I want to talk to you about a delicate issue we face in IT. No, not the legalization of recreational marijuana, I mean our Gilfoyle Problem.
Our Gil…wait, what?
Stay with me here, we are going on a Vision Quest.
Gilfoyle is a character on the hilarious HBO TV show Silicon Valley. Gilfoyle is the quintessential IT jerk: intelligent, socially awkward, arrogant, subversive, and (ultimately) deeply insecure. Actor Martin Starr plays this role to deadpan perfection. However, Starr and the writers of Silicon Valley have done more than give us some laughs. Gilfoyle is the reflection of a serious problem facing IT and cybersecurity: insecure technology people are a pervasive obstruction to progress, innovation, and security.
In Silicon Valley the show, Gilfoyle exaggerates his skills, belittles his co-workers, gives up when challenged, rejects change, and arrogantly dismisses new ideas. Sound like an IT person you know? Within the narrative of a TV show, Gilfoyle’s antics are hilarious, especially when he is teasing his co-worker Dinesh.
Gilfoyle may be fictional, but the Gilfoyle Problem is very real. Inside many IT organizations, immature IT and cybersecurity people play out many of Gilfoyle’s behaviors. When a new technology falls outside their comfort zone, Gilfoyle deflects back to what they know (which is basically the crux of Cisco’s go-to-market strategy). When an outsider conducts an assessment (voice of experience here), Gilfoyle argues and complains about the results, techniques, or scope of the engagement, casting doubt on the entire effort. And when a business needs to react quickly to shifting market conditions or cybersecurity threats, Gilfoyle dismisses change as bad, wrong, and dangerous. All of these outcomes inhibit growth and change when it is needed. This can become catastrophic if the change is a crucial security improvement. And when the inevitable breach happens, Gilfoyle crosses his arms and sneers, while management is shown the door.
One way we see Gilfoyle behaviors manifest in IT is in patch management practices. System patching is proven to reduce risk. It is also extremely easy to do. There are ample tools that automate patching. Yet Gilfoyle will argue for hours about all manner of horrific, earth-shattering disasters that will certainly befall the company if systems are patched. We see this with disturbing regularity: unpatched systems that come pre-loaded with a list of excuses from Gilfoyle.
In cybersecurity, the Gilfoyle Problem goes beyond a mere annoyance. It is a serious threat to organizational security. Immature IT people can block vital security improvements, putting the entire company at risk. Compounding this, operational staff will invent all manner of ludicrous practices and formalities to avoid making simple improvements. If leadership lacks the savvy to handle a Gilfoyle, they give in to these antics and empower more of it.
However, there is a way to overcome Gilfoyle. It is easier than you might think.
In 2009, Anitian was completing a complex risk assessment for a large organization. During our meetings, we observed a consistent behavior: as our questions became more technical, the IT people reacted with defensiveness. Furthermore, group meetings intensified the behavior.
Sometimes the IT people would challenge our skills and experience. They also would seize any inconsistency as proof that we were unfit to question their IT operations and practices. This was classic defensive behavior from people who felt insecure. We were an outsider scrutinizing their work. We threatened their status as an expert in their organization.
Frustrated with the antagonistic behavior (and the lack of risk intelligence), we changed tactics. We switched to one-on-one meetings. Rather than focus on the technology, we focused on the person, their role, and their expertise. We would begin by asking them to describe their job and what they liked and did not like. We showed respect to their expertise and listened intently to their passions. We would let them babble about hobbies, sports, and video games. We also began using techniques to build rapport, such as matching breathing patterns and body position. As they became comfortable, we would slowly switch to asking about the technologies and practices. And the spigot would open wide. No attitude or defensiveness. They would openly share their frustrations, worries, and challenges. We had gobs of risk intelligence.
This practice, which we call “chase the rabbit,” ultimately became a core tenet of our risk management practice.
However, something else happened. As these technical people relaxed, they became far more amenable to new ideas. On occasion, developers would solve their own vexing problems during our meetings. We merely “greased the wheels” to make it happen.
The Gilfoyle Problem is ultimately a façade that insecure people create when they are afraid of being challenged or humiliated in front of their peers. It is born from feelings of inadequacy. Rather than face their own discomfort, they create an entire outward personality that is tough and immune to scrutiny.
The irony of Gilfoyle is that most of these insecure jerks are supremely talented people. Their insecurities are as much a facet of their intellect as they are of their emotional immaturity. If they can overcome the façade, their intelligence can shine.
Overcoming this façade is the challenge of IT and security leaders. We must motivate, engage, and reach the Gilfoyles out there and lead them. Racks (or clouds) full of cool technologies are all well and good. Unlocking the greatness inside people is the only way to make those racks become something more than aluminum and code. As much as we dislike Gilfoyle, we need him.
For cybersecurity leaders, breaking down the Gilfoyle façade is the only way to start making real change. This is why we are so critical of cybersecurity conferences like RSA and BlackHat. They focus far too much energy on the hackers and attitude, and far too little energy on motivating defenders to do their jobs.
We all accept the notion that people are the most important dimension of IT and cybersecurity. Why then are we afraid to confront our own insecurities? Gilfoyle does not need another next-generation box of awesome, he needs leadership. The reason the Gilfoyle on Silicon Valley never grows up is because his leaders, Richard Hendricks and Erlich Bachman, are weak leaders themselves. Also, Bachman is usually high.
However, Hendricks can have moments of clarity and vision. When he does, it inspires Gilfoyle to put the attitude aside, and start making the changes necessary.
It is not enough to just listen to the Gilfoyles. Great leaders inspire them to overcome their insecurities and unleash their greatness within.
It is time to put down the technology bong and sober up to our Gilfoyle Problem.
Andrew, as always, your insights are poignant, vexing, well reasoned and clearer than fine crystal. Should be required reading.