Don't rely on a "higher authority" to justify your policies and procedures
A lot of IT folks routinely invoke a higher authority as justification for why we have to do something or why a policy can't be changed. This "higher authority" is usually one of three tried-and-true excuses:
- We have to do that to comply with Sarbanes-Oxley.
- The lawyers say we have to do that.
- The auditors make us do that.
That bumper sticker from the late '70s urging us to "Question Authority" may have been right all along. In reality, those three reasons are spurious excuses, not valid reasons for doing something. Although the "required" action may actually be the right thing to do, citing an excuse such as one of these is wrong for a number of reasons.
Let's start by taking a look at each of the excuses. The Sarbanes-Oxley law was enacted as a result of a number of corporate and accounting scandals. IT often cites it as the reason we have to take certain specific actions. I freely admit I haven't read all 745 pages of the bill, but as best I can tell it doesn't get down to dictating specific IT-related actions. Nothing about how long your computer can be inactive before it automatically logs you off, nothing about how often you have to change your passwords, and certainly nothing about all those other things we so often claim it makes us do.
What Sarbanes-Oxley does do is make us evaluate risk and develop mitigating controls. Auto log-offs and frequent password changes are mitigating controls, but Sarbanes-Oxley doesn't specifically call for them and therefore doesn't require specific time periods either. We have these mitigating controls because someone in the company has evaluated the risk and decided these controls are appropriate. Although this is a rather trite example, it applies equally to all the other IT actions we insist on because of Sarbanes-Oxley.
Lawyers act as trusted advisors in our companies. That is precisely what they do: they offer advice, but except in rare cases they don't make decisions. Our job as managers and leaders is to consider this advice, but it is up to us to decide on a course of action.
We decide, not the lawyers. Don't believe me? Imagine yourself explaining a bad decision to your CEO and trying to use the "the lawyers made me do it" excuse. The lawyers have over the years practiced and polished the "we're only advisors" speech and can deliver it with an ease and persuasiveness that will make your head spin. You weren't hired merely to follow orders but to consider the situation carefully (which means listening to the lawyers' advice), weigh the options, and then make the decision.
Like the lawyers, auditors don't make business decisions either. The job of the auditors is to evaluate our actions and controls to see if they meet certain standards. Many auditors, especially the inexperienced ones we first deal with, are not experts in IT.
The auditors are merely comparing us against a checklist someone higher up gave them, without any real understanding of how appropriate that checklist is to any particular situation. Part of our job is to work with them to make sure they are using the appropriate checklist.
The next time someone uses one of these excuses, there are a couple of things to keep in mind before charging off in a flurry of righteousness. Although the justification may be spurious, it doesn't necessarily mean the required action is wrong. After all, they may simply have been using an easy excuse rather than wanting to explain the valid reasoning.
Also, remember to choose your battles. Do you really want to engage in a major political battle over whether the auto log-off should be 90 minutes instead of 30? If you're going to start a fight, make sure it's worth winning and worth the inevitable wounds that come with it.
We as IT leaders need to stop our people from relying on these excuses to deflect questions. First, it degrades our credibility. My analysis is not ground-breaking; others understand this implicitly. If we use this excuse with them, they naturally draw one of two conclusions, neither of which helps our credibility: either we don't understand the purposes of Sarbanes-Oxley, lawyers or auditors, or we're assuming they're dumb enough to accept our lame excuse and just go away.
Second, and most importantly, allowing people to rely on these excuses destroys our critical thinking ability. Our policies and actions are controls to mitigate risk. As technology changes, the control actions should change accordingly, because the technology presents new and different risks. We can't allow ourselves to get locked into thinking there is a rule that prevents us from using the new technology. Our job is to figure out the best ways to use new technology while mitigating its risks, not to find lame excuses not to do something.
This article is also posted on Forbes.com. Feel free to join in the discussion either on this site or at Forbes.com.