I didn’t have time to write anything original this weekend. Instead, a cautionary re-run from November of 2003 about information security and how not to go about ensuring it. – Bob

# # #

Students of corporate behavior, attempting to account for the seemingly incomprehensible level of self-destruction evident everywhere in the business world, often find themselves at a loss. Why, they ask, would a business do something like this, whatever “this” is this time?

The answer is usually easy to find, if you know where to look: Businesses can’t be self-destructive, for the simple reason that businesses aren’t selves. Human beings make the decisions, either individually or in groups.

Some of these individuals and groups make their decisions with the good of the company in mind, even though “The Company” is a fictional beastie that lacks any actual intent, consciousness, or independent reality. Others focus on “shareholder value,” showing an admirable, albeit misguided altruism toward their employer’s legal owners — misguided because their altruism is rarely returned by the shareholders whose interests they hold paramount.

The majority of decision-makers do neither. They base their decisions on exactly the criteria they’re supposed to use in a capitalist society: They look out for their own best interests. Often, their best interests have nothing at all to do with what’s best for the company.

How else to explain the following event:

A character arrives from corporate headquarters. Looking in the mirror, he sees a secret agent looking back. Or maybe he thinks he lives in The Matrix. Hard to tell.

“Why are you here?” the head of security asks him.

“I can’t tell you.”

“What are you planning to do?”

“I can’t tell you that, either.”

“What can you tell us?”

“I need a work space with a network connection, telephone, desk and chair. And please don’t interfere with what I’m doing.”

He’s from the holding company’s headquarters. A quick check confirms he has the authority and the right to ask for this, and so it is done. A few weeks later, he packs up and leaves, having downloaded a number of security intrusion tools used to … keep in mind, this is a true story, not paranoid fiction … break into and damage several production servers, thereby proving, I guess, that the network is vulnerable to someone from headquarters connected inside the firewall, with no oversight or supervision, no responsibilities other than breaking into the network, and the authority to insist on being ignored regardless of his actions.

From a security audit perspective, his behavior is unprofessional on at least two counts. The first, of course, is that he did actual damage instead of simply leaving evidence of his successful entry.

But that’s the lesser example of the complete worthlessness of his efforts. The greater is that he ignored the basics. The test of an organization’s security isn’t whether it can be hacked, let alone whether it can be hacked from inside its firewall. The test … actually, the two tests of any organization’s security are (1) Does the organization’s security policy fit its needs? and (2) Does the organization’s actual security implement its security policy?

Since Mr. Bond never bothered to read the security policy, he’ll never know. All he knows is that it’s possible to penetrate his subsidiary’s firewall from inside the firewall.

An impressive performance.

How does one go about explaining behavior this bizarre? It requires neither a conspiracy theory nor a temporary shortage of Thorazine.

All it requires is an understanding that everyone in every company acts solely in their own best interests. It’s up to the company’s leaders to ensure their best interests line up with those of the company, and that they understand this alignment.

At a guess, HQ’s secret agent saw a possibility of career advantage from showing up the subsidiary’s IT staff. Viewed in this light, his behavior makes perfect sense: By engineering a situation in which he couldn’t fail to successfully intrude, he can claim to have revealed serious security deficiencies. And because he works at corporate headquarters, he figured he could use his superior access to decision-makers to paint any objections to his behavior by the subsidiary’s IT staff as nothing more than a defensive attempt to cover up incompetence.

I’m speculating, but at least this explains this odd event. Viewed from any other perspective, the behavior of this strange visitor from another city would be incomprehensible.

I take that back. There is one other perspective that would explain it.

Maybe he’s just stupid.

There’s never been a worse time to be a bad IT manager.

IT unemployment rates have plummeted nationwide. Even where it’s bad, like West Virginia, 4.3% is still pretty good. And if you’re an unemployed IT professional who lives in West Virginia and you’re willing to relocate, it doesn’t have to be Nebraska or North Dakota (1.6%). You could probably find work in Hawaii if the island life appeals to you (2.0%) or a true paradise like Minnesota (2.3%) (okay, it isn’t paradise, but it’s where I live).

Right now, if you’re an IT professional with even a few years of experience under your belt and can’t find a job, it’s safe to say you’re doing something wrong.

Which also means that if you’re an employed IT professional working in a toxic situation, there’s little reason for your suffering to continue.

What you might need are ways to spot when your work environment is about to become toxic … for example, when a new manager replaces the one with whom you’ve established a comfortable working relationship and it isn’t clear what working with your new boss will be like.

As always, KJR is here to help with some Workplace Incipient Toxicity Indicators, to help you spot when it’s time to polish your resume, redouble your networking efforts, and scan the landscape for more congenial situations.

But first, a non-indicator, just in case you’re a newbie at this and not a hardened cynic (that is, someone who looks at the world through glass-colored glasses).

The non-indicator: Your new manager says all the right things. Of course he does. In my experience, every new manager always says all the right things because they’ve all been through this themselves and have memorized the Right-Thing-To-Say Playbook.

Instead, pay attention to these, more reliable indicators:

Talk-to-listen ratio: Smart managers know that when they walk into a new situation, they know very little about what they’re facing. Smarter ones know the odds are high that what’s been explained to them has at best a limited correlation with what’s really going on.

The smartest make time to listen to the people who do the actual work of their organization or, if the organization is too big, to ask lots of people who the star performers are and then make time to listen to them.

If your new manager doesn’t invest heavily in organizational listening, it’s a sign it’s time for you to move on.

High-level/low-level attention span: The higher up someone is in the management hierarchy, the less time they have to understand the details. The effective ones understand that this is a problem — that “the view from 50,000 feet” is ManagementSpeak for “wrong” — and make sure their having too little time to master the details doesn’t lead them to make ignorant decisions. They achieve this by delegating decisions to those most competent to make them, namely, those who do sweat the details, with whom they share the strategy without considering it to be the only decision dimension that matters.

Those who care more about climbing than about getting the job done look at upper managers who don’t personally deal with the details and consider it a career advancement strategy. They make it clear they operate at a strategic level — that details are unimportant irritations best left to lesser mortals, so please don’t waste my time with trivia. I have more important matters on my superior mind.

If your new manager doesn’t recognize that, in the wise words of the KJR Manifesto, “Before you can be strategic you have to be competent” … if she doesn’t recognize that strategies that ignore the details are strategies that will fail … it’s probably time for you to choose a new employment strategy.

One that will allow you to succeed.

Too much to do. Too little time: One of the most important skills for anyone in management is to keep control of your calendar. If someone else controls your schedule, they control you.

If your new manager is chronically overwhelmed by his list of appointments, all of which require his personal attendance, your new manager isn’t someone you should tie your fortunes to for the long haul.

If we were living through a replay of 2008, I’d be giving you different advice — about how to survive in bad situations.

Right now, employees have choices. So don’t be victimized by a toxic workplace. You can do better.

So do it.