• United States



A Joke Gone Bad

Aug 01, 20049 mins
IT LeadershipSecurity

When should you bend the rules to keep from losing a great employee who makes a mistake?

I appreciate a good security policy as much as the next guy. Good procedures help employees understand that no, it’s not OK to spend all morning surfing porn sites, and yes, it really matters if they leave our strategic plans spread out in a conference room for all the cleaning staff to see. But sometimes, good judgment just has to trump the policy book. The rules, after all, are not there to give us security folks authority

they’re there to make the organization secure. I learned that the hard way early in my career.

In a previous life, long before I became a chief security officer, I was a nuclear missile launch commander. In my unit was a fellow missileer we called “Special Ed” because he really was dumber than warm water. Special Ed was also very religious, and one day one of the other guys decided to play a practical joke on him. This wise guy typed several Bible verses onto a roll of paper that was used to print out missile statuses and alarms. He replaced the paper in the status printer and left with a sly grin.

Later, in the wee hours of the morning, Special Ed began receiving alarm information that caused him to review the paper tapes. “Power failure launch facility No. 8,” the tape read. “You shall sow what you reap.” Ed blinked twice and advanced the tape. “Power returned launch facility No. 8. No man can serve two masters, he will love one and despise the other.”

Ed scratched his noodle. What could this be? Bible verses, a powerful computer, a powerful deity…. Then, it came to him. God had taken over the computer that controls the U.S. nuclear missile forces. The most powerful force on Earth was now being controlled by the most powerful force in the universe.

Ed shot off an encrypted message to the Strategic Air Command (SAC) Headquarters informing them of the nonhostile, heavenly takeover. Ten minutes later, I received a call at home requesting my immediate presence for an emergency assumption of command at a missile silo. I jumped into my uniform, raced to the base and was escorted on board a waiting military helicopter with 12 military police armed with M16s and wearing flak jackets. We were ready to kick ass and take names.

A colonel hailed me on the helicopter radio on the flight out. “Son,” he said in a no-nonsense, Texas accent, “we have a potential broken arrow here. You have any idea what that means?”

Actually, I didn’t; it was too early. Luckily, the colonel was asking a rhetorical question. “A broken arrow means potential loss of control of a nuclear weapon,” he continued, pausing for effect. “Lt. Jones believes that God has commandeered the missile silo.”

“I don’t think that’s possible, sir.”

“Damn straight it’s not possible. God hasn’t been screened under the Personal Reliability Program, and He has not gone through an approved training program,” he said. “Your job is to go in there and relieve Lt. Jones from command. The use of deadly force is authorized, if warranted, but you are to exercise your best professional judgment to take back control of the capsule with minimum casualties. You understand me, son?”

“Yes, sir,” I replied.

We choppered down at the site, and I took the elevator down to the missile silo. When Ed opened the blast door, he said, “You won’t believe what I’ve found.”

“I know all about it, Ed. SAC wants to hear all about it, too. I’m coming down to take over the alert for you so you can go back and give a detailed report to the base commander. This is big news.”

“Really?” he asked, beaming. “You think I’ll get a promotion out of this?”

“They’ll be talking about you for years.”

With that, I relieved Special Ed. When he returned topside, the cops arrested him and flew him back to base.

In this situation, both of the men, Special Ed and the wise guy, had exercised poor judgment. Special Ed could have asked some of his crew buddies before he decided to notify headquarters. And the wise guy should have remembered that nuclear weapons aren’t something you use to amuse yourself. The emergency never would have occurred, and no one would have gotten in trouble.

But they did. Special Ed was sent to Washington, D.C., for a couple of weeks of psychological testing. The way the story got told around missile command, the doctors all thought Special Ed was mentally OK, but lacked “sound judgment.” They thought he should no longer be allowed to serve missile duty. Unfortunately, at the time SAC was short of personnel and couldn’t really afford to lose a trained crewman even if he wasn’t exactly the sharpest knife in the drawer. Besides, hadn’t he passed the Personal Reliability Program? Hadn’t he passed the evaluation for missile crew commanders? Special Ed was placed back on duty.

And the wise guy? They court-martialed him. We all felt sorry for him. He was a good guy. He just didn’t appreciate that Special Ed really did deserve his nickname, and that Strategic Air Command didn’t have a sense of humor. The only good thing was that he didn’t have to serve any prison time.

SAC was obviously trying to send a message to its missile crews that nuclear duty is serious business. Fine. But in doing so it lost a person who, except for one lapse of good judgment, was an otherwise outstanding performer.

Had I been making the decision, the jokester would have been taken to the colonel’s office, put at attention against the wall and screamed at until he sweated a shadow. The attitude adjustment session would have ended with the colonel telling him never to do it again and then giving him a wink and telling him to get back in the game. I guarantee if that had been done, the Air Force would have kept a motivated officer.

In the years since then, I have seen numerous examples in civilian life of great employees showing their humanity by making mistakes. I also know that, if the mistake isn’t too egregious, you canby exercising a little good judgmentuse the incident to remotivate that “problem” employee back to being an outstanding performer.

Recently, for example, I asked a vendor to give a presentation about a service it has that infiltrates hacker groups and uses the intelligence gained to keep customers abreast of attacks that the hacker community is plotting. I invited many people from my company with an interest in security.

One person at the meetingwe’ll call him BJ for bad judgmentwas a brilliant network engineer with a peculiar sense of humor. During the meeting, the vendor brought up a website purporting to show the relationships among several well-known criminal hackers. One hacker, Malboy, supposedly had a girlfriend named AllySin.

When BJ saw the screen, he immediately piped up. “That’s not right. I’m Malboy, and AllySin is definitely not my girlfriend. We just went out together a couple of times; that’s all.”

An uneasy laughter rippled across the room. BJ wasn’t smiling. His face was still focused intently on the screen. “And here,” he said, pointing to the screen. “I didn’t write the Netsky wormit was the Klez worm that I wrote. I did it one night with the inspiration of a bottle of fine cabernet.”

“Uh, let’s move on,” I said looking at BJ, searching hard for some hint of humorous intent on his expressionless face.

Move on we did. After the meeting, the security vendor and I compared notes. The hacker in question, Malboy, was wanted by the FBI on many counts of federal computer crimes. I contacted human resources, and together we began to investigate whether BJ was actually the hacker Malboy.

BJ’s manager and HR authorized a search of all of his e-mails. We reinitiated background and financial checks of BJ. We looked at the network logs to see his activities and the Internet sites he had visited. He came up clean on all accounts. BJ’s lifestyle and personal interests also didn’t match the profile of what was known about Malboy. There was only one rock left to overturn: personally confronting BJ. I called a meeting with BJ, his manager and the head of HR.

I cleared my throat. “I don’t know a good way of saying this, so I’m just gonna say it. Are you really Malboy?”

“Malboy? Who’s that?” he asked with a genuinely quizzical look on his face that, upon another second’s reflection, changed to horror, “Oh, you can’t be serious,” he said. “You’re not referring to that joke I made at the vendor meeting?”

Indeed we were, but this was really the first intimation that BJ had ever given that, yes, this had indeed been a joke. After his manager and the head of HR berated him for the next 30 minutes for poor judgment, I felt like putting him in a headlock and giving him a noogie on his noggin. But, of course, I didn’t. I too weighed in with an obligatory (but short) speech about some things you just shouldn’t joke about.

The toughest part, though, was what to do with him. Should he be punished? HR and his manager turned to me for a recommendation. The guy had been with the company for eight years, really was a top-notch performer and got along great with his coworkers. I said he had been punished enough with the severe lecture we had given him and that no further disciplinary action was warranted. They took my advice, and BJ remained an employee of the companyalbeit with a more controlled sense of humor.

Sometimes, I’ve learned, security people get so caught up in following the letter of a regulation that we ignore what it was written to address in the first place. Whenever I get in a situation where I realize I’ve become too myopic about the rule book, I just think back to Special Ed and Wise Guy, or to the incident with BJ. I remind myself that good security rules, when followed to the extreme, have nothing to do with good security.