We already knew that, mere months before hackers attacked Sony, the company's execs were aware of extensive issues plaguing its IT department. Now, leaked 2012 evaluations from Sony IT employees shed light on a department full of internal strife, lacking the necessary tools to do its job.
The evaluations consist almost entirely of like-minded complaints regarding IT management's overall apathy, total lack of communication, and general disregard for keeping equipment in a state that even approximates being "up-to-date." While some of it sounds like standard workplace griping, there are also some serious IT security issues laid bare.
Some key selections lie below.
We are definitely not taking advantage of the latest technologies in the way we work. We shouldn't be using an OS that has been released on 2001 anymore... There are new tools out there people, and we don't take the necessary time to exploit them, master them and improve them and that's not how leadership can be achieved...
There is no overall Strategy in the departments of IT. IT is fragmented in the US due to everyone being in different offices/locations. Trust is not seen within the departments either and this needs to be addressed.
There is still a lot of finger pointing... Information security concerns (i.e. Viruses, Application vulnerability, etc.) on a desktop are often left to a desktop technician /engineer to identify and resolve with no clear guidelines of responsibility.
Too top heavy, unstable, with frequent re-orgs where I don't think people in the division I work have adequate leadership/management skills
The general consensus in IT seems to be that there is a gap between the perception of how things are running and how things are actually running.
The result is an IT org operating in a continuously reactive mode which puts the long term stability of systems at risk.
Over the last year I've seen actions management in my department take that have shocked me. My boss was asked to leave the company because of his inability to deliver a project that was given to him with unrealistic expectations. He spoke up at the beginning of the project about how he didn't think the delivery date was reasonable and he was told he wasn't a team player.
On IT in general:
Unfortunately my department which is supposed to be in the front line of progress is actually close to obsolete. We are not taking advantage at all of the existing tools at our disposal.
IT has become an extremely difficult place to get work done... Suggestions to modify the model fall to deaf ears and/or are undermined by the management. It's time to understand/admit where the model is not working and step up and make the changes that will ensure SPE success.
SPE IT employees have ZERO power to make any changes. We have to fight with our own management to convince them there is a problem.
With Managed service model and reduced staffing model makes it impossible to innovate in IT which is going to have long term impact on company.
In Sony's semi-defense, the following year the company did at least make some sort of change. In 2013, Sony decided to put its Global Security Incident Response Team (GSIRT) in charge of overseeing the core responsibilities and general monitoring (subsidiary) SPE's IT department. Unfortunately, according to previously leaked internal documents, that transition made matters even worse, resulting in communications breakdowns that left crucial parts of the security system exposed.
While it's impossible to blame any one factor for allowing the breach, considering all the millions of dollars lost and lives upended, it certainly doesn't reflect well that SPE was fully aware of its many IT problems for years prior.