
Hunting Ostriches

A picture of an Ostrich.
(Originally posted on LinkedIn on October 21st, 2014)

I came across an interesting article at Forbes today entitled "Cyber Security and the Danger of Ostriches in the Boardroom". The article is, of course, aimed at business leaders and attempts to highlight the reasons why they need to be fully engaged in the information security dialogue.

I of course wholeheartedly agree with this, but let’s be realistic here. We have been trying to bridge this divide for quite some time. We have been trying to portray ourselves as friends of the business; however, we’ve (for the most part) been less than successful in our endeavors.

If you’ll recall, back in my first post (You Get Nothing! You Lose! Good Day, Sir!), I relayed the results of two other surveys which detailed some devastating statistics, namely that information security professionals are not seen as being business savvy nor as capable of being a business leader outside their area of expertise.

That hurts, doesn’t it? I’m sure that there are those among us who will immediately dispute this opinion. The problem is that it doesn’t matter.

Perception is reality.

Full stop.

Insanity is doing the same thing over and over again and expecting a different result.

Since what we have been doing is obviously not working and the boardroom is exactly where the ultimate responsibility for corporate governance lies, what can we do to increase the likelihood of a productive conversation?

First, we need to stop talking.

I think this is the key to effective communication. We need to stop telling them about information security. We need to stop acting like experts with opinions. We need to get out of our own way.

Next, we need to lay aside all of our assumptions about the business. We need to selectively forget everything we “think” we know about the business. If our perception of ourselves as business savvy people is so out of step with what our colleagues think about us, then we need to figure out this disconnect. The best way, and perhaps the only way, to do this is to put aside our assumptions and preconceived notions as to what is important for the business and how they operate.

Once we do that, we need to listen.

And by this I mean listen. Really listen: not analyze, categorize, or evaluate. Those are later activities. Restart your conversations with the business. Ask them about their goals and strategies and how they intend to achieve them. Ask them to discuss their challenges and anything that they feel gets in the way of them achieving their goals. Then sit back and listen to what they say. If you really want to break the perception, it goes beyond just asking the right question; it comes down to “how” you listen.

There is actually a way to do this, and it’s rather simple.

The first thing you do is sit with an open body position. No crossing your arms or legs. Open your body and be aware of anything that you may be doing via body language that could be perceived as anything but open and receptive. Lean forward slightly in your chair to show that you are eager to hear what they have to say.

Next, as you listen, keep your mouth shut and nod your head slowly (and at appropriate places) to show in a non-verbal way that you are engaged.

When they are done talking, you can respond.

For the love of god, DON’T TELL THEM YOUR OPINION. There is time for that later.

What you need to do is reflect back what you heard. This is EXTREMELY important. By paraphrasing back what you just heard, you are confirming that you have indeed heard and understood what was said. If you misunderstood, then this is the perfect opportunity for them to correct you. It is important that any misconception or misunderstanding you have is corrected at this point, before you tie what you’ve learned to a solution you're proposing. A correction here demonstrates your willingness to learn and identify with the business, and it won’t count against you.

This seems remedial, but it is an essential skill and it goes a long way toward building trust and understanding. No one will listen to you when they think you won’t listen to them. If senior management isn’t listening to you, then perhaps they are reacting to a perception (true or not) that you don’t really get it and don’t understand them. You need to break them of this perception in a very direct way without actually telling them that they are wrong.

Once you have really listened, and reflected back to them what you heard to confirm that you’ve gotten it, you are ready to move on.

Now, when you are ready to address or discuss serious issues with senior leadership, you can do so in a manner and using language that is directed at your audience and takes into account their goals, challenges and needs. Your message needs to be clear, concise and brief. Have details to back up your message, but don’t burden your audience with the details right up front. Use language and concerns that they can readily identify with. Simplicity is key.

It should also go without saying that you should avoid FUD (Fear, Uncertainty, and Doubt) at all costs. As in life, business is about taking calculated risks in order to achieve a benefit or profit. FUD plays on emotions, and emotional decision making is the hallmark of bad business. Playing the FUD card only reinforces the perception that you are out of touch with the rest of the business.

Last but not least, you need to establish yourself as a valued member of the team and not as the “Pro from Dover” who will sweep in and solve everyone’s problems all on your own. It is essential that you take the information you learned from listening to the business and use it to tie information security not only to the benefits they will receive, but also to the shared responsibility that is required in order for the business to achieve success.

The classic example here is the experience of implementing ERP solutions. When you sit down and analyze the factors involved in the success or failure of ERP implementations, one factor is clear. Those organizations that clearly divided responsibility for the implementation, allowing the business units to take responsibility for business processes and the IT departments to take responsibility for the technology, were successful. Those who looked on these as primarily IT projects with no significant business unit sponsorship failed to achieve the benefits they were seeking.

The bottom line is that in order to earn our position around the executive conference table, we need to overcome the perception that we are a necessary evil, out of touch, and an overhead burden on the overall success of the company. We do that by listening, collaborating, and facilitating solutions that clearly tie into the goals and success of our companies. When we are successful, we won’t need to worry about asking for a seat at the table; one will already be provided for us.