Recently, my nine-year-old son informed me that he had observed over time how I always seem to help other people and how others always depend on me. I said to him that, in a way, he is much the same, as he is always saying ‘yes’ to doing little jobs. Together, we defined ourselves as being ‘yes persons.’
However, as our conversation evolved, I said to him that it’s not always a good thing saying ‘yes’ to people. You should only say ‘yes’ to someone when you know it is within your ability to do whatever is requested of you, you are allowed to do it, and the task does not impact other activities.
I have always been dependable to my friends, family and colleagues throughout my life. I’m proud of being able to help others. However, as a ‘yes person,’ I learnt to follow the three core principles outlined above:
- Can I do it?
- Am I allowed?
- And, do I have time?
Is it a good thing that you have people in your organisation who are willing to help others and say ‘yes’ to most things that are asked of them? Some would say ‘yes, that would be a benefit.’ Others may say ‘no, it could be dangerous.’
So, what are they saying ‘yes’ to?
Throughout my career working in the information security industry, I have come across a number of people who said ‘yes’ to breaching controls or policies to help another colleague or team. I have witnessed someone adding someone to a restricted ‘domain admin’ group, and I’ve even seen someone make a change to a critical firewall without going through change control, doing it as a favour.
*** This is a Security Bloggers Network syndicated blog from The State of Security authored by Paul Norris. Read the original post at: https://www.tripwire.com/state-of-security/security-data-protection/security-controls/yes-persons-make-change-control-necessity-organization/