Cool as McCumber: Understand Your Boundaries

May 20, 2009

I have been watching the increasingly intertwined political and financial communities with what started as mild amusement and what now approaches alarm. What ostensibly started as a problem with a large number of insolvent mortgages and bank liquidity has evolved into a worldwide financial mess. I refuse to call it a crisis. My father taught me that any problem that can be resolved with money is not really a problem at all. Apparently, our political leaders believe they can solve this particular problem with our tax monies — lots and lots of it. If that’s true, it’s not really a crisis, even if it is a problem.

The TARP bailout scheme, the so-called Stimulus Bill and a ballooning federal budget deficit have been the responses put forward to resolve what the politicians and media are painting as a crisis. Of course, the word crisis is trotted out in almost every scenario where prudent people will be expected to demand “action.” That action can take nearly any form, and the rush to action will often quickly eclipse any time required to carefully analyze the potential impact of any proposed solution.

Many Americans have jumped into the fray to decry the federal government’s plan to shovel unimaginable amounts of money into banks, insurance companies and mortgage lenders. Of course, we all want to avert a “crisis.” The major challenge is ensuring we have identified the root cause and are not simply applying salve to the symptoms. Once we’ve effectively accomplished that task, only then should we be engaged in evaluating possible solutions. A key component of this step is to make certain we understand all the ramifications of implementing any proposed solution — both intended and unintended. It’s those unintended consequences that bite you every time.

Even if supporting the banks and insurance companies with taxpayer money is the best solution, it presents the appearance of rewarding undesirable behaviors. If a certain bank or manufacturer is “too big to fail,” it puts legislators in the business of determining winners and losers in a supposedly free market economy. Where does that power begin and end?

There was a recent flap over whether or not those institutions that received the bailout monies should honor contracts they had with their executives in the form of bonuses. On its face, paying a salary component called a “bonus” to a manager in a company that’s on the brink of bankruptcy is lunacy. However, I don’t want Washington politicians being in the business of determining anyone’s income potential — except government employees.

The genesis of all this manic hyperventilating over employee bonuses was the day our elected leaders crossed the line by making us a nation of unwitting investors in a variety of poorly managed banks, insurance companies and manufacturers. The fact that politicians are rushing to the nearest microphone to vent their outrage should be prima facie evidence of their sheer incompetence. Legislators simply had to foresee that throwing enormous sums of taxpayer money at these private companies would spawn a national debate over the salary of every affected individual and Congressional demands for state-approved products. All the resulting imbroglios are the result of claiming a “crisis” as a means to cross a line heretofore sacrosanct in our nation — state-funded and managed businesses.

The lesson for security practitioners is clear: align your personal and corporate ethics and establish the boundaries for all your professional actions. Plan ahead to understand these limitations, and know when you will simply not bend — even in a “crisis.” When difficult times arise, understanding exactly where your boundaries lie will provide you a sound plan for weathering the storms of unexpected problems. When you cross those boundaries — even during a temporary exigency — you must be prepared for the unintended consequences of your actions.

I had a colleague relate such a challenge when we shared a coffee last week. He has been an accomplished security consultant for a number of years and has always staunchly refused to perform external penetration attacks without the complete knowledge and approval of all affected parties — especially the IT staff. He always felt it was unprofessional to launch surprise attacks without the comprehensive support of the IT personnel.

He was approached by his employer to use his team to perform a “surprise” test for a very senior corporate client, without the involvement of anyone else in the affected company. He reluctantly refused by carefully explaining the nature and location of his boundaries. Even when the client offered a 30-percent uplift on the deal, he still said no thanks. Although his superiors weren’t happy, they acquiesced to his professional position.

When a competing consultancy took the job, it blew up in their faces. The individual who had contracted for the work was summarily fired by the board of directors of the client company. The security consultants were dismissed with a professional black eye, even though they had performed the work exactly as directed. They hadn’t established their boundaries, and when a “good deal” was offered, they eagerly signed on, only to face unintended consequences. Contemplating and defining your boundaries before the next “crisis” hits will ensure you make the right call.

John McCumber is a security and risk professional, and is the author of “Assessing and Managing Security Risk in IT Systems: A Structured Methodology,” from Auerbach Publications. If you have a comment or question for him, please e-mail John at: [email protected].