I recently helped my son build his first pinewood derby car. He took second place out of a field of ~60 cars. The secret to turning a block of wood, four nails and cheap plastic wheels into a fast car is reducing every form of friction the car can face and shifting the balance to the right parts of the car.

One of the dads realized this fact a bit late in the process and asked a fellow dad if he happened to have any graphite (a carbon-based lubricant) with him. The response was "of course I do, I carry it on me at all times... right next to my Chapstick!"

"Friction" in a human and organizational sense is defined as "conflict or animosity caused by a clash of wills, temperaments or opinions."

The average employee not working in a security/privacy/legal role may hear the terms "privacy," "security" and "IP/privacy legal" and think they are variations of the same focus and desired outcomes. For example, defending a company against the theft of intellectual property and confidential information would intuitively have some overlap with protecting personal information. With that shared goal, everyone should work seamlessly together, right?

The answer, all too often, is a hesitant and unfortunate "no."

Many companies experience friction, silos and turf wars between security, privacy and legal departments. Friction creates drag. Drag slows progress. Lack of progress reduces a company's ability to successfully manage collective risks.

Tim Sewell (CTO/Co-founder of Reveal Risk) and I were reflecting on personal experiences and observations of these issues across different companies, and decided to analyze what was going on so we could help colleagues and clients create win:win:win outcomes between these functions. Our usual approaches to further research this seemingly common problem turned up virtually no articles or blog posts on the topic.
We suspected the root causes and potential solutions were likely hidden amongst people/politics, culture, fear and legacy thinking.

Not to be deterred, and wanting to get to the root of the issue, I went to my network to enlist respected experts and crowdsource contributions to the analysis and solutions. I am grateful to have had over 15 volunteers raise their virtual hands to contribute. In a testament to the complexity of these issues, many asked to remain anonymous because of current situations and relationships, but shared their input by role and industry.

Problem 1: Communication/understanding/engagement

Poor communication, understanding and engagement between functions around tools, processes and practices within cyber security can lead to surprises, disagreements, improper evidence handling, broken attorney-client privilege and project delays.

Analysis: Lack of engagement, transparency and partnership were common symptoms shared by almost everyone I talked with. Potential root causes were found to be:

1. Lack of cross-training, education and understanding of other perspectives. A chief privacy officer (CPO)/attorney from a large telecom company said, "Information security and privacy functional roles in corporations have evolved separately over the years. The need for symbiosis across these roles is clear, but often these teams at corporations do not place an emphasis on cross-learning to solve these disconnects in goals and perspectives."

2. Lack of engagement at the right time, or insufficient resources to do so, causing clashes when the lack of alignment or direction is discovered. Emotions can get in the way of listening and understanding on both sides when the "wait... what are you doing?" moment hits. Matthew Berger, a privacy and cybersecurity attorney, commented that "Traditionally speaking, privacy is viewed as a roadblock.
A hindrance to development, profits and growth, and privacy compliance is viewed as a paper exercise. Good privacy professionals get involved at the beginning of the development process and prevent these roadblocks before time is spent designing and building a risk-laden product or process."

Recommendation: Be a valued and invested partner. Seek to understand the other disciplines (at least enough to speak the same language) and build empathy toward their different perspectives. As the large telecom CPO recommends, "Privacy professionals should pursue training and even certification in information security frameworks, and information security professionals should pursue training and even certification in privacy and legal fundamentals."

A senior security and privacy leader in the automotive industry shares three of his successful tips on building partnership and trust:

1. Be the person that reaches out. I am in one of our legal offices almost every day. I stop in for non-immediate chats, asking how I can help and attempting to make things easier. For instance, any contract review I am asked to do I return within 24 hrs. This way I am viewed as an ally, particularly as I see every contract (customer/vendor) to review security/privacy provisions.

2. Mentor where possible. I have trained legal folks to be Privacy Officers. The more I help them, the easier it is when I need something quick.

3. Bring food. I have brought legal folks cookies/candy on a regular basis (at least 1-2 times a week). Better to see someone that brings food than a problem.

Problem 2: Technology confusion/lack of understanding

Concerns about cybersecurity methods, tools and enabled features/functionality came up as a frequent source of conflict.

Analysis: A relative newcomer to the table, cybersecurity brings with it a host of advanced capabilities with potential privacy and legal concerns.
A common example is "full packet capture" technologies that inspect encrypted network traffic. Intended to thwart malicious insiders and malware, these tools carry significant ethical and legal considerations. While the cyber security team's intent may be to detect malicious code, privacy and legal professionals are concerned about misuse of the technology and its ability to "spy" on employees or inspect their personal files.

Lack of understanding about the details and nuances of a specific technology and its use cases leads to lack of alignment and to alarms being raised (sometimes a false alarm, sometimes a valid concern). Potential root causes were:

Inability to effectively communicate controls, technology and process between security, legal and privacy personnel creates over-inflated concerns and stalemates. Sharing too much detail and sharing too little can both have negative effects. Additionally, many terms in cyber security stem from military and intelligence usage and sound, well... kind of scary. As an example, terms like "SSL interception" or "breaking encryption" without context sound like "we are going to use evil hacker tools to bust into encrypted documents and have some guys in a room looking at all of the file details to see what the people that work here are doing." The framing, facts and controls must be surfaced in conversations to avoid confusion and alarm.

Steve Snyder, of Bradley's Cybersecurity and Privacy Practice Group, said, "There is a lack of common vernacular to discuss cyber risk. IT/tech folks have one view of evaluating tech and managing projects; legal has a framework for discussions; business people have a different type of project management, etc.
And while there are undoubtedly times when they have to come together on other projects, when it comes to the highly technical subject matter of cyber risk the differences seem more apparent in terms of how the problem is described and evaluated and how proposed solutions are described. I think one thing that helps is an advisor that has bridged those gaps in the past, which means typically someone external who has helped comparable entities harmonize their various stakeholders to communicate and understand the problem."

Recommendation: Teams must communicate earlier and in simple terms to ensure they stay aligned. Use precise, controlled language to avoid invoking fears of "big brother," and focus on describing the technology and its use cases in the context of the controls in place to prevent abuse. The phrases "security by design" and "privacy by design" really ring true. While this seems easy, many never get past this step because they trip up on language by trying to talk too quickly.

Problem 3: Documentation/compliance focus vs. operational outcomes

Friction can be caused by efforts to get the "documentation right" (both what to, and what NOT to, put in writing) vs. progressing operational outcomes.

Analysis: There is a healthy balance between "a free-for-all with no documentation or compliance efforts" and "drowning in a sea of bureaucracy and paper pushing and not moving anything forward." Most companies fall somewhere in the middle of these extremes but skew one direction or the other.

An automotive industry security and privacy leader shared, "Realistically, some of the biggest issues have to do with operational vs. policy or 'redline' focus. The practitioner or operational focus involves getting work completed.
Whereas the 'redline' focus is driven towards a very narrow reading of the law, policy or standard. The redline focus is to perfect every little detail with limited sense of urgency or care about if/how the actual task needs to be done... Unfortunately, it is difficult to find operational folks with deep policy/legal expertise, and it is difficult to find operationally focused risk/legal resources. So, there is ongoing friction."

A senior privacy leader in the airline industry shared, "The role of legal is frequently misconstrued as a company's policing authority rather than being advisory in nature. In-house counsel is often asked for 'approval' or 'blessing,' which is not the role, especially when the rules are not always bright-line and guidance shifts based upon different factors. The role of legal is to provide legal analysis, surface the risks and provide recommendations to the business. The risks may often be accepted by the business through a mature risk acceptance process. This misconception is further emphasized when the general counsel role (advisor) is held by the same person as the chief compliance officer (enforcer)."

Recommendation: Beyond active partnering and understanding each other's perspectives (the recommendations for Problems 1 and 2), companies need to have clear responsibilities for each group. Compliance-related functions need to have a stated and practiced objective to make compliance as easy and natural as possible. Operational functions need to determine how to better leverage their more compliance-focused partners to drive process improvement and controls (not paper improvements).

Problem 4: Lack of process fundamentals

Without clearly defined processes (with RACIs, i.e., responsible/accountable/consulted/informed assignments) there is confusion about how things work and who should be involved, leading to conflict, misunderstandings and surprises.

Analysis: Having effective and well-defined processes reduces the chaos of unstructured processes and programs.
Also, when a company lacks fundamental processes, more advanced efforts are hamstrung and destined to fail. One key component of any good process is decision rights. There will always be situations where there are disagreements or conflict.

A senior privacy leader in the airline industry shared that "I've often experienced confusion between what security and privacy teams are responsible for (including when dealing with security colleagues). One recent example includes managing and providing direction, standards or policy on IT controls. I've frequently seen common controls that are simply missed within the scope of security policies and programs (logging standards, access controls, asset management, audit-ready documentation). If basic good IT practices that support privacy and security are not being managed, it makes privacy and security by design impossible. It also makes it interesting to explain to an auditor why data management activities are not demonstrable when foundational asset management and asset controls cannot be confirmed."

She also shared concerns about resourcing and breadth of ownership/coverage: "Another huge challenge is that most organizations are still relying upon a single privacy role to 'manage' an enterprise privacy program. This is not scalable when you have that privacy person supporting a large organization with multiple stakeholder teams (IT, ecommerce team, security, risk, marketing, HR, etc.). This program of one usually lacks sufficient budget to be operationally effective."

Steve Snyder shared that there can be a "lack of attention to the problem due to lack of resources coupled with clear understanding of the problem. Typically, at small and medium-sized businesses, IT is heavily utilized, probably understaffed on just supporting operations. They implement the solutions and practices but have no time to document or communicate them with anyone.
The rest of the company is in the dark on the info sec side because it is not an operational issue that is in front of them all the time. I've seen this problem solved primarily by having a rigorous review, again, most often by a third party. By forcing an assessment, it forces the business to stop and take stock of what's going on and gets people to focus on the issue instead of just looking at what directly drives the bottom line."

Recommendation: Companies must invest in their processes, clarity of ownership (RACIs) and adequate staffing to cover the breadth of responsibility. Cutting corners on any of these three will ultimately result in friction, slowness and, worse, increased risk to the company.

Problem 5: Ego

Leaders with too much/unchecked ego tend to make decisions focused on short-term initiatives/gains or self-promotion rather than long-term planning or sustainably reducing risk.

Analysis: Security, privacy and law are all domains that require a significant motivational fit to be successful. Ego can spur motives that do not serve a company well in the long run. Much of my discussion with my contributors circled back to conflicts of personality, largely tied to ego. Ego problems can exist in any function and play out in a number of ways that block progress.

A senior privacy leader in the airline industry shared that leaders with too much ego and the wrong motivations/incentives tend to lack the ability to create and drive enterprise strategy and sustainable operations. Their decision-making process tends to focus on short-term initiatives/gains rather than long-term planning and benefit.

Ego problems are difficult to "cure," especially when leaders are more senior in the company or have a low EQ (emotional quotient) coupled with a high IQ (intellectual quotient).
Big egos tend to lose trust, while personal trust and transparency are critical to a healthy partnership between functions.

Recommendation: Know the players involved and understand their motives. My Six Sigma training and certification included a process called political mapping. It involves diagramming an organization's key leaders, their levels of influence or conflict, and the dynamics amongst the teams. It enables you to create an informed stakeholder management and communications plan to maximize your chances of successfully moving an initiative forward. I've carried this tool (and many others) into my regular toolkit. You may not be able to change leaders, but you can attempt to manage them.

Time is money

No company has time for friction in cybersecurity and privacy. The stakes are too high and customer trust is on the line. The intentions and motivations across cybersecurity, privacy and legal stakeholders are likely coming from a good place. However, communications, understanding, tactics, process and ego can cause significant friction for everyone involved. When this happens, no one wins – especially the company and its customers.

Companies that take a little time upfront to invest in minimizing friction will see their speed increase significantly. If you have experienced challenges and need some "graphite" in your pocket to go faster toward your goal, remember these five things:

1. Focus on building partnerships.

2. Enhance understanding of technology, its use and the controls that prevent misuse.

3. Find the right balance between operational goals and compliance/documentation needs.

4. Drive towards defined, efficient and continuously improving processes.

5. Check egos: manage your stakeholders.

Lastly, finding resources that have experience across security, privacy and legal can help you accelerate your efforts to reduce friction. Just like one dad asking another for graphite to reduce friction just before the race, it is never too late!