In a previous article I used the phrase: “In security, it can be your job to put your job on the line.” A good friend and colleague responded to me via Twitter with two words: “That’s dysfunctional!” Insofar as this can be read as career self-sacrifice, I concur.
This is the kind of situation I had in mind: A new business application is scheduled to be rolled out, and security issues emerge late in the process. Delaying the roll-out in order to fix them will impose unplanned cost. The CISO now has the choice of opposing the roll-out and risking antagonizing influential stakeholders, or allowing it, thereby becoming the fall guy for anything that might go wrong with it in the future.
Being a CISO is not a popularity contest, and as elsewhere in business one sometimes has to take a stand. It is, however – as I was seeking to illustrate – the responsibility of the company to create an environment where this is possible and, where necessary, encouraged.
I am not talking about ‘speaking truth to power’. Most CISOs I know would have no problem with doing so. As a matter of personality, the overwhelming majority of security persons I have met care deeply about their job, and would not let their right to stand up for their beliefs be taken away. I’m talking about winning a case on the merits, at financial cost to the company.
If nothing else ever got senior management’s attention, the sudden increase in spending for a key project will.
In a functional organization, the issue would be documented and assessed. Management might choose to accept the risk and proceed or accept the cost and delay. Accountability flows upwards and management and the business accept their responsibility for security.
"In a dysfunctional organization... security is the sole responsibility of the CISO. Blame flows downward"
In a dysfunctional organization, on the other hand, security is the sole responsibility of the CISO. Blame flows downward. She or he becomes susceptible to pressure and is suddenly and personally shouldering a risk – but so is the organization itself, as security issues start getting swept under the rug. (Broken windows theory for information security, anyone?) Security may be told it must be ‘an enabler, not an inhibitor’ and that it can win the next time, just not this one. Only there won’t be a next time, because next time will be a spin-off of the same production. If you find the idea off-putting you’re not alone.
You may hope for a resolution by addressing the issue openly. Perhaps you can ally yourself with key deciders and influencers. There may be ways to improve the balance of power by changing organizational structure or aligning formal responsibilities with reality. But the long term outlook is still not good.
As a CISO you may have the leverage to influence an organization’s security culture over years of sustained effort. However you realistically have very little hope of changing an ingrained blame culture. Unless you’re planning to join in playing the game (which we hope you won’t), be sure to protect yourself from damage to your professional integrity, and even your health.
Philosopher Theodor Adorno, in very different times, coined the aphorism: “There cannot be a right life amidst wrongs.” Which even today you can read as: Rather than compromising your beliefs, be prepared to leave while you can. In a dysfunctional organization, your job may have been on the line all along.