Threat Intelligence
10:00 AM
Malcolm Harkins

The 'Department of No': Why CISOs Need to Cultivate a Middle Way

A chief information security officer's job inherently involves conflict, but a go-along-to-get-along approach carries its own vulnerabilities and risks.

Most of us are likely to agree that if we want to continue to evolve to be our best selves, we need some form of conflict or challenge. If we want to be stronger, we lift more weights or add more repetitions. If we want improved brain function, we solve puzzles or learn new skills. We may restructure our diets or diversify our exercise regimes, but, in any event, such activity almost always requires a change in behavior, a commitment to discipline, and a flexibility of approach to achieve optimal results.

And yet as security practitioners, many of us discard this type of training when we walk through the doors at work. We stay in a known, comfortable place. We ignore the independence and creativity of our own thinking and — almost as if by default — we transform into yes men and women, agreeing with our management teams and our boards about the right ways to handle risk and cyber threats.

Ironically, to much of the rest of the organization, we transform into what I call the Department of No, a group of well-intentioned but risk-averse executives who develop complex policies that restrict employee behaviors in a misguided attempt to reduce risk levels. Our go-along-to-get-along approaches, whether positive or negative and whether we realize it or not, reveal inherent biases and predisposed behaviors that may seem benign in themselves but that carry new vulnerabilities (and therefore new risks) into the workplace.

The truth is, a CISO's job inherently has conflict. We strive to strike a balance between things like cost and quality or security and usability, knowing that we're basically making trade-offs, reducing one part of the equation to give the other more weight, and those trade-offs typically show us where our bias lies. That bias, the product of our backgrounds, training, or whatever else inclines us toward certain assumptions, contributes to our misperception of risk and to vulnerability we never intended to introduce. It's hardly a path that enables us to do our best work.

Fragmented organizational responsibility is another inherent conflict. One department may be responsible for FedRAMP certification, another for SOC (System and Organization Controls) reporting, and still others for privacy, information security, and compliance. Risk and control responsibilities may therefore be siloed in both decision-making and outcomes. When each department requires its own audits, controls, policies, and priorities, separating bias from fact and working toward a common framework becomes increasingly challenging, making it easier for us to stay within our respective teams and, again perhaps unintentionally, weaken our organizations by working at cross-purposes.

We all view risk in our own way, like light shining through a prism. Depending on the angles we use, we see different refractions and reflections of light. The color and intensity of light changes as it traverses the prism into a spectrum of dispersed or mixed colors. Our evaluation of risk and the controls we use to mitigate vulnerabilities are just as diverse — diversity that is healthy if it is recognized and managed, but divisive and unnecessarily conflicting if not. The end result leaves wedges between organizations that should be working together to optimize the spectrum of information risk.

Disagreement Is Not Disloyalty
To get there requires the same commitment to discipline and flexibility of approach we bring to other areas of our lives. It requires us to pose high-contrast questions that foster constructive conversations and ensure we are open to exploring all available possibilities. Too often, especially as we rise through the ranks of an organization, we censor ourselves and agree with our CEOs and our boards because we don't want to be perceived as disloyal.

But loyalty is often simply another form of bias. Despite what we have been taught to believe, disagreement does not equal disloyalty. In fact, I believe the reverse is true: Disagreement can be the highest form of loyalty, although that loyalty may be toward our customers or shareholders or even society at large if not to our management teams.

We cannot be so flexible that we lose sight of our duty to protect the right things at the right times in the right order. Nor can we be so rigid that our attempts to challenge a harmful status quo create equally ossified and restrictive ways of thinking. In other words, too much "yes" is dangerous, too much "no" is dangerous, but constructive conflict is essential to ensure contrasting opinions thrive and the truly serious issues at hand are met with the best approaches to solving them successfully.

We know we cannot eliminate risk entirely, but we can make good choices and strive continually toward optimization by:

1. Ensuring the cyber safety of people first — whether employees, customers, contractors, partners, or shareholders

2. Understanding and safeguarding the data relevant and necessary to keep people safe

3. Implementing a holistic framework of overarching governance that protects the long-term health of the business by putting controls in place that solve for the whole and not the sum of its parts

Independence and objectivity are key to our success and credibility. As CISOs and risk professionals, we need to cultivate the mettle necessary to do the right thing rather than allowing bad decisions to occur on our watch because we want to appear loyal.

Conflict is OK. Tension is OK. Seen through the right lens and managed toward positive outcomes, tension and conflict allow opposing ideas to flourish and be discussed, evaluated, and discarded in turn, increasing the chance that the decisions we ultimately make will provide the best overall protection to our organizations.

It might be trite in this day and age to say "if you see something, say something," but in fact that's precisely what we should be doing. If we can't go to our management teams, we must go to our boards. But we can't be afraid to stand our ground, even if it means putting our own jobs at risk to save our organizations. We owe it to the larger constituencies that depend on us — customers, shareholders, communities — to remain objective and foster dialogue that frees us from the tyranny of "yes" or "no" and allows us to keep asking "how."

Malcolm Harkins is the chief security and trust officer for Cymatic. He is responsible for enabling business growth through trusted infrastructure, systems, and business processes, including all aspects of information risk and security, as well as security and privacy policy. ...