A little over 20 years ago, I learned the importance of asking better questions when connecting security to the business.
The investment bank we supported wanted to launch a new service, the sort that required the phone company to shut down part of the block to install a new connection. Paul, the CIO, took this seriously and directed my team to do a risk assessment of the connection and the service. We knew the stakes were high, and we followed the best practices to estimate risk.
We sat in plush green leather chairs around a massive wooden table with Paul at the head and another 20 to 25 leaders in the tech and business organization to review the plans to go forward. The room was as impressive as it was intimidating. I waited for my turn to brief the room on our findings, fascinated by the depth of the discussion.
Near the end of the meeting, Paul turned to me and asked me to share the results of our risk assessment.
I took a deep breath, then walked everyone through our detailed process, confirming our findings. We concluded, solemnly, that we had calculated an additional $1 million of risk. Two decades ago, that felt like a huge number to use, and it convinced us our findings were about to shut the program down.
Paul thanked me for the report. He looked around the room and asked if anyone had questions or challenges to our findings. No one challenged our findings or conclusion.
Then Paul looked around the table again and approved the program.
I couldn’t believe my ears.
I spoke up, energetically, and explained that we had just told them we found several risks that totaled $1 million of exposure, and that I was confused. Paul kept his cool, but I could read the frustration on his face as he confirmed the project's approval.
Then he dismissed the room and asked me to stay. Just me. As people shuffled out, my mind raced and my heart beat out of my chest. I had a sense of doom, a feeling that I had just screwed up in a big way, big enough to get fired.
Once the room emptied, he beckoned me to move down to the seat next to him.
I expected yelling, but Paul was cordial and inviting.
He started by thanking me for the thorough assessment, then pointed out I didn’t ask an important question. After a few awkward seconds of silence, he asked me what I didn’t ask him. Somehow I realized I had never learned about the program, and I blurted out something to that effect.
Paul smiled and confirmed that, as an investment bank, they deal with risk all the time, but also consider the expected reward. He explained they expected this program to produce at least $10 million in profit in the first year, possibly more. Based on the expected reward, the potential loss of up to $1 million was acceptable.
Suddenly, it seemed obvious, and I felt a little dumb.
My team went into it knowing the problem that we were going to solve. We were looking at the security risk of establishing a new connection outside of the bank. We didn’t ask what problem the bank wanted to solve, and therefore we only solved our narrow band of the problem.
We never explored the context or asked about the expected outcome. We just kept focused on the risk.
I took a few key lessons away from this experience, including the need to capture a more complete, more accurate, and more clear understanding of the situation to connect security with the business — in their terms.
The second lesson came when Paul made me an offer. He started by reviewing the determination of $1 million in risk and asked me for a gut check on the real exposure. While we didn’t pad our calculations, we definitely showed the worst-case scenario, lest we get blamed down the road. In my gut, though, I figured they were probably looking at $250k in exposure in the next year.
Paul said, “Great. How about I do this? I’ll give you and your team another 90 days and $250,000 to work with my team and see what you can do to do better. Just don’t get in the way or delay this project at all.”
A few minutes earlier, I expected to get fired. Now I walked out with a new agreement and direction to reduce the risk further (and we did).
Here’s the lesson: we sometimes mistake the actions of others as a sign they don’t care about security. I know I did in that meeting. I learned that Paul — and others — cared about the security of the program. They just saw more of the picture than I did.
I was lucky to learn this early in my career.
To connect security with the business, we need to ask more and better questions and engage in the dialogue. Once we understand the context of the problem and ideal outcome, it positions us to deliver the value they need and earn the recognition we deserve.