All Posts in Business Ethics

|In: Business Ethics|Last Updated:

This is probably a mistake.

But I wrote about male/female workplace issues quite recently (“A tale of two genders,” 8/14/2017). Now we have the decline and fall of Harvey Weinstein and others of his predatory brethren, with remarkably little root cause analysis.

Let’s start with this: Harvey Weinstein was a major financial contributor to the Democratic party and its candidates. Roger Ailes used his media outlet to promote the Republican party and its candidates.

Linking their sexual predation with their political affinities is … what’s the word I’m looking for? … ah yes, that’s it: reprehensible. Please don’t. The last thing we need these days is more tribalism.

We can each freely agree with someone about their political views without incurring an obligation to defend them on any other aspect of their lives. “Us” does not mean “good person” any more than “them” means bad person.

Well, actually, it usually does, but let’s not succumb to the temptation. Let’s do the opposite and forbid political affinitizing (I don’t care if it isn’t a real word) about this. It cheapens an issue that should, under no circumstances, be cheapened.

Next, let’s jettison the next-most-popular root cause analysis: “They’re horrible human beings.” Yes, they are, but how does that help? What’s useful is understanding how they became horrible human beings.

Which gets us to what’s missing as commentators vie to write the Most Condemnatory Commentary Yet. It’s culture, a subject I wrote about last month (“It’s always the culture,” 9/25/2017).

Whenever you see a pattern of behavior that’s common to a group of people who know and associate with each other, you can bet culture is a major causal factor.

Go back to the early days of the entertainment industry. The so-called casting couch was, if not ubiquitous, certainly prevalent. Those who had them figured their couch was one of the perks of their position. Reclining in one was, for many a budding starlet, a distasteful prerequisite for a shot at the big time. Some chose (or in some cases were forced) to acquiesce. The rest went home.

Those who ran the entertainment industry knew and socialized with each other. Anyone lacking a casting couch in their own suite of offices understood the key message: This sort of thing is okay. It’s how we do things around here. It’s embedded in our culture, “us” being the powerful and important people who run this industry.

Want to understand how Ailes, Weinstein, and so many others could get away with their offenses for so many decades?

I had the good fortune of having a business partner who was a student of anthropology. Culture, he explained, is the learned behavior people exhibit in response to their environment.

In our Cro-Magnon past, a lot of the environment was physical: Animals that could be hunted, vegetables that could be gathered, plant, animal, and mineral matter that could be turned into useful implements.

In an organization, in contrast, most of your environment is the behavior of the people around you. Culture becomes a self-reinforcing loop: it’s the learned behavior people exhibit in response to the learned behavior people exhibit in response to the learned behavior people exhibit.

Ailes and Weinstein, Hitchcock before them if Tippi Hedren is to be believed, and Fatty Arbuckle before him, all were embedded in a culture where the norm was, and apparently still is in some circles, “This is okay. It’s better than okay. It’s something you deserve.”

Look at just about every horrible act performed by any group of people who knew each other at any time in the historical record, and ask how it’s possible that human beings behaved in such extraordinarily repulsive ways. The nearly uniform answer: Their culture told them this is how they’re supposed to behave. It’s more than okay. It’s approved of.

Which has what to do with you?

If you have a leadership role in your organization, you’re responsible for the learned behavior people exhibit in response to their environment, because as a leader a disproportionately important part of their environment is you.

If you indicate, directly, or by modeling, or through implication, or even through omission that something is acceptable that shouldn’t be, you’re responsible for anything and everything that happens as a result of the culture you’ve helped foster.

Members of the KJR community understand these two critical points about culture: First, being a leader isn’t a matter of position. It’s a matter of choice.

And, second, if there’s something you don’t like about your organization’s culture, the most important tool at your disposal is a mirror.

Comments

|In: Business Ethics|Last Updated:

We consultants have an easy life. For the most part our techniques are uncomplicated and our advice is, while good, pretty obvious. Even better, most clients don’t want our advice. They either want us to read a script, or they have a dozen reasons our advice is good in theory, but won’t work in the “real world.”

Personally, most of what I do is Undercover Boss except I’m not the boss. In my experience, employees know exactly what’s wrong with the organization, have a pretty good idea how to fix it, and have an accurate bead on why management will never make the repairs.

In the case of information security, it’s usually even easier than that: If companies would just:

> Patch: Now, please.

> Encrypt everything: Too expensive? Net the cost of the time needed to decide what should be encrypted and what doesn’t need to be against the cost of encryption. Encrypting everything costs less.

> Rotate keys: Rotate them at least as often as users are required to change their passwords because the data in your corporate databases is more sensitive than the data in individual laptops. What would you do without me?

> Phish: Subject everyone in the company to white hat phishing attacks. Everyone. Frequently. Model your attacks on real-world ones. Explain to employees who click what they fell for and how to spot the next one. Because the bad guys don’t bother trying to crack passwords any more. They just ask for them.

One more: Add “Don’t store this because we don’t need it and never will” to your company’s master data management practices. I spent much of my spare time over the past week trying to figure out what uses EquiFax might have for storing social security numbers in its credit records, and I’ve come up dry. My social security number has no bearing on my creditworthiness.

With this exception: It’s the only form of personal identification that won’t change over time.

The “never will” qualifier deserves a bit of explanation. I worked with a life insurance company once upon a time that routinely deleted a lot of information about applicants once they became policy holders because they didn’t need it anymore.

Until the time, a few decades later when the importance of customer analytics was becoming apparent.

So “never will” is a balancing act.

Which gets us to: In response to last week’s column proposing SSN 2.0, several correspondents and Commenters pointed out that when we who till the soil of corporate IT need to determine if someone should be allowed into a system, we establish a key value … the user ID … and one or two authenticators, of which passwords are the most prominent.

Social security numbers play both roles — they’re both identifier and authenticator, on the theory that only the holder of a social security number knows what it is.

It’s a quaint perspective, but seriously folks, haven’t we become just a wee bit more sophisticated in the 81 years since the Social Security administration issued its first batch of cards?

Not to mention since Woolworth became the first and possibly worst identity thief of all time? (You just have to read about this — click here.)

In an interesting way what we’re looking at is really a common IT problem: A system that elegantly solves a problem is expanded to solve additional related problems. Then it’s expanded again. And with every expansion the system’s architecture becomes another notch messier, until it reaches the point where it’s at risk of collapsing under its own weight.

When the subject is business applications this means it’s time for modernization, conversion, or a re-write, to a system designed from the beginning to handle the actual scope of the solution.

Here, the original problem was to uniquely identify citizens registered with the Social Security Administration, to which the IRS added taxpayer identification.

Now, the SSN is used by businesses asking the question, “Can we trust this person to hold up their end of the bargain when we sign a mutually binding contract?” It’s the public connecting point for all of a person’s financial records.

Whether my semi-whimsical SSN 2.0 proposal bears any resemblance to what a real solution would look like is anyone’s guess. What I am pretty sure of is that, if your company stores consumer information and doesn’t follow at least the practices described here and last week (no, not “best practices” — call them “barely adequate practices”), it will end up contributing to the problem.

Comments