Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

11/21/2019
10:00 AM
Malcolm Harkins
Malcolm Harkins
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

The 'Department of No': Why CISOs Need to Cultivate a Middle Way

A chief information security officer's job inherently involves conflict, but a go-along-to-get-along approach carries its own vulnerabilities and risks.

Most of us are likely to agree that if we want to continue to evolve to be our best selves, we need some form of conflict or challenge. If we want to be stronger, we lift more weights or add more repetitions. If we want improved brain function, we solve puzzles or learn new skills. We may restructure our diets or diversify our exercise regimes, but, in any event, such activity almost always requires a change in behavior, a commitment to discipline, and a flexibility of approach to achieve optimal results.

And yet as security practitioners, many of us discard this type of training when we walk through the doors at work. We stay in a known, comfortable place. We ignore the independence and creativity of our own thinking and — almost as if by default — we transform into yes men and women, agreeing with our management teams and our boards about the right ways to handle risk and cyber threats.

Ironically, to much of the rest of the organization, we transform into what I call the Department of No, a group of well-intentioned but risk-averse executives who develop complex policies that restrict employee behaviors in a misguided attempt to reduce risk levels. Our go-along-to-get-along approaches, whether positive or negative and whether we realize it or not, reveal inherent biases and predisposed behaviors that may seem benign in themselves but that carry new vulnerabilities (and therefore new risks) into the workplace.

The truth is, a CISO's job inherently has conflict. We strive to strike a balance between things like cost and quality or security and usability knowing that we're basically making trade-offs, reducing one part of the equation to give the other more weight, and those trade-offs typically show us where our bias lies. Bias resulting from our backgrounds, training, or whatever makes us inclined toward certain assumptions and contributes to our potential misperception of risk and unintentional increased vulnerability. It's hardly a path that enables us to do our best work.

Fragmented organizational responsibility is another inherent conflict. One department may be responsible for FedRAMP certification, another for SOC standards, and still others for privacy, information security, and compliance. Risk and control responsibilities may therefore be siloed in both decision-making and outcomes. When each department requires its own audits, controls, policies, and priorities, separating bias and working toward a common framework becomes increasingly challenging, making it easier for us to stay within our respective teams and again, perhaps unintentionally, weaken our organizations by working at cross-purposes.

We all view risk in our own way, like light shining through a prism. Depending on the angles we use, we see different refractions and reflections of light. The color and intensity of light changes as it traverses the prism into a spectrum of dispersed or mixed colors. Our evaluation of risk and the controls we use to mitigate vulnerabilities are just as diverse — diversity that is healthy if it is recognized and managed, but divisive and unnecessarily conflicting if not. The end result leaves wedges between organizations that should be working together to optimize the spectrum of information risk.

Disagreement Is Not Disloyalty
To get there requires the same commitment to discipline and flexibility of approach we bring to other areas of our lives. It requires us to pose high-contrast questions that foster constructive conversations and ensure we are open to exploring all available possibilities. Too often, especially as we rise through the ranks of an organization, we censor ourselves and agree with our CEOs and our boards because we don't want to be perceived as disloyal.

But loyalty is often simply another form of bias. Despite what we have been taught to believe, disagreement does not equal disloyalty. In fact, I believe the reverse is true: Disagreement can be the highest form of loyalty, although that loyalty may be toward our customers or shareholders or even society at large if not to our management teams.

We cannot be so flexible that we lose sight of our duty to protect the right things at the right times in the right order. Nor can we be so rigid that our attempts to challenge a harmful status quo create equally ossified and restrictive ways of thinking. In other words, too much "yes" is dangerous, too much "no" is dangerous, but constructive conflict is essential to ensure contrasting opinions thrive and the truly serious issues at hand are met with the best approaches to solving them successfully.

We know we cannot eliminate risk entirely, but we can make good choices and strive continually toward optimization by:

1. Ensuring the cyber safety of people first — whether employees, customers, contractors, partners, or shareholders

2. Understanding and safeguarding the data relevant and necessary to keep people safe

3. Implementing a holistic framework of overarching governance that protects the long-term health of the business by putting controls in place that solve for the whole and not the sum of its parts

Independence and objectivity are key to our success and credibility. As CISOs and risk professionals, we need to cultivate the mettle necessary to do the right thing rather than allowing bad decisions to occur on our watch because we want to appear loyal.

Conflict is OK. Tension is OK. Seen through the right lens and managed toward positive outcomes, tension and conflict allow opposing ideas to flourish and be discussed, evaluated, and discarded in turn, increasing the chance that the decisions we ultimately make will provide the best overall protection to our organizations.

It might be trite in this day and age to say "if you see something, say something," but in fact that's precisely what we should be doing. If we can't go to our management teams, we must go to our boards. But we can't be afraid to stand our ground, even if it means putting our own jobs at risk to save our organizations. We owe it to the larger constituencies that depend on us — customers, shareholders, communities — to remain objective and foster dialogue that frees us from the tyranny of "yes" or "no" and allows us to keep asking "how."

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "8 Backup & Recovery Questions to Ask Yourself."

Malcolm Harkins is the chief security and trust officer for Cymatic. He is responsible for enabling business growth through trusted infrastructure, systems, and business processes, including all aspects of information risk and security, as well as security and privacy policy. ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Navigating Security in the Cloud
Diya Jolly, Chief Product Officer, Okta,  12/4/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19642
PUBLISHED: 2019-12-08
On SuperMicro X8STi-F motherboards with IPMI firmware 2.06 and BIOS 02.68, the Virtual Media feature allows OS Command Injection by authenticated attackers who can send HTTP requests to the IPMI IP address. This requires a POST to /rpc/setvmdrive.asp with shell metacharacters in ShareHost or ShareNa...
CVE-2019-19637
PUBLISHED: 2019-12-08
An issue was discovered in libsixel 1.8.2. There is an integer overflow in the function sixel_decode_raw_impl at fromsixel.c.
CVE-2019-19638
PUBLISHED: 2019-12-08
An issue was discovered in libsixel 1.8.2. There is a heap-based buffer overflow in the function load_pnm at frompnm.c, due to an integer overflow.
CVE-2019-19635
PUBLISHED: 2019-12-08
An issue was discovered in libsixel 1.8.2. There is a heap-based buffer overflow in the function sixel_decode_raw_impl at fromsixel.c.
CVE-2019-19636
PUBLISHED: 2019-12-08
An issue was discovered in libsixel 1.8.2. There is an integer overflow in the function sixel_encode_body at tosixel.c.