The people, process and technology triangle is overrated.
Yeah, I said it!
Oooh, I can already sense some people getting ready to flame me. OK, it’s a bit of a clickbait title, but what isn’t today?
Ok, let me tell you a story…
A little background…
A while back a graduate asked me for three key things that I thought would help them in their career. We are talking about a newbie to the corporate world of work let alone tech. For me it’s always:
- Watch your ego. Your degree might get you in the door but you’ll be starting from the floor. Absolutism, perfection and winning are an illusion. Your main goal is to always be improving. Baby steps.
- Learn to read the room. Generally, but also, for example, in especially tense meetings. Sometimes it’s better to have that conversation in another setting.
- If you provide a blanket “No” to someone without an alternative, they’ll find their own alternative and you’ll only know about it when the fish hits the tan.
They specifically wanted to know about the often-mentioned people, process and technology (PPT) elements. I’ve made a lot of mistakes and picked up a few things along the way (I think). So we had a chat around it all and, as they asked questions, I said there’s a level deeper than people, process and technology that you need to be more aware of, and they looked at me quizzically.
They asked what I meant about going deeper.
To elaborate…
If you take the people element and explore further, you end up with another PPT, the real PPT. Essentially this is organisational culture, but this is how I’ve experienced it and how I break it down:
Politics, Personalities and Trust
- Politics – Different business units across the organisation will have their own:
  - Risks
  - Objectives
  - Workflows
  - Ways of working
  - Friction
  - Pain points
  - Stresses

For various reasons (out of scope for this blog) there’s often friction between business units, but the main one I’ve noticed is lack of engagement and communication.
- Personalities – In your daily interactions with staff across the business, you’ll pick up:
  - How and how not to approach people.
  - You’ll hear gossip.
  - You’ll notice cliques.
  - You’ll hear both positive and negative things.
  - You’ll notice protectionism.
  - You’ll come across ego.

Remember, every interaction counts. Personal and departmental relationship building is key in information security.
- Trust – Deliver when you say you will. If you can’t, then manage expectations as early as possible and have a backup.
  - Be clear and transparent.
  - Be concrete.
  - When you get things wrong, be quick to take ownership; your apologies must never be fluffy.

One of the areas where I’ve noticed trust break down is where projects failed to carry out dependency mapping: in short, working out how much you depend on other departments to help get your project delivered. If you have a good project manager on board then you’re lucky, though this isn’t always the case.
To wrap it up…
The above three all meld into one, and these dynamics are important to understand and work with. Arguably, success in the process and technology elements is predicated on appreciating the nuances of the environment you find yourself in and being able to navigate them. Everything you do in your day-to-day job will first be dominated by politics, personalities and trust.
Take note that information security is still seen as the “department of no”. It is changing, but the stigma still exists, and just as you have technical debt you also have trust debt. It’s a legacy issue stemming from the past, when security was still a relatively new function and simply said no to everything. I’ve said it before, but a lot of information security functions are still in negative equity.
What you’ll find is that most people want to do the best they can in their job with the tools and processes available to them. Unfortunately, sometimes the overarching structure and culture just make it hard to do. This is especially important to understand when you hear “security is everyone’s responsibility”. This is great, but then the environment needs to be able to facilitate that responsibility.
So as a newbie to the field, learn to appreciate the nuances of the organisation you’re in. You’ll notice that most security problems come from a fundamental lack of understanding of, or wilful negligence in appreciating and working with, the organisation’s culture.
You can’t positively influence an environment if you don’t take a step back and understand it first, and nothing successful happens without effective engagement and empathy. Ever.
Watch the friction and flow of everything around you.