If you have more than one person in a company or a department, you have politics. When it comes down to it, it's a game. You always hear about those who know how to play politics well, and can therefore survive in any company, and those who can't and are quickly shown the door.
Wikipedia defines politics as, “the practice and theory of influencing other people on a civic or individual level. More narrowly, it refers to achieving and exercising positions of governance – organized control over a human community, particularly a state. A variety of methods is employed in politics, which include promoting its own political views among people, negotiation with other political subjects, making laws, and exercising force, including warfare against adversaries. Politics is exercised on a wide range of social levels, from clans and tribes of traditional societies, through modern local governments, companies and institutions up to sovereign states, to international level.”
For those of us in security, it’s the practice and theory of influencing other people on an individual and company level.
In every industry there are what we call "silos of information": departments that don't like sharing information with each other. Someone who can play the "game" (politics) well might be able to break through those silos and get at least some departments to work together, or at least to work with security.
Unfortunately, those of us in security often get caught in the middle as the political football. It is our job to protect the company against both physical and electronic attack. To do that, though, we must influence individuals in the company as well as what gets written into company policy.
In security, when things are going well we tend to be ignored – especially at annual budget time – no matter how well our CTO/CISO/CSO plays politics with the rest of the C-suite. When the CEO and the CTO/CISO/CSO don't get along, it can be even worse.
When budgets get cut, security practices and security awareness training go first. Cutting training weakens the first line of defense against attacks, and if the C-suite does not have buy-in – which means having been influenced by security management – training programs go out the window.
Consider this story of a Midwest hospital from several years ago. While I had yet to join the security field, this story has remained with me as a constant security lesson. I am recounting this from memory so please excuse any inaccuracies. It’s the take-away that counts. The hospital’s President didn’t get along with the IT/security department, and the IT/security manager didn’t take the time to get to know the President. It was a small hospital where the staff and management knew each other, maybe not very well, but well enough to be approachable, and well enough to allow managers to have direct contact with the President.
This hospital was one of the first to go all electronic. Doctors used iPad-type devices with scanners that read bar codes on each patient's wrist, then took notes and wrote prescriptions for each patient. Medication was also bar-coded so that there was no doubt as to what medication was dispensed. Nurses had rolling carts that they took to each patient's bedside, where they scanned the bar code on the patient's wrist, pulled up the medical chart for verification, and administered medication. Nurses also had access to the same electronic patient data from the main nurses' station. Together, these access points created a near-zero-mistake environment. Since a surgeon could view patient X-rays electronically in the operating room before surgery, there was no need for physical X-rays. All files were electronic; any physical files were placed in storage off-site. The hospital was HIPAA-compliant, and security was the top priority.
However, one day the President received an email message: "Put $500,000 into the following off-shore account within the next three days or we will shut down your network." The President ignored the email and did not tell the IT department; he simply deleted it. The next day he received another message: "You have until tomorrow to put $500,000 into the following off-shore account or we will shut down your network." He ignored that message too and didn't think it was important to tell anyone.
On the third day, he received this email: “You have ignored our requests, so tomorrow, we will shut down your network.” Sure enough, the next day, the hospital’s entire network was shut down. Doctors were unable to transmit notes or prescriptions to the nurses’ stations, medications could not be scanned from patients’ bracelets, and surgeons could not pull up X-rays for surgery.
Every time the network was brought back online, the perpetrators immediately took it down again. It took several days to fix. Doctors who had been skeptical about the electronic system from the start went back to paper and pen. Patients were not cared for in a timely fashion, and medication mistakes happened. Surgeons had to postpone scheduled surgeries until physical X-rays could be retrieved from off-site storage.
Had the IT/security manager taken the time to get to know the President and, over time, taught him about security threats – including that an extortion email is an early warning that must be reported to security immediately, not deleted – this event might not have happened, or might not have been this severe. What happened after the network was restored? The President fired the IT/security manager, and the hospital's Board of Directors fired the President.
The word silo should be considered a bad word in any business environment; it can only lead to trouble. This is why it's critical to share information about security threats company-wide. To get people to change or modify their behavior, they have to come around to your way of thinking. As the saying goes, that's politics.
This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet. I’ve been compensated to contribute to this program, but the opinions expressed in this post are my own and don’t necessarily represent IBM’s positions, strategies or opinions.