Rank Has Its Privileges

Image: Conjectural design of the proposed six-star rank insignia for US General of the Armies, from 14 December 1944.

"Rank has its privileges" is such a strong part of military life that this concept goes by its acronym: RHIP. Alas, this concept is not limited to the military. Plenty of civilian workplaces have cultures that encourage leaders to use at least some of their power to make their lives easier and more convenient. This tendency is often more annoying to the rank-and-file than anything else. After parking in my unprivileged parking spot and walking a good long way in the cold or rain, I have felt a stab of bitterness as I slog by the cars which are parked closer to the building and under some kind of shelter.

If that were all RHIP ever did to an organization, we could just shrug it off. A little resentment by underlings isn't going to hurt the organization much and perhaps that resentment spurs some people's ambition, which might be good for the organization.

Alas, in the Cyber Security realm, RHIP does much more damage than cause a little resentment or bitterness or jealousy. As we often say at Pythia Cyber, security is inconvenient. If your leaders are in the habit of using their positions to avoid inconvenience, then your organization is at risk of having its leaders use their positions to avoid Cyber Security. Not only is Cyber Security inconvenient, but it is usually enforced by lower-level or mid-level employees. This means that underlings are in the position of policing their superiors. If those superiors are apt to brush aside both underlings and inconvenience, then you have a problem.

(Signalgate is a painfully good example of RHIP run amok. We have a blog post on that incident.)

What does this problem look like? One example from my career as a software provider leaps out at me. The product creates a rich clinical data environment which consultants (MDs or PhDs) use to form clinical impressions, which impressions are low volume, high value events. So these consultants have high status. One of these consultants complained to me about the inactivity timeout in the app, which is a HIPAA requirement. I was politely unhelpful: there is no way to avoid this feature (you get logged out if you are not actively using the app) because we have to assume that you have walked away, even though you may be sitting right there, lost in deep and contemplative thought. We take into account whether or not the computer you are using is in a secure location, but a wireless laptop has to be assumed to be anywhere at all; I gave this consultant my usual worst case scenario: a laptop might even be in a Starbucks. As it happened, she told me, she does her work in Starbucks all the time and when the timeout had annoyed her, she had been getting coffee.

I took some deep and calming breaths and then explained that working in Starbucks is a bad idea, privacy and security-wise, but walking away from an active session with Private Health Information on the screen in a Starbucks was a much worse idea. She paused, presumably carefully weighed my well-reasoned arguments and considered my deep experience and replied that she would keep on doing exactly what she had been doing.

If that had been the end of it, it would have been bad enough, but later I was scolded by the owner of the medical company, who told me that she had told him that not only had I refused her reasonable request for a longer timeout, but that I had been rude about it. Rank has its privileges, but being overly privileged is a problem that keeps on giving.

This kind of interaction, lamentably common in my career, was a large part of why I started Pythia Cyber in the first place: Cyber Security lives and dies by human behavior. Bad behavior beats good technology, every time. So we at Pythia Cyber have a team that does not merely include behavioral experts, but that lives the mantra that Behavior Is Critical to Cyber Security. We help you guide the people and help you lead the leaders, as well as helping you harden your IT infrastructure.
