As politics, news, and social media appear to become ever more polarized, I find myself longing for a time when things weren't this way. I remember when people used to sit down, civilly, to discuss their viewpoints and differences. Debates and conversations involved truth, facts, and logical arguments, rather than half-truths, ad hominem attacks, and changing the subject when asked to respond to a particular point.
While there is little chance I can facilitate a return to civility in the various forums mentioned above, I do believe that we in security can learn a valuable lesson from the state of the world. Simply put, civil discourse is good for security, and a lack of it is bad for security. I'd like to offer five reasons why.
1. Understanding Organizational Interests
Most of the security professionals I've encountered over the course of my career have had good intentions. They want to identify issues that could be a risk to or a problem for the organization and work to address those issues. Their focus is solely on improving the organization's security posture. Civility facilitates this noble cause by providing them a forum in which they can raise issues safely and without fear of retribution. Organizations that promote this type of professional civil discourse most often have a much better understanding of their security interests and are much better equipped to protect them.
2. Incorporating Feedback
One of the ways in which security efforts mature and improve is by soliciting and incorporating feedback. Of course, not all feedback is helpful, nor is all of it relevant. The clever security team will collect all feedback that stakeholders are willing to provide without passing judgment on or rejecting any of it. The feedback can always be sorted through and filtered later. If, however, stakeholders feel as if the forum for providing feedback is not civil, they will cease providing it. While that will certainly reduce the irrelevant and unhelpful feedback, it will also reduce the insightful and valuable feedback that is so necessary to improve the state of security.
3. Identifying Differences
Have you ever stopped to think about what causes differences and debates within an organization? Sometimes they are caused by bad faith actors and selfish motives. In my experience, though, that is not the majority of cases. Often, they are caused by differing priorities and focus. This is actually a good thing. Each team within the organization has its mission that it is charged with, and that team is responsible for looking after one or more areas of the business. In other words, when different perspectives cause different teams to see the same issue differently, it can often produce helpful insight as to where a proposed approach may be incomplete or lacking certain considerations — provided that the organization can nurture the civility that allows for this type of discourse, naturally. This can be extremely helpful when working to ensure that security efforts maximize their potential.
4. Following Process
While many security professionals may not enjoy following processes, particularly within a large company, processes can be quite helpful. This might sound radical, but if processes are timely, relevant, and well-designed, they can help root out potential issues before they become big problems. That's because a good process is designed to ensure that efforts proceed in accordance with policy, and that all relevant stakeholders are able to weigh in on and contribute to those efforts. More often than not, in my experience, stakeholders are able to help the security team see issues early on when processes are followed. This allows the security team to address those issues far more easily than it would be able to later.
5. Building Consensus
In theory, the security team should be pushing forward initiatives that make changes that will ultimately be good for the security posture of the organization. If this is the case and a good, well-designed process is followed, stakeholders will have a chance to hear of, internalize, and partake in the initiative. If the security team has done its homework and incorporates feedback, it will build consensus and gain buy-in. Requiring consensus in order to move initiatives forward may seem bureaucratic, but it enforces a civil environment and ensures that those who will be affected by initiatives are on board. This, in turn, creates more robust security initiatives that address more of the relevant problem space.
While civil discourse may be a pipe dream in various media these days, it doesn't have to be within your organization. By creating an environment of civility, organizations can ensure that valuable input reaches those who can use it to improve the organization's security posture. Incivility, on the other hand, shuts down dialogue, suppresses ideas, and results in a poorer information security posture.