Almost every security team I’ve met that was larger than two people had silos. Sure, sometimes the walls are thicker than others, but there’s a phenomenon I’ve seen play out over and over, one embedded deep within our brains. The way it tends to manifest once you get more than one person in a room is that, at some point, one person will look at the other and say,
“You’ve no idea what you’re talking about.”
It’s ultimately based on two fundamental drivers for human behavior: competition over resources and feelings of identity and self esteem. For example, without getting into the whole powder keg of politics, race and religion, more “mundane” topics include:
vi vs. emacs
Linux vs. Windows
Vegemite vs. Marmite
Architecture vs. Engineering
Technology vs. “The business”
Security vs., well…everybody—at least at some time or another.
My own take on the psychological drivers above is that, actually, they’re related. According to one of the basic tenets of the branch of psychology called Transactional Analysis (TA), receiving recognition is one of the essential things we need as humans to survive, both emotionally, and, more surprisingly, even physically—although the studies indicate that our need for recognition to ensure physical survival is something we grow out of as we age.
On some fundamental level, everything we do is based on recognition. And, no, saying this doesn’t mean I think everyone on the planet is a selfish prick. It’s basic psychology we’re all stuck with. Some people do a better job of managing their need for recognition than others. We only need to look at TV or social media to see this, and to see where people get it spectacularly wrong.
So, the thing here is that we get this recognition – TA calls them “strokes” – in one of two ways: positive or negative. Saying “you suck” to someone gives them just as much recognition as saying “you’re absolutely right,” but the two aren’t equal in quality.
Competition over resources in security exhibits itself in many ways. There’s competition for budget allocation – both for the team as a whole, and then for the functional areas within it. Everyone’s fighting for money, and that fight – on some level – is based on which people demonstrate the most value. They’re prioritized either because they’ve demonstrated more objectively that they’re more important, or simply because they’re better liked.
And, since any group of people sharing a common purpose or role is going to have that purpose or role baked into its identity at some level, it’s a natural badge of honor to recognize those inside “the club” and ridicule, even passively, those who aren’t.
Apple’s white iPhone headphones weren’t an accident. They were a conscious choice to build a club and allow people to demonstrate they were part of it.
Stereotypes and generalizations are necessary for us to make routine, day-to-day decisions so we don’t have to evaluate every single interaction or decision using Kahneman’s “slow thinking.” If we had to do that, we’d never get anything done, and our ancestors would’ve been eaten while trying to evaluate the risk exposure of the potential vulnerability of their flesh to the strength of the enamel on the 30cm teeth of the saber-tooth tiger.
So this leads us naturally to thoughts like:
“Strategy people don’t ever do anything. They’re just stuck in their ivory towers with no idea what we really do,” from the operations folks.
And the corollary thought of, “If those operations guys would just quit running around, chasing their tails for only 5 minutes, they’d be a lot better off.”
Easily leading to the next thought, on either side, of, “They just don’t understand.”
Which would be correct in the majority of cases. The “walk a mile in his moccasins” line from Mary Lathrap’s 1895 poem has a pretty sound basis in practical fact. If you haven’t done it, you probably don’t understand a lot of the subtleties of what’s really involved in doing it.
However, the trick is to recognize which of those subtleties really matter depending on the conversation you’re trying to have.
If I’m trying to type this email, on no level does it matter whether I’m typing on a keyboard whose events are processed and interpreted by Linux, Windows or Mac OS. It just doesn’t matter. My objective is typing this email.
And yet, in a conversation about what could prevent me completing it, we might get mired in the “Well, if you weren’t using Word and Windows (which I’m not, BTW), you wouldn’t have to worry about the thing crashing on you. It’s a mess,” kind of response (and I might’ve been guilty of this myself in my more outspoken and less mild-mannered youth). And then, if I get sucked into the Victim mindset, I’m probably going to flip to attacking you for your beliefs, starting an argument neither of us will win…
…when all I wanted to do was finish the damn email.
So, a first step in taking an 18 lb sledge to the walls of the silos between strategy and operations is to focus on what’s common. That’s been the basis of solving problems since the beginning of time, or at least as far back as the 4th century BC. The whole “the enemy of my enemy is my friend” vibe was first recorded in India by Kautilya around then, but it’s obviously been around a lot longer than that. He’s just the first person we’ve found who wrote it down.
We need something bigger than the problems we have with each other, otherwise we can’t focus. The problems in your security program between the strategy and operations teams aren’t real problems if something threatens the very existence of the team—or even of the organization it’s trying to protect.
And those “first-world problems” causing the arguments you might be having as each team fights for its own internal identity and value amongst the rest—whether for promotion, status, salary, staffing, equipment or anything else—are just keeping you distracted, while everyone else in the organization still isn’t quite sure why your budget last year was $40-100 million and they still had a 6-month delay to their projects.
The silos prevent information sharing, and that lack of information sharing prevents effectiveness. Of course, getting (and keeping) everyone focused on the bigger picture and moving towards a sustained state of Level 4 Tribal Leadership isn’t an easy thing to do. Maybe you’ve got this under control, and there are no silos in your security team.
Or maybe the walls are so thick that the different parts of the team are in other countries and hardly ever talk to each other. It’s easy to fight the fights that are familiar, the recurring patterns of behavior that keep us occupied and deliver the recognition we crave by trading verbal blows with “the other guys,” and to get so wrapped up in them that we forget why we’re doing what we’re doing. Why not all threats are equally important. Why every vulnerability doesn’t need to be patched…
…and really why we’re sitting in the chairs we are.
Because even if you do manage to build some kind of architecture, if you can’t address these issues within the team, its value will be a shadow of its potential, and how much of it you’ll actually be able to deliver is an open question. The best, most business-driven and visible security architecture in the world won’t fix a broken team. As I said the other day, you have to solve the right problems in the right order.
If you don’t know where to start, or how to tackle them, then maybe I can help. If you want to know more about how, here’s the link to set up that conversation:
Andrew S. Townley
Archistry Chief Executive