Revolution or Evolution

I recently had a meeting with a well-placed Security Officer. He made a comment that I thought really summed up the view that I hold as well regarding transformation of Information Security at a company…

“When I started working in Security I said, ‘we need a revolution’. Now I know it is best to have an evolution.”

Let’s think about this. Revolution is, as defined by “dictionary.com”,

1.  an overthrow or repudiation and the thorough replacement of an established government or political system by the people governed.

2.  a radical and pervasive change in society and the social structure, esp. one made suddenly and often accompanied by violence.

We as human beings hate change, especially markedly drastic change.  Our dislike is typically based on a fear of the unknown, a comfort in the known, and a desire to control our fate through pursuit of self-preservation up through gratification (think Maslow).  If change is presented to someone their response is often to ask “What is in it for me?”  This is not necessarily a pure expression of greed, but more accurately a desire for self-preservation, preservation of one’s environment and comforts, and gratification at some level.  This dynamic applies equally well in our personal environments as well as our professional environments.

When we, as Information Security professionals, attempt to make changes in an environment we typically seem to ignore or be ignorant of this dynamic. We also seem to forget that each person has their own view of what is important for them – what provides them with the feeling of comfort and gratification. Anything that threatens this drives them back into a self-preservation state which is typically primal and can be somewhat irrational (lower order thinking).

As Information Security professionals, we don’t view security as a change, but rather as something “we should be doing!”. Our thoughts are filled with risks, vulnerabilities, and anything we might have learned at the most recent briefing or hacking class we attended. Our desire for gratification comes from our desire to “…protect this company from bad things…”, to quote a security manager I once knew. I want you to notice something – we as Information Security professionals think about Information Security from the point of view of an Information Security professional. Information Security professionals think of risks to Information Security, threats that could incur the risk, vulnerabilities that make the risk possible, and on and on… the items in our cognitive domain are all about Information Security and risk.

Now, let’s visit Daphne in accounting. If we look at the things she is thinking of and the things that are in her cognitive domain, we will find thoughts of “accounts payable, tick-and-tie, three-way-match, payment terms, and how do I move up the company ladder”. Do you see anything here that matches what an Information Security professional thinks of? (Please note, I realize some items might be relevant to financial data integrity, but play along with me here Mr. and Ms. Auditors, okay?) Daphne in accounting has her focus on the environment of accounting. Do you think she will care about a Revolution in Information Security? It’s not relevant to her, not part of her environment, and since she is presently unaware of it, introducing it into her environment via Revolution will be seen by her as an intrusion on her stability, her environment, and possibly an interference with her attempts to become more efficient, get better at her job, and move up the company ladder. She doesn’t care about something new if it interferes with her goals and what she thinks is relevant.

So the “Revolution” that Information Security might want to impose would be viewed by Daphne as interfering with the things that give her gratification and comfort.  It distracts from her job, new controls might even make her change the ways she does things which will slow her down and make her job harder, and ultimately may affect the promotion she has been looking forward to.  Is that true?  I couldn’t say, but does Daphne believe it is true?  That is the question that matters.

Violent change typically meets violent resistance. There is an amusing exercise where someone will ask another person to hold up their hand, and then they will push against that hand. The first reaction is for the other person to push back. But they were never asked to push back! It’s called “Resist – Persist” (Jack Canfield & Tony Robbins demonstrate this frequently, and I demonstrate it with my kids when they pick on each other).

How do you overcome these tendencies?

Evolve.  Engage evolution.

Think about these words, and I will discuss them more in my next post:

  • Relevance
  • What is in it for me?
  • Baby Steps (from “What about Bob?”)

About Daniel Blander

Information Security consultant who has spent twenty plus years listening, discussing, designing, and creating solutions that fit the requirements presented. President, Techtonica, Inc.