Blogger: Dan Blum
According to The Register article "TSA worker tried to sabotage terror database, feds say," a contractor was caught planting
malware in an important terrorist screening database. That this almost-disaster should happen to the
TSA, part of a superpower’s Department of Homeland Security, has to make you
stop and think.
On a few occasions when it was in scope for my document I’ve recommended
that organizations always “walk out” off-boarding staff immediately (both
logically and physically). But I have to admit that isn’t a recommendation I
realistically thought my clients would follow. Yet incident after incident proves
it’s actually best practice.
Why’s it so hard? Well, most people are taught to value trust and
reciprocity from an early age and they bring those values and ethics into the
workplace. Communities can’t function well without these values (dare I call them
“goodness”?) – John Clippinger argues as much eloquently in “A Crowd of One:
The Future of Individual Identity.” In the case of the TSA, the cultural values
of trust and reciprocity are institutionalized by civilian government labor law
and employment practices.
How do we reconcile trust and reciprocity with some of the harsher best
practices for organizations and communities? Not very well. As kids we’re also
taught to be wary of strangers and to distrust. But educating kids (and
employees!) to “trust yet distrust” is a practical necessity. How we might do a
better job of contextualizing knowledge, awareness, education, and process, both
in the young and in the organization, is part of that critical “human factor” of
security.
So how might one implement the best practice of walking employees out?
First, one might decompose why it’s so difficult to follow: 1) we trust the person,
2) we need the person to “keep flying the airplane” until knowledge is
transferred and projects are finished, 3) we don’t want to create a cold, distrustful,
or uncaring organizational climate. These are all valid concerns.
Then contextualize the knowledge and awareness process that is part of
the implementation of the “walk out” policy to address the objections to it.
Since understanding and accepting why a policy applies improves human
compliance dramatically, one might explain it as follows:
“We have the walk out policy because it’s necessary to protect the
security of associates, customers, or citizens. We follow it for all employees
and it isn’t a negative reflection on anyone. We have HR guidelines to make it
a kind and gentle, though quick and immediate exit process. If you still
need the associate’s help on projects we can arrange short term consulting and
provide guidelines for remote working, escorted site visits, or use of audited
temporary accounts and escorted/observed sessions.”
A separate issue remains: What if an associate anticipates being part
of a layoff perceived as unfair or discovers, senses, or imagines that he in
particular is no longer wanted and will be fired? This is a psychological as
well as a confidentiality problem and must be addressed through knowledge and
awareness of psychology as well as other elements of the security program.