The myth of the CEO’s surveillance dashboard

I’ve delivered various employee education sessions covering workplace surveillance over the years, and recently updated the material taking into account the vast amount of change we’ve seen in the past year or so, technological, societal and bringing in some interesting cases. I also wanted to bring in the reality I believe exists in quite a few companies, but I also know this can vary depending upon location, local cultural norms, industry sector, etc.

We sometimes visualise workplace surveillance as a pyramid where the CEO sits at the top with a clear view of the bottom. But the reality is that surveillance is rarely a simple top-down model. Instead, companies build complex hierarchies of surveillance where the "watchers" are also the "watched."

When C-suite executives require workplace analytics, they are often driven by Dataism. They believe the dashboard reveals the truth about efficiency and by accepting this logic, they inadvertently validate the metric as the ultimate judge of value. If the truth of the company is found only in the data, then the executive’s own value must also be measured by that data, and I think that they are not the “masters” of the algorithm because they are also its subjects (or victims).

Once the norm of Dataism is established, it inevitably travels upward:

• Managers and supervisors are monitored to ensure they enforce protocols. Their ability to manage efficiently becomes an important KPI.

• Companies use metadata to assess management performance, so if a department is flagged for say, low engagement by a piece of software, the VP of that department is the one being judged.

Does the CEO have the “ultimate dashboard"?
In my career spanning 5 decades, I’ve been in quite a few CEO offices and I’m yet to visit one that resembles a control room, or has various banks of cameras. The CEO is usually too detached and busy to monitor raw surveillance feeds. So, where does the "ultimate dashboard" actually sit?

I think in many cases, the person with the most granular view of a company, including the movements and messages of the C-Suite, is a mid-level Systems Administrator or a Security Operations Center (SOC) analyst. This inverts the hierarchy because a junior employee technically has surveillance power over the executive team. Obviously legal controls should prevent unauthorised disclosure of this powerful information but a dangerous information asymmetry does exist. The CEO doesn't see the data. They see a sanitised report filtered by the very people the data is supposed to measure.

Another interesting question is do CEOs make the ultimate decision to procure and implement the surveillance tools? Often, the answer is no. Most large companies use various platforms to help run their businesses, but they are also governed by their mechanisms because the surveillance infrastructure is not always a strategic decision made in the boardroom. It inadvertently begins in procurement and gets implemented in the server room.

For example, the CTO procures Microsoft 365 or Zoom for communication where "Productivity Scores” or "Attention Tracking" features are embedded in the platform's architecture. The decision to surveil wasn't made by the CEO, it was made by the platform vendor and enabled by a sysadmin. And of course CISOs buy tools for security.

So the CEO rarely signs a document that says, "Let's spy on everyone." They sign a budget for "Digital Transformation," and the surveillance apparatus is built one piece at a time.

On a final note, years ago I worked with a company where it was a revealed that the company’s CEO had made a request to the CISO in surveil another member of the c-suite - all behind the scenes, and undocumented, and yes, in an unlawful manner. This created an awkward dilemma for CISO, what some might call a "governance crisis." These days whistleblower laws exist in many countries, but are these sufficient to address such dilemmas?

To conclude, if you are a CEO, you don't physically pull the levels of the dashboard, your IT admin does and remember you are often subject to the default settings of the platforms you procure or the vendors you hire.

Purpose and Means is a niche data protection and GRC consultancy based in Copenhagen but operating globally. We work with global corporations providing services with flexibility and a slightly different approach to the larger consultancies. We have the agility to adjust and change as your plans change. Take a look at some of our client cases to get sense of what we do.

We are experienced in working with data protection leaders and their teams in addressing troubled projects, programmes and functions. Feel free to book a call if you wish to hear more about how we can help you improve your work.