classified as a “bug bounty,” and required NDAs falsely stating no data was taken. He was convicted of obstruction and misprision of felony. Sentenced to three years’ probation. The Ninth Circuit upheld the conviction in 2025. It was the first criminal conviction of a corporate security executive for covering up a breach.

Four breaches. Four companies that had the tools, the policies, or the warnings in hand before the incident. Four cases where the decision to not act, or to actively conceal, was made above the operational layer.

Where the consequences land

In each case, the C-suite departed with severance or pensions intact, or, in Sullivan’s case, probation and no prison time. The people who stay are the ones rebuilding. The engineers whose replacement cost runs to 150% of annual salary. The operations teams who told leadership this would happen and got overruled, then got blamed when it did.

The average CISO tenure is 26 to 39 months. The average for other C-suite roles is about 5.3 years. That gap is not a coincidence. It is the sound of accountability rolling downhill.

When a migration fails or a breach lands, attribution settles on IT regardless of who made the strategic call. The dominant register among operators is not anger. It is exhaustion mixed with dark humor. “We told them this would happen” is the recurring phrase. It recurs because the structural incentive never changes: the person who approves the budget is not the person who lives with the implementation.

Why it repeats

The problem is not that executives are ignorant. The problem is that IT operates as a cost center in most organizations. When IT reports to the CFO and competes for budget against revenue-generating departments, allocation defaults to minimum viable spend. CIOs present budgets by technical category rather than business outcomes, which makes it easy for the board to trim what looks like overhead.

This produces a specific downstream effect. McKinsey surveyed 220 companies and found that technical debt consumes roughly 40% of IT balance sheets. Thirty percent of CIOs report that more than 20% of their new-product budget actually goes to resolving tech debt invisibly. The money that was “saved” by deferring maintenance is being spent anyway. It is just being spent without a line item, without accountability, and without the strategic decision-maker ever seeing the bill.

The rip-and-replace pattern makes it worse. ERP replacement projects fail at a rate of 50 to 75 percent. Birmingham City Council projected its Oracle Cloud ERP migration at 19 million pounds. The system never worked correctly. Security controls were disabled to keep it running. Internal reporting culture deteriorated to the point where “bad news was not welcome.” Cost grew to 90 million pounds by 2023. The council issued a Section 114 notice, which is effectively a declaration of bankruptcy. The projected total cost by 2026 is 216.5 million pounds, an 11x overrun. They are now selling 750 million pounds in assets.

The Standish Group’s CHAOS data puts a number on why: projects with sustained CEO involvement succeed 68% of the time. Projects that lose executive sponsorship within six months succeed 11% of the time. The executive who approved the migration is often not the executive who has to finish it.

What operators already know

The operators I talk to are not asking for more money or more headcount, though they could use both. What they consistently ask for is simpler.

Include technical staff in vendor evaluations before signing. Hertz paid Accenture $32 million for a website that never went live. A documented federal procurement planned at $4 million grew to $72 million and became largely redundant within a decade. The pattern is signing before scoping.

Build timelines with the people doing the work. McKinsey and Oxford studied 5,400 projects over $15 million. Forty-five percent came in over budget. Fifty-six percent delivered less value than predicted. Seventeen percent threatened the existence of the company. Hershey’s SAP rollout in 1999 cost over $100 million in missed Halloween orders because the timeline was set by the business calendar, not the implementation reality.

Distinguish between “we need this done by the conference” and “this cannot be done by the conference.” These are different statements. The first is a preference. The second is an engineering constraint. When they are treated as the same thing, the constraint loses.

Gartner reported in 2024 that 58% of boards want to take on more technology risk, while 81% view cybersecurity as a business risk. Both statements are true at the same time, in the same boardrooms. That is not a strategy. It is two slides from different consultants that no one reconciled. Until the people who approve the budget also own the outcome when it fails, this will keep producing Equifaxes and Change Healthcares at increasing scale.

The knowing was never the problem. The acting was. And the acting is someone else’s budget line.
