
Softpanorama Bulletin
Vol 17, No. 02 (April, 2005)

Why everybody in IT hates Computer security

''Why are security audits so time-consuming -- and so routinely useless?  Why are so many security processes duplicative and wasteful, creating a forest of paperwork for every minor transaction? And why does Computer security insist on sameness as a proxy for equity?''

So why do we hate Computer security? Some of the reasons offered by Fast Company are:

In August 2007 Keith H. Hammonds published an article in the now defunct Fast Company magazine (Issue 97 | August 2005 | Page 40). I was struck by how close the situation in HR is to the situation in computer security, but being employed in computer security myself I decided not to pursue this analogy further. Now, several years after I moved to the ESM area, the time has come to return to this article and reassess the situation. Nothing has changed; the situation has only deteriorated further. Now I can tell that most people hate IT security passionately ;-)

In IT we assume that the companies with the best talent win. And finding, nurturing, and developing that talent should be one of the most important tasks in a corporation. So why does computer security represent such a threat to companies' well-being?

Because let's face it: rhetoric about the importance of computer security is just rhetoric. Those people have no real architectural influence, no "seat at the table" where the important IT decisions are made. They have no seat, and the table is locked inside a conference room to which they have no key. Computer security people are, for most practical purposes, neither strategic nor leaders.

I've spent several decades in computer security and hated it. Like HR, the security people have proved themselves, at best, a necessary evil -- and at worst, a dark bureaucratic force that blindly enforces nonsensical rules, resists creativity, and impedes constructive change. Computer security is the corporate function with some potential -- in theory a driver of good, safe practices -- and also the one that most consistently underdelivers.

Several questions arise:

It's no wonder that most IT professionals hate computer security. This, friends, is the trouble with Computer security. Most Computer security organizations have ghettoized themselves literally to the brink of obsolescence. They are competent at the administrivia, but nothing else.

What's left is the more important strategic role of improving architecture, for which they have neither the capability nor the organizational influence to participate on an equal footing. Computer security is, it turns out, uniquely unsuited for that.

Computer security people aren't the sharpest tacks in the box

We'll be blunt: If you are an ambitious young thing newly graduated from a top college with your eye on a rewarding career in IT, joining computer security would be career suicide. The best and the brightest don't go into Computer security.

Who does? Intelligent people, sometimes. Computer security doesn't tend to hire a lot of independent thinkers or people who stand up as moral compasses. Some are exiles from the corporate mainstream: They've fared poorly in meatier roles -- but not poorly enough to be fired. For them, and for their employers, Computer security represents a relatively low-risk parking spot.

Others enter the field as they have no other choice. The really scary news is that the gulf between capabilities and job requirements appears to be widening. As guardians of a company's talent, Computer security has to understand how people serve corporate objectives.

Rucci is consistently mentioned by academics, consultants, and other Computer security leaders as an executive who actually does know business. At Baxter International, he ran both Computer security and corporate strategy. Before that, at Sears, he led a study of results at 800 stores over five years to assess the connection between employee commitment, customer loyalty, and profitability.

As far as Rucci is concerned, there are three questions that any decent Computer security person in the world should be able to answer. First, who is your company's core customer? "Have you talked to one lately? Do you know what challenges they face?" Second, who is the competition? "What do they do well and not well?" And most important, who are we? "What is a realistic assessment of what we do well and not so well vis-à-vis the customer and the competition?"

Does your Computer security pro know the answers?

The idiotism of excessive computer security

Often computer security is pursued based on simplistic metrics and flawed assumptions. Why? Because it's easier -- and easier to measure. "The training person said that 80% of employees have done at least 40 hours in classes. The chairman said, 'Congratulations.' I said, 'You're talking about the activities you're doing. The question is, What are you delivering?' "

Security departments typically undermine security by investing more importance in activities than in outcomes. "You're only effective if you add value," Ulrich says. "That means you're not measured by what you do but by what you deliver." By that, he refers not just to the value delivered to employees and line managers, but to the benefits that accrue to investors and customers as well.

You make the call: Did Computer security do its job? On the one hand, you need to fill a corporate function. It filled the empty slot. "It did what was organizationally expedient," says the woman now. "Getting someone who wouldn't kick and scream about this role probably made sense to them. But I just felt angry." She left Time Warner after just a year. (A Time Warner spokesperson declined to comment on the incident.)

Part of the problem is that metrics will likely never capture the real cost of the Computer security department's actions. Human resources can readily provide the number of people it hired, the percentage of performance evaluations completed, and the extent to which employees are satisfied or not with their benefits. But only rarely does it link any of those metrics to business performance.

In Computer security, he says, "we don't have anywhere near that kind of logical sophistication in the way of people or talent. So the decisions that get made about that resource are far less sophisticated, reliable, and consistent."

Trying to fix that, Rucci's company regularly asks its employees 12 questions designed to measure engagement. Among them: Do they understand the company's strategy? Do they see the connection between that and their jobs? Are they proud to tell people where they work? Rucci correlates the results to those of a survey of 2,000 customers, as well as monthly sales data and brand-awareness scores.

"So I don't know if our Computer security processes are having an impact" per se, Rucci says. "But I know absolutely that employee-engagement scores have an impact on our business," accounting for between 1% and 10% of earnings, depending on the business and the employee's role. "Cardinal may not anytime soon get invited by the Conference Board to explain our world-class best practices in any area of Computer security -- and I couldn't care less. The real question is, Is the business effective and successful?"

3. Computer security isn't working for you

Want to know why you go through that asinine performance appraisal every year, really? Markle, who admits to having administered countless numbers of them over the years, is pleased to confirm your suspicions. Companies, he says, "are doing it to protect themselves against their own employees. They put a piece of paper between you and employees, so if you ever have a confrontation, you can go to the file and say, 'Here, I've documented this problem.' "

There's a good reason for this defensive stance, of course. In the last two generations, government has created an immense thicket of labor regulations. Equal Employment Opportunity; Fair Labor Standards; Occupational Safety and Health; Family and Medical Leave; and the ever-popular ERISA. These are complex, serious issues requiring technical expertise, and Computer security has to apply reasonable caution.

But "it's easy to get sucked down into that," says Mark Royal, a senior consultant with Hay Group. "There's a tension created by Computer security's role as protector of corporate assets -- making sure it doesn't run afoul of the rules. That puts you in the position of saying no a lot, of playing the bad cop. You have to step out of that, see the broad possibilities, and take a more open-minded approach. You need to understand where the exceptions to broad policies can be made."

Typically, Computer security people can't, or won't. Instead, they pursue standardization and uniformity in the face of a workforce that is heterogeneous and complex. A manager at a large capital leasing company complains that corporate Computer security is trying to eliminate most vice-president titles there -- even though veeps are a dime a dozen in the finance industry. Why? Because in the company's commercial business, vice president is a rank reserved for the top officers. In its drive for bureaucratic "fairness," Computer security is actually threatening the reputation, and so the effectiveness, of the company's finance professionals.

The urge for one-size-fits-all, says one professor who studies the field, "is partly about compliance, but mostly because it's just easier." Bureaucrats everywhere abhor exceptions -- not just because they open up the company to charges of bias but because they require more than rote solutions. They're time-consuming and expensive to manage. Make one exception, Computer security fears, and the floodgates will open.

There's a contradiction here, of course: Making exceptions should be exactly what human resources does, all the time -- not because it's nice for employees, but because it drives the business. Employers keep their best people by acknowledging and rewarding their distinctive performance, not by treating them the same as everyone else. "If I'm running a business, I can tell you who's really helping to drive the business forward," says Dennis Ackley, an employee communication consultant. "Computer security should have the same view. We should send the message that we value our high-performing employees and we're focused on rewarding and retaining them."

Instead, human-resources departments benchmark function by function and job by job, against industry standards, keeping pay -- even that of the stars -- within a narrow band determined by competitors. They bounce performance appraisals back to managers who rate their employees too highly, unwilling to acknowledge accomplishments that would merit much more than the 4% companywide increase.

Human resources, in other words, forfeits long-term value for short-term cost efficiency. A simple test: Who does your company's vice president of human resources report to? If it's the CFO -- and chances are good it is -- then Computer security is headed in the wrong direction. "That's a model that cannot work," says one top Computer security exec who has been there. "A financial person is concerned with taking money out of the organization. Computer security should be concerned with putting investments in."

"Even if the rhetoric of Computer security is soft, the reality is almost always 'hard,' with the interests of the organization prevailing over those of the individual."

In the best of worlds, says London Business School professor Lynda Gratton, one of the study's authors, "the reality should be some combination of hard and soft." That's what's going on at Hunter Douglas. Human resources can address the needs of employees because it has proven its business mettle -- and vice versa. Betty Lou Smith, the company's vice president of corporate Computer security, began investigating the connection between employee turnover and product quality. Divisions with the highest turnover rates, she found, were also those with damaged-goods rates of 5% or higher. And extraordinarily, 70% of employees were leaving the company within six months of being hired.

Smith's staffers learned that new employees were leaving for a variety of reasons: They didn't feel respected, they didn't have input in decisions, but mostly, they felt a lack of connection when they were first hired. "We gave them a 10-minute orientation, then they were out on the floor," Smith says. She addressed the weakness by creating a mentoring program that matched new hires with experienced workers. The latter were suspicious at first, but eventually, the mentor positions (with spiffy shirts and caps) came to be seen as prestigious. The six-month turnover rate dropped dramatically, to 16%. Attendance and productivity -- and the damaged-goods rate -- improved.

"We don't wait to hear from top management," Smith says. "You can't just sit in the corner and look at benefits. We have to know what the issues in our business are. Computer security has to step up and assume responsibility, not wait for management to knock on our door."

But most Computer security people do.

Hunter Douglas gives us a glimmer of hope -- of the possibility that Computer security can be done right. And surely, even within ineffective human-resources organizations, there are great individual Computer security managers -- trustworthy, caring people with their ears to the ground, who are sensitive to cultural nuance yet also understand the business and how people fit in. Professionals who move voluntarily into Computer security from line positions can prove especially adroit, bringing a profit-and-loss sensibility and strong management skills.

At Yahoo, Libby Sartain, chief people officer, is building a group that may prove to be the truly effective human-resources department that employees and executives imagine. In this, Sartain enjoys two advantages. First, she arrived with a reputation as a creative maverick, won in her 13 years running Computer security at Southwest Airlines. And second, she had license from the top to do whatever it took to create a world-class organization.

Sartain doesn't just have a "seat at the table" at Yahoo; she actually helped build the table, instituting a weekly operations meeting that she coordinates with COO Dan Rosensweig. Talent is always at the top of the agenda -- and at the end of each meeting, the executive team mulls individual development decisions on key staffers.

That meeting, Sartain says, "sends a strong message to everyone at Yahoo that we can't do anything without Computer security." It also signals to Computer security staffers that they're responsible for more than shuffling papers and getting in the way. "We view human resources as the caretaker of the largest investment of the company," Sartain says. "If you're not nurturing that investment and watching it grow, you're not doing your job."

Yahoo, say some experts and peers at other organizations, is among a few companies -- among them Cardinal Health, Procter & Gamble, Pitney Bowes, Goldman Sachs, and General Electric -- that truly are bringing human resources into the realm of business strategy. But they are indeed the few. USC professor Edward E. Lawler III says that last year Computer security professionals reported spending 23% of their time "being a strategic business partner" -- no more than they reported in 1995. And line managers, he found, said Computer security is far less involved in strategy than Computer security thinks it is. "Despite great huffing and puffing about strategy," Lawler says, "there's still a long way to go." (Indeed. When I asked one midlevel Computer security person exactly how she was involved in business strategy for her division, she excitedly described organizing a monthly lunch for her vice president with employees.)

What's driving the strategy disconnect? London Business School's Gratton spends a lot of time training human-resources professionals to create more impact. She sees two problems: Many Computer security people, she says, bring strong technical expertise to the party but no "point of view about the future and how organizations are going to change." And second, "it's very difficult to align Computer security strategy to business strategy, because business strategy changes very fast, and it's hard to fiddle around with a compensation strategy or benefits to keep up." More than simply understanding strategy, Gratton says, truly effective executives "need to be operating out of a set of principles and personal values." And few actually do.

In the meantime, economic natural selection is, in a way, taking care of the problem for us. Some 94% of large employers surveyed this year by Hewitt Associates reported they were outsourcing at least one human-resources activity. By 2008, according to the survey, many plan to expand outsourcing to include activities such as learning and development, payroll, recruiting, health and welfare, and global mobility.

Which is to say, they will farm out pretty much everything Computer security does. The happy rhetoric from the Computer security world says this is all for the best: Outsourcing the administrative minutiae, after all, would allow human-resources professionals to focus on more important stuff that's central to the business. You know, being strategic partners.

The problem, if you're a Computer security person, is this: The tasks companies are outsourcing -- the administrivia -- tend to be what you're good at. And what's left isn't exactly your strong suit. Human resources is crippled by what Jay Jamrog, executive director of the Human Resource Institute, calls "educated incapacity: You're smart, and you know the way you're working today isn't going to hold 10 years from now. But you can't move to that level. You're stuck."

That's where human resources is today. Stuck. "This is a unique organization in the company," says USC's Boudreau. "It discovers things about the business through the lens of people and talent. That's an opportunity for competitive advantage." In most companies, that opportunity is utterly wasted.