Blaming the IT Guy: How CYA Becomes CYPA
Most people know the old "CYA" policy. It's about employees protecting themselves from criticism, administrative penalties or any other sort of punishment that comes after a major screw-up.
In the IT world, the buck usually stops with the ones who run the networks, so we have to do a little extra to cover our rear ends. We make runbooks, add alerts and monitoring, publish uptime statistics and whatever else to prove the network is running from end to end. All of this helps ensure that when fingers point our way, we can throw our shoulders back and know we covered all the bases.
CYA is common within all sorts of organizations, but my former CIO - we'll call her Deborah - employed a variation she called CYPA, which stood for “Change Your Password, A******.” Instead of allowing IT to bear the brunt of wild, unfounded finger-pointing, Deborah proactively headed off potential attacks with her CYPA policy. It was kind of nice, but also a little misguided.
Basically, it all stemmed from the growing number of mobile workers within our organization. Although they still only represented a small portion of our workforce, these people were responsible for the vast majority of helpdesk tickets. You see, while all the local folks were able to utilize our services onsite, mobile workers had more of a patchwork network that was frustrating and inefficient.
That said, the biggest problem originated with a coworker on the other side of my cube wall. He managed Active Directory, and his password rules were rough stuff: Each one had to be about a quarter-of-a-million characters long, with a dozen special characters and a precise percentage of upper case letters. Worst of all, employees had to reset their passwords every two months, and if they ignored all the warnings and emails, they were done. Booted off the system. No way to email the helpdesk. No way to reset their passwords without picking up the phone.
While Deborah liked the notion of frequent password rotation, she was not happy about the constant finger-pointing from mobile workers who were mad about being locked out of the network. In response, she established the age of CYPA. Basically, CYPA passed the onus onto the people who were complaining the most. Can't reach the network? Can't access the helpdesk? Blame the clown in the mirror.
While CYPA made a good point, it always left me conflicted. I mean, don't get me wrong, I appreciated being spared from all the finger-pointing. Still, I've always believed IT isn't just about building good services and tools, it's about supporting the people who use them, even if they do behave like clowns sometimes.
While it did save me from finger-pointing, CYPA also turned me into a finger-pointer. It also didn't make us a closer team and it really didn't even tighten up the ship all that much.
Ultimately, CYPA left me with the understanding that we don't need to be trading responsibility and blame. We need systems and processes that simplify and enhance business operations, while providing enough CYA to keep everything safe. The networks of the future should provide this without pushing so much responsibility onto end users or the IT people who are already busy enough trying to C everyone else's A's.