[BreachExchange] The 'Department of No': Why CISOs Need to Cultivate a Middle Way

Destry Winant destry at riskbasedsecurity.com
Mon Nov 25 10:05:59 EST 2019


https://www.darkreading.com/threat-intelligence/the-department-of-no-why-cisos-need-to-cultivate-a-middle-way/a/d-id/1336391

A chief information security officer's job inherently involves
conflict, but a go-along-to-get-along approach carries its own
vulnerabilities and risks.

Most of us are likely to agree that if we want to continue to evolve
to be our best selves, we need some form of conflict or challenge. If
we want to be stronger, we lift more weights or add more repetitions.
If we want improved brain function, we solve puzzles or learn new
skills. We may restructure our diets or diversify our exercise
regimes, but, in any event, such activity almost always requires a
change in behavior, a commitment to discipline, and a flexibility of
approach to achieve optimal results.

And yet as security practitioners, many of us discard this type of
training when we walk through the doors at work. We stay in a known,
comfortable place. We ignore the independence and creativity of our
own thinking and — almost as if by default — we transform into yes men
and women, agreeing with our management teams and our boards about the
right ways to handle risk and cyber threats.

Ironically, to much of the rest of the organization, we transform into
what I call the Department of No, a group of well-intentioned but
risk-averse executives who develop complex policies that restrict
employee behaviors in a misguided attempt to reduce risk levels. Our
go-along-to-get-along approaches, whether positive or negative and
whether we realize it or not, reveal inherent biases and predisposed
behaviors that may seem benign in themselves but that carry new
vulnerabilities (and therefore new risks) into the workplace.

The truth is, a CISO's job inherently has conflict. We strive to
strike a balance between things like cost and quality or security and
usability, knowing that we're basically making trade-offs, reducing one
part of the equation to give the other more weight, and those
trade-offs typically show us where our bias lies. Bias resulting from
our backgrounds, our training, or whatever else inclines us toward
certain assumptions contributes to our potential misperception of
risk and to unintentionally increased vulnerability. It's hardly a path
that enables us to do our best work.

Fragmented organizational responsibility is another inherent conflict.
One department may be responsible for FedRAMP certification, another
for SOC standards, and still others for privacy, information security,
and compliance. Risk and control responsibilities may therefore be
siloed in both decision-making and outcomes. When each department
requires its own audits, controls, policies, and priorities,
separating bias and working toward a common framework becomes
increasingly challenging, making it easier for us to stay within our
respective teams and again, perhaps unintentionally, weaken our
organizations by working at cross-purposes.

We all view risk in our own way, like light shining through a prism.
Depending on the angles we use, we see different refractions and
reflections of light. The color and intensity of light changes as it
traverses the prism into a spectrum of dispersed or mixed colors. Our
evaluation of risk and the controls we use to mitigate vulnerabilities
are just as diverse — diversity that is healthy if it is recognized
and managed, but divisive and unnecessarily conflicting if not. The
end result leaves wedges between organizations that should be working
together to optimize the spectrum of information risk.

Disagreement Is Not Disloyalty
To get there requires the same commitment to discipline and
flexibility of approach we bring to other areas of our lives. It
requires us to pose high-contrast questions that foster constructive
conversations and ensure we are open to exploring all available
possibilities. Too often, especially as we rise through the ranks of
an organization, we censor ourselves and agree with our CEOs and our
boards because we don't want to be perceived as disloyal.

But loyalty is often simply another form of bias. Despite what we have
been taught to believe, disagreement does not equal disloyalty. In
fact, I believe the reverse is true: Disagreement can be the highest
form of loyalty, although that loyalty may be toward our customers or
shareholders or even society at large if not to our management teams.

We cannot be so flexible that we lose sight of our duty to protect the
right things at the right times in the right order. Nor can we be so
rigid that our attempts to challenge a harmful status quo create
equally ossified and restrictive ways of thinking. In other words, too
much "yes" is dangerous, too much "no" is dangerous, but constructive
conflict is essential to ensure contrasting opinions thrive and the
truly serious issues at hand are met with the best approaches to
solving them successfully.

We know we cannot eliminate risk entirely, but we can make good
choices and strive continually toward optimization by:

1. Ensuring the cyber safety of people first — whether employees,
customers, contractors, partners, or shareholders

2. Understanding and safeguarding the data relevant and necessary to
keep people safe

3. Implementing a holistic framework of overarching governance that
protects the long-term health of the business by putting controls in
place that solve for the whole and not the sum of its parts

Independence and objectivity are key to our success and credibility.
As CISOs and risk professionals, we need to cultivate the mettle
necessary to do the right thing rather than allowing bad decisions to
occur on our watch because we want to appear loyal.

Conflict is OK. Tension is OK. Seen through the right lens and managed
toward positive outcomes, tension and conflict allow opposing ideas to
flourish and be discussed, evaluated, and discarded in turn,
increasing the chance that the decisions we ultimately make will
provide the best overall protection to our organizations.

It might be trite in this day and age to say "if you see something,
say something," but in fact that's precisely what we should be doing.
If we can't go to our management teams, we must go to our boards. But
we can't be afraid to stand our ground, even if it means putting our
own jobs at risk to save our organizations. We owe it to the larger
constituencies that depend on us — customers, shareholders,
communities — to remain objective and foster dialogue that frees us
from the tyranny of "yes" or "no" and allows us to keep asking "how."
