Sudden dress code changes are a pain in the tail. They’re often meant to be. Business Reporter’s resident U.S. ‘blogger reveals that some security chiefs will use seemingly-trivial orders specifically to suss out who on staff is inclined to disobey orders that they don’t like.
I’d like to apologize for publishing so many columns connected to food. Last week was a double-header, with my regular Business Reporter column exploring the idea of operations management via a deli scene, and my inaugural column for TEISS site discussing the Panera Bread vulnerability remediation issue. I realized yesterday that food and eateries have been coming up a lot more often in my writing recently because I’ve started finding most of my inspiration for my columns while at lunch. I’ve been terribly busy lately between work, family, Scouts, preparing my next audiobook, and general life maintenance. Lunchtime tends to be the only time that I can afford to let my mind wander and find interesting associations.
This week was no exception. The idea for this column came to me while I was scarfing down a mediocre burger last Friday. I was minding my own business and scanning the crowd when a pair of young businesspeople took the next table over and captured my attention. The young lady was stylishly dressed in a colourful summer getup that impressed without being gaudy. I thought she was quite fetching while still looking wholly professional. Her companion, however, looked like a confused rodeo clown.
Specifically, the young businessman had made an extremely poorly wardrobe choice. His starched white dress shirt was fine, but his trousers … Dear God! The man went out in public in a pair of hopelessly oversized and wrinkled black polyester dress slacks that seemed to have been made for a man with at least double his waist size. This was a fellow of medium build wearing trousers that could easily be converted into a flotation device. They billowed. They snagged on every knee-height object that he passed. They qualified as ‘rugose’ as if torn from the purple prose of an H.P. Lovecraft story. These were awful trousers.
I don’t mean ‘garish hipster threads;’ I mean that they were so awful that I couldn’t find a relevant stock photo to represent them.
And forgive me for being a dyed-in-the-wool security person, because the first thing I thought of on seeing that poor fellow’s awful attire was ‘That dude looks like he just declared himself to be a low potential security risk.’
To be clear, I’m not trying to draw any sort of parallel between a person’s fashion sense and their potential criminality. That’s close, but misses the point. What I mean is that security and operations leaders sometimes use small-but-meaningful practical tests of obedience to see who in their organisations they might need to keep a close eye on. I suspect that’s why this fellow was out in public wearing a truly defamatory trouser selection. He’d been given an order to change up his wardrobe for the day, grabbed the closest thing that he had that met the requirement in his wardrobe, and went to work.
The technique works like this: someone in authority (usually an executive) declares that the company dress code is changing for one day only to accommodate a ‘special event.’ The ‘event’ can be anything; a visiting executive, a high-profile client, a television taping, whatever. The actual reason announced is just an excuse. What the line-leaders are specifically looking for is who among the population obeys the new dress code order in good faith and who ignores it. The worker who bristles at being told what to do and refuses to comply is marking him- or herself as someone who prioritises their own wants above the company’s needs. In short, someone who has a predisposition to bypass or ignore security regulations whenever it becomes inconvenient to them.
This is important. Long-time readers will recognize that this is a deliberate call-back to a book that I wrote on this subject called Office Cowboys: Cautionary Tales from the Cubicle Frontier. To quote … er, well, … myself:
I now hate myself more than I hated that young businessman’s trousers.
‘I train my cyber support employees to evaluate user behaviour for evidence of petty rule violations, because each act of defiance predicts a future security breach. I strive to drum this mantra into my people: “If an employee is able to rationalize violating one rule, then they are likely predisposed to violate others.”
‘That’s why I always actively scan the workplace for evidence of defiant behaviour. It’s not so much a matter of threat; it’s a critical indicator that we need to take note of early on. If an employee is willing to petulantly defy the easy rules, then they’re also likely to petulantly defy our critical security rules when compliance is hard. I teach my security techs to watch out for and monitor these “I do what I want!” cowboys because they represent the most likely sources of human-imposed vulnerabilities to the enterprise cyber infrastructure.’ 
Well said, er … me. Good grief that’s pretentious. Argh! Sorry.
So, why use an altered dress code for his or her compliance exercise? Because the results are instantly obvious at a glance. If you announce that everyone has to wear, say, a suit or an unusual colour top for one day only, you’re going to catch most workers unprepared. No one has an infinite supply of possible outfits. Closets are only so large. People tend to accumulate clothes that are appropriate to their workplace and displace clothes that they can’t wear in the office.
Moreover, people change shape over time.  Outfits that you wore regularly two or three jobs ago will likely no longer fit when you need the later. Clothes aren’t magic, either. Unlike what Ann Brashares’ best-selling, young adult, coming-of-age novel The Sisterhood of the Traveling Pants might have led you to believe, no item of clothing will ever magically re-size itself to perfectly fit your evolved shape. Ain’t happening.
Working yourself to the bone and fueling yourself with junk has a way of changing a person over time.
That’s what I was on about regarding the mysterious businessman in the stunningly awful trousers. I’d bet a fiver that his boss was running an internal compliance exercise on his office. Given that this bloke didn’t have anything better than that to wear, I suspect that his company was normally a T-shirt and jeans sort of place. Their boss ordered everyone to be in ‘business attire’ for one day, and this fellow was simply obeying as best he could with the old or borrowed slacks that he had access to. Credit earned for making a valid (if failed) attempt to comply. Box checked.
If these sorts of ‘unannounced exercises’ seem like dirty tricks to you, I can empathize. It is a bit sneaky. It’s not a sure-fire way to prove that a given employee might be a future troublemaker. It is, however, fairly reliable and completely fair. A reasonable order gets issued and some people decide to wilfully disobey it. Miscreants out themselves.
The fact that the order isn’t truly important is entirely the point. The bad actors’ demonstrated willingness to ignore orders that they don’t care for is a strong indicator that these people are more likely than their peers to put the company’s security in jeopardy someday by refusing to obey a minor but wholly necessary security protocol. From the perspective of a security chief, it’s far better to know who those people are early – before it counts! – than to wait until a preventable breach occurs. If you learn who your potential rogues are early, you can see to it that your defiant workers are re-trained, rehabilitated, or encouraged to move on to their next adventure.
 If you don’t want to buy the book (and why wouldn’t you?), the original column that this is quoted from can be found here.
 Er … spoilers?
POC is Keil Hubert, firstname.lastname@example.org
Follow him on Twitter at @keilhubert.
Keil Hubert is the head of Security Training and Awareness for OCC, the world’s largest equity derivatives clearing organization, headquartered in Chicago, Illinois. Prior to joining OCC, Keil has been a U.S. Army medical IT officer, a U.S.A.F. Cyberspace Operations officer, a small businessman, an author, and several different variations of commercial sector IT consultant.
Keil deconstructed a cybersecurity breach in his presentation at TEISS 2014, and has served as Business Reporter’s resident U.S. ‘blogger since 2012. His books on applied leadership, business culture, and talent management are available on Amazon.com. Keil is based out of Dallas, Texas.