Today’s most interesting tech problems – AI & ML, for instance – happen where money, privacy, and even lives are on the line. With stakes so high, security & compliance teams are bound to show up and bring things to a screeching halt. This often pits product teams focused on delivery and charged with ‘breaking things’ on one side against security folks that have never written a line of code on the other. On top of this, your board is demanding results. What can you, as a leader, do to break this impasse? The good news is that you can do it without becoming a cybersecurity expert.
InfoSec & innovation – a vicious adversarial cycle
I got my start doing InfoSec work while leading change programmes for the UK government where this scenario is not uncommon. Since then, I’ve seen these same headaches working with other highly-regulated environments like banking & fintech. Security’s often an adversarial relationship between those that do and those charged with compliance. It’s an impasse more common than most will admit.
It happens for a lot of reasons, but a major one is that architects & developers bringing innovation into the organisation on these sorts of projects are there to deliver. Spelunking through the depths of governance & policy on a delivery budget can start to look like mismanagement of valuable resources. More likely, the type of person who loves making things isn’t interested in the task.
“Just tell us what to do” is a common refrain.
The answer from compliance teams can be equally frustrating – endless forms and meetings, but little guidance. Often, they’ve never written a line of code in their lives. More likely, they’re a scarce and costly organisational resource.
There are rules to follow, but nobody can say what they are because they don’t exist. Everyone agrees that something definitely, absolutely needs to happen, but it can’t happen until the rules that don’t exist are followed.
And so it goes.
Breaking the cycle, getting to the source of the problem
It turns out that the rules for information security (at least for the government) are often written into law, for the protection of the public. The weight of the law, or rather the fear of breaking it, can be a strong motivator to not ask questions. As a result, efforts stick to the established rules that everyone else is using.
Slightly shocking was the confession from one confidant that the risk management process that was stopping us had been established long ago by an external consultancy, and that’s what they’ve done since, even if it “wasn’t exactly right”. The people who make the laws, not being technologists, rely on standards. Legal and HR teams can develop policies without ever talking to a developer. Those standards become rules and procedures that work at that time.
Then times, being what they are, a-change, and you’re left holding the bag.
What stops momentum in innovation projects isn’t the rules, or even the lack of rules. The paralysis is caused by fear – of the unknown, of taking blame, or worse, breaking some unknown law. Teams and whole organisations often hobble forward with poor InfoSec practices because it’s the devil they know.
But innovation efforts stalled due to security & compliance are also risky to an organisation for a few reasons:
- falling behind - delays with new tech have knock-on effects on what’s often the tail end of innovation – knowledge, upskilling, and establishing new procedures
- costs - when the above is taken holistically, the costs to an organisation can be innumerable
- whistling past the graveyard - social pressure to deliver can cause middle managers and delivery teams to paint a rosy picture and eventually “let things go” where security is concerned
Understanding that fear – the realisation that things are stalled because no one is sure of the outcome – is coincidentally the first step in managing risk. It means that an organisation has insufficient information. When established rules – policies and procedures – are a blocker, then it’s time to delve deeper into them and their source. Often, this means questioning security standards.
Standards, the good and the bad
The Standard in this story is often ISO 27001. It can be villain or hero depending on your perspective. That’s because it has a great amount of flexibility while being short of details. Where there are details, they can conflict with modern, agile delivery practices.
From the perspective of ML/AI and Blockchain technologies or modern, remote-first organisations, the Standard can look quite outdated. But these technologies are now mainstreaming into governments, banks and other highly regulated environments where ISO 27001 compliance is required.
Online info on the Standard can be frustrating, shallow, and circular. Many videos are useful if you’re trying to pass an exam and repeat what’s in the Standard documents. Contextual information – what, exactly, must happen, and how it might apply to you – is lacking. There also seem to be a lot of unwritten rules.
So, it helps to understand that the Standard itself is quite simple, maybe even elegant. It describes a set of management practices that, when observed by a third party (an Auditor), can be agreed to have the tendency to produce an organisation that’s managing its information security risks well. That sort of flexibility can be good. All the confusion and misinformation stems from so-called experts treating the gap-filling they were taught as gospel.
But everything’s new all the time now, and so the information security rules need to be as well. How can we follow a security Standard that’s only been updated once in the last decade while working with technology that’s just come out of the oven?
Lessons from a decade of Digital Transformation
A separate effort I led to understand the UK’s successful GDS technology governance programme concluded that you can’t create a governance regime big enough to check all the work all the time. Not when things are under constant change at the scale of five-person teams, anyway. Instead, things that start out as governance must become internalised practice, integrated and distributed across a workforce at the earliest possible time.
Organisations that are able to quickly adapt not just new technologies, but also the practices around them that make them both useful AND safe in a world where threats are new, constant, and serious, will thrive.
Scaling and diffusion of innovation, we also discovered, happens faster at the upper-management level, where the operational directors leading the hands-on day-to-day work have both the authority and mandate to quickly react to the constant flow of new information.
These leaders require specialised knowledge that fits their role, at every level, throughout the organisation. In InfoSec speak:
They don’t need to know the ins and outs of firewall rules, but they do need to understand what a good policy looks like and what to do about it when they suck. They should know that jamming unrealistic policies down the throat of an apathetic workforce leads to complacency at first, and eventually worse.
For managers, especially those that are on the front line, understanding and evaluating information security posture from internalised knowledge is important. To get there they need to know the rules and where they come from. They also need a framework for recognising when the rules no longer apply, one that also gives them a way to do something about it.
InfoSec for Organisational Leaders
We’ve started this video series – InfoSec for Managers & Organisational Leaders – to start to address this. There’s a lot of information out there about the ISO 27001 Standard for would-be auditors and security managers, but not a lot about how it works at our level: where the rules come from, how they’re all tied together, and why there’s so much conflicting information. Managers need to understand these things to make agile, informed decisions.
We started with Risk Management because we’d spent the most time doing education in this area. Take a look; feedback is appreciated, and please do get in touch if you’ve got any questions. We don’t have to become cybersecurity experts, but we’re all managers of information security now.