|
|
02-20-2010
Registered User
26,240,
27
Demotivational Speaking
The Harvard Business School has words of wisdom at http://hbswk.hbs.edu/archive/5289.html in an article on "Why your employees are losing motivation," by David Sirota, Louis A. Mischkind, and Michael Irwin Meltzer.
It's not directly about security, but the fact that it seems to be striking a chord with so many security bloggers and microbloggers is significant.
The article's closing words about the ways in which management may unwittingly demotivate staff are applicable to many, many people who aren't security professionals, of course:
Indeed, it can be even worse, as Professor Eugene Stafford has pointed out in "Spaf's first principle of security administration":
David Harley CISSP FBCS CITP
ESET Research Fellow & Director of Malware Intelligence
More...
It's not directly about security, but the fact that it seems to be striking a chord with so many security bloggers and microbloggers is significant.
The article's closing words about the ways in which management may unwittingly demotivate staff are applicable to many, many people who aren't security professionals, of course:
"Many companies treat employees as disposable...However, the point about criticism and reward is particularly apposite in enterprises where security is regarded as a blockage and a cost centre rather than an enabler. As indeed it is, in cases where security overrides business needs because it's convenient to the IT team. In many more cases, though, Security administrators become depressingly accustomed to being recognized as the scapegoat in the event of a security breach, but not as a facilitator of smooth business processes when they run securely and uneventfully.
...Employees generally receive inadequate recognition and reward: About half of the workers in our surveys report receiving little or no credit, and almost two-thirds say management is much more likely to criticize them for poor performance than praise them for good work.
...Excessive levels of required approvals, endless paperwork, insufficient training, failure to communicate, infrequent delegation of authority, and a lack of a credible vision contribute to employees' frustration."
Indeed, it can be even worse, as Professor Eugene Stafford has pointed out in "Spaf's first principle of security administration":
If you have responsibility for security, but have no authority to set rules or punish violators, your own role in the organization is to take the blame when something big goes wrong. (Practical Unix and Internet Security)As the authors of the Harvard article say "..there may be no single motivational tactic more powerful than freeing competent people to do their jobs as they see fit." However, a security autocracy is not always the best response to an evolving threatscape. In today's enterprise, competence entails seeing the whole business picture, not just the needs of a single team.
David Harley CISSP FBCS CITP
ESET Research Fellow & Director of Malware Intelligence
More...