We’ve riffed for years on the distinction between “Dr. No” and “Mr/Ms Yes”, but many enterprises continue to back the security professional into the awkward far corner of the Business Prevention Department. If the risk assessor is going to be blamed for security failures, then that person is always going to be motivated to make extremely conservative decisions.
The idea that risk can be understood and managed with the goal of reducing the potential for negative outcomes, and their impact, is not a radical one. This is what risk management is all about. Unfortunately, it can only flourish in an atmosphere of cooperation and teamwork. Blame cultures are not conducive to making difficult decisions involving poorly understood forms of risk.
Employees operating within a culture of blame are motivated to value CYA at the personal level before the corporate one. If people feel they are going to lose their job, or experience losses of prestige or status, when they are associated with failures, then the organizational culture is providing them economic and social motivation to avoid risk. This counterproductive organizational dynamic plays out in spades in the intriguing yet ambiguous context of commercial cloud computing.
A blame culture typically approaches SaaS something like this:
- Somebody in the business thinks they can save money (or avoid IT’s annoyingly inflexible rules) by using some kind of cloud service.
- They put together a business case that contains nothing but good news and beneficial financial outcomes.
- Contracting staff is asked to provide contract language that a) ensures that nothing bad can happen, and b) will be completely acceptable to the service provider (which has a reputation of not negotiating substantive contractual provisions).
- The IT contracting staff balks at this impossible task, is treated harshly, and is accused of empire building and non-cooperation.
- Meanwhile, the security staff is asked to approve a deal in which the buyer hasn’t stated their security requirements and the seller refuses to explain how their system actually works.
- The security staff balks at this impossible task, and is treated harshly. Treated as being deficient in imagination, it is accused of being out of touch and is characterized as participating in business-disabling power games.
- Provided with the binary choice, the people who have the expertise to understand and mitigate the risk do what the blame culture motivates them to do and say that they cannot approve this deal.
- The line of business makes it clear that they believe these in house functions cause more harm than good, and strongly suggests firing the lot of them.
The tragedy of this all-too-common scenario is that few, if any, of these people were actually dead set against the externally provisioned service in the first place. Life is full of ambiguity, and significant business decisions always require someone being willing to accept a risk. If the person who benefits from the positive outcome of a decision is also the person who will accept the blame for a negative outcome, then an organization is positioned to take advantage of new forms of service. If somebody wants to save money, while dumping the negative consequences into somebody else’s lap, it should come as no surprise that the owners of those laps have developed mechanisms for pushing back.
It takes a well-coordinated team to say yes to an ambiguous risk question.