Tossing ethics into the heap with morale and honesty, one has to realize that much as some development and IT managers look upon outsourcing as a way to form a shell company, cooking the IT change control records is nowhere near as refined an art as keeping financial books on a slow simmer.

It's a safe bet that any substantive discrepancies in the IT records will lead to a thorough roasting, whether they're discovered next week, or pulled off the shelf years later after a security breach. The solution depends on the organization, but the principle is clear: Don't shoot the messenger.

More pointedly, IT managers should pay attention to bad news that's accompanied by information useful for fixing the problem(s), and reward forthright honesty.

I'm sure lazier organizations or those tied to inflexible technical methodologies will continue to focus on the placement of blame immediately following the discovery of unexpected risk.

However, they would do well to learn from the professional tone of more mature and constructive organizations, in which honesty is rarely a career-ending mistake. In short, firms that play hide-and-blame need to grow up.