American View: Why Someone Must Play the “Bad Guy” in Your Organisation
I was invited to participate in a live teissTalk webinar on 2nd November. Our topic was “Helping colleagues recognise and learn from their risky behaviour.” This is a topic I’m madly interested in; when the teiss folks asked me to participate, I was thrilled to assist. If you missed our discussion, you can watch the whole thing on-demand here.
All three panellists – me, Thom Langford, and Robert Flanders – agreed that effective risk management requires open and non-judgmental communication. A CSO needs everyone in their organisation to feel comfortable reporting security incidents and raising concerns. When workers are scared that they’ll be punished for reporting, they won’t do it if there’s any way not to. That’s one of the first lessons people working in security human risk management have to master.
I raised an argument during our conversation that there needs to be a designated and consistent “good guy” arm of security that users can always feel comfortable speaking to. That said, there also needs to be a “bad guy” arm to perform those uncomfortable – but necessary! – tasks that correct bad behaviours. Tasks like direct confronting users over wilful noncompliance, performing on-the-spot corrections, and visibly enforcing required standards.
An organization that won’t perform these mission-critical corrective tasks not only allows users to violate security rules … they encourage noncompliance through a lack of perceptible corrective action.
In the webinar, I used the example of my mate “Peter’ [1] to make my point. I wanted to tell his story in more detail today’s. Peter was a computer science major at university. We met while we were both working part time in the computer support department. I was a level 1 Organisational Computer Consultant (entry level), but Peter was one of the department’s rare and valuable level 2 techs. Peter had grown up with technology; his father worked for IBM, and Peter had his own IBM PC when he arrived in the dorms. The fellow knew tech better most of us on the school’s payroll.
His skill and experience earned Peter a position at the IT Help Desk. While the rest of us were babysitting the various “small computer labs” across campus, Peter was the team’s subject-matter expert at the command centre. When we didn’t know how to solve a problem, we called the hotline and Peter walked us through troubleshooting and remediation.
During our sophomore year I was lucky to pull a few shifts in the Help Desk. My role there was to support remote OCCs by phone, to teach new users how to use the small computers and terminals in the labs, and to manage the long queues of students and staff coming in to use the university’s crown jewels: our laser printers.
This was in the 1980s, mind you, so almost all printing had to be done from our mainframe to the line printer in the basement of the Comp Sci building, or from the PCs and Macintoshes to the temperamental dot matrix printers in the student labs. Most every student knew that printing your assignments would earn you at least one letter grade higher than you’d get by handwriting them.
Still, most students at the time (including me, at first) were computer illiterate, so the labs were only ever packed during the run-up to finals week.
Then the university paid big bucks to acquire a first-generation Apple LaserWriter and a first-generation Hewlett-Packard LaserJet. These beasts were huge, slow, twitchy, and expensive and cost as much as new economy car.
Still, seeing your term paper printed in perfectly legible 300 dots-per-inch from one of the laser printers seemed like a miracle. The computer savvy people on campus adored the new toys. Once world got out, we’d see a long snake of people starting at the door to the Help Desk and running all the way down past the lab to the fire stairs every time major assignments came due ... not just at semester’s end.
This surge in usage meant the Help Desk has to set basic rules for user behaviour. If you wanted to print your work on our laser printers, you were required to:
1. Your print job must be entirely academic material. No printing personal projects.
2. Have your finished document saved on a floppy disk. 3.5” only for the Mac, 3.5” or 5.25” for the PC.
3. Have all your formatting, spell-checking, editing, and whatever else futzing you felt was necessary finished before you arrived.
4. When directed, you sat at either the Mac or the PC, inserted your disk, opened your file, used the print command, closed your app, removed your disk, and joined the queue at the printer to collect your output. No hogging the machine.
Most users were keen to obey. They just wanted a stellar print job and didn’t want to inconvenience anyone else. Some people, though, felt they were exempt from rules that constrained the “little people.” These “special” folks would – if not challenged – snarl up the printing queue, thereby preventing other students from getting their work in time to turn in. Such behaviour was anti-social, selfish, and unacceptable.
The rules for accessing the laser printers had to be enforced, but the Help Desk’s one full-time employee was uncomfortable with confrontation. She was a genuinely nice person and wanted to be everyone’s friend. She couldn’t bring herself to be stern or forceful with anyone. This inability to perform allowed bad actors to get away with all sorts of disruptive shenanigans.
Enter Peter. He had no qualms about playing the “bad guy” to the Help Desk employee’s “good guy.” During my first shift on the Help Desk, I witnessed Peter calmly remind the students in the print queue about the rules. Then, when a few arrogant individuals broke the rules, Peter snapped at them … loud enough for everyone in the hall to hear him. The users that complied were allowed to print their work and go; the ones that tried to argue with Peter or refused to comply were stunned when Peter force-ejected their floppy and hurled it down the hallway like a frisbee … often announcing that the offending user was banned from using the Help Desk for a month for wilful noncompliance. To quote Ken White, “Play stupid games, win stupid prizes.”
Peter’s work in the Help Desk was pure performance art. He wasn’t a bully outside of work; while on the clock, he was playing a role to ensure effective management of the organisation’s high-demand, low-density resources. Someone had to do it. The critical staff weren’t willing to, so Peter performed the role … and he did it with élan. Some users wouldn’t dare come in while Peter was on duty; others would only come in while he was on duty to ensure they could get their printing done on time and drama free. He was a controversial figure but he made the Help Desk function.
This solution worked out well for everyone … right up until Peter transferred schools at the end of our second year. Once he was gone, the malcontents immediately started jamming up the printing process because no one left was willing to stop them.
That’s why, one morning, the full-time Help Desk employee asked me if I’d be willing to serve as the Help Desk’s “virtual Peter.” I started playing the “bad guy” role just as he had. I couldn’t (yet) exude the aura of menace that he had, but by imitating his mannerisms I was able to retore good order and compliance in the printer queue. I never got to fling anyone’s floppy down the hall, but I did force-eject several and sent malcontents packing … including a tenured professor with an attitude problem.
I know this is a silly example; it’s meant to be. Still, the experience helped teach 20-year-old me the importance of roles, performances, and influences within an organisation. Most everyone wants to be the “good guy” and that’s a good thing. The people allowed to play that coveted role get to create and maintain a welcoming, friendly, and helpful environment. That said, someone has to play the “bad guy” in the outfit. If no one is enforcing mandatory standards, then a small number of selfish jerks will inevitably make life miserable and unnecessarily difficult for everyone else.
Think about Peter’s story when you look at the roles and responsibilities in your own security organisation. Yes, you want “colleagues [to] recognise and learn from their risky behaviour.” That’s essential. However, you also need to indisputably demonstrate to all hands that violating mandatory behaviour rules will not be tolerated. See above, re: stupid games and prizes.
Who’s performing that critical function in your org? If no one, why not? And what are you going to do about it?
[1] His real name, as he’s the hero of the story rather than a villain.
Keil Hubert
You may also like
Most Viewed
Winston House, 3rd Floor, Units 306-309, 2-4 Dollis Park, London, N3 1HF
23-29 Hendon Lane, London, N3 1RT
020 8349 4363
© 2024, Lyonsdown Limited. Business Reporter® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543