“A pessimist is one who feels bad when he feels good for fear he’ll feel worse when he feels better.” — Anonymous
Today, I wanted to take a break from the technical postings I have been doing lately and discuss a splintering that is occurring within organizations that can result in operational roadblocks. With the introduction of different groups, a counterproductive “us” versus “them” attitude may develop. Problems occur when the various groups end up seeing all the problems of the organization as the result of the other groups. For example, at some point we have all encountered those security folks who seem to do nothing but use their position to be obstacles. “No” is their favorite word, and possibly the only word they know. At this point, many developers are probably nodding their heads. Well, folks have also experienced that group of developers who resist working with security with all their ability, claiming that security just hampers development. Does this sound familiar within your organization?
While security may at times cause problems in deploying a service, one has to ask: is that always a bad thing? On Thursday the Guardian reported that the Italian government just published every citizen’s declared taxable income on the Internet. Why would they do this? The finance ministry claimed it was part of a crackdown on tax evasion. The tax minister, Vincenzo Visco, was quoted in Italy’s Corriere della Sera saying: “It’s all about transparency and democracy. I don’t see the problem.” So, what is the problem? First, the government did not have consent to make the information public. Second, it was one of the last acts of Prodi’s centre-left government before it leaves office this week. People have agendas that may not be in the best interest of the organization, or in this case the country. Could the act have been motivated by spite? ADOC, the Italian consumer group, disagrees with Vincenzo Visco, claiming “It’s a clear violation of privacy law.” They go on to point out, “The forms for the tax return do not contain a warning about the publication of data or a specific clause authorising publication, which is a further violation of the same law.” Just because something can be done technologically, does that mean it should be done? Security professionals sometimes need to step up and say, “heck no!” If they are unwilling or unable to make their voices heard, they have failed the organization.
Security can serve many purposes. It can be a time saver, helping to avoid major delays while keeping services running. The United Press ran a story on Saturday titled, “Students accused of hacking into grades.” Key points:
- Four Texas high school students are accused of hacking into school district computers to change the marks of at least 60 pupils, school authorities said.
- The Fort Bend Independent School District has suffered a monetary loss of at least $190,000 because of the incident, which makes it a potential felony, investigators said.
- Court documents reportedly do not give details explaining how investigators calculated the losses.
One is left questioning where the $190,000 loss would come from. Good security procedures include backup procedures along with other steps that may have prevented the changing of the grades. Maybe the Fort Bend Independent School District should take a look at the ISO 27001 security site, which promotes the ISO/IEC 27000-family information security standards. What might be really helpful is the site’s checklist for implementing ISO/IEC standards. Implementing a backup and recovery procedure is on the checklist. The school district would find the site a very good starting point. Following good security practices, at the very least, could have made recovery easier and thus less expensive.
If upon hearing standards and procedures, you started wondering about time overruns, I would point out that in many instances time is saved in the long run. We have all heard people expressing how it is sometimes faster to do things oneself than telling someone how to do something. The same principle applies. Lao Tzu summed it up well when he wrote the famous lines, “Give a man a fish; you have fed him for today. Teach a man to fish; and you have fed him for a lifetime.” One of the greatest lessons a person can learn is that we all have limits. It is part of the human condition. Once you have reached your limit, you have to reach out to the community to come together and work towards a common goal. The Amish have a tradition known as barn raising, where the community comes together to assemble a barn for a newlywed couple or to replace a barn destroyed by wind or fire. In one to two days the community is able to construct what an individual could not hope to build by themselves without great effort and time.
IT Conversations posted a talk given by Anthony Ravitz, Project Coordinator, Real Estate & Workplace Services, Google, Inc., titled, “Google’s Solar Photovoltaic System.” It was very interesting to hear all the innovative thinking that goes on at Google. What I really found fascinating came during the question and answer phase. Anthony was asked about Google’s telecommuting policy. Anthony answered that Google does not have a telecommuting policy. Google feels that it is essential that their employees are able to come together and exchange ideas. This is currently done by the old-fashioned method of coming into work and talking to your coworkers. This amazed me to hear, but the justification was not surprising. Michael Santarcangelo, founder and Chief Security Catalyst, did a podcast titled “Why Virtual Teams Fail (and how to avoid it)” which explored why virtual teams fail, based on research from a group of graduate students at Johns Hopkins Carey School of Business. To quote from the podcast, virtual teams were threatened by:
- Concerns regarding the ability to protect sensitive information
- Lack of a single platform that provides all the tools necessary to optimize
- The struggles of virtual communication
- Poorly or under-trained users
- The challenge of building trust without the use of face-to-face communication
While a whole posting, or podcast, could be done discussing each of these challenges, the bottom line is that these challenges end up impacting workers’ abilities to come together as a team. Eliezer Yudkowsky posted “The Robbers Cave Experiment” where he discussed the book “Intergroup Conflict and Cooperation: The Robbers Cave Experiment” by Sherif, Harvey, White, Hood, and Sherif (1954/1961). It is a fascinating study involving 22 boys between 5th and 6th grade, selected from 22 different schools in Oklahoma City. The boys came from stable middle-class Protestant families, and they were doing well in school with a median IQ of 112. The boys were as well-adjusted and as similar to each other as the researchers could manage. The purpose of the study was to investigate the causes, and possible remedies, of intergroup conflict. The 22 boys were divided into two groups of 11 campers. To quote Eliezer:
In Stage 1, each group of campers would settle in, unaware of the other group’s existence. Toward the end of Stage 1, the groups would gradually be made aware of each other. In Stage 2, a set of contests and prize competitions would set the two groups at odds.
They needn’t have bothered with Stage 2. There was hostility almost from the moment each group became aware of the other group’s existence: They were using our campground, our baseball diamond. On their first meeting, the two groups began hurling insults. They named themselves the Rattlers and the Eagles (they hadn’t needed names when they were the only group on the campground).
Eliezer goes on to report:
Each group developed a negative stereotype of Them and a contrasting positive stereotype of Us. The Rattlers swore heavily. The Eagles, after winning one game, concluded that the Eagles had won because of their prayers and the Rattlers had lost because they used cuss-words all the time. The Eagles decided to stop using cuss-words themselves. They also concluded that since the Rattlers swore all the time, it would be wiser not to talk to them. The Eagles developed an image of themselves as proper-and-moral; the Rattlers developed an image of themselves as rough-and-tough.
I have sometimes wondered if managers and top-level executives might be carrying out their own version of this experiment. Security professionals need to work together with everyone within an organization. As in the Robbers Cave Experiment, groups within an organization can choose to view others with suspicion, and blame all their problems on Them. In so doing, they reinforce their own mistaken opinions to the detriment of the organization.
One can see this reinforcement occurring, for example, when one encounters security folks who act like roadblocks. Those employees will find people going around them in order to implement services. Those services will not be implemented in a secure manner. When those services get compromised, the security folks may point to how developers are cowboys and conclude that developers are the biggest security risk to an organization. Developers might leave security folks out of the planning and developing phases, only bringing them in at the tail end the day before the service is to go into production. Security will likely find so many problems that they will cry out, “You can’t put that into production!” The developers will sigh and say, “You see, another case of how security drags us down.” Policy people may leave everyone out when writing policy, resulting in them operating in their own separate world where the rest of the organization ignores policy. When an incident occurs, policy folks will say, “Not our fault. We wrote the policy but no one followed it.” Technical folks will say, “Not our fault. We were not aware of that policy. Even if we were aware, the policies were bureaucratic obstacles we had to bypass to get our job done. Besides, there is no way to implement the policies without a huge budget increase.” The finance folks will say, “There is no way the business can afford putting all that money into IT. We need more controls, metrics, etc. so we can see a return on investment.” Round and round it goes.
Segmentation and division seem almost built into an organization. As groups divide, drawing distinctions between “us” and “them,” there is another interesting aspect at play. People bring to life their own impression of the world. Christine Carter, Ph.D. and the executive director of the Greater Good Science Center at UC Berkeley, wrote in her posting “Raising Optimistic Kids”:
There are three basic dimensions to an explanation: permanence, pervasiveness, and personalization. The OPTIMISTIC way of understanding why something GOOD happened would explain:
The cause of what just happened as Permanent (so it will reoccur);
And Pervasive (it will affect many other circumstances, too);
And Personal (I made it happen).
On the other hand, the PESSIMISTIC way of explaining why something GOOD just happened would illustrate that:
The cause of what just happened is Temporary (something short-lived caused it – probably won’t happen again);
And Specific (affecting only this situation);
And Impersonal (I didn’t have anything to do with what happened, other people or the circumstances did).
The reverse is also true when something bad happens. A kid trips on the sidewalk and skins her knee, dirtying her new dress. The pessimist thinks: “I’m so clumsy – I’m always tripping everywhere, and now I look stupid.” The cause of her fall is (1) permanent—she sees it as a personality trait, and therefore it is both (2) pervasive and (3) personal. On the other hand, the optimist thinks: “Dang! Someone oughtta fix that crack in the sidewalk!” She’s thinking that a flaw in the sidewalk, not her own inherent clumsiness, caused her to trip. That crack is (1) temporary; (2) specific to that moment; and (3) impersonal—she had nothing to do with it.
It is important for employees to have those optimistic qualities, mainly that sense of personal responsibility and connection to others. Communication is also key in that it is the counterbalance breaking down the divisions that people build up. In the Robbers Cave Experiment, the researchers attempted to reduce conflict by having the groups attend pleasant events together. It did not work. For example, shooting off Fourth of July fireworks developed into a food fight. How many times does an organization try to bring together members of their company by having them attend a dinner or some common event? While I have never seen a food fight develop, I have not seen much team spirit develop either at a company’s awards dinner. In the study, only after having the boys band together in common tasks requiring cooperation from both groups (for example, dealing with a water shortage, restarting a stalled truck, etc.) did both groups start coming together. By the end of the trip, one group used the $5 won in a bean-toss contest to buy malts for all the boys in both groups.
Don C. Weber writes a very interesting post, “Organized Security,” which addresses the point that open communication is essential to an organization’s operations. Don writes:
Let’s face it though, when we start talking about security within our different organizations the majority of what we want is for our organizations to follow good business practices. Companies who have a firm grasp on how their technology operates and have a process for change through open communications are much more secure than the companies that buy security products to act as stop gaps and try to prove or give the illusion of compliance.
As work becomes more specialized, people’s knowledge also becomes specialized. Companies are reorganizing their workforce. Policy folks are being split from the technical people. Network, system administrators, developers, and security people might be split into separate groups. Workforces are being split between different locations. What are the unifying goals bringing members together? Organizations need to define this or they are doomed to multiple problems between the groups resulting in those goals never being achieved.
Diana Henry Scott, one of my favorite PMP-certified Project Manager podcasters, had two shows a while back with Cheryl Mann, President and founder of Goals Insight, Inc. The shows were titled, “Building Effective Teams Part 1” and “Building Effective Teams Part 2”. Communication and working as a team are key. A foundation on how to operate based on good secure business practices must be established and communicated to each employee. Not in a “Thou shalt” manner, but in a way where everyone knows how they are contributing to the operational success of the organization. It is all about establishing a community. Lao Tzu provided these wise words, “Go to the people. Live with them. Learn from them. Love them. Start with what they know. Build with what they have. But with the best leaders, when the work is done, the task accomplished, the people will say ‘We have done this ourselves.’”