Security Exceptionalism, Toxic Positivity, and Healthcare Information Security

Why we need to adopt strong C-level leadership to stop the tide of exceptionalism and toxic positivity that defines organizational approaches to information security.

IN THE BEGINNING

Many organizations consider technology to be subservient to the rest of the business.  It is considered a cost center, not a valuable resource.  It gets funded last, often after the flowers and coffee.  This means that the business will make any excuse to not spend money on technology because it takes away from revenue.  Years of business-school education teaching our current C-suites to minimize “overhead” expenses and focus on core business functions have left IT in a precarious position.  Nothing can go wrong, because any failure will be seen as an excuse to further marginalize the organization and cut funding.  IT leadership becomes risk averse, often focusing on “solutions” that promise the world and deliver little, because that is what they have budget for after the Jet Ski rentals.

WHAT ARE THE EFFECTS OF THIS?

This has the effect of creating a risk-averse culture where little gets done for fear that it will go wrong and cause people to get fired or set aside by the leadership.  You also end up driving away people who want to innovate and expand their knowledge, because nothing major will get done for fear that it will fail.  When you do not undertake major work such as an EMR implementation or upgrade, you create an environment where people who want to advance and lead just are not welcome, and they leave.  What you are left with are team members content doing the same work, ones who cannot leave, and ones who play politics to get ahead because they do not have the skills to excel in more challenging environments.  It is an employee engagement nightmare.

What you also end up creating is an environment of exceptionalism.  Many team members become convinced that the way that things are is the best way and perfect, and that it is not going to change.  People become resistant to change because it means it disrupts the order of the business, and that innovation will lead to existential threats to the organization.  They will lose their jobs and get outsourced to someone else.  The people who play politics will fight this because change means that potential threats to their jobs will come into the organization that have skills other than self-promotion and throwing others under the bus.  The expectation is that everything is great and perfect, and it always was, so why change it?  It is going to cause you to get fired if you do, and where else will you go?

This also means that the organization is not a Learning Organization.  It does not grow.  It does not evolve.  It just is and stagnates, like the careers of those trapped in it.

For technical environments, this means that there are little or no changes made.  Legacy systems stay in place.  Very little gets upgraded because it always worked, and changes will break the way things are.  Security has never been a problem because no one has seen someone break into the systems or is even capable of monitoring them.  Therefore, there does not need to be much new investment, because everything works, and introducing something new will break what they have.  More likely, it will reveal the issues they do have, which means they must address them and do not want to do.  If there is any new investment, it is to keep Someone Important happy by giving them some token new technology.

What this also leads to is toxic positivity.  People are convinced that the environment is great, and that everything works well.  Anyone who says otherwise is not to be trusted.  Anyone from outside the organization who brings a different perspective does not understand the business or problem and is not to be trusted.  The only people you can trust are your peers, and any dissent means that you disagree and are no longer part of the family.

Combined with this has been Technical Core theory.  This is a theory which, according to W.K. Hoy, defines the system of organizational activity where the “product” of the organization is produced.  Technology has often been viewed as being in support of the technical core, and not part of it.  This means that it is often relegated to second-class status in favor of revenue-generating activities.  Oftentimes the leadership that gets brought in is done so with that mindset.

What this toxic combination has led to has been numerous underfunded technology organizations that do not even realize what a mess they are in.  The people in charge are afraid of making changes that would disrupt revenue-generating operations.  They put in quick fixes and panaceas that promise to protect networks with no changes because they want to keep things the way they are.  The politicians try to find ways to make the organization look better and take credit for it.

The other part is that the more the department and technology stack diverge from reality, the more the distortions used to justify why the situation exists diverge as well.  The distortions build upon themselves, contradict themselves, and cause people to have disconnects from logic and thought.  This has the effect of causing cognitive dissonance from holding these sets of beliefs.  The longer this goes on, the worse it gets as they build upon each other.  According to Kendra Cherry at Very Well Mind, this leads to anxiety, embarrassment, regret, sadness, shame, and stress.  This is a recipe not only for team member disengagement, but also for a significant negative impact on their lives.  With IT security people already stressed out, this just adds fuel to the fire and damages their lives along with their careers.

ENTER RANSOMWARE

Ransomware has done one thing well.  It is a character foil that has shown the IT community how bad the environment really is.  It is not a pure security issue.  It is one that stems from the application of business theory and expectations of perfection and subservience to the Technical Core that has starved technology departments across all industries of the resources they need to be resilient and support the business.

People think Ransomware is malware, or that you get it from clicking on a link.  Nothing could be further from the truth.  We are dealing with organized criminal gangs who are often exploiting known weaknesses using multi-stage attacks, with ransomware being the final one.  They are spending months inside networks, and often know them better than the IT departments whose job it is to maintain them.  They know that many organizations have a lack of leadership and strategic planning that has led to systems being held together with bandages on top of bandages with little or no actual operational monitoring by disengaged team members.  It is a significant opportunity for them.

Ransomware works because the organizations that conduct these attacks know that their targets have little choice.  In most cases, either they pay or go out of business.  They know their targets have not prepared for this attack and have often invested in easily bypassed or unmaintained security solutions.

When the ransom gets paid and the high-end consultants come in, they will make some incremental improvements.  You will see Endpoint Detection and Response (EDR) on computers.  You will see some new servers.  You may even see some upgrades. 

However, they are likely to get attacked again.  Cybereason, a security firm specializing in EDR software, surveyed 1,300 security professionals.  Over half of the organizations these professionals worked for had been the victim of a ransomware attack.  Even more chilling, 80% of those firms that chose to pay the ransom were attacked again, often by the same group.

This now gets past the technology level to striking at the fundamental heart of the business.  This is a leadership issue.  This is where you need to have a strong look at the business and make fundamental changes.

HOW DO WE ADDRESS THIS?

We need to look at what organizations must do to address strategically underfunded IT departments that have left them vulnerable.  What we are going to discuss today is a potential roadmap and guide for C-suites to follow to improve their organizations and make them more resilient to risk.

The first step is to recognize that the Information Technology and Operational Technology components are part of the Technical Core.  They are fundamental to the daily operation and overall strategy of the business.  Despite the arguments that some members of the C-suite have, you cannot operate a business without a strong technology function today.

Second is to get rid of the illusion of exceptionalism.  Stagnation is never great.  Leadership has failed to create a Learning Organization that is skilled at adapting and evolving.  They have created a culture of risk avoidance, politics, and appeasement of Important People, not of leveraging technology to improve.  They have let technology rot and ignored the warning signs.  The associated cognitive dissonance has likely destroyed team member engagement.

This means that leadership and the board must make fundamental changes.  Technology is a critical part of the business.  It needs more than short-term funding to get back online after a ransomware attack.  When that funding disappears and there is no plan to continually improve in place, you will get attacked again.  You will not address the issues your team members face.  

That EDR software and those new firewalls address only part of the issue.  You need to overhaul your technology functions and leadership to be able to address the root causes.  This requires a strong Chief Information Officer who is equal to their peers in the C-suite.  In many cases, there is a Director or Manager of IS instead.  If your company is generating 8 or 9 figures a year in revenue and has an IT Director, you have a problem.  You need a skilled and experienced CIO.

Do not bury the CIO below the CFO or other functions.  Technology is critical to business.  Ransomware proved this fact by demonstration.  The CIO must report to the CEO and report to the board to have that voice. 

The CIO also needs to address the leadership and management of the IS organization.  The politicians need to leave the organization first.  From experience, getting rid of toxic management is addition by subtraction.  A full review of leadership and management and what needs to be addressed needs to be done immediately by the new CIO.  They cannot make the mistake of carrying forward leadership and management that promulgate politics, infighting, or toxic positivity.  Reality needs to be the name of the game, not the distortions used to justify the previous regime.

Right now, we are getting a lot of short-term fixes and no plan to address leadership.  EDR and some new technologies are in that category.  You need to get a Virtual CISO or full-time CISO in to immediately assess risks and develop a comprehensive risk management plan with short- and long-term recommendations.  They also need to help develop an operational security plan to immediately monitor assets outside of EDR.

Technology assets need to be brought up to modern specifications.  This will involve bringing in a specialized firm to inventory the current application and system base.  They need to develop modernization and augmentation plans for the current application, system, and service base.  Security is one part of the puzzle.  Bringing the application, system, and service core up to maintainable specifications with corresponding operational management processes is critical.

A short and long-term strategic plan to unify what is needed for resiliency, analytics, and innovation is also a requirement.  Technology is critical.  If it is not aligned with business needs, nothing improves, and it may get worse.

The CIO is also critical here because they need to justify and defend the operational costs, personnel changes, and budgets.  IT is a foundational part of the business.  This means that the old practice of handing it off to IT and telling them to do it with no help is over.  The best way to keep the risk of further service interruptions high is to continue treating IT like an infinite resource that always says yes.  The best way to drive away the talent left is to do this.

As part of replacing politicians and toxic people doing bad leadership impersonations with actual productive people, bring in good young talent to work alongside the consulting teams.  Give them the learning and mastery experiences they need to function in the environment.  Have them learn from the teams they are working with, and the CIO.

While doing this, keep building out a good leadership team.  Take time to bring in the right leaders.  Do not feel pressured to hire someone because you must fill a role.  An employee that is not a good fit will cause damage.  A leader that is not a good fit will be much worse.  Hire people who believe in Learning Organizations and continual improvement, and who can plan.  Get people grounded in reality, not those who would throw their own mother under the bus to look good in front of the C-suite.

Also, hire some excellent operational leaders.  Those consultants are going to eventually leave and transition work over to the CIO's team.  Make sure they do so to competent people who can develop and lead the young talent.  Security must have top priority on the leadership and operational teams.

Leadership and the board must know what the new CIO and their team are doing to improve.  Being able to provide simple operational metrics showing the effectiveness of the organization in service delivery, security, operational performance, budget management, and currency is a critical task.  These metrics need to communicate the plan and progress toward set goals.

CONCLUSION

While there has been much noise about practical steps that organizations can take to improve security, specifically the latest Executive Order from the President, these do not help organizations attack root causes.  We need to start at the top with leadership, and look at the entire organization to improve, not just something that the Incident Response vendor tells us to put in. 

One day, those vendors will go away.  We need to leave our organizations more resilient and better able to respond than they were before.  Starting with leadership to rebuild the IT organization will be a greater benefit to organizations and reduce risk, rather than putting another bandage on top of ancient technologies, bad leadership, and disengagement.  That approach leaves the organization just as susceptible, if not worse off than before.

About the author

Mitch Parker, CISO

Mitchell Parker, MBA, CISSP, is the CISO at IU Health. Mitch has eleven years’ experience in this role, having established effective organization-wide programs at multiple organizations. He is responsible for providing policy and governance oversight and research, third-party vendor guidance, proactive vulnerability research and threat modeling services, payment card and financial systems security, and security research to IU Health and IU School of Medicine. In this role, Mitch collaborates across the organization and with multiple third parties to improve the people, processes, and technologies used to facilitate security and privacy for the benefit of IU Health’s patients and team members.
