This week I came across a LinkedIn post that suggested that CISOs (Chief Information and Security Officers) often find themselves at a crossroads between innovation and gate-keeping.
On one hand, they are expected to champion innovation, integrating cutting-edge technologies that can propel organizations forward. On the other hand, they are the gatekeepers of caution, responsible for mitigating risks and ensuring that the security architecture is not compromised.
This is an important observation that applies to many other risk and compliance domains.
However, I am not sure what is being observed is a “crossroad.”
Instead, I believe we are observing the new reality for organizations, specifically, the need for whole brain thinking and operations.
Two Brain Hemispheres
Iain McGilchrist writes about the impact of a divided brain in his book, “The Master and His Emissary: The Divided Brain and the Making of the Western World.” Iain McGilchrist argues that the human brain is divided into two hemispheres with distinct functions and tendencies. This division, he believes, is crucial to understanding human nature and the challenges of modern society.
Right Hemisphere: Often referred to as the "Master," this hemisphere is attuned to the big picture. It's associated with intuition, creativity, empathy, and our connection to the world around us. It's the part of the brain that helps us understand context, relationships, and the nuances of human experience.
Left Hemisphere: Often called the "Emissary," this hemisphere is focused on details, logic, and analysis. It's responsible for language, mathematics, and the development of tools and technology. It's essential for breaking down complex problems into manageable parts.
McGilchrist contends that Western society (and I will add business in particular) has become overly reliant on the left hemisphere, leading to an imbalance. This overemphasis on logic, analysis, and control has resulted in a fragmented, dehumanized world – a world of algorithms and machine-based decisions. While the left hemisphere is crucial for progress, its dominance has overshadowed the wisdom and intuition of the right hemisphere.
In essence, McGilchrist's work calls for a more balanced approach, recognizing the value of both hemispheres and finding ways to integrate their strengths. By understanding the differences between the two halves of our brain, we can gain deeper insights into ourselves and the world around us.
The crossroads, that CISO’s and others are experiencing, may in fact not be a call to decide between innovation and gate-keeping, but rather the need to bring these two aspects together for the benefit of the whole.
Two Modes of Operations
Geoffrey Moore's book, “Zone to Win” while not written to address the divided brain, provides a useful model and operational approach applicable to this situation.
In his book, Moore makes the argument that to succeed businesses need different zones, each having different purposes, behaviours, and goals. They have their own operating system and culture, or better said – mode of operation.
A significant challenge for CISOs (along with other C-Suite roles) is that they often have more than one zone of operation within their mandate. These are often structured functionally, with a large span of control, and managed using the same behaviours and practices – and therein lies the rub.
With respect to behaviours, some will be more reactive to contend with deviations, exceptions, and non-conformance. However, others will be proactive to anticipate, plan, and act to respond to new threats and opportunities. The reactive side tends to be more reductive focused on the parts, whereas, the proactive side will tend to be integrative, focused on the whole.
Geoffrey Moore's concept of business zones aligns closely with McGilchrist's hemispheric model. The reactive, detail-oriented approach required in some business zones mirrors the left hemisphere's focus on analysis and control. Conversely, the proactive, strategic mindset needed for other zones resonates with the right hemisphere's capacity for synthesis and innovation.
The challenge for organizations, particularly in roles like the CISO, is to effectively balance these two modes of operation, often within a single function. This necessitates a deeper understanding of how the brain works and how it applies to organizational design.
Two Types of Risk
McGilchrist's two hemisphere model also helps to understand how we contend with threats and opportunities.
Risk as Threat: A Left-Brain Perspective
Threats are typically associated with negative outcomes, potential losses, or dangers. They often involve clear and defined risks that can be analyzed and quantified.
The left hemisphere, according to McGilchrist, is analytical, logical, and focused on details. It excels at identifying patterns, calculating probabilities, and developing strategies to mitigate threats. For instance, a financial analyst using data to predict market downturns is primarily employing left-brain functions.
Risk as Opportunity: A Right-Brain Perspective
Opportunities are associated with potential gains, growth, or positive outcomes. They often involve ambiguity and require a broader, holistic view to recognize.
The right hemisphere is more intuitive, creative, and focused on the big picture. It excels at recognizing patterns, understanding context, and envisioning possibilities. An entrepreneur spotting a new market trend is primarily using right-brain functions.
While the two hemispheres are often described as separate, they are interconnected and work together. In essence, understanding the different strengths of the left and right brain can provide valuable insights into how we perceive and respond to risk.
What is important to understand is that protecting against loss is different than pursuing gains. They each will have different cultures, behaviours, and methods. By harnessing the capabilities associated with threats along with opportunities, individuals and organizations can develop more comprehensive and effective risk management strategies.
Two Management Capabilities
The left and right brain model also sheds light on two management capabilities that are often confused but critical to meeting the breadth of obligations spanning rules, practices, targets, and outcomes. These capabilities are known as: Management Systems and Management Programs.
Management Systems
When it comes to operational risk – the uncertainty of meeting goals and objectives – we need systems and controls that make things more certain. These systems need to be consistent, reliable and maintain state by removing variability through feedback and control loops to correct for exceptions and deviations from the norm (expected behaviour).
We don't want innovation in the operation of these systems. Instead, we want conformance to standards and predictable performance. These systems are best described as closed-loop systems and are often called, “Management Systems.”
Management Programs
However, we also need to contend with emerging and new threats and opportunities. This requires introducing change to adapt to variations in the conditions by which an organization operates or the actions they are engaged in.
Here we need openness and innovation to adapt existing systems and processes to respond, for example, to expanded attack surfaces and threats. This requires exploration and discovery along with alignment and accountability – a prerequisite for proactive behavior. This kind of system changes state and are better characterized as open-loop systems often referred to as, “Management Programs.”
McGilchrist's model of the divided brain offers a compelling lens through which to view these management functions. The analytical, detail-oriented left hemisphere aligns with the structured, controlled nature of management systems. These systems thrive on consistency, predictability, and a focus on maintaining conformance to rules and practice standards.
Conversely, the intuitive, creative right hemisphere resonates with the dynamic, adaptive nature of management programs. These programs necessitate exploration, innovation, and a capacity to navigate uncertainty.
By recognizing the distinct roles that both hemispheres play in management, organizations can optimize their approaches. Again, this is not a crossroad but the need to maintain stability and steer towards targeted outcomes.
Towards Balanced Brain Operations
C-Suite roles face a complex balancing act between fostering innovation and mitigating risk.
On one hand, they are expected to champion cutting-edge technologies that drive organizational advancement. On the other, their role demands a vigilant focus on uncertainty and risk management.
This tension can be understood through the lens of Iain McGilchrist's theory of the divided brain. The analytical, detail-oriented left hemisphere aligns with risk management responsibilities, while the creative, big-picture perspective of the right hemisphere is crucial for innovation.
To effectively navigate this challenge, C-Suite roles benefit from two management capabilities. Management systems, driven by the left hemisphere, focus on control and risk mitigation. In contrast, management programs, aligned with the right hemisphere, emphasize innovation and adaptation.
By understanding and leveraging both hemispheres, organizations can optimize their strategies to improve the probability of mission success.