Over the past eight years I’ve been focused on how to create a more reliable, defendable and sustainable security organization. What has developed is a view of Security where I’ve had to go reanalyze the intent of the organization before driving into an implementation. The reason for this is I believe we have a significant problem in our industry and we are not maturing out of it. The problem is that we are not able to implement even the most basic of controls due to individuals in the company resisting them. In almost all of my visits to customers this is the core problem, people.
Logic Process via the “We Believe”
- We believe that our inability to implement security solutions are the result of people not allowing it.
- We believe that the reason people are resistant to the solutions is that they have no appreciation, understanding or “culture of security”.
- We believe that to change a culture we need to approach the individuals with a message that includes them as the protagonist, engaging in delivery, supported by evidence, attaches to their overall goals (Organizations and the Psychological Contract).
- We believe that the message must be customized to the organization’s purpose and delivered from a position of empathy and the collective “us”. Delivery of a message without defining the “us” as the organization with fail to truly create the culture for sustainable or advanced security long term.
- We believe that the consistent message, coupled with the behaviours, create a defining culture to change behaviours of detractors within that culture (Lucifer Effect).
To solve this problem we need to ask, how do we create a “culture of security”? There are sub questions (problems) that need to be asked as well.
- What is the problem with the people in the Security organization that they can’t see or fix this problem?
- Why have our legacy efforts of user awareness, if any, not worked?
- How do we change a culture or change people’s behaviour?
This brings us to two problems. The first is that our security organizations don’t have the focus or the skills to deal with the people problem. The second is that we have no idea how to communicate in a manner to influence or change behaviour. With this we will break the problem into these two categories Messenger and Message. They are intertwined but it’s important to focus on the two.
The most significant problem most Security organizations have is the practitioner’s behaviour and self image. This is, in my opinion, the root cause of the problems we have. Most security practitioners have a view of the rest of the employees as needing to be controlled not educated or developed.
- It’s “us”, InfoSec vs. “they”, rest of employee’s type of mentality.
- Inherent fear, in industry to communicate openly about the problems that exist in the environment.
- Strong emphasis on technical skills vs. Process or people
- Lack of general understanding of personality and behaviour types
- Inability to self critique and lack of company focus to do so
At its core, there is no ability for a Security practitioner to communicate effectively because they simply don’t see themselves and the rest of the company as equals. How can we truly win the “hearts and minds” of others if we have the view of them as less than us in our heads? (Efferson, C., R. Lalive, and E. Feh. 2008. The coevolution of cultural groups and ingroup favouritism. Science 321:1844-1849) In addition, they don’t see it themselves as culpable in the discussion problem. This comes out in various ways but most of all in a lack of open discussion on the problems, empathy and focus on influence.
To address these issues, there’s a long list, we should focus on a couple of key ones.
- Practice “brutal honesty” within the security group on not what needs to be done but “why”. Most importantly, always justify every action based on the impact and demonstrated data (Risk Management). This is important and needs to be done safely and openly for the whole team to see.
- Focus on team behaviours not just skills. In “Organizations and the Psychological Contract” we see the key need to identify and focus on the behaviours of people. Require honesty, integrity, ego less interactions, etc. Most importantly, call out those who don’t do it. Staff need to be analyzed by behaviours that fit the roles.
- Pursue an exploration in what truly motivates each practitioner to do security. In the face of adversity and it will always be there, will the practitioner continue to strive forward or buckle under the pressure? Motivation is the only differentiator there.
- Communication skills. Require each team member to give one or two presentations to the team each year. For more skilled individuals, require them to give them to other teams.
- Empathy, each decision should be made with a requirement of explaining what the impact is to the rest of the organization. Require explanations on how coming to the solution considered and tried to lessen the negative impact to others.
- Promote a BU rotation schedule. By embedding team members into the various organizations two things happen. The first is that the practitioner comes back with a true understanding of the impact of decisions. The second is that they develop true relationships with people in that group.
- Require the admittance of fault. Everyone else sees it, why shouldn’t we acknowledge it? Making a bad decision is part of life. Not admitting it or changing how you move forward is the tragedy.
- Be open with all metrics and data even if it’s not positive. The fact that we’ve kept data showing how infected with malware we are has only hurt us. We might not want to disclose everything but how can we expect everyone else to see the world through our window if we don’t open the shutters for them? Providing that view will very quickly bring them into our understanding.
The message itself needs to be crafted in line with the overall organization and reflect the values and goals of it. What I’ve tried to do is to explain how security success benefits the customer and sales by ensuring we are keeping them first. A Security failure impacts our customers and even their customers in varying ways. The impact of a security failure in a hospital can be dramatic and one that everyone would understand. In addition, the message needs vehicles to be communicated and can change depending on the audience. Recognition of that is very important.
- Focuses on the protection of Intellectual Property, expense mitigation, customer value and sales.
- Detailed issues based in a business context. These are the risk categories and focuses the conversation into a language they understand
- The conversation needs to be one where the person making the decisions (BU leader) owns the risk associated with it (accountable) and the people promoting the security position understands the overall objective of the company (Risk Mitigation not Elimination)
- Always data driven with a strong repeatable methodology (Risk Management and Metrics)
- Strategy Document
- Mission Statement
- Policy and Standards
- Town Halls
- BU Staff Meetings
- Annual Surveys
- Monthly Newsletters
Everything we do must serve the overall People problem. The Risk Management approach, that was posted earlier, is structured for this. The whole purpose of the strategy is to communicate, in understandable terms, the direction of security. Policies and standards must explain both the why and the what. Most importantly, day to day engagement, town halls, surveys, staff calls, company communications are all structured to not just explain what needs to happen but to do so within the structure of the behavioural changing factors.
The results of our implementation so far have been dramatic. We’ve seen a complete adoption to the message and intent. More people are proactively identifying security issues and resolving them than the security group itself. Most importantly, they are demanding the controls to be implemented as opposed to Security. Where it takes years to change a culture, the road is clear.
This one thought becomes the “outer shell” in which everything we do in the group goes through. Our technical solutions need to serve two masters. The first is solving the technical problem and the second is providing the data to solve the people.