Monday, September 02, 2013

When should I fire my CISO?

If you've ever been a CEO of any company then you'll quickly learn the role is not just about leadership and strategy but also about balance. Whether balancing existing business models and the inertia they create with the future, the culture that has been created or the various factions within it. 

It's very easy to lose sight of this balance. 

Everything we do is ultimately about meeting some user need. Those needs are multiple from the thing itself, the way it is operated, how it is interacted with, the experience, any regulatory requirements and any needs for security. Those needs also vary according to the type of user and what we're doing (the context), so for example security needs for a private wiki are somewhat different for a public wiki.

All of these needs have to be balanced with the context in mind. 

It's therefore a dangerous route to allow one need (such as user experience) to override all other needs (such as security) and establish itself as a principle for the organisation. It is dangerous because the needs vary with the context and so you can't have generic principles but instead end up with vague platitudes like "appropriate security measures need to be taken", "appropriate UI design is needed" etc.

Such "principles" give ample opportunity for groups to run amok in an organisation and a plethora of such principles loses sight of the one thing that matters - meeting user needs.

And that ultimately is the balance that a CEO needs to continually maintain by creating an environment which  meets user needs today and the user needs of tomorrow (the two are obviously not the same). To make matters worse the meeting of user needs today (i.e. a successful business model) will invariably create practices and cultural norms which will resist meeting the user needs tomorrow (i.e. inertia to change). This all has to be managed.

In specific circumstances such as when the change is unexpected (i.e. difficult to predict) this inertia can have dire consequences for an organisation through disruption. Examples of which are product substitution such a cable versus hydraulic excavators or different sizes of hard disks. This is what is classically called disruptive innovation.

In other circumstances such as the evolution of an act from a product to a utility (e.g. cloud) then the change is expected and can be managed with planning. Often companies get disrupted in these circumstances but that's really a consequence of executive failure and CEOs snoozing at the wheel.

But let us assume you're wide awake, you understand the issue of balance and the importance of user needs. So, what has this got to do with the CISO (Chief Information Security Officer)? The problem is Shadow IT.

Shadow IT occurs when your organisation is screaming at you that you're not meeting their needs and so they've gone and found their own way of doing it. Shadow IT is born out of frustration, it's a worrying sign that something has gone wrong with the balance.  Now, it's not simply just a case of users using some other more useful service to get something done because we've given it a name - 'Shadow IT'. The name implies its outside of our norms of operating which means our norms of operating aren't meeting our user needs. This should set alarm bells ringing.

At this point the CEO should be asking the CIO and CISO what is happening? There are two key message which are important.

If you hear the message that we need to make 'Shadow IT' part of the norm by enabling our users to use such services then this is good news. The focus is on user need, it's about abolishing 'Shadow IT' by making it an operating norm and by applying any techniques needed to ensure our other needs (e.g. security) are met.

However, if you hear the message that we need to ban 'Shadow IT' and force users to use our systems then you know that one user need (security) is overriding other user needs and you have a problem. This is the point where you need to start thinking about pruning some attitudes from the organisation.