Time to Back Away From Telecommuting? Nope

Yahoo’s CEO Marissa Mayer announced the end of telecommuting at Yahoo. While some decry this as a step backward, the other side of the story is that there was widespread abuse of telecommuting and a lack of accountability. The move might be a de facto layoff, too, if some people would quit rather than work on premises.

But is Yahoo’s action a warning that telecommuting isn’t everything it’s cracked up to be? Nope.

The problem I have with all the arguing over whether telecommuting is worthwhile, or whether Yahoo made the right decision, is this: Your Mileage May Vary.

People keep talking like telecommuting is one thing that works one way, and that it has a consistent, specific set of benefits and disadvantages, for everyone, everywhere, all the time.

Are you more productive in the office or at home? Not everyone has the same answer, and often it’ll depend on the task. Your workplace has resources and distractions. Your home has resources and distractions. There’s no universal answer to say one is always better than the other, for every person, for every task. A report from the Bureau of Labor Statistics (“The hard truth about telecommuting”) says telecommuting “seems to boost productivity, decrease absenteeism, and increase retention.” That’s good news, but it’s a trend, not a universal truth. The BLS report also notes that telecommuters tend to work longer hours, and that telecommuting often falls short on offering a better work-life balance. Here too, a trend is a trend, not a universal rule. Your mileage may vary.

Does a company save money on office space when people are telecommuting? Only if the company removes or reassigns your office space when you switch to telecommuting, and only if the cost savings are greater than any cost increases associated with extensive telecommuting. Does Yahoo have plenty of empty office space and unused office resources sitting around, ready for the returning workers? If so, Yahoo has been wasting money maintaining an environment people weren’t using: heating and cooling, electricity, cleaning services, network connectivity, office supplies, and so on. If not, Yahoo is facing a sizable cost of getting the workplace ready for a big influx of workers. Your mileage may vary.

Ms. Mayer mentioned one area that really does differ between telecommuters and office workers: face time, or the lack thereof. There’s a lot of value and opportunity in the ad hoc communications that can occur when you’re with your colleagues. Communications benefit when you see facial expressions and body language. You lose out on all that when you’re working alone, physically isolated from your colleagues. One telecommuter’s lament (“17 Telecommuting Disadvantages”) is mostly about the lack of face time. Some research suggests that a lack of face time can affect your evaluations (“Why Showing Your Face at Work Matters”).

How do you handle the lack of face time for telecommuters? There are several ways to offset it:

  • In-office days: Arrange for periodic in-office days. Maybe one employee splits up each week by working three days in the office, two days at home; the employee gets some face time, and some isolated time. Maybe the employee comes in once a quarter, and you take full advantage of the opportunity with events or activities that would most benefit from having the person on site.
  • Video conferencing: Some meetings or conversations could work better if you can see the remote people on a screen.
  • Educating staff on audio conferencing: Mostly, problems on audio conferences are the result of people not being used to them. Tips and reminders, or just plain frequent usage, can help.
  • Make online conferencing the norm: Skip the meeting table with a speakerphone in the middle. Have everyone use online meeting tools, whether or not telecommuters are involved, so that your location is immaterial.
  • Acceptance: The offsets above can help reduce the problems of losing face time, but they won’t eliminate them. Another “offset,” therefore, is simply to accept that the reduction in face time is a cost of doing business. If the benefits of telecommuting outweigh the hassles, take a breath and accept it. There are potential disadvantages for those who show up on site, too, but we accept those as a normal cost of doing business.

It Depends: On the Person, the Place, and the Thing

The way to look at telecommuting is that it’s not a universal good or a universal evil. Handle it case by case.

It depends on the person. Is this employee reliable and trustworthy? Experienced and resourceful? Fully onboarded and acculturated? An employee who gets the organization’s culture and who can work unsupervised is a good candidate for telecommuting. An employee who’s still learning the job, or whose reliability is in question, might need more in-person attention.

It depends on the place. Does this employee have a home environment that’s suitable for telecommuting, including the necessary connectivity and equipment, and a reasonably distraction-free work space? I’d want to make sure telecommuters understand what’s expected.

It depends on the thing. Will the employee be performing “black box” tasks, for which all you care about are the outputs? Does the employee consistently have enough of a workload of such tasks?

Culturally, you might have a challenge convincing the staff that telecommuting isn’t for everyone. You might have a challenge if telecommuting appears to favor some groups over others.

In the end, not everyone gets to telecommute, and not every telecommuter is a 100% telecommuter. I’d rather handle abuses case by case instead of letting a few bad citizens ruin things for the good citizens, but if the abuse has become widespread enough among your telecommuters, it might indeed be time to pull the plug – and time to find out how the abuse got so bad before anyone took useful action.

Jim

Breaches Gonna Happen

Two simple tests tell me whether someone does or doesn’t get infosec.

The First Test: Do you think your systems will ever suffer a breach?

If you say yes, if you assume there’ll be a breach, sooner or later, because nobody is invincible, then in my book, you get infosec.

If you say no, because you think nobody could get past your infosec solutions, you don’t get it. You’re adding to the risk if you think you’re invincible.

The best infosec people assume a breach will occur. Certainly, they strive to prevent a breach, and to detect and contain a breach rapidly if one occurs, and to recover rapidly and thoroughly, but they never assume they’re invincible.

The people who worry me most about infosec are the ones who think that any breach means someone needs to be fired or something needs to be replaced. These are the people who play the blame game: if something goes wrong, there must be someone or something you can blame (other than yourself, of course).

Take, for example, the flap over Symantec anti-virus and the New York Times breach. The New York Times got hacked, and Symantec’s anti-virus tools didn’t stop it. One of the sure signs that someone doesn’t get infosec is that they think an anti-virus tool should make them invincible. I’ve never heard an anti-virus provider make that claim. If the Times thought an anti-virus tool should be 100% successful against 100% of attempts, shame on them for dangerously naive security planning. It’s like thinking that a lock on your front door should prevent all crime against you.

As reported so far, Symantec tools captured only one of the 45 pieces of malware that had invaded the Times – but was that because the malware was delivered where anti-virus tools weren’t deployed or involved? Were the anti-virus tools misconfigured or out of date? Was the malware customized not to match known virus signatures? Were there ways for the Times staff to bypass virus checking? Was it the only tool in the toolbox? Back to the door lock analogy: if there’s a crime in my house, I wouldn’t blame the front door lock until I determined that’s where the criminal got in, and that the lock had been properly locked. Even then, if the criminal got in through a locked front door, I wouldn’t declare it’s time to stop using door locks.

If it turns out that the anti-virus tools at the Times were thoroughly deployed and properly configured, and the attacks got through only because they didn’t match known anti-virus signatures, that confirms what people who get infosec understand very well – that anti-virus tools alone aren’t enough. If the anti-virus tools are indeed catching lots of other malware, they’re still serving a purpose, but failure to stop this breach doesn’t mean it’s time to throw out the anti-virus tools.

The Second Test: Do you think infosec decisions are business decisions or technology decisions?

My second test is as important as the first: Is infosec a business decision or a technology decision?

If you think it’s a business decision, you get infosec. If you think it’s a technology decision, you don’t. No tool is universally the right answer; business matters drive the selection and usage of tools.

The “IT knows best” crowd – or, one might say, the “shut up, it’s good for you” crowd – thinks technologists should decide which solutions to enact and how to configure them. Sometimes, IT people are the ones with this attitude, but sometimes it’s management: the managers who dismiss infosec discussions as icky techie stuff, so they wash their hands of it and leave it to the technologists to magically render the organization invincible.

Is this what happened at the New York Times? Did management fail to view infosec from a business perspective, and then find itself astonished when the security tools in place didn’t match up with business needs? The fact that the Times is looking for someone or something to blame suggests to me that management at the Times doesn’t get infosec.

Infosec decisions are business decisions, based on impact and likelihood. The potential breaches that have the greatest impact – from the organization’s perspective – and the greatest likelihood, need the most thorough protections. The potential breaches that have the least impact and the least likelihood don’t need the most thorough or costliest solutions, and in fact you’re wasting your resources if you overdo the security in those areas.

You can pass the tests with or without an infosec or IT background

You can pass both of my tests whether or not you have an IT background, and whether or not you have an infosec background. You don’t need to be an expert to understand that breaches are always possible or that infosec decisions should be driven by the organization’s needs, and not just by technical matters.

What really led to the breach at the New York Times? The reports so far don’t say, but there are multiple possibilities:

| | Management gets infosec | Management doesn’t get infosec |
|---|---|---|
| Infosec staff gets infosec | The infosec environment was good, but management and staff both understood that no solution would be 100% effective every time. They’ve got work to do to recover and adapt, but they understood a breach was always a possibility. They’re not blaming a tool failure until they find out that’s really the culprit. | The staff did the best they could without much help from management, and they knew a breach was entirely possible, but now management is fishing for something or someone to blame. |
| Infosec staff doesn’t get infosec | The staff did a poor job of delivering an infosec environment that matches business needs. This breach might have been preventable, if they had delivered a better environment. Management would get after the staff for poor execution, and wouldn’t single out one tool as the cause. | It’s no wonder this breach occurred. Management and staff together thought that as long as they deployed some anti-virus tools, this kind of thing couldn’t happen. Of course they’d try to blame the anti-virus tool for their problems. |

We may find out more later on, but for now, trying to blame the anti-virus tool at the New York Times suggests that somebody there doesn’t get infosec.