Information security is vastly complex, both technically and from a governance, risk and compliance (GRC) perspective. When workplace politics come into play, security best practices become more complicated and risk management is weakened significantly.
Security professionals commonly meet resistance when they attempt to implement IT initiatives that do not align with the organization’s political culture. Such an environment makes it extremely difficult to manage these initiatives. Security teams must recognize the obstacles they face and work to gain buy-in from key stakeholders.
The Problem With Organizational Politics
Denial can impede IT efforts — especially when C-suite executives are insulated from the realities of the security landscape. In many cases, when executives say that security is not in the budget, they simply mean that it is not on their radar and, therefore, doesn’t matter.
Other obstacles include hidden agendas and power struggles that prevent employees from sharing information with others. For example, some employees might withhold information as a tactic to ensure job security, while another staffer might use it as organizational currency to buy influence. Chief information security officers (CISOs) may encounter this behavior during red on blue exercises when red team members refuse to divulge vulnerability test results to the security operations center (SOC) team, or at the very least aren’t totally forthcoming about their exploits.
Pushing the Right Buttons
No department is immune to the effects of organizational politics. Security professionals must thoroughly understand the political landscape and devise more effective ways to communicate risks to C-level executives. This communication must occur in business terms with a focus on the end business goals.
To successfully navigate organizational politics, IT professionals must gain their colleagues’ trust, which takes time. Start by forming personal connections with fellow employees or subordinates. People have their own individual interests and concerns, and leveraging them can go a long way toward building positive rapport.
The bottom line is that if IT professionals have the organization’s best interest in mind, executives and other stakeholders are less likely to question their motives. This trust enables them to foster alliances and more effectively advocate for security. The CISO can take it a step further by acting as a mediator to help employees in other departments find common ground when disagreements arise.
Organizational politics require security professionals to be adaptable. As executives and employees come and go, the political landscape shifts accordingly. The key is to understand what you’re up against and use your experience to keep security top of mind throughout the enterprise.
Listen to the podcast series: A CISO’s Guide to Obtaining Budget
Chief Information Security Architect, Securityminders