All Posts in Policies and Procedures

|In: Leadership|Last Updated:

Most IT professionals understand the need to work late from time to time. Suggest it’s a normal part of the profession, though, and you’ll get an earful. If I were a cynical sort, I’d think many IT professionals just aren’t happy without something to complain about.

Several weeks ago, I listed IT being a ghost town at 5pm as one of seven warning signs of a complacent IT organization. Not, I hasten to add, a certain diagnostic — just a warning sign. Into the fray steps Steve Delahunty:

“I had a … boss who complained that people were complacent … The problem was that when he left he didn’t peek into every cubicle and office. The lack of people around the halls in his view meant there was nobody there late. But also, we now can all work as easily at home as from the office. Meaning that I would often get online at night and see so many of my staff on their instant messenger clients it was like we were almost fully staffed online at 9pm with many folks working on work projects.”

Which brings up two points. The first is to be careful how you interpret what you see … and don’t see. Just as a doctor, facing a patient with a high fever, has a lot more work to do before reaching a diagnosis, a manager facing empty cubicles needs to dig in a bit before reaching a diagnosis of complacency.

The second is the subject of this week’s missive (credit where it’s due: it’s a recommendation by my partner, Steve Nazian): If you haven’t developed an instant messaging strategy for your company — one that facilitates its use while building in secure design, not one that locks it down — you’re creating, not preventing, a security hole.

We have more than two decades of experience managing and mismanaging personal technologies. Personal computers, electronic mail, remote system access, contact management software, personal digital assistants, Blackberries … it’s always depressingly the same:

1. IT forbids their use.

2. They leak in through the windows and side doors anyway.

3. A few employees are disciplined for violating company policy.

4. A rational executive somewhere in the business raises a huge stink about IT preventing employees from doing their work.

5. The CIO, recognizing the political liability of trying to keep the tide from coming in any longer, develops a strategy for managing the new technology instead of banning it.

This time it’s instant messaging. If you try to prevent it, employees will figure out a way to use it anyway. And once again, because their use is illicit, the workarounds will almost certainly create security holes. It’s akin to the well-known consequence of requiring strong passwords and forcing frequent changes: Post-It notes containing the hard-to-remember passwords stuck to computer monitors throughout the company.

There are still, in this industry, those who think the goal of security is to create an environment in which intrusions are impossible. If you’re one of these people, I can help. It’s actually quite easy. You can achieve it with three simple steps:

First, disconnect your internal network from the Internet. Second, disconnect all personal computers from the internal network, remove all disk drives and USB ports, and make printers illegal. And third, ban laptop computers from the enterprise altogether.

Of course, you’ll prevent employees from performing any useful work, but that’s just the unfortunate and unavoidable side effect of making the enterprise secure. It’s the nature of the beast. Security creates friction in business processes. The more secure you are, the higher the cost and slower the pace of doing business.

The best IT professionals put into practice what IT executives advise the rest of the company: They use information technology to maximize their own effectiveness. The best employees elsewhere in the company do likewise. Isn’t that the whole point of information technology — to help individual employees, workgroups, departments, divisions, and the enterprise as a whole work more effectively?

Instant messaging is simply the latest of the many tools available for enhancing personal effectiveness. In dealing with it, you have two choices.

You can either embrace it, and in doing so promote the very healthy attitude it represents. Or you can try to prevent it. Which is to say: You can either encourage a good attitude and improved security, or a bad attitude coupled with security holes.

Sad to say, far too many IT executives, faced with these alternatives, will instinctively choose the latter.

Comments

|In: Business Ethics|Last Updated:

“Better,” said Voltaire, “is the enemy of good.”

I used this quote last year, describing it as a healthy attitude, to finish a column proposing seven warning signs of a culture of complacency. In response, the estimable Frank Hayes, who writes “Frankly Speaking” for Computerworld and is one of the best commentators in the industry, was kind enough to respond:

“It’s an incorrect translation. What Voltaire wrote, possibly quoting an existing French proverb, was: Le mieux est l’ennemi du bien. “Mieux” does translate as “better.” But “le mieux” is always translated as “the best.” (No, I don’t know how they say “the better” in French.)

“So the translation should be: “The best is the enemy of good” — (unattainable) perfection is the enemy of (attainable) quality. Which is a worthwhile thing for us to remember, but it’s the flip side to the point you were making: better is (and should be) the enemy of good enough.

“Which doesn’t need to be translated from French — just translated into a lot of people’s brains.”

It’s an outstanding point (as you’d expect from both Voltaire and Frank Hayes): While satisfaction with mediocrity defines complacency, insistence on perfection is paralyzing. It’s pointless anyway, because the universe is a stochastic place where just about anything can happen. All the molecules of air in your bedroom could congregate in one corner while you’re sleeping, leaving you in a vacuum to asphyxiate. All of the uranium atoms in the nuclear reactor closest to you could decay at the same moment, causing a colossal explosion. Microsoft could release a version of Internet Explorer without security holes.

Hey, I didn’t say these events were likely. But they’re possible given the laws of physics as we know them. All that’s kept them from happening to you are the mathematical laws of probability.

In IT, competent project managers, system administrators and application developers all recognize the stochastic nature of their domains. Project team members get sick, hired away, or reassigned. Servers fail for indeterminable reasons and won’t come back up. The state-of-the-art development tool being used for a bunch of mission-critical code turns out to multiply wrong under certain unlikely circumstances.

Based on much of the correspondence responding to last year’s columns on complacent IT organizations, it appears some readers don’t live in a stochastic universe at all: In a truly well-run IT organization, they assert, everyone can leave promptly at 5pm every day because everything is always under control.

I don’t think so. Yes, in a well-run IT organization there will be days where nothing untoward interrupts the plan. In large, well-run IT organizations, though, the laws of large numbers take over and the odds that something goes awry increase to the point of inevitability. If a culture of complacency permeates, that won’t matter — everyone will leave at quitting time. In a healthier culture, professionals will work late to get the job done.

Quite a few readers agreed with my point — that if IT is a ghost town at 5pm it’s a symptom of complacency — but argued I shouldn’t have said so, because many executives would read it to mean that if anyone leaves at 5pm there’s a problem. That’s in spite of my also saying, in the same paragraph, “If everyone works late hours and six or seven day weeks all the time, it suggests a very different problem: Desperation. It comes from strong motivation — usually fear — coupled with severe ineffectiveness.” Their argument, while correct, is dangerous advice.

Writers are responsible for clarity. We’re responsible for avoiding ambiguity to the extent possible given constraints of space, limitations of language, and last-minute changes imposed by the copy desk. We’re responsible for marshaling persuasive facts and logic into a narrative framework that guides readers through the complexity of the subject matter.

We aren’t, however, responsible for every reader’s ability to comprehend. Some can’t. Others choose to mischaracterize because they read to gather ammunition, not new ideas.

This matters to you. As an IT leader, communication — listening, informing, and persuading — is a critical skill. Often, you’re informing and persuading non-technical executives of the need for hard-to-explain yet vital investments, such as those required to maintain a healthy IT architecture.

Communicators who spend their time and energy worrying about the ability of others to misunderstand them avoid controversial topics altogether, concerned that the consequences of someone misunderstanding their message are too large to risk. Business being a political environment, it’s a valid concern.

If you allow this concern to outweigh all others, though, you’ll have earned two labels: “craven,” and “politician.”

If you’ll forgive the redundancy.

Comments