Instead of taking the day off for parades and pubs (especially if you’re in Dublin), this St. Patricks Day may find you faced with a whole new array of cloud security questions driven by the work-from-home directives and necessities of the communities in which you live and work. And, even if things have started to settle into a new routine of kids in the background of all your regular meetings, we have to admit that tensions are probably running high all around due to the direct personal uncertainty faced by everyone right now.
One thing I’d like to caution you about – especially when stress and anxiety level are off the charts – is to work even harder than normal to avoid the standard mantra of “NO” from security in response to potentially a large number of new requests to help people be productive in an atypical environment.
Remember, the only things we can ultimately control are our activity, what we choose to do, and our behavior, how we respond to events. A particular event I’m talking about right now is being asked for security input (or security “clearance”) for a particular situation.
Unless you have a perfect BCP plan (which I said yesterday was gonna be neigh-on impossible to do), you’re going to always have areas where things haven’t been well thought through about what it really takes for people to still get their work done during a crisis with no end in sight.
My guess is that many of those questions will have a lot to do with use of public cloud infrastructure and personal computing environments that people may be forced to use at the moment. And the standard response of “just follow the policy” or “no you can’t do that” probably aren’t going to get you very far.
You’ll need to come up with different answers to those questions—at least for some of them. Or, at the very least, have to re-justify your policy decisions – in terms your customers can actually understand – without simply resorting to fear as the weapon of choice. Going to that well again when people are already anxious isn’t really a good idea.
Of course, if you have a domain-based security architecture with clear understanding of the interactions required within and between those domains, you’re already set up to be able to provide ad-hoc answers to the questions you’re likely facing right now.
If you don’t, things are going to get harder.
So in today’s email, I’m going to give you two sets of suggestions that will hopefully make things easier if this is a scenario you’re actively facing right now.
The first suggestion is simply this: if you don’t already have a domain-based architecture, build it, and build it right now. You might be thinking I’m crazy, because this is supposed to be onerous, cumbersome and, well…really, really hard.
But it isn’t.
In fact, this is one of the best times to build (or enhance) your existing security architecture because you have all kinds of requirements coming out of the woodwork that people probably didn’t consider before. And that need means that you’re going to need to figure out answers.
Those answers are going to both fill in and enhance your existing policies, and they’re probably going to end up creating more than one policy exception.
Whatever decision you make, and whatever your rationale behind it, WRITE IT DOWN. It’s architecture. Draw your domains, define your interactions, and anchor it in the models you already have somewhere.
Because if you don’t, you’ll just have to remember what you did or figure it out again next time—hoping you’ll end up with the same answers.
The second suggestion that I’d like you to take on board follows on from yesterday’s email. Remember, other people are under just as much pressure as you are—and you have no idea what their situation is like outside of work. Tempers are going to flare, and it only takes a heartbeat to decide whether that flare turns into a raging inferno or is allowed to just burn out in isolation.
That decision is partially up to you. And if you were a subscriber to the Security Sanity™ newsletter when I sent out the October 2019 issue, I talk about some of the key aspects from the Transactional Analysis (TA) school psychology – the ego states – that you can use to help you respond appropriately by understanding where another person is coming from with whatever they say. If you don’t, and you’re still interested, you can find some coverage on Google about it that might help.
However, one of the other major thinkers of TA created something called the Drama Triangle (or Karpman’s Triangle) that gives you an even simpler lens to use when you’re interacting with people to understand where they are. Hopefully, this’ll help you keep your own sanity and avoid spiraling into a quickly escalating set of spins around the triangle in the interactions you’re having with your team, peers, colleagues and customers.
There’s 3 states (hence the triangle), and these can be used to describe where someone is in any interaction. One of the tricks is to be able to recognize whether each state is a psychological response or a legitimate situation, because they’re often quite similar. No space to get into that part, but it’s important to consider.
Drama is created by switching roles on the triangle. And one of the papers by the guy who created it maps out several classic stories and movies to illustrate how it works.
The roles are:
- The Victim – the person who has a problem or needs help
- The Rescuer – the person who feels compelled to help, or “rescue” the person with the problem.
- The Persecutor – the person who lays the blame
People aren’t fixed in any role, but there are some roles where people feel more comfortable. As you might imagine, security is probably more likely to be seen playing the Persecutor role than it is the Rescuer, and this is one of the key differences between control-driven and business-driven security.
Anyway, the point is that people flip between the roles as part of any interaction. If someone complains about a problem (in the Victim role), and someone else offers some unsolicited advice – or even some well-intended but ineffective advice – (the Rescuer), if it’s unwanted, inappropriate or fails to help, the original person may easily switch from the Victim role to the Persecutor, complaining that you never give them solutions they can use, you always stop them from getting their work done, etc., etc.
What may happen next – and this is what I want to caution you about so you can take the time to pause and make a conscious decision about what you’re going to do and how you’re going to respond – is that if a business customer is saying something similar to you as security, it’s pretty easy to flip to the Victim role where you’re feeling threatened, annoyed or angry that they just don’t see that a) they need to follow the rules or b) that you’re trying to help or even c) that you’re just trying to do your job too…
…you’ll probably be VERY tempted to lash back at them, switching to the Persecutor role again, and tell them why they just don’t get it, how incompetent they are and how stupid they are because they can’t follow the policies and just live with it.
Of course, you’ll probably use different words…at least I hope so.
The issue is that it’s a wheel, and you can sit there and get lost spinning it all day, accomplishing nothing material, and only making a tense situation even worse. At each interaction, half of a “transaction” in TA, you have the opportunity to control your behavior—or at least be aware of what you’re doing.
Maybe you don’t care, and maybe you do. I can’t say, and maybe this isn’t useful to know for you. All I can say is that once I found this model, it helped me navigate some tense situations with a lot more tact than I could previously, but YMMV as they say.
Closing this off with reference to yesterday’s models, I wanted to highlight common positions (or roles) people may have at the various stages in the hope that if you recognize the stage, it might help you respond the best way.
First the Red Cross model:
The Heroic phase most likely will be full of people starting from both the Victim and Rescuer states. The thing here is to make sure your offered help is actually going to be helpful rather than just making the problem worse.
The Honeymoon phase is primarily still Victim and Rescuers. Only when the Persecutors start to become dominant will things shift into the Disillusionment Phase.
The Disillusionment Phase will likely be full of people coming more from the Victim and Persecutor phase, where people are trying to blame everyone else for the problems they have—or maybe even blaming themselves somehow. Resurgence of a more dominant Rescuer is the key shift to Reconstruction.
The Reconstruction Phase will again be primarily starting from Rescuers and Persecutors when things don’t go fast enough or turn out the right way.
The model quoted by Welch is less about the individuals but more about the attitudes of the leadership team.
In the Denial phase, the predominant mode is Persecutor, shooting down all the people who are trying to highlight the problem or bring solutions.
Containment is still lead by Persecutors, because it’s about avoiding being blamed, e.g., feeling forced into the Victim role, so proactively attacking is the main strategy both here and in the Shame-Mongering and Blood on the Floor phases that follow.
One of the key things to recognize about the “Blood on the Floor” phase is that the “rescue” of firing someone high profile might not actually have anything to do with the real problem. It might just be a move in a longer-term game (in the TA sense).
Only a sustained shift from Persecutor to genuine Rescuer by the leadership team will signal the shift to “The Crisis Gets Fixed.”
If you’re reading this, then you’re a security leader, regardless of your role. And that means that you have a choice of how you behave in response to the events you observe and experience – whether they’re specifically related to cloud security decisions in a crisis or not.
Right now we have one of the biggest potential opportunities to build and strengthen our professional relationships as security with our security customers in the business and IT through the choices we make about how we communicate and interact.
If we don’t make positive choices, we’re just going to throw those opportunities directly in the toilet, missing the chance to build the credibility and trust essential to our ability to do our jobs keeping the organization as safe as possible—especially during a crisis.
Maybe the information above doesn’t help you, but I hope it does. If you want to go deeper, or if you’d like some focused assistance handling some of what’s currently on your plate and helping your team better cope, we can talk about that if you use the button at the bottom of this page:
The reality is that these kinds of situations require different skills and solutions than standard BAU, and we’re not always ready. Hopefully, you’re doing what you need to do to manage your stress and keep the lights on. It’s also a good time to remember the airline advice of “put on your own oxygen mask first,” because you can’t help anyone if you’re not in a good place yourself.
Andrew S. Townley
Archistry Chief Executive