Blog detail

Organizational Transformation Barrier: Corporate Security Policies
Organizational Transformation Barrier: Corporate Security Policies

The Barrier
This is the first post in the ‘Barriers to Organizational Transformation’ series and it is the Friday before Memorial Day so I thought I’d start with something light but important: Those corporate security policies that disallow openly displaying information on walls, hallways, etc.


The Effect
As you can imagine, the problem with these outdated and frankly useless policies is forbidding to put up any vital visual management tools (e.g., task-boards, burn-down charts, defect rates, etc.), architecture diagrams, meeting boards, etc. and have to erase everything from whiteboards at the end of the day.

I have actually been present at sites where we just got through getting the team bought-in and excited about the idea of transparency though visual indicators and information radiators, agreeing upon and constructing the visual information radiators and installed them and then promptly being asked to rip them down by security the VERY SAME DAY! This was not just a blow to morale, but set the transformation back since it was one of the pilot teams. Unfortunately, I see this barrier in almost every client I work with.


The Reason
The reason behind this policy is that they do not want vital information to be seen by someone on the outside, especially corporate spies. While I can understand this, consider the amount of security that needs to happen before someone can even get in, starting with a badge that has to be authorized by a guard or an electronic system. I have seen this policy enforced even when there were 3 separate locked doors standing between the would-be ‘spy’ and the information.

Consider a couple of things:

  1. Would someone who can breach physical security not be able to get to your wiki, most of which are available on the intranet w/o a username and password?
  2. Is the fact that John Q Engineer is blocked on task #3 on day 5 of the sprint actually useful information? Will your competition’s CEO look at that information and say, “My plan to take over the world is coming together nicely, now that John is blocked on task #3 ”?
  3. Even if it is a guest or a customer, would it really matter if they looked at that information?


The Solution
Fortunately, the solution to this, even in the some of the most rigid environments, is reasonable simple (compared to the other barriers, anyway). Meet with one of the managers (the highest-level manager you can get to) of the security group in your physical space and go over the use and importance of these information radiators with them. Explain to them what they are and why they are needed and why the information isn’t harmful and they will usually grant an exception. In many cases, there is an exception form that has to be signed by a manager or director within your group.

Sometimes they will ask you to obfuscate some of the information or ask that just a small part not be displayed or taken down and locked up when not being used. We concede to some of these, especially architecture. Many of those are easily resolved by doing what we need on the whiteboard, taking a high-quality picture (or set of pictures) and displaying them in a secured site.

I once had one of these meetings where they said everything is allowed to stay up as long as you write the codename backwards. We had to laugh at the fact that we have a codename for a codename. Like someone from the outside is going to look at it and say “utkubmiT? What’s that? Darn-it! My plans are foiled once more!” None-the-less, it was a small price to pay and we complied.


Do you have any war stories with this barrier? Please share. We’d love to hear them.