One of the CISOs I follow on Twitter triumphantly tweeted (oohhhh….’lotta ‘literation there):
“I think I managed to speak CEO effectively today.”
And I think that’s great. It’s an achievement…and it’s also something that’s a bit like Steven Wright’s photo of Houdini locking his keys in his car—very rare.
The question is, what are we going to do about it? Why is this a problem we keep having as security, and, before I was “a security guy”…
…it was a problem we kept having as IT.
And it’s a problem you have with almost anything that has enough history – and enough complexity – to have its own language, its own culture—and even its own set of norms.
But the point is, it’s 2019, and by one count from TechRepublic, we’re at over 3,800 breaches this year and counting.
Oh, let me think…we just don’t have enough information to know how to engage with those non-technical, business folk. They just haven’t been around long enough to be consistent in the terms they use…or the structures of an organization…or the processes that exist in your average business.
- Invention of the American corporation, c.1790 or so…only about 230 years of prior art.
- Hierarchical organization, Holocene period, approximately 12,000 years ago.
- Identification of bureaucracy in modern times, Max Weber in the 1920s, so ok, only about 100 years of prior art.
- Independently standardized definitions of organizational processes, the APQC Process Classification Framework, 1992, so, yeah, not a lot of time for this one—only about 30 years.
So perhaps it’s not that the material doesn’t exist, or isn’t accessible. Perhaps it’s just that either:
- we truly don’t care, or
- we’re afraid of what we don’t know
Now, I’m hoping the first one is categorically untrue—especially if you’re in any kind of security leadership or architecture role. That’s an attitude you just can’t afford to have if you want to be successful.
So that leaves that we’re afraid of what we don’t know. Maybe we’re afraid it’s too much to understand because we don’t have time to wipe our backsides correctly on any given day.
Maybe we’re afraid that we’re going to discover how wrong we’ve been, and we don’t have the humility and wisdom to recognize a growth opportunity.
Or maybe, we’re just afraid of admitting we don’t know, so we stick to what we do know, and we adamantly maintain that “the business” should literally “walk a mile in our moccasins” so that they understand us and what we’re trying to do for them—so we don’t have to brave their world.
Either way, we’ve gotta do something about it. Because it’s actually our job to understand what our customers value. And yes, security has customers—and forgetting – or not knowing – that is a problem.
No, they don’t pay us in money, but we need to support them, because they’re the only reason we exist. If we didn’t have business initiatives, new projects and existing operations supporting customers outside the organization…
…there’d be no security customers inside the organization. We’d all be on the street, flipping burgers or cleaning toilets…or raising chickens seems to be the new pastime of security people lately when they’re not doing security.
And hey, I grew up on a farm – cows, dogs, cats and horses, but no chickens – so I know a little bit about that, so I’m qualified to be pithy about it.
The more I do this, the more I believe that in some way, all those 3,800+ breaches THIS YEAR ALONE, all come down to a failure to understand what was required from our customers…
…and a failure to relate back to them in terms they understood and which resonated with what they value…
…what we needed to do to keep them safe.
It’s only one or the other. We either didn’t understand, or we weren’t able to convince them to fund what we believed we needed to deliver…
…to keep them safe
…to enable them to do business
…to enable them to be successful.
And, before you say, “OOOOHHHH! OOOOHHH! There’s another one, Andrew! We didn’t know how to do it, or we failed to do it!”
But to me, that’s still the second case—because if we weren’t confident we had the resources, the knowledge and the know-how, then we clearly didn’t get them. And if we didn’t get them, we weren’t qualified to know we needed them, or we weren’t successful in justifying the investment we needed to get them.
We couldn’t make the case.
And we couldn’t make the case, because we couldn’t communicate in the right terms, at the right level, to talk about the value of what we do.
And that value comes from understanding how we support what our customers are supposed to do.
And that understanding comes from being able to talk to the—to really and clearly get what our customers are trying to do.
30 years, and we still can’t do it reliably.
So let’s fix it.
I’m doing my part to talk about understanding the customers’ worlds in the September print issue of the paid Security Sanity™ newsletter. The whole issue is on finding, connecting, communicating and capturing the important stuff about the worlds of our customers.
And you can get it here: https://securitysanity.com.
So that’s what I’m going to do—my part to solve the problem. What are you going to do?
How are you going to learn to Speak CEO?
Andrew S. Townley
Archistry Chief Executive