Gartner Blog Network

We say no because that’s what you ask us to say

by Jay Heiser  |  March 28, 2013  |  Comments Off on We say no because that’s what you ask us to say

We’ve riffed for years on the distinction between “Dr. No” and “Mr/Ms Yes”, but many enterprises continue to back the security professional into the awkward far corner of the Business Prevention Department.  If the risk assessor is going to be blamed for security failures, then that person is always going to be motivated to make extremely conservative decisions.

The idea that risk can be understood and managed with the goal of reducing the potential for negative outcomes, and their impact, is not a radical one.  This is what risk management is all about. Unfortunately, it can only flourish in an atmosphere of cooperation and team work. Blame cultures are not conducive towards making difficult decisions involving poorly understood forms of risk.

Employees operating within a culture of blame are motivated to value CYA at the personal level before the corporate one. If people feel they are going to lose their job, or experience losses of prestige or status, when they are associated with failures, then the organizational culture is providing them economic and social motivation to avoid risk.  This counterproductive organizational dynamic plays out in spades in the intriguing yet ambiguous context of commercial cloud computing.

A blame culture typically approaches SaaS something like this:

  1. Somebody in the business thinks they can save money (or avoid IT’s annoyingly inflexible rules) buy using some kind of cloud service.
  2. They put together a business case that contains nothing but good news and beneficial financial outcomes.
  3. Contracting staff is asked to provide contract language that a) ensures that nothing bad can happen, and b) will be completely acceptable to the service provider (which has a reputation of not negotiating substantive contractual provisions).
  4. The IT contracting staff balks at this impossible task, it is treated harshly and is accused of empire building, and being non-cooperation.
  5. Meanwhile, the security staff is asked to approve a deal in which the buyer hasn’t stated their security requirements and the seller refuses to explain how their system actually works.
  6. The security staff balks at this impossible task, and is treated harshly.  Treated as being deficient in imagination, it is accused of being out of touch and is characterized as participating in business-disabling power games.
  7. Provided with the binary choice, the people who have the expertise to understand and mitigate the risk do what the blame culture motivates them to do and say that they cannot approve this deal.
  8. The line of business makes it clear that they believe these in house functions cause more harm than good, and strongly suggests firing the lot of them.

The tragedy of this all-too-common scenario is that few, if any, of these people were actually dead set against the externally provisioned service in the first place.  Life is full of ambiguity, and significant business decisions always require someone being willing to accept a risk. If the person who benefits from the positive outcome of a decision is also the person who will accept the blame for a negative outcome, then an organization is positioned to take advantage of new forms of service.  If somebody wants to save money, while dumping the negative consequences into somebody else’s lap, it should come as no surprise that the owners of those laps have developed mechanisms for pushing back.

It takes a well-coordinated team to say yes to an ambiguous risk question.

Additional Resources

View Free, Relevant Gartner Research

Gartner's research helps you cut through the complexity and deliver the knowledge you need to make the right decisions quickly, and with confidence.

Read Free Gartner Research

Category: cloud-computing  it-governance  risk-management  security  

Tags: risk-assessment  risk-management  

Jay Heiser
Research VP
6 years at Gartner
24 years IT industry

Jay Heiser is a research vice president specializing in the areas of SaaS and public cloud risk and control. Current research areas include SaaS governance, cloud provider transparency and digital business risks.Read Full Bio

Comments are closed

Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.