Technology Leadership Is About More Than Just Being Right
Implementing security policy is not easy. It's difficult from a technical perspective, sure, but convincing others in your company that the changes are necessary can be just as much of a challenge. Doubly so if you can't convince leadership.
The story of Twitter's current security woes is a great example.
IT teams are often treated as an inconvenient expense by the business(aka revenue-focused) side of an organization. This makes things doubly difficult for security professionals, because if IT a thorn in the side of the business people, security is a thorn in the side of IT. Take the famous seesaw of security vs convenience. For example, requiring multi-factor authentication means that on the one hand accounts are more secure. But on the other hand, it takes people longer to login. The result of this is that the business is substantially more secure. However, another result is that employees at all levels of the organization are irritated at best, and lose some time (a small amount of time in this case) to the new process at worst.
By now, MFA is a widely accepted standard. But it wasn't always thus. It was a long road to acceptance- one that security professionals have to go down every. single. time. a new security initiative is introduced.
This misalignment is a huge problem for IT leaders in general, and security leaders in particular. In some cases it can lead to incredible (and incredibly public) failures. Take for example the Peiter Zatko and his attempts to increase security at Twitter.
NOTE: I have never met any of the people in this story. I am not implying anything about their individual character, nor their specific actions. I do think there are enough similarities to people and situations I have observed to make this a general learning opportunity for anyone in security who has to work with non-IT leadership (or vice-versa).
In late August of 2022, Twitter's former Security Lead, Peiter Zatko (aka "Mudge"), released a whistleblower report about rampant security failures within the company. He claims that they have existed throughout his tenure at Twitter (Nov 2020 - Jan 2022), and that leadership knew about them and did nothing. Twitter, for a lack of a better word, says he's full of it. (It's actually gotten pretty acrimonious, with both sides flat-out calling each other liars.)
It is certain that there have been rampant security failures at Twitter for years. It was the July 2020 attack, where super high-profile users' accounts were compromised, that caused then-CEO Jack Dorsey to hire Mudge. During that time, Mudge made repeated and increasingly insistent attempts to get security on leadership's radar. He was ultimately unsuccessful, leading to his firing in January by new Twitter CEO Parag Agrawal.
If you want to read my brief breakdown on the technical side of the situation, you can that find that here.
Even for a company of Twitter's size, the problems Mudge highlighted should have been surmountable. However, proposing solutions to technical problems is only the beginning of the process. There are many, many people who have to be in alignment with what will happen if there is any hope of progress. This is really important for people who come in with a finely tuned mission (a 'certain set of skills,' if you will.) It can't just be about you and your wizardry, though- it has to be about the organization as a whole.
If you read Mudge's disclosure document, one of the complaints that comes through repeatedly is 'nobody wanted to listen.' Let's take a look at some common problems that can derail even the smartest and most capable of security professionals.
Problem: Pointing Out Problems, Not Solving Problems
A security leader should have risk registers that outline the issues. This is where you discuss everything that's wrong. A security leader should also have a roadmap, and that roadmap simply can't say "we start fixing absolutely everything tomorrow."
This is a hard one for many leaders- especially those who come into a new environment. You come in with fresh eyes, and immediately see 26 things that need immediate attention. The trouble is, nobody wants to listen to the new hire. They haven't proven themselves yet. This is why it's so important to get early wins. Find a problem, and stick with it until it's completely solved. That shows organizational improvement. Before/After examples from successful projects are really powerful evidence of why the next initiative should get support.
Similarly, being focused means that when you do have an opportunity to talk to higher-ups, you are on message about what you are doing. If you bring in a new problem every time you talk to someone all they will see is a lack of focus. They will have no idea what you're talking about on this brand new topic, and if that happens enough, they will eventually just tune you out. Even for executives, there is only so much time in the day.
Problem: Loss Of (Or Failure To Cultivate) Allies
Building anything, whether it is a product or a security process, requires a lot of people's support. Often times, buy-in isn't sufficient- you need allies that will work as cheerleaders for what you are doing, and argue in your favor when you're not in the room. This is doubly important in leadership- you can't just put your hands on the keyboard and make things happen. You need your team working with all the other technical teams (with the support of the business teams) to get things done.
Problem: Allowing Animosity With An Individual To Cause Damage To The Organization
This follows from the point above, and should probably be obvious, BUT: If you can't make allies, definitely don't make enemies.
In any organization, there are going to be people that you just don't gel with. Some of them are easily understandable- after all, you never know when you're going to have to deal with a Mets fan. But it's important to remember that everyone in the organization has a voice. It doesn't matter if you like them. They have influence, and they have people who report to them.
Problem: Going Around The Chain Of Command
Frustration with progress is normal. There's a reason that there are so many jokes about corporations not accomplishing anything- it takes a while to make changes happen. Any organization will build it's own momentum over time, and changing that momentum takes time. And any change is going to require everyone to be on board. This starts with your boss, and then your boss's boss, etc., etc. All you will do is build resentment if you try to be the person who kicks down the owners door yelling "we don't have time for this, we need to make [CHANGE X] NOW!"
Problem: Not Establishing A Good Reputation
This is where all of the other Problems listed above are leading: The number one thing you want as a leader is a good reputation. There is a ton of variation here, but I believe it boils down to three kinds of reputation (And for the record I have an MBA so I'm allowed to use the official Business Emojis):
- Oh that guy! 😃
- Oh THAT guy? 🙄
- ... who? 🤔
Everyone starts as a #3. But, if you do everything right, you get into #1 territory. And THAT is when you can really start to shine. If you don't do everything right, you are stuck as a #2 and you just made your own job a LOT harder.
To be clear: It is possible to do everything right and still not end up a #1. There is absolutely such a thing as a 'bad fit' in any employment situation, and that shouldn't be a permanent reflection on an employee or employer. That's true of any job at any company. If that happens then it's time to seriously consider if it's worth trying to work it out where you are, or if it's time to move on.
Conclusion (Or, The Part Where I Restate The Title)
If you're right and nothing happens, it doesn't matter that you were right.
Solving problems at scale is not just about being right. It's about doing things the right way- both for yourself, and for the organization/environment you find yourself working in. An organization of any size requires cooperation to get things done, so building a consensus is literally the only way. And since security is about getting things done that annoy other people (remember, convenience vs. security), consensus is doubly important. It's one thing if the business side says things like "it's my way or the highway" - they're the ones who are responsible for revenue. Chances are it's a pink slip if the security guy says that.