This is one of the articles I am struggling to write. Security consulting is as much art as science, and I feel like a traitor to my profession by revealing any insider knowledge. It’s like Penn & Teller explaining the science and misdirection behind their amazing magic acts. The audience is left better off by simply being amazed and concluding it’s all magic. Today, though, I’ll clue you in on two: tribal knowledge, and what I call the Nelson Effect, both related to job longevity.
I work with my teams to gather as much meaningful intelligence before we arrive for the on-site portion of our engagements. It’s pretty amazing what you can glean from corporate websites and searching professional networking sites. We gather a lot of intelligence just understanding the turnover and length of service of key security staff.
When we arrive at the client site for meetings, it becomes clear how personnel longevity influences a security program. The verbal cues become glaringly obvious once you learn what you need to listen for. When the clients refer to operational roles and responsibilities by people’s first names, you can rest assured job longevity is impacting the security program. The conversation usually goes like this:
Me: “Who is responsible for your corporate training program?”
Client: “Oh, that’s Sally’s group.”
Me: “…and who’s handling governance?”
Client: “That’s Tim’s responsibility.”
Now obviously, I couldn’t pick out either Sally or Tim in a police lineup. I have no idea who they are, and their names don’t describe their roles within the organization. Yet, all the client personnel around the table sagely nod their heads at the mention of these names. My work is cut out for me.
As I try to establish the roles and responsibilities of long-serving people who are identified by their given names, I also have to try to figure out if there’s an accurate organization chart and policies tied to these roles. These organizations usually don’t have a current organization chart, and it’s also not a surprise when their policies are either out-of-date or non-existent.
It’s truly wonderful in this day and age that people can have long and fruitful careers with a single company. However, corporate leaders have to be on-guard against ever-expanding tribal knowledge that can undermine efforts to identify and mitigate control risks. Over the decades, strong interpersonal relationships and back-channel operations begin to create a complex, hidden infrastructure that’s neither documented nor controllable. When elements of these processes fail – and they will – you don’t have the basic tools to accurately identify the problem and recover from failures.
If you work in an organization that uses names to identify roles and responsibilities, look around and see if you have the policies and controls to ensure your operations can continue to run smoothly when you encounter failures. Relying on a quick call to Sally or Tim may not be enough.
I’ve run out of room. Next time, we’ll discuss the other consulting cue to look for with long-serving employees – the Nelson Effect.
