Boss, executive, manager, supervisor. Person in charge. Of these people there are many who want their subordinates to enact their will in the way that requires their own personal least amount of effort.
They want to give ambiguous direction and receive exactly what they imagined but still be delightfully surprised. They don't want to hear about the unintended consequences of getting exactly what they asked for; they want it to "just work and don't trouble me with the details".
Pedantry is unacceptable. Everything must be interpreted exactly how it was meant to be. The rules are meant for others. If a subordinate fails while breaking a rule, then they are fired. If a subordinate fails because they didn't break a rule, then they are fired.
Ultimately, as we come closer to perfect impersonation at the press of a button, these 'people in charge' will have a tough time adapting. They want absolute obedience and unquestioning loyalty. Unless their subordinate was talking to a social engineer using a deep fake.
On the other hand. The people in charge who trust their subordinates, who let them fail and encourage them to do better, who let them question their approach and decisions. These people in charge will find themselves and their organizations more resilient to these attacks. "Yeah, Jeff might be a real jerk sometimes and he's always second guessing decisions, but he doesn't transfer $12 million just because he gets a phone call where someone who sounds like me is upset that the money hasn't been transferred."
This development is a blessing in disguise for people tired of dealing with "decision-makers" giving orders continuously. A tedious authentication step is a good speedbump against impulsive CEOs.
We should be able to trust what's displayed as a caller (stolen unlocked smartphone is a different problem). It doesn't seem that hard. It's not rocket science. I don't understand why we don't have that yet.
That only helps if you're able to recognize that number. Otherwise it's just an equally plausible number to be called from. In this case it's the voice that tricked the person and I'm pretty sure that if your boss calls you and demands something the likelihood to comply is pretty high. Your suspicions about not recognizing the phone number will not even get time to properly form.
We need for bosses to understand that this is not the way to request things but to always go through authorized channels which implement better "authentication" processes. This may also dampen their willingness to make "out of band" requests.
What millennium do you live in that when one of your contacts calls you, the thing that shows up is a number and not the caller's name?
That's my biggest pet peeve about Android. (Totally unrelated discussion, sorry) I can't tell it to send all calls that aren't from my contact list directly to voicemail. They're universally spam.
The millennium in which my CEO can call me from any phone in the company and I'd be hard pressed to tell if it's legit or not? Or from a phone in another parent or subsidiary in any number of countries that I have basically no chance of recognizing? The simple fact that it's the CEO calling discourages anyone from questioning it because C level executives and senior management have a way of imposing this kind of "absolute authority" in many companies.
Excellent point. Authoritarian workplaces worked adequately in the industrial age. But they've had a hard time keeping up with the modern world, where you get better economic results by empowering workers and investing in social systems. It's especially obvious to companies like Google: https://www.nytimes.com/2016/02/28/magazine/what-google-lear...
This deepfakes stuff can only help accelerate the move toward bottom-up power and process-oriented thinking.
The alternative of having collaborative decision making has its own downsides, of being slower, not meeting goals, and sometimes producing conflicting outputs.
In reality, a "directive" can be generalized to any "process request", such as a software enhancement request.
A "goal level" statement must be described, and then someone between the implementer and the manager needs to flesh out and escalate what the functionality looks like and any potential conflicts. ...then the person implementing them needs to translate that spec into an implementation, and then escalate any potential unintended consequences found in testing phase. ...and all of this in an iterative cycle.
Unfortunately, 99% of office requests do not merit enough _value_ for this process to be worthwhile. With infinite resources, we can achieve infinite perfection in every management request.
...but in the real world where business demands are transient, the expectation should be that management doesn't know what they want all the time and asks for things with incorrect parameters and conditions. ...and so the implementer (since there's no one in between) needs to bring their industry experience and communication skills to _poignantly_ explain the caveats in the request and explain what the alternatives are.
These are difficult conversations to have. They inherently contain conflict and the emotions of frustration associated with the manager perceiving that they aren't getting what they want, and the implementer being asked to break protocols and safeguards.
There is no perfect solution. This comes down to professionalism and having employees and managers that are able to offer compromise, have dispassionate discourse, and be willing to thoughtfully approach the problem in a succinct and timely fashion.
...which is why hiring experienced intelligent emotionally stable people is the most productive choice for companies.
This. Technical verification solutions help, but none of them defend very well against your CEO apparently ordering you to bypass the verification step.
So the idealized authoritarian CEO must first have ordered you to never bypass it, and then must regularly test you to ensure that it cannot be bypassed.
There's no reason this sort of authorization process couldn't be trivially handled with any one of a number of simple technologies. If there isn't already some sort of Personal Verification Service to do this, well, there's a niche to be had. Come up with a better name.
No organization can work if normal communications are hijacked and spoofed by bad actors. This is a pretty severe security issue that no amount of "social engineering awareness" training is going to fix. Most businesses can't operate if every decision of consequence needs a face to face meeting to verify authenticity.
There are other ways for 2-factor/3-factor verification (physical or passcode based tokens, e-mail+voice, or even a video chat).
There are other ways of safety like requiring a 2-person authorisation for large transactions - many organisations and especially charities already do that.