
Save Us From Misguided Computer Security Fails


Sunday brings a terrific cartoon from a very wise woman, Hilary Price of Rhymes With Orange:

The password-on-yellow-sticky-note situation these days is an outgrowth not of bad memory – well, maybe a bit – but mostly of corporate or firm policies that require complex, meaningless passwords that must be changed regularly.

I understand that hackers want into our systems. However, we’re just changing one variant of the problem – external hackers – for another – internal opportunists. And most of the leaks I’ve seen (and experienced) come from software/system errors rather than guessed or stolen passwords.

Let me share two thoughts, about potential solutions and about crossed purposes on job descriptions.

Answers?

Security experts tell me that the best solutions couple “something you know” with a second factor: “something you have” or “something you are.” In other words, access requires a password plus either a physical token, such as a USB key, or a biometric, such as a fingerprint or voice recognition. (Fingerprints and voices are “something you are” rather than “something you have,” but the point is the same: a guessed or stolen password alone is not enough.)

Google and others have implemented systems where the account owner can require, in addition to the password, a response to a code sent to the phone by text message, the phone acting as the “something you have.” It’s a reasonable solution for those who always have their phone and can count on it having signal.

Until you can use (or your firm can and chooses to implement) such a solution, though, we’re pretty much stuck with the current situation. A few organizations are allowing biometric (fingerprint) scans in lieu of passwords. They can be hacked, but IT groups must decide whether that risk is higher or lower than the risk from yellow stickies and the other ways people fudge security requirements, understanding that people will fudge them because they get in the way of real, need-to-do-it-now work.

Getting the Problem Wrong

Here’s the part that applies to Legal Project Management. Consider the following two absurdly summarized job descriptions:

  • Lawyer: Solve client problems as quickly and effectively as possible.
  • IT Security Guy: Prevent any network break-ins.

In themselves, these are both good objectives. But… there comes a point when they clash, when outstanding security gets in the way of getting a job done effectively and efficiently.

So the lawyer asks the senior partner, Am I wrong to want to do this quickly to best serve my clients? The partner answers, No, you’re not wrong at all.

And the IT guy asks her CIO, Am I wrong to keep our systems secure? The CIO answers, No, you’re not wrong at all.

However, these two “truths” cannot coexist, cannot both be true at the same time. Thus they must be half-truths, where important considerations or limits are missing. I suspect that’s obvious when I state the problem in these simple terms.

This situation models one of the core problems of Legal Project Management: stakeholders whose goals are unaligned, whose goals are anything but easy to align. As a project manager, you need to attack this issue directly; it will not likely go away if you ignore it.

  1. Spot the misalignment, which requires identifying the hidden stakeholders as well as the overt one.
  2. Understand how each stakeholder views his or her goals.
  3. Look for points of common ground on which to build.
  4. Look for how both sets of goals map to the organization’s overall goals, and work to steer the conversation to ways to be a hero by benefiting the organization.

Obviously, the fourth item comes into play only when you’re on the same side. Adversaries in a matter will often have no #4, unless the prodding of a judge to agree or settle provides it.

By the way, if the users are dissatisfied with internal security requirements, you might consider sitting down informally with the CIO or her direct report responsible for security and working through the four points above. At worst, you’ll gain an understanding of each other’s worlds and constraints. (And if you do it after work over a beer, you’ll at least get the beer out of it.)

