A human resources guy I respect said something today that really hit home: when you’re discussing corporate values, listing the word “Integrity” is really odd — if you need to list that as a corporate value, you’re really starting behind the meatball in terms of your hiring. I mean, we should be able to presume something, right?
Corporate values are an important part of corporate culture, and corporate culture is hugely important. I suspect cultural debt is as expensive for a company to fix as technical debt — it’s something you want to spend a lot of time considering so you accrue as little as possible.
But there are times during which cultural impact takes a back-seat to reality. These are by definition exceptional events, and leadership must be prepared to recognize them.
For example, it is genuinely arguable whether the City of Atlanta should have invested more before getting hit with ransomware. Not patching and fixing may well have been the decision — they may have decided that taking preventive steps, maintaining a full-time program of security for years, was more expensive than just cleaning up a mess if one happened. I disagree, but it is quite possibly true — in fact, it was true right up until it wasn’t.
But this is not arguable: now, since the defecation has hit the ventilation, the problem must be fixed, and fixed well. Atlanta has left the realm of probability and risk, and entered the world of “known bad.”
That’s my world.
Until the existential problem is solved, the massage-table is closed. My advice is that we move quickly, and get people like me out of here as fast as we can.
Yet some executives have a problem seeing this. They want to ensure that they maintain the vestiges of cultural niceties while the building is in flames.
The prototypical object-lesson in this realm is Mohammed Saeed al-Sahhaf, more commonly known as ‘Comical Ali.’ Al-Sahhaf was Saddam Hussein’s gloriously unflappable PR man, who insisted during the 2003 American invasion — as the very buildings behind him burned — that everything in Baghdad was A-OK.
Had the regime survived, I’m sure Sahhaf would have gotten a shoutout for Staying True To Our Values on the company Slack channel.
Not everything you do at your company should be dependent on cultural fit.
For example, take plumbing: you don’t want a plumber to try through influence to fix a leak.
You want the, ah, water to stop flowing.
I propose that information security incidents are in the same category as plumbing. Sure, there are vast areas in which cultural deference and the politics of influence must take precedence.
Some things actually are “Do this or you’ll die.”
Executives who waffle about on this are risking the very existence of their company. There are many examples of companies being forced to confront existential cyber threats. Think Microsoft after the source-code theft; think Google after the China breach. When it’s existential, the nap-rooms, massages, and the meaningful explorations of self in the company newsletter simply do not matter as much as remaining able to pay for those things.
And if the executives don’t put the confidentiality, integrity and availability of their data and services above all else, then sometimes, we as security people have to leave.
Here is a rule for companies:
- If your corporate culture interferes with security, it’s the culture that must change, or you will die.
Here’s a rule for security people:
- If I care more than you do about your company, then I’m the one with the problem.
There are limits. I speak here only of existential threats. When a new procedure will provide an incremental improvement, you don’t get people to change long-established habits by shouting at them or calling them stupid. You discuss it, and influence, and hopefully get a small and meaningful win.
But if the issue is existential? Or if the issue is the difference between a breach or not a breach? A regulatory violation or not a regulatory violation? A breach of customer trust or good stewardship?
I got yer culture right here.