"As creepy as Facebook is turning out to be, the entire industry is far creepier. It has existed in secret far too long, and it's up to lawmakers to force these companies into the public spotlight, where we can all decide if this is how we want society to operate and -- if not -- what to do about it ... [The smartphone] is probably the most intimate surveillance device ever invented. It tracks our location continuously, so it knows where we live, where we work, and where we spend our time. It's the first and last thing we check in a day, so it knows when we wake up and when we go to sleep. We all have one, so it knows who we sleep with."
- Doing separate training for privacy, security, records management and code of ethics.
- Equating "campaign" with "program."
- Equating "awareness" with "training."
- Using one or two communications channels.
- No measurement.
We've been addressing all those points ever since NoticeBored was launched way back in 2003. It's galling, though, to note that those 'top 5 mistakes' are still evident today in the way that most organizations tackle awareness.
We're doing our best to take current practice up a level through this blog, our awareness materials and services, and occasional articles. Perhaps we need a change of approach ... and we're working on that.
Jay's list of mistakes could be extended. In particular, most awareness programs focus on general employees or "end users". While Jay mentions offering role-based training for particular specialists, I feel that still leaves a gaping hole in awareness coverage, namely management. You could say they are specialists in managing, although there's no hint of that in Jay's piece.
Looking again at the list, all those mistakes could be classed as management or governance issues: they are problems in the way the awareness and training programs and activities are structured and driven. To me at least, that is the root cause, and it needs addressing directly. If management doesn't first notice that mistakes are being made, and then join the dots to figure out that the way security awareness as a whole is handled is probably causing the mistakes, then we're unlikely to see much improvement.
So, raising management's awareness of information security, risk, compliance, privacy, accountability, governance, assurance and so forth makes a lot of sense ... which is exactly what we aim to do through the management stream in NoticeBored. If management truly 'gets it', the awareness task becomes much more straightforward, giving the awareness and training program as a whole a much greater probability of success, leading to a widespread culture of security.
That leaves us with a chicken-and-egg conundrum though. If management doesn't quite 'get it', in other words if this security awareness stuff doesn't presently register with them as an issue worth investing in (or, more often, is treated as something trivial best left to IT or HR, with no real support and bugger all resources), then how can we tackle management's lack of awareness and break the deadlock?
I'll leave you now to contemplate that question, as I will be doing over the weekend. Maybe the vague thoughts I have in mind will crystallize into something more concrete for the blog next week. Meanwhile, by all means chip-in through the blog comments, or email me directly. I'd love to know what you think, especially any innovative and effective solutions you can offer. Is this an issue you face? How are you tackling it, or planning to do so?
- Business reasons, e.g. hacking, fraud, privacy breaches and other inappropriate disclosures;
- Compliance reasons, e.g. PCI-DSS and [soon] GDPR;
- Ethical/social reasons, e.g. offensive/inappropriate behavior or bribery & corruption by workers, failure to uphold corporate social responsibilities;
- Bringing those responsible for various issues to account.
- It's not the done thing;
- We can't be bothered - we don't give a hoot - we simply don't care;
- It hasn't occurred to us;
- It is too risky to open Pandora's box;
- It positively invites trouble;
- It is too expensive;
- It is not a priority - there are More Important Things we'd rather do;
- We didn't invent it;
- We are not formally required to do anything of the sort, therefore we won't even consider it - it's not on the table.
- We are scared of being found out and held to account;
- We know we have big issues already - telling us won't help;
- So long as we have our eyes closed and fingers in our ears, we can pretend everything is alright.
I have a pet peeve. Ok, I have several, but nonetheless, we're going to talk about one of them today. That pet peeve is security professionals wasting time and energy pushing a "security culture" agenda. Talk of "security culture" has grown over the past few years. It comes largely from security awareness circles, though not exclusively (looking at you, anti-phishing vendors intent on selling products without the means and methodology to make them truly useful!).
I see three main problems with the "security culture" framing, not least that it perpetuates the bad old practices of days gone by.
1) It's Not Analogous to Safety Culture
First and foremost, you're probably sitting there grinding your teeth saying "But safety culture initiatives work really well!" Yes, they do, but here's why: a safety culture can, and often does, achieve a zero-incident outcome. That is to say, you can reduce safety incidents to ZERO, which is reassuring when you're walking past a construction site or checking into a hospital. However, I have very bad news for you. Information (or cyber or computer) security will never reach zero incidents. Until the entirety of computing is revolutionized, removing humans from the equation, you will never prevent all incidents. Just imagine your "security culture" sign by the entrance to your local office environment, forever emblazoned with "It Has Been 0 Days Since Our Last Incident." That's not healthy or encouraging. That sort of thing would be outright demoralizing!
Since you can't be 100% successful through preventative security practices, you must then shift your mindset to a couple of things: better decisions and resilience. Your focus, which most "security culture" programs are trying to address (or should be), is helping people make better decisions. Well, I should say, some of you - the few, the proud, the quietly isolated - have this focus. But at the end of the day/week/month/year you'll find that people - including well-trained and highly technical people - will still make mistakes or bad decisions, which means you can't bank on "solving" infosec through better decisions.
As a result, we must still architect for resilience. We must assume something will break down at some point, resulting in an incident. When that incident occurs, we must be able to absorb the fault and continue to operate under degraded conditions while recovering to "normal" as quickly, efficiently, and effectively as possible. Note, however, that this focus on resilience doesn't align well with the "security culture" message. It's akin to telling people "Safety is really important, but since we have no faith in your ability to be safe, here's a first aid kit." (Yes, that's a bit harsh, to prove a point, which hopefully you're getting.)
2) Once Again, It Creates an "Other"
One of the biggest problems with a typical "security culture" focus is that it once again creates the wrong kind of enablement culture. It says "we're from infosec and we know best - certainly better than you." Why should people work to make better decisions when they can just abdicate that responsibility to infosec? Moreover, since we're trying to optimize for resilience, people can go ahead and make mistakes, no big deal, right?
Part of this is ok, part of it is not. On the one hand, from a DevOps perspective, we want people to experiment, be creative, be innovative. In this sense, resilience and failure are a good thing. However, note that in DevOps the responsibility for "fail fast, recover fast, learn fast" rests with the person doing the experimenting. The DevOps movement is diametrically opposed to fostering enablement cultures where people (like developers) don't feel the pain from their bad decisions. It's imperative that people have ownership of and responsibility for the things they're doing. Most "security culture" dogma I've seen and heard works against this objective.
We want enablement, but we don't want enablement culture. We want "freedom AND responsibility," "accountability AND transparency," etc, etc, etc. Pushing "security culture" keeps these initiatives separate from other organizational development initiatives, and more importantly it tends to have at best a temporary impact, rather than triggering lasting behavioral change.
3) Your Goal Is Improving the Organization
The last point here is that your goal should be to improve the organization and the overall organizational culture. It should not be focused on point-in-time blips that come and go. Additionally, your efforts must be aimed toward lasting impact and not be anchored around a cult of personality.
As a starting point, you should be working with org dev personnel within your organization, applying behavior design principles. You should be identifying what the target behavior is, then working backward in a piecemeal fashion to determine whether that behavior can be evoked and institutionalized through one step or multiple steps. It may even take years to accomplish the desired changes.
Another key reason for working with your org dev folks is because you need to ensure that anything "culture" that you're pursuing is fully aligned with other org culture initiatives. People can only assimilate so many changes at once, so it's often better to align your work with efforts that are already underway in order to build reinforcing patterns. The worst thing you can do is design for a behavior that is in conflict with other behavior and culture designs underway.
All of this is to underline the key point that "security culture" is the wrong focus, and can in some cases even detract from other org culture initiatives. You want to improve decision-making, but you have to do this one behavior at a time, and glossing over it with the "security culture" label is unhelpful.
Lastly, you need to think about your desired behavior and culture improvements in the broader context of organizational culture. Do yourself a favor and go read Laloux's Reinventing Organizations for an excellent treatise on a desirable future state (one that aligns extremely well with DevOps). As you read Laloux, think about how you can design for security behaviors in a self-managed world. That's the lens through which you should view things, and this is where you'll realize a "security culture" focus is at best distracting.
So... where should you go from here? The answer is three-fold:
1) Identify and design for desirable behaviors
2) Work to make those behaviors easy and sustainable
3) Work to shape organizational culture as a whole
Definitionally, here are a couple of starters for you...
First, per B.J. Fogg's behavior model, behavior happens when three things come together: Motivation, Ability (how hard or easy it is to do the action), and a Trigger (a prompt or cue). When Motivation is high and the action is easy, it doesn't take much prompting to trigger it. However, if the action is difficult or the motivation simply isn't there, you must then look for ways to address those factors in order to achieve the desired behavioral outcome once triggered. This is the basis of behavior design.
Second, when you think about culture, think of it as the aggregate of behaviors collectively performed by the organization, along with the values the organization holds. It may be helpful, as Laloux suggests, to think of the organization as its own person that has intrinsic motivations, values, and behaviors. Eliciting behavior change from the organization is, then, tantamount to changing the organizational culture.
If you put this all together, I think you'll agree with me that talking about "security culture" works against the desired outcomes. Thinking about behavior design in the context of an organizational culture shift will provide a better path to improvement, while also making it easier to explain the objectives to non-security people and to get buy-in for lasting change.
Bonus reference: You might find this article interesting as it pertains to evoking behavior change in others.