The pandemic has forced most of us to reconsider why, where, and when we perform many of the expectations that rule our daily lives. No, wait; that statement is too broad. Let me clarify.
I shouldn’t say that “everyone” was forced to questions such things. To be fair, the wealthy have barely noticed the pandemic. When you can afford massive private compounds patrolled by armed guards, the trials and tribulations of the “little people” scrabbling for crumbs on the other side of your mansion’s privacy walls needn’t interrupt your champagne-fuelled poolside yacht shopping. The rest of us, though, were forced by months of lockdowns, remote work, crowd avoidance, and frantic process workarounds to take a hard look at the “requirements” that had dictated our working lives before SARS-CoV-2 made its diabolic debut.
The wealthy still don’t need to care and, as such, see no reason to change the status quo. Working folks, though, are facing the prospect of “returning to the office” with a sense of scepticism tempered with dread. Why, exactly, do we need to swap airborne germs in a fabric veal pen, pressed shoulder-to-shoulder with co-workers we can barely tolerate on the best of days just to “get work done”? Especially when we’ve demonstrated that we can perform most of our core tasks at 80%+ efficiency from the other end of a home broadband connection? Every organisation has their own answer to this based on its unique mission and circumstances. I’m not trying to argue that any one position is “correct” for every employer or person.
Instead, I’m encouraged by the fact that we’re having these discussions at all. People are seriously questioning the assumptions that we’ve taken for granted over the last half-century. Must we commute in and out of the city cores from the suburbs? Is it truly useful to meet face-to-face when the same work can be sorted in half the time over a sanitary Zoom call? Why do we still need wet ink signatures on paper forms when cryptographic digital signatures on PDFs hold up in court? Why must we pay elite-tier wages for talent in the Bay Area when we can hire four equally talented boffins to perform the same work remote from Omaha? The reconsideration of norms and customs is healthy. We’ve needed to overhaul the global “standard operating procedures” for working life since the 1990s. [1]
In that overly dramatic? Eh … Maybe. What I wanted to argue is that questioning assumptions is good for us as individuals, as organisations, and as nations. Dissecting why we do the things we do helps clarify what we can, should, and must change. Many of the customs that we take for granted as inviolable are zombie expectations that shamble along uselessly long after their original motivating circumstances ceased to exist.
Neckties, for example. A French king took a fancy to some Croatian mercenaries’ dress uniform adornments in 1646 and we’ve been tying variations of these danged things around our necks ever since. They serve no practical purpose. Get rid of them! Except … we don’t, do we? We might change the style of the darned things every decade or so, but we inevitably return to the wearing of a “proper” necktie as a required uniform item for business wear. I still have my “skinny ties” from the 1980s even though they’ve never been considered “professional enough” for the office. Why is that? What keeps us all tied [2] to this valueless tradition?
I’ve found that the most common answer to the zombie expectation problem is the classic non-answer “Because we’ve always done it this way. It’s expected. You wouldn’t want to appear unprofessional, would you?” If I had a twenty pound note for every time I’ve heard a variation on this old chestnut, I wouldn’t need a 401(K). To be clear, this non-answer in and of itself is not a compelling reason to do anything.
It’s one thing to maintain an outdated custom, like the NIST protocol on requiring unnecessary complexity in passwords. You know the old rule about substituting special character for letters as a fool proof method for creating an un-hackable password? Yeah, that’s dead. NIST updated their guidance in SP 800-63B-3 back in March 2020. Scientists learned that length is more effective than pseudo-complexity for protecting passwords against cracking so they dutifully changed the guidance. Still, sticking with the old official government standard because you haven’t heard the latest science makes logical sense. I can dig that as a justification … but that’s not what I’m on about.
No, I’m talking about security chestnuts like “never write down a password.” This aphorism has done more damage to security hygiene than probably any piece of folk wisdom. Sure, in a perfect world we’d all memorize all our unique system credential combinations (i.e., user ID and password/PIN). That was a fine practice in the 1970s when a few academics had a few accounts on a small number of university computers. These days? When everything is done online? Pshaw. It’s a ludicrous and counterproductive expectation. The last time I checked my password manager, I had 954 managed accounts, each with a unique password. Memorize all that? Hardly realistic! More importantly, it’s not the writing down of passwords that creates risk; the risk comes from leaving those written records unsecured. It’s far more important to have unique, complex passwords for every account than it is to have everything memorized.
Another hoary aphorism that won’t hodl water is “If it ain’t broke, don’t fix it.” This is a common excuse used to prevent mission-critical systems from being upgraded or replaced before (or, often, after) becoming obsolete. I discovered a horrific example of this while investigating a hosting client’s infrastructure: one of the client’s crucial customer service systems still ran on Macintosh Plus computers twenty-five years after that machine had been discontinued. There was no way to patch, upgrade, or configure these undead PCs to guard against new exploits. The client, though, insisted that the function the machines provided was still working acceptably, therefore they wouldn’t even investigate possible replacements. Madness.
There there’s local peculiarities, many of which are left over from the organisation’s chaotic early days. Like allowing the Chief Marketing Officer to veto security controls. Or exempting the developers from mandatory security best practices. Start-ups often kludge barely functional solutions to organisational problems based on short term needs and resource constraints. Left alone, these compromises eventually become dogma – practices that Must Not Be Be Questioned™. Short term solutions become permanent.
The “we’ve always done it this way so let’s not change” conviction creates one of the most pernicious and intractable security challenges to a business because it’s based on pure belief, not on facts. These legacy solutions to obsolete problems become security risks that stakeholders won’t address because of the suffocating weight of tradition. The longer these beliefs go unchallenged, the harder it becomes to change them … like white collar businesses’ irrational obsession with neckties.
Since we’re entering Pandemic Year Three, I urge everyone to take advantage of this rare and precious opportunity to questions everything about their organisational culture. I’m not advocating for tearing everything down in a riot of anarchic pyromania (fun as that might be). Rather, I’m calling on everyone to violate the social taboo that prohibits questioning How We Do Things Here™ to determine if their legacy practices are truly appropriate for the modern world. If any security process is found wanting, find a way to improve it … or, better yet, replace it.
I know that people are naturally resistant to change. I know that re-engineering is difficult, especially when it might disrupt critical process steps. I appreciate the effort it takes to bring reluctant stakeholders around, especially when they have so many other distractions stressing them out (like a global pandemic). All that said, I argue that it’s crucial to constantly modernize security operations to reflect contemporary practical realities. Nothing in business is so sacrosanct that it must not be modernized.
[1] Joel Kotkin published a new book called The Coming of Neo-Feudalism back in 2020 that warned us we’ll need to take drastic action if we want to save what’s left of the “middle class.” Billionaires are wasting their cash piles on phallic ego rockets while soldiers in the richest nation on earth need food stamps to survive. A little stark introspection might help us find an exit ramp off this highway to hell.
[2] Cheap pun very much intended!
