The Bedel Security Blog

Culture of Security: Critical Conversations

Written by Chris Bedel | Sep 3, 2021

Have you ever been in an organization where everyone can see the cause of an issue, but no one has the guts to say it out loud?

Of course, we all have.

It’s the type of organization that can harbor those awkward “the king has no clothes” moments - but unfortunately, in a corporate setting, we don’t have the luxury of children blurting out whatever comes to mind - so these things often never get addressed.

One of our values at Bedel Security is “Candid Debate”. It’s the idea that we are our best when we allow conflict to occur, and we encourage the discussion and resolution of that conflict.

We use that value internally for growing and managing our company. But we also use that with our customer relationships. In fact, when it’s our customers, we use the rallying cry: “tell them what they need to hear, not what they want to hear”. And that approach has worked very well for us.

Many organizations don’t allow critical conversations to happen because conflict is considered bad. But lack of conflict is actually MUCH worse. It causes that tension that you can just feel in the air and ultimately leads to passive-aggressive interactions and political maneuvers.

It’s simple, but not easy. This type of approach has to be embedded in the culture and if it’s not, it can be very hard to establish. This is true for the organization as a whole, but also especially the information security program. You have to set the culture for security and it starts with encouraging open dialogue and debate.

We’ve seen this (or a lack thereof) in our years of providing virtual CISO services.

  • Someone is afraid to point out a vulnerability

  • A conversation about accountability/roles/responsibilities is avoided

  • Stretching the truth on control effectiveness because it may make themselves or a team member look bad

This is all happening in fear of conflict, fear of looking bad, fear of the truth. But it’s not your people’s fault - they are in a culture that doesn't allow vulnerability - it doesn’t allow people to say: “I don’t know” or “I made a mistake”.

Without that culture, the organization severely limits itself:

  • You can’t be your best as a team unless you are vulnerable.

  • You can’t grow unless you can be humble enough to admit when you’ve made a mistake.

  • Your team can only reach the best solutions when multiple viewpoints are shared freely, and the differences are discussed.

Wouldn’t you rather know that the patching process is unsustainable than find out the hard way? Wouldn’t you rather see a “red” on a backup report today than find out after a ransomware attack tomorrow? Wouldn’t you rather hear an opposing idea on how to secure your environment than just stay with the “way you’ve always done it”?

If your people don’t feel comfortable identifying issues and discussing disagreements, these problems may never come to light until it’s too late. And in the information security world, that comes at a big cost.

So, here are some keys to building that culture that shares freely and debates openly:

  • Be vulnerable - This piece cannot be overlooked. Your team won’t share unless they feel safe. They won’t feel safe until you build trust. And you build trust through being vulnerable. This means being humble - saying I don’t know and asking for help. Often we see this as a sign of weakness, but it’s actually the other way around.

  • Remind the team repeatedly that you all want what’s best for the organization and that everyone plays an important part in that. That may be in the form of different viewpoints, but the end goal is the same.

  • Encourage healthy conflict - this means disagreements (and various perspectives) are a good thing, but name-calling, disrespect, etc. are not. Your job as a leader is to make sure these discussions are healthy. It also helps to remind your team from time to time that conflict, when done correctly, is a good thing and makes you better.

  • Be clear - this does not mean you become a democracy in your decision-making. We want everyone to feel “heard”, but that doesn’t mean they have a “say” in every decision. That’s the leader’s job.

  • Reinforce unified teamwork - after a decision has been made, set the expectation that you will execute that decision, full force, in a unified way.

  • Have courage - as a leader, you’ll need to be open to feedback - and if you’ve not been doing this, there could be a backlog. You’ll need to be ready to call your team out if necessary - or be there to listen when they need some guidance. All these conversations can be tough, but they are necessary.

Finally, understand that this takes time and practice. Culture can be one of the hardest things to change in an organization. To make this work, you need to be committed, but patient.

If you have any questions on how to implement these ideas among your team, feel free to reach out to me directly at chris@bedelsecurity.com.

For more information on the subject, check out these books that I’ve read numerous times:


Additional Resources:

5 Reasons Information Security is a Team Sport
https://www.bedelsecurity.com/blog/5-reasons-information-security-is-a-team-sport

Culture Counts
https://www.bedelsecurity.com/blog/culture-counts