Gather round, everyone, because a shiny new fad is coming to infosec departments everywhere! This week, Business Technology’s resident U.S. blogger Keil Hubert casts a jaded eye at Zero Tolerance conduct management programs.
American businesses adore flashy trends: Total Quality Management, Self-Directed Work Teams, Servant-Leadership, and hundreds more ill-conceived management fads have infatuated executives and padded the expense accounts of consultants all throughout the working world ever since Frederick Taylor’s vaunted ‘Scientific management’ fad caught fire at the start of the 20th Century. Call them techniques, methodologies, disciplines, revelations, or mysteries, they all have one essential common attribute: following someone else’s shiny, new programme will (so the experts say) allow you to achieve greatness without ever having to think for yourself. The hard thinking work has all been done for you.
Am I a bit jaded by all the hype surrounding these fads? Most certainly, yes. I’m all for putting best-practices into play in order to improve team morale and efficiency, but I stop well short of believing that any one regimented approach can work miracles – especially when said approach is a copyrighted one. I’ve watched deadly-earnest managers throw themselves behind trending fads with the desperate fervour of a born-again sinner, only to have their beautiful dreams founder on the slippery rocks of pedestrian office reality. I’m deeply cynical towards any and every ‘revolutionary’ technique that promises to change workers’ behaviour. I like elements of the aforementioned example fads, but I’m harshly sceptical about each of the fads’ extraordinary claims. I hold fast to the belief that management techniques cannot fundamentally change human behaviour.
Still, an embarrassing number of successful companies routinely throw themselves headlong into the latest schemes every year like love-struck teenagers discovering a new crush. The advocates for each doomed initiative conveniently forget all of the well-intentioned disasters littering their history, and breathlessly testify to the Harvard Business Review that this time they’ve found The One.
One of the new trends that I’ve seen popping up lately here in the infosec community is a re-hash of an old trend that originated in the education world around two decades ago. If you haven’t heard about ‘Zero Tolerance’ security policy yet, then take warning: these are misconduct management policies based on wildly inaccurate assumptions about effectiveness and utility. My stance is that they’re utter garbage, and that you should mercy-kill them before they’re allowed to infect your organisation.
I first encountered ZT over 20 years ago when the state of Texas introduced it into the public school world. At the time, teachers welcomed ZT with open arms; I know, because my wife was teaching in the Texas school system back then, and was willing to embrace just about anything that would get her most troublesome kids under control. During her final year of full-time teaching, she had one nasty little piece of work that kept disrupting school with violent temper tantrums and outlandish behaviour. Among his highlights, the snotty little git vandalized a teacher’s car, brought weapons to school – including clubs, knives, and bloody firearms – and was never suspended for more than a week at a time for any of his antics. Back then, the school principal decreed that they weren’t allowed to hold the child accountable for his actions because he was classified as ‘special needs’ by the state. The rest of the school (students and staff alike) just needed to tolerate the kid’s violence… even if it got someone killed. To blazes with that!
When Texas introduced the concept of ZT for certain offenses, teachers rejoiced. The concept was simple: if a kid commits certain offenses, he or she automatically gets suspended or expelled from school without appeal. No special circumstances, no context, no room for mitigating circumstances. You’re just done. I spoke to a bunch of teachers who thought that this hard-nosed approach would finally save them from spineless principals and overbearing parents. To some degree, they were right; chronic offenders were swiftly dispatched. That in and of itself was cause for celebration. The trend caught on, and quickly went nationwide.
ZT is still employed in school districts all over the country: it does what it says it does… in the sense that it throws kids out of school who engage in egregious behaviours. Unfortunately, it also throws lots of casual offenders out of schools that didn’t deserve anywhere near the punishment mandated by the inflexible ZT program because their ‘egregious’ behaviour wasn’t… but looked like it was. In some cases – like the program that we have in Texas – the number of students caught up in ZT nets comprised the lion’s share of a school’s population. As Carly Berwick wrote in The Atlantic back on 17th March:
‘Zero-tolerance policies mean that suspension is used as a consequence for infractions ranging from severe (such as weapon possession) to minor (defiance or chronic tardiness). … in Texas, nearly 60 per cent of students have been suspended by the time they graduate high school, according to a 2011 report by the Council of State Governments’ Justice Center.’
I’ve been subscribing to a weekly news digest service called ‘This Is True’ for the last 15 years. The author is fond of sharing stories of ZT disasters from all across the USA. I have 644 copies of his publication archived in my mail client that go all the way back to October 2000. Of those, 40 per cent contain news items concerning ridiculous punishments imposed by heartless schools that common sense clearly indicated were gross overreactions. Examples included kids making hand gestures that were interpreted as ‘weapons’, kids using sticks as toy swords on the playground, honour students caught with dull flatware in their backpacks, and the like. For the vast majority of cases, a responsible adult would look at the evidence, would likely conclude logically that no actual threat or ill intent existed, and would dismiss the tyke with a mild chastisement. Instead, these kids all got suspended and unfairly branded as ‘violence risks’.
Defenders of ZT are often swift to point out that allowing school administrators to make case-by-case judgments introduces the twin spectres of favouritism and prejudice. Therefore, in the interests of ensuring that all of the truly nasty kiddies get booted, some collateral damage will have to be accepted in the interests of guaranteed punishment for those truly deserving of it. ‘Rules are rules,’ the logic goes, ‘so you have to accept that some innocent kids will get punished along with the guilty.’ To my thinking, that sentiment reeks of Arnaud Amalric’s (alleged) order to the knights that conducted the Béziers Massacre: ‘Kill them [all]. For the Lord knows those that are His own.’
As a former military man, I believe that line of thinking is abhorrent. Condemning the innocent along with the guilty in order to guarantee punishment of the guilty runs counter to every legal and social notion of justice that we claim to hold dear. Allowing a narrow and insensible policy document to ruin a person’s life simply because a poorly-written rule demands such reflects the utter abandonment of the moral authority required of an educator… or a teacher… or a parent… or a judge… or, now, a corporate manager.
Yes, ZT is creeping its way into the business world… the same way it insinuated itself into the education world: its proponents insist that introducing ZT for certain offenses will ‘greatly simplify’ compliance and accountability by taking the uncomfortable decision-making step completely out of the process. CEOs, CIOs, CISOs and their management underlings need merely cede their authority to adjudicate individual cases of alleged wrongdoing to a Napoleonic-style code of administrative processing. No muss, no fuss, no grey area to fret over. Most importantly: no individual accountability for the really tough decisions.
This sounds dangerously seductive… why go to all the trouble of conducting investigations and holding disciplinary hearings when you can simply publish a comprehensive list of prohibited behaviours and decree that anyone caught violating them will be summarily dismissed without appeal? It certainly seems efficient… Faster, too.
Let’s compare the ideal ZT program with a real-world example: several years ago, I was running the IT department for my company. I received a frantic call late one afternoon from our health and safety department about a pornographic content violation. One of the healthcare professionals on staff had been directed to prepare a presentation on breast cancer awareness for the other members of the site’s clinical staff. Thinking like a physician (and operating on far too little sleep), the dutiful doc fired up his browser and asked Google Images to find him some appropriate photos of ‘breasts’ to copy into his preso.
It wasn’t until the results page loaded that the poor fellow realized the enormity of his mistake – whereupon he immediately called me and turned himself in. He said that he believed the IT department was monitoring all network traffic, and that his actions would undoubtedly be considered wilful, prurient misconduct if and when they were taken out of context. I lied and told him that we already knew about his faux pas, but that we appreciated his immediate disclosure. No harm had been intended, so no punishment was warranted. I told him to close his browser and to never do that again. He didn’t. Problem solved.
Under a ZT InfoSec conduct policy, that employee’s career would have been scuttled thanks to one inappropriate – but completely innocent – image search. He viewed ‘pornographic content’ on his company PC! Therefore, he’s a dangerous fiend, and must immediately be terminated for cause (so sayeth the holy ZT guide). Except… no. No, he didn’t. Looking at the context, intent, and response for the incident, the user’s behaviour was ill-advised, but thoroughly above-board. Firing him would have been unwarranted – and tarring his CV with a for-cause dismissal would have effectively ended his ability to find comparable work in his field for the rest of his life. Allowing that to happen would have constituted a far graver injustice than letting an exposed mammary appear in a browser window.
I understand why ZT is appealing… confronting people over suspected bad conduct can be scary. Trying to find a just solution to a difficult situation is often stressful. Getting useful answers out of HR and Legal can be like trying to divine sources of underground water with a stick. Leadership is difficult, which is why it’s highly-compensated work. Your job as a leader is to wade into the fray and find the truth of any given situation – and to make the best decision that you can, given the totality of the information available. You then have to live with the consequences of your decisions, right or wrong. That’s not a punishment; it’s simply an incentive to do your absolute best to find the optimal course of action for everyone involved in every new incident.
Still, sometimes making those hard decisions means that you’ll take flak from your boss, from HR, from your workers, and even from the press. That’s to be expected. Leadership is a messy business. You’ll inevitably make mistakes. We all do. I submit, though, that it’s far better for your organisation and (most importantly) for your people that you never cede your authority to render judgments over alleged misconduct to an oversimplified, unyielding, and context-oblivious ‘code’ like ZT. People deserve a fair hearing, and no grossly-oversimplified if/then processing code can ever be truly fair.
Seriously… if someone approaches you about implementing a ZT approach to employee conduct policing, steer them to something less destructive… like Six Sigma manufacturing. It’ll give them something trendy and popular to occupy their time, and will keep them the heck out of your domain… probably for years.
 Take measurements, empower workers to make decisions, and focus on making your people successful, respectively.
 If I understand the cultural divide, y’all’s ‘public’ schools in the U.K. are exclusivist private schools for the well-to-do; our ‘public’ schools are exactly that: the taxpayer-funded baseline institutions that all children attend if their parents aren’t wealthy enough to afford ‘private’ schools.
 40.8 per cent, specifically: 263 out of 644. I checked.
 ‘Caedite eos. Novit enim Dominus qui sunt eius;’ in modern parlance, ‘Kill them all; let God sort them out.’
Keil Hubert is a retired U.S. Air Force ‘Cyberspace Operations’ officer, with over ten years of military command experience. He currently consults on business, security and technology issues in Texas. He’s built dot-com start-ups for KPMG Consulting, created an in-house consulting practice for Yahoo!, and helped to launch four small businesses (including his own).
Keil’s experience creating and leading IT teams in the defense, healthcare, media, government and non-profit sectors has afforded him an eclectic perspective on the integration of business needs, technical services and creative employee development… This serves him well as Business Technology’s resident U.S. blogger.