Paul Moore, an information security consultant with Urity group, claims that he warned TalkTalk last September about its lack of data encryption, but that his calls went unheeded.
Dido Harding, CEO of the group, appears to have failed in the prime task I mentioned last week: to listen to staff and suppliers, in this case in order to protect customers from online fraud. Reports indicate that, despite her protestations to the contrary, some customers’ bank details have been compromised and funds abstracted.
What makes this story truly damning is that this is the third cyber-attack on TalkTalk this year, yet lessons appear not to have been learned.
In February a number of customer names and account numbers were stolen; in August personal data breaches through the company’s mobile site were reported. The current episode is the latest and may not be the last.
Not listening properly, first seeking to deny problems, then the scale of them, and then seeking to divert attention with her ‘cyber arms race’ statement was not Ms Harding’s finest performance. Patronising concerned customers, whose status ranges from merely anxious, via fearful, all the way to victim, with techno-nonsense is as futile as Thomas Cook’s recent protestations when it and its board were found napping.
TalkTalk’s CEO communication failures indicate fairly conclusively that the time has almost certainly come for Dido to leave.
Institutional and private shareholders may well be dismayed at the size of the inevitable severance package. As it is likely to be several orders of magnitude higher than the legal fees an employment tribunal would soak up, they might wish to insist that she is heaved out for dereliction of duty and risk the ensuing litigation. Given a fair judge, they might even win. It appears to be fairly clear that the CEO in question has failed and has failed, moreover, in the full glare of publicity, with the consequent damage to their investment.
This is another instance when communication really matters. Communication being, of course, a two-way process.
One intriguing side issue to this sorry tale is that police are presently talking to three young persons in connection with the security breach.
One lives in Ireland, one in London and one in Staffordshire. Can one conclude that smart young folk, digital natives who know no national boundaries, have considerably more technical knowledge than the hugely expensive IT teams employed by large companies to look after security, and their dangerously smug board directors? I think one can.
This article was originally published on LinkedIn on 3rd November 2015.