Propagating Mission Language Throughout an Organization

I’ve been courting an idea lately, but have not been able to capture it completely. Hopefully this post will help me do that.

The idea goes something like this:

1. At the top of any organization, there is a mission, and the goal of every group within it should be to support that mission.

2. Unfortunately, large organizations tend to have many groups inside them, and because many of those groups require diverse skill-sets and diverse backgrounds (logical, creative, analytical, empathic, etc.) the methods used to achieve peak efficiency within those groups often vary significantly.

3. This often results in groups adopting their own sub-missions and their own ways of defining and communicating success.

4. The farther the group is from the top of the organization, and the more groups there are in total, the more likely it is that any one group may see their mission as quite different from the original.

Let’s call this Mission Drift.

There’s also another dynamic whereby the various groups are performing specialized functions for the organization. These might include: marketing, source code development, accounting, human resources, etc. And each of these might have and require their own particular set of industry assumptions, perspectives, and ways of interpreting the world.

Let’s call this Profession Bias.

My idea is that when you combine these two— Drift and Profession Bias—you will end up with different languages within the groups.

What I mean by language is different vocabularies, different syntax, and even different communication styles—like the difference between a Swiss banker and a French Poet.

What I’m wondering is if organizations become significantly harmed by these differences in communication.

The example that lead me to explore this is Information Security, which is the field I am in.

Here we’ve been grappling with a chasm between Information Security and the business since information security started.

The business wants to know how much money to spend in order to reduce what amount of risk. Information Security people tend to talk about the details of the vulnerabilities, and then about how some of them might have X or Y outcomes that would be very bad.

But ultimately, the infosec teams are speaking in infosec terms, about infosec problems. And business people are speaking about business problems in business terms.

So here’s the idea.

What if the organization’s language is the universal one?

What if it was the job of all other groups to translate their language into the language of the organization—in this case infosec translating to business.

And here’s taking it a bit further: what if it was simply considered failure for any group to be unable to do this?

So, human resources.

They want to implement a new policy that stops people from using the Internet during the day.

The business asks how this will affect their ability to attract top talent, and to make the best stuff, which will make the most money, which will raise the stock price the most.

Human resources shrugs and says they’re not experts on that kind of thing. They say there will be some negative impact, but it shouldn’t be too bad. Someone else says they know 9 of the best engineers who will leave if that happens.

But ultimately nobody knows. They’re guessing.

Then information security has some vulnerability they want to fix. it’ll require an upgrade to Windows 11. It’ll cost 124 million dollars.

The business asks how much risk it’ll reduce.

Information Security says they don’t know, but a lot. It could lead to a compromise where they lose 125 million. In certain situations.

The business asks how likely that is.

Unsupervised Learning — Security, Tech, and AI in 10 minutes…

Get a weekly breakdown of what's happening in security and tech—and why it matters.

Information Security says they don’t know, and that it’s almost impossible to say for sure.

These are failures of two groups inside the business to speak the language of the organization’s leadership.

Everything is a business decision, and you can’t do business fractions if you don’t have like terms.

How many riskies are in a could-be-bad? 11. Is that good or bad? Depends who you ask.

Well that’s great. Thanks for coming in today.

I feel like we could be in an infancy period for all of business functionality. It’s like we have these parasitic growths inside of businesses who have their own motives, goals, DNA, and yes–their own languages that don’t translate to business.

I think the ideal state for organizations such as businesses and countries and militaries, is to have all groups within them be able to convey all of their functions as benefits and losses to the organization—and in the organization’s mission terms.

For corporations, that’s money. The chances of losing X or Y amount, over Z amount of time. The amount of money that will be saved by doing A now instead of later. The amount of loss that will be prevented by implementing B instead of C.

Some in infosec are trying to do this, with differing levels of success. But it’s not universal. Nor is it non-trivial or overwhelmingly successful.

A few are grasping at it. Most don’t even know they should be.

The standard way of doing things is to talk about your field’s metrics, and then to try to loosely link that to the business world in some way.

We have 41 MockWocks—that’s roughly equivalent to $235,000.

Ok, but $235,000 dollars of what? When? How often? How do I raise or lower that number?

We’re still working on that stuff. These are the best numbers I could make up for this presentation.

Cool, thanks for coming in.

Summary

1. The endgame way of providing value to the business is translating EVERYTHING you produce into business language. Nothing you should do should be left in your own field’s terms.

2. We’re very far from being able to do this. We’re all still using our own terms, but that’s true because it’s (mostly?) necessary.

3. We shouldn’t let this stop us from realizing that the goal is unified language. We have to keep working for it.

Related posts:

1. Stop Trying to Violently Separate Privacy and Security

2. The Difference Between Business Intelligence, Reporting, Metrics, and Analytics

3. The Real Internet of Things: Details and Examples

4. When Companies Stop Caring About Data Loss, Risk Will Be Resilience-based and Focused on Business Disruption and Human Safety