In the aftermath of the bombshell allegations from Twitter whistleblower Peiter “Mudge” Zatko about the company’s security practices — or the stunning lack thereof — enough ink has been spilled about him and other Silicon Valley dissidents who came before to notice a troubling trend: the failure of security-minded personnel to “blend in” or “gel” with the corporate culture.
Without litigating the finer points of Zatko’s complaint or his testimony in front of the Senate Judiciary Committee on Tuesday, this is the latest episode in a string of tech companies hiring respected names in infosec only to have them ushered out or resign (often in protest). This pattern raises more questions about whether the C-suite can face difficult truths than it does about the ability of strong personalities to conform to corporate culture.
The affair also raises suspicions of performative tokenism on the part of some tech giants, who sometimes appear to keep some of their security and ethics personnel on staff merely for window-dressing. Just recently, Meta disbanded its Responsible Innovation Team just about a year after touting them, while Patreon, which suffered a massive data breach in 2015, laid off its entire security staff.
This is not a new phenomenon. Organizational customs are in many ways a byproduct of the humans that inhabit them — or, in the most successful organizations, of a conscious and systematic struggle against bias, territoriality and tribalism.
From the animal kingdom to the business world to the military, deference to hierarchy and “managing upward,” however, is a reality with which everyone must grapple. The farther up the food-chain you go, the more tightly the wagons tend to circle. In the most extreme cases, in-group loyalties are tested against one’s own ethical compass, the echo-chamber around the boss proves impenetrable, group consensus takes precedence over innovation and the choice comes down to “love it or leave it.”
These time-tested vestiges of bureaucratic survival are likely the wrong yardstick to measure Zatko’s duties to Twitter, particularly for an industry that has long prided itself on innovation and upending the status quo. Moreover, in a world short on cybersecurity talent and plagued by growing and costly cyber risk, a new dose of humility from C-suites may be in order.
Security evangelists have spent nearly three decades trying to make inroads in the corporate landscape (the first CISO was hired by CitiGroup in 1995 after a major breach), only to keep finding themselves standing athwart a hurricane of disincentives to invest the necessary time, talent, tech and funding to survive a growing swathe of vulnerabilities. In a very real sense, corporate America is drowning, and keeps asking its security hires to describe the water more politely, and to toss their lifelines with a little less visible gusto.
Viewing Zatko’s plight within Twitter’s ecosystem through such a Darwinian corporate lens is probably unfair, as he was reportedly brought on not despite, but because of, his noted straight-shooting demeanor and no-nonsense approach to infosec. There are, however, other insights to be drawn from evolution that illustrate the recurring tendency he and so many like him have encountered.
For instance, author Howard Bloom outlines in his 2000 book “Global Brain” how collectives — from bacteria to boardrooms — either survive or perish, depending on the outcome of internal tensions between “conformity enforcers,” “diversity generators,” “resource shifters” and “inner judges.” A healthy synergy among these elements enables an organism to evolve and develop fitness for changing environments; imbalance, however, threatens peril (or extinction).
In the C-suite, security and compliance experts usually fall into the last of those categories, the “inner judges”; their diagnoses are frequently at odds with a company’s inertia, expansion or frugality, but nevertheless dangerous to disregard. Bloom’s description of this result is also apt for Twitter’s current showdown with Zatko: “If a crisis seems indecipherable, its victims are condemned by their inner-judges to a shutdown, the helpless nail-biting of anxiety. But if the causes of a crisis seem explainable, the result is surprisingly healthier … .”
Ultimately, corporate leaders will face a choice as to whether cybersecurity and product integrity are peripheral to their business survival and their duty to shareholders, or critical elements thereof — the only real question is when. Zatko’s allegations only lend further impetus to force that choice. As former Cybersecurity and Infrastructure Security Agency Director Chris Krebs noted earlier this year, “business as usual” needs to change. CISA, the Securities and Exchange Commission, and other agencies all appear poised to reinforce by regulatory fiat many of the practices for which Krebs, Zatko and other prominent cybersecurity voices have long advocated voluntary adoption.
To the extent security imperatives and their champions can be likened to “healthy inner-judges,” Bloom asserts that they can “shift a creature from inhibition to boldness, depending on the signals hinting at its value to society.” In that regard, between the Mudges of the world and the C-suites, it seems clear who in fact has failed to “read the room” or “align with the culture.” Unless executives can get on the right side of this issue, they’ll face even more damaging consequences sooner than they think.
Gavin Wilde is a Senior Fellow in the Technology and International Affairs program at the Carnegie Endowment for International Peace. He previously worked as a managing consultant for the Krebs Stamos Group, a cybersecurity advisory, and served as a director on the National Security Council staff. The views expressed here are his own.