The Trials, Travail and Tribulations of Being a CISO: Part 3
Part of the trials, travail and tribulations of being a CISO is dealing with difficult people. Unfortunately, the information security function is likely to be part of an IT organization, and IT organizations are notorious for having a disproportionate number of technical staff members who are in essence “bulldozers.” Bulldozer personalities try to get their way by being aggressive towards others, expecting those they have bullied to fold under pressure.
I was a CISO for the better part of three years in a previous job. I did my best to use good interpersonal skills in all my interactions with employees of the company for which I worked. Some of these employees had terribly deficient interpersonal skills, to the point where at one point a near-fist fight occurred just outside of the corporate office. (The majority of employees had very good interpersonal skills, however.) The most difficult issue with which I had to deal as CISO was a technical staff member who refused to sign an acknowledgement of having read, and an agreement to abide by, the provisions of the company information security policy. This policy was not very draconian at all; it contained all the usual provisions such as who owned corporate computing resources and information, password requirements, special requirements for proprietary information, and some acceptable use policy provisions. This person said that by signing this acknowledgement, the person’s family would be put at risk, because not complying with the policy could lead to negative consequences, including possibly termination. I assured this person that not signing the policy could also lead to negative consequences, something that caused this person to go ballistic.
As I look back on this ugly situation, I wish I had handled it differently. I did not lose my cool, whereas the other person did, but I now realize that when this person refused to sign the acknowledgement statement, I should have just acknowledged this person’s reaction, but should not have said anything more. I should instead have gone directly to this person’s supervisor and tried to come to some agreement with him. After the negative interaction with this employee, I talked with this person’s supervisor, but by then the damage had been done. The affronted employee kept a steady current of vitriol concerning me going until the day that I was gone.
There is in a way a happy ending to this story. The supervisor and I decided that if the employee in question objected to provisions of the security policy, that person should take the policy and delete objectionable portions. The supervisor agreed, but the employee never did anything. Over time I became increasingly concerned about the legal ramifications of every employee but one signing an acknowledgement of the security policy and agreement to abide by its terms. The situation was resolved when I went to the head of HR and told him how one employee had refused to sign the acknowledgement statement. The head of HR became livid, and within minutes the employee reluctantly signed the statement.
The moral of this story is that, as in the case of this incident, CISOs sometimes simply shoot themselves in the foot, thereby increasing their trials, travail, and tribulations. But then I remind myself that hindsight is always 20/20.