In November, I wrote about the art of “Constructive Conflict” for a cybersecurity leader: being able to effectively and gracefully raise issues and have productive business discussions with differing perspectives. Today I’m digging into an element of that idea. Constructive Conflict is initiated by friction, which arises when ideas that don’t smoothly align meet and create tension.
A good leadership team tries to root out sources of negative friction, whether bureaucratic or personal, as it can bring a team down and cause dysfunction. Not all friction is bad for a team, though, particularly when key decisions are being made. Challenges that prevent groupthink and ensure everyone at the table has a chance to voice differing views on an issue are products of healthy friction and help ensure good decisions.
Creating moments for healthy friction on cybersecurity risk is part of an effective cybersecurity program. One of the key elements of success for a security team is its ability to foster meaningful and open business risk discussions. Friction can prompt those discussions.
There need to be mechanisms that create friction: project checkpoints, committee meetings, contract reviews, code reviews, red team tests, and leadership updates where the cybersecurity team can push back on IT and business plans that could create unacceptable risk. As organizations charge forward with initiatives that leverage digital transformation, AI, and other technology innovations, cybersecurity leaders must put these friction points in place to ensure business leaders consider security risks along with business opportunities.
Here are some factors to consider in creating points of healthy friction:
Build them into established processes: Assess the processes the company uses to bring new business and technology ideas forward and transform them into reality. What are the key points in that cycle where security risk discussions should take place?
Timing is critical: Identifying security risks late in the IT development cycle usually leads to painful results. Choose the right timing, when enough is known for a meaningful risk discussion but before too much has been invested in the plan.
Keep the bigger picture in front: As a steward of the company, ensure any extra effort makes sense in the bigger scheme.
Clearly articulate the why: Present the potential consequences of security risks in a way that resonates with business leaders, focusing on tangible monetary impact, reputational damage, and legal/regulatory repercussions.
Make them credible: Ensure the process gates create relevant and meaningful risk dialogue and clearly demonstrate a commitment to protecting the organization.
Make them problem-solving events: The points of friction shouldn't stall progress; they should identify risks before they become problems and focus on solving them.
Collaboration is key: Explain the intent and openly communicate with IT and business leaders to choose how, where, and when to establish your points of friction.
The SEC’s recent updates to disclosure rules, and enforcement actions that up the ante for transparency on cyber risk management, mandate that CISOs are integrated into business processes and drive risk awareness, including discussions that may have been bypassed in the past. By creating points of "healthy friction," a cybersecurity leader can create robust cybersecurity discussions that enable informed decisions on risk without hindering progress.
Hold Fast and Stay True!