Securing the Unofficial Organization

April 22, 2009

It was only a minor annoyance. My health club uses the member’s club ID card to activate the locks on the locker room lockers. I had neglected to collect my card from the locking device after leaving the gym last week, and explained my dilemma to the desk clerk the next morning. She opened a drawer and looked through a mountainous stack of forgotten membership cards, but failed to find mine. I asked her if I could use a temporary one. She said I would not be able to, and would have to settle for a paid half-locker in another room — away from the showers and sinks. I wasn’t buying that answer.

Instead of quarreling with the front desk person further (who was obviously reading from a well-worn script), I temporarily accepted my fate and walked toward the main locker room where I passed the attendant who was in charge of fresh towels and locker room supplies. She is usually there during the week, and always welcomes me with a smile and a personal greeting. In return, I endeavor to have a fresh joke or witticism to share.

As I approached this particular morning, I hung my head, pushed out my lower lip, and told her I wasn’t feeling loved that day. After she enquired about the stability of my marriage, I explained my dejection had nothing to do with my spouse, but with the front desk clerk. I told her the predicament, and she rolled her eyes and exhaled loudly.

“For Pete’s sake,” she said, “y’all pay enough for a membership, why do they insist on punishing you for a lost membership card?”

“I don’t mind paying the small replacement fee,” I replied, “it was my fault. But I don’t like the inconvenience of dressing in another room while they take a couple weeks to mail me a new one.”

“Well, we’re not going to let those corporate suits make you get dressed in the paupers’ area. I just may have something right here…” She reached into a small drawer under the counter and produced a blank membership card with the tab that allows you to secure the locker and remove the key.

“Here,” she said, “take this and drop it off with me when you’re done.”

I thanked her profusely, and continued to take advantage of her help until my new card arrived in the mail. For the rest of the two weeks it took me to get the new card, I would check in with the front desk clerk, then check in with the towel attendant, get the secret key, and use my regular locker. In return, I brought her a fresh cup of coffee each morning.

In any organization, there is official policy and the official personnel structure to enforce it. However, everyone who has held any job where more than two people are employed knows there are relationships strung throughout the group that are not reflected on any organizational chart. This unofficial organization can be even more pervasive and more efficient than the structure originally designed to accomplish the group’s mission. In fact, this unofficial organization, as I call it, usually evolves to simplify the processes laid out by senior management. Basically, most of us want to find the most efficient and effective way to get things done. Building and managing our personal unofficial organization can make our work life easier.

I use the unofficial organization where I work frequently. I will dutifully comply with the corporate policy for getting my laptop repaired by filling out the online forms and getting in a queue. However, I know my machine will get the best service and most timely turnaround if I can short-circuit the process and send the box directly to an engineer I have nicknamed Dr. Z. If Dr. Z. fixes my laptop, it will be done right and done ahead of schedule. An offering of a chocolate bar and a nice “attaboy” note to his boss ensures prompt and flawless service.

I could be accused of manipulating people for personal gain, but that’s not really the case. I am really grateful for personal service from my friends, and in return, I feel an obligation to provide tangible proof of my appreciation. I consider the towel lady at the gym and Dr. Z. my personal friends. I am treated as a friend in return. I have built and maintain an unofficial organization to make my work and personal life easier.

When you’re managing security, the unofficial organization may be a blessing, but it’s always guaranteed to be a curse. Employees and customers will leverage the unofficial organization to make their interactions more efficient, and that often means bypassing security enforcement controls you have implemented to protect organizational resources. The unofficial organization may be allowing unauthorized people into sensitive areas. They may be sending confidential information out through Web-based e-mail clients to avoid firewall and e-mail controls. They may be using communication paths and technology tools you cannot monitor or manage. In order to be an effective security leader, you need to understand how the unofficial organization works, and how you can provide protection of valuable resources knowing those personal friends and special relationships will always flourish.

John McCumber is a security and risk professional, and is the author of “Assessing and Managing Security Risk in IT Systems: A Structured Methodology,” from Auerbach Publications. If you have a comment or question for him, please e-mail John at: [email protected].