Steven F. Fox, CISSP, QSA, ASV is a Security Architecture and Engineering Advisor at the U.S. Department of the ...
Collaboration can be toxic to an Information Security program. Assaulted by conflicting management agendas and priorities, the consensus needed for success sometimes suffers an early death. However, many organizations perpetuate the mantra that collaboration is always a good idea. Unfortunately, managers’ collective memories tend to cling to the outcomes of successful collaboration at the cost of the details that enabled those wins. In Collaboration Is Misunderstood and Overused, Andrew Campbell examines the misuse of collaboration and highlights issues that I have seen in my consulting practice – problems that threatened to reverse the momentum gained after a security assessment.
Teamwork and collaboration are distinct approaches to harnessing the skills/knowledge of corporate stakeholders to address a challenge. The former emerges when a leader, or leadership team, directs a group that cooperates to solve a problem. According to Campbell, team actions “are interdependent, but they are fully committed to a single result.” This focus requires an outcome-focused management style where individual or group differences are sublimated for the benefit of the team. “Team members may dislike each other. They may disagree on important issues. They may argue disruptively. But with a good leader they can still perform,” said Campbell.
Collaboration differs in the lack of a central leader. According to Campbell, those involved “will have some shared goals, but they often also have competing goals. Also, the shared goal is usually only a small part of their responsibilities.” Complicating things further is the lack of conflict resolution that is an organic part of a team’s leadership structure.
A healthcare provider contracted me to map the flow of Personal Healthcare Information (PHI) throughout their organization. Three weeks of interviews revealed the controls applied to the collection, processing, utilization, storage, and destruction of patient data. These controls, together with discussions with various managers, revealed that each department had very different ideas on how PHI should be used and secured. Some managers felt that protection of PHI was a validation of the faith entrusted to them by their customers. Other managers felt that PHI should only be protected to the extent required by HIPAA.
Upon review of this feedback, upper management realized that wholesale collaboration would be unproductive in formulating an enterprise-wide strategy to optimize PHI security while enhancing their value proposition. Recognizing that a team-based approach would be more effective, they created teams based on a functional analysis of the PHI data collected previously. The teams comprised the departments that participated in those functions and were led by a corporate committee. The outcome was an ongoing, coordinated compliance effort focused on securing patient data at a reasonable cost.
What makes collaboration succeed when it is used appropriately? Stakeholders’ emotional engagement and mutual respect, coupled with a governance structure, increase the chance of success. Campbell advises that managers “avoid relying on a collaborative relationship except in the rare case when a company objective is important enough to warrant some collaborative action but not so important as to warrant a dedicated team.”
Realizing the value of security investments requires teamwork. However, corporate teams play in a competitive arena that demands flexibility and responsiveness. Managers must be ready to recognize when to use tactical collaborations for the benefit of team strategy.
This mix of collective problem solving is common to supply chains where risk management involves multiple suppliers, and it’s a topic we hope to discuss further in upcoming Security Connected blogs and on Twitter at @McAfeeBusiness.