How to exude values and ethics in the cybersecurity sector – Daltrey Podcast Interview

Blair Crawford: We speak to Shannon Sedgwick about the Cyber Security Strategy 2020 and the importance of ethics and values in business.  

In the dog-eat-dog world of business, it’s easy to forget your company’s purpose and values when it’s time to negotiate contracts. But Shannon Sedgwick, Senior Managing Director at Ankura, says an ethical approach is essential for greater productivity and profitability – particularly for those in the cybersecurity sector. We speak to Shannon about the recently released Cyber Security Strategy 2020, and how ethics and values should be a key driver for all companies in the sector. 

Blair Crawford: Recently the Australian Government released its Cyber Security Strategy 2020. What are your thoughts on the position that puts cybersecurity companies locally?  

Shannon Sedgwick: It hasn’t been getting the best feedback, as it’s been summarily smashed by industry leaders. I don’t think it’s all bad. I think it’s a good first step; it’s better than nothing. A lot of funding has been thrown towards it and it shows the government is taking it seriously. I do wish that some funding had been allocated to helping the Australian cybersecurity industry grow both products and services, and helping us export our services globally. 

Our economy is far too reliant on just a few industries – mining and tertiary education and tourism. And we’ve seen two of those fall over with the coronavirus pandemic and the closing of our borders. Those two industries are struggling, and I feel that innovation, technology, and cybersecurity should go hand-in-hand. It could be a useful arrow in the quiver of the government to diversify our GDP and our economy. And I feel that that Cyber Security Strategy fails to take advantage of that opportunity and to support local businesses, particularly SMBs in Australia.   

Blair Crawford: What do you think the disconnect is?

Shannon Sedgwick: I don’t think they have enough industry representation among those who develop such strategies. The government’s strategy doesn’t encompass all of the requirements, culture, belief and needs of the industry as a whole. It’s taken from a fairly small subset of where cybersecurity touches all industries. 

It has a very heavy focus on telecommunications, defence, critical infrastructure, and law enforcement. You could see that even when Peter Dutton announced the Cyber Security Strategy, his entire focus and his verbiage was around law enforcement and how this strategy would help benefit the government and its intelligence agencies to catch cybercriminals. 

But that’s an extremely small portion of what we should be focused on as an overarching cybersecurity strategy for all of Australia. They missed the mark by quite a bit.  

Blair Crawford: Sometimes an industry will have a fantastic piece of technology and they’ll use a group of technologists to represent it. But what’s often missing is that representation from a commercial standpoint. What’s the functional benefit of an amazing piece of kit? 

Shannon Sedgwick: You’re exactly right. You get these amazing companies who have vast technical expertise, but they lack the ability to translate their offering into a lingua franca that is understandable to the client and to the market. You need to get your message out there and do it in a way that isn’t “salesy” – nobody wants to be sold to. You also have to look at this for the long term – you have to build relationships and chase collaborative projects that can add value to both your team and your client. It can’t be transactional.  

I’ve long been a proponent of having a purpose that goes beyond profits. I think that’s necessary not only for your business to be trusted and to have transparency about what you’re doing in the market. But it also helps to harness the energy of your team, especially when they feel that they’re acting towards a greater good or making a real impact. If you can make them love coming into work and feeling like they’re making a real difference, the output that your business generates and the effectiveness and the work that they do is just so much higher. 

Blair Crawford: You’re a big advocate around this concept of values-based contracts, particularly speaking to the intent of a relationship over and above the functional outcome that you get from purchasing and exchanging. So what is a values-based contract?

Shannon Sedgwick: It’s something I’ve been researching for quite some time now, and it’s one of my pet projects. It taps into my enthusiasm around a purpose beyond profits, living by your values and running a values-based business. 

Now, think about most companies. They usually start with a purpose statement, and then they have guiding values or principles by which they make company decisions and carry themselves in the market. And most companies try to follow along with those. But as soon as it gets to contractual agreements and bringing in internal or external lawyers, that all goes out the window. You never hear anybody talking about how this contractual process is tied to their overall business or their purpose or their values. It becomes adversarial. It becomes a process all about protecting themselves – how can they prevent being taken advantage of, how can they limit their liability, and how can they limit their risk to an acceptable degree?  

But this is a completely adversarial approach. It’s combative, and it leaves a bad taste in everyone’s mouths. To me, for a company that purports to stand by its values and live to this higher purpose, it’s completely counterintuitive. Why would you not embed your values and a collaborative nature throughout the entire lifecycle of your client dealings? It makes no sense.  

So you have these values-based contracts – they are often called ‘relational contracts’ – and they carry much of the same content as a standard legal contract. Except at the start, before you get into the nuts and bolts of the legal contract, you sit down with your client, you sit down with your supplier, and you speak about what you want to get out of the project. You ask the question: what is our joint mission? Complete transparency is needed here. You put all your cards on the table, and then you establish a governance structure around the joint mission together. It really enforces collaboration.  

Typically, it’s mostly healthcare and religious organisations that have been using these types of contracts with any regularity. But the stats and the research that I’ve done and the benefits that I’ve experienced are just staggering. We’re seeing up to a 70% reduction in costs and wastage – not just legal costs, but the costs of running the project. Think about the amount of time you waste on a large-scale project where you’re holding each other up and it becomes a tit-for-tat where one party feels like they’re not getting what they need. Instead of committing their team, they’ll commit to saving on costs. Quality goes down and it becomes this death spiral. 

Having a values-based contract instead actually sets up a collaborative ecosystem. It allows you to live by these jointly established values and be guided by the agreed-upon principles throughout the entire lifecycle of the project.  

Blair Crawford: You’re an expert in your field. You’re also very focused and passionate about driving cybersecurity capability locally and doing business ethically and morally. So if you could give one piece of advice to organisations operating within the Australian cybersecurity market, given the current environment, what would it be?  

Shannon Sedgwick: Two things. Be kind to one another, no matter who you’re talking to, whether it be the CEO or one of your graduates. It takes courage to be kind constantly, and it’s free. And second, “specificity” – find out what you could be the best at and concentrate solely on that. Don’t try to do everything. Find out what you can be the best at and chase it as hard as you can.  

Want more insight into the world of security, identity access management, biometrics and more? Get your weekly fix with the IDentity Today podcast, hosted by Daltrey MD Blair Crawford. You can start on Episode 1 here or listen via Apple Podcasts, Spotify or your favourite podcast app. 

Why your incentive scheme is (most likely) wrong

If you have been reading my content and following me on LinkedIn or on my website, you will be aware that I am an active proponent of organisations committing to a purpose beyond profits and living by their values, rather than using them as surface-level marketing buzzwords. I strongly believe that this approach harnesses the discretionary energy of employees and leads to a successful, high-performing, and enjoyable organisational culture.

However, the culture and supporting values of a company are only one part of the puzzle. The structure and processes of an organisation must also be engineered to maximise that culture and achieve their strategic intent.

There is no more damaging structure to an organisation’s success than a poorly considered and implemented incentive scheme. If you, like some others, disagree with me and believe that “culture” is an intangible wishy-washy notion or perhaps you struggle to define exactly what culture means, then perhaps this will pique your interest.

When you boil it down, incentives are what motivate staff to produce the effort to achieve an outcome. There are extrinsic motivators such as compensation incentives (bonus, stock options, raises, profit-sharing etc.) and then there are more intrinsic motivators such as recognition incentives (certificates of achievement, awards, accomplishment announcements etc.). My focus in this argument is compensation incentives, particularly performance bonuses.

If you ask any typical CEO or business leader what the purpose of their organisation is, they will likely state a phrase containing one or more of the following: “innovation”, “customer success”, “value creation”, “growth”, “social impact”, “passion”, “sustainable”, “positive outcomes” etc.

Herein lies the problem. Performance bonuses, particularly in sales teams, are customarily geared towards monthly, quarterly, and annual revenue targets. The compensation incentives and associated key performance indicators (KPIs) are in no way geared towards any of their lofty purpose statement catchwords. Nor are they geared towards doing what is best for the organisation in the long-term.

For a particularly poignant example of incentives-gone-wrong, consider the most devastating cyber-attack in history, NotPetya, and its effect on the shipping giant Maersk. This statement is from an anonymous insider in the organisation: “the security revamp was green-lighted and budgeted. But its success was never made a so-called key performance indicator for Maersk’s most senior IT overseers, so implementing it wouldn’t contribute to their bonuses. They never carried the security makeover forward”. The aforementioned “security revamp” was scheduled to be completed before NotPetya destroyed their IT infrastructure and cost them close to half a billion dollars… Ouch.

Could you imagine if an organisation’s stated purpose actually reflected what their employees were incentivised to do? “Company A is committed to growing our revenue, at the expense of all else.” I think it might be difficult to win customers and motivate or even retain employees with a purpose such as that. But that is EXACTLY the message that is being sent when you engineer your incentive structures for short-term revenue goals.

Speak to any project (whether product or service-based) delivery team and they will freely admit (perhaps after a couple of drinks) that their internal sales team promise customers the world, lower prices to win work to such a degree that the delivery team’s profit margins are in the toilet, and then expect the delivery team to, well, deliver on those promises. This perverse incentivisation leads to communication breakdown and siloing of effort because both teams have different and oft-competing incentives. If your organisation is actually committed to “customer growth” and “positive outcomes” then why aren’t your staff incentivised to achieve that very aim?

Ineffective incentive structures are evident in a company’s relationships with its customers and staff. You will find such companies often have to revert to the contract in their dealings with customers, and the persistent arguments about who is living up to their part of the bargain are a never-ending quagmire of pervasive negative consumer sentiment. Staff are typically unmotivated for anything that does not benefit them personally and are so inwards-facing that they are unwilling to accept any risk to the warm little cocoon of bare-minimum effort and complacency they have built for themselves. Monthly and quarterly revenue targets are their sole concern. You will see things such as rounds of applause being given during meetings when sales targets are met, yet there is silence regarding their ever-worsening customer Net Promoter Scores (NPS) and subsequent blown-out budgets and timelines. You will hear statements from staff, behind closed doors, such as “I am just waiting until I reach ten years so I can get my long-term bonus and long service leave, then I am out of here”.

Another real-life example of perverse incentives is from Safi Bahcall’s new book Loonshots, “In the 1960s, the Ford Motor Company was desperate to compete with smaller, cheaper cars from Japan. So, the CEO announced an exciting stretch goal: the company would produce a new car that would cost less than $2,000 and weigh less than 2,000 pounds—the Ford Pinto. The goal and tight deadline, unfortunately, did not leave much time for safety checks. The fuel tank was placed just behind the rear axle with only 10 inches of crush space. The design flaw, as lawsuits later showed, led to a less-than-desirable new feature: on impact, the car could blow up.”

Is this type of environment or behaviour striking some chords with those reading? I am sure some of it is familiar to you.

Now for the denouement! I promise it is not all doom and gloom and coruscating attacks on a deficient commitment to values. I have the medicine! Although, to implement the solution will take significant structural changes to compensation and incentive schemes, and those who are most comfortable with the status quo will likely lash out and rail against these changes. That is a sure sign you are making the right changes.

I submit that an organisation’s sales, delivery, marketing, and other business units should ALL be incentivised by project success. What do I mean by project success? I define project success as a concinnity of the following measurable outcomes:

· Customer satisfaction pre, during, and post-project (NPS)
· Employee engagement and morale
· Profit margins
· Customer success (what this means should be pre-agreed prior to project commencement)
· Delivery within scheduled timeframes
· Quality assurance
· Maintenance of scope (don’t draw outside the lines!)

When all staff are incentivised to achieve the above outcomes, an increase in new customer wins and increased revenue will follow. Except, with this approach, you will also enhance customer satisfaction, elevate teamwork and collaboration, create a positive impact, and all without sacrificing profit margins. You will be, in fact, living up to your stated values and purpose.

There is no such thing as a flawless incentive scheme and despite most incentive structures being well-intentioned, you can see how they can motivate the wrong type of behaviour. Consider what your company’s incentives are promoting and what the most likely adopted behaviour of your staff will be. Adjust accordingly.

Put simply, you can’t motivate your staff solely by revenue targets. Making money for someone else will not engage them beyond bare-minimum effort and it will erode relationships with employees and customers. It also sends a clear message that your purported values and purpose are embellished misrepresentations and that inevitably destroys trust. Look beyond revenue. You might find you like what you see.

“Purpose is not the sole pursuit of profits but the animating force for achieving them. Profits are in no way inconsistent with purpose — in fact, profits and purpose are inextricably linked.” – Larry Fink – CEO of Blackrock