In our previous post, The Paradox of Fire-Fighting Culture: How It Emerges and Persists in Organizations, we talked about how fire-fighting culture emerges in various organizations. But, is this really that bad? Should companies really prioritize solving this issue? I say yes.
But don’t blindly trust me. Think for yourself. Below I listed the most common consequences I’ve observed in companies with fire-fighting culture.
When an organization has a fire-fighting culture, it means they are dealing with problems in a rushed and reactive way. This often leads to only partially fixing problems, causing them to come back or new problems to arise.
This creates a negative cycle that takes up a lot of time and resources and makes it hard for the organization to make progress. Which significantly increases the number and criticality of security risks to the business.
Now, here’s the list.
Constantly addressing urgent issues can often lead to decreased productivity and efficiency as employees struggle to keep up with their work. Typically, security controls implemented in suboptimal ways will usually hurt the productivity too. Hence, they’re being ignored or avoided.
When a company is always dealing with urgent problems, it can be really stressful and overwhelming for employees. This can make them feel burned out and want to quit their job. The people in charge of making sure everything stays up and running (like the platform, infrastructure, and SRE teams) usually feel the most pressure out of everyone in the company.
Fire-fighting culture can lead to inefficient processes and workflows. Employees would usually prioritize immediate problem-solving over optimizing systems and procedures. Security phases of various processes will be ignored if possible. All of this can drastically increase the security risks to the organization.
Lack of Planning.
Fire-fighting culture can result in a lack of planning and strategic thinking, as the focus is on reacting to problems as they arise rather than anticipating and preventing them. No one gets very far without planning. Keep in mind:
“Plans are worthless but planning is everything” - Dwight D. Eisenhower
Leaders may be more likely to make reactive, short-term decisions rather than considering long-term consequences or investing in preventative measures. This can backfire in some many unpredictable ways. I’ve seen companies wasting hundreds of thousands of euros on unsuccessful initiatives and projects, due to broken decision-making.
When employees are constantly dealing with urgent issues, it can be difficult to see progress or accomplishments. This will lead, sooner or later, to decreased morale and job satisfaction. Which takes us to the first long-term consequence.
Loss of Talent.
When a company always reacts to problems instead of preventing them, its best employees will get upset and eventually quit. Good managers might be able to keep those employees for a while longer. But even the best managers can’t stick around in that kind of company forever.
A fire-fighting culture can lead to a lack of innovation and growth as resources are directed towards solving immediate problems rather than investing in long-term solutions. It takes more time to develop products and ship new features.
Companies that are always reacting to problems may find it difficult to keep up with competitors who are more proactive and strategic in their decision-making. This is not obvious in the short term, until it happens “overnight”.
Escalation of Issues.
When teams don’t have the time to address the real causes of problems, they will eventually enter a negative cycle of repeated issues. Such issues usually become increasingly difficult and expensive to solve over time.
Reduced Customer Satisfaction.
A bit far-fetched, but still a valid point. Any company that is always in crisis mode will likely struggle to provide consistent, high-quality customer service. Which could lead to reduced satisfaction and retention. One of the most common issues I’ve seen in the Tech companies was downtime of their services. They break their own SLAs, so they must pay for penalties to their clients. Which leads to the next point.
A company that is always in crisis mode may be seen as unreliable or untrustworthy by customers, investors, and other stakeholders, which can damage its reputation over time. Which hurts business growth and profits.
Significantly Increased Risk.
No proactive planning and preventative measures. Fixing the symptoms and not the real causes. Avoiding security controls to increase productivity. Ignoring security in various processes. And the list goes on. All of this significantly increases security risks to the business.
If after all of this, you’re still not convinced that eliminating fire-fighting culture should be among your top priorities, get in touch. You might be right. Or you might be biased. Overconfidence is a very common cognitive bias among business leaders.
Most major cybersecurity incidents and breaches in the past few years could have been prevented. Not by “next-gen AI super ultra cyber tools”. But by taking care of the Information Security basics in a proper way.
Building a security culture is one of the ways to effectively and efficiently fix fire-fighting, but you get so much more. And it’s likely much cheaper than your CISO’s next-gen AI cyber tool. For more info, see our whitepaper Security Culture as a Strategy.
To get updates about our new blog posts and other publications, sign up below.