I visited Barcelona for the first time this summer. The city has everything: fantastic food, great museums, Gaudi’s astonishing architecture, vibrant night life and, best of all, miles of sandy beaches. But this sybaritic urban magnet has a dark past. Situated at the fault line between France and Spain, the city has been fought over and occupied by many different armies over the centuries. Founded by the Carthaginian general Hamilcar Barca (father of Hannibal ‘of the elephants’), it was conquered by the Romans in the 1st Century BC, followed by the Visigoths (5th C), the Moors (7th C), the Carolingians (9th C) until finally coming under the unified Spanish crown in 1469. Barcelona backed the wrong side in the the War of Spanish Succession and the city was sacked in 1714 when the Bourbons defeated the Habsburgs and then ended up on the losing side yet again in the Spanish Civil War (1936-39). It suffered greatly in the subsequent period of General Franco’s rule and it was not until 1977 that Barcelona finally regained a degree of freedom when Catalan autonomy was restored.
This history of suffering at the hands of more powerful neighbours has bred a strong sense of local identity. Catalan culture, with Barcelona at its centre, has been forged through centuries of resistance to external oppressors and, as a result, is community oriented, suffused with a self -reliant creativity and an independence of spirit. This is evident in the very fabric of the city, composed of 10 different districts each with its own distinct character. Different neighbourhoods compete with each other in a rolling series of cultural festivals, in which local idiosyncrasies are expressed almost on a block by block basis. When I visited, the Grazia barrio was having its local festival. Turning a corner, I came across a sight that is such a perfect physical encapsulation of Catalan culture that it received UNESCO protection in 2010. It was a tall tower, built not of brick or stone but of people.
Barcelona’s “Castellers” compete in teams marked by different coloured shirts to see who can build the tallest ‘human tower’. At first, there is nothing to see. A crowd packed together and milling around in a urban square. Then a few hands go up, wrists wrapped in cloths of the appropriate team colour. More hands go up and then clasp together to form a rigid unit, and soon there are a hundred or so people locked together making a solid circular platform of humanity. Then, magically, a tower begins to arise spontaneously from the crowd. Men in groups of 3 or 4 standing on each others’ shoulders form the bottom stories. Crawling up their backs come the women and children adding new layers to the tower in turn and supported at the base by the pushing of the crowd. Then, at the end, an infant with elven grace scrambles to the very top to make a final flourish to the attendant judges.
The photos I took don’t do it justice. Seeing this human tower arise majestically from the massed populace, you are struck with a deep and resonant communal emotion. The same feeling in your gut as at a football match or rock concert but with a greater sense of purpose and a more satisfying consummation. This human edifice is a tangible expression of the will of the many as one; a spontaneous stalagmite of flesh; a priapic obelisk of collective zest.
Culture is a bottom-up phenomenon. It arises from below and can not be imposed from above. This is the truth to which Barcelona’s human towers bear testament. It is also a truth that many corporate organisations struggle with. Senior managers who want to change a corporate culture from above, often find the task close to impossible. New policies can be written, new procedures and guidelines can be published but they are more often than not ignored. These sort of prescriptive rules are only scratching the surface. One layer beneath this are the ‘core values’ to which an organisation subscribes, expressed in a corporate vision or mission statement. They often express banal sentiments such as ‘customers first’ , which ring hollow when you observe what is actually happening at the coal face. If you were to spend a morning sitting on a typical sales desk you might soon learn that doing a profitable deal is more important than customer satisfaction and that meeting this quarter’s sales target is more important than long term performance. These are the tacit assumptions, learnt from the peers and colleagues sitting next to you, that truly define corporate culture; it’s all about what is happening at the bottommost rung of the corporate hierarchy.
Part of the problem with the whole concept of corporate “culture management” is the assumption that it can actually be managed. In this paradigm, the company is viewed as a machine, with the manager as an engineer. Culture is seen as a mechanical part of an organisation that that can be reengineered and manipulated at a manager’s whim. Workers who resist are clearly either too ‘stupid’ to follow simple instructions or suffering from some sort of psychological maladjustment.
This mechanical model, the corporation as a perfectible Swiss watch, is deeply flawed. Culture is not something that a company has, it is something that the company is. So the appropriate paradigm is not a mechanical one but a biological one. Viewed from this perspective, workers who resist prescriptive policies are not psychologically ill, but creative problem solvers who have found an optimal pathway through a series of conflicting environmental pressures. Much as cells evolve in a Darwinian way in response to their surroundings, workers synthesise the conflicting messages from different parts of the organisation (HR, compliance, immediate boss, top management, customer support, etc) to come to a unique resolution that optimises all those inputs.
This is true both at the organisation wide ‘macro’ level and also in the microcosm of information security. Professor Angela Sasse, who runs the Information Security Group at UCL, has been exploring these ideas in a number of influential papers* which examine the conflict between the “top down” policies imposed by Information Security departments and “bottom up” user activity. She advocates a new approach to cyber protection which she terms “Shadow Security”.
A good example of this issue is corporate password policy. A common complaint from a company’s information security department concerns ‘stupid’ users who can’t remember their passwords and so write them down on post-it notes and stick them to the bottom of the screen. Corporate policy mandates long passwords made from a combination of numbers, symbols and capital letters which should be changed on a regular basis. The problem is that human memory does not work that way. The more frequently we do something the better we remember it, and we remember things with meaning better than a random string of symbols and numbers. A typical response from a user is “I was forced to change my password every month, so I had to write it down to remember it”. The user has found a workaround that resolves the conflict between an unrealistic corporate directive and the fundamental job requirement to do work on PCs. Some company’s are requiring bid bonds to protect them and the buyers.
The unintended consequence of the password change policy is to actually reduce computer security. Far better, in Professor Sasse’s view, to observe what users are actually doing and then build information security policy around that. One definition of stupidity is continuing to do the same old thing while expecting different results. This password problem has been the bane of information security for the last 30 years. So maybe it’s not the users but the information security department that is being stupid. Surely it’s time to try something new…