Standard best practice in places like the military and intelligence organizations, where lives depend on secrecy being kept from outsiders—but not insiders—is to compartmentalize and maintain “need to know.” Similarly, in information security, the best practice is to only give being security access to what they need, and granularize access to different services / data, and well as differentiating read / write / delete access. Even in regular organizations, lots of information is need-to-know—HR complaints, future budgets, estimates of profitability of a publicly traded company before quarterly reports, and so on. This is normal, and even though it’s costly, those costs are needed.
This type of granular control isn’t intended to stop internal productivity, it is to limit the extent of failures in secrecy, and attempts to exploit the system by leveraging non-public information, both of which are inevitable, since costs to prevent failures grow very quickly as the risk of failure approaches zero. For all of these reasons, the ideal is to have trustworthy people who have low but non-zero probabilities of screwing up on secrecy. Then, you ask them not to share things that are not necessary for others’ work. You only allow limited exceptions and discretion where it is useful. The alternative, of “good trustworthy people [] get to have all the secrets versus bad untrustworthy people who don’t get any,” simply doesn’t work in practice.
Thanks for the explanation. (My comment was written from my idiosyncratic perspective of having been frequently intellectually stymied by speech restrictions, and not having given much careful thought to organizational design.)
I would imagine that most military and intelligence organziation do have psychiatrists and therapists on staff that employees can access when they run into psychological trouble due to their work projects where they can share information about their work project.
Especially, when operating in an envirioment that does get people in contact with issues that caused some people to be institutionalized having only a superior to share information but not anybody do deal with the psychological issues arrising from the work seems like a flawed system.
I agree that there is a real issue here that needs to be addressed, and I wasn’t claiming that there is no reason to have support—just that there is a reason to compartmentalize.
And yes, US military use of mental health resources is off-the-charts. But in the intelligence community there are some really screwed up incentives, in that having a mental health issue can get your clearance revoked—and you won’t necessarily lose your job, but the impact on a person’s career is a great reason to avoid mental health care, and my (second-hand, not reliable) understanding is that there is a real problem with this.
Seconding this: When I did classified work at a USA company, I got the strong impression that (1) If I have any financial problems or mental health problems, I need to tell the security office immediately; (2) If I do so, the security office would immediately tell the military, and then the military would potentially revoke my security clearance. Note that some people get immediately fired if they lose their clearance. That wasn’t true for me—but losing my clearance would have certainly hurt my future job prospects.
My strong impression was that neither the security office nor anyone else had any intention to help us employees with our financial or mental health problems. Nope, their only role was to exacerbate personal problems, not solve them. There’s an obvious incentive problem here; why would anyone disclose their incipient financial or mental health problems to the company, before they blow up? But I think from the company’s perspective, that’s a feature not a bug. :-P
(As it happens, neither myself nor any of my close colleagues had financial or mental health problems while I was working there. So it’s possible that my impressions are wrong.)
I don’t specifically know about mental health, but I do know specific stories about financial problems being treated as security concerns—and I don’t think I need to explain how incredibly horrific it is to have an employee say to their employer that they are in financial trouble, and be told that they lost their job and income because of it.
To attempt to make this point more legible:
Standard best practice in places like the military and intelligence organizations, where lives depend on secrecy being kept from outsiders—but not insiders—is to compartmentalize and maintain “need to know.” Similarly, in information security, the best practice is to only give being security access to what they need, and granularize access to different services / data, and well as differentiating read / write / delete access. Even in regular organizations, lots of information is need-to-know—HR complaints, future budgets, estimates of profitability of a publicly traded company before quarterly reports, and so on. This is normal, and even though it’s costly, those costs are needed.
This type of granular control isn’t intended to stop internal productivity, it is to limit the extent of failures in secrecy, and attempts to exploit the system by leveraging non-public information, both of which are inevitable, since costs to prevent failures grow very quickly as the risk of failure approaches zero. For all of these reasons, the ideal is to have trustworthy people who have low but non-zero probabilities of screwing up on secrecy. Then, you ask them not to share things that are not necessary for others’ work. You only allow limited exceptions and discretion where it is useful. The alternative, of “good trustworthy people [] get to have all the secrets versus bad untrustworthy people who don’t get any,” simply doesn’t work in practice.
Thanks for the explanation. (My comment was written from my idiosyncratic perspective of having been frequently intellectually stymied by speech restrictions, and not having given much careful thought to organizational design.)
I would imagine that most military and intelligence organziation do have psychiatrists and therapists on staff that employees can access when they run into psychological trouble due to their work projects where they can share information about their work project.
Especially, when operating in an envirioment that does get people in contact with issues that caused some people to be institutionalized having only a superior to share information but not anybody do deal with the psychological issues arrising from the work seems like a flawed system.
I agree that there is a real issue here that needs to be addressed, and I wasn’t claiming that there is no reason to have support—just that there is a reason to compartmentalize.
And yes, US military use of mental health resources is off-the-charts. But in the intelligence community there are some really screwed up incentives, in that having a mental health issue can get your clearance revoked—and you won’t necessarily lose your job, but the impact on a person’s career is a great reason to avoid mental health care, and my (second-hand, not reliable) understanding is that there is a real problem with this.
Seconding this: When I did classified work at a USA company, I got the strong impression that (1) If I have any financial problems or mental health problems, I need to tell the security office immediately; (2) If I do so, the security office would immediately tell the military, and then the military would potentially revoke my security clearance. Note that some people get immediately fired if they lose their clearance. That wasn’t true for me—but losing my clearance would have certainly hurt my future job prospects.
My strong impression was that neither the security office nor anyone else had any intention to help us employees with our financial or mental health problems. Nope, their only role was to exacerbate personal problems, not solve them. There’s an obvious incentive problem here; why would anyone disclose their incipient financial or mental health problems to the company, before they blow up? But I think from the company’s perspective, that’s a feature not a bug. :-P
(As it happens, neither myself nor any of my close colleagues had financial or mental health problems while I was working there. So it’s possible that my impressions are wrong.)
I don’t specifically know about mental health, but I do know specific stories about financial problems being treated as security concerns—and I don’t think I need to explain how incredibly horrific it is to have an employee say to their employer that they are in financial trouble, and be told that they lost their job and income because of it.