The Right Exceptions to the Rule
I want to expand slightly on a recent post of Ted's entitled We Said/He Said: Protecting The Wrong Things.
That post takes a high level look at the problem of protecting the wrong things in your cybersecurity program. This post takes low level, nuts-and-bolts look at the same problem.
I know from personal experience that there is a lack of continuity between the C-Suite and the lower echelons. By personal experience I don't mean decades ago, when I was a humble computer programmer; I mean yesterday because I am still a (part-time) humble programmer. At every stage of my career I have continued to be a technical contributor at the same time I was advancing. This started out as a temporary issue caused by a career transition but this duality is so useful that I made it a feature of my career.
(This isn't as odd as it might sound: our local ambulance company requires its senior staff to ride the vehicle one weekend per month and our local hospital requires their senior staff to work the floors for one month per year.)
Having one foot in each camp means that I am constantly asked the same question in each context. When I am talking to leaders I am asked "Why aren't they (the worker bees) doing {whatever}?" When I am slaving away in the coal mines I am asked "What were they (the leaders) thinking when they told us to do {whatever}?"
In my experience answers go a long way toward resolving these kind of disconnects and opacity leads to suspicion and hostility. In my experience neither side is evil or stupid. Perspective makes all the difference.
Perspective does not cure all ills. Explaining to the grunts that the new IT system, which sucks for them, has really good management reports doesn't help all that much. Explaining to the C-Suite that their expensive new IT system makes everyone's job harder and that productivity is going down as a result doesn't help at all.
This difference in perspective is natural: the C-Suite can't grovel around in the details and the grunts can't ignore the details. This difference in perspective leads to vocabulary issues galore though, especially if you choose the wrong level of detail. Misunderstanding leads to protecting the wrong thing, either because the worker bees think they were asked to protect the wrong thing or because the leaders were unclear in what they asked to be protected.
Mind you asking for the right protection is not easy. Leadership can't be too specific because they will inevitably get out of date. Leadership can't be too vague because that will inevitably lead to Miscommunication. At the bottom of the totem pole spitefully following the letter of the law is easy and looks safe but will not yield the best result or protect your job.
The answer is a culture of give and take; leadership sets priorities but the lower echelons push back when something seems off. You need psychological safety to get honest, frank feedback up the chain. Leaders have to lead, subordinates have to follow most of the time. Figuring out to deal with the exceptions to this rule is hard. We can help. Ask us how.
Comments
Post a Comment