BOFH: This buck's for you
Psst, pass it on
“What’s this?” the Boss snaps, pushing several sheets of paper over the desk at me in an annoyed manner.
“Ah! Memo two thousand and eleven dash one dash one,” I reply, “workplace resiliency.”
“Yes, I can read the title, but what is it?”
“It’s a memo outlining the things we should be addressing for systems and networks resiliency.”
“And you expect me to take this seriously?”
“Of course. You asked us to identify areas of risk in the company so we worked through the issues at length over the past two days and considered the changes we might make to ensure the company is protected both from disaster and accident.”
Which is a complete lie. In actual fact we hastily cobbled together a variety of randomly selected Google documents about disaster planning, disaster recovery into a semi-coherent investment guide for senior management. Then went to the pub for two days…
…Earlier in the week…
“I don’t get it,” the PFY says. “We’re recommending dual UPS units with dual generators, fed from dual supply circuits via dual redundant switching? It’d cost millions!!!”
“Probably not millions, but certainly more than the company would want to spend,” I reply. “I’ve not even got to the terabit backup network linking us to our hot site.”
“They’ll never go for it!!!”
“Of course they won’t – that’s the point.”
“What is?” the PFY asks.
“It’s the Big Buck Pass,” I sigh. “The insurance company wants to reduce their risk so they’ve upped the premiums claiming we don’t have a policy document which outlines how we mitigate risk - using this year’s terminology. The auditors – who should have seen this coming – raise it with the board as an ‘audit issue’ a couple of nanoseconds before the insurance bill comes in. The board raises the audit issue with the CEO, the CEO passes the buck to senior management, senior management pass it to middle management, middle management to line management and line management to us.”
“Yes, I get all that, but what are we doing?”
“We’re pushing the risk back up the food chain by suggesting the most expensive solution possible.”
“Imagine we have no offsite backups but decide we’d get by if you took a portable drive home every night.”
“We don’t have any offsite backups. And the only hard drive I take home is full of completed torrents!”
“That’s why I said ‘Imagine’. Now if the drive fails when the company really needs it we’ll be held responsible for not protecting the data to the best of our ability. If, however, we recommend an offsite disk storage solution that’s outside of our spending authority then the Boss has to authorise it before we can proceed. When he says no then we’re in the clear – buck shifted.”
“You’re losing me…” the PFY says.
“The Secret to the Big Buck Pass,” I say, “is in recommending a solution that someone further up the chain will say NO to. So the more outrageous the solution the better, because as it gets more expensive it needs to go further up the food chain to get approved or denied. Then, when disaster strikes we’ll say we always knew this might happen and had recommended a good solution but it got turned down. Buck passed.”
“So why don’t we just recommend the offsite disk storage idea?”
“It’s not expensive enough. See, if it’s something we can afford they might agree to it - and undoubtedly axe part of our ever decreasing operational budget to pay for. If, however, it’s something ridiculous that we couldn’t possibly afford it’ll get vetoed by someone up the food chain and we just keep the veto memo for... insurance… purposes.”
“And they wouldn’t try and implement it over a couple of years – part this year and part next?”
“Not if it’s ridiculously expensive,” I say.
“But won’t the Boss just say we have to do something cheaper?”
“He would – but to counter that we embellish the risk with fake numbers – like the 103 reported cases of UK companies losing over a million quid as the result of poorly backed up data in 2010 alone. And those are just the reported cases!!”
“And the real number?”
“Who cares? The Boss will hear “103” and “a million quid” and crap himself. By the time it gets to the IT Director it’ll be 153 and 2 million. But he’ll change “reported” to “apparently reported” just in case the IT Director checks.”
“Course he won’t. IT Directors check numbers for accuracy about as often as they check their faeces for fibre – i.e. only when it’s in their face. He’ll pass it up and it’ll get axed somewhere below the CEO.”
“And this will work?”
“Sure, everyone does it!”
“Like when the HR person was complaining about how much liability the company was carrying from accumulated leave from the Beancounters who never take leave. And someone suggested pushing the worst offenders down the lift shaft.”
“And were you the one who suggested pushing them down the lift shaft?”
“Hell, I was the one who pushed them down the lift shaft! But who could have known their grandparented contract gave them unlimited sick leave. So then someone suggested maybe the company should stop paying for their life support and maybe the problem would solve itself...”
“And that someone was you?”
“It might have been.”
“This has stopped being about passing the buck and just become a brag session hasn’t it?” the PFY asks unkindly.
“I’m trying to teach you about the machinations of a large company!” I counter. “Machinations that take years to learn. Like the time the Boss vetoed a workplace resiliency proposal and someone suggested we take him to the pub, feed him absinthe till he thinks he’s Conan the Barbarian, hand him a sword and let him out of the lift at the Beancounter’s floor.”
“I think I’ve seen that movie!” the PFY says.
“How did it end?”
Sponsored: 2016 Cyberthreat defense report