I read an interesting article today by Erik Engberg on “Extending Your Comfort Zone”… beginning with a quote from Neale Donald Walsch, “Life begins at the end of your comfort zone.” In addition to describing the leap into unknown, or lesser known, territory, the article chastises those leaders who promote such a star into another leadership role without providing some training, and I would add “or on-going active executive support.”
Are You Setting Your Team Up For Failure?
It’s an uncomfortable question, but that just further reinforces the need to ask it of ourselves. Especially when moving an individual into an area where they will have greater influence in your information risk management program.
Did we want an individual to fail? Did we secretly hope that she would be so buried (and so determined to get it right) that we wouldn’t hear from her again for another 6 months?
You might say that you knew that she would, with great resolve and strength of character, dig into the details and quickly establish herself as an expert in the regulations and requirements – after all, the compliment of being chosen, the confidence being bestowed on her, was gratifying and served to fuel her intentness to succeed.
Ah, if that was all that was needed to succeed in a compliance leadership role.
We know better. The landscape is littered with failures in effectiveness in compliance roles.
Did we, as leaders, provide:
- Time and money for proper training in her responsibilities and for obtaining appropriate certification (e.g. CIPP/US, HCISPP, CIPM),
- Communication to the organization, not only of the “promotion” announcement, but also of the commitment of the executive leadership team support,
- Establishment of the current level of compliance/security in order to provide a baseline from which rewards for improvement can be awarded,
- Provision of budget and resources for approved initiatives, and
- Oversight of initiative approval, progress on remediation plans and the breaking down of barriers to success?
Or did we know that, without those tactics of offense (or at least boulders of defense), our nominee would fail and another would be chosen, in time? During which time, we could turn our attention to other risks facing the organization – because in actuality, we don’t really consider compliance and data security as a priority risk and we’re just putting a Band-Aid on a broken limb. A hire that would allow us to say “we’re doing something – see we hired a crackerjack Privacy Officer – give her time” and in some (small) way show “good faith effort” when OCR or FTC or OIG comes knocking on the door.
Of course, we knew. Who do we think we’re fooling?
Or if we didn’t, we should have. We knew the pressures of this perennially underfunded role, and should have known that the lack of organizational power would undermine their success. That without conspicuous, prominent executive support and investment, our star was doomed to flailing and ultimately leaving… or worse, staying – disillusioned and dispirited.
Not a pretty ending for a potential leader in need of just some training and support.