Making it safe to speak up

This week in DuhaOne: SVB’s miss, keeping onboarding fresh, creating safety so people can point out danger, and tackling inclusion.

Leadership Moment: Silicon Valley Bank

The postmortems have already begun for the SVB failure, the second-largest in US history. This line inside CNN’s summary leapt out at me:

Several experts who spoke to CNN said it’s likely that people within SVB knew about the risks but let them slide.

I want to be cautious about hearsay and supposition – and this is both – but I wonder if “let them slide” might be rephrased as “saw no clear way to challenge the risk decisions of the company.” History is littered with failures where staff spotted a problem, and the combination of executive incentives and entrenched bureaucracy left the knowledgeable staff feeling helpless. Maybe the SVB failure can open other leaders’ eyes to the need for processes that let truly toxic risks be escalated.

And yes, SVB needed a CRO, but I doubt that was the only missing piece.

One Minute Pro Tip: Self-Updating Onboarding

You have an onboarding guide for new hires, right? Well, if you don’t, you should. Saving your new employees the time and energy of hunting down answers to basic questions they don’t yet know to ask is one of your key jobs in the workplace. But the most important instruction in an onboarding guide is the one most often left out, and it should be the first step:
1. Update this guide.

The person using the guide is the one most likely to discover its deficiencies. At the same time, they’re the person who often feels least empowered to edit it. Until they understand the nuances of your workplace, they’ll likely hold back their critique … and the problems in your onboarding guide will hit your next new hire. So explicitly tell new staff to update the guide.

Chapter 39 Teaser: Create safety to let people warn you of danger.

It’s really rare that a crisis or incident completely surprises everyone in the organization. You’ll usually find multiple folks – often junior technical staff – who, away from their managers, comment that they are unsurprised. Likely they didn’t foresee this exact incident at this exact moment, but they saw the hazards that led to it. Maybe they expected something worse, maybe something better, but, either way, they saw something coming.

At the same time, executives are looking at each other asking, “How did we not see this coming? Why weren’t we on the lookout for this?” The disconnect between these two groups is a chasm that seems uncrossable. Most of those executives don’t remember that, at some point, one or more of those junior technical staff pointed out risks and hazards, and were summarily shut down. (I recall a product review where I noted that we hadn’t even done a risk assessment because the product team hadn’t shared anything with us, and a vice president said, “Are you going to stop what could be a billion-dollar product over that?” Hint: the product ultimately failed on the market.)

The challenge is that executives are very decision-oriented. Any conversation is treated as an input to a yes/no decision, and risk conversations are more nebulous than that. Someone pointing out an unmanaged risk is perceived as trying to force a decision to stop, so they get run over very quickly. As a leader, you need to create space for staff to raise risks, so you understand which risks you’re taking. If you’re not comfortable with those risks, you might decide to implement compensating controls to offset them. But don’t make it your team’s responsibility to solve every possible problem for you … or you’ll be blindsided more and more often.

Appearances

March 25, talk: How to CISO in the Cloud, CSA Cloud Threats and Vulnerabilities Summit.

March 30, webinar, host: Master Cloud Cost Optimization.

March 30, virtual roundtable, principal: with TechExecs.

April 11, webinar, host: Creating a Cloud Security Strategy.

April 18, 1% Leadership is released!

April 19, webinar chat: Writing your Cloud Opus: A Deep Dive into Orchestrating your Cloud Security Remediation.

At RSAC:

April 24: 10:50 am, Telling Fairy Tales to Your Board

April 24: noon, RSAC bookstore, signing books

April 24: 5-7 pm, Welcome Reception, Orca Booth 527, book giveaway & signing

April 25: 7-9 pm, Orca Security Cocktail Reception, Terra Gallery

April 26: 6-9 pm, YL Ventures & Portfolio Companies Reception, Novela

May 7-12: Tel Aviv

May 16: panel moderator, Cloud Security Live

Behind the paywall: 1% Coach: Inclusion
