Red Teaming: Feel the Power


RTJ PowerI‘ve been teaching a knowledge management course since the start of the year. One of my preferred textbooks, Donald Hislop’s Knowledge Management in Organizations, is somewhat unique in the field for noting how much issues of power influence the practice of knowledge management. Knowledge is power, and not everyone holds equal knowledge and power. This affects the day-to-day practice of knowledge management. For example, someone holding knowledge might view sharing that knowledge as a loss of power, or staff might view management’s request for process knowledge as a prelude to pink slips. As obvious as this might seem, many textbook authors discuss the topic of knowledge management without ever mentioning unequal power relationships.
      We often discuss the practice of red teaming independent of the real-world power settings in which we implement it. Partly this is due to OPSEC, but I believe it’s also partly due to the fact that we usually do our best to avoid issues of power so we can focus on the stated problem. When we’re hired to red team a problem, it’s often above our pay grade to unravel the power relationships that inform our customers’ perspectives and interests. Can you imagine telling a customer “We understand you want us to red team your system here, but we believe that unequal power relationships in your organization are leading you to mischaracterize the issues.”? Maybe we should do this more, but we should also remember that a meeting (or two) with a potential customer is typically insufficient for us to draw such conclusions and level such assertions. If we’re hired to red team system X, it’s probably not immediately clear that the customer wants to enhance system X’s reputation with a favorable red team review relative to competing manager’s system Y.
      Perhaps because of this we tend to view red teams as neutral, unbiased, and inherently independent. Seldom is this so. First, no red team is free of its own biases. Second, no red team is ever hired or implemented by a customer who is free of his or her own biases. These biases intermingle to taint the effort. Sometimes the effect is minimal, and sometimes it’s significant; rarely is it acknowledged. Third, red teaming is usually avoided entirely when the “powers that be” don’t want an idea, plan, or system challenged, particularly when it took a tremendous amount of effort to build the coalition that supports the idea. This is the basis of RTJ Red Teaming Law #1 (“Jaunty Man”): “The more powerful the stakeholders, the more at stake, the less interest in red teaming.”

RTL Card 01 450

      Alternatively, a savvy but devious decision maker might launch a captive red team and preordain its conclusions. Of course true red teamers wouldn’t knowingly participate in such an effort, but not everyone who calls themselves a red teamer is true.
      The issues are both similar and different for internal red teams and devil’s advocates. An internal red team is likely to understand their own organization’s power relationships much better than an external team. That said, it is usually much easier for an external red team to walk away from a loaded project than it is for an internal one to just say “no.” Much hinges on the culture of the organization in which the internal red team or devil’s advocate operates. Inflexible organizations in which ideas do not flow freely can and do establish red teams, but those red teams are usually captive. If not, or if they go rogue, they are not likely to last long.
      Devil’s advocates and members of internal red teams will learn quickly whether their ideas and suggestions are heeded or dismissed out-of-hand. These aren’t the only two options, however–a third exists: a red team can be co-opted. This is the perhaps the most subtle response to a devil’s advocate or red team. Individuals are susceptible to persuasion, whether devious or otherwise, and red teamers are no exception.
      Picture a situation in which the CEO takes a troublesome devil’s advocate to lunch, tells her that her ideas are being heard and acknowledged, praises her for being such a strong team player, and promotes her to a position of greater authority. All the while, the initiative she is questioning moves forward as if her ideas were never raised. What does she do at this point? Play along, figuring that she can do more good in her new position than she could if she were to fall on her sword and quit? This is the real-world power environment in which red teams and devil’s advocates live. Note that external red teams are not immune to such persuasion either, even if the carrots and sticks are different.
      Lastly, red teams and red teamers are themselves subject to power relationships. As I mentioned above, red teams have biases. They can even suffer from internal power struggles. Who hasn’t known at least one red team leader who launches a project via assertive diktat. And who hasn’t encountered the red teamer with a private agenda to show that Z is always vulnerable, even if Z is tangential to the main project?
      Reading through what I’ve written so far, I realize that I’ve perhaps characterized power relationships as something wholly destructive and devious. I actually don’t believe this. They can be, of course, but in most situations, most people are doing what they believe is best. Interests and preferences collide. That’s just life.
      So what’s a red teamer to do? Retreat to an ivory tower and refuse to red team unless the customer is fully vetted as pure and free from any hidden agenda or preference? Of course not. Here’s what I believe is a healthy and practical alternative: be aware, confident, and independent. And how exactly do we do this?
      First, we watch for signs of political interference. We map the stakeholders and their concerns, and we talk about the map. We look for potential conflicts of interest. We ask what we might be missing. In other words, we red team our project and its political environment. Second, we follow our intuition. If something feels off about the situation, it probably is. If we feel like we’re being played, we probably are. Third, we guard our independence jealously. In practice, this might mean pointing out how the team’s independence is threatened and working within the existing power structure to fix the problem. In extreme circumstances, it might mean walking away from a project or even a job. I can’t think of any possible situation in which red teaming is improved through the loss of independence.
      I most certainly do not advocate that red teamers everywhere rise up and speak truth to power willy nilly. I do advocate that red teamers become more aware of the power relationships around them and consider how these relationships might undermine their efforts. Working within these relationships to adjust imbalances and preserve the red team’s independence is always the best option. Among other things, this argues for an experienced and politically astute red team leader, someone who thinks before acting, respects the fact that few red teams exist free from conflicting preferences, and considers the possibility that he or she might be wrong.
      To close, I want to frame an ivory tower argument, naïve though it might be. While I wrote Red Teaming Law #1 myself, I don’t believe that we should accept it as an unassailable fact. I also wrote Red Teaming Law #40 (“Der Zauberlehrling”): “Take heed; we can build systems of systems of systems, but that doesn’t mean we can always secure them.”1 (Not only have we created systems of systems we can’t always secure, we have built systems of systems we can’t always manage.)

RTL Card 40 450b

The combination of these two laws in the modern world is potentially catastrophic. No proposal, agenda, or of national or international consequence should be implemented without first undergoing an independent red team review. Yes, I know I’m being naïve, but I also know that we live in a world of too many apprentices who believe themselves to be sorcerers.

Related post: “Five Reasons You Should Red Team Your Red Team.”

  1. Actually, I wrote all the laws, unless otherwise noted. []


Terms of Use

Please read.