Cultural shift favoring cooperation, not competition, improves cybersecurity
‘Lean security’ stresses open communication, employee responsibility
By Byron Acohido, ThirdCertainty
Imagine if no one in your organization felt compelled to compete for an operating budget, and each and every employee fully understood and embraced cybersecurity best practices.
Sound like a far-fetched fantasy? A security consultancy called New Context Services actually is promoting this radically new type of corporate culture, which it calls “lean security.”
An e-book outlining New Context’s “Lean Security Principal of Awareness” is being prepared for release at the giant RSA cybersecurity conference in February in San Francisco.
Ben Tomhave, security architect for New Context Services, recently gave a preview at the DevOps Connect conference in Seattle. I sat down with him just before he presented. Here’s a synopsis of our conversation. Text edited for clarity and length.
ThirdCertainty: Cyber exposures continue to expand, with no end in sight.
Ben Tomhave: Every time we introduce a new platform, we seem to start at square zero, and assume security eventually will come into play. Companies are creating IoT products and not thinking about doing security by default, for instance. It’s not because there is a lack of security technologies, or a lack of standards, or a lack of guidance. Fundamentally it’s a cultural problem. And this is where lean security comes into play.
3C: A cultural problem? In what sense?
Tomhave: Organizational culture essentially is based on a perverse incentive model. Only certain people are expected to be able to make good cybersecurity decisions, only certain pockets of an organization are even asked to be responsible for security … but the funny thing is, it’s not necessarily those people I’m super concerned about.
3C: Right, IT security touches everything—marketing, sales, manufacturing, the supply chain, etc.
Tomhave: And we expect people to execute, to get things done. So if a spear phishing message purporting to be from the president targets somebody in accounting, authorizing them to transfer $15,000, it’s going to get done, rather than someone picking up the phone or walking down the hall to say, ‘Hey, did you actually authorize this?’ That’s a cultural problem.
3C: We assume somebody else is taking care of security?
Tomhave: And even as we continue rolling out new (security) technology, it’s only going to perpetuate the cycle. We end up creating a larger gulf between the people who are doing risky things, who are not held responsible for their actions. And security tools are supporting this behavior. It’s an enabling culture. Basically, people are handing off the responsibility and letting somebody else make the decisions for them when it comes to security, even though they’re the ones who are taking the actions.
3C: So what is ‘lean security’ about?
Tomhave: Lean security breaks down into five principles. Awareness, execution, measurement, simplification and automation. We’re not talking about awareness in the traditional sense. We’re looking at creating a communication culture that allows people to say, ‘Oh this is suspicious,’ and not being afraid to ask questions. Also providing shared platforms for information, so people know where to go to get questions answered.
The real linchpin to all of this is a shift in the underlying cultural drivers—from internal competition to more of a cooperative model. Especially in the United States, we’re constantly fighting over budgets or pointing fingers over responsibility. We’ve got to flip it, at least internally, to say, ‘Sure, we can go compete in the marketplace, but internally we need to go to more of a cooperative model.’
3C: It’s common for organizations to have a blame culture.
Tomhave: The key is to shift to what’s called a generative culture. There is a lot of research that basically says, ‘In a generative culture, everything is cooperative.’ So it’s not a situation of, ‘something goes wrong. Well it’s your fault. I don’t have to deal with it.’ But, rather, everybody gets on the same page and moves forward.
3C: It’s never easy to change ingrained behaviors, as an individual or organizationally.
Tomhave: Absolutely. And that’s where we’re at. We’ve developed a general model, and we’re now at the point of starting to test this out with some of our clients. We hope in 2017 to start developing some case studies. Our belief is that when you start operating more cooperatively, operational costs end up dropping, especially when you get to the later phases of simplification and automation, and security becomes an emergent property.
3C: So you’re really talking about pushing responsibility for operating securely in our digital age out to every one of us.
Tomhave: Absolutely. It is a fundamental shift in how our organizations would operate. You have to switch from internal competition to cooperation. You truly, at all levels of organization, have to recognize that there’s a shared responsibility.