Successful security teams are in a conversation with the rest of their organisation about managing security risk; unsuccessful teams are always in an argument.
Security risk management has to be a conversation. No one individual or group can own or fully control this risk due to the complex, interdependent and ever-changing nature of the organisations we build. There is no platonic ideal of a security risk state that we will one day reach. A conversation between all the people that influence security must exist to establish the optimal approach to security risk management for each organisation.
The best outcome we hope to create from this conversation is a trade-off that allows or enables the organisation to achieve its goals while protecting the organisation from harm. That trade-off is constantly renegotiated between all the people that make up the organisation as the organisation and the people change.
We often hear security practitioners claiming that ‘the business just don’t understand’ or that ‘they don’t care, they just want a tick in the box’. We also hear from the rest of the organisation that security teams ‘just say no’ or ‘make no sense’, are ‘too techie’ or are ‘blockers’. These are signs of a bad conversation and in some cases the worst situation: no conversation at all.
Both groups are suffering from a lousy conversation in which their expectations and needs are not met, and one or more participants do not believe they have reached an optimal trade-off. That creates frustration and an argument.
We need to correctly understand what we mean by a conversation and what makes it good or bad. David Angel wrote a great blog on four types of conversation which is instructive; the four types are as follows:
- Discourse, which is one-way and cooperative, with the goal of delivering information.
- Dialogue, which is two-way and cooperative, with the goal of exchanging information and building relationships.
- Debate, which is two-way and competitive, with the goal of winning or convincing.
- Diatribe, which is one-way and competitive, with the goal of expressing emotion or browbeating.
In my experience, when dealing with boards or committees I tend to treat them as discourse, whereas when dealing with people outside of formal settings I try to establish a dialogue. It may be my working style, which leans towards cooperation over competition, but I find both diatribe and debate ineffectual, and they create arguments.
Too often I see security practitioners start conversations with an assumption that they are engaged in a competitive conversation with someone who has incompatible needs and desires (‘doesn’t care’), and then combine this with the assumption that, as they are the experts, this should be a one-way conversation. The result is that they deliver a diatribe.
The error is to assume that non-practitioners don’t care about or actively want to avoid security. This assumption is sometimes correct (a damn good reason to leave an organisation if this includes the leadership) but generally is a mischaracterisation as a result of a diatribe that led to an argument.
The issue with assuming you are in a one-way conversation is that you don’t listen. Listening is probably one of the biggest weaknesses of security practitioners I see (and, to be honest, one I’ve experienced myself when dealing with peers), and yet it is one of the most critical ways to reach an optimal outcome for the organisation.
In my next post, I’ll pick apart listening and what we can do to improve the conversations we have and the relationships we build.