People that hold power over us are frightening, even if they’ve never misused their power to harm us. Business Technology’s resident U.S. blogger Keil Hubert argues that the threat of misconduct has to be addressed publicly in the workplace, just like it does in society at large.
On 19th April of this year, 25-year-old Baltimore, Maryland native Freddie Gray died in police custody. It hasn’t been made clear yet what exactly led to Freddie Gray’s spinal cord being severed; the most likely cause of his injuries, per many years of documented police misconduct in Baltimore, is a form of illegal abuse of power inflicted on prisoners called a ‘rough ride’. As Manny Fernandez summarized it in the New York Times on 30th April:
‘In Baltimore, they call it a “rough ride”. In Philadelphia, they had another name for it that hints at the age of the practice — a “nickel ride”, a reference to old-time amusement park rides that cost five cents. Other cities called them joy rides.
‘The slang terms mask a dark tradition of police misconduct in which suspects, seated or lying face down and in handcuffs in the back of a police wagon, are jolted and battered by an intentionally rough and bumpy ride that can do as much damage as a police baton without an officer having to administer a blow.’ 
It should be obvious that such misconduct on the part of an instrument of government is both illegal and utterly abhorrent to citizens everywhere. The police already possess immense power to deprive private citizens of their freedom, their property, their dignity, and their lives without being subject to the same scrutiny and consequences that normal citizens would face for committing the very same illegal acts. Most people find this misconduct appalling, but too abstract to warrant taking some sort of action to correct it; when such misconduct directly touches a community, though, the community typically erupts in outrage over what had just happened… and out of fear that nothing will be done to stop the exact same misconduct from happening in their community again.
There are, to be sure, some unhinged loons who possess so nebulous a grasp on these police misconduct situations that they completely mischaracterize what societal forces had led to such horrific acts and what should have been done in response to it. Most people in the USA expressed outrage that such a thing could happen, and demanded action from the government. On 8th May, the U.S. Department of Justice placed three different civil rights probes of the Baltimore Police Department under federal control. While the outcome of the Gray case won’t be known for many months, the increased scrutiny into the arresting officers’ conduct raises hopes that justice will eventually be done – and that other officers will think twice before giving anyone else a ‘rough ride’.
This makes sense. As a general rule, the less likely it is that something bad will happen to you, specifically, the less likely that you are to take the threat seriously. Conversely, the more likely it is that you will be directly affected by such misconduct, the more you tend to fear it. That, in turn, is why corporate users tend to fear, mistrust, and hate their IT departments, and (by extension) those of us who work in them. The only way to minimize that fear is to show that those IT staffers that abuse their power are swiftly and comprehensively caught and punished.
I apologize for the abruptness of that shift, but the lack of a graceful segue does not in any way invalidate the truth of the assertion: if you work in IT, then you should know that your users have very plausible, very reasonable, and very compelling reasons to fear and even to hate you. Not necessarily for what you have done, but for what you can do to them… at any time… often without any repercussions.
Does that come as a surprise? Let’s look at the threat of IT staff misconduct through the same sort of societal lens that we use to look at the threat of police misconduct:
A Police Constable can deprive you of your freedom by detaining you and by taking you to jail. A systems and networks tech can suspend or delete your network accounts, thereby cutting you off from some or all critical information systems – isolating you from work products, official communications, HR and payroll services, and even your co-workers. A voice systems tech can disable your ability to use your office telephones, your long distance access code, and your company mobile phone – thereby cutting off your ability to communicate with anyone that you can’t hit with a thrown rock. In both cases, being unable to do your work (because you’re languishing in jail, or because you’re cut off from the network) can be grounds to terminate your employment.
A Police Constable can seize your personal property and doesn’t necessarily have to give it back. Likewise, an IT administrator can take away your work PC, tablet, mobile phone, and accessories any time that he or she feels like it, on the grounds that they need ‘repairs’ or replacement. Further, if your company has strict rules about bringing personal tech into the workplace, an IT worker can seize your personally-owned notebook, tablet, phone, and/or storage devices. They might be held indefinitely, or they might be destroyed. If you had critical files on a device and you didn’t back them up, you might wind up losing your critical files forever.
A Police Constable can destroy your reputation by alleging in public (via a warrant, by discussing the charges with third parties, or by making public statements) that you were suspected of having engaged in an embarrassing activity, anything from drunk driving to depraved sexual practices. A PC doesn’t even have to arrest you for the alleged crime for his or her statements to destroy your reputation.
An IT admin, meanwhile, can search your e-mail account, network shares, and PC hard drives for embarrassing content. Anything you ever wrote or said might be used against you, from a flirty IM chat to a raunchy cartoon. Moreover, the IT department can destroy your professional reputation – both in your current company, and in the eyes of any potential future employer – by alleging that you were investigated for involvement with a repulsive non-work activity, like paedophilia image sharing. The malicious IT tech doesn’t have to actually get management to discipline you for such misconduct for the public statements to obliterate your reputation. Once the rumour is spread, it will likely follow you for years.
The only real difference between the two occupations is that a Police Constable can murder you, while your average IT manager cannot. Still, that one point of difference is small comfort to a worker whose ability to earn a living was unjustly ruined by a jealous or malicious IT staffer. Damage is damage, and the special rights afforded to IT staff for the performance of their assigned tasks are just as deadly to a worker’s ability to earn a living as a PC’s badge can be – when misused.
There’s an additional facet to this problem, and it occurs in both professions. Even though the vast majority of both law enforcement professionals and IT professionals are conscientious, trustworthy, disciplined, and wholly above reproach, there are always going to be some vile exceptions. Whether it comes from a gun on one’s hip, or from a root-level account and password, the tools unique to each trade represent the bearer’s awesome power over others… and as Lord Acton said:
‘Power tends to corrupt and absolute power corrupts absolutely. Great men are almost always bad men, even when they exercise influence and not authority: still more when you superadd the tendency or the certainty of corruption by authority. There is no worse heresy than that the office sanctifies the holder of it.’ 
To be clear, this isn’t the same sort of conduct as one user doing something inappropriate against another user with the help of information systems; that’s more popularly known as ‘cyber stalking’ or ‘online harassment’. In this discussion, I’m talking about a member of the IT staff who wilfully misuses their elevated access to company information systems in order to wilfully harm another employee – the misuse of authorized powers that aren’t available to the majority of citizens.
In Annex 2 of High Tea Leadership, my second book, I provided readers a template for an ‘IT Department Policy on Disciplinary Action for Abuse of Power’. This was one of the tools that I introduced when I took over a public sector IT outfit. I campaigned to hold my people to the highest standard of professional conduct in the entire organisation. The more power that a person wielded, I argued, the more that the wielder needed to be restrained by operational controls. It’s both necessary and proper that systems administrators have root access to servers, storage devices, and networks. At the same time, the power that they have through their elevated access needs to be strictly, deliberately, and consistently controlled.
This isn’t just one bitter old technologist’s opinion. The ‘controlled use of administrative privileges’ is number 12 on the SANS Technical Institute’s list of 20 Critical Security Controls. I happen to believe strongly that the SANS recommended measures don’t go far enough: that’s why I implemented what I called ‘two-person accountability’ for my IT department for all activities that might be viewed as potentially exploitative. Need to delve into a user’s online share or e-mail account in order to find a file? One sysadmin ‘drove’, while a second observed the process from start to finish. Need to physically access a private office to secure a piece of kit? One person secured the gear while a second watched them at all times. The second person acted as a constraining control and as a witness to help eliminate temptation.
There are plenty of effective control measures available that will help to thwart an employee’s potential misconduct, but no control measure is ever as effective as the disciplinary action that you take when one of your people gets caught committing a misdeed. Just like with manifestations of police misconduct, communities will generally stabilize when they see that the people in charge of an accused wrongdoer take swift, impartial, and just action to investigate, correct, and punish the wrongdoing. We expect that there will always be someone inclined to do wrong; so long as the system corrects those offenders, we can all go on about our daily routine with confidence. Aberrations that get culled are detestable, but tolerable; aberrations that are allowed to inflict harm with impunity are utterly intolerable. Management’s failure to address misconduct can utterly destroy users’ trust in the institution and in its leaders. That, then, leads to very reasonable fears of future abuses.
I understand leaders’ reluctance to take public action against offenders. Confrontation is scary. That being said, it’s also necessary for maintaining trust and good order. I’ve heard the aphorism ‘praise in public, punish in private’ chanted by HR types like it was holy revelation, and I generally agree with it… for non-critical purposes. When it comes to major breaches of institutional trust, however, the ‘punish in private’ concept must be stricken from the list of acceptable tactics: the only effective way to maintain community trust (I contend) is to confront the problem head-on. As my military Public Affairs instructors used to preach regarding crisis management operations: tell the truth, and tell it immediately. Show your users that you understand their concerns, that you’re not afraid of the truth, and that you’re committed to doing right by them (no matter how embarrassing that might prove to be) and that you can be counted on to remain transparent throughout the process.
I’m not advocating for or against a zero-tolerance policy when it comes to systems misuse; you have to decide for yourself whether or not that’s warranted for your unique environment. Rather, I’m advocating for the controversial practice of communicating to your user base about cases of suspected systems misuse. All of the same best practices get followed between a publicly addressed case and a secret, internal case (e.g. collection of evidence, temporary suspension of accounts, etc.) with the one exception being coming clean with the community about the fact that you’re responding to an alleged incident.
I’m also not advocating for a public hanging of a suspected offender before the evidence is in. That’s counterproductive – the mere suggestion that an unfounded accusation could ruin someone is enough to destroy morale and trust. Quite the contrary: I’m advocating for institutional transparency, for demonstrating that allegations are taken seriously, and that they’re thoroughly investigated. Many perfectly loyal employees (and all managers) will be falsely accused during their working life; that can’t be helped. The irritation is partially mitigated by public displays of wilful and forthright compliance. An allegation is made, the accused cooperates fully with investigators, the truth is discovered, and then consequences fall where they may based entirely on evidence – not on petty personal politics. Let the guilty be held accountable for their actions, regardless of whether it’s the accused, the accuser, both parties, or neither, that committed the unacceptable act.
That’s what people crave: they need to believe in justice to maintain their faith in the system. Remember: users are people. People have valid and well-founded concerns over the potential for the people in their lives that hold power over them to misuse that power in such a way that they’re directly harmed. Whether it’s from a gun-toting police officer or a systems operator with root access to the e-mail server, a person that can potentially inflict harm could always choose to do so. That’s what makes them frightening. Fear, when experienced over a sustained period, often turns to irrational hate. The best way to short-circuit that natural progression is to directly engage with your users to acknowledge their fears and to demonstrate that you’re taking good-faith actions to remain worthy of their trust.
I appreciate that such an approach demands greater transparency, accountability, and moral courage than most other occupations require. I submit that it’s both reasonable and appropriate to expect that level of commitment from anyone that has at his or her fingertips the power to ruin an innocent person’s life. We owe our users an exceptional level of ethical accountability commensurate to our elevated systems privileges. When our users perceive that we’re as committed to their protection as they are themselves, then we can all get on with the more important things… like making a living in difficult times.
 The hyperlink in the quoted passage is how the original appears online.
 ‘Police officer’, for American readers.
 The exceptions to this rule exist – thankfully – solely in the realm of fiction.
 Emphasis added.
 During my tenure in the public sector, I was formally investigated 18 separate times for everything from ‘misallocation of resources’ to ‘fomenting a vast racist conspiracy’ to ‘being the Devil’ (I am not making that up). I was fully exonerated in 18 out of 18 cases, in no small part because I went about my duties with the expectation that a court would eventually examine everything I’d ever done. That attitude compelled me to always act according to the rulebooks, so that I could (inevitably) testify before a judge with a clean conscience.
Keil Hubert is a retired U.S. Air Force ‘Cyberspace Operations’ officer, with over ten years of military command experience. He currently consults on business, security and technology issues in Texas. He’s built dot-com start-ups for KPMG Consulting, created an in-house consulting practice for Yahoo!, and helped to launch four small businesses (including his own).
Keil’s experience creating and leading IT teams in the defense, healthcare, media, government and non-profit sectors has afforded him an eclectic perspective on the integration of business needs, technical services and creative employee development… This serves him well as Business Technology’s resident U.S. blogger.