How do you let your people innovate while keeping them compliant with data security and privacy policies? ThoughtExchange Director of Information Security and Privacy, Chris Mussell shares how he’s inspiring ownership and co-creating a culture of data security and compliance.
I started out my career as a photographer, and it was always my dream to work for a big photography firm. Eventually, after a couple of career changes, I got a job in software development at my dream company. But my vision didn’t quite match reality.
Working in software development at a company with 45,000 employees worldwide, we regularly ran up against the brick wall of corporate IT when trying to innovate. More often than not, when we asked for something, they said “no.” It made our jobs harder.
After seven years with ThoughtExchange, in a variety of roles across IT and development, I took on the position of Director of Security and Privacy. One of my first tasks was to prepare us for SOC 2 compliance. A major hurdle for me with SOC 2 was creating Information Security Policies and an Incident Response Plan that would work for a mid-stage startup.
I knew from the get-go I didn’t want to be the IT guy who blocks people from doing their jobs. I want to enable people to do their best work—in a safe and secure way. I’m lucky to work in a company that has both the tools and leadership philosophy to help me empower our people to build a culture of data security, privacy and compliance.
Inspiring ownership of the why
I started creating policies on my own, doing countless hours of research into best practices and churning out drafts. In many companies, that might have been where the buck stopped. I would deliver my final decisions, and people would have to live with them.
But not at ThoughtExchange. Whenever a significant change is on the table, everyone here wants to understand the “why.” And if the “why” doesn’t make sense, people are encouraged to question it.
So after getting agreement from senior leadership on the drafts, I used our software to ask the whole company for open feedback. The exchanges gave every person on every team a chance to ask questions and say whatever was on their mind.
That gave me real and relevant feedback in a short amount of time. It helped me create an understandable process for the company and show people I heard them by making changes that reflected their feedback.
Being vulnerable in the how
After I got the exchange results, I set up meetings with key teams to dig further into the feedback.
In my meeting with the Development Team, some of our devs said the documents didn’t make sense for our processes. Instead of getting stuck on what I wrote, we dissected it, changed it and reached agreement. I learned a lot in the process, and we made our approach to information security better, together.
We have a lot of brilliant people. So, when you undertake a project like this, you need a certain amount of vulnerability. If you lead with that vulnerability, you get to the point where you’re not telling people what needs to be done; you’re asking them what needs to be done.
Empowering people to do the right thing
At ThoughtExchange, we’ve always encouraged our people to use whatever tools they need to do their jobs better. It’s how we stay agile and innovate.
As we grow and start working with more enterprise clients, we need to add more oversight and guidelines to comply with security policies.
After landing on policies that everyone could get behind, it was time to educate and empower folks so they could be compliant while continuing to do their best work. That involved training sessions to share our new best practices and update their knowledge of how software can access data.
We gave them the tools to make the right decisions on their own or to ask for help if they don’t know the answer. It’s about helping people get to the point where they’re their own best stewards of customer information—with a bit of oversight.
Getting wholehearted agreement (and showing compliance)
After the exchanges on the documents were done, I used our software again while delivering security and privacy training to give everyone another chance to ask questions and share thoughts on what we covered.
This helps me be better at delivering training. It also ensures I’m giving people what they want to learn, and not just what I think they need to hear.
The bonus of doing this kind of exchange is being able to use the results to show an auditor that everyone at ThoughtExchange has attended security and privacy training each year.
Co-creating a culture of data security
Involving everyone and getting broad agreement on these documents definitely added some time and complexity to the process. Using our software to engage everyone was the only thing that made it possible.
But the long-term benefits are undeniable. I tapped internal expertise to help improve our data security, created ownership of our policies, and empowered the whole company to protect customer data.
Best of all, by continuing to co-create this culture of data security, I’ll never have to be that IT guy who says “no” to people pushing the innovation envelope.