Eavesdropping in airports…

I was flying this week between offices, and being travel-bored and a nosy so-and-so I zeroed in on an extremely loud conversation taking place between a fellow traveler and what must have been his Bangalore helpdesk.

A typical situation: middle-aged gent in a sports jacket and slacks, reasonable shoes though needing cleaning, expensive watch etc. Blackberry glued to the side of his face, glass of airport Merlot on the table.

It was obvious to all within 50 feet that he was having trouble logging onto his corporate network, and was talking to a patient but frustrated offshore colleague about getting his password reset. ‘John’ as I will call him (real name and company clearly displayed on the numerous executive tags on his travel-worn Tumi luggage) was getting increasingly frustrated, and I guess the line was bad because he’d put his Blackberry on speaker phone to hear better…

(paraphrased, and details changed to protect the guilty)..

John: “It’s John Smith – J–O–H-N S-M-I-T-H”
HD: “Yes Mr John. I have your account here. Can you give me your personnel number and mother’s maiden name for identification?”
John: “What? I don’t know, hang on, eh? It’s 12345.”
HD: “I’m sorry Mr John – can you repeat that?”
John: “ONE TWO THREE FOUR FIVE!”
HD: “And your mother’s maiden name?”
John: “It’s Smith, like, Smith! S-M-I-T-H!”
HD: “I’m sorry Mr John but are you sure that’s correct – I need your mother’s MAIDEN name, before she was married?”
John: “What? What do you need that for – it’s Jones though, JOHN ORANGE GNOME ELEPHANT SINGAPORE!”

Needless to say this conversation went on for some time, and by the time I’d finished my Manchu Wok mock Chinese meal (oh the joys of Charlotte Airport) I knew the last four digits of his social security number, his name, company, mother’s maiden name and personnel number. I also worked out the helpdesk phone number, no real trick as it was on the front page of their company website.

John eventually got logged back into his corporate network, but not before writing his new password down on a napkin which he eventually left on the table along with his empty wine glass as he left to catch his connection. I thought about pointing this out to him when he returned some 5min later to pick up his also-forgotten luggage, but no, I tore it up and trashed it after he’d again left it in plain sight.

A sorry state of affairs you will no doubt agree, but is John really to blame? He obviously really does not understand what his password is for, why it’s special and needs protecting, why even his network needs a password – he views it as an obstruction to doing his job.

I imagine perhaps there was a time when his company didn’t use passwords, then suddenly they got thrust upon the user population with no warning and no coaching – to John, the security in front of his corporate network is obstructive and valueless, and not something he feels any compulsion to value or protect. His job is to sell widgets or whatever, and damn the IT department for getting in the way of that.

Too often we IT leaders get sucked into technology rather than thinking about, and promoting, its benefits. John’s a victim of that mentality. Security starts at layer 8, the users. Technology, as I seem to oft repeat, can only help us protect ourselves – it can never be the whole solution. Any change in business practices which affects users needs to start off by expressing the value of the change to those people, how it is beneficial for them – perhaps it keeps them out of jail, or protects their jobs, or makes new systems available to them. To suddenly introduce security measures without expressing these benefits to the users is guaranteed to cause trouble.

It’s not a big thing, but user education and consideration can really help smooth the technology introduction and migration to a more secure working environment. If you think you can get away with mandating security and backing it up with a stick, you should perhaps consider attending one of Stan Slap’s enlightening courses on Leadership.

  1. Simon Hunt
    July 22, 2009 at 10:00

    Matt Simmons picked up and expanded on my thoughts here on his blog.

    http://www.standalone-sysadmin.com/blog/2009/07/do-we-communicate-with-and-support-our-users/
