I found myself in one of my least favorite moments a few weeks ago. I was having a discussion about the build out of a new environment. Someone brought up the subject of how people should access the environment and I started laying out my vision. It included several specific and significantly restrictive controls and requirements. I got through half of my list and the most senior person in the room jumped up and said they were unreasonable. I almost had a knee-jerk reaction of defending them with a “You must do this to be secure!”, but stopped myself as I realized I fell into a trap I so often preach against.
What I had done was bury my head in the sand of a regulation, a checklist of requirements and let myself preach from what I thought security was, and not try to find what the business or the operational environment needed. I was wrong. Dead wrong.
I had the great fortune to be invited by a Gene Kim to read his early drafts of his book “The Phoenix Project”. It is the story of one company’s attempt to overcome its obstacles and survive. One of the characters in the book is named John. He is in charge of Information Security at the company. He carries a binder of controls, and is continuously focused on security because he needs to save the company from its security failures. Except it isn’t security the company is struggling with – it is struggling with its own business and operational survival. John however is not attuned to this. He is focused on a checklist of requirements that are completely tangential to the company’s needs. John has his own climatic scene where the antagonist of the story finally beats down John’s character with a finger to the forehead and a stern lecture that he better find out what’s important to the company and get out of the way. I laughed hard as I read this scene. I laughed because I can think of all the times I deserved that finger in the forehead. If you can’t think of the times you deserved that finger in your forehead you are deluding yourself.
Why Do We Act This Way
There are probably a litany of reasons why we tend to operate this way. The one reason that always seems to make the most sense to me is the simple constraint in our ability to operate outside of what we know. We use the skills and knowledge (cognitive domain, awareness, call it what you will) we know best, what we have been schooled in, read and heard. I have been, like many of us in information security, fed lists of controls, told that things had to be a certain way, and that breaches, like burglary or murder, carried huge consequences. I was taught responses to situations from the perspective of security – a professional deference – because that was my job and task.
And we are not alone. Others do the same within their profession. There are people in marketing who only see the world through a marketing perspective; or sales; or financial; and the list goes on. Even our own children see the world from the limits of what they know and what they’ve been taught. If we all knew the bigger picture we likely wouldn’t have had the embarrassing stories from our high school and college years, and use the phrase “If I only knew then what I know now.” We all have a bit of John in us – even when we consider ourselves enlightened.
Learn To Embrace the John in All of Us
We all have our constraints so the best way to overcome them is to first accept that we have them. Acknowledge them. Admit that many of the things that we discuss, propose, and recommend to people come from our perspective on the problem. This suddenly makes the problem have multiple angles that it can be viewed from. You may not be able to see all of them, but you certainly can ask someone else to tell you how it looks from their angle.
Ask questions. One of the first things I do when I find myself in the situation of being dead wrong is to set aside all my security concerns, suspend my preconceptions, pretend to be a complete outsider, and ask what is important to the business – what is the real business goal and objective. Things like how it creates revenue, how does it help the company, and what would happen if it was to stop working. The perspective is suddenly very different than when I look at it as a security person.
Then, I take one of my favorite steps. I create a solution that focuses on achieving the business goal, and that gives back just as much as it takes away. I have a rule with my teams, “For every control you put in place, you must give something back to the people affected by the control.” This creates some shock, some amusement, and then very puzzled looks. Several people have asked me why I do this. Some have resisted the rule, but I rarely waiver. This rule forces my teams to focus on and understand the impact of what they are doing when they put controls, policies, rules or anything else in place that is restrictive. And then it forces them to think of how they can make it less restrictive, or provide some benefit that is in line with the original business objectives and goals. It makes them understand what the affected people need to do their jobs better and what really matters to them. You also create some raving fans when they realize you understand their needs.
And lastly, and most importantly, recognize the Johns in all of us – in everyone around you. Encourage them to do the same as you – to learn to accept their inner John, to explore and ask questions, and to look from different perspectives. As role models we can develop the patterns in others and they will begin to mirror our behavior. Poke people in the forehead once in a while, and remind them to learn what is really important, and listen a little better.