“A true leader has the confidence to stand alone, the courage to make tough decisions, and the compassion to listen to the needs of others. He (she) does not set out to be a leader, but becomes one by the equality of his (her) actions and the integrity of his (her) intent.”
– Douglas MacArthur
Back in September, I had the privilege of moderating an RSAC webcast titled, “Integrity Matters, and Things that Matter Aren’t Easy.” I was joined by Pamela Fusco, Juan Gomez-Sanchez, and Jerry L. Davis—all seasoned veterans of the industry with a wide variety of experiences, including stints in various government-related security roles as well as roles across different commercial sectors.
With this diversity of background and perspectives, one thing was clear from our discussion: We have all experienced integrity-related challenges that have tested our resolve, stretched our skills at navigating difficult discussions, and driven us to be more self-aware so we could step back from specific situations and ask ourselves:
- Am I doing the right thing?
- Am I wrong?
- Am I being stubborn?
Recently, I initiated a survey on pulse.qa. I wanted to understand how much pressure we feel to whitewash, dilute or otherwise lower the risk of security-related issues we communicate to our organizations.
What I learned was sobering.
Sobering, but consistent across the 100+ respondents and with my own experience: 76% of us have felt some sort of pressure, whether self-imposed or initiated by others, to under-report the reality of a security risk.
A December 2019 survey by the National Association of Corporate Directors (NACD) found that 61% of corporate directors would compromise on information security for the sake of a business objective. This past October, ISACA reported that 84% of business leaders were confident in their information security posture, but only 31% of security staff surveyed had confidence.
We need to look at the data.
We need to look at ourselves.
We need to realize that we have a problem on our hands that must be addressed.
We have misalignment between business executives and security teams regarding information security risk. This is perhaps the core systemic issue that has been perpetuating the cyber-risk cycle we have been experiencing for decades. As CISOs and CSOs, our job requires active engagement to resolve that misalignment in both how security-related risk is understood AND how it is portrayed.
Ultimately, such active engagement is what the RSAC webcast was all about. Participating leaders shared openly the challenges of making consistently sound decisions so we can always do the right thing—not only for the organizations we belong to but also the stakeholders who may be affected by an unmitigated or unmanaged security risk.
We all recognized that there is real pressure on us and on our peers that can result in substantial stress. But we also acknowledged that we could anticipate when the pressure was likely to arise: we could smell it, feel it like a sixth sense. We concluded that we need to trust and use those instincts to address ethical dilemmas earlier, creating enough space for the right questions to be asked and the best solutions to be created.
Facts are our friends in these moments. We need to “talk to our tribe” so we can calibrate with trusted peers inside and outside our organizations and gain additional perspectives.
Ethical decision-making is a requirement of leadership, a deliberate commitment. It is supposed to feel uncomfortable, and if it does not, then you are not doing it the right way.
Ethical decision-making requires us to have the humility to recognize we are all vulnerable to dilemmas and we all suffer from blind spots that can impact our true understanding of risk.
To support the process, we need to create a protocol to follow when we must walk up the management chain (including to the board of directors) to address risk issues. We need to leverage our own codes of ethics and our broader organizational DNA to navigate what is right and wrong.
And we must be ready to walk away—putting our badge on the table if necessary—knowing we did all we could do. Such action, while unfortunate, has been taken by many of us, but Pamela, Juan, Jerry and I can assure you that you will always end up in a better place—with your integrity and the integrity of the CISO/CSO role intact—when you do the right thing.
If you did not get a chance to watch the webcast, you can watch it here. And remember: “If you don’t make a choice, the choice makes you,” and, “If there is a conversation you have been avoiding, that’s the one to have.”