Responsibility Challenged
One of the things that I don’t understand is how people can justify not taking responsibility for their actions or the people who work for them. Here is an excerpt of a conversation I had at my job the other day. The story behind the lead-up to this conversation is the beginning of an initiative to locate and identify the necessity for social security numbers distributed throughout the organization. The leader of the organization (let’s call him the CEO) had sent a list, to all employees, of things that were going to be done to help control sensitive information. Following this email I sent out a form employees needed to sign saying that they understood their responsibilities related to sensitive information, a permission form to identify storage areas containing this information, and a list of software that could be used to locate, store, and remove this information. This initiative was in response to the first item on the CEO’s list.
This is not verbatim. I am recreating the conversation from memory.
Department IT Person: Why didn’t this initiative come from the CEO?
Cutaway: Well, it did, this was the first item on the list he sent out.
Department IT Person: Yes, but what you sent didn’t have his name on it. This came from your office. It didn’t come from the CEO.
Cutaway: Yes, he stated it would be coming from IT which I am a part of.
Department IT Person: I know, but it didn’t come from his email address.
Cutaway: Yes, but I began the email with his name and I pointed to the original list.
Department IT Person: But it didn’t come from his office. How do you expect me to get anybody to want to do this?
Cutaway: That is not my problem. This is an organization wide initiative. You are responsible for implementing it within your department.
Department IT Person: But it didn’t come from the CEO.
Cutaway: Your perception is not my problem.
Department IT Person: But don’t you think it would be more effective if it came from him directly?
Cutaway: This is how we have decided to respond to his first item. He cannot be expected to do everything. This is me doing my job. I cannot help how you perceive my office or respond to this initiative. But this is how the organization is moving forward with protecting sensitive information.
Department IT Person: Well, what are the consequences if somebody doesn’t do this? You don’t list any consequences.
Cutaway: The consequences are spelled out in the organization policy.
Department IT Person: Yes, but you don’t state it on any of this documentation.
Cutaway: The consequences are already spelled out in the policy. We don’t like to reprint them to avoid contradictory statements.
Department IT Person: So, what are the consequences?
Cutaway: They are spelled out in the policy.
Department IT Person: What are they?
Cutaway: Well, I guess ultimately you can get fired.
Department IT Person: So, if somebody doesn’t sign the document they will immediately be fired?
Cutaway: No.
Department IT Person: I don’t understand.
Cutaway: Well, if somebody doesn’t sign the document then they will be forbidden from interacting with sensitive information and possibly any information resources. This could potentially mean that they cannot do their job. What would your department do with a person who could not perform their duties?
Department IT Person: *does not respond*
Cutaway: Well, I imagine that you would fire the person.
Department IT Person: So, who is responsible for implementing the consequences?
Cutaway: Your department.
Department IT Person: My department?
Cutaway: Yes, your management is responsible for managing itself.
Department IT Person: I don’t understand.
*At this point I could only think of one thing to say.*
Cutaway: I’m sorry, that is not my problem.
Was that the best way to leave this conversation? Probably not. But I was getting a little frustrated. It was obvious that this person just did not want to accept the fact that their department was going to be held accountable for managing their information or personnel. This is a very common perspective in the university environment that I find hard to understand because of my military background. I would expect a different attitude, especially with all of the universities that make the news due to information disclosure.
Fortunately for me the organization I work for has recently experienced an information disclosure so the majority of the personnel are extremely receptive and grateful that control and responsibility requirements are being implemented. I am actually very impressed that this has been the only push back that I have received thus far in association with this initiative.
What is the lesson to be learned from this conversation? Well, some people are just not going to understand or want to understand. The old way of doing things is, to them, the best way of doing things. Security professionals need to understand this when they are contemplating their responses. At the same time, I don’t think that people should be coddled. Most people respect straightforward and consistent responses. That is what I was actually trying to accomplish here. I pointed out the history of the event. I pointed out that individuals and departments are responsible for accepting responsibility. And I didn’t back-pedal when confronted on the issue. I didn’t make my statements in a confrontational or uncaring way. I maintained my tact throughout the conversation. One thing I could have done is try to end the conversation on a more positive point. I could have complimented the person on having the conversation and being open to new ideas and initiatives.
Go forth and do good things,
Cutaway
responsibility, ESI, Security Ripcord
August 20th, 2007 at 3:08 am
At my university, the shortcoming largely lies in the lack of president-level initiative. Lacking that, there is no one with organization-wide authority to do anything with IT, including security. In fact, many campuses, colleges and deans guard their computing turf very jealously, with the (not entirely unjustified) assumption that if they don’t, they will lose significant budget and control over technology decisions and they would have to live with what some central organization decides to give them, rather than what they need. Regardless, the security situation can be extremely frustrating as a result of this.