Tuesday, December 20, 2005

Dealin' with mole hills

I started this blog entry before Christmas but never got around to finishing it until now.

Sorry that it has been a while. Been busy at work with all these projects basically screaming for resources. I wanted to talk about an incident that happened at my place of work. Last Friday (Dec 16th) at 5:30 pm (past working hours), a colleague sent an email cc'ing my manager and the Manager of Security which basically stated that the sky is falling because we have given the keys to our servers to consultants and a whole bunch of the consultants now have privileged access and could install rootkits and backdoors and what not on those servers.

Obviously you can imagine the reaction from the Manager of Security at this "faux pas". A meeting was demanded and I was to explain how this happened and what we needed to do to fix it and prevent it from happening again.

I was angry as I read through the email as it contained allegations that might or might not be true. For example, there was an allegation that the root password was known to a bunch of consultants. I was also mad because the email caught me by surprise and I think it was something that could be resolved (if necessary) without making a mountain out of a mole hill.

Anyhow, my first task was to confirm the facts before venting on the colleague, and a request was sent to him to get the names of the consultants allegedly having access to the root account. The reply didn't surprise me at all as there was no evidence to support the allegations, but the colleague had gotten the information from one of my guys! The excuse from my guy was that he had assumed that if one consultant has access, the rest of the consultants also have access; after all, they are consultants and have no morals!

Anyhow, the bottom line was that there was no basis to the allegations, and the meeting that took place ended up with hardly any action items other than for the Manager of Security to draft a Terms of Reference for current and future consultants as to their responsibilities and non-disclosure for matters related to my organization.

So, what's wrong with an employee raising concerns (valid or not)? Well, the concerns themselves are not the issue (other than the fact that they are not valid) but more so the approach taken. In this particular case, there is only one person at fault (the colleague). Why, you ask? Well, there is no evidence that my employee went directly to my colleague to complain. What my colleague should have done was to either advise my employee to raise those concerns with me OR bring those concerns to me. He also made a faux pas by not going to my manager directly but instead raising it to other managers outside of the group.

Now, what if the concerns were raised to appropriate folks and nothing was done? I would advise a couple of things: a) if the folks that you had raised your concerns to promised to do something but didn't, then send them a gentle reminder; b) if the concerns are ignored, then draft a proposed strategy to mitigate the risk - this way, the concerns are addressed and you don't put yourself on your manager's black list for not being a team player. Of course there are other options, like leaving the organization, transferring out of your current group, etc. but I am assuming that you enjoy where you are working and just wanted to make sure that concerns are raised and addressed.

With my colleague, I am more reluctant to share non-task-related information in case he uses the information out of context, either to further his own aims or by accident. I will still be a team player where it is necessary but no more and no less with this particular colleague (after all, you don't have to be best buddies to work together).
