A few days ago, we received some reports from users that all went something like this: “Norton is blocking access to your site. It says the site has a security risk.”
First reaction: Panic! Did our site get taken over by hackers? Not quite… When reading the security report, it turns out that Norton had incorrectly classified a link from one of our receipt emails as a phishing attack. To be clear, the link does nothing other than redirect to the user’s website, i.e. there is no phishing going on, neither on our site nor the user’s site.
We immediately issued a dispute and request for re-evaluation with Norton’s website. And then… nothing really happened. After five days, it seemed that the red warning disappeared, but for the site dispute, the re-evaluation is still “in progress”.
Now, this would not be so bad if it was not for Norton’s massive userbase and the trust that they have. Besides the users that were blocked from using our app, a slightly more serious consequence was the 1-star review on the Shopify app store that popped up on Friday morning with just the text: “My Norton Antivirus software shows this site to have an identity threat.”
Needless to say, being wrongly flagged by Norton can have real consequences for a business.
And that is the main problem here. This whole ordeal reminds me of some of the many things I hate about big corporations: Stepping on smaller businesses, misusing power and slow processes. I would go so far as to call it Corporate Bullying. Norton makes millions of dollars by tricking people into thinking that they need an expensive security solution (when they probably don’t). They can easily afford to make a few false positives when flagging sites because it has no consequences for them, only for the businesses on the receiving end. And when confronted with the problem, Norton does not care about us and our wrong security rating, nor do they take immediate action to rectify the problem.
The only thing missing here to make the bully analogy complete is if Norton came back to us and said that we need to pay them some “administrative fee” to remove the bad rating. Then they would truly have stolen our lunch money. I would not be surprised if that happened, but I hope that the story ends here.
Unwillingness or resistance to change in the context of organizations, application design and development, when the change is objectively or arguably positive for the organization.
From the David Dictionary :-)
Imagine a house in need of renovation. You can continue to paint the walls over and build new extensions, but at some point, the foundation needs an overhaul or you risk having to tear down the entire house.
Tech debt is like that. As an application grows, some old parts inevitably start to get outdated and in need of repairs. The biggest problem in application development is often not tech debt itself though. A lot of the time, people are the problem, not the code.
I recently had a conversation with a good friend about one of those little conflicts that happen at work sometimes. In this instance, my friend was trying to optimize a process that was rather slow and costly for the company. Apparently, this rubbed a manager the wrong way and they basically told my friend to stop making things more efficient. I only know one side of the story, but the situation sounds familiar. It is a symptom of People Debt.
People Debt is not about competence. It is about unwillingness or resistance to change. “We have always done it this way” is a common quote to hear in an organization with high people debt. Change is difficult to handle, even if the change is objectively for the better, e.g. more happiness, more profits, less complexity etc. When you combine people debt and tech debt, you get a very bad cocktail. This cocktail is often called Corporate Software, but it can also happen in smaller organizations.
I do not know exactly what leads to people debt, but it probably has a lot to do with pride and fear of looking bad in others’ eyes. I can relate to that feeling. It does not feel good when one’s decisions are being challenged and this often leads to defensiveness. Another part of the problem might be a consequence of “normal” power struggles. For example, encroaching on the area of responsibility of someone else.
I think one of the first steps to avoid people debt is to create a company culture where people feel comfortable and secure in their position in the company. Insecurity leads to defensiveness. I also think it is important to encourage open and positive collaboration between different areas of responsibility. The best results usually come from team efforts and not a “me” effort. Finally, encouraging people to not be complacent and instead challenge the status quo from time to time also helps.
As always, the most difficult change to make is to ourselves. Defensiveness and insecurity are natural feelings to have. But I do believe that we can tame those emotions when it makes sense. When someone tries to help us improve in any way, it is easy to dismiss and defend, and much harder to listen, accept and maybe even learn something new. This goes for everything in life by the way — not just my tech bubble.