Zombie rules are those well-intentioned yet obsolete protocols that continue to impede progress long after their owners have left the organisation. People subject to zombie rules are eventually driven to break the rules to get work done … thereby unintentionally exposing their organisation to preventable risk.
Although Halloween is behind us, I want to talk about zombies. Specifically, zombie rules: those policy requirements and regulations that soldier on long after they’ve lost their relevance. Zombie rules are often overlooked as a source of significant vulnerabilities, not because they’re written badly, but because they impede operations, resulting in otherwise good employees seeking ways to circumvent active policy.
Zombie rules come into existence when some element of an organisation publishes a policy or process to address a specific problem. This is done with the best of intentions. Unfortunately, as people come and go and as organisations re-structure, “ownership” of the rule gets lost. It marches on, oblivious to changes in operational needs. Eventually, the zombie rule devolves from something protective and necessary to something actively counterproductive. When no owner can be found to change or eliminate the legacy requirement, employees feel obligated to disobey it.
For example, consider the case of my Cursed Coffee Bar. When I took command of my unit (in my Air Force days), I inherited a strange “snack bar” that my predecessor had built right outside of my office.
For context, our building was only three years old. Whoever designed it had installed features based on its original occupancy plan. As a customer-facing entity, the IT department was supposed to be on the headquarters building’s first floor across from our data centre. Instead, a last-minute rearrangement was ordered after construction was finished, causing the IT department to be scattered all over the HQ. My office, our clerks, and our classroom were all moved one floor up.
Our new home – which originally had been slated to be a personnel office – featured a large, L-shaped counter-and-cabinets feature right next to the two private supervisors’ offices. We suspected that the area had been intended to store forms and office supplies. My predecessor had turned the space into a “snack bar.” By the time I took over, the entire counter was covered in boxes of candy, baskets of fruit, and the occasional box of doughnuts.
I despised the snack bar at first. Easy access to sweets was doing terrible things to our physical fitness scores. Worse, “snack bar management” duties were tying up about 20% of my junior chief’s time. Every week, he had to sort the cash and do a resupply run off-base. This was not a good use of time for a senior supervisor.
The Chief was earning six figures to lead four shops and two dozen technical workers. He seemed to prefer his “side gig” stocking Mars bars. This caused more than a few arguments.
Still, the Airmen liked it. The chief persuaded me to leave it be. His only request was that we get a sink installed so we could make our own coffee. I asked our civil engineers what it would take to run the necessary water lines to our end of the building and was told it was impossible. Our building had never been designed for fresh water and sewer pipes in the East wing; installing new plumbing in a nearly-new building wasn’t allowed by policy.
The engineers also mentioned that there were very rigid rules governing the sale of food and beverages in the building. Apparently, the unit had signed an exclusive contract with a vending machine company to be the sole provider of snack foods and canned drinks for the building. Our “snack bar” wasn’t “legal” according to policy.
I investigated and confirmed the engineers’ warning. There was only one vending machine allowed in our building; it alone was to be the sole source of purchasable snacks. Unfortunately, thanks to the aforementioned “last-minute rearrangement,” the building’s only “break room” had no seating, no coffee machines, and a vending machine that was broken 90% of the time. Still, it existed. Therefore, we were required to shut our “snack bar” down.
A few months later, the Wing Commander demanded that the engineers build him a coffee station conveniently near his office suite. We had to de-install the only large photocopier serving the second floor to make way for a counter assembly remarkably similar to ours on the other side of the wall. This time, the engineers managed to run water and sewer lines despite it being “forbidden.”
Amazing what you can accomplish when the guy who signs your promotion orders wants something.
Not long after, people complained that the colonel who ran the new “executive” drinks station brewed nothing but burned (over-cooked) cheap coffee to suit his own peculiar tastes. My Airmen asked if we could get our own. My purchase request was denied on the grounds that it was illegal to spend government funds on a coffee maker unless your unit’s allocated space was authorized a break room with a kitchen. We were not; most of our space was allocated to our data centre and a parts warehouse.
Exasperated, we competed for a “unit excellence” competition, won it, and used our prize money to buy our own business-grade Keurig coffee maker. We still didn’t have a sink, though. After we installed our new brewer, we learned that we couldn’t use government funds to buy coffee, filters, or other supplies. So, we decreed that each Airman could bring their own K-cups and would be allowed to store them at work. Since we couldn’t get water piped in, I went to the commissary every three days and bought 4-5 gallons of water. We kept this arrangement going for years.
Guests would often ask if they could buy a K-cup from us and we always had to refuse to accept their money. Snack bar rules required the sale of food be registered, overseen by a dedicated supervisor, maintained with extensive financial records, and be audited annually. You could only have a snack bar if you had a sink and didn’t have a non-compete agreement with the owner of a non-functioning vending machine. So, I’d buy an extra box of K-cups every month and give them away to guests for free. It was the only way to be “legal.”
For me, the Cursed Coffee Bar always illustrated the zombie rule problem. We didn’t need doughnuts and candy bars, but we sure needed caffeine! Our people were expected to arrive in early-morning darkness, put in 11+-hour shifts, and drive home in darkness. Safety rules did allow units to have stimulating beverages; however, the food service rules only covered commercial vending machines. We couldn’t have coffee, only unhealthy sodas. The civil engineers had rules for kitchens and plumbing, but only for larger units. The finance people had rules for procuring coffee, but only for units authorized “break rooms,” and so on. All these rules were well-intentioned and doubtlessly solved some problem long ago. In our specific circumstance, though, the legacy rules didn’t work. So, we felt forced to work around them.
For six months or so, I weathered upset (and severely under-caffeinated) technicians enthusiastically complaining about how unfair and “stupid” the organisation’s rules were. It put me in an impossible position: I couldn’t defend the indefensible.
That’s the problem: when an acknowledged operational need crashes against one or more zombie rules, the only way to progress is to ignore, bypass, circumvent, or subvert those rules. That, my friends, is a huge security risk. Not only does it pit the users against the organisation itself, it also undermines the legitimacy of all the organisation’s rules and mandatory processes.
Now, imagine if we replace “coffee machine” with “secure file transfer solution” or “groupware platform” or some other new technological wonder. What do you think business units do when they find themselves caught between an urgent need and a shambling legacy rule? This is how you get “shadow IT” projects and breaches.
The solution isn’t to craft “perfect” rules since there’s no such thing. The solution is two-fold: first, ensure that your organisation revisits their rules and processes regularly (annually is optimal) with a mandate to modernize what’s aging and to retire what’s no longer viable. Second, build easy-to-understand exception processes into all policies, regulations, etc. Always provide the organisation with a safe and official way to deviate from the norm when exceptional circumstances make the norm unviable. Don’t put your people into a position where they feel that they have to disobey.
Also, provide your people with coffee. It’s not difficult. That is … it shouldn’t be difficult.
 One for the commander, one for one of the two authorized Chief Master Sergeants. For reasons I will never understand, my second, more senior, Chief was only allotted a cubicle.