As I stand in an office high above the streets, looking out the window on a beautiful sunlit day, I listen to another story about Eric Snowden. They speak of the secrets he has leaked from the U.S. National Security Agency or “NSA”. Some applaud him. Others condemn him. Some wonder if their own conversations were overheard. Some are upset that governments in general, and the United States in particular, appear to violate the privacy that we assert as our rights.
The story may be looked at from many angles. One is the “invasion of privacy.” I’ll leave that to others for now. Another is our own use of communications devices for sensitive information, and who may have access to our communications. I’ll leave that to others for now, as well. I won’t worry, for now, about legal issues of what could and should be done about Snowden, and any helpers or facilitators. But what I wonder about is the apparent failure in planning, and foresight, of the NSA and other U.S. government people, and what these lessons could mean for us, and our businesses.
A basic idea that leaders are always taught is to “plan for the worst, and hope for the best,” or words to that effect. I wonder why the NSA doesn’t seem to have a good plan for how to handle leaks. If we are to believe what has been in the press, Snowden had an amazingly wide range of information that was at his beck and call. A typical organization will implement “need to know” rules, with safeguards to enforce the rules, and they will conduct audits to confirm compliance. We can presume that NSA used these standard techniques. But what seems to be lacking is a good plan to deal with failure of those techniques. From such an organization, this is truly disturbing.
So this is what I wonder about as I look out on the beautiful day: What are WE doing to plan for handling of inevitable failure? What are WE doing to safeguard our reputation, and our ability to do our work, when something core to our business goes horribly wrong? Perhaps one of our trusted employees steals a large amount of cargo, money, jewels, information, or whatever. Or she is implicated in setting up such a theft, even if unknowingly. How do we handle pictures posted on social media of an employee or company officer in a, well let’s just say, less than appropriate position? What do we do when we are legally within our contract terms, but an incident happens that raises questions about the judgment of our employees in its handling? Will the public furor be reduced by simply saying that we acted within our contract?
It can be easily said that the NSA failed to guard its secrets well. It failed even more miserably in anticipating what would happen if those secrets were released. They seemed to have relied too heavily on the safeguards, on the “fences,” without taking into account that fences fail sometimes. Snowden has caused me to rethink my stance about tritely citing contract clauses, “rules of engagement,” and lawyer’s opinions in handling sensitive incidents. Contracts are critical. “Rules of Engagement” are critical. And my lawyer and her opinions are near and dear to my company’s heart. But we need to consider more than legalisms and liability. Our reputations, and our ability to thrive as a company, demand more than the mere and strict adherence to the letter of the law. We must work to build reputations as right acting people, sober in our intent and our acts. We must strengthen our reputation as people prepared to do all we can to “Protect and Defend” those in our care. We must know that we will be judged not only by the client, but by the community – and this may extend far beyond the groups we normally consider. We must have plans in place and ready to implement when such incidents happen. Contingency planning and preparations for failures are traits of good leaders.
The NSA debacle teaches us about much more than just the apparent violations of privacy. It teaches an aware person much about contingency planning and preparedness. Are we able to get the lessons? Will we act? I think so, and it starts now.