We found out a couple of days ago that there’s a proposal to change policy so that only people working in Operations have card-swipe access to the data centers; the rest of us who work on the machines there will (under the proposed policy) have to be checked in and out by the operators.

Well, this seems like a great idea. Now every time we need to go into the data center we’ll get to stand around and wait for an operator, who will have to interrupt whatever he’s doing to let us in. And what benefit does this provide? It certainly isn’t going to make things any more secure. (The amount of effort being expended on physical security for the data centers already seems way out of proportion to the risks.) It will, however, increase the feeling that management doesn’t trust us or respect our abilities. (And hurt morale, as was so eloquently expressed in yesterday’s ITS all staff meeting.)

Some people seem to have the idea that if you set up sufficient rules you can prevent bad things from happening. This never actually works: as long as you’re doing something, there’s a chance that things will go wrong. The best way to get things done with minimal risk is to trust people but hold them accountable for the results.