Accountability Sinks

Having been on both sides of this—working behind a counter and answering phones at various jobs long ago, and being someone who often surprises family and friends with my ability to extract good outcomes from customer service—I think it’s somewhat of a misconception that being as unpleasant as possible is actually effective at getting results.

I fully understand that the godawful CS mazes many companies set up wind up pushing people in that direction, and that it feels like the only option, but I believe quite strongly that being patient and polite but persistent winds up being much more effective than being unpleasant.

As a small case in point: I worked summers in a tiny ice cream shop, most of the time solo. The shop had a small bathroom for employees only—it was through a food prep area where customers were not allowed by health code. I had some leeway to let people back there as it was pretty low-risk, and I would in the evenings when no other businesses were open, or if a little kid was having an emergency. People who were unpleasant from the get-go when placing their order, however, were simply told we had no bathroom at all. People who started shouting when I told them I wasn’t supposed to let people back there (not uncommon!) and suggested a nearby business were never granted exceptions.

Yes unfortunately I've observed this in some support systems. The best way is to thread the needle between being extremely personally polite to the other human on the line, but going through the required machinations on their runbook to trigger an escalation.

That is - you don't really have to behave unpleasant (raise voice, swear, be impolite, threaten) but you should just refuse to get off the line, demand escalation, and importantly emphasize with their predicament in needing to escalate you. Possibly including phrasing like "what do we need to do to resolve this issue".

I had a cellphone provider send me a $3000 bill because someone apparently was able to open 5 lines & new devices in my name/address. I went through the first few steps of their runbook including going to police department, getting report filed, and providing them the report number. They then tried to demand further work from me and I escalated.

At that point I turned it around - what evidence do you have that I opened this line. Show me the store security footage of me buying the phones, show me the scan of my drivers license, show me my social security number? Tim, are you saying I can just go to the store with your name & address and open 5 lines in your name? Being able to point out the asymmetry of evidence, unreasonableness of their demands, and putting the support staff in my shoes.. they relented and cleared the case.

I was once on the phone with a cell phone company customer support rep who was clearly as dis-empowered as it's possible for a worker to be. He was obviously forbidden to hang up on me, so I used my normal tactic of just refusing to give up - I was friendly enough but refused to end the call. He was refusing to escalate my call, but couldn't help me himself.

20 or 25 minutes in I realized that wasn't going to work, so I asked if they had a protocol to escalate in an abusive situation. He said "ummm....". I said, "hey, you're doing a great job, and I hope the rest of your day goes better, and I hope you know you're not a motherfucker, you motherfucker."

I think (hope?) he stifled a laugh and said "I'm afraid I'll have to escalate this call to my manager, sir."

As someone who worked in support as a youngling:

If you behave unpleasant enough I'll go out of my way to make sure your behavior does not pay off. I will note your abrasive behavior in the ticket or might even mark your mail as spam. On telephone our line will suddenly experience technical difficulties. And throughout I will remain as friendly and patient as ever.

I will warn superiors about you, so once you escalate they already have a colorful 3D image of your wonderful personality in mind. Whether that 100% is in your favor, you can guess.

Play asshole games? Win asshole prices.

Behave like a decent person with empathy instead, press the right buttons and I might even skip some of the company rules for you. Many people in support do not give a single damn if they lose their job over you and you might just be worth it.

These are not sfter-the-fact shower thoughts, these are actually lived experiences from the trenches and I know how other people in those roles think.

Persistence pays off, being an asshole not so much

Star Trek: Deep Space Nine introduced Section 31, an organisation which regularly acted in the way you describe the characters from 24. They operated outside official channels and used questionable methods to do whatever was necessary “for the good of the Federation”. The character of Odo criticised it well:

> Interesting, isn’t it? The Federation claims to abhor Section 31’s tactics, but when they need the dirty work done they look the other way. It’s a tidy little arrangement, wouldn’t you say?

https://memory-alpha.fandom.com/wiki/Section_31

I watched a season of Chicago PD, and noticed that they had a convenient "plot accelerator."

Whenever they got to a point, where the detectives and CSI would be painstakingly going through the evidence, sifting out clues, they'd throw the suspect into "the cage," and beat a confession out of them.

Well, it's the motive behind any atrocity committed during war, what's a few cracked eggs if there is a grand goal in mind. There are always people in places who feel like it's a historical duty to carry out those plans. And the war crimes stay in the past and get forgotten but nobody can deny the new reality on the ground. You can ethnically cleanse an area and in a 100 years that becomes barely a historical footnote and a new reality emerges and nobody can dispute that the area is occupied by a nation that claims rights based on self determination. Same for settler colonialism, they're not invading, just changing the actual conditions as a precursor to claiming political legitimacy.

What’s also interesting is that the tortured always turn out to be the bad guys. It never happens that he mistakenly tortured a good guy.

Convictions aren't convictions if you abandon them when it's hard. It's just cosplay

Chomsky's "Manufacturing Consent" comes to mind here.

Wasn't 24 cited by Cheney when he was defending USA-as-torturer ?

One of the things that strikes me about 24 is that it started running about 2 months after the 9/11 attacks. I wouldn't be surprised if there was a debate about running it or edits, but in retrospect it does seem like the timing worked and fit with the public mood of the time. What would be interesting is how 9/11 and following real life events influenced the show's writing in later series.

> "we've implemented all best practices, contracted out the hard parts to world-renowned experts, and had third party audits to verify that - there was nothing more we could do, therefore it's not our fault"

The amount of (useless) processes/systems at banks I've seen in my career that boil down to this is incredible, e.g. hundreds of millions spent on call center tech for authentication that might do nothing, but the vendor is "industry-leading" and "best in-class".

> It's just that understanding this explains a lot of paradoxes of cybersecurity as a field. It all makes much more sense when you realize it's primarily about liability management, not about hat-wearing hackers fighting other hackers with differently colored hats.

Bingo. The same situation for most risk departments at banks or healthcare fraud and insurance companies.

I thought risk at a bank was going to be savvy quants, but it's literally lawyers/compliance/box-checking marketing themselves as more sophisticated than they are. Like the KYC review for products never actually follow up and check if the KYC process in the new products works. There's no analytics, tracking, etc. until audit/regulators come in an ask, "our best-in-class vendor handles this". All the systems are implemented incorrectly, but it doesn't matter because the system is built by a vendor and implemented by consultants, and they hold the liability (they don't, but it will take ~5 years in court to get to that point).

Beginning to understand what "bureaucracy" mechanically is.

We should really define a new term for such work.

Perhaps "Risk Compliance Security" or "Security Compliance Engineering"

Where "Security Compliance Engineering" is the practice of designing, implementing, and maintaining security controls that satisfy regulatory frameworks, contractual obligations, and insurance requirements. Its primary objective is not to prevent cyberattacks, but to ensure that organizations can demonstrate due diligence, minimize liability, and maintain audit readiness in the event of a security incident.

Key goals:

- Pass external audits and internal reviews - Align with standards like ISO 27001, SOC 2, or NIST

- Mitigate organizational risk through documentation and attestation

- Enable business continuity via legal defensibility and insurability

In contrast…

Cybersecurity is focused on actively detecting, preventing, and responding to cyber threats. It’s concerned with protecting systems and data, not accountability sinks.

That is also why so much of the security[tm] software is so bad. Usability and fitness for purpose are not box-tickers. The industry term in play is "risk transfer".

Most security software does not do what it advertises, because it doesn't have to. Its primary function is for the those who bought the product, to be able to blame the vendor. "We paid vendor X a lot of money and transferred the risk to them, this cannot be our fault." Well, guess what? You may not be legally the one holding the bag, but as a business on the other end of the transaction you are still at fault. Those are your customers. You messed up.

As for vendor X? If the incident was big enough, they got free press coverage. The incentives in the industry truly are corrupt.

Disclosure: in the infosec sphere since the early 90's. And as it happens, I did a talk about this state of affairs earlier this week.

I wonder what the difference is between cybersecurity and civil aviation safety. At a glance they both have a lot of processes and requirements. Somehow on one side they are as you said, a way to deal with liability without necessarily increasing security, while on the other safety is actually significantly increased.

Rhyming with this observation - the only time I've ever heard someone getting fired over a phishing incident anywhere I've worked.. was a guy on the cybersecurity team who clicked through and got phished.

The most unfortunate thing about much of corporate 'cybersecurity' is that it combines expensive and encumbering theatre around compliance and deniability... with ridiculously insecure practices.

Imagine, for example, if more companies would hire for software developers and production infrastructure experts who build secure systems.

But most don't much care about security: they want their compliances, they may or may not detect and report the inevitable breaches, and the CISO is paid to be the fall-person, because the CEO totally doesn't care.

Now we're getting cottage industries and consortia theatre around things like why something that should be a static HTML Web page is pulling in 200 packages from NPM, and now you need bold third-party solutions to combat all the bad actors and defective code that invites.

Honestly is is just like Insurance. You understand the value of things you are protecting (and simple compliance has a value to you in penalties and liabilities avoided) and make sure it costs more than that to break into your system.

At a corporate level, it is contractually almost identical to insurance, with the product being sold liability for that security, not the security itself.

Security is closer to product management and marketing than engineering. It's a narrative and the mirror image of product and marketing, where instead of creating something people want based on desire, it's managing the things people explicitly don't want. When organizations don't have product management, they have anti-product management, which is security. We could say, "There is no Anti-Product Division."

Specifically on accountability, I bootstrapped a security product that replaced 6-week+ risk assessment consultant spreadsheets with 20mins of product manager/eng conversation. It shifted the accountability "left" as it were.

When I pitched it to some banks, one of the lead security guys took me aside and said something to the effect of, "You don't get it. we don't want to find risk ourselves, we pay the people to tell us what the risks and solutions are because they are someone else. It doesn't matter what they say we should do, the real risk is transferred to their E&O insurance as soon as they tell us anything. By showing us the risks, your product doesn't help us manage risk, it obligates us to do build features to mitigate and get rid of it."

I was enlightened. Manage means to get value from. The decade I had spent doing security and privacy risk assessments and advocating for accountability for risk was as a dancing monkey.

>I mostly end up making sure the goal is measurable in a quantitative and qualitative way, trends towards to and away from the goal are visually available and distributed , and its clear who is responsible to look and report them.

Unrelated to the post, but it sounds like you and I do similar work and have arrived at similar conclusions but I often fail to get organizations to actually spend the correct amount of time identifying these success indicators - which I think are critical to focus and scope stability. I’d love to chat sometime.

So basically, you're adding formal processes to ensure accountability. ;-)

> I'm now in a stage of my consulting career where I sometimes really get called into big organisation just to find out, that whatever they need to do is already panned out and they all want to do it! Still they call me cause ... it's a big decision and the "higher ups" (which quite often are not even part of the workshop/session then) want an external expert voice.

"Clients always know how to solve their problems, and always tell the solution in the first five minutes."

  - Gerald Marvin Weinberg
    The Secrets of Consulting

Ah yes, ass cover as a service.

There's a classic article (2010) about it: https://thetech.com/2010/04/09/dubai-v130-n18 (HN: https://news.ycombinator.com/item?id=1257644)

The difference is that while the decision has been made, it isn't necessarily very good.

I always thought that was a big reason for buying external consulting. Reminds me of that George Clooney Movie

Off-topic, but since you mention it, I've always been confused about what Americans always seem to be doing at the DMV. It seems to be a staple of pop culture that people are always there and the queue is always very long, but I've never known what anyone is actually trying to achieve.

The DVLA in the UK doesn't have a high-street presence. I took my driving test once, then received my driving licence in the post. When it needs renewing, I can do it online. I tax my car online. MOTs (annual vehicle safety tests) happen at any local garage. I've never needed a new numberplate, but I think you can buy those online too.

So what is it you all have to go to the DMV for? Because it sounds horrible.

Kafkaesque bureaucracy, it's common to a lot of government institutions, they send you from one window to the next, there is always paperwork missing or something needs to be stamped. It seems like the whole process is not to serve the people but just there to perpetuate itself.

Interesting distinction is deliberate vs unintentional accountability sinks.

DMV sounds more like incompetence than design. Compare with airline where the system is “better” when you have no recourse.

The acute guilt levied wasn't about following orders and exterminating the ground squirrels...

... but using an industrial shredder to do it. (on 440 of them)

For reference, this is an industrial shredder: https://m.youtube.com/shorts/I15kCJyl6po

Anyone who did that to a live animal deserves to be in prison, orders or no. There are innumerable compassionate, humane ways to kill animals, if it's necessary.

There is also a fun - legal - bypass to this.

The Dutch law doesn't say you 'can't have a second passport'. It only says: 'you can't have a second passport at the time you get your Dutch one'.

So countries like the UK allow their citizens to 'renounce' their UK citizenship, get a Dutch one, then get their UK one 'back'.

OMG this stirred my memories. I was interviewing with companies in Amsterdam and Berlin. The Berlin recruiter made onward and return flight bookings for me from India. I though went to Amsterdam first on a separate flight because I was juggling the schedule. I thought it’s no big deal didn’t bother informing the recruiter of my side arrangement.

I then took a train to Berlin from Amsterdam, finished the interview and went to the airport for my return flight that was booked by the recruiter. To my absolute horror I was told that since my onward journey was a no show the whole PNR was cancelled. I felt like an idiot. Since then I double and triple check whenever I’m booking flight tickets.

> So I thought that the problem could be solved by just arriving there by any other flight, which I booked almost immediately.

Why did you do that? Especially when that cost you extra money?

You should have talked to the airline directly, explained you'd missed your flight because they gave you the wrong airport, and the airline would have rebooked you and everything would have been fine. People miss flights all the time and this is an entirely normal process.

It's been standard practice for a long time if you miss a first leg, that you forfeit the rest. They're going to reuse those seats for e.g. other people who missed their original flights. It's a type of flexibility built into the whole system.

Connecting flights are super useful because you can work with the airline to reschedule the whole thing, and the airline is responsible if you can't make a connection because an earlier leg is delayed.

I truly don't understand why you would have taken it into your own hands to buy a separate replacement ticket on your own, instead of talking to the airline. Even in your second example, why didn't you work with the airline to reschedule your missed flight? Even if they for some reason can't reschedule, they will often keep your return flight valid if you have an obviously good reason (e.g. a visa issue during COVID). But you do have to contact them immediately.

I'm sorry you didn't know how all this worked, but when in doubt, contact customer service ASAP to see if they can help. Don't just go buy separate tickets on your own, and then assume later legs will still be valid. That's not how it works.

> There was no way I could convince her that it wasn't my fault. Perhaps there was a rigid process in place that disallowed her from helping, even though I'd make it to the second flight on time.

Yeah they generally have the capability to prevent that auto cancellation of your segments (within a certain time frame) but in this case unfortunately they were unwilling or it was too late to catch it.

It's generally to protect revenue because buying A-B-C instead of B-C can be cheaper, and hoards of people used to just segments to save money. So they just assume everyone is trying to cheat them.

Yes, sorry for your problem but no-shows automatically invalidate everything else. If you decide to cancel part of a trip due to unexpected events, train strikes or whatever that is not directly under control of the airline itself you must contact them and make sure they will not cancel the rest (including the return flight).