Cultural shift favoring cooperation, not competition, improves cybersecurity

‘Lean security’ stresses open communication, employee responsibility


Imagine if no one in your organization felt compelled to compete for an operating budget, and each and every employee fully understood and embraced cybersecurity best practices?

Sound like a far-fetched fantasy? A security consultancy called New Context Services actually is promoting this radically new type of corporate culture, which it calls “lean security.”

Related podcast: Nigerian scammers target small businesses

An e-book outlining New Context’s “Lean Security Principle of Awareness” is being prepared for release at the giant RSA cybersecurity conference in February in San Francisco.

Ben Tomhave, security architect for New Context Services, recently gave a preview at the DevOps Connect conference in Seattle. I sat down with him just before he presented. Here’s a synopsis of our conversation. Text edited for clarity and length.

ThirdCertainty: Cyber exposures continue to expand, with no end in sight.

Ben Tomhave: Every time we introduce a new platform, we seem to start at square zero, and assume security eventually will come into play. Companies are creating IoT products and not thinking about doing security by default, for instance. It’s not because there is a lack of security technologies, or a lack of standards, or a lack of guidance. Fundamentally it’s a cultural problem. And this is where lean security comes into play.

3C: A cultural problem? In what sense?

Ben Tomhave, New Context Services security architect

Tomhave: Organizational culture essentially is based on a perverse incentive model. Only certain people are expected to be able to make good cybersecurity decisions, only certain pockets of an organization are even asked to be responsible for security … but the funny thing is, it’s not necessarily those people I’m super concerned about.

3C: Right, IT security touches everything—marketing, sales, manufacturing, the supply chain, etc.

Tomhave: And we expect people to execute, to get things done. So if a spear phishing message purporting to be from the president targets somebody in accounting, authorizing them to transfer $15,000, it’s going to get done, rather than someone picking up the phone or walking down the hall to say, ‘Hey, did you actually authorize this?’ That’s a cultural problem.

3C: We assume somebody else is taking care of security?

Tomhave: And even as we continue rolling out new (security) technology, it’s only going to perpetuate the cycle. We end up creating a larger gulf between the people who are doing risky things, who are not held responsible for their actions. And security tools are supporting this behavior. It’s an enabling culture. Basically, people are handing off the responsibility and letting somebody else make the decisions for them when it comes to security, even though they’re the ones who are taking the actions.

3C: So what is ‘lean security’ about?

Tomhave: Lean security breaks down into five principles: awareness, execution, measurement, simplification and automation. We’re not talking about awareness in the traditional sense. We’re looking at creating a communication culture that allows people to say, ‘Oh, this is suspicious,’ and not being afraid to ask questions. Also providing shared platforms for information, so people know where to go to get questions answered.

The real linchpin to all of this is a shift in the underlying cultural drivers—from internal competition to more of a cooperative model. Especially in the United States, we’re constantly fighting over budgets or pointing fingers over responsibility. We’ve got to flip it, at least internally, to say, ‘Sure, we can go compete in the marketplace, but internally we need to go to more of a cooperative model.’

3C: It’s common for organizations to have a blame culture.

Tomhave: The key is to shift to what’s called a generative culture. There is a lot of research that basically says, ‘In a generative culture, everything is cooperative.’ So it’s not a situation of, ‘Something goes wrong. Well, it’s your fault. I don’t have to deal with it.’ But, rather, everybody gets on the same page and moves forward.

3C: It’s never easy to change ingrained behaviors, as an individual or organizationally.

Tomhave: Absolutely. And that’s where we’re at. We’ve developed a general model, and we’re now at the point of starting to test this out with some of our clients. We hope in 2017 to start developing some case studies. Our belief is that when you start operating more cooperatively, operational costs end up dropping, especially when you get to the later phases of simplification and automation, and security becomes an emergent property.

3C: So you’re really talking about pushing responsibility for operating securely in our digital age out to every one of us.

Tomhave: Absolutely. It is a fundamental shift in how our organizations would operate. You have to switch from internal competition to cooperation. You truly, at all levels of the organization, have to recognize that there’s a shared responsibility.

More stories about cybersecurity cultural shifts:
An ethical business culture should be first line of defense against cyber risk
New York financial regulations could signal cybersecurity sea change nationwide