101

My manager has asked me to violate a company policy that they disagree with. The policy is very strict and violating it normally is considered gross misconduct. The policy is for security and violating it puts the organisation at risk. I would not be comfortable doing what my manager asks even without this policy.

This has put me in an awkward situation. I want to ask my manager for written authorization to violate the policy to carry out this request.

My two concerns are

  1. My manager does not have the authority to authorize such a violation as the policy is coming from executive leadership.
  2. If I push back and create problems, I'm worried about retaliation going forward.

This is in the UK. How should I deal with this?

Masked Man
Tim J
  • 8
    "If I push back and create problems, I'm worried about retaliation going forward." But if you don't and executive leadership gets to know about it, they may still fire you, not your manager. It's a dilemma. I would consider not doing such a thing without a written backing by your manager or the consent of the next higher level. – NoDataDumpNoContribution Sep 08 '17 at 07:25
  • 75
    If you say: "it puts the organisation at risk" - I just wanted to point out, normally you have the obligation to protect your employer against harm as part of your normal work-relationship. So a written confirmation from lower management may not actually protect you, if things go wrong. You can ask the fired VW-Diesel engineer about this :) – Daniel Sep 08 '17 at 07:42
  • Agreed with @Daniel - the correct approach here very much depends on what exactly this policy is, what you are doing, and what your role is. If we're talking about leaving a key to the office under the mat at the door it's much different than, say, bypassing an engineering review for a design revision. Make sure you understand your legal obligations here. – J... Sep 08 '17 at 11:16
  • 6
    You could also refuse to do it. Just because your manager has asked you does not mean that you should do it. I think this is even more relevant since you say that you would be uncomfortable doing it even without the policy in place. I would argue that you should just not do it! – drone.ah Sep 08 '17 at 11:46
  • 3
    Workplaces are like lakes - they become toxic easily, and once they are nobody cleans them up - they just leave instead... – corsiKa Sep 08 '17 at 13:12
  • Did your manager give an explanation or context for this request, such as "I know I'm asking you to violate company policy, but if we don't then this [something really bad will happen]..." Maybe he "forgot" that it is a violation? – Brandin Sep 08 '17 at 16:24
  • 6
    It is possible this counts as constructive dismissal – Gaius Sep 08 '17 at 17:57
  • I assume the point of the written confirmation is in the hopes that the manager will be the one who gets fired instead of the OP. It's not ironclad (both might get fired) but it's better than nothing. OP surely doesn't want to end up in a situation where it's his word against his manager's. The best (?) outcome is if the boss realizes it's a bad plan and stops pursuing it. – stannius Sep 08 '17 at 18:10
  • Tell him, you will report this request to his boss if he persists. The only one who can make an exception is the person/department that made those rules. – cybernard Sep 09 '17 at 16:10
  • 1
    I'm kind of surprised no one has mentioned HR. If violating this policy is normally considered gross misconduct, surely they would be interested in knowing this is happening...? Are people not recommending it because it puts the OP at risk or what? – jpmc26 Sep 10 '17 at 19:07
  • Don't do it. Your boss will make sure to run over you, back up and run over you again if this blows up. – Matthew Whited Sep 11 '17 at 16:30

12 Answers

183

Your boss is not going to give you a written authorization, so you will have to make a paper trail yourself. Assuming you are using email for communication, send an email like this:

Dear Boss,
As per our discussion this morning, I understand that you would like me to do X. Here is how I plan to work on it: Step A, Step B, Step C.

Please confirm if my understanding is correct and if it is okay to proceed in this manner.

Now your boss will certainly not "confirm" this, so you can put this on hold indefinitely. You are not disobeying your boss, just waiting for his "confirmation".

Your boss' response to this can range from dropping the idea to figuring out other ways to get you fired. Depending on how strongly your boss feels about it, it may be prudent to start looking for a new job.

Masked Man
  • Comments are not for extended discussion; this conversation has been moved to chat. – Jane S Sep 10 '17 at 06:39
  • 12
    This would work well in conjunction with DouglasHeld's answer. 'Step A' in your email could be that you intend to apply for a security exception and you require your boss' help in wording the business justification for the request. – Darren H Sep 10 '17 at 08:13
  • @DarrenH Indeed, and just to avoid confusion, I must clarify that when I wrote this answer, the exact nature of the policy violation being demanded of the OP was not mentioned in the question. That it was a security policy violation was an additional detail added later. – Masked Man Sep 10 '17 at 08:46
  • And if he confirms by talking to you rather than sending an email, you send a second email: "As you requested at the coffee machine 15 minutes ago, I'll go forward with as instructed." – Peter Sep 10 '17 at 18:32
  • Doing this will likely be construed by Boss for, well, what it is - meaning outing him with a paper trail as having instructed OP to break policy. Likely to lead to an explosion vis-a-vis Boss. -1. – einpoklum Sep 11 '17 at 09:21
  • @einpoklum Ok, and what is your alternative solution? – Masked Man Sep 11 '17 at 09:22
  • It depends on multiple factors, e.g. whether I think the policy breach is justifiable, what kind of personal guarantees the boss can give me for breaking the policy, etc. Without more information I would tend to support @norcaljhonny's answer. – einpoklum Sep 11 '17 at 09:29
  • I have checked all the answers. But this seems to me the better and simple one. – Jagz W Jan 04 '18 at 12:44
84

This is easy. Your security team should be able to provide you with a Security Policy Exception. The general form of a security policy exception is:

  • The name of the policy being excepted
  • The way in which the policy will be violated
  • The business justification or business case
  • The date that the policy will be complied with (i.e. expiration of the exception)

Example:

I would like to request a security policy exception for 30 days, disabling my anti-virus.

  • Policy: Employee Computing Equipment Policy 2017
  • Exception: I would like to disable my anti-virus software
  • Justification: I am a technology journalist and I am researching the efficacy of AV and also the risk exposure of users who violate commonly accepted security practices. I would like to document what happens in my day to day job for 30 days, using a computing device for work without AV protection.
  • Beginning: 2017-10-01
  • Expiring: 2017-10-31

In the above case, I would expect the security team to either say "not approved"; or to work out with the requestor how to safely set up a sandbox or honeypot environment to obtain a similar result for the research project.

And finally, if your security team is not able to provide you with one of these... then you are not working for an organisation with a functional security team.

Douglas Held
  • 10
    Your example is giving me heart palpitations! – Dan Sep 08 '17 at 06:48
  • 51
    Not every company has a security team, actually they are pretty rare in my experience – JMK Sep 08 '17 at 11:31
  • @Dan: Engineering has largely been able to force-create the exemption here after Anti-Virus broke the build one too many times. Years later we were able to find one that didn't break the build. – Joshua Sep 08 '17 at 17:36
  • As a fellow ItSec professional, your views match my own. +1 I was just about to post my own answer, but you have said what I was going to say better. If the business case is sufficiently persuasive, such exception may be granted – Anthony Sep 08 '17 at 22:41
  • 9
    This would be more appropriate if the OP thought this action was a good idea. Since the OP thinks it's a bad idea, this is at best a creative CYA. –  Sep 09 '17 at 12:36
  • 3
    My company has a security team, but I've never heard of a standardized "Security Policy Exception" form for people to fill out. To me the idea of even having such a standardized process for this seems like a giant red flag that the policy is too restrictive. – Ixrec Sep 10 '17 at 13:34
  • 1
    Well, the question says the relevant policy "is for security" so I expect, there is a security responsible person at the asker's org. who wrote the policy. @lxrec, the exception process is not typically something security people would want to advertise widely. I would agree if they were requested on a regular basis something would be wrong. But for occasional requirements, I disagree. It is perfectly normal to allow and monitor exceptions. – Douglas Held Sep 10 '17 at 13:43
  • 2
    @BenCrowell I don't think it's supposed to be a CYA, I think the idea is that the request is explicitly denied and the manager must either convince them or give up. Higher ups see things differently, and won't want you to do something really dumb just to meet a deadline or quota, as middle managers often do. – James Hollis Sep 10 '17 at 17:49
  • @JMK You could potentially put the request through normal IT channels, or submit it to whoever is responsible for writing/enforcing the policy. – jpmc26 Sep 10 '17 at 19:04
39

To be honest, I would just tell my boss that this seems to be against company policy, and that given this fact, I would like to ask him to give me written authorization before I move forward.

He can't sensibly deny your request. So the only reason you wouldn't do this is if you can't even bring yourself to tell him this violates company policy. If you can't, then either that's just something you need to practice, or you need to look for a new job where you might be more comfortable telling your boss obvious facts.

user541686
8

The question doesn't say whether it's clear that the manager knows that this is a bad idea and that it violates policy. If I were the manager, I would want you to start by giving me this information.

Step 1. Send your boss an email saying something like this: "Dear Boss, I don't think we can do it this way. You might not be familiar with Company Policy 42, which we'd be violating. Instead, maybe we could..."

Even if he does already know this, but all previous communications have been oral, do this anyway. It establishes a record where you are acting reasonable and responsible, and it also gives him an out, if he wants it.

Step 2. Reading between the lines, it seems like you have serious concerns about this manager's ethics and competence (e.g., you express serious concerns about retribution). Think about quitting, or if that's not feasible, maybe you could get a transfer.

If a resignation or transfer aren't options, or will come too late, don't just try to get a CYA email from your boss and then proceed. You've expressed clearly that that would be unethical, and in any case it doesn't necessarily protect you, because, as you say, your boss doesn't have the authority to override the policy.

Step 3. Send your boss an email like this: "Dear Boss, It sounds like you think that Policy 42 is a bad policy, or that an exception needs to be made in this situation. That kind of policy decision is way above my pay grade. Could you consult with higher-ups about this?" Simultaneously open a conversation with HR and supply them with copies of the two emails.

  • 1
    "You might not be familiar with.." or "It sounds like you think that..." sounds rather patronizing to me. I would not write something like that to an average boss. Just "It violates company policy X" or "seems to violate..." sounds more neutral. – hyde Sep 11 '17 at 10:16
3

Your manager has asked. You don't need to push back, but you could tell him that you'd feel uncomfortable doing what he asks, and that you'd like to be on the safe side about it by having a written confirmation from his side. You can tell him plain and simple that you fear being accused of misconduct and eventually fired, which you can't risk. Try to put him in your shoes, this should work.

Noldor130884
3

People very regularly downplay the importance of security, usually under the influence of the Dunning–Kruger effect. This can have catastrophic consequences for customers but also for the company. If you are very good at explaining your case and they are capable of understanding and objectively evaluating it, they may change their mind. But it is likely that this will polarise them against your position. Instead, consider that your boss has already shown a disregard for the rules which were put in place and enforced by higher-ups, so for your purposes you can consider the rules to have been broken already.

If you have a paper trail of this you should therefore bring it up with the executives in person, in a neutral, "could you please advise on this situation", tone. If you do not have any proof then it is quite possible that your boss will refuse to give you anything in writing, to cover themselves. If so they will either laugh it off or go ballistic, telling you to do your job without questioning them at every corner. In this latter situation I'm afraid the only recourse you have is to stall or refuse, and then look for another job, because you don't want to have a security breach to your name.

l0b0
3

So, a few things to consider.

  1. Your employment contract is between you and the company, not you and the manager. If you violate company policy your manager can't save you - he'll most likely be in the soup line with you.
  2. Whether you have a job tomorrow or not is entirely out of your control. All you can control is your actions. If you find yourself jobless do you want your reference to be "Tim is a coward that I'd never hire again." or "Tim is a standup guy full of integrity. I'd work with him anywhere.".
  3. Sometimes companies conduct loyalty tests.
Sam Axe
1

Cover yourself: either ask for written authorisation, which may result in a personal visit instead, or just do it and confirm via email that you actioned such and such as requested.

At the end of the day it will fall back on the manager, not you. I'd actually go the latter route because I have to assume my manager knows what he/she is doing and is allowed to, and I'm just not privy to all the info concerning it. If they're not, I don't care, I'll apply for their job when they get the boot.

Kilisi
  • "I have to assume my manager knows what he/she is doing" - That seems a rash assumption. – Martin Bonner supports Monica Sep 08 '17 at 09:44
  • 2
    Depending on the kind of violation it may very well fall back to the employer as well as the manager. Extreme example: Obeying a command as a soldier to commit war crimes does not save you from being convicted, even with written permission of a higher ranked officer. In general, a written permission from someone who can't allow you the action in question will not save you. – Thern Sep 08 '17 at 09:51
  • @MartinBonner questioning everything your manager asked you to do would be more rash I would think. Just cover your back, it doesn't make you bullet proof but generally it's good enough. I've thought some managers were total idiots, but still followed instructions. – Kilisi Sep 08 '17 at 10:21
  • @Nebr selling prohibited drugs to minors on your manager's orders would also result in conviction, I'm assuming common sense, extreme cases are too many to list. – Kilisi Sep 08 '17 at 10:23
  • 2
    @Nebr I realise it's just an example and that you describe it as "extreme" but nothing in the question suggests that the thing the boss wants is illegal; just that it's against company policy. I think we can be fairly confident that the worst that could happen personally to the asker is that they get insta-fired for gross misconduct. – David Richerby Sep 08 '17 at 14:19
  • @DavidRicherby It may be not illegal, but the thing both examples have in common is the fact that the manager may simply not allow the action in question - and this is well known to the subordinate. Maybe another example: If the manager orders the subordinate to publicly criticize the company, complying and then pointing to the manager will still not save the subordinate, even if the action is not illegal in a strict sense. – Thern Sep 10 '17 at 10:47
  • 1
    @Nebr Sure. My point is just that the situation is sufficiently different from soldiers being ordered to commit war crimes that the analogy doesn't tell us anything. – David Richerby Sep 10 '17 at 16:31
1

One thing to consider, usually companies have a code of conduct that supersedes your line manager's orders. Violating the code of conduct is often deemed to be grounds for dismissal whether or not you get an approval from your manager in writing. Keep in mind that even if you get a CYA from your boss you won't be immune to repercussions should this action be discovered in an audit or review, especially if you already know you are violating company policy. If your company has an ethics officer (probably depends on the industry) I would strongly advise approaching them with this situation. Remember with security issues, company brand can be at risk and the stakes are high if something goes wrong.

mercurial
1

I believe in communication directly with the person at hand. If one goes asking other people or departments that oversee these things, then that alone can come across as somewhat deceitful or, simply put, going behind their back.

I, personally, would simply share my thoughts. Tell the person, you are my boss and I find it an honor when you entrust me with responsibilities. I do not disregard or undermine your orders as you have been placed with the given authority. My concern, in this case is X,Y, and Z and is not related to whom the request comes from. I honor you and your employment and would not want to jeopardize your reputation or my ability to keep your trust. I have not spoken to co-workers about this and look to you for guidance as with many other work related situations.

In short, I believe in giving people a chance first. Then if it goes sour, you know in your heart you did the right thing and you can take the next step from there, if need be.

Showing concern for people, usually comes back with favor.

  • Along the same line - This would have worked best if you did it right away: I've jokingly said to a supervisor something like "Sounds like a good way to get fired. I don't think so". This makes it sound like you think he's kidding about something that's such a major infraction, and you avoid insinuating that he's acting unethically. At this point you could maybe go back and say "You were joking about _______, right? Because it's a major policy violation". – Brian D Sep 14 '17 at 06:29
0

Not mentioned previously, if you are in a casual work environment, consider asking your boss's boss in the hallway if these actions are ok. Some work environments are ok with this sort of "going over the head of your boss" type of thing. (Some are not).

Astor Florida
-7

Zugzwang: https://en.wikipedia.org/wiki/Zugzwang

Zugzwang (German for "compulsion to move", pronounced [ˈtsuːktsvaŋ]) is a situation found in chess and other games wherein one player is put at a disadvantage because they must make a move when they would prefer to pass and not move.

Probably, if you do as you're asked, you'll be fired for violating company policy. If you don't, you'll be fired for insubordination.

Just quit.

Code Whisperer