Catch and Release Security

A little break from brain-dead…

Catching a fish without harming it and then letting it go is a great experience. Face it, it’s a win-win situation: the fisherman is entertained in the chase and the fish lives on.

Security policy enforcement isn’t an area frequently associated with Stephen Covey, but it can be.

An IS program is founded on policy, and at a fundamental level, policies are designed to protect the company from harm. Effectively, people who violate policies are hurting the company.

If a business fails to respond to bad behavior, or only selectively enforces policies (spot enforcement), it risks failing to deter abuse and being unable to enforce policies when they are really needed. (Note that it risks plenty of other things too.) On the other hand, militant enforcement for minor policy violations is rarely useful over the long haul. The process can and should include discretion in how violations are dealt with.

As an example, WalMart recently fired several security employees for violating a company policy when the shoplifter they had escorted to a security room pulled a gun. Fortunately, the team disarmed the individual and held him until police arrived.

Apparently, WalMart’s enforcement process is simply firing people for any policy violation. The policy the employees violated states:

“If at any point the Suspect or any other involved person becomes violent, disengage from the confrontation, withdraw to a safe position and contact law enforcement.”

In its defense (and I’m no fan), WalMart sees the employee actions as risking harm to more than just those directly involved in the confrontation (including harm to customers). It’s a great example of where variable penalties, based at least partially on circumstances, might have worked out as a win-win for the employees and for WalMart.

For example, a letter noting the policy violation could have been privately shared with the employees and filed with personnel, explaining the circumstances and the relevant policy violation. WalMart could have retained the staff involved in the incident, and recognized them for their brave action in averting a larger confrontation.

WalMart could have avoided some pretty bad publicity, the employees would still be gainfully employed (and justifiably proud of themselves), and we all could have had something positive to read in the news. Talk about a “FAIL”.

Discretion is a funny thing and it’s important to at least be consistent across similar circumstances, but it clearly has a place in the process. Consistency is also aided by having progressive penalties defined before needing to apply them.

Just like catch-and-release, balanced policy violation enforcement is win-win. The company protects itself and fair treatment encourages compliance without contempt.


Posted February 22, 2011 by jeffkeith in Security
