What nineteen audiences in twelve months taught me?
2014 has been an amazing and highly educational year for me as a speaker, trainer and executive. I think I may have learned as much from the audiences as they did from me. This past week, I just completed my nineteenth and final speaking engagement for 2014 on the technology innovations and security and compliance challenges that modern healthcare and other organizations are facing. I have been to many states and nearly two dozen cities, but in each I learned at least one new thing. These presentations were all over America from the West to the East coast and the South to the Northwest but some things are nearly universal. As I was considering what to include in a single blog, I thought ‘what a great opportunity to share some of the insights in a series instead’. In my 2014 travels, I found some of the issues people were facing and the ways they were dealing with them were extraordinary. As I mentioned previously, some of the issues were universal but being dealt with in varying ways. In this series, I will go through something I learned and/or an old lesson reaffirmed each week. Today, I will start with a critical lesson reaffirmed.
After presenting on the issues of major change, government regulations and advancing technology within organizations, I was constantly reminded that while fear is an incredibly intense and base human emotion, it is not a good driver of positive action. Even when we may be fully aware of potentially serious consequences, and understand that we should do something, due to decision paralysis we may actually do nothing. This decision paralysis leaves us behind the innovation curve. It can lead us to compliance gaps and in some cases, ultimate failure. Why do I raise the issue of fear in the context of technology? Because as I present on the realities of advancing technology, security, compliance, and data breach prevention, all too common decision paralysis becomes ever clearer. Many organizations are taking no action where they desperately need to be. Their fear has turned to an inability to move ahead on critical, tactical and strategic activities. Let’s look at a few of the drivers of fear in our daily jobs.
Entry 1 of 19 – Navigating Fear in the Security and Compliance World
In advancing technology it is fear of having a project go sideways, over budget or fail to accomplish the stated objective that has many frozen. What if that technology we recommend doesn’t work as we hope? What if it is something required by law (such as encryption in healthcare) that we fear an unknown outcome so much that we won’t act? What if we miss a key component of a project or underestimate the effort required and the entire project goes over our budget?
Security is a tough job for many reasons, but mostly because both action and inaction can cause failure. It is one of those jobs where only 100% is seemingly good enough. Security is one role where getting it right means nobody notices and getting it wrong can cost a job or even kill a company.
Compliance seems like a never ending drudgery and weighs on people like a backpack we never get to put down. It is the law, but we must meet the obligations with limited resources and often internal political constraints. Compounding the problem is the ambiguity the government so often leaves in their edicts. These can all lead fear, uncertainty and doubt, which leads to inaction and even false attestation.
So what can we do about the fear? As executives, how can we help to remove the decision paralysis? I think giving people freedom to fail is the only way we will ever get past it. I don’t mean to be derelict or sloppy, I mean doing a diligent job with professional standards recognizing that sometimes things go wrong. There can be no innovation without risk. It is risk that drives high returns.
When it comes to security, we have seen that even the most talented and well-funded organizations are attacked successfully. We must be willing to recognize that being outwitted or out spent in the war on our networks is a part of doing business. Especially where IT departments are limited to a staff of generalists, it is very likely a focused intruder will get in if they put their mind and money to doing damage or taking what they want. But with all of that said, we cannot limit IT support, cut budgets, fail to provide resources and then hold IT accountable for not doing what will most often prevent serious failures. We cannot only say, “No,” then when things go wrong, ask, “What happened?”
What I mean by giving our people the freedom to fail is to give them the resources to do their job and simultaneously limit the downsides for them. If they know we have their back when things don’t go as planned, they will take the risks required. Downsides can be managed through good planning, good contracts and seeking Safe Harbor within existing laws. Putting up a good defense is a combination of taking prudent security measures while also limiting risk.
Doing nothing is reliably worse than the risk associated with taking positive action. The problem is that unless we all agree to share in the decisions, those decisions weigh too heavily on an individual who may well understand the risk of doing nothing, but who may not want to take on the sole responsibility of acting. We must support those to whom we delegate the responsibilities of making important decisions and make it safe for them to do so. Otherwise all they see and feel are the downsides.
I think an amazing quote from Amazon’s CEO Jeff Bezos speaks well to risks. In 1997, Bezos wrote in his inaugural letter to stockholders, "We will make bold rather than timid investment decisions where we see a sufficient probability of gaining market leadership advantages. Some of these investments will pay off, others will not, and we will have learned another valuable lesson in either case.”
If we simply change a few of these words, it can apply to all of the risks I have spoken of here. The question is, will you push your team past decision paralysis by acting like Jeff Bezos, or not?
Some way to move ahead with well limited risk:
1. Exercise prolific change management. Always demand peer review where risks are high. This allows the risks and fear to be distributed over a group of professionals and often the group will find solutions that significantly reduce the risk in the first place.
2. Make sure you are familiar with the Safe Harbor components of your compliance environment. Take advantage of those. These are perhaps your only “get out of jail free cards” when the eventual breach happens.
3. Make sure you consult with your attorney on your contracts. How can your contracts be written to minimize risk? Make sure you have an attorney that understands cyber risk and compliance.
4. Consult with your staff. Have you given them an opportunity to voice their concerns and are you really listening? If you slow down and really listen you will get a whole new perspective.
5. Assess your staff to make sure they are both capable both technically and business maturity wise to deal with the issue of security and compliance? If not, you need to engage a professional to help them.
6. Assess your actions plan against those of your peers at other companies? Does your action meet the threshold of at least what others are doing responsibly? One good standard of defense is to be doing at a minimum at least what others are doing, if not more.
7. Have an outside expert review your plans before and after they are executed.
8. Above all, encourage your staff to do great things, take those prudent innovative risks that can pay off for everyone involved. Always stand behind them when they succeed or fail.