Jodie likes to frame the work that we’re doing as shifting quadrants in the Eisenhower matrix (popularized by Stephen Covey) from Urgent-Important — where most of our leaders tend to live — to Not Urgent-Important.
It’s a great frame, not least because our leaders (having been introduced to it at Rockwood) are familiar with it. The goal, ultimately, is not only to help shift these individuals, but also to shift their organizations and supporting structures. Without the latter, people are likely to stay stuck in their old habits.
The concerns raised at the last Wye meeting about security and surveillance offer both a great case study and a potential set of experiments. The fear and uncertainty that people feel fall squarely in the Urgent-Important category. Unfortunately, the solution lies in the Not Urgent-Important category. There is no universal checklist that solves people’s concerns about security. You have to look at the problem systemically, and you have to implement solutions collectively.
Here’s what I mean. Several people insisted that all Wye web properties use SSL (that is, serve everything over HTTPS) before we start using them. I actually think that’s a fair thing to ask for, and we’re in the process of implementing it. The more important question, however, is why? Why should we use SSL on our website?
The stock response is, “Security experts told us we should do that.” That’s not a good answer. Perhaps it’s okay for EDs to have that answer, since security policy might fall under someone else’s purview, but at minimum, EDs should be able to concretely name what they’re afraid of and to quantify their concerns.
For example, they might be afraid of the information in the website falling into the “wrong” hands. Whose hands are these? The government? Corporations? Members of conservative organizations? Members of other progressive organizations not participating in Wye?
If that’s the fear, what are the biggest threats? Is it the lack of an encrypted transport channel between the browser and the site? Is it the fact that we have one shared password for the entire site? (Again, that’s by design.) Is it the fact that anyone with access can easily copy and email the information to anyone else? Is it the fact that people have the password (and many others) saved unencrypted on their phones, and that they leave their phones lying around all the time for anyone to peek at or steal?
What are the costs of those threats? How much time and resources should people be investing to mitigate them?
Your security policy needs to be part of a larger strategy, and every ED should understand what that strategy is. I’ve been doing some research and talking to some trusted colleagues to find orgs that are doing this well, and good examples are few and far between. Which makes total sense. If the overarching culture is not to spend time in the Not Urgent-Important quadrant, then these strategies never get formed, and people resort to busy-work tactics that might not actually address your problems.
So what can we do about this? First, we need to model it ourselves. STP needs to do some threat and risk modeling, build an organizational strategy around that, and implement it. Miles River needs to do the same.
Second, we can support experiments around helping other orgs do this.
Finally, I just want to acknowledge that this stuff is really hard. One of those “universal” recipes that every individual should be doing is using a password manager. If you’re not already using a password manager, starting to use one is a pain-in-the-ass, and learning how to use one and integrating it into your workflow takes time. Furthermore, simply using a password manager is only a first step. You also have to start replacing your existing reused or guessable passwords with unique random ones, which is additional work, and creates new problems (every account now has a password you cannot remember, so you depend on the manager being available and backed up). Even this “simplest” of steps results in a not-insignificant change management challenge.
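To make the “randomize your existing passwords” step concrete, here is an added Python example (not code from the original post or from any of the organizations it mentions) of what a password manager does on your behalf: it generates passwords and passphrases from the operating system’s cryptographic random source, estimates how much guessing work they impose on an attacker, and audits a vault for the two problems the post worries about, reuse of one password across accounts and short passwords. The character set, the small word list, the minimum length of 12, and the guess rates are assumptions chosen for illustration; real managers use larger word lists (around 7776 words) and let you tune the rest per site.

```python
import math
import secrets
import string
from collections import defaultdict

# Assumed character set for generated passwords: letters, digits and a small
# punctuation set (74 symbols). Real managers let you tune this per site.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_=+"

# Constructed mini word list for the passphrase example. A real list such as
# the EFF long list has 7776 entries; the entropy figures below assume that.
WORDLIST = ["river", "silent", "copper", "wye", "lantern", "orbit", "meadow", "quartz"]


def generate_password(length=20, alphabet=ALPHABET):
    """Uniformly random password drawn from the OS CSPRNG via `secrets`.

    The `random` module is not acceptable here: it is seeded predictably and
    its output can be reconstructed from a few observed values.
    """
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(words=WORDLIST, count=6, sep="-"):
    """Diceware-style passphrase: `count` words drawn uniformly, with replacement."""
    if count < 1:
        raise ValueError("count must be positive")
    return sep.join(secrets.choice(words) for _ in range(count))


def entropy_bits(length, alphabet_size):
    """Bits of entropy for `length` independent uniform picks from `alphabet_size` symbols.

    This bound only holds for machine-generated secrets; a human-chosen
    password of the same length has far less entropy than this formula says.
    """
    return length * math.log2(alphabet_size)


def years_to_guess(bits, guesses_per_second):
    """Expected brute-force time in years, assuming the attacker covers half the keyspace."""
    seconds = (2 ** bits / 2) / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


def audit_vault(vault, min_length=12):
    """Flag reused and short passwords in a vault that maps account name -> password."""
    by_password = defaultdict(list)
    for account, password in vault.items():
        by_password[password].append(account)
    reused = sorted(sorted(accts) for accts in by_password.values() if len(accts) > 1)
    short = sorted(acct for acct, pw in vault.items() if len(pw) < min_length)
    return {"reused": reused, "short": short}


if __name__ == "__main__":
    pw = generate_password()
    print("generated password:", pw)
    print("generated passphrase:", generate_passphrase())
    # 20 symbols from 74 gives about 124 bits; 6 words from 7776 gives about 77.5.
    for label, bits in [("20-char password", entropy_bits(20, len(ALPHABET))),
                        ("6-word passphrase", entropy_bits(6, 7776)),
                        ("8-char lowercase word", entropy_bits(8, 26))]:
        # Assumed offline guess rate: 1e12 guesses/s against a fast hash.
        print(f"{label}: {bits:.1f} bits, {years_to_guess(bits, 1e12):.3g} years to guess")
    # Constructed vault showing the "one password everywhere" pattern.
    vault = {"wye-wiki": "hunter2", "wye-docs": "hunter2", "bank": pw}
    print("audit:", audit_vault(vault))
```

Running it shows the gap the post alludes to: an 8-letter lowercase word survives milliseconds against an offline guesser, while a 20-character machine-generated password or a 6-word passphrase is out of reach, and the audit immediately surfaces the shared-password accounts that need rotating.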
It’s hard work, but we’ve got to start doing it. The muscles for doing it well are the same muscles required to build shared systemic understanding, to do long-term visioning and strategy, and to constantly learn and adapt.