Recently, my nine-year-old son informed me that he had observed over time how I always seem to help other people and how others always depend on me. I said to him that, in a way, he is much the same, as he is always saying 'yes' to doing little jobs. Together, we defined ourselves as being 'yes persons.'
However, as our conversation evolved, I said to him that it’s not always a good thing saying 'yes' to people. You should only say 'yes' to someone when you know it is within your ability to do whatever is requested of you, you are allowed to do it, and the task does not impact other activities.
I have always been dependable to my friends, family and colleagues throughout my life. I’m proud of being able to help others. However, as a 'yes person,' I learnt to follow the three core principles outlined above:
- Can I do it?
- Am I allowed?
- And, do I have time?
Is it a good thing you have people in your organisation who are willing to help others and say 'yes' to most things that are asked of them? Some would say 'yes, that would be a benefit.' Others may say 'no, it could be dangerous.'
So, what are they saying 'yes' to?
Throughout my career of working in the information security industry, I have come across a number of people who said yes to breaching controls or policies to help another colleague or team. I have witnessed someone adding someone to a restricted 'domain admin' group, and I’ve even seen someone make a change to a critical firewall without going through change control, doing it as a favour.
In the past, one of the areas I specialised in was computer forensics and investigations involving employees. Over 15 years, I’ve pretty much seen it all, from persons selling illegal DVDs at work to persons stealing printer paper, threatening to kill someone, and threatening to end their life as the evidence I had on them was career-damaging, as well as influential over their personal lives.
What I did come across as an investigator, though, was a set of rules and policies being violated to just 'get the job done.'
In their defence, they thought they were doing the right thing by getting the change done to the system when, in fact, no testing or regression planning had taken place. This could have had a significant impact on the organisation.
Do you have a 'yes person' within your organisation? Do you know someone you can turn to and depend on and who is willing to do anything it takes to assist?
Let me put it another way: do you have any visibility on who these 'yes persons' are and what changes they are making to your critical systems that are not going through change control?
Tripwire's file integrity monitoring (FIM) and change management solution provides complete visibility over all changes made to the corporate network and who made those modifications. It then compares that change to what was supposed to happen in the IT environment. Personnel can use that insight to confirm that a scheduled change actually occurred and quickly address unexpected changes.