The 'Department of No': Why CISOs Need to Cultivate a Middle Way
A chief information security officer's job inherently involves conflict, but a go-along-to-get-along approach carries its own vulnerabilities and risks.
Most of us are likely to agree that if we want to continue to evolve to be our best selves, we need some form of conflict or challenge. If we want to be stronger, we lift more weights or add more repetitions. If we want improved brain function, we solve puzzles or learn new skills. We may restructure our diets or diversify our exercise regimes, but, in any event, such activity almost always requires a change in behavior, a commitment to discipline, and a flexibility of approach to achieve optimal results.
And yet as security practitioners, many of us discard this type of training when we walk through the doors at work. We stay in a known, comfortable place. We ignore the independence and creativity of our own thinking and — almost as if by default — we transform into yes men and women, agreeing with our management teams and our boards about the right ways to handle risk and cyber threats.
Ironically, to much of the rest of the organization, we transform into what I call the Department of No, a group of well-intentioned but risk-averse executives who develop complex policies that restrict employee behaviors in a misguided attempt to reduce risk levels. Our go-along-to-get-along approaches, whether positive or negative and whether we realize it or not, reveal inherent biases and predisposed behaviors that may seem benign in themselves but that carry new vulnerabilities (and therefore new risks) into the workplace.
The truth is, a CISO's job inherently involves conflict. We strive to strike a balance between things like cost and quality, or security and usability, knowing that we are basically making trade-offs, reducing one side of the equation to give the other more weight, and those trade-offs typically show us where our bias lies. That bias, whether it stems from our backgrounds, our training, or something else entirely, inclines us toward certain assumptions, contributes to our misperception of risk, and unintentionally increases vulnerability. It's hardly a path that enables us to do our best work.
Fragmented organizational responsibility is another inherent conflict. One department may be responsible for FedRAMP authorization, another for SOC reporting, and still others for privacy, information security, and compliance. Risk and control responsibilities may therefore be siloed in both decision-making and outcomes. When each department requires its own audits, controls, policies, and priorities, separating out bias and working toward a common framework becomes increasingly challenging, making it easier for us to stay within our respective teams and, again perhaps unintentionally, weaken our organizations by working at cross-purposes.
We all view risk in our own way, like light shining through a prism. Depending on the angles we use, we see different refractions and reflections of light. The color and intensity of light changes as it traverses the prism into a spectrum of dispersed or mixed colors. Our evaluation of risk and the controls we use to mitigate vulnerabilities are just as diverse — diversity that is healthy if it is recognized and managed, but divisive and unnecessarily conflicting if not. The end result leaves wedges between organizations that should be working together to optimize the spectrum of information risk.
Disagreement Is Not Disloyalty
Getting there requires the same commitment to discipline and flexibility of approach we bring to other areas of our lives. It requires us to pose high-contrast questions that foster constructive conversations and ensure we are open to exploring all available possibilities. Too often, especially as we rise through the ranks of an organization, we censor ourselves and agree with our CEOs and our boards because we don't want to be perceived as disloyal.
But loyalty is often simply another form of bias. Despite what we have been taught to believe, disagreement does not equal disloyalty. In fact, I believe the reverse is true: Disagreement can be the highest form of loyalty, although that loyalty may be toward our customers or shareholders or even society at large if not to our management teams.
We cannot be so flexible that we lose sight of our duty to protect the right things at the right times in the right order. Nor can we be so rigid that our attempts to challenge a harmful status quo create equally ossified and restrictive ways of thinking. In other words, too much "yes" is dangerous, too much "no" is dangerous, but constructive conflict is essential to ensure contrasting opinions thrive and the truly serious issues at hand are met with the best approaches to solving them successfully.
We know we cannot eliminate risk entirely, but we can make good choices and strive continually toward optimization by:
1. Ensuring the cyber safety of people first — whether employees, customers, contractors, partners, or shareholders
2. Understanding and safeguarding the data relevant and necessary to keep people safe
3. Implementing a holistic framework of overarching governance that protects the long-term health of the business by putting controls in place that solve for the whole and not the sum of its parts
Independence and objectivity are key to our success and credibility. As CISOs and risk professionals, we need to cultivate the mettle necessary to do the right thing rather than allowing bad decisions to occur on our watch because we want to appear loyal.
Conflict is OK. Tension is OK. Seen through the right lens and managed toward positive outcomes, tension and conflict allow opposing ideas to flourish and be discussed, evaluated, and discarded in turn, increasing the chance that the decisions we ultimately make will provide the best overall protection to our organizations.
It might be trite in this day and age to say "if you see something, say something," but in fact that's precisely what we should be doing. If we can't go to our management teams, we must go to our boards. But we can't be afraid to stand our ground, even if it means putting our own jobs at risk to save our organizations. We owe it to the larger constituencies that depend on us — customers, shareholders, communities — to remain objective and foster dialogue that frees us from the tyranny of "yes" or "no" and allows us to keep asking "how."
Related Content:
Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "8 Backup & Recovery Questions to Ask Yourself."