I had the good fortune of a long drive (12 hours to be exact) which allowed me time to catch up on four months of backlogged Martin McKeay’s Network Security Podcasts. My fortune improved when I listened to the June 7th 2011 edition. I hadn’t known about the #SecBiz thread on Twitter, and I am sorry I missed it when it started. The discussion on the Podcast was fantastic. The identification of the issues, the perspectives offered, the ideas on distribution of duties and the consensus everyone had about the need were spot on. The stories of employees having to work in every part of an organization are excellent, and a great insight. A well-placed CEO I know of did the same in his first month after being hired and created a significant level of trust across the organization.
If you haven’t heard the Podcast, please do so. It is all excellent. Well, except for the last 18:27, after Martin asks the question: “What can we do…” To me, the answers at that point fell flat and missed an opportunity. So many great ideas that helped bridge the gap were provided before the question that the opportunity to expand on them was missed. So I’ve decided to provide some answers, and make up for my lost time on the #SecBiz discussion. This blog post will be a bit fractured and piecemeal, but the intent should come through. The thoughts are all part of lectures I’ve given since Shakacon in 2007, ongoing research, and a book I’m writing based on my research and case study collection.
First I’d like to point out something I think is very important to the discussion. Years ago a wise CIO taught me to avoid the great mistake of referring to the non-IT portion of the company as “The Business”. IT and InfoSec are part of the Business, and together with the other parts of a business create solutions and better the organization as a whole. Referring to “The Business” separate from IT perpetuates the “Them” vs. “Us” we are trying to overcome. Create new language, since our language is a reflection of our thoughts and intentions. Let us re-arrange our intention and build the first link between ourselves and the other parts of the business in our mind.
The Goal
The goal that the #SecBiz thread shoots for is an achieved mutual appreciation between InfoSec and the rest of the business. The goal is noble; however, too often we look at it in InfoSec or technical terms. The answers to Martin’s question highlighted this for me. The answers talked about how to structure InfoSec, how technical knowledge is key, and how teams need to take responsibility.
But the business will never understand the depth of technical issues in InfoSec, just as we will never understand the intricacies of finance and accounting. We both can communicate high level concepts, but the technical details are why we have “specialties”. Generalists who can also dive deep are rare. We must stop trying to make everyone outside InfoSec experts. The answer we need to focus on instead is based in the dynamic of how to build collaboration and a common base of understanding regarding our goals, and our priorities. To do this we need to think deeper into psychology, or in my favorite parlance, organizational psychology.
Understanding Motivation and Perspective
Each of us has a motivation – things that we value and strive towards to achieve our goals. These goals include the things we value, the objectives we want to achieve (both long term and short term) as well as the way we act to support these values. Every business group (which includes IT) has numerous individuals working in it who have their own motivations and values. There are often commonalities – values such as recognition and significance, certainty, and personal connection – but with individual variations in priority and manifestation. A CFO and the finance group are, from a business perspective, focused on the goal of ensuring the financials are accurate, timely, and assist in the objective of maintaining profitability through the appropriate management of monies in all forms. There are also personal motivations layered on top of this such as being recognized for your work, and maintaining personal relationships.
This might seem tangential, but I assure you it is not. If the InfoSec group comes along and tells the finance group that they cannot implement software that in the eye of the CFO and the finance group helps them achieve their goals faster, better and with the potential for them to be recognized for improvements in their group, how do you think it will go over? Think. You just told a group that they cannot pursue things they value. Their value is based on their perspective through their motivation. They do not see your perspective because it is not part of their goals or values.
Until we understand the motivations, goals and values of various groups within our businesses, we cannot accurately address security in those groups. We must apply security with their motivations in mind. If we derail their motivations, we will fail. If we align with their motivations or show how our goals and values align with their motivations, we will create wins, and the understanding we are looking for.
[These have been discussed in academic circles by Maslow’s theories, Chris Argyris, and cognitive psychologists and adapted in more contemporary discussions on motivation through the works of business and personal development by Steven Covey, Jack Canfield and Tony Robbins.]
Building Collaboration – Towards Empathy
I have long held that collaboration is the method to creating buy-in and understanding and I suspect few would disagree. My definition of collaboration is bi-directional actions and behaviors that include honest communication, active listening, and empathy. The latter is what I consider the critical end-game you need to achieve. I do not advocate outright sympathy, but rather an understanding and appreciation for another person’s thoughts, concerns, challenges, and ultimately their motivation. From the above conversation, understanding a person’s or group’s motivation allows us to align or at least discuss issues in relation to their motivations.
Collaboration is not built by re-inventing how we shuffle InfoSec groups about but by building new paths and methods of communication. The path to achieving this requires that we in InfoSec be willing to learn and lead in building these new paths and methods of communication. Either side can initiate and lead this effort, but since we are speaking of the initiative, and are the ones calling out for greater recognition, let us take the lead building that bridge. Let us model the methods so we can all benefit.
Modeling collaboration is first achieved by reaching out to open lines of communication. The techniques to achieve this include asking questions first rather than trying to “tell” someone things. Ask to understand, because it allows the other party to feel listened to, and allows you to understand their frame of reference. We all value being listened to. Be the bigger person and listen to those outside of IT and InfoSec so you can understand their business, their fears, their needs and their motivation.
The second step in opening lines of communication is active listening: being able to restate what the other party has said to demonstrate your understanding of it. This creates respect from the other party, as they feel even more strongly that you are attempting to understand them.
The third step is active and sincere empathy. Empathy is the ability to understand and comprehend the other party’s view, values and justifications for what they do. You can understand their frame of reference. Do not abuse this understanding, since doing so can dismantle and shatter the trust you have built with the other party.
Lastly, use the knowledge you have gained to relate your position and view to their view of the world, their goals and their motivations. When you have tied your objectives to their motivations, you have created the foundation for collaboration. They now see the value in understanding your goals since it aligns to their goals. Your goals are being achieved because they are aligned to the other party’s goals. We call this a win-win. Both sides get their needs met.
Some of the ideas that have come about in my case studies:
Business Impact Assessments: Dragging the Information Security team around to do Business Impact assessments with each of the groups within the business – sales, accounting, logistics… The questions that were asked were “What is the most important process in your group?”, “What keeps you up at night?”, “What processes or systems would cause you the most impact if they were to fail?” The result was a very personal discussion about what each group cared about, what their priorities were, and what they wanted attention given to. By doing this under the guise of a BIA, we were able to better understand what each group cared about, and what was most valuable to them. We also were able to understand in great detail the operational processes of the organization. Think of it as a business mapping or process flow exercise. We listened, we described what we heard to ensure we heard it correctly, and made sure we identified their biggest processes and biggest values. The result was much more than just our knowledge of our business. It built camaraderie. The business groups felt we cared about them because we listened, we showed empathy for their needs and goals. Now when we discussed security we had two things working in our favor – a knowledge of the entire business that we could use in determining risks and where to apply useful controls, and an audience who felt respected and felt it acceptable to show us respect.
Security or Risk Council: An internal “governance” group, not unlike an IT Governance structure which reviews business and IT objectives and budget to make sure IT aligns with the priorities and objectives of the entire organization. The council is made up of leadership from all business groups, who are free to share their concerns for security and risk management. Monthly meetings are held, and all domains of Information Security are discussed, but with a focus first on areas outside of the IT and Information Security groups (such as perhaps HR background checks, concerns for fraud and loss in distribution, safety of workers in the workplace…). By first making the council about their security concerns, the participants felt it was a collaborative effort and their views were valued. This example worked well in several companies.
Risk Management and Business Process Discovery: Businesses understand risk management. Banks and insurance companies for obvious reasons prove to be particularly adept and aware of risk management and process evaluation as valuable and integral to the organization. While listening to Edition 10 of the Risk Hose Podcast I re-discovered the concept of risk management – in a process oriented sense – to reflect the ideas I discussed above. The Risk Management teams explore the business processes with the business, understand it, evaluate the risk, and decide what to focus on with the business. The InfoSec team in undertaking a business process discovery can understand the business. By framing the analysis in Risk Management terms, you can increase the likelihood that the other areas of the business will relate to the findings.
Distributing Responsibility for Security: One of the conversations in the Podcast revolved around Security Operations. I’m going to go down this rabbit hole even though on many levels it’s not a direct #SecBiz discussion. It can however serve as a model of how to collaborate on security.
I prefer to demarcate Security Operations into two groups:
a) the acts of providing preventative security functions such as Anti-Virus, Patching, Firewalls, System Configuration (for security).
b) the acts of providing detective security functions such as Security Incident and Event Monitoring, Unauthorized System and File Changes, and validation of controls (such as reviewing system configuration standards or firewall rules for approval). I also sometimes refer to this as segregation of duty functions since they are checks against potential inappropriate activities and control failures.
I divide this way because I prefer to assign responsibility for the preventative functions to the administrative groups who are usually tied to systems and devices (e.g. configuration standards and patching as the responsibility of each system group, firewalls as network devices, etc.). This takes security from being an InfoSec-only function and makes it part of the job description for groups outside of InfoSec. They become accountable for security, and it begins to be part of their culture and their thoughts. Holding them accountable is the second part: the detective controls that are assigned to an InfoSec group. The outcome of these role designations is that conversations about security spread wider than just the InfoSec group, and control designs are collaborated on.
What does Collaboration Achieve?
I conducted a survey in summer of 2007. Over 100 companies responded, and while the survey was highly unscientific, the results were clear. The survey asked what the perceived acceptance of the company’s Information Security Policies was, and what parts of the business were involved in creating those policies. Unsurprisingly, of the organizations who said they developed their InfoSec Policies with the business, 80% said their policies were well accepted, and the remaining 20% felt the policies were accepted and challenged, but not outright rejected. Of the organizations who developed their policies just within IT or the InfoSec group, 36% felt their policies were well accepted.
The Quote
I’m going to leave you with two quotes since they both contribute some insight:
Chris Hayes: “We have to accept that it’s not our risk tolerance that matters as risk practitioners or security professionals. It’s the person accountable for the risk at the end of the day. And until you overcome that you’re almost a barrier to what you’re trying to achieve.”
We have to work with the business to get them to understand the risk, and design with it (for better solutions). In order to do this we need to understand what the business is about in the first place. And then we need to demonstrate we understand it, with empathy for their motivation.
Ultimately InfoSec is juggling risk and business goals, or as @shitmyCSOsays quoted: “Security is about eliminating risk. Business is about taking risk to make money. See how they are a perfect match?”