Source: CSO Magazine
I recently helped my son build his first pine wood derby car. He took second place out of a field of ~60 cars. The secret of taking a block of wood, four nails and cheap plastic wheels is reducing all forms of friction that the car can face and moving the balance to the right parts of the car.
One of the dads realized this fact a bit late in the process and asked a fellow dad if he happened to have any graphite (a carbon-based lubricant) with him. The response was “of course I do, I carry it on me at all times…right next to my Chapstick!”
“Friction” in a human and organizational sense is defined as “conflict or animosity caused by a clash of wills, temperaments or opinions.”
The average employee not working in a security/privacy/legal role may hear the terms “privacy,” “security” and “IP/privacy legal” and think they are variations of the same focus and desired outcomes. For example, defending a company against the theft of intellectual property and confidential information would intuitively have some overlap to protecting personal information. With that shared goal, everyone should work seamlessly well together, right?
The answer, all too often, is a hesitant and unfortunate “no.”
Many companies experience friction, silos and turf wars between security, privacy and legal departments. Friction creates drag. Drag slows progress. Lack of progress reduces a company’s ability to successfully manage collective risks.
Tim Sewell (CTO/Co-founder of Reveal Risk) and I were reflecting on personal experiences and observations of these issues across different companies, and decided to analyze what was going on so we could help colleagues and clients create win:win:win outcomes between these functions. Our usual approaches to further research this seemingly common problem turned up virtually no articles or blog posts on the topic. We suspected the root causes and potential solutions were likely hidden amongst people/politics, culture, fear and legacy thinking.
Not to be deterred and wanting to get to the root of the issue, I went to my network to enlist respected experts and crowdsource contributions to the analysis and solutions. I am grateful to have had over 15 volunteers raise their virtual hands to contribute. In a testament to the complexity of these issues, many asked to remain anonymous because of current situations and relationships but shared their input by role and industry.
Problem 1: Communication/understanding/engagement
Poor communication, understanding and engagement between functions around tools, processes and practices within cyber security can lead to surprises, disagreements, improper evidence handling, broken attorney-client privilege and project delays.
Analysis: Lack of engagement, transparency and partnership were common symptoms shared by almost everyone I talked with. Potential root causes were found to be:
- Lack of cross training, education and understanding other perspectives. A chief privacy officer (CPO)/attorney from a large telecom company said, “Information security and privacy functional roles in corporations have evolved separately over the years. The need for symbiosis across these roles is clear, but often these teams at corporations do not place an emphasis on cross-learning to solve these disconnects in goals and perspectives.”
- Lack of engagement at the right time or insufficient resources to do so, causing clashes when lack of alignment or direction is discovered. Emotions can get in the way of listening and understanding on both sides when the “wait…what are you doing?” moment hits. Matthew Berger, a privacy and cybersecurity attorney, commented that “Traditionally speaking, privacy is viewed as a roadblock. A hindrance to development, profits and growth and privacy compliance is viewed as a paper exercise. Good privacy professionals get involved at the beginning of the development process and prevent these roadblocks before time is spent designing and building a risk-laden product or process.”
Recommendation: Be a valued and invested partner. Seek to understand the other disciplines (at least enough to speak the same language) and build empathy towards their different perspective. As the large telecom CPO recommends, “Privacy professionals should pursue training and even certification in information security frameworks, and information security professionals should pursue training and even certification in privacy and legal fundamentals.”
A senior security and privacy leader in the automotive industry shares three of his successful tips on building partnership and trust:
- Be the person that reaches out. I am in one of our legal offices almost every day. I stop in for non-immediate chats. Asking how I can help, attempting to make things easier. For instance, any contract review I am asked to do I return within 24 hrs. This way I am viewed as an ally. Particularly, as I see every contract (customer/vendor) to review security/privacy provisions.
- Mentor as possible. I have trained legal folks to be Privacy Officers. The more I help them the easier it is when I need something quick.
- Bring food. I have brought legal folks cookies/candy on a regular basis (at least 1-2 times a week). Better to see someone that brings food than a problem.
Problem 2: Technology confusion/lack of understanding
Concerns about cybersecurity methods, tools and enabled features/functionality came up as a frequent source of conflict.
Analysis: A relative newcomer to the table, cybersecurity brings with it a host of advanced capabilities with potential privacy and legal concerns. A common example is “full packet capture” technologies that inspect encrypted network traffic. Intended to thwart malicious insiders and malware, these tools carry significant ethical and legal considerations. While the cyber security team’s intent may be to detect malicious code, privacy and legal professionals are concerned about misuse of the technology and its ability to “spy” on employees or inspect their personal files.
Lack of understanding about the details and nuances of a specific technology and its use cases leads to lack of alignment and raising an alarm (sometimes false alarm, sometimes valid concern). Potential root causes were:
- Inability to effectively communicate controls, technology and process between security, legal and privacy personnel creates over-inflated concerns and stalemates. Sharing too much or not enough detail can both have negative effects. Additionally, many terms in cyber security stem from military and intelligence and sound, well… kind of scary. As an example, terms like “SSL interception” or “breaking encryption” without context sound like “we are going to use evil hacker tools to bust into encrypted documents and have some guys in a room looking at all of the file details to see what people that work here are doing.” The framing, facts and controls must be surfaced in conversations to avoid confusion and alarm.
- Steve Snyder, of Bradley’s Cybersecurity and Privacy Practice Group said, “There is a lack of common vernacular to discuss cyber risk. IT/tech folks have one view of evaluating tech and managing projects; legal has a framework for discussions; business people have a different type of project management, etc. And while there are undoubtedly times when they have to come together on other projects when it comes to highly technical subject matter of cyber risk the differences seem more apparent in terms of how the problem is described, evaluated and how proposed solutions are described. I think one thing that helps is an advisor that has bridged those gaps in the past, which means typically someone external who has helped comparable entities harmonize their various stakeholders to communicate and understand the problem.”
Recommendation: Teams must communicate earlier and in simple terms to ensure they stay aligned. Use precise, controlled language to avoid invoking fears of “big brother” and focus on describing their technology and use cases in the context of controls in place to prevent abuse. The phrases security & privacy by design really ring true. While this seems easy, many never get past this step because they trip up on language trying to talk too quickly.
Problem 3: Documentation/compliance focus vs operational outcomes
Friction can be caused by efforts to get the “documentation right” (both what to, and what NOT to put in writing) vs progressing operational outcomes.
Analysis: There is a healthy balance between “a free-for-all with no documentation or compliance efforts” and “drowning in a sea of bureaucracy and paper pushing and not moving anything forward.” Most companies fall somewhere in the middle of these extremes but skew one direction or another.
An automotive industry security and privacy leader shared, “Realistically, some of the biggest issues have to do with operational vs. policy or ‘redline’ focus. The practitioner or operational focus involves getting work completed. Whereas the ‘redline’ focus is driven towards a very narrow reading of the law, policy or standard. The redline focus is to perfect every little detail with limited sense of urgency or care if/how the actual task needs to be done…Unfortunately, it is difficult to find operational folks with deep policy/legal expertise and it is difficult to find operationally focused risk/legal resources. So, there is ongoing friction.”
A senior privacy leader in the airline industry shared, “The role of legal is frequently misconstrued as a company’s policing authority rather than being advisory in nature. In-house counsel is often asked for ‘approval’ or ‘blessing’ which is not the role, especially when the rules are not always bright line and guidance shifts based upon different factors. The role of legal is to provide legal analysis, surface the risks and provide recommendations to the business. The risks may often be accepted by the business through a mature risk acceptance process. This misconception is further emphasized when the general counsel role (advisor) is held by the same person as the chief compliance officer (enforcer).”
Recommendation: Beyond active partnering and understanding each other’s perspectives (in solutions 1 and 2), companies need to have clear responsibilities for each group. Compliance related functions need to have a stated and practiced objective to make compliance as easy and natural as possible. Operational functions need to determine how to better leverage their more compliance focused partners to drive process improvement and controls (not paper improvements).
Problem 4: Lack of process fundamentals
Without clearly defined processes (with RACIs) there is confusion about how things work and who should be involved, leading to conflict, misunderstandings and surprises.
Analysis: Having effective and well-defined processes reduces the chaos of unstructured processes and programs. Also, when a company lacks fundamental processes, more advanced efforts are hamstrung and destined to fail. One key component of any good process is decision rights. There will always be situations where there are disagreements or conflict
A senior privacy leader in the airline industry shared that “I’ve often experienced confusion between what security and privacy teams are responsible for (including when dealing with security colleagues). One recent example includes managing and providing direction, standards or policy on IT controls. I’ve frequently seen common controls that are simply missed within the scope of security policies and programs (logging standards, access controls, asset management, audit ready documentation). If basic good IT practices that support privacy and security are not being managed, it makes privacy and security by design impossible. It also makes it interesting to explain to an auditor why data management activities are not demonstrable when foundational asset management and asset controls cannot be confirmed.”
She also shared concerns about resourcing and breadth of ownership/coverage: “Another huge challenge is that most organizations are still relying upon a single privacy role to ‘manage’ an enterprise privacy program. This is not scalable when you have that privacy person supporting a large organization with multiple stakeholder teams (IT, ecommerce team, security, risk, marketing, HR, etc.). This program of one usually lacks sufficient budget to be effective in operations.”
Steve Snyder shared that there can be a “lack of attention to the problem due to lack of resources coupled with clear understanding of the problem. Typically, at small and medium sized businesses, IT is heavily utilized, probably understaffed on just supporting operations. They implement the solutions and practices but have no time to document or communicate them with anyone. The rest of the company is in the dark on the info sec side because it is not an operational issue that is in front of them all the time. I’ve seen this problem solved primarily by having a rigorous review, again, most often by a third party. By forcing an assessment, it forces the business to stop and take stock of what’s going on and gets people to focus on the issue instead of just looking at what directly drives the bottom line.”
Recommendation: Companies must invest in their processes, clarity of ownership (RACIs) and adequate staffing to cover the breadth of responsibility. Cutting corners on any of these three will ultimately result in friction, slowness and worse: increased risk to the company.
Problem 5: Ego
Leaders with too much or unchecked ego tend to make decisions focused on short-term initiatives/gains or self-promotion rather than on long-term planning or sustainably reducing risk.
Analysis: Security, privacy and law are all domains that require a significant motivational fit to be successful. Ego can spur motives that do not serve a company well in the long run. Much of my discussion with my contributors circled back to a conflict of personality, largely tied to ego. Ego problems can exist in any function and play out in a number of ways that block progress.
A senior privacy leader in the airline industry shared that leaders with too much ego and the wrong motivations/incentives tend to lack the ability to create and drive enterprise strategy and sustainable operations. Their decision-making process tends to focus on the short-term initiatives/gains rather than long term planning and benefit.
Ego problems are difficult to “cure,” especially when leaders are more senior in the company or have a low EQ (emotional quotient) coupled with a high IQ (intellectual quotient). Big egos tend to lose trust, while personal trust and transparency are critical to a healthy partnership between functions.
Recommendation: Know the players involved and understand their motives. My Six Sigma training and certification included a process called political mapping. It involves diagramming an organization’s key leaders, levels of influence or conflict and dynamics amongst the teams. It enables you to create an informed stakeholder management and communications plan to maximize your chances of successfully moving an initiative forward. I’ve carried this tool (and many others) into my regular toolkit. You may not be able to change leaders, but you can attempt to manage them.
Time is money
No company has time for friction in cybersecurity and privacy. The stakes are too high and customer trust is on the line. The intentions and motivations across cybersecurity, privacy and legal stakeholders are likely coming from a good place. However, communications, understanding, tactics, process and ego can cause significant friction for everyone involved. When this happens, no one wins – especially the company and its customers.
Companies that take a little time upfront to invest in minimizing friction will see their speed increase significantly. If you have experienced challenges and need some “graphite” in your pocket to go faster toward your goal, remember these five things.
- Focus on building partnerships
- Enhance understanding of technology, use and controls to prevent misuse
- Find the right balance between operational goals vs compliance/documentation needs
- Drive towards defined, efficient and continuously improving processes
- Check egos: manage your stakeholders
Lastly, finding resources that have experience across security, privacy and legal can help you accelerate your efforts to reduce friction. Just like one dad asking another for graphite to reduce friction just before the race, it is never too late!
This article is published as part of the IDG Contributor Network.