Who Needs to Know? The Hidden Value of Transparency

April 29, 2021

IP Watchdog

“In a networked world, trust is the most important currency.”

           — Eric Schmidt

I recently finished Gen. Stanley McChrystal’s book, Team of Teams, in which he describes organizational lessons learned as Commander of the Joint Special Operations Command in Iraq. Arriving in 2003, when Al Qaeda in Iraq (AQI) was outsmarting the best special forces that NATO could muster, McChrystal later replaced the traditional military approach of hierarchical control over information and authority with a “shared consciousness” system that pushed authority “to the edges of the organization.” Within two years they had eliminated the head of AQI, Abu Musab al-Zarqawi.

This feat was made possible, McChrystal argues, because the various elite units making up this special force had been transformed into a single organization capable of making decisions without orders from headquarters. While the separate teams of Navy SEALs, Army Rangers and CIA analysts had each proven themselves the best at their particular tasks, they trusted only their own members, and coordination among them was a matter of top-down control by the generals. But to meet the challenge of the elusive, loosely-networked AQI, the Command had to empower these individual teams to work together seamlessly. And that required extreme transparency: each team was aware of the whole mission.

“Need to know” is a bedrock tenet of information security. You only get to see it if you need to see it. The reasoning is that the fewer people who know the details, the lower the risk that information will be compromised by reaching the competition. Another term used among professionals is the “principle of least privilege,” borrowed from the notion in computer science that a user account should be given only that level of privilege that is absolutely necessary to its operation within the system, making failures less likely. By whatever name, the principle increases control by limiting access.

Is ‘Need to Know’ Really Best?

The idea that any one person in an organization probably doesn’t need to know much is rooted in the industrial revolution. When we moved from the age of craftsmen who made an entire product to the assembly line, the worker mounting the wheel didn’t have to know anything about the rest of the car. In fact, mass production efficiency (and profits) resulted from breaking down every process into its predictable steps and assigning each step to a separate worker. The chief architect of this reductionist view of human behavior was Frederick Winslow Taylor, whose 1911 The Principles of Scientific Management has been described as the most influential management book of the 20th century.

Keeping secrets has long been viewed through the same lens: compartmentalization helps keep things under control. But interestingly, it doesn’t always make things more efficient or productive. For example, consider what may have been one of the most important government secrets of the modern age: the wartime Manhattan Project to develop the atomic bomb. Operators of uranium centrifuges at the military headquarters in Oak Ridge, Tennessee knew how to operate the machinery, but didn’t know why they were doing it, until the weapon had been dropped on Japan. In parallel, at the Los Alamos, New Mexico, labs where the physicists and engineers were racing against time and the Nazis, the complex calculations for their work depended on manual punch card inputs to IBM calculators. When management revealed to those clerical workers what all the numbers were for, productivity soared, and they even invented programs to speed the process.

Managing Unpredictability by Sharing Information

What McChrystal learned in Iraq was that the long-held assumptions of the military about command and control started to break down in the complex, unpredictable environment of modern insurgent warfare. Despite having the best equipment, the most advanced technology and the most thorough training, his finely tuned teams couldn’t match the adversary’s lithe adaptability. The traditional approach of anticipating and carefully planning for every eventuality didn’t work when nothing was predictable, especially when permission had to come from headquarters and each team was operating independently. Instead, he had to scramble the organization chart and develop trust among the teams that equaled the trust they had for one another, so they could act together as a single, responsive organism.

Building trust requires sharing information, and that’s where the lessons lie for modern industry. The adversary is not AQI, but a global swarm of disrupters bent on displacing your business. They operate in a flexible, data-rich, technology-driven environment where the rules of engagement are neither clear nor static.

This is not to say that “need to know” is dead. Not at all. But we shouldn’t think that just because information is not immediately required for a task it should not be widely accessible. Let’s consider a couple of examples.

First, a member of the sales team is attending an industry show (yes, we are going to do those again). She runs into the representative for an important potential customer, who as it turns out has a need for what the company is offering, but only the new, as-yet-unannounced version with some compelling features would suffice. Should she reveal the confidential information she knows, even though there’s no nondisclosure agreement in place? Or should she pass on the potential sale?

Now consider the engineer who has left the company to join a competitor. He’s working in the same general technology. At a meeting with his new colleagues, they describe a challenge they’re facing to decide among several options that seem like fairly straightforward engineering choices. But this employee knows from his most recent experience that one of those options will likely lead to failure. Is that knowledge part of his general skill and experience that he can share, or does he need to take himself out of the conversation?

Enabling Smart Decisions

Whether or not the answers to these questions seemed straightforward to you, the issue is what that employee will decide in the moment. More specifically for management, the question is what you would want them to do, and whether you are confident they will make the right choice.

If your business applies the “need to know” principle in its restrictive sense, it’s possible that your training program does not prepare employees for these kinds of decisions. Companies that tend to lock down information across the board also tend to assume that employees know what to do about confidential information. And anyway, if they don’t have access to it, there can’t be any risk, right?

One of McChrystal’s innovations in Iraq was to conduct mandatory daily briefings with all relevant units connected by video, including back at the Pentagon. It took some time before everyone from the various branches and agencies attended, but they came to understand the value of broadly sharing information. Trust improved, and the previously independent teams began to work organically, anticipating each other’s moves and making on-the-ground decisions. In short, greater access to information made them more effective.

What does this mean for your organization? You likely will benefit from rethinking your approach to access controls. More restrictive is not always better. Trusting people with broader information can improve performance. But to open things up and take full advantage of the capabilities of your workforce, you’ll need to take a hard look at your education program. Expecting employees to exercise good judgment about business secrets requires more than just sharing detailed plans for the next quarter.

McChrystal started with some of the best-trained soldiers in the world. If you want an adaptable workforce able to make smart decisions about when and how to share information in a complex world, you need to educate them thoroughly and continuously. They need to know what the company’s most valuable data assets are. They need to know their role in protecting them. They need to know what everyone else is doing and how they can help. Then you’ll have a team of teams.
