Yes, everyone can be driven to care so little.
Wait, what?
If you've not read the article to which I'm referring, the title of this piece sounds like utter insanity. Storing passwords in plain-text1‽ This is blasphemy! This is madness!
But no, I'm referring to a specific article called “Maybe you should store your passwords in plaintext”. It's well worth reading, but the gist is as follows: Some people have realised that caring about the work that they do nets them absolutely no benefits, so they have decided to not care about the work they do at all, to the point where they store passwords in plain-text—not their own, of course, but the passwords of the users of their companies' product. Thus, “storing passwords in plain-text” is short-hand for caring so little about the company as to not do even the barest minimum of extra work for it.
“Why bother improving things?” they ask. “What's in it for me?”
Levitt's advice
The article writer has no answer to this, and even acknowledges that financial incentives don't work. The closest he(?) comes to an answer is this quote from Steve Levitt:
“I think the real answer, […] this is going to sound weird or bad – is to cajole or trick your employees into thinking that what they’re doing is important.”
Not to put too fine a point on this, but ████. THAT. NOISE.
The reason this “is going to sound weird or bad” is because it's both of those things. It's essentially saying that suckers make the perfect employees. It's the reason why companies have started claiming to “change the world!” by, uh, marginally speeding a few things up here and there.
I don't really think most people are that stupid, or naïve. There are vanishingly few companies that are actually changing and reshaping the world in which we live –I think SpaceX is one of them– and even then, an entry-level employee is unlikely to be doing work of material importance.
So, from a boss's perspective, the big question is: How do you make employees care about the company?
My advice
Disclaimer: I'm not a boss. I'm just Some Guy On The Internet™. I am, however, a human, and therefore have an inkling of how humans think—which is more than can be said of some bosses if I'm honest.
The advice I'll give is as follows:
- It's piss-easy to make your employees care.
- It's damn near impossible to trick your employees into caring.
- Most people tend to reciprocate the care that is given to them.
- Some don't, but that's OK—you can always fire those.
- Therefore, there is only one reliable way to make the employees care about the company, and that's to make the company care about the employees first.
This mainly manifests in two ways, both very tightly interconnected: Mutual gratitude and Long-term investments.
Mutual gratitude
David Graeber's book “Debt: The First 5,000 Years” mentions something about primitive societies: They don't barter, at least not amongst their in-group. Instead, they use esteem and gratitude in place of currency, and it works quite well for them. Under this lens, actual money is best understood as a substitute for gratitude, not vice-versa.
This is not absent from modern humans. It runs very deep, it's almost impossible to get rid of, and it's criminally under-used as a motivating tool for employees.
I've heard stories of employees encountering family trouble, only to be given unlimited days off to process. I've heard stories of bosses successfully campaigning to make their employees' professional lives immensely easier. I've heard stories of bosses paying for their employees' debts to get them out of financial dire straits. I've heard about an employee whose boss told him “You did an amazing job!” and he spent the next 3 days riding that high.
Think about these bosses, and ask yourself: Would their employees end up storing passwords in plain-text?
“He didn't have to do that for me. He did it because he cared.” will naturally and organically grow into “I didn't have to do that for him. I did it because I cared.”
Long-term investments
There appears to be a… fad, shall we say? in companies currently, to treat employees as expendable. Get hired, work until you burn out, then bid the company adieu.
I won't comment on whether that's a moral thing to do or not. I won't comment on whether it makes economic sense. What I will comment on, is that this produces employees who only care about the short term. After all, the knife cuts both ways: An employee in whom you only make a short-term investment, is in turn an employee who makes in you only a short-term investment.
Worse yet, some bosses appear to want to make their employees constantly afraid of getting fired. For some employees, this will make them desperate to do the best possible job, so as to stave off termination… which is not sustainable, and leads to burn-out, and therefore a short-term employment. For some other employees, however, this will make them adopt a mentality of “I'll get fired anyway, let see how many wages I can get while I keep sending out CVs.” Such an employee will, if anything, be emotionally invested in the company failing, not succeeding.
Contrast this with companies who make long-term investments in their employees. In case you don't understand what this means, ponder for a while the following:
There is an old anecdote about Tom Watson Jr., former head of IBM: One day, he called a VP into his office to discuss a failed development project that lost IBM \$10 million. Expecting to be fired, the VP presented his letter of resignation. The CEO just shook his head and said: “Why would I fire you? I just spent \$10 million to educate you.”
Got that? This basically says “I want you to succeed, and I want you to be part of this company when it happens.”
Some employees will take this to mean “That means I can keep failing and still get paid”. Those employees will swiftly find themselves fired, so they won't cause too much trouble. Plus, I think these employees are naught but a slim minority.
No, the take-away lesson for most employees is that the company is hoping to keep them employed for many years to come, and the immediate corollary of this is that they have a vested interest in the company's longevity and long-term success. When most of your colleagues have been with the company for 10+ years, odds are that you too can stay with the company for 10+ years; and when that happens, anything that threatens the company's financial health also directly threatens yours. Would you store passwords in plain-text if the company viewed you as a long-term investment?
Do you want to make money, really?
This is a bit tangentially related to the article's main point, but bear with me for a moment.
One of my most frequent recurring fantasies –at least, amongst the ones that don't involve swords or comically unrealistic proportions– is one where I make a presentation to a bunch of CEOs. There, I ask them one main question:
“Do you want to make money? Really, though?”
To test their answer to this question, I pose to them a few questions like the following:
- You have the chance to invest in one of two directions: Either The Thing, or The Dude. The Thing needs an annual maintenance budget of a little more than the CEO's salary, but makes twice that much in revenue. The Dude commands an annual salary of a little more than the CEO's salary, but makes 10× that much in revenue. Which do you choose?
- You are in danger of having to pay a huge fine, around 10% of your yearly revenue. There is only one person who can fix the situation, and he just left the company in very bad terms. He has offered to fix this for free, as long as you give him a formal written apology for the circumstances under which he left. Do you take his offer?
- You find a new office space, a stone's throw away from your current one. Being much more spatious, it will allow your employees to have offices as luxurious as yours. Your calculations say this will make them twice as productive. Downside: This means that your office will not be more luxurious than theirs. Do you make the move?
There is a common theme amongst all those questions, and it's this: “Do you consistently prioritise profit over social dominance?”. I'd be very surprised if more than a third of CEOs answer “yes”. To wit:
- The Thing, of course! Why would I pay an employee more than the CEO‽
- Me, apologise? In writing‽ Forget it.
- Why would I give my employees offices as nice as mine‽ They need to know who's boss!
These examples might or might not sound contrived. The crux of the issue remains: the laziest way to assert social dominance over your employees is to not value them, and employees who feel unvalued are liable to store passwords in plain-text.
I won't tell you to prioritise one over the other—you're an adult, make your own decisions. Just don't fool yourself: make the decision consciously, by weighing the pros and cons of each.
“Sweet! So how do I hood-wink my employees into thinking they are valued?”
The same way you hood-wink your stomach into believing it's been fed, or your bladder into believing it's been emptied.
You don't. You can't cheat those things. If you could, the phrase “we're like a family here” wouldn't have ended up a red flag.
OK, there's an exception to that. Ponder the following:
You can fool some people for a long time, or many people for a short time, but you can not fool all of the people all of the time. — Abraham Lincoln, possibly
Even if you succeed at first, you will eventually create employees who realise they have been fooled, and thence become emotionally invested in your company failing. Can you flee the company before they realise?
Remember: Yes, you are the alpha. Yes, your employees are your pack. But the pack by definition can never have the resources to serve the alpha more than the alpha serves the pack. (For details, see Scar's leadership of the pride.)
Conclusion
It doesn't matter how important the work you do is. If your company doesn't care about you, and views you as a short-term investment, just store the passwords in plain-text.
It doesn't matter how unimportant the work you do is. If your company cares about you, and views you as a long-term investment, reciprocate that.
And if you're a boss, and decide to not care about your employees and view them as disposable… I won't tell you no. What I'll tell you is, don't be surprised if your ship sinks because no-one cared enough to plug that one hole over there.
═════════════════════════════════════════════════════════════════════════════════
If you don't know what the phrase even means, it's the cybersecurity equivalent of keeping spare keys to your customers' safe deposit boxes, placing them under your welcome mat, and hoping that no bad people will think to look there.