What is permissible is not always honorable. – Marcus Tullius Cicero
Rules. Best practices. Guidelines. Design patterns. Policies. All are good and necessary, and you’ll rarely find anyone who will argue against the need to establish boundaries and set expectations. But can adherence to rules and design patterns be taken too far? I believe it can.
The Rules Gone Amok: A Case Study
A couple of weeks ago, Oracle published a controversial blog post entitled “No, You Really Can’t.” In this post, which was written by Oracle security chief Mary Ann Davidson, customers of the software giant are instructed to stop reverse engineering Oracle’s code for the purpose of security vulnerability testing. This 3000-word rant accuses customers doing this type of testing of having violated their license agreement, and it includes demands to cease and veiled threats if they do not. Although the stated percentage of vulnerabilities found by customer testing has come into question, I have no reason to doubt the accuracy of the principles stated by Davidson. Customers may very well be violating their licensing agreements when using testing methods involving reverse engineering. Oracle sales personnel might be allowed to refuse new licenses to customers who do this. And certainly Davidson, as security chief of the company, was well within her rights to publish such a post.
However, it was a stupid thing to do. It was nothing more than a backhanded slap at Oracle’s customers, likely including many of its most valued. The post has since been deleted and Oracle has tried to distance itself from Davidson’s angry tirade, but the damage is likely done. Oracle, and Mary Ann Davidson specifically, will be remembered for years to come because of this message, and it’s likely to be an unhappy memory.
The moral of the story? Just because you’re acting on the letter of the law doesn’t mean you’re doing it right. When adherence to rules conflicts with good judgment, the latter should prevail.
It’s Not Just Software Bugs and Online Rants
Rules and best practices are necessary boundaries, but they should be a part of a larger strategy to actually solve the problem at hand and not simply mark a task as having been completed. This is true of business ownership, people management, database development, and practically any other area that involves people and processes.
Why don’t people make more of these bend-the-rules, game-time decisions? It’s usually one or more of the following.
- They aren’t allowed to
- They think they aren’t allowed to
- They’re afraid to
- They are just doing a job, and don’t really care about the outcome
Whether you’re the one making the judgment call, or the one enabling others to make them, there is risk involved. Rules and guidelines can help prevent some bad decisions by removing the element of the judgment call entirely. Creating an environment that allows folks to use their professional experience and common sense introduces the possibility that a judgment call will turn out to be wrong. An employee stepping up to say, “I’m going to make an exception here” is risky because she could be held accountable if she makes a bad judgment call.
However, with the risk comes the likelihood of better outcomes, for the customer or client as well as for the company and the employee.
Are there absolutes which must not be tampered with? Certainly. The protection of a client’s data, for example, should always meet certain standards which cannot be tweaked on the fly. Similarly, it is reasonable to insist that all databases should be included in an automated backup schedule. But these types of no-exceptions rules should be few.
Above All, Good Judgment
In the case of the Oracle executive, a more reasonable course of action would likely have involved a much softer line on enforcing the “no reverse engineering” clause in the license agreement. Though technically she was likely correct in her statement, she could have made more progress toward two company goals – keeping paying customers happy, and making more secure software – by using good judgment rather than a dogmatic and abusive attitude on the software licensing issue.
Rules are good and necessary. But a system of guidelines and expectations should always be complemented with common-sense reviews by experienced folks who are empowered to make judgment calls to reach the best possible outcome.