Boosting Security with Civil Discourse

In cybersecurity, a culture of ‘civil discourse’, by which members of different teams make a genuine effort to understand each other’s viewpoints and challenges, is essential for ensuring security. Conversely, a lack of it can be bad for security.

There are several reasons for this:

1. Understanding organisational interests
Most of the security professionals I’ve encountered over the course of my career have had good intentions. They want to identify issues that could be a risk to or a problem for the organization and work to address those issues. Civility facilitates this noble cause by providing them with a forum in which they can raise issues safely and without fear of retribution. Organisations that promote this type of professional civil discourse often have a much better understanding of their security interests and are much better equipped to protect them.

2. Incorporating feedback
Clever security teams will collect all the feedback that stakeholders are willing to provide without passing judgment on or rejecting any of it. The feedback can always be sorted through and filtered later. If, however, stakeholders feel that the forum for providing feedback is not civil, they will cease to provide it. This will reduce the insightful and valuable feedback that is so necessary to improve security.

3. Identifying differences
Each team within the organisation has its mission that it is charged with, and that team is responsible for looking after one or more areas of the business. When different perspectives cause different teams to see the same issue differently, it can often produce helpful insight as to where a proposed approach may be incomplete or lacking certain considerations. This can be extremely helpful when working to ensure that the potential of security efforts is maximised

4. Following process
While many security professionals may not enjoy following processes, if they are timely, relevant, and well designed, they can help root out potential issues before they become big problems. A good process is designed to ensure that efforts proceed in accordance with policy, and that all relevant stakeholders are able to contribute to those efforts. In my experience, stakeholders are often able to help the security team see issues early on when processes are followed. This allows the security team to address those issues far more easily than it would be able to later.

5. Building consensus
Requiring consensus in order to move initiatives forward may seem bureaucratic, but it enforces a civil environment and ensures that those who will be affected by initiatives are on board. This, in turn, creates more robust security initiatives that address more of the relevant problems.

By creating an environment of civility, organisations can ensure that valuable input reaches those who can use it to improve the organisation’s security posture. Incivility, on the other hand, shuts down dialogue, suppresses ideas, and results in a poorer information security posture.