April 18, 2005


I love getting email directives about how I'm supposed to accept the incoming flood of action requests, pointless training time, wasted effort, disruption of routine and the like that Sarbanes-Oxley brings. I especially love it when they tell me that my role (and my best means of Helping The Company) is "not to question the measures or challenge their validity." It's a capper when said emails are finished off with platitudes about how some people in higher authority (not necessarily those who wrote the email) know that I will do my best!

Allow me to offer one small piece of unlooked-for and highly-discouraged feedback: Never, ever tell an obstreperous Opgeek that his role is not to challenge or question something. Ever. Period. This is the surest way in all creation to spark the maximum prepared resistance to anything, be it the most benign and benevolent of measures; I know of Ops who will cheerfully start laying in siege plans to protest the addition of better snacks to their vending machines and the lowering of prices on said goodies if they are told not to challenge or question.

I mean, come on. It's our job to challenge and question. If we didn't do that, all you people Yertle-ing up at the higher end of the food chain wouldn't have services. You wouldn't have your useless fucking Siebel applications. You wouldn't have your immensely resource-intensive communications applications which need incessant care and feeding. Because, bluntly, if we followed the directives that flow from upstream about how to do the technical side of our jobs without questioning and challenging, you might as well give control of the datacenters to the sales organization - and we'll see how long we all last.

Note: I'm not talking about a particular company or organization here. I'm talking in general. This is one of those situations that comes up time and time again - someone at a higher level is involved in a piece of policy whose ramifications come down to the operations level inside the data center, and signs off on it. They do so either knowingly, in ignorance of the situation, or (frequently, to be fair) under duress. Then, these wonderful little missives get sent out. Never mind that the last fifty-seven pieces of useless corporate rah-rah speak from the Publicity Machine were all about how our New Corporate Culture is All About Pushing The Envelope and how we Question Everything In Order To Get Ahead or how we Challenge Boundaries Every Day. Nope, now, this time, don't question or challenge, just shut up and soldier.

Again, this is a generalization.

However, it's one I keep seeing. It's a behavior pattern that kills performance inside bottom-level teams where work gets done, and nothing ever changes. Let me give you one concrete example from the current bit of fuckery: Sarbanes-Oxley. This is shorthand for a whole series of controls and behavioral regulations on corporate organizations, only the smallest part of which (incidentally) deals with internal IT controls and systems, and then only indirectly. However, it is like a magic touchstone which gets pulled out whenever Security Policy du Jour is being floated, AFAICT. Hey! Let's make every user change their password on a strict, short rotating schedule, and require strong password characteristics! This is the kind of thing that sounds great on paper. And it's required for access controls to financial data by the Sarbanes-Oxley types!

What apparently didn't get through to the proposers of said measure (although in that case, I happen to know the group in question DID question and challenge) is that there are people who don't access financial data, and who only use the systems protected by those passwords (corporate LAN, which includes VPN access and other Ways In To Things) intermittently at best because their job doesn't require it. This means that they don't use that password regularly. Now, their sudden fast password churn on that particular access control, coupled with requirements for 'strong passwords' (heh) means that they are guaranteed to never be able to remember it when they do need it. So what do they do?

The obvious thing. They write it down on a sticky note and put it on their workstation. They don't think much about it because they only use that password to get to the corporate phone directory, which can't be that secret, right? They don't even think about what else it could be used to access - and, truthfully, that's not their job. It's the job of the people who implemented the policy - and the job of the people who proposed it.
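The failure mode described above (a rotation period shorter than the interval at which an infrequent user actually needs the password) can be measured before a policy ships rather than discovered via sticky notes afterwards. The following is an added example, not code from the original post: it takes a constructed map of usernames to login dates, works out each account's typical gap between logins, and flags the accounts whose gap exceeds the proposed rotation period, which are exactly the users who will find their password expired the next time they need it. The usernames and dates are invented for illustration.

```python
from datetime import date, timedelta
from statistics import median

# Constructed sample data (not from any real directory): username -> login dates
# observed over roughly a six-month window.
SAMPLE_LOGINS = {
    # Weekly user: logs in every 7 days from early January.
    "finance-analyst": [date(2005, 1, 3) + timedelta(days=7 * k) for k in range(26)],
    # Intermittent user: roughly every 80 days.
    "field-engineer": [date(2005, 1, 10), date(2005, 4, 2), date(2005, 6, 20)],
    # Rare user: one gap of 105 days.
    "warehouse-lead": [date(2005, 2, 14), date(2005, 5, 30)],
    # Seen only once in the window.
    "contractor-intermittent": [date(2005, 3, 1)],
}


def typical_gap_days(logins):
    """Median number of days between consecutive logins, or None if there
    are fewer than two logins to compare."""
    if len(logins) < 2:
        return None
    ordered = sorted(logins)
    gaps = [(later - earlier).days for earlier, later in zip(ordered, ordered[1:])]
    return median(gaps)


def will_expire_between_uses(logins, rotation_days):
    """True when the account's usual login gap is longer than the rotation
    period, meaning the password will normally have expired by the time the
    user next needs it. Accounts with a single login in the window are
    treated as affected, since nothing suggests they use it regularly."""
    gap = typical_gap_days(logins)
    if gap is None:
        return True
    return gap > rotation_days


def affected_accounts(login_map, rotation_days):
    """Sorted usernames whose login cadence collides with the rotation period."""
    return sorted(
        user for user, logins in login_map.items()
        if will_expire_between_uses(logins, rotation_days)
    )


def affected_fraction(login_map, rotation_days):
    """Share of the population that the rotation period would trip up."""
    if not login_map:
        return 0.0
    return len(affected_accounts(login_map, rotation_days)) / len(login_map)


if __name__ == "__main__":
    for period in (30, 60, 90):
        hit = affected_accounts(SAMPLE_LOGINS, period)
        print(f"{period:3d}-day rotation: {len(hit)} of {len(SAMPLE_LOGINS)} accounts affected: {hit}")
```

Running the analysis for a few candidate rotation periods makes the trade-off concrete: a period that is comfortable for the weekly finance user still catches every infrequent user in the sample, and those are the accounts whose password is most likely to end up on a sticky note. The function deliberately errs on the side of flagging accounts with too little history, since a policy reviewer would rather look at an account needlessly than miss one.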

There's the kicker. Usually, it's not so much the internal types who do this. It's some expensive 'Sarbanes-Oxley Auditor' (an outside firm) who 'recommends' the changes. Everyone nods. Then no one questions. Or challenges.

I'm not claiming I know more about access control policy, or internal security policy, or in fact anything regarding the substantive issues, than those higher up the chain than me or their auditors. However, I am claiming expertise when it comes to the typical response pattern of those who work in my position. Regardless of how 'correct' the action items on S-O compliance are, couching them inside 'DO NOT CHALLENGE OR QUESTION' emails (before, in fact, a single email had been dispatched doing that, I should add) is somewhat akin to walking up to a group of bored lions while wearing a suit constructed entirely of top sirloin and shouting at them (in Lionspeak) "Do not in any way get any ideas about the steak sauce I am carrying in my briefcase."

Posted by jbz at April 18, 2005 2:47 AM
