If you’ve been in the working world in the past 20 years, then someone at some point probably told you to move fast and break things, the now-infamous principle espoused by Facebook founder Mark Zuckerberg.
The move-fast-and-break-things ethos, which epitomized Facebook (now Meta) in its early days, became a kind of tech-industry mantra, a way to justify taking big, audacious swings regardless of the collateral damage. But it also had consequences, and one could argue that Facebook’s quest for speed helped upend business norms around just about everything from democracy to creative culture to personal privacy.
And when it comes to security, and protecting your company’s assets, moving fast and breaking things is a really, really bad idea, experts say.
“Unfortunately, it’s been kind of a mantra of a lot of organizations for some time now,” said Scott Shackelford, professor of business law and ethics at Indiana University’s Kelley School of Business and the executive director of the Center for Applied Cybersecurity Research. “And unfortunately, a lot of things got broken along the way.”
But in this era of uncertainty, transformation, and disruption, accompanied by heightened expectations for companies to behave in socially and environmentally responsible ways, finance professionals need to move fast without breaking things, according to Shackelford. And that means taking a more thoughtful approach that considers unintended consequences.
“There’s more awareness of the need to be diligent, to be proactive and thinking about all of the different risks that can manifest with that ‘Move fast, worry about the consequences later’ idea,” he said.
Pump the brakes. Too often, organizations circumvent or sandbag internal controls in the race to move quickly, a practice that threatens security, according to Amanda “Jo” Erven, president and founder of Audit. Consulting. Education LLC and author ofBecoming the Everyday Ethicist. That corner-cutting threatens the security of companies of all sizes.
“‘Move fast and break things’ is one of my seven deadly ethical sins,” said Erven. “We are so concerned with being the first to the market, beating out our competitors, that…we’re eliminating the controls that made us safe along the way, and that’s where I see it being a huge risk.”
But often those internal controls that get neglected at the altar of speed or unchecked growth are the ones that can make or break an organization’s security.
Take Equifax. In 2017, hackers stole the identities of 147 million people from the credit-reporting agency by exploiting an outdated security certificate on one of the company’s servers.
News built for finance pros
CFO Brew helps finance pros navigate their roles with insights into risk management, compliance, and strategy through our newsletter, virtual events, and digital guides.
The company’s aggressive growth strategy in the previous years had “brought increasing complexity to Equifax’s IT systems and expanded data security risks” that the company failed to address, according to a congressional report on the breach.
Organizations that don’t cut corners in the rush to be fast and that take the time to fully consider cybersecurity and other risks do end up with a “security dividend,” Shackelford said.
“It’s hard from a strictly cost-benefit analysis perspective to monetize the benefits of an avoided breach five years from now,” he said. “But they’re real benefits.”
And sometimes companies do need to respond quickly, say, during a real-time security breach, without the opportunity to think through the consequences, according to one cybersecurity expert.
“That approach is appropriate in some very limited situations,” said Keatron Evans, principal security researcher with Infosec, a cybersecurity research company. “But from a strategic standpoint, that’s the opposite of what organizations should be doing.”
Move fast, and then what? However, business isn’t happening in a vacuum. And whether an organization decides to take a longer view on risks and consequences, the world is still moving—and being disrupted—at breakneck speed. Boards and shareholders still demand results, no matter how much time organizations put into not breaking things.
“The real issue is that we’re always going to keep moving fast—that's not going to fall by the wayside anytime soon,” Shackelford said. “It’s that ‘break things’ part that is the aspect where you don’t need to take that as a given.”
Circumstances may also dictate that a company move quickly without much thought to consequences. For example, a major data breach or a natural disaster forces a company to react without time to carefully consider every potential scenario.
“So many companies are getting put in the news and losing stock price over data breaches... and they want to move fast and break things just to show that they’re doing something,” Evans said. “But that’s definitely not the best approach."
Rather, the most effective organizations have response plans in place to deal with crisis moments and although they are moving quickly, they do so intentionally, Shackelford said.
“You can move fast, but you can do so in a considerate manner that takes into account all of the different manifestations of what can happen when things go wrong,” Shackelford said.—DA