Show me the victim!

Insider trading is in the news, and is so often is the case, there are parallels to your day-to-day decisions and actions as a leader in the world of business, independent of the specific indictment. And so …

A common defense for insider traders is that it’s a victimless crime. That is, when the stock in question is from a publicly held company, it’s rarely possible to identify any individual who was directly harmed by the insider trading.

The usual counter is that the stock in question is priced wrong because the information in question is known only to insiders. Armed with that information, insider traders know when a stock is underpriced and they should buy, and when it’s overpriced and they should sell. Who do they buy from and sell to? To other investors who lack access to the key facts in question.

From KJR’s perspective this is interesting but not essential, included here for completeness. Here’s what is essential to you as a business leader.

Imagine that, instead of investing, we’re talking about the Minnesota State Lottery. Now imagine the headline story is that one player has been told the first 3 numbers of the winning entry.

If I’ve done my arithmetic right, this knowledge improves the odds of winning from 1 in  36,348,339,200 to 1 in 115,600. As payouts, based on the first number, are typically in the tens of millions and each ticket costs $2, an investment of $231,200 pretty much guarantees the player with insider knowledge a multi-million dollar profit.

Ignoring the debate over whether this is a crime with victims or not, we come to a more important matter: Everyone now knows it’s a rigged game.

This is an issue that matters to all business leaders, or at least it should: Many, without even thinking about it, rig the game of getting raises, bonuses, and promotions.

Take, for example, the very common situation of a mentor/protégé relationship. This is widely considered to be a positive thing — leaders should mentor promising employees as part of being a good corporate citizen.

And it is: the additional mentoring makes the protégé a better manager and leader; having a better manager and leader makes the company incrementally more effective; and as the protégé progresses through the management ranks, the mentor increases his or her influence in the corporation at large.

Also: Because the mentor/protégé relationship is warmer than that of boss to direct report, the mentor and protégé inevitably develop a personal friendship, the result of which is that the protégé has increasing influence with his/her mentor.

Which is also good, in that the mentor now gets a second pair of eyes on difficult decisions.

What’s not to like?

Everything is not to like if you aren’t the mentor or protégé, which, mathematically speaking, is everyone minus one. Because everyone (minus one if the protégé is oblivious) knows the game of raises, bonuses, and promotions is rigged in favor of the protégé.

Take, for example, one of the most basic leadership skills (and one of the eight tasks of leadership — see Leading IT: (Still) the Toughest Job in the World, 2nd Edition, by yours truly, IS Survivor Publishing, 2011. Leaders generally delegate to those they considered most qualified. As they mentor their protégé, the protégé is, in their eyes, more and more likely to be the most qualified, especially for high-visibility assignments.

Which gets the protégé the next high-visibility assignment.

It’s a virtuous cycle if you’re the protégé; a vicious one if you’re anyone else.

How, as a leader, do you solve this? It isn’t complicated: As a business leader you should think of yourself as mentor for all of your direct reports.

What’s easy is the concept. What’s hard is that you inevitably have better rapport with some of the men and women who report to you than you do with others.

My recommendation: Invest the time needed to develop rapport with the ones who are harder.

That’s the view as you consider your relationship with your direct reports. How about your relationship with your own manager, if your manager is less conscious of these dynamics?

The solution is as inescapable as it is unfortunate. It’s that the only thing worse than having to play a crooked game is losing one.

Be the protégé.

I didn’t have time to write anything original this weekend. Instead, a cautionary re-run from November of 2003 about information security and how not to go about ensuring it. – Bob

# # #

Students of corporate behavior, attempting to account for the seemingly incomprehensible level of self-destruction evident everywhere in the business world, often find themselves at a loss. Why, they ask, would a business do something like this, whatever “this” is this time?

The answer is usually easy to find, if you know where to look: Businesses can’t be self-destructive, for the simple reason that businesses aren’t selves. Human beings make the decisions, either individually or in groups.

Some of these individuals and groups make their decisions with the good of the company in mind, even though “The Company” is a fictional beastie that lacks any actual intent, consciousness, or independent reality. Others focus on “shareholder value,” showing an admirable, albeit misguided altruism toward their employer’s legal owners — misguided because their altruism is rarely returned by the shareholders whose interests they hold paramount.

The majority of decision-makers do neither. They base their decisions on exactly the criteria they’re supposed to use in a capitalist society: They look out for their own best interests. Often, their best interests have nothing at all to do with what’s best for the company.

How else to explain the following event:

A character arrives from corporate headquarters. Looking in the mirror, he sees a secret agent looking back. Or maybe he thinks he lives in The Matrix. Hard to tell.

“Why are you here?” the head of security asks him.

“I can’t tell you.”

“What are you planning to do?”

“I can’t tell you that, either.”

“What can you tell us?”

“I need a work space with a network connection, telephone, desk and chair. And please don’t interfere with what I’m doing.”

He’s from the holding company’s headquarters. A quick check confirms he has the authority and the right to ask for this, and so it is done. A few weeks later, he packs up and leaves, having downloaded a number of security intrusion tools used to … keep in mind, this is a true story, not paranoid fiction … break into and damage several production servers, thereby proving, I guess, that the network is vulnerable to someone from headquarters connected inside the firewall, with no oversight or supervision, no responsibilities other than breaking into the network, and the authority to insist on being ignored regardless of his actions.

From a security audit perspective, his behavior is unprofessional on at least two counts. The first, of course, is that he did actual damage instead of simply leaving evidence of his successful entry.

But that’s the lesser example of the complete worthlessness of his efforts. The greater is that he ignored the basics. The test of an organization’s security isn’t whether it can be hacked, let alone whether it can be hacked from inside its firewall. The test … actually, the two tests of any organization’s security are (1) Does the organization’s security policy fit its needs? and (2) Does the organization’s actual security implement its security policy?

Since Mr. Bond never bothered to read the security policy, he’ll never know. All he knows is that it’s possible to penetrate his subsidiary’s firewall from inside the firewall.

An impressive performance.

How does one go about explaining behavior this bizarre? It requires neither a conspiracy theory nor a temporary shortage of Thorazine.

All it requires is an understanding that everyone in every company acts solely in their own best interests. It’s up to the company’s leaders to ensure their best interests line up with those of the company, and that they understand this alignment.

At a guess, HQ’s secret agent saw a possibility of career advantage from showing up the subsidiary’s IT staff. Viewed in this light, his behavior makes perfect sense: By engineering a situation in which he couldn’t fail to successfully intrude, he can claim to have revealed serious security deficiencies. And because he works at corporate headquarters, he figured he could use his superior access to decision-makers to paint any objections to his behavior by the subsidiary’s IT staff as nothing more than a defensive attempt to cover up incompetence.

I’m speculating, but at least this explains this odd event. Viewed from any other perspective, the behavior of this strange visitor from another city would be incomprehensible.

I take that back. There is one other perspective that would explain it.

Maybe he’s just stupid.