All Posts in Policies and Procedures

|In: Office Politics|Last Updated:

Students of corporate behavior, attempting to account for the seemingly incomprehensible level of self-destruction evident everywhere in the business world, often find themselves at a loss. Why, they ask, would a business do something like this, whatever “this” is this time?

The answer is usually easy to find, if you know where to look: Businesses can’t be self-destructive, for the simple reason that businesses aren’t selves. Human beings make the decisions, either individually or in groups.

Some of these individuals and groups make their decisions with the good of the company in mind, even though “The Company” is a fictional beastie that lacks any actual intent, consciousness, or independent reality. Others focus on “shareholder value,” showing an admirable, albeit misguided altruism toward their employer’s legal owners — misguided because their altruism is rarely returned by the shareholders whose interests they hold paramount.

The majority of decision-makers do neither. They base their decisions on exactly the criteria they’re supposed to use in a capitalist society: They look out for their own best interests. Often, their best interests have nothing at all to do with what’s best for the company.

How else to explain the following event:

A character arrives from corporate headquarters. Looking in the mirror, he sees a secret agent looking back. Or maybe he thinks he lives in The Matrix. Hard to tell.

“Why are you here?” the head of security asks him.

“I can’t tell you.”

“What are you planning to do?”

“I can’t tell you that, either.”

“What can you tell us?”

“I need a work space with a network connection, telephone, desk and chair. And please don’t interfere with what I’m doing.”

He’s from the holding company’s headquarters. A quick check confirms he has the authority and the right to ask for this, and so it is done. A few weeks later, he packs up and leaves, having downloaded a number of security intrusion tools used to … keep in mind, this is a true story, not paranoid fiction … break into and damage several production servers, thereby proving, I guess, that the network is vulnerable to someone from headquarters connected inside the firewall, with no oversight or supervision, no responsibilities other than breaking into the network, and the authority to insist on being ignored regardless of his actions.

From a security audit perspective, his behavior is unprofessional on at least two counts. The first, of course, is that he did actual damage instead of simply leaving evidence of his successful entry.

But that’s the lesser example of the complete worthlessness of his efforts. The greater is that he ignored the basics. The test of an organization’s security isn’t whether it can be hacked, let alone whether it can be hacked from inside its firewall. The test … actually, the two tests of any organization’s security are (1) Does the organization’s security policy fit its needs? and (2) Does the organization’s actual security implement its security policy?

Since Mr. Bond never bothered to read the security policy, he’ll never know. All he knows is that it’s possible to penetrate his subsidiary’s firewall from inside the firewall.

An impressive performance.

How does one go about explaining behavior this bizarre? It requires neither a conspiracy theory nor a temporary shortage of Thorazine.

All it requires is an understanding that everyone in every company acts solely in their own best interests. It’s up to the company’s leaders to ensure their best interests line up with those of the company, and that they understand this alignment.

At a guess, HQ’s secret agent saw a possibility of career advantage from showing up the subsidiary’s IT staff. Viewed in this light, his behavior makes perfect sense: By engineering a situation in which he couldn’t fail to successfully intrude, he can claim to have revealed serious security deficiencies. And because he works at corporate headquarters, he figured he could use his superior access to decision-makers to paint any objections to his behavior by the subsidiary’s IT staff as nothing more than a defensive attempt to cover up incompetence.

I’m speculating, but at least this explains this odd event. Viewed from any other perspective, the behavior of this strange visitor from another city would be incomprehensible.

I take that back. There is one other perspective that would explain it.

Maybe he’s just stupid.

Comments

|In: Leadership|Last Updated:

Violence, as last week’s column suggested, is the first refuge of the incompetent. Physical violence is, of course, frowned upon in business, but disciplinary actions of various kinds — close relatives of physical punishment — are all too commonly the first response of business leaders. The obvious, syllogistic conclusion is left as an exercise for the reader.

Disciplinary action is a tool corporations use in a variety of circumstances, from employee performance management to enforcement of policies and procedures, and it’s a necessary one. In the end, some things just can’t be optional. Disciplinary action should, however, be the option of last resort, not the first.

You’re in IT, which among other roles and responsibilities is a purveyor, or at least a collaborator in the purveyance of standards and policies. If they’re truly to be standards and policies you must be willing and able to enforce them.

Now that we’ve agreed on this point, can we also agree that every time IT has to enforce a standard, it’s a failure?

An instinct toward enforcement has three undesirable consequences. One at a time …

First: If your instinct is to enforce, you’ve made yourself responsible for something that should belong to others. If you start the conversation by saying “comply or else,” it means my sole reason for complying is the consequence of failing to do so. That makes it your standard, not mine, and I have no stake in it.

But what’s the point of an IT standard? It’s a choice among alternatives — a decision that of the many different ways of addressing some situation or other, we’ll use only the ones the standard allows.

A standard is, in other words, a decision about how a company will conduct its business, presumably to improve how it conducts its business. If that’s the goal, then IT’s responsibility should be limited to setting standards that have this potential. The responsibility for achieving the desired effect rests with those who make use of the standard. None of them will accept this responsibility if their sole reason for embracing it is the consequence of failing to do so.

That leads to the second consequence: That an enforcement instinct leads to poorly chosen standards. Here’s an easy way to demonstrate this point: Imagine you lack the authority to enforce the standards you set. What can you do instead?

Envision every standard you have to set as a decision delegated to you by those who will have to live with it once you’ve set it. They know the company needs a decision, and while they have the authority to make it, they’ve decided you have sufficient expertise that they’d like your recommendation.

Would thinking about standards this way change how you go about setting them?

It shouldn’t. Your goal is to set standards that make the business more effective. Who is the final authority on that subject? Those who operate the business. Until you’ve explained your proposed standard and they agree it will make the business more effective, all you have is an untested hypothesis.

You sell recommendations on their merits, where enforcement is a demonstration of authority. Which brings up the third reason enforcement should be your last resort rather than your first.

“Because I said so,” is a phrase used by parents when facts and logic prove ineffective at changing a young mind. Parents have to be willing to say this, because it’s their responsibility to add notions like responsibility and morality to creatures who arrive in their care with no ethical imperative beyond “It’s all about me!”

Businesses work best when employees act as adults, taking personal responsibility for the organization’s success. Every time a manager resorts to enforcement, he or she is saying, “Because I told you so,” to an employee, which defines their relationship as an adult interacting with a child.

So think long and hard before you use enforcement as the starting point of any conversation, let alone one about accepting standards you’ve decided to set. It’s a bad idea.

There should, after all, be more to leadership than assigning chores and withholding dessert if they don’t get done.

Comments