People-Centric Security: Transforming Your Enterprise Security Culture

Copyright©2016byMcGraw-HillEducation.Allrightsreserved.ExceptaspermittedundertheUnitedStatesCopyrightActof1976,nopartofthispublicationmaybereproducedordistributedinanyformorbyanymeans,orstoredinadatabaseorretrievalsystem,withoutthepriorwrittenpermissionofthepublisher.

ISBN:978-0-07-184679-0MHID:0-07-184679-4

ThematerialinthiseBookalsoappearsintheprintversionofthistitle:ISBN:978-0-07-184677-6,MHID:0-07-184677-8.

eBookconversionbycodeMantraVersion1.0

Alltrademarksaretrademarksoftheirrespectiveowners.Ratherthanputatrademarksymbolaftereveryoccurrenceofatrademarkedname,weusenamesinaneditorialfashiononly,andtothebenefitofthetrademarkowner,withnointentionofinfringementofthetrademark.Wheresuchdesignationsappearinthisbook,theyhavebeenprintedwithinitialcaps.

McGraw-HillEducationeBooksareavailableatspecialquantitydiscountstouseaspremiumsandsalespromotionsorforuseincorporatetrainingprograms.Tocontactarepresentative,pleasevisittheContactUspageatwww.mhprofessional.com.

InformationhasbeenobtainedbyMcGraw-HillEducationfromsourcesbelievedtobereliable.However,becauseofthepossibilityofhumanormechanicalerrorbyoursources,McGraw-HillEducation,orothers,McGraw-HillEducationdoesnotguaranteetheaccuracy,adequacy,orcompletenessofanyinformationandisnotresponsibleforanyerrorsoromissionsortheresultsobtainedfromtheuseofsuchinformation.

TERMSOFUSE

ThisisacopyrightedworkandMcGraw-HillEducationanditslicensorsreserveallrightsinandtothework.Useofthisworkissubjecttotheseterms.ExceptaspermittedundertheCopyrightActof1976andtherighttostoreandretrieveonecopyofthework,youmaynotdecompile,disassemble,reverseengineer,reproduce,modify,createderivativeworksbasedupon,transmit,distribute,disseminate,sell,publishorsublicensetheworkoranypartofitwithoutMcGraw-HillEducation’spriorconsent.Youmayusetheworkforyourownnoncommercialandpersonaluse;anyotheruseoftheworkisstrictlyprohibited.

http://www.mhprofessional.com

Yourrighttousetheworkmaybeterminatedifyoufailtocomplywiththeseterms.

THEWORKISPROVIDED“ASIS.”McGRAW-HILLEDUCATIONANDITSLICENSORSMAKENOGUARANTEESORWARRANTIESASTOTHEACCURACY,ADEQUACYORCOMPLETENESSOFORRESULTSTOBEOBTAINEDFROMUSINGTHEWORK,INCLUDINGANYINFORMATIONTHATCANBEACCESSEDTHROUGHTHEWORKVIAHYPERLINKOROTHERWISE,ANDEXPRESSLYDISCLAIMANYWARRANTY,EXPRESSORIMPLIED,INCLUDINGBUTNOTLIMITEDTOIMPLIEDWARRANTIESOFMERCHANTABILITYORFITNESSFORAPARTICULARPURPOSE.McGraw-HillEducationanditslicensorsdonotwarrantorguaranteethatthefunctionscontainedintheworkwillmeetyourrequirementsorthatitsoperationwillbeuninterruptedorerrorfree.NeitherMcGraw-HillEducationnoritslicensorsshallbeliabletoyouoranyoneelseforanyinaccuracy,errororomission,regardlessofcause,intheworkorforanydamagesresultingtherefrom.McGraw-HillEducationhasnoresponsibilityforthecontentofanyinformationaccessedthroughthework.UndernocircumstancesshallMcGraw-HillEducationand/oritslicensorsbeliableforanyindirect,incidental,special,punitive,consequentialorsimilardamagesthatresultfromtheuseoforinabilitytousethework,evenifanyofthemhasbeenadvisedofthepossibilityofsuchdamages.Thislimitationofliabilityshallapplytoanyclaimorcausewhatsoeverwhethersuchclaimorcausearisesincontract,tortorotherwise.

ToJayneandWyatt,becauseeverything.

AbouttheAuthorDr.LanceHaydenisamanagingdirectorintheTechnologyAdvisoryPracticeofBRG,aninternationalstrategyandresearchfirm.Dr.Hayden’ssecuritycareerspans25yearsacrossthepublic,private,andacademicsectors.HisinterestinhumansecuritybehaviorsandculturebeganwhileaHUMINToperationsofficerwiththeCentralIntelligenceAgency,andcontinuedinsecurityrolesatcompaniesincludingKPMG,FedEx,andCisco.Dr.Haydenprovidesexpertadviceandconsultingoninformationsecuritystrategy,measurement,andculturetocompaniesandgovernmentsaroundtheglobe.InadditiontoPeople-CentricSecurity,heistheauthorofITSecurityMetrics:APracticalFrameworkforMeasuringSecurityandProtectingData,alsofromMcGraw-HillEducation.LancereceivedhisPhDininformationsciencefromtheUniversityofTexas,wherehealsoteachescoursesonsecurity,privacy,andtheintelligencecommunity.HelivesinAustin.

AbouttheTechnicalEditorDavidPhillipshasbeenprotectingclients’ITsystemsforover20years,includingtechnicalmitigation,informationsecurityriskprograms,ITnetworksecurityarchitecture,andregulatorycompliance.Daviddevelopedagrowingprofessionalservicebusinessinsideamultinationalnetworkingcorporationfocusedoncybersecurity,protectingclients’intellectualpropertyandcustomerdata,andsecuringnetworkstoallowforresilientITinfrastructureinthefaceofcyberattacks.Hisclientshaveincludedmultibillion-dollarbusinessesintheretail,finance,manufacturing,energy,andhealthcareverticals.Davidhasworkedwithglobalenterprisestomeasureandmaturetheirsecuritycapabilitiesacrosspeople,process,andtechnology,spanninglevelsfromtechnologymanagementtosecurityawarenessandsecurityculturaltransformation.DavidlivesoutsideofAustin,Texas.

ContentsataGlance

PartIUnderstandingYourSecurityCultureChapter1InformationSecurity:AdventuresinCultureHacking

Chapter2StrategyforBreakfast:TheHiddenPowerofSecurityCulture

Chapter3OrganizationalCulture:APrimer

Chapter4CulturalThreatsandRisks

PartIIMeasuringYourSecurityCultureChapter5TheCompetingSecurityCulturesFramework

Chapter6TheSecurityCultureDiagnosticSurvey(SCDS)

Chapter7CreatingCultureMapswiththeSecurityCultureDiagnosticSurvey

Chapter8ImplementingaSuccessfulSecurityCultureDiagnosticProject

PartIIITransformingYourSecurityCultureChapter9FromDiagnosistoTransformation:ImplementingPeople-

CentricSecurity

Chapter10SecurityFORCE:ABehavioralModelforPeople-CentricSecurity

Chapter11TheSecurityValueofFailure

Chapter12TheSecurityValueofOperations

Chapter13TheSecurityValueofResilience

Chapter14TheSecurityValueofComplexity

Chapter15TheSecurityValueofExpertise

Chapter16BehaviorandCulture:MasteringPeople-CentricSecurity

Chapter17Leadership,Power,andInfluenceinPeople-CentricSecurity

Chapter18SecuringaPeople-CentricFuture

Index

Contents

ForewordAcknowledgmentsIntroduction

PartIUnderstandingYourSecurityCulture

Chapter1InformationSecurity:AdventuresinCultureHackingBurntBacon

SafeandNotSecureWhatWereYouThinking?

CultureHackingSoftwareoftheMindABriefHistoryofCultureHackingSecurityCulture:HackorBeHacked

Who’sHackingYourSecurityCulture?Security,HackThyself

CultureHacks:TheGoodCultureHacks:TheBadCultureHacks:TheUgly

SecurityIsPeople!FurtherReading

Chapter2StrategyforBreakfast:TheHiddenPowerofSecurityCultureWhySecurityFails

WeStartwithaDesignWarningSigns

DoingMorewithLessWhoMovedMyFence?LookOutBelow!GettingtheDrift

TheOppositeofMonocultureCulturalTraitsinInformationSecurityCompetingValuesandSecurityThreats

TheChangeAgentsofSecurityCultureTheC-SuiteSecurityAwarenessTeamsSecurityResearchersSecurityPractitioners

MakingSecurityCulturalFurtherReading

Chapter3OrganizationalCulture:APrimerTheFieldofOrganizationalCulture

OriginsOutcomes

TheCultureIcebergHiddenAspectsPeoplePowered

TheOrganizationalCultural/OrganizationalPerformanceLinkAssessingandMeasuringCulture

Qualitativevs.QuantitativeMeasurementofCultureQualitativeMeasuresandTechniquesCulturebytheNumbers

ChallengesofCulturalTransformationThere’sNoOneRightWaytoChangeCultureYouHavetoIncludeEverybodyYouHavetoBuildConsensus

YouHavetoEvaluatetheOutcomesYouHavetoHaveGoodLeadership

AnOceanofResearchFurtherReading

Chapter4CulturalThreatsandRisksCulturalThreatModeling

CovertProcessesandCulturalRiskGettingtoKnowPEPL

PoliticalThreatsEmotionalThreatsPsychologicalThreatsLogisticalThreats

CulturalCompetitionasaSourceofRiskSizingUptheCompetition

FurtherReading

PartIIMeasuringYourSecurityCulture

Chapter5TheCompetingSecurityCulturesFrameworkMeasuringSecurityCulture

QuantitativeDataandAnalysisQualitativeDataandAnalysisCombiningtheQualitativeandQuantitativeOtherWaysofDescribingCulture

TheCompetingSecurityCulturesFrameworkOriginsoftheCSCFinCompetingValuesResearchAdaptingtheCompetingValuesFrameworktoSecurityTheCSCFQuadrantsOverlappingandCompetingValuesLimitationsoftheFramework

WhyNotJustUsetheCompetingValuesFramework?

SecurityCultureBenefitsFromaTargetedApproachNotEverythingintheCompetingValuesFrameworkTranslatesWell

OrganizationalSecurityCulturesProcessCultureComplianceCultureAutonomyCultureTrustCulture

FurtherReading

Chapter6TheSecurityCultureDiagnosticSurvey(SCDS)SCDSFormatandStructure

HowSurveysWorkQuestionsintheSCDSSCDSScoringMethodology

ScoringtheSCDSResultsSecurityCultureDiagnosticStrategies:CaseStudies

ABLEManufacturing:MeasuringanExistingSecurityCultureCHARLIESystems,Inc.:ComparingSecurityCulturesofTwoOrganizations

DOG:ComparingExistingtoDesiredSecurityCulture

Chapter7CreatingCultureMapswiththeSecurityCultureDiagnosticSurveySecurityCultureMaps

MappingSecurityCultureUsingtheCSCFCompositionofaSCDS-basedCultureMapOtherTechniquesforMappingSecurityCulture“WhenShouldIUseEachTypeofMap?”MappingSpecificValuesandActivities

InterpretingandComparingCultureInterpretingSCDSResults

ComparingCultures

Chapter8ImplementingaSuccessfulSecurityCultureDiagnosticProjectGettingBuy-infortheSecurityCultureDiagnosticProject

DirectBenefitsofSecurityCultureImprovementEstimatingtheFinancialImpactofSecurityCultureCaseStudy:FOXTROTIntegrators,Inc.

ExecutingaSecurityCultureDiagnosticProject1.SettingUptheProject2.CollectingData3.AnalyzingResponses4.InterpretingCultureandCommunicatingResults

FromMeasurementtoTransformationFurtherReading

PartIIITransformingYourSecurityCulture

Chapter9FromDiagnosistoTransformation:ImplementingPeople-CentricSecurityDiagnosisandTransformation:OneCoin,TwoSides

TheCSCFasaFrameworkforUnderstandingWhatIstheFrameworkforTransformation?

BehavioralModelsforSecurityCultureTransformationComplianceandControlRegimesSecurityProcessImprovementTechnologyandAutomationApproachesSecurityNeedsMoreOptions

FurtherReading

Chapter10SecurityFORCE:ABehavioralModelforPeople-CentricSecurityOriginsofSecurityFORCE

HROResearch

HROsinInformationSecurityIntroducingtheSecurityFORCEBehavioralModel

FiveCoreValuesofSecurityFORCESecurityFORCEValueBehaviorsandMetrics

SecurityFORCEValueBehaviorsSecurityFORCEValueMetrics

TheCulture–BehaviorLinkinHRSPsFurtherReading

Chapter11TheSecurityValueofFailureWhatIstheSecurityValueofFailure?

“FailureIsNotanOption”ReevaluatingFailureEmbracingFailureFailSmall,FailFast,FailOften

FailureKeyValueBehaviorsAnticipateFailuresSeekOutProblemsRewardProblemReportingShareInformationAboutFailuresLearnfromMistakes

AssessingYourFailureValueBehaviorsTheSecurityFORCESurveyTheSecurityFORCEMetrics

ImprovingYourFailureValueBehaviorsEmbedtheSecurityValueofFailureintoPeopleReeducatePeopleonWhatItMeanstoFailSetLeadershipExamplesOpenUpCommunication

FurtherReading

Chapter12TheSecurityValueofOperations

WhatIstheSecurityValueofOperations?OperationalPowerSensitivitytoOperationsExpectationsandReality

OperationsKeyValueBehaviorsKeepYourEyesOpenFormaBiggerPicture“Listen”totheSystemTestExpectationsAgainstRealityShareOperationalAssessments

AssessingYourOperationsValueBehaviorsScoringtheOperationsValueBehaviorSurveyFORCEValueMetricsforOperations

ImprovingYourOperationsValueBehaviorsEmbedOperationsValueintotheSecurityProgramThinkMoreLikeScientistsEmbracethe“SharingEconomy”LightenUpaBit

FurtherReading

Chapter13TheSecurityValueofResilienceWhatIstheSecurityValueofResilience?

WhenBadThingsHappen(toGoodOrganizations)RollingwiththePunchesImaginingFailuresandDisasters

ResilienceKeyValueBehaviorsOvertrainPeopleCreate“SkillBenches”ActivelyShareExpertiseEncourageStretchGoalsPracticeFailing

AssessingYourResilienceValueBehaviorsScoringtheResilienceValueBehaviorSurveyFORCEValueMetricsforResilience

ImprovingYourResilienceValueBehaviorsEmbedResilienceValueintotheSecurityProgram“ASecurityIncident?IWantIn!”MakeSecurityIncidentsMundane

FurtherReading

Chapter14TheSecurityValueofComplexityWhatIstheSecurityValueofComplexity?

DumbingItDownGrowingUncertaintyIgnoranceIsRisk

ComplexityKeyValueBehaviorsDon’tOversimplifyFormalizeYourAssumptionsCovetEmpiricalEvidenceSharetheDoubtMakeEveryModelBetter

AssessingYourComplexityValueBehaviorsScoringtheComplexityValueBehaviorSurveyFORCEValueMetricsforComplexity

ImprovingYourComplexityValueBehaviorsEmbedComplexityValueintotheSecurityProgramThinkBiggerAcceptWhatWeAlreadyKnow

FurtherReading

Chapter15TheSecurityValueofExpertiseWhatIstheSecurityValueofExpertise?

FilterYourWater,NotYourInformation

StructuralAuthorityvs.StructuralKnowledgeWaitingfortheBigOne

ExpertiseKeyValueBehaviorsAsktheExpertsSuppresstheEgosAllowAuthoritytoMigrateShareCredibilityRewardCallstoActionandCriesforHelp

AssessingYourExpertiseValueBehaviorsScoringtheExpertiseValueBehaviorSurveyFORCEValueMetricsforExpertise

ImprovingYourExpertiseValueBehaviorsEmbedExpertiseValueintotheSecurityProgramMakeEveryoneaSensorCreateDecisionFastLanesValueExpertisefromtheTopDown

FurtherReading

Chapter16BehaviorandCulture:MasteringPeople-CentricSecurityWhatDoesSecurityCultureTransformationMean?

DescribingTransformationinTermsofCulturalCapabilitiesMaturityTheCulturalCapabilitiesMaturityModel:FormalizingCulturalMaturity

SupportingSecurityCultureTransformationwithSecurityFORCEProjects

TheValueofaSecurityFORCEProjectManagingaSecurityFORCEProject

TheSecurityFORCEScorecardScoringtheFORCESurveyQuestions,RevisitedPoolingYourFORCEsSecurityFORCEMetricsandtheFORCEScorecard

“AreWeaHighlyReliableSecurityProgram?”CSCFandSecurityFORCE:AligningCultureandBehaviorinPeople-CentricSecurity

ChainingCultureandBehaviorEffortsUsingtheSCDSandFORCEIndependentlyGeneralAlignmentsBetweenSecurityFORCEandtheCSCFTakingAdvantageofCultural-BehavioralAlignmentsBlendingSecurityCultureDiagnosticandSecurityFORCEProjectsforImprovedCulturalMaturity

FurtherReading

Chapter17Leadership,Power,andInfluenceinPeople-CentricSecurityACrisisofLeadership

TheCISOasaBusinessLeaderBusinessLeadersasSecurityEnablersSecurityPowerDynamics“WhatifIamnotaCISO?”

LeadershipinPeople-CentricSecurityYouDon’tLeadMachinesInfluenceandTransformation

AdaptingtheCSCFandSecurityFORCEModeltoLeadershipTheCSCF,SCDS,andCulturalLeadershipTheSecurityFORCEModelandBehavioralLeadership

FurtherReading

Chapter18SecuringaPeople-CentricFutureTheSecurityofThings

SocialSecurityAsManySecuritiesasThingstoSecure

FramingPeople-CentricSecuritySecuritySoftPowerThreeTakeawaysfromtheBook

PuttingPeople-CentricSecuritytoWorkTwoModels,OneGoalPeople-CentricSecurityStrategies

ConclusionFurtherReading

Index

Foreword

Afterhavingworkedininformationsecurityforover20years,Ihavecometoasimpleconclusion:unlesswemovebeyondtechnologyaloneandstartaddressingthehumanelement,weareinano-winsituation.Technologyiswhereeveryorganizationshouldstartwhenmanagingitscyber-risk,buttechnologycanonlygosofar.Wehavehitthatpointofdiminishingreturn.Wecannolongerignorethehumanfactorininformationsecurity.Lance’sbookisabreathoffreshair.Hecreatesanewchapterinhoworganizationsshouldmanagetheirrisk,notjustatthetechnicallevelbutatahumanlevel.WhatmakesLance’sbooksopowerfulisthathenotonlybacksthebookwithtremendousresearchandacademicstudies,butalsobringsinreal-worldapplication.

IfirstmetLancethroughhispreviousbook,ITSecurityMetrics.ItwasoneofthefewbooksIhadfoundthatattemptedtomeasurethehumansideofinformationsecurity.Hewentbeyondjusthardnumbersandacknowledgedthesoftersideofourworld.Sincethen,IhavebeenworkingwithLanceandhavecometorecognizeandrespecttheuniquetraitshebringstoourcommunity.AsaPhDinsocialscience,Lancebringsacademicrigortoourworld,butevenbetter,hebringstheskillsnecessarytounderstandhowpeopleandcultureswork.Combinedwithmorethan25yearsofreal-world,globalexperienceintheinformationsecurityfield,hisphilosophyandpracticebringimmensewealthtothesecuritysector.

WhatIlovemostaboutthisbookisthatanyonecanreadit.Lancehelpsyouunderstandwhatcultureisandwhyitisanissueforinformationsecurity,ultimatelyprovidingaframeworktomanageandmeasureit.IhopeyouareasexcitedasIamaboutthisopportunitytobothbetterunderstandachallengeweallfaceandleavethisbookbetterarmedtodosomethingaboutit.

–LanceSpitznerResearch&CommunityDirector,SANSSecuringTheHuman

Acknowledgments

Alotofpeoplehadahandinmakingthisbookhappen,bothdirectlyandindirectly,andIwanttotrytoacknowledgeallofthem.IowesomuchtoMeghan,myeditoratMcGraw-HillEducation,whotookachanceonanideathatshebelievedinandfoughtfor.Therewouldbenobookwithouther.IalsowanttothankDavid,myfriendandmentorforsomanyyears.Iliketotellmysonthathe’llhavelivedafortunatelifeifhehasafriendasgoodasDavidhasbeentome.

IamindebtedtotheentireteamatMcGraw-HillEducation,especiallythosewhosupportedgettingthisbookoutthedoor.Amy,Janet,Brandi,Jared,Bill,andAnubhooti,youmadethisexperiencerewardingandchallenging,andIcan’ttellyouhowthankfulIamforyourhelpandyourinsights.ThanksaswelltothemanypeoplebehindthescenesatMcGraw-HillEducationwhoInevergottoknowpersonally,butwhocontributedtheirowneffortstothisproject.Bigshout-outsgotoLanceSpitzner,forcontributionsofbothwordsanddeedsasIwasputtingthisbooktogether.ToIra,whoalwaysgivesmehishonestopiniononeverything,whichIvaluemorethanItellhim.ToRic,forwalkaboutsandconversationsallovertheworld.AndtoKen,Mike,Pablo,Steve,andTroy,forbeingtruefriendsingoodtimesandbad.AlsomygratitudetoDr.PhilDoty,oneofthesmartestpeopleIhaveevermet,whofirstsuggestedIreadKarlWeickallthoseyearsago.

Thereisverylittletrulyoriginalknowledgeintheworld,andscholarsandresearcherseverywherecreatenewcontributionsbyminingtheeffortsofotherswhohavegonebeforethem.Iamaprimeexample,andIwanttoacknowledgetheworkandcontributionsofalltheacademicsandpractitionerscited,quoted,andadaptedinthisbook.ThankyousomuchforlendingmesuchexcellentshoulderstostanduponasIlookedaround.

Finally,adedicationisnotquiteenough.Mywifeandsondeservethelastword.Theygavemespaceandfreedom,withoutcomplaint,totakeononeofthemostconsumingactivitiesIhaveeverexperienced.Andtheydiditnotonce,buttwice.Thanks,youtwo.

Introduction

Theoriginsofthisbookarediverse.ItcomesfromseveraldifferentideasI’veexploredorbeeninterestedinovertheyears,ideasthattracedtheirownindividualorbitsinsidemyheadandthengraduallycametogetherintoaconceptIfeltcompelledtowriteabout.IdecidedIwantedtowriteabookaboutsecurityculturenotlongafterIfinishedmyfirstbook,ITSecurityMetrics.Ididn’tcallit“securityculture”atthetimeorthinkaboutinthoseterms.IjustknewafterIfinishedthefirstbookthatIwasn’tactuallyfinished.

AgoodfriendcommentedtomeafterreadingITSecurityMetricsthathethoughtoneofmymostimportantpointswashowvaluablequalitativedataandmeasurementcanbetoinformationsecurityprograms.Itmademegladtohearhimsaythat,becauseitwasoneofthereasonsIhadwrittenthebookinthefirstplace.Iwantedtoaddsomethingnewtoaconversationthatwasalreadytakingplaceinourindustry.Havingrecentlyfinishedadissertationinthesocialsciences,onethatreliedonbothquantitativeandqualitativeresearchmethods,Ithoughtthesecuritymetricsliteraturewasoveremphasizingquantitativeinquiryandanalysisandmissingoutonthevalueofqualitativeapproaches.Often,securityprofessionalsIencounteredcriticizedqualitativedataanddownplayeditsusefulness,butthesesamefolksmanytimesdidn’tevenusetheterm“qualitative”correctlyorunderstandhowqualitativeresearchactuallyworks.

InITSecurityMetrics,myadvocacyforqualitativeapproacheswasdeliberatelygentleandconciliatory,toneddowninthehopesthatImightgetsomereadersinterestedbutnotalienatetoomanyofthem.Istillgavequantitativeapproachestopbilling,whichwasfine.Thebookseemedtohavetheintendedeffect.Somepeoplewantedtoexplorequalitativeinformationsecuritymetricsmoredeeply,whilethosewhodidnotcouldsafelyignorethoseparticularchapters.

IntheyearssinceIfinishedthefirstbook,alotofthingshavehappenedandalotofthingshavechanged.PerhapsthetwomostimpactfuleventsasfarasPeople-CentricSecurityisconcernedwereaglobalfinancialcrisisandacrisisofconfidenceintheinformationsecurityindustry.Theformerhaspassed,although

westillfeelitslingeringaftermath,whilewearestillsmackinthemiddleofthelatter.Inthecaseofthefinancialmeltdown,acomplexglobalsystemthathadbecomeopaqueandautomatedbrokedownasadirectresultofirrationalhumanbehavior.Safeguardsthatweremeanttopreventsuchcollapsesdidn’twork.Inthecaseofinformationsecurity,asimilarlycomplexglobalsystemthatisalsohighlydependentupontechnologysolutionsseemstobebreakingdown.Thecollapseisnotasspectacularorcompressedasthefinancialcrisiswas,butitstillfeelsprettycatastrophicwheneveryweekseemstobringnewsreportsofmillionsofpeople’sdatabeingstolen,publicaccusationsofspyingandsabotageagainstgovernmentsandcriminalorganizationsalike,andtradeconferenceswheretheindustrythatmakessecurityproductswillbethefirsttotellyouithasfailedandthatliterallyeveryonehasalreadybeensuccessfully“owned”bythebadguys.

Ifoundatthecenterofallthesethingsinterestingquestionsofcomplexity,ofthelimitsoftechnologysolutions,andofthepowerofhumanbehaviorforgoodandforbad.Societyisbecomingmoretechnicalandmoresocial,eachdrivingandextendingtheother.Socialnetworking,sharingeconomies,andtheInternetofThings(orEverything)promisetomakeourworldmoreinterconnectedandmorecomplexthaneverinhumanhistory.Theyalsopromisetomaketheideaofpeopleandmachinesbeingseparatemoremeaninglessthaneverbefore.We’renotexactlyatthepointwhereeveryonebecomesacyborg,butinaworldofwearabletechnology,amazingprostheticscontrolledbytheuser’smind,andbodyimplantswithembeddedcomputingandWi-Ficapabilities,theideaisn’texactlyhyperbole.

Whathappenswhenyoucannolongertellthehumaninfrastructurefromthetechnologyinfrastructure?That’saquestionthathasasmanyphilosophicalimplicationsaspracticalones.I’mnottryingtoaddressthephilosophicalpointsinthisbook.ButIamgoingtodrawabitofalineinthesandonthepracticalsideofthequestion,specificallytheonethatwefaceininformationsecurity.Culturehaslongbeenawordassociatedwithhowaparticulargroupofpeopleseestheworld,includingwhatthatgroupbelievesandhowthosebeliefsinfluencethewaythegrouplives.Culturefunctionsatdifferentlevels,includinggeographical,ethnological,andreligiouslevels.Culturealsofunctionsattheleveloforganizations,suchascompaniesandgovernments,whichareperhapsmoreartificialandlessorganicthanfamilies,tribes,andreligions,butwhichhavecometodominateourworldjustasmuch.ThecompanyIworkforhasaculture.Sodoestheinformationsecurityindustry.Andthosecultures,asmuchasanythingelse,drivewhypeopledowhattheydo.Ourculturehasbecome

technological,sowehavetounderstandtechnologytodecipherit.Butourtechnologyhasalsobecomecultural.Ifyouwanttoknowwhyatechnologysystemsucceedsorfails,whetheritbeafinancialsystemoranITsystem,youhavetoalsounderstandpeople.

Whichbringsme,ifinaroundaboutway,tothisbook.InfoSechasalwayspreachedthetriadof“people,process,andtechnology”asessentialforgood,effectivesecurity.Myexperienceintheindustryhasbeenthattechnologyalwayscomesfirst,followedbyprocesswhenwecanmanageit,andpeoplewhenwegetaroundtothem.Themainrolepeopleplayininformationsecuritytendstobethatofaproblemwaitingtohappen,aninsiderthreat,anegligentuser,orjustanannoyancetobeautomatedoutofexistenceasbestwecan.Thisbookismyattempttoinvertthat,toputpeopleinthecenterofinformationsecurityprogramsandpractices.Sometimespeoplewillbethreats,butmoreoftentheywillbetheuntappedresourceswiththesolutionstomanyofsecurity’scurrentchallenges.Thankfully,I’mnotaloneinbelievingthatpeople-centricsecurityisthefuture.Thesecurityindustryisbeginningtorealizethattechnologycanonlytakeussofar.AsInfoSecprogramshitthepointofdiminishingreturnsontheirtechnologyinvestments,theymustlookforotherreservesofeffectivenessandvalue.Ihopethisbookhelps,insomeway,tofacilitatetherealizationofthatvalue.

WhoShouldReadThisBook?Iwrotethisbookforeveryonewhohaseverwonderedwhy,despiteourbesteffortsandmostsophisticatedtechnologysolutions,informationsecurityseemstobefailingmorenowthanever.InfoSechasbecomesobigandsodispersedacrossdifferentspecializationsanddisciplinesthatthere’snotreallyevenasinglefieldanymore.Wehaveinformationsecurity,ITsecurity,informationassurance,cybersecurity,andothersallmaybereferringtothesamething,butmaybenot.Asanexample,throughoutthisbookI’llrefertoourfieldasinformationsecurity,orInfoSecforshort,whichisindicativeofmyownprofessionalhistory,preferences,andexperience.Attheleadershiplevel,however,nomatterwhatyoucallit,chiefinformationsecurityofficers(CISOs)havetoruntheirprogramsasabusiness,inpartnershipwithother,non-securityexecutives.Atotherlevels,practitionerswillhavetheirownpreferencesandopinionsofwhatconstitutesourfield.Everyonehastheirownconcernsaboutthebestwaytoprotecttheinformationassetsthatarecrucialtoenterprise

success.Thatbeingsaid,thereareseveralgroupsIcanmentionwhomightfindvalueinideasabouthowtomeasureandchangesecurityculture.

CISOsIuse“CISOs”asacatch-alltoincludeanyorganization’sInfoSecleadership,regardlessofofficialtitle.Ifyou’reinchargeofmanagingsecurityforyourcompany,youarethechiefnomatterwhatyourjobtitleis.Asleaders,CISOsarethepeoplebestpositionedtoactuallymanageandchangeanorganization’sculture,includingitsinformationsecurityculture.Butyoucan’tmanagewhatyoucan’tmeasure,sohavingawaytoanalyzeandarticulatesecurityculturebecomescentraltoimpactingandimprovingit.ThetechniquesandmethodsIlayoutinthisbookcangiveCISOsthatanalyticalcapability,enablingthemtoaddInfoSecculturetotheirstrategicobjectivesandroadmaps.

Non-securityOrganizationalLeadershipForeveryseniorexecutiveorboardmemberwhohasstruggledtounderstandwhataCISOistalkingaboutortomakesenseofthefear,uncertainty,anddoubtoversecuritybreachesbombardingtheminthemedia,Ihopethisbookhelpstobreakdownhowsecurityprofessionalsthink.Ifyoucanunderstandwhatmotivatesaperson,youcanfindawaytoworkwiththem,tocompromiseformutualbenefit,andtoresolveconflictsbeforetheybecomedangerous.Thisbooktalksalotaboutthecompetitionbetweenvaluesandcultureswithinanorganization,includingvaluesandculturesoutsideoftheInfoSecprogram.Mysincerehopeisthatnon-securityleadersandmanagerscanusethisbookasawaytobetterunderstandinformationsecurity,andwherethesecurityteamiscomingfromintermsofvaluesandpriorities.Evenbetter,maybethesesamenon-securityprofessionalswillbebetterabletoexplaintosecuritypractitionerswhereeveryoneelseintheorganizationmaybecomingfrom,especiallywhenthosevaluesandprioritiesclash.InfoSecprogramsareoftenseenasimpedingratherthanenablingthebusiness,whichleadstotensionandconflictbetweenstakeholders.Thisis,atheart,aculturalchallenge,oneIhopethisbookcanhelppeopletoovercome.

TrainingandAwarenessTeamsInthebook,Irefertosecuritytrainingandawarenessteamsasthe“tipofthespear”forculturaltransformationintheindustrytoday.Ihaveagreatdealof

respectforanyonewhotakesonthechallengeofeducatingandmentoringothers,andwhenthesubjectisprotectingandpreservinganorganization’sinformationandtechnologyassets,thatchallengecanbeevengreater,thestakeshigher.Thisbookisnotatrainingandawarenessbook,butthemethodsandtoolsprovidedinthebookcanabsolutelyhelpsecurityawarenessprograms.Onemajorcontributortosecurityincidentsanddatabreachestodayisthatwedon’tincludeenoughhumanandorganizationalbehaviorsinourrepertoiresofrisk.TheframeworksIofferherecanhelpexpandthatknowledgebaseandgivetrainingteamsmoreoptionsandmoreareasoffocuswithwhichtobesuccessful.

SecurityOperationsAgain,Italkabout“securityoperations”generally,asablanketreferencetoallthepeopleresponsibleforkeepingtheInfoSecprogramrunning.Whetheryouareananalyst,anincidentresponsemanager,adeveloper,orsomeotherinformationsecurityspecialist,youarepartofwhatcreatesandtransmitsyourorganization’ssecurityculture.Thatmeansyouhavepower,evenifitdoesn’talwaysfeelthatway.

Thisbookcanhelpgiveinformationsecurityprofessionalsalanguagewithwhichtoexpresswhattheydoandwhy,andtocommunicatewithotherswhomaynotunderstandoragreewiththem.Idon’texpectpeopletoreadthisbookoutofsomeappealtotheclichéthat“everyoneisresponsibleforinformationsecurity,”althoughthat’strue.Instead,Iwouldencourageyoutoreadthebookforthemostself-servingofreasons,namelytobeabletojustifywhyyoudothingsacertainwayandtoexplaintootherswhytheyshouldgivetheirsupport(financial,political,time)tohelpyougetthemdone.ThemostcommonquestionIgetaskedbycustomersisifIcanhelpthemjustifyinformationsecuritymeasures,activities,andbudgetstouppermanagement.Inmyexperience,seniorbusinessleadersspeakthelanguageofcultureandorganizationalbehaviormorefluentlythantheyspeakthelanguageoftechnologyandsecurity.ThisbookcanhelptranslatethecrypticdialectofInfoSecintospeechthatbusinessstakeholdersunderstand.

Ihavedrawnonyearsofconsultingexperiencesindevelopingthecasestudiesandstoriesinthisbook.Names,details,andcircumstanceshavebeenalteredtoprotecttheidentitiesofspecificorganizations.

CompanionWebsiteAccompanyingthisbookaretemplatesthatyoucanuseinyourownorganizationtotransformyourinformationsecurityculture.Tocallyourattentiontothesetemplates,theDownloadiconhasbeenincludedwherethesetemplatesarereferencedthroughoutthebook.Thesetemplates,aswellasotherresourcesonorganizationalandInfoSecculture,areavailabletoyoufordownloadfromhttp://lancehayden.net/culture.Thetemplatesarefullycustomizablesothatyoucanusethemtotheirbesteffectwithinyourorganization.

AnoteonURLs.Throughoutthebook,Iuseonlytop-levelURLs,evenwhenpointingreaderstospecificdocumentsorwebpages.Thisisdeliberate.Inthisageofe-books,abrokenlinkcanbetroublesome,sometimesevenresultinginabookbeingmadeunavailablethroughsomevendors.Toavoidthisproblem,Ihaveavoidedlinksthataremorelikelytochangeordie.Inallcases,itshouldbeasimplemattertosearchthesiteIgiveinthelink,ortheInternetmoregenerally,fortitlesandauthors.Iapologizeforanyinconveniencethismaycause.

http://lancehayden.net/culture

PARTI

UnderstandingYourSecurityCulture

Y

CHAPTER1

InformationSecurity:AdventuresinCultureHacking

oudon’thavetogodiggingthroughtechnologynewsfeedsforevidencethattheworldofinformationsecurityisinastateofcrisis.Databreachesarealloverthemainstreammedia.Enormousinscaleandfrighteningintheirimplications,majorsecurityincidentsseemtobehappeningwithalarmingregularity.Whenitisnotshadycriminalhackersperpetratingthetheft,weworrythatitmightbeahostilegovernmentgearingupforanewkindofwarfare,orevenourowngovernmentembracinganewageofOrwelliansurveillancepossibilities.Andthemessagethatresonatesfromthepagesofinformationsecurityindustrymagazinesandwebsitestothekeynotespeechesofindustryconferencesandthemarketingbrochuresofproductandservicesvendorsis,InfoSecisbrokensomehow—itdoesn’tseemtoworkanymore.

Maybe.Societyhasundergoneprofoundchangeswiththewidespreadadoptionofdigital,networkedinformationtechnologies.Sometheoristsspeculatethatthesechangesarestructural,representingnotjustnewfeaturesoftraditionalsociety,butnewdefinitionsofsocietyitself.Inthisview,wearegoingthroughchangeslikethosethathappenedwhenhumanbeingsstoppedbeingnomadicandestablishedagricultureandvillages,orlikethetransformationsthattookplaceduringtheEnlightenment,orasaresultoftheIndustrialRevolution.

Suchevolutionmeansthateveryone,includingtheinformationsecurityindustry,betterbereadyforchangesunlikeanythingwe’vepreviouslyexperienced.Technologyhasbecomesocial,centeredaroundpeople,and

informationsecuritymustbecomeequallypeople-centricifithopestosucceed.Wenotonlyhavetodothingsbetter,butwehavetoinventwholenewwaysofdoingthem.Thatmeanslookingatthingsthathavetraditionallymadesecurityexperts,especiallytechnologistsandengineers,uncomfortable.Thingsthatarehardtomeasureorautomate.Thingslikepeople,includingtheirbeliefsandassumptionsasmuchastheirbehavior.Thingslikeculture.

BurntBaconIfirstrealizedthepowerofcultureininformationsecurityafewyearsagoatasupplierconferencehostedbyacustomer.Dozensofrepsfromdifferentvendorsfilledalargehotelballroomreservedbyourhost.Afterwehadallgrabbedourcoffeesandsatdown,theexecutiverunningtheeventcalledthemeetingtoorderwithasafetybriefing.Heintroducedustooursafetyofficer,let’scallhimBob,whoalsoworkedforthecustomer.Bobwasnotanexecutiveorevenamanager.ButbeforeturningoverthemicrophonetoBob,theexecutivemadeitclearthat,intermsofourphysicalsafetyandsecurity,forthenexttwodaysBobmightaswellbetheCEO.

Ihadnotexpectedthebriefing,butIwasn’tverysurprised.Thecompanyrunningtheconferenceoperatedinseveralhazardousindustriesandprideditselfonthe“cultureofsafety”itinstilledinemployees.Bobspentaboutfiveminutesrunningusthroughareviewofsafetyprotocolsfortheevent,pointingoutalltheexits,tellinguswhichweshoulduseintheeventofanemergency,andevendeclaringarallyingpointacrossthestreet.Shouldsomethinghappenthatrequiredustoleavethebuilding,everyonewasrequiredtomeetattherallyingpointforaheadcountpriortoreturningortakingwhateverotheractionsBobdeemedappropriate.Oncehehadfinished,Bobtookhispostatthebackoftheballroomandtheday’sactivitiescommenced.

Iwassurprisedwhenwereturnedfromthefirstday’slunchbreakandtheexecutiveagainhandedBobthemikesothathecouldrepeatthesamebriefingwehadlistenedtoonlyfourhoursbefore.“Wow,”Ithought.“Thesepeopletakesafetyseriously.”Ihadneverexperiencedthatkindofbriefingbeforeatanyofmyowncompany’smeetings,muchlesstwointhesamedayatthesameevent!

Coincidenceisafunnything.Justoveranhourafterourpost-lunchbriefing,thehotelfirealarmbegantowail.Onreflex,everyoneturnedaroundtolookatBob,whoimmediatelyslippedoutoftheroom.Withinaminute,thealarmstopped.AminuteortwolaterBobreturnedwithoneofthehotelmanagersin

tow,whowasobviouslytryingtoexplainsomething.IwatchedBobshakehishead“no,”promptingthemanagertoleave.Tenminuteslater,IwasstandingwithmyfellowvendorrepresentativesacrossthestreetasBobtookaheadcount.

WefoundoutlaterthatthemanagerhadcontactedBobtotellhimthefirealarmhadbeentriggeredbyasmallgreasefireinthekitchen,butthatithadbeencontainedandposednodangertoourmeeting.Bobhadnotboughttheexplanationandhadtriggeredanevacuationanyway.Weweretheonlyonestoleavethehotelafterthealarm,andwecaughtmorethanafewcuriousglancesfrompeoplepassingby.OnceBobwassatisfiedeveryonewaspresentandthatthehotelwasnotactuallyonfire,hegavetheallclearandwefiledbackintoourseatsintheballroom.Despitetheminornatureofthefireandthefactthatunnecessarilyevacuatinghadcostusnearlyanhourofourpackedschedule,theexecutivenevergaveahintofannoyance.Instead,hecalledusbacktoorderbyspendinganotherfewminutespraisingBob’sdecisionandremindingusthat,forhiscompany,safetycamebeforeanythingelse.

Thesecondmorningoftheconferenceconsistedofbreakoutsessionsscatteredinsmallerroomsthroughoutthehotelconferencecenter,buttheybeganonlyafterourmorningsafetybriefingwascomplete.Webrokeagainforlunch,andwhenwereturnedtotheballroomintheafternoon,theexecutivewaswaitingforus.Hewasnothappy.Standinginfrontoftheroom,hehelduponeofthevendorpacketseachofushadreceivedatthestart.Stamped“HighlyConfidential”oneverypage,thepacketsweretheblueprintsofthecompany’sforward-lookingITstrategy,includingstrategiccompetitivedifferentiatorsenabledbytechnologyadoption.

Wavingthepacketslowlysothatweallcouldseeit,theexecutivechewedusout,describinghowthedocumentheheldhadbeendiscoveredinoneoftheemptybreakoutroomsduringlunch,lefttherebysomeoneintheroom.Heexplainedwithobviousirritationthatsuchblatantdisregardforprotectingsensitivecorporatedatawasunacceptable,especiallyinaroomthatincludedmanyinformationsecurityprofessionals.Ifithappenedagain,hewarnedus,therewouldbehelltopay.Andwiththat,westartedupagain,beginningonceagainwithourmandatorysafetybriefing.

SafeandNotSecureAnimportantcharacteristicofcultureisthatittendstobeinvisible,functioningjustbelowourconsciousawarenessofitsinfluence.Butthatoftenchangeswhen

wefindourownculturalnormschallenged,andsuddenlyweseepatternsandconflictsjumpingoutatusfromtheshadows.Take,forexample,thestarkcontrastbetweenmycustomer’ssafetyculture,wheretheresponsetothepossibilityofanincidentbroughtallbusinesstoastopandtriggeredemergencyactionplans,andthecustomer’ssecurityculture,whereanactualsecurityincidentresultedinnothingmorethanasterntalking-to.Thetwocompletelydivergentresponsestoessentiallythesamething,afailureincident,madethedifferencesbetweenthesafetyandsecurityculturesofmycustomerstandoutfromoneanotherlikeblackandwhite.“Wow,”Ithought,“oneofthesethingsisnotliketheother.”Itwasastounding.

Mycustomerbelievedtheyhadastrongcultureofsafety.Theyalsobelievedtheyhadastronginformationsecurityculture.Butcultureisdefinedbybehaviors,notbeliefs.Thecompletelydifferentbehaviorstheyexhibitedbetweenthetwoincidentsshowedwheretheirprioritiesreallylay.HadtheexecutivetreatedthefailuretosecuresensitiveinformationlikeBobhadtreatedaburntrasherofbacon,wewouldhavestoppedtheproceedingsimmediatelyuntilheresolvedtheproblem.Insteadoforderinganevacuation,hewouldhaveorderedeveryoneintheroomtoholduptheirvendorpackets.Thedocumentswerecontrolled,andatleastonepersonwouldnothavehadone.

WhatWereYouThinking?Ifoundmyselfobsessingovertheexperiencefortherestoftheday.Itdistractedmefromfocusingonthepresentationsandtheinteractivesessions.Iwasdistantanddisengaged.Whyhadtheexecutivejustletthatsecurityincidentslidesoeasily?Hehadbeenvisiblyangryoverit,buthecouldhavedonemuchmorethanscoldus.Washeworriedaboutembarrassingpeople?Hadtheevacuationthrownussofaroffschedulethathewasjusttryingtomakeupforlosttimeandnotdelaytheeventfurther?Thinkingthatmaybeheintendedtofollowuplaterandtrytotrackdowntheperpetratorsomeotherway,Icheckedforuniqueidentifiersonmypacketthatcouldhavetrackeditbacktomedirectly.Ifoundnothingofthesort.

Foralittlewhile,Igotdepressed.Ihadtraveledalongwaytoattendameetingthatwasallabouthowimportantsecuritywastothiscompany,onlytowatchaseniorexecutivegetupstagedbyajunioremployeewhenitcametotakingactioninthefaceofrisk.Theresponsetothesecurityincidentcalledintoquestionthewholepurposeoftheconference.Ifthecompanywasn’tgoingtotakeactionwhenfacedwithasecuritybreachinvolvingoneoftheirowninformationsecurityvendors,howweretheyevergoingtoprotectthemselves

fromtherealbadguys?Itwouldallbetechnologyproductsandlipservice.Theydidn’tcareenoughtomakearealchange.Ifoundmyselfthinking,“TheyshouldputBobinchargeofinformationsecurity.”

ThenIrealizedsomethingelse.Iconsideredthereal,physicalharmthatIknewthiscompanyhadseenasaresultoflapsesinworkplacesafety.Peoplehadbeeninjuredonthejob,hadevendied,inthedecadesthatthefirmhadbeenworkingintheindustry.Iknewthefirmhadalsoexperiencedinformationsecuritybreachesinthepast,butmyimpressionwasthatthesefailureshadrarelyrisenabovethelevelofamoderateinconvenience.Peoplehadabadday,tobesure,butattheendofiteveryonewenthomesafely.Iftheinformationsecurityculturewasnotasstrongasthesafetyculture,itwasbecausetheworldofinformationsecurityjustdidn’tfeelasdangerousastheworldofworkplacesafety.Nomatterwhattheysaid,thiscompanycouldnotthinkaboutdatasecuritythesamewaytheythoughtaboutphysicalsafety.Thoseculturescouldexistsidebyside,buttheassumptionsandbeliefsthatdrivebehavior,bornofexperienceandobservation,werejustnotthesame.Iwasfascinatedand,oncemoreabletofocusonthecustomer,madeamentalpromisetoresearchthetopicfurther.

Sohereweare.

CultureHackingThisbookisaboutculture.Itisaboutunderstandingitandabouttransformingit.Youcanevensayit’sabouthackingit.AndwhenIsayhacking,Imeanhackinginanold-schoolsense,thehackingthatStevenLevydescribedinHackers:HeroesoftheComputerRevolution.Beforethetermevolved(somemightsaydevolved)intotoday’smorefamiliarusage,withallitsimpliednegativityandcriminalinferences,hackingdescribedaprocessofgainingknowledgeaboutasystembyexploringanddeconstructingit.Thisknowledgewouldthenbeputtousetomakethatsystembetter,moreinnovativeandelegant.TheMIThackersthatLevywroteaboutdealtincomputersoftware,theprogramsanddigitalcodethatdefinehowthosesystemsfunction.Butsystems,code,andhackingdon’tstopthere.

SoftwareoftheMindResearchersandexpertsinorganizationalculturetalkabouttheirtopicinways

thatwouldnotbecompletelyunfamiliartocomputerengineers.Therearemanyframeworksandmetaphorsfordescribingorganizationalculture,butallconvergeontheideathatcultureisasharedsetofnorms,values,androutinesthatservestodefinehowpeoplebehavetogetherinorganizedgroupsettings.Ifyouhaveeverstartedanewjob,thenyouhaveprobablyexperiencedaculturalshiftasyouhadtolearnhowthingsweredoneatyourneworganization,andmaybesomeofthosethingswerecompletelyforeigntoyou.Butasyoulearnedtheropes,astheculturewastransmittedtoyouandyoubecamepartofit,thingsthatyouhadtothinkaboutbecameautomaticandunconsciousbehaviors.It’salmostliketheorganizationprogrammedyoutofunctionwithinit.

GeertHofstede,oneofthemoreinfluentialscholarsinthefield,talksaboutorganizationalcultureinjustthisway.ForHofstede,cultureis“softwareofthemind”thatallowsindividualstoaligntheirthoughts,beliefs,andactionsinordertosolvespecificproblems.NowheredoesHofstede,oranyothercultureresearchersIamfamiliarwith,claimthatpeopleareprogrammableinthesamewaycomputersare.Buttheseexpertsdolookatorganizationsascomplexsystemsthatsharesimilaritieswithcomputersandnetworks.

Byusingmetaphorsdrawnfromsoftwareandcomputing,wecanconceptualizeandidentifymeansofunderstandinghowculturecanbeobserved,measured,andchanged.Thinkingaboutorganizationalcultureasadifferentkindofsoftware,withitsowncodesandprogrammingtechniques,makesthehackinganalogyalotmoreapplicable.Infact,thesecurityindustryalreadyusestheanalogyallthetimewhentalkingaboutsocialengineering.Theideaofhackingpeopleisnotneworevenverycontroversialinourindustry.Butsocialengineeringhasalwaysfocusedprimarilyonindividuals,treatingeachpotentialvictimasanindependentsystemthatmustbeexploited.Youcanautomatesocialengineering,asdoesanattackerwhoconductsmassphishingattemptsbyusingautomatedgroupe-mailtools,butthisonlyallowstheattackertotargetindividualsmorequicklyandefficiently.It’ssimplyaquestionofscale.

Hackingcultureisdifferentfromhackingcomputers.Itmeansunderstandingandexploringtherelationshipsbetweenpeople,thedrivesandmotivationsthatcausemanyuniqueindividualstobehaveinverysimilarways,asagroup.Insteadoftryingtoaffectthebehaviorofindividualpeoplemakingspecificdecisions,aculturehackerismoreinterestedinunderstandingandchangingtheentiregroup’sbehavior,bychangingwhatthatgroupthinksandbelieves.Partofhackingisabouteleganceandefficiency,theabilitytoproducethegreatesteffectwiththeleasteffort.Ifyoufocusonmyindividualbehaviors,tryingtochangethemoneatatime,youwillbelostinaninfinityofinputsandoutputs.

Butifyouareabletounderstandandchangemybeliefsandassumptions,youwillhavetappedintotheprogrammingthatdrivesallmydecisions.

Hackingaperson’sbeliefsystemsmayseemkindofcreepy,andculturehackingcancertainlybeputtoeviluses.Buthackinghasneverjustbeenaboutbreakingintocomputersystemsillegallyorimmorallyforillicitgain.That’sanarrowdefinitionthathas,unfortunately,cometobethemostassociatedmeaningoftheword,thankstothemediaand,ironicallyenough,thesecurityindustry.Buthackingismuchmorethanthat,withalongerhistorythantheoneinformationsecurityhastriedtoimposeonit.Culturehackingissimilar.Ididn’tinventtheconcept,andit’sbeenaroundforalongtime.Ijustbelieveit’saveryusefulwaytothinkaboutthechallengeofpeople-centricsecurity.

ABriefHistoryofCultureHackingThefirstpeopletocallthemselvesculturehackerscamefromtheworldsofactivism,fashion,andart.Theywantedtoshapethewaytheworldlookedatitself,toshakeupthestatusquo,andtopullthecurtainsbackonpeople’spreconceivednotions.ForMikeMyatt,aleadershipexpertandauthor,hackinginorganizationsinvolvesbreakingdownexistingcodesandcomplexity,findingalternatives,andreplacingout-of-dateorinefficientprocesses.That’sold-schoolhacking.

Culturehackingispre-digital,goingbacktopracticeslikebillboardjamming,literallychangingthemessagesonreal-worldroadsidebillboardsfromadvertisementstomoreironicoranti-corporatemessages.Thesetechniquesdatebacktothe1970s,developinginparallelwithphonephreakingandthebeginningofcomputerhacking.Itwasn’taboutstealingordefacingprivateproperty;itwasaboutretakingcontrolofthesystemfromthosewhohadcorruptedit,tomakeitfreeagain.Thiswasthe’70s,remember.

Thoughitstartedoutfueledbyflowerpower,culturehackinghasprovenremarkablyresilient.Astheworldchanged,sodidthefocusofthemovement.CulturehackingandtechnologymergedwiththecreationofgroupsliketheAdbustersMediaFoundation,whichbothusesandcritiquesdigitaltechnologies.In2011,AdbusterswascentralincreatingtheOccupyWallStreetmovement.Throughoutitshistory,themissionofculturehackerswastoreshapebehaviorbytargetingbasicsocialprogramming,usuallywithananti-authoritarianandanti-corporatebias,justlikemanyoftheearlycomputerhackers.

Whetherornotyougrokthewholeanti-establishmenttheme,hacking(computersorcultures)isasetoftechniquesandtoolsforexploringand

deconstructingcomplexsystemsfortheexpresspurposeofchangingthem,makingthemworkdifferently,evolvingthem.Dependingonwhatsideofthefenceyouareon,thiscanbeaprocessofinnovationoraprocessofmanipulationandabuse.Butthenagain,youcansaythatofjustaboutanytool.Ahammercaneasilybecomeanastyweapon.

SecurityCulture:HackorBeHackedIbelievethatcultureisthesinglemostimportantuntappedresourceforimprovinginformationsecuritytoday.Securityisnotatechnologychallenge.Ifitwere,technologywouldhavefixedtheproblemsalongtimeago.Securityisapeoplechallenge,asocialandorganizationalchallenge.It’saculturalchallenge.

People,andhowtodealwiththem,seemtoespeciallybaffleinformationsecurityprofessionals,tothepointwherewehavetroubleeventalkingaboutthehumanbeingsthatmakeupourorganizationsasanythingotherthanproblemstobedealtwith,insiderthreatstobeidentifiedandmanaged,orriskstobemitigated,preferablybyautomatingthemaway.Whenwedothinkaboutpeople,wetendtothinkofthemastargetsforattackoraccidentswaitingtohappen.Steepedastheindustryisinabackgroundofengineeringandappliedtechnology,wecanbedeeplyambivalentaboutthequalitative,theemotional,orthepolitical—inotherwords,allthethingsthatmakeuptheorganizationalculturesinwhichinformationsecurityhastooperate.Giventheindustry’smistrustofpeopleingeneral,it’snotverysurprisingthattheideaofpeople-centricsecurityhastakenawhiletogaintraction.

Theindustryischanging,becomingmorecognizantoftheimportanceofpeopletothesuccessfulprotectionofinformationassetsandinformationsupplychainsthroughouttheglobaldigitaleconomy.We’renotchangingbecausewehavesuddenlyseenthelightanddevelopedanewappreciationforthechaoticandirrationalhumannetworkswemustsecure.We’rechanging,atleastinpart,becausewe’vetriedeverythingelse,it’sstillnotworking,andwe’redesperate.Andthat’sokay.Sittinginmyvendorconference,Ihadtheepiphanythatmyhostsdidn’ttakeinformationsecurityseriouslybecausetheyhadneverexperiencedanyreallyseriousproblemsrelatedtoit,certainlynotliketheyhadwithphysicalaccidentsandlosses.Iwassurethatassoonastheydidexperienceacatastrophicinformationsecurityevent,theywouldattacktheproblemwiththesamecommitmentandzealthathadcreatedtheirimpressivelyformidablesafetyculture.Today’sinformationsecurityenvironmentischangingdramatically.Todayyoueitherhackyourowncultureoryouwaitforsomeonetodoitfor(orto)you.

Who’sHackingYourSecurityCulture?Thinkforamomentabouttheculturehackersinyourownsecurityprogram.Theymaynotbeimmediatelyapparent.Yourfirstthoughtmightbethesecurityawarenessteam,ifyourorganizationhasone.Thesebravesoulsarepresentlythetipofthespearwhenitcomestosecurityculturetransformation,althoughwewillseeinlaterchaptersthatthechallengetheyfaceisoftenimpossiblyidealistic.Butifyouarelookingforthosefolksbeatingthebehavioraldrumandtryingtochangethewaytheentirecompanythinksaboutsecurity,awarenessteamsaretopofmind.

Securityawarenessmanagersareprobablynottheonlyonessociallyengineeringyourorganization’ssecuritybeliefsandpractices.Thinkaboutyourauditors,forexample.Audits,particularlythoseforregulatoryorindustrystandardslikethePaymentCardIndustryDataSecurityStandard(PCIDSS)orSarbanes-Oxley,haveamaterialeffectonacompany’sabilitytodobusiness.Internalauditandcomplianceteamsareresponsibleformakingsurethecompanydoesn’tfailaudits,andtheydotheirbesttotransmitandinstillcertainbeliefsandritualsintothelargerenterprise.Astrongauditcultureisunlikelytobelieve,forinstance,thatdocumentedprocessesareunnecessaryorthateveryemployeeshouldhavecompleteaccesstoeverysysteminordertostayagile.Giventheimportanceofmaintainingcompliance,auditorsalsotypicallyhavethepowertoreprogramtheorganization’sfocusandactivities,evenifonlytemporarily.

Finally,thinkabouttheprojectmanagerorlinemanagerwhohasnodirectresponsibilityforsecuritybutcanrewardorpunishhisemployeesbasedontheirjobperformance,throughpromotionsandpayraises,orevenbyfiringpoorperformers.Everyorganizationhaspriorities,andthesedonotalwaysalign.Infact,theycancompetedirectly,asituationweoftenseeininformationsecurityasasortofRubik’sCubeeffect,inwhichimprovingonepartoftheproblemmakesanotherpartworse.

Imagineourprojectmanagerrunningasoftwaredevelopmentteamworkingonanewproduct.Bringingtheprojectinontimeandonbudgetisamajorpriorityforthecompany.So,too,isensuringthattheproductdoesnothavesecurityvulnerabilities.Whathappenswhenthereisnotenoughtimetodoboth?Forexample,supposeadeveloperrealizesshehassevendaystofinishherworkbeforedeadlinebutthatafullsecurityreviewwilltaketendays.Shecouldgotohermanagerandtellhimthatshewillcompletethereview,becausesecurityisapriority,butthattheprojectwillbelatetomarket.Hermanager’sresponsewill

bekey.Whetherhegivesherpraise,likeBobreceivedwhenheputsafetyfirstandevacuatedoveraminorincident,orpunishesherwiththelossofabonusormaybeevenherjobfordelayingtheproject,hewillshoweveryonewhatthecompanyvaluesmost.Whenthatchoicecomesupagain,everyonewillknowwhattodo.

Nowimaginethatyouarethesecurityawarenessmanagerforthisexamplefirm,oranothermemberofthesecurityteam.Iftheculturalbiasistowarddeadlines,howcanyourvaluescompete?Securityawarenesssuddenlybecomesmorecomplexthanjustmakingsureallthedevelopersknowthepoliciesonsecurecodingandtesting.Ourdeveloperwasalreadyawareofherresponsibilityforsecurity.Butifmanagementrewardsandpunishesbasedonprojectdeadlines,orbudgets,orsomeotherfactor,noamountofhandwringing,trainingsessions,orpostersonthewallwillchangeadeveloper’sempiricalunderstandingthatsecuritycomessecond.That’sculturalengineering.

Security,HackThyselfYoudon’thavetohaveagraduatedegreeinorganizationalpsychologytobecomeaculturehacker,anymorethanyouneedoneincomputersciencetobecomeatechnologyhacker.Whatyoudoneedisanewwayoflookingatyourorganizationalenvironmentandthepeopleinit,whichrequiresimaginationandawillingnesstoexperiment.Technologyhackersdon’tletotherstellthemwhatthesystemcanorcannotdo,butinsteadfigureitoutforthemselvesbyexploringthesystem.Ifyouwanttohackculture,youhavetolearnhowtheculturereallyworks,notjustwhateveryonethinksorexpectsofit.

Theclosestthisbookgetstoamanifesto—andafirstprinciplethatanyoneseekingtotransformtheirsecurityculturemustbecomecomfortablewith—concernstheroleofpeopleininformationsecurity.Inapeople-centricsecurityprogram,humanbeingsmattereverybitasmuchastechnology,andprobablyquiteabitmore.Technologyenablespeople,nottheotherwayaround.Technologyneithercaresnorsuffersifitishackedorcompromised,atleastnotyet.IfyouweretothroweveryITassetyourcompanyownsoutthewindowtonight,tomorrowmorningwheneveryoneshowsupforworkyouwouldstillhaveanorganization.Kickoutallthepeople,ontheotherhand,andtomorrowyouwillhaveawarehousefullofstuffwithnoonelefttocareaboutwhetherornotit’ssecure.

Computersystemsareimmenselycomplicated,designedandbuiltfrom

hardwareandsoftware,governedbyextraordinarilyintricatearchitecturesandmillionsoflinesofprogrammaticcode.Forallthat,computershavefinitelimitstotheircapabilities.Peopledefinewhatcomputerscando,andtheydoonlywhattheyhavebeenprogrammedtodo,eveninsituationswherethosepossibilitiesarenotwhattheprogrammersexpectedorintended.Therearealwaysclearreasonsforacomputer’sbehavior,atleastonceyouhavetrackeddownthosereasonstorootcauses.Butcomplexityisdifferent.Complexsystemsproduceemergentbehaviors,aninfinitepossibilityofoutcomesthatisimpossibletopredict.Thosebehaviorsmaynotbeconsistent,orevenrational.Peopleandsocialsystemsarecomplexinwaysthatacomputercanneverbejustonitsown.Butpluggingacomputerintoasocialsystemlikeacompanyoragovernmentcreatesnewavenuesforcomplexityandemergentbehavior.People-centricsecurityrecognizesthatfocusingontechnologysystemsalonewillalwaysbealosingbattlebecausetechnology-centricsecurityisinvariablyoutflankedbyemergenthumanbehavior.Themomentyouthinkyou’recoveringalltheangles,someonewillfigureouthowtosquareacircleandproducefourmorenewangleswherenonepreviouslyexisted.

Hackingyoursecurityculture,asopposedtohackingyourITinfrastructure,meansdiggingintotheforcesthatmotivatepeople’ssecurity-relatedbehaviorswithinyourorganization.Youhavetoanalyzenotonlywhatyoursystemsdo,butwhatpeoplearedoingwiththem,howtheyareadaptingthemtonewandinnovativepurposes.Someofthesenewuseswillcreaterisk,butalsoopportunity.Culturedefinestheinterfacebetweenusersandsystems.Ifyouwanttotransformyourorganization’ssecurityculture,tomakeitbetterandmoreefficientatprotectingorganizationalassets,youhavetopullapartthepeoplesystemaswellastheprocessandtechnologysystems,sothatyouknowalloftheminsideandout.Itisn’tenoughtojustobservewhatpeopledo,ordowiththetechnologyattheirdisposal.Youhavetounderstandwhytheydoit,andtrytoconsiderallthepossiblealternativedecisionstheycouldhavemade,ratherthanjusttheonethatmayseemobviousorexpected.

IntheyearssinceIsatinthathotelconferenceroomandrealizedthedifferencesbetweenacultureofsafetyandacultureofsecurity,Ihaveobserveddozensofotherorganizations’InfoSeccultures.Everyonehashadsomethingtoteachme.EvenwhenIcannotgetacustomertothinkaboutcultureasmuchasImightlike,theyalwaysmanagetokeepmethinkingaboutit.AndIcantellyouthatculturehackinginthesecurityspaceisazestyenterprise,regardlessofwhethertheorganizationisevenawaretheyaredoingit.

CultureHacks:TheGoodIt’salwaysgreattoworkwithanorganizationthattakescultureseriously,withoutdiscountingitastoovagueorpayinglipservicetoitsimportancebutneverreallytryingtochangeit.I’veevenencounteredafeworganizationsthatembracedtheculturaltransformationofinformationsecurityfullon,withallthemessinessanduncertaintythatcomewiththatsortofwork.Inthecaseofoneparticularorganization,Ihadcomeintohelpthemdefineanewenterprisesecurityframework,agovernanceprogramthatwouldtietogetherallthedisparateandsometimesdysfunctionalsilosandpocketsofsecurityownershipthathadgrownuporganicallyoverthelifeofthecompany.Aswewalkedthroughthevariousoptionsfordesigningthenewprogram,thesecurityteamkepttryingtoarticulatewhattheyreallyweretryingtoachieve.Theyhadneedsandrequirementsthatspannedpeople,processes,andtechnology,andourconversationsoftengotspecificanddetailedononeormoredesiredoutcomes,butnothingeverseemedtocompletelyhitthemark.“Yes,”theywouldsay,“weneedthat.Butweneedmuchmore.”

TheorganizationwasintriguedbyISO27001,theinternationalstandardforsecurityprogrammanagement,andaskedmealotofquestionsaboutwhatIthoughtofit.ItoldthemIthoughtveryhighlyofISO27001.Whenproperlyandconscientiouslyimplemented,ISO27001canfunctionasaverypowerfulgovernanceframework,onethatIalsothinkhappenstobethemostpeople-centricsecuritystandardouttheretoday.Itoldmycustomerso.

“ButISOisn’tforeveryone,”Icautioned.“It’snotabouttechnologyorevencontrols.Thestandardisaboutchangingwhatyourwholeorganizationthinksandbelieveswhenitcomestoinformationsecurity.ImplementingISOtomeisaboutdrivingaprocessofculturaltransformationinregardtosecurityacrosstheentireenterprise.”

Theteammembers’eyeslitup.Eureka!Thatwasexactlywhattheyhadbeenstrugglingtoarticulate.Theydidn’tjustwantanewsecurityprogram,theywantedawholenewsecurityculture.“Wedon’twanttojustchangethemechanics,”theyexplained,“ortoswitchoutonesetofcontrolsoronebestpracticesframeworkforanother.Wewanttochangewhatsecuritymeanstothecompany,andwewanttochangeitforeverysinglepersonwhoworkshereregardlessofrankorrole.”Amen,Ithought.

That’sagoodculturehack,oratleastthebeginningofone.Thesecurityteamwantedtochangebehavior,butrecognizedthatbehaviorgrewoutofsomethingdeeper.Thatwaswheretheywantedtoconcentratetheirefforts.Ithelpedthatthecompanywasalreadyaself-consciouslystrongculture.Theideaofsocial

identityandsharedbeliefspermeateditsbusiness.Thesecurityteamalreadyhadatemplateandalanguagethatwerefamiliartothem.Believinginthepowerofcultureingeneralmakesitaloteasiertoseethebenefitsofimprovingsecuritycultureinparticular.

CultureHacks:TheBadNoteveryorganizationthinksintermsoftransformingtheirinformationsecurityprogramorculture.Somesecurityteamsaresoswampedjustkeepingontopofoperationalactivitiesanddeadlinesthatthinkingaboutwhytheydothingsthewaytheydo,orwhethertheycoulddothembetter,seemslikealuxury.It’shardtothinkaboutafive-yearimprovementplanwhentheauditorsarecomingnextweek.Infact,compliancedrivessomuchsecurityactivitytodaythatit’sprobablythemainmotivationcompanieshavefortakingsecurityasseriouslyastheydo.ISO27001isavoluntarysecuritystandard,butmostcompaniesaredealingwiththenonvoluntarysort.PCIDSSforcreditcardprocessors,Sarbanes-Oxleyinternalcontrolrequirementsforpubliclytradedcompanies,HIPAAregulationsinhealthcare,alongwithaslewofotherlocal,national,andtransnationalregulatoryregimesmayputconstantdemandsontheattentionoftheChiefInformationSecurityOfficer(CISO).

Securitycomplianceeffortsareabitofanattemptatculturehackingthemselves.Regulatorsandindustrygroupsdevelopcompliancerequirementsasameansofforcingorganizationstotakesecuritymoreseriously.Thisisgreatinsofarasitimprovesthefinalproduct.Butwhencompliancereplacessecurityasthegoal,culturaltransformationbackfires.It’sliketheoldZenwarningnottomistakethefingerpointingatthemoonforthemoonitself.Complianceisnotthesamethingassecurity,ashasbeenmadepainfullyclearbyrecentsecurityincidentswhereauditorshadpreviouslysignedoffontheverysystemsthatendedupbeingcompromised.

I’veobservedmorethanoneorganizationwherethesecurityculturehasbeentrainedandconditionedbycomplianceprogramstoequatesuccessfulauditswithgoodsecurity.Evenwhencertainfolksinsidetheorganizationknowbetter—andoftenthesearethesecurityoperationspeople,whoknowhowthesausageismade,sotospeak—thesharedassumptionisthatiftheauditorsarehappy,theorganizationmustbesecure.That,too,isaformofculturaltransformation,justnotagoodone.

Culturehacksarebadwhentheymakethesystemeasierbutdon’tactuallysolvetheproblem.Knowledgeofthesystemispartialorincomplete,makinga

culturehackerfeelliketheyhaveaccomplishedsomethingmorethantheyactuallyhave.Toextendthemetaphor,thosewhoputtotalfaithinaone-size-fits-allcompliancechecklistarelikeculturalscriptkiddies,interestedmoreinquickresultsthanindeepandlastingchange.

CultureHacks:TheUglyEvenwhentheeffortsatculturalchangeareunsophisticatedorincomplete,thepeopletryingtochangethingsusuallyhavegoodintentions.Mostsecurityteamsarepassionateaboutwhattheydoandaredeeplyconcernedwithmakingtheirsystemssaferandstronger.Buttherewillalwaysbeoutliers,individualsandorganizationswhosesecuritybehaviorsaresoegregiousthatyoualmosthavetothinktheywanttofail.

IvisitedanorganizationoncewherethesecuritymanagementteammembersweresomeofthemostarrogantjerksIhadevermet.EventhoughIhadbeenhiredtohelpthem,theybelittledandsecond-guessedeverythingIormyteamsaid.Whenweaskediftheyhadaparticularcontrolorprocess,theywouldrolltheireyes.“Ofcoursewehavethat,”wastheanswer.“That’ssecurity101.Isthatallyousmartconsultantscanaskus?”

Intheorganization’sdefense,itdidhaveaformidablesetofcontrolsinplace.Alotofhighlysensitivedatapassedthroughitssystems,andtheinformationsecurityteammadeitdifficultwithinthosesystemstosharethedatawithoutjumpingthroughadministrativehoops.“Welockourpeopledowntight,”seniorleadersbraggedtous.“Noonegetsuptoanyfunnybusiness.”

Whenwemovedonfromtheleadershipandstartedinterviewingemployeeswhowerelowerontheorganizationalchart,weaskedabouttheintenselevelsofcontroltheorganizationhadputinplace.Manyofourinterviewsubjectsgrinnedatthequestions,thentoldusstoriesofhowmuchofapainitwastoshareinformationefficiently.

“Thoseseniorguysyoutalkedto,”oneemployeetoldus,“allhavepersonalwebmailaccountsthey’vesetup.Whentheywanttosharethingsquickly,theyjustbypassthecontrolsandattachstufftotheirpersonale-mailsandshareit.”

Wewereshocked.“Buttheysaidyouguyscouldn’tdoanythinglikethat,”weprotested.

“Oh,sure.Wecan’t.Theydon’ttrustus,andtheythinkeveryonewhoisnotamanagerisanidiot.Butit’snotaproblemforthem.That’sjustthewaythingsworkaroundhere.”

SecurityIsPeople!Thisbookisaboutgivingorganizationsandthepeopleresponsibleforsecuringthemanewsetofconceptsandtechniques.I’mnottryingtoreplacetechnologyorprocessaseffectivetoolsthatareneededininformationsecurity.ButIamtryingtogivepeople,theoftenneglectedthirdlegofthepeople-process-technologytriad,theirproperplace.People-centricsecuritymeanslookingatthehumanelementofdataprotectionasmorethanjustanotherthreatvector.People-centricsecurityimpliesthatwithoutpeoplethereisnosecurity,noranyneedforit.Processandtechnologyaretheretosupportpeople,bothfromasecurityperspectiveandfortheentireorganization.Nobodystartsoutwithsecuritybutnoinformationtoprotect.Securityneedsarebornwhenanorganization’sinformationsupplychainstartsproducingvaluableassetsthatdemandprotection.Peopledefinewhenthatoccurs,peoplemakeprotectionhappen,andpeopleareresponsiblewhensecurityfails.

Cultureactsasapowerfulengineoforganizationalsecurity,andinsubsequentchaptersI’llgointolotsofdetailaboutwhatcultureisandhowitdriveshumanbehavior.Butthecorepremiseofeverythingthatwillfollowisthis:ifyouwanttoreallychangehowsecurityworks,youhavetochangethecultureoperatingbeneathit.Justbecausesecurityhasstruggledwiththehumanequationinthepastdoesn’tmeanitmustcontinuetobaffleusinthefuture.Infact,itcan’t.Ourworldissocial,andourtechnologiesareincreasinglysocial.Oursecuritymustbesocialtoo,retirementpunsnotwithstanding.People-centric,then.Securityispeople!

FurtherReadingAdbusters:JournaloftheMentalEnvironment.Availableatwww.adbusters.org.Hofstede,Geert,GertJanHofstede,andMichaelMinkov.CulturesandOrganizations:SoftwareoftheMind.3rded.NewYork:McGraw-Hill,2010.Levy,Steven.Hackers:HeroesoftheComputerRevolution.25thAnniversaryEdition.Sebastopol,CA:O’Reilly,2010.Myatt,Michael.HackingLeadership:The11GapsEveryBusinessNeedstoCloseandtheSecretstoClosingThemQuickly.Hoboken,NJ:Wiley,

http://www.adbusters.org

F

CHAPTER2

StrategyforBreakfast:TheHiddenPowerofSecurityCulture

oranindustrythatissogroundedinengineeringandtechnology,informationsecuritycanappearquiteunscientifictothoseoutsideofthefield.Yourorganization’sinformationsecurityteamcanprobablyinundateyouwithreamsofdataaboutsecurityoperationsandposture,includingproductperformancebenchmarks,securityeventlogs,patchesapplied,andeventscounted.Buttheindustrystrugglestosatisfactorilyanswerthequestionofwhyoneorganization’ssecuritystrategyseemstoprotecttheorganization,whileanother’seffortsfailmiserably.It’salmostlikefateorthewrathofthegodsisinvolved.Weseemtoknoweverythingabouthowinformationsecurityworksexcepthowitactuallyworks.Thatisnotbecauseinformationsecurityisinherentlymysticalormoreartthanscience.Securityfailsbecausestrategyisnotenough.ManagementguruPeterDruckersummeduptheprobleminaphrase:“cultureeatsstrategyforbreakfast.”Toooften,securityprogramssearchingforthereasonswhytheyfailedintheirtechnologyortheirstrategyaresimplylookinginthewrongplaceforanswers.

WhySecurityFailsIhaveapresentationIoftengivetocustomersanddeliveratindustryconferences,athoughtexercisetodemonstratehowsecuritycanfaileveninthefaceofcontrolsandcommitmenttoensuringthatitdoesnot.It’sanaturally

visualthoughtexperiment,butI’lltrytocommittosomethingmorenarrativeinthefollowingpages.Youcanfindanactualvideopresentationathttp://lancehayden.net/culture.

WeStartwithaDesignSupposewewanttobuildanewsystem,ormaybeprotectanexistingone.Itcanbeatechnologysystemoranorganizationalsystem,amachineoracorporateprocess,orevenaglobalfinancialsystem…itdoesn’tmatter.Webeginwithadesignforthesystem.Inthecaseofanewsystem,wecreatethatdesign.Ifthesystemalreadyexists,wemayjustdocumenttheexistingdesign.Howeverwedoit,weendupwithsomethingwe’llcallSystem1.Now,wemayknowonlyalittleaboutthissystemoralot,butonethingwealwaysknowforcertainisthatthereareconditionsunderwhichthesystemwillfail.Wemaynotknowexactlywhenorhowsuchfailurewilloccur,butweknowitisinevitablegiventherightcircumstances.Wemay,insomecases,beabletotestforfailure,butinmanyothercasesthatwon’tbepossible.Failureinthissystemislikeacliffinthedark,aprecipiceatnightthatwecan’tseeuntilitistoolateandweareabouttotumbleoverit.We’reafraidofit,waitingforusoutthereinthedarkness,andallweknowisthatweneverwanttogettoocloseinourwanderings.SeeFigure2-1forasimplepictureofthisscenario.


Figure2-1System1andthefailureline

Tomakethemetaphorconcrete,let’sextendanexampleItouchedonbrieflyinChapter1.Imagineacompanythatproducescommercialsoftwareproducts.Thedesignweareinterestedinistheproductionsystemthatmakestheprogramsthecompanysells.Thesystemismadeupofpeople,processes,andtechnologies,allexistingwithinthecontextofsoftwaredevelopment.Engineersanddeveloperswritethecodethatgoesintothecompany’sproducts.Managerssupervisetheengineersanddevelopers.Customersdependontheendproductsthatthecompanysells.WithinthissystemisClara,adeveloperwhohasworkedforthecompanyforseveralyears.

Therearemanywaysthesoftwareproductionsystemmightfail,butwe’llconcentratespecificallyonsecurityevents.Narrowingourfocusevenfurther,we

knowthatmistakesClaramightmakewhilewritinghercodecouldhavedeleteriouseffects,perhapsbyintroducingvulnerabilitiesintothecompany’ssoftwareproducts,touseoneexample.Ifaproducthitsthemarketwithaseriousvulnerability,onethatresultsinazero-dayexploitbeingcreatedthatcompletelycompromisesthesoftware,thenthedevelopmentsystemwillhaveexperiencedamajorfailure.Butthatedgeisextremelydifficulttosee,andClara’scompanymayonlyfindoutitisinastateoffreefallwhenjournalistsorlawenforcementagenciesstartcalling.

WarningSignsIfweweredealingwitharealcliff,wemightputupafence.Wecouldbuilditfarenoughbackthattherewouldbenodangerofpeoplegettingtooclosetotheedgeastheywanderaroundatnight.Wecouldhanglightedwarningsignssaying,“Danger!GoNoFurther!Cliff!”And,havingdonethis,wecouldreasonablyexpectthatwehavemanagedtheriskofsomeonehavinganunfortunateaccident.

Itturnsoutwedoverymuchthesamethinginothersystemsthatwedesign.Notknowingexactlywherethefailurepointis,wehedge,puttinginplacethresholdsandboundariesthatwebelieveprovideahealthybufferbetweenusandourtheoreticalpointofnoreturn.Wecallthisourrisktolerancelevel,anditisameasureoftheriskwecanlivewith,thechanceoffailurethatwefindacceptable.

Asmentioned,hedgingtakesplaceinmanysystems.Forexample,themanufacturerofaserverornetworkdevicemightspecifyatemperaturerangeoutsideofwhichoperatingthedevicebecomesrisky.Thedevicemayworkjustfineattheextremesofthatrange,orevenbeyondthem,butpushingthelimitsislikedancingonthecliffedge.Asanotherexample,abankermightdecidetokeepacertainratioofassetsonhandincasethebankexperienceslossesorarunonthebankoccurs,andshemaychoosetokeepmoreonhandthanshethinksshe’lleverneed,justtobesafe.Closertohome,anITmanagermightimplementcontrolsintheformofsecureconfigurationandhardeningstandardsthatapplytoanyproductionITsystem.Justaboutanythingcanbemadetoplaytheroleofthefencewhenbuildingabufferbetweenthedesignanditsfailure,includingthesamepeople,processes,andtechnologiesthatmakeupthesystem.Figure2-2illustratesthisprotectivehedgeagainstfailure.

Figure2-2Risktoleranceandhedgingagainstfailure

Inourexamplesoftwarecompany,oneofthefencesbuiltforsecuritypurposesisasoftwaredevelopmentlifecycle(SDLC)processthatexplicitlyincludessecurityreviews.Ourdeveloper,Clara,isrequiredaspartofherjobtoperformcertainsecuritytestsaspartoftheSDLCadoptedbythefirm.Thesetests,amongthemasourcecodereview,givethecompanypeaceofmindthatreasonablemeasuresareinplacetokeepfailuresassociatedwithvulnerablecodefromhappening.

DoingMorewithLessNoweverythinglooksgoodforourexamplesoftwarecompany.Thecompanyhasasystemdesignedtoproducequalitysoftwareforitscustomers.Partofthatqualityisacommitmenttosecurity.AndthecompanyhasdesignedprotectiveprocessesintothesystemintheformofSDLCsecuritytomakesurethatClaranevergetstooclosetothecliff.Managementsleepswellatnight.

Theproblemwiththishappyscenarioisthatitrarelyplaysoutsoperfectlyintherealworld.ForClara,workinginahigh-speedsoftwarecompanyisrewarding,butstressful.Likemostorganizations,Clara’scompanydoesnothaveunlimitedresourcesandhashighexpectationsofemployeeproductivity.Thedevelopmentteamseemstobeconstantlyshortacoupleofsoftwareengineers,andthemarketisalwaysdemandingnewandimprovedversionsofthecompany’sproducts.Projectdeadlinesforcodedeliverycanbebrutal,andClara’sjobsometimesfeelslikeshe’srunningonemarathonafteranother,sprintingtothefinishlinejustintimetostartthenextrace.Claraisaprofessional,andshetakessecurityseriously.Butsecurityisnottheonlythingonhermindduringadevelopmentproject.

On-time,on-budgetproductdeliveryispartofthecompany’sDNA.Claraknowsthis.Projectstatstrackedbythecompanyarealmostallaboutcompletion.Howmanymilestoneswerecompletedonschedule?Howoftenweretheycompletedearly?Noonewantstotalkaboutbeinglateforadeadline.Missingprojectdeadlinesbyevenacoupledaysthrowseverythingintodisarrayandcausesmanagementtofreakout.Themanagers’bonusesandhopesforpromotion,justlikeClara’sandeveryoneelse’sonherteam,aretiedtoprojectperformancemetrics.Ifyoublowadeadline,managementissuddenlyinyourface,andevenyourfriendsontheteambegintolookatyoufunny,likeananchorthatisdraggingthemdown.Developerswhomissmorethanafewmilestonedeadlinestendnottosurvivelongwiththecompany.

Duringaparticularlyaggressiveupdateprojectforthecompany’sflagshipproduct,Clararealizesearlythatmeetingtheprojectdeadlineisgoingtobeextremelydemanding.Shebeginstoprioritizeearly,focusingoncritical-pathactivitiesandlettingotherdetailsslideinthehopeofpickingthemuplater.SDLCsecuritytasksstarttoaccumulate,butClarakeepstellingherselfshe’llgetcaughtuplater.Soshe’sconcerned,butnotallthatsurprised,whensherealizestendaysbeforetheprojectcompletionthatfinishinguphersecurityreviewsandtestingisgoingtotaketwofullweeks.NowClarahasadecisiontomake.Sheknowshowimportantsecurityistothefirm,andtoherpersonally.ShewantstotellherbossthedeadlinewillneedtosliptoaccommodatetheSDLC

requirements,butshealsoknowsthatdoingsocouldmeantheendofhercareeratthecompany.Clarafeelsasthoughshe’scaughtbetweentwoopposingforces.TheSDLCislikeabarrierinfrontofher,holdingherbackuntilshefinishesthewholejob.Butbehindherisacrowdofpeople,surgingandpushingheragainstthatbarrierunrelentingly,tryingtoforceittogivesothatshecanfinishontime.Figure2-3illustratestheforcesactingonClara.

Figure2-3OpposingforcesinfluencingClara’sdecision

Intheend,thepressureofthedeadlineoverwhelmstheinfluenceofthe

SDLCsecurityreviewpolicies.Claralikesherjob,andsheneedsthatbonusforalong-overduetropicalvacation.Soshecrossesherfingersandchooses.She’llcompleteasmuchofthesecurityreviewasshepossiblycanintendays,butthenshe’shandingoffthatcode.

WhoMovedMyFence?UnlesssomeonenoticesandcallsClaraoutonherincompletereview,it’sunlikelythatanythingbadwillhappen.InClara’scompany,theSDLCisasetofguidelinesandpolicies.Thedevelopersholdthemselvesaccountableforcompliance,withsomeperiodicspotcheckingbymanagementandauditors.TheoddsareinClara’sfavor.Noonenoticesthatshe’scutafewcornersonthesecurityreviews.Infact,lifeforClaraisgood.Herbossisgiddythathisteammanagedtopulloffsuchanaggressiveupdateontime.Salesishappytohaveaproducttodeliver.Thecustomerissatisfiedwiththenewfeatures.Onceagain,thecompanyhasliveduptoitsreputationforreliabledelivery.Claragetsagoodbonusandlotsofpraiseforbalancingprioritieseffectively.

Clararegretsthatsheskimpedonsecurity,butit’sobvioustoherthatshemadetherightdecision.Ifshehaddelayeddeliverytodotallthesecurityi’sandcrossallthet’s,thewholesituationwouldhaveendeddifferently,andprobablybadlyforher.She’sprettysureshewouldn’tbeflyingtoMauiattheendofthemonth.

Clarahasexperiencedapowerfulfeedbackloop,createdbytherequirementforhertomanagetwoopposingsetsofexpectations.LivinguptoonesetmeanteverythingworkedoutandClaraprospered.Nowherbossthinksshe’sarockstar,andherteamrespectsher.Nothingbadhappened,andthesoftwareisprobablyfine,sinceClara’sagoodcoder.Thenexttimeshefacesthissortofdecision,Clarawillremember.Shewillbemorelikelytomakethesamedecisionagain.Herpeerswillnoticetoo,andemulateherbehavior.Eachtimesheisrewardedandtherearenonegativeconsequencesforherfailuretocompletehersecurityreviews,Clarawillfeelthatthecompanyapprovesofherlapse,atleastinthefaceofthealternatives.She’sworkingherbest,optimizingeffectively,doingmorewithless.She’salsomovingclosertothecliff.

Whatnoonecanseeisthat,asClaraandthecompanymakeahabitoftheprioritizationofcompletedprojectsovercompletedsecurityreviews,theyareslowlymovingthefence.UnlessmanagementrecognizesthatsecurityisbeingsystematicallyunderminedbymissedSDLCreviewsandrespondsbypullingClaraandherteambackbehindthesafetylinespecifiedinthedesign,thenthat

lineshiftsbydefault.Themarginoferrordecreases,thesafetyzoneshrinks,andthewholesystemdriftsinexorablytowardtheedge,asillustratedinFigure2-4.

Figure2-4Thesystemdriftingtowardfailure

LookOutBelow!Thenthedaycomeswhenavulnerabilityinoneofthecompany’sproductsspawnsanexploitthatisusedtoattackacustomer,resultinginaverypublicsecuritybreach.Intheensuinginvestigationandrootcauseanalysis,thefailure

istracedbacktocodeClaradeveloped.Peoplestartdemandingexplanations.Howcouldthishappen?Howcouldthecompany,andClarainparticular,besonegligent?Investigatorsandauditorsbegintoask,“Don’tyouhaveprocessesinplacetoreviewthesecurityofyourcode?”“Wellofcoursewedo,”thecompanyresponds.“Butinthiscasetheywerenotfollowedappropriately.”Furtherdiggingrevealssystematicproblems.ManySDLC-mandatedsecurityreviewswerenevercompleted.Theriskmanagementdesign—thefencethatpeopledependedonandassumedwasfunctioningproperly—existedonlyonpaper.Overnight,Claragoesfrombeingamodelemployee,rewardedandadmired,tobeingincompetent,negligenteven,andperhapsworse.Nooneissingingherpraisesnow,aseveryonelooksforascapegoat.HermanagersaysheneverknewClarahadviolatedpolicy,whichwassupposedtomakesecurityreviewsautomatic.Clarawillbeluckytokeepherjob.

Thecompany’smanagement,nowfacedwithacrisisthatismorethanjustaone-offfluke,decidesthatthesystemitselfisflawedandneedstobechanged.“WeneedacompletelynewSDLCsystem,”theysaytooneanother,“maybeonethatisfullyautomated.”TheCIOputsoutanRFPforconsultingtohelpthemrebuildthebrokenprocesses.Theresult,aftersixmonthsandalargebucketofmoney?System2,whichisbetterandisdesignedtoovercometheweaknessesthatgotClaraintotrouble.Ofcourse,nosystemcanbeperfect,andknowingthatthisnewsystemwillalsohaveafailurepoint,onethatishardtopredict,hardtoseeuntilyou’vegottentooclose,thecompanymakessuretobuildinappropriatelevelsofrisktolerance,keycontrolstomakesurethatsecurityisproperlyprioritized,andupgoesabright,shiny,newfencetokeepeveryonebackfromtheedge…

GettingtheDriftThephenomenonthiscasestudydescribesiswhatfailurestudiesscholarSidneyDekkercalls“drifting”intofailurestates,andithasnothingtodowithanydeliberatelybadbehavioronthepartofClaraoranyoneelse.Onthecontrary,uptothepointoffailure,Clarawasdoingeverythingright.Facedwithcompetingprioritiesandinsufficientresourcestoaccomplisheverythingthatwasexpectedofher,Clarahadtomaketrade-offs.Herenvironmentwasacomplexsystem,fullofintertwineddemandsandemergentconsequencesforeachdecision.Byfocusingonthedesignofastrategytopreventfailure,ratherthantheincompatibleandunresolveddemandsonClara’stimethatactuallyledtothefailure,thecompanyshouldreallyhavezeroconfidencethatSystem2willescapethesameeventualfate.

WhenIgivethispresentation,Ioftenseeheadsnoddinginagreementintheaudience.ThedriftanalogyobviouslyresonateswithpeopleItalkto,whoseewithinittheirownsituationsandstruggles.Butdriftexplainsmorethanjustinformationsecurity’sstruggletomaintaineffectiveprotectiveposturesovertime.Dekkerexploredfailureineverythingfromcommercialaviationtofinancialcrises.Securityisnotunique;it’sjustanothercomplexsystem.Andthistypeofslowmovementtowardfailure,broughtaboutbycompetingimperativesthatproveincompatiblewithallofanorganization’sstrategiesandgoals,canbeseeninanycomplexsystem.Asonegoalisoptimized,theriskoffailureincreasesforanother.Asthesystemproducessuccessinonearea,itcreatesfailureinanother,likeabyproduct.

TheOppositeofMonocultureTheideaofthemonoculture,alow-diversityenvironmentwhereeverythingisthesame,hasgottensomeattentioninsecurity.Specificallyappliedtotechnology,itmeansthatifyoudependtoomuchononetechnologyproduct,youcanbewidelyvulnerableifthattechnologyfailsoriscompromised.Monoculturalvulnerabilitiesmayapplytosoftwarevendors,buttheyrarelyexistwhenitcomestopeopleandsocialsystems.Ifanything,theoppositeistrue.Organizationshavesomanydifferentmicroculturesoperatingwithinthem,eachwithitsownbeliefsandwaysofdoingthings,thattheycanimpactperformanceiftheydon’tgetalong.

Thinkforamomentaboutthedifferencesbetweengroupsofpeoplewithinyourownorganization.DothepeopleintheITsupportdepartmentexperiencetheworldthesamewayasthepeopleinthefinanceorganization?Insomeways,theyprobablydo.Forexample,theyprobablyspeakthesamenationallanguage,oratleastagreetoworkinthesamelanguagewhendoingbusiness.ButevenifeveryonespeaksEnglish,peopleinthedifferentgroupslikelyspeakverydifferentlanguagesinthecontextoftheirjobs,withdifferentterminologyandcommunicationstylesthatcharacterizetheirbusinessfunctions.Beyondlanguage,therecansometimesseemtobeworldsofdifferencebetweenhowonegroupthinksandbehavescomparedtoanother.Engineersdon’tworryaboutemployeeretentionlikeHRmanagersdo.Thecustodialstaffdoesnotobsessoverquotaretirementlikethesalesteamdoes.Managersandexecutivesstressoverpoliticalrivalriesthatmanyindividualcontributorscouldn’tcarelessabout.

Microculturesareinevitablewhenyouhavedifferentspecializedgroups

populatingthelargeorganizationsthatdefinemodernsociety.Everythinghasbecometoocomplexforonepersontobeabletohaveallthecompetenciesnecessarytoachieveourorganizationalobjectives.Sowedivideuptheworkandeveryoneprovidestheiruniquecontributionstotheoverallgoal.We’veevendevelopedspecializationtoenablesomepeopletomanageallthemovingpartsstrategically,eveniftheydon’tunderstandeverythingabouthowthosepartsoperate.

Butourcollectiveactivitydoesn’talwayswork,despiteallourefforts.Wecan’therdthecats,can’tgetallthedifferentteamstoplaynicelytogether.Ourstrategicplanningmaybestymiedwhenallofthegroupsnecessarytoachievethegoalsdon’tperformthewaywehavepredictedorexpected.Ifweask“ordinary”peoplewithintheorganizationaboutwhyastrategydidn’tworkout,weoftengetsurprisinglyhonestanswers:

“Oh,Icouldhavetoldyouthatsoftwareimplementationwasn’tgoingtoworkfromthebeginning.Theyjustsetituptofail.”“Thenewexecutivestaffjustdoesn’tgetit.Theythinktheyaregoingtomagicallychangecompanyperformanceovernight.Youdon’tturnanoiltankeronadime.”“Youknow,wetryreorganizingaroundsmallerteamseveryfewyears,butitnevertakes.That’sjustnotthewaywedothingshere.”

WhenDruckercoinedhisphrase,thepreviousexamplesareexactlythesortsofscenarioshewastalkingabout.(Asanaside,althoughthequoteisattributedtohim,Druckerneveractuallywrote“cultureeatsstrategyforbreakfast”inanyofhisbooks;seethereadingsuggestionsattheendofthechapterforagoodarticlethatquotesit.)Organizationsmakeplansandformulatebusinessstrategiesallthetime.Thoseplansandstrategiesemergefrommoreorlessrationalconsiderationoftherequirementsandchallengesfacingtheorganizations,andtheorganizationsdevoteextensivetimeandenergytowritingthemdown,organizingthemintoinitiativesandprojects,settingupteams,andexecutingonmilestonestoachievetheirgoals.And,whenthosestrategiessometimesfallshort,whentheyfailtosucceedfornoapparentreason,organizationshaveadifficulttimearticulatingwhatexactlywentwrong.Organizationstalkaboutculture,andtheygotogreatlengthstoemphasizetheiruniquecultures,buttalkingaboutsomethingisn’tthesamethingasdoingit,andmoreeffortisputintodoingstrategy.Organizationsdon’tputthesameemphasisonunderstandingculture,workingtochangeit,andsettinggoalsforit.That’saproblembecause,asDruckerpointedout,cultureisfundamentaltostrategic

success.

CulturalTraitsinInformationSecuritySecurityorganizationsaren’tdifferentthanotherorganizationswhenitcomestospecializationandsubcultures.Informationsecurityoftenfunctionsasasubcultureofinformationtechnology,whilealsopossessingitsownspecializationsandmicroculturesatthecorporate,professional,andindividuallevels.Youcanfindverydifferenttypesofpeopleininformationsecurity,withcompletelyseparateskillsetsandexperiences,yetallofthemidentifythemselvesasbelongingtothesameindustryorfield.Andthefieldofinformationsecuritymostdefinitelyhasasharedcultureallitsown.Insideacompany,InfoSecmaybeaspecializedsubculturewithinIT,whichcohabitatesandconstructsthegeneralenterpriseculture,alongwithotherspecializedcommunitieslikeHR,Legal,orPhysicalSafetyandSecurity.Figure2-5illustratesthisrelationshipinasimpleway.AsIdescribedinmystoryaboutthedifferencebetweenphysicalsecurityandinformationsecurityinChapter1,eventwosubculturesthatarebothdedicatedtothesamepurpose,protectingcorporateassets,canbequitedifferentinwhattheybelieveisimportantandinthedecisionsthattheymakeabouthowtoachievetheirends.

Figure2-5Securityasasubculture

Ininformationsecurity,eventhoughtherearemanydifferentroles,eachrequiringspecializedskills,theculturesharessomecommoncharacteristicsandvaluesthateveryoneintheculturemoreorlessaccepts.Definingandanalyzingthesesharedbeliefsandassumptionsisacorerequirementforunderstandingandeventuallytransformingsecurityculture.ThroughmycareerexperienceIhaveidentifiedfourculturaltraitsthatIbelieveareimportanttorecognizewhentryingtounderstandwhysecuritystrugglestosucceed.Thesetraitsarenottheonlycharacteristicsthatdefineourculture,andobviouslynoteveryoneintheindustryexhibitseverytraitorsharesthemtothesamedegree.Butasgeneralprinciples,Ioftenseethesetraitsdrivethethinkinganddecisionsoforganizations,theirvendorsandsuppliers,andevenregulatorsandpolicymakerstryingtosolveinformationsecurity’smorecontentiousproblems.

Techno-romanticismIt’srightthereinthename.Technologyisfrontandcenterinsecuritytoday,bothasthepotentialproblemandasthelikelysolution.ButwhatdoImeanbytechno-romanticismasaculturaltrait?Thismeansthat,allthingsbeingequal,wetendtodefaulttoprioritizingtechnologyovereverythingelse.Actually,wedoitevenwhenallthingsarenotequal.Whenweidentifyaproblem,thefirstplaceweusuallygolookingforasolutionistechnology.Thatthisisthewaytheindustryworksisnotreallyverysurprising.Wehavemorethanourfairshareofengineersintheindustry,peoplewhocomefromtheirowntechnology-centricculturalbackground.Andsecurityproductvendorshaveavestedinterestinencouragingandmaintainingasysteminwhichautomationandinfrastructurearebelievedtobethemostimportantaspectofsecurity.

Culturalvaluesempowerpeoplebygivingthemacommonframeofreference.Buttheycanlimitpeople,too,byclosingmindstoalternativewaysofthinkingaboutaproblem.PsychologistAbrahamMaslowcapturedtheconceptinhisfamoussaying,“Isupposeitistempting,iftheonlytoolyouhaveisahammer,totreateverythingasifitwereanail.”Thiscanbeaprobleminsecuritywhentechnologyeclipseseverythingelse.Ifrequentlytalktosecurityprofessionalswhonotonlybelievethatmostsecurityproblemscanbebestsolvedwithtechnologysolutions,butalsobelievethatiftechnologycannotsolveaproblem,theproblemisinherentlyunsolvableandthere’snopointinputtingfurthereffortintoit.Forthem,technologyisnotjustthebestsolution,itistheonlyrealsolution.

Monoculturesareaproblemnotonlywhentheyhavetoomuchofonekindoftechnology,butalsowhentechnologyisalltheyhave.Oneofmyhopesforthis

bookisthatitbeginstopointtoademonstrablyeffectiveapproachtopeople-centricsecuritythatcanhelpalleviateourunhealthydependenceontechnologicalsolutions.

DefeatismThisculturaltraitseemstohaveevolvedprettyrecently,butithasquicklygoneviral.Withinthelastfewyears,thegeneralmessageyouwillheartransmittedinmarketingmaterials,atconferences,andintrademagazineshaschangedfromoneofhowtokeepyoursecurityfromfailing,totheneedtoacceptthatithasalreadyfailed.Evenifyoudon’tknowit,theextremeversionofthismemegoes,Thebadguyshavewon.Youarealreadyowned.Allyoucandoistrytocontainthedamageandcleanupthemess.

WhenIcameintotheindustrydecadesago,thegeneralconsensuswasthatsecuritywaswinning.Sure,therewerethreatsandchallenges,butthedominantanalogywasthatoftheWildWest.AndinformationsecuritywasliketheTexasRangers,ridingacrossthelandprotectingcitizensfrommaraudingbanditsandoutlawsasthemodernworldoflawandordertookroot.Today,westillliveintheWildWest,butnowitseemsweidentifymorewiththedefendersoftheAlamo.Surroundedonallsidesbythebadguys,everythinghasbecomeanexistentialthreat,andheroicasoureffortsmightbe,it’sonlyamatteroftimebeforewegetoverrunandslaughtered.

ExceptionalismTalktomanysecurityprofessionalstodayandyou’llhearthatthereisabsolutelynothingthatrepresentsagreatermenacetothewell-beingofsocietythancyberthreats.Inadditiontothinkingthatsecurityisthebiggestproblemtheworldfacesinaworldfullofproblems,theindustryoftenactslikethesecurityproblemisalsounique—noonehasfacedanythinglikeitbefore,sonoonecanunderstandwhatitisliketoberesponsibleforinformationsecurity.Whenyoucombinethissenseofexceptionalismwiththesenseofembattleddefeatism,youcanstarttounderstandwhysecurityexpertslookatyoulikeasuicidalidiotwhenyousuggestthatitmightbecooltobeabletouseyourpersonaliPhoneatwork.

There’snothingparticularlyexceptionalaboutinformationsecurity’ssenseofexceptionalism.Everyfieldthinksit’sdifferent.We’dbemoreexceptionalifwerecognizedasanindustrythatwearenotunique.Theproblemsweface,eventechnicalproblemsthatseemimpossiblewithoutthepresenceofadvancedITsystems,canbetracedbackhistoricallytothetelephone,thetelegraphbefore

that,andprobablyallthewaybacktowhensomeNeanderthalsnuckintoarivalclan’scaveandexfiltratedthesecretofmakingfirebycopyingadrawingfromthewall.Whatourexceptionalismdoesamuchbetterjobofexplainingiswhyitcanbesodifficultforthesecurityprogramsinmanyorganizationstogetpeopletolistentothem.Itcanbehardtogetsomeonetoagreewithyouranswerwhenyoucontinuallyactasthoughtheyareincapableofreallyunderstandingthenatureofthequestioninthefirstplace.

ParanoiaAlthoughwemightnotbeasexceptionalasweliketothinkweare,InfoSecdoesdosomethingsquitedifferentlyfromotherprofessions,somuchsothatwesometimeslookattheworldonewaywhilewearingoursecurityglasses,andadifferentwaywhenlookingatitthroughabusinessorevenpersonallens.Considerthecaseofrisk.Whenworkingwithclients,Ioftenfindthatacognitivedissonanceexistsaroundrisk,astatewherethesecurityprofessionalI’mtalkingwithholdsdifferingandcontradictoryideasaboutthesameconceptsimultaneously.Whentheydiscussriskinthecontextofsecurity,theygiveadefinitionthatessentiallycharacterizesitaspotentiallossordownside.Theymaydefineitasaformula,suchaslikelihood×severity,orasastatementofthingsthatcangowrong.Butriskisalmostalwaysperceivedasnegativeandalmostalwayssomethingtobeavoidedor,ifitisnotpossibletoavoidaltogether,managedinawaythatminimizesit.

ButifIaskthatsameprofessionalsomeprobingquestionsabouthowtheyinvestforretirement,orwhattheyliketoeatordoforfun,orwhichcompaniestheyadmiremost,itcanbeliketalkingtoacompletelydifferentperson.Aretheykeepingtheirportfolioexclusivelyinsafe,low-yieldinvestments?Mostsay“no.”Dotheysmoke,drink,oreatthingsthatarebadforthem?Manydo.Andthecompaniestheygetexcitedaboutareusuallystartupsandinnovativetrendsetters,nottheboring,dependablesortsofcompaniesthatwouldattractWarrenBuffet’seye.Risk,itseems,meanssomethingremarkablydifferentwhentheyarenottalkingaboutsecurity.

ThesedifferencesbetweenhowInfoSecprofessionalsaddresssecurityasopposedtootherthingsintheirlivesspeakstoanotherculturaltrait,asometimespervadingsenseofparanoia.Wearesousedtowatchingthingsgowrongandtounderstandingallthethingsthatcangowrong,thatwe“accentuatethenegative.”ThebenefitsofallthisITinfrastructurewehavebuilttendtofadeintothebackgroundwhenitrunssmoothly,andwetakeitasagiven.Atleastuntilitbreaks.Sincesecurityisusuallyfrontandcenterwhenitdoesbreak,both

asthemeanstoafixandapotentialtargetofblame,it’snowonderthatsomesecurityprofessionalsdevelopanobsessivelyglass-half-emptyworldview.It’sthenatureofthebeast.Butitdoesn’talwayshelpusrelatetootherpartsoftheorganizationthatdon’tnecessarilyshareourfeelingthateverythingisasecurityincidentwaitingtohappen.

“IJustKnowWhatTheyCouldDo…”Oneofmybestfriendsisasecurityexpertwhohasperformedpenetrationtestsforyears.Onatriptodoajointconsultingengagement,Istoppedbyhisroomaswewereleavingthehoteljustintimetofindhimlockinghistoothbrushandseveralotherpersonalgroomingitemsinthehotelsafe,alongwithhisvaluables.

“Whatareyoudoing?”Iasked.HispassportandiPad,Iunderstood.Buthistoothbrushandcomb?

“Ineverleavethatstuffout,”hesaid,enteringanewcodeintothesafe.“Doyou?”

“Yeah,”Ilaughed.“What,youthinkthecleaningstaffwantstomesswithyourstuff?”

“Idon’tcarewhattheywant,”hereplied,shootingmealook.“ButI’vebeenscrewingwithpeople’ssystemsforlongenoughtoknowit’snotaboutwhattheywanttodo.Ijustknowwhattheycoulddo,iftheywantedto.Thinkaboutthat.”

Idid.Andtothisday,IlockupmytoothbrusheverytimeIstayinahotel.

CompetingValuesandSecurityThreatsClara’scaseearlierinthechapterisanexampleofasituationwhereoneculturalvalue(thedesiretoproduceafinishedproductquickly)createdadirectthreattoanotherculturalvalue(thedesiretomakesurethatproductdidnotcontainsecurityflaws).Theseconflictsoccurallthetimeinbusinessandinlife.TheyareatthecoreofDekker’sconceptofdrift,becauseindividualsareforcedtochoosebetweencompetingprioritiesthatallhavethepotentialtocausefailure.Theprioritiesthatendupbeingchosen,andwhetherthosedecisionsarethenrewardedorpunished,representthereal-worldoperationalizationofanorganization’svalues.SecuritymayhavebeenapriorityinClara’scompany,but

whenpressed,whentherewasnotenoughtimeormoneytodoeverything,asinClara’scase,thecompany’smostimportantculturalimperativewastogetproductstomarketontime.That’swhatthecompanymostcaredabout.Cuttingasecurityreviewshortwaslamentable,butblowingtheproductiondeadlinewasunacceptable.

Muchoftherestofthisbookwillbedevotedtohuntingdownthehiddenthreatsposedbycompetingculturalvaluesandreplacingvaluesthatdegradesecuritywiththosethatimproveit.Many,ifnotmost,securityincidentscanbetracedbackatleastinparttocompetingvaluesthatledtoconflictsinbehavior,whichinturncreatedrisk.Theseriskscannotbeeasilymanagedbyjustidentifyingathreatandavoidingorcontrollingforit.Thethreatisalsointrinsictothesystem.ItistheRubik’sCubeeffectImentionedinChapter1,wheremakingsomethingmoresecuremeansmakingsomethingelselesssuccessful,maybelessefficientorlessproductive.Iftheorganizationputsagreaterpriorityonthatsuccessthanoninformationsecurity,securitywilllose.Theonlysurefirecontrolistoincreaseresourcessothatbothprioritiescanbeachieved.Sincethat’snotusuallygoingtohappen,theonlyrealisticoptionistodiscoverthesethreatsandmakethecompetingvaluesthatinitiatethemvisibletoallthestakeholdersinvolved.Youdon’tsolvetheproblemthisway,butyouallowpeopletohaveanhonestconversationaboutthoseprioritiesandgivetheorganizationtheopportunitytoacceptriskinaninformedway,ratherthantheblindacceptanceoflettingitcontinuetoexist,invisibleanddangerous.

Whenleadersimposestrategiesonanorganizationwithoutunderstandingtheculturaldynamicsinplace,orinspiteofthoseculturaldynamics,theymakethemistakeofexpectingabouldertorolluphill.Youcancertainlymakeaboulderrollupahill,butnotbyjustdeclaringthatiswhereitmustgo.Defyinggravityrequiresplanning,force,andengineeringeffortstocreatewhatfeelslikeaveryunnaturaloutcome.Executionistheboulder.Cultureisthehill.Gravityandinertiaarealwaysonitsside,andlefttoitsowndevices,culturealwayshasthefinalsay.

TheChangeAgentsofSecurityCultureSowhomakessecurityculturework?Whoisresponsibleforchangingit,forhackingitlikeIencouragedinChapter1?Whoisbestpositionedtotransformthesystem?Theclichéansweriseverybody.Anorganization’scultureiscreatedbytheeverydaydecisionsandinteractionsandbeliefsofthepeopleinit.Butwe

cannarrowthatdownalittleandidentifydifferentfolkswiththebestchanceofleveragingculturalchange.Let’sstartattheverytop,withseniorleadership.

TheC-SuiteLeadersareinauniquepositiontoaffectculture,becausetheycanhelpcreateitthroughtheirinfluenceandtheirexamples.Ininformationsecurity,theCISOistheseniorsecurity-specificleader,butcompanieshavebecomepainfullyawarethattheeffectsofabreachcanreverberatefarbeyondtheCISO’soffice,affectingtheentireC-Suiteofchiefexecutives.Sosecurityleadershipandorganizationalleadershiparesortofsynonymousthesedays.Theyallhaveastakeinsuccess.

Changingcultureishard.Themostimportantthingseniorsecuritystakeholders,bothinsideandoutsidetheformalsecurityprogram,candoistorecognizethattransformingsecurityculturemeanschangingthewaypeoplethink,notjusthowtheybehave.Andthatstartswiththeleadersthemselves.Theymayhavetochangecompletelythewaytheythinkaboutsecurity,andtheywillcertainlyhavetoacceptthatsolvingthehumanequationistheonlywaytomaketheirstrategiessuccessful.Youcandictateastrategy,butyoucannotdictatethecultureyouneedtomakeitwork.

SecurityAwarenessTeamsImentionedsecurityawarenessteamsinChapter1inthecontextofculturehacking,andIhavetoputthemfrontandcenteragainhere.Morethananyoneelseoutsideofseniorleadership,thesecurityawarenessmanagersandtrainersinanorganizationarebestpositionedasculturalchangeagents.Onereasonisthat,evenmorethanseniorleadership,securityawarenessprofessionalshavealreadyboughtintopeople-centricsecurity.Agreatpartoftheirraisond′êtreistheexplorationandmanagementofhumanbehavior,includingthemotivationsandhiddendriversofit.

WhatIhaveseensecurityawarenessteamsstrugglewithisthelackofagoodknowledgebaseandmaturityintheindustryforunderstandingorganizationalandhumanbehavioringeneral.Whiletherearelotsoftacticalapproachesandmethodsforimprovingsecurityawareness,Ioftenseesecurityawarenessteamslookingformorestrategicandtheoreticresourcesthatcanhelpinformtheireffortsandcarrythemtonewlevelsofefficacyandreach.Giventherelativeyouthandinexperienceofinformationsecurityasaformaldiscipline(afewdecadesforuscomparedtogenerationsorevencenturiesforlaw,insurance,and

finance),thisshouldbeunsurprising.Andweareatthepointinourprofession’sevolutionwherewemovefrompracticingwhatwedototheorizingabouthowandwhywedoit,sothoseconversationsarebeginningtohappen.I’mwritingthisbookinmyownminorattemptatcontributingtoandinfluencingthatconversation.

SecurityResearchersI’mnottheonlycurioussoulinthesecurityindustry,fortunately.Onethingthatmakesmeproudofbeingpartofinformationsecurityisthatweseemtohavemorethanourshareofsmart,curiousresearcherswhoenjoythinkingaboutthingsinnewways.Thatincludesthebadguysaswellasthegoodguys,butifyoucanjudgepeoplebythequalityoftheirenemies,informationsecurityisadynamicandinnovativeplace.

Theindustry’sloveaffairwithtechnologyputsapremiumonengineeringandproductresearch,andthere’snoquestionthatInfoSecresearchersinthisspacedosomeamazingthings.Butthatsametechno-romanticismhasmadesecurityprettyweakinthesocialsciences,bycomparison.Iencounteralotofbiasandcondescensiondirectedtoward“subjective”approachesandqualitativeresearchmethodscommonlyusedbysocialscienceresearcherssuchasanthropologists,sociologists,andeconomists.Securityproswillusesuchapproachesandmethods,butonlyasnecessaryevilswhen“objective”andquantitativemethodsaren’tpossible.Thefactthattheindustryoftenshowsalackofunderstandingofwhatthesetermsactuallymeancanbeannoying,butIliketothinkofitasanopportunity.

Thisbookisaboutculture,soitisunashamedlygroundedinthesocialsciences,intheostensiblysecond-tiersubjectiveandqualitativemethodsmanyintheindustrymistrust.OneofmyhopesisthatreadersfindthetechniquesIincludeintriguing,maybeevencapableofanswering,atleastinpart,questionstheythoughtimpossibletoanswerbefore.Iamconvincedthatmoresocialscienceresearchininformationsecurity—explorationsofsociology,ofpsychology,andofhumanrelationshipsingeneral—hasthecapabilitytotransformnotjustsecurityculturebuttheentirewayweoperateasadiscipline.

SecurityPractitionersFromsoftwaredeveloperstofirewalladministratorstotheanalystsmanningthesecurityoperationscenters,practitionersmakethedailyworkofinformationsecurityhappen.Youdon’tchangesecurityculturewithoutthem.But

practitionersarenotjustpassivetargetsoftransformationalefforts.Thesestakeholdersareperhapsbestpositionedtounderstandandexploresecurityculturebecausetheyliveiteveryday.

Securitypractitionerscancontributetosecurityculturalchangeinatleasttwoways.First,theycanactasasourceofdataonhowthesecurityculturefunctions,whatitis,whereitworks,andwhereitdoesnotwork.Researchersandspecialistswhoaretrainedtoelicitthisinformationcanhelpthesecurityculturebecomemoreself-aware.Onceself-knowledgetakesroot,practitionerscanthenbecomemoreactiveparticipantsinchangingtheirownenvironment.Aswe’llsee,muchoftheprocessofculturaltransformationreliesonthesesortsofbootstrappingefforts,peoplerecognizinggoodandbadhabits,cultivatingtheformerandworkingtomodifythelatter.

MakingSecurityCulturalApeople-centricapproachtosecuritydoesnotmeanaddressingthehumanthreat.People-centricmeans,literally,puttingpeopleatthecenterofthewholesecuritychallengeandemphasizingthewaysinwhichtheyarecentraltosolvingproblemsratherthanhowtheycontributetothem.People-centricsecuritymeansthatsecurityleaderssuchastheCISOhavetolookbeyondtheimmediateneedsofasecurityprogramteamandtakeintoaccountotherstakeholdersandtheirneedsandpriorities.People-centricsecuritymeanstheentireindustryrecognizesthatnoteveryonesharesintheirbeliefthatsecurityistheworld’sbiggestproblem,thattechnologyisthebestwaytoescapethatproblem,andthatinformationsecurityhasaprivilegedanduniqueinsightintohowtheworldoperates.

Instead,apeople-centricsecurityperspectiveembracesthevaluesandprioritiesofthosewhoareoutsidetheinformationsecurityfieldasthebestwayofhelpingsecuritybesuccessfulandcompeteinanactivemarketplaceofvaluesandideas.People-centricsecurityispoliticalandhumanistic,anditistheonlywayforsecuritytothriveintoday’senvironment.FUD,theuseoffear,uncertainty,anddoubttopushouragenda,isnolongersustainable.Weneedtoreexamineourownbeliefs,questioneverythingthatwehavecometounderstandaboutinformationsecurity,andseeifthosevaluesstillholdup.Wheretheydonot,wemustchangethem.Ourendgoalwillbetotransforminformationsecuritycultureforentireorganizations,butbeforethathappens,wewillhavetotransformourown,andthatrequireslearningabitabouthoworganizational

culturefunctions.

FurtherReadingAulet,Bill.“CultureEatsStrategyforBreakfast.”TechCrunch,April12,2014.Availableathttp://techcrunch.com/.Dekker,Sidney.DriftintoFailure:FromHuntingBrokenComponentstoUnderstandingComplexSystems.Burlington,VT:Ashgate,2011.

http://techcrunch.com/

I

CHAPTER3

OrganizationalCulture:APrimer

’mgoingtomakethecaseinthisbookthatsecuritycultureisfundamentaltosecurityperformanceandofferapathtotransformingyourorganization’sinformationsecuritycultureasawaytoreducerisk,increasevalue,andavoidsecurityincidents.Buttomakethatcase,Ineedtodemonstratethatthecriticallinkbetweenorganizationalcultureandorganizationalperformanceisnotanewideainindustry,justonethatisprettynewtoInfoSec.Studyingorganizationalandcorporatecultureasameanstomakingcompaniesperformbetterincompetitiveandvolatilecircumstanceshasarichhistoryinbothbusinessandacademia.InthischapterIwilldrawonsomeofthisresearchtohelpyouunderstandthegroundworkthathasalreadybeenestablished,evenifonlyataveryhighlevel.

TheCulturalSuccessofAppleIt’salmostaclichétoholdupAppleasanexampleofasuccessfulorganizationalculture,butprobablymorethananyothercompanyinrecentmemory,includingotherwildlysuccessfultechnologyfirms,Appleremainsuniqueasaculturalcasestudy.Itsucceededwildly,thennearlyfailed,onlytopulloffoneofthemostamazingcomebackstoriesinhistory.ThenearcultofpersonalitythatdevelopedaroundSteveJobs,whowasinstrumentalinApple’sreturntoglory,madehisstyleofleadershipsynonymouswithApple’sculture.Andthecompanyhasliterallychangedglobalsocietywithitshardwareandsoftware,allwhilemaintaininganauraofstyleandcontinuousinnovationthatfewofitspeerscanmatch.

Muchink,realanddigital,hasbeenspilledtryingtodeconstructApple’sculture,includingwhetherthecompanyisasmagicalasitshardcorefansbelieveittobe.Butyoudon’thavetoloveAppletoappreciatethepowerofitsemployees’andcustomers’senseofidentityandnearworshipofcoretenetslikedesign,simplicity,andnovelty.Cultureisaboutsharedvaluesandbeliefs.WhateveronethinksaboutAppleasacompany,noonecansaythatthecompany’sculturehaslittletodowithApple’ssuccess.

TheFieldofOrganizationalCultureThestudyoforganizationalculturegrewoutofthestudyofcultureatamoregenerallevel.Sometimesthetwofieldsstilloverlap.Someresearchersengagewithculturesthatexistwithinorganizations,asIdointhisbook,andsomestudyhoworganizationsworkacrossandbetweencultures(forinstance,inthecaseofmultinationalcorporations).Idon’tputasmuchemphasisonthislatteraspect,althoughitstillcanholdimplicationsforinformationsecurity.

OriginsThefirstscientiststostudyculture,theoneswhoinventedthewordinthefirstplace,wereanthropologists.Inthenineteenthcentury,socialscientistswereconcernedwithhowsocietiesandcivilizationsdevelopedandevolved.Specifically,theywantedtoknowhowentirebeliefsystemscouldbetransmittedandmaintainedfromgenerationtogeneration.Whatmadeonesocietysoverydifferentfromanother,andwhatmadethosedifferencesstickovertime?Afullexaminationoftheevolutionofculturalanthropologyiswaybeyondthescopeofthisbook;thepertinentpointhereisthatearlyanthropologistsrecognizedthatsomething,somephenomenon,alloweddifferinggroupsofpeopletosharecommonsocialattributesandbehaviors,andthatthisphenomenoncouldactasapowerfulforceinshapingthelivesofagroup’smembersacrossbothspaceandtime.

SecurityandGlobalCultureCiscoisaglobaltechnologycompanywithofficesandcustomersallovertheworld.Inadditiontomanagingadiverseandmulticulturalworkforce

acrossdozensofcountries,Ciscohassponsoreddedicatedresearchintothewaysthatdifferentculturesengageininformationsecurity.AstudycommissionedbyCiscoin2008,resultinginaseriesofwhitepaperstitledDataLeakageWorldwide,specificallytargetedhumaninformationsecuritybehaviorsacrosscultures,identifyingpatternsanddifferencesaroundsecuritypracticesfromcountrytocountry.Theresultspointedtointeresting,culturallyspecificwaysthatsecuritypracticesdifferdependingupontheuniquebeliefsandsocialvaluesofthesocietiesinwhichthosepracticesexist.TheDataLeakageWorldwidewhitepaperscanbefoundbysearchingontheCiscohomepageatwww.cisco.com.

Withtheriseoflarge,bureaucraticorganizationsdesignedtofacilitatebusiness,governance,andotherstrategicsocialgoals,theworldbegantowitnessdifferententerprisesgrowingascomplexandasgeographicallydistributedassomenationsorpeoples.Astheseorganizationsexpandedandthrivedacrossspaceandtimeaswell,maintainingthesamestructuresandprocesseswellbeyondthelifetimeofanysingleindividualmember,anewgenerationofresearcherstooknotice.Businessscholarsandorganizationaltheoristsborrowedtheconceptsinventedbythesocialscientistsandanthropologistsandbegantoapplythemtocompaniesandotherlargeorganizations.Ittookawhile.Thefieldoforganizationalstudieshasalsobeenaroundalongtime,evolvingseparatelyfromanthropologyanddatingbacktotheIndustrialRevolution.Butitwasonlyinthesecondhalfofthetwentiethcenturythatresearchersmergedthetwodisciplinesandbeganspecificallylookingatcultureinthecontextofbusinessesandotherlarge,organizedenterprises.

Whereastheanthropologistswereconcernedwithunderstandingwhatmadeasocietytick,theorganizationalcultureresearcherswereoftenmoreconcernedwithwhatmadeorganizations,particularlybusinesses,successful.Whydidonecompanydosomuchbetterinitsindustry(orsomuchworse)thananother?Howcouldonecompanycompletelyreinventitselftoovercomeamarketchallengewhileapeerstruggledandultimatelyfailedtochangethewayitdidbusiness?Often,thedifferencesbetweencompetitorfirmsseemedtoboildowntothingsthatseemedintangible.Whatdidtheleadershipbelieve?Howdidtheorganizationtreatitsmembers?Whatwerethemostimportantsymbols,values,andritualsinthedailylivesofallthemembers?

http://www.cisco.com

OutcomesTheendresultofthesestudiesisanacademicfieldofitsown(several,actually),aswellasanindustryofmanagementtheoristsandbusinessconsultantswhohaveattemptedtounlockthesecretsofcultureandputthemtoproductiveuseinimprovingorganizationalperformance.Therearetheoriesandframeworkstoexplainculture,aswellasdisagreementanddebateaboutwhatitallmeans,butatthecoreofthedisciplineareanumberofpowerfulcommonthemesthatyouwillfindoverandoveragain.ThesecommonalitiesarewhatweneedtofocusoninordertounderstandwhatorganizationalculturecandoforITandinformationsecurity.

TheCulturalFailureofEnronIfAppleisago-toexampleofsuccessfulorganizationalculture,thescandalousEnroncultureeasilyqualifiesasanobviousopposingexample.In2001,theenergyandcommoditiescompanyimplodedasitbecameapparentthattheentireenterprisewasbuiltuponasystemiccultureofcorruption,deceit,andfraud.WhereApplechangedtheworldbycreatingtheiPhone,thususheringintheageofmobilesmartdevices,EnronchangeditbycallingintoquestionvirtuallythewholeaccountingindustryandusheringintheageofSarbanes-Oxley(SOX)compliance.

Enrondidnotfailbecauseitsculturewasweak,atleastnotinthesensethatpeopledidn’tsharecommonvalues.Thebigproblemwasthatthecommonvaluessharedbyseniormanagementandpushedthroughoutthecompanywerereprehensibleandethicallybankrupt.Enron’sculturewasaboutpushingtotheedgeandbeyond,beginningwithinnovationsincommoditiestradingandenergymarkets,beforeendingwithdebt,oversight,andthelaw.Enronwasnotthelastofthecorporategovernancescandalsinthatperiod,andseveralhigh-profilecompaniesfollowedthefirmintoignominiousfailureasaresultoftheirowntoxiccultures,whilesimultaneouslypoisoningthereputationsoftheaccountingfirmsthatmanagedtheirbooks.InthecaseofEnron’sownaccountingcompany,ArthurAndersen,thedamageprovedfatalandthatcompanyceasedtoexistalongwithitsdisgracedclient.

TheCultureIcebergOrganizationalculturelendsitselftotheicebergmetaphor.Readafewbooksoncorporatecultureandwhatimmediatelycomesthroughisthesenseofthingshiddenbelowthesurface.Nomatterwhatyoucanseesuperficially,youcanbesurethereismuchmoregoingonbelowthatyoucannotobserve.Infact,inthegrandschemeofthings,theicebergyouseeisreallyjustthetip.

InChapter2,IquotedPeterDrucker’spredictionthatstrategywillloseouttocultureinnearlyeverycontest.Theicebergmetaphorhelpstoexplainwhy.Whenastrategicinitiativefocusesonlyonthepartofachallengeorproblemthatisvisibleandeasilyidentified,it’slikehookingaropebetweentheicebergandarowboatandtellingthecrewtotowit.Itmaynotlooklikesuchabigjobfromthesurface,butthat’sonlybecauseyoucan’tseetheenormityofwhatyouaretryingtomove.Peoplecanrowreallyhardandeveryonemayapplaudtheirefforts,butthatonelittlerowboatisnotgoingtoaltertheiceberg’scourse,nomatterhowgreattheexertion.Therealityisit’sthemassunderthewavesthatactuallydeterminestheiceberg’scoursethroughthesea,thepartthatremainshiddenfromyou,untouchedandunaffected.Theremightnotbeaboatbigenoughtochangethatthing’sdirection.

Withculture,thepartofthewholethatisanalogoustothevisibleiceabovethesurfaceisthecollectionofobservablebehaviorsoccurringwithintheorganizationeveryday.Whatpeopledo,whattheysay,whattheywear…theseareallmoreorlessvisibledecisions.Andwetendtotalkaboutcultureintermsofthesebehaviors,choices,anddecisions.Wemightsayanorganizationhasaformalcultureifweobservethateveryonewearsasuitandtietowork,oracasualcultureifeveryonecomestotheofficeinshortsandflip-flops.Basedonanorganization’sbehavior,itsculturemaybedescribedascutthroatcomparedtoonethatiscollegial;oropenandtrustingasopposedtohighlycontrolled.Weevenseeculturesthatwewoulddescribeastoxicorunhealthyandthatcorruptorharmthepeoplewithinthem.Butallofthesebehaviorsaredrivenbymotivatingfactorsthatarehappeningunderneaththethingsweareseeinginfrontofus,asillustratedinFigure3-1.

Figure3-1Theicebergmetaphorofculture

HiddenAspectsThefirstprincipleexpertsrecognizeinorganizationalcultureisthatobservablebehaviorsaresuperficial.Theyarealwaysconnectedtounderlyingassumptionsandbeliefsthatremainhiddeninthesensethateveryonesimplytakesthemforgranted.Peopledon’toftenspendalotoftimethinkingaboutwhytheybelievesomething.Theyareusuallytoobusydoingthings,livingtheirlives.Butthethingstheydoaredriven,atleastinpart,bywhattheybelieve.Cultureisthesameway,andscholarsfromEdgarScheintoGeertHofstedetoKarlWeickhaveexploredanddocumentedthewayorganizationalculturefunctionsasasortofcollectiveunconsciousfortheorganization.Itwouldbeincrediblydifficultforacompanytodobusinessifeveryoneinithadtoask“whydowedothis?”before

makingadecision.Companieswillactuallygotogreatpainstoarticulateaspectsoftheculture—postingsignsaroundtheiroffices,makingcardstowearwithpeoples’badges,runningawarenesscampaigns—toencouragecertaintypesofbehaviors.Theywanttomakethosehiddenassumptionsmorevisible.Ironically,thisattempttohelppeopleunderstandwhytheyareexpectedtobehaveinacertainwayisalsointendedtomakesuchbehaviormoreautomaticandreflexive.

Soanyunderstandingofsecurityculturehastotakeintoaccountalltheassumptions,hiddenbeliefsandmotivations,andunconsciousritualsthathavebeeningrainedintotheorganizationasawhole.TheexampleofClarainthepreviouschapterillustratesthisidea.Encouragingaspecificsecuritybehaviorwasveryimportanttothecompany.Noonewouldhavesuggestedotherwise,andtherewerenumerouspoliciesandprocessesinplacetoenforcethatbehavior.Butlurkingunderthesurfacewereotherbeliefsandassumptions,onesthatdirectlycompetedwithClara’ssecurityresponsibilities.Noonereallyquestionedthem,ortheresultingincompatiblerelationship.And,attheendoftheday,Clarabelievedmorestronglythatshewouldberewardedorpunishedforonebehaviorthanshewouldforanother.Afterthecustomerbreachoccurredthatexploitedhercodingmistake,thecompanyretroactivelyattemptedtomakeherdecisiontoforegofinalsecuritycheckslooknegligentandwrong.Butthefactwas,atthetime,shedidexactlywhatthesystemhadtrainedandconditioned(andevenrewarded)hertodo.

Adifficultyofanalyzingcultureisthatitinvolvesmorethanjustdifferentiatingbetweenwhatapersondoesandthemotivationsbehind(orbeneath)thoseactionsanddecisions.Almostallresearchersintoorganizationalculturesharetheopinionthatculturecanbeverydifficulttochange(atopicI’llcoverabitlaterinthechapter).Thisisbecausebehaviorisnotsomethingthatexistsindependentlyofculture.Aperson’sbehavioristhevisibleresultofculture,liketheflameonamatchstickisthevisibleresultofthechemicalprocessofcombustion.Youcan’tstartwithaflameandendupwithamatch.It’slikethatwithbehaviorandculture,too.Focusonlyonbehavior,onwhatyoucansee,andyoumightchangeit,atleastuntilyoustoplookingatit.Afterthat,peopletendtogobacktotheirold,unconsciouswayofdoingthings.Soeffectuatingbehavioralchangealoneisextremelyresourceintensive,asanysecurityawarenessteamcantellyou.Butchangewhatsomeonebelieves,whatdrivesthemtomakethedecisioninthefirstplace,andtheywilldothebehavioralworkforyou.It’stheculturalequivalentoftheancientMaimonidesquote,“Giveamanafishandyoufeedhimforaday;teachamantofishand

youfeedhimforalifetime.”

PeoplePoweredYouonlygetconflictsbetweenbeliefandbehaviorwhenyouaredealingwithhumanbeings.Theideathatvaluesandassumptionsdrivedecisionsandactionsisasecondbasicprincipleoforganizationalculture.Softwaremayhavehiddenbugs,yourfirewallmayhavehiddenruleconflicts,buttechnologydoesn’thavehiddenmotivations.Itcan’texperiencecognitivedissonanceorgetconflictedabouttherightthingtodoinadifficultsituation.Peoplearetheonlyoneswhoexperiencethesethings,andpeople-centricsecuritymeansfirstandforemostrecognizingthatculturedrivesbehavior.Policiesdon’t.Howmanyofuscanthinkofapolicythatweknowisinplaceinourorganizationyetwedon’tfolloworobeyit,maybebecauseit’ssilly,maybebecauseweknowthatthecompanydoesn’tenforceit,ormaybebecauseitconflictswithamoreimportantpolicy?

Divingintotheorganizationalcultureliterature,youwillfindanoverwhelminglydiverseexplorationofthewaysinwhichpeoplecreatetheorganizationandhowtheychangeitforthegoodorforthebad.Insightscanrangefromtheexistenceofmythologiesandstoriestodefinehowcultureworks,talesofheroesandmonstersstraightoutofJosephCampbell,toclinicalpsychology,diagnosingbehaviorasthoughanorganizationitselfcouldbementallyill.Butattheheartofeverythingistherecognitionthatwithoutpeople,youhavenoorganizationalculture,orevenanorganization.

Theeasewithwhichculturecanoverwhelmandconfoundorganizationalstrategyisoneofthepowerlessonsforpeople-centricsecurity.Informationsecurityisbeginningtohitawallintermsofwhatitcanhopetoaccomplishwithstrategiesbasedprimarilyontoolsandtechnologyproducts.Thisisnotbecausewedon’thavegreattoolsandtechnologies,butbecausewearereachingapointwherewecannotdomorewithouttheexpresscooperationandcollaborationoftherestoftheorganization,whohavetheirowngreattoolsandtechnologies,manyofwhichconflictwithsecurity.Increasingly,thepotentialsuccessorfailureofinformationsecurityisajointpartnershipwithpeopleelsewhereinthesystem,whethertheyaretheexecutiveswhosetstrategyanddirection,thebudgetgatekeeperswhofundthings,themanagerswhokeepitallrunningonthefrontlines,ortheindividualuserswhomaketheeverydaychoicesthatmeanthedifferencebetweendeterrenceanddisaster.

TheOrganizationalCultural/OrganizationalPerformanceLinkAnothercommonthemeinorganizationalcultureresearch,andtheonethatresonatesmostwithcorporateexecutives,isthelinkbetweenorganizationalcultureandorganizationalperformance.Doesanorganization’scultureexertapositiveornegativeimpactonhowsuccessfulthatorganizationisinitsindustryorhoweffectivelyitachievesitsgoals?Theanswerisanunqualifiedyes.Evidencerangesfrom“commonsense”anecdotalstories,tobusinessschoolcasestudies,tolongitudinalstudiesofcorporateperformancestretchingoveryears.Butthebottomline,figurativelyaswellasliterally,isthatanorganizationwithadysfunctionalcultureisnevergoingtoperformaswellasitcould.Whatconstitutesgoodorbadwhenitcomestoculture,whatmakesoneculturestrongandanotherweak,isastickierproblem.Differentculturesareappropriatefordifferentindustries,andwhatworksforoneorganizationwon’tnecessarilygeneratesuccessinanother.Butifyourcultureholdsyouback,itcanbelikerunningaracewithweightstiedtoyourorganization’slegs.

Oneofthemostimpressiveexaminationsoftheculture–performancelinkisJohnKotterandJamesHeskett’sbook,CorporateCultureandPerformance,whichdescribestheirresearchstudiesspanningmultiplecompaniesoverseveralyears.Empiricalandnuanced,KotterandHeskett’sworkexplorestheoriesofwhyandwhencultureeitherhelpsorgetsinthewayofacompany’ssuccess.Theyshowthatitisnotaseasyassayinga“strong”ora“weak”culturemakesyourorganizationsuccessful.Manyorganizationswithstrong,forcefulculturesthataretransmittedandenforcedamongmembershavefailed,sometimesspectacularly,whileseeminglyweakorlessentrenchedcultureshavethrived.Instead,itseemsthatthesecrettosuccessisoneofharnessingculturetoservethebusiness,justlikeanyotherresource.Theculturesthatdothebestappeartobetheonesthathavethebest“fit”fortheindustryandthechallengestheyface,includingthecapabilitytorespondandadapttochange.

Culturecanbedisruptivejustlikemarkets,businessmodels,andtechnologies.Manyofthecasestudiesyouwillfindthatdescribehowcultureislinkedtoperformancewillnotbeaboutanyparticularculturetype,butabouthowanorganizationadapteditselftonewchallengesanduseditsculturetohelpitdoso.Failurebecomesmorelikelywhenaculturethatseemedtoworkyesterdaynolonger“fits”itsenvironment.Inthesesituationstheorganizationcanfinditselfoutmaneuveredbyother,moreresponsivecultures.Culturescanalsocompetewithinthesameorganization,asmyexampleshaveshown,and

thiscanleadtodegradingcapabilitiesastheenterprisehastocompetewithotherorganizationswhilealsoaddressinginternalconflictsthatdistractandsapresources.

TheCulturalMigrationofPayPalAfascinatingexampleofthepoweroforganizationalculturecanbefoundintheso-calledPayPalMafia,atermthatreferstothefoundersandearlyemployeesofdigitalpaymentpioneerPayPal.AftereBay’sacquisitionofPayPalin2002,manyofthosefoundersandemployeeslefttogostartothercompanies.Theseindividuals,includingbillionaireentrepreneursReidHoffman(LinkedIn),ElonMusk(TeslaandSpaceX),andPeterThiel(ClariumCapitalandFacebook),areoftencreditedasstartinganewSiliconValleyresurgence.Thecommonthreadsofthestory,beginningwithreportedclashesbetweenthePayPalfoundersandtheirmorecorporateandconservativenewowners,havetodowithasetofbrilliantandrestlesspeopleliterallysharingavisionofreshapingtheworld,notjustfacilitatingonlinefinancialtransactions.

Cultureisnotonlypowerfulandmalleable.Itisportableandpotentiallycontagious.Createdbypeopleorganizingincomplex,interdependentways,culturecanproduceeffectsthatrippleandtransmitthroughanentiresocialnetwork.InthecaseofthePayPalMafia,normalstartupvisionswerenotevenenough.Morethanbuildingacompany,theywere(andstillareinmanycases)driventochangesocietyaltogether,fromspacetraveltoelectricvehiclestofindingacurefordeath.Andtheyhadnointentionofallowingthestatusquo,evenonethatmadethemfabulouslywealthy,getinthewayoftheirvisionforanew,morefunctionalsystem.That’sculturehacking.

Theimplicationsoftheculture–performancelinkforinformationsecurityareprettyclear.InfoSecusuallyexistsasaseparatesubculturewithinanorganization,maybeevenremovedfromtherestofIT.Andinformationsecurityculturestendtobestrong,inopinionandmotivationifnotalwaysinpoliticalpower.Ifinformationsecurityisnotagoodculturalfitwithintheorganization,ifitconflictsorcompeteswithotherculturalgroups,thenitisgoingtobeverydifficulttomaximizetheInfoSecprogram’seffectiveness.Consequently,performancemaydegrade,oratleastmaynotbeaseffectiveasitcouldbe,and

thisleadsdirectlytoincreasedsecurityrisks.

AssessingandMeasuringCultureTheideaofculturehavingacausallinktocompanyperformancemakestheideaofmeasuringandanalyzingorganizationalcultureveryimportant.Youarenotgoingtosuccessfullychangeormanagesomethingthatyoucannotdefine,observe,andassess;inotherwords,somethingyoucannotmeasure.Researchershaverespondedbydevelopinginstrumentsandtechniquesformeasuringcultureanditsimpactonanorganization’seffectiveness.

Qualitativevs.QuantitativeMeasurementofCultureAsanyonewhoknowsmeorhasheardmespeakpubliclycantellyou,Ihaveaproblemwiththeinformationsecurityfield’suseofthetermqualitative.InInfoSec,referringtodataasqualitativeimpliesthatthedatashouldbeconsideredsubjectiveandlessreliable,asopposedtoquantitativedata,whichareseentobemoreobjectiveandtrustworthy.Thiscreatesallsortsofchallengesforsecurityprofessionalswhoaretryingtomeasuretheresultsoftheiractivities.Ourindustry’sbiastowardnumberslimitsthemeasuresandapproacheswecanuse.Italsoencouragesustoengagein“statisticalalchemy,”whichistheprocessbywhichwetakethingsthatarenotquantitativeandassignnumberstotheminanattempttomakethemappearmorerigorous.Whatweendupwithisnotonlyanattempttocompareapplestooranges,butaformulabywhichapplesaremultipliedbyoranges,thenweightedusingasystemofbagels.Inotherwords,nonsensedressedupasscience.

Iregularlyseesecurityteamsgetintotroublestatistically,usuallywhentheyfeeltheneedtocreatemetricsthatwillimpressseniormanagement.Askingindividualmembersofthesecurityteamwhetherrisksandcostsarehigh,medium,orlowisastapleofinformationsecurityriskassessments.Theresultingred,yellow,andgreenheatmapscancomeacrosstosomeaudiencesassimplistic,becausetheyusuallyare.Butchanginghigh,medium,andlowtoarangebetween1and100(orcorrespondingarbitraryfinancialfigures)doesn’tmakeameasurementquantitative.Itjustmeansthatyouareaskingforanopinionexpressedasanumberratherthanaword.You’restillgettingpeople’sopinionsaboutthetruthratherthanactuallymeasuringwhat’strue.Butthisneverthelessallowsmanysecurityteamstoclaimthattheyhavestopped

collectingfuzzy“qualitative”dataintheirassessmentsinfavorofthosethataremorequantitative.

Inthesocialsciences,includingfieldslikeanthropologyandsociology,whereculturecanbeofprimaryinterest,qualitativedatameanssomethingverydifferent.Simplyput,dataarequalitativewhenyoucannoteasilycountthem.Goodexamplesincludeastorytoldduringastaffmeeting,thetranscriptofaresponsetoanopen-endedinterviewquestion,avideorecordingofasalesmeeting,orthephotographfromyourlastteam-buildingevent.Myexampleofthesecurityteam’sopinionsregardingriskisanotherexampleofqualitativedata.Qualitativedataareempirical,meaningyoucanobservethem.Theyjustdon’timmediatelylendthemselvestostatisticalanalysis,assumingthat’swhatyouwanttodo.Butisstatisticalanalysistheonlywaywecanobtaintruthorknowledge?Whenyoursignificantother,oryourchild,tellsyoutheyloveyou,doyouinsistonverifyingthatassertionthroughatwo-tailedt-testorlinearregression?DoourfavoritemoviesandnovelsspeaktousbecauseweappreciatethattheyfollowaverifiableGaussianprobabilitydistribution?Clearly,numberscan’ttelluseverythingthatisworthknowing.

QualitativeMeasuresandTechniquesCultureisaboutbeliefsandassumptions,aboutmotivationsandvaluesthatmaynotevenbeexplicitwithinanorganizationorconsciousonthepartofitsmembers.Culturetendstostayhiddenbelowthesurface,unlessyoudeliberatelyseekitout.Yetyoucan’tjustgooutandstartcountingculture.People’sbehaviorsaremoredirectlyobservableandlendthemselvestomorequantitativeanalysis,butknowingwhodidwhatandwhenandwheretheydidit,doesnottellyouhoworwhytheybehavedthatway.Thesequestionsofhowandwhy,whicharemoreimportantwhenattemptingculturaltransformation,arethedomainofqualitativeresearchandanalysis.Qualitativeresearchersusesurveys,interviews,andotherinteractionsbetweenpeopletofacilitateunderstandingofthetopicstheyexplore.

LordKelvin’s“MeagreUnderstanding”WhenIwrotemybookITSecurityMetricsafewyearsback,itwasfashionableamongsomesecuritymetricsproponentstoquoteLordKelvin’sadageonmeasuringsomething,“whenyoucanmeasure…andexpressitinnumbers,youknowsomethingaboutit;butwhenyoucannotmeasureit,

whenyoucannotexpressitinnumbers,yourknowledgeisofameagreandunsatisfactorykind.”Iwouldusuallyaskwhoeverthrewoutthequotetoexpressthemeasurementreasoningbehinditintheformofanumber.Inevergotone.Instead,Igotstoriesandanecdotesthatdemonstratedboththe“meagreunderstanding”ofKelvin’sclaimaswellastheincredibleutilityofqualitativedatasuchasstoriesandanecdotes.

Differenttraditionsofqualitativeresearchmethodshavedevelopedinvariousfields.Table3-1liststhemajorqualitativeresearchapproaches.Someofthesearegoingtolookabitstrangetoaninformationsecurityprofessionalwithanengineeringbackground,althoughtheymightlooklesssotoanyonewhohasstudiedpsychologyorbusinessadministration.Infact,alloftheseresearchapproachesareusedinindustryinoneformoranother.Thefactthatinformationsecurityhasnotmademuchuseofthemsaysmoreabouttheinadequacyofourownresearchmethodsandourbiasagainstqualitativeresearchthanitdoesabouttheeffectivenessofqualitativetechniques.

Table3-1MajorQualitativeResearchApproaches

I’vegoneintosomedetailinTable3-1aboutthesequalitativetechniquesbecausetheyareoftentheonlywaytomeasureandunderstandorganizationalculture.Assuch,theybelongintheconceptualtoolkitofeveryorganizationlookingtoimproveandtransformsecuritycultureandmakeitpeople-centric.YoudonothavetobeaPh.D.anthropologisttodobasicqualitativeresearch.Youjusthavetorecognizethatsometimesyouarenotgoingtofindtheanswersyouarelookingforinanywayotherthantalkingwithpeople,listeningtowhattheysay,andlookingforthemeaningyouseekinthestoriestheytell.

CulturebytheNumbersAlthoughqualitativedataandanalysisplayabigroleinunderstandingculture,thatdoesnotmeanthatquantitativemeasurementisoffthetable.Quantitativeandqualitativetechniquesareoftenbothnecessarytounderstandwhatisgoingonunderthesurface.Manyresearchersusequalitativetechniques,suchasinterviews,participantobservation,andtheanalysisofartifacts,toleadthemtopatternsandrelationshipsthatcanbequantified.Let’sagainconsiderClaraandherdevelopmentteam.Whatifaresearcheroraconsultantcameinandbeganinterviewingallthedevelopers,collectingstoriesabouttimestheyneglectedorfailedtocompletetheirsecurityreviews,andaskingthemtotalkaboutwhytheymadethosedecisions.Asdifferentreasonsweregiven,theconsultantmightbeginputtingtogetherpatternssuchasdeadlinepressuresbeingaprimarycause.Thesereasonsmightcorrelatetocertaintypesofsoftwaredevelopmentprojectsthathadatendencytorunintootherdelays,maybeeveninastatisticallysignificantwaythatprovedtheseprojectsweremorelikelytohavesecurityvulnerabilitiesinthecodewhenshipped.Nowwe’retalkingrealnumbersandquantitativeinsight,butnoneofitwouldbeavailablewithoutthequalitativedatacontainedinthoseinterviews.

KotterandHeskittdidsimilarcombiningofqualitativeandquantitativedatawhentheymeasuredthelinkbetweencultureandperformance.Bycollectingqualitativedatafromindustryanalystsaboutperceivedcorporateculturesandcomparingthosedatatothehardnumbersofcompanyfinancialperformance,theywereabletodrawconclusionsabouthowandwhencultureaffectedthebottomline.Otherresearchershaveattemptedevenmorespecificquantitativemeasuresofculture,althoughthemorestatisticalthemeasuresget,themoretheytendtofocuswithlaserintensityondescribingspecificattributesofculture

ratherthanexploringhowtochangeit.

ChallengesofCulturalTransformationIfnothingelseisclearatthispoint,itshouldbeapparentthatunderstandingandmanagingcorporatecultureishardwork.Wetakecultureforgrantedbecauseweareimmersedinit.Weliveit.Andlikeotherpartsofourlivesthatwemightwanttochangeforthebetter,it’seasiertosaywearegoingtochangeourculturethantoactuallyeffectthatchange.CulturaltransformationinitiativesinmanyorganizationsaresomethingliketheNewYear’sresolutionswemakeeachyear.Theyareexpressionsofhopeandoptimism.Andwithoutcommitmentandhardwork,manyofthemdon’tmakeitoutofJanuaryalive.

Organizationalcultureexpertsprescribemanydifferingwaystotransformculture,but,liketheirunderstandingofcultureingeneral,thereareseveralcommonthemesthatemergefromtheiradvice.Theseinclude

Culturecanbechangedinavarietyofways.Cultureisinclusive,soculturalchangemustbetoo.Consensusbuildingallowsforthecreationofnewsharedbeliefs.Culturalchangecannotbetakenforgranted.Leadersmustsetanappropriateexample.

There’sNoOneRightWaytoChangeCultureIfanalgorithmforcreatingtheperfectcultureexisted,everyorganizationwouldbeequallyinnovativeandadaptabletoshiftsinitsbusiness,everymemberwouldfunctionefficientlyandeffectivelytoachievetheorganization’sgoals,andperformancewouldbemaximizedacrossallindustries.Thefactthatthisutopiahasnotcometopassisproofenoughthatnoonehasdiscoveredthesecret,claimsbyconsultantsandmanagementgurusnotwithstanding.Researchersandtheoristsoforganizationalculturewilltellyouasmuch.Thepointisnottocreatesomemythicalperfectculture,butrathertoshootforthebestcultureyourorganizationcanhavegivenitsmembers,theenvironmentinwhichitfindsitself,andthegoalsandstrategiesitwantstoachieve.Thisbeingsaid,successfulculturaltransformationwilldependonafewkeystrategies,describedinthefollowingsections.

YouHavetoIncludeEverybodyAnyculturaltransformationishighlyunlikelytosucceedunlesstheprocessisdeliberatelyinclusive.Sinceeveryoneinanorganizationhelpstocreateandtransmittheculture,everyonehastohaveastakeinchangingit.Thisreallymeanseveryone,fromthetopoftheorganizationalcharttothebottom.Inclusivenessalsomeansdirectinvolvement.Manyframeworksforculturemanagementareformedaroundrepresentativeteamsmadeupofpeoplefromallovertheorganization,allofwhomcontributetoplanningandformulatingthechangesandthengobacktotheirownrolesaschampionsandchangeagentstohelpensurethattheeffortsareadoptedintodailybehaviors.Theultimateoxymoroninculturaltransformationisthetop-down“culturalchange”strategy,whereleadershipexpressesdissatisfactionwiththeexistingculture,definesunilaterallywhatthenewculturewillbe,andthendemandseveryonegetwiththenewprogram.

YouHavetoBuildConsensusGettingeveryoneinvolvedinculturaltransformationisonlythefirststep.Sinceanorganization’scultureisareflectionofthedeep-seatedbeliefsandassumptionsheldbyitsmembers,youcannotsimplydictatethateveryonewillnowbelievesomethingdifferent,orevenwhatthenewbeliefsshouldbebasedupon.Whenwasthelasttimeyousuccessfullyarguedthatsomeonewaswrongbasedonthefactthatyoureallyfeltyouwereright?Mostorganizationalchangeresearchemphasizestheneedforsomelevelofconsensusbuildinginidentifyingthecurrentcultureinplace,aswellasanychangesthatneedtobemade.

Informationsecurityisparticularlyvulnerabletoalackofculturalconsensus.WhentalkingwithCISOsandothersecuritystakeholders,IheartimeandagainthatoneoftheirgreateststrugglesistomakepeopleoutsideoftheInfoSecprogramcareaboutsecuritylikemembersoftheprogramdo,totakeitasseriouslyaseveryonewhoistaskedwithprotectingcompanyinformationassets.Withoutthatconsensus,securityprofessionalsmustspendalotoftimeexplainingandjustifyingtheirwork.Ofcourse,itdoesn’thelpwhensecurityteamscancomeacrossasnotcaringverymuchabouttheprioritiesandconcernsofthosestakeholdersoutsidethesecurityteam.ButinorganizationswhereotherbusinessunitsandexecutiveswieldmorepoliticalcloutthantheCISOorthesecurityowner,theburdenofconsensusbuildingfallsonthesecurityteam,iffornootherreasonthantheyhavetosellsecuritytransformationtostakeholderswhomaynotevenunderstandsecurity,andcertainlydon’tprioritizeitovertheir

ownuniquechallengesandconcerns.Inthewakeofthemassivesecuritybreachesofrecentyears,it’sgettinglessdifficulttoconvincethesestakeholdersthatsecurityisimportant.Butwhatisthebestwaytodosecurity,andwhatisthebestwaytoallocateresourcesthatwillhavetocomeoutofotherpeople’sbudgets?Thoseremainhotlydivisiveissuesthatthesecurityteamisgoingtohavetodeconflict.

YouHavetoEvaluatetheOutcomesAcommontrapthatorganizationalcultureexpertsoftenwarnofintheliteraturecanbecharacterizedasa“fireandforget”approachtotransformationalchange.Inotherwords,wemakesomeattempttochangeourculture,butthenneverfollowuptoseeifwhatwedidhadanyeffect.Oneoriginofthistrapisthegeneralbeliefthatcultureisdifficultorimpossibletomeasure,soyoucan’tknowwhethereffortstochangeculturehavebeeneffectiveanyway.Ihavedescribedanumberofwaysthatorganizationscananddomeasuretheircultures,butnoteveryoneisfamiliarorcomfortablewiththeseapproaches.Amoreperniciouscontributortothetrapcouldbedescribedasgenerallaziness.Itisaloteasiertohireconsultantstoconductasurvey,toadopttheframeworktheyrecommend,toprintupmotivationalpostersencouragingeveryonetoadheretotheframework,andthentodeclaretheculturaltransformationinitiativeasuccessthanitistoforgeaheadandmeasurewhethertheculturehasactuallybeentransformed.Doingtheinvestigativelegworktodeterminewhat,ifany,effectallthisactivityhadistimeconsuming,it’stedious,anditalwayscarriestheriskthatmaybeyourslickinternalawarenesscampaignreallydidn’tconvinceanyonethattheyshouldstartlookingattheworlddifferently.

Butwhyshouldtheorganizationcareenoughtodevotethetimeandresourcesnecessarytoactuallyevaluatewhetherornottheculturechanged?Herewemustlookbacktotheculture–performancelink.Organizationsdon’tworryaboutchangingtheirculturejustbecausetheywanttoexperimentwithsocialtheory.Theydoitbecausetheresearchhasshownthatbettercultureequateswithbetterbusinessoutcomes.Evaluationisthenkeyfortwocrucialreasons.First,ifperformanceimprovesonlywhenthecultureimproves,youneedtobesurethecultureisactuallyimproving.Second,youneedtoevaluatethelinkitselftounderstandhowmuchmovingthecultureneedlecorrespondstomovingtheperformanceneedle.Withoutthisinsight,there’snopointintryingtochangeyourcultureatall.

YouHavetoHaveGoodLeadershipThelastcommonthreadI’lldiscussistheuniversalimportancethatorganizationalcultureresearchplacesonleadership.Leadershipplaysacentralroleinjustabouteverystudyoforganizationalcultureyouwillfind.Insomecases,cultureandleadershipalmostbecomesynonymous,giventhatfewentitieswithinanorganizationhavethesameopportunitytosetculturaldirectionasthosewhosetboththedirectionandtheexample.

Leadershipisadouble-edgedswordaswell.Businessbooksarelitteredwithcaseswhereanorganizationbringsinanewleaderinanefforttoimproveperformanceonlytowatchthemfailmiserablyeitherbecausetheycouldnotadapttotheexistingcultureorweresoarrogantthattheybelievedtheycouldjustchangeitbyforceofwill.OvermyowncareerI’vepersonallyexperiencedseveralpainfulperiodswhereIfoundmyselftransitioningthroughamanagementchangethatseemeddesignedtocauseasmuchdisruptiontotheexistingcultureaspossible.Intheworstcases,thetransitionfeltlesslikeareorganizationandmorelikeacoupd’état,wheretheexistingmanagementteamwasdemotedorevenfired,oftenfornootherreasonthantheyrepresentedtheoldwayofdoingthings.Inspiteofstudyafterstudyshowingthatpromotinginsiderstendstoproducebetterresultsthanrecruitingoutsiders,manycompaniesstilloperateunderanapparentassumptionthatradicalchangeofculture,quicklyaccomplished,istheonlywaytoimprove.Muchoftheorganizationalbehaviorresearchwouldseemtoindicatethatthisverysenseofinsecurityanddesperationisasymptomofaculturethatmayhavealreadybeguntodegrade.

AnOceanofResearchIforganizationalculturesarelikeicebergs,thestudyofthemislikeanoceanofresearchandinsightthatspansacademia,industry,andgovernment.Thischapterhasnecessarilybeenlittlemorethanaglimpseintothatocean.Myintentwasnottoprovideacomprehensivesurveyofthefield,asthereareplentyofgreatbooksthatdothisbetterthanIevercould(andyou’llfindalistofjustafewofthesebooksinthe“FurtherReading”sectionsthroughoutthechapters).Buttounderstandhowinformationsecuritycultureworksandhowitcanbetransformed,itisnecessarytoatleastunderstandthatthebroaderandwell-establishedfieldsoforganizationalcultureandorganizationalbehaviorhavealreadyexplored,debated,andmaybeansweredmanyofthequestionsthatapply

toinformationsecurityculture.People-centricsecurityisoneofthemoredemandingdevelopmentsinourindustrytoday,notbecauseitissomuchmoredifficulttodothanprocessortechnology,butbecauseitisequallydifficultandwehavesolittleexperiencedoingitcomparedtotheothertwoareasoffocus.Butwecantakecomfortintheknowledgethatsomuchworkhasbeendoneforus,blazingatrailthatwecanfollowinordertoapplytheseinsightstotheculturalchallengesfacingourownindustry.

FurtherReadingCohenD.,andB.Crabtree.“QualitativeResearchGuidelinesProject.”July2006.Availableatwww.qualres.org.Kotter,JohnP.,andJamesL.Heskett.CorporateCultureandPerformance.NewYork:TheFreePress,1992.Myers,MichaelD.QualitativeResearchinBusinessandManagement.2nded.ThousandOaks,CA:SAGE,2013.Schein,Edgar.OrganizationalCultureandLeadership.SanFrancisco:Jossey-Bass,2010.

http://www.qualres.org

H

CHAPTER4

CulturalThreatsandRisks

avingcoveredthegroundofthepreviousthreechapters,we’releftwithalotofcircumstantialevidenceregardingtherelationshipbetweeninformationsecurityandorganizationalculture.Butwheredoestherubberhittheroad?Whereisthetangible,empiricalinterfacebetweencultureandsecuritythatallowsustoimagine,observe,anddesignaroundthechallengesandopportunitiesofourownsecuritycultures?

CulturalThreatModelingInrecentyearsthesecurityindustryhastakenaninterestinthreat-centricsecurityapproaches,whichattempttoaddresstheactorsresponsibleforsecurityincidentsinsteadoffocusingontheweaknessesthatsuchactorsmightexploit(vulnerability-centricapproach)orthethingstheywanttoattack(asset-centricapproach).Tothisend,methodologiesformodelingsecuritythreatsareindemand.TherecentsuccessofAdamShostack’sThreatModeling:DesigningforSecurity,includingbeingnominatedasoneofthebestsecuritybooksfor2014,demonstratesthepopularinterestwithinthesecuritycommunity.ThreatModelingispredominantlytechnology-centric,butAdamdoesgoout

ofhiswaytoexplorehumanfactors,atopichealsoemphasizedinhispreviousbook,TheNewSchoolofInformationSecurity.Obviouslyinterestedinbehavioralandsocialmodelsandtheirapplicabilitytothesecurityindustry,Adamcatalogsanddescribesseveraltheories,applyingthematahighleveltoourfield.Andheexplicitlyrecognizesandarticulatestheneedforimproved

modelstobetterdescribehowpeople“do”security,aswellasthevalueofbringinginotherresearchtraditionssuchassociology,anthropology,andpsychologyintoourefforts.ThreatModelingneverdirectlyappliestopeopletheSTRIDEmethodologythatAdamhelpedtocreate,butthebookservesasatantalizingendorsementofmoreculturalthreatmodelingtechniquestocomplementthetechnology-andactor-centricmodelstheindustrydependsontoday.

Today’sthreatmodelingtechniquesallmoreorlessassumeaboundedinformationsystemorassetthatissomehowfacedwithattackorothercompromise.Thislendsitselfverywelltoaspecificproductorsystem,butthethreatmodelingbreaksdownifyoutrytoapplyittosomethinglesscircumscribed,likehumanbehaviorsorsocialsystems.Unfortunately,thoseofusresponsibleforsecuritydon’tliveinaworldwheretheonlyconcernisatechnologysystem.Inthecomplexwebofreal-worldrelationships,technologysystemsinteractwith,influence,andareshapedbyotheractorsandevents,includingpeople,forcesofnature,andothercomplexsystems.Theresultingemergentbehaviorsmaketheestablishmentofboundariesaroundanyparticularelementofthesystemartificialatbest,althoughassumingsucharbitraryboundariesbecomessomewhatobligatoryforbreakingdownandanalyzingchallengesthatwouldotherwisedefyanalysis.Appliedtothreatmodels,thisjustmeanswehavetogetcomfortablewithreplacinghardware,software,andnetworkswithmoreabstractboundariesliketheperson,thesocialgroup,andtheorganization,somethingsocialscientistsareadeptatdoing.

CovertProcessesandCulturalRiskModelingsecuritythreatsinvolvinganorganization’sculturereallyisnotthatdifferentfrommodelingsecuritythreatsinvolvingsoftwareorhardware.Atthecoreisabasicexerciseinexposingthenon-obvious,makingitobservableandtangibleinawaythatcanbeproperlyanalyzedinordertoproperlymanageormitigatethethreat.Thedifferencesarelessconceptualthanoperational.Noteverysoftwareapplicationwillbemodeledinthesameway,andhardwareandsoftwarethreatscanbeverydifferentfromathreatmodelingperspective.Modelingculturalthreatsisjustafurthervariationonthistheme.Therewillbedifferentsourcesofthreats,differentwaysofdescribingthem,anddifferentapproachestomanagingthem.

Sincetraditionalthreatmodelingisaboutmakingvisiblethehiddenrelationshipbetweenthoseresponsibleforsecurityfailuresandthemeansbywhichsecurityfails,wecanattempttoreplicatethatapproachforculture.Asit

turnsout,thereisresearchavailableinthisarea.Covertprocesses,aconceptfirstdevelopedbyorganizationaldevelopmentscholarBobMarshak,areorganizationalforcesanddynamicsthatarehiddenbutexertpowerfuleffectsonourcommunicationsandeffortstoachievegoals.Weexperiencecovertprocessesashiddenagendas,unspokenrules,ororganizationaltaboos.ManyoftheexamplesI’vegivensofarinthisbookareevidenceofcovertprocessesfunctioningwithinanorganization.Theyarealsoattheheartofculturalriskfromasecurityperspective.

Covertprocesses,andthebehaviorstheycreate,aredifficulttorecognizeandaddressbecausetheytypicallyarecamouflagedbyappealstoamuchmoreovertprocess,rationallogic.Returningtotheicebergmetaphorofcultureandbehavior,supposedlylogicalandobjectivedecisionmakingisoneofthemorevisibleaspectsoforganizationalactivity.Wemakeplansandbuildstrategiesforactivitybasedonouranalysesofwhatwebelieveneedstobeaccomplishedfororganizationalsuccess.Thisis,arguably,theprimaryjobofmanagersandleadersinanenterprise.Theydebaterequirementsanddesiredoutcomes,layoutthebestrationalpathforgettingthere,andsettheconditionsbywhichtheorganizationwillexecuteontheirstrategy.Usuallythatprocessofreason(singular)generateslistsofreasons(plural)whythestrategyistherightthingtodo,whicharecommunicatedthroughouttheorganizationintheformofvisionstatements,plans,policies,andotherartifacts.

Organizationalleaders,havingundertakenlogicalandrationaldeliberationtodevelopthebeststrategy,tendtoexpecteveryoneelseintheorganizationtobuyintotheirplans.Tonotdosowouldbeirrational;itliterallywouldnotmakesense.Andthatwhichdoesnotmakelogicalsensehasnoplaceinthemanagementoftheorganization.Afterall,howcanyourespondtosomeonewhoisbeingunreasonable?Butrationalityisonlyoneorganizationaldynamic,justasreasoncoexistsinindividualsalongwithphysical,emotional,andpsychologicalfactorsthatcananddooverpowerourreasonallthetime.Byignoringeverythingbutlogic,organizationsoftendenythemselvestheinsighttheywouldneedtounderstandwhyastrategyfailed.

InspiredbyAdamShostack’swork,anddrawingfromtheliteratureoncovertprocesses,I’vedevelopedasimplifiedthreatmodelforsecurityculture.Sinceweloveacronymsandmnemonicsinsecurity,andthethreatmodelingliteraturehasitsfairshareinmethodssuchasSTRIDE,DREAD,andOCTAVE,Idecidedtocontinuethetraditionandsearchedforagoodmnemonic.Theacronymgodssmiledonme.Peopleareattheheartofculturalthreats,bothasactorsandastargets.Andpolitical,emotional,psychological,andlogisticalthreatsareoften

corecovertprocessesthatcreateriskswithinanorganization.Thusmyculturalthreatmodel,PEPL,wasborn.

GettingtoKnowPEPLPEPLthreatsaffectdesiredsecurityoutcomesratherthanboundedsystems.Thesesecurityoutcomesaredesirablebecauseofsomerational,logicaldeliberationonthepartoftheorganizationthatdefinedthemasthewaythingsshouldfunction.Anoutcomewillalmostalwaysbeacombinationofpeople,process,andtechnology,andthreatsmayexisttosomeoralloftheseelements.Goodexamplesofoutcomeswouldbebringingasoftwareproducttomarketthathasnohiddensecurityflaws,oranorganizationnotgettinghitwithamassivedatabreachduetoacompromisedsystem.Asintraditionalsecuritythreatmodeling,thethreatreliesonsomevulnerabilityinthesystem,althoughIprefertorefertotheseas“weaknesses”toavoidconfusionwithtechnicalvulnerabilities.Table4-1describesanddefinesthespecificPEPLthreatalongwiththelikelytargetofthethreatandexamplesofspecificculturalweaknessesandtheireffectsonsecurityoutcomes.Ofcourse,theultimateeffectisasecurityfailureleadingtoanincident,oftenbroughtaboutbyaninabilitytorealizethedesiredoutcome.

Table4-1PEPLThreatModel

Likeotherthreatmodelingframeworks,PEPLisprimarilyabrainstormingtool.Itcangeneratealargesetofpotentialproblemsforthesecurityoutcomesyourorganizationhopestoachieve,muchlargereventhanatraditionalmodelfocusingonaboundedsystem.WhileitiseasytoapplyPEPLtothosesameboundedsystems(softwareapplications,hardwaresystems,evenadepartmentorfunction),oftentheresultingthreatswillbefunctionsoftheorganizationasawhole.Theculturethatendsupdefiningtheuseofapeople,process,ortechnologysystemisthecultureofeveryonewhodependsonit,whetherornottheyareimmediatemembersoftheinformationsecurityteams.

PoliticalThreatsPoliticalthreatshappenwheninterestsandagendascollidewithinanorganizationinawaythatdamagesorganizationaleffectiveness.Politicsiseverywhereinbusiness,andpoliticalrivalries,alliances,andconflictsbetweenindividualsandgroupsaresocommonthatwetakethemforgrantedevenaswecomplainabouttheireffects.Whatmakespoliticsacovertprocessisnotourlackofawarenessthatpoliticalbehaviorsexist,butratherourreluctancetoadmitjusthowmuchtheyplayaroleinourbusinessdecisions.Professionalpoliticians,ofcourse,havelessproblemadmittingtoovertpoliticalmaneuvering,butemployeesandmanagerswhobehavethiswaycanfindthemselvesaccusedofmanipulationor“playingpolitics”insteadofputtingtheneedsofthebusinessfirst.Individualpoliticalambitionsandmotivationsareoftenseenasunprofessionalandincompatiblewithgoodgovernancepractices.Businessstakeholdersaresupposedtoplanandsetstrategyrationally,onthebasisofobjectiveevidence,notoutofpersonalambitionorrivalries.Theresultisoftenasituationwherethepoliticaldimensionsofaplanningordecisionactivityarenotadmittedtoorarecamouflagedwithinrationalizationsthataremoreprofessionallyacceptable.Thisdrivespoliticalmotivationsintothebackgroundandpeoplemaybediscouragedfromaddressingthemopenly.Theresult:peoplepretendingtodosomethingforbusinessreasonswhenthosereasonsareactuallypersonalandpoliticalcanhaveaperniciousinfluenceonorganizationalculture.

TurfWarsTurfwarsareastapleoforganizationalpolitics.Theyoccurwhenactorswithinanorganization(orsometimesbetweencollaborativeorganizations)engagein

competitionoverareasofbureaucraticcontrol,resources,oradvancementofgoalsandobjectives(individualaswellasorganizational).Thiscompetitiondivertsenergyandeffortfromotherendeavorswhilecreatingtensionandsocialfrictionbetweenrivalactors.Turfwarcombatantsmaydeliberatelywithholdresourcesandinformationfromoneanother,ormayusetheirorganizationalauthoritytoweakenorcounterdemandsandrequirementsimposedbyothergroups.Inhighlypathologicalturfwars,organizationscanfracturecompletelyasactorsandtheirrepresentativesattempttodeliberatelystymieorsabotagetheeffortsofinternalcompetitors.

Asaculturalthreat,turfwarsinvolvingsecuritycanresultinabreakdownofposturethatintroducessignificantrisktotheorganization.Silosandorganizationalfiefdomsmaydevelopoutsidetheinfluenceorreachofcentralsecuritymanagement.Insomecases,centralmanagementmayceasetoexistormayberelegatedtoasmallsecurityteamwithnorealauthoritytoimposesecurityrelatedtopeople,process,ortechnologyonanyotherpartoftheorganization.Decentralizedsecurityisnotnecessarilyaproductofturfwars,astherearemanyreasonsorganizationsmaywishtofederateordevolvesecurityefforts.Butinsituationswheresecuritybecomesamechanismbywhichactorsfightforturf,theorganization’soverallprotectiveposturecanbeimpaired,sometimesseverely.

ABattleforControlThefollowingexampleillustratestheperversethreatofaturfwar.

Acustomeroncecontractedmycompanytoconductapenetrationtestontheirnetwork.Unfortunately,wedidnotrealizethatSecurityOperations,theinternalsponsorofthetest,wasengagedinaturfwarwithNetworkOperations,whichstillownedsecurityresponsibilityforthecompany’snetworkinfrastructure.SecurityOperationshopedtousethepentesttoshowhowpoorsecuritywasonthenetwork,thenmakeaclaimforauthorityoverthoseresources(includingtheenormousbudgetforsecuritytechnologythatNetworkOpscontrolled).ButtheNetworkOpsteamwasnoslouchwhenitcametomonitoringandprotectingtheirdomain.Threedaysafterthestartofthetest,armedcorporatesecurityguardsshowedupattheconferenceroomwherethepentestershadsetupshop,threateningtokickthemalloutofthebuildingandnotifytheauthorities.Thewholeengagementquicklyturnedintoafiasco.Intheensuingbattleoverwhohadtheauthoritytodowhat,theresultsofthepentesting,includingsome

seriousvulnerabilitiesthathadbeendiscoveredearlyon,werealmostcompletelyforgotten.Thereportitself,onceitwasfinallydelivered,wasshelvedforfearoffurtherexacerbatingavolatilepoliticalsituation.

VendorBiasVendorbiasoccurswhenindividualsorgroupswithintheorganizationdecideonparticularproducts,technologies,orvendorsbasedonpoliticalmotives.Iusetheterm“vendor”broadlyheretodenoteanyentityprovidinggoodsandservicestoanorganization,commerciallyorotherwise(opensourcesoftwareproviders,forinstance,wouldbeincludedasvendorseveniftheydonotchargeorarenotevenaformalcommercialentity).Motivesforvendorbiascanrangefromadesiretoprotectincumbenciestobackroomorevennepotisticarrangementsandpartnerships.Aculturalthreatemergeswhenpreferencesfor,orarrangementswith,certainvendorsconflictwithdesiredsecurityoutcomesandcreateconflictsofinterestthatintroducesecurityrisk.

Whenanorganizationswearsbyaparticularvendor,orhatesanothertothepointwheretheorganizationrefusestobuythatvendor’sproducts(orusethemfreely,inthecaseofopensource)nomatterwhat,rationalsecuritydecisionscanendupheldhostagebyforcesthatmaynotbefullyarticulatedorevenunderstoodwithintheorganization.Allsortsofweirdbehaviorcanemerge.Anorganizationmayenduphavingtodevoteresourcesandbudgettoworkaroundstogetitstechnologytomatchitssecurityrequirements.Orsecurityteamsmaydenythemselvesthebestsolutionbecausetheyhavedecidedtheydisliketheprovideronpersonalgrounds.Risksarenotlimitedtotechnology.Structurallyincumbentvendorshavelessmotivationtowardefficiencyandcosteffectiveness.Internally,theorganizationmayfinditselfbehindthecurveonskillsandinnovationbycontinuallysupportingvendorsoutofasenseofloyalty(oranimositytoacompetitor)ratherthansoundbusinessanalysis.Thereisnothingwrongwithbuildinglong-standingrelationshipsbetweenbusinesses,butifarelationshipdevelopsitsownpoliticalbasewithinanorganization,itcanendupcompetingdirectlywithsecurityobjectivesandintroducinguncertaintyandrisk.

EmotionalThreatsEmotionalthreatschallengeorganizationsbecausetheyaretheoppositeoftherational,logicaldecisionmakingorganizationstendtopridethemselveson.In

industry,emotionstendtobedownplayedinfavorofreason,andnegativeemotionslikefear,jealousy,andregretaretreatedaslessbeneficialthanpositiveoneslikepassion,contentment,andhope.Almostallorganizationsclaimtohaveconquered,oratleastcontrolled,emotionalismasabasisforaction.Somemayevenhavedoneso,asiscommonlyattributedtoWarrenBuffet’sBerkshire-Hathaway,whichhasfamouslyembracedanonemotionalinvestmentstyle.Butmostorganizationsonlypretendtobeascoldlyrationalastheyclaim,givingintoandevenrelyingon“emotionalintelligence”throughouttheiroperations.Emotionscanbecomeaculturalthreatwhentheyinfluencedecisionsbuttheorganizationdeniestheirrole,makingthemunavailableforanalysisorimprovement.

Fear,Uncertainty,andDoubtIknewaCISOwhoonceadmittedfreely,ifsheepishly,thatthedrivingrequirementsforhissecurityteamweretoaddress“whatevermostrecentlyscaredthecrapoutofmeinthemedia…”Everytimeanewvulnerabilityorthreathitthenews,orevenanewsolutionthatmightrepresentariskiftheorganizationdidnotimmediatelydeployit,hepanicked.Weeklystaffmeetingswereoftenanexerciseinthetroopstalkingthegeneralasfarofftheledgeastheycould,thenfiguringouthowtorespondtothefearsremainingthattheycouldnotmanagetodispel.TheCISOknewitwasabadwaytorunhisInfoSecprogram,butasmuchashetriednottolethisemotionsguidehim,heconstantlyworriedwhatmighthappentohiscompanyandhiscareerifoneofhisfearsweretoactualizeandhehadnottakenitseriouslyenough.

Intoday’sdigitallynetworkedworld,thenumberofthingstobeafraidoffromaninformationsecurityperspectiveapproachesinfinity.Thepastcoupleofyearshaveseencyberattacksonamassivescaleagainstsomeofthelargestandmostwell-knownorganizationsontheplanet.Emotionsrunhigh,anditisnowonderthatthecombinationoffear,uncertainty,anddoubt(FUD)hasbecomeaprimarydriverofsecuritystrategy.Itisasthoughtheemotionalandthelogicalhavemerged.Insecuritytoday,youcanbelabeledirrationalfornotbeingsufficientlyterrified.

TheproblemwithFUDasabasisforsecuritystrategyisthatitmakescrazydecisionsseemperfectlyjustifiedintheheatofthemoment.Itisnotaproblemuniquetosecurity,anditcanleadtoresponsesthatmakelessandlesssensethefurtheryougetfromthemomentofpanic.InChapter2IwroteaboutthesenseofdefeatismthatIthinkhasbecomeadominantculturaltraitinsecuritytoday,andoneIbelieveisaculturalthreatthatisrootedasmuchinFUDasitisin

incidentsweseehappening.FUDallowsustohighlightspecificsecurityeventsandincidents(Iamdeliberatelynotbeingspecifichere—searchfor“worstsecurityincidents”inthelastyearifyouarelookingforreasonstopanic)whileignoringeverythingthatdoesn’tgowronginthedigitaleconomyeveryday.FUDallowsustoholdupthecostofcyberbreaches(estimatesvarywidely,butseveralreputableattemptsputitintheheftyrangeof$300–600billioneachyear)asevidencethatweneedan“allhandsondeck”responsefromindustryandgovernment.That’scertainlyabignumber,butelevatingcybersecuritytendstooverlookorignorethecostsofotherglobalchallengesthatalsowarrantaction.A2014McKinseyreport,OvercomingObesity:AnInitialEconomicAnalysis,estimatesthecombinedcostsofsmokingandobesityatover$4trillionannually(twicetheestimatedcostofglobalwar,violence,andterrorism),andtheseproblemslikelyaffectmoreInfoSecprofessionalsdirectlythansecuritybreachesdo.Arationalapproachbasedoncostsandlimitedresourcestoaddressglobalproblemswouldseemtoimplythatinformationsecuritymaynotbethehighestpriority.Butrationalityisnottheonlyforceatworkhere,andthat’sthepoint.

EmotionalLogicEmotionallogicmayseemcounterintuitive,butitisoneofthereasonsthatFUDremainspervasive.Itisthefeeling,whichwenurtureandencourage,thatwearemakingobjective,rationaldecisionswhenwearereallyjustdoingwhatwewanttodoorthinkweneedtodo.Rememberthatcovertprocesseshappenbehindtheorganizationalfacadeofrationality.Sincereasonisprioritizedinorganizations,anythingthatisgoingtobeacceptedmustbetranslatedintothelanguageofrationality.MyCISOfriendconsoledhimselfoverthefactthathewassendinghisteamonweeklysnipehuntsbycouchinghisirrationalfearintheveryreasonabletermsthathewasbeingproactive.“Whatifwearevulnerabletothisandwejustdon’tknowityet?We’reallgoingtobegladImadeyoutakethetimetocheckeverysingledeviceintheinfrastructure.”

PsychologicalThreatsPsychologicalthreatsarecloselyrelatedtoemotionalthreats,maybeevencontributingtosomeofthem.Butthesethreatsaredifferentinthattheyaregroundedincognitivefunctionsandprocessesofthepeoplecreatingthem.Researchersinthefieldsofpsychology,humandevelopment,andbehavioraleconomicsspendcareerstryingtounderstandthehiddenreasonsbehindpeople’s

decisions.Theexplanationsrangefromdifferenttypesofintelligencebetweenindividualstodifferingcognitivesystemswithineachofus.Theimplicationsforsecuritycanbeprofound,particularlysowhen,likethepreviousexamples,thecovertprocessoperatesoutofsightandoutofmind,unavailableforanalysisorevenobservation.

StatisticalAlchemyIseeanexampleofemotionallogicasaculturalsecuritythreatwheneverIworkwithcustomersontheirsecuritymetricsprograms.Incommunicatingsecurityinformation,particularlyinformationaboutthreatsandvulnerabilities,CISOsandsecuritymanagersoftenhavelittlemorethanthegutfeelingsoftheirstafftogoon.Noonereallyknowshowlikelyorhowsevereanincidentmightbe,unlessofcoursethatpersonhasaccesstosomelevelofhistoricaldata,whichmanyorganizationsdonot.EmotionallogiccandrivetheprocessofstatisticalalchemythatIreferencedinChapter3,whereopinionsareconvertedintonumbersbythereplacementofameredescriptionwithaquantitativescoreorascale.Statisticalalchemycanmagicallytransmutetheleadofraw,emotionalspeculationintothemuchmorevaluablegoldofscientificfact.Ithappenseverytimeasecurityteamchangesathree-categoryordinalriskdescriptionlikehigh,medium,andlowintoanintervalorratioscorethatkicksoutanumberlike“ourriskscoreis3.85”or“oursecurityis80%good.”Itisusuallynearlyimpossibletoretracehowtheygotfromariskdescriptionof“low”toanumberlike“3.85”giventheavailableempiricaldata.Infact,thenumberprobablymakeslesssenseeventothesecurityteamthanastraightforward“low”everdid,addinguncertaintytotheriskanalysisinsteadofremovingit,butboy,itlookssomuchbetteronagraph.

CognitiveLimitationsAculturalthreatresultingfromcognitivelimitationshappenswhenaparticularsecuritystrategyordesiredoutcomedoesnotaccountfordifferencesinthewaypeopleprocessinformation,interactwithtechnology,learn,orgainnewprofessionalskills.Cognitivelimitationsarenotassimpleasdifferencesinintelligence.Theycanbegenerational,educational,geographical,orcultural(inthelargersenseaswellaspertainingtoorganizationalculture).Thecommon

traitforsecurityisthatcognitivelimitationsallbutensurethatarigid“onesizefitsall”approachtosecurityisunlikelytosucceed.

WiththeAudienceinMindConsideraneducationalexampleofcognitivelimitations.Onemeasureofeducationalachievementisreadinglevel.In2002and2003,theU.S.governmentpublishedtheNationalAssessmentofAdultLiteracy(NAAL),thelargestandmostcomprehensivestudyofadultliteracyintheUnitedStateseverconductedbythegovernment.Amongmanyfindings,thestudyestimatedthattheaverageAmericanreadsataseventh-oreighth-gradelevel,withlessthanafifthofthepopulationachieving“fullliteracy,”meaningareadinglevelequivalenttothatofsomeonewhohasanundergraduatedegreefromauniversity.Theestimatehassincebeenusedinguidelinesforreadabilityofeverythingfrompopularnovelstomachineryoperatingmanualstothelabelsanddirectionsonpharmaceuticals.Ininformationsecurity,thecreationanddistributionofpoliciesandguidelinesarefundamentalasaframeworkandbasisfordesiredsecurityoutcomes.

Billionsofdollarsarespentcollectivelybyorganizationstowritesecuritypolicies,postthem,andregularlyrequireuserstoreadthemasevidencethattheyknowwhatisexpectedofthemwhenitcomestoprotectingcorporateinformationassets.Buthowmucheffortisputintounderstandinghowreadablethesepoliciesare?Icantellyouthattheeffortisnotalwaysenough,asevidencedbymyreadabilityanalysesofnumerousclientsecuritypolicies.Inonecase,acustomercomplainedbecausetheyhadaveryexpensive,verycomprehensivepolicycreationanddistributionprocessandyettheywerestillseeingcontinualviolationsofpolicy.“It’slikenooneevenreadsthethings,”theCISOsaid.Areadabilityanalysisshowedapotentiallydifferentexplanation.Usingstandardscalesofreadability,thecompany’spoliciesoftenrequiredtheequivalentofagraduatedegreetoreadandfullycomprehendthem.Soeveryonemayhavebeenreadingthesecuritypolicies,butmostpeoplelikelyfoundthemimpossibletounderstand,muchlesscomplywith.Considerjustonebriefsnippet:

Employeeshaveanethical,aswellasalegal,obligationtoadheretotherequirementsarticulatedinthispolicy.Failuretocomplywithmandatedsecurityrequirementsresultsinsignificantenterpriseriskandliability.Itisincumbentuponemployeestoregularlyreviewand

familiarizethemselveswiththecontentsandrequirementsofthispolicy.Failuretodosocanresultinconsequencesuptoandincludingimmediateterminationofemploymentstatus.

SecuritymanagersmaynotthinkitaproblemthatsuchpoliciesarewritteninparticulardialectsoflegaleseandHR-speak,thendisseminatedthroughcut-and-pastetemplatesimplementedbyorganizationsoftenmoreinterestedincheckingacomplianceboxthanhelpingpeoplefigureoutwhattheyaresupposedtodo.Suchapolicymayseemtomakerationalsense(youwantonethatfunctionssomethinglikealegalcontractbetweenemployeesandemployer).Buttrymakingyoursecuritystrategyactuallyworkwhenthepeoplemostresponsibleforimplementingitarealsotheleastabletomakesenseofit.

CognitiveDifferencesThefieldofbehavioraleconomicsisbooming.DanielKahneman,DanAriely,andDanielGardner(IwonderwhatabehavioraleconomistmightmakeofthefactthatmanyofmyfavoritebehavioraleconomyexpertsarenamedDaniel…)haveallpublishedbookstheorizingwaysthatourrationaldecision-makingprocessesareoftennotrationalatall.Ageneralthemeamongtheirbooksisthathumanbeingsdonotseemtoprocessinformationormakedecisionsinthesimple,linearwaythatwehavetraditionallyaccepted.Humandecisionsareahodgepodgeofcognitiveactivity,somedeliberativeandwhatwewouldrecognizeasrational,andothersemergingfromprimitiveintuitivepatternmatchingthatseemstobehardwiredintoourevolutionarybiology.Theresultisasetofdifferingcognitivefunctionsthatcangrosslymisleaduswhileprovidinganalmost(ormaybeanactual)physicalsenseofcertaintyandclarityaboutwhatwethinkweknow.

Insecurity,thesecognitivedifferencesmanifestthemselvesasculturalthreatsmostoftenwhenitcomestotryingtofigureoutrisk.Peopleareabsolutelyterribleatassessingrisk,orevendecidingwhattheyshouldreallybeafraidof.DougHubbard,theauthorofTheFailureofRiskManagement:WhyIt’sBrokenandHowtoFixIt,hasgonesofarastoclaimthatthegreatestsingleriskmostorganizationsfaceisprobablythewaytheydotheirriskmanagement,astatementthatmightringsadlytrueforsomecurrentandformerCISOsI’mawareof,nottomentionafewfinancialinstitutionsandanuclearfacilityortwo.

LogisticalThreatsLogisticalthreatscandevelopwheneverasecuritystrategyisincapableofbeingrealizedduetoincompatibilitieswithexistingorganizationalinfrastructure.Implementingastrongpasswordpolicycompanywidewhensomesystemsareincapableofhandlingcomplexpasswordsisoneexample.Mandatingtheuseofcertaintechnologiesthatareincompatiblewithlegacysystemsisanotherexample.LiketheotherculturalthreatsI’vedescribed,itiswhenlogisticalissuesfunctionasacovertprocessaffectingaperceivedrationalstrategythattheybecomeriskyanddangerous.

IncompatibleSystemsBothoftheprecedingexampleshavetodowithsecurityimposingrequirementsthatconflictorarenotcompatiblewithexistingsystems.Intheauditandcomplianceworld,suchsituationsareencounteredregularly,andhaveproducedtheconceptofcompensatingcontrolsasasafeguardagainstrisksthathavebeenassessedandacceptedasnecessarybutrequireadditionalefforttomanage.Inotherorganizations,theproblemishandledbyexceptionprocessesthatallowpeoplewith(moreorless)goodreasonstooptoutofcertainsecurityrequirements.Whateverthecase,theresultisthatanewsystemorsystemsmustbecreatedinordertoalignsecuritystrategywithsecurityfact.

ExceptionsastheRuleIhaveobservedorganizationswhereoverhalfofthesystemsinoperationrannonstandardconfigurations,ostensiblyviolationsofthecorporateequipmentstandardsforsecurity,butwhichhadbeengrantedsecurityexceptions.Onewondershowrationalanorganization’ssecuritystrategycanbewhenfollowingitproperlyinthedeploymentoftechnologysystemsactuallymakesyoutheexception.Thisparadoxcanoftengetlostinthefogofsecurity,though,whenthelogicofwhatshouldbedoneaccordingtosomecomplianceregimeorthedreaded“industrybestpractice”overwhelmstherealityofwhatisactuallypossiblewithintheenvironment.

IncompatibleOutcomesSecurityincompatibilitiesdonotjustoccurwithtechnology,asmypreviouscase

studyofClara,thedeveloperinChapter2,demonstrated.Outcomesthemselvescanbeatoddswithoneanotheronverybasiclevels.BYODandthecloudarebothcurrentcaseswherebusinessstrategycancollidedirectlywithsecuritystrategy.Whenthedifferencesinstrategyaremanagedproperly,threatscanbeavoided.Whenthecompetingoutcomes(marketagilityvs.securitycontrol,forexample)arenotproperlymanaged,especiallywhenlogisticalchallengesbecomeimbuedwithpolitical,emotional,andpsychologicaldimensionsthemselves,theycangrowintoaseriousthreattosecurityandtotheorganization’sbusiness.

Treatingsecurityasastrategicoutcomeindependentofotherorganizationalgoalscancreateafalsechoice,azero-sumgamewhereeveryconcessiontothebusinessisseenasalossforsecurityandeverycapitulationtosecurity’sdemandsisviewedasablowtobusinessefficiency.Thisisnotrational,nomatterwhatjustificationsandbusinesscasesaremadeoneitherside.Thecomplexityoftoday’sorganizationsandenterprisesmeansthatnothingcaneverbecompletelysecurednorevermadetotallyefficient.Allthatmattersisachievingaproductivebalancebetweenthevariousforces,includingculturalforces,atworkwithinanorganizationasittriestomeetitsgoals.Thisincludesbalancingsecurityriskwithbusinessrisk,notonlytheriskofhavingtoolittlesecurity,butalsothebusinessrisksthatcancomewithoverlyrestrictivesecurityinfrastructuresthathamperacompany’sagilityandinnovation.

CulturalCompetitionasaSourceofRiskTheexerciseinculturalthreatmodelingoutlinedinthischapterisnevergoingtobeasstraightforwardasthreat-modeling-boundedtechnologysystems.Thelatterarecomplicatedsystems,sometimesstaggeringlyso,butacomplicatedsystemhasafinitesetofstatesandpossibleoutcomes.Theoretically,youcanknowthemallinadvance,includingallthepossiblethreatsassociatedwiththesystem.Acomplexsystem,however,producesemergentbehaviorsthatcannotbeknowninadvancebutdevelopoutofuseandinteractionwithothersystementities.Thepossibilitiesapproachinfinity.Whenacomplicatedsmartphoneoranetworkswitchorasoftwareprogramisputintosomeone’shandsandthenincorporatedintoasystemofothertechnologiesand,mostimportantly,people,itbecomesacomponentinacomplexsystem.Itisnolongerpossibletopredictallthewaysthecomponentwillbeputtouse,includingallthethreatsassociatedwithit.

Culturalthreatmodelsshownotonlytherisksthatexistbetweenthreatsina

traditionalsense(anactorornaturalphenomenoncreatinganegativeoutcomebasedonweaknessinthesystem),butalsotherisksassociatedwithlegitimateinteractionandcompetitionamongsystemcomponents,particularlyhumanstakeholders.Abalanceofforcesexistswithinthesesystems,andrisktooneactororentitymayequatetoopportunityforanother,creatingscenarioswherefailureisbothundesirableandalsoanaturaloutcomeofsuccesselsewhere.Iffailuresorsuccessesbegintodominatedisproportionately,thewholesystemcanbegintofalloutofbalanceandmayexperienceamoregeneralsystemicfailureorcollapse.

Thelessonofculturalthreatmodelingspecifically,andpeople-centricsecuritymoregenerally,isnotabouttryingtoenumerateeverypossiblethreatfromortotheculture.Thisisimpossible.Instead,thesethreatmodelsareabouttryingtogetahandleonthecompetingforcesthatarecurrentlyoperatinginanycomplexorganizationalsystem,toobservetheiroriginsandeffects,andtoattempttobringthembackintobalancewhentheyshiftdangerouslytoonesideoranother.Itismuchhardertodowhensomeormostofthethreatentitiesareoperatingascovertprocessesthatwecannotorchoosenottoobserve.Riskiscreatedbytheseinteractionswhenpeoplesaytheyaredoingonethingforacertainreason,basedonlogicandrationalanalysis,butareactuallydoingitfordifferentreasonsthatmayhavenothingtodowithobjectivity,orarereallydoinganotherthingentirelywithoutadmittingit.

SizingUptheCompetitionPeople-centricriskmanagementisnotabouttryingtopredicthumanbehavior,atleastnotexactly.Instead,itisaboutshiningananalyticallightonorganizationalandculturalrelationshipstofindoutwherecovertprocesses,hiddenbehavior,andcompetitionexistandmayneedtobemanagedandbalanced.Thesourcesofcompetitioninorganizationalsecurityprograms,thepressurepointswherecovertprocessesproduceculturalthreats,includeanorganization’sstakeholders,priorities,andvalues.

CompetingSecurityStakeholdersStakeholdersareindividualpeopleandorganizedgroups.ACISOisastakeholder,asisaregulatorybodythatdefinesITcomplianceandauditrequirementsforanindustry.Informationsecuritystakeholdersdonothavetobedirectlyconnectedtosecurityoperations.Usersarestakeholdersinthattheydependontheconfidentiality,integrity,andavailabilityofITassetstodotheir

jobs.Customersarestakeholdersformuchthesamereason.Stakeholdersdonotneedtoconsciouslycareaboutinformationsecurity;theyneedonlyhaveanexplicitorimplicitinterest(astake)intheresultsofsecurityactivities.InInfoSec,thisincludesjustaboutanyonewhodependsoninformationtechnology.

Justbecausestakeholdershaveaninterestinsecuritydoesnotmeantheyareequallysupportiveofsecurityeffortsorhavethesamegoals.Stakeholderscancompeteagainstoneanother,evenwhenbotharededicatedtosecuringinformationsystemsandassets.Anauditor’sgoalsarenotnecessarilythesameasasecuritymanager’s.Theauditorwantstoexploreandperhapsexposeasmanysecurityproblemsaspossible,inordertoforcechangeandreduceriskinaccordancewithsomeregulatoryorotherrequirement,irrespectiveoftheresourcesrequired.Asecuritymanagerwantstosuccessfullycompleteanauditwithaminimalleveloftimeandeffort.Boththeauditorandthesecuritymanagerwantgoodsecurity,buttheirideasofwhatthatmeanscancompetefiercelywhenitcomestothebottomline.

Whenstakeholdersexistoutsideofsecurityaltogether,competitioncanbecomeevenmoreintense.Membersofanorganizationhavemanythingstheycareabout,andsomeofthosethingsaremorevisibleormoreimportantthanothers.Theymaywantagility,productivity,andinnovationmorethananythingelse.Securityteammembersmaywantthingstobeprotectedandpredictable.Theseprioritiescompete.ACISOisthemostprominentsecuritystakeholderinanorganization,butasanexecutive,thatCISOalsohasastakeinthecontinuedgrowthandsuccessofthecompany.Ifenterprisesecurityistoorestrictive,ifitinhibitscompetitivenessormarketperformancetoomuch,thenthewholecompanymaysuffer,andtheCISOwillhavefailedjustasbadlyasifadamagingsecurityincidenthadcausedtheproblem.

Organizationstodayarecollectiveentities,butbureaucracyandprofessionalspecializationhavecreatedfragmentationaroundjobrolesandfunctions.Peopletendtobetrainedforaveryspecificsetofcapabilitiesthatwilldefinetheircareersforyearsorevendecades.Wetalkaboutsecurityprofessionals,HRprofessionals,andprojectmanagementprofessionals,eachwiththeirownbodyofknowledge,certificationrequirements,andworkingculture.Thisspecializationtendstoresultinpeopleprioritizingtheinterestsandassumptionsoftheirnarrowfieldabovethedesiresandexpectationsofothers.Suchspecializationisrequiredtotacklecomplexproblemsintoday’sbusinessenvironments,butitcontributestothecreationoffiefdomsandsilosthatinhibitorganizationalvisibilityandcoordination.

CompetingSecurityPrioritiesIhavealreadydevotedseveralpagestothewaysinwhichsecurityprioritiescancompetewithnon-securitypriorities.Butitisimportanttocalloutthatconflictsexistwithinsecurityaswell.Partofthereasonisthatinformationsecurityhasbecomealargediscipline,withbranchesandsubfields,initsownright.SecurityawarenessmanagersandfirewalladministratorsbothoperatewithinthelargerfieldofInfoSec,buttheyareprobablyverydifferenttypesofpeople.Andtheymaynotalwaysagreeonwhatthemostimportantconsiderationsforsecurityshouldbe.Education,experience,andinteractionswithtechnologyandotherpeoplewillinformtheirworldviewinpossiblyverydifferentways.

Securityprofessionalsalsohavetodealwithprioritiesthatmaybeunwelcometopuristswhowishtofocusexclusivelyonthefundamentalsofprotectinginformationassetsandenforcingsecuritypolicies.Budgetsandresourcesareasmuchsecurityprinciplesasconfidentiality,integrity,andavailability.Feworganizationshaveunlimitedsupplies,sothingsthatshouldbedonearebalancedagainstthingsthatmustbedone,withthestrugglebeinghowtodecidewherethatlineisdrawn.Risksandthreatscanoftenbeprimarilyaproductofhoweffectivelyasecurityteamallocatesitslimitedcapacities,whichmayexplainwhysomeorganizationssucceedwhilepeersthatappearverysimilarfailhard.Whatisoftencharacterizedasbadluckorbadtimingcanoftenbeattributedtopoorhandlingofcompetingpriorities.

CompetingSecurityValuesPrioritiesareaboutchoosingwhatisimportantamongmultiplepossibilities.Valuesareaboutwhywethinksomethingisimportantinthefirstplace.Oursecurityvaluesdriveoursecuritypriorities,butoftenforreasonsthatwearelessconsciouslyawareof.Ifoursecurityprioritiesarethemoreorlessrationalrankstackingofourdecisions,oursecurityvaluesmorecloselyreflecttheassumptionsandbiasesattheheartofoursecurityculture.Whensecurityvaluescontradictoneanother,theeffectsechoacrossthedecisionsandoutcomesofthewholeorganization.

I’veworkedwithsecurityteamsthatsharedadministratorpasswords,withorganizationsthatrefusedtoallowpenetrationtestingoncertainkeysystems,andinplaceswhereauthenticationlatencyrequired10to15minutesbetweenloginandaccesstoabusiness-criticalsystem.Ineverycasethesecuritystakeholdersresponsibleforthesystemshadbalancedonevaluetheyfeltwasimportant(nonrepudiation,visibilityintovulnerabilities,andproductivity,respectively,inthesecases)withacompetingsecurityvalue.Eachbalancingact

introducedoneormorerisksintotheenvironment.Butnoneofthesecaseswereseenasirrationalorunacceptablewhentheorganizationinquestiondescribedit.Theymighthavewantedtochangethings,ormaybewishedtheycouldbedifferent.Buteachhadtodealwiththefactthattheirswasanimperfectworld,andtrade-offswererequired.“Hey,itiswhatitis,”onesecuritymanagertoldme,holdinguphishands,whenIgentlypointedoutoneoftheseconflicts.

Whenparticularsecurityvaluesbecomeacceptedandembedded,theycancreateaculturalpattern.Asortofpathofleastresistancedevelopswheresomeideasandproposalsaremoreeasilyacceptedandfacelessscrutinythanothersbecausetheyresonatewiththepattern.Patternscandevelopintoculturalarchetypes(orstereotypes,ifyouprefer),likeacollectivepersonalitythatanticipates(butdoesn’tpredict—thesearepeopleafterall)likelyoutcomes.Aheavilyregulatedorganizationwithregularvisitsfromauditorsislikelytoadoptacompliancemindset,thinkingliketheauditorsitanswersto,untilmostdecisionsarefilteredthroughthelensof“howwillthisaffecttheaudit?”Anopenenvironmentthatreliesonthefreeflowofinformationandaccesstoachievesuccessmaybecomeasecurityskeptic,interrogatingaCISOabouteveryproposedinitiativeandwhetherornotthecontrolwillimpedepeople’sabilitytodotheirwork.

Theeffectofcompetingculturalvalueshasbeenstudiedoutsideofsecurity,withtheresearchintocovertprocessesI’vecitedbeingjustoneexample.Researchershaveusedtheconceptofcompetitiveculturalforcesasawayofmeasuring,managing,andtransformingorganizationalculture,guidedbythelogicthatifwecanunderstandwhywebehaveinacertainway,westandabetterchanceofchangingthatbehavior.Suchtheoriesandmethodscurrentlyareutilizedinmanagementscienceandbusinessconsultingcircles,andIamunawareofanymajorattemptstoapplythemtoinformationsecurity.Inthenextsectionsofthebook,Iwillattempttodojustthat.

FurtherReadingAriely,Dan.PredictablyIrrational:TheHiddenForcesthatShapeOurDecisions.NewYork:HarperCollins,2008.Gardner,Daniel.TheScienceofFear:WhyWeFeartheThingsWeShouldn’t—andPutOurselvesinGreaterDanger.NewYork:Dutton,2008.Hubbard,DouglasW.TheFailureofRiskManagement:WhyIt’sBrokenandHowtoFixIt.Hoboken,NJ:Wiley,2009.

Kahneman,Daniel.ThinkingFastandSlow.NewYork:Farrar,StrausandGiroux,2011.Marshak,Robert.CovertProcessesatWork:ManagingtheFiveHiddenDimensionsofOrganizationalChange.SanFrancisco:Berrett-Koehler,2006.NationalCenterforEducationStatistics.“NationalAssessmentofAdultLiteracy.”Availableathttp://nces.ed.gov/.Shostack,Adam.ThreatModeling:DesigningforSecurity.Hoboken,NJ:Wiley,2014.

http://nces.ed.gov/

PARTII

MeasuringYourSecurityCulture

E

CHAPTER5

TheCompetingSecurityCulturesFramework

veryorganizationthatisconcernedaboutprotectingitsinformationassetsandsystems—basicallyallorganizationsintoday’snetworkedanddigitalsociety—hasaninformationsecurityculture.Thesecuritycultureisafacetoftheoverallorganizationalculture.Mostorganizations,infact,havemultipleinformationsecuritycultures,reflectionsoflocalvaluesandpriorities,andnoteveryoneinsidetheorganizationisgoingtosharethesamebeliefsandassumptionsabouthowsecurityshouldanddoeswork.Whattheinformationsecurityteamvaluesandthinksismostimportantforprotectingtheorganizationwillprobablybedifferent,atleastindegree,fromwhatHR(orInternalAudit,orFacilities,etc.)valuesandthinksismostimportant.Inbenigncases,theseculturalcharacteristicscoexistpeacefully,neverhavingcausetointerferewithoneanother.Butmoreoften,theyeventuallycompete.Thatcompetitionmayoccuroverresources,overmoney,oroversimplepoliticalinfighting.Butthesecurityculturethatdominates,includingthevaluesandprioritiesthatdrivedecisionsandspending,willhaveprofoundimplicationsfortheorganization’sperformanceinregardtoinformationsecurity.

Toensurethatorganizationsdevelopthemostbeneficialsecurityculture,themostsuccessfulbalanceofdifferingprioritiesandmotivations,wehavetounderstandculturebetter.Organizationsmustdeveloptechniquesfortranslatinggeneralinsightsaboutcultureintoactionableintelligence.Fortunately,therearelotsoftheories,frameworks,andmethodsforaccomplishingthisgoal,fueledbydecadesofresearchandpracticeinthefieldsoforganizationalperformanceand

development.Iproposemyownmethodology,theCompetingSecurityCulturesFramework(CSCF),furtherinthischapter.ButtheCSCFdidnotdevelopspontaneously.Icreateditbyadaptingandextendingearlierresearch,anditisworthspendingalittletimetounderstandthoseroots.

MeasuringSecurityCultureInChapter3,Idescribedtechniquesformeasuringcultureatahighlevel.Particularly,Ifocusedonqualitativedataandanalysis,whicharecommonlyusedinthestudyofculture,anddifferfromquantitativedataandanalysismethods.Itisimportanttovisitthesedifferencesdirectly,particularlysincetheinformationsecurityandITsecurityfieldsoftenmisusethetermsandconceptsofmeasurementorsufferfromadistortedunderstandingofwhattheyrepresent.Measurementisaboutcomparisonmorethanaboutcounting,anddifferenttoolsarenecessaryfordifferentphenomena.

ThetoolsIhavedevelopedtomeasuresecuritycultureandtoencouragetheadoptionoftransformationalsecuritybehaviorsareprimarilysurvey-based,withthepossibilityofusinginterviewsandmoreinteractivemethodstoexpandoncollectedsecurityculturedata.Thesetoolsareusedasbothqualitativeandquantitativeapproachestomeasurement.Somerequiremanualwork,whileotherscanbeautomated,dependingonthegoalsandresourceconstraintsanorganizationhas.Wewillexplorethemingreatdetailinlaterchapters,butfornowitisenoughtofamiliarizeyourselfwiththeiroriginsandsomeofthecharacteristicsofthedatatheyutilize.

QuantitativeDataandAnalysisQuantitativedataare,putsimply,thosethatlendthemselvestocounting.Theresultofacointossortheresultofadicerollaresimpleexamples.Yourheightandweightaretwomoreexamples.Quantitativedatacanberankedinaparticularorder,assignedtospecificcategories,orexpressedinstandardizedunits.Whilemanypeopleassociatequantitativedatawithmathandnumbers,quantitativedatacanbemoreorlessmathematicaldependingonwhethertheyarenominal,ordinal,interval,orratiodata.Thedatatypeinquestionalsodeterminesthetypesandsophisticationofstatisticalanalysisthatcanbeperformed.Toexplorethesefourquantitativedatatypesfurther,supposeyouworkinadatacenter.Wanderingaroundyourdatacenter,you’llseeplentyof

examplesofallfourdatatypes,asdescribedinthefollowingsections.

NominalDataWanderingaroundtheracksofequipmentinthedatacenter,younoticedifferentcomputersfromdifferentvendors.Youseeswitches,servers,andworkstations,forinstance.AndyoumaynoticeproductsfromCisco,Dell,orHP.Theseareexamplesofnominaldata,whichmeanstheyarestrictlycategorical.Allthedevicesyouobservearecomputers,butyoucandifferentiatebetweentypes.Youalsomaynoticethateachrackhasanumber.Thesearealsonominaldata,aseachnumberrepresentsacategorylabel,notamathematicalvalue.YoucancountthenumberofCiscoswitchesyouhave,butyoucan’tdoanythingstatisticalwiththecategoriesthemselves.Youcan’taddCiscoandDellorfindtheaveragebetweenracknumber6andracknumber14.Nominaldataonlyservetoidentifysomethingasdifferentfromsomethingelse,tonameit,whichiswherethetermnominalcomesfrom.

Confusingly,nominaldataaresometimescalledqualitativedata,whichIsuspectiswherethesecurityindustry’suseofthetermoriginatedgivenourregularuseofcategoricaldata.Nominaldataarenolessempiricalorscientificthanotherquantitativedatatypes.Buttheyliterallydon’taddup.Statisticalanalysisofnominaldataonlyoccurswhenyoucomparedatawithinthecategories.Youmightfindthat90percentofyourserverscomefromonevendor,forexample,whichcantellyousomething.Oryoumightfindthatmachinesinracknumber3failtwiceasoften,whichmightbecoincidenceormightimplyanissuewiththeenclosureitself.

OrdinalDataSupposethedatacenterteamisinstallingsomenewequipmentonthedayyouaremakingyourobservations.Theyaredeployingandconfiguringthreeservers,andtheygotstartedfirstthinginthemorningasyouarrived.Thefirstserveriscompletedlaterthatmorning,thesecondearlyintheafternoon,andthethirddoesn’tgetdoneuntillatethatnight.Theorderinwhichtheserverswerefinishedisanexampleofordinaldata,whichprovidepositionandrankingbutnotmuchmore.Youknowthatthefirstserverwassetupfasterthanthethirdserver,butnothowmuchfaster,atleastnotwithoutgatheringadifferentkindofdata.Buteventhelimitedinformationaboutpositionallowsyoutoperformmorestatisticalanalysis“outofthebox”thanwithnominaldata.Youcanuseordinaldatatodeterminesomethingaboutcentraltendency(definedintheproximatesidebar),animportantaspectofquantitativeanalysis.Themost

commonmeasureofcentraltendencyistheaverage,ormean.Butwecan’tusethemeanforordinaldata,whereweonlyhaverankorder(completedfirst,second,andlast).Thedifferenceintimebetweencompletionofthefirstandsecondserversisnotthesameasthedurationbetweencompletionofthesecondandthirdservers,soanaverageisimpossiblewithjustthepositions.

Wecan,however,applythemediantoordinaldata.Themedianissimplythemiddle-rankedordinalvalue,theonewithasmanyvaluesaboveitasbelowit.Inourcase,themedianvaluewouldbe2,representingtheserverthatwascompletedbetweenthefirstoneandlastone.Wecouldalsousethemode,meaningthevaluethatappearsmostfrequentlyinthedata,althoughitdoesn’tapplyaswelltoourserverexample.Aclearerexamplewouldbearacewherethereisathree-waytieforsecondplace,butnootherties.Inthiscase,themodewouldbe2,sincemorepeoplefinishedsecondthananyotherranking.

StatisticalTermsStatisticshasitsownlanguage.Sometermsarefamiliarfromoureverydaylives,butothersareabitmorechallenging.Readerswhohaven’ttakenastatisticsclassinawhilemaybenefitfromaquickrefresherofthefollowingtermsusedinthischapter:

CentraltendencyThedegreetowhichasetofvaluesormeasurementsgroupsorclustersaroundsomecentralvalueinadistribution.Themostwell-knownexampleofcentraltendencyistheGaussiandistribution,ornormalcurve,inwhichvaluesclusteruniformlyaroundthecentermostvalues.MeanThe“average”ofasetofvalues,computedbytotalingallvaluesandthendividingthattotalbythenumberofvaluespresent.MedianThemiddlevalueinasetofvalues,wherethenumberofvaluesisequallydistributedbelowandabovethemedianvalue.Ifyouhaveanoddnumberofvalues,themedianistheoneinthemiddle;forexample,thevalue2inthesequence1…2…3isthemedian.Ifyouhaveanevennumberofvalues,themedianisthemeanofthetwomiddlevalues;forexample,2.5inthesequence1…2…3…4.ModeThemostfrequentvalueinasetofvalues,theonethatoccursmostoften.Asetofvaluescanhavemultiplemodes,inthecaseofanequalnumberofrepetitions,ornone,ifnovalueoccursmore

frequentlythananother.

IntervalDataLookingaroundthedatacenter,younoticeadigitalthermometeronthewalltellingyouthatthetemperatureinsideis80degreesFahrenheit.Nowyou’recollectingintervaldata,whichallowsyoutoconsiderhowmuchvaluesdifferfromoneanother.Yourememberreadingtheoutsidetemperaturewhenyougotoutofyourcarthatcoolfallmorningandnoticingitwas40°F.Intervaldataallowsyoutosaymorethanjust“hotter”or“colder”inanordinalranking.Youcannowstatethatthedifferenceintemperaturebetweentheinsideofthedatacenterandtheoutsideworldis40°F.Whatyoucannotdo,though,istostatethatitistwiceaswarminsideasitisoutside.Ratioslikethisdon’tworkwithintervaldata,becauseitlacksanymeaningfulzerovalue.ZeroontemperaturescaleslikeFahrenheitandCelsiusaresubjective.80°Fisnottwiceashotas40°Fbecauseyoucanhavenegativetemperatures.YoucouldonlymakesuchstatementsabouttemperatureifyouwereusingtheKelvinscale,whichdoeshaveanabsolutezerovalue.Butmostdatacentersdon’tsportKelvinthermometers.

Despitenotbeingabletobringafullrangeofstatisticaltechniquestointervaldata,youcanstilldoquitealot.Themean,median,andmodeallworkforintervaldata.Youcanalsobeginusingsomemoresophisticatedstatisticaltechniques,includingthestandarddeviation,inyouranalysis.ThisiswhyyourHVACsysteminthedatacentertracksthingslikehowfartemperaturefluctuationsdifferfromthenormandalertssomeoneifthingsgettoofarawayfromnormal.Andyoucanmakeclaimsaboutthedifferencesbetweenintervalvaluesthatyoucannotmakeaboutthevaluesthemselves.Iftomorrowisawarmerdayandthetemperatureoutsidehits60°F,youcanstatethatthetemperaturedifferenceonthecolddaywastwicethetemperaturedifferenceonthewarmerone(40°Fdifferencevs.20°Fdifference).

RatioDataRatiodataisthewholeenchilada,sotospeak.Itpossessesatrue,nonarbitraryzerovalue,acontinuousscale,andstandardunits.Youcanbringthefullbruntofstatisticalanalysistobearonratiodata,andthesedataarewhatweareprobablythinkingaboutwhenwethinkaboutscientificdata.Forthedatacenter,everythingfromoperatingcoststouptimetonetworktrafficthroughputarerepresentedbyratiodata.Ratiodataarethingsyoucancountoutandcomparein

anapplestoappleswaytosaythatAisXtimesbiggerorYtimesshorterorZtimesmoreexpensivethanBorC.

Onethingthatmayjumpoutatyouasyou’rereadingthesedescriptionsisthatsecurityteamsdealwithalotofdifferenttypesofquantitativedata,muchofwhichisprobablynotratiodata.Nonetheless,giventhatratiodataallowsmorestatisticalanalysis,somepeoplemaybetemptedto“manufacture”ratiodataoutofothertypes.Thisdesirecanleadevenwell-meaningsecurityprofessionalstofallintothetrapof(thanksagain,AdamShostack)“jetengine×peanutbutter=shiny!”TheShostackequationisabasicexpressioninstatisticalalchemy.Usingit,youcantransformnominalorordinaldata(high,medium,low)intointervalandratiodata(scoreslike3.85or80)thatcanthenbeslicedanddicedstatisticallytoderiveallsortsofimaginaryinferences.Theproblemisn’tthemethod,it’sthedata.Toomanysecurityprogramsthesedaysconfuse“quantitative”with“empirical,”andthevaluetheirmetricsbringtothetablearediminishedasaresult.

QualitativeDataandAnalysisEmpiricaldatameansthatyoucanobservewhateveritisyouaremeasuring.Qualitativedata,asyouwillrecall,ismostsimplydescribedasthingsthataredifficulttocountdirectly.Buttheycanstillbeobserved,soqualitativedatamaybeeverybitasempiricalasquantitativedata.Let’sgetbacktoourdatacenterformoreexamples.TakingabreakfromyourTPSreports,younoticeyourcolleaguesJohnandRacheldebatingthequalityofthemarketingcampaignforanewlineofhigh-performanceserversthecompanyisconsideringpurchasing.Rachelhatesthemarketingcampaign,butJohnlikesit.Rachelhasabrochureonherdeskfromthevendormeetingtheyattendedearlierthatday.

“Itlookslikeakid’scartoon,”shelaughs.“HowamIsupposedtotakeitseriously?”

“Nah,it’skindofhip,”Johncounters.“ThevendordidagoodjobofnotmakingitlooklikeeveryothercorporateITadvertisement.Whatdoyouthink,Ken?”

Ken’ssittingtwocubesover,engrossedinasecurityawarenessvideothat’spartofthecompany’sHRcomplianceprogram.Hegruntsnoncommittally,withoutlookingup.

Everyoneoftheseartifactsareexamplesofqualitativedata.JohnandRachel’sconversation,thevendorbrochure,Ken’ssecurityawarenessvideo,allofthemrepresentobservablethingsthatcanbeanalyzedbutdon’tlend

themselvesimmediatelytocounting.Youcancountthingsaboutthem,certainly,likethenumberofwordsspokeninJohnandRachel’sverbalargumentorthenumberofpixelsinthetrainingvideo,butwhatdothosenumberstellyou?WearemorelikelytofindmeaningfulanalysisinJohn’scommentthatthebrochureistryingtodifferentiatethevendorfromitscompetitors,butthat’salotmoredifficulttodirectlyquantify.

QualitativeApproachesRevisitedChapter3listedseveralapproachestoqualitativemeasures,includinghistoricalandbiographicalmethods,ethnography,groundedtheory,andactionresearch.Theseareallmeansbywhichresearcherscancollectandanalyzequalitativedata.Anyofthequalitativedatawenoticedinourdatacenterexamplearepossibletargetsofcollection.YoumightmakeatranscriptofJohnandRachel’sconversationoraskforcopiesofthebrochureandawarenessvideo.Observingsuchthingsactuallymakesyouadatacollectioninstrumentyourself.Spendayearinthedatacenter,andyoumightwriteabookaboutyourexperiencesthere,assomeresearchershavedone.

TheframeworksandmeasurementtoolsIpresentinthisbookdrawfromtheexperiencesofqualitativeresearchers,buttheydonotdependuponorrequireyoutobeahistorian,ethnographer,orsocialscientist.Ipointouttheexamplesofqualitativedatabecauseyoumaycomeacrossthemandwanttousethemintransformingyoursecurityculture.Wespendalotoftimeinthesecurityfieldwonderingaboutquestionsofwho,what,where,andwhen.Quantitativedatacanhelpusdecipherthesemysteries.Butwealsospendalotoftimetryingtofigureouthowandwhy.Oftentheanswerstothesequestionsareonlyfoundbyobservingqualitativedataandinterpretingtheresults.

ArtifactsasDataThegreatthingaboutusingqualitativedatatoanswerquestionsisthatitallowsyoutogreatlyexpandwhatyouconsidertobe“data”inthefirstplace.Wedon’tbataneyelashwhenanauditorrequestscopiesofallofoursecuritypoliciestoreview,butwedon’tusuallythinkofthosesecuritypoliciesasscientificdataeither.Theytotallyare,oratleastcanbeifsubjectedtotherightanalyses.TheexampleofthereadabilityofsecuritypoliciesIusedinChapter4isagoodexample.Policydocumentsareartifactsproducedbyasecurityprogram.Theyarealsodatathatcanrevealthingsaboutthatprogram.Whenexamininganorganization’ssecurityculture,ahugevarietyofartifactscanbeconsidered,notjustthesecuritypoliciesoftheorganization.Securityawarenessmaterials,the

minutesofstaffmeetings,sourcecodeandconfigurationfiles,evenvideofromtheCISO’soffsiteleadershiptrainingprogramcanbecomeempiricaldataproducedbytheorganization,datajustwaitingtogiveupinsightstotherightkindofanalysis.

CombiningtheQualitativeandQuantitativeThetechniquesformeasuringsecuritycultureinthisbookwillrelyontwokeymethodsofcollectingdata:thesurveyandtheinterview.Thesetoolsarewidelyusedthroughoutindustry,asanyoneknowswhohastakenanopinionpoll,workedonamarketingsurvey,orbeenpartofajobintervieworafocusgroup.Whatmakesthesetoolsinterestingisthattheyallowustoobservebyproxythingsthatareintrinsicallynotobservable,thethingsthatgooninsidepeople’sheads.Thoughts,opinions,andvaluesareallrealthings,butobservingthemishardandsubjecttointerpretation.Oneoftheoldestandbestwaystofindoutwhatapersonthinksaboutatopicistoaskthemdirectly,andthatisexactlywhatasurveyinstrumentoraninterviewtemplatedoes.Thesetoolsdon’tguaranteevalidresults,meaningthatyoumaynotbeobservingwhatyouthinkyouareobserving.Peoplelie,theygetconfused,andtheycontradictthemselves.Butunlessyouarepsychic,therearen’tmanyotherwaystoobservesomeone’sthoughts.

Itshouldbenoted,briefly,thattheadvertisingandmarketingindustriesareexperimentingwithevermoresophisticatedwaysofdiscoveringwhatpeoplearethinking(orwhattheyaredoing,evenwhentheyaredoingitunconsciously).Sentimentanalysis,onlineadvertisingexperiments,andhumanfactorsresearchareallcontributingtomakingsenseofhumanbehavior.Insomecasesthesetechniquesaremuchmoreprecisethansurveysandinterviews,frighteninglysosometimes.Buttheyremainaninterpretiveeffortbywhichresearchersuseproxiestomeasurewhatcannotbedirectlycounted(onlineadclick-throughsvs.aperson’sactualproductpreferences).

Thefactthatqualitativedatacannotbecountedinrawformdoesnothingtostoppeoplefromapplyingquantitativeapproachestoit.Infact,alotofresearchisacombinationofqualitativeandquantitativeapproaches,sometimesreferredtoasmixedmethodsresearch.Byidentifyingandcodingspecificattributesofqualitativedata,itbecomespossibletoactuallycountthings,toidentifypatterns,andtocomparedifferences.JohnandRachel’sargumentaboutthevendormarketingcampaign?Well,imaginewehaveawrittentranscriptofeverythingtheysaidandwestartlookingforrepetitivepatternsinthetext.SupposewediscoverthateverythirdorfourthsentencespokenbyRachelcontainsan

explicitcomparisonbetweenthemarketingbrochureandachildren’scartoon.WemightthencodeeachofRachel’sstatementsasmakingeitherafavorablecomparisonoranunfavorableone.Ifwediscoverthatoutof50comparativestatementsmadebyRacheloverthecourseofthedebate,90percentwereunfavorableandcontainedwordslike“juvenile,”“immature,”and“unprofessional,”wemightbeabletodrawsomeinferencesaboutRachel’sfeelingsbothtowardtheadvertisementand,possibly,towardcartoonsingeneral.SomeoneknowingRachelforalongtimemighttellyouthatRachelhasalwaysthoughtcartoonsweresilly.Buttheymightalsostruggleto“prove”that,andRachelmightevenarguewiththem.QualitativedataofthesortIjustdescribedprovideempiricalevidenceofRachel’sopinion,evidencethatcanbemorescientificallyanalyzedthroughthelensofobservablebehavior.

InterviewsWhencomparinginterviewsandsurveys,interviewsaremorequalitativethansurveysbecausetheytendtobeexploratoryandopen-ended.Whenweinterviewsomeone,wejustletthemtalk.Wemaystructuretheinterviewtoaskspecificquestionsorfocusonaparticulartopic,butwedon’ttrytocompletelycontroltheinterviewee’sresponses.Whatweendupwithisalotoftextthatmustthenbeanalyzedandcodedforpatterns.Fromthesepatternswecaninterpretfindingsandinsights.

Ifyouhaveonlyageneralideaaboutwhatyouwanttoknow,conductinginterviewscanbethebestwaytoapproachtheproblem.Supposeyouwanttoknowhowanemployeefeelsaboutworkingforthecompanyandyoudon’twanttobringanypreconceivednotionsintothemix.Anopen-endedinterviewapproachwouldbetosimplyaskthatperson,“Howdoyoufeelaboutworkinghere?”Theemployeecouldsaywhatevertheywanted,bringupanytopics,andspeakaslongastheyfeltnecessary.Thedownsideisthatyoumightendupwithalotofdatathathasverylittletodowithactuallyworkingatthecompanyandmuchmoreaboutthatperson’sindividuallife.Open-endedinterviewscanproducelargequantitiesofdatathatmustthenbeanalyzed,andthatcanbealotofwork.Youmightwanttonarrowthingsdownabit.Asemistructuredorstructuredinterviewwouldbreaktheopen-endedquestionaboutworkingatthecompanyintosubtopicsthatencouragemorespecificanswers.Butthoseanswerswouldremainopen-ended,withresponsesvaryingdependingonthepersonanswering.

Surveys

Surveysaremuchmorespecificthaninterviews.Notonlydoyoudefinethequestionorquestionsinasurvey,like“howdoyoufeelaboutworkinghere?”butyoualsodefinethepossibleanswers.Youmightallowthepersonfillinginthesurveytochoosefromthreepossibleanswers,“Iloveit,”“Ihateit,”or“I’mneutralaboutit.”Oryoucouldgoadifferentwayanduseascale,with1being“Iloveit”and5being“Ihateit.”Thepointisthatsurveysareusedwhenyouarelessinterestedinexploringsomethingyoudon’tthinkyouknowaboutbutwanttodiscoverandmoreinterestedinmorepreciselydefiningsomethingthatyoualreadyfeellikeyouknowabout.

Becausesurveyresearchisspecificandtargeted,andbecauseitusespreassignedclassificationsandcategoriesincollectingdata,itisoftendescribedasaquantitativemeasurementapproach.Inconductingsurveys,youaredeliberatelyaskingquestionsinawaythatallowsyoutocountthenumberandtypeofanswers.Itispossibletogeneratesurveyquestionsandanswersthatarenominal,ordinal,interval,orevenratiovalues.Thetrickypartisthatalmosteverysurveydependsontherespondentansweringitbasedontheirownknowledge,withallthemessyqualitativeparametersthatthisentails.Surveydataisempirical,butwhatyouareobservingisnotthephenomenayouareinterestedin(howmuchmoneydoesthispersonmakeinayear?),butratherthesurveytaker’sresponsetoaquestionaboutthatphenomenon(Iactuallymakelessthanthis,butI’membarrassedtosaythat,soI’llpickahigheramount…).Itisasubtledifference,butanimportantonetoremember.

OtherWaysofDescribingCultureQualitativeandquantitativemeasurementsformabasisformeasuringculturedirectly,throughvarioustools,methods,andinstruments.Butitisraretoseecultureexpressedintermsofdata,regardlessoftype.Organizationalcultureisjusttoocomplex,toorichandvaried,tobereducedtoanumberorasinglecategory.Instead,organizationalculturetendstobedescribedintermsofstoriesandmetaphorsthatallowustoglimpsethewholebylookingatamodel,representation,ormetaphor.People,expertsandlaymenalike,havebeendevelopingandusingthesetoolstodescribeorganizationalcultureforalmostaslongasorganizationshavegrownbigenoughtohaveculturesoftheirown.

CulturalArchetypesandStereotypesPeoplegeneralizeaboutotherpeopleallthetime(infact,Ijustdiditmyself).Whenwecollapsethecomplexityanduniquenessofanindividualoragroup

intoacatch-allsetofcharacteristicsorrulesthatweclaimappliesuniversally,wecreateatype.Ifthegeneralizationisinterpretedbyothersasmostlypositiveandaccurate,oratleastnotnegative,wecallitanarchetype,aprimeexampleofthethingwearegeneralizingabout.Ifthegeneralizationisnegative,offensive,orinsultingtowardthosegeneralized,wetendtocallitastereotype.Describingsomethingasanarchetypeimpliessomethingtoaspiretoortofruitfullycompareathingagainst.Stereotypesareoftenviewedasinaccurateandbiasedandathingtobeavoided.Inbothcases,peoplebuildapredictivemodelbasedonattributestheythinktheyunderstand.

Organizationalculturesaresubjecttothesametreatment.Howmanytimeshaveweheardaparticularcompanybeingcalleda“cultureofinnovation”whileanotheriscalleda“cultureofdishonesty”?Byapplyingtheselabels,peopleattempttosimplifyaverycomplexconstructionofpeopleandrelationshipsintoasingledefiningcharacteristic.Thegeneralizationsmayevenbeaccurate,butthisisbesidethepoint.Byturningacultureintoanarchetypeorastereotype,onerunstheriskofintroducingmoreuncertaintyintotheanalysisthanoneremovesfromit.Peoplecansurpriseyou,andifyoubaseyourpredictionsonasingledatapoint,youintroduceasinglepointoffailureintoyourassessment.

Generalizingcanbeusefulifbasedonrationalanalysisandiftheinherentassumptionsremainexplicit.Allmodelingandsimulationisaformofgeneralization.Assigningtypescanbeusefulasoneofseveralelementsinyouranalysis.Butifitbecomesacrutchthatexcusesyoufromactuallyanalyzingthings,itisarecipefordisaster.Thisisespeciallytrueinamultifacetedculturewheretheorganizationhasseveralcompetingdrives.Someonewhoseesonlyoneculturaltrait,perhapsbecauseoftheirroleindealingwiththeorganization,mayneverevenseethesidesofculturethatwouldconflictwiththeirnarrowviewpointandchallengetheirpreconceivedbiases.

CulturalFrameworksandModelsWhenageneralizationisapproachedmorerigorouslyandscientifically,archetypesandstereotypescanbecomemodelsandframeworks.Thesemodelsandframeworksremainsimplifiedversionsofreality,subjecttouncertaintyandunpredictability,buttheeffortthatgoesintoformulatingthemincludesbasingthegeneralizationsonempiricalevidence,andensuringthatassumptionsremainclearandwellarticulated.Securityhasplentyofitsownmodelsandframeworks,sothisapproachshouldnotseemalien.TheclassicexampleistheOpenSystemsInterconnection(OSI)referencemodel,withitssevenlayersfromphysicaltoapplication.Themodelisverysimple,verygeneralized.Itdoesnot

representanyactualexistingnetwork.Butyoucanuseittounderstandthefunctionalityofjustaboutanymodernnetwork.Thisisinlargepartbecausethemodeldoesnotrepresenthowweassumenetworkswork,buthowweknowtheywork,becausetheyhavebeenbuiltinpartbyusingthemodel.

Therearenumerousframeworksandmodelstochoosefromwhenexploringorganizationalculture.TheCompetingSecurityCulturesFramework,themodelIproposeandwilldiscussinthischapter,isadaptedfromoneofthemorewell-knownframeworksintheorganizationalcultureliterature.Butthereareothers.Table5-1brieflylistsafewoftheexistingmodelsandframeworksproducedoverthelastfourdecades.Mypointhereisthat,notonlyiscultureanempiricallyobservablephenomenon,butorganizationalscientistshavebeenobservingitlongenoughtodevelopmodelsforhowitworks.

Table5-1FrameworksandModelsofOrganizationalCulture

VisualizingCultureFrameworksandmodelsdonothavetobevisual,buttheyoftenlendthemselveseasilytovisualrepresentation.MostoftheframeworksandmodelsinTable5-1havebeenexpressedvisuallyatonepointoranother.Visualizationhelpsustoidentifypatternsmoreeasilyandtomakesenseofrelationshipsspatiallyratherthanverbally.Metaphorsallowustounderstandonethingbyrelatingitdirectlytosomethingcompletelydifferent.ThevisualmetaphoroftheiceberginChapter3demonstratestheconceptofpowerfulforcesatworkbelowourconscious

perception.Inanageofincreasinglycomplexinfographicsanddatavisualizationtechniques,wemaybetemptedtothinkofsimplerimagesaslessinformative.Butthepopularityoftheicebergmetaphorindescribinganynumberofsituationstestifiestoitssuccessasanexplanatorytool.

Manyvisualmodelsofculturearerelativelysimple.Thepointisnottocaptureeveryrelationshiporeverynuanceofinteractiongoingoninsideanorganization.Instead,thefocusremainsonprimaryflowsofinformationorinfluence,broadpatternsofbehaviorandinternalrelationships,andhigh-levelstructure.Unlikeamodelforamechanismoraphysicalstructure,wherestandardcomponentsexist,thereisrarelyasinglewaytoaccomplishsomethingwhenitcomestohumaninteractions.Culturemodelshavetoachieveabalance,reflectingnotonlyreality,butambiguity,tobesuccessful.Inmanysituations,simpleisbetter,solongasthemodeldoesnotunnecessarilyoversimplifywhatishappening.

TheCompetingSecurityCulturesFrameworkMymodel,theCompetingSecurityCulturesFramework(CSCF),enablesanorganizationtodescribeandinterpretthedifferentwaysthatsecurityisunderstoodandpracticedbytheorganization’smembers.Specifically,theCSCFenablestheorganizationtoidentifyareaswherecompetitiveprinciplesandvalueshaveemergedthatmayrepresentrisktotheorganization’ssecuritygoalsandobjectives.TheCSCFisbaseduponavenerableandwell-regardedculturalmodel,QuinnandRohrbaugh’sCompetingValuesFramework,whichwasfirstdescribedinanarticleinManagementSciencein1983.

OriginsoftheCSCFinCompetingValuesResearchTheoriginalpurposeoftheCompetingValuesFrameworkwastounderstandthecharacteristicsandorganizationaltraitsmostassociatedwithcompanies’enterpriseperformance,howwelltheydidintheirindustriesandmarkets.Usingboththeoryanddatafromempiricalstudiesofdifferentorganizations,QuinnandRohrbaughgroupedorganizationaltraitsintorelatedsetsofcorevaluesthatcreatedspecificcultureswithinanorganization.Astheydiscoveredpatternsofbehavioramongvarioussubjectcompanies,theresearchersmappedthemintolikegroups,eachofwhichdemonstratedcertainareasofvalueandpriorityfora

company.Thesepatternsalsorevealedopposingtraits,values,andprioritiesthatwereantitheticaltotheonesidentified.QuinnandRohrbaughmappedtheseaswell,usingasetofaxesthatdividedtheframeworkintoquadrants.

QuinnandRohrbaughfound,forexample,thatsomeorganizations,incertainindustries,weremoreeffectivewhentheybuilthierarchiesandbureaucracytoemphasizecontrolandstability;theresearchersfoundthatotherorganizationsachievedsuccessfulperformancebystayingflexibleandadaptable,avoidingrigidstructuresofauthorityorfunction.Likewise,theyfoundthatsomeorganizationstendedtolookoutward,prioritizingexternalcustomersandmarketstoachievetheirgoals,whereasothersbenefittedfromaninwardgazethatvaluedinternalcohesionandintegration.Theresultoftheirfindingswasavisualmetaphorofculturethatdividedorganizationalvaluesintofouropposingcultures,whichtheresearcherstermedclan,adhocracy,market,andhierarchy.Figure5-1illustratestheCompetingValuesFrameworkmodel.

Figure5-1TheCompetingValuesFramework(adaptedfromQuinnandRohrbaugh)

ClanCulturesAsshowninFigure5-1,clancultureisoneofthefourgroupingsoforganizationalprioritiesandbehaviorsidentifiedintheCompetingValuesFramework.Clanculturesarecommunityoriented,valuingasenseofbelongingandinclusion.Internallyfocusedandvaluingflexibility,theseorganizationswantallmemberstoparticipateinmakingtheorganizationsuccessful.Tothisend,clanculturesputagreatdealofemphasisonhumandevelopmentandthesharingofbothresponsibilityandreward.

AdhocraciesAdhocracies,anothergroupingoforganizationalprioritiesandbehaviors,areariffontheideaofanadhocapproach,onethatisflexibleandmaybenotpermanent,createdasaspecificresponsetoauniquechallenge.Flexibilityandagilityarepriorities,andaremadenecessarybecauseofafocusondealingwithchaoticandunpredictableexternalenvironments.Startupsandentrepreneurialorganizationsaretoday’smostfamiliarexamplesofadhocracies,buttheyalsoexistinlarger,moretraditionalorganizationsthathaveaneedtoinnovate.

MarketCulturesMarketculturescontrastwithclancultures,valuingtightcontrolovertheinternalworkingsoftheorganization,andfocustheresultsoftheseeffortsontheorganization’sexternalenvironment.Customersmaybeakeypriority,butmarketculturesmayalsovaluerelationshipswithpartners,regulators,tradegroups,andshareholders.Performanceinrelationtothesestakeholdersisconsideredmostimportant,whetherthatperformanceisexpressedintermsofprofit,marketshare,productivity,orsomeothermeasure.

HierarchiesHierarchiesaremarkedbyahighdegreeofinternalfocusandintegration,combinedwithtightcontrolandbureaucraticstructuresdesignedtoensurestability.Everythingisorganizedandformalized,governedbyclearlinesofauthorityandresponsibility.Inahierarchyculture,processtendstobeking,androlesandresponsibilitiesaredefinedthroughpoliciesandprocesses.Unlikeanadhocracyculture,adaptabilityisfarlessimportantthanstabilityandrepeatability.

AdaptingtheCompetingValuesFrameworktoSecurityTheCompetingValuesFrameworkconcernsitselfprimarilywithenterpriseandindustryperformancebycompanies,whetherornottheyareprofitable,productive,orsucceedinincreasingtheirmarketsharerelativetotheirindustrypeersandcompetitors.Theframeworkdoesnotaddressinformationtechnology,muchlessinformationsecurity.ButtheCompetingValuesFrameworkhasbenefittedfromagreatdealofempiricalstudyandscholarlythoughtovertheyearssinceitwasdeveloped,andhasbeenwidelyadaptedandappliedtootherareas.Thismaturityandflexibilityoftheframeworkhasmuchtoofferpeople-centricsecuritybecauseithelpstoexplaintheconflictsandcompetingprioritiesthatoftencreatesecurityriskandfailure,conflictsIhaveexploredinpreviouschapters.

AdaptingtheCompetingValuesFrameworktoinformationsecuritymeantthatIhadtoalteritandnarrowittothespecificconcernsofsecurityownersandstakeholders.Insteadofcapturingthebroadspectrumofbehaviorsandvaluesthatcontributetooverallorganizationalperformance,Iwantedtomeasureandanalyzethosespecifictraitsthatenhanceorimpedeinformationsecurityperformanceindifferentindustriesandsituations.ButtheoriginalinsightsoftheCompetingValuesFrameworkstillapply,asdoesthequadrantstructureofthemodel.TheCSCFreorientsandreconfigurestheseintoapeople-centricsecuritymodel,whichisillustratedinFigure5-2.

Figure5-2TheCompetingSecurityCulturesFramework

TheCSCFusesthesametwo-axesmodelastheCompetingValuesFrameworkbutappliesittothewayInfoSecthinks.Thefirstaxisrepresentsthedegreeofsecuritycontrolvaluedbytheorganization.ThesecondaxisoftheCSCFrepresentsthecontinuumoffocusbetweeninternalandexternalenvironments.

DegreesofControlControlmeanstheextenttowhichtheorganizationattemptstodirect,restrict,orinfluencethebehaviorofthepeopleandsystemsitcontains.Thedegreeofcontrolexistsasacontinuumrangingfromtightcontrol,representingamaximumofstabilityandstandardizationthroughouttheorganization,toloosecontrol,inwhichsecuritymaybedistributedorsubjecttovariabilityintermsofprocessandvisibilityacrosstheorganization.Theresultingaxisreflectsacompetingsetofvaluesthatliebetweenthedesiretomakesecuritymoreeffectivebypromotingadependable,orderlyenvironment,andthedesireto

makesecuritymoreeffectivebyencouragingaflexible,situationalenvironment.Insecurityprograms,controlisusuallyimposedthroughcombinationsof

centralizedauthority,establishedbureaucracy,definedhierarchies,andstandardizedpoliciesandproceduresthatdefineacceptablebehaviorsandactivities.Thedegreeofcontroloversecurityisimpliedandoperationalizedbymanyfactors,includingthesizeofthesecurityteamandtheresourcesavailabletothem;executivesponsorshipandsupport,includingwhetherornotaCISOleadstheprogramaspartoftheexecutiveteam;andthepresenceandenforcementofsecurity-specificpoliciesandstandardsacrosstheorganization.

You’llnoticeinFigure5-2thatIalteredtheoriginalspatiallayoutoftheCompetingValuesFramework,invertingthecontrolaxissothattightcontrolisatthetopratherthanthebottomofthemodel.Theresultisthatthesecurityculturesthatprioritizemorecontroloversecurityactivitiesarenowrepresentedinthetoptwoquadrants.Inmyexperience,securityingeneralisacontrol-focusedculture.Thechangeofspatialpositioningreinforcesthisemphasis.Figure5-3showsvariouscharacteristicsasonemovesalongthecontrolaxis.

Figure5-3Characteristicsalongthecontrolaxis

Internalvs.ExternalFocusInternalorexternalfocusdetermineswhethertheorganizationisprimarilyconcernedwithunderstandingandmanagingsecurityasafunctionoftheorganizationitself,orisprimarilyconcernedwithunderstandingandmanagingsecurityasafunctionofitsdealingswithentitiesoutsidetheorganization.Outsideentitiesmayincludecustomers,partners,regulators,themedia,andeventhreatentitieslikehackersandotheradversaries.

Inaninternallyfocusedprogram,securityisconsideredeffectiveiftheresultisacohesiveandconsistentprogramforprotectingtheorganization’sinformationassets.Internallyfocusedsecurityprogramsseekanenterprise-widealignment,wheresecurityiscompatiblethroughouttheorganization’s

operationalfunctions.Thismayincludeorganizationswherethesecurityteamisresponsibleforsettingdirectionandpolicyforalloftheorganization’sinformationsecurityandperhapsevenitsphysicalsecurity,includingdefiningstandards,managingtechnology,andcreatingstrategy.

Externallyfocusedsecurityprogramsconsidersecurityeffectivewhenitresultsinsuccessfulrelationsbetweentheorganizationandoutsideentities.Thisexternalfocuscreatesaconcernformeetingcontractualandregulatoryobligations;forprotectingprotecteddata;andforavoidingsecurityfailuresthatcanresultinlossofreputation,marketshare,ortheabilitytoconductbusiness.Accomplishingthesegoalsmayrequireadiversificationofsecurityresponsibilityandauthority(forinstance,acrossregulatoryortechnologyenvironments)inordertomeetthevariousneedsofspecificconstituentsandexternalentities.Figure5-4showscharacteristicsasonemovesalongtheinternal-externalfocusaxis.

Figure5-4Characteristicsalongthefocusaxis

TheCSCFQuadrantsThesecurity-specificquadrantsoftheCSCFareillustratedinFigure5-5,whichalsoshowsmoredetailregardingthecomponentsandvaluesinherentineachsecurityculturetype.Eachofthequadrantsrepresentsagroupingofvalues,assumptions,andprioritiesthatinfluenceandshapesecuritydecisionsandactivitiesinsideanorganization.ThesesecurityculturetypesincludeaProcessCulture,aComplianceCulture,anAutonomyCulture,andaTrustCulture.

Figure5-5TheCompetingSecurityCulturesFrameworkwithexpandeddetail

OverlappingandCompetingValuesThequadrantmodeloftheCSCFappearsveryorthogonalwhenyoufirstlookatit,withrightanglescreatingindependentculturalcharacteristics.Thisvisualizationtendstoobscurethewaythatthetwoaxescreateoverlappingvaluesanchoredondifferentperspectivesoncontrolandfieldsoffocus.Diametricallyopposedrelationshipslikethosebetweenprocessandautonomyareeasiertosee,butthereareconnectionsandsharedvaluesthroughoutthefourculturesaswell.Figure5-6representstheCSCFasconcentriccirclesthatbetterillustratetheseoverlappingtraits.ProcessandTrustCultures,forexample,maynotseemtohavemuchincommon,untilonerealizesthattheyarebothcentrallyconcernedwithhowtheorganizationfunctionsinternallyasacoherentstructure.ProcessandComplianceCultures,touseanotherexample,seemnaturallycongruentwhenthinkingofinformationsecurity,withtheirjointemphasisoncontrol.ButComplianceandAutonomyCulturesdonotseemtomakeasmuchsensetogether,atleastnotuntilyourecognizethemutualvaluetheseculturesplaceonaddressingchallengesassociatedwiththeorganization’sexternalenvironment,notitsinternalworkings.

Figure5-6CircularviewoftheCompetingSecurityCulturesFramework

LimitationsoftheFrameworkNotedstatisticianGeorgeBoxoncewrote,“Essentially,allmodelsarewrong,butsomeareuseful.”MyhopeisthattheCSCFhelpsorganizationsbyservingasausefultoolforachievingpeople-centricsecurity.Butitisjustasimportanttoacknowledgeitslimits.TheCSCFdoesnotpretendtofullydescribeorexplain

everyorganization’ssecurityculture.Instead,theCSCFisintendedtobeatoolforlearningandexploration,amethodbywhichpeopleworkingwithinthecontextofanorganization’ssecurityculturecanlearnmoreaboutthatculture,assigntermsandconceptstoit,andidentifyareasofriskthatemergewhensecurityprioritiesandvaluescomeintooppositionwithoneanother.Organizationalcultureresearchersunderstandhowdifficultitistomeasureoranalyzeanythingascomplexasthesharedbeliefsandrelationshipsofalargesocialgroup.Withoutaplacetostart,withoutsomemethodofsimplifyingthecomplexityofculturaltransformationtoachieveactionablestrategies,noprogressislikelytobemade.Somecriticscomplainthatthissimplificationmakesthemodelworthlessforreal-worldanalyses.Iappreciateareluctancetooversimplify,whichisacoresecuritybehaviorIwilldiscusslaterinthebook,butallmodelsaresimplificationsbynecessity.Nooneexpectsabalsawoodmodelofanairplanetoflyliketherealthing,oranarchitecturalmodeltobeareal,livablebuilding.Forthesepurposes,themodelsarewrong.Buttheyremainusefulnonetheless,usedbyengineersandarchitectseverywheretounderstandonasmallerscalethethingstheybuildonalargeone.

WhyNotJustUsetheCompetingValuesFramework?Inthedecadessinceitwascreated,theCompetingValuesFrameworkhasbeenwidelyadapted,andvarioustechniqueshavebeendevelopedformeasuringhowanorganizationcomparestotheframework.SpecifictoolssuchasDanielDenison’sOrganizationalCultureSurveyandKimCameronandRobertQuinn’sOrganizationalCultureAssessmentInstrumentusesurveystohelporganizationsfigureoutwheretheyfitinrelationtotheCompetingValuesFrameworkquadrants.Thedatatheseinstrumentscollectregardingculturalvaluesandnormsarethenmappedtothevariousculturalattributesoftheframework,producingprofilesofoverallorganizationalculture.

Butwhybuildanew,security-centricframeworkatall?WhywouldanorganizationnotjustusetheCompetingValuesFrameworkdirectlytomeasuresecurityculture,sincetherearealreadyassessmenttoolsavailablethatarebaseduponit?Someofthesetools,likeCameronandQuinn’sOCAI,havebeendeployedbyhundredsoforganizationsseekingtounderstandtheircultureanditslinktobusinessperformance,marketposition,andindustrycompetitiveness.It’salegitimatequestiontoaskwhetherornotsecurityteamsthatwanttochange

cultureshoulduseanexistingculturalframeworkastheirstartingpoint.

SecurityCultureBenefitsFromaTargetedApproachTheanswerisaboutspecificityandprecision.Informationsecurityisabusinessprocess,justlikeanyother.Butjustlikeotherbusinessprocesses,itspecializesinasubsetoftheoverallorganization’sfunctions.Therearemanyuniqueaspectsofsecuritythatarelegitimatedifferentiatorsbetweenourindustry’sactivitiesandobjectivesandthoseofHR,Marketing,orevendifferentpartsofIT.Thesedifferencesmanifestthemselvesinthelanguageandtermsweuse,theapproacheswetake,andtheoutcomesweseek.Manyofthesedifferenceshaveadirectimpactonthepotentialeffectivenessofusingageneralorganizationalcultureframeworktoassesssecurityculture.

IntheCSCF,IhaveadaptedtheCompetingValuesFrameworkinawaythatmaintainsthecoretheoreticalconstructsofthemodel,namelytheperformanceimpactsthatoccurwhendifferentculturespursuedifferentgoalsincompetition.ButIhavereshapedandreorientedtheCompetingValuesFrameworkintheCSCFtospecificallyaddressareasofconcerntoCISOsandsecuritystakeholders,touselanguagethatismorealignedwiththeconcernsofsecurityprograms,andtoilluminatethebehaviorsandvaluesthatsecurityteamsaremostoftenassociatedwith.Nevertheless,manyofthetraitsandbehaviorsdescribedbytheCSCFwillberecognizabletoother,non-InfoSec,partsofthebusiness.Thismakessensebecausesecurityremainsabusinessprocessthatcontributesbusinessvalue,oratleastshouldbeconsideredassuch.

NotEverythingintheCompetingValuesFrameworkTranslatesWellTargetingthetraitsandvaluesthatinformandshapeinformationsecuritypracticesallowsamoreprecisepictureoforganizationalsecurityculturetoemerge,onegroundedinthoseelementsthatsecurityownerscanunderstandandthusbettercommunicatetootherbusinessstakeholders.Nonsecuritypeoplewillstrugglewithamodelofculturethatrequirescontinuoustranslationbetweenperformanceingeneraltermsandperformanceofinformationsecurity.Itisbettertoperformthattranslationupfront,aspartofthemodel,astheCSCFdoes.

ConsidertheadhocracycultureoftheCompetingValuesFramework.Thisculture,moreprevalentinstartupsandothercompaniesoperatingin

environmentsofintensecompetitionandvolatilemarkets,valuesaggressiveindependenceandagreatertoleranceforrisk,exemplifiedintheSiliconValleymotto“movefastandbreakthings.”MostInfoSecprofessionalswouldneverconsiderspeedanddisruptionagoodmodelforsecurity,butadhocracyculturesfeelthesethingsareessentialfortheirsuccess.Adirecttranslationofadhocracytoinformationsecuritydoesn’texist.Buttheideaofautonomyandsilosofsecurityauthority,ofstrikingabalancebetweencontrolandflexibilitywithintheenterprise,issomethingeveryCISOrecognizesandmustcopewith.

TheCSCFallowsorganizationstoforegroundthevaluesandprioritiesofsecurityandorientthemintosecurityculturetypes,whilepreservingthespiritofthemodelinwhichtheseculturesvieforresources,buy-in,anddominanceinacompetitiveorganizationalmarketplaceofideas.TheCSCFillustratestheseculturesatahighlevel.IwilldiscusshowtodiagnoseandassessthestrengthoftheCSCFculturesinChapter6.Fornow,let’sexploretheseculturesinmoredetail.

OrganizationalSecurityCulturesThefourspatiallyopposedquadrantsoftheCSCFrepresentdistinctculturalapproachestoinformationsecurity.Eachquadrantrepresentsadistinctsecurityculture,althoughnoorganizationwillhaveonlyoneoftheseculturespresent.Someculturesmaybestronger,evenpredominant.Butallorganizationsareamixofcultures,notonlyasawholebutintermsofdifferentsubunitswithinthewhole.Thefourculturesaregeneralizations,modelswithinamodel,andIwillexplorethenuancesofeachinthissection.

ProcessCultureAProcessCulturevaluestightcontrolcombinedwithaninternallyfacingfocus.ProcessCulturesviewtheirsuccessmostoftenintermsofhowwellsecurityoperationsaremanagedandcoordinated,howstablyanddependablyoperationsfunction.Fromatheoreticalperspective,theconceptofmanagedcoordinationisparamountintheProcessCulture.Securityisseenasanorganization-widefunctionthatmustbecentralizedandcontrolledtoensurethatitisdonerighteverywhere,byeveryone,inthesameways.

OnekeyfeatureoftheProcessCultureisthecreationofbureaucracytomanageinformationsecurityactivities.Bureaucracy,briefly,isasystemof

managementinwhichspecializedprofessionalsactaccordingtoacceptedrulestoaccomplishgoals.Theword“bureaucracy”haschangedmeaningsoverthetwocenturiessinceitwascoined,butnegativeconnotationshavealwaysaccompanieditsuse.NotuntilGermansociologistMaxWeberbeganstudyingbureaucracyscientificallyintheearlytwentiethcenturywastheidearehabilitatedsomewhat.InWeber’sview,bureaucracywasnecessaryforsocietytofunctioneffectivelyinamodernworldgrowntoocomplextoachieveitsgoalsthroughtheeffortsofindividualsandsmallgroupswithoutuniqueskillsandtraining.

Security,alongwithmostotherorganizationalfunctions,hasalsogrowntoolargeandcomplexforanyonepersontodothejob.Specializationhasledtoavarietyofsecurity-relatedroles,includingthetechnical,theoperational,andthemanagerial.Inordertocoordinateandoptimizethesedisparateresources,organizationscreatehierarchicalstructures,includingjobfamiliesandorganizationalcharts,tosegmentactivitiesandareasofresponsibility.Theserolesandspecialtiesdeveloptheirownbodiesofknowledgeandpathsforadvancement,allgovernedbydefinedprocessesandstandardsofbehavior.

CoreValuesoftheProcessCultureCorevalueswithinaProcessCulturedevelopoutofadesiretokeepthingsrunningsmoothlyandpredictably,andinclude

StabilityEnsurethattheorganizationmaintainsitsexistingfunctionsandstructuresovertime.Change,especiallyunplannedchange,isdisruptiveandistobeavoidedormanagedverycarefully.VisibilityEnsurethattheorganizationunderstandshowitfunctionsandcantraceorpredictoutcomeseasily.Blindnessandblindspotsnotgovernedbyestablishedprocessrepresentuncertaintyandrisk.StandardizationEnsurethatalloperationsaremanagedaccordingtoformallyestablishedrules,wellunderstoodbyallmembers.Individualfreedomcreatesexceptionsanddiscrepanciesthatmustbemanaged,degradingoperationalefficiency.

AcardinaldirectiveoftheProcessCulturemightbestatedasenforcethepolicy.Inmyexperiencesconsulting,“securitypolicy”hasbecomesomethingofametaphorforthecollectedbodyofrulesgoverningtheorganization’ssecurityactivities,fromthehighest-levelacceptableusepolicydownthroughtheintricaciesoffirewallrulesandintrusiondetectionsystem(IDS)tuning.Enforce

thepolicyimpliesdoingthingstheorganization’sway,submittingtocontrolsandrestrictions,andtherebyensuringthatthegoalsoftheorganizationaremet.

ExamplesofProcessCulturesInover25yearsofworkinginInfoSec,IhaveencounteredmanyorganizationswheretheProcessCulturedominates,beginningwithmyfirstjobasanoperationsofficerintheCentralIntelligenceAgency.TheU.S.governmentisperhapsanepitomeoftheProcessCulture.TheU.S.intelligencecommunityisevenmoreintense,especiallywhenitcomestosecurity.Classification,compartmentalization,anddeeplyembeddedorganizationalhierarchieswerenotjustthenorm,theyweremylife.Inmycareersince,IhaveseensimilarculturesinothergovernmentagenciesIhaveworkedwith,whetheratthefederal,state,orlocallevel.ThismakesagreatdealofsensewhenyouconsiderthatMaxWeber’sworkwasbasedinlargepartonthegrowthofciviladministrationsasnation-statesmodernized.Governmentwas,ifyouwill,akeyearlyadopterofbureaucracy,aninnovationthatwassorelyneededasstateswereexpectedtobettermanage,provideservicesfor,andcontroltheircitizens.

OneofthemostdominantProcessCulturesIhaveencounteredsincejoiningtheprivatesectorwasintheretailindustry.Thiscompanyhadaprocedureforeverythingsecurityrelated,allrunaspartofahighlycentralizedprogramunderapowerfulandaggressiveCISOwhowasconsideredanequalmemberofthecompany’sexecutivestaff.Thesecurityculturemirroredthecorporateculture,whereeverythingwasdone,literally,bythe“book”ofpoliciesandstandardsthatexistedtomanagethestores,corporateoffices,andevencontractorsandpartnerswhoworkedwiththefirm.ThestrongProcessCultureofthesecurityprogramwasneithergoodnorbadingeneral,butitworkedinthelargercontextofthecompany.Peopleunderstoodrulesandstandards,andexpectedthesecurityprogramtoworkthesameway.

Financialfirms,manufacturingcompanies,andutilitiesalsotendtoexhibitstrongcharacteristicsofaProcessCulture.

ComplianceCultureComplianceCultures,likeProcessCultures,valuetightcontrolovertheorganization’ssecurityactivities.ButwhereaProcessCultureappliesthatcontrolforinternalpurposes,theComplianceCultureisexternallyfacingandviewssecuritysuccessmostoftenintermsofhowwellitsupportsrelationsbetweentheorganizationandoutsideentities.IntheComplianceCulture,

securitybenefitstheorganizationtotheextentthatitaddressestheconcernsofotherstakeholders,whetherthosearecustomerswhosedatatheorganizationmanages,regulatorsseekingtocontroltheconductofcertaintypesofbusiness,orevenhackerslookingforatarget.Thetheoreticalperspectivethatbestdescribesthisapproachisrationalgoals.Securityisagoalbecauseithelpsorimpedestheabilityofotherstomeettheirgoals,notbecausetheorganizationvaluesitindependently.

AComplianceCultureisdrivenbydemandsoutsidetheorganization.Inrecentyears,securityregulationsandframeworks—includingISO27001,thePaymentCardIndustryDataSecurityStandard(PCIDSS),theHealthInsurancePortabilityandAccountabilityAct(HIPAA),theHealthInformationTechnologyforEconomicandClinicalHealth(HITECH)Act,theFederalInformationSecurityManagementAct(FISMA),andahostofotherglobalregimes—haveplayedanincreasinglyimportantroletoinformationsecurityprogramsandCISOs.Theincreasingnumberandseverityofsecurityincidents,andthemediacoverageandpublicscrutinytheyproduce,willdolittletoabatethistrend.Ifanything,organizationscanexpectanincreaseinregulatoryfocusinthecomingyears,alongwiththepotentialforlossofmarketsandcustomersintheeventofamajorbreach.ComplianceCulturesaredeeplyconcernedwithensuringthattheirorganizationsnavigatetheseturbulentwaterssafely.

CoreValuesoftheComplianceCultureCorevalueswithinaComplianceCulturereflecttheinsecurityandperceivedneedthatsurroundsaccountabilitytotheorganization’sexternalstakeholders,including

ConformityEnsurethattheorganizationadherestoexpectationsandrequirementssetbyothers,oftenthroughmirroringtheserequirementsinternally.Uniformitywithintheorganizationmaynotbeapriority,buttheorganizationmustbeabletomeetalldemandsofspecificoutsidestakeholders.RepeatabilityEnsurethattheorganizationcanreproduceprocessesandresultsondemand.Situationsinwhichoperationsdonotproducetheexpectedresultsaredangerousfailures.DocumentationEnsurethattheorganizationmaintainsevidencethatitismeetingitsobligationsandtheexpectationsofothers.Operationalprocessesthatcannotbeproventofunctionasrequiredrisksanctionsfromanyoneinapositiontoholdtheorganizationaccountable.

AcardinaldirectiveoftheComplianceCulturecanbeexpressedaspassaudits.Auditsarenotonlyplanned,structuredassessmentsperformedordemandedbyaninterestedthirdparty.Severalorganizationaltheoristsconsiderunplannedsystemfailurestobe,inthewordsofKarlWeick,“brutalaudits.”Asecuritybreachrevealsweaknessandpoorsecuritycontrolsinexactlythesamewaythatanauditdoes,onlywithmuchmorestressandmoreseriousconsequences.Penetrationtestingandredteamingevolvedoutofthisunderstandingthatitwasbettertosubjecttheorganizationtoacontrolledattackthantowaitfortheuncontrolledone.SopassauditsisasmuchaboutthesuccessfulresponsetoarealsecurityattackasitisaboutappeasingyourQSAduringaPCIaudit.

ExamplesofComplianceCulturesComplianceCulturesaremostprevalent,asyoumightimagine,inhighlyregulatedindustries.IhaveseenstrongComplianceCulturesintheinsuranceindustryandinhealthcareorganizations.Butfromaninformationsecurityperspective,PCIDSShasbeenthemostinfluentialdriverofComplianceCulture,forseveralreasons.First,PCIDSShasrealreachandunambiguousteeth.Organizationsthatwanttoprocesscreditcarddata,andagreatmanydo,havetocomplywithPCIDSSorelsetheydon’tgettheprivilege.Second,PCIDSStendstobehighlyprescriptive,meaningthatthestandardactuallytellsyouspecificallywhatyouhavetodo.Manyregulatoryregimesoutlinehigh-levelprinciplesofsecurityandgeneralizedactionsthatmustbeperformed,butremainopentoalotofinterpretation.HIPAA/HITECHisagreatexamplehere,asthehealthcaresecurityandprivacyregulationismeanttobeappliedtoahugenumberofverydifferentorganizationsandmustbemoreflexiblethanthelaser-beamfocusofPCIDSS.Finally,thebusinessnatureofPCIDSS—aregulatoryframeworkdesignedbycompanies,primarilyforcompanies,withanecosystemofothercompaniessupportingit—makescomplianceseemeasierforcorporateorganizationstounderstandandimplement.

ButPCIDSSisinterestinginthattheverythingsthatmakeitinfluentialcanworktogethertoformasortoftrapthatmanyorganizationsfallinto,onethatsayssomethingabouttheComplianceCultureingeneral.PCIDSSlendsitselftowhatsomeinthesecurityindustry,myselfincluded,call“checkboxcompliance.”Whilegoodsecurityalmostalwaysequatestogoodcompliance,becomingamatteroftranslatingasecurityprogramintothelanguageofwhicheverauditorisreviewingit,goodcompliancedoesnotnecessarilyequalgoodsecurity.Severalofthelargestbreachesinrecentyearshaveinvolved

companies,andevensystems,thatwerecertifiedasPCIDSScompliant.Justbecauseanorganizationcanpassatraditionalaudit,inwhicha(mostly)friendlyentityaskstheorganizationifithasdonewhatitwassupposedtodo,adversariesconductingabrutalauditintheformofanattackdon’tgiveadamnifyouhavecheckedalltherightboxes.

ComplianceCulturesoftenoverlapwithProcessCultures,asmanyofthebenefitsofoneapplytotheother.Butthedifferencebetweentheculturesisthatareaoffocus,whichcanbeasourceofculturalconflictandrisk.IfProcessCulturesrunthedangerofbureaucraticinefficienciesinthenameofcoherentsecurityoperations,ComplianceCulturesrisklosingsightofthebigpictureofsecuritybyfocusingontheindividualmandatesforcedonthemfromtheoutside.

AutonomyCultureAtfirstglance,theAutonomyCulturemightnotseemverycompatiblewithinformationsecurity.Andifyouweretoconductastudythatexpectedtofindfewersecuritycultureswhereautonomyisthedominantculture,atleastonpaper,youwouldnotbedisappointed.Mostsecurityprofessionalsfindtheideaoflettingeveryoneintheorganizationdecideforthemselveswhatlevelofsecurityworksbesttobeirrationalanddangerous.Butlookcloserandyoubegintoseethatthequestionismorecomplex.Securityisoftenatoddswithotherpartsofthebusiness,sometimesevenatoddswithitself.Thecriticismofsecurityprogramsas“the‘no’team,notthe‘go’team”reflectsthesuspicionsomepeoplehavethatsecuritycandoatleastasmuchharmasgood,protectingtheorganizationatthecostofspeed,efficiency,andprogress.

AutonomyCulturesexhibitlesscentralizedcontrolwhilealsofacingoutwardfromtheorganization.Thetheoreticalbasisofthecultureisthatofadaptivesystems,inwhichpeople,process,andtechnologycanreshapeandreorientthemselvesasnecessarytomeetchangesintheirenvironment.Theideaisthatthoseclosesttoasituationhaveabetterawarenessofwhatishappeningandwhatisrequired.Logicdictatesthattheyshouldalsohavethepowertoactonthatuniquesituationalinsight.Theresultisanorganizationthatcanrespondinpartwithoutrequiringsimilarchanges,oreveninvolvementattimes,bythewhole.

AutonomyCulturesinsecurity,itshouldbesaid,arenot“anythinggoes”environments.Ihavenever,atleastinthelastdecadeorso,encounteredanorganizationthatbelievedsecuritywascompletelyunimportant.ButIhave

workedwithalotoforganizationsforwhomsecurityisacompromise,amoreorlessbalancedtrade-offnotonlybetweenlockingthingsdownandopeningthemup,butbetweentheneedforcentralizedcontrolandlocalsituationalawareness.Manyreasonsexisttopushsecurityauthorityandresponsibilityout,todistributeitthroughoutanorganization.Sometimesthisisareflectionofacorporatestructurethathasmanyautonomousorsemiautonomousdivisions.Atothertimes,federationoccursbecauseofmoreoperationalormarketneeds.

CoreValuesoftheAutonomySecurityCultureCorevalueswithinanAutonomyCultureemergefromtheneedtomanagedifferentlevelsofsecurity,fordifferentreasons,indifferentplaces,andinclude

FlexibilityEnsurethattheorganizationrespondstochangingeventsandenvironments.Unexpectedchangeisunavoidableandactuallyrepresentsanopportunityforthosewhocanadapt.AgilityEnsurethattheorganizationmovesquicklyandefficientlytotakeadvantageofopportunities.Wastingtimedebatingoptionsordealingwithbureaucracyriskssacrificingfirst-moveradvantages.InnovationEnsuretheorganizationnotonlyreactstochange,butcreatesit,discoveringnewwaystoimprovebeforecompetitorsdo.Thebestideascomefromunexpectedplaces,fromindividualforward-thinkers,andtoforbidexperimentationistocourtobsolescence.

AcardinaldirectiveoftheAutonomyCulturecouldbesummedupasgetresults.Anorganizationinahighlyvolatileandcompetitiveenvironmentcanliterallyfaceextinctionifitfailstobeinnovative,adaptable,andagile,allcharacteristicsthatarisk-aversesecurityprogramcanimpede.Afailurefromoverlycautiousapproachestosecuritycanbeasdeadlyasafailurethatoccursasaresultofamajorbreach.Manysocialmediacompaniesandtechnologystartupstodayfaceexactlythisparadox.Theinformationtheymanageistherawmaterialoftheirbusiness.Lockinginformationdown,protectingit,takesresourcesandmaydiminishthevalueofthedata.Ascrupulouscompany,doingrightbyitscustomersorusersonsecurityandprivacy,mayfinditselfoutmaneuveredbyacompetitorthatputthoseextraresourcesintomarketinganduserinterfacedesigninsteadofdataprotection.

FreewheelingstartupsarenottheonlyorganizationsthatfindvalueinsomeformofAutonomyCulture,though.LotsoforganizationsdivideauthorityandresponsibilityforITandsecurityamongdifferentgroups,orembedtheminto

linesofbusinessorgeographicalregions.ThemainfeatureofanAutonomyCultureissimplythattheorganizationhasconcludedthatcentralized,standardizedsecuritydoesnotworkaswellasindividuallyorlocallymanagedsecurity,andhasdelegatedtheauthorityforitamongdifferententities.

ExamplesofAutonomyCulturesIhaven’tfoundanindustrythatexplicitlyadvocatesforasecuritycultureofAutonomy,atleastnotoutloud.Intoday’senvironment,statingthatsecurityshouldbeleftuptoindividuals,allowingthemtodecideforthemselveswhatneedstobeprotectedandhow,mightbeseenasreckless.Butplentyoforganizationsfunctionthisway,eveniftheydon’tprintitonthebrochure.Startups,especiallytechnologystartups,areoftenforcedtomovesofastthatsecurity(alongwitheverythingelse)ishandledbyindividuals.Similarly,somepartsofacademicinstitutionsaremoreautonomousbecausetheyaremeanttobeopensystemsforthefreeexchangeofinformation.Securitypeople,inmyexperience,tendtoseethevaluesandtraitsofanAutonomyCultureasanecessaryevil,atbest.

WhereAutonomyCulturesdoexist,theylookattheideaoffreedomdifferently.AutonomyinsecurityisdifferentfromtheadhocracycultureintheoriginalCompetingValuesFramework,whereitrepresentsadeliberaterejectionofrules,standards,andbureaucracyinfavorofbeinganimblecompetitor.Fewinsecurity,evenproponentsofmoreautonomy,wouldmaketheclaimthatsecuritypolicies,processes,andothermechanismsofcontrolareactuallyharmfultothebusinessandshouldbeavoided.Instead,AutonomyCulturesprioritizetheideathatcentralizedcontrolandstandardsecurityprocessarenottheonlywaytogoandmustbebalancedwithotherconcerns.I’veusuallyfoundevidenceofAutonomyCulturebylookingbetweenthelines,examiningtheconflictingprioritiesofthesecurityteamandtherestoftheorganization.

OneofthebestexamplesofAutonomyCulture’sinfluenceonsecurityisthe“bringyourowndevice”movement,orBYOD.Theconsumerizationoftechnology,whichhasintegratedpowerfulandsophisticatednetworkedcomputingdevicesintothelivesofeverydayusers,combinedwithaprofusionofsocialandinformationservicesthatintegratewiththosedevices,hasmadealmosteveryoneanadvancedITuser.Companieshave,sometimesinadvertently,encouragedconsumerizationthroughthegrowingerosionoftheboundariesbetweenworklifeandpersonallife.Manypeopleexpectandareexpectedtobequicklyavailableatalltimebyfriends,coworkers,andbossesalike.Asbothopportunitiesanddemandforconnectivityandavailabilitygrow,unique

ecosystemshavedeveloped.Bigplayers,likeAppleandGoogle,aswellasmanyotherlargeandsmallcompetitorsproducephones,tablets,andpersonalcomputerswithdisparateuserbases.TheresultingplatformdiversityhasstrainedtheabilityofcorporateITtokeepup,andpersonalpreferencesdriveninpartbyyoungergenerationswhowant“cool”ratherthan“companyapproved”techhasmadeBYODasmuchaboutreputationandretainingtalentasitisaboutmanagingITinfrastructures.

IonceheardaCISOsay,“Iquestionthesanity,nottomentionthejudgment,ofanyonewhowantstobringtheiriPhonetouseatwork.”ThisexecutivewaslessconcernedwithAppleinparticular;hementionedthathehadaniPhoneforpersonaluse.Buthewasadamantthatthefreedomtoaccessthecorporatenetworkwithanydevicewasanunacceptablesecurityrisk.ContrastthatwithcompanieslikeCisco,wherecarefullymanagedBYODispartofthefabricofcompanylife,andyoucanseethedifferencebetweenthevaluesoftheProcessCultureandthoseoftheAutonomyCulture.

TrustCultureCulturesoftrusttendtoinsistthatsecuritymustbeashared,collaborativeprocess.TrustCulturesachievesuccesswheneveryoneisastakeholderinsecurity,withtherightskills,knowledge,andawarenesstomakegooddecisions.ThetheoreticalperspectiveofaTrustCultureishumanrelations,therecognitionthat,asIsaidinChapter1,securityispeople!

TrustCulturesembodyanapproachthatfavorsloosercontrol(sincetheorganization’smembersaredependableparticipantswhodon’trequireconstantsupervision)andlooksinwardtothepeoplewhoembodytheorganization.Thiscanonlybeaccomplishedthrougheducated,engagedmemberswhoremaincommittedtoorganizationalsuccessataverypersonallevel.

Manypeopleworkinorganizationsthatseethemselvesascommunitiesorevenfamilies,andsomepeopleinvestagreatdealoftheirownsenseofself-worthintotheirprofessionandtheiremployer.Insecurity,thiscohesioncanfunctionabitdifferently,butitisstillverymuchthere.Forsecurityprograms,theplaceyouaremostlikelytofindproponentsoftheTrustCultureisinsidethesecurityawarenessteam.EverysecurityawarenessprofessionalI’vetalkedtoorheardspeak—andthankstoLanceSpitznerandtheSANSSecuringtheHumanProjecttherehavebeenquiteafew—hasbeenabsolutelypassionateaboutmakingnonsecurityfolksunderstandwhysecurityisimportant,andthengivingthemthetoolstomakethebestsecuritydecisions.Theyviewpeoplenotasa

threattobemanaged,butasaresourcetobevalued.

CoreValuesoftheTrustCultureCorevalueswithinaTrustCultureemphasizetheneedtointeractandcooperateasateam,andinclude

CommunicationEnsurethattheorganizationsharesinformationclearlyandefficientlywithallmembers.Ifpeoplecannotunderstandwhattheyaresupposedtodo,andwhy,theywillfail.ParticipationEnsurethattheorganizationencourageseveryonetotakeownershipandbecomeastakeholder,ratherthanfoistingresponsibilityontootherparties.“Passingthebuck”isseenasirresponsibleandrisky,aswellasaviolationofthesocialcontract.CommitmentEnsurethatpeoplewanttomaketheorganizationgreatbyensuringthattheorganizationdoesallitcantomakepeoplegreat.Wastinggoodpeopleisbadbusiness.

AcardinaldirectiveoftheTrustCulturemightbestatedasempowerpeople.Insecurityenvironmentsthismeansnottreatingpeopleliketheenemy,butrathergivingthemwhattheyneedtobealliestothesecurityteam.I’veseenmorethanonesecurityprogramobsessaboutinsiderthreats,viewingalmosteveryoneoutsideofInfoSecastimebombsjustwaitingtogooffinexplosionsofignorance,incompetence,oractivemaliciousintent.ATrustCulturedoesnotignorethepossibilitythatpeoplecanbecomeproblems;butitbelievesthattheseproblems,moreoftenthannot,canbeavoidedbysimplyunderstandingwhatapersonreallyneedsinordertodotherightthing,andthengivingthattothem.

ExamplesofTrustCulturesAswithAutonomyCultures,IhavenotfoundTrustCulturestobeuniquetoaspecificindustry.Mostorganizationsbeyondacertainsizehaveasecurityawarenessprogram,oftendrivenbyacompliancerequirement.WhethertheawarenessprogramisevidenceofaTrustCulture,devotedtoempoweringthemembersoftheorganizationsothattheycanmakebetterchoices,orevidenceofaComplianceCulture,inwhichawarenessisonlyimportanttotheextentthatitservesotherinterests,canbehardtodecipher.ButIhaveyettofindasecurityawarenessofficerwhowasonlyinterestedincheckingaboxonanauditform.Theyallwanttoappealtoheartsandminds.

TherealchallengeforTrustCulturesisthat,ofalltheculturaltraitsinthe

CSCF,trusttendstocomehardesttosecurityprofessionals.Wearenot,bynature,atrustinglot.PeopleinInfoSectendtofocusonwhatcangowrongmorethanwhatcangoright,andweneverhavetolookveryfarorhardtohaveourworstsuspicionsofdangerconfirmed.Securityisaboutlockingthingsdownandrestrictingaccesstothem.Wetendtowanttocontrolpeople’sbehavior.EmpoweringthemcanfeellikesomethingbestlefttoHR.Butformanyothersinanorganization,trustandasenseofcommunityarequiteimportant,eventakenforgranted.ThistendstolimittheinfluenceofTrustCulturesininformationsecurityprogramsandtofostermorecompetitionbetweenthemandotherquadrantsoftheCSCF.

Asthefirstsectionofthisbookargues,however,itisexactlythiscompetitivetensionbetweendifferentprioritiesandrequirementsthatfuelssecurityrisk.ATrustCulturedoesnotimplyanaiveassumptionthateveryoneisniceandfairandputstheinterestsoftheorganizationfirst.ATrustCulturerestsonafoundationofcooperationandsharedresponsibility.Thismeansthatpeopleknowwhattherightchoiceis.Butitalsomeansthatpeoplerecognizethatsomechoicesareharderthanothers,andthatcompromisesandtrade-offsmustbemade.Trustisaboutcommunicatingconflictsofinterestasmuchasitisaboutpostingawarenesspostersremindingeveryoneofapolicy,andhavingfaiththattheorganizationwilllisten.

FurtherReadingCameron,KimS.,andRobertE.Quinn.DiagnosingandChangingOrganizationalCulture:BasedontheCompetingValuesFramework.3rdEd.SanFrancisco:Jossey-Bass,2011.Quinn,RobertE.,andJohnRohrbaugh.“ASpatialModelofEffectivenessCriteria:TowardsaCompetingValuesApproachtoOrganizationalAnalysis.”ManagementScience29,no3(1983):363–377.SANSInstitute.“SecuringtheHuman.”Availableatwww.securingthehuman.org.

http://www.securingthehuman.org

T

CHAPTER6

TheSecurityCultureDiagnosticSurvey(SCDS)

heCompetingSecurityCulturesFramework,introducedinChapter5,isacornerstoneofthisbook’speople-centricsecurityapproach.Itprovidesameansofvisualizingthetensionsbetweeninformationsecuritystakeholders,priorities,andvaluesthatexistineveryorganization.Therewillalwaysbedifferencesbetweenorganizationalcultures,andeverycompanyandenterprisewillhaveitsownuniqueapproachtoInfoSec,amixofcultures,beliefs,andassumptionsthatwilldriveeverydaydecisionsandbehaviorsacrossallpeopleinvolved.TheCSCFencouragesobservationandidentificationoftheseuniquetraits,placingtheminaspatiallyorientedframeworkthatallowstheorganizationtounderstanditselfandtochartpathwaystoculturalimprovementandtransformation.

Noorganizationislikelytobeofjustoneculturaltype.Takeamomentandconsideryourownorganization’sculture.WouldyousayyouhaveaComplianceCulture,whereauditsaretopofmindforthesecurityteam?CompliancetendstobeakeydriverofInfoSecthesedays.Butatthesametime,doyoualsohaveasecurityawarenessprograminplace?Doyouemphasizesecurityawarenessmoregenerally,oronlyforthosespecificareasthatyouareauditedagainst?Youprobablyhaveanumberofsecuritypoliciesandstandards,butaretherealsoareaswherepeopleandgroupsaregivenmorediscretioninhowtheyuseormanagetechnology,suchaswithBYOD?

ChancesarethatalloftheCSCFtraitswillbefamiliartoyouinsomeway,representingsomeaspectofsecuritythatyourorganizationvaluesandpromotes.

Securityculture,likeorganizationalcultureingeneral,ismultifacetedandflexible.Theinterestingquestionis,ifyoureallygotdowntoitandwereforcedtochoose,whichvalueswouldcomeoutontop?If,likeClarathedeveloperfromChapter2,youneededtomakehardchoicesbetweenwhatwasrightforsecurity,whatwasrightforthebusiness,andwhatwasrightforyourself,whichwouldyougivehighestpriority?Forwhichdecisionswouldyouberewardedandforwhichwouldyoubepunished,nomatterwhatthe“partyline”saysabouttheimportanceofsecurity?Thatbalanceisthetruefaceofyoursecurityculture.

TheCSCFisusefultohelpconceptualizesecurityculture,butitdoesn’ttellyoumuchaboutyourownorganizationorthebalancebetweencompetinginformationsecurityvaluesinyourparticularcase.Todeterminethat,youneedameasurementinstrumentofsomesort.IdesignedtheSecurityCultureDiagnosticSurvey(SCDS)tobethatinstrument.UsingtheSCDS,InfoSecteamscancollectempiricalevidenceabouttheculturalandbehavioralnormsthatexistregardingsecuritywithintheirorganization.TheresultisaprofilethatdescribesthebalanceanorganizationexhibitsbetweenthefourdifferentsecurityculturesoftheCSCFandtheirassociatedvaluesandbehaviors.TheSCDSbuildsupontheresearchandoperationaldevelopmentoftheCompetingValuesFramework,discussedinChapter5,aswellasmyownadaptationintheCSCF.

SCDSFormatandStructureTheSCDSisdesignedtoelicitdataregardingculturaltraitsandinformationsecurityvaluesthatexistwithinanorganizationalenvironment.TheSCDSisaccompaniedbyascoringprocessforusingtheresponsestosurveyquestionstocomputethelevelofaparticularculturalattributeagainstascale,aswellasavisualizationprocessbywhichthesescoresareorientedspatiallyagainsttheCSCFquadrantstocreateasecurityculturemaporprofile.Theseculturemaps,describedinChapter7,canbeusedtodrivediscussion,brainstormtransformationstrategies,andcommunicatetoInfoSecandorganizationalleadership.

HowSurveysWorkMostpeoplearefamiliarwithsurveys.We’vealltakentheminoneformoranother,whetheritwasfillingoutaformdescribingoursatisfactionwithaparticularproductorservice;beingaskedstructuredquestionsaboutwhatwe

mightbuy,whowemightvotefor,orwhatpersonalitytypeswearelookingforinaromanticpartner;ortakinganemployeesurveyaskingushowwefeelaboutourcompany,leadership,orindividualjob.TheInternethasimprovednetworkingandcommunicationingeneral,andseveralcompaniesofferspecializedonlinesurveytoolsthatmakeiteasyforjustaboutanyonetosetupasurveyandstartaskingquestionsofrespondents.

Surveyshavebecomesocommonplacethatpeopletendtotakethemforgranted,forgettingthattheycanbesophisticatedresearchtoolsintherighthands.Likeachromatograph,anetworkprotocolanalyzer,oravideocamera,surveyscollectdataasinputsthatcanthenbeanalyzed.Butinsteadofchemicals,packets,andphotons,surveyscollecthumanverbalorwrittenresponses.Mostofusunderstandhowtoaskquestionsandgetanswers,askillwehavetolearnearlyaslanguageusers.Sosurveyscanseemeasierandlessspecializedthansomeofthosemoretechnicalinstruments.Butlikethem,surveyresearchisbuiltonabodyoftheoryandempiricalresearchthatenablessocialscientiststocollectdatainvalidandrepeatableways.Unlikethemoretechnicalinstruments,however,distinguishingbetweena“good”survey,onethatproducesscientificallyvaliddata,anda“bad”survey,wheresomeoneisjustaskingquestionsofsomeoneelse,canbedifficult.

Adetailedoverviewofsurveytheoryandpracticeisoutsidethescopeofthisbook,buttherearesomegeneralaspectsofsurveysthattendtodifferentiatethosethataremorescientificallyrigorousfromthosethatarelessso.Thesetraitsinclude

ClearlyunderstoodobjectivesforthesurveyPre-establishedresearchquestionsthesurveyshouldanswerAnexplicitconceptualandanalyticalframeworkinwhichtoevaluatetheresponsesWell-designedsurveyquestionsandvariables

TheSCDSattemptstomeetthefirstthreecriteriabygroundingitselfintheCompetingSecurityCulturesFrameworkitself.TheCSCFdefineswhatneedstobeunderstoodandhowtoevaluatetheresultsofsecurityculturemeasurement.Whatisleftisthefourthcriteria,theneedforthespecificquestionsandscoresbywhichthatmeasurementisachieved.

QuestionsintheSCDS

TheSCDSismadeupoftenquestions,eachwithfourresponsesthataligntothefourquadrantsoftheCSCF.Thequestionscorrespondtokeyorganizationalactivitiesthatinfluenceandareinfluencedbynormsandbehaviorscentraltoinformationsecurityculture.Youmaynoticeatfirstglancethatmanyofthequestionsdonotspecificallymentionsecurity.Thisisdeliberate.Securityis,asIhaveemphasized,abusinessprocessjustlikeanyother.SecurityculturedoesnotgrowoutofhowtheInfoSecteamlooksatinformationsecurity.That’sjustnavelgazingbyeveryonesittingontopoftheiceberg.Securitycultureisabouthowthehiddenassumptionsunderthesurfaceinfluencehowsecuritygetsdone.ThesehiddenassumptionsinfluencethingslikehowtheorganizationisrunandtheInfoSecteamwithinit,thingslikethemanagementofcoreoperationsortechnologies,orabouthowwejudgepeople’sperformanceandholdthemaccountableforoutcomes.Securitydoesn’tdriveanyofthesethingsinsideanorganization,buttheydriveeverythingthesecurityorganizationaccomplishes.

Table6-1providesthequestionsandresponsesthatcomprisetheSCDS.ThesectionsfollowingTable6-1explainthequestionsandresponsesinmoredepth,andasubsequentsectionexplainshowtoscoretheSCDSresults.EditableversionsoftheSCDSareavailablefordownloadfromhttp://lancehayden.net/culture.TheseversionsincludetemplatesforassessingasingleInfoSeccultureorcomparingmultiplesecuritycultureswithintheorganizationoracrosstime.Instructionsforcompletingeachofthesesurveysaregenerallydescribedlaterinthischapter,andspecificinstructionsforeachtemplateareincludedinthedownloadableversions.

1.What’svaluedmost?

A.Stabilityandreliabilityarevaluedmostbytheorganization.Itiscriticalthateveryoneknowstherulesandfollowsthem.Theorganizationcannotsucceedifpeoplearealldoingthingsdifferentwayswithoutcentralizedvisibility.

B.Successfullymeetingexternalrequirementsisvaluedmostbytheorganization.Theorganizationisunderalotofscrutiny.Itcannotsucceedifpeoplefailauditsordonotliveuptotheexpectationsofthosewatching.

C.Adaptingquicklyandcompetingaggressivelyarevaluedmostbythe


organization.Resultsarewhatmatters.Theorganizationcannotsucceedifbureaucracyandredtapeimpairpeople’sabilitytobeagile.

D.Peopleandasenseofcommunityarevaluedmostbytheorganization.Everyoneisinittogether.Theorganizationcannotsucceedunlesspeoplearegiventheopportunitiesandskillstosucceedontheirown.

2.Howdoestheorganizationwork?

A.Theorganizationworksonauthority,policy,andstandardwaysofdoingthings.Organizationalchartsareformalandimportant.Theorganizationisdesignedtoensurecontrolandefficiency.

B.Theorganizationworksonoutsiderequirementsandregularreviews.Auditsareacentralfeatureoflife.Theorganizationisdesignedtoensureeveryonemeetstheirobligations.

C.Theorganizationworksonindependentactionandgivingpeopledecisionauthority.There’snoonerightwaytodothings.Theorganizationisdesignedtoensurethattherightthingsgetdoneintherightsituations.

D.Theorganizationworksonteamworkandcooperation.Itisacommunity.Theorganizationisdesignedtoensureeveryoneisconstantlylearning,growing,andsupportingoneanother.

3.Whatdoessecuritymean?

A.Securitymeanspolicies,procedures,andstandards,automatedwhereverpossibleusingtechnology.Whenpeopletalkaboutsecuritytheyaretalkingabouttheinfrastructuresinplacetoprotecttheorganization’sinformationassets.

B.Securitymeansshowingevidenceofvisibilityandcontrol,particularlytoexternalparties.Whenpeopletalkaboutsecuritytheyaretalkingaboutpassinganauditormeetingaregulatoryrequirement.

C.Securitymeansenablingtheorganizationtoadaptandcompete,nothinderingitorsaying“no”toeverything.Whenpeopletalkaboutsecuritytheyaretalkingaboutbalancingrisksandrewards.

D.Securitymeansawarenessandsharedresponsibility.Whenpeopletalkaboutsecuritytheyaretalkingabouttheneedforeveryonetobeanactiveparticipantinprotectingtheorganization.

4.Howisinformationmanagedandcontrolled?

A.Informationisseenasadirectsourceofbusinessvalue,accountedfor,managed,andcontrolledlikeanyotherbusinessasset.Formalrulesandpoliciesgoverninformationuseandcontrol.

B.Informationisseenasasensitiveandprotectedresource,entrustedtotheorganizationbyothersandsubjecttoreviewandaudit.Informationuseandcontrolmustalwaysbedocumentedandverified.

C.Informationisseenasaflexibletoolthatisthekeytoagilityandadaptabilityintheorganization’senvironment.Informationmustbeavailablewhereandwhenitisneededbythebusiness,withaminimumofrestrictivecontrol.

D.Informationisseenasthekeytopeople’sproductivity,collaboration,andsuccess.Informationmustbeasharedresource,minimallyrestricted,andavailablethroughoutthecommunitytoempowerpeopleandmakethemmoresuccessful.

5.Howareoperationsmanaged?

A.Operationsarecontrolledandpredictable,managedaccordingtothesamestandardsthroughouttheorganization.

B.Operationsarevisibleandverifiable,managedanddocumentedinordertosupportauditsandoutsidereviews.

C.Operationsareagileandadaptable,managedwithminimalbureaucracyandcapableoffastadaptationandflexibleexecutiontorespondtochangesintheenvironment.

D.Operationsareinclusiveandsupportive,allowingpeopletomasternewskillsandresponsibilitiesandtogrowwithintheorganization.

6.Howistechnologymanaged?

A.Technologyiscentrallymanaged.Standardsandformalpoliciesexisttoensureuniformperformanceinternally.

B.Technologyisregularlyreviewed.Auditsandevaluationsexisttoensuretheorganizationmeetsitsobligationstoothers.

C.Technologyislocallymanaged.Freedomexiststoensureinnovation,adaptation,andresults.

D.Technologyisaccessibletoeveryone.Trainingandsupportexiststoempowerusersandmaximizeproductivity.

7.Howarepeoplemanaged?

A.Peoplemustconformtotheneedsoftheorganization.Theymustadheretopoliciesandstandardsofbehavior.Thesuccessoftheorganizationisbuiltoneveryonefollowingtherules.

B.Peoplemustdemonstratethattheyaredoingthingscorrectly.Theymustensuretheorganizationmeetsitsobligations.Thesuccessoftheorganizationisbuiltoneveryoneregularlyprovingthattheyaredoingthingsproperly.

C.Peoplemusttakerisksandmakequickdecisions.Theymustnotwaitforsomeoneelsetotellthemwhat’sbest.Thesuccessoftheorganizationisbuiltoneveryoneexperimentingandinnovatinginthefaceofchange.

D.Peoplemustworkasateamandsupportoneother.Theymustknowthateveryoneisdoingtheirpart.Thesuccessoftheorganizationisbuiltoneveryonelearningandgrowingtogether.

8.Howisriskmanaged?

A.Riskisbestmanagedbygettingridofdeviationsinthewaythingsaredone.Increasedvisibilityandcontrolreduceuncertaintyandnegativeoutcomes.Thepointistocreateareliablestandard.

B.Riskisbestmanagedbydocumentationandregularreview.Frameworksandevaluationsreduceuncertaintyandnegativeoutcomes.Thepointistokeepeveryoneontheirtoes.

C.Riskisbestmanagedbydecentralizingauthority.Negativeoutcomesarealwaysbalancedbypotentialopportunities.Thepointistoletthoseclosesttothedecisionmakethecall.

D.Riskisbestmanagedbysharinginformationandknowledge.Educationandsupportreduceuncertaintyandnegativeoutcomes.Thepointistofosterasenseofsharedresponsibility.

9.Howisaccountabilityachieved?

A.Accountabilityisstableandformalized.Peopleknowwhattoexpectandwhatisexpectedofthem.Thesamerewardsandconsequencesare

foundthroughouttheorganization.

B.Accountabilityisenabledthroughreviewandaudit.Peopleknowthattheywillbeaskedtojustifytheiractions.Rewardsandconsequencesarecontingentuponexternalexpectationsandjudgments.

C.Accountabilityisresults-driven.Peopleknowtherearenoexcusesforfailing.Rewardsandconsequencesareaproductofsuccessfulexecutionontheorganization’sbusiness.

D.Accountabilityissharedamongthegroup.Peopleknowtherearenorockstarsorscapegoats.Rewardsandconsequencesapplytoeveryonebecauseeveryoneisastakeholderintheorganization.

10.Howisperformanceevaluated?

A.Performanceisevaluatedagainstformalstrategiesandgoals.Successcriteriaareunambiguous.

B.Performanceisevaluatedagainsttheorganization’sabilitytomeetexternalrequirements.Auditsdefinesuccess.

C.Performanceisevaluatedonthebasisofspecificdecisionsandoutcomes.Businesssuccessistheprimarycriteria.

D.Performanceisevaluatedbytheorganizationalcommunity.Successisdefinedthroughsharedvalues,commitment,andmutualrespect.

Table6-1TheSecurityCultureDiagnosticSurvey

1.What’sValuedMost?Question1asksrespondentstothinkofthekeyvaluesaffectingtheirorganization’ssecuritycultureandtoidentifythetop-of-mindprioritiesthatbestdescribedailydecisionmaking.Theresponsechoicesallowtherespondenttodifferentiatebetweentherelativeimportanceofstabilityandstandardization,externalvalidationandreview,adaptabilityandfreedomofchoice,andasenseofsharedcommunityandresponsibility.Theseresponsechoicesbeginthedescriptivedifferentiationoftheorganization’ssecuritycultureintothefourquadrantsoftheCSCF.

2.HowDoestheOrganizationWork?Question2focusesonhowtheorganizationgetsthingsdone,howitdivides

responsibilityandauthority,andhowitembedsthosevaluesintohierarchiesandorganizationaldivisions.Organizationalworkhabitsdefinemostaspectsoforganizationalbehaviorbycreatingandencouragingsomeformsofcommunicationandinteractionamongmembers,whilelimitinganddiscouragingothers.Overtime,thesebehaviorsbecomeingrainedandinstinctual,asthe“shape”oftheorganizationbecomespartoftheculture.Responsestothisquestionallowrespondentstodefinewhethertheorganizationlooksinwardoroutwardforitsmarchingorders,whethertheprimarystakeholdersareinternalorexternal,andwhetherthedivisionoflaborandmanagementisdesignedtopromoteindividualandgroupinitiativesortoplaceandpreservecontrolinmorecentralizedhands.

3.WhatDoesSecurityMean?Question3isthemostsecurityspecificintheSCDS,askingtherespondenttoexplicitlydefinehowheorsheortheorganizationconceptualizesinformationsecurity.Theresponsesencouragerespondentstothinkofsecurityintermsofhowitisperceivedandimplementedwithintheorganization.Insomeorganizations,securityissynonymouswiththeinfrastructureofsecurity,whetherthosesystemsaretechnologicalorprocessbased.Otherorganizationsseesecurityintermsofeffectsandresults,theoutcomesoftheprocessratherthanthemeansofitsachievement.Ofcourse,abalancemustexistbetweenthedifferentconceptualizations,butthequestionallowsrespondentstoweightwhatthetypicalmemberoftheorganizationisreferringtowhenheorshetalksaboutsecurity.

4.HowIsInformationManagedandControlled?Informationisthelifebloodofmostorganizationstoday,centralbothtothegeneralbusinessactivitiesoftheenterpriseandtoinformationsecurity.Question4asksrespondentstodescribethemanagementandcontrolofinformationasasharedresource.Theflowsofinformation,itsownersanduses,andthebeliefsabouthowitshouldbedisseminatedandsharedaredefinedwithintheresponses.Informationcontrolisnotnecessarilysecurityspecific,butthewayinwhichanorganizationviewsinformationasatoolandacommodityhasadirectbearingonhowtheorganizationfeelsaboutrestrictingaccesstoitandotherwisecontrollinginformationusesforsecuritypurposes.

5.HowAreOperationsManaged?

Question5asksrespondentstoselectandprioritizetheorganization’severydayfunctionalactivities,includingtasks,interactions,decisions,andevaluations.Organizationaloperations,likeorganizationalstructure,tendtobecome“formalandnormal”overtime.Evenachaoticoperationalenvironment,subjecttoindividualdecisionsandlittleoversight,canbecomea“normal”wayofdoingthings.Justaskanyonewhohasbeenresponsibleforchangingsuchanenvironment.Asoperationalrealitiesgivewaytohabits,thehabitsencourageparticularwaysoflookingathownewoperationsareconducted.Thisquestionelicitsdataaboutwheretheoperationalenvironment,includingthehabitsandnormsthatitrepresents,issituatedwithinthefourculturalcategoriesdescribedintheCSCF.

6.HowIsTechnologyManaged?Question6examinesthemanagementoftechnologyasanorganizationalresource.Likeotherresource-centricquestionsintheSCDS,itaskssurveyrespondentstodescribewhethertechnologyissubjecttomoreorlesscontrol,andwhetheritisputtousetoincreasethesuccessofinternalstakeholdersorexternalstakeholders.Technologymanagementcanhaveprofoundimplicationsforsecurityculture,addingbothfreedomsandconstraintstomembersthroughouttheorganization.TheseimplicationsmayormaynotmakethejoboftheCISOorInfoSecmanagereasier.

7.HowArePeopleManaged?Althoughapeople-centricapproachtosecurityisthecentralthemeofthisbook,noteveryorganizationmanagespeopleinthesameway,forthesamereasons.Question7asksrespondentstodescribehowpeoplearetreatedandutilizedasaresourcewithintheorganization.Isthatmanagementstyleformalandcentralized,aswithatraditionalhumanresourcesdepartmentthatmaytreatpeoplemuchlikeanyotherorganizationalasset?Oristheenvironmentmorelikeafamily,acommunity,orasocialmovement,wherepeopleareelevatedaboveothercomponentsoftheorganizationandgivenspecialfocusandprivilege?

8.HowIsRiskManaged?Question8gathersdatafromrespondentsabouttheunderstandingandmanagementofriskwithintheorganization.Riskisoftensubjecttodifferentinterpretationsanddefinitionswithinanenterprise,asIhavedescribedin

previouschapters.Howriskisunderstood,whetheritrepresentsanegativeorapositive,andwhatshouldbedonetoreduce,accept,orevenencourageitbecomekeyconsiderationsforsecurity.ThisquestionexploreshowriskmanagementmaydifferbetweenculturalcategorieswithintheCSCFanddocumentsthemeansbywhichtheorganizationaddressesrisksandopportunitiesintheconductofitsbusiness.

9.HowIsAccountabilityAchieved?Themeansbywhichorganizationsholdmembersaccountablefortheiractionscanbedeeplyinfluencedbythecultureoftheorganization,andcanserveasareflectionofthosecoreculturaltraits.Question9askssurveyrespondentstoexplainthewaysinwhichtheirorganizationunderstandsandundertakesaccountability.Dependingontheculture,accountabilitymaybemechanisticandtheproductofstrictmeasures,oritmayprovemoresituationalandsubjective.Howaccountabilityisperceivedcanplayapartinhowpeoplewithintheorganizationmakedecisions,howtheyviewtheirjobsandresponsibilities,orevenhowtheyinteractwithandsupport(orfailtosupport)othermembers.

10.HowIsPerformanceEvaluated?Performanceevaluation,likeaccountability,isacorerequirementfororganizationalsuccess.Itisalso,likeothertraits,culturallysituatedandinfluencedbynormsandbeliefs.Whilerelatedtoaccountability,Question10focusesmoredirectlyonthemeasurementofsuccessorfailurethanonthedesignationofwhoisresponsibleforthosesuccessesorfailures.Thequestionasksrespondentstodefinethemethodsbywhichevaluationisconducted,whethersuccesscriteriaareformalizedoradhoc,internallydrivenorinfluencedbyoutsiders,andwhetherperformanceisasharedormoreindividualizedorganizationalactivity.

SCDSScoringMethodologyTheSCDSusesanipsativescaleformeasuringresponses.IpsativescalesmaybelessfamiliartoyouthantheLikertscalestypicallyseeninmanysurveys.Likert,ornormative,scalesuseresponsesthatforceasurveyrespondenttoanswerintheformofarating.Ratingsmaybenumeric,suchasaskingarespondenttorateapreferenceonascaleof1to5.Ortheymaybedescriptive,askingtherespondenttoratetheiragreementwithaparticularstatementfrom“stronglyagree”throughto“stronglydisagree.”WithLikertscales,each

responseisindependentofotherresponses.IfasurveyasksarespondenttoratehowtheyfeelaboutdifferentaspectsoftheirjobusingaLikertscale,itisperfectlyacceptablefortherespondenttorateeverything“stronglyagree”orata“5”level,dependingonthescale.Thereistypicallynorankinginvolved,wherea“1”ratingononeitemwouldnecessitatea“5”rankingonanother,relateditem.

Ipsativescalesforcearespondenttochoosebetweenaseriesoftwoormoreoptions.ForeachquestionintheSCDS,surveyrespondentsareaskedtoweightthefourresponsesbyindicatingtheextenttowhicheachaccuratelyanswersthequestion.ThereareprosandconstousingboththeLikertandipsativeresponsesystems,butipsativescalesworkbestwhenresponsesarenotintendedtobeindependentandshouldreflectdifferingbutrelateddegreesofpreferencebetweenresponseitems.

TheCSCFdescribesorganizationalculturalenvironments,whereopposingnormsandvaluesarepresent.Anorganizationmayexhibitabalancebetweenculturaltraits,butitcannotbecompletelyonetypeofculturewhilealsobeingcompletelyanothertypeofculture.Consideranenterprise,forinstance,thathasaverystrong,deeplyingrainedcontrolculture,formalandstricthierarchiesandbureaucraticcommandstructures,andaprocess-driveninfrastructureofpoliciesandcontrols.Itisextremelyunlikelythatthissameorganizationwillalsoallowindividualstomakeindependentdecisions,follownonstandardprocesses,andregularlyfloutpoliciesorcircumventestablishedcontrols.Theincompatibilityofthecultureswillcreatefrictionandfailureuntiltheyarenormalized,eitherwithonecultureattainingpredominanceandtheotherbeingmarginalized,orbyamixingoftheculturesthatformsacompromisebalancebetweenthetwo.

AnipsativeresponsescalefortheSCDSreflectsthesetrade-offsbetweenculturalattributeswithintheSCDSandtheCSCF.EachSCDSquestionhasfourpossibleresponsesthatreflectdifferingandcompetingvalues.Respondentsmustassignatotalscoreof10pointsacrossallfourresponses,dividingthepointsamongtheresponsesbasedonhowstronglyorweaklyeachofthestatementsreflectstheirownorganization.Forinstance,ifresponseAreflectstheorganization’svaluesperfectlyandnootherresponseisapplicable,thesurveyrespondentmightassignascoreof10pointstothatresponse.Buttherespondentwouldthenhavetoassignallotherresponsesa0score,indicatingthosevaluesarenotpresenttoanydegree.Similarly,ifaresponseisinnowayreflectiveoftheorganization’svaluesandassumptionsandneverinfluencesbehavior,therespondentmightscoreita0,leavingtheremainderoftheweightingtobedividedbetweentheotherthreeresponses.

Noorganizationislikelytoexhibitasingleculturalattributeorsinglesetofvaluestotheexclusionofallothers.SCDSscoreswillusuallyreflectabalancebetweenresponses,whichcorrelatestoabalancebetweenthefourquadrantsoftheCSCFandthecultureseachrepresents.Itispossibleinsomecasesthataparticularsetofvalueswillbeperceivedasabsentfromtheorganizationalenvironmentandbeassigneda0weighting.Arespondentmaydecide,forinstance,thatsomevaluesassociatedwiththeAutonomyCulturearenotpresentandthereforescoreseveralofthe“C”responsesasa0.Buttherewilllikelybeotherareaswheresomedelegationofcontrolordecisionmakingisallowed,evenifthosevaluesremainsmall.

ScoringtheSCDSResultsScoringtheSCDSisrelativelystraightforward,asIdescribedinthelastsection.Respondentsdivide10pointsbetweeneachofthefourpossibleresponses,assessingthedegreetowhichthestatementreflectsthevalueswithintheirorganizationalenvironment.ItisunnecessaryforsurveyrespondentstounderstandorevenbeawareoftheCSCF,ordivisionsoforganizationalcultureingeneral.TheyonlyneedtodecidetowhatdegreeeachresponsestatementdescribesthevaluesoftheirownorganizationfortheSCDSquestionunderconsideration.

ThosetaskedwithinterpretingtheSCDSresultswillrequireabitmoreinsightintohowthequestionsandresponsesaredesigned.IfyouhavefamiliarizedyourselfwiththeCSCFpresentedinChapter5,youwillquicklyrecognizepatternswhenyouexaminethesurveyresponsechoices.Eachresponsedescribestraits,values,andactivitiesthatareassociatedwithoneoftheCSCFculturalquadrants:

“A”responsesreflectvaluesandtraitsthatareinternallyfacingandprioritizetightercontrol.Theseattributes,includingconcernsoverstability,theexistenceofstandardsandbureaucraticlinesofcontrol,andadesireforcentralization,areprioritiesthattendtoexistmorestronglyinProcessSecurityCultures.“B”responsesreflectvaluesandtraitsthatstillprioritizetightcontrol,butareaimedatexternalstakeholders.Attributesincluderegularreview,theneedforjustificationanddocumentationofactivities,andanaudit-drivenapproachtothebusiness,allofwhichareprioritiesmoreoftenfound

prevalentinComplianceSecurityCultures.“C”responsesreflectvaluesandtraitsthatareexternallyfacing,butprioritizelesscontroloverdecisionsandactivities.Flexibility,adaptability,andtheneedtobeagileandunhamperedbyrigidbureaucracyandlinesofauthorityarethedominantattributes,whicharemostoftenfoundinAutonomySecurityCultures.“D”responsesreflectvaluesandtraitsthatareinternallyfacingandmorelooselycontrolled.Attributesincludecooperationandtransparency,sharedresponsibilityandempowerment,andasenseofindividualownershipandmutualsupport,allofwhichareindicativeoftheprioritiesexistinginTrustSecurityCultures.

OncetheSCDSiscompletedandthesurveyownershaveasetofresponses,dataanalysiscanbegin.AnalyzingSCDSdatacanbeassimpleasaggregatingandaveraginganorganization’sSCDSscorestoshowoverallculturaltraits.Orthesurveyownerscantakemoresophisticatedpaths:comparingscores,visualizingdata,andusinginsightsfromtheSCDStoplanInfoSecculturetransformationstrategies.ThecasestudiesinthenextsectionservetoillustrateseveralwaysthatSCDSscorescanhelpanorganizationunderstandandimproveinformationsecurity.IwilldiscussvisualizingandmappinginformationsecuritycultureandtherelationshipbetweenSCDSscoresandtheCSCFinthefollowingchapter.

SecurityCultureDiagnosticStrategies:CaseStudiesThereareseveralstrategiesforusingtheSCDStodiagnoseandassesssecurityculturewithinanorganizationorbetweenorganizations.Themostobviousstrategyistotakeageneralmeasurementofoverallsecuritycultureacrosstheentireorganization.AnotherstrategyistoadministertheSCDSseparatelytoorganizationaldivisions,allowingforcomparisons,forinstance,betweenthecoreinformationsecurityprogramteamandagroupthathasnothingtododirectlywithsecurity.Thiscanrevealculturalgapsbetweenthosewhoareresponsibleformanagingsecurityandthosewhoareresponsibleforotherbusinessfunctionsthatmaycompetewithsecurity.AthirdstrategyistoadministertheSCDStotwodifferentorganizationspriortoamergeror

acquisitiontodeterminethecompatibilityoftheirsecuritycultures.AfinalstrategyistousetheSCDStoassesshowtoimprovepeople-centricsecuritythroughculturaltransformation.Bymeasuringanexistingsecuritycultureandthenimaginingwhatafuture,improvedculturewouldlooklike,anorganizationcanmapoutdesiredchanges.Thefollowingcasestudiesofrepresentative,butfictitious,organizationswillcovereachofthesestrategies.

ABLEManufacturing:MeasuringanExistingSecurityCultureABLEManufacturingCorporationisamidsizedcompany,producingbothconsumergoodsthatitsellsdirectlyandindustrialproductsthatitsellstoothercompanies.Familyownedandprivatelyheld,thecompanyhasalwaystriedtofosteraclose-knitworkplaceenvironment.ManyemployeesofABLECorp.haveworkedthereforoveradecade.ABLEconsidersitselfaboveaverageinitsuseofinformationtechnologyforitssizeandindustry.InformationsecurityhasbeendrivenovertheyearsprimarilybyrequirementsforPCIDSScompliance,asABLEprocessescreditcardsdirectly.TheexistingInfoSecteamiscross-functional,withpeoplefromITandfromInternalAudit.

Inthewakeofrecentinformationsecuritybreacheselsewhere,theCIOhadbecomeconcernedaboutABLE’ssecuritypostureandthushiredaDirectorofInformationSecurity(DIS),reportingdirectlytoher.ThenewDISpreviouslyworkedforseveralcompaniesandhadseenfirsthandhowculturaldifferencescanexacerbatesecurityrisks.HepersuadedtheCIOthatmanyoftheincidentsthatshewasconcernedaboutweretheresultofpeople-centricfailuresandnotsimplytechnologyorprocessdeficiencies.TheCIOgavetheDISapprovaltolaunchaculturalbaselineprojecttoidentifypotentialareasofconflict,andtheDISengagedanSCDS-basedassessmentofABLE’sexistingsecurityculture.RespondentswereasmallmixofmanagerswithintheCIO’sorganization.Figure6-1showsasampleoftheaveragescoresforthefirstthreesurveyquestionsandtheirassociatedresponserankings.

Figure6-1SampleSCDSscoresforABLEManufacturingCorp.

ABLE’sSCDSresponsesrevealedseveralthings.First,consistentlyhighscoreswereassociatedwith“A”responses,whicharelinkedtotheProcessCultureintheCSCF.ThesescoresindicatedthatcentralizedmanagementandstandardpoliciesandprocedureswerepriorityvaluesforABLE.ThiscameasnosurprisetotheCIO.ABLEisfamilyowned,withseveralfamilymembersinkeyleadershippositionsandontheboard.Authorityflowsfromthemthroughastrongchainofcommandtotheentirefirm.Andbeingamanufacturingcompany,ABLEisallaboutstable,repeatableprocesses.

ItwasalsounsurprisingtothosereviewingtheresultsoftheSCDSassessmentthat“D”responseswereratedsohighly.TheseresponsesaretiedtotheTrustCultureintheCSCF,whichemphasizeshumandevelopmentandasenseofcommunity.ABLEemployeesareencouragedtothinkofthemselvesasanextensionoftheowningfamilyandtoexpecttoshareinbothsuccessandfailure.Mutualrespectandsupportarekeycompanyvalues.

Discrepancieswerediscoveredaswell.The“B”responsescores,whicharealignedwiththeComplianceCulture,exhibitedquiteabitofvariance.TheseresponsesindicatedthatABLEcaredaboutmeetingexternalstakeholderrequirements,whetherfromcustomersorregulatorsorboth,butwasnotstructuredaroundcompliance.Furtherinvestigationrevealedthataudits,particularlyPCIDSSauditsinthecontextofsecurity,weretheresponsibilityofspecificteams.Generally,ABLEemployeeswerenotdirectlyorregularlyinvolvedinthesecomplianceactivities.Theexistingsecurityteam,however,consideredPCIDSScomplianceoneofitsmostimportantresponsibilitiesandhadstructureditselfaccordingly.

Anotherinterestingdatapointinvolvedtheperceptionofsecurityasahindrancetobusinessoperations.Althoughthe“C”responsescores,whicharealignedwiththeAutonomyCultureintheCSCF,tendedtobelowfortheseSCDSresults,theresponsetoQuestion3aboutsecurity’smeaningandpurposerevealedascoreovertwiceashighastheotherquestions’“C”responsescores.Thismightindicateaconflictinwhichpeopleperceivesecurityaslessanenablerofthebusinessthanablocker.Moreexplorationwasneededtoconfirmwhethersuchaperceptionwasattherootofthatparticularscore,butitpointedthereviewersinaninterestingdirectionforconsideringsecurity’sroleinthecompany.

ComparingDifferentSecurityCulturesWithinABLEManufacturingCorp.AsanoutcomeoftheinitialpilotSCDSassessment,theDirectorofInformationSecuritywasgivenpermissiontoexpandtheprojectandfocusoncomparingresultsfromABLE’ssecurityteammemberstoresultsfromotherpartsofthecompany.ThiswouldenabletheCIOandtheDIStogaugewhetherthereweresignificantdifferencesinsecurityculturesbetweenthoseowningandusingITresourcesandthosetaskedwithprotectingthem,andthenassesswhetherthosedifferencesmightresultincompetingvaluesandcreaterisksfortheorganization.AsampleoftheseresultsisshowninFigure6-2.

Figure6-2ComparisonofsampleSCDSscoresforABLEInfoSecandCorporate

ComparingtheresultsoftheSCDSfortheABLEInfoSecteamwiththeresultsfortherestoftheorganizationshowedsomeimmediatevaluediscrepanciesthatcouldbeindicativeofcompetingcultureswithinthecompany.Onceagain,scoresassociatedwithaProcessCulturewerehighforboththeinformationsecurityteamandforthecorporationasawhole.Butinterestingly,respondentsoutsideofthesecurityteamdefinedsecurityintermsofprocessesandpoliciestoagreaterextentthanthesecurityteamdid.ForyouraverageABLEcorporateemployee,whenyoutalkedaboutsecurity,youweretalkingaboutsecuritypoliciesandstandards,whichwerethethingstheyweremostfamiliarwith.EveryoneatABLEhadtogothroughannualsecuritytraining,whichemphasizedthecorporatesecuritypolicies.Theresultsdemonstratedthesecurityteamhadamorenuancedview,oneinwhichsecuritypoliciesandstandardsareimportant,butnotthetotalityofABLE’sInfoSecinfrastructure.

Divergentvaluesandcultureswereveryapparentwhenitcametocomplianceandaudits.Forthesecurityteam,ifanyonethingdefinedsecurity,itwasasuccessfulPCIDSSaudit.MuchoftheInfoSecinfrastructurehadcomeaboutinresponsetoPCIDSSauditrequirements.Butoutsideofthesecurityteam,compliancewithPCIDSSwasfarremovedfromtheaverageemployee’smind.ManydidnotevenknowwhatPCIDSSis,otherthansomesortofaudittheorganizationhastogothroughandsomethingtheinformationsecurityteamisresponsiblefor.ThesurveyresultsshowedthatABLEemployeestendednottoworryaboutcomplianceissuesingeneral,andthatthecompanywasnotstructuredinawaythatencouragedthemtodoso.Asitturnedout,thehigherratingsontheinitialpilotSCDSassessmentweremoreareflectionofthefactthatITmanagersweretheprimaryrespondentsthanevidencethataComplianceCultureexistedwithinthecompany.

DifferencesinculturalvalueswerereinforcedagainwhentheCIOandDISreviewedthescoresforAutonomyandTrustCultures.Thesecurityteamoftenexpressedfrustrationthat,eveninaprocess-drivencompanylikeABLE,securityoftengotalotofpushbackoverrulesandstandards.ABLE’ssecurityteamtendedtoberiskaverseandviewedexceptionstoanddeviationsfromthesecurityrulesandstandardsascreatingrisk.AlthoughtherestofABLE’semployeeswerehardlyadvocatingan“anythinggoes”culture,giventheirSCDSresponses,neverthelessthecorporateculturewasmuchmorepermissiveinthenameofbusinessagilitythanwasthesecurityteamculture.

ThecompetingvaluesinplaywithinABLE’sorganizationalsecurityculture

bothexplainedalottotheCIOandconcernedher.Itbecameapparentthatthesecurityteamculturewasdifferent,insomecasesmarkedlyso,fromthatoftherestofthecompany.Inadditiontocreatingpoliticalfriction,thesedifferingvaluesmeantthatpeopleresponsibleforprotectingcompanyassetsweremotivatedbyverydifferentideasaboutwhatwasrequiredtodobusinesssuccessfully.AcompleteculturaltransformationprojectwasnotsomethingthatABLEwaspreparedtodiveintoimmediately,buttheresultsoftheassessmentconvincedtheCIOtogranttheDIS’srequesttosignificantlyincreaseABLE’strainingandawarenessbudgetsothathecould“getthewordout”aboutsecurityandstartnormalizingrelationsbetweenhisinformationsecurityteamandotherABLEcorporatestakeholders.

CHARLIESystems,Inc.:ComparingSecurityCulturesofTwoOrganizationsCHARLIESystems,Inc.,isatechnologyfirmthatmakesseveralacquisitionseachyear.CHARLIEfeelsstronglyaboutensuringaculturalfitbetweenthefirmandanycompanythatitbuys.CorporateculturehastraditionallybeentheprimaryfocusforCHARLIE,butacoupleofrecentacquisitionshaveforcedCHARLIEtoconsiderhowinformationtechnologyculturesingeneral,andInfoSecculturesinparticular,alignaswell.Thecompanyfoundoutthehardwaythatanincompatibleinformationsecuritycultureinanacquiredcompanycancreateproblemsthat,hadtheybeenforeseen,mighthavechangedCHARLIE’sdecisionaboutthedeal.

CHARLIESystemshasaCISOwhoreportstotheCIO,andacentralizedsecurityinfrastructure.TheCISOenjoysquiteabitofinfluencewithinthecompanyand,afterpushingtoaddsecuritytotheculturalassessmentsthatCHARLIEperformsaspartofitsduediligence,shewasabletoinstituteanSCDS-basedprogramtocollectsecurityculturedataonanypotentialacquisition.ThefirstcompanyagainstwhomtheassessmentwasperformedwasEZCompany,asmallsoftwarestartupwithaninnovativeonlineworkflowandcollaborationproduct.SampleSCDSresultscomparingthecompaniesareshowninFigure6-3.

Figure6-3SampleSCDSscoresforCHARLIESystems,Inc.,andEZCompany

Asyoucansee,majorculturaldifferencesexistbetweenCHARLIEandEZ.Theformerisalarge,establishedcompanythathasbeenaroundformorethan15years.Thelatterisastartupoftwodozenpeoplethatwasfounded18monthsbeforetheacquisition.Althoughithasreceivedsomeventurefunding,EZhasalwaysbeenaclose-knit,highlymotivatedgroup,mostofwhomhaveknowneachothersincecollege.“Kickass,takenames,havefun”isthecompany’sinformalmotto.

Lookingatthescores,theCISOisconcernedabouttheculturaldifferences.StructureandstabilityarenotkeyvaluesatEZ.Quitetheopposite,infact.Manyoftheemployeeswearmultiplehats,jumpinginandoutofeachother’srolesasthesituationdemands.Asaresult,decisionauthorityhasbeenwidelydecentralized,andEZemployeeshavealotoffaiththateveryonewilldotherightthingforthecompany…andtherightthingisbuildingandsellingverycoolsoftwarethatpeopleenjoyusing.

FortheCISOandtheexecutiveteamatCHARLIESystems,whatisconsideredthe“rightthing”ismorenuanced.Beingpubliclytraded,CHARLIEhasshareholderandregulatoryobligations,includingSOXcompliance.ThecompanyisPCIDSScertifiedandmustcomplywithabroadrangeofprivacyregulationsgiventhebusinessitdoesinEurope.EZCompanyhasalmostnoexperiencewithauditorsorcompliance,andtheSCDSscoresreinforcesomeconcernstheCISOhasaboutthewayEZmanagesitsownsoftwaredevelopmentandITprocesses.ShewonderswhetherEZ’sdevelopersaregoingtofiteasilyintothemoreformal,centralizeddevelopmentprocessatCHARLIE,whichhasmultiplecontrolsinplacearoundsecuresoftwareengineering.

TheSCDSscoresandthecompetingvaluesandsecurityculturesthatexistbetweenCHARLIESystemsandEZCompanyarenotnecessarilyshow-stoppersfortheacquisition.ButtheSCDSresultsdoallowCHARLIE’sexecutivestoweighveryreal,butmuchlessvisible,risksandcostsofthedeal.WouldCHARLIEstillthinkthedealwasgoodif80–90percentofEZ’sdevelopersweretoquitafterfindingtheirnewenvironmenttoorestrictive?AndwhatistheriskthatEZ’sprioritizingofcoolfeaturesoversecurityandprivacyimplicationscouldleadtoasecurityincidentintheproduct,thecompany,orforacustomerdowntheroad?

DOG:ComparingExistingtoDesiredSecurity

CultureTheDepartmentofGovernance(DOG)isastateagencyresponsibleforoverseeingaspectsofbusinessoperationsatotherstateagencies,particularlyconcerningcontractsmanagement,public-privatepartnerships,andlegalandethicalissues.Likemanystateagencies,theDOGisbureaucratic,centralized,andriskaverse.Inanefforttoimprovecommunicationandefficiency,aswellastoattractbetteremployeecandidatestotheagency,theCIOproposedimplementinganITtransformationproject,includingsuchinnovationsasbringyourowndevice(BYOD)ande-governmentinitiatives.Tohisfrustration,theCIOdiscoveredthiswaseasiersaidthandone,asaminorrebellion,ledinpartbyhisowninformationsecuritymanager,attemptedtoblocktheinitiativeonthegroundsofunacceptablesecurityrisks.“Noonewillbeconnectingdeviceswedon’tcontroltothisnetworkwhileI’mhere,”thesecuritymanagerstatedpointedlyduringoneoftheCIO’sstaffmeetings.Notlongafterward,theCIOandtheInfoSecmanagermutuallyagreedthattheInfoSecmanager’stransfertoanotheragencywasineveryone’sbestinterests.

TheCIOrecruitedanewinformationsecuritymanagerfromalocaluniversity.Thenewmanagerwasyoungerandmoresupportiveofaflexiblesecurityenvironmentthatbalancedsecurityriskswithbusinessopportunities.Acornerstoneoftheeffort,theCIOandsecuritymanageragreed,wouldbeatwo-yearculturaltransformationinitiative.AnSCDSassessmentwasconductedtobaselinetheexistingculturalvaluesheldbythesecurityteamandtoarticulatewheretheorganizationneededtobeintermsofsecurityculturetomaketheCIO’sdesiredinitiatives,includingtheBYODrollout,morelikelytobesuccessful.AsampleofthesecurrentanddesiredscoresareshowninFigure6-4.

Figure6-4SampleofcurrentanddesiredSCDSscoresforDepartmentofGovernance

TheCIOandsecuritymanagerbothpromotedthecaseforamorebalancedsetofsecurityvalues.Neitherhadanyillusionsaboutthebureaucraticandstructuredenvironmentinwhichtheyworked,andtheydidnotwanttoturnitintoastartupculture.ButmanyDOGstaffmembershadexpressedadesireforaBYODprogram.Thegoalwastograduallychangethewaythatemployees,andparticularlythoseinbothinformationtechnologyandInfoSec,lookedattheirworld.Insteadofthinkingaboutriskinawaythatmadesomeinthedepartmentafraidtoembracechange,theDOGculturehadtostartatleastbalancingthatapprehensionwithahealthyconcernfortheriskofnotchangingatall.

OnekeyareaofchangewouldbetomovefromasecurityculturethatvaluesnotgivinganyonetheabilitytomaketheirowndecisionstoastrongerAutonomyCulture.ButlooseningthecontroloverindividualsintermsoftheirITusewouldrequiregivingthemtheskillsnecessarytomakebetterdecisionsontheirown.Forthisreason,aboostingoftheTrustCulturewouldbenecessaryaswell,whichwouldmeaninvolvementandawarenessprogramstohelpeveryonebecometheirownquasi-securitymanagers.

Bythesametoken,structureandstabilitywouldcontinuetobeacorevalueforDOG.ButtheorganizationwouldnolongerbesoheavilyweightedtowardaProcessCulture.ExploringtheSCDSresultsanddevelopingthedesiredculturerevealedthatpoliciesandstandardswereoftenusedsimplytoenforcethestatusquo,ratherthantoenableperformance.TheCIOwantedtokeepthebureaucracythatworked,adapttothebureaucracythatwouldprovetoberequirednomatterwhathedid,andstripawaythebureaucracythatwasstiflinghisorganizationandslowingitdown.

ThesecuritycultureandvaluesworkthattheCIOandnewInfoSecmanagerperformedwasnotaneasyfixthatautomagicallytransformedtheculture.ButbymeasuringthecurrentstateandsettingdefinedgoalsforafuturestateofITandinformationsecurityvaluesandculture,theywereabletoarticulateastrategyandaplantoDOGleadershipthatalignedwiththegoalsofmakinggovernmentworkmoreefficiently,moretransparently,andinawaythatwouldcontinuetoattractthebestcandidatestopublicserviceinthestate.

T

CHAPTER7

CreatingCultureMapswiththeSecurityCultureDiagnosticSurvey

heSecurityCultureDiagnosticSurvey(SCDS)describedinChapter6enablesanorganizationtodefineandmeasureitsinformationsecurityculturebyhavingrespondentsassignscorestospecificvalues,assumptions,andnormsthatalignwiththefourgeneralsecurityculturetypesoftheCompetingSecurityCulturesFramework.TheinherentlyvisualnatureoftheCSCF,withitsquadrantsandcompetingvalueaxes,alsoenablesandencouragesusersoftheSCDStovisualizetheinsightsthattheSCDSscoresprovide.TheresultinggraphicalrepresentationmakestheinsightsregardingculturalconflictsandinterrelationshipsgeneratedbytheSCDSmoreintuitiveandpowerfulandprovidesagreatvisualtoolforexploringandtransformingtheorganization’sinformationsecurityculture.

ThischapterwilldescribehowtouseSCDSresultstocreatevisual“maps”ofInfoSecculture,aswellashowtointerpretthosemapsoncetheyarebuilt.ExpandinguponseveralofthecasestudiesfromChapter6,IwilldescribehoweachorganizationincorporatesCSCFvisualizationsintotheirSCDSanalyses.MappingsecuritycultureagainsttheCSCFisanimportantcomponentofanyefforttofacilitateculturechangeandpromotepeople-centricsecuritywithinanorganization.

MappingandVisualizationTools

Iamnotavisualizationguru,nordoyouhavetobetotakeadvantageoftheCSCFandthesecurityculturemapsyoucanproduceusingtheSCDS.Allculturemapscreatedinthischapterweredoneusingstandardofficeproductivitysoftware,specificallyspreadsheetandpresentationprograms.Youprobablyalreadyhaveaccesstostandardofficeproductivitysoftware,butifyouneedtools,youhavealotofchoices,includingopensourcesoftwarefromApacheOpenOffice(aswellasLibreOfficeandNeoOffice)andcommercialsoftwarefromAppleandMicrosoft.Ofcourse,forthosereadersskilledinthevisualarts,Ihavenodoubtyoucanimproveuponmyhumbleexamples.

SecurityCultureMapsIrefertothevisualizationsofculturecreatedusingtheSCDSasmapsintentionally.Mapsaremetaphors.Conventionalmapshelpustonavigatephysicalgeographyinthe“real”world,suchaswhenwesearchfordirectionstoarecommendedrestaurantorplanatripacrossthecountry.Othermapsenableustonavigateconceptualgeographies,suchasamindmaptohelpusnavigateourownideas,oratopicmaptoformallyexplorethelinkagesbetweenbodiesorinstancesofknowledge.Likeallmetaphors,mapsareaboutdescribingonethingintermsofsomethingelse.Themapisnotthereality,butitcanhelpusunderstandthatrealitybetter,aslongaswekeepinmindtheassumptionsandlimitationsthatgointoit.ThedotonamapoftheUnitedStatesthathas“Austin”writtennexttoitis,ofcourse,notthecityIlivein.IthasabsolutelynosimilaritytotheactualcityofAustinotherthanthesuspensionofdisbeliefthateveryoneusingthemapagreestopracticeinordertogetsomethingusefuloutofthesharedexperience.

Theconceptofaculturemapisaboutmorethanjustasharedvisualmetaphorthatdescribesyourorganization’ssecurityculture.Thepurposeofaculturemapisnotonlytomeasureorvisualizesecurityculture,butalsotochangeit.Mapsimplyajourneyandadestination,startinginoneplaceandendinginanother.Mapshelpyouorientyourselfandfindthebestroutetowhereyouwanttogo.Transformingcultureandmakingyourwaytoamorepeople-centricsecurityinfrastructureisajourney.Itwilltaketimeandeffort,anditcannotbeachievedbyputtingavendor’sproductintoyourdatacenteranymorethanyoucaninstantlyteleportfromNewYorktoSanFrancisco.Buttogetfromheretothere,you’regoingtoneedaguide,acompass,andamap.

MappingSecurityCultureUsingtheCSCFTheCSCFisthestartingpointformappingyourorganization’suniquesecurityculturebecauseitvisuallyrepresentsageneralculturallandscapeforInfoSec.Unlikeastreetatlasorageographicalmap,though,youdon’tpointtooneplaceontheCSCFandsay“hereweare.”CultureintheCSCFisdeterminedbytherelativestrengthofeachofthefourculturaltypeswithinyourorganization.TheclosestphysicalanalogyisabitlikestandinginFourCorners,thespotintheUnitedStateswhereNewMexico,Colorado,Utah,andArizonameet.Dependingonhowyoulean,theremaybemoreofyouinonestatethaninanother.WiththeCSCFyourorganization’svaluesandassumptionsdothe“leaning,”andyourcultureiswhereyouendup,drivingthedecisionsandbehaviorsyoucanexpectfrompeople.IfyouareaCISOandyouareleaningheavilyinonedirectionwhileothersintheorganizationarebentoverbackwardstheoppositeway,youmayfindyourselfinadifferentstateofmind,ifnotactualgeography.Thatcanbeaproblembecausesecurityrisksareoftencreatedinthespacebetweenculturalpriorities.ButyoumaynotevennoticethateveryonethinksdifferentlyaboutInfoSecuntilyoucanlocatedifferentpeople,andthedirectiontheyareleaning,ontheculturemap.

Figure7-1showsanarrativerepresentationoftheCSCF,usingtheideaof“Youarehere”thatyouseeonmapslocatedeverywherefrommallstonationalparks.Justlikeamapthattellsyouwhatreferencepointstolookaroundfortotriangulateyourownlocation,theCSCFgivesyoubehavioralreferencepointsthatcanindicatewhereyourorganizationislocatedintermsofcontrol(tighterorlooser)andperspective(inwardoroutwardfocus).

Figure7-1NarrativeculturalreferencepointsintheCSCF

WhiletheCSCFcanfunctionasamaptoorientyourselfgenerallyintermsofyoursecurityculture,itlacksthespecificityoftheSCDSasameasurementinstrument.If,however,youusetheSCDSresultstoprovidecoordinatesonthat

map,youcanliterallydrawabetterpictureofyourInfoSecculture,onethatgivesmoreinsightintoimprovingpeople-centricsecurity.CulturemapsthatcombinetheCSCFandSCDSresultsaccomplishjustthisgoal.

CompositionofaSCDS-basedCultureMapSecurityculturemapsarecreatedbysuperimposinganorganization’sSCDSresponsesontheCSCFvisualmodel.TheexamplesecurityculturemapspresentedinthischapterarebasedonthecasestudiesfromChapter6.RecallthattheSCDSgivesusascoringsystembywhichwecanassociatedifferentresponsesaboutthetenorganizationalcharacteristicsandactivitieswithculturaltypesintheCSCF.Usingthesescores,wecanjudgetherelativestrengthofaProcessCulture,forexample,againstanAutonomyCulture,ComplianceCulture,orTrustCulture.BygraphingthesescoresinthecontextoftheCSCF,wecanmakethosecomparisonsmoreintuitiveandvisualtohelpsecurityteamsbetterarticulateculturalrisksandhelpconsumersofSCDSfindingsabsorbtheresults.

SuperimposingSCDSResponsesontheCSCFVisualModelWhiletherearemanydifferentdatavisualizationtechniques,Ipreferthreebasictypesformysecurityculturemaps,butdataaredataandyoushouldfeelfreetoexperimentwithwhateverworksbestinyourorganization.EachofthepreferredmethodsIusehasitsstrengthsandweaknesses,whichIwilldescribeaswemovethroughthefollowingexamples.AllofthemapsarecreatedfromthesameorganizationsandresultsthatIprofiledinChapter6.

Thefirstexampleofasecurityculturemapisthemostcomplicated,imposingspecificSCDSscoresasabarchartontothegeneralvisualmodeloftheCSCF.Figure7-2showsamapforthegeneralcultureofABLEManufacturingCorporation,asdefinedbytheaverageofallSCDSscores.ResponsestoeachofthetenquestionsareindexedtoalignwithspecificCSCFquadrants.“A”responsesindicatecharacteristicsofaProcessCulture,“B”responsesalignwithaComplianceCulture,“C”responsesimplyanAutonomyCulture,and“D”responsescorrespondtoaTrustCulture.Bydividingandaveragingthefourresponsecategories,wecanderiveanoverallscorefortheorganization’sculturalvaluesandtherelativestrengthofeachculturaltypeintheCSCF.

Figure7-2GeneralcultureofABLEManufacturingbySCDSscores

LookingattheculturemapinFigure7-2,youcanimmediatelynoticesomebigdifferencesacrossculturalvaluesinsideofABLEManufacturing.Themapistop-heavy,indicatingthattightercontrolisanimportantorganizationalvalue.Similarly,themapisheavilyweightedinthetwoleftquadrants,whichimpliesmoreofafocusinternallythanexternally.ButtheanchorpointforbothoftheseobservationsisthedominanceoftheProcessCulturequadrant.AddingactualSCDSscoreaveragestothemaphelpsareaderunderstandthattheProcess

Culturescores,onaverage,arenearlytwicethatofthenextnearestculturaltype.ABLEManufacturingisobviously,accordingtoitsSCDSscores,an

organizationthatvaluesstability,centralizedcontrol,andstandardwaysofgettingthingsdone.Thegeneralscoresdonotdifferentiatebetweenhowsecurityteamsseethingsversushowtherestoftheorganizationmaylookattheworld.ItsimplyrepresentstheoverallcultureasdeterminedbytheaverageresultsoftheSCDS.

Supposewewantedtodrillalittlemoredeeplyandseejusthowthoseaverageswereattained.WecouldexpandtheculturemapasshowninFigure7-3,whichprovidesarepresentativeexampleofalltheresponsestotheSCDSquestions.

Figure7-3TotalSCDSresponsesforABLEManufacturing

Breakingoutthescoresbyindividualresponsesmakestheresultsmoreinteresting,andthevarianceshowsthatnosingleCSCFquadrantisasmonolithicasitmightappearjudgingonlybyaverages.Instead,eachquadranthasatleastonescorethatisatoddswiththeoverallresult.Processmaybethestrongestculturaltypewithintheorganization,butatleastonescoreislessthanhalfoftheaverage,implyingthatnoteverybusinessactivityprioritizescentralized,stableoperationsasaculturalvalue.Conversely,eventhelower-

scoringquadrantsdemonstratevaluesthatareatoddswiththedominanttrend.Mostoftheorganization’svaluescoresdonotreflectaculturethatvaluesnonconformityandflexibility.Butinatleastonecase,themanagementoftechnology,theorganizationisequallybalancedbetweenaProcessCultureandanAutonomyCulture.ThinkabouttheimpactonsecurityofanorganizationthatcentralizeseverythingexcepttheabilitytocontrolcorporateITsystems,whichisdecidedbyindividualdivisionsorgeographiclocations.Thecompetingvaluesbetweenthosetwoculturescouldeasilycreateheadachesandrisksforanysecurityteam.

OtherTechniquesforMappingSecurityCultureUsingbarchartsineachofthefourquadrantsisnottheonlywaythatwecanvisualizeSCDSresults.AmoretraditionalbarchartcanquicklyshowusthescoresasalistratherthananoverlayoftheCSCF.AnexampleofthissimplifiedculturemapisshowninFigure7-4.ThesimplifiedchartmakesiteasytocompareSCDSscoresdirectly,butitlosesthevisualconnectiontotheCSCF.Ioftenfinditusefultocombinethetwomaps,usingthesimplifiedchartasalegendtoquicklycomparescoreswhileshowingthequadrant-basedmaptovisualizerelativestrengthswithintheculturaltypes.

Figure7-4BasicbarchartforABLEManufacturingSCDSscores

OnemorevisualizationtechniquethatIfindusefulforculturemapsispulleddirectlyfromthetechniquesthatCameronandQuinnusetovisualizeculture.TheirOrganizationalCultureAssessmentInstrumentproducesgeneralorganizationalculturescoresthatarethenmappedintoaradarchart.WecanmapSCDSscoresinthesameway,asshowninFigure7-5.

Figure7-5ABLEManufacturinggeneralcultureusingradarchart

Theradarchartmaphastheadvantageofgivingthecultureadefiniteshape,onethatisvisuallyintuitiveandrecognizable.Theradarchartslooklikewhatwewouldexpectfromamap,assigningculturalscoresinawaythatimpliesterritorywithintheCSCFmodel.Butradarchartshavealsobeensubjecttocritiqueoverrecentyears.Somegraphingprogramsandonlineservicesdonot

evenofferthemanymoreasavisualizationoption.Thecritiquesvary,butmainlyrevolvearoundtheideathat,whilearadarchartcancreateapowerfulvisualfirstimpression,itactuallytendstomakeanalysisofresultsmoredifficult.Peopletendtobemoreadeptatstraight-linecomparisons,liketheoneinthebasicbarchartexampleinFigure7-4.Inaradarchartyoureyehastotravelaroundthechart,mappingeachdatapointtotheonebeforeitinawaythatcanbemoredifficultthanwhenthosescoresareplacedsidebyside.

AnotherdifficultyIhavewiththeradarchartisthatitcantakethemapmetaphorabitfurtherthanIlike.ThemapofABLE’sgeneralcultureinFigure7-2isquiteclearlyasetofsurveyscores,mappedtothedifferentquadrantsoftheCSCF.Youneverlosetouchcompletelywiththeunderlyingdata.Witharadarchart,thetemptationistoseea“shape”thattheculturetakes,insteadofasetofanswerstospecificSCDSquestions.Divorcedfromanassociationwithasurvey,aradar-basedculturemapcantrytoforce-feedtoomuchcomplexityintoasimplistictwo-dimensionalimage.Anorganizationmaydecide“welooklikeadiamond,whenweneedtobeasquare”insteadofthinkingaboutwhyparticularSCDSscores,andthevaluestheyreflect,arehigherorlowerthanothersandwhatthatmaymeanforsecurity.

Butforallthecritique,itisoftentheradarchartculturemapsthatIfindelicitthestrongestresponse,thatah-ha!momentwhereanexecutiveorastakeholdergetsit.Asacommunicationtooltheycanbeveryusefulinpointingoutandcommunicatingtheessenceofcompetingvalues.InFigure7-4,it’shardnottonoticethatthecultureskewssharplytowardProcess,withthevaluesoftheotherthreeculturaltypeshavingmuchlessinfluenceovertheenterprise.Amorespecificorpreciseculturemapthatfailstomakeasmuchofanintuitiveimpressionmayendupfailinginitscentralpurpose,whichistoshowwheretheorganizationis(Youarehere!)andgiveitabetterideaofwhereitmightwanttobe.

“WhenShouldIUseEachTypeofMap?”Thereisnoonerightwaytopresenttheresultsofaculturalmeasurementexercise.Thebestwaytodoitisthewaythatworksthebesttostimulatethoughtandaction.Whatismostimportantistorealizethekeystrengthsandweaknessesofeachtechniqueandtopicktherighttoolfortherightjob.IfyouaretheSecurityAwarenessManagerandyou’vegotfiveminutesoutofatwo-hourmeetingtogetseniormanagement’sattention,youmightverywelldecidethataradar-basedculturemapisthewaytogo.IfyouaretheCISOtaskedwithtransformingsecurityculture,theideathatyou’regoingtomakeyourculture

“moresymmetrical”isprobablylessusefulthanfiguringouthowtoinfluencespecificSCDSresponsesbychangingvalueswithintheorganization.

Giventheintroductorynatureofthisbook,Iwillrelyheavilyonradarchartsthroughoutthischapterandothers.Theyaretheeasiestwaytoquicklyconveyacultural“shape”thatgetsthepointacross.Butwhenitcomestimetooperationalizecultureintomeasurableactivities,itwillalwaysbenecessarytofallbackonSCDSscores.The“shape”ofyourcultureonlychangeswhenpeoplegivedifferentresponsestotheSCDS,reflectingdifferentopinionsabouttheorganization.Theonlywaytoaccomplishthatistotransformthevaluesthatpeopleholdabouthowyourorganizationshouldmanageitself,itsbehaviors,anditsInfoSecstrategiesandactivities.

Datavisualizationisascienceandanartuntoitself,andyoushouldalwayskeepinmindthatthespecifictechniquesIpresentinthisbookorthatotherresearchersorpractitionershavedevelopedarejustafewoftheoptionsavailabletoyou.Youmaydevelopacompletelynovel(andmaybeevenstrange)wayofmappingsecurityandorganizationalcultureusingtheSCDSdata,andIencouragethatifitworkswithinyouruniquecontextandenvironment.Howanorganizationvisualizestheexistingculturecanitselfbedependentonthatveryculture.Feelfreetoexperiment,andletmeknowifyoucomeupwithsomethingespeciallygood!

MappingSpecificValuesandActivitiesAlltheprecedingexampleshavefocusedonthegeneralinformationsecuritycultureofABLEManufacturing,asdefinedbytheaggregatescoresresultingfromacompany-wideSCDSassessment.ButwegotahintinFigure7-3thatwehaveuncoveredsomeinterestingpatternsanddiscrepanciesintheresults.Anorganization’sculture,includingitssecurityculture,istheproductofmanydifferentvaluesandactivities.ThesearereflectedinthetenquestionsoftheSCDS.Howanorganizationviewsinformationandhowthatsameorganizationviewsrisk,tousetwoexamples,areprobablyseparatesetsofvaluesandassumptionsaboutwhatisimportant.Bothcontributetotheoverallorganizationalculture,andbothdriveactivitiesanddecisionsthatimpactsecurity.Buttheyoftenfunctionasconceptualsilos,exceptinthemindsofpeoplewholike,orarepaid,tothinkabouttheintersectionbetweeninformationuseandbusinessrisk.

Itcanbeveryusefultovisualizenotjustgeneralculture,butspecificculturalvalues.Thesevaluescanthenbecompareddirectly.Buildingaculturemap

aroundspecificSCDSresultsisnomoredifficultthanbuildingoneforgeneralculture.Figure7-6showsallthreemapsfortheaveragescoreresultingfromresponsestoSCDSQuestion3,“Whatdoessecuritymean?”

Figure7-6CulturemapsforsingleABLEManufacturingSCDSresponsescore(“Whatdoessecuritymean?”)

Mappingsingleresponsesisusefulwhenanalyzingandinterpretingspecifictraitsinthecontextoftheoverallculture.Itcanhelpidentifycompetingvaluesthatmayleadtorisk.Itisalsousefulinfine-tuningaculturaltransformationprogrambyallowingtheorganizationmoreprecisionintermsofidentifyingbehaviors,norms,andassumptionstotarget,andthemeasurementoftheresultingchanges.

InterpretingandComparingCulturePeoplewhomakeorusemapsandvisualizationshaveconcernsthatmaybeaesthetic(uglymapsarelessuseful)aswellasfunctional(lessusefulmapsarelessuseful).Youcreateamaptohelpyouaccomplishsomething,togetsomewhereyouwanttogo.Creatingthemapisthefirststepofthisprocess.Readingit,interpretingit,andusingittofigureoutwhereyouare,whereothersmightbe,ortoplotacoursefromheretotherecomesnext.Culturemapsservetheseorientationandnavigationalpurposes,too.OnceyouhavevisualizedtheSCDSdatatographicallyrepresentyourorganization’sculturalattributesandvalues,it’stimetoputthosevisualizationstouseinimprovingandtransformingyoursecurityculture.

InterpretingSCDSResultsLookingattheculturemapinFigure7-2,weseethegeneralcultureasdefinedbyABLEManufacturing’sSCDSresponses.Whatdothescoresandtheirassociatedvisualizationstellus?HowdoweusethemapstocraftastoryaboutABLE’sculturalvaluesandtodecidewhat,ifanything,needstobedonetochangethem?

DominantCulture:TheWayThingsGetDoneABLEManufacturingcaresalotaboutstabilityandstandards.ThatmuchisobviousfromtheSCDSscores,whichconsistentlyrateorganizationalbehaviorsassociatedwithaProcessCulturemorehighlythananyotherculturalattributes.ABLEdoes,ofcourse,exhibitotherculturaltraits.Compliance-relatedbehaviorsareimportant,asarebehaviorsandvaluesassociatedwithcommunityandfosteringapeople-friendlyworkplace.ABLEevenexhibitsabitofanAutonomyCulture,insomecasesallowingfreedomandindependenceratherthanrequiringadherencetostrictrules.Butifwewereaskedwhatisthe

dominantculturewithinABLE,theanswerwouldhavetobeProcess.AProcessCulturemakessenseforABLE,aprivatemanufacturingcompany,

whereconsistencyofproductionandstandardlevelsofproductqualityarehighlyvaluedbythebusiness.ABLEmanufacturesarelativelyfewnumberofthingsandbelievesthatitdoessoverywell.TheownershipstructureofABLEkeepsthehierarchyandorganizationalchartstableovertime,withclearlinesofpowerbackuptothefamilymembersatseniorlevelsofmanagementandtheboard.

Whenperformingaculturaldiagnosticexercise,identifyingoneormoredominantculturesisagoodfirststep.Thedominantculturetendstodrivebehavior,todefinetheorganization’scorebeliefs,andtoprovideananchorpointagainstwhichdivergencefromthatculturecanbecompared.Iforganizationalculturecanbedefinedas“thewaywedothingsaroundhere,”thenthedominantculturerepresentsthemostlikelywaythatthingswillgetdone.Therewillalwaysbeexceptions,butthemoredominantaparticularculturaltypeiswithintheorganization,themoreglaringarethedeviationsfromitwhentheydooccur.Wehaveexploredinpreviouschaptershoworganizationalculturebecomesinvisible,functioningbelowthesurfaceofourobservablebehaviors.Whenthingsseemtobegoingright,wheneverythingismovingsmoothlyandasexpectedaroundus,weseldomthinktoask“whydidyoudothat?”Decisionsseemnatural,inaccordancewithourassumptionsabouthowtheworldworks.It’sonlywhensomethingorsomeonechallengesthoseassumptionsthatwefindourselvesconsciousofthem.

CulturalConflict:“YouCan’tDoThatHere…”ConsiderthecaseinwhichanewmarketingmanagerishiredintoABLE,taskedwithupdatingthecompanybrandandmakingABLE’sproductsmoreattractivetoyoungerconsumers.Arrivingherfirstweektogothroughcompanyorientation,themanagerissurprisedtofindthatshewillbeissuedacorporatestandardlaptopcomputerrunningMicrosoftWindows.

“ButI’manAppleuser,”thenewmanagersays.“I’dliketohaveaMacasmyworkcomputer.”

“Sorry,”theITrepresentativetaskedwithgettinghersetupreplies,“westandardizeonMicrosoftproducts.Youcan’thaveaMac.”

“Well,I’llneedtousemypersonalMacforsomeworkthings,”themanagerreplies.“HowcanIgetitconnectedtothecorporatenetwork?”

“Youcan’t,”theITtechnicianrepeats,abithorrified.“Thatwouldbeanenormoussecurityviolation.”

“Well,Ineedanexception,”themanagersays,nowannoyed.“Ican’tdomyjobusingonlyaWindowsmachine.”

“Youbetterfigureouthow,”thetechtellsher,sortofamazedathowarrogantthisnewemployeeisprovingtobe.“Youcan’tjustconnectanythingyouwanttoournetworkbecauseyoudecideyouneedit.”

ABLE’stechnicianandnewlyhiredmanagerhavebothjustbeengivenalessoninculturalconflict,onethatwasdisconcertingtobothofthem.ThedifferencesbetweentheirassumptionsandvaluesmayevenresultinnegativeimpactsonABLE.IfthemarketingmanagerisnotjustexaggeratingandreallydoesneedtouseaMactobefullyproductive,thenthecompanywillsufferwhensheisnotabletodothejobABLEhiredhertodobecauseofabureaucraticrequirement.Shemayevendecidetoquitaltogether,ormaybetemptedtouseherpersonaltechnologydevicesinviolationofthecompanysecuritypolicy.ABLE’sprocessesmayactuallygetinthewayofthecompany’sabilitytoexecuteonitsowngoalsandobjectives.

Thissortofconflicthappenseverydayinorganizationsaroundtheworld.Peoplerealizetheworlddoesn’tquiteworkthewaytheyassumeditdoesandaresurprisedwhenbehaviorstheyconsiderstrangeandbizarreprovetoberoutineandnormaltoothers.Theexperiencecanbeawkwardanduncomfortable,butshakingourselvesoutofourowncomplacencyisoftentheonlywaytogrowandimprove,bothindividuallyandasorganizations.UsingculturalmeasurementandevaluationtoolsliketheCSCFandtheSCDScanhelpshineaspotlightonthesedifferencesinamethodologicalandcontrolledway,givingtheorganizationbettervisibilityintoitsownnature.

CulturalIntensityCulturalintensityisthedegreetowhichaparticularculturaltypeoperateswithintheorganization.Whenoneculturaltypeissignificantlymoreintensethantheothers,asinthecaseofProcessCultureinABLEManufacturing,thatcultureisdominant.ButnoteveryorganizationhasadominantcultureasintenseasProcessisatABLE.ThecasestudyofCHARLIESystems,Inc.,fromChapter6isanexample.LookingattheradarchartinFigure7-7,CHARLIE’sorganizationalcultureislessweightedinanyparticularquadrant,withnosingleaveragescoremorethantwicetheintensityofanyothers.

Figure7-7GeneralcultureforCHARLIESystems,Inc.

Culturalintensityprovidescluesastohowtheorganizationwillbehaveineverydayoperations,aswellaswhenfacingparticularsituationsorevents.ThestrengthoffeelingthatgoesintoindividualSCDSresponsescanbeaproxyfortheintensityoftheunderlyingvaluesthatwilldrivepeople’sdecisionsandinfluencehowtheymakechoices.Whereaculturaltypeismoreintense,youcanexpecttoseetheorganizationadoptingstrategiesthatprioritizethosesharedvaluesandassumptions.InABLEManufacturing,onewouldexpecttoseepeoplefallingbackonpoliciesandprocesseswhenmakingdecisions,askingthemselves,“WhatdotherulessayIshoulddo?”Whendecisionstobendorbreaktherulesaremade,theyarelikelytobeseenasexceptionalbehaviors,maybeevendefinedthroughformalexceptionprocessesandprocedures.

InCHARLIESystems,wewouldexpecttoseemoreinfluencesonbehaviorthanjusttheprocessesinplacewithinthecompany.ForCHARLIE,ComplianceisaculturaltraitnearlyasstrongasProcess.RecallthatCHARLIEisapubliclytradedtechcompanythatmustalsoundergoregularPCIDSSaudits.Thismeans

thatCHARLIEmustlookoutwardasmuchasitlooksinward.Policiesandprocessesareimportanttothecompany,particularlyinthattheysupportauditsandcomplianceefforts.Butcompanystandardsdonotdriveexternalverification.Quitetheopposite.Ifexternalauditrequirementschange—forinstance,anewlawrequiresadditionalregulatoryoversightoverpubliclytradedcompaniesorPCIDSSisupdated—CHARLIE’sinternalpolicieswillfollowsuit,evenifitmeanschangestointernalbehaviorsthataffecttheexistingbureaucracy.

CulturalAnomaliesandDisconnectsMappingalsoallowsustoquicklyexploreculturaldifferencesthatmayneedtobeharmonizedtoimprovepeople-centricsecurity.TheengineoftheCompetingSecurityCulturesFrameworkistheideathatconflictingorganizationalvaluestendtoproducesecurityandperformancerisks.Onlybyidentifyinganddeconflictingthesecompetitivevalueswillweeliminatethoserisks.Culturemapscanhelppinpointsuchdiscordantculturaltraitsinawaythatiseasilyunderstoodbythestakeholderswhowillberesponsibleformakingculturaltransformationhappen.

LookingatanotherexamplefromABLEManufacturing,Figure7-8showstheculturemapsforthreedifferentorganizationalactivities:managementofoperations,controlofinformation,andthewaythatsecurityisunderstoodwithinthecompany.

Figure7-8CompetingculturesinsideABLEManufacturing

Lookingatthethreeactivities,wecanseethateachismoreorlessdominatedbyadifferentculturaltypewithintheorganization.Operationsaremanagedaccordingtothehighlyprocess-orientedculturethatisinherenttoABLE.Information,however,iscontrolledmostintenselyusingvaluesandassumptionsthatareassociatedwithaTrustCulture,whereuserempowerment,collaborativesharing,andtransparencyarethekeypriorities.Insuchanenvironment,wewouldexpecttoseebehaviorsregardinginformationtobegovernedlessbyformalrulesandstandardsandmorebynotionsthatinformationisaresourceto

besharedamongpeoplewhorelyononeanothertodotherightthingwithit.Soimmediately,wehavetwosetsofvaluesthatcouldcreateopportunitiesforcompetitionandconflict.

Comparethecontrolofinformationandthemanagementofoperationswiththemeaningofsecurityinsidethecompany.ABLEthinksaboutinformationsecurityprimarilyintermsofaComplianceCulture,eventhoughComplianceisnotacoreculturaltraitgenerallywithinthecompany.Oninspection,thisisnotassurprisingasitmayfirstseem.ABLE’sintroductiontoITandinformationsecuritycameprimarilythroughPCIDSSrequirements,andmeetingthoseauditrequirementshasbeenpartofthesecurityteam’sDNAsinceinception.Inmanyways,ABLEassociatessecuritywithauditandPCIDSS,bothwithinthesecurityteamandoutsideofit.AslongasPCIDSScertificationismaintained,thecompanyfeelssuccessfulandsecure.

Nowconsidertheramificationsofanorganizationwheremanagingoperations,controllinginformation,andinformationsecurityallmeandifferentthingstodifferentpeople,someofwhommaynotconsiderthosefunctionsdirectlyrelated.Dependingonyourownorganization,thisscenariomaynotbedifficulttoenvision.Wetendtotreatdifferentthingsdifferently,andittakesanefforttodeliberatelylinkthem.ABLEManufacturingcertainlythinksaboutinformationmanagementinthecontextofPCIDSS.However,managinginformationisnotthesamethingasmanagingPCIDSScertification.Differentassumptionsandvaluesgovernbothactivities.Itisthroughthesedifferencesthatriskcandevelop.

Thinkoftheexampleofinformationclassification.PCIDSSrequiresabasiclevelofdataclassification,meaningABLEmustatleastbeabletoidentifycardholderdata.Butevenassumingthatcardholderdataisidentifiedandprotected,howcanABLEbesurethatothertypesofdataareprotected?Howcanthecompanyknowforsurethat,incertainsituations,ComplianceCulturevaluesaroundprotectinginformationwillnotbesupersededbyTrustCulturevalues?Theshortansweris,itcan’t.TherewillalwaysbescenarioswherethevalueofTrustgoesheadtoheadagainstthevalueofCompliance,andgiventhatbothculturesarealmostidenticalinintensity,it’shardtosaywhichwillwinout.Butwecanpredictthatifcardholderdataiscompromisedsomehow,thatitisquitelikelythepersonresponsiblewillbelievethattheyhadmadetherightdecisionatthetime,giventhecompany’sculture.

ComparingCultures

Beyondinterpretingtheculturemaptoidentifyhoworganizationalvaluesandbehaviorscanaffectsecurity,wecanalsouseourmapstohelpcomparecultures.ExtendingthecasestudiesdiscussedinChapter6,wewilluseculturemapstomakeourcomparisonsmorevisualandintuitive.

ComparingABLEManufacturing’sSecurityEmployeeandNonsecurityEmployeeCulturesPreviously,wecomparedtheSCDSscoresofABLE’ssecurityteamandthescoresofthecompanyasawhole.ThesescoresreflectedthatmembersofthesecurityteamviewedABLE’ssecurityculturedifferentlythantherestofthecompanyviewedit.IfwetaketheresponsestothefirstSCDSquestion,“What’svaluedmost?”andcreateaculturemapfromthescores,wegetthemapshowninFigure7-9.Thesolidlinerepresentstheresponsesfromthesecurityteam,whilethedashedlineshowsthosefromoutsidethesecurityteam.

Figure7-9“What’svaluedmost?”responsesofABLEsecurityemployeescomparedwiththoseofnonsecurityemployees

ThismapillustratesanagreementbetweensecurityandnonsecuritymembersoftheorganizationregardingtheimportanceofProcess-relatedvalues.Butitalsoshowsthatinothercases,thesecurityteamsubscribestodifferentvaluesthanemployeeselsewhereinthecompanysubscribeto.Forsecurityteammembers,Compliance-relatedvaluesareeverybitasimportantasstandardized,stablepoliciesandcentralcontrol.Fortherestoftheorganization,thesevaluesarenotprioritizedatallincomparison.Instead,ABLEemployeesoutsideofsecurityseeTrust-relatedvaluesaskeypriorities,whilethesecurityteamratesthesevaluesmuchlessintensely.

SohowcanABLEManufacturinginterprettheseresults?Knowing,aswedonow,abitmoreaboutthecompany,thescoresmakesense.ABLEgrewasacommunity,aclose-knitfirmthatvaluedpeopleasanextensionoftheowners’family.Thatfeelingisbakedintothecorporatefabric.Onlylater,inthefaceofaregulatoryrequirement,didsecuritybecomeimportant.AsemployeeswerehiredinortrainedtomanagePCIDSScompliance,securityevolvedintoaspecializedfunctionwithaspecificmission.Valueschanged,atleastinthecontextofwhatdifferentcultureswithinABLEconsideredmostimportantonadailybasis.

Knowingthesedifferencesmakesiteasiertospottrendsandformulateplansofactiontoimprovepeople-centricsecurity.Thesiloinwhichthesecurityteamfunctionsbeginstomakeabitmoresense,asdoesthefrustrationthatteamfeelswhentherestofthecompanypushesbackoninitiativesorrequirementstheteamfeelsisnecessaryforsuccessfulsecurityandcompliance.Bycomparingthesecompetingvalues,itbecomespossibletoformulateplansofactiontoincreaseawareness,promotespecificvalues,andtransformABLE’ssecurityculture.

ComparingDOG’sCurrentSecurityCulturetoItsDesiredSecurityCultureThenextexamplecomparesthecurrentcultureofanorganizationtothecultureitwantsorneedstocultivate.TheDepartmentofGovernanceprofiledinChapter6haddecidedculturaltransformationwasnecessarytoachievetheagency’slong-termstrategicgoals.TheCIOandhissecuritymanagerwantedtotransformanoverlybureaucraticandrisk-aversecultureintosomethingmorebalanced.Figure7-10translatesthisstrategyintoaculturemap.

Figure7-10DepartmentofGovernancesecurityculturetransformationstrategy

UsingculturemapstoexpressSCDSresultsvisuallycanhelpstakeholdersinaculturaltransformationefforttomoreeasilyexpressconcepts,comparisonsbetweenvaluesandcultures,andstrategiesforchangeandimprovement.Itisimportanttoalwayskeepinmindthatthesemapsaremetaphors,necessarysimplificationsthatmakeiteasiertocompareverycomplexorganizational

behaviorsandinteractions.Thepicturestheyprovidemeannothingwithoutsolidunderlyingdata,inthiscase,theresponsesandscorescollectedthroughtheSCDS.

CISOs,securityawarenessmanagers,andanymemberofanorganizationconcernedwithorresponsibleformanagingandchanginghumansecuritybehaviorsmuststrikeabalancebetweenoversimplificationandscientificrigor.Apicturecanbeworthathousandwords,butarhombusaloneisnotgoingtoenableyoutodomuchtocreatefunctional,people-centricsecurity.Thenextchapterwilldiscussmethodsforgivingyourculturalassessmentprojectsthebestchanceforsuccess.

W

CHAPTER8

ImplementingaSuccessfulSecurityCultureDiagnosticProject

e’vecoveredalotofterritoryinthispartofthebook,includingaframework(Chapter5)andasurvey(Chapter6)formeasuringanorganization’sinformationsecurityculture,andsecurityculturemapsforvisualizingandcommunicatingthesurveyresults(Chapter7).Asyou’veread,youcaninterpretthedatacollectedfromsuchmeasurementprojectsnotonlytounderstandwhereyoursecuritycultureistoday,butalsotodeterminewhereyouwantyoursecurityculturetobeinthefuture.Butonequestionstillremains:howdoesanorganizationactuallyperformasecuritycultureassessment?Thischaptertacklesthatquestion,discussinghowyoucangetsupportfordiagnosingyourorganization’ssecurityculture,howtoexecuteasecurityculturediagnosticproject,andwheretogonextwithyourresults.

GettingBuy-infortheSecurityCultureDiagnosticProjectRecalltheChapter3discussionofthecorrelationbetweenorganizationalcultureandorganizationalperformance.Theresearchevidenceisprettystrongthatanorganization’scultureimpactsitsperformance.Ifweacceptthatevidence,thenweacceptthattheperformanceofanorganization’ssecurityculture,itsrelativestrengthorweaknessincertainareas,hassomeeffectontheorganization’ssecurityperformance.MostsecurityprofessionalsIknowfindthisnotion

intuitive,eveniftheydon’tknowexactlyhowtomeasureorarticulateculture’seffectonsecurity.

DirectBenefitsofSecurityCultureImprovementWhenItalkaboutimprovingInfoSecculture,Imeanacoupleofspecificthings.First,improvingsecurityculturenecessarilyincludesincreasingtheorganization’sunderstandingof,andvisibilityinto,howitscultureworks.Youcannotimprovesomethingthatyouhavenoabilitytomeasureinthefirstplace.Nomatterwhatyourcultureistodayorhowyoudefineimprovement,makingtheculturethatexistsbelowthesurfacevisibletothoseaboveisafirstrequirement.Salescultures,ethicalcultures,eventheculturalaspectsoflanguageandsocialcommunication,canvarybetweenenterprisesandwithinthem,andsecurityisjustoneofthesemanyvariations.WhenItalkaboutincreasingculturalvisibility,Imeanlearningtomeasureandanalyzethesecurityculturetoalevelwhereyouknowenoughaboutitandhowitworkstomakechangesthatwillstick,andthatyoucandemonstratehavestuck.

Second,improvingsecurityculturemeansimprovingthewaythatinformationsecuritycompeteswithothervaluesexistinginsidetheorganization.Thatdoesn’talwaystranslateintosecuritybeingthemostimportantconsiderationineverydecision.Buttherealitytodayisthatsecurityoftenlosesoutindecisionswhenthedecisionmakersarefarremovedfromthepeoplewhoaredirectlyresponsibleforsecurity.Whenmakingdecisions,topofthemindtendstobetopofthelist,andsecuritycanfinditselfdrownedoutwhenmanydifferentstakeholdersareinvolved.Improvingsecuritycultureisaboutraisingsecurityawarenessandnotjustaboutspecificdecisionslikewhetherornottoclickalinkinafishy(phishy?)e-mail.Theendgoalofsecurityawarenessprogramsismorethanjustrotebehavior.It’sreallymindfulsecurity,astateofwhichsecurityawarenessissomuchapartoftheflowoforganizationalactivitythatpeoplethinkaboutsecurityevenwhenmakingdecisionsthattheyhavenotbeenspecificallytoldaresecurityrelated.

IncreasedSecurityandEfficiencyWhensecurityispartofeverydaydecisionmakingacrossanorganization,thengoodsecuritypracticeshaveamuchbetterchanceofpermeatingmoreoftheorganization’sactivities.Andasmoreactivitiesareperformedinasecureway,oratleastinlessinsecureways,overallsecuritywithintheorganizationwillincrease.Thisisnothingmorethanafancywayoftalkingabouthabit.Security

worksbetterwhenitisperformedashabitualbehavior,ratherthanassomethingthatrequiresforced,consciousconsideration.Andcultureis,atthecore,thesumtotalofmore-or-lesshabitualthoughtsandbehaviorsexistingwithinandamongtheorganization’smembers.Improvetheculture,improveyourhabits,andyoucannotfailtoimproveinformationsecurity.

Efficiencyisincreasedinregardtosecuritywhenculturalimprovementsremovefrictionandconflictresultingfromculturalcompetitiveness.Thinkofhowmuchtimeandefforthavebeenexpendedwithinyourorganizationwhilesecuritystakeholdersfight,negotiate,andcompromisewithotherbusinessstakeholderstobalancetheirmutualinterests.Someofthistensionistheresultoflegitimatedifferencesinopinionovertherisksandopportunitiespresentedbydifferingstrategiesandoperationalnecessities.Butalotofit,inmyexperienceovertheyears,boilsdowntocompetingculturesandthecompetingvaluesandprioritiesthattheyspawn.Wedothingsthisway,youdothingsthatway,andneverthetwainshallmeet.Culturalimprovementmeansculturaloutreach,theabilitytoexplainnotonlywhatyoudo,butwhyyoudoit.Andwhenstakeholdershavethatlevelofvisibility,thepotentialformoreevidence-basedmanagementopensuphugeopportunitiestoeliminatewaste.Eveninaworst-casescenario,wheretherearelegitimateculturalimpasses,atleasttheorganizationwillknowwhatit’sdealingwithandcanappealtoamorepowerfularbiterforresolution,savingeveryonetimeandheartburn.

ReducedRiskandCostsfromIncidentsThemostenticingpotentialoutcomeforsecuritycultureimprovement,particularlyintoday’senvironmentofhighlypublicizedsecuritybreaches,isfortransformationtoactuallypreventorreducethenumberandseverityofsecuritybreaches.CISOs,andlatelyalloftheleadership,arelookingforanysolutionsthatcanhelpthemtocurtailsecuritybreaches.Processandtechnologywillalwaysbecrucialcomponentsofanysecuritysolution,butpeopleandculturerepresentperhapsthegreatestheretoforeuntappedsourceofinformationsecurityvalueleft.Informationsecurityprofessionalshavedonesolittlehistoricallywithrespecttothepeopleaspectofsecuritythatitdoesn’ttakemuchefforttostartseeingreturns.

Thegrowingvisibilityandcloutofsecuritytrainingandawarenessprogramsisevidenceofmoreprogressiveorganizations’attemptstoleverageculturalresourcestoimprovesecurityandreducerisk.Ihavedevotedmuchinkearlierinthebooktoemphasizetheroleofsecurityawarenessprofessionalsasthe“tipofthespear”whenitcomestosecurityculturaltransformation.Butwestillhavea

longwaytogo.Qualityofsecurityawarenessprogramsvariesagreatdeal.Ihaveseenphenomenalprogramsthatactually“movetheneedle,”asLanceSpitznerlikestosay,andIhaveseenprogramsthatdolittlemorethanpayslide-basedlipservicetoawarenessasameansofmeetingacompliancerequirement.Theformerrepresenttrueimprovementstrategies.Thelatterdonot,plainandsimple;theymaycheckabox,buttheydon’tmoveanyneedles.

Organizationsthatreallywanttoleveragesecuritycultureandawarenessasameanstoreduceriskandcostsneedtodomuchmore…impactmoredecisionsandwinmoreheartsandmindstothecauseofsecurity.ButCISOsandsecurityprofessionalsstillstrugglewiththequestion:HowdoIshowthatlinkagebetweensecuritycultureandsecurityperformance?HowdoIdemonstratethatdirectlyaddressingourorganization’ssecuritycultureisworththemoneyandtimeforadiagnosticproject?

EstimatingtheFinancialImpactofSecurityCultureThebestwaytomakeacasethatasecurityculturediagnosticprojectisworththecostistoshowhowmuchimpactculturalimprovementcanhaveontheorganization’sbottomline.WecanbegintoshowthevaluethatstrongerInfoSecculturesbringbycreatingabasicmodelofsecuritycultureimpactonthelikelihoodandcostofsecurityincidents.Inotherwords,wecanshowseniormanagementjusthowmuchaweaksecurityculturemightcostthem.

Thecasestudypresentedinthefollowingsectionusesabasicprobabilisticmodel,calledaMonteCarlosimulation,toestimatethefinancialimpactofdifferentsecuritycultureswithinanorganization.MonteCarlosimulationsareusedwidelyinindustryforestimatingallkindsofrisk,fromfinancialperformancetothelikelihoodofprojectfailures.Theyarelesscommonlyusedininformationsecurityinmyexperience,althoughI’veintroducedafewcompaniestothemduringmyprofessionaltravels.Atahighlevel,Iwillmakesomeassumptionsaboutsecuritycultureandthelikelihoodofsecurityincidents,buildasetofscenariosthatincorporatethoseassumptions,andthentestthosescenariosstatisticallybysimulatingthemrepeatedly.Theoutcomeofthesimulationwillshowtheexpectedresultsofasecurityculture’simpactonanorganization’slossesfromsecurityincidents.

MonteCarloSimulationsMonteCarlotechniquesemergedoutofWorldWarIIandtheeffortsto

createthefirstatomicbomb.ThescientistsworkingontheManhattanProjectnamedtheirmodelsafterthefamousEuropeancasinoinMonaco,andusedthemtoestimatetheprobabilitiesoftherandombehaviorsofsub-atomicparticlesintheweaponstheywerebuilding.MonteCarlotechniquestookadvantageofstatisticalanalysesandtheavailabilityofelectroniccomputerscapableofdoingmoresophisticatedcalculationsmorequicklythantheexistingmanualmethods.

Putsimply,MonteCarlomodelsfunctionbyallowingpeopletorepeatedlysimulateeventsaboutwhichtheyknowcertainthings,suchasasetofpossibleoutcomesandthelikelihoodofeachofthoseoutcomes.Agoodexampleistheoutcomesfromrollingtwosix-sideddice.Assumingthedicearefair,theprobabilityofrollinga7isknown(1/6orabout17percent).Buthowcouldwetestwhether7reallycomesuponceoutofeverysixrolls?Onewaywouldbetorolltwodice100or1000or10,000timesandrecordtheresultofeachscenario(therollingoftwodice).Afterallthoserepeatedscenarios,wewouldexpectthenumberof7swerolledtoapproach17percentofourtotalrolls.Rollingdicethousandsoftimes,however,isnotsomethingmostpeoplehavetimetodooutsideofLasVegas.But,thoseparameterscanbepluggedintoacomputertohaveitrandomlysimulaterollingdice,whichwouldbemuchfasterandachievethesameresult.That’saMonteCarlosimulation.

TherearemanytoolsavailablefordoingMonteCarlosimulations,andafulldiscussionisbeyondthescopeofthisbook.YoucanbuildsimulationsdirectlyusingspreadsheetprogramslikeMicrosoftExcelorOpenOfficeCalc,althoughthiscantakesomemanualeffort.Therearealsoplentyoffreeandcommercialadd-insandapplicationsfordoingsimulations.AnInternetsearchforMonteCarlotoolswillreturnmanyoptionsyoucanexploretogetstarted.Itendtouseavarietyofthesetools,dependingonwhatIwantorneedtoaccomplish.

Beforewebeginourcasestudy,weneedtosayawordaboutassumptions.Inanygoodmodel,includingourMonteCarlosimulation,assumptionsaremadeexplicit.Youshouldstateyourassumptionsupfront,thesamewayaresearchershoulddefineherhypothesisbeforesheconductsanexperiment.Modelsaresimplificationsthatcontainuncertainty,andonlybyacknowledgingwhatassumptionswehavemadeinbuildingthemodelcanweexpectotherstotaketheoutcomeswepredictseriously.Statingourassumptionsopenlyand

transparentlygiveseveryoneachancetounderstandtheuncertaintyinvolvedinourestimates,toidentifythingswemighthavemissedorgottenwrong,andtosuggestnewdataorchangedassumptionsthatcanmakethemodelbetter.

CaseStudy:FOXTROTIntegrators,Inc.Thiscasestudysimulateshowaweakerorstrongersecuritycultureaffectsthepotentialfinanciallossesfromsecurityincidentsatahypotheticalcompany,FOXTROTIntegrators,Inc.Likealltheotherexampleorganizationsdiscussedinthisbook,FOXTROT’ssecuritycultureandvaluescompetewiththeculturesandvaluesofotherstakeholdersandotherbusinessimperatives.Whatwewanttoknowis,ifFOXTROT’sinformationsecuritycultureweretocompetemoreeffectivelywithintheorganization,wouldFOXTROT’ssecurityimprove?

AssumptionsTobuildtheprobabilisticmodelforthiscasestudy,Ineedtomakeafewassumptions.Theyarenotblindguesses,ortricks,butratherjustthegroundrulesthatdescribehowIthinktherealFOXTROToperates.IfIhadempirical,historicalevidence,thenIcoulduseittofillinsomeoftheseblanks.Otherwise,Imustmakeabestjudgmentestimate.Inthiscase,thatdoesn’tnecessarilylimitme.I’mnottryingtoconvinceanyoneexactlytowhatextentculturalchangespecificallyimpactssecurityperformance.I’msimplytryingtomakethelogicalcasethatthestrengthorweaknessofasecurityculturedoesimpactsecurityperformance.

Myfirstassumptionhastodowiththeoutcomeofthemodel,namelythattheamountofmoneythatsecurityincidentsarecostingFOXTROTisagoodproxyforhowwellinformationsecurityworkswithinthecompany.Ifthesimulationshowsthatastrongersecurityculturereducessecurityincident–relatedfinanciallosses,thatisthesamethingassayinginformationsecurityisimprovedinthecontextofthecasestudy.Someonemightdebatethatassumption,butthat’sthepowerofmakingyourassumptionsexplicit.Theargumentbecomesmoreconcrete,focusedonthemeritsofthemodelandhowitcanbemademoreaccurate.

Mysecondassumptionisaboutinformationsecurity–relateddecisions.IassumethatFOXTROT,asanorganization,makesadecisionwithpotentialsecurityimpactaboutonceaweek.Idon’tspecifywhatthisdecisionis.Itcouldbeateamdecisionaboutwhichnewsoftwaretoimplementoradecisionbyanindividualdeveloper,likeClarafromChapter2,aboutwhethertocompletea

securityreview.Itmightbeanemployeedecidingwhetherornottoopenanunfamiliare-maillinkorattachment.Thepointisthatanyofthesedecisionshasthepotentialtocauseasecurityincident.Whetherornotanaverageof52decisionsperyearisrealisticisimmaterialhere.Remember,I’mtryingtoestablishacorrelation,notaspecificnumber.Ionlyneedtobespecificaboutthenatureofthedecisions—thateachonehasthepotentialtocauseasecurityincident.It’sunlikelythatthenumberwillstaystatic,yearinandyearout.Soinadditiontotheaverageof52decisions,Iwillassumethatthenumberofdecisionseachyearfollowsanormal,orbell-shaped,curve.AndIwillassumethatthenumberofeventseachyearexhibitsastandarddeviationof5decisions,whichsimplymeansIcanbeprettyconfidentthatFOXTROTwillmakesomewherebetween42and62security-impactfuldecisionsinanygiven12-monthperiod.

Mythirdassumptionisthatthestrengthofanorganization’sinformationsecuritycultureinfluenceshowsecurity-relateddecisionsaremade.Whensecuritycultureandprioritiesareforcedtocompetewithotherorganizationalculturesandpriorities,securitymayormaynotprevaildependingonhowweakorstrongthesecuritycultureiswithintheorganization.Ifthesecuritycultureisweak,securitywillloseoutinthesecontestsmoreoften.Whensecurityfailstoovercomecompetingpriorities,decisionswillbemadethatarebadforsecurity,althoughtheymaybegoodforotherstakeholders.InthecaseofClarathedeveloperfromChapter2,herdecisiontoprioritizeprojectcompletionoversecurityreviewcompletionrepresentedabadsecuritydecision,onethatcouldleadtoanincident.Ifsecuritycultureisstrong,decisionsthatfavorsecurityoverotherprioritieswillbemademorefrequently,andotherstakeholdersmayhavetocompromise.Thesegoodsecuritydecisionsreducethechancesofanincident.

Table8-1laysouttheassumptionsIhavemadesofarforthiscasestudy.

Table8-1FOXTROTSecurityDecisionModelandAssumptions

ScenariosThenextstepinthecasestudyistoconsiderhowthestrengthofthesecuritycultureinfluenceswhetherbadsecuritydecisionsgetmade.Toaccomplishthiswithinthemodel,Ihavehypothesizedthreelevelsofsecurityculture:weak,moderate,andstrong,eachwithitsownsetofassumptions.Strengthofthesecurityculturemaybeafunctionoftheorganization’strainingandawarenessprogram,oritmaybebecausetheorganizationoperatesinahighlyregulatedorhighlysensitiveindustry.Whatevertherootcause,thestrengthofthesecuritycultureisdefinedashowoftenamemberoftheorganizationwillprioritizesecuritywhenmakingadecision,evenwhenfacedwithacompetingculturalvalue.Thisstrengthisameasureofhowwellsecuritycompeteswithotherculturesintheenvironment.Whensecurityisputfirstinthedecision,securitywinsinthemodel.Table8-2liststhethreelevelsofsecurityculturestrengthbasedonthisdefinition.

Table8-2LevelsofSecurityCultureStrength

The“68-95-99.7Rule”IntheFOXTROTexample,Iamconfidentthattheactualnumberofsecurity-impactfuldecisionsinagivenyearissomewherebetween42and62.Ihavethisconfidencebecauseofastatisticalguidelineknownasthe“68-95-99.7Rule,”alsosometimescalledthe“threesigma”rule.Instatistics,standarddeviationisameasureofdispersionofdata,symbolizedbytheGreeklettersigma,σ.Assuminganormaldistribution,datavaluesaredistributedequallyaroundthemean,decreasingasonemovesawayfromthatvalue,andmeasuredintermsofstandarddeviations.Ageneralruleofthumbisthat68percentofvalueswillliewithinonestandarddeviationofthemean,95percentofvalueswillbewithintwostandarddeviations,and99.7percentwithinthreestandarddeviations.InthecaseofFOXTROT,becausethestandarddeviationisfivedecisionsimpactingsecurity,Icanbereasonablyconfidentthatanassumedrangeof42to62decisionswillbeaccurate95percentofthetime.Thefollowingillustrationdepictsthe68-95-99.7ruleinanormaldistribution.

(CourtesyofDanKernlerwithpermissiongrantedunderthetermsoftheCreativeCommonsAttribution-ShareAlike4.0Internationallicense,http://creativecommons.org/licenses/by-sa/4.0/legalcode)

Thecasestudyscenariosarealmostcomplete.AllIneednowistodefinemyassumptionsabouthowoftensecurityincidentswilltakeplaceandhowseveretheywillbe.Iassumethechanceofsecurityincidentsresultingfrombadchoiceswillbesimilartochancesinacointoss.WithoutharddataeitherwayIassumethat,onaverage,FOXTROTwillseeasecurityincidentresultfrom50percentoftheirbadsecuritychoices,giveortakeabit.Foranysingleinformationsecurityincident,IestimatethatFOXTROT’sminimumlosswillbe$10,000.Ialsoassumethecompanywilllosenomorethan$5milliononanyonesecurityincident.Thesearebothextremevalues,however,andIassumethatthemostlikelycostperincidentwillbeaquarterofamilliondollars.

Table8-3liststheseassumptions.

http://creativecommons.org/licenses/by-sa/4.0/legalcode

Table8-3LikelihoodandSeverityofSecurityIncidentsResultingfromaBadSecurityDecision

TestingtheScenariosInowhaveallthecomponentsofamodelthatIcansimulateusingaMonteCarloanalysis.Icanplugalltheseassumptionsintomysimulationandthen“run”thescenarioacouplehundredtimes,eachrunsimulatingahypotheticalyearoftotalfinanciallossesfromallinformationsecurityincidentsFOXTROTexperiences.Similartotheexampleofthrowingdicediscussedinthe“MonteCarloSimulations”sidebar,IcanaggregateandaverageallthesimulatedannuallossestoshowthemostlikelyannuallossesFOXTROTwillexperiencefromsecurityincidentsgiventhestrengthofthecompany’sInfoSecculture.Figure8-1showstheresultsofthissimulation,includingthelikelyminimum,average,andmaximumannuallossesfromsecurityincidentsatFOXTROT,basedonwhetherthecompanyhasastrong,moderate,orweakinformationsecurityculture.

Figure8-1MonteCarlosimulationresultsofFOXTROTannualsecurityincidentlossesbysecurityculturestrength

Theresultsofthesimulationareprettyremarkable,andtheyshowthatsecurityculturehasadefiniteimpactonhowmuchFOXTROTislikelytoloseeachyearfromsecurityincidents.AsthestrengthofFOXTROT’ssecuritycultureincreasedinthemodel,theoveralllossesfromsecurityincidentswentdown.Ifyouaccepttheassumptionsofthemodel,thismakessense.Astrongersecurityculturemeansthateverysecurity-relateddecisionismorelikelytofavorsecurityoveracompetingculturalvalue,resultinginagoodsecuritydecisioninsteadofabadone.Thefewerthebadsecuritydecisionsbeingmade,thelowerthelikelihoodthatadecisionwillcontributetoasecurityincidentandcauselossesfortheorganization.

Themodelallowsforawiderangeofpossibleoutcomes.Noteveryyearwillbringcatastrophicsecurityincidentsandhugelosses.Evenassumingaweaksecurityculture,sometimesFOXTROTwillgetluckyandmaynotlosemuchmorethanitwouldhaveifastrongerculturehadbeenpresent.Butasbadsecuritydecisionspileup,sodothecostsofaweakersecurityculture.Theeffectofsecuritycultureonaveragelossesamountedtomultimilliondollardifferences.AndinthecaseofastrongInfoSecculture,themodelestimatedthatthemaximumannuallossesincurredbyastrongsecuritycultureweremillionsofdollarslessthantheaveragelossesexperiencedbyaweaksecurityculture.

UsingtheResultsoftheModelItisonethingtotellseniormanagementthatinformationsecurityisaculturalproblemandthatresourcesareneededtoimproveit.Itissomethingelseentirelytotellthemthataweaksecurityculturecouldcostthecompanytensofmillionsofdollarsinotherwisepreventablelosses.Aprobabilisticanalysisofculturalrisk,asdemonstratedintheFOXTROTcasestudy,allowsaninformationsecurityprogramtomakeamuchmorecompetitivecaseforimplementingasecurityculturediagnosticprojectwithinanorganization.Theresultsrevealthetangiblebenefitsofimprovedsecuritycultureinthefinancialtermsofotherbusinessstakeholders.

Theresultsofmodelingsecuritycultureriskandbenefitsareusefulformorethanjustmakingthebusinesscaseforasecuritycultureperformancelink.Noteveryonemayagreewiththeresultsortheassumptions,whichcanprovideagreatopportunityforconcretediscussionsaboutpeople-centricsecurityandinformationsecurityingeneralwithintheorganization.AndtheabilitytoconnectsecurityculturewithfinancialimpactsoftheInfoSecprogramcanbeverypowerful.Ifpeople-centricsecurityandsecurityculturetransformationcansaveacompanymillionsofdollarsinpotentiallossesforlesscostthanatechnologyproductoraprocessimprovementinitiative,manyorganizationsmightviewthisasaverygoodreturnoninvestment.

ExecutingaSecurityCultureDiagnosticProjectTheFOXTROTcasestudymadethecaseforalinkbetweensecuritycultureandsecurityperformance,butnoimprovementinsecuritycultureispossibleifan

organizationcannoteffectivelyassesstheculturetheyhave.Eventhemostplausiblehypothesesandthemostintuitiveframeworksareonlypartofthesolution.TheCompetingSecurityCulturesFrameworkandtheSecurityCultureDiagnosticSurveyprovideaviablebasisforcreatingamapofsecurityculture.Buttheydon’tcreatethatmapthemselves,andtheydon’ttakeyoufrompointAtopointB.Peoplestillhavetodothat.

Diagnosingsecurityculturemustbedoneinthecontextofaprojectand,likeanyproject,itcanbedonewelloritcanbedonepoorly.Theremainderofthischapterfocusesonhowtosuccessfullydesignandexecuteyoursecurityculturediagnosticproject.Thetimeandcareyouputintoassessingyourculturewilldeterminehowmuchinsightandvalueyougetoutofit,soitisimportantthatyouaddressandplanforthefollowingprojectphases:

1.Projectsetup2.Collectionofdata3.Analysesofresponses4.Interpretationofcultureandcommunicationofresults

1.SettingUptheProjectCulture,althoughmeasurabletoacertaindegree,isalsonaturallyamorphousandhardtopindown.Measuringacollectivesetofhumaninteractionsisnevergoingtobeaseasyasmeasuringpacketthroughputinyournetworkorthemoneyyouspentlastyearonvendorsecurityproductsandservices.Sotheworstthinganorganizationcandowhenembarkinguponanassessmentofsecuritycultureistoconductaprojectthatisillconsidered,vaguelyconceptualized,andpoorlydesigned.Planningforthesecurityculturediagnosticprojectisthemostimportantstage,asitwilldeterminehowwelleverythingelsegoesafterwards.

DefiningtheProjectStrategyAsobviousasthegoalsandobjectivesofthesecurityculturediagnosticprojectmayseematfirstglance,theyprobablyaren’t.Andinanyevent,likeassumptionsinanymodel,projectstrategiesshouldbelaidoutexplicitlyinadvanceanddocumented.Thatwayeveryoneisonboard,oratleastshouldbe,fromthebeginningintermsofwhatishopedforandwhatisexpectedoutoftheproject.

Akeystrategicconsiderationiswhichcultureorculturestheprojectintendstomeasureanddescribe.Istheprojectgoaltoascertaintheexistingsecurity

cultureacrosstheentirecompany?Ordoestheorganizationonlywanttodiscoverthesecuritycultureforaspecificgroup,suchasthesecurityteamitself?

MostSCDS-basedprojects,andthelinkagestotheCSCFculturalquadrantstheycreate,aregoingtohavesomesortofcomparativefunction.Thewholeideaoflinkingsecurityrisktoculturalcompetitionimpliesthatmorethanonecultureisstrivingforpredominance.Culturaldiagnosticshelpidentifythesediscrepanciesandconflictsandmakethemvisibletotheorganization.Sowhatistheproject’scomparativestrategy?Thecultureofthesecurityteamisanobviouschoice,butgiventhatanyorganizationmayhavealargenumberofsubcultures,whicharethemostimportantforcomparison?Theeasiestcomparisontobemadeisthatoftheentirecorporateculture.Buttheremaybeotherculturalvaluesthatneedexploring,particularlyinthewakeofasecurityincident.

AthirdaspecttoconsideriswhetherandhowtheSCDSresultswillbefedintoafollow-ontransformationproject.Doyouwanttochangeparticularaspectsofthesecurityculture,suchasmakingitmoreprocessorpeopleoriented?Ordoyouhopetomakecompetingculturesmorecloselyaligned?Thesedecisionswilldriveanalysisandthecommunicationofresultsdowntheline.

Theseareonlyafewofthepossibilitiesanorganizationshouldconsiderbeforeembarkingonaculturalmeasurementinitiative.Strategyiscritical.Ifyouarerunningasecurityculturediagnosticproject,youshouldbeabletoeasilyexplainwhyyouaredoingit,howyouaredoingit,andwhatyouexpecttogetoutofdoingit,allinasmuchdetailaspossible.

DefiningtheContextoftheAssessmentBeyondthe“why?”ofstrategyliesthe“why?”ofcontext.Understandingthecontextinwhichtheculturalassessmentisperformedcanbeasimportantasunderstandingitsgoals.Forexample,istheSCDSbeingadministeredbecausethecompanyhasbeenrockedbyseveralinformationsecurityincidentsinrecentyearsandseniormanagementisdemandingtoknowwhyalltheexpensiveproductsandservicestheypurchaseddon’tseemtowork?Oristhediagnosticprojectnecessarybecausethecompanyismakinganacquisitionandneedstounderstandpossiblesecurityimplications?

Contextcanalsorefertoenvironmentalfactorssuchastimepressures,theattitudesofseniorleadership,legalandregulatoryrequirements,orapassionforinnovation.Eachofthesemotivationswillshapeandsteerthesecurityculturediagnosticprojectmoreorlesssubtly.Issuesofduration,cost,anddesired

outcomesareoftenrevealedwhenanorganizationtakesthetimetoformallyidentifythecontextinwhichtheprojectisbeingattempted.

PerformingaCost/BenefitAnalysisThere’snowayaroundit:assessingandanalyzingyoursecuritycultureisgoingtocosttimeandmoney.Theabilitytoarticulatetothosewhoholdthepursestringshowspendingthattimeandmoneywillproduceapositivereturnisinvaluable.Equallyvaluableisarealisticexpectationofhowmuchbangtheorganizationcanexpectforeachbuckspentonunderstandingitselfbetter.IntheFOXTROTcasestudy,financialsimulationprojectedpotentialsavingsofmillionsofdollarsresultingfromfewersecurityincidentsoccurringinastrongsecurityculture.Estimateslikethesecanhelpmakethecasethatmoneyisnotbeingwastedonmerenavelgazing.Atthesametime,itwouldbeunrealistictoundertakeamultimillion-dollarculturaltransformationprojectinthehopesofreducinglossesthatarefarlessthanthecostoftransformation.

EngagingSeniorManagementNothingsays“we’reserious”likedirectexecutiveinvolvement.Bythis,Idon’tmeanane-mailfromtheCIOsayinginformationsecuritycultureisimportantandeveryoneisexpectedtocooperatewiththesecurityteamonthisprojecttheyaredoing.Imeandirect,active,andinterestedinvolvement.Nosecurityculturediagnosisisgoingtogetthatlevelofinvolvementifprojectownersfailtoengagewithexecutivesponsors.

CISOorseniorInfoSecprogramleadershipsupportisthefirstrungonthisladder.IftheCISOdoesnotbelieveinculturalchange,theprojectislikelydeadonarrival.Butinmyexperience,mostCISOsareinterestedinanythingthatcangivethemalegupbothinprotectingtheorganization’sinformationassetsandinhelpingthesecurityteamcompetedirectlywithotherstakeholdergroups.Theabilitytoidentifyandexplainculturalriskstosecuritygivesseniorsecurityleadersanopportunitytotalkaboutsomethingotherthanhackers,systemvulnerabilities,andthenetworksegmentationrequirementsofPCIDSS.

OrganizationalcultureisafieldmorefamiliartoMBAsandmanagementconsultingthantoengineersandsystemadministrators.Engagingtheorganizationalleadershiponasecurityculturediagnosticprojectcanprovideasecurityteamwiththeopportunitytospeakanotherlanguage,alanguagethatlinkssecuritydirectlywithorganizationalperformance.Onceoneormoreseniorleadersareonboard,thefolksconductingthesecuritycultureassessmentcanhopeforbetteraccesstoresourcesanddata.

Itisalsoimportanttoremembertokeepseniorsponsorsinvolvedandinformedthroughoutthesecurityculturediagnosticproject.Theprojectislikelytorunintoobstaclesoverthecourseofitslife.TheabilityforaprojectteamoraCISOtoquicklycallonaseniorsponsoroutsideofsecuritytoremindeveryoneofwhytheorganizationiscommittedtopeople-centricsecurityandculturalimprovementcanmeanthedifferencebetweensuccessandfailureoftheinitiative.

Attheveryleast,anorganization’sleadershipshoulddefineminimumexpectationsforparticipationintheproject.Theyshouldactivelypromoteandsharetheproject’sgoalsandtheirexpectationsforitsoutcomewiththeirteamsandtheexecutivestaff.Thetoneshouldbepositiveandencouraging,anextensionoftheprojectteam’soutreach.Additionalexpectationstobecommunicatedthroughouttheorganizationincludetheneedforhonestfeedbackfrommembersoftheorganizationabouttheproject,informationabouthowdatawillbecollectedandused(andnotused)duringtheproject,andapromisetosharetheresultswitheveryone.

EngagingOtherStakeholdersSeniormanagement’ssupportandinterestarenottheonlyingredientsforsuccessinasecurityculturediagnosticproject.Successfulexecutionwilldemandcooperationandactiveinvolvementfrommanycornersoftheorganization,includingusers,front-linemanagers,andareaspecialistswhocanhelpinterpretresultsanddiscrepanciesinthecollecteddata.Evenwhentheorganization’stopleaderslayoutminimumexpectations,ifparticipantsinthesecurityculturediagnosticprojectaren’tengagedproperly,theymayfeelliketheyarebeingforcedtodosomethingtheydon’treallyunderstandratherthansomethingtheyfeelisimportantandworthtakingseriouslybecausetheyknowitwillbenefitthemdirectly.

Mostoften,itwillbetheInfoSecprogramthatinitiatesasecurityculturediagnosticproject.Itmayevenbespecialistswithinthesecurityteam,likethetrainingandawarenessowners.Fortheowneroftheproject,themostimportantthingtorememberistokeepyoureyesontheprize.People-centricsecuritywillbenefiteveryone,butyouwillhavetosellthatconcepttojustabouteveryone,likelystartingwithintheInfoSecprogramitself.

Itmaybechallengingformembersofasecurityprogramtorecognizeoraccepttheinherentvalueofotherculturesandprioritieswithintheorganization.AsIhavediscussedpreviously,informationsecurityprofessionalscantakethemselvesandtheirdutiesveryseriously,tothepointoffeelinglikesecurity

trumpsallotherorganizationalconsiderations,oreventhepeopleintheorganization.Culturalintoleranceiswhatdrivessomesecuritytechno-utopians(justtotakeanexample)tomakeridiculousstatementslike“thisjobwouldbesomucheasierifIdidn’thavetodealwiththeusers…”Well,ofcourseitwould.Itisalwayseasierwhenyouonlyhavetodealwithpeoplewhothinkthesamethoughtsandvaluethesamethingsasyou.Butengagingotherstakeholdersmeanstakingamoreaccommodatinganddiplomaticapproachtoimprovinginformationsecurityculture.

Asavvyculturehackerwillmoveslowlyanddeliberatelytotakethemessageofculturalimprovementtoothers,toalignthegoalsoftheprojectwiththeirgoals.Oncethesecurityteamunderstandsthattoleratingotherculturalimperativesmightmaketheirownjobseasier,thesecurityculturediagnosticprojectownercanmoveontohelpingothersoutsideofsecurityrealizehowabettersecurityculturecouldsolveproblemsforthem,includingproblemstheymaynothaveevenrealizedtheyhad.

BuildingtheProjectTeamandPlanFormalizationisakeydriverofsuccessforanyorganizedactivity.It’sthereasontheProcessCultureintheCSCFcanbesopredominantinmanyorganizations.Everyonehasplans.Wethinkaboutwaystomakeourworldandourlivesbetterallthetime.Butthere’sadifferencebetweensittinginyourcubicleandfantasizingaboutthatInternetbusinessthatwillenableyoutoenjoyafour-hourworkweekandactuallycreatingastartupcompany.Theformercanbeaccomplishedwithnothingmorethanimaginationandtime.Thelatterisgoingtorequireyoutostopimaginingandstartactuallybuildingsomething.

Anyorganizationalprojectthathopestoachieveresultswillbeassignedaformalteam,andthatteamwilldevelopanequallyformalplan.Teamandplanbothwillbedocumentedandofficiallysignedoffonbytheseniorleadersandsponsorswhohavebeenengagedforsupportinthefirstplace.Thesizeoftheteamandtheresourcesprovidedtoitwillbedevelopedoutofthecost/benefitanalysisdescribedearlier.Theteammustbesufficientlycapableofmeetingthegoalstheorganizationhaslaidoutforitself.Thatmeanstheteammustincludeskilledpersonnel,internaltotheorganizationwhereavailableandsupplementedbyoutsideconsultantswherenecessary.Theprojectplanwillbeveryclearaboutwhoisinvolved,whattheymustdo,andwhattheorganizationwillgetoutofthoseactivities.

Incentivesarealsocriticaltoprojectsuccess.ManyoftheexamplesofculturalriskI’vedescribedcomefromsituationswherepeoplearegiven

multipleresponsibilitiesbutarethenrewardedorpunisheddisproportionatelyforonlysomeofthoseresponsibilities.Itwouldbeironic,althoughprobablynotshocking,tofindthatyourmeasurementofcompetingsecurityvaluesfailedduetocompetingorganizationalpriorities.

Noteverysecurityculturediagnosticprojecthastobehugeorenterprise-wide.Securitycultureassessmentisagreatplaceforsmallexperiments,pilotprojects,andexploratoryinitiatives.Thesecanoftenbeaccomplishedandvalueachievedforasmallinvestmentoftimeandmoney.Butevenwhenambitionsaresmall,everythingshouldbeformal,withapapertrailthatallowseveryonetoseeattheendoftheprojectjusthowwelltheorganizationexecutedonitsstrategy.

2.CollectingDataWiththeSCDSprojectdesigninplace,itistimefortheorganizationtocollectactualdata.Aspartofthestrategyandplanningprocess,decisionswillalreadyhavebeenmadeaboutwhichculturestotargetforassessmentandforwhatpurpose.ThemostimportantoutcomeofthesedecisionsisthedeterminationofwhowillactuallycompletetheSCDS.

UsingtheSecurityCultureDiagnosticSurveyTheSCDSisfreelyavailable,underaCreativeCommonslicense,foruseinmeasuringyourorganization’ssecurityculture.Youcanfinditavailablefordownloadathttp://lancehayden.net/culture,alongwithinstructionsforadministeringthesurveytoyourownorganization.

TherearemultiplewaysofadministeringorganizationalsurveysliketheSCDS,includingautomatedtoolsandwebsitesthatcanhelpyousetupandadministeronlinesurveysforyourorganization.Aquickwebsearchonsurveytoolswillgiveyoumanyoptionstochoosefrom,buttouseanyofthesetoolsyouwillenduphavingtotranslatetheSCDSquestionsandresponsesintoasurveyinstrumentyoucanpostanddisseminatetorespondents.PollDaddy,SurveyMonkey,andSurveyGizmoareafewonlinecompaniesthatprovideeasyandaffordabletoolsforpreparingandconductingsurveyswithinyourorganization.

Youshouldalsodecideupfront,evenduringtheplanningprocess,howmany


peopleyouwanttotakethesurvey.Themorerespondentsyouhave,thelargerthedatasetyoucananalyze.Thedownsideisthattheselarge,automatedsurveysaremoredifficulttoexplainandpromoteacrossdifferentgroupsofstakeholders.Runningthesurveyasasmallerexercise,withaselectgroupofrespondents,enablesyoutomoreeffectivelyengageandtrainthemonhowtheCSCFandSCDSwork.However,workingwithsmallerrespondentgroupsmaycauseconcernsaboutnotgettingenoughrepresentativedataabouttheentireorganizationorgroup,particularlyinlargecorporations.Theseconcernscanbemitigatedthroughtheuseofrandomsamplingtechniquesthatallowyoutogeneralizeyoursurveyresponsesacrossanentireorganizationwhileaskingonlyasmallsubsetofthetotalmemberstorespond.SurveyMonkey,oneoftheonlinesurveycompaniesImentionedpreviously,hasagoodblogpostonchoosingrandomsamplerecipientsforsurveysliketheSCDS.YoucanfinditontheSurveyMonkeyblogatwww.surveymonkey.com.

OrganizingRespondentsRespondentsfortheSCDSmustbetreatedcarefullyandrespectfullyiftheorganizationwantstogetvaluableinsightsfromtheirparticipation.Transparencyisalwaysthebestpolicy,andtheorganizationshouldshareasmuchinformationaspossibleaboutthesurvey,whichisanotherreasontolimitparticipationinthebeginningandbuildmindsharewithintheorganization.Whoyouwanttoincludedependsonwhatyouaretryingtoaccomplish.Ifyouwanttomeasurethesecuritycultureoftheentireorganization,youneedarepresentativesamplefromacrosstheorganization.Ifyourfocusisthesecurityteam,youcanlimityourrespondents.Whencomparingdifferentgroupsorfunctionswithintheenterprise,youneedtoidentifyrespondentsfromthetargetsofcomparison.Youwouldmakesimilaradjustmentsforwhateverculturalmeasurementsyouwanttoaccomplish.Somethingstoconsiderregardingsurveyparticipationincludehowyouplantomarketthesurveytopotentialrespondents,whatkindofidentifiableinformationyouwillcollectaboutrespondentsandhowyouwillprotectthatdata,andhowyouintendtoencouragehonestanswerstoyoursurveyquestions.

MarketingandPositioningtheProjectTheorganizationshouldconsiderwaystomakeparticipationintheSCDSprojectattractivetorespondents.Ifparticipationinthesurveyismandatory,theorganizationshouldthinkabouthowtoatleastmakeitaspleasantanexperienceaspossible.Ifsurveyparticipationisvoluntary,thengettingpeopletowanttoparticipateisimportant.Theworst

http://www.surveymonkey.com

outcomeforasurvey-basedinitiativeistodecidetogowidewithparticipation,allowingeveryonetotakethesurvey,onlytofindthatresponseratesareverylow.Iftheendresultissurveydatafromaquarteroftheorganizationorless,thatgivestheappearanceoffailure.Worse,evenif25percentoftheorganizationisstillalotofpeople,thedataislikelytobelessreliableintermsofdescribingtheentireorganization’ssecurityculturethanasmaller,trulyrandomsamplewouldhavebeen.

Conductingthesurveyshouldbemarketedasaprivilege,achancetobepartofsomethingspecialandimportanttotheorganization.Considerformalinvitationsfromseniormanagementtoparticipateorrewardsfordoingso,suchasgiftcards,orcompany-widerecognitionasbeingpartoftheproject.Respondentsshouldbemadetofeelspecial,thattheiropinionsareimportanttothesuccessofthecompany,ratherthanfeelliketheyjustgotrobo-calledbyaprofessionalpollingfirmduringdinner.Anotherusefulwaytomotivateparticipantsisbyallowingthemtoclaimtheirinvolvementintheprojectforcreditandrecognitioninperformancereviewsortrainingplans.

SelectedparticipantsshouldbeprovidedtrainingintheCSCFandSCDS,eitherinpersonorviateleconference.Whereneitheroftheseoptionsispossible,theorganizationshouldprovideadetaileddocumentationpackagethatshowshowtheprojectwillwork.TheinstructionsIprovideaspartoftheSCDS,aswellasexamplesandmaterialfromthisbook,canallbeusedtosupportthecreationofsuchapackage.

CollectingDemographicDataTheorganizationmustconsiderwhich,ifany,demographicdatatocollectaspartofthesecurityculturediagnosticproject.TheSCDStemplatesthatIprovidedonotspecifydemographicinformation.Inreality,theonlyrequireddemographicdatayoumayneedtocollectalongwiththeSCDSisthegroupordivisiontowhicharespondentbelongs.Youwouldneedthattobeabletocompareresultsbetweencultures.ButinanSCDSprojectwheretheorganizationwantstomapthegeneralculturewithoutcomparisonsbetweensubcultures,eventhatdataisnotrequired.Realistically,though,youwillwanttocollectatleastbasicinformationaboutwhoarespondentisandwhereintheorganizationtheywork.Thismayormaynotincludepersonallyidentifiableinformationaboutindividualparticipants,whichIcoverfurtherinthenextsection.Butinformationaboutroles,howlonganindividualhasworkedfortheorganization,andwhetherornottheyareamanager;iftheypossesstechnicalskills;orareassociatedwithsecurityinanywayareallusefuldatapoints.

Beyondbasicdemographics,theorganizationcanconsidercollecting

additionaldatathatmayproveusefulindiagnosingcompetingvaluesandculturalrisksregardingsecurity.Lotsofthingsinfluenceaperson’sworldview,theirassumptionsabouthowthingswork.Age,gender,educationalbackground,evenwhereyousitontheorganizationalchartcanallinfluencehowyoulookatthings.CapturingthisinformationaspartoftheSCDSresponsesgivestheorganizationanopportunitytosliceanddiceculturaldataalongmanypotentialaxes.Sure,thefinanceteamisheavilyProcess-centric,butmaybethehigheryougoupthechainofcommand,themoreAutonomybeginstoemergeasadesirablevalue.Orthemajorityofyoursecurityteammayeat,drink,andbreatheCompliance,exceptforyoursecurityawarenessmanagers,whomayseeTrustasequallyimportant.

EnsuringPrivacyandAnonymityThechallengewithcollectingdetaileddemographicinformationisthebalancebetweencollectingtoomuchinformationandnotenough.Intoday’senvironment,whereprotectingyourpersonaldataanddealingwiththreatsofsurveillanceandprivacyerosionaretopofmind,peopleareoftenmuchmorewaryofsharingtoomuchinformationaboutthemselves.Thisreactionmayseemcounterintuitiveinaworldofsocialnetworkingandblogging,butviewpointstendtochangewhenit’syourbossoranotherauthorityfigureaskingyoutosharewhatyouthinkofthem,specificallyorgenerally.Thisiswhymany360-degreereviewsandotheremployeesurveysareconductedanonymously.

Respondentsmustbereassuredthattheopinionstheygiveabouttheorganization’sculturewillnotgetthemintotroubleorbeusedagainsttheminsomeotherway.Projectownersshouldbeveryspecificaboutwhytheyarecollectinganyparticulardemographicdataandtiethosereasonsbacktothestrategyofthesecurityculturediagnosticproject.Collectingnamesandpersonallyidentifiableinformationcanmakerespondentsthemostnervous,butiftheorganizationwishestofollowupSCDSresponseswithmoredetailedinterviewsorfocusgroups,thisinformationmaybenecessary.Onecompromiseistoofferan“optin”feature,allowingpeopletovolunteersuchinformationandgivepermissiontocontactthemforfollow-ondiscussionsifnecessary.

Insomecasesyoumayactuallyrunintoregulatoryandlegalissuesthatprecludeyoufromcollectingpersonallyidentifiableinformation,particularlyincountrieswithstrongprivacylaws.Mostorganizations,atleastintheUnitedStates,havesignificantleewaywhenconductinginternalemployeesurveys,sincedemographicinformationsuchasjobrole,location,andwhichpartoftheorganizationanindividualworksforisallpartofthecompanyrecordandunlikelytobeconsideredprivate.Thismaynotbethecaseinothercountries,

withdifferentprivacylaws,sotheorganizationshouldcheckbeforecollectingsuchdata.Similarly,anyquestionsaskingfordemographicinformationregardingrace,gender,orreligiouspreferencesshouldbeclearedwithHRandeventhecorporatelegaldepartmentbeforegoingintoasurvey,justtobesure.

CollectingHonestResponsesReassuringrespondentsthattheinformationtheyprovidewillbeusedobjectively,toachievepredeterminedgoals,improvesthechancesforhonestfeedback.Seniormanagementshouldmakeclearatthebeginning,andprojectownersshouldreiteratethroughoutthedurationoftheproject,thatparticipatingintheSCDSwillnotnegativelyimpacttherespondent,theirrelationshipwiththeirmanagerorpeers,ortheirperformanceappraisal.

Beyondjustassuringthathonestresponseswillnothavenegativeconsequences,theprojectsponsorsandteamsshouldreiteratehowimportantsuchhonestyistothesuccessoftheproject.Therearenorightanswerswhenmeasuringculture,andrespondentsshouldbeeducatedagainstperceivingtheprojectasanattemptbymanagementtoconfirmthatthecultureisacertainwayratherthananexplorationofwhatthecultureactuallyis.“Telluswhatyouthink,notwhatyouthinkwewantyoutotellus”couldbeagoodmottoforanyculturalfeedbackinitiative.

DataManagementandStorageAspartofprojectdesignandplanning,makesuretogivesufficientthoughttohowdatafromtheSCDSwillbemanagedandstored.Projectdataandresponsesfromparticipants,especiallywhentheycontainpersonalorsensitivedemographicdata,shouldbekeptsecureinaccordancewiththeorganization’sdataclassificationandinformationprotectionpolicies.Communicatingthatthisinformationwillbehandledresponsiblyandsecurelyisalsoimportantforreassuringparticipantsintheprojectthattheirpersonalinformationwillremainprivateandprotected.Thismayinfluencehowtheycompletethesurvey.Detailsaboutthemechanismsfordoingsoshouldbemadeavailableandtransparenttoparticipants.Manyofushavetakeninternalsurveysortrainingwherevagueassurancesofanonymityaremade,butItendtofindthatlessthanreassuringwhenIhavetousemyemployeecredentialstologintothesystembeforeIcanparticipate.

3.AnalyzingResponsesWhetheryouarecollatingscoresintoaspreadsheetorbuildingthemoutfroma

tool,thefirststepaftercollectingrawSCDSdataistoanalyzethoseresponsesandturnthemintosomethingcoherent.DetailedinstructionsforscoringtheSCDSwerecoveredinChapter6,andcanbefoundinthedocumentationofthesurveyonline.ButtherearesometipsandsuggestionsthatIcanprovidebywayofguidancetohelpyoumakeyoursecurityculturediagnosticexerciseasfruitfulaspossible.

GeneratingSecurityCultureScoresSecurityculturescoresaregeneratedbyaligningspecificSCDSresponseswithquadrantsoftheCSCF.RecallfromChapter6thattheresponsesintheSCDSinstrumentareorganizedintofouralphabeticalcategoriesandthateachcategoryismappedtoaspecificCSCFculturaltrait.Table8-4reviewsthisalignment.

Table8-4SCDSScoresAlignedwithCSCFQuadrants

GeneralsecurityculturescoresforeachCSCFquadrantaregeneratedbyaveragingthesumofthescoresforeachSCDSresponsecategoryacrossalltenSCDSquestions.Formoregranularinquiries—forinstance,onthespecificvaluesandalignmentsrelatedtothemanagementoftechnology,security,orrisk—thescoresaretakenfromeachofthekeyorganizationalactivitiesandtraits.Foreaseofuse,aworksheetisavailablefordownloadathttp://lancehayden.net/culturetohelpyoucalculateyourSCDSculturescores.

CreatingCultureMapsVisuallymappingyourculturescores,asIdemonstratedinChapter7,takesabit


moreeffortthansimplycalculatingthem,butitdoesnotrequireanythingmorethanstandardofficesoftware.MicrosoftExcelandApacheOpenOfficebothallowthecreationofradar-stylechartsfromasetofdata.Somespreadsheetandchartingtoolsdonotofferradarcharts,forreasonsItouchedoninChapter7,soifyouwishtoemploythatvisualizationyouwillhavetouseatoolthatsupportsit.TherestofmychartsItendtodorelativelymanually,buildingthemindividuallyandthenmanipulatingthemintothequadrantsoftheCSCFasimages.Ilikethecontrolofthisprocessenoughtomaketheextratimeittakesworthwhile.Butthelistofchartingandvisualizationtools,includingfreelyavailableoptions,isgrowingallthetime.Iencouragereaderstoexplorethem,asIamdoing,andtoputthemtousewheretheywork.

4.InterpretingCultureandCommunicatingResultsAfterthenumericaldusthassettledandyouhaveaformalsetofscoresandvisualmapstorepresentyoursecurityculture(s),theprocessofinterpretationandcommunicationbegins.Havingdoneallthisgreatworktoputboundariesaroundyoursecuritycultureandidentifyareasofcompetingvaluesandpossibleculturalriskstoyoursecurityposture,it’stimetousethoseresultstointerpretculture,supportpeople-centricsecuritygoals,andcommunicateprogresstootherstakeholders.

AligningDatawithProjectGoalsInterpretingyoursecurityculturediagnosticresultsis,primarily,aprocessofaligningwhatyouhavefoundwithwhatyousetouttodo.Aligningthecollecteddataandresultingscorestoyourstrategicobjectivescreatesthevalueinherenttoimprovingpeople-centricsecurity.Itisalsothebigreasonthatitissoimportanttoidentifyanddocumentthosegoalsaheadoftime,togetbuy-inforthem,andtoproperlysetexpectationsaboutoutcomes.Manyattemptstomeasurecultureendupfallingintoatrapofamorphousambitions,withinsightsandfascinatinganecdotesthatentertainbutaredifficulttoturnintoactions.Cultureisaforestofhumaninteractionsandsocialbehavior.Yourstrategyisthetrailofbreadcrumbsyouleavetohelpyoufindyourwaybackoutagain.

DescriptiveGoalsIfyourmainobjectivewastomeasureoneormoreaspectsofsecurityculturewithintheorganization,togetapictureofwhatitlookslikeasawayofunderstandinghowitworks,thenyourdiagnosticstrategywasprimarilydescriptive.Everyculturalassessmentprojectisadescriptiveeffort,in

thatitattemptstomakevisiblethevaluesandassumptionsoperatingbelowthesurfaceoforganizationalbehavior.

ComparativeGoalsWhenyoubegintoputyourdescriptionsofculturesidebyside,tonoticedifferencesbetweenthemandconsiderwhythosedifferencesexist,you’vemovedfromdescriptivetocomparativegoalsforthediagnosticproject.Mappingthesecuritycultureagainsttheorganizationalculture,orthesecurityculturethatexistsagainstthesecuritycultureyouwouldliketohave,requirescomparativeanalysis.WhentheSCDSprojectstrategyincludesthesecomparisons,youcannowuseyourresultstogetmoreinsightintothequestionsyouhopedtoanswer.Sometimesthoseanswersmaysurpriseyouandmaygeneratenewquestions.

SCDSresultsshouldbeanalyzedinthelightofthecomparativeobjectivesdefinedaspartofthestrategy.DotheSCDSresultslineupwithpeople’sexpectationsorperceptionsaboutthenatureoftheorganizationalsecurityculture?Ifdiscrepanciesexist,where?Andwhatmighthavecausedthem?InChapters6and7,wesawseveralexampleswhereasmallsetoforganizationalactivitiescanskewaculturalquadrant,makingthatcultureseemmorepredominantwhen,infact,justafewoutliersinkeybehaviorsareskewingtheresults.Discoverieslikethiscanpointtofruitfulareasofexploration,andcandirectlydrivechangestotraining,awareness,andpolicythatbecomemoretargetedapproachestosecuritybehavior.

TransformativeGoalsTransformativegoalsarethosethatinvolvechangingexistingculture.Ifyouarecomparingexistingsecurityculturetodesiredsecurityculture,forexample,knowinghowthetwoculturesdifferisjustthestart.Securityculturemapsshowwherespecificchangesarenecessaryandtowhatdegree.Often,evenincaseswhereanorganizationknowsthatchangeandculturaltransformationarenecessary,completionofadiagnosticprojectisanecessaryprerequisitetoknowinghowthatchangemighttakeplace.

SCDSscoresandsecurityculturemapsallowanorganizationtoplanspecific,measurableactionsdirectedatculturalchange.Thisisanimportantpoint,especiallyforcounteringcriticsofculturalmeasurementwhoarguethatcultureistoovaguetopindown.Byfocusingontencoreactivities,theSCDSidentifiesbehavioralcomponentsthatdirectlyimpactsecurity,namesthem,andprovidesawaytoanalyzethem.Changingculturemeanschangingthewaysthattheseactivitiesareundertakenwithintheorganization.If,forexample,acompanydiscoversfromtheSCDSthatpeopledonottakepoliciesandproceduresseriously,thatrepresentsadirectpathtoaction—promotingthebehaviors

inherentinamoreProcess-drivenenterprise.Thosevaluescanbeinstilledbyincludingthemintrainingprograms,buildingthemintoperformancereviews,andmeasuringhowoftenviolationsoccur.Changingthingsisnolongerasvagueorfuzzyasitmighthavebeen,althoughthisdoesnotminimizetheworknecessarytoalterpeople’sbeliefsandhabits.Butatleastyouknowwhatthosebeliefsandhabitsare.

CommunicatingSecurityCultureGettingthesecurityculturemessagetotherightpeopleintherightwaymeansthedifferencebetweenasuccessful,well-receiveddiagnosticprojectandonethatmissesthemark.Failedprojects,attheveryleast,makeitunlikelythattheorganizationwillbewillingtoinvesttimeormoneyintofutureefforts,creatingaself-fulfillingprophecyabouthowharditistomeasureculture.Butthebiggerlosswillbetheinabilityoftheprojecttosupportincreasedculturalmaturityandimprovedsecuritythroughouttheenterprise.Measuringcultureisonlyeverthefirststep,leadingtoactionandchange.Convincingpeoplethattheeffortnecessarytochangeisworthitdependsonhowwellyoucommunicatethebenefitsoftransformation.

KnowingtheAudienceKnowingtheaudienceiskeyinanyculturaldiagnosticproject,bothintermsofunderstandingyouraudienceandshapingyourmessagetomeetitsuniqueneeds.ProjectleadersshouldcarefullyconsiderSCDSresultsinshapingtheperceptionsofallthestakeholdersinvolvedintheproject,fromseniormanagementdowntoindividualcontributorsandrespondentsacrossdifferentgroups.IfcarehasbeentakentopositionandmarkettheCSCFandSCDS,theaudiencewillalreadyunderstandwhytheywereaskedtoparticipate.Nowtheprojectteammustshapethemessageaboutresultsandinsightsforthataudience.

Ourownculturewillinvariablybemorefamiliartousthansomeoneelse’s,whichmaymakethethingstheyprioritizeorcareaboutseemstrangeorevenwrong.Inasecurityculturediagnosticproject,youarelikelytoseepeoplewithstrongculturalbiasesonewayortheotherstrugglingtounderstandwhyeveryonedoesn’tseesecurityprioritiestheywaytheydo.Whencommunicatingculturaldiagnosticsandriskstorespondentandstakeholderaudiences,itcanhelptobeginbyreviewingtheresultsinthecontextoftheculturetheymostcloselyidentifywith,exploringthoseresultsandbringingthemessagebacktofamiliarvaluesandassumptions.Leadingthediscussionoftransformingsecurityculturebyalwaysstartingwiththesecurityteam’sperspectiveoftheworldcan

givetheimpressionthatthesecurityteam’svisionisthepreferredone.Youcanloseyouraudiencequicklywiththisapproach,whichtendstomakepeoplefeelliketheyarebeingtoldthattheybelievethewrongthings.Instead,theprojectteamshouldstartwithmorefamiliarterritory,thenuseexamplesofcompetingsecurityculturesandvaluestoexplainwhymisunderstandingscanhappenandtherisksthatsuchconflictscarry.

Anotherbenefitofthinkingaboutculturelocallyatfirst,throughtheeyesofthestakeholderslivingit,isthechancefortheprojectteamtochallengetheirownassumptions.Mostofthetime,securityculturediagnosticinitiativeswillberunbythesecurityteam.Understandingempiricallythatnoteveryonesharestheirworldview,andhavingtocommunicateanddefendthatworldviewbyfirstempathizingwithotherwaysofseeingthings,cangivesecurityprofessionalsanewperspectiveonthemarketplaceofideasinwhichtheyhavetocompete.

ChoosingaMediumThereisnoonebestwaytocommunicate,nosinglemediumbywhichinsightcanbetransferredmoreeffectivelythanthroughothermediums.Theintendedaudiencewilloftendrivethechoiceofmedium,accordingtobothconventionandexperience.Slide-basedpresentationshavebecomesoingrainedinthecorporateworldthateventhoughtheymaynotbethebestmediumforcertainwaysofcommunicating,youcanalienateyouraudienceifyoudon’tusethem.Butyoushouldalwaystrytopickthebesttoolforthejob.

Scores,charts,andmapsnotwithstanding,thestrengthoftheCSCFisthatitallowsyoutotellastoryaboutculture.Yourstorywillhaveprotagonistsandantagonists,plotpointsandconflicts.TheSCDSdoesnotcreatethatstory.Itsimplyorganizesthethemesinawaythatallowsyoutoputstructurewhereithasn’texistedbefore.Motivationsthathavepreviouslyseemedmysteriousandirrationalnowmakemoresense.Visualscanhelp,butdon’texpectaculturemaptobeimmediatelyandobviouslyintuitivetoyouraudience.Youhavetowalkthemthroughit,interpretforthem,beastoryteller.

Manypresenterstodayhavemasteredslide-basedpresentationsasastorytellingtechnique.Manyothershavenot.Buttechnologyhassetusfreefromanoverdependenceonslides.IencourageyoutoexplorealternatepresentationtoolssuchasPrezi(http://prezi.com),HaikuDeck(www.haikudeck.com),oranyofthenumerousfreeandcommercialmind-mappingtoolsthatalsosupportgraphicalpresentations.

LookingtoNewHorizonsAspartofyoursecurityculturediagnosticspresentation,youwillalsowanttogetyouraudienceexcitedaboutfutureopportunitiesforpeople-centricsecurity.Lookingouttothehorizonofwhat

http://prezi.com

http://www.haikudeck.com

comesnextcangiveyourorganizationapowerfulincentivetokeepgoingwithbetterandmoresophisticatedculturalassessments.Rememberthattheculture–performancelinkhasnonaturallimits.Themorematureandeffectivethesecuritycultureorthelargerorganizationalcultureis,thebettertheresultswillbeofeveryactivityanddecisiontheorganizationundertakes.Culturalmeasurement,itshouldbeemphasized,startswithorientation,theactoffindingoutwhereyouarerightnow.Themapmetaphoremphasizesthisneedforlocationandsituationasthefirststepofalongerjourney.

FromMeasurementtoTransformationThefirsttwopartsofthisbookhavefocusedonmeasuringanddiagnosingorganizationalsecurityculture.Theyhavepresentedwaystodescribeit,analyzeitsrelativeintensity,andidentifyareasofculturalconflictandriskthatmayresultinsecurityfailures.Throughout,thegoalhasbeentotransformorganizationalsecuritycultureintoamorepeople-centricsecurityenvironment.

Butunderstandingsecuritycultureisnotthesameastransformingit.Diagnosisisanimprovementoveruncertainty,butitdoesnotdoanythingtomakeasystembetter.Initiatingchangeanddrivingnewbehaviorsrequiretheirownstructuresandefforts.UsingtheCSCFandtheSCDScanshowexactlywhereyourorganizationstandsculturallyandcanhelpyourorganizationformulatewhereitthinksitshouldbe.Butwhatisthepathtorealizethatchange?It’sgreattosay“wewantsecuritytobelessbureaucraticandmoreflexible,”butwhereistheframeworkandwhatistheinitiativetodefinewhat“moreflexible”meansandhowtoachievethatgoal?

Thethirdpartofthebookwilllooktothemoretacticalchallengeofdevelopingbehavioralchangethatistheengineofculturaltransformation.Aswithmyadaptationsofpreviousresearchintoculturalmeasurement,Ihavegroundedsecuritybehavioralchangeinresearchfromotherdisciplines.AndinthecaseoftheSecurityFORCEBehavioralModelthatIwilldescribe,IhavetracedthesebehavioralstrategiesbacktotheCSCFtocreateastructurebywhichthegroundworklaidinunderstandingyoursecurityculturescanbeusedtobuildapowerfultransformationstrategy.

FurtherReading

AlthoughneitherofthefollowingbooksareMonteCarlotextbooks,bothdiscusstheuseofMonteCarlosimulationsinriskanalysis.

Hubbard,DouglasW.HowtoMeasureAnything:FindingtheValueofIntangiblesinBusiness.Hoboken,NJ:JohnWiley&Sons,2007.Savage,SamL.TheFlawofAverages:WhyWeUnderestimateRiskintheFaceofUncertainty.Hoboken,NJ:JohnWiley&Sons,2009.

PARTIII

TransformingYourSecurityCulture

T

CHAPTER9

FromDiagnosistoTransformation:ImplementingPeople-Centric

Security

hefirsttwopartsofthisbookhaveaddressedculturegenerally,securitycultureinparticular,andwaystoarticulate,diagnose,andanalyzethesecuritycultureinyourorganization.Culture,however,remainsahugeandinclusivephenomenoninanyenterprise,thesumtotaloftheassumptions,beliefs,andvaluesmixingandinteractingbelowthesurfaceofeasilyobservablebehavior.Culturecanbetransformed,buttransformingitislikechangingtheflowofariver.Itisn’teasywhentheriverisconstantlytryingtorevertbacktoitspreviouscourse.Itisanexerciseinorganizationalengineering.Yourstrategyhastobeveryspecificandwellunderstoodoryouwillfail.Thethirdpartofthisbookisaboutdevelopingastructured,measurablestrategytoimplementpeople-centricsecurity,totransformsecurityculture,bycomingfullcircleanddealingdirectlywithhumanandorganizationalbehavior.

DiagnosisandTransformation:OneCoin,TwoSidesUnderstandingcultureandchangingculture,diagnosingandtransformingit,aredeeplyintertwinedideas,whichIillustrateinFigure9-1.Wedon’tneedto

understandcultureifwearecontentwithcontinuingtooperateoninstinctorganizationally,moreorlessunawareofwhypeoplemakecertaindecisionsandnotconcernedwithwhetherornottheywerethebestones.Ourassumptionsandvaluesareembeddedineverydayenterpriseactivity.Theyarereflexeswedon’thavetothinkabout,habitsandritualswefallbackonwhenevernecessary.Culturetakescareofitself.Butforthosetimeswhenwewonderwhywekeepmakingthesamebaddecisionsoverandoveragain,whenwehavethisnaggingfeelingthatwecouldbedoingsomuchbetterifwecouldjustgetoutofourownway,westarttheprocessofincreasingculturalawarenessandvisibility,eventuallytothepointwherewecanshapeittoourowndesiresandpurposes.

Figure9-1Diagnosisandtransformationofculture

TheCSCFasaFrameworkforUnderstandingYoucan’tchangesomethingyoudon’tunderstand.Yourorganizationalsecurity

culture,leftunanalyzedandunexplored,willalwaysremainsomethingofamystery.Peoplefollowtherulesandliveuptoexpectations…untiltheydon’t.Everyonebehavesrationallyanddoestherightthing…untiltheydon’t.Andwhentheicebergkeepsdriftingsouthnomatterhowmuchpeopleleantothenorth,it’sverytemptingtojustgiveupandblameeverythingonfateoronthestarsthatarealignedagainstus.

TheCompetingSecurityCulturesFrameworkisoneattempttoexertmorecontroloveryourorganizationalsecurityculture.Noframeworkcanpreciselymodeleveryvariableinaculture,anymorethanacomputersimulationcanpreciselymodeltheweather,buttheCSCFallowsustounderstandmoreabouthowoursecuritycultureoperates,inthesamewaythataweathermodelhelpsusreduceuncertaintyaboutthechanceofraintomorrow.Ithelpsidentifypatternsandtendenciesthatgiveinsightintowhatdrivesactivity.

UsingtheCSCFgivesusapicture,sometimesfigurativelyandsometimesmoreliterally,ofhowoursecurityculturesandsubculturesoperateandwheretheycomeintoconflictwithoneanotherinwaysthatcancreaterisks.Thissituationalawarenessnotonlyshowswhatreallymattersinsidetheorganization,butcanpointtotheunconscious,andusuallywell-intended,motivationsthatunderliehabitualsecurityproblems.

WhatIstheFrameworkforTransformation?Simplyunderstandingyourorganization’ssecurityculturewon’tchangeit,ofcourse.SecurityculturetransformationiscertainlypossibleusingtheCSCFandSecurityCultureDiagnosticSurvey.Bothtoolsprovideameansforcreatingamap,anavigationalaidshowingwheretheorganizationisandhelpingitdecidewhereitdesirestobe.Butthemechanicsofgettingthereisnotsomethingthatafundamentallydiagnosticmodelisbestequippedtoexplain.“MovefromanoverweightedComplianceCulturetomoreAutonomyandTrust”maybethebestprescriptionforsuccessinagivenorganization,butknowingthatiswhatisneededisonlythebeginning.

Implementingpeople-centricsecurityalwaysrequireskeepingoneeyeonculture,onthevaluesanddrivesthatinfluenceanddirectourbehavior,whilekeepingtheotheronbehavioritself.Adiagnosticmodelmustbebalancedbyabehavioralmodelforthebestchanceofsuccessfullyimplementingpeople-centricsecurity.Thetwomodelsexisttocomplementoneanother,likeamedicaldiagnostictoolcomplementsatreatmentplan.AnX-rayoranMRIscancanproduceadiagnosis,andcanshowwhatmustbedonetocorrecttheproblemor

pathology,butitisnotaguidetothesurgery,thedrugregimen,orthedietandexercisethatspecificallyaccomplishesthatoutcome.

InthechaptersthatfollowIwilldescribetheSecurityFORCEBehavioralModel,whichcomplementsandalignswiththeCSCFandtheSCDS.Themodelisbasedonawell-researchedtheoreticalframeworkinthefieldoforganizationalbehavior,calledhigh-reliabilityorganizations,thathelpsusunderstandwhysomeorganizationsfaillessoftenandlessspectacularlythanothers.TheSecurityFORCEModelrepresentsmyspecificapplicationofhigh-reliabilityorganizationstoInfoSec.Mymodelisjustoneapproach,andunderstandingabitaboutalternativeapproachesmayhelpyouseewhyIfavorit.Therestofthischapterdiscussessomeofthosealternatives.

BehavioralModelsforSecurityCultureTransformationInformationsecuritytodayisundergoingaseriesofexperimentsinbehavioralengineeringandculturaltransformation,althoughwedonottendtousethosetermsdirectly.Buttheentirecomplianceapproachtosecurity,includingthedevelopmentandenforcementofnewcomplianceregimes,demonstratesattemptsbythoseinsideandoutsidethesecurityindustrytoimposechange.Thecomplianceapproachmaybethemostvisibleoftheseattempts,butevenitisjustonesetofinterventionsthatyoucanfindintheindustrytoday.

ComplianceandControlRegimesI’vementioneditinpreviouschapters,butitbearsrepeatingthatcomplianceisprobablythebiggestdriverofactivitytodayininformationsecurity.Manycompaniesthathaveneglectedorbeenlessthanaggressiveintheirinformationsecurityactivitieshavesignificantlyincreasedthoseeffortsinthepastdecadeorso,asadirectresultofcompliancerequirementslikePCIDSS,HIPAA,SOX,andprivacyanddataprotectionlawspassedbygovernmentsaroundtheglobe.

Complianceisperhapsthemostdirectlybehavioralapproachtotransformationandpeople-centricsecurity,sinceitisallaboutforcingpeopletomakenewordifferentchoices.Thesedecisionsmayincludeenterprisemanagementbeingforcedtoaddbudgetforsecurity,IToperationsbeingforcedtocreateandimplementnewprocessesandtechnologiestosupportsecurity,andinformationandITusersandownersbeingforcedintoaccountabilityfortheir

actions.Behindallofthisarethedirectorindirectfearsofenforcementandtheconsequencesoffailedaudits.Organizationsthatdonotimplementexternallymandatedbehaviorsorcontrolsonbehavior,oragreetobeboundbythird-partyassessmentsoftheirduediligence,mayfindthemselvessubjecttoinvestigation,legalaction,fines,andbeingcutofffromtheirabilitytoruncriticalbusinessfunctions,suchasprocessingcreditcardtransactions.

Aspowerfulascomplianceisasamotivationforsecurity,itsweaknessliesintherelianceonsanctionsandpunishmentsforfailingtocomply.MostorganizationsthatadoptacompliancestandardlikePCIDSSdosobecausetheyhaveto,notnecessarilybecausetheybelieveitisthebestwaytosecuretheirinformation.Bymandatingaminimumlevelofsecurityrequiredforcompliance,regulatorsandindustrygroupscanevencreateaperverseincentiveto“dumbdown”thecomplexityofsecuritytoincludeonlywhatismandatedbytheframeworkorstandardinquestion.Thismayleadto“checkbox”InfoSecprograms,wheresecuritybecomessynonymouswithafinitesetofspecificcontrolsimposedbyanoutsidepartythatmaynothavemuchideaabouthowanorganizationactuallyworks.

“Let’sSuetheAuditors…”Inthewakeofhigh-profilebreachesofseverallargecorporations,likethatofTargetin2013,atleastonePCIDSSQualifiedSecurityAssessor(QSA)hasfounditselfonthereceivingendofalawsuit.Trustwave,theQSAforTarget,wassuedfornegligenceinitssupportofTarget’sinformationsecurity.ThelawsuitspawnedanumberofresponsesaboutwhetherornotaQSAshouldbeheldliableforaclient’ssecurityfailure,butitalsopromptedalotofdiscussionaboutwhetherornottheincidentcalledintoquestiontheviabilityofPCIDSSasasecuritystandard,andeventheideaofsecurityassessmentsingeneral(asimpleInternetsearchon“PCIDSSlawsuits”willuncoverseveralsuchanalyses).

AnumberofthecritiquesofPCIDSSinparticulargobeyondthatonestandardtomoregenerallyaddresstheshortcomingsofusingcomplianceandcontrolregimesasasecuritybehavioralframework.Theseincludeconflictsofinterestbetweenpaidauditorsandthecompanieswhoemploythemtodoaudits,thenatureofarelativelystaticandprescriptivesetofcontrolstoaddressadynamicandmutablesecurityenvironment,andthefavoringofsimpler,easierchecklistsoverthehardchallengesofsecuringcomplexinformationsystems.

SecurityProcessImprovementAttheoppositeendofthetransformationcontinuumfromcomplianceandcontrolregimesaresecurityprocessimprovementmethodologies,whichtakeamoresystematicandholisticapproachtosecuritytransformation.Insteadofthenarrowperspectiveofcompliance,whichdefineswhatanorganizationmustdo,securityprocessimprovementtakestheperspectiveofhowanorganizationshoulddothingsandletstheresultingprocessdriveappropriatecontrolsandcomplianceefforts.ISO27001,aninternationalstandardforinformationsecuritymanagement,isprobablythemostwidelyadoptedoftheseapproaches,withthousandsofimplementationsworldwide.Butotherframeworks,mostnotablytheU.S.FederalInformationSecurityManagementAct(FISMA)andthesupportingguidancecreatedbytheNationalInstituteofStandardsandTechnology(NIST),alsoenjoyagreatdealofsupport.

SecurityprocessimprovementframeworkslikeISO27001andtheNISTSpecialPublicationsdonotattempttoforceaprescriptive,controls-centricsecurityframeworkoneveryorganization,subjecttostandardized,recurringaudits.BothISO27001andFISMAdohaveanauditcomponent,butthefactthatmanyenterprisesvoluntarilyimplementtheinternationalstandardortheNISTguidelinesbestpracticearchitecturesfortheirInfoSecprogramistelling.Theseorganizationsmayneverundergoaformalauditoftheirprogram,buttheyrecognizeISOandNISTasgoodwaysto“dosecurity”nonetheless.

IamaproponentofISO27001andoftheprocessimprovementapproachitandNISTpromulgate.Whenimplementedproperly,theyofferacomprehensiveblueprintforsecuritythatdemandsleadershipbuy-in,thoughtfulanalysisofwhattheorganizationactuallyneedsintermsofsecurity,andarisk-basedselectionofcontrolsthatworkbestfortheenterprise,ratherthansatisfyinganexternalpartyimposingaone-size-fits-mostlistof“necessarycontrols”withlittleassociatedcontextornuance.Anunfortunateproblemisthatmanyorganizationsdon’timplementsecurityprocessimprovementframeworkscorrectlyandmanagetoturnthemintojustanotherchecklistofcontrols.ThisisespeciallyfrustratingtomeasacertifiedISO27001auditorwhenIseeanorganizationtakethestandardandskimoverthemainbodybeforelatchingontoAnnexA,alistofpossiblecontrolstheorganizationmayselectfrom.We’resousedtothinkingofsecurityintermsofcontrolsthatwe’resometimesconditionedtoignoreeverythingelse.

Anotherlimitationofthesecurityprocessimprovementapproachisthatitcan

bedifficulttoimplementincrementally.Whetheryouarefacinganauditornot,bothISOandNISTtendtoassumeastaticInfoSecprogram,acompletesystemthatmustbeeitheraugmentedorcreated.Thistendstorequireatop-downimplementationdirective,usuallymandatedwithinafinitetimeframe,ratherthanaprocessthatisgradualandorganic.InthecaseofISO27001,theresultisthatorganizationsregularlychoosetolimitthescopeoftheirinformationsecuritymanagementsystem(ISMS),perhapstoasingledatacenterorenterpriseapplication.MakingtheISMSapplytotheentireorganizationatonceisperceivedasbeingtoodifficult.

“ButWeDon’tDoE-CommerceHere…”Ioncedidaglobaltourofamultinationalcompany’sregionalofficesanddivisions,ostensiblytoassessthecompany’sinformationsecurityprogramagainsttherequirementsofISO27001.Withofficesanddivisionsinmanydifferentnations,someoperatingasdirectlymanagedsubsidiariesandothersasquasi-independentpartnershipsandjointventures,widedifferencessoonbecameapparent.Asthechallengesofdivingintothespecificandnuancedwaysthatdifferentregionalofficesrantheirsecurityprogramsthreatenedtooverwhelmtheresourcesdevotedtotheproject,thecompanydecidedinsteadtosimplyfallbackonassessingthepercentageofimplementedcontrolslistedinAnnexAofthestandard.Thiswouldprovide,itwasthought,an“applestoapples”comparisonofInfoSecprogramefforts.

Thecontrolsassessmentprovedunsatisfactory,withthequantitativescoringofcontrolsonlydoingalimitedjobofalleviatingthecompany’suncertaintyabouthowsecuritywasmanagedacrossdifferentgeographiesandcultures.Anditprovedfrustratingforboththeregionalofficesandtheassessmentteam.Saddledwithaprescriptiveandinflexiblelistofcontrolsthathadtobeassessedandscoredinthesamewayforeachcompany,itbecamedifficulttoexplaindiscrepanciesinthefinalgrades.E-commerce,forexample,isthesubjectofseveralcontrolsunderAnnexA,andtheassessmentteamwasrequiredtonotewhethertheofficehadthosecontrolsinplace.Withoutleewaytoalterthescoring,manyofficeswerelessthanhappytofindoutthatweweretakingpointsoffforthefailuretoimplementthe“required”controls.Icouldonlynodsympatheticallyeverytimeoneofthelocalsecurityemployeescomplained,“Butwedon’tdoe-commercehere…”

TechnologyandAutomationApproachesIwouldberemissnottoincludetechnologyapproachestothelistofpotentialbehavioralmodels,approachesthatbelieveitispossibletoautomatepeople’sbehaviorswithintheorganization,usuallybylimitingwhattheycando,butalsobypredictingwhattheymightdo.Atthecenterofmuchofthiseffortliesthepromiseofbigdataandadvancedanalytics,whichmanybelievewillcompletelyrevolutionizethepracticeandindustryofinformationsecurity,inpartbylettingmachinesdothelearninganddecidinginsteadofpeople.Thesesystemsoperateattheintersectionofsurveillanceandsecurity,gatheringdataaboutabewilderingvarietyofactivitiesandprocessingittofindpatternsandsupportorganizationaldecisions,whichmaythemselvesbeautomated.

Inthepost–EdwardSnowdenworld,manypeoplefindtheideaofincreasinglevelsofanalyticallydrivenpersonalandprofessionalsurveillancecreepyanddisturbing,regardlessofwhetherthosetechniquesarebeingusedbysocialnetworks,advertisers,rentalcarcompanies,ouremployers,orintelligenceagencies.AlthoughIsharesomeoftheseconcerns,Ifindmybiggerproblemwiththebigdatamovementininformationsecuritytobethehypearoundcapabilities.Idon’thaveanydoubtsaboutthepowerofanalytics,butIalsohaveanabidingfaithinpeopleandtheirabilitytocircumvent,intentionallyorthroughsheer(good,bad,ordumb)luck,justaboutanytechnologysystemdesignedorintendedtocontroltheirbehavior.Ofcoursethetechnologywillwinsomeofthetime.ButI’malwaysskepticalofclaimsliketheoneIheardadatascientistmakeduringatalkatasecurityconferencenottoolongago.“Infiveyears,”thespeakersaidconfidently,“therewon’tbeanyoneinsecuritybesidesdatascientists,becausewewon’tneedthem.”

MakingItPersonal…Wouldn’titbegreatifoursecuritysystemscouldtellwhatuserswerethinkinganddecidewhowasapotentialthreat?Well,Fujitsuisworkingondoingjustthat.Inearly2015,thecompanyannouncedthedevelopmentofinnovativetechnologythatcanpickoutvulnerableusersbyprofilingthempsychologicallyandbehaviorally.Thesystem,accordingtoFujitsuandindustrywrite-ups,analyzeseverythingfrome-mailsandvisitedwebsitestomouseclicksandkeyboardactions,andproducesaprofileofeachuser

designedtopredictthelikelihoodthatpersonmightsuccumbtoacyberattack.Thecompanyfiguredatthetimethatthetechnologywasayearoutfromproduction.

Maybeitwouldn’tbesogreatafterall.Fujitsu’stechnologysoundsabitlikeinformationsecurity’sversionofthefilmMinorityReport.Andthereisnoquestionthatadvancementinbehavioralanalyticsmakessuchhumanmonitoringcapabilitiesseemlesslikesciencefictioneveryday.ThequestionistowhatextenttechnologylikeFujitsu’sautomatedpsychologicalprofilingislikelytoimpactorganizationalsecuritycultureandpractice.Willorganizationsacceptthepotentialsurveillanceandprivacytrade-offsthatsuchtechnologiesbring,inthenameofimprovedsecurity?Andwillpeopleacceptsuchintrusiveactivitiesintotheirlives?Perhapsmostimportantly,onehastowonderifapanopticcultureofsecurity,onedrivenbyknowingyouarebeingwatchedallthetime,isasdesirableoreffectiveacultureasonewherepeoplevaluegoodsecuritybehaviorssomuch,andpracticethemsoconscientiously,thattheydon’tneedtobeunderconstantsurveillance.

SecurityNeedsMoreOptionsTosummarizemypoints,Ithinkthatthebehavioralmodelscurrentlyavailabletopeople-centricsecurity,whileusefulinmanyways,oftencomeupshortintermsoftheirabilitytosuccessfullytransformsecurityculture:

ControlandcomplianceregimesOftentooprescriptive,toospecificandstandardized,creatingaleastcommondenominatorstateofsecurityprioritizing“checkingthebox”overaddressingproblemsSecurityprocessimprovementframeworksOftennotprescriptiveenough,embracingcontextanduncertaintywhenpeoplejustwanttobetoldwhattodo,makingimplementationstressfulandhardTechnologyandautomationapproachesOffersoliddataandevidence,butriskthetrapofthinkinghumanbeingscanbemanagedlikemachines,deterministically,whenhistoryprovesotherwise

Ifthebadnewsisthatnoneoftheseapproachesarefullyalignedwithdevelopingapeople-centricsecurityculture,thenthegoodnewsisthatthereisopportunityfornewbehavioralframeworkstobeexploredandimplemented.ComparingthethreeI’vecalledoutisaclassicopportunityforaVenndiagram,liketheoneshowninFigure9-2.Opportunityliesindevelopingnewbehavioral

modelsthatcomplementsecurityculturemodelsliketheCSCFandprovidethebestelementsofthevariousexistingmodels.

Figure9-2Opportunitiesfornewsecuritybehavioralmodels

Inthefollowingchapters,Iproposeanddescribeanewframework,theSecurityFORCEBehavioralModel,whichisdesignedtoaddresstheseshortcomingsandaddvaluetoanorganization’stransformationtopeople-centricsecurity.

FurtherReading

Fujitsu.“FujitsuDevelopsIndustry’sFirstTechnologyThatIdentifiesUsersVulnerabletoCyberAttackBasedonBehavioralandPsychologicalCharacteristics.”January19,2015.Availableatwww.fujitsu.com.Hornyak,Tim.“FujitsuPsychologyToolProfilesUsersatRiskofCyberattacks.”NetworkWorld,January21,2015.Availableatwww.networkworld.com.ISO/IEC.27000:2014,Informationtechnology–Securitytechniques–Informationsecuritymanagementsystems–Overviewandvocabulary(thirdedition).January15,2014.Availableathttp://standards.iso.org.NISTComputerSecurityDivision(CSD).FederalInformationSecurityManagementAct(FISMA)ImplementationProject.Availableatwww.nist.gov.

http://www.fujitsu.com

http://www.networkworld.com

http://standards.iso.org

http://www.nist.gov

I

CHAPTER10

SecurityFORCE:ABehavioralModelforPeople-CentricSecurity

nformationsecurityprofessionalsneednewwaysofthinkingabouttheproblemswefaceandhowtoconfrontthem.Intheindustry,wetalkalotabouthowmuchtheworldhaschangedovertheyears.Ourcurrenttechnologyenvironmentswouldbestunninglycomplextoearlysecurityprofessionals,andourthreatenvironmentswouldbeterrifying.Irememberwhenfirewallswereallweneededtoprotectournetworks,intrusiondetectionsystemswereanew-fangledtechnology,VPNsdidn’texist(atleastnotforthecommonperson),andcellphonescouldonlybeusedasphones.It’sliketheoppositeoftheoldmantellingtalesofwalkingtoschoolbarefoot,inthesnow,uphillbothways.Lookingback,itallseemssoidyllic,thegoodolddayswhenalmostnoonewantedtostealyourinformation,thosewhodidwanttostealitusuallycouldn’t,andthereallybadoneswhocouldstealitoftenwerecaughtbeforetheywereabletodotoomuchpermanentdamage.

Perhapssecurityprofessionalstodaycanbeforgivenfortakingaglumviewoftheworld.Butforanindustrythathasseensomuchtransformation,it’ssurprisinghowpoorlyourframeworksandmodelshavekeptpace.Tobesure,ourtechnologyhascomealongway.Butourbasicconceptshavenotevolvedallthatmuch.Westillactasthoughconfidentiality,integrity,andavailability(CIA)meanthesamethingstheydid30yearsago,thatriskcanbemeasuredinthreecolors,andthatcontrolsaretheessentialbuildingblocksofsecuritylife.Informationsecurityisaremarkablyconservativedisciplinetobelivingandworkingsoclosetothebleedingedgeofinformationagedisruption.

Thepurposeofthisbook,andtheframeworksIproposeinit,isnottosaythatwhatwe’vedoneinthepastdoesn’twork,ortoadvocateabandoningtheCIAtriad,heatmaps,orcontrolframeworks.Thatwouldbesillyanddisingenuous.ButIdobelievethatthetoolsinourtoolboxarenolongerenoughtogetuswhereweneedandwanttobe.Therearemanydirectionssecuritycantake,andistaking,toinnovate.Someofthesedirectionsareextensionsoftechnology,likebigdata.Some,likeincreasinglyaggressiveregulation,focusoncontrols.Iamanadvocateforimprovingcultureandbehavior,fordevelopingmorepeople-centricsolutionstosecuritychallenges.Ibelievetheyofferthebestopportunitytochangethings,torightourselvesbeforewestartseeingdisruptionthatmakestoday’sworldlookasidyllicastheoneIrememberfrommyearlydaysinthefield.

TheSecurityFORCEBehavioralModel,hereafterreferredtomoresimplyasSecurityFORCE,offersanothertoolfororganizationstoutilizeinsecuringtheirinformationandenterpriseassets.Itwon’treplacealltheothertoolsorbeusefulineverysituation,butitcanhelpprovideanotherangleofassessmentandinsightthatmayjustbetheperspectiveanorganizationneedstomakerealheadwayagainstsecurityproblemsthathaveseemedunsolvableuptonow.

OriginsofSecurityFORCEMyexperiencesworkingwithorganizationafterorganizationovertheyearshavegraduallycoalescedintoaformofpatternrecognitionthatcausesmetoseeinformationsecurityasabehavioralandculturalproblem,oneperpetuatedasmuchbysecurityitselfasanyoneoutsidethediscipline.WhatIhaveobservedoverandoveraresecurityculturesthatexhibitirrationalattitudestowardriskandfailure,struggletoreconcileexpectationswithactualoperations,don’tbouncebackfromproblemsverygracefully,tendtowardoversimplification,andmakeahabitofignoringormarginalizingthepeopleclosesttotheproblems.Itonlytakesafewofthesetraitstodestabilizeevenagoodorganization’sinformationsecurityposture.

Alotofresearchandworkhasgoneintounderstandingwhysomeorganizationsfailmoreoftenorlessoftenthanothers,anditturnsoutthatthepatternsIjustdescribedarenotuniquetosecurity,butcanbefoundacrossindustry,organizational,andgeographiclines.Amongthemostprominentresearchersintothetraitsandcharacteristicsoforganizationsthatfailversusthosethatdon’tisKarlWeick.

KarlWeickhasbeenexploringorganizationalcultureandbehavior,andtheireffectsonperformanceandfailure,forhalfacentury.TheSocialPsychologyofOrganizing,abookWeickoriginallypublishedin1969,isconsideredaclassicandhasbeentranslatedintomultiplelanguages.I’vepersonallyfollowedWeick’sworkforwelloveradecade,eversinceIwasfirstintroducedtoitingraduateschool,andI’vetalkedaboutotherareasofhisworkearlierinthisbook.ButthemostimportantapplicationofWeick’sworkforsecurityishisresearch,alongwithcolleagueKathleenSutcliffe,intotheconceptofhigh-reliabilityorganizations,orHROs,summarizedintheirbookManagingtheUnexpected.Weick’sresearch,especiallyhisworkwithSutcliffe,isacentraldriverofSecurityFORCE.

Inessence,high-reliabilityorganizationsfaillessoftenandprovemorerobustwhenfailuredoeshappenbecauseofseveralculturaltraitsthatdefinehowHROsworkandthinkcollectively.SecurityFORCEcapturesthesetraitsandadaptsthemspecificallytopeople-centricsecurity.

TheconceptsandtoolsIintroduceinthisbook—theCompetingSecurityCulturesFrameworkandSecurityFORCE—arebothadaptationsofresearcheffortsthatbeganandweredevelopedelsewhere.Moreimportantly,theseframeworksandmodelshavethebenefitofyearsofempiricalstudybehindthem.Theyhaveworkedwherepeoplehaveappliedtheminotherindustries,andinformationsecuritycanbenefitbymappingandapplyingthemtoourownchallenges.Cultureandbehaviorarephenomenathatapplyasmuchtosecurityastoanyotherorganizedactivity.BeforewediscussSecurityFORCEfurther,it’simportanttounderstandnotonlywhatdefinesahighreliabilityorganizationbutalsothecommontraitsandprinciplestheseorganizationsshare.

HROResearchWeickandSutcliffedescribehighreliabilityorganizationsasthoseenterprisesandorganizationsthathavelearnedtoadapttodangerousandhostileenvironments,wheremanymorethingscangowrongthanin“normal”environments,andwherethingsthatdogowrongtendtogowronginamuchworseway,uptoandincludingpeopledying.Inanorganizationwherethechancesofmistakesandproblemsoccurringarehigherthanusual,youwouldexpectmorethingsto“break”moreoften.Andwhenthingsbreakingbringsworse-than-averageconsequences,possiblydisastrousones,thenyouwouldexpectreallybadthingstohappen.

ButHROresearchershavefoundthatthingsworkdifferentlyinthese

organizationsfromwhatmightbeexpected.HROsoftenexhibitfewerproblems,withlesssevereconsequences,thantheaverageorganization.Whywouldthatbe?Well,itmakessenseifyouthinkaboutit.Anorganizationthatoperatesinalow-risk,low-impactenvironmentmaybeabletomuddlealongindefinitely,evenwhilemakingmistakesandfailingonaregularbasis,nevermanagingtofundamentallychangeitswaysevenwhenthatmeansneverrealizingitsfullpotential.Butanorganizationthatfacescatastropheateveryturnmustlearntosurvivebyskillandconstantvigilance.Otherwise,itwon’tsurviveatall.

WeickandSutcliffeidentifiedspecificexamplesoforganizationsthatoperateasHROs.Theyincludefirefightingteams,aircraftcarriers,manufacturingcompanies,andnuclearpowerplants,amongothers.Allofthesetypesoforganizationsexperiencefailures,ofcourse.Firefightersdie,aircraftcrashonflightdecks,industrialaccidentsandproductrecallsoccur,andoccasionallyweevenfacenucleardisasters.BeinganHROdoesn’tmeannothingevergoesterriblywrong.Butforsystemsthiscomplex,inenvironmentsasdangerousastheonestheseorganizationsoperatewithin,theyhaveatrackrecordremarkableenoughfororganizationalscientiststounderstandthattheydon’tfunctionlikeotherorganizations.Theydothingsdifferently.

TheuniquewaysinwhichHROsfunctionhavebeenorganizedintofiveprinciplesthatsummarizethedifferencesinthebehaviorsofHROscomparedtootherorganizations.TheseprinciplesencompasshowHROslookatsuchthingsasfailureandtheabilitytobouncebackfromit,complexityandoperationalrealities,andwhoismostcapableofdealingwithacrisis.ThesefiveprinciplesaresummarizedinFigure10-1.Eachoftheseprincipleshasitsownapplicationinthecontextofinformationsecurity,andIwillcovertheseindetaillaterinthechapter.

Figure10-1Fiveprinciplesofhigh-reliabilityorganizations

PreoccupationwithFailureHROsobsessoverfailure,butnotforthesamereasonsasotherorganizations.Insteadofoperatingontheassumptionthatfailureisauniversallybadthing,tobeavoidedatallcosts,HROstreatfailureasanunavoidableoutcomeofdoingbusiness,anintrinsicpropertyoftheirenvironment.HROsarecompulsivelydriventoidentifythesefailuresatallcosts,asearlyaspossible.Theythentrytousesmallfailuresasatoolbywhichtheycanavoidlargedisasters.

ReluctancetoSimplifyTheeasiestwaytomakemembersofanHROnervousistoexplainthe

challengestheyfaceinsimplistic,dumbed-downterms.Bymaintainingahealthyrespectforthecomplexityandunpredictabilityoftheenvironmentsinwhichtheyoperate,HROsseekmorecomplicatedanswers,backedbyobservationanddata.SimplemodelsandframeworksmakeanHROwonderwhatisbeingleftoutorignored,andhowthatmightbitethemlater.

SensitivitytoOperationsHROsformulategrandstrategiesjustlikeanyotherorganization,buttheydifferinthattheyputequalemphasisonthetacticalrequirementsthatmakethestrategywork.HROleadersdon’tdo“thevisionthing,”leavingunderlingsandsubordinatestohammeroutthedetails.HROswanttoknowexactlyhowthingsarereallyworking,notjusthowtheyexpectthemtowork,andtheygatherdataandknowledgefromavarietyofsourcestomakethelinksbetweenstrategyandoperationsvisible.

CommitmenttoResilienceRecoveryfromafailuresaysalotaboutwhetheranorganizationisanHROornot.HROs,knowingthattheywillexperienceafailureatsomepointforsomereason,puttimeandeffortintoimagininghowthatfailurewilloccurandwhattheyshoulddowhenitarrives.Asaresult,HROstendtofalldownmoresoftlyandgetbackupmorequicklythanotherorganizations.Likeafighterwhoknowshowtotakeapunch,anHROreboundsandgetsbackintothefightratherthanbeingknockedoutofit.

DeferencetoExpertiseHROsstructurethemselvesaroundadifferentdecision-makingsystem,onethatismoreflexibleanddiverse.Hierarchiesareimportant,butnotwhentheyhinderpeoplewhoknowwhatisgoingonfromactingonthatknowledgeimmediately.Byrelyingontheskillsandjudgmentsofthepeoplewhoareclosesttothesystemsinquestion,HROscangatherdataonpotentialproblemsmorequicklyandrespondwithmoreagilitytochangesinoperations.

HROsinInformationSecuritySincemyfirstencounterwiththeHROresearchliteratureasastudent,Ihavebeenstruckbyhowmuchthisbodyofworkhastoofferinformationsecurity.I’veobservedmanycompaniesthatbehave,fromasecurityperspective,lesslikeorganizationscommittedtosurvivinginthemidstofcomplexityandexistential

danger,andmorelikeonesthatarecomplacentandevenconfidentthattheyareunlikelytoeverreallygethurt.EvenorganizationsthattakesecurityseriouslyareoftenplaguedbytheverydeficienciesthatHROshaveevolvedtoavoid.

IhavebeenusingelementsofHROresearchinmysecurityworkforalongtime.AdaptingandapplyingthebehaviorallessonsofHROstosecurityprogramsisamorestraightforwardprojectthanfull-blownculturaltransformation.Butuntilrecently,IhavealwaysusedthelessonsofHROsinapiecemealfashionandnotasafullydevelopedmodelinitsownright,onethatwouldbeprescriptiveandmeasurableinthecontextofasecurityprogram.Myinterestandresearchintopeople-centricsecuritychangedthat.AsIformulatedamodelofsecurityculturethatcouldleadtolong-termchange,Irecognizedtheneedforacomplementarytransformationalmodel.BasingthatmodelonHROswasthenaturalchoice.

StudiesinFailureHROresearchisjustonebranchinatreeofresearchdevotedtohowandwhysystemsandorganizationsfail,andwhat,ifanything,canbedonetopreventfailure.Aresomesystemsjustdestinedforeventualdisaster?Orcancatastrophebeavoidedthroughcertainenterprisestructures,organizationalcultures,andbehavioralhabits?Obviously,WeickandSutcliffetakeamoreupbeatstancethat,yes,organizationscansavethemselvesfromsignificantfailuresbylearningfromandbehavingmorelikeHROs.Butthereareotherperspectives.

SidneyDekker,whoIdiscussedinPartI,isafailurestudiesexpertwhohasconceptualizeddriftasawayofunderstandinghowcomplexsystemsandorganizationsexperiencegradual,entropicdecayasthedesignsofthosesystemsproveunabletokeepupwithchangingenvironmentalandsocialfactors.ForDekker,failureisasortofbyproductofsuccess.Aspeoplemakeoptimizingdecisions,compromisesinthefaceofinsufficientresourcesorevensimpleinertia,thesystemgrowsunstable.Butratherthanbeingseenasmistakes,thesedestabilizingdecisionslooklikesoundlogicinthemoment.Itisonlyafterafailureincidentthattheorganizationisforcedtoretroactivelyfindandimposeresponsibility.

CharlesPerrowisanotherfailurestudiesscholar,andhisbookNormalAccidents:LivingwithHigh-RiskTechnologieswasamongtheearliesteffortstotheorizethecausesofinstabilityandfailureinhighlycomplextechnologyenvironmentslikenuclearenergy.Perrow’sanalysisofthese

environmentsissimilartoHROresearch,identifyingprinciplessuchastheinevitabilityoffailure,theideathatbigfailuresstartsmall,andthatfailureisasocialratherthanatechnologicalproblem.Perrow’sconclusionsare,however,somewhatlessencouragingthanthoseoftheHROresearchers.Hepositsthatitismoredifficulttodesignaroundoravoidfailuresbecauseunpredictableinstabilityisembeddedintothefabricofsystemsthataremassivelycomplexandcloselylinkedtogether.

HighlyReliableSecurityProgramsSomeInfoSecprogramsalreadybehavelikeHROs,althoughtheytendtoberare.Theseprograms,whichIcallHighlyReliableSecurityPrograms(HRSPs),havemanagedtodevelopthecultureandbehaviorsoftheirHROcounterpartsinotherindustries.“Highlyreliable”insteadof“highreliability”issomethingofahedgeonmypart.IwanttoemphasizethecharacteristicsandbehaviorsofHROswithinInfoSecprograms,butwithoutimplyingthatit’seasytotranslatethosecharacteristicsdirectly,ortoputunduepressureonorganizationstosuddenlybeseenasinfallible.HRSPsshould,asagoal,simplybecomemorehighlyreliablethantheyaretoday.HRSPsdoexist,forinstance,insensitivemilitaryandintelligenceorganizations,aswellassomecompaniesthatdependsoheavilyonproprietaryorprotectedinformationthatanysecurityincidentcanprovedeadly,eitherfigurativelyorliterally.Buttheyareatypical.Takingsecurityseriouslyislaudable,butitisnotthesamethingasbeinganHRSP.Highreliabilityisnotabouthavingthemostcutting-edgetechnologyorreligiouslyimplementinglistsoftopcontrols,anditcertainlyisnotaboutsuccessfullymeetingcompliancerequirements.

Highreliabilityislessabouthoworganizationssucceedatsecurityandmuchmoreabouthowtheyfailatit.Infact,preoccupationwithfailureisthefirstprincipleofHROs,andthevalueoffailureisthefirstkeyvalueinSecurityFORCE.HRSPsfailinaveryparticularway,underspecificcircumstances.Moreimportantly,theyexpecttofail,andsotheypreparefortheeventualityinawaythatallowsthemtoreboundquicklyandgracefullyfromafall.Mostsecurityprograms,evenverycompetentones,findtheircapabilitiesstrainedwhenitcomestofailure,asmanyoftherecentpublicbreachincidentsdemonstrate.Theirbehavioralpatternsandhabitsareconcentratedondifferentpriorities.SecurityFORCEisdesignedtohelpInfoSecprogramschangethosehabitsandbehaviors,toadoptnewonesthatwillnotonlymakelargefailureslesslikely,butenablebetterresponsestothosethatinevitablydooccur.

IntroducingtheSecurityFORCEBehavioralModelSecurityFORCEappliesthefiveprinciplesofHROs(depictedinFigure10-1)asasetoffivecorevaluesthatdefineanHRSP,adaptingthesevaluestosecurityandpackagingthemwithinauser-friendly,memorableacronym.TheseFORCEvalues,showninFigure10-2anddescribedshortly,drivebehaviorandinfluencedecisionmakingwithintheInfoSecprogramandtheentireorganization.FORCEvaluesreflectthethingsthatthesecurityprogramtakesseriously.

Figure10-2CorevaluesofSecurityFORCEfoundinanHRSP

Rememberthatorganizationalcultureisthecollectivevaluesandassumptionsofagroupofpeopleworkingatacommonpurpose,thehabitsandnormsthatdrivetheirdecisionsandactivities,oftenbeneaththeconscioussurface.HRSPspossessauniqueculture,onethatenablesthemtoperformdifferentlyunderdifficultconditions.SecurityFORCEidentifiesthevaluesthataremostlikelytoexistwithinanHRSP,whetherornotthatsecurityprogramconsidersitselfhighlyreliable.SecurityFORCEthereforeapproachescultural

transformationfromtheotherendofthespectrum,fromthebottomup.IfeveryoneinanorganizationbehavestowardinformationsecuritythewaythatpeopleinanHRObehave,allthetime,habitually,thenthatorganizationisanHRSP.Itdoesn’tmatteriftheyexplicitlythinkintermsofanHRO-typeculture.“HRSP”isnotsomethinganorganizationcallsitself,butrathersomethingthatitdoes.Whenyoulooklikeaduck,walklikeaduck,quacklikeaduck,andhavetheDNAofaduck,you’readuck.SecurityFORCEdefineswhatitmeanstobeahighlyreliableduck.

FiveCoreValuesofSecurityFORCEThefivecorevaluesdefinedbySecurityFORCEbenefitinformationsecurityandleadtoatypicalsecurityprogramtransformingintoaHighlyReliableSecurityProgram.AnHRSPtendstoreducethenumberoflargesecurityfailuresthatitexperiences,andtypicallywillrecoverfromfailuresthatdooccurmorequicklyandwithlessdisruptionthanitsnon-HRSPpeers.IhavedevelopedspecificprescriptivebehaviorsforeachSecurityFORCEvalue,behaviorsthatcanbeobservedandencouraged,aswellasSecurityFORCEmetricsthatcanbeusedtotestandassesshowcloselyaprogramconformstothebehaviorsofanHRSP.Isummarizethesecorevaluesinthefollowingsections,andexplorethemindetailthroughoutthesubsequentchapters.

TheSecurityValueofFailureFailuremayseemlikeacounterintuitivevalueforinformationsecurity,butonlybecausewhenitcomestofailingwetendtobedoingitwrong.Thesecurityvaluederivedfromfailureinpeople-centricsecurityisthatitleadstobetterinsightsaboutwhenorganizationsfailandwhattodowhenfailuresoccur.Insteadoftryingtoavoidfailurealtogether,whichisimpossible,HRSPsusefailureasatoolbywhichtheyunderstandweaknessandvulnerabilityintheirsystems.Thisvalueisrealizedwhenfailuresarediscoveredearlyandoften,sothattheycanbeaddressedandcorrectedwhiletheyremainsmall,insteadofwaitingforlargefailuresthatprovecostlierandmoredisruptive.

TheSecurityValueofOperationsOperationsarecentraltoanyInfoSecprogram,butoftenthereisadisconnectbetweenwhatpeopleintheprogramthinkishappening“ontheground”andwhatisactuallygoingon.Asecuritypolicymaysaysomethingisrequired,forinstance,butthepolicyendsupbeingwidelyignored.Orcompliancewitha

standardmaymakeaCISOfeellikesecurityisfunctioningmoreeffectivelythanitreallyis.HRSPsworryconstantlyaboutwhatisreallygoingonwithintheirorganizations.Thesecurityvaluederivedfromoperationshappenswhenthesecurityprogramincreasesvisibilityandfocusonoperationalrealities,ratherthanrelyingonproxiesorassumptionstoguidedecisions.

TheSecurityValueofResilienceHowanorganization’ssecurityfailsisasimportantas,ifnotmoreimportantthan,whetheritfailsorwhenitfails.Securityfailuresareinevitable,butparalysisanddisruptionasaresultofsecurityfailuresarenot.Resilienceinvolvesknowingexactlywhattodowhensomethingbreaks,sothatyoubouncebackquicklyfromtheproblem.HRSPsconstantlythinkaboutfailureandroutinelypracticehowtheywilldealwithit.Thesecurityvaluederivedfromresilience,therefore,isgainedwhenasecurityprogramnotonlyknowswhereitislikelytoexperiencefailure,buthasdetailedplansforaddressingfailureandconductsdrillsonthoseplansuntilhandlingfailureisasnaturalashandlingnormaloperations.

TheSecurityValueofComplexityComplexenvironments,threats,andriskschallengeanysecurityprogram’sabilitytoreduceuncertaintyandmakeeffectivedecisions.Butwheremanyorganizationsmeetthischallengebyreducingcomplexityandpursuingsimpleexplanationsandframeworkstoguidestrategy,HRSPsknowthatoversimplificationaddsmoreuncertaintythanitremoves.Justasassumptionscanleadtoblindspots,oversimplificationcanreducetheorganization’ssituationalawarenessandincreasethelikelihoodof“failuresofimagination”resultingfromrisksthathavenotbeenpreviouslyconsideredandresultinginso-called“blackswan”eventsthatprovesurprisingandcostly.Thesecurityvaluederivedfromcomplexityisharnessedwhenanorganizationmaintainsahealthyskepticismofsimpleanswersandexplanations,andprefersnuancedinsighttoone-size-fits-allexplanations.

TheSecurityValueofExpertiseThereisnoshortageofexpertiseininformationsecurity,butthatdoesn’tmeanthatthepeoplebestpositionedtomakeadecisionarealwaystheoneswiththeauthoritytodoso.HRSPsrecognizethatrigidchainsofcommandandhierarchicalpowerstructurescangetinthewayofeffectiveoperations,

especiallyinacrisis.Thesecurityvalueofexpertiseisrealizedbydistributingdecisionauthoritywithinanorganizationtomaximizeefficiencyandimpact,takingadvantageofthehumansensorsbestplacedtorespondtonewinformationimmediatelyandtakeaction.

SecurityFORCEValueBehaviorsandMetricsThepurposeofSecurityFORCEisnotmerelytodescribehowHRSPsdifferentiatethemselvesfromothersecurityorganizations.Themodelisalsoprescriptive,inthatitprovidesatemplateforchangeandtransformationthatenablesmorereliable,people-centricsecurity.BybreakingdownthekeyvaluesofHRSPsintocertainbehaviors,wecandeterminewhetherthevaluesarebeingupheldwhenitcomestoenterprisesecurity.Oncewehaveidentifiedthesebehaviors,wecanempiricallyobserveandmeasurethem.Andwithmeasurementwecanmakeassessmentsandassignscoresthatenableustocomparebehaviorsandorganizationsagainstoneanother.

SecurityFORCEValueBehaviorsAsIhavedescribedthroughoutthebook,organizationalculturedrivesbehavior.Cultureisthesumtotalofvaluesandassumptionsheldbythepeoplewhomakeuptheenterprise.Anorganization’ssecuritybehaviors,then,arekeyindicatorsofthatorganization’sunderlyingsecurityculture.WhenasecurityprogramfunctionsasanHRSP,whenitscultureisonethathasadoptedtheprinciplesandvaluesofhighreliability,itsbehaviorswillreflectthosedeepinfluencesandpriorities.

EachSecurityFORCEvaluehasanassociatedsetofobservablebehaviorsthatprovideevidenceoftheinfluenceandstrengthofthatparticularvaluewithinthesecurityprogram.Forsecurityculturetransformation,thesebehavioralindicatorsarethesignsthatthetransitiontopeople-centricsecurityandHRSPbehaviorsistakingplace.Ifculturalchangeisreal,ifithaspenetratedandtakenrootwithinthedeeplyheldvaluesandbeliefsoftheorganization,theevidenceofthatsuccesswillbefoundinmeasurablechangesindailybehaviorsoftheorganization’smembers.Conversely,ifchangeissuperficialandhasnotinfluencedembeddedvaluesandpriorities,thiswillbeobservableinthelackofanyrealbehavioralchange.

Tothisend,IhavedevelopedtwodiagnostictoolsthatcanassistyouinimplementingSecurityFORCEvalues.ThefirstisabasicsurveyyoucanusetoassesswhetherornotyourorganizationbehaveslikeanHRSPtoday.ThesecondisasetofmeasuresforeachSecurityFORCEvaluethatyoucanusetogatherempiricalevidenceregardinghowwellyoumanagetheSecurityFORCEvaluebehaviorsinsideyourownenvironment.BothSecurityFORCEdiagnostictoolscanbedownloadedfromhttp://lancehayden.net/culture.

IwillreservedetaileddiscussionofthebehaviorsassociatedwitheachSecurityFORCEvalueforthesubsequentfivechapters,whereIaddresseachFORCEvalueatlengthandprovideworksheetsforassessingandscoringthem.Butforpurposesofintroduction,thebehaviorsassociatedwitheachoftheSecurityFORCEvaluesarelistedinTable10-1.


Table10-1SecurityFORCEValuesandAssociatedKeyValueBehaviors

SecurityFORCEValueMetricsMeasurementiscriticaltothesuccessofsecuritycultureandbehavioraltransformation.AnotherstrengthofSecurityFORCEistheinclusionofmetrics,taggedtothekeyvaluebehaviorsofthemodelanddesignedtoassessHRSP-relatedtraitsandcomparethemovertimeandagainstotherorganizations.ThesemetricsprovideempiricalevidencethattheorganizationisbehavinglikeanHRSP,ratherthansimplygoingthroughthemotionsofbehavioralchange.

AswiththespecificbehaviorsassociatedwiththeSecurityFORCEvalues,Iwillreservedetaileddiscussionofthemetricsassociatedwiththemodelforthesubsequentchapters.Butforpurposesofintroduction,themetricsassociatedwitheachoftheSecurityFORCEvaluesarelistedinTable10-2.

Table10-2SecurityFORCEValuesandAssociatedFORCEValueMetrics

TheCulture–BehaviorLinkinHRSPsTheCSCFrepresentsa“top-down”approachtounderstandingandtransforminginformationsecurityculture.YoucanusetheCSCFtoorientyourselfbroadlyintermsofyourorganization’svaluesandassumptionsaboutsecurity,andtoidentifyareasofcompetitionandpotentialculturalrisk.TransformationusingtheCSCFisalsonecessarilybroad.TheCSCFallowsanorganizationtodeterminedirectionanddistance,sotospeak.Itallowsanorganization,forexample,toarticulatethatitisprimarilyaProcessCulture,andtomakethecasethatitmightbenefitfromtraitsfoundinanAutonomyCulture.It’slikeareal-worldmapinthatyoucanlookatitanddecide,“We’retoofarwest.Weneedtogoeast.”

TheCSCFdoesnottellanorganizationexactlyhowtogetwhereitwantstogo.“BemorelikeanAutonomyCulture”isnotveryhelpfulifyoudon’tknowwhatthatmeansatadetailedlevel.ThebehaviorsmodeledunderSecurityFORCEaredesignedtoprovidethemore“bottom-up”perspectiveonculturaltransformationthatIdiscussedearlyinthechapter.Understandinginformationsecurityasbothcultureandbehaviorisanimportantinsight.AsI’vestatedearlierinthebook,anorganizationcannotchangeitssecurityculturebyjusttargetingobservablebehaviorsandignoringtheinvisibledriversbeneaththesurface.Butatthesametime,theorganizationhastohavesomeideaofwhat

behaviorstolookforifitisevertoknowwhethertransformationissuccessful.Thislinkbetweentopandbottom,betweencultureandbehavior,isattheheartoftherelationshipbetweentheCSCFandSecurityFORCE.

HROsandHRSPsdonothavetothinkintermsofculturetoaccomplishtheirmissions.Theirbehaviorsdevelopovertime,throughevolutionaryadaptationtohostileenvironments.Ittookorganizationalbehaviorresearcherstoobservethoseadaptationsandassignnamestothepatternsthatmakethemwhattheyare.Highlyreliableorganizationsareoftentoobusydoingwhattheydo,survivingandthriving,toworryaboutassigninglabelslike“highreliability”tothemselves.Buttheseenterprisesareculturallydifferentfromothers,andtheirbehaviorsareaproductofthatdifferentculture.Whichcamefirstislikeachickenandeggquestion.WhatboththeCSCFandSecurityFORCEshareisthegoalofdefiningandarticulatingpatternsandrelationshipsthatexistbetweencultures,betweenbehaviors,andbetweenbothcultureandbehavior.Together,theCSCFandSecurityFORCEbecomecomplementaryexercisesinsharedvisibility.

OnlytheReliableSurviveItisdifficulttooverstatetheeffortinvolvedinbecominganHRSP,orinmaintainingthatstatusonalong-termbasis.Organizationsarelikeindividualsinalotofways.Theydevelopcertainhabitsandworldviews,andtheycanbecomeverysetintheirways.It’saboutaseasyforanorganizationtosay“ThisyearI’mgoingtobecomemoresecure”asitisforapersontosay“ThisyearI’mgoingtogethealthy”(or“stopbeingsostressed,”or“writethatbookI’vebeenthinkingabout,”orwhatever).ButNewYear’sresolutions,astheysay,aremadetobebroken.Ittakeswillpower,endurance,anddoggedefforteverysingledaytoliveuptoourgoals.

ThehabitsIseeinmanyInfoSecprogramsaretheonesyoucanfindinmostorganizations.Peckingordermatters,whetherornotitisformalizedinanorganizationalchart.Peoplehatetogetbadnews,especiallywhentheyknowthatturningthingsaroundwillnotbeeasyorwillrequirethattheyembracechange.Andfewthingsareascomfortingasaneatlypackagedsolutiontoaproblem,whetherthatsolutionisatechnologyproduct,aneatvisualthatsumsuptheworldinthreeslides,orapromisethatifyoujustdothesefive,orten,ortwentythings,everythingwillbeokay.

HRSPsdotheirbesttorejectallofthesethings,notbecausetheyare

morallyorintellectuallysuperiortoothersecurityprograms,butbecausetheyknowdeepdownthatiftheydon’tdothingsdifferently,theirenvironmentwilleventuallycrippleordestroythem.Thismeansknowingthedifferencebetweenshort-termandlong-termnecessities,andbeingabletobalancethemeffectively.Itmeansmaximizingbothutilityandinnovation.Likepeoplewhofindthemselveslivingininhospitableclimatesorsurroundedbypredators,HRSPsadaptortheydie.It’snevereasybeingasurvivor.

ThevaluesdescribedinSecurityFORCEoftenalignwithindividualculturetypesintheCSCF.WhetheranorganizationoranInfoSecprogramhasaProcess,Compliance,Autonomy,orTrustCulturecaninfluencehowmuchresistanceoracceptancethatorganizationislikelytoexperiencewhenpromotingthekeybehaviorsofSecurityFORCE.Sounderstandinganddiagnosingtheorganization’ssecurityculturesisanimportantpartofimplementingSecurityFORCEbehaviors.Inthesameway,anorganizatonhopingtoemulateorbecomeanHRSPcannotreallyjumpintotransformingitsculturewithoutadeepunderstandingofthekeybehaviorsthatareexpectedtobefoundinamorehighlyreliableInfoSecprogram.Thenextseveralchaptersareadetailedexaminationofthosebehaviors,startingwiththesecurityvalueoffailureinChapter11.

FurtherReadingWeick,KarlE.TheSocialPsychologyofOrganizing.2nded.NewYork:McGraw-Hill,1979.Weick,KarlE.,andKathleenM.Sutcliffe.ManagingtheUnexpected:ResilientPerformanceinanAgeofUncertainty.2nded.SanFrancisco:Jossey-Bass,2007.Perrow,Charles.NormalAccidents:LivingwithHigh-RiskTechnologies.Princeton,NJ:PrincetonUniversityPress,1999.

T

CHAPTER11

TheSecurityValueofFailure

hefirstkeyvalueinSecurityFORCEisfailure.InChapter10,Idiscussedhowharditisforinformationsecurityprofessionalstoembracefailure,whileemphasizingitsplaceinpeople-centricsecurity.Inthischapter,IwillgointomuchmoredetailaboutjustwhyfailureissovaluabletoInfoSecprograms,whatbehaviorsareassociatedwithacceptingfailureasavalueproposition,andhowtomeasureandincorporatethesebehaviorsintoanexistingsecurityprogram.

WhatIstheSecurityValueofFailure?MostofthesecurityprogramsandleadersIinteractwithhaveaspecialrelationshipwithfailure.Theyfearitandloatheit.Tothem,failuremeansthatyouarenotgoodatwhatyoudo,thatyouhaveletdownyourorganizationandeveryonewhodependsuponit.Failuremayalsocarryharshpersonalconsequencesforyourcareerandyourself-image.Theideathatfailureisnotabadthingisalientomostinformationsecurityprofessionals,andattemptingtomakethecasethatfailureisactuallyagoodthingislikelytogetyoulaughedoutoftheroom.ButmakingthatcaseisexactlywhatI’mgoingtodo.

Failuresareamonganorganization’smostvaluablesecurityresources.Untilthey’renot.Thentheyjustmightkillyou.

“FailureIsNotanOption”

InManagingtheUnexpected(introducedinChapter10),WeickandSutcliffetalkaboutaquotefromthefilmApollo13,alinespokenbyactorEdHarris,playingNASAFlightDirectorGeneKranz.“Failureisnotanoption,”Kranzterselyinformshisteamduringthefilm,settingthestagefortheheroicfeatofrescuingthreeastronautsinacrippledspaceshipheadedforthemoon.Failureisnotanoptionisaninformalmottoinmanysecurityorganizations

I’veencountered,thereasoningbeingthatthestakesarejusttoohigh.Soit’sabitironicthattherealGeneKranzneverutteredthosewordsduringtheApollo13mission.Thelinecamefromoneofthemovie’sscreenwriters,basedonacommentthatadifferentmissioncrewmembersaidasthemoviewasbeingresearched.Therealcomment,abouthowNASAweigheditsoptionscontinuouslythroughoutthedisasterandsimplyneglectedtoeverincludefailingamongthem,wasmorenuanced.Butthatlinewouldn’thavesoundednearlyascoolcomingoutofEdHarris.

FailurewasobviouslyanoptionduringtheApollo13mission,whichfailedbydefinition.Noonelandedonthemoon.ThestoryislegendarybecauseNASAdidaheroicjobofsavingthemissionfromamuchbiggerfailure,thedeathofthethreeastronautsinthecrew.TocasuallysaythatsuchanoutcomewasnotapossibilitybecauseNASAsimplywouldn’tallowitistopretendthatwecanavoidfailurebyforceofwillalone.Thatmayworkinthemovies,butwhenthecreditsrollandthelightscomeup,mostofusintheaudiencehavetogobacktoreality.Intherealworld,avoidingfailuretakeshard,doggedwork.Thisisalessonthatiscoretopeople-centricsecurity.

WhenItalkwithCISOsandsecuritymanagersandamtoldthatfailureisnotanoptionintheirorganization,orthattheyhaveazerotolerancepolicyforscrew-ups,oranyoftheothervariationsIhearonthetheme,Iunderstandwheretheyarecomingfrom.ButIalsotrytopointouttheirrationalityofaphilosophythatdoeslittlemorethanguaranteeyouwillexperienceafailure,andprobablynotjustaminorone.It’slikerepeatedlysayingyourefusetobeunhappyorinsistingthateveryonearoundyoumustalwayshaveapositiveattitude.Theyareimpossibleoutcomesandyoujustenduplyingtoyourselfaboutachievingthem,orexpectingotherstolietoyou,orboth.Eventuallythatcomesbacktobiteyou.

Sowhydoweadoptsuchapatentlyfalseworldview?Probablybecausemostofushavebeentrainedandconditionedtofeelbadaboutfailing.ThismaybemoreofauniquelyAmericanperspective,butfailuregetsalltangledupwiththeideaoflosing.Welearnthatlifeisacontest,andthatbusinessisevenmoreofone.Tofailistolose.Andtolosemeansthatotherpeoplearebetterthanyou.

Sofailurecancarrymorethanjusttheconnotationofmakingamistakeorhavingsomethingbadhappen.Failtoomanytimesandyouactuallybecomeanoun,afailureyourself.Aloser.Abadperson.

ReevaluatingFailureFailureis,atheart,asimpleconcept.Stripawaythemoralandculturaljudgmentsthatmakefailuresomethingtobeashamedof,theoppositeofasuccesstobeproudof,andyouareleftwithamorebasicdefinition.Failureistheoutcomewhensomethingdoesnotfunctionasitissupposedtoorexpectedto.It’sastate,notacharacterflaw.Inhigh-reliabilityorganizations(HROs),failureisatermassociatedwiththeperformanceofasystemandwhetherornotthatperformanceisconsistentandreliable.InaHighlyReliableSecurityProgram(HRSP),whichistheInfoSecequivalentofanHROandthegoalofmostCISOs,thatsystemcanbeaspecificmachineorprocess,oritcanbetheentiresecurityprogram.Butwhicheversystemyouareconsidering,theonethingthatyoucanbesureofisthatitisnotalwaysgoingtowork.Machinesbreakdownovertime.Softwarehasbugsthatgetdiscovered.Securityprogramsareevenmorecomplex,forallthereasonsIhavedescribedinpreviouschapters.Theonlysurethinginasecuritysystemisthat,soonerorlater,somethingisgoingtofail.

Thingsdonotoftencollapsespontaneouslyandcatastrophically,notinthephysicalworldandnotininformationsecurity.It’sveryraretohaveaperfectlyviable,stronglydesignedsystemthatonedaysuddenlyexplodes.Mostfailuresoccuraspartofacontinuousprocessofdecayanddegradation,thestateofthesystemgrowingslowlyandquietlyweakerandlessstableuntilitisnolongerabletowithstandthepressuresofitsenvironment.Thatfinal,completefailure,theonethatbreaksthesystemandthateveryonenotices,cancertainlycomeasanunwelcomesurprise.Butthatdoesn’tmeannoonecouldhaveseenitcoming,iftheyhadlookedforsignsandcluesearlier.

WeickandSutclifferefertobigfailuresas“brutalaudits,”adescriptionthatIfindveryaproposforinformationsecurity.Somuchofourworkiscompliance-driventhesedaysthattheideaofauditshasbecomeinstitutionalizedwithinsecurityprograms.Auditsaredesignedtopointoutdiscrepanciesfromanexpectednorm,usuallytakingtheformofacomplianceframeworkorregime.Aninformationsecurityauditisthereforedesignedtorootoutfailures,thingsthatarenotfunctioningastheyareexpectedtoorastheyshould.AlthoughyoumayfeelbrutalizedafteryourmostrecentPCIDSSorSOXaudit,thefactisthatyouhavehadthosefailuresidentifiedbyfriendlyparties,peoplewhoare

interestedinseeingyourorganizationsucceed.Pointingoutyourdiscrepanciesgivesyouanopportunitytofixthem.Whenacriminalhackerbreaksintoyoursystemsandexfiltratesallyourcustomerinformationtosellontheblackmarket,andthestoryhitsthenewswires,that’sanaltogetherdifferentkindofaudit.Essentially,ithasachievedthesameresult:youarenowawareoftheshortcomingsinyoursecurityprogram,asevidencedbyathirdpartytestingit.Butthatthirdpartyisnotyourfriendandcouldcarelesswhetherornotyourorganizationmakesthingsbetter.They’realreadydonewithyou.

Sothesecurityvalueoffailuredoesn’timplythatamajorbreachorincidentisvaluable,butratherthatvalueliesinunderstandingtheprocessofslowdecayinthestabilityofyoursecurityposture.Theabilitytoidentifysmallerfailures,cracksinthesystemthatappearbeforeitbreakscompletely,iswhatisimportant.HROsandHRSPsaremuchbetterthanotherorganizationsatfindingproblemswhiletheyarejustsymptomsofimpendingfailure.Mistakes,missteps,anderosionareallsignsofgrowingweaknessinasystem.Someofthesesignsaresosmallthattheyarebarelyvisibleandthefailurecausesnorealharm,butwhensmallfailuresstartpilingup,thesignsbegintopointtobiggerproblemsthatmayproveveryharmful.Cracksbecomeholesandfissures,andeventuallythewholethinggives.Thetricktoavoidingbigsecurityincidentsistocorrectfailureswhiletheyremainsmallandinsignificanttotheoperationoftheentiresecurityprogram.Buttocorrectthem,youhavetowanttofindthem.

EmbracingFailureEmbracingfailureasasecurityvaluedoesmeanthatwedesiretofail.Itsimplymeansthatweknowfailureofsomesortisinevitable,thecostofdoingbusinessviathecomplexsystemsthatwedeployanddependuponintheinformationeconomy.Knowing,then,thatwecannothelpbutfailsometimes,atsomelevel,wereadjustouroutlookonwhatitmeanstofailandtrytomakefailureworkforusinsteadofagainstus.YourInfoSecprogrammayhavethemosttalentedpeople,themostrobustprocesses,andthebestcutting-edgetechnologyallworkingtogether,butpeoplewillmakemistakes,processeswillbepoorlycommunicatedorenforced,andthetechnologyenvironmentwillchange,creatingareasofopportunityfordecay.Thesespaceswillgrowandexpand,compoundingoneanother,untiltheproblemgrowstoolargetoignore.

Evensmallfailuresprovideclues,pointerstothefactthatsomethingiswrong,liketheearlysharptwingeinanotherwisehealthytooththatpresagesthecavitythatisgrowingthere.Mostofusdon’tpayattention,atleastnotuntilthepainhasgrownconstant.Wecanidentifysimilarsymptomsofproblemsinour

securityprograms.Employeesvisitwebsitestheyarenotsupposedto,allowsomeonetotailgatethemintoasecuredareawithoutusingtheirbadge,andsoforth.Theeventisablip,anerror,notevensomethingtowhichonewouldapplythetermfailure,withallthebaggagethatwordcarries.Nooneexpectsthatonesmalldeviationtobreakthesystem.ButinaHRSP,peoplearemuchmoresensitivetothese“weaksignals”offailure,asWeickandSutcliffecallthem.Theyarenothugeproblemsinandofthemselves,takenindividually.Buttheyaresymptomaticofmuchlargerweaknessthatexistsoutsideofwhatisvisiblyobvious.

Theheartofhighlyreliablesecurityisacommitmentbytheorganizationtowatchcloselyforinsignificantproblems,smallmistakesandflaws,andtocorrectandrepairthosesmallareasofweaknessbeforetheygrowtoolarge.Everytimesomethinghappensthatisdifferentfromwhattheorganizationexpectedwouldhappen,everytimetheactualstateofafunctiondeviatesfromtheanticipatedstateofthatfunction,it’sconsideredafailure.Thatfailurerepresentstwothings.Ontheupside,it’sanopportunitytolearnabout,correct,andimprovethefunctioningofthesystem.Onthedownside,ifitisnotaddressed,thefailureisanotherincrementalsteptowardthecliff.

WhenanHRSPembracesfailure,itputsmechanismsintoplacetofind,share,andaddresssmallproblems.AnHRSP’ssecuritymanagerstendtoobsessoverfailure,tobroodonit,withthesameenergyandpassionthattheythinkaboutsuccess.That’snotthesameemotionasthegeneralparanoiathatexiststhroughoutthesecurityprofession.Paranoiaisjustfear,oftencompoundedbyasenseofpowerlessness.BroodingonfailureinanHRSPisallabouttakingaction,aboutfindingoutwhetheryourparanoiaisjustified,andthendoingsomethingwhenitis.ACISOinanHRSPisneversoparanoidaswheneverythingisgoingalongswimmingly,withnoproblemstobeseenandsunshineonthehorizon.Heknowsthathisworstenemyisthecomplacentassumptionthatthesystemissound.Forhim,theworstfailureisnottohaveseenthewavecoming,nottohaveputthecluestogetherbeforehand.Sohelooksallthatmuchharderfortheproblemsheknowsmustbethere.

FailSmall,FailFast,FailOftenTheoptimalfailurerateinanHRSPisasclosetocontinuouslyaspossible.Continuous,real-timefailureindicatesthateverythinggoingwrongisdetectedandidentifiedasitfails.Problemscanbeaddressedwithminorcoursecorrectionsandincrementalchangestothesystem.Decayisneverallowedtogetamajortoeholdinsidethesecurityprogramorallowedtolastverylong.In

recentyears,thesecurityindustryhasputalotofemphasisoncompromisesthatallowattackerstositonasystemornetworkformonthsorevenyears,monitoring,collecting,andexfiltratingsensitivedata.TheprincipleissimilartohowHROslookatfailureingeneral.Thelongerafailurestateisallowedtocontinue,theworsethelargerproblembecomes.Uncertaintyisintroduced,andgrows.Youcannolongereffectivelyanticipatesystemoutcomes,andtheoptionsavailableforaddressingtheproblemdiminishovertime.Ofcourse,noneofthismaybeobvious,orevenvisible,tothoserunningthesystem.Onthesurface,everythingappearstobefine.Ifamajorfailureoccurs,it’sallthemoredisturbingbecauseitfeelstoeveryoneinvolvedlikethingsjustsuddenlycollapsedeverywhereatonce.Butthat’sjustbecausenoonesawtherotbehindthefacade.

Itisn’teasytospotsmallfailures.Norisiteasytoadjusttoanenvironmentofconstant,never-endingbadnews,whichiswhymostorganizationsarenothighlyreliableoverthelongterm.Paradoxically,thefearoffailurethatweareingrainedtofeelcancoexistwithequallypowerfulsocialnormsaboutbeingoptimisticandupbeat.Nobodylikesadowner,andpeoplewhoarealwayslookingatlifeasaglasshalf-emptyareseenasnegativeandevendisruptive.Wemayevencreateafantasywherethepeoplewhoworryaboutwhatcangowrongsomehowcontributetoeventualfailurebyvirtueofaself-fulfillingbadattitude.Buttherealchoiceisnotwhetherto“turnthatfrownupside-down”rightuptothepointwhereacatastrophewipesthesmilesoffeveryone’sface.Ourchoiceiswhetherwewantourpaindoledoutinsmall,regulardoses,manageablepinchesthatareeasilycorrectedwiththecontrolwehaveoverthesystembutthathappenmoreorlesschronically,orwepreferourpainexcruciatingandallinoneburst,aswearerippedapartattheseamsbyforceswehaveallowedtogrowoutofourcontrol,untilallwecandoistrytocleanupthemessafterward.

EmbracingfailureandtheotherSecurityFORCEkeyvaluesistheessenceoforganizationalmindfulnessandculturalmaturity.Mindfulnessisnotsomespiritualnirvana,butinsteaditisthestateofbeingtotallyandcompletelyawareofeverythingthatisgoingonandadjustingyouractionsatsuchamicro-levelthatyoudon’tseemtobedoinganythingatall.ThinkofOlympicathletes,dancers,martialartists,orvirtuosomusicians.Onethingobserversnoticeaboutthesepeopleisthattheygetinto“thezone”whereeverythingflowsandgivestheappearancethattheiractionsareeffortless.Butweknowtheyarenot.Thoseactionsaretheprocessofyearsoftrainingandpractice,untiltheycanadjustwhattheyaredoing,correctimbalancesormistakesbeforemostofusevenrealizetheyhaveexperiencedthem.Whenanorganizationachievesthisstateof

mindfulness,itmaygivetheimpressionthatitcandonowrong.Everyproductisahit,everybusinessmovepuregenius.Lookbehindthecurtains,andyouarelikelytoseeasystemsointunewithitselfthatitdoesn’tneedtowaituntilaftersomethingisfinishedtoknowthatitissuccessful.Thatorganizationprobablyknowswhenthings“feelwrong”andhasmechanismsinplacetocorrectproblemsinthemoment.I’veknownafewsecurityteamsthatcoulddothis.Butnotmany.

MinorAccidentsandNearMisses:TrackingtheSeedsofFailureOutsideofthesecurityindustry,youaremuchmorelikelytofindanappreciationforidentifyingsmallfailures.Thesafetyindustry,andthegovernmentagenciesthatregulatecompaniesforsafetypurposes,hasalonghistoryofcollectingincidentdatathatthesecurityindustrywouldprobablyfindincredible.Federal,state,andlocalagenciesintheUnitedStates,aswellasnationalandlocalgovernmentsaroundtheworld,aretaskedwithcollectingandcollatingindustrialaccidentstatisticsthatareusedtoidentifypatternsandtrytoheadofflargersafetyproblemsbeforetheyoccur.TheOccupationalSafetyandHealthAdministration(OSHA),theBureauofLaborStatistics(BLS),andtheNationalTransportationSafetyBoard(NTSB)arejustthreeofthemanyU.S.governmentagenciesthatcollectandtrackdataaboutaccidentsandfailureincidents,bothsmallandlarge,inthecompaniestheyregulate.

Someorganizationsgobeyondjustcollectingroutineaccidentandfailuredatabyattemptingtochartanddescribethespaceinwhichsmallerrorscanturnintobig,life-threateningproblems.TheAviationSafetyInformationAnalysisandSharing(ASIAS)collaborationbetweenMITRE,theFederalAviationAdministration(FAA),andtheaviationindustryisoneexample.TheASIASsystemworkstoidentifyfailurepatternsthatcanpointtosystemicweaknessintheoverallaviationsafetysystem.Anotherorganization,theNationalNearMissprogram(www.nationalnearmiss.org),collectsinformationonnearmissfailuresforbothfirefightersandlawenforcementofficers.

http://www.nationalnearmiss.org

FailureKeyValueBehaviorsTakingadvantageofthesecurityvalueoffailure,andmovingtowardhighlyreliablesecurity,dependsupondevelopingacultureand,morespecifically,asetofbehaviorsthatenableanorganizationtoembracefailureandbegindetectingandcorrectingmistakesandproblemswhiletheyremainsmallandfixable.TheKeyFailureValueBehaviorsdefinedinthischapterdistillthecoreculturaltraitsofHRSPsintoameasurablesetofprioritiesandactivitiesthatwillenableanorganizationtotakeadvantageoffailureasalearningexperienceandaresource,ratherthanwaitingforthecatastrophic“brutalaudit”thatbringsdisruptionanddestructiontothesystem.Thesebehaviorsarenothardtounderstandorevenimplement,giventhebenefitstheycanprovide.Theyare

AnticipatefailuresSeekoutproblemsRewardproblemreportingShareinformationaboutfailureLearnfrommistakes

AnticipateFailuresMostinformationsecurityprofessionalsworry.Weknowthatmanythingscangowrong,andwefretoverwhatmightgowrong.Wemayevenhavespecificideasabouthowthingscanfailintheinformationenvironmentswithwhichwearefamiliar.Butworryisdifferentfromanticipation.Worryingaboutsomeevent,suchasasecuritybreach,meansyoubelieveitcouldhappen,butyouaren’tcertain.Anticipatingthatsameeventmeansyouknowitwillhappen,andyouaresimplywaitingforittohappen,moreorlesscomfortably(dependingonhowwellpreparedyoufeel).Whenyouworrythatsomethingcouldpossiblyhappen,thatmentalimagesitsinabalancedtensionwiththepossibilitythatmaybeitwon’t,whichcanmaymakeyoumorecomplacent.Youjustcan’tbesure,soyoumighthesitatetoact.

Ifyouknowsomethingisgoingtohappen,youbehavedifferently.IfIweretotellyou,with100percentcertainty,thattomorrowanemployeewillletahackertailgatethroughalockeddoorandthattheattackerwillthenproceedtostealtheplansforyournextbigproductlaunch,youwouldtakeaction.Youmightnotpreventtheincident,butyouwouldnolongerhavetheluxuryofwonderingwhetherornotitwouldoccur.Anticipationspawnsactioninways

thatfear,uncertainty,anddoubtdonot.Evenmostriskassessmentsdonetodayaremorefunctionsofworrythanofanticipation.Weoutlineourrisks,eventrytoquantifythem,butwestilloperateundertheassumptionsthattheymaynothappenatall.Wethinkintermsof,“Ifxweretohappen,here’swhatitwouldmean…”

HRSPsanticipatetheirworstsecurityfailuresbyflippingthatscript,byimaginingtheworstsecurityfailuresandtakingtheapproach,“xisgoingtohappenifwedon’t…”(forexample,“…findtheproblemscreatingtheconditionsforthatfailure”or“…takeactiontocorrectthosesmallererrorsbeforetheygetbig”).Anticipatingsecurityfailuresmeansgettingpeoplewhoknowtogethertobrainstormhowthingscangowrong(andhowtheyprobablyarealreadygoingwrong).Itmeanswritingthoseexpectationsdownsothatwecancomparethemwithrealitylater.Anditmeanscreatingtheinvestigativemechanismsrequiredtodigintoeachanticipatedworst-casescenarioandfigureoutwherethecluesandweaksignalsaretodaysothatwecangofindthemandcorrectthem.

SeekOutProblems“Seek,andyeshallfind,”theversesays,andI’veyettoencounteranInfoSecprogramthatcouldnotfindproblemsonceitstartedlookingforthem.Infairness,I’veneverencounteredasecurityprogramthatwasnotlookingforproblems.Riskassessments,penetrationtesting,codereviews,andauditsallcontributetothesearchforsecurityfailuresandtheefforttopreventlargerfailuresdowntheline.Butthetruthis,mostorganizationsarenotdoingitenough,intherightway,orfortherightreasonstoqualifyasHighlyReliableSecurityPrograms.

HRSPsseekoutfailurebecausetheysincerelywanttofindit.Failureisgold,providedyoudon’tgetcrushedunderanavalancheofit.MostfailureseekingthatIseetodayishalf-heartedatbest,andpeoplearehappiestwhenfailureisnotactuallydiscovered.ThatmentalitywouldalarmanHRSP’sstaff.Itwouldmeantheydidn’tlookcloselyenough,orintherightplaces.Itwouldmeanthethreatsarestilloutthere,unknownandunaddressed,allowedtogrowbigger.

HRSP’scultivatefailure-seekingbehavioratalllevels,byeveryoneintheorganization.Thesecurityteamcannotbeeverywhereatonce,sotheyenlistinformantsallovertheenterprise.Securityawarenessteamstrainpeoplewhattolookoutfor,howtoidentifyproblems.Andthesecurityprogramcollectsandanalyzesthisdatainasystematicandformalizedway.Seekingsecurityproblems

isnotthejobofspecializedtestingorauditteams,whousuallycanidentifyproblemsonlyinspecificinstancesoronlyaftertheyhavereachedcertainthresholds.HRSPfailure-seekingbehaviorisabouttryingtocapturefailureinformationnearlyassoonassomeone,anyone,doesadoubletakeandsays,“Whoa,thatwasweird!”

RewardProblemReportingFewpeoplearegoingtoenthusiasticallyundertakeanactivitythatdoesn’tbenefittheminsomeway,muchlessgetexcitedaboutvolunteeringtodosomethingthatislikelytohurtthem.HRSPsencouragethereportingoffailuresbyusingthetried-and-truemethodofrewardingpeoplefordoingit.Securityawarenessteams,again,areoftenthefrontlinetroopsinanyattempttoencouragefailurereporting.Notonlydothesefolksrepresentaprimaryinterfacebetweenthesecurityprogramandtherestofthecompany,theycanalsobethebestmeansofputtingamorebenignandfriendlyfaceonadifficultandsensitivetopic.AtypicalemployeemayfeelmuchmorecomfortableconfidingthefactthattherearepersonalWi-Firoutersinstalledaroundhisopen-planworkspacetothenice,friendlyawarenessmanagerhemetat“SecurityDay”thantotheCISO,oreventothegeeky,dismissivesupporttechnicianwhofixedhislaptopthelasttimehegotavirus.

Rewardingpeopleforreportingsecurityfailuresmeanspraisingpeoplewhobringattentiontothesmallgapsintheorganization’sarmor,evenifthepersonwhoreportsthatgapisthepersonwhocreatedorcausedit.Especiallyifitisthem.Thiscanbeanespeciallybitterpillforsecurityteamstoswallow,particularlywhentherootcauseissomethingasecuritypersonwouldconsiderstupidorevenwillfullynegligent.ButHRSPskeepaneyeonthebiggerpicturehere,andthatviewstatesthattheonlythingaccomplishedbypunishingapersonforreportingamistakeistoensuretheywillneverreportanotherone.Highlyreliablesecurityisfarmoreconcernedwithblindspotsthanwithcriticizingthesourceofaninvaluablepieceoforganizationalvisibility.

Rewardsforsecurityfailurereportingneedtoberealandtangible.Therearemanywaystoaccomplishthis,frombuildingfailurereportingintojobdescriptionsandperformancereviews,toofferingcashorother“bounties”onreportingproblemsinmuchthewaythesecurityvulnerabilitymarketpaysoutforzero-dayexploits,tosimplycallingattentiontoandpraisingpeoplewhonoticewaystomakethingsbetter.Buthoweverthegoalisaccomplished,thesecurityvalueoffailurecannotberealizedfullyunlessitisaculturalvaluethattheentireorganizationpracticesandbelievesin.

ShareInformationAboutFailuresPeoplereportingaboutsecurityfailuresisawayofsharinginformationwiththesecurityprogramorteam.ButHRSPspracticesharinginformationoutward,too.Hoardingorevenconcealinginformationaboutsecurityproblems,forwhateverreason,contributestotheuncertaintyandlackofvisibilitythatcanallowsmallproblemsthespacetometastasizeintohugeones.Informationsharingisanotherareawherethesecurityindustryisstartingtoseemoreinnovationandactivity,asaresultofhigh-profilebreachesthathaveprompted(orforced,dependingonyourpoliticalviews)governmenttostartgettinginvolveddirectly.Likeitornot,informationsharingisonlygoingtogetbigger.HRSPsdon’tmindthistrend,becausetheyalreadybelieveinsharingaspartofthesecurityvalueoffailure.

Ihearplentyofreasonswhyinformationsharingregardingsecurityfailuresisaconcern.Mostofthetime,theprimaryreasonhastodowiththeorganization’sconcernthatbyrevealingincidentsorvulnerabilities,itwilladvertiseitsweaknessestopotentialattackers.Thisconcernhasmeritincertainsituations,butmoreoftenitdirectlycontradictslessonswehavelearnedabouthowsecurityworksinclosedversusopensystems.Sure,anorganizationthatpubliclysharesinformationaboutanexistingvulnerabilitymayaswellhanganeonsignsaying,“HereiswhereIamvulnerable.Ihavenotfixedtheproblem,comeandgetme.”Butifyouknowyouhaveaproblem,whyhaven’tyoufixedit?Theremay,ofcourse,belegitimatereasonsfornotsharinginformationaboutavulnerability,suchastheinabilitytofixit.ButIwouldhumblysubmit,basedonaquarterofacenturyofworkinginthisfield,that“wecan’tfixit”alotoftimesisadisingenuouswayofsaying“wewon’tfixit,”or“wechoosenottofixit,becauseitwouldbetoohard/expensive/timeconsuming…”

HRSPssharefailureinformationmorefreelybecausetheybelievewhatopensourceproponentsbelieveaboutsecurity:thatmoreeyesontheproblemgeneratesmoreinsightintohowtofixitandmorepressuretodoso.ItdoesnotmeanthateveryHRSPpublishestheresultofeverypenetrationtestitconductsorsecurityincidentitexperiences,downtotheIPaddressesinvolved,onapublicwebsiteintheinterestofinformationsharing.Failuresatthatlevelarealreadyabigproblembecausetheywerenotdetectedsooner,beforetheycouldresultinacompromise.Highlyreliablesecurityteamsaremoreconcernedwithsharinginformationabouthowthevulnerabilitygotthereinthefirstplace,andhowitwasallowedtogountreateduntilitreachedthebreakingpoint.

Sharinginformationaboutsecurityfailuresrequiresthattheorganizationsetupformalmechanismsbywhichtoexchangedataandinsights.Whilemostoftheinformationsharingdiscussionshappeningintheinformationsecurity

industrytodayhavetodowithsharingbetweenseparateorganizations,HRSPstendtofirstlookmoreinward.Facilitatingthesharingofinformationthatcouldpreventasecuritybreachaltogetherismuchmoreefficaciousthanstrugglingoverthebestwaytotellapeerorganizationwhenandhowyouwerebreached.

LearnfromMistakesHRSPsseealargepartofthesecurityvalueoffailureasbeingassociatedwithlearningopportunities…learningtounderstandtheirsecurityprogramsbetter,learningtomanageanticipatedoutcomesagainstactualoutcomes,andlearningwheretotakeactiontokeepminorincidentsfromgrowingintomajorones.Therefore,itiscentraltohighlyreliablesecuritythattheInfoSecprogramlearnsomethingfromeveryfailureitencounters.Thatmaysoundtrite,buthowmanytimeshaveyouseenorheardaboutasecurityproblemthatmanagedtogetidentifiedbutnotfixed?Ifweseeasecuritypolicybeingcontinuallyviolated,howoftendowetrytolearnwhythatpolicyissodifficultforpeopletofollow,asopposedtosimplyhandingdownsanctionsor,worse,juststopenforcingitaltogetherasunmanageable?

Everyfailure,nomatterhowsmall,hasareasonbehindit,somethingthatcausedatransitionfromastateofexpectedfunctionalitytoastateofunexpectedfunctionality.InHRSPs,identifiedfailuresalwaystriggerchange—ifnotadirectchangetopeople,process,ortechnology,thenatleastachangeinmindset,tosensitivity.Ifitcan,theHRSPwillcorrecttheproblembyalteringstandardoperatingprocedurestoaccommodatethenewexpectationsthatthefailurehasbroughttolight.IftheHRSPcan’tdothat,itwilladdthefailuretothelistofthingsthatcangowrongandtowhichitmustpaymoreattentioninthefuture.

“ThatReportMadeaGoodPaperweight”Knowingwhatcanorislikelytofailisonlyasgoodasyourcapabilitytotakeactiononthatknowledge.Iftheorganizationcannotorwillnotputtheinformationtoproductiveuse,thenitbecomesimpossibletoextractvaluefromyourfailuredata.OneareaIhaveseenparticularlyhardhitbythistrendisthatofvulnerabilityandpenetrationtesting.Itseemsthat,alltoooften,doingthetestdoesnottranslateintodoingsomethingwiththetest.

I’veworkedwithseveralcompaniesthatreligiouslyconductedpenetrationandposturetestsontheirsecurity.Ineachcase,theethicalhackerteamIwasworkingwithormanagingwouldgointothecompany,

dotheirwork,anddutifullypresenttheirfindings.Theaudiencewouldgetexcitedorfrightened,dependingonthefindingsandwhetherornottheyfelttheyhadknownaboutthelikelihoodofparticularattackvectorsworkingorvulnerablesystemsbeingcompromised.InallthereportsIwasinvolvedindelivering,thefindingsincludeddetailedrecommendationsforhowtocorrectorotherwiseavoidthesmallfailures,errors,andmistakesthathadcreatedaspaceinwhichthehackerscouldcausethesecurityposturetoweakenorcollapsecompletely.Havingshownthecustomerwhatwaswrong,why,andhowtofixit,wewouldleave,notseeingthecustomeragainformonthsoryears,untilthenextscheduledtest.

Therewerealwaysafewcompaniesthat,uponourreturn,wouldsufferthesamepenetrations,thesamefailures,astheredteamdiditswork.Thesewerenotjustsimilartypesoffailures,orrecurringpatternsofvulnerabilityondifferingsystems.Forsomecustomers,thepenetrationtesterswouldsuccessfullyattackandcompromisethesameboxesthesameway,usingthesameexploits,astheyearbefore.Nothinghadchangedatall.Noonehadcorrectedanythingreportedinthepreviousspecificfindings.Reasonsrangedfromthebanal(“Wedidn’thaveenoughtimeorpeopletogettothatone.”)totheterrifying(“That’saproductionmachinethatiscentraltoourbusiness,sowecan’ttakeitofflinelongenoughtoevenfixtheproblemthatallowedyoutoownit.”)

Oneofthefruitsofthesecurityvalueoffailureisinsight.Butinsightwithoutactionislikeappleslefttofallfromthetreebutneverpickedupandeaten.Soonenough,nomatterhowmuchfoodissittingaround,you’regoingtostarve.

AssessingYourFailureValueBehaviorsImplementingnewanddifferentorganizationalbehaviorisnotashardaschangingtheculturethatdrivesthosebehaviors,butthatdoesnotmeanthetaskiseasy.Youhavetoidentifythebehaviorsyouwanttoencourage,andthendevelopwaystoassessandmeasurehowprevalenttheyareandhowwidelytheybecomeadopted.Andallthewhileyouhavetokeeponeeyeonculturalinfluencesthatyoumaybeabletoharnesstoyourpurpose,orthatmightresistyoureffortstowardchangebycompetingdirectlywiththeprioritiesyouhopetoenshrine.

TheSecurityFORCESurveyTheSecurityFORCESurveyisabriefdatacollectioninstrumentdesignedtoassesswhethertheorganizationexhibitsthebehaviorsassociatedwithaHighlyReliableSecurityProgram.Itconsistsof25statements,dividedintosectionsforeachofthefiveSecurityFORCEvalues,mappedtothebehaviorsassociatedwitheachparticularvalue.Respondentsareaskedtostatetheirlevelofagreementwitheachstatement.ThefivestatementsunderSecurityValueofFailurearelistedintheexcerptoftheSecurityFORCESurveyshowninFigure11-1.

Figure11-1SecurityFORCESurveystatementsforfailurevaluebehaviors

LiketheSecurityCultureDiagnosticSurvey(SCDS),theSecurityFORCESurveyisageneralisttool,suitableforavarietyofsituationsandaudiences.Itcanbeusedbyaninformationsecurityteamtoassessbehaviorsrelatedtothesecurityprogramgoalsandoperations,orasacomparativetooltomeasurethedifferencesbetweenteamsororganizationalfunctions.SecuritybehaviorandcultureisnotuniquetotheInfoSecteam,butappliesacrosstheentire

organization(althoughparticularculturaltraitsmayvaryalotwithinthesameenvironment).Highlyreliablesecurityalsohappensorganization-wide,ordoesnot,asthecasemaybe.TheSecurityFORCESurveyallowsanenterprisetogainvisibilityintoitsreliabilityfromasecurityperspective.

ScoringtheSecurityFORCESurveyAdministeringandscoringtheSecurityFORCESurveyisnotdifficult.Thesurveycanbecompletedbyanyoneintheorganization,andawidernetisusuallybetter.HRSPsaretypicallynotorganizationswheresecurityisbothhighlycentralizedandrelativelyisolated,sothatpeopleoutsidesecurityarelessawareofhowthingswork.SecurityFORCEvaluebehaviorsmustbeembeddedthroughouttheorganizationforthebenefitsofhighlyreliablesecuritytobefullyachieved.GatheringFORCEvaluebehaviordatabyadministeringthesurveythroughoutdifferentareasoftheenterprisewillyieldamuchmoreaccuratepictureabouthowoftenthosebehaviorsoccurthefurtheronegetsfromtheofficialsecurityteam.

Oncethesurveydataiscollected,theorganizationaggregatesandaveragesthescoresforeachstatement,fortheSecurityFORCEvaluethestatementrepresents(Failure,Operations,etc.),andforparticulardemographicareasofinterest(securityteamvs.otherorganizationaldivisions,forexample,orbetweenfunctionalroles).Demographicanalysis,ofcourse,requirescollectingdemographicinformationaspartofthesurvey,whichmayormaynotbepossibleordesirableforreasonsofresourceallocationorprivacy.

SincetheSecurityFORCESurveyusesatraditionalLikertscale,witharangeofresponsesfrom“StronglyDisagree”to“StronglyAgree,”itispossibletoassignnumericalscorestothedataandproduceaverageresponses.Iwouldsuggestasimple1to5scale,withlowernumbersindicatingthattheassociatedbehaviorislesslikelytooccurintheorganization.

Anaveragescoreof4orabove(mostresponsesindicateAgreeorStronglyAgree)signifiestheorganizationexhibitsbehaviorsfoundinanHRSP.Anaveragescoreof3(mostresponsesindicatetherespondentfeltNeutral)signifiestheorganizationmayormaynotbehavelikeanHRSP.Anaveragescoreof2orbelow(mostresponsesindicateDisagreeorStronglyDisagree)signifiestheorganizationdoesnotexhibitthebehaviorsfoundinanHRSP.

Inthecaseoffailurevaluebehaviors,then,anaveragescoreof4orgreater

indicatesthattheorganizationbehavesinwaysthatwillmakeitmorelikelytodiscoverfailureswhiletheyremainsmallandactonthemtoavoidamajorsecurityincident.Ascoreof2orbelow,conversely,indicatesthattheorganizationmaylackthebehaviorsassociatedwithanHRSPandmayfinditdifficulttodiscovertheminorproblems,failures,andmistakesthatarereducingthehealthandstabilityofthesystem.

TheSecurityFORCEMetricsTheSecurityFORCEMetricsareasetof25measures,alsomappedtothefiveSecurityFORCEvaluesandtheirassociatedvaluebehaviors.ThesemetricscanhelpyoumeasurethesuccessofyoureffortstocreateanHRSPbehavioralenvironmentwithinyourorganization.Figure11-2showsthefivemetricsforthesecurityvalueoffailure.

Figure11-2SecurityFORCEMetricsforfailurevaluebehaviors

Youcannotmanagewhatyoudon’tmeasure,andevensurvey-basedmeasuresofbehaviorcanbedifficulttointerpretandtrackovertime.TheSecurityFORCEMetricsarebasedontheartifactsandoutcomesthatasetof

behaviorsshouldproduceifthosebehaviorsareprevalentandembeddedwithinanInfoSecprogramorthelargerenterprise.Bytrackingtheseartifactsandoutcomes,anorganizationconcernedwithreliabilityisgivenanadditionalsetofevidencetouseincomparisonwithcommonsense,establishedpolicies,andsurveyresults.Evenifallofthosethingsindicatehighlyreliablesecuritybehaviors,discrepanciesintheSecurityFORCEMetricscanpointoutdiscrepanciesthatshouldbeexploredfurther.

UsingtheFORCEFailureValueMetricsThefiveFORCEMetricsassociatedwiththevalueoffailuretracktheidentificationandmanagementoffailuresanderrors,andserveasindicatorsofwhetherthosefailuresarebeingfoundearlyenoughtoincreasethereliabilityoftheInfoSecprogram.Thereisnosinglewaytousethesemetrics,nordotheyrepresenttheonlyperformanceindicatorsavailabletoanorganization.Buttheyareastartingpointforsecurityprogramsthatmaynottrackcomparablemeasuresortrends.Metricsworkbestwhentheyareperformedovertime,allowingthedevelopmentofbaselinesandcomparisonsofcurrentversuspastresults.SomeoftheFORCEMetricsspecifymeasurementintervals,usuallyonanannualbasis.Butindividualorganizationsmustdecide,givenavailableresourcesandprogramgoalsandobjectives,whatthemostappropriateusesandmeasurementcyclesshouldbeforeachoftheFORCEMetrics.

NumberofsecurityfailurescenariosdevelopedinthepastyearAlargepartofidentifyingsecurityfailuresisanticipatingthem,andHRSPswillgotogreatlengthsnottofallvictimto“failuresofimagination,”whereabreachorincidentmighthavebeenpredictedwithalittleforethought,butwasneverconsidered.Securityfailurescenariosaresimply(butnotnecessarilysimple)brainstormedideasofevents,incidents,orbreaches.Theyaretheextensionsofthethreatmodelsandriskscenariosalreadyundertakenbymanyorganizations,butHRSPsdesigntheirfailurescenarioswithaneyeonthedetailsofsmallfailuresthatwilllikelyoccuronthewaytothebigevent.Thegoalistodevelopanideaofthesmallsignsthatthebigfailureiscoming.Themorescenariosthatanorganizationtakesthetimetoconsideranddevelopoveraperiodoftime,themorelikelytheycanspottelltalewarningsignsearlyoninthefailurecycle.

Numberofsecurityfailurescenarios(whetherornotresultinginaformalsecurityincident)reportedinthepastyearThepurposeoffailurescenariodevelopmentisn’tjustsecurityteammemberstellingscarystoriesaroundacampfire,sotospeak.Somefailurescenariosaremorelikelytooccurthan

others,andthismetricallowsanorganizationtomeasurethepredictivepowerandaccuracyofitsfailurebrainstormingactivities.HRSPsreportfailures,bothsmallandlarge,andthesefailuresshouldbecorrelatedwiththescenariosthathavebeendevelopedinternally.Ifthesecurityteamispredictingscenarioswithidentifiablefailuremarkers,thendetectingandmanagingthoseminorincidentsbeforethescenariofullydevelops(orevenifafailuredoesoccur,butthesignswerenotedbeforehand),that’sagoodthing.Itshowstheenterpriseimaginationhasahealthyawarenessofitsownweaknessesandcanimprovethoseinsights.

RatioofsecurityincidentswithnopriorfailurereportingorindicatorsinthepastyearTheorganizationwantstoseeexpectedfailuresbeingidentifiedandreported,evenifasecurityeventprovesunavoidable.If,ontheotherhand,theorganizationisexperiencingsecurityincidentsthatwereneverconsidered,ornotobservingtheminorproblemsitexpectstoseeassociatedwithaneventthatdoesoccur,thenthat’sbad.Securityincidentsshouldbetrackedandcorrelatedwithapplicableorrelatedscenarios.Anorganizationthatdoesn’tseeanyincidentscoming,orthatexpectssomeincidentsbutgetsonesthatarecompletelydifferent,mustquestionitsprognosticskills.AnHRSPwillwantthismetrictoremainverylow.Whetherornotanincidentprovesavoidable,thefirststepinhigherreliabilityistomakeitmorevisible,sooner.

Ratioofsecurityfailureorincidentdata(reports,root-causeanalyses,after-actions,etc.)voluntarilysharedoutsidetheinformationsecurityprogramImadethecaseearlierinthechapterthatinformationsharingoutsidetheInfoSecprogramisvitalinordertogetdifferentperspectivesandinsightsabouthowsecurityisworkingwithintheorganization.Sharingsecurity-relatedinformationwithnon-securitystakeholdersmaymakesomeInfoSecteammembersabitnervous,butthepotentialpayoffforpushingthatcomfortzonecanbesignificant.Thismeasureprovidesasimplegaugefordeterminingwhetherasecurityteamisemulatingthemoreopen,advice-seekingfailurebehaviorsofanHRSP,oriscontinuingtobeinsularandclosedofffromtherestoftheorganizationaboutsecurityactivitiesandchallenges.

RatioofsecurityfailuresresultinginsystemchangesItdoesn’tmatterhowmuchtheorganizationseeswhat’sgoingwrongifitdoesn’ttakeaction,justasknowingyou’redrivingtowardsacliffwon’tmeanmuchifyoudon’tturnthewheelorhitthebrake.Securityincidentsanddatabreachesalmostalwaysresultinsystemchanges,usuallylargeones.Thismetrichelpstheorganizationunderstandtheextenttowhichchangeisbeingimplementedwhenfacedwith

smaller,moreminorfailures.RememberthatHRSPsaren’tjustlookingtoidentifysmallfailures.Theywanttotakeactionwhiletheyarestillsmallandthecostsofchangearelessburdensome.Unfortunately,manyorganizationstakejusttheoppositeapproach,neglectingtomakechangesbecausetheproblemappearssosmall.Ifanenterprisescoreslowonthismeasure,thatcanbeanindicatorthatthingsdonotchangeuntiltheyareforcedto,usuallyasaresultoftinyfailuresaddinguptobigproblemsthatcannolongerbeignored.

ImprovingYourFailureValueBehaviorsOnceyouhaveidentifiedthesecuritybehaviorsthataremostlikelytomakeyoursecurityprogrammorehighlyreliableandhavecomparedthewayyourorganizationbehavesdaytodaywiththesedesiredbehaviorsthroughthesurvey,measurements,orothermeans,youarelikelytofindareaswhereyouwanttoimprove.Improvingsecuritybehaviordoesnothappenovernight,anditdoesnothappenbyfiat.Weallknowhowharditistojustchangeourownhabitsandcomfortzones.Changingthemforanentireorganizationisthatmuchmoredaunting.

EmbedtheSecurityValueofFailureintoPeoplePeople-centricsecurityputshumanbeingsatthetopofthesecurityvaluechain,andtheyaregoingtobeyourfirst,bestsourceofvaluewhenitcomestoreapingthefruitsofthesecurityvalueoffailure.AsIhavedescribedthroughoutthischapter,therealvalueoffailurehaseverythingtodowithfindingitearlyenoughandoftenenoughtolearnfromitandchangedirectionbeforedisasterstrikes,likeaship’snavigatorkeepingtrackofcurrentsandwindtomakemicroadjustmentstotheship’scoursesothatitnevergetsclosetodanger.Severalapproachescanbeleveragedtomakeiteasierforpeopletoadoptsecurityfailurevaluebehaviors.

ReeducatePeopleonWhatItMeanstoFailCulturalbeliefsandassumptionsdrivebehavior,sochangingbehaviormeansattackingculturalresistance.Organizationscanencouragepeopletovaluefailuremoreactivelyandeffectivelybyredefiningwhatitmeanstofailintheorganization.Akeymessagehereshouldbethatnotallfailuresareequal,andthatsomeareactuallydesirable,sincetheyaredestinedtohappenanyway.By

turningsmallfailuresintolearningopportunities,andreservingfearandavoidancestrategiesforthosebigfailuresthattheorganizationanticipates,afeedbackloopcanbecreated.Peoplewillunderstandthattherearecertainoutcomesthataretrulyunacceptable,thatmustneverhappen.Everythingelseisfairgame,solongasitcreatesanenvironmentofknowledgethatcanbeusedtopreventandavoidtheunacceptable.

SetLeadershipExamplesFewthingswillencourageapersontobehaveinacertainwaymorethanseeingotherpeopledoit,especiallypeoplewhothatpersonrespectsorwantstoimpress.OrganizationalleadersliketheCISOhaveenormouspowertoinfluence,simplybylivinguptotheidealsandrequirementsthattheysetforeveryoneelse.Bywalkingthewalk,suchleadersencourageimitation.Soleadersintheorganization,especiallysecurityleaders,shouldbethefirsttoembracethesecurityvalueoffailure.Thismeanschangingthewaytheydealwithfailuresthatoccur,butalsobeingmoreopenandtransparentabouttheirownfailuresandthoseofthesecurityprogram.WhentheCISOisseenaswelcomingbadnews,evenneedingittodoherjobcorrectly,thenpeoplewillshareitmorewillingly.

OpenUpCommunicationThesecurityvalueoffailureonlygetsrealizedinanenvironmentofopenandfreeinformationsharing.Encouragingthatsharing,andrewardingpeoplefordoingit,ispartofthesolution.Butchannelsmustexistforthemessagetogetthrough.Iffailureinformation,nomatterhowwelcome,neverleavestheinformalsharingenvironmentofthecafeteriaorthewatercooler,itwillnotgetcodifiedordistributedinawaythatgivesthebestresults.Securityawarenessteamsareoftenthebestpositionedtocreateandmanagecommunicationsinvolvingthesecurityvalueoffailure.Byactingasaninterfacebetweenstakeholders,theyareinthebestpositiontoencourageopendialogue,understandchallenges,anddeconflictproblemsthatmayarise.

FurtherReadingPaynter,Ben.“CloseCallsAreNearDisasters,NotLuckyBreaks.”Wired.com.Availableatwww.wired.com.

http://Wired.com

http://www.wired.com

A

CHAPTER12

TheSecurityValueofOperations

sindicatedinChapter10,thesecondkeysecurityvalueintheSecurityFORCEBehavioralModelisoperations.AswiththekeysecurityvalueoffailuredescribedinChapter11,theFORCEModelchallengesustoreconsiderournotionsregardingwhatoperationsmeansforinformationsecurity.OfalltheSecurityFORCEvalues,operationsisprobablytheonethatmanyInfoSecprogramsthinktheydobest.Theindustryisincreasinglypopulatedwithsophisticated(andexpensive)securityoperationscenters(SOCs)tomonitoractivity,combinedwithdashboards,alerts,reviews,andoperationalassessmentsatmultipleenterpriselevelstomaintainsecuritysituationalawareness.Manycompaniesswearbyoperationalvisibilityintheirinformationsecurityprograms,andwiththeplethoraofavailabletools,fromtraditionalsecurityeventandincidentmanagement(SEIM)toolstoenterpriseriskmanagement(ERM)softwaretosophisticatedthreatintelligencesystemslikeOpenSOC,there’safeelingthattheoptionstoimproveInfoSecvisibilityarebetterthantheyhaveeverbeen.

Ifweweretalkingabouttechnologyonly,Iwouldtendtoagree.OurtoolsandcapabilitiesforcreatingsituationalawarenessaroundITinfrastructureshaveevolvedtoanamazingdegreeovertheyears,andareimprovingallthetime.Theproblemisthatoperationalactivitiesarenotlimitedtotechnologyandinfrastructure.Theyincludeallthemessiercomponentsofpeopleandprocessaswell,thingslikestrategies,policies,relationships,andconflicts.Iftheprimaryvaluewederivefromthesecurityvalueofoperationsislimitedtoourvisibilityintotechnicalsystems,thenwearemissinganenormousamountofinsight,andprobablythoseveryinsightsthatmattermostintermsofwhetherornotour

securitywillbeeffectiveinthelongterm.

WhatIstheSecurityValueofOperations?Tobehighlyreliable,anInfoSecprogramneedstounderstandmorethanjustitstechnologylandscape.Tobehaveinwaysthatwillenabletheorganizationtoexperiencefewerseverefailuresandbouncebackmorequicklyfromthosethatdooccur,securityteamsneedmoreoperationalawarenessthantheyhavetoday.Technologyisonecomponent.Manysecurityprogramsareatleastpartlycorrectintheirassertionthattheyhaveagoodhandleonoperationalawareness.Theproblemtheyfaceisnottheirabilitytoobserveallthethingstheirtoolsandmethodsaredesignedtomonitor,ortointerpretthedata(usuallytechnical)theyarecollecting.Theproblemistheirinabilitytoseethingstheyarenotlookingat,tounderstandtheplaceswherenodataisbeingcollected,andtoknowthedifferencebetweenwhattheythinkishappening(becauseapolicyoratechnologycontrolisinplace,forexample)andwhatisactuallyoccurring“ontheground”(suchaseveryoneignoringthepolicyorfindingwaystocircumventthecontrol).Eliminatingblindspotslikethesebyredefiningthenotionofoperationalvisibilityleveragesandmaximizesthesecurityvalueofoperations.

OperationalPowerWheredoesinformationsecurityexist?Whereisitaccomplished?Doesinformationsecurityhappeninstrategy,asorganizationsdecidehowtobestprotecttheirprogramsandformulateplanstodoso?Doesithappenonthewire,asthebitsrushbyinelectromagneticpulsesofdata?Doesithappenattheinterfacewithadversaries,asthreatscrossfromthetheoreticaltothereal?Theansweristhatinformationsecurityhappensinalloftheseplaces,butnoneofthemcanbeseenascomprehensivelydescribinganorganization’ssecurityposture.Securityisbehavior,adecisionbeingmadeandaresponsetothatdecision.Evenwhenthatdecisionismadebyamachine,itistheresultofahumandecisionbeingmadesomewhereelse,someonedecidingonathresholdorbuildinglogicintoaprogrammaticresponse.Securityoperations,therefore,areinherentlypeople-centric.AndHighlyReliableSecurityPrograms(HRSPs)knowthis.That’swhytheypayallsortsofspecialattentiontothedecisioninterfacesintheirsecurityprograms.That’swherethemagic(blackorwhite)happens.

Decisioninterfacesatthestrategiclevelarelessoperationalthanthosemadeonthefrontlinesofactivity.ACISO’sdecisionthathiscompanyneedstoreducephishingattackscarrieslessoperationalweightthananemployee’sdecisionaboutwhetherornottoclickalinkinane-mail.Powerdynamicstendtobeturnedontheirheadattheoperationallevel,withtheindividualuseroroperatorhavingmoreinfluenceinthemomentthanthemanagersandstrategistsathigherlevelsoftheorganizationalchart.Onepersoncandestroyanentirebusinessif,atthemomentofdecision,thatpersonistheonewiththeirfingeronthewrongbutton.HRSPsaren’tafraidofbeingaccusedofpayingmoreattentiontothetreesthantotheforest.Firesalwaysstartsmall,andHRSPsdon’twanttowaituntilhalftheforestisburningtonoticethesmoke.

SensitivitytoOperationsTheliteratureabouthigh-reliabilityorganizations(HROs)introducedinChapter10identifiessensitivitytooperationsasaprinciple,andHRSPsdotheirbesttobesensitiveaboutwhat’sreallyhappeningwhensecuritydecisionsarebeingmade.TheideaistiedverycloselytotheFORCEvalueoffailure,becauseyoucan’tcatchsmallerrorsandmistakesifyouaren’twatchingforthematthelevelswheresmallfailureshappen.Ifthesecurityprogram’svisibilitykicksinonlywhentheattackerswhohaveinfiltratedyoursystemsforthepastninemonthsstartsuddenlyexfiltratingterabytesofdata,thatisnottheappropriatelevelofdetectedfailure.Andiftherewasnopossiblevisibilityattheleveloftechnologythatcouldhaveidentifiedfailuresbeforethatpoint,itisprobablytimetostartlookingatvisibilityonotherlevels.

HRSPsaremuchmorecomfortablewithuncertaintyandambiguitythanaremoretypicalInfoSecprograms.IntheirbookManagingtheUnexpected,WeickandSutcliffedescribedhowoneofthegreatestinhibitorstooperationalawarenessinHROsisan“engineeringculture”thatprioritizesandfavorscertaintypesofinformationandknowledge,namelythatwhichishard,quantitative,formal,andeasilymeasurable,oversupposedlysofterand“qualitative”informationthatislessreliablebutclosertoeverydayhumanexperience.Thesefindingsarejustasapplicabletoinformationsecurity,andinPartsIandIIofthisbookI’vemadethesamepointregardingthequalitative/quantitativedichotomyininformationsecurityprofessionals.

ForHRSPs,qualitativeversusquantitativeisafalsedichotomy.Havingaccesstoreamsofquantitativedatameansnothingifthosedatadon’ttellyouwhatyouneedtoknow.Andwhatweoftenneedtoknowiswhythingsarehappeninginacertainway,howrelationships,motivations,andassumptionsare

leadingpeopletobehaveliketheydoandtomakethedecisionstheymake.Thesearenotthesortsofinsightsoneisabletogetjustbyanalyzingquantitativedata.Instead,HRSPsseekahybridformofknowledge.Securityprofessionalswhoseetheword“operations”andimmediatelythinktechnologyproductsorSOCs,butfailtoconsiderpeopleandprocessfunctionssuchashowpeoplecommunicateorhowtheyimprovisetoaccommodateconflictingpriorities,missthemajorityoftheoperationalpicture.Technologyvisibilityisimportant,butsoisknowingabouthowpeopleinteractandcommunicateevenwhentechnologyisnotinvolved.Operationsisneverlimitedtowhat’sgoingoninoneparticularareaoftheorganization,suchasthenetwork;itisaboutknowingwhatisgoingoneverywhereintheorganization.

Inadditiontolinkingtechnologyoperationsandotheroperationalfunctions,anHRSPwillexplicitlylinkmorepeople-centricconditionstooperationalawareness.Operationalvisibilityatthelevelofhumanbeingsismorechaoticandlesspredictable,butthatdoesn’tmeanit’sanylessrealintermsoftheorganization’ssecurityposture.Knowingwhatishappeningatthelevelofinterpersonalandorganizationalrelationships,ofpoliticseven,isanotherimportantaspectofoperationalvisibility.Anorganizationrunsonknowledge,andiffullknowledgeisnotsoughtoutorifacertaintypeofknowledgeisdeliberatelyignoredbecauseit’sdifficulttoacquireorcertainstakeholdersfeeluncomfortablegivingitoraskingforit,that’saproblem,becauseitmeanstheenterprisedoesn’thavewhatitneedstomakeafullyinformeddecision.

ExpectationsandRealityHRSPsarealwaysworriedthatthingsarenotgoingasplanned,sotheyconstantlyfeeltheneedtotesttheirassumptions.“Wehaveapolicyofdataclassification?Great.Let’sgofindouthowmuchofourdataisactuallyclassifiedthewaythepolicysaysitshouldbe.”Or,“Theauditorstelluswehavetherightcombinationofperimetercontrols?Excellent.Let’shiresomepenetrationtesterstomakesurethosecontrolscanreallykeeppeopleout.”Or,“Ifwearenothearinganybadnewsfromemployees,isthatbecauseeverythingisperfectorbecauseemployeesfearbeinglabeledatroublemakeriftheypointoutthatsomethingisbroken?”

OnebigdifferentiatorwithHRSPsisthat,whereotherInfoSecprogramsmayviewtheconstantbickeringoverbudgetandresources,thepoliticaljockeyingbetweendivisionsandstakeholders,andthesilosandfiefdomsofeverydaymanagementasintractableproblemsthatcan’tbeovercome,HRSPsviewtheseproblemsasvulnerabilitiestotheorganizationthatareasseriousasanyzero-day

vulnerability.Competingvaluesleftunaddressedandunmanagedonlyservetodemonstratethefragilityandinstabilityoftheorganization’ssecurityposture.Andwhenanattackorincidentputsstressonthatsystem,itfails.

Thesecurityvalueofoperationscomesfromidentifyingsmallfailuresnomatterwheretheyoriginate.Thatincludesthingslikeinterpersonalrelationshipsandorganizationalrivalries,notjustsystemlogsandITdashboards.Warningsignalsarewarningsignals,soHRSPstendtodeploymanymoresensorsacrossamuchwiderspectrumthanjustITorinformationsecuritysystems.Knowingthatpeopleoftensayonethingbutdosomethingelse,HRSPslookbeyondofficialstrategies,formalplans,ordocumentedpolicies.Theywanttoknowhowtheworkofsecurityreallygetsdonearoundtheenterprise.

SecurityOperations“Unplugged”AninformationsecurityoperationsdirectorinonecompanyIworkedwithhadhisownwayoftestingoperationalreality.Walkingaroundthecompany,helikedtolookoutformachineshedidn’trecognize.Itwasadecent-sizedcompany,withalargeIToperationalfootprintacrossmultiplephysicalbuildings,andheregularlycameacrossanomalousboxes,sometimessittinginadatacenter,sometimesrunningunderneathadeskthatnobodyowned,andonceevenoneproppeduponacoupleoftelephonedirectories,sittinglonelyandhumminginthecornerofacommonroom.Whenthedirectorcameacrosssuchamachine,hewouldaskaroundtoseewhoownedit.Ifnoownercouldbeidentified,hewouldseeifthemachinewasregisteredintheITassetinventory,which,bythedirector’sownadmission,wasprettyspotty.Finally,afteradayortwo,ifthedirectorcouldnotfindsomeonetoclaimthedevice,hewouldtakeaction.“Iunplugthem,”hetoldme,“andwaitforthescreamingtostart…”

Thedirectorfiguredhehaddonerealharmonlytwoorthreetimesinthedozensoftimeshehadresortedtohisextremeversionofoperationalreview.Butheremainedunapologetic.“Peoplegetangry,ofcourse,andtrytogetmeintrouble.Butthefactis,wehaveaprocesswetrytofollowforkeepingtrackofoursystems,andwhentheydon’tfollowit,theyputthecompanyatmoreriskthanIevercould.Wehavetoknowwhat’sgoingonunderourownroof.Icantellyouitneverhappenstwicetothesameteam.”

OperationsKeyValueBehaviorsJustaswiththesecurityvalueoffailurediscussedinChapter11,therearekeybehaviorsassociatedwithHRSPsthatmaximizethesecurityvalueofoperations.Thesebehaviorshaveeverythingtodowithtryingtoknowmoreaboutwhatisreallygoingonintheorganizationandtousethatknowledgetohuntforthesmalldiscrepancies,disconnects,anderrorsthatwillslowlygrowintolarge-scalesecurityfailures.Thebehaviorsthatcharacterizethevalueofoperationsinclude

KeepyoureyesopenFormabiggerpicture“Listen”tothesystemTestexpectationsagainstrealityShareoperationalassessments

KeepYourEyesOpenAccordingtotheoldsaying,familiaritybreedscontempt,andanironyofinformationsecurityisthatwecanbecomesoaccustomedtocertainoperationalrealities,evenhighlydysfunctionalones,thatwebegintotakethemforgranted,maybeevenbegintoignorethem.Definingcultureas“thewaywedothingsaroundhere”doesnotguaranteethatwe’realwaysdoingthingswell,orsmart,orsecurely.I’veneverworkedwithasecurityteamthatcouldn’ttellmeatleastonestoryaboutsomethingtheydidthattheythoughtwasill-advisedorevendumb,andthattheyworriedwouldcomebacktobitethem.ThedifferenceinanHRSPisnotthateverythingisalwaysdoneright.HRSPsjustworrymoreaboutwhattheyaredoingwrong,lookforthosesymptoms,andrefusetoallowthemtogountreated.Dysfunction,complacence,andcompetingvaluesmayormaynotresultinadirectthreattoinformationsecurity,butbadbehaviorscreatespaceinwhichthreatscanfindafootholdandcauseproblems.

Howdoesanorganizationkeepitseyesopen?Let’sstartbyaddressingwhataretheorganization’s“eyes.”Howdoesit“see”whatishappeningwithitssecurity?Don’tgethunguponthemetaphor.Asakeyvaluebehavior,keepingyoureyesopenjustmeanstakingadvantageofallthesensorsandinformationinputsavailabletotheenterpriseandthesecurityprogram,andimplementingmorewhentheyareneeded.Onelegacyofthetechnologybranchofthesecurityfamilytreeisthewidevarietyoftoolsandproductsthatcanbeusedtogenerate

informationsecuritydata.Veryfewsecurityproductstodaydon’tincludedataexportcapabilitiesofonekindoranother.IfwethinksimplyintermsofSIEMproducts,anentireindustryoftechnologysystemsisavailabletoprocessandmanagethisdata.Ifanything,theproblemisoneoftoomuchinformation.InfoSecorganizationsprobablycomplainmoreaboutinformationoverloadandtoomucheventdatatomanagethantheydoabouttheavailabilityofsecuritydata.Insomeways,thisistheresultofrelyingtoomuchonasinglesourceofvisibility.It’sasthoughwe’vedecidedthatofalloursenses,onlyoureyesightcounts,butthenweblindourselvesbystaringstraightintothesun.

HRSPsdon’trelyononlyonesensoryinput,nomatterhowsophisticatedordatarichitis.Beingpeople-centricbynature,HRSPsalsotendtobewaryofinformationandsensorsthatareabstractedorremovedfromhumaninvolvement.Thisisnottosaythatautomationisuntrustworthy,butonlythatthere’srarelyanythingthatispurelyautomatic.Eithersomeonehastointerprettheresultsoftheautomatedprocessorsomeonehasbuilttheirowninterpretationofthingsintotheprocessastheyautomatedit.Eitherway,believingthatyouhaveeliminatedhumaninvolvementismisleading.

SoHRSPslookforadditionalsensors,preferablyofthehumanpersuasion.Underthesecircumstances,manynewandinterestingsourcesofdatabecomeavailable,includinggroupmeetings,face-to-faceconversations,andahostofelectronicallymediatedsocialinteractions,fromtelephonesandtelepresencetoe-mailandinstantmessaging.Thesesourcesallbecomepotentialorganizationaltelemetrystreams,alongwiththedocumentswecreate,theperformancemeasuresweassign,andtheresultsofevaluationsandreviews.Manyorganizationstakethesesourcesofcollectivesensemakingforgrantedasmereartifactsofoperations,notsourcesofoperationalinsightthemselves.ForHRSPs,everyoneofthesesourcesbecomesatoolwithwhichtotakeadvantageofthesecurityvalueofoperations.

FormaBiggerPictureInformationoverloadisnottheonlybarrierstandingbetweenanInfoSecprogramandthesecurityvalueofoperations.CISOsandsecurityownersalsofacetherelatedbutopposingproblemof“informationpoverty,”whichhappenswhenanorganization’sinformationorinformationprocessinginfrastructure(notjusttheITinfrastructure)isnotgoodenoughtoget,process,anduseinformationeffectively.Insuchanenvironment,decisionmakingisweakened,starvedofitsmostimportantfuel.Itmayseemcontradictorytosaythatasecurityprogramcouldsimultaneouslysufferfrombothtoomuchinformationandnotenough

information,butifyouthinkaboutthewaysecurityworksthesedays,itactuallymakessense.AsI’vealludedto,wefeastontechnicalandmachine-generatedinformationbutdon’tconsumeenoughdatafromothersources.Theresultisanoperationalbigpicturethatisasnarrowasourinformationaldiet.Thetheoryofinformationpovertywasfirstappliedtoindividualsatasocio-economiclevel,butI’vefounditappliesprettywelltoinformationsecuritytoo.

Weonlyovercomeinformationpovertybydeliberatelyconsumingmorevariedinformationandseekingoutabiggerpictureofoperationalreality.Onedifferencebetweentraditionalnotionsofinformationpoverty,wherepeoplearenotgivenadequateaccesstoinformationresourcesbythestateorthroughtheeffectsofeconomicpoverty,andthenotionasappliedtoinformationsecurityisthatthelattertendstostarveitself.Likekidswhomakeafaceathealthierorunfamiliarfoods,InfoSecprofessionalstendtostickwiththethingsweknowandlike.Butagoodoperationalinformationdietisomnivorous,andthefirstplaceatrulypeople-centricsecurityprogramwilllookistheareaofdata-richinterpersonalrelationshipsthatexistbothwithinthesecurityprogramandbetweensecurityandotherpartsoftheorganization.

HRSPsturnrelationshipsintofeedbacknetworks.Meetingsbecomesensors.Conversationsbecometelemetryfeeds.E-mailsandmeetingminutesbecomelogs.Enterpriseintelligencefromthesesourcesislessaboutthenetworkplaneorendpointactivityandmoreabouttheculturalplaneandpoliticalactivity.Theformermaytellyouwhatyourusersaredoing,butthelatterhelpsyouunderstandwhytheyaredoingit.Dopeopleknowthingsarefailingbutareafraidtosayso?Doestherootofasecurityproblemlienotinanexternaladvancedpersistentthreat(APT)butinthefactthattworivaldirectorshateoneanotherandcovettheirVP’sjob?Bymakingitsbigpicturewiderandlessdependentontechnologyinfrastructure,anHRSPgivesitselfmoreoptionsforoperationalanalysisandresponse.Competingsecurityprioritiesandcultureswillnevercometolightonthebasisofsyslogdata—theformatandcontentofthatinformationsimplydoesnotlenditselftowhatdrivespeopletochoosetheirprojectcompletionbonusovertheirsecurityresponsibilities,touseanexamplefromearlierinthebook.It’slikeexpectingsomeoneinastaffmeetingtotellyouwhoisconnectedtothewirelessnetworkbysniffingtheair.Differentqueriesrequiredifferenttools.

Peopletendtocomplicatethethingstheygetinvolvedin,whichbothbenefitsandchallengesthenotionofabigger,widerpicture.Ithinkengineerspreferconsumingrelativelyuncomplicatedtechnologydatapreciselybecauseitisuncomplicated.It’shardtoarguewithahistogram.Theopinionsandbeliefs

tossedaroundinastaffmeetingaretrickier,andoftentheeasiestwaytodealwiththemistomakeopinionaless-trustedsourceofsecurityoperationalinsight.Weneedtouseboth.

“Listen”totheSystemContinuingtheanalogyofthesenses,HRSPstendtodoabetterjobof“listening”towhattheirsystemsaretryingtotellthem.Theseorganizationsareparticularlytunedtodetectingthesmallhintsandsubtextswithinanoperationalconversationthatprovideevidenceofthingsgoingwrong.Inanyconversation,thereismoretotheprocessthanjustthewordsthatarebeingsaid.Inflectionanddemeanorplayanimportantpartofinterpersonalcommunication,andorganizationshavetheirownversionsofhiddenmeanings,hintdropping,andbodylanguage.

“Well,That’sJustYourHypothesis,Man!”ImagineifwereplacedasinglewordintheInfoSecteam’slexicon,changing“opinion”to“hypothesis.”Wethinkofopinionsasbeingcompletelysubjectiveandrelativelyuntrustworthy.(Myfather,asailor,hadawonderfullycrudeaphorismaboutopinions,invokingcertainbodilyorificesandimplyingparticularodorsthatwouldbeinappropriatetoquotedirectly.)Amatterofopinionisamatterthatcanneverreallyberesolved,atleastuntilonepartychangestheiropinion.Ahypothesis,however,issomethingdifferent.Itisanopinionofsorts,butonethatcanbetested.Indeed,italmostmustbetested,orwhyhypothesizeinthefirstplace?Icomplainregularlythatinformationsecurityisinsufficientlyscientificinitsapproachtothings.So,inthenameofthesecurityvalueofoperations,I’mmakingachallenge.Lettherebenomoreopinions.Thenexttimeyouhearone,consideritahypothesis.Ifyoucan’tconvincethepersonwhoholdsittotestittoyoursatisfaction,thentakeituponyourselftodisproveit—withempiricaldataandrepeatableexperimentation.Wereallyneedtodothismoreofteninourindustry.Atleast,that’smyhypothesis.

OneofthemostcommonapproachesInfoSecprogramstaketowardlisteningtothesystemistheuseofoperationaldashboards.Dashboardsgive(oraresupposedtogive)anorganizationasnapshotintimeofallthemeasuresand

indicatorsthatmattertoit.Dashboardsaremeanttobeautomated,approachingreal-timefeedbackloopsthathelpusmanageagainsttheworkingsofthesystem.Butdashboardsfaceaclassic“garbagein,garbageout”dilemma.Ifyourmetricsandindicatorsarefocusedonthewrongthings,yourdashboardisessentiallyuseless.Itmaybeimpressive,captivatingeven,initssophisticationandbeauty,butitcanlullyouintoafalsesenseofvisibilityandinsight.Therearemanyinformationsecurity–relateddashboardsmarketedontheWebthatshowamazingviewsofthingslikethreatsourcesorvulnerabilitycounts,butmostproviderelativelylittlevaluebeyondimpressivemarketingfortheircreators.

I’macriticofwhatIcalldashboardification,whichisthecreationofmetricsanddashboardsforlittleotherreasonthantheInfoSecprogramfeelsaneedorisrequiredtogivesomeonesomething“operational”tolookat.Ifthesecurityteamhasnotthoughthardaboutwhatitreallywantstoknoworneedstomeasuretoensureeffectiveness,theresulttendstobeahistogrambuiltoutofwhateverdataiscurrentlyavailableormosteasilycollected.Thattendstomeantechnology-basedlogging,whichproducesthemyopicvisibilityIdiscussedintheprevioussection.Theorganizationmaybeabletoseewhenanetworkdeviceorasecurityproductgetsoverwhelmedwithtrafficorevents,forexample,butitwillmisswhenpeoplearehittingtheirlimits,asClarathesoftwaredeveloperfromearlierinthebookdidattheendofherproject.

HRSPsuseoperationaldataofallkinds,fromavarietyofsources,inanattempttomanagewhatisreallygoingonintheirsystemsandnotjustwhatisrepresentedinapolicy,adiagram,oratechnologyproductdashboard.HRSPsdolooktotraditionalsourcesofinformation,fromlogstoSEIMstoSOCs,butsupplementthemwithpeople-centrictoolssuchassentimentanalysisofinternalcommunications,“opendiscussion”sessionsbuiltintoregularmeetingsandperformancereviews,andanonymoussuggestionboxes(physicalordigital)wherepeoplecanbringupproblemstheyfeelareimportantbutmaynotfeelcomfortablesharingpublicly.Ifdashboardsaretobedeveloped,theyshouldbedesignedto

Identifyearlypatternsandsignsofoperationalinstabilityandpotentialfailureforinformationsecurity,regardlessofsource(people,process,ortechnology)GiveactionableintelligenceaboutinformationsecurityoperationalproblemssothattheorganizationcaneffectincrementalchangesIncludecoverageofallsystemsimportanttotheoperationalsuccessofinformationsecurity,notjustthesystemsthatareeasiesttobuild

dashboardsaround

HRSPsareconstantlyworriedaboutwhetherthecomplexoperationalbeasttheyareridingisgettingawayfromthem.Theywanttoknowwhenthingsarebeginningtoslipoutoftheircontrol,andtheywanttheabilitytocallondefinedresourcestobringthingsbackundercontrolquickly.Thismeanskeepingtrackofrequiredlevelsofeffortandcorrelatingthemwithavailabilityofresources.Listeningtothesystemmeansidentifyingwhenpeople,process,andtechnologyoperationsneedmoreorlessmanagementovertimeandbeingpreparedtomeetthatdemandwithaslittledelayanddisruptionaspossible.

TestExpectationsAgainstRealityHRSPstesttheirexpectationsagainstreality,anotherbehaviorthatmaximizesthesecurityvalueofoperations.Theyaskprobingquestionsthatavoidtakingoperationalactivitiesforgranted:Whatistheorganization’srealsecurityposture?Ifapeople,process,ortechnologycontrolistested,willitworkaswellasitdoesonpaper?Whenpeoplearefacedwithinformationsecurityimpactingdecisions,especiallyiftheyhavetojugglecompetingpriorities,willtheychoosesecurity?Andhowcanweknow,empiricallyandwithevidence,theanswertoallthesequestions?HRSPssuspectthatthingsprobablywon’talwaysgoasexpected,andtheyattempttoeitherconfirmordisconfirmthatsuspicion.Thisbehavioralprocessbeginswiththeage-oldneedtodocumentandformalizetheInfoSecprogramitself.Withoutspecificpolicies,standards,guidelines,andalltherestofthebureaucraticstructurethatdefinestheassumptionsthesecurityprogramholds,itisimpossibletoverifywhetherornotthoseassumptionsreflectoperationalreality.Beforeyoucantestyourexpectationsandassumptions,youhavetoknowwhattheyare.HRSPsdon’tlookatdocumentationasjustaformalityorasanecessaryevil,butratherasthecodethatmakesuptheorganizationalOS.Poorlycraftedandpoorlydocumentedcodecancauseproblems,bothforsoftwareandforpeople.

Onceyoudefinewhatyoubelieveishappeningorexpectwillhappen,youcantestagainstthoseexpectations.Ifapolicyexists,youcantestyourexpectationthatitisenforced.Wherestandardshavebeenset,youcangatherevidencethatpeopleandsystemsdoordonotadheretothem.Securityteamsalreadyperformauditsofthiskindagainstcertainexpectations.APCIDSSorSOXauditisatestoftheexpectationthattheorganizationhasmettherequirementsofthoseregulatoryframeworks.Apenetrationtestauditstheexpectationthatnetworksandendpointsareproperlysecuredagainstattack.

HRSPsdonotdothingsfundamentallydifferentlyinthisregard;theysimplydothemmoreoftenandinmoresituations.Thosesituationsincludethepsychological,behavioral,andculturaldimensionsoftheorganization.Weexpect,forexample,thatourdevelopersarecompletingtheirsecuritytestsonthecodetheywrite.Howoftendowechecktomakesurethattheyhaveenoughtimeandresourcestobeabletoaccomplishthosetests?

Resourcesliketime,money,andemployeeallocations(asopposedtotheemployeesthemselves)don’tthink,orexhibit,operationalawareness.Theydon’tgowheretheyareneeded,butwheretheyaredirected.Manyorganizationsundergoannualbudgetprocesscycles,dolingoutcashandheadcountbasedonexperiencesfromthepastorpredictionsaboutthefutureovercontinuouschunksoftime.Feworganizationsreviewandassignresourcesincyclesthatareclosertooperationalrealtime.Theresultcanbescenarios,especiallywhenthesystemisunderduress,wherelackofmoneyandpeoplecanerodetheorganization’sabilitytorespondandreact.HRSPsworktomakeresourceallocationmoreoperationallysensitive,morecapableofflexibleresponse.

Closelyrelatedtotheideaofflexibleresourcestomeetshiftingoperationaldemandistheideaofappropriateresourcecoverage.Itisatacitexpectationthatthesecurityorganizationhasenoughresourcestomanagesecurityfortheentireorganization.Thisbeginswithvisibility.There’snowayInfoSecprogramstaffcanmanagesecurityoperationsatacomprehensiveleveliftheydon’thavesufficientresourcestoseewhatthoseoperationsentail.Thingswillbeignored,notoutofnegligence,butoutofnecessity.Naturally,noonegetseverythingtheywant,andsecurityisnottheonlyorganizationalfunctionfacingresourcescarcity.Butmanyinformationsecurityownersfeelasifgettingbloodfromstonesisonlyslightlyharderthangettingheadcountormoneyfromseniormanagement.

ExceptionstotheRulesIhaveseenthesecurityvalueofoperationsembracedinsomecompanieswhilegoingunrealizedandunrecognizedinmanyothers.Whenorganizationsreallycapturethatvalueandunderstandtheiroperations,itcanliftasecurityprofessional’sheart.Whentheydon’t,thinkingabouttheramificationscanscarethehelloutofthatsameprofessional.

AlthoughI’venotcomeacrossmanyHRSPsintheindustry,Ihaveencounteredafew.OneofthebestthatIconsultedforfunctionedinahighlyreliableway,notbecausetheCISOwasabusinessculturewonkor

hadadegreeinorganizationalbehavior.Infact,hewasn’tevenaCISO.TheCIOwasresponsibleforinformationsecurityinthisorganization,andhehadasmallteamwithwhichtomanagethechallenges.Healsohadasimple,drivingprinciplethatinformedeverythinghedidandeverygoalthathesetforhisteam,whethertheyhaddirectsecurityresponsibilitiesornot.

“Iwantmypeopletogohomeatnightandbewiththeirfamilies,”hetoldmeduringtheengagement.“Idon’tbelieveinthewholefirefighterthing.Youfindpeoplewhotakeprideinalwayshavingtorespondtocrises,whowillputin20hoursstraightandwearitlikesomebadgeofaccomplishment.ButIthinkifyouhadtospend20hoursstraightfixingsomethingthatwentwrong,that’snotsomethingtobeproudof.”

ThisCIOhadimplementedacomprehensive,cascadingbalancedscorecardperformancesystemthatreachedfromhimselfallthewaydowntoeachindividualcontributor.ThesecuritystaffhadindividualbalancedscorecardsjustlikeeveryoneelseresponsibleforIT’scontributiontothebusiness,andthecompanymanagedthosescorecardsreligiously.Thesystemdidn’tpreventthingsfromevergoingwrong,butitkeptproblemsmanageablebyidentifyingproblemtrendsearlyinthefailurecycleandgavetheCIOvisibilityandchoicebeforethingscouldgoofftherails.

AttheotherendofthespectrumwasacompanyIworkedwithyearsago.Onpaper,thisfirmhadacomprehensivesetofconfigurationstandardsthatwerebothstrictandhighlysecure.Everythinghadtobehardenedbeforeitcouldbedeployed.Thingswerelockeddownsotightly,infact,thatsomeinternalgroupsoftencomplainedthatsecurityrestrictedsomebasicbusinessfunctionality.Inawell-intentionedefforttoaccommodatedifferentbusinessneeds,anexceptionprocesshadbeencreated,onethatallowedITteamswithalegitimatebusinessneedtoalterorignoretherequiredconfigurations.BythetimeImettheCISO,thisprocesshadbeeninplaceforyears.Theengagementrevealed,amongotherthings,thatovertimethecriteriaforgettinganexceptionhadslackenedconsiderably,tothepointwhereithadbecometrivial.Asaresult,overtwo-thirdsofthesystemsrevieweddidnotmeettheconfigurationstandards.Yearsofoperationalmyopiahadcreatedastateinwhichtheexceptionwasliterallythenorm,andthestandardsthatthecompanyexpectedtobeinplacewere,inreality,outliers.

ShareOperationalAssessments

Thefinalkeyvaluebehaviorforoperationsdoesn’trequirethatanInfoSecprogrambuildanythingnewordevoteresourcestoadditionalcapabilities,atleastnotatfirst.Allthatisneededisanexistingsetofoperationalassessmentsregardingsecuritywithintheorganizationandanopenmind.Yet,withsofewrequirements,thisbehaviormaybeoneofthehardesttoencouragewithininformationsecurity.Thereareatleasttworeasonsthatitisdifficult.Thefirstisthatsecurityprogramshatetoshare,andthesecondisthatwhatsecurityprogramsdoshareisoftennotsomethingotherswant.

InfoSecprogramsknowhowtoreportinformation,andmostdoitregularlyinsomeway,shape,orform.Butreportingisnotthesamethingassharing.Toreportimpliesthatinformationisbeingrequiredordemandedofthesecurityprogram,thatthepurposeisforaccountabilityandoversight.Sharinginformationisamorevoluntaryactivity,performedoutofmotivationshavingmoretodowithcollaborationandasenseofcommonpurpose.ForHRSPs,oneofthefirstbarriersthathasbeenovercomeintheprocessissecurity’snaturalinstinctofparanoiaandmistrust.

HRSPsshareoperationalinformationandassessments,includinginformationaboutproblemsandfailures,becausetheywantfeedbackontheiractivities,notbecausetheyareforcedtoreceiveit.Andtheywantthatfeedbackfromavarietyofsources,notjustfromthosewhocanobviouslybenefittheHRSPthroughbudgetaryorresourcecontrol.Users,otherbusinessprocessowners,partners,andcustomersareallvaluablesourcesofinformationthatcanhelpthesecurityprogramunderstandwhereaproblemorinsufficientoperationalvisibilityisincreasingsecurityrisk.Thisknowledgeseekingrequiressecurityteamstoacceptthatotherstakeholdersmaynotfeelthesamelevelofurgencyastheydo,andtobewillingtoacceptcriticismandskepticismaboutthesecurityteam’soperationalplansandactivities.Invitingotherpeopletocriticizeyourhardworkisdifficultforeveryone(trustme,asanauthor,Iknowfirsthand),butitisalsotheonlywaytomakethatworkbetter.

Amoredifficultproblemtosolveinsharingoperationalassessmentsinvolvesthequalityofthoseassessments.IftheInfoSecprogramdoesnotdomanyoperationalassessments,ordoesnotdothemwellorinawaythatiscomprehensibletothoseoutsideofsecurity,thensharingthoseassessmentscanbeabitofanonstarter.Thisisaprobleminsecurityinformationreporting,too.Iamoftenaskedtohelponthesecuritymetricssidebyassistingasecurityteamindevelopingbetterperformanceindicatorsandprogrammeasurestopresenttoseniormanagementaspartofrequiredreporting.Toooften,thesecurityteamstrugglestoshowprogress,ortolobbyformoreresources,oreventostimulate

theinterestofseniorenterpriseleaders,becausetheiroperationalassessmentsareeitherincompleteorinscrutabletoseniorbusinessowners.Forsecurityprogramswithinadequateassessmentcapabilities,thisbecomestheexceptiontomyearlierstatementthatthiskeyvaluebehaviordoesn’trequiredoinganythingnew.Toeffectivelyshareinformation,youhavetomakethatinformationaccessibletoothers,bothphysicallyandfunctionally.Thegoodnewsisthatsharingevenbadassessmentscanbeuseful.Ifthepeoplefromwhomyouareaskingfeedbacktellyoutheycan’tgiveanybecausetheydon’tunderstandyourassessmentsoraren’tinterestedintheinformationpresented,youareimmediatelyprovidedsomeusefulinformationthatleadstotheseobviousquestions:HowcanIhelpyouunderstandthembetter?WhatdoyoucareaboutthatIcanprovide?

DenialAin’tJustaRiver…OneofthemoreinterestingengagementsI’vebeenoninvolvedaside-by-sidetestofoperationalvisibilityandreality.Althoughwedidn’tintenditthatway,Ifoundthatmyteamwasinvolvedwithahigh-levelgovernanceandcontrolsassessmentatthesametimethatapenetrationtestingteamwasdoingtheirassessmentofthecustomercompany.Wewereallstayingatthesamehotelandhangingouttogetherafterworkeachdayand,naturally,webegantotalkshop.Afterafewdaysofonsitework,ImentionedtooneofthesecurityengineersdoingtheethicalhackingthatIwasprettyimpressedwithhowwellthecompanymanageditssecurity.Inparticular,Iwasstruckbyhowstringentlytheycompartmentalizedthingsbothatthelevelofinformationclassificationandatthelevelofnetworksegmentation.“Areyoukidding?”theengineersmiled.“Theirnetworkmightaswellbeflat!Wecangoanywhere.”

Aswestartedtradingnotes,realitysetin.Onpaper,thecompany’ssecurityinfrastructurelookedrocksolid.Policiesdefinedacceptableactivity,standardscontrolledwhocouldputwhatwhereandhowtheycoulddoit,andguidelinesencouragedeveryonetomakedecisionsthatbenefitedtheprotectionoforganizationalassets.Inpractice,thesecuritythecompanywassoproudofessentiallyonlyexistedonpaper.ITwasruninsilos,ruleswerenotuniformlyenforced,andthebusinessputmoreemphasisonfunctionalitythansecurity.Likethecompanymentionedearlierthathadexcessiveexceptionprocesses,thiscompanyhadallowedimportantoperationalgapstodevelop.Moreimportantly,everyoneinthegovernance

interviewseitherassumedthattheinfrastructurewasworkingjustasitwassupposedto,orknewitwasnotandchosenottosaysoforreasonsoftheirown.

Whenitcametimetoreportthefindings,someofthemanagementteamrefusedtoacceptthem.“Youfoundisolatedproblems,”theycountered.“Everyorganizationhasafewproblems.”Operationalblindspotsweresopronouncedthatevenwhenfacedwithevidence,theseindividualsfoundthemimpossibletoreconcilewiththeirassumptions.Thealternativewasjusttoodisturbingandhumiliatingtoendure,inessenceanadmissionthatforyearsthesecurityteamhadnotbeendoingitsjobaswellasitbelieveditwas.

AssessingYourOperationsValueBehaviorsLikethesecurityvalueoffailure,discussedinChapter11,thesecurityvalueofoperationsandtheotherSecurityFORCEvaluescanbeassessedandmeasuredusingtheSecurityFORCEdiagnostictoolsthatIhavecreated.TheSecurityFORCESurveyandtheSecurityFORCEMetricsprovideempiricalevidenceofhowprevalentandextensivetheFORCEbehaviorsarewithinanorganizationandhowcloselytheorganizationisadheringtotheprinciplesofanHRSP.

ScoringtheOperationsValueBehaviorSurveyTheSecurityFORCESurveyincludesstatementsrelatedtothesecurityvalueofoperations.ThefivestatementsunderSecurityValueofOperationsarelistedinthesampleoftheSecurityFORCESurveyshowninFigure12-1.

Figure12-1FORCEValueSurveystatementsforoperationsvaluebehaviors

RememberfromChapter11thattheSecurityFORCESurveyusesaLikertscalewitharangeofresponses(“StronglyDisagree”to“StronglyAgree”)thatallowsthoseconductingthesurveytoassignnumericalscores,suchas1through5,tothesurveyresponsesandproduceaveragelevelsofagreementamongallsurveyparticipants:


Foroperationsvaluebehaviors,anaveragescoreof4orgreaterindicatesthat

theorganizationbehavesinwaysthatwillmakeitbetterequippedtounderstandhowthingsreallyworkwithinthesecurityenvironment,andtoidentifyerrorsandoperationalpatternsthatcouldresultinafailure.Thisincreasedoperationalsensitivitynotonlymakesitmorelikelythattheorganizationwillbeabletodetectsmallfailureswhiletheyremainsmall,butalsomakesiteasierfortheorganizationtodetectthem.Ascoreof2orbelowindicatesthattheorganizationisnotbehavinglikeanHRSP,andthereforemaylackoperationalvisibility,maymistakewhatisexpectedorassumedforwhatisactuallyoccurringoperationally,andmaybeslowertorespondtofailuresandeventsthanwouldamorehighlyreliableprogram.

FORCEValueMetricsforOperationsInadditiontousingtheassessmentscoresoftheSecurityFORCESurveytogaugethesecurityvalueofoperations,anorganizationcantracktheSecurityFORCEMetricsassociatedwithoperationstoprovideadditionalmeasuresofHRSPbehavioralalignment.ThesefivemetricsareshowninFigure12-2.

Figure12-2FORCEValueMetricsforoperationsvaluebehaviors

UsingtheFORCEOperationsValueMetricsThefiveFORCEMetricsassociatedwiththevalueofoperationstracktheorganization’scapabilitiesforimprovedvisibilityintoabroaderrangeofoperationalinformationsecuritybehaviors,andforidentifyingdiscrepanciesbetweenwhatisexpectedoperationallywithintheInfoSecprogramandwhatisactuallytakingplacewithinorganizationalsystemsandprocesses.AswiththeotherFORCEMetrics,thereisno“right”waytomeasureandthemeasuresIhavecreated,includingsuggestedtimeintervals,arenotexhaustive.Theorganizationshouldusethemandadaptthemasappropriate.

Levelofsecuritystaffcoveragefortheorganization(sizeofprogram,breadthofresponsibility,systemsmanaged,etc.)I’veknownbigcompaniesthathadlarge,centralizedInfoSecteamswhowereresponsibleforeveryaspectofprotectingsystemsanddatathroughouttheorganization.I’veknownothersofcomparablesizewherethesecurityteamwastwoorthreepeople.Everyorganizationmustdecideforitselfthebeststructurefororganizinginformationsecurity,buttheoperationalfactisthatfewerpeoplecannotobserve,explore,ortestasmuchaslargerteams,assumingenterprisesofequalsize.Automationcanhelp,butforreasonsIdiscussedearlierinthechapter,automatedsecurityoperationscarrytheirownvisibilityrisks.Thismetricisnotprescriptive,anddoesnotimplyamagicnumberforeffectivesecuritystaffing.Butitcanhelpanorganizationunderstandwhyoperationalvisibilitymaybelacking.Likeanythingelse,informationsecurityissomethingofanumbersgame,andyoucanonlydosomuchmorewithsomuchlessforsolong.

NumberofsecurityoperationsreviewscompletedinthepastyearThismetricdoesnotrefertodetailedoperationalreporting,butrathertooverallreviewsofInfoSecoperationaleffectiveness.SeveralrespectedInfoSecgovernanceframeworks,includingISO27001,requireregularandcomprehensivereviewsofthesecurityprogramasabestpracticeforinformationsecuritymanagement.Organizationscollectalotoftacticaldataeveryday,butitisnecessarysometimestoconsiderallofthisfromastrategicperspective.Isthedatagivinguswhatweneed,intermsofvisibilityandintermsofactionableintelligenceorpredictiveevidence?HowcanwemakeInfoSecoperationsbetter,orimproveandexpandsourcesofvisibility?Mostorganizationstendtodothissortofreviewannually,althoughinlargeorganizationscomprehensivereviewsmaybebrokendownintocomponentsorcapabilitiesandconductedonaquarterlyor(morerarely)amonthlybasis.

RatioofformallydocumentedsecurityoperationsorprocessesIfmanagingsomethingyoudon’tmeasureisachallenge,measuringsomethingyouhaven’tdefinedisanevengreaterone.Thosefamiliarwiththeconceptofcapabilitiesmaturitymodelswillrecognizethebenefitsofformalizingandstandardizingprocessesandoperationswithinanenterprise.Alackofformal,documentedprocessesmakesitdifficulttoreplicatebehaviorsandshareortransferknowledge.Italsomakesaccurateoperationalvisibilityandcomparisonbetweenwhatshouldhappenandwhatdoeshappennearlyimpossible.Lowratiosofdocumentedprocessesindicatepotentialblindspots,spaceswherefailurescanoccurandgrowlargerwithoutanyonenoticing.Byidentifyingalltheprocessesassociatedwithinformationsecurityoperationsandidentifyingwhicharewrittendown,anorganizationcanbegintodeterminehowformalized(and,byextension,howmature)theirsecurityprogramis.

RatioofsecurityoperationalassessmentssharedoutsidethesecuritygroupMeasuringhowoftentheInfoSecprogramsharesoperationalassessmentswithoutsidersissimilartomeasuringhowtheysharefailuredata.Thegoalistoelicitvaluablefeedbackandinsightfromotherswhomayhaveotherneeds,priorities,orconcerns.Sharingsensitiveoperationaldataaboutsecuritydoesnotrequiretotaltransparency.Butorganizationsthatseekahigherlevelofreliabilitywillwelcomefeedbackfrominterestedadvisorselsewhereintheenterprise(andmaybeevenoutsideofit,incertaincases),andtheywilltrackhowoftenthissharingandelicitationoffeedbacktakesplaceandinwhatcontexts.

AveragetimetoaddressoperationalinstabilitiesWhenanorganizationfindsadisconnectbetweenwhatitthinksishappeningintermsofinformationsecurityandwhatisoccurringoperationallyeveryday,ithasseveralchoicesofresponse.Oneistodonothing,forwhateverreasonseemsmostlogical.Maybetheproblemseemssmall,ormaybeeveryonealreadyknowsaboutit.Maybechangerequirespoliticalorseniormanagementsupportthatsimplydoesn’texist.Anotheroptionistotakeactiontoaddressthediscrepancy.Ineithercase,understandinghowlongthisprocesstakescanbevaluabletotheInfoSecprogramandtootherstakeholders.Improvingvisibilityprovideslessreturnonthesecurityvalueofoperationsiftheaveragetimetofixproblemstheorganizationmightfindapproachesforever.Insituationswhereoperationalinstabilitiesandproblemsareaddressed,thenthetimenecessarytoaddressthembecomesanotherusefulInfoSecoperationsmetrictoaddtothesecurityprogram’stoolkit.

ImprovingYourOperationsValueBehaviorsAttemptingtochangeandimproveanorganization’soperationalbehaviortofunctionmorelikeanHRSPislikelytomeetquiteabitofresistance.It’sonethingtopointoutthatweneedanewwaytolookatfailure.Idon’tgetalotofargumentamongsecuritypeoplewhenIproposethatweneedabetterunderstandingofhowandwhysecurityfails.It’sanotherthingtosuggestingtinkeringwithoperations.Securityoperationsnotonlyencompassthesinglebiggestsetofregularhabitsthatsecurityprogramshavebuiltupovertime,theyareprobablythelargestcollectionofactivitiesthatweactuallyfeelcomfortablewith,thatwefeellikewehaveasolidlockonaccomplishing.Decadesoflearningthegear,ofbuildingtechnologyinfrastructure,andofsettingupaparticularwayofauditingandevaluatingsuccesshavemadethesecurityoperationscenter,whetherthatisanactualphysicalplaceornot,intothebastiontowhichthesecurityprogramcanalwaysretreatwhentheywanttofeelliketheyareonsolid,defensiblefooting.NowcomesthisFabergeeggheadwritingabookaboutsomethingasfuzzyandmutableasculture,tellingeveryonetheyneedtochangebecauseit’snotabouttechnology,it’saboutpeople.Meh.

So,let’ssettherecordstraight.Thesecurityvalueofoperationsisnotaboutdoingoperationsdifferently.It’saboutexpandingwhatoperationsmeansandextendingourvisibilityandmanagementpracticestootheroperationalareas,specificallybeyondtechnology.Thepurposeofoperationalvisibilityistoknowwhatishappeninginsecurityasclosetowhenithappensaspossible,andtobeabletoreacttoandactuponthatintelligenceeffectivelyandefficiently.AsI’vesaidbefore,ifsecuritywasaseasyasinstallingaproductintoarack,thenwewouldhaveautomatedtheproblemsoutofexistencelongago.Weknowthis,andwe’veadmitteditpubliclyasanindustryatleastsinceBruceSchneiercoinedthephrase15yearsagothatsecurityislessaproductthanaprocess.Partofthatprocessishumanrelationships,andit’sabouttimeweaddedtheoutputofpeople-centricsecurityinfrastructurestoouroperationalmonitoringtoolbox.

EmbedOperationsValueintotheSecurityProgramPeoplehaveanextraordinarycapacitytoadaptandchange.Allittakesisanenvironment,asituation,oraleaderthatsnapsthemoutofcomplacencyanddemandschange.Sometimestheimpetusforchangeispainfulandthreatening,butnoteverytriggerhastobealiteralone.Thesecurityvalueofoperationscancreateaspaceinwhichinformationsecuritycanthriveandcontributetothe

greaterorganizationinwaysthatmostCISOstodayonlydreamof.Therearefewthingsmoreimpressivethansomeonewhohasacompletecommandofthesituationtheyarein,whocandirectactionwhilereassuringothers,successfullyovertime,withtheconfidencethatonlycomesfromabsolutelyknowingtheirstuff.Weglorifythistraitinourleaders,fromgeneralsandscientiststoCEOsandpoliticians.Youcanfakeitsometimes,butnotalwaysandnotforever.Thesecurityvalueofoperationsmeansdrivingthatcapabilityhomeforsecurityleadersbygivingthemthebehavioralresourcesthatcreatesecurityconfidence.

ThinkMoreLikeScientistsOneofthemostimportantdistinctionsthatI,asanon-engineer,havediscoveredinmyinformationsecuritycareeristhatengineersarenotscientists.Foralongtime,untilIwentbacktograduateschooltobecomeaninformationscientist,Iassumedengineeringandthesciencesweremoreorlesssynonymous.Theyarenot.Engineerstakethetheoriesofscienceandputthemtopracticalpurpose.Scientistsdiscover,butengineersbuild.Securityhasmanyengineers,butnotnearlyenoughscientists.Scientistsareinherentlycurious,andnotjustabouthowthingswork.Theywanttoknowwhytheyworkthewaytheydo,tofindthefirstprinciplesthatcannotnecessarilybediscoveredsimplybytakingapartasystem’scomponents.Theory,hypothesis,experimentation,andcontrolgroups(asopposedtosecuritycontrols)areallhallmarksofscientificthinking.TheyarealsothesubjectsmostlikelytomakemelosemyaudiencewhenIstarttalkingaboutthemtoagroupofsecurityengineers.AsIstatedinthesidebarabouthypotheses,weneedtostartencouragingthemmuchmoreintheinformationsecurityprofession.

Embracethe“SharingEconomy”Informationsharingisalreadyabigdealatthemacrolevelinsecurity,withindustryandgovernmentinvolvedintryingtostimulatebettercollaborationbetweenorganizations.Weneedtopushsharingfurther,downtotheinternalandevenindividuallevel.Notallsecurityinformationshouldbemadeopenlyavailabletoeveryone,buttodaysecurityisoftenmoreabouthoardingthansharing.Paranoia,legitimateconcernsovervulnerabilityintelligence,andplainold-fashionedCYAkeepssecurityinformationunderwraps.Theeffectsrangefromallowingsecurityprogramstoliveinanechochamberwherenon-securityopinionsarerarelyheard,toactivelyhidingoperationalinformationtheorganizationneeds.Thesharingeconomyworksontheideathatmakinggoods

andservicesmorefreelyavailableactuallyincreasestheirvalue.Todaythat’smostvisiblyperformedintheworldofconsumergoodsandservices,aswithAirbnb,Craigslist,andeBay.Butinroadsarealreadybeingmadeinapplyingtheideatoinformation.Insomecases,liketheopensourcecommunity,theeffortshavebeengoingonforsometime,includingeffortsaroundsecurity.Otherareas,likeopengovernment,arenewbutexemplifytheprinciplethathavingmoreeyeballsfocusedonaproblemisoftenbetter.

LightenUpaBitTheInfoSecprofessiontakesitselfprettyseriouslysometimes,maybetooseriously.Evenifthecybersecuritythreatreallyisoneofthegreatestfacingtheworldtoday,it’sonlyone.Majorimprovementsininformationsecuritycouldbeachievedifsecuritypeoplewouldrealize—andhelptheirnon-securitycolleaguesandconstituentsrealize—thatit’samanageablethreat,oratleastasmanageableasmanyothersfacingsociety.Threatstodigitalassetsarenomoreapocalypticthanthreatslikedisease,crime,orwar,allofwhichwehavetofacerealisticallyandrationallyifwehopetoaddressthem.Thatdoesnotmeandownplayingtheirimpact,butitalsomeansputtingthemintoperspective.Peopleandenterprisescantakesecurityseriouslywithoutbeingconsumedbyit.Thereisnogreaterthreattoacompany’ssecurityposturethantheproblemsomeoneknowsaboutbutistoointimidated,eitherbyfearofconsequenceorlackofknowledge,tobringtotheattentionofthepeoplewhocanaddressit.

FurtherReadingBritz,JohannesJ.“ToKnoworNottoKnow:AMoralReflectiononInformationPoverty.”JournalofInformationScience30(2004):192–204.MacDonald,Jackie,PeterBath,andAndrewBooth.“InformationOverloadandInformationPoverty:ChallengesforHealthcareServicesManagers?”JournalofDocumentation67(2011):238–263.Schneier,Bruce.SecretsandLies:DigitalSecurityinaNetworkedWorld.Wiley:Indianapolis,2000.

S

CHAPTER13

TheSecurityValueofResilience

upposeyourorganizationhasmaximizedthefirsttwokeyvaluesoftheSecurityFORCEBehavioralModel,failureandoperations,discussedinChapters11and12,respectively.Youhavesetuptherequisiteoperationalbehaviorsandvisibilitytoensureyoucandetecterrorsandmistakes.Andyouhaverebootedyourunderstandingoffailureitself,becomingadeptatidentifyingfailureswhiletheyarestillsmall.Whatcomesnext?That’seasy:you’regoingtoexperienceasecurityincident.Failureislikedisease,likesadness,likepain.Nomatterhowgoodyouareatanticipatingandavoidingfailure,everyonefailseventually.Highlyreliablesecurityprograms(HRSPs)arenodifferent.Theytendtohavebettertrackrecordsthanotherorganizationsatavoidingfailures,butourlessonsfromfirefightingtoFukushimademonstratethatbeingfailureresistantisnotthesameasbeingfoolproof.Buthigh-reliabilityorganizations(HROs)andHRSPsalreadyknowthis,whichiswhytheythinkalotaboutwhattheywilldowhendisasterfinallystrikes.Theyembracethesecurityvalueofresilience.

WhatIstheSecurityValueofResilience?ResiliencereferstoanInfoSecprogram’sabilitytoexperienceamajorsecurityincidentinsuchawaythattheorganizationnotonlysurvivesitbutcomesawaybetteroffforithavinghappened.Theexperiencewillstillbestressfulandwillstillrepresentanonoptimaloutcomeforeveryoneinvolved.Butitwillbehandledexpertlyandprofessionally,inawaythatmaximizesstabilityduringthe

eventandminimizesdisruption.Andwhenit’sover,theorganizationwillhaveabetterunderstandingofwhathappenedandwhy,insightthatitwillputtousethenexttimesomethingcompletelyunexpectedhappens.Thisisthesecurityvalueofresilience.

WhenBadThingsHappen(toGoodOrganizations)Evenastheyseekoutsmallfailuresthatcanadduptoabigone,HRSPsknowtheywillmissafew.Theorganizationalandtechnologicalsystemsweworkwithinarejusttoocomplextoevercompletelypredictorcontrol.Andevenifwesomehowmanagetoknoweverythingforamoment,complexsystemsproduceemergentbehaviorsthatcontinuouslythrownewsourcesofuncertaintyandriskintothepot.Youcannotpredicteverypossiblethreatandrisk,butyoucanpredictthattherearethreatsandrisksthatyoucannotpredict.Eventuallyyourorganizationisgoingtoencounterone.

HRSPsspendalotoftimeobsessingoverfailure,asIhaveexplainedpreviously.Buttheydon’twastetimeobsessingovertheinevitabilityoffailure.Instead,theytrytoanticipatewhattheycanandtheyconsiderwhattheywilldointhoseinstanceswhenanticipationitselffails.Atthatpoint,it’sadifferentballgamewithdifferentrules.There’snotimeforsoulsearchingabouthowsomethingcouldhavebeenprevented.Allthatmattersisactionandwhathappenstoaddressthesituation.Insomeways,resilienceisthemostimportantprincipleofHROs.InthepreviouschaptersI’vereferencedKarlWeickandKathleenSutcliffe’sbookManagingtheUnexpectedseveraltimes.Theirchoiceoftitleisareflectionoftheinevitabilityofsurpriseeveninorganizationsdedicatedtonotbeingcaughtoffguard.

Thereisafreedominacceptingtheinevitable.WhenanHRSP,andnecessarilythelargerenterprise,sincerelyinternalizestheexpectationofasecuritybreach,peopleareliberatedfromtheterribleconstraintsimposedbypretendingtheycandodgesecuritybreachesforever.Themostimportantbenefitofthisnewfreedomistheabilitytoputseriousthoughtandresourcesintowhathappensduringandaftertheincident.Suddenlyincidentresponseanddisasterrecoverplanningcantakeonawholenewmeaning,notascontingencyplanningfornightmaresyouferventlyhopeneverhappen,butasthesyllabusforanothercourseinthatmostvaluableofHRSPeducationalresources:failure.

IncidentResponse:We’reDoingItWrong

Informationsecurity’sapproachtoincidentresponseplanningoftenremindsmeofthewaypeoplegoaboutpreparingtheirownlivingwill.Someorganizationsavoiddoingitaltogetherbecauseitremindsthemoftheirownmortality.Othersdoitbutwithoutemotionalinvestment,treatingitasalegalandbureaucraticexercisethatisnecessaryoutofasenseoffearorduediligence.Rarelydoyoufindsomeonepreparingtheirlivingwillwithasenseofwonderandanticipation,seeingthedocumentasthemeanstoensuretheycanmeetauniversalexperienceontheirownterms.Organizationsarenotverydifferent,inmyexperience.

HROresearchhasalwaysappealedtomebecausescholarslikeKarlWeickunapologeticallyevokeanalmostspiritualsensibilityonthepartoforganizationsthatknowhowtofailproperly.ForHRSPs,informationsecurityincidentsareimportantexperiencesbecausetheyhelpdefineandbuildthecharacteroftheorganization.Youdon’twanttoomanyofthem,butwhenyouhaveone,youwanttosqueezeasmuchvaluefromitasyoupossiblycan.Fromtheself-helpaisleofbookstorestotheboardroomsofSiliconValley,dealingwithadversityandfailureistoutedasanimportantlifelesson.There’sevenanethicalandmoralqualitytobeconsidered,becauseifanorganization’sfailureisgoingtoputpeopleatriskorunderduress,thatorganizationhasaresponsibilitytomakethateventcountforsomething.

Ifthatperspectivehasthemorehardcorebusinesstypesrollingtheireyesover“soft”conceptslikecorporatesocialresponsibility,Igetit.Let’sinsteadthinkaboutincidentresponseincolder,morerationalterms.Noteventhemostcynicalsecurityownerwouldarguethatcorporatereputationandbrandvaluearemeaninglessconcepts,untetheredfromanymeasureofbusinesssuccess.Securityincidentsrankamongtheraretimesthatanorganizationisgivenmasspublicattention.Peoplearefrightenedandangryandlookingtounderstandwhatareyougoingtodoaboutthis?Nowconsiderthehandlingofrecentlarge-scalesecurityevents.Didtheresponseservetohelporharmthereputationsofthecompaniesinvolved?Thesecurityincidentresponseplan,inmanyways,isamongthemostimportantmarketingcampaignsanorganizationwilleverdo.Ifit’slittlemorethanarootcauseanalysisandaseverancepackagefortheCISO,that’sakintoanchoringyournewproductlauncharoundtheannouncementthatyou’vefinallyfiguredoutwhyyourlastproducttankedsobadly.

RollingwiththePunchesThesecurityvalueofresilienceisaboutfailingsuccessfully.Amajorinformationsecuritybreachcanspawnavarietyofresponses,fromparalysistoproactivity.Thinkoftwoboxers.Thefirstispoorlytrainedandhasa“glassjaw.”Onegoodpunchandheisonthecanvas,strugglingtogetbackupagain.Itmaybeawhilebeforeheisreadytogetbackinthering,andhehasprobablynotlearnedmanynewskillsafterbeingknockedoutsoquickly.Thesecondfighteriswelltrainedandconditionedfromalotofsparringroundstotakeahit.Heappearstobeabletoweatheranimpossiblybrutalamountofabuse,butneverseemstogodown.Evenontheropes,hekeepshiswits,lookingforhowhe’sgoingtoescapeandbringthefightbacktohisopponent.Evenifhelosesbydecisionortechnicalknockout,heisreadytofightagainsoonandisabletousethelessonsfromaten-roundcontesttobecomeabetterboxer.

OnekeytoHRSPresilienceistheattitudethatasecurityfailureisjustthebeginningofthefight,nottheendofit.Abreachdoesn’tmeanthattheorganizationhasfailedcompletely,onlythatithasenteredintoanewphaseofinformationsecurityoperations,onethatwasalwaysexpectedtohappen.Focusshiftsfromtryingtopredictandpreventtoworkingtorespondandrecover.Theserepresentseparateskillsetsandrequirethesecurityteamtoquicklyshifttheirstrategiesandtactics;thefirstimperativeistonotlettheincidenteclipseeverythingelsetheInfoSecprogramisresponsiblefor.Iftheresponseisallhandsondeck,thenwhoislefttosteertheshiportakecareofanyoftheday-to-daytasksofrunningit?Theentireorganizationcanbecomedisabled.Worse,thepanicthatensuescreatesnewspacesforadditionalfailurestomanifestunnoticed.

Informationsecurityplanningandlifecyclesdon’tstopjustbecauseyourplansgoawry.HRSPstakeadvantageofthevalueofresiliencebyremainingcalm,byfallingbackontheirtraining,bybringinginadditionalresources,andbystickingtotheplantheymadeaheadoftimeforwhattodowhenotherplansfail.WeickandSutcliffeaptlycalledittheabilityto“degradegracefully.”Resilienceis,ultimately,aboutcontrol.AnHRSPhasthecapabilitiesinplacetoassurethatevenwhencontrolislost,theorganizationstillmaintainssomeabilitytoinfluenceanddeterminethepaceandtenorofthatprocess.Inotherwords,resilientsecurityprogramshaveworkedtoensurethattheycanatleastcontrolhowtheylosecontrol.

ImaginingFailuresandDisasters

Noorganizationcandevelopitscapabilitiesforresiliencebyfiat.Justdeclaringinamemorandumoraroadmapthattheorganizationwillberesilientdoesnotmakeithappen.LikeeveryotherSecurityFORCEvalue,thegainstobehadfromthesecurityvalueofresilienceonlycomeafteralotofdetermined,hardwork.Inthiscase,muchofthathardworkinvolvesthesecurityteamenvisioningallthethingsthatcangowrongandthevariouswaysinwhichtheycangowrong.Asmuchasanyotherskill,fromcodingtotestingtoadministration,anactiveimaginationisoneofthebestattributestolookforinagoodincidentresponsemanager.AnHRSPusesitscollectiveimaginationtocreateacatalogofpotentialincidents,events,andbreaches.Insteadofestablishingasingle,genericincidentresponseplan,HRSPsadoptascenario-basedmodel,onethatconsidersasmanywaysthatthingscangowrongaspossibleandadaptstheincidentresponsestrategytoeachscenarioasappropriateandpossiblegiventheinformationathand.

Imaginingthethingsthatarelikelytoharmyoucanfeelperverse,evenpathological.ButanHRSPdoesnotimaginedisasteroutofasenseoffear.Itdoesitoutofanappealtologic.Inacomplexsystem,theopportunitiesforfailureapproachtheinfinite,soanorganizationthatistryingtoanticipatefailureknowsthatitwilleventuallyfaceasituationthatithadnotpreviouslyconsidered.Logicthendictatesthattheorganizationputresponsesinplacetodealwithbothexpectedfailuresandunexpectedfailures.Planningforexpectedfailuresiseasier,ofcourse,becauseyouhaveanideaofthepatternstheywilltakeandcanspecifyresponseresourceswithmoreprecision.Planningforunexpectedfailuresrequiresresponsecapabilitiesthatareflexibleandabletolearnandadaptquicklytonovelchallenges.Themorefailuresyoucanaddtoyour“expected”list,eitherbecauseyouthoughtofthembeforehandorbecauseyoulearnedaboutthemfromanunexpectedfailure,thebetteroffyouare.Butyouwillalwaysneedthatcapabilitytomanagetheunexpected.

Resilienceisthereforesomethingofanoperationalfeedbackloopitself.AnHRSPlearnsfromfailureevenwhileattemptingtoavoidandminimizeit.Newfailuresareformallyincorporatedintotheorganization’sknowledgeandmemory,sothattheybecomeexpectedfailuresinthefuture.HRSPsdonotlookatsecurityincidentsasholesinadikethatmustbepluggedsothattheynevereverleakagain.Whenanorganizationreactstoeverysecurityincidentbybuildinganewsetofpoliciesandrestrictionsorbuyingnewproducts,withthegoalofmakingitimpossibleforthatincidenttoeverrepeatitself,theresultcanbeincreasedrigidityratherthanincreasedsecurity.Justbecausethatonespecificsecurityeventcannotberepeateddoesn’tmeanonesimilartoitwillnothappen

orthatonecompletelydifferentwon’toccur.Andhavingconvinceditselfthatitsolvedtheproblem,theInfoSecprogramriskscomplacencyandafalsesenseofsecurity.Itismuchbettertotreattheincidentasatriggerforenterpriseimaginationandask,howisthisincidentsimilartoothers?WhatpatternscanIidentify?Andwhatoptionsareavailabletonotonlypreventthisspecificfailurefromrepeating,butmakeiteasiertoidentifyandrespondtothisgeneraltypeoffailure,preferablybeforeoneturnsintoanincidentinthefuture?

ResilienceUnderFireMyfavoriteWeickjournalarticleisalsothefirstonethatIeverreadinwhichheexploredthefatalbreakdownofasmokejumperteamfightingahugeforestfireinMontana.“TheCollapseofSensemakinginOrganizations:TheMannGulchDisaster”stillholdslessonsforpeople-centricsecurity.Itdemonstratesthewaysinwhichcatastrophethrowsevenseasonedprofessionalsintosituationssouncertainthattheirownbeliefsandexperiencescanturnagainstthem,sometimeswithfatalresults.

TheMannGulchfirehappenedinlatesummerof1949andkilled13smokejumpersastheyfledfromituparidgeafterthefiregrewoutofcontrol.Themostdramaticpointintheeventoccurredwhentheforemanoftheteam,realizingthatthefirewasgoingtocatchthem,beganburningasectionofthetallgrasstheteamwasmovingthroughandorderedeveryonetoliedownandletthefirepassoverthem.Noonelistenedandeveryoneelseranfortheirlives.Theforemansurvived,asdidtwoofthefirefighterswhomanagedtomakeitovertheridgeintime.Therestdiedasthefireovertookandengulfedthem.

OneofthelessonsofMannGulchwasthat,inacrisis,what’srationalandwhat’scrazycanbecomeconfused.Peoplestrugglingagainstfearanddesperationmakeemotionaldecisionsiftheyhavenot,throughtrainingandexperience,madetheirreactionsautomaticenoughtoovercomepanic.Theforemanofthesmokejumperteam,alsothemostexperiencedofthegroup,hadalotofreactionstofallbackon.Knowingthatthefirewasgoingtocatchhisteamnomatterwhat,heoptedtochoosehisowngroundandcreateconditionsinwhichhecouldcontrolwhatwouldhappen,specificallybyclearingaspacefreeoffuelfortheoncominginferno.Itmadeperfectsense.Buttoeveryoneelse,hiscommandsoundedsuicidal,essentiallyanordertoliedownandgivethemselvesuptotheblaze.Mostofthemenontheteamhadnotworkedwiththeforemanbefore,sotheydidn’tknowhim

wellenoughtocomprehendhowmuchexperiencehehad,andthuswereunabletounderstandhisactions.Thetworemainingsurvivorsmadeitbecausetheywerefasterandluckierthantheircompanions.Buthadeveryonetrustedtheforeman’ssuperiorinstinctsandexperience,theentireteamprobablywouldhavesurvived.

Duringasecuritybreach,manyactionsmaymakesenseinthemoment.Forinstance,acommoninstinctistostopcommunicatingandcirclethewagonsuntiltheinvestigationiscomplete,ortosimplydisconnecttheaffectedsystemsandthusstoptheattack.Butinsomecases,theseactionscanandwillonlymaketheconsequencesworse.Theonlywaytoprepareforamajorbreachistoactuallyprepareforit,byimaginingit,scopingitout,andthenpracticingitoverandoveragainuntilwhatyouhavedecidedarethebestcoursesofactionareingrained,eveniftheymayseemimpracticalorextremeinthemoment.Therewasatimewhenwargamesandredteamexercisesweresomethingonlythemilitarydid.NowtheyarestandardoperationsinmostCISOs’toolkits.

ResilienceKeyValueBehaviorsTheresiliencevaluebehaviorsthatanHRSPexhibitsenabletheorganizationtofailsuccessfullyduringanunexpectedsecurityincident.Thesebehaviorshelpensurethattheorganizationiscontinuouslypreparingtomeetanyfailuresituation,whetheritisonethattheorganizationhaspreviouslyimaginedoronethatwasneveranticipated.Theorganizationmustquicklyreact,adapt,andincorporatelessonsfromtheincidentandotherstominimizeimpactwhilenotovercompensatinginwaysthatcreateriskinotherareas.Thebehaviorsthatcharacterizethesecurityvalueofresilienceinclude

OvertrainpeopleCreate“skillbenches”ActivelyshareexpertiseEncouragestretchgoalsPracticefailing

OvertrainPeople

Whenitcomestotrainingforinformationsecurityincidents,HRSPsbelieve“theroadofexcessleadstothepalaceofwisdom.”Inanenvironmentthatoffersinnumerablewaysforthingstogowrong,yousimplycannothavetoomanyskilledandknowledgeablepeopletohelpwhensomethinginevitablydoesgowrong.Inhighlyreliablesecurityenvironments,peopleknowtheirjobswell,knowotherpeoples’jobswell,andareabletogetuptospeedquicklyinunforeseensituations.Overtrainingisnotoverstaffing.Mostorganizationscannotaffordtokeepmorepeoplearoundthantheyneednormally,justinpreparationforthedaywhenadequateisnotenough.Butorganizationscanaffordtomaximizethepeopletheydohave,toencourageandevendemandthattheirskillsareoptimizedagainstextraordinaryaswellastypicalsystemstressors.

People-centricsecuritytakestheapproachthatinvestmentinanddevelopmentofhumancapitaltosupporttheprotectionofinformationassetsandITsystemsarejustasimportant,ifnotmoreimportant,thaninvestinginmoretraditionalcapitalexpendituresonsecurity.Humancapitalisbroadlydefinedasthevalueofanemployee’sknowledgeandskills,andhumancapitaltheoryhasbeenwidelyappliedacrossindustrialandeducationalcontexts.Atthecoreistheideathatinvestmentsinpeoplearesimilartoinvestmentsinotherlarge-scaleinfrastructures.Ifyouinvestsignificantlyandwisely,yougetbetterandmoreproductiveorganizationalsystems.Skimponpeopleand,likecheapingoutonbuildingmaterialsorITsystems,youendupwithstructuralweaknessthatmakesyoulesscompetitiveandmorepronetobreakdown.

Duringasecurityincident,anorganization’sresilienceisgoingtodependonitsabilitytoengagetheproblembyapplyinglotsofpotentialsolutionsveryquickly,identifyingpatternsandmoreandlesssuccessfulresponsestoeventson-the-fly.Evenwiththebestpreparation,securityincidentsaregoingtoconfoundanddistract.Responseteamsthatbarelyunderstandhowsystemsworkinthebestoftimeswillbeillpreparedtounderstandhowtheyworkastheyarecollapsing.Andasincidentssuckinothersystemsandfunctions,includingthosetotallyoutsidethenormalpurviewofInfoSec,onlyacombinationofskillsandexperiencewillbeabletomanagethem.

HRSPstrytobuildcollaborativeincidentresponsecapabilitiesthatcanlearnandgrowevenwhileinthemiddleofafull-blownattackandbreach.Thisrequirescommitted,engagedpeoplewhohaveworkedtobuildcross-functional,interdependentknowledge.Itisn’teasyanditisn’tcheap,especiallyconsideringthatthemorevaluablethehumancapitalistooneorganization,themorefungiblethoseskillsandtalentsareontheopenmarket.Butforsecurity

programsconcernedwitheffectivelymanaginglargefailureevents,nothreatismoredisturbingthannothavingresourcescapableofrespondingtoiteffectively.

ExploringHumanCapitalHumancapitalhasbeenthesubjectofagreatdealofresearchand,insomecases,critique.Buttodayitiswidelyacceptedinfieldsasdiverseaseducation,humanresources,andpublicpolicy.IhavenotevenscratchedthesurfaceofhumancapitaltheoryindescribingthetrainingenvironmentofHRSPs.Therearelotsofbooksonthesubjectanditsapplicabilitythroughoutorganizationalmanagement.TwogoodintroductorysourcesofinformationforthoseinterestedinexploringthetopicfurtheraretheHumanCapitalInstitute(www.hci.org)andtheDeloittereportGlobalHumanCapitalTrends2014(availablefromDeloitteUniversityPress,http://dupress.com).

Create“SkillBenches”Trainingandskillbuildingalonedon’tgiveanorganizationeverythingthatitwillneedinacrisis.Itonlyprovidestherawmaterialsforthesecurityvalueofresilience.AnHRSPstillneedstodirectandstructureitshumancapitalsothatitcanbebroughttobeareffectivelyduringasecurityincident.FormallydesignatedskillbenchesthroughouttheInfoSecprogramandbeyondprovideaflexiblesupportstructurethatcanadapttochangingcircumstancesbefore,during,andafteranincident.

Askillbenchis,atheart,justaplancombinedwithalistofpeoplewithspecificexpertise.Thebenchfunctionsasaworkaroundforpersonnelshortagesthatemergeduringanincident.Ifonlyoneortwoemployeeshaveasetofskills,technicalorotherwise,thenabreachthatinvolvestheirexpertisecantiethemupfordaysorweeks.Whathappenstotheirregulardutiesandresponsibilitiesduringthattime?Iftheydonotdirectlysupportorarenotdirectlyaffectedbythesecurityevent,it’slikelytheywillbeneglectedorevenignoredcompletely.That’snoteffectiveoperationalmanagement.If,ontheotherhand,theorganizationcancallonabenchofsimilartalentandskill,evenifthoseindividualsarenotasfullycapableastheemployeeswhodothejobfulltime,callinginthebenchresourcescanblunttheimpactofthecrisis.Likeareserveparachute,theskillbenchmaynotworkquiteaswellasthemainchute,butit

http://www.hci.org

http://dupress.com

willensurethatyouaren’tkilledonimpact.HRSPscreateskillbenchesbyfirstmappingouttherolesandrequisitejob

skillrequirementsforeveryinformationsecurityfunction,andprobablyseveralnon-securityones,thatcouldreasonablybeinvolvedinanincident.Theresultingexpertisemapisusedtoassessprobableskillshortagesandbottlenecksresultingfromspecificsecurityincidentsintheorganization’sincidentcatalog.Contingencyplansarethendevisedwithparticulartriggerstoguidethesecurityteaminidentifyinglikelyincidentpatternsandapplyingskillbenchresourcesbasedonpredeterminedneed.Again,noneofthisiseasy.Contingencyplanningiscomplicatedandisasmuchartasscience.Organizationsarefluidandenvironmentsaredynamic,sotheskillbenchmustbekeptcurrentovertime.Peopleonthebenchhavetoknowtheyarepartofitandbeprovidedthetrainingandeducationnecessarytokeeptheircapabilitiesviable.Butlikeeveryotherbehaviorinvolvingthesecurityvalueofresilience,HRSPschoosetoundertakethechallengebecausetheywanttoknowthatwhenamajoreventhappens,itwillfeelmorelikeabaddayattheofficeandlessliketheendoftheworld.

Skillbenchingcanbeaperfectopportunityforoutsourcing,especiallyinresource-strappedenterprises.It’sverylikelythatasecurityincidentwillmotivateseniormanagementtofreeupfundsandsupportthataresimplynotavailableinother,morenormalcircumstances.ButbuildinganexternallysupportedbenchdoesnotletanHRSPoffthehookforadvanceplanning.Likebackupsitesindisasterrecoveryandbusinesscontinuityplanning,theorganizationshouldgiveitselfoptionsforhot,warm,andcoldstaffingbeforeanincident.Youdon’tbeginpreparingahotdisasterrecoverysitethedaythefloodtakesoutyourdatacenter.Anoutsourcedbenchstaffneedstobeoncallimmediately,notonlytoensurethattheresponseistimely,buttonegotiateandtakeadvantageof“Imayhaveaproblemsomeday”vs.“Ineedsomeoneherenow!”pricingdifferentials.

ActivelyShareExpertiseYoumayhavenoticedbynowthateveryoneoftheSecurityFORCEvaluesincludesabehaviordevotedtosharinginformationandinsight.Forthesecurityvalueofresilience,thatsharingisofexpertise,whichflowsnaturallyoutofthefirsttwokeybehaviors.ButexpertisesharingextendsbeyondjustlettingeveryoneknowwhohasActiveDirectoryskillsorwhohasbeentrainedinincidentforensics.Expertisesharingalsomeansopinionandimaginationsharingacrosstheorganizationduringasecurityevent.It’saboutbringingthefullweightofenterprisehumanandintellectualcapitaltobearonsuccessfully

managingasecuritycrisis.Reflexandinstinctmay,duringasecurityincident,drivepeopletoembrace

actionoverthought.AsinthecaseoftheMannGulchdisaster(seetheearliersidebar),whena30-foot-highwalloffireiscomingatyou,theoptionthatseemsleastwiseistostopandthinkaboutwhattodo.Thewisestoptionwouldseemtobetorunforyourlife.Butasthevictimssoontragicallydiscovered,stoppingandlisteningtotheforemanisexactlywhattheyshouldhavedone.Thesameholdstrueininformationsecurity.Itfeelsbetterinthemidstofanuncertainsituationtobedoingsomething,anything,thatseemslikepositiveaction.Butifoursituationalawarenessisinsufficienttoknowwhatthebestactionis,wemayfindthattakingactionworksagainstus.Inacrisissituationthereisafinebalancebetweenreflexandreflection.Itpaystorememberthatgutinstinctscanbemisleadingandsometimesweneedtoquestionthem,particularlyinthoseinstanceswherewehavelittleexperienceortrainingwithwhatwearefacing.

Duringasecurityincident,itisimperativethatanorganizationexaminealltheoptionsavailableandchoose(albeitquickly)thebestmovestomake.However,whenexpertisehasbeenrelegatedtosilosandindividualshaveonlytheirownlimitedexperiencetorelyon,thechanceofmakingbaddecisionsgoesup.Evenworse,crisisoftenmotivatespeopletoactliketheyknowwhat’sgoingon,eitherbecausetheydon’trealizetheextentoftheirownignoranceaboutthesituationortoreassureothersintosupportingtheiractions.HRSPstrytoavoiddecisionsbasedonbravadoornarrowinsights.Theirgoalinsteadistocreatejustenoughroomforcollectingdifferentanalysesandopinionsacrossavarietyofstakeholdersbeforedecisionsgetmade,whatManagingtheUnexpectedreferstoas“conceptualslack.”It’satrickybalancebetweensnapjudgmentononesideandvacillationontheother.ForanHRSPmanagingasecurityevent,though,takingafewhourstogatheralternativeframesofreferenceandcontraryviewpointsmaymeannotwastingordersofmagnitudemoretimegoingdownthewrongpathandthenhavingtoretracetheirsteps.

EncourageStretchGoalsThesecurityvalueofresilienceisnotreapedsimplybygivingmembersofanorganizationplentyoftraining.Takingclassesandachievingcertificationsdonotmakeapersonaseasonedpractitioner.Ifthosenewskillsarenotputtouse,theyatrophyanddegrade.Forthatreason,HRSPsmotivateandencouragetheirmemberstoputtheirtrainingtowork,preferablybytakingonchallengesthatwillpreparethemforthemoreintensetempoofasecurityincident.

Stretchgoalsareusedwidelyininformationsecurityandperformancemanagementmoregenerally,althoughtheycansometimesbemoreaboutwishfulthinkingoranattempttosqueezeoutafewmoreouncesofproductivitythanaboutreallystretchingsomeone’sabilities.ChallengesinthecontextofHRSPsandresiliencearemeanttoachievethelatter,tostrainandstretchtheemployee’scapabilitiesinthesamewaywestrainandstretchourbodiesthroughexercise.Wewantourteamstobestrongerandmorelimbersothattheyarebetterpreparedtofaceadverseconditionsduringanevent.Butinsteadofphysicalprowess(althoughthatcanbenecessaryaswell—securityincidentstendtobeexhaustingphysically),theobjectiveiscognitiveandevenemotionalstrengthandstamina.

Thekeyresiliencevaluebehaviorsdescribedinthischapterprovideampleopportunitiesforchallengingstretchgoals,tothepointwheresuchgoalsarepracticallyastructuralfeatureofthesecurityvalueofresilience.Havingtrainedandorganizedskilledpeopletofunctionasbothprimaryandreserveresourcesduringamajorsecurityincidentorevent,HRSPswillencouragethemtoengageandparticipateacrossthesecurityprogramlandscape.RotationsthroughotherInfoSecandITfunctions,opportunitiesforleadingorjoiningprojectsandinitiatives,andvirtualteambuildingexercisesthatbringtogetherfolksontheskillbenchesandtheirprimary-dutycolleaguesareallmeansbywhichanHRSPcanfosteranenvironmentofcollaborativeexcellence.

Mostimportantly,however,stretchgoalshavetoberewarded.Compensationforgoingaboveandbeyondone’susualresponsibilitiesdoesnotalwayshavetobefinancialinnature,andinsomecasesmoneycanbelesseffectivethanothermeansofmotivation.Rememberthatthegoalistoformatightlyknitoperationalteamthatcaneffectivelyhandleacrisis.Ifwetakelessonsfromothercrisismanagementfields,thosewithahighdegreeofprofessionalismandespritdecorps,thebestperformersarenotnecessarilythebestpaid.Asimportantasmoneyis,HRSPsworktomakepeoplefeelvaluedandappreciatedfortheircontributions.Company-widerecognition,opportunitiestomentororworkoninterestingprojects,andformalinclusionofstretchgoalsintoperformancereviews(whichcanalsohaveafinancialbenefitinthelongterm)aregoodalternativewaystoencouragepeopletogoaboveandbeyondthecallofduty.

PracticeFailingHowdoyougettoCarnegieHall?theoldjokegoes.Practice!It’ssomethingofauniversallifelessonthatnooneisjustnaturallyavirtuoso.Ifyouwanttobe

thebestatsomething,youhavetoputinthelong,hardhourstotrainandprepare,repeatingthesameexercisesagainandagainuntiltheyarepitchperfectandinscribedinmusclememory.It’strueformusicians,it’strueforathletes,andit’strueforHRSPs.Failingisprettymuchtheoneeventthatinformationsecurityteamsmostoftenthinkabout,stressabout,andwonderiftheyarereadyfor.Youwouldthinkwemightpracticeabitmorethanwedotogetreadyforourbignightonstage!

SomeoftheproblemgoesbacktothepointsImadeaboutthesecurityvalueoffailureinChapter11,namelythatwehatethethoughtoffailureandweengageitwithaboutthesameenthusiasmaswedodeathandtaxes.But,asI’vealsopointedout,securityincidentsareasinevitableasdeathandtaxes,soweshouldbereadyforonewhenitcomes.Withoutpractice,asecurityincidentisnewandunfamiliarandfrightening,maybeoverwhelminglyso.Evenwithpractice,securityincidentswillincludethingsthatarenewandscary,somakingasmuchofourresponseaspossibleroutineandfamiliaramidthechaosfreesupcognitiveresourcesthatwecandevotetosolvingproblems.ReturningagaintoChapter11,ItalkedabouthowthemovieApollo13misquotedthe“Failureisnotanoption”line.NASAneverruledoutfailure.Infact,theypracticedfailingallthetime.TheveryfirstApollomissionendedintragedyin1967whenthreecrewmembersdiedinafire.AboardofinquirywashighlycriticalofNASA’soperationsleadinguptotheaccident,andafterwardNASAbeganpayingalotmoreattentiontosafetyandpreparingforfutureaccidents.AsNickGardnerdescribesinhisbookMistakes,throughouttherestoftheApolloprogram,NASAteamsspenttimebetweenlaunchesdreamingupdisasterscenariosandrunningsimulationsofthemagainstoneanotherastests.TheApollo13rescueplan,infact,wastheoutcomeofoneofthesescenarios.

HRSPstreatfailurepracticethesamewaythattheytreattraining:youcanneverhaveenough.Youmightnotbeabletogetallyouwantorallyouneed,butpracticeintheformofwargames,scenarioplanning,andsecurityincidentdrillsisconsideredhighvalueandanexcellentuseoftimeandmoney.Practicingfailureisnot,however,thesamethingaspenetrationtestingorcomplianceaudits,althoughthesecanbefactoredintoapracticeexercise.Testingandauditsaredatacollectionmechanisms,notexperientialexercises.Practicingfailuredoesnotmeanidentifyingwhereacybercriminalcancompromiseyourproductionservers.Practicingfailuremeanssimulatingexactlywhathappenswhenthatcriminalactuallycompromisesthosedevices.Howdoestheorganizationfindout?Howdoesitrespond?Howdoesitdealwiththeoutcomes?Practicingfailureinvolvesunderstandingthisentireprocess

indetailandfiguringoutwheretheresponsetothesecurityincidentfailsinandofitself.Aftermanyiterations,thatresponsebecomesmuchbetter,andeventuallybecomeshabit,professionalizedintojustanotheroperationalprocess.

TheUnrecoveredCountryEstoniaworriesagreatdealaboutthesecurityvalueofresilience.TheBalticnationhasanimpressivehistoryofdigitaladoption,aswellasconcernsovercyberwarfare,havingbeenhitbyoneoftheearliestexamplesofitin2007.Morerecently,theEstoniangovernmenthasembarkedonaprogramdesignedtomanagethecountry’sdigitalserviceinfrastructureevenifthecountryishitbyanothermassivelydebilitatingcyberattack.

Undertherubricofthe“DataEmbassyInitiative,”Estoniahasbegunplanningforthemigrationofcomputerdataandresourcestoothercountriesintheeventofanemergency.InsituationswhereanattacktakesoutordeniesgovernmentserviceshostedinsideEstonia,thoseresourcescanquicklyandeffectivelymigrateabroad,primarilytopredesignateddataembassiesrunfrominsideEstonia’sphysicalembassiesaroundtheglobe.Thestrategyisforgovernmentcapabilitiestocontinuetofunction,includingpayingsalariesandprovidingservicesforcitizens,whilethecrisisonthehomeinfrastructureisresolved.

AninitialtestbytheEstoniangovernmentofthedigitalcontinuitysystemwaspromisingbutalsodemonstratedtheincredibleintricaciesthatexisteveninwell-designedandwell-manageddigitalinfrastructures.ThetestsconductedinpartnershipwithMicrosoftfoundtechnicalproblems,legalproblems,andmanagementproblems,someofwhichhadbeenconsideredaheadoftimeandsomewhichwerecompletesurprises.Astheofficialgovernmentreportstated,“it…becameclearthatnomatterwhat,textbookreadinessisimpossibletoachieve.”

Amongthespecificfindingsandrecommendationsoftheexerciseweretwothatclearlyechothematerialinthischapter.Onefindingdeterminedthatduetoimproperormissingsystemdocumentation,itwasoftenthecasethatworkingknowledgeofasystemwaslimitedto“onlyasmallnumberofexperts”andcreatedgapsinthepotentialfordigitalcontinuityduringanincident.Oneofeightkeyrecommendationsofthereportwasevenmoretothepoint.Itstatedthat“operationalproceduresshouldbepreparedandtestedinadvanceratherthaninacrisis.”ThefullreportcanbefoundonEstonia’sEnglishversionoftheMinistryofEconomicAffairsand

Communicationswebsiteatwww.mkm.ee/en(searchfor“DataEmbassyInitiative”).

AssessingYourResilienceValueBehaviorsUsetheSecurityFORCESurveyandSecurityFORCEMetricstodeterminehowwellyourorganizationadherestothekeyvaluebehaviorsforresilienceandtoprovideempiricalevidenceofthosebehaviors.

ScoringtheResilienceValueBehaviorSurveyTheSecurityFORCESurveyincludesstatementsrelatedtothesecurityvalueofresilience.ThefivestatementsunderSecurityValueofResiliencearelistedinthesampleoftheFORCESurveyshowninFigure13-1.Aswithpreviouschapters,scoringassumesLikertresponsesnormalizedona1–5scale:


http://www.mkm.ee/en

Figure13-1FORCEValueSurveystatementsforresiliencevaluebehaviors

Forresiliencevaluebehaviors,anaveragescoreof4orgreaterindicatesthattheorganizationbehavesinwaysthatwillenableittorespondmorequicklyandmoreeffectivelytosecurityincidents.Theorganizationwillhavepreparedforavarietyofpossibleincidentsinadvanceandputmechanismsintoplacetodealwithunexpectedincidentsthathadnotbeenconsidered.Theresponsewillbemoreeffectivegiventhepresenceofresourcesreadytoaddressproblemsinacoherentway.Ascoreof2orbelowindicatesthattheorganizationdoesnotbehavelikeanHRSPandislesslikelyto“failgracefully”andrecoverquicklyfromasecurityincident.Itismorelikelytolosecontrolofthefailureprocessandgiveintopanicorparalysiswhenfacedwithneworuncertainsecurityincidentscenarios.

FORCEValueMetricsforResilienceTheFORCEValueMetricsforresilience,providingadditionalmeasuresof

HRSPbehavioralalignment,canbefoundinFigure13-2.

Figure13-2FORCEValueMetricsforresiliencevaluebehaviors

UsingtheFORCEResilienceValueMetricsThefiveFORCEMetricsassociatedwiththevalueofresiliencecaptureanorganization’scapacityforcrisisinthefaceofaninformationsecurityfailuresuchasamajordatabreach.Allaresuggestionsandnon-exhaustive,andshouldbeused,adapted,orsupplementedasappropriate.

Numberofsecurity-relatedtrainingopportunitiesprovidedtopeople,byroleorgroup,inthepastyearCompaniesgivetheirInfoSecteamsinformationsecurity–specifictraining,usually.Andtheygivetrainingintheformofawarenesseducationacrosstheenterprise,mostlikely.Ifsecurityreallydoesaffectacompanyasawhole,thenthewholecompanyshouldbetrainedonittosomedegree,andbeyondjustthebasicsofknowingwhenorwhennottoclickanemaillink.Manyorganizationstodaytreatproficiencywithstandardofficeproductivitysoftwareasarequiredskill.Mereawarenessthatword

processingorpresentationdevelopmentisathingisnotenough.Securityknowledgeandskillshouldbeonthesamelevel,andtheorganizationshouldprovideeveryonewithaccesstoit.NoteveryoneinHRwillneedorwanttoknowhowencryptionworksorhowtoconfigureafirewall.Butsomemight.Andhavingskilledpeopleinnon-securityrolescanbothhelptopreventfailuresaswellastomakeanorganizationmoreresilientinthefaceofone.IftheorganizationlimitssecurityskillsdevelopmenttojusttheInfoSecteam,thiscanbeanindicatorthatresiliencemaybeimpairedwhenthatteamfacesabreachthatnooneelseisabletounderstand.

NumberofidentifiedsecuritybackupresourcesavailableduringanincidentSpreadingaroundinformationsecurityskillsandknowledgecanleadtomorethanjustaninformedandcapableworkforce.Theorganizationcandramaticallyimproveresiliencebyformallyidentifyingsomeofthesepeopleasbackupresourcesthatcanbecalleduponduringanincident,asortof“volunteerfiredepartment”or“ArmyReserve”fortheInfoSecprogram.Knowingwhoandwherethesepeopleare,oriftheyevenexist,isagoodmeasureofcrisiscapacityforanorganization,whichwilldirectlyimpacttheorganization’sabilitytorespondandrecoverquicklyfromanincident.

Ratioofemployeeswithidentifiedsecurity“challenge”assignmentsaspartofregularperformancereviewsThismetricdoesnotmeantheorganizationmustfindwaystomakepeopledirectlyresponsibleforsecurityortakeonsecurity-relatedtaskstheydonotunderstandorwanttopursue.Securitychallengeassignmentsbeginwheretheminimumbaselinesoftrainingandawarenessend.Organizationsshouldworkcreativelytomakeassignmentspracticalandvaluable,tomakecompletingthemworthanemployee’stime,andtheyshouldbecomparableandequaltootherperformancegoals,notextraresponsibilities.AssignmentscanrangefromtakinganextraoptionalsecuritytrainingcourseallthewaythroughshadowingamemberoftheInfoSecteamforaday.Thepointisto(gently)pushpeople’scomfortzonesandexposethemtothefactthattheorganizationtakesinformationsecurityseriouslyenoughtoaskthemtodevoteworktimetoitandthenrewardsthemappropriatelycometimeforperformanceappraisals.

NumberandtypeofsecurityknowledgesharingopportunitiescreatedinthepastyearTeachinginformationsecurityskillsandencouragingindividualeffortstoimprovesecurityknowledgeshouldbesupplementedbyfosteringthesharingofthoseskillsandthatknowledge.Likethechallengeassignments,

organizationsshouldbecreativewithhowtheydevelopknowledgesharingforInfoSec,anddoingsodoesnotimplyorrequiresignificantexpendituresoftimeormoney.Buttheorganizationshouldtrackitseffortsandusethatmetricasagaugetounderstandhowandtowhatextentthediffusionofsecuritycapabilitiesistakingplacewithintheenterpriseinordertoleverageincreasesinthevalueofresiliencethatarerealizedwhencollectiveknowledgeisrequiredduringafailureevent.

Numberofscenario-basedresponsetestingorsecuritywar-gameexercisesconductedinthepastyearThismetricisverystraightforwardand,unlikethepreviousmeasures,isdirectedprimarilyattheInfoSecprogram.Theorganizationshouldtrackeffortstoanticipateandsimulatefailurescenariosaspartofitsresiliencestrategy.Ifitisnotpracticingfailingonaregularbasisandnotfeedingtheresultingdataandinsightsbackintosecurityingeneral,andincidentandcrisisresponseplansinparticular,thentheresultinglowscoresforthismeasurementareagoodindicatorthattheorganizationisnotaspreparedforamajorinformationsecurityeventasitcouldotherwisebe.

ImprovingYourResilienceValueBehaviorsPeoplearethecornerstoneofthesecurityvalueofresilience,andimprovingtheirbehaviorsisaboutprovidingmoreopportunitiesforthemtorealizetheirpersonalgoals,whilealsomeetingstrategicobjectivesoftheentirefirm.Unlikewiththesecurityvaluesoffailureandoperations,whichasksanorganizationtorethinkitsapproachtothosethings,thesecurityvalueofresilienceexhibitedbyanHRSPinthefaceofinformationsecurityincidentsisprobablynotascontroversial.Mosteveryonewillagree,especiallytoday,thattheabilitytoweatherasecuritycrisis,andlookcompetentpubliclywhiledoingit,isanunqualifiedgoodthing.It’showyougettherethat’stricky.

Themajorobstacleanorganizationislikelytofaceinrealizingthesecurityvalueofresilienceisnotskepticismabouttrainingorpracticingincidentresponsescenarios.Fewmanagers,atleastinpublic,woulddownplaytheseimportantelementsofoperationalreadiness.ThemostlikelypushbacktheInfoSecprogramwillfaceistheavailabilityofresources,includingtime,money,andpeople,necessaryfortheorganizationtobehavelikeanHRSP.Thethemeofcompetingprioritiesrunsthroughoutthisbook,andthatcompetitionwillimpactpeople’sdecisionsaboutwheretheyspendtheirtime,money,andpoliticalcapital.Improvingresiliencemeansshiftinglimitedresourcesfromsomething

else,oftensomethingtangibleandcurrent,deprioritizingthatthinginfavorofimprovedreadinessforeventsthatwillinevitablyhappenbutcannotbeaccuratelypredicted.Thatcanbeatoughsell.

I’vefoundthatamongthebestwaystomakethecaseforthesecurityvalueofresilienceistotiethatvaluetoother,moreintuitiveenterprisepriorities.Don’tmakeitaboutimprovingresilience.Makeitaboutimprovingfunctionsanddecisionsthatwillresultinbetterresilience,whichbringsusbacktotheideaofhumancapitalandpeople-centricsecurity.Resilienceisonlyoneofthepositivebenefitsoftrainingandimprovingpeople’sexpertise,skills,andworkexperiences.Themostadmiredcompaniestoday,theonesthatenduponthelistsofbestplacestowork,haveincommontheiremphasisoncreatingameaningfulplacetobeemployed.ThevalueofresilienceincludesopportunitiesforhumanimprovementinsidetheInfoSecprogram,butwithmuchwiderpossibilitiesfortheorganizationasawhole.

EmbedResilienceValueintotheSecurityProgramThetwobiggestchangesnecessarytomoveanInfoSecprogramtowardbecominganHRSPintermsofthesecurityvalueofresiliencedonotinvolveconvincingpeoplethatmoreeffectiveincidentresponseisgood.AsImentionedearlier,that’sprettymuchagiven.Thechangesthatarerequiredinvolvegettingpeopletotakemoreactiveownershipincross-functionalsecurityresponsibilitiesandovercomingorganizationalanxietyoveraninevitablesecurityincident.

“ASecurityIncident?IWantIn!”Eliteteamsofheroes,sacrificingthemselvesdoingajobnobodyelsecandoorwouldwantto,isexactlytheoppositeofhowyouwantpeopletoseetheemployeeswhorespondtosecurityincidents,ortoseethemselvesiftheyarethosepeople.HRSPsspreadtheownershipofmajorfailureeventsaround,andnotinordertolayblameorholdpeopleaccountable.Ifyoutrainandpreparewellforsomething,evensomethinghorrible,there’sacertainsenseofaccomplishmentandevenpridethatcomeswithputtingthatpreparationtothetest.Firstrespondersinadisasterscenedon’tcomeonsitehopingtofindotherpeopletodothejob.Theyjumpinandtakeaction,providingtheresourcesandservicestheyhavetrainedandcommittedthemselvestoprovide.Securityincidentsshouldtriggerthissamelevelof,ifnotenthusiasm,determination.Peoplewhohaveworkedtocontributetothevalueofresiliencewanttohelpbecausetheyareconfidenttheycan.It’saculturaltraitthatmustbenurturedand

constantlyreinforcedthroughthebehaviorsdefinedthroughoutthischapter.

MakeSecurityIncidentsMundaneItwillbemucheasiertogetpeopleinvolvedinrespondingtosecurityincidentswhentheylookatsuchincidentsasatestofskillandnotanexistentialthreat.AproblemIhavewiththe“you’vealreadybeenhacked”narrativeininformationsecuritytodayisthatitteachesthewronglessonsaboutthebanalityofsecurityfailures,namelythatyoucan’tdoanythingaboutthem(except,ofcourse,buytheproductsandservicesofthefirmsusingthenarrative).Abetterapproach,amoreHRSP-orientedapproach,wouldbetoaccepttheinevitabilityoffailurebutrejecttheinevitabilityofhelplessnessinthefaceofit.Whatshouldmakeasecurityincidentmundaneisthatitisexpected,anticipatedtosomedegree,plannedfor,anddocumentedsothattheresultscanbefedintoaprocessoforganizationallearningandimprovement.InanorganizationrunninganHRSP,“wehadasecurityincident”is,ideally,onthesamelevelas“revenuegrowthwasflatinEurope”or“wehadasupplychainissueinAsia”or“thecompanyhadtodealwithaproductlawsuit.”Thesehappenallthetimeandarerarelyfrontpageheadlines,althoughnoonewouldarguetheycanbebigproblems.Butassuch,theyarecrisestodealwith,toanalyze,torespondto,andtomoveonfromwithaslittledisruptionaspossible.

FurtherReadingGardner,Nick.Mistakes:HowTheyHaveHappenedandHowSomeMightBeAvoided.BookSurge,2007.Maclean,Norman.YoungMenandFire.Chicago:UniversityofChicagoPress,1972.Weick,KarlE.“TheCollapseofSensemakinginOrganizations:TheMannGulchDisaster.”AdministrativeScienceQuarterly38:4(1993):628–652.

R

CHAPTER14

TheSecurityValueofComplexity

esilience,theabilitytogracefullyweatherfailureevenaftereveryattempttodetectandpreventithasbeenunsuccessful,issomethingofanoverarchingobjectiveoftheSecurityFORCEvalues.IfresilienceistheoverarchinggoaloftheFORCEModel,thencomplexityshouldbethoughtofasthesoulofFORCE.Thesecurityvalueofcomplexityinfusesandinformseverythingelse,awayoflookingatthewholeworlddifferently.Researchintoaccidents,breakdowns,andHROsgrewoutofandintandemwithresearchintocomplexsystems.Theemergenceofcomplexityinsocialandtechnologicalenvironmentswas,infact,aprimarycatalystforstudyingtheinevitabilityoffailureinthefaceofthesesystems’emergentandunpredictablebehaviors.ForHROsandHRSPs,workingwith,notagainst,complexityisfundamentaltoimprovingtheirreliability.

WhatIstheSecurityValueofComplexity?Complexityisn’tsimple.That’saterriblecliché,butnotabaddefinition.AccordingtotheSantaFeInstitute,amajorresearchcenterdevotedtothescienceofcomplexity,thetermcomplexityisusuallydefineddifferentlyacrossvariousdisciplines.Fundamentally,complexityinvolvesemergentbehaviorsthatgrowoutofinteractionsbetweenthedifferentelementsofasystem.NeilJohnson,theauthorofSimplyComplexity,riffson“two’scompany,three’sacrowd”andmakesthecasethatcomplexsystemsbeginwhenbinaryonesend.MyfavoritedefinitionsofcomplexitycomecourtesyofWarrenWeaver,who,

alongwithClaudeShannon,developedthefieldofinformationtheory.Inhis1948article“ScienceandComplexity,”Warrensketchedoutthreelevelsofcomplexproblems:

ProblemsofsimplicityComplexityattheleveloftwo,three,orfourvariables,whichistosaynotthatcomplexatallandeasytopredictwithrelativelyunsophisticatedanalyticalmethodsProblemsofdisorganizedcomplexityComplexityatthelevelofmillionsorbillionsofvariables,operatingatrandomsothatnoonevariableispredictablebutaveragebehaviorscanbeaccuratelyanalyzedProblemsoforganizedcomplexityComplexityinwhichlargenumbersofvariablesinteract,butinnonrandomways,andthoseorganizedrelationshipswithinthesystemmakebehaviorsunpredictableusingnormalanalysis

WhenWeaverpublishedhisarticleaboutthedifferencesbetweendisorganizedandorganizedcomplexityin1948,heanticipatedthatorganizedcomplexitywouldbethebigchallengeforscienceinthecomingcentury.Itcertainlyisforinformationsecuritytoday.Securityprogramshaveforthelongesttimebehavedasiftheyweredealingwithproblemsofsimplicity.Nowthattheyarerealizingthat’snotthecase,theyareturningtotechniqueslikebigdatathatpromisetoturnsecurityintoaproblemofdisorganizedcomplexity.Butthatwon’tworkeither,atleastnotcompletely.Thesecurityvalueofcomplexitybeginswiththerecognitionthatinformationsecurityisanenvironmentdominatedbyproblemsoforganizedcomplexity.Thoseproblemscannotbeeasilymeasured,orevenmeasuredwithdifficulty,usingtraditionalmethods.Theymaynotbepredictableatall.HRSPsstartbyacceptingthatpossibilityandincorporatingitsimplications.

DumbingItDownHumansarebiologicallyandevolutionarilyprogrammedtosimplifythings.Identifyingpatterns,shortcuts,andheuristicsisoneofthewaysthatwehavesurvivedoverourhistoryasaspecies.Aspeoplebegantocometogetherincollectiveandthenorganizedgroups,theybroughttheirtendencytosimplifycomplexanddiverseinformationinputswiththem,nowintensifiedbytheneedtocreatesharedconsensusandagreement.Cutforwardafewmillenniaandourcurrentworldofframeworks,commoncriteria,andbestpracticemethodologiesismucheasiertounderstand.Liketheirloneancestors,companiesand

enterprisesthrivebysimplifyingtheparalyzingstimulitheymustdealwithintocategories,labels,scenarios,andtriggersthatallowthemtomakedecisionsunderconditionsofchaos.

Gotoofardownthesimplicitytrack,though,andyouendupinaplacewhereyouhaveremovedsomuchnuanceanddetailfromtheabstractionsyouhavecreatedthattheybecomemeaningless.Everythinggetsreducedtothesmallsetofvariablesnecessarytomakeitaproblemofsimplicity,andthuseasilyanalyzedandactedupon.Runintosomethingnew?Justdumpitintotheclosestcategorybucket.Insteadoffocusingonwhatmightmakeitdifferent,lookforthethingsthatmakeitthesame.Otherwise,howcanweactonit?Isitsecureorvulnerable?Isitcompliantornon-compliant?Isitatechnicalcontroloraprocesscontrol?Ifsomeoneremindsagroupofpeoplethatsomethingcanbebothofthesethings,orevenallofthem,theyareremindedofthepracticalqualitiesofinformationsecurity:Wehavetodrawthelinesomewhere.Anddrawingthatarbitraryline,whetheritrepresentsdivisionsofcellsonaheatmaporperimetersonanetworkdiagram,involvesanassumption.Theorganizationassumesthedivisionreflectsreality,anditassumesriskagainsttheprobabilitythatitdoesnot.

Thesecurityvalueofcomplexityisnotarejectionofsimplification,whichisimpossible,butinsteadahealthysenseofskepticismandmistrust.Wedumbthingsdownbecausewehavetoattimes,notbecausewewantto.Thereisalwaysatrade-off,andeveryactofsimplificationbringsconcomitantriskalongwithit.HRSPsfighttokeepsimplificationsfromtakingoverbyengaginginthemhesitantly,byquestioningandcritiquingthemrepeatedly,andbytryingtore-complicatethemcontinuously.Allowingsimplicityislikeallowingvulnerability.Sometimesyoumustdoitforbusinessreasons,butyou’reneverhappyaboutit.Andassoonasyoucan,youtrytocorrecttheproblem.

GrowingUncertaintyWhensecurityteamsandotherorganizationsoversimplify,theystartputtingtoomuchstockinlabels,categories,andrepresentations.Infact,theymaystarttrustingtheirclassificationsandmodelssomuchthattheystoppayingcloseattentiontotherealworldthosethingsrepresent.Empiricalevidencecanbecomelessimportantthanwhatthemodelsaysisreal.Thisisespeciallytruewhenpoliticalorculturalforceshaveavestedinterestintherepresentation.Iftheorganizationhasinvestedsignificanteffortincompromiseandindevelopingconsensusandcooperationamongstakeholders,criticizingthatcommonframeofreferencemaybeseenasthreatening.Taketheexampleofapenetrationtest,

whereanorganizationreceivesareportofvulnerabilities.Thefindingscomebackwithproblemsclassifiedbyseverity,perhapsusingCommonVulnerabilityScoringSystem(CVSS)scores.Tasksandmaybeevenblamearedoledoutasaresult,withsometeamsbeingassignedsevereproblemsthathavetobefixedimmediately,whileotherteamsareassignedlessproblematicvulnerabilitiesandaregivenmoreleeway.Nowimaginethehellthatbreaksloosewhensomeonearguesthatacommonlyfound“minor”vulnerabilityisactuallyasbadasthesevereonesandshouldbeprioritized,triplingtheworkloadoftheteamswhothoughttheyhadtheeasierassignment.Screamingmatchesandappealstoseniormanagementensue.Whetherornotthevulnerabilityinquestionisreallythatdangerousgetslostinthenoise.Themodeldrivestheargument.

Linguistsandphilosophershave,foralongtime,exploredtheideathatwordsveryliterallyhavepower.Theyarenotjusttoolsofdescription,butactionsthemselveswiththeabilitytoshapethoughtanddrivebehavior.InManagingtheUnexpected,WeickandSutcliffeciteBenjaminWhorf,alinguist,whodemonstratedthepoweroflabelsinhisexaminationof“empty”gasolinedrumsatanindustrialsite.Useddrums,whichhadoncebeenfilledwithfuel,wereprocessedoncethegasolinehadbeendrained.Thesenow-emptydrums,Whorffound,weretreatedlesscarefullythanonesthatstillcontainedliquid.Workersequatedtheideaofanemptydrumwithsomethingdevoidofflammablematerial,whichmadethemlesslikelytotakesafetyprecautionswithit.Butinreality,afullcontainerofgasolineissaferthanonethathasnoliquidleftinit,duetotheexplosivenatureofvaporizedgas.Returningtothepenetrationtestexample,Ihaveseenplentyoforganizationsthatallowedvulnerabilitiestogounmitigatedforyearsbecauseclassifyingthemas“minorvulnerabilities”cametobeinterpretedasnonthreateningevenwhentheyexistedwidelythroughoutthenetwork.

Everytimewesimplifysomethingtomakeiteasiertoconceptualizeormanage,wecreateuncertainty.Toreducecomplexity,wehavetoleavethingsout,lumpthingstogether,makeblurryedgesartificiallysharp.Ourpicturesbecomeclearbecausewenolongerhavetofocusonsomanymessydetails.It’sanincrediblyusefulprocessthatmakesdecisionmakingmoreefficient.It’salsoanillusion.Thehiddenaspectsarenoteliminated,justputintothebackground.Theykeepfunctioning,butwechoosenottoseetheminfavorofthethingswe’vebroughttotheforeground.Althoughwearenotfocusingonthehiddenaspects,theymaystillaffectus,andwewon’trealizeitbecausewe’veplacedthemintoourblindspot.HRSPsworryaboutthattonoend.

CVSS,Heartbleed,andtheUncertaintyChallengeinScoringSystemsScoringsystemsareuseful.Weneedthem.IusethemmyselfforbothofthemeasurementframeworksIproposeinthisbook.Buttheyareimperfectandshouldneverbetreatedasempiricallymeasuringsomeobjectivereality.Theyaremetaphorsdescribingsomething(performance,risk,etc.)intermsofsomethingelse(anumber,arank,oralabel).Weusuallyinventscoreswhensomethingistoodifficulttomeasuredirectlyandwehavetocreateanapproximation.Evenseeminglyobjectivescores,likeinsports,hideasmuchastheyreveal.TheTexansbeattheCowboysby14onSunday?WellthatprovestheTexansareabetterteam,right?Highlyunlikely,asI’msuresomeCowboysfanwillpointouttomesomedayinperson.

BloggerMichaelRoytmanexploressimilarproblemsinthecontextofinformationsecurity,specificallyvulnerabilityseverityscoringinthewakeoftheHeartbleedOpenSSLvulnerabilityof2014.Hispost,“CVSSScore:AHeartbleedbyAnyOtherName”waswritteninMayofthatyear.Whiletechnologyandmainstreammediaoutletswerethrowingaroundtermslike“catastrophic”and“worstvulnerabilityever,”HeartbleedwasofficiallygivenaCVSSscoreof5.0outof10,classifiedasmediumseverity.ThescorereflectedacombinationoffactorsinherenttoCVSScalculationandincludedananalysisthatthevulnerability,whilehighlyexploitable,wasofrelativelylowimpact.ThescoreseemedsooutoftouchwithrealitythattheNationalVulnerabilityDatabase(NVD)tooktheapparentlyunprecedentedstepofissuingacaveatwarningaboutit.TheNVDpointedoutthat,eventhoughsomelocalsystemresourcesmightnotbedirectlyaffected,thevulnerabilitycouldbeusedtogainsensitiveinformationthatmightleadtootherattacks.

ThepointoftheattentionthatRoytmanandtheNVDbroughttotheCVSS,andwhichIillustratedthroughmyfootballanalogy,isthatanyscoringsystemisaproductofsimplification.Weusethemtoreduceouruncertaintyaboutadecisionoranalysis,suchaswhoplayedasportbetter(thehighest-scoringteam)orwhichvulnerabilitytoprioritizeforfixing(theoneswiththehighestCVSSscores).Butyoucannotreducereal-worldcomplexitytoasmallsetofdatapointswithoutsimultaneouslyincreasinguncertaintyaswell.Ifyouralgorithmisgood,youreducetheuncertaintyyouwantwhileintroducinguncertaintyyoudon’treallycareaboutinthatcontext.Ifyouralgorithmisflawed,youconfuseyourselfaboutthevery

thingyouaretryingtomakemoreclear,aproblemworththinkingabout.YoucanfindMichaelRoytman’scompleteanalysisofCVSSscoringchallengesontheAlienVaultblogpageatwww.alienvault.com.

IgnoranceIsRiskDeliberatelychoosingtoignoresomethingsinfavorofemphasizingothersmaybeauniquelyhumanskill.Andaslongaswerememberwhatwehavechosentoignore,wemanagethetrade-offquitewell.It’swhenpeopleandorganizationsgoforthefull-onbliss,neitherrememberingnorreallycaringtoknowwhattheyhavechosentodisregard,thattheyopenthemselvestodanger.HRSPsuseignoranceasatool,butasapowerful,dangeroustool,onethatmustbemanagedconsciouslyandcarefullysothatitdoesn’tcauseharmfulaccidents.AssumptionsarethecontainersinwhichHRSPsstoreandmanagethethingstheydeliberatelyignore.Andlikeanyotherdangerousmaterials,theyaresubjecttostrictrulesregardinghowtheyaretreated.

HRSPsdonotliketocreatenewassumptionsthattheythenhavetomanage.HRSPstendtosimplifythingsasinfrequentlyandascarefullyastheycan,andwhentheydochoosetodumbthingsdown,theytrynottogooverboard,nomatterhoweasythatmightmaketheirlives.ThatmeansHRSPsminimizethenumberofassumptionstheyhavetodealwithandmaintainahealthysenseofcognitivedissonance,alwaysholdingboththesimplificationandtheassumptioninbalance,usingtheformerbutneverforgettingthelatter.It’slikethesuspensionofdisbeliefwhenwatchingamovieorreadingagoodnovel.Youknowwhatyouimagineishappeningisn’trealordoesn’tmakelogicalsense,butyouacceptitforalittlewhileinordertoabsorbtheexperienceandeverythingitoffers.Thenthelightsgoupinthetheateroryoulaythebookdownonyourdesk,andit’sbacktoreality.

PeopleinHRSPsarelikethepeopleyouknowwholovetoripapartthemoviesandnovelsothersenjoy,topointouteveryflawinplotorinconsistencyofdetail.Theyenjoykillingagoodbuzzbypointingoutthingsliketheobservationthatthehero’sgunseemedtohaveanunlimitedsupplyofbulletsduringthefinalshootout.Butinsteadofshuttingdownthesecynics,HRSPsinvitetheircomments,evenwhentheyareinconvenientorannoying.Securityteamsfocusedonthevalueofcomplexityknowthattheproblemthatultimatelyimpactsthemwillprobablynotbecomingfromtheplacetheyarelooking.Theysuspectitwillcomeoutoftheirblindspot,sotheyarefanaticalaboutremindingthemselveswherethatspotisandwhattheyhaveshovedintoit.Those

http://www.alienvault.com

assumptionsarethevulnerabilitiesintheirmentalsecuritysystems,andtheytrytotestandaddressthemasmuchastheonesintheirtechnologyproducts.

MyHeatMapandIHaveBoundaryIssuesOneofthebestillustrationsofthepoweranddangeroflabelsandcategoriesininformationsecurityistheheatmapthatsomanysecurityprogramsusetomeasureandexpresssecurityrisk.Imustprefacethisexample,asIdowhenIspeakaboutittocustomersoratconferences,thatIhavenothingagainstheatmapsperse.ButIhavebigissueswithusingheatmapsunselfconsciouslyandwithoutthinkingasmuchaboutwhattheheatmapleavesoutaswhatitcontains.HRSPsuseheatmapstoo,buttheyneverlosesightofthefactthatyouenduppackingadisproportionatelylargequantityofassumptionsanduncertaintyintothesevisualizationscomparedwithotheravailableriskmanagementtechniques.

Thefollowingillustrationshowsasimpleheatmap,representativeofheatmapsIhaveseenusedthroughoutinformationsecurityorganizationsaroundtheworld.TheX-axisisthecompany’sestimateofthefrequencyofsecurityriskorevents,whiletheY-axisisthecompany’sestimateoftheimpactofanyparticularriskorevent.Increasedfrequencyand/orlikelihoodtendstoraisetheperceivedrisklevel,thusincreasingtheoverallriskseverityscore.Manyorganizationsusedifferentscoresthanhigh,medium,orlow,butitreallydoesn’tmatterintheendwhatterminologyisused,aswe’llsee.Usually,thecellsrepresentinghighscoresarecoloredred,themediumscoresyellow,andthelowscoresgreen.Thesescoresarethenusedtomakedecisionsregardingresourceallocationandtimeallottedtoaddresstheriskorfixthevulnerability.Theremaybevariationsonthistheme,butheatmap–drivenriskassessmentshavebeenandremainanacceptedbestpractice(oratleastatotallyacceptablepractice)intheinformationsecurityindustry.

Icouldcommentonthesomewhatintriguingpracticeofassigninganysecurityriskorvulnerabilitya“green”color,butitremindsmesomuchofBenjaminWhorf’s“empty”(andthuspresumably“safe”)gasolinecontainersthatIfeellikeI’vealreadyaddressedit.Instead,let’sfocusontheassumptionsanduncertaintythatcongregatearoundtheheatmap’sartificialboundarylines.

Thenextillustrationbreaksoutasectionofninecellsfromthemiddlethreerowsintheupperrightareaoftheheatmap.I’vealsolabeledtheboundariesbetweencellsinwaysIhavefoundprettytypicalintheheatmapsIhaveseen.Frequencyisseparatedintofourprobabilitythresholdsof25percenteach.Impactisdefinedbynumericalscoresfrom0to10,with10beingthemostsevere.Usually,thesescoreswillbetiedbacktoacategorykeythatindicatesfinancialloss,lossofserviceoraccess,orsomeotherdirectimpact.MostorganizationsI’veseenuseheatmapsusethemtobuildorpopulateremediationplans,assigningthehighestseverityrisksto

befixedthequickestandgraduallymovingdowntheseveritystackuntileverythingisaddressedortheorganizationrunsoutoftime,money,orpersonnel(usuallythelatter).Byexaminingthreeuniquerisks,labeledA,B,andCandclassifiedusingtheheatmapshownintheillustration,wecanstarttogetanideaofjusthowmuchuncertaintyisinvolvedwithheatmapsandhowtheselabelscanresultinlargeblindspotsofpotentialrisk.

RiskAcomesinwithafrequencyestimateof50percentlikelytooccurandanimpactscoreof7.9.Accordingtoaliteralinterpretationoftheheatmap,RiskAisahigh-severityrisk(oftencoloredredonaheatmap).Butheatmapsarenotliteralmeasurementsofrisk,andtheboundariesbetweenseverityarearbitrarilydrawnupbythepeopleinterpretingthem.Theorganizationbuildsanapproximationofreality,whichthenbecomestemptingtouseinplaceofactuallyexploringreality.IfRiskA,duringtheassessmentcalculations,hadbeenratedjustonepercentagepointof

frequencylower,becoming49percentlikely,itwouldhaveimmediatelybeencategorizedasmediumseverity(andshadedyellow).Isariskof50percent/7.9thatdifferentfromoneof49percent/7.9?Intermsofrisktreatment,iftheInfoSecteamisgivenadeadlineofsixmonthsinsteadofsixweekstofixtheproblem,thenthedifferenceincategorizationimpliesasignificantdifferencebetweenthetwoestimatedrisks.

RisksBandCarevariantsofthissamephenomenon.InthecaseofRiskB,itfallswithinahigh-severityriskcellbracketedbyotherhigh-severityriskcells,buthaditbeenestimatedslightlylessimpactfulandslightlylesslikelyduringtheassessmentcalculations,itwouldhavefallenintothemedium-severityriskcelltoitslowerleftontheheatmap.HowdowedifferentiatebetweenRiskBandotherhigh-severityrisksthatmaybelesslikelyormoredamaging,orbetweenitandamedium-severitycousinjustacrosstheboundary?RiskCisrated100percentlikely,butitsimpactscoremakesitmediumseverity.Inthiscase,theorganizationmaydecideithastoacceptunavoidabledamagefromoneriskinordertoprotectagainstonethatmightneverhappen.Heatmapsencourage,evendemand,thiscategory-centricthinking,sometimesattheexpenseofcommonsense.HRSPsrefusetoallowtheirmodelstotellthemwhat’sreallyreal.

ComplexityKeyValueBehaviorsEnvironmentsoforganizedcomplexityresistourattemptstoidentifypredictivepatterns.Thus,thecomplexityvaluebehaviorsthatanHRSPwillencouragearelessaboutlookingforthosepatternsandmoreaboutremindingourselvesthattheycanbemisleadingorimpossibletoaccuratelyidentify.IdescribedthesecurityvalueofcomplexityearlierasthesoulofanHRSPbecauseembracingitresultsinanattitudeofcautiousself-doubtthatisfundamentalforsuccessfulpeople-centricsecurity.Securityfailsbecauseorganizationsforeveroverestimatetheirunderstandingofthesystemsthattheycreate,andunderestimatethosesystems’capacitytodosomethingcompletelyunexpected.Wedothisoutofadesiretomakerealitysimplerandeasiertoanalyzeandexplain,whenweshouldbetryingtomakeourexplanationsmorecomplexandharderwhilestretchingourselvesintomoresophisticatedanalyses.Thebehaviorsthatcharacterizethesecurityvalueofcomplexityinclude

Don’toversimplify

FormalizeyourassumptionsCovetempiricalevidenceSharethedoubtMakeeverymodelbetter

Don’tOversimplifyWithtrainingforresilience,discussedinChapter13,theroadofexcessleadstogoodplaces.Butwithsimplification,theroadofexcessispavedwithgoodintentionsandonlyleadsdownward.Simplicityisseductiveandalluring.Itpromisesbetterresultsforlesswork,allwhiledeliveringanaestheticqualitythatappealstoourartisticandevenspiritualnatures.Buttoomuchsimplicityendsupmakingusobliviousandindifferenttoagreatdealofriskwemaynevernoticeuntiltheaftermathofanincident.Oversimplificationhappenswhenanorganizationisnotcarefulenoughabouthowmuchrealityitiswillingtogiveupinthenameofefficiency.

HRSPsgreetpromisesofsimplicityliketheywouldgreetasalespersonwhowalksthroughthedoorpromisingthattheirproductdoesmore,doesitbetter,andcostsless.HRSPstakethemarketingbrochurewithalargegrainofsaltandstartaskinghardquestions.Theyactivelyandaggressivelydistrustandchallengeattemptstoboildowncomplexsystemsandprocessesintoeasilydigestedlabels,categories,orpictures.Insteadofemphasizinghowmuchworkasimplerapproachsavesthem,anHRSPwantspeopletoconsiderhowmuchhastobehiddenawayfromviewinordertoachievethatlevelofreducedcomplexity.Sacrificetoomuchrealitytothemodelandyoudestabilizeyourabilitytorespondtoyourownsystem.

InfoSecprogramsthatleveragethesecurityvalueofcomplexityavoidoversimplificationfirstbychangingtheirattitudeaboutcomplexity,muchthesamewaythatsecurityprogramsthatembracethesecurityvalueoffailurefirstchangetheirattitudeaboutfailure.Simplicityincreasesuncertaintyinsecurity,andoversimplifyingcreatesrisk.Therefore,anHRSPsimplifiesonlywhenthereisaclearneedforitandaclearunderstandingofwhatisbeinghiddenforthesakeofsimplification.InanHRSP,peopleareconditionedtopayattentiontowhatisbeingignoredandtopointouttheassumptionsthathavetobeacceptedinorderforasimplifiedmodelorframeworktoevenwork.Asimilaritybetweenthesecurityvalueofcomplexityandthesecurityvalueofoperationsisthatbothareconcernedwithcomparingwhatisbelievedwithwhatisreal.Asecurityframeworkmaydowondersatdescribingsometheoreticalfuturestate,along

withthe10,20,or100discreteelementsthatgetyouthere.HRSPsworryaboutthecurrentstateandhowthemilliondiscreteelementsalreadyinplaywillinfluencethosetheframeworkprioritizes.

FormalizeYourAssumptionsAssumptionsareorganizedcollectionsofuncertainty,dedicatedtoaspecificpurpose.Theyarementaltacticsthatallowustoacceptthingsastruewithoutanyproof.Assumptionsallowustotakeashortcutaroundproblemsofevidencebyignoringourlackofit.Scientistsmakeassumptionsallthetime.Groupsandindividualsmakingassumptionscandosotemporarily,toworkthroughpartofaproblem,ortheycandoitpermanentlybytransformingthoseassumptionsintobiasesandprejudices.Justbecausesomethingisanassumption,orevenaprejudice,thatdoesnotautomaticallymakeituntrue.Itjustmeansthatthosewhomakeithavelittleornoempiricalevidencetosupporttheirassertionofbelief.

Byvirtueoftheirdesiretoreducethenumberanddegreeofsimplificationstheyengagein,HRSPsnaturallytrytoreducethenumberofassumptionsthathavetobefactoredintosecuritydecisions.WhenHRSPsdomakeassumptions,theyattempttoformalizethem.Thisincludesidentifyingthem,documentingthem,andmakingthatdocumentationavailabletoothers.Asuccessfulauditiscauseforcelebration,butthesecurityteamwillalsobeconsideringeverythingithasacceptedatfacevalue,fromthecompetenceoftheauditortothecomprehensivenessofwhatwastested.

Formal,documentedassumptionsprovidebothapapertrailforwhenthingsgowrongandanopportunitytoidentifynewsourcesofdataandinsight.Theyallowtheorganizationtotrackandmanageuncertaintyaroundsecuritydecisionmaking,whichisoneproxyforsecurityrisk.Formalassumptionsarealsoaveryvaluable,butmuchunderutilized,complementtosecurityframeworks,regulatoryregimes,andprogramplansandstrategies.Comparingandratingtheseorganizationaltoolsaccordingtotheamountofrealitytheyforceyoutoignoretoreaptheirbenefitshassecurityaswellaseconomicvalue,similartothevalueofunderstandingthetotalcostofownershipoverthelifeofthewhiz-bangnewproductlinethatsalespersonhascometopitchtoyou.

CovetEmpiricalEvidenceCovetingsomethingmeansmorethanjustwantingit.Itmeanswantingitverymuch,tothepointofobsessiveness.Recognizingthesecurityvalueof

complexity,HRSPscovetdataandevidencebecausetheyareneversatisfiedwithhowlittleorhowmuchtheyknowabouttheirthreatenvironment,theirsecurityposture,andtheirdecisionsinregardtoboth.It’snotjustaquestionofmetrics,performanceindicators,ordashboards.HRSPswantevidence-basedsecuritymanagementandscientificlevelsofjustification,evenwhentheyknowthosethingsmaynotbepossiblewiththeinformationathand.

OnereasonthatHRSPscovetempiricalevidenceisaninversionofanargumentusedbymanytraditionalsecurityprofessionals,namelythatsecurityeffectivenessisverydifficulttomeasurebecauseit’simpossibletoproveanegative.Ifyouputinsecuritytechnologyanddon’tgethacked,youcan’tproveyoudidn’tgethackedbecauseyouputinthesecuritytechnology.This“logic”hasbeenthebasisofanynumberofmeasurementandmetricsargumentsIhavefoundmyselfdrawninto,anditwouldseemtomakesense.Howcanyouprovesomethingthatyoudidpreventedsomethingthatneverhappened?Butaspresented,it’safalsechoice,predicatedontheassumptionthattheunderlyingmeasurementofsecurityeffectivenessistheabsenceofsecurityfailure.And,asI’vediscussedatlengthinthissectionofthebook,that’sanimpossibleandmeaninglessdefinitionthateventhesecurityindustrynolongerbelieves.Buttheargumentstillgetsmade.

Thesecurityvalueofcomplexitycannotberealizedaslongasinformationsecurityprogramsinsistontryingtounderstandtheircomplexsystemsusingonlylimitedsourcesandtypesofdataandevidence.Ignoringinformationbecauseitishardtocollectormeasure,orbecausewetrustmachinesmorethanwetrustpeople,istoacceptadeliberatehandicap.Low-hangingfruiteventuallyallgetspicked.Ifyouwantmoretoeat,you’regoingtohavetoworkalittlebit(oralot)climbinghigherintothetree.

LimitingthedataweusetosupportourInfoSecprogrammeanslimitingthevocabularywecanusetodiscussourprogramandthesecurityitprovidesorfacilitates.Whenwelimitourabilitytodescribeanddiscusssecurity,welimitthewaysweareabletothinkaboutit.Thatleavesinformationsecurityveryvulnerabletodisruptionbyanythingnovel,andthesedaysitfeelslikeeverythinginthethreatworldisnovel.HRSPsworkhardtothinkintermsofquestionsthatneedtobeanswered,notdatathatareeasilyavailable.Wantingsomethingbecauseit’scheapandmediocredoesn’tworkforsecurityevidenceanymorethanitdoesforconsumerorindustrialproducts.Notallluxuryisaboutstatusorostentation.HRSPscovetqualityevidencebecauseitgivesthemcapabilitiestheycan’tfindinthecommoditybrands.Goodempiricalevidenceanswersimportantquestionsandallowssecuritytocompetemoreeffectivelyin

theorganization.

EvidenceandFalsifiabilityHitchens’Razorisanaxiomnamedafterthelatejournalistandskeptic,ChristopherHitchens,whocoineditfromaLatinproverb.Theaxiomstates,“Whatcanbeassertedwithoutevidencecanbedismissedwithoutevidence.”Inotherwords,ifyoumakeaclaimforsomethingandyoucan’tprovideanysupportingdata,Iamfreetorefuteyourclaimwithoutanysupportingdataofmyown.Theresponsibilityofproofisplacedonthepartymakingaparticularclaim.Whenhelpingwithsecuritymeasurement,IencourageCISOsandsecuritymanagerstomakeHitchens’Razoracoretenetoftheirprograms,bothoffensivelyanddefensively.Youcan’texpectenterprisesupportorresourcesifyoucannotbackupyoursecurityclaimswithevidence,butneitherdoyouhavetoacceptargumentsagainsttheneedforsecuritywhentheyarenotsupportedbydata.

Anotherinterestingconceptregardingevidenceandtruthisthatoffalsifiability,whichoriginatedwithKarlPopper,aphilosopherofscience.Popper’sargumentwasthatforatheorytobetrulyscientific,itmustbecapableofbeingprovenfalsethroughempiricalinquiry.Youhavetobeabletotestatheory.Ifyoucan’ttestitbyobservationorexperiment,thenthe“theory”isjustameaninglessstatement.Taketwoexamplesfromsecurity.IfItellmyinformationsecurityvendorthatIdon’tneedthevendor’sproductbecauseIhavenosecurityvulnerabilities,that’safalsifiablestatementandthushasscientificmeaning.Myvendorcoulddoapenetrationtest,andiftheyfoundavulnerablesystem,mytheorythatIhavenosecurityvulnerabilitieswouldbeinstantlyinvalidated.That’sscience.Butifmyvendortellsmemysystemhasbeenhacked,Ijustdon’tknowityet,that’snotsomethingIcantestempirically.NomatterhowmanytimesIfindnoevidenceofattack,Ican’tdisprovethetheorythattheremightbeonethatImissed.SoIcanneverprovethevendor’s“theory”wrong.Thatmaybeagreatmarketingtechnique,butit’snotrationalscience.

SharetheDoubtHRSPsrunonskepticismandanobsessionwithtakingnothingforgranted.

Theyworrythattheyaren’tfindingtheirfailures,thattheydon’tknowwhat’sreallygoingonoperationally,andthattheirmodelsandframeworksaremissingtheinformationtheyneedtostaysafeandsecure.Asthissectionoutlines,therearequiteafewhabitsandbehaviorsthattheseorganizationsadopttoovercometheirdoubtsandfears,andoneofthemostimportantissharingthosedoubtsinsideandoutsideofthesecurityprogram.

Simplificationhappensformanyreasons,andoneofthemisthatanorganizationreliesonanexperiencebasethatistoolimited.Ifeveryonesharesthesameskills,background,andexperiences,thechancesincreasethateveryonewilllookataprobleminthesameway.Diversitybenefitspsychologicalecosystemsinthesamewaythatitbenefitsbiologicalortechnologicalones.Whenyouaddpeoplewithdifferentbackgroundsandopinionstothemixandencouragethemtointeract,yougetmoreideasandmorenuancedviewsoftheenvironmentandthechallengesitoffers.Specialistsareveryvaluablewhenitcomestoengagingonaspecific,targetedproblem,likewhattodoaboutasoftwareflawinwidelydeployedsoftware.Ifyoubringinabunchofexperiencedsoftwareengineers,theycandeconstructthatproblemquicklyandeffectively.That’swhattheydo.Butifyouaskthatsamespecializedgroupofsoftwareengineerstobrainstormthefivebiggestsecuritythreatstoyourorganization,youshouldnotbesurprisedifalloftheirrepliesaresoftwarerelated.Afterall,that’swhattheydo.

HRSPsencouragebroaderexperienceandvaluegeneralknowledgeasmuchasspecializedskills.JacksandJillsofalltradesarewelcomedfortheirabilitytomixandmashupdifferentconceptsandinsightsintonewknowledge.Thisincludescomingupwithnovelideasaswellasnovelproblemswithexistingideas.HRSPsapplythesecurityvalueofcomplexitytoskepticismanddoubtbyencouragingeveryonetopokeholesintheories,spotlogicalandconceptualflaws,andrelatechallengestheyseeinotherareastotheonesunderdiscussion.

Itisnotenoughtojustbringtogetherspecialistsfromdifferentareas,aswellasgeneralists,andletthemtalk.HRSPsunderstandthatsocialnormsandpoliticsmayimpedefranknesseveninsuchbrainstorminggroups,sotheydeliberatelyandofficiallygivetheseparticipantsthespaceandfreedomtoquestionandcriticizeeachother’sideasandarguments.Whethertheseinteractionsareconductedinpersonthroughfocusedgroupactivitiesorbyremoteandasynchronouspeerreviewsystemsorsomeothermeans,structureshavetobecreatedtoensurethateveryonefeelssafeandwelcomewhilesharing.Thisbecomesaleadershipresponsibilityfortheorganization,toemphasizethatthegoaloftheprocessistoharnessthecollectivewisdomoftheorganizationfor

thebenefitofeveryone.

MakeEveryModelBetterAspredictorsofrealphenomena,modelsarekindofmeanttobebroken.Youbuildone,testitagainstreality,andrealizethatit’sprettyflawed,soyourejectthatspecificmodelandgoaboutcreatinganewone.Thatprocesshasbeenatthecoreofscientificinquiryforprettymuchtheentirehistoryofscience.Modelsareprettypoorsubstitutesfortherichcomplexityofarealsystem,beitweather,thestockmarket,ororganizationalculture.Ontheotherhand,modelsallowustodescribeanddeconstructthosesystemsmuchmoreeasilyandcheaplythanifwehadtodescribeorre-createthewholethingwithcompleteaccuracy.It’satrade-off.Wecansqueezeplentyofinsightandpredictivepoweroutofevenanimperfectmodel,butcomparedtoreality,mostmodelspossessapotentialforimprovementthatapproachesinfinity.

AcareerininformationsecurityhasbroughtmetotheconclusionthatthemodelingcapabilitiesandskillsofmostInfoSecprogramsareprettyunsophisticated.Webuildmodelsallthetime,andweusemodelseverywhere,butwerarelyquestionorevenconsidertheassumptionsonwhichourmodelsarebased,andwedon’tdomuchtotestthosemodelsorattempttomakethembetter.Heatmapsaremodels,annuallossexpectancyisamodel,andcomplianceframeworksaremodels,butinmanycases,wehavebeenusingthesamemodels,almostasis,fordecades.Whenwedoimproveamodel,it’softenmoreaboutmakingthemodel“quantitative”or“prettier”thanabouttestingitsassumptionsortheresultswegetfromit.Thethingis,badmodelsmakeforbadsecurity.Andimperfectmodelsthatneverchangeorareneverupdatedbecausetheyarenevertestedforaccuracyarenotgoodmodels.

HRSPsknowthatmodelsmustgrowandevolvetostayrelevant,especiallywhentheyarebeingusedfordecisionsupport.Luckily,modelsaregenerativeifyouallowthemtobe.Theyproducetherawmaterialsnecessaryforimprovingthemodel,namelytheresultsofthemodelandtheerrorsinthoseresults,asafunctionoftheiroperation.Anymodelthatisdevelopedshouldbeaccompaniedbyaformalsetofassumptionsthatdefineswhatthesimulationhastoleaveoutinordertowork,andHRSPsalreadymakeahabitofthisbehavior,asI’vedescribed.Next,anypredictionsorinsightsgeneratedbythemodelmustbetestedagainstthesystembeingsimulated.Didthemodelpredictaneventoralevelofloss?Didthatreallyoccur?Ifyes,thengreat,wecanbeginlookingathowthemodelmightbeexpandedtopredictothersystembehaviors.Ifno,thenthat’sokaytoo,solongaswecangobackanddecidewheretochangeour

assumptionsandtweakthemodelbasedontherealoutcomes.

AssessingYourComplexityValueBehaviorsUsetheSecurityFORCESurveyandSecurityFORCEMetricstodeterminehowwellyourorganizationadherestothekeycomplexityvaluebehaviorsandtoprovideempiricalevidenceofthosebehaviors.

ScoringtheComplexityValueBehaviorSurveyTheSecurityFORCESurveyincludesstatementsrelatedtothesecurityvalueofcomplexity.ThefivestatementsunderSecurityValueofComplexityarelistedinthesampleoftheFORCESurveyshowninFigure14-1.Aswithpreviouschapters,scoringassumesLikertresponsesnormalizedona1to5scale:


Figure14-1FORCEValueSurveystatementsforcomplexityvaluebehaviors

Forcomplexityvaluebehaviors,anaveragescoreof4orgreaterindicatesthattheorganizationbehavesinwaysthatwillminimizeoversimplificationandreducerisksassociatedwithblindspotsandunrealizedassumptionsregardingtheorganizedcomplexityoftheinformationsecurityenvironment.Anaveragescoreof2orbelowindicatesthattheorganizationdoesnotbehavelikeanHRSPandismorelikelytooversimplifytheinformationsecurityenvironmentandthechallengesthesecurityprogramfaces,andmaycreateandincreaseriskanduncertaintybynotmakingassumptionsexplicit,bynotcollectingsufficientevidencetosupportassertionsordecisions,andbyusingoutdatedorflawedframeworksandmodels.

FORCEValueMetricsforComplexityTheFORCEValueMetricsforcomplexity,providingadditionalmeasuresofHRSPbehavioralalignment,canbefoundinFigure14-2.

Figure14-2FORCEValueMetricsforcomplexityvaluebehaviors

UsingtheFORCEComplexityValueMetricsThefiveFORCEMetricsassociatedwiththevalueofcomplexityassesshowwelltheorganizationmanagesuncertaintyandavoidsoversimplificationintheinformationsecurityprogram.Thesemeasuresareintendedtobeappliedbroadlyacrosspeople,processes,andtechnology.SomeofthemetricsthemselvesrepresentcomplexandhighlyuncertainaspectsofInfoSec,andmayrequirenecessarysimplificationtocollectandanalyze.Allaresuggestionsandnon-exhaustive,andshouldbeused,adapted,orsupplementedasappropriate.

Number,type,andcomplexityofadoptedorganizationalframeworksOrganizationsshouldunderstandhowdependenttheyareupondifferentconceptualframeworksandmodelsusedtomanageinformationsecurityforthebusiness.Collectingdataonthenumberofframeworksormodelsused,alongwithanalysisofhowtheywork,canhelptheorganizationdecidehowmuchuncertaintyitisaccepting.Usingtoomanyconstructionsthatareoverlysimplisticorpoorlyunderstoodandappliedcanproduceresultsthatobscuremoreinsightthantheyreveal.Theorganizationshouldunderstandifitsframeworksandmodelsareconceptual,descriptive,ortechnical,andwhether

assumptionsforeachconstructhavebeenfullyandformallydocumented.Ananalysisofcomplexityshouldalsobeperformedonframeworksandmodels,althoughthisisnecessarilyalooselydefinedterm.Ataminimum,frameworksandmodelsshouldbeassignedcomplexityratingsthatresultfromhowmanyinputsaframeworkormodelallows,howmanyassumptionsarenecessaryforittofunctioncorrectly,andhowmuchvariabilityisallowedintheresults.Oversimplifiedframeworksandmodelstendtolimitinputsandresults,whilerequiringuserstoignorelargenumbersofpotentialinfluences,inorderfortheconstructtoworkproperly.

Averagetimetoorganizationaldecisions(frominitialproposal,throughdebateordeliberation,tofinalresolution)Putverysimply,howlongdoesittaketheorganizationtomakeadecisiononaverage?Aredecisionsthoughtfulanddeliberated,withdebateandinputcomingfrommanydifferentareas?Ordotheygetmadequickly,byafewpeopleclosetothedecisionitself,perhapsthen“rubberstamped”throughotherareasoftheorganization?Justbecauseafirmmakesdecisionsquicklyorwithoutwideconsensusdoesnotmeanthatitislosingoutonthevalueofcomplexity.Butifanorganization’sdecision-makingprocesstendstobefastandnotveryrigorous,thiscouldbeasignthatoversimplificationismorelikelytooccurduringthatprocess.

AveragenumberofdatapointscollectedinsupportofindividualorganizationaldecisionsThismeasurementisanotheronethatmaybehighlyvariableinitscollectionandanalysis.Adatapointcanrefertojustaboutanythingthatgoestowardssupportingaparticulardecision,althoughIdefinethetermasaspecificitemofempirical(observable)evidencethatiscollectedandpresentedinordertoinfluenceadecisionmaker.Themoredatapointsthatanorganizationcanreasonablyandefficientlycollect,thebetter.Ifanorganizationismakingitsdecisionsononlyafewdatapoints,itislikelythatthevalueofcomplexityisnotbeingfullyrealizedorexploited.

Numberofformalreviewsofsecurityplansbynon-securitystakeholdersinthepastyearLiketheotherFORCEMetricsconcernedwithsharinginformationandcollaboratingoninformationsecuritydecisions,thismeasurementassesseshowwellaninformationsecurityprogramisaskingforfeedback,assumptions,andcriticismsfromotherstakeholdersinthefirm,especiallyoneswhomayseedifferentorganizationalprioritiesasbeingmoreimportantthanInfoSec.Themorereviewssubjectedtooutsidereviewandscrutiny,thebetterthechancethatinaccurateorincompleteassumptionscanbe

identifiedregardinghowsecuritywillfunction.

NumberofoutcomeandmodelingevaluationsconductedinthepastyearIftheframeworksandmodelsusedbyanorganizationarenotsubjecttoreviewandassessmentonaregularbasis,theyruntheriskoflosingtheirrelevanceandaccuracy.Equallyimportant,evaluatingtheeffectivenessofmodelsandframeworksbycomparingexpectationswithresultsistheonlywaybywhichtheseconstructscanbeshowntobeaccurateintheirpredictiveordescriptivecapabilities.Basinginformationsecurityonamodelthatconsistentlydeliversinaccurateresultscreatesrisk,butunlessthatmodelisauditedtoensurethattheresultsitproducesmatchwhatreallyoccurs,itisveryunlikelythatinaccuraciesorerrorsinthemodelwilleverbedetected.Everymodelorframeworkusedbytheorganizationshouldbeevaluatedperiodicallytoensureitisstillmeetingtheorganization’sneeds.

ImprovingYourComplexityValueBehaviorsReturningtoWarrenWeaverandtheideaoforganizedcomplexity,itisdifficulttounderstatethesignificanceofhisdifferentiationbetweentypesofcomplexity.Thesecurityindustrytodayhasbecomeveryconcernedwithcomplexity,butIbelievethatitmaynotappreciatehowenormousisthesizeofthewrenchthatisthrownintotheanalyticalgearboxwhenasystemmovesfromdisorganizedtoorganizedcomplexity.Thepromiseofbigdatahasbeentoutedasbeingabletofindpatternsthatwillallowustopredictsystembehaviorinaggregate,evenwhenwecannotpredictthebehaviorofindividualsystemcomponents.Butthatassumesdisorganizedcomplexity,whereeverythinginthesystemfollowsthesamerules,whichcanbedetermined.Whencomplexitystartsorganizingitself,yougetdifferentrulesindifferentpartsofthesystem,andthedistributionoforganizationmayitselfberandom.That’snotasystemwithamillionthingsbehavingindividuallyaccordingtocomplicatedrules.It’sasystemcomposedofmillionsofthosesystems,alldoingtheirownthingbutimpactingeachother.Itmaybepossibletoanalyzethattoo,butWeaver’spointwasthatwehaven’tdiscoveredhowtodoityet.

HRSPsdon’ttrytodiscoverhowtoanalyzeandpredictsystemsoforganizedcomplexity.Theysimplytrytofindwaystosurviveandthrivewithinthosesystems.Theydothisbyfacingtheimplicationsheadon.Youwillneverunderstandexactlywhyyoursecuritysystemsbehavethewaythattheydo.Youmayunderstandatechnologyproductprettywell,butpeoplearepartofthat

systemtoo,andoncetheygetinvolved,allbetsareoff.Youcanmanageagainstthecomplexity,butyouwillalwaysinevitablybesurprisedbyemergentbehavior.Insteadofhopingthingsworkthewaytheypredicted,HRSPsspendagreatdealoftimeandeffortthinkingaboutthewaystheywon’t.

Improvingcomplexityvaluebehaviorscan,paradoxically,beliberating.Whenyouacceptthatyouarenotincompletecontrol,youcanstopputtingsomucheffortintoconvincingothersthatyouare.Itopensupavenuesforcollaborationandcooperationthatarefruitfulandevenpleasant,breakingdownbarriersbetweenthesilosoftheorganizationandinvitingpeopletoworktogethertomastertheircomplex,surprisingenvironments.Peopleareproblemsolversbynature,andpeople-centricsecuritydevotesitselftosolvingnotonlytheproblemsthatcomefromspecificthreatsorvulnerabilities,butalsotheproblemsthatcomefromthelackofinteractionandsharingofinformationthatkeepspeoplelockedintorisk-inducingbehaviorsinthefirstplace.ComplexityisthemostdirectlinkbetweentheSecurityFORCEBehavioralModelandtheCompetingSecurityCulturesFramework,addressingtherelationshipsbetweenhumanbeingsthatcausecomplexitytobecomeorganizedtobeginwith.

EmbedComplexityValueintotheSecurityProgramGivingupillusionsofcontrolandbreakingdownbarriersbetweengroupswillchallengeanysecurityprogram.Specializationpluspoliticsequalsturf,andtakingandholdingterritoryisanotherthingthatpeoplehavebecomegoodatoverthelifeofourspecies.Manyofuswillnotgiveupthoseinstinctseasily,whethertheyconcernourhomes,ourjobtitles,orourideas.Butsomanyofoursecurityproblemstodayemergefromexactlythesebehaviorsthatitisnearlyimpossibletofindamoreappropriatecandidatefororganizationalchange.Tothrive,maybeeventosurviveasafield,informationsecuritywillhavetogrowmoreinthenextdecadethanithasinitsentirehistory.Itisalreadystartingtodoso,butthechangesthathavetohappenarenothingshortofincredible.Fiveyearsago,whenItalkedtopublishersandsecuritypractitionersaboutwantingtowriteabookoncultureandthesociologicalaspectsofsecurity,IgotweirdlooksandsuggestionsthatmaybeIshouldgetajobinacademia.TodaywhenImentionthesetopicsIcanevenmanagetogetsomehard-coreengineersandpractitionerstonodtheirheadsinagreement.

Securityhashitaninflectionpointwherewerealizejusthowlittleweknowaboutwhyoursystemsworkordon’twork.Inthescrambletocometogripswiththatknowledge,wearealltakingacrashcourseinthesecurityvalueofcomplexity.Somesecurityprogramswillharnessitbetterthanothers,putitto

moreproductiveuse.AndsomeofthoseprogramswilldoitsowellthattheyfindthemselvesmorphingintoHRSPs.

ThinkBiggerThinkingbiggermeansthinkingaboutbiggergoals,biggerchallenges,andbiggerstakes.Informationsecurityisonesetoforganizedcomplexitieslivingwithinalargercomplexsystem.Theboundariesbetweenthesubsystems—betweensecurityandotherbusinessgroups,orbetweentechnologyandpeople—arebothrealandimaginary.Securityteamscantapintothevalueofcomplexitybypracticingsomethingtheydowellinalotofothercontexts:deliberatelyignoringthings.Wemakeassumptionsinourmodelsandourframeworks,foregroundingordeemphasizingthingsasnecessary.Informationsecuritycandothesamethingataprogramlevel.Wecantryignoringorganizationalboundariesanddivisionsinfavorofassumingthattheentireenterprisefunctionsasasingleorganism.Howwouldorshouldthatchangethepurposeandbehaviorofthesecurityprogram?Orperhapswecouldassumethatthecontributionsandobjectivesofotherorganizationalstakeholdersareequaltoourown,ignoringourownfeelingsthatsecuritymustbegivenpriority.Howwouldthatchangeourbehavior?Woulditencourageustobemoreinclusiveandcomplementaryinourownactivities?

Wecanbuildsuchnewsecuritybehavioralmodelswithoutforgetting,orevenbelieving,theassumptionsthatwemake.Allwehavetocareaboutisgivingourselvesamoresophisticatedinsightintohowtheentiresystemworks,onethatmightevenimproveouranalyticalandpredictivecapabilitiesformanagingandgrowingourownprograms.Atthesametime,learningthesebehaviorscanalsomaketheentireorganizationbetter.InformationdiscoveryandsharingarecentraltoHRSPactivity,somethingthatshouldbeclearfromthebehaviorsdescribedforeachoftheSecurityFORCEvalues.Nooneinanorganizationcanorshouldholdamonopolyoninformation,eventhosetaskedwithsecuringit.

AcceptWhatWeAlreadyKnowAnironyofthesecurityvalueofcomplexityisthatpeoplealreadyknowtheyarenotincontrol.Theideathattheworldiscapriciousandunpredictable,andhumanbeingsevenmoreso,isembeddedinhumanbeliefandculture.Wecantrytooutwitorcontrolnature,butmostofusacceptthatwearesmallbeingsinabiguniverse.Weneedtoembedthatsameresignationintooursecurityprograms.

Beingresignedtotheinnateunpredictabilityoftheworldisnotsynonymouswithdespair.Ifanything,itcanmeantheopposite.IthinkthatsomeofthesenseofdefeatismImentionedearlyinthebook,whichIseepermeatingtheinformationsecurityfieldtoday,resultsfromourrepeatedfrustrationandhorrorwatchingthecontrolwethoughtwehadbesweptawaylikedust.Ifyouhaveyourbest-laidplansandallyourhardworkinvalidatedinthemostbrutalwayimaginableafewtimes,youcanbeforgivenforthinkingtheworld’souttogetyou.Butit’snot.It’sjustthattherearemorethingsinheavenandearththanarecurrentlydreamtofinourphilosophy.Whenathousandthingscanhappen,butdayinanddayoutyouinsistthereareonlythree,youareboundtoberegularlysurprisedanddisappointed.It’saboutexpandingoursenseofwhat’spossible.

FurtherReadingJohnson,Neil.SimplyComplexity:AClearGuidetoComplexityTheory.Oxford:OneworldPublications,2009.Popper,Karl.TheLogicofScientificDiscovery.NewYork:BasicBooks,1959.Weaver,Warren.“ScienceandComplexity.”AmericanScientist36:536(1948).Whorf,Benjamin.“TheRelationofHabitualThoughtandBehaviortoLanguage.”Availableathttp://languageandhistory-rz.wikidot.com.

http://languageandhistory-rz.wikidot.com

O

CHAPTER15

TheSecurityValueofExpertise

vertheyearsthatImanagedpenetrationtestingengagements,Iranintoacuriousphenomenonregardingexpertise.Expertiseshouldbesomethingrespectedforitsownsake.Ifyouknowyourstuff,thatknowledgeshouldinviterespectfromothers.Atleastthat’showit’ssupposedtowork.Oneofthereasonsconsultantsandspecialists(suchaspenetrationtesters)arehiredandpaidpremiumratesistheassumptionthattheyknowmorethantheorganizationsthathirethemabouttheirparticularareasofexpertise.That’swhymyteamofsecurityengineerswasroutinelyhiredtotestcustomers’informationsecurityinfrastructureforvulnerabilities.Ourteamwouldengageacustomer,theengineerswouldruntheirreconnaissanceandprimaryscans,performsecondaryexploitation,ownwhateversystemstheycould,andthenreportflawsandfindings.Theexpectationwasthatwewoulduncoverthingsourclientdidn’tknowwerethere,becauseweweretheexperts.Butoverandover,aswewouldbegintoreportthevulnerabilitieswehadidentifiedtothetechnicalgroupsinchargeoftheinformationsecurityinfrastructure,theywouldbeunsurprised.Sometimesmyteamwouldfindthingsthatthesegroupshadtolduswewouldfindbeforeweevenstartedthefirstprobes.Andoftentheywouldbepositivelyhappythattheengineershadmanagedtobreakintoandownacriticalsystem.“Weknewallaboutthis,”wouldbethegeneralexplanationforwhysomethingsobadmadethemfeelsogood.“Butnoonelistenstous.Wehadtopaybigmoneytooutsideexpertstoproveit.Nowthatyouguysfoundthesameproblem,managementwillhavetolistentous.”

Expertiseisnotjustaboutknowingsomethingwell.It’salsoaboutproximity.Beingclosetosomethingcanmakeyouuniquelyqualifiedtojudgeit.Butbeing

localisadouble-edgedsword.Organizationsexistandsucceedbymanagingadelicatebalancebetweenthelocalandtheglobal,betweenstrategyandtactics.Thefurtherupthehierarchyonegets,themoreimportantbecomesbig-picture,generalizedexpertise.Youhavetoknowalittlebitaboutanawfullottomanageacomplex,distributedorganization.Butasbroadexpertiseincreases,narrowexpertisetendstobelost.ACISOwhostartedoutasabrilliantsecurityengineerbackinthedayprobablyfindsshenolongerhasthetimetofocusonthedetailssheonceknewinsideandout.Nowshehasdifferentsetofknowledgeandskills,morefocusedonmanagingpeopleandpoliticsthanindividualsystems(thatlevelofmanagementispusheddownwardtosubordinates).Organizationalchartsarereallyjustthetechnicalblueprintsfororganizationaldelegation,mapsofdecisionflowswithinanenterprise.

Problemswithenterpriseeffectivenessbeginwhenhierarchiesandorganizationalchartsstopmappingdynamicflowsofinformationandauthority,andinsteadbegintoshowonlythelocationsandboundariesofpowercenters.Thecorruptinginfluenceofpowerisapeople-centricproblemacrossallorganizations.Egoandgreedmaysupplantdutyandresponsibility.Whenpeoplecaremoreabouttheirpersonalstatusandpositionthantheydoaboutthesuccessoftheorganization,instabilitycanresult.Inthecaseofinformationsecurity,thiscreatesuncertaintyandrisk,especiallywhensomethinggoeswrong.

SecurityFORCEisaboutimprovingorganizationaleffectiveness,particularlyinthefaceofcrisis,bybringingtotheforegroundtheprioritiesandbehaviorsthatenablemorehighlyreliableresults.Expertiseistooimportanttoanorganization’sperformancetosquanderitsvalueorlimititsavailabilitywhenitismostneeded.

WhatIstheSecurityValueofExpertise?Powerandauthorityarenotinherentlyorinevitablybadthings.Theyarerequirementsforjustaboutanylarge-scalecollectiveactivity.Ifeveryoneisdoingtheirownthing,undertheirownauthorityandsubjecttotheirownwhims,thenit’sonlybyluckthatsomethingcollectivehappensatall.Thedangerthatpowerandauthorityposetoorganizationsistwofold:first,individualpowermaybecomemorevaluedculturallythancollectiveexpertiseandresponsibility;andsecond,theauthoritytomakedecisionsmaybecomeaprivilegethatisreservedonlyforthosewithpower.

HRSPstakeadvantageofthesecurityvalueofexpertisebyfightingtheurge

tovaluepoweroverknowledgeandskill.Theyrecognizethatpowerisrelativeandthatauthorityisacommoditytheorganizationhastoputtogooduse.Powercanbemismanagedanditcanbewasted,justlikemoney,electricity,ortime.Whenoptimized,authorityflowsthroughtheorganizationtotheplaceswhereitisneeded,whenitisneeded.Expertisedefineswhereandwhenthoseneedsexist,anditmeansmakingauthoritymorefluidsothatdecisionscanbemadebythepeopleclosesttotheproblemandwiththebestinformationregardinghowtoaddressit.

FilterYourWater,NotYourInformationMostpeoplearetrainedfromaveryyoungagetorespectauthority.Parents,teachersandcoaches,bosses,politicians,andprofessionalexpertsofallstripesareallheldupaspeopleweshouldrespect,listento,andobey.Werebelagainstsomeofthem,expressdisdainandskepticismforothers,butmostofushaveauthorityfiguresinourlivestowhomwedefer.Theymayhavedirectpoweroverus,likeouremployer,ortheymayhaveadifferentsortofpower.Ihavenotlivedundermyparents’authoritysincealongtimeago,butthatdoesn’tmeantheycannotstillexercisesomepartoftheirauthorityoverme,evenifit’sonlytomakemefeelalittleguiltyfornotcallingorvisitingmoreoften.Andwhentheyaskmeforadviceaboutsomething,eveninsituationswhereI’mstronglyagainstwhattheymaywanttohear,Ihaveahardtimejustbluntlygivingmyopinion.Unlikemycolleagues,orevensomeofmyclosefriends,whenitcomestoMomandDad,Itrynottohurttheirfeelingswithmyhonesty.

Theproblemwithsparingsomeone’sfeelingsbynotbeingcompletelyhonestisthatitdoesnothelpthemtomakethebestdecisions.Whenfilteringmyopinionformymother’ssake,theconsequencesareusuallysmall.Shemaybuyalow-qualityapplianceagainstmyadvicebecauseshewantstosavesomemoney.Butinsecurityprogramsandotherorganizations,filteringtheinformationIgivetothepeoplewhoareseniortomecanhavemoredireeffects.ImaybereluctanttoshareordisclosebadnewsorproblemsIbelieveexist.Imaydothisformanydifferentreasons.MaybeIassumethat,becausetheyareuppermanagement,theymustbemorecompetentorknowledgeableandalreadyknowwhatIknow.MaybeIknowthat’snottrueandthatthereisrealreasonforconcern,butIworrythatpushingbadnewsupthechainofcommandcouldhurtmycareerorinviteunwantedattention.Whateverthereason,andwhoever’sresponsibilityitisforthosefiltersbeingimposedinthefirstplace,informationfilteringisadangerouspracticeforanyorganization.Beingtoldthateverythingisfine,oreventhatit’snotasbadasitreallyis,worksonlyuntilaneventor

situationcomesalongthatexposestheliebehindallthefakeoptimism.Theneveryoneislefttofigureouthowthingswentfromutopiatothezombieapocalypseovernight.

StructuralAuthorityvs.StructuralKnowledgeHRSPstrytomitigatetherisksthatcomewhenexpertiseandlocalknowledgearesuppressed,eitherunintentionallyorbydesign,byauthorityandpower.Theyknowthatwheresomeonesitsinanorganizationalchartmayhaveverylittlecorrelationwithhowmuchthatpersonknowsaboutaparticularsituation,especiallysomethinglikeaninformationsecurityfailure.Expectingthatvisibilityintoasecurityincidentwillcorrespondtohowhighsomeonesitsinthemanagementhierarchyonlymakesitlikelythattheorganizationwillbeflyingrelativelyblind.Powerandexpertisetendtobetwoseparatebutinteractivesystemswithinanyenterprise.Power,embodiedinauthoritystructureslikejobtitles,organizationalcharts,andmanagementchains,defineswhocanmakedecisions.Expertise,embodiedinknowledgestructureslikeindividualandteamexperience,availableskillsandtraining,andtheinformalandsituationalinformationthatonlyexistswhenpeopleworkcloselytothesystemsthemselves,defineswhatdecisionsneedtobemade.

Strikingabalancebetweenorganizationalauthorityandorganizationalknowledgeoftenisdifficult.Peoplewithoutpowerandorganizationalstaturecanendupfeeling(andbeingtreated)liketheyareinvisible,eveniftheyknowmoreaboutwhat’sreallygoingonthananyoneelse.Andthehighersomeonerisesinthehierarchy,themoretheymaybetemptedtofeelsuperiorinsteadofjustsenior.Theproblemsthatarisewhenonestructurehasmoresaythantheotherarenotjusttheoretical.InManagingtheUnexpected,WeickandSutcliffecitetheofficialreportontheproblemsatNASAthatledtotheaccidentthatdestroyedtheColumbiaspaceshuttle.OnekeycauseofthetragedywasthatNASA,overtheyears,haddevelopedachain-of-commandstructurethatoverrodeallothersourcesofinformation,includingthetechnicalknowledgeandexperienceofNASA’sownengineers.Asaresult,problemsweredownplayedandignoreduntiltheyturnedintocatastrophe.

InanHRSP,thegoalbecomesoneofneverallowingtheinfluenceofonestructuretooutweighorovercometheinfluenceofanother.Whatthisusuallymeansinpracticeisprotectingexpertiseandknowledgefrombecomingsubservienttoauthorityandpower.Experienceandinsight“fromthetrenches”shouldalwaysbevaluedandrespected,evenwhen(andmaybeespeciallywhen)itcontradictswhatseniorleadersthinkorwhattheywanttohear.Thisis

accomplishedbyassigningexpertiseandknowledgeitsownbrandofauthority,thesamekindofauthoritythatwereserveforotherspecialistsandprofessionalswecalluponinlife.Ifyouvisitamechanicandhetellsyouthatyouneedanewtransmission,orifyouseeadoctorandshetellsyouthatyouneedtogoonmedicineforsomeillnessyouhave,youmaynotlikethenews.Butyouareunlikelytoignorethem,evenifyouownthegarageinwhichthemechanicworksorareaboardmemberofthedoctor’shospital.IgnoringordownplayingsecurityproblemsreportedbyyourInfoSecteamjustbecauseyouhaveenoughpowertodosois,touseatechnicalterm,dumb.

Optimally,decisionsinanHRSPareroutedtothepointswhereauthorityandexpertiseintersect.Theycanmovebackandforthbetweentheknowledgestructureandtheauthoritystructure.Insomecases,itisamatterofquickresponse,likewhenfactoryworkerscanshutdownanassemblylineiftheyseeaproblem.Inothers,itisamatterofwhohasthebestvisibilityandinsight.Seniormembersofanorganizationarenotwithouttheirownspecializedexpertise,alljokesandpointy-hairedcartooncharactersaside.Somedecisionsmayimpactmultiplesetsofstakeholdersandneedtobemadenotbyatechnicianbutbyapolitician.

BobandClaraRevisited:MigratingAuthorityEarlyoninthebook,IintroducedBobandClara.Bobwasthesafetyofficerinmyvendorconferencewhotriggeredanevacuationoverburntbacon.Clarawasthesoftwaredeveloperwhogotherprojectdoneontimebutfoundoutlaterthecornersshecutonsecurityresultedinasecurityvulnerabilityinhercompany’sproduct.Bothoftheseindividualsrepresentexpertswhomadedecisions.Andbothareexamplesofhowandwhyauthoritytomakeparticularsecuritydecisionsoftenneedtomigratetothepersonintheorganizationwhohasthebestexpertisetomakethatdecision.

InBob’scase,authoritymovedtherightway.Itwentdownthechainofcommandtofindthebestpersontomakethecall.Thecompanyhadalreadythoughtaboutthesescenariosand,atleastinthecaseofphysicalsafety,practicedasystemofmarryinguppowerwithexpertise.Bobwastherecognizedexpert,sothedecisionwashisandeveryonedeferredtohim,eventheexecutivesrunningtheevent.ThefactthatBob’sevacuationorderprovedunnecessarywasbothfortunateandbesidethepoint.Imagineifoneofthecompany’sVPshaddecidedthatBobwasoverreactingandcountermandedhisdirectiveintheinterestoftime,onlytohavepeoplehurt

orevenkilledinarealfire.Thatscenarioismorelikewhathappenedafterthesensitivedocumentwasdiscoveredinthebreakoutroomduringtheconference,albeitwithoutsuchphysicallydireconsequences.Whetherbecauseofanabsenceofidentifiedexpertiseorsomeotherreason,thedecisiontochastisetheaudienceandmoveonratherthaninvestigateaseriouslapseinsecuritymigratedtotheseniorexecutiveintheroom,whodidnotapparentlyhavetheexpertisetorecognizetheseverityoftheproblem.

ForClara,authoritymovedthewrongway.Itshouldhavegoneupthechainofcommand.Clara’sdecisionwasnotbetweenfinishinghersecuritytestingorfinishingtheprojectontime.Thatwasonlytheimmediatescenario.Instead,Clarahadtodecidebetweentwospecificenterpriserisks.Oneriskwastheimpactonthefirmofpotentiallydelayinganimportantproductrelease.Theotherriskwasthefutureimpactonthefirmshouldavulnerabilitybediscoveredintheproduct.Thoseriskscutacrossmultiplestakeholdersandparameters,includingfinancialramifications,legalliabilities,andimpactsonthecorporatebrand,tonameafew.Claradidnothavetheexpertisetomakethatdecision,althoughbydefaultshehadtheauthority.Theexpertisetodealwithdecisionsregardingenterpriseriskisjustwhatyouwouldhopetofindinseniormanagement,whohavewidervisibilityandmoreinsightintoconsequencesatthecorporatelevel.Butthepeoplebestpositionedtomakethatcallwereneverinformed,inpartbecauseClarawasafraidthatinbringingthebadnewstomanagementshewouldbepunishedinsteadofrewarded.Andsoshewas,alongwitheveryoneelse,butonlyafteritwastoolatetoaskforhelp.

WaitingfortheBigOneInorganizationsinsomesectors,likecommercialaviation,healthcare,andthemilitary,processandprocedurecanapproachalmostreligiousstatus.Policies,procedures,andchecklistscanevolvetocoveralmosteveryconceivablescenariothattheorganizationhasdealtwithorhasbeenabletothinkof.Membersandemployeesoftheseorganizationscanbecomesoindoctrinatedintostandardizedwaysofdoingthingsthatthosewaysbecomeunconsciousritual.Inmanycasesthisworks,sometimesexceptionallywell.AtulGawande’sbookTheChecklistManifestodemonstratesthepositivesideofchecklist-drivenactivity,andGawandemakesastrongcaseformeticulouslyfollowingstandardizedprocedures.Butwhathappenswhensomethingtakesplacethatyouhavenever

experiencedbeforeandhaveneverthoughtof?Whathappenswhenthereisnochecklist?Theironyofallthatusefulstandardizationisthatitcan,incertainscenarios,makeabadsituationmuchworse.Wheneveryoneisusedtodoingthingsexactlyacertainway,notbeingabletodoitthatwaycancauseparalysis.Thesystemmaylockup,literallyandfiguratively.Informationsecuritystruggleswiththisbalance,betweentheunarguablevalueofdefinedprocessesandchecklistproceduresandthedangerofturningthosesamechecklistsintoacrutchthatrelievespeopleoftheresponsibilitytothinkandadapt.

Bureaucracyisafantasticstabilizer,likeorganizationalconcretethatcanfixprocessesinplacesothattheylastdecades,evencenturies.Butconcreteisrigidandnotveryadaptableonceithardens.That’swhywehavewreckingballs.Bureaucracycanalsobebatteredandcrushedintodust.Somecompaniesdojustthatafteraserioussecurityincident.TheCISOisfired(oraCISOishired,iftherewasn’tonebefore).Theexistingorganizationalchartandtechnologyinfrastructuresmaygettorndownandreplaced.Perhapstheentiresecurityprogramismovedintoanotherpartoftheenterprise.Butifattheconclusionofthatprocessallthatresultsisanewbureaucracy,adifferentstructurewiththesamerigidity,what’sreallychanged?It’slikerebuildingafteranearthquake.Ifyoudon’tchangethefundamentalprinciplesandtrytomakebuildingslesssusceptibletounforeseenshocks,you’restartingoutonborrowedtime.

HRSPsuseexpertiseandauthoritytomaketheirorganizationslesspronetoshockslikestructuralengineersusebaseisolatorsorreinforcedconcretetomaketheirbuildingsearthquakeresistant.ThereiscertainlystructureinanHRSP.Peoplehaverolesandsuperiorsandsubordinates.Policiesandprocessesdefineactivity.Butwhenputunderstress,theorganizationadaptsbyfindingtherightcombinationofknowledgeandauthoritytorespond.Unlikeabuilding,wherephysicsandmechanicsdeterminewhichpiecesshiftandwhichabsorb,inanorganizationtheresistanceisaccomplishedthroughprocessesandnetworksofpeople,alongwithalltheknowledgeandskilltheypossess.Theyallowtheorganizationtotemporarilyshiftandreconfigureitself,managingthestressesandforcesitencounterswithoutcollapsing.

TheRoadtoDamascusEricSchlosser’sbookCommandandControl,aboutnuclearaccidentsduringtheColdWar,ismustreadingforanysecurityprofessional,particularlyforpeoplelikemewhoareinterestedinhowcompetingculturescreaterisk.Butmoreimmediately,CommandandControlspeakstothe

securityvalueofexpertise.Indescribingthe1980Damascus,Arkansas,incident,adeadlyaccidentatanuclearmissilesiloinArkansas,Schlosserrecountsstoryafterstorywithinthecrisiswherebreakdownsindecisionandauthorityflowsaddedtothedangeranduncertaintyoftheincident.Allalongtheway,theverynatureofthemilitary’srigidcommandsystem,controlledthroughmeticulousattentiontoprocedureandchecklistsandobsessivelydeferentialtoseniorityandrank,builtuporganizationalpressuresthatwereasdangerousasthefuelvaporsthatcausedthephysicalexplosion.

Schlosserwritesingreatlengthaboutthedependenceofthemissilecrewsonchecklists,whichpreciselydefinedeveryaspectofmissilecrewactivityandmaintenance.Addressingevery(supposedly)imaginabledetailofthecareandservicingoftheICBMstheAirForceowned,checklistsstructuredjustabouteveryaspectoflifeforthecrewsonduty.Butwhenasocketfromasocketwrenchamaintenancecrewmemberwasusingduringaroutineprocedurefellintothesiloandpuncturedoneofthemissile’sfueltanks,theAirForcesoonfoundoutitfacedasituationforwhichithadnochecklist.Withoutachecklist,themissilecrewandtheirsuperiorsliterallydidnotknowwhattodoandhadtogoaboutbuildingabrand-newchecklisttodealwithacrisistheywerealreadyinthemiddleof.Asauthoritymigratedupward,commandingofficersrefusedtotakeanyactionuntilthechecklistwasinplaceandproceduresestablishedonceagain.Realityforthemwastheprocess.Thebrownhazeoffuelvaporbuildingupinthesiloonlyexistedlocally.

Atthebottomofthechainofcommand,somelocalexpertschafedundertherestrictionsplaceduponthemastheywatchedthedangerbuildinginthesilobytheminute.Insomecasestheairmenandtechniciansobeyedtheorderstheyweregiven,somedoingsoevenastheyquestionedthedecisionsoftheirsuperiorofficers.Atothertimestheyrebelledagainsttheorderstheywerereceivingfrompeoplewhowerefarawayandmoreconcernedwithissuesofpublicrelationsandpolitics,insteadfavoringlocalexpertisethatmightsavetheirfriends’andcolleagues’lives.Intheend,nooneescapedunscathed.Onecrewmemberdiedandmanywereinjured,anoutcomethatwouldlikelyhavebeenlesscatastrophicifauthorityhadbeendelegatedtothelocallevel.Somecrewmemberswerepunishedbecausetheytookituponthemselvestoexerciselocalauthorityanywaybydisregardingorderstheythoughtmadenosense.Theentireincidentservedasademonstrationthatyousimplycannotplanforeverything,thatwhenfacingacompletely

novelscenario,onewherenoscriptorchecklistexists,theimportanceofreconfiguringorganizationalexpertiseandauthoritytomeetthenewchallengecanmeanthedifferencebetweenlifeanddeath.It’salessonasvaluableforHRSPsasitisfornuclearmissilecrews,tobesure.

ExpertiseKeyValueBehaviorsThesecretoforganizationalexpertiseisthateveryonepossessesit.Expertiseisnotlimitedbyrankinthehierarchyorsalaryorpoliticalstatus.It’snotevenlimitedtoasinglepersonatatime.Expertiseisanorganizationalcapability,abyproductofhumancapital.Bydefinition,everyoneinanorganizationisanexpertinsomething,possessessomespecializedknowledgeabouthisorherjobfunctionsthatnooneelsepossesses(exceptperhapsotherswhoholdthesameposition).Thisevenappliestopeoplewhodon’tdomuchworkatall—itoftentakesagreatdealofskilltoavoiddoinganything.HRSPsutilizethesecurityvalueofexpertisetomaketheirorganizationsmoresuppleandnimble,especiallywhenfacinganincidentoracrisiseventthattheyhavenotencounteredpreviously.

HRSPswanttofunctioninastableandpredictablewayjustlikeanyotherorganization,butduringasecurityincidenttheyalsowanttobeabletoreconfigurethemselves,oratleasttheirinformationandauthorityflows.Insteadofslowlyandinefficientlyforcinginformationupthechainanddecisionsbackdown,expertiseandauthorityarecombinedwherevertheyaremostneeded.It’saprocessthatcannotbeaccomplishedifitisnotembeddedinculture,inmutualrespectandtrustthatovercomenaturaldesiresforcontrolandpower,whichisprobablywhyitisoneofthehardestsetsofbehaviorsforanHRSPtomaintainovertime.Thebehaviorsthatcharacterizethesecurityvalueofexpertiseinclude

AsktheexpertsSuppresstheegosAllowauthoritytomigrateSharecredibilityRewardcallstoactionandcriesforhelp

AsktheExperts

Strangeasitmayseem,giventhelargeamountofmediacoverageofinformationsecuritybreachesandgiventhehighlevelofimportancebeingplacedoninformationsecuritybymanysectorsofsociety,Iregularlyencountersituationswherethepeopleinanorganizationwhoknowthemostaboutsecurityarenottheoneswhogetaskedforinputaboutit.Thisoftenhappensnotbecauseofanydeliberatepolicy,butasaresultofthebasicdisconnectIdescribedearlierwithregardtohiringexternalpentesters.Companiesknowtheyhavesecurityexperts,hiredandtrainedtoperformthatrole.Butwhenthecommunicationofexpertknowledgehastobechanneledupthroughsuccessivelayersofmanagement,thetemptationbythoselayerstoshapeandcontrolthemessagecanbeoverwhelming.I’vemetveryfewboardmembersorseniorexecutiveswhodonotwanttobetoldifthereisaseriousproblemintheorganization,yetI’vealsometmorethanafewfront-lineandmiddlemanagerswhoactivelyavoidhavingtotellhigher-upswhensuchaseriousproblemexists.

Therearealsocaseswhereexpertsaren’taskedforinputbecausetheirexpertiseis,orseemstobe,sooperationalorspecializedthatmostpeoplecan’tordon’tunderstandit.It’shumannaturetodownplaytheimportanceofthingsthatwedonotfullycomprehend,aswellastopretendweknowmoreaboutthemthanwedowhenwemakeourdecisions.Itcutsbothways.I’vetalkedtosecurityengineersandadministratorswhoareconvincedthatseniormanagersare“cluelesssuits”whohavenobusinessrunningacompanybecausetheydon’tknowthe“obvious”answerstoinformationsecurityissues.Ifthesecurityengineeroradministratorcanseetheproblemsoclearly,howcantheexecutivenot?Fromtheexecutive’sstandpoint,theengineeroradministratormaycomeacrossasaparochialspecialist,convincedthatinformationsecurityisthemostimportantthinginthecompany,wheninfactitisjustonemorevariableinacomplexbusinessequation.

InanHRSP,expertiseisvaluedforitsownsakeandformstheorganization’scognitivecapabilitytodealwiththefailure,operations,resilienceand,especially,complexitythatmustbemanagedtocreateeffectivesecurity.HRSPsarealwaystryingtofindnewsourcesofexpertiseandfindoutwhattheyknow.Athigherlevelsinthebureaucracythatmeansunderstandingdifferentstakeholderpositionsandrequirementssoastobetteradaptsecuritytothebusiness.Atthelowerlevelsitmeansidentifyingwhocantellyouthemostaboutwhateveritisyoumayneedtoknow,regardlessofthatperson’srankorpoliticalclout.Whetherthepersonisthepatchanalystwhounderstandsallthethingsthatcangowrongupdatingevenvulnerablesoftware,thesecurityguardwhoknowswhichentrancesaremostsusceptibletotailgating,orthe

administrativeassistantwhoisnotevenpartoftheInfoSecprogrambutknowsthepasswordsofhalftheexecutivestaffbecausetheykeepgivingthemtoheragainstcompanypolicywhentheyaretoobusytodosomethingthemselves,allthesepeoplepossessprivilegedknowledgethatisindependentoftheirlevelofprivilege.

SuppresstheEgosNaturally,someorganizationsaremoreegalitarianthanothers.Inthebestcases,theideaofpullingtogetherasateamisnotjustacliché.Thatdoesn’tnecessarilymeanthereisnorankororganizationalhierarchy,althoughcompanieshaveexperimentedwithgoingdownthatpathtoo.Fosteringamorecommunalworkplaceenvironmentisinvoguethesedays,whichincludesapproachessuchasadoptingopenfloorplans,abandoningperformancereviews,andlaunchinginternalcampaignstocreateasenseofcommunityandevenfamilyinsidetheorganization.Sometimestheseapproachesarelessthansincere,andtheydon’talwaysworkevenwhentheyaresincere,buttheirgrowingpopularityreflectsasensethatpromotingtrustandasenseofsharedpurposeaddsenterprisevalue.

Equalitydoesn’tmeanthateveryonegetspaidthesamesalary,hasthesamejobtitle,ordoesnothavetotakeordersfromanyoneelse.Rather,equalitymeansthatnooneintheorganizationisconsideredanymorevitalthananyoneelse.Acustomertoldmeagreatanecdotethatillustratesthisperfectly,aboutameetinginwhichthecustomer’sCEOdiscussedanewcompensationplan.Underthenewplan,thenumberofemployeesreceivingbonuseswasgoingtobeexpandedgreatly.Oneemployeeexpressedsomeconcernthatthecompanywasrewardingpeoplewhohadnothingtodowiththecorebusinessanddidn’tdeservethesamebonusasthepeopleinmoremission-criticalroles.TheCEOrespondedbyholdinguphishandtoshowthewatchonhiswrist,thenaskedtheemployeetopointoutwhichpartsofthewatchwerenot“missioncritical”andcouldthereforebethrownout.

Gettingridofegotisminbusinessislikegettingridofsecurityvulnerabilitiesincommercialsoftware:anadmirablebutnotveryrealisticgoal.HRSPsdonotattempttosuppressegoaltogetherortodiscourageasenseofprideinindividualaccomplishments,buttheydounderstandthategotismcanleadtoarroganceandarrogancecanmakeasecurityproblemexponentiallyworse.Nooneinamodernorganizationisresponsibleforallthesuccess,nomatterhowtalentedtheyare.HRSPstrytomakeanotherclichéreality,thatsecurityiseveryone’sresponsibility.Manyorganizationsinvokethisphrasewhentheywanttoemphasizethateveryonehastofollowsecuritypoliciesnomatterwhatposition

theyholdorwheretheywork.HRSPsusethephraseasamantrareflectingthesecurityvalueofexpertise.Ifyouknowmoreaboutyourindividualjobthananyoneelseintheorganization,thenyouknowbestabouthowsecurityworksinthecontextofthatjob.Thesecurityvalueofexpertisemeansthatyouhavearesponsibilitytoshareyourknowledgewiththerestoftheenterpriseandthatotherpeoplehavearesponsibilitytorespectwhatyouknowandaskforyourinsight.Itdoesn’tmatterifthatpersonisyourcolleagueinthecubenextdoororthechairmanoftheboard.

AllowAuthoritytoMigrateThereareafewprerequisitesforthekeybehaviorofallowingauthoritytomigratewithintheorganization:knowingwhereexpertiseexistsandaskingforhelpfromthosewhopossessit,andsuppressingtheegotismthatmightmakethoserequestsmoredifficult.Oncemore,it’simportanttodifferentiatebetweenacompletelyopenauthoritystructure,whereone’sexpertisedefinesone’spower,andanadaptablestructure,wheretheorganizationcandeliberatelyloosenthecontrolsandfreeupdecisionauthorityifnecessary.HRSPsdonothavetobeanymoredemocraticthananyothersecurityprogram.Whattheydobetteristorecognizethattherearesomescenarios,usuallysecurityeventsthatturnthenormalorderofthingsonitshead,wherearigidcommand-and-controlhierarchyisnotthebestapproachandismorelikelytoexacerbatethesituation.Inthesecases,theorganizationrestructurestemporarilytomeetthenewchallenges.Authoritygoestowhereit’sgoingtobeofmostimmediateuse,andexpertisedefineswherethatis.

Allowingauthoritytomigratemeansthat,undercertaincircumstances,actualdecisionauthoritywillbedelegatedelsewherewithintheorganization,usuallydownwardtotheindividualsandteamsclosesttotheaffectedsystems.Forinformationsecurity,thismightmeanplacingalotmorepowerinthehandsoftheCISOtoproactivelyrespondtoanincident.Morelikelystill,itmeansallowingfront-linemanagersandengineeringteamstomakeexecutivedecisionsaboutwhatneedstobedoneinacrisis.Underthesechallengingcircumstances,seniorleaderswillstayinconstantcontact,offeringtheirsupportandanyadvicetheycanprovide,buttheywillstayoutofthewaywhilethepeopleclosesttotheworkmakethedecisions.Formanyorganizations,justthesuggestionofthisarrangementisenoughtomakepeopleuncomfortable,buttimeandtimeagain,fromNASAtonuclearmissileteamstocommercialenterprises,whenseniorleadersinsistonmicromanagingfluidandimmediatecrisisscenarios,theresultsarerarelygood.Timesimplydoesnotaffordtheluxuryofsendinginformation

aboutwhat’sgoingonupanddownthechainofcommand.Often,bythetimeonepieceofinformationreachesapointwheresomeonecanmakeadecision,thesituationhaschangedagainandthatdecisionnolongermakessense.

Thekeytomarryingauthoritywithexpertiseintheenterpriseistoidentifythesubjectmatterexpertsyoumayneedbeforethecrisisoccurs,sothatlookingfortherightpeopletotakethehelmisnotamatterofblindguessingorluckofthedrawinthemidstofextremecircumstance.Andseniorleadersdon’tjusthandoverthereinsandsay“callmewhenyou’redone.”Theystayontopofthesituationandmonitorit,puttingthemselvesatthereadyforwhencircumstancesrequireauthoritytomigratebacktothem.Duringasecurityincident,youprobablydon’twanttheCEOdecidingwhetherornotaparticularserverneedstobetakenofflineanymorethanyouwanttheserver’sadministratortomakethecallaboutwhetherornottoalertthepress.

ShareCredibilityAuthorityandcredibilityaretightlycoupled.Thosewithoutthelattertendtolosetheformer.HRSPsdotheirbesttoensurethatexpertiseisrecognizedandrespectedthroughouttheorganization,thatitbringswithitthecredibilitynecessarytomakepeopleacceptthatadesignatedpersoncanbesafelygivenauthorityduringanincidentorevent.Ensuringthatexpertiseisrecognizedandrespectedisaccomplishedinpartbyputtingeffortandresourcesintobuildinghumancapital,asIhavediscussedpreviously.People’straining,skills,andexperiencehavetobeofficiallyrecognizedandsupportedforthistofunction.Inacrisis,peopleatalllevelsoftheorganizationhavetotrustthattheirfellowmembersnotonlyarewillingtohelp,butpossesstheabilitytohelp.Ifonegroupthinksanothergroupisincompetent,thelikelihoodislowthatthefirstgroupisgoingtofollowthelattergroup’sleadwhendisasterlooms.InmyrecountingoftheMannGulchfireinChapter13,Idescribedhowseveralofthesmokejumpersbalkedattheforeman’sordertostartanotherfire,liedown,andletitpassoverthem.Becausetheteamhadnotworkedtogetherextensively,theforemanlackedcredibilitydespitehisextensiveexperience,andfailingtodefertohissuperiorexpertisecostseveralmentheirlives.

Thereisnosimpleprocessforsharingcredibilityinsideanorganization.Itisaculturaltrait,definedfirstbythebeliefthatexpertisemeanssomethingimportanttotheenterprise,andthenbyeveryonedemonstratingahealthylevelofrespectanddeferencetothosewhopossessexpertise.Sinceeveryonepossessessomelevelofspecializedexpertise,thismeansthatdeferencehastobecomesomethingofauniversalattribute.Itmustbeconstantlynurturedand

reinforcedthroughactionandexample.Thiscanbemoreeasilyaccomplishedinsmallercompanies,orevenfamily-ownedfirmswherethesenseofpersonalstakeismoreafeatureofeverydaylifethanitisinpubliccompanies.Buteveryorganizationthatwishestobehighlyreliableneedsalevelofdeferencetoexpertise.Ifitcan’tbeachievedthroughemotionalappeals,itneedstobedonestructurally,embeddedintomeetings,performancereviews,andtrainingprograms.Wheneverythinggoestohell,thelastthingtheorganizationcanaffordisforpeopletobequestioningwhetherornotthepeoplewhoarebestpositionedtodothejobarethebestpeopleforthejob.

RewardCallstoActionandCriesforHelpPartofthesecurityvalueofexpertiseforindividualsandorganizationsalikecomesfromknowingwhatexpertiseyouhaveandwhatknowledgeyou’relacking,andthenreactingappropriatelyinthemoment.HRSPsgooutoftheirwaytorewardnotonlyteamsandpeoplewhotakeactionbasedontheirexpertise,butalsopeoplewhorealizethatauthorityneedstomigrateandthusaskothersforhelp.Liketheotherkeybehaviors,knowingwhentoactandwhentodefertoothersrequiresbothasolidawarenessofwhereknowledgeandexpertiseexistwithintheorganizationandtheabilitytodecidewhichsituationscallforwhatkindofauthority.Trustandcredibilityarecrucialhere,becausenoteverydecisioninthemidstofafluidsituationisgoingtobethebestone.Therealquestionisnotwhetheradecisionwasrightornot,butwhethertherightpersonmadeit.Anyonecanscrewup,evenanexpert,butmigratingauthoritytotheproperexperttomakeadecisionisgoingtoincreasetheorganization’soddsofchoosingthebestpathforward.ThereisnogreatertestofcharacterforanHRSPthantorewardsomeoneformakingthewrongdecisionattherighttime.

Wetendtoreserveouradmirationandrespectforpeoplewhotakechargeinacrisis,showingtheirstrengthandmettlewhenothersaroundthemarepanicking.Buttheboldplayisn’talwaysthesmartone.Egotismandarrogancecanturnheroismintofoolhardinessaseasilyasfearandlackofconfidencecanparalyze.Bothareirrationalresponses,andneithergetsgreatresults.HRSPsexpecttheorganizationtoremainlevelheaded.Sometimesthatmeanstochargeahead,butitcanjustaseasilymeantofallbackandrequestreinforcements.HRSPsreservetheirpraiseandrewardforthetimeswhenexpertiseandauthorityareproperlyalignedandbroughttobearonaproblemorafailure.Themeasuresofsuccessaremuchlessaboutindividualpersonalitiesandmoreaboutwhatwaslikelytobringaboutthebestoutcomefortheentiresystem.Asanyonewhohaseverhadtoadmitthattheyareinovertheirheadunderstands,expressingyourweakness

andlimitationsandaskingsomeoneelseforhelpoftentakesalotmorecouragethanforgingaheadonyourown.Seniorleaderscanbeespeciallypronetotakingthelattercourse,oftenbecausetheyfeardamagingtheformidablereputationsthattheyhavebuiltovermanyyears.ButwhatmakesHRSPsworkdifferentlythanothersecurityteamsisexactlytheirabilitytoputthesecurityandstabilityoftheenterpriseaheadofanyindividualinsecuritiesorpersonalconcerns.

“We’reChangingtheWorld”OneofmyfavoritebooksinpolicystudiesisJamesScott’sSeeingLikeaState.Scott,aYalepoliticalscientistandanthropologist,setsouttodescribewhysomanyofthelarge-scaleattemptsatsocialengineeringinthe20thcenturyfailed,oftenterribly.Enormouscollectiveprojects,sometimesbyauthoritarianregimeswithneartotalcontroloftheircitizens,haveattemptedtotransformentirenationsinrelativelyshorttimespans.FromtheSovietUniontoChina,andfromTanzaniatoBrazil,countrieshavetriedtocollectivize,toindustrialize,andtocreateentirecitiesandsocietiesfromnothing.

Whentheseprojectsdidn’twork,theresultsrangedfromthemerelyepicfailuretocompletehorror,includingfamine,displacement,andsufferingonamassivescale.Somenationsweresetbackagenerationasaresultofthehubrisanddeterminationoftheirleaderstocreateorre-createanationalutopia.Evenwhentheresultswerelessdisastrousandtheoutcomelimitedtofailedcivilandengineeringprojectsthatneverquiteseemedtotake,thecostsremainedhuge.ForScott,thecauseofthesefailednation-buildingprojectswasfairlysimple.States,whetherembodiedbyadictatororagovernment,becomevictimsoftheirowngrandvisionwhentheylosetheconnectionbetweenthatvisionandtheeverydayknowledgeandpracticeofthemassesofpeoplewhoactuallycomprisethestate.Scottcalledthisignoredandmarginalizedpracticalknowledgemetis,anditrepresentedthecommon,everydayskillsandexperiencesofindividuals.InthecontextofHRSPs,expertiseisquitesimilartometis,andorganizationsneglectitattheirperil.

Thankfully,manyofthemassivecollectivistschemesofthelastcenturyappeartobeproductsoftheirplaceandtime.Butthatdoesn’tmeanwe’vesolvedtheproblem.The21stcenturyhasseenitsshareoflargesocialengineeringerrors,atthelevelofbothcountriesandorganizations,someofwhichechotheclashesbetweentheoryandpracticedescribedinSeeingLike

aState.Intheworstcases,theresultiswar,regionalinstability,andglobalfinancialcrises.Butthingsdon’thavetogetthatbadtoseeScott’scausesandgeneraleffectsonasmallerscaleinreorganizations,acquisitions,andfailedenterpriseimplementationsthatsomehowalwaysseemtoworkbetteronpaperthantheydoinreallife.Often,thereasontheseprojectscrashandburnisthesamedisconnectionbetweenauthorityandknowledge,betweenhigh-levelandlocalexperience,thatIhavediscussedinthischapter.Theedificesthatarebuiltarenotflexibleandadaptableenoughtowithstandthetremorsandshockstheymustendure,afatethatHRSPstrytoavoidbyharnessingthesecurityvalueofexpertise.

AssessingYourExpertiseValueBehaviorsUsetheSecurityFORCESurveyandSecurityFORCEMetricstodeterminehowwellyourorganizationadherestothekeyexpertisevaluebehaviorsandtoprovideempiricalevidenceofthosebehaviors.

ScoringtheExpertiseValueBehaviorSurveyTheSecurityFORCESurveyincludesstatementsrelatedtothesecurityvalueofexpertise.ThefivestatementsunderSecurityValueofExpertisearelistedinthesampleoftheFORCESurveyshowninFigure15-1.Aswithpreviouschapters,scoringassumesLikertresponsesnormalizedona1to5scale:


Figure15-1FORCEValueSurveyStatementsforExpertiseValueBehaviors

Forexpertisevaluebehaviors,anaveragescoreof4orgreaterindicatesthattheorganizationbehavesinwaysthatwillallowauthoritytomigrateandjoinupwiththeexpertiseneededtomakeeffectivedecisionsunderstress.Ascoreof2orbelowindicatesthattheorganizationdoesnotbehavelikeanHRSPandismorelikelytoexperienceproblemsofbureaucraticrigidityorlackofadaptabilitythatkeepstheexpertisenecessarytounderstandaproblemseparatedfromtheauthoritynecessarytoactonit.

FORCEValueMetricsforExpertiseTheFORCEValueMetricsforexpertise,providingadditionalmeasuresofHRSPbehavioralalignment,canbefoundinFigure15-2.

Figure15-2FORCEValueMetricsforexpertisevaluebehaviors

UsingtheFORCEExpertiseValueMetricsThefiveFORCEMetricsassociatedwiththevalueofexpertisedescribeanorganization’ssuccessatensuringthatexpertknowledgeisidentified,effectivelymanaged,andcoupledwiththepowertoactlocallywheredecisionmakingisrequiredinagivensituation.Theytrackthelocationofexpertiseandmigrationpathsofauthorityand,wherethesethingsdonotexist,offerinsightintohowtoincreasethevalueofexpertisefortheInfoSecprogram.AswithalltheFORCEMetrics,thesemeasurementsandindicatorsaresuggestionsandnon-exhaustive,andshouldbeused,adapted,orsupplementedasappropriate.

NumberofformalknowledgeorskillrepositoriesinplaceAnorganizationcannothopetomigrateauthoritytotherightdecisionmakersifitdoesnotknowwhereexpertise,knowledge,orspecializedskillscurrentlyexist.Knowledgeandskillrepositoriesareoftenthedomainofenterpriseknowledgemanagementprofessionals,andthesegroupsareagreatplacetobeginiftheinformationsecurityprogramisstartingfresh.Attheirmostsimple,theserepositoriesaresimplylistsanddatabasesoftheknowledgeandskillscurrentlyexistingwithinanorganization.Sourcescanincludetrainingandeducationrecords,job

descriptions,orcrowd-sourcedandself-selectedrepositories(apreviousemployerofmine,forexample,allowedeveryoneinthecorporatedirectorytoaddtheirskillsandknowledgetotheirdirectoryprofiles,thenmadethisinformationsearchableaspartofthedirectory).

NumberofpeoplewithsecurityresponsibilitieswrittenintotheirjobdescriptionsNothingsays“I’mresponsibleforthis…”likeexplicitlywritingitintoajobdescription.Fortheinformationsecurityteam,theseinclusionsarelikelytakenforgranted.Infact,iftheInfoSecprogramdoesn’tscore100%onthismetric,thenthatmaybethefirstplacetostart.Buttheorganizationshouldnotstopthere.Anyoneresponsiblefortechnologymanagementcertainlyshouldhavesomethingaboutsecuritybuiltintotheirjobrequirements.Asenterprisesecurityculturematures,securityresponsibilitiesshouldbecomemorewidespreadandmorespecificacrossalljobdescriptions,replacingthecurrentpracticeofmakingpeopleresponsibleforundergoingsecuritytrainingperiodically,whichisnotthesamething.Thepointistoachievemorethanjustaccountability.Ifacompanymakesanemployeeresponsibleforsomeaspectofinformationsecurityasajobrequirement,ittakesonresponsibilityofitsowntomakesuretheemployeeistrainedtodothatjob.Themorespecificandcomprehensivetheseresponsibilitiesget,themoretheycanfeedintoafunctionalrepositoryofexpertisethefirmcanleverage.

Numberofidentified“quickresponse”scenarioswithexpediteddecisionmakingThismeasurementcollectsdataregardinghowmany“decisionfastlanes”existwithintheorganization.Aquickresponsescenarioisonethathasalreadybeenidentifiedandanalyzedsuchthat,shoulditoccur,authorityimmediatelymigratestoapredeterminedlocusofexpertise,bethatagroup,afunctionalrole,oranindividual.Thinkofthesescenariosasparallelstructurestotheincidentordisasterscenariosthattheorganizationcreatesinanticipationofsecurityevents.Infact,aquickresponsescenariocanbeasbasicasanaddendumtoanexistingincidentordisasterscenariothatspecifieshowauthoritymigratesduringthatincident.Ausefulapplicationofthismetricistodeterminehowmuchcoordinationanorganizationwillhavetodoshouldasecurityincidentoccur.Ifafastlanehasnotbeenestablishedbeforehand,theorganizationcanassumethatinformationwillhavetotravelfromthepointoforiginordiscoveryoftheincidentthroughtheentirechainofauthorityandbackbeforeactioncanbetaken,eveniflocalexpertsalreadyknowthebestresponse.

Numberofdecisionownersforsecurityformallyassignedinthepast

yearAcorollaryindicatorwithtiestoboththeassignmentofsecurityresponsibilitiesandtheassignmentofownershipforassetsandrisk,decisionownersaredefinedasthepeopleinanorganizationwiththeauthoritytotakeactioninresponsetoasecurityevent.Decisionownersmaybelocal,forinstance,asystemadministratorwiththeauthoritytoimmediatelyrestrictaccessofanunrecognizeduseraccountonhismachine.Ortheymaybemoreremovedfromtheimmediateincidentbutlocaltootherconcerns,likethefirm’sgeneralcounsel,whoisresponsiblefordecidingwhentheorganizationnotifiestheauthoritiesorthepublicaboutthesecuritybreachthattheunknownuseraccountrepresents.Thepurposeofthismetricistocaptureandmakeavailablewherethesedecisionpointsexist.Ifnodecisionownersareassigned,thisagainisastrongindicatorthattheorganizationwillneedtotakeprecioustimetodetermineorcreatetheseinformationandauthorityflowsinthemidstofacrisis.

Numberofcross-functionalsecurity-relatedactivitiesorprojectsinthepastyear(initiatedinternallybytheinformationsecurityprogramorexternallybyotherstakeholders)ThismeasureassessesthesharingandcoordinationofexpertisebothwithintheInfoSecprogramandbetweenInfoSecandothergroupsandfunctionsoftheorganizationorbeyond(partners,vendors,regulators,etc.)Cross-functionalactivitiesarethosedevelopedwiththeintentoffosteringtheexplorationandsharingofexpertisebetweendifferentunits.Theymaybetrainingsessionsorknowledgesharingworkshops,buttheemphasisshouldbeontwoormoredifferentgroupscomingtogethertoshareknowledge,notonegroupdisseminatingcontentorteachinganother.Theselatteractivities,whileuseful,donotfosterthetwo-wayexchangeofinformationthatfacilitatesthevalueofexpertise.Cross-functionalinsightsareattainedwhenallthegroupspresenthaveachancetochallengeandcollaboratewitheachothersasequalpartners.Buttheseactivitiesdonothavetobeoverlyformalorburdensome.Anyopportunityforgroupstoobservehowothersmanageanddoinformationsecurity,especiallywhentheydodifferentthingsordothingsdifferentlyfromoneanother,isausefulexercise.

ImprovingYourExpertiseValueBehaviorsAlloftheSecurityFORCEvalueshavepsychologicalcomponents,requirementsthatanorganization’smemberschangethewaytheythinkaboutitsvaluesinordertoachievemorehighlyreliablesecurity.Butembracingthesecurityvalueofexpertisecanbedifficulttoencouragebehaviorally,asitchallengestheway

welookatourselvesandcompareourownsenseofvaluewiththatofothers.AsaFORCEvalue,leveragingthesecurityvalueofexpertisemeansfacinguptotheideathatsomepeoplearesmarterandmorecapablethanyouare,andthattheymaybebetterpositionedforsuccessincertainsituations.Italsomeansacceptingthatinothersituations,thesmartest,most-capablepersonintheroommaybeyou,whichcanbeanequallyscaryprospect.

Whenemotionistakenoutoftheequation,though,thelogicbecomesverysimple.Responseduringacrisisofanykind,includingsecurityincidents,requiresacombinationofknowledgeaboutcircumstancesandthepowertotakeactiononinformationabouttheproblem.Inefficienciesthatresultfromhavingtonegotiatebetweenthepeoplewhohavetheknowledgeandthepeoplewhohavethepowerdegradetheresponsecapabilityofthesystemasawhole;therefore,negotiationsofthistypeareunambiguouslybadiftheyreduceresponsetimeandeffectiveness,ormakethingsworse.Itisauniquelyhumanproblem,foundonlyincomplexsocialsystemswhereegoandpersonalagendashavetobefactoredintothemix.It’snotaproblemwefindintechnologysystems,wheresoftwareandhardwarecomponentsknowtheirplaceandfunctionunimpededbyegoorpolitics.Organizationalprogrammingsuchascultureismorecomplicated,sooursolutionshavetobemoresophisticatedtoo.

EmbedExpertiseValueintotheSecurityProgramBuildingbetterconduitsbetweenexpertiseandauthorityflowsrequiresacombinationofprocess,culture,andadesirebymembersofanorganizationtoovercomebarrierstotheirownsuccess.Aswehaveseen,actionsanddecisionshappenmoreefficientlywhentheyhavebecomehabit.SoHRSPstrytocreatehabitsofbehaviorthatmakesharingexpertise,credibility,andauthorityeasier.Buttheyalsofocusonpromotingtheculturalvaluesthatenablethosehabitstobecomeingrained.Thiscombinationcanbedifficulttogetright,butwhenthatisachieved,theresultcanbestunning:anorganizationthathasaclearcommand-and-controlstructureundernormalconditionsbutisabletoreconfigureitselfquicklyinacrisis,likesomesortofadvancedmaterial,adaptingtostress,shiftingstrengthandreactiontowhereitismostneeded,thenreturningtoitsoriginalformoncethecrisishaspassed.

MakeEveryoneaSensorIhaveanumberofhumblesensorsinmyhome.Mysmokealarmsareinexpensivecommodityappliancesdesignedtobenearlyinvisible.Timersand

alarmsofallsortsarescatteredthroughoutmyhouse.EventhenaturalgasIusetocookwithisembeddedwithtinymoleculesofchemical,probablymethylmercaptan,thatgivestheotherwiseodorlessgasitsfamiliarsulfursmellthatalertsmeofaleak(althoughtechnically,inthiscase,mynosebecomesthesensor).Iamfarmorepowerfulandevolvedthananyofthesedevices.Butwhentheytrigger,theyinstantlydemandmyfullattention.Undercertaincircumstances,Idependuponthemfortheirexpertise.

HRSPstakethatideaandrunwithit.LanceSpitznerlikestotalkabout“humansensors”withintheorganization,andIthinkit’sagreatanalogy,onethathasbeenexploredthroughouttheHROresearchliteratureaswell.Peoplearethemostsophisticatedsensorsthatanyorganizationwilleverhopetofield,capableoffarmorethantherelativelydumbstimulus-triggerlogicofevensophisticatedtechnologicalsensors.Anorganizationthatcaresaboutthesecurityvalueofexpertisewillneverignoreanypotentialsourceofusefuldata.Itwon’tcarewherethatsourcesitsinthepeckingorder,solongasit’sclosetotheactioninanygivensituation.ThechallengeanHRSPcaresaboutishowtoqueryallthesesensorseffectively,howtofindtheexpertise,toaskthoseexpertswhat’shappening,andmaybeevengivethemauthoritytotakeaction.

CreateDecisionFastLanesInformationneedstotravel.Weeventalkaboutinformationpipes,conduits,andhighways.Whenthosebecomecongestedorroadblocksareerected,toextendthemetaphor,communicationbreaksdown.Decisionsarejustaspecializedformofinformation.Knowingthattheymayfacescenarioswherethedistancebetweenknowledgeandauthorityneedstocollapsequickly,HRSPstrytocreateshortcutsaheadoftime,likeevacuationroutesorHOVlanesinthephysicalworld.AsaresultofotherSecurityFORCEbehaviors,theorganizationwillalreadyhaveconsideredmanyfailurescenarios,andpartofthoseconsiderationswillbeplansandcapabilitiesforquicklymarryingupexpertisewithpower.Bypredefiningcontingenciesinwhichauthoritywillmigrate,theorganizationgetsanimmediatejumponthings.AsImentionedearlier,thisisnotaboutseniormanagementremovingthemselvesfromtheequation.Duringasecurityincidentoranyothercrisis,organizationalleadersinanHRSPwillremainintimatelyinvolved,butinasupportingroleuntilsuchtimeasadecisionmustbemadethatrequirestheirownpersonalexpertise.

Alotofthediscussionaboutauthoritymigrationinvolvestop-downmovement,becausepowertendstobeconcentratedatthehigherlevelsoftheorganizationalchart.Butauthoritymayneedtoflowupwardaswell,especially

incaseswherelower-leveldecisionmakersmaynothaveallthebigpicturedataneededtomakedecisionsthathavelargerormorepoliticalramifications.Inthesecases,decisionfastlaneswillhavetoovercomedifferentobstacles.Insteadofconvincingmanagerstogiveuppowertemporarilytothosefurtherdownthehierarchy,upwardauthoritymigrationoftenhastoovercomethefilteringofinformationandsuppressionofbadnewsthatpreventsseniorleadersfromunderstandingtheriskstheymaybefacing.

ValueExpertisefromtheTopDownThesecurityvalueofexpertiseoftenhighlightswhatgoesonatthelowerendsoftheorganizationalchart,butthetruthisthatharnessingthatvaluestartswithenterpriseseniorleaders.Oneofthebestthingsaleadercandoistoaccepttheirownrelativepowerlessnessover,andignoranceabout,muchofwhatgoesonintheirenvironment.Settingahumbleexampleforothers,particularlysubordinates,canbetough.Muchofourtraditionalwaysofthinkingaboutbusinessputsindividualismonapedestal.ButlikethehomeofPercyShelley’sking,Ozymandias,thedesertislitteredwithbrokenpedestalsandtheremnantsofonceinvincibleempires.ThemythoftheindispensibleCEOhasbeenprettythoroughlybusted.Eventhebestexecutiveleadersaccomplishwhattheydoonlybecausetheydosoinpartnershipwithothers.Yetthatmythremainsresilientandenduringinindustryculture,oftenperpetuatedbythosewhotendtobenefitfromit.

EarlierinthechapterIreferencedSchlosser’sCommandandControl,withitsdescriptionsofdysfunctionalAirForcepowerdynamicsthatcontributedtoabadaccidentalmostliterallygoingnuclear.Letmeendthechapterbypointingoutthatthemilitaryisalsooneofthebestexamplesofanorganizationthatlivesandsometimesdiesbythevalueofexpertise.TheDamascusaccidentnotwithstanding,theU.S.militaryorchestratessomeofthemostefficientmarriagesofknowledgeandauthorityimaginable,andanygoodgeneralknowsthatsometimesyouhavetodependonthefactthatthesquadonthegroundistheonlyonethatcanmakethecall,andthenletthemmakeit.

FurtherReadingGawande,Atul.TheChecklistManifesto:HowtoGetThingsRight.NewYork:MetropolitanBooks,2009.

Schlosser,Eric.CommandandControl:NuclearWeapons,theDamascusIncident,andtheIllusionofSafety.NewYork:ThePenguinPress,2013.Scott,JamesC.SeeingLikeaState:HowCertainSchemestoImprovetheHumanConditionHaveFailed.NewHaven,CT:YaleUniversityPress,1998.

I

CHAPTER16

BehaviorandCulture:MasteringPeople-CentricSecurity

nChapter8Idiscussedhowtoimplementasecurityculturediagnosticproject,includinghowtogetsupportfortheproject,howtoexecutetheproject,andhowtointerpretandusetheresultscollectedfromtheSecurityCultureDiagnosticSurvey(SCDS)instrument.Chapter9madethepointthatdiagnosingandmeasuringsecuritycultureisnotthesamethingasimprovingandtransformingit.NowthatIhavepresentedboththeCompetingSecurityCulturesFramework(CSCF)andtheSecurityFORCEBehavioralModelindepth,wecanconsiderhowthesetwocomplementaryframeworkscanbecombinedtocreatecomprehensivepeople-centricsecuritytransformation.

WhatDoesSecurityCultureTransformationMean?Ihavediscussedsecurityculturetransformationinseveralcontextsandatseverallevelsduringthecourseofthebook.Transformingsecurityculturecanrefertoanumberofoutcomes,includingchangingexistingsecurityculturetypestodifferentones(forexample,fromaProcessCulturetoanAutonomyCulture);encouragingordiscouragingspecificculturaltraitsandbehaviorswithinasecurityculturetype(forexample,focusingonhowriskismanagedorhowfailureishandled);orgrowinganddevelopingabehavior-basedsecurityculturearoundadesiredmodel(forexample,SecurityFORCEandhighlyreliable

securityprograms).Theseresultsareallformsofsecurityculturetransformation.Buttheydon’tcapturethemorestructuralprocessoftransformation.Whenattemptingtogetstakeholderbuy-inforpeople-centricsecurity,itishelpfultoalsohaveasupportingstorytoexplainwhattransformationmeansintermsofthehowsandwhysoftheprocess.

DescribingTransformationinTermsofCulturalCapabilitiesMaturityAusefulwayoftellingastoryabouttheprocessoftransformingorganizationalcultureingeneral,andsecurityculturespecifically,istodiscusstransformationinthecontextofacapabilitiesmaturitymodel.MaturitymodelingfirstdevelopedattheSoftwareEngineeringInstituteofCarnegieMellonUniversityinthe1980sasawayofevaluatingandmanagingsoftwareengineeringcapabilities.Sincethencapabilitymaturitymodelinghasexpandedbeyonditsroots,andmaturitymodelshavebeenbuiltanddeployedasmoregeneralbusinessprocessimprovementtoolsacrossarangeofindustriesandfunctions,includingtraditionalsoftwaredevelopment,otherinformationtechnologyfunctions,andevenhumancapitalandresources.Assuch,maturitymodelswilllikelybefamiliartomanystakeholdersinvolvedinpeople-centricsecuritytransformation,eveniftheyarenotdirectlyassociatedwiththeInfoSecprogram.

Capabilitymaturitymodelsfocusonthevisibilityandmeasurabilityofa“capability,”suchasabusinessprocessorfunction,andwhethertheinsightsgainedfromobservingandmeasuringthecapabilityareeffectivelyusedtoimproveitovertime.Atthelowestlevelofmaturity,theorganizationperformsthecapabilityinawaythatispoorlyunderstood,informal,andhardtorepeatsystematically.Atthehighestlevel,theorganizationhasmasteredthecapabilitytothepointwhereitnotonlyknowshowtoperformitinawaythatiswellunderstood,formalized,andeasytorepeatsystematically,butalsoactivelyimprovesandoptimizeshowitperformsthecapabilitybasedonregularlycollectedmeasuresanddata.Scalesanddefinitionsvarywiththetypeandcreatorofthematuritymodel,butthescaleisusuallyavariationofa0-to-5scaleor1-to-5scale.

People-centricsecuritytransformationinvolvesbothculturalchangeandbehavioralchange.Buttransformationonlyhappensastheorganizationgetsbetteratunderstandingitselfandtakingactiononthoseinsights.TheCSCFandtheSecurityFORCEBehavioralModelaretoolsthatworkwithinthisstructure

ofincreasingmaturityandawareness,bothcontributingtoimprovedmaturityandbenefittingfromthatmaturityasitgrows.Communicatingthisprocesshelpspeopleunderstandhowtheorganization’ssecuritycultureischangingandthebenefitsthattheorganizationwillgetfromtransformation.

TheCulturalCapabilitiesMaturityModel:FormalizingCulturalMaturityIhavedevelopedmyownmaturitymodel,theCulturalCapabilitiesMaturityModel(CCMM),tofacilitatecommunicationandtogiveInfoSecprogramsanothertoolbywhichtotellthestoryofpeople-centricsecurity.LiketheFOXTROTcasestudyandmodelofthefinancialimpactofcultureonsecurityincidentlossesinChapter8,theCCMMismeanttobeonemorewaytodemonstratetostakeholderswhatthesecurityculturetransformationprojectisintendedtoaccomplish.NotethattheCCMMisnotlimitedtoonlyinformationsecurityculture.Itcanbeusedtodescribeorganizationalculturemuchmorebroadly.ButIwilllimitthediscussionheretoitsutilityinthecontextofasecurityculturetransformationproject.Figure16-1showstheCCMM.

Figure16-1TheCulturalCapabilitiesMaturityModel

TheCCMM,likeothermaturitymodels,dividesculturalcapabilitiesintofivelevelsofproficiency.Atthelowestlevel,cultureisnotunderstoodwellatallandpeopleintheorganizationoperateonaformofinstinct,reactively,withoutmuchinsightintowhytheorganizationworksthewayitdoes.ReturningtotheicebergmetaphorfromChapter3,theyarelikepeopleabovethesurfaceoftheicebergwhohavenoideawhatisbeneaththewaterlineorwhytheicebergmovesinthedirectionitdoes.Atthislevelofculturalmaturity,riskanduncertaintyarehigh.Theorganizationcannotidentifyculturaldeficienciesorcompetingprioritiesthatmaynegativelyimpactperformance.AtthetopleveloftheCCMM,theorganizationhasmastereditsownculturetothepointwhereitnotonlyunderstandswhypeoplebehaveastheydo,butcanshapeanddrivebehaviorasnecessary,quicklyandefficiently,tomeetjustaboutanychallenge.Theyarelikepeoplewhohavemappedtheentireicebergaboveandbelowthesurface,calculateditsmassanddensity,andcreatedmechanismstotowandpushitindifferentdirections.Culturalriskatthislevelislow,astheorganizationhasafullunderstandingofitsculture–performancelinkagesandcaneasilyadjusttochallenges.

Table16-1describesthespecificorganizationalproficienciesthatexistateachleveloftheCCMM.

Table16-1OrganizationalProficienciesWithinCCMMMaturityLevels

SupportingSecurityCultureTransformationwithSecurityFORCEProjectsJustastheSCDSisameansofidentifyingandevaluatingcompetingsecuritycultureswithintheCSCF,I’vedesignedtheSecurityFORCESurveyandSecurityFORCEMetricstobediagnostictoolsforuseinevaluatinghowcloselyanorganization’sbehaviorsalignwiththoseofaHighlyReliableSecurity

Program(HRSP).IhavetouchedonthesurveyandmetricsinrelationtoeachspecificFORCEvalueintheprecedingchapters.ThischapterlooksathowtopulleverythingtogethertocreateasimplescorecardthatcanbeusedtoquicklyshowstakeholdersandmanagementtheresultsofSecurityFORCEbehavioralassessments.

TheValueofaSecurityFORCEProjectImplementingandrunningaSecurityFORCEprojecthasalotincommonwithrunningasecurityculturediagnosticproject,whichIdiscussedinChapter8.Thetwoare,ideally,closelyrelated.IndevelopingtheCSCFandSCDS,Isawtheneedforaparallelmodelthatcouldallowsecurityprogramstoaddresspeople-centricsecurityatthebehaviorallevel,whichcanbemoretacticalandconcretethanculture.Theculture–behaviorlinkswithinthehigh-reliabilityorganization(HRO)research,discussedinChapter10,providedjustwhatIneededtocreatemySecurityFORCEModel.SecurityFORCEprojectscanandshouldbeusedinconjunctionwithSCDSprojectstoaddressculturaltransformationbothfromthetopdownandfromthebottomup.IwilldiscussSCDSandFORCEalignmentslaterinthechapter.

ManagingaSecurityFORCEProjectProjectmanagementissuesforaSecurityFORCEanalysisparallelthoseIenumeratedforSCDSprojectsinChapter8,butitneverhurtstoreview.Understandingthesimilaritiesanddifferencesbetweentheprojectswillbeespeciallyvaluablewhentheprojectsareconductedseparatelytoavoidredundantworkorstakeholders’perceptionofredundantworkwhenactivitiesaresimilarforbothtypesofprojects.

CostsandSchedulesProjectscostmoneyandtime,andimplementingaSecurityFORCEprojecttocomplementyourSCDSprojectwilladdtothosecosts.OnewaytoovercomethechallengeistotakeadvantageofscaleandcombineSCDSandFORCEworkintoasingleprojectorprogramplan.Eveniftheprojectswillbeundertakenseparately,budgetaryandoperationalplanningoverthecourseofquarterlyorannualcyclescanensureresourcesareavailableforthecompletesetofprojectsinadvance.ThiswaytheorganizationcantakeadvantageofthefactthatmostactivitiesforanSCDSprojectrequirethesametoolsandcapabilitiesasa

SecurityFORCEproject(includingsurvey-baseddatacollection,interviewsandprojectreviews,andlinkingbothprojectstopeople-centricsecuritytransformationefforts).Ifresourcesaretight,themodularnatureofbothSCDSprojectsandSecurityFORCEprojectsallowthemtobeconductedseparately,perhapsannuallyorsemiannually.Thegoodnewsaboutpeople-centricsecurityandtransformationisthatthereisliterallynorush.Culturestaketimetochange.

LeadershipSupportandEngagementAnoldsecurityindustryfriendofminerecentlygavemesomeexcellentadvice,aboutthisbooknoless.“ACISOisn’tgoingtolistentoyoujustbecauseyouhaveagoodidea,”hetoldme.“Youhavetotellhimspecificallyhowhisprogramwilldirectlybenefitfromyourgoodidea.”

I’veworkedhardtoliveuptomyfriend’sguidanceinthesepagesbyshowingtheconcretewaysthatcultureandbehaviorcanimpactsecuritybottomlines.Evenifyouarereadingthisandfindingyourselfagreeingwithmeoneverypoint,youwoulddowelltokeephiswordsinmind.Donotjustexpectyourpeople-centricsecurityprogram’sbenefitstobeself-evident,tospeakforthemselves.Youwillhavetoconstantlyreinforcethosebenefits,torecruitmanagementbuy-inthroughthem,andtomessagethemtoeverystakeholdergroupwhosesupportyourequire.

Ihaveespeciallytriedtopackthesechapters,includingthe“FurtherReading”sectionsattheendofeach,withmoreevidencefortheapproachesIpropose.Theseframeworksandtechniqueshavebeenwidelyandproductivelyappliedinindustriesotherthaninformationsecurity.Theyarenewonlytoinformationsecurity,butthereisnothingininformationsecuritythatwouldkeepthemfromworkingheretoo.Oneofthesellingpointsforseniorleadershipengagementissimpleinnovation,theopportunitytoputnewideastoworkontheorganizationalandpeopleside,justlikeaCISOlookstoleverageinnovationintechnology.Theinnovationspincanevenhelpselltheinevitableriskstoanysecurityproject,includingtransformationprojects.We’renottryingtokeepupwiththeproblem;we’retryingtogetaheadofit.Andgettingaheadoftomorrow’ssecurityfailuresisprobablyworthsomerationalexperimentationwithnewtechniquestoday,especiallysince,onceagain,theyaren’teventhatnew.You’rejusttakingthetestedworkofothersandbringingithome.

StakeholderEngagementStakeholdersforSecurityFORCEprojectswilltendtorequirethesamecareandfeedingasSCDSprojectstakeholders.Users,othermanagersandbusiness

owners,andevenexternalstakeholderssuchascustomersorauditorsmayhaveaninterestinorbeabletoaddvaluetoaproject.Partoftheoutreachprogramtocarryforwardapeople-centricsecuritymessageincludesnotonlyrecruitingparticipantseffectivelytogainsupportandexcitementfortheproject,butalsosharinginformationregardingfindingsandbehavioralchangestrategies.

SecurityFORCEcansometimesbeabitofaneasierselltostakeholdersduetoitsmoretacticalnatureandfocusedattentiononobservableactivity.Stakeholderscanoftendeterminewhetherit’sbettertoleadwithSecurityFORCEorwithSCDSandfullculturaltransformation.Eitherway,thejourneyendsinthesameplace.

RespondentsandDataAlloftheconsiderationsandcaveatsofSCDSprojectsapplytoSecurityFORCEprojects.Beforeconductingthesurvey,theorganizationshoulddetermineinadvancewhowillreceivethesurvey(asamplingofrespondentsorblanketdeliverytoeveryoneintheorganization?),howmetadataanddemographicinformationwillbecollected,andwhattheendgoalsoftheprojectare.ToolsforadministeringandanalyzingtheSecurityFORCEsurveyarethesameasthosefortheSCDS.Thesurveycanbedeliveredonpaper,byPDFform,oronline,whicheverisdesiredandappropriatewithintheorganization.AswiththeSCDS,respondentsshouldbetrainedpriortotakingtheSecurityFORCEsurvey.

ItisalsoworthreiteratingmypointsondemographicdataandprivacyfromChapter8.CollectingdemographicdataaboutrespondentscanprovideawealthofinformationtomaketheanalysisofSecurityFORCEvaluesandbehaviorsmoresophisticatedandrich.Butcollectingsuchdataalsobringsquestionsofprivacyandanonymityinbothconductingthesurveyandstoringresponsedata.InfoSecprogramsshouldconsiderhowtheywillensurethatrespondentsfeelsafeandcomfortableingivinghonestresponsestothesurveyorinreportingSecurityFORCEMetricstomanagement.Insomecases,personallyidentifiableinformationmaybeprotectedbypolicy,regulation,orlaw.Iftheorganizationdecidestocollectortrackrespondentdatainanyway,itisadvisabletoseekapprovalandadvicefromtheHumanResourcesandLegaldepartmentsbeforedoingso.

TheSecurityFORCEScorecard

Chapters11through15describedeachoftheSecurityFORCEvalues,includingkeybehaviorsforeachofthefiveFORCEvalues:failure,operations,resilience,complexity,andexpertise.EachchapterincludedthespecificSecurityFORCESurveystatementsandMetricsassociatedwiththevaluediscussedinthechapter.Together,theseindividualstatementsandmeasuresmakeupthecompleteSecurityFORCESurveyandSecurityFORCEMetrics.Thesurveyandmetricsareavailableasfull-size,customizable,downloadabledocumentsforusebysecurityorganizationsonlineathttp://lancehayden.net/culture,alongwithinstructionsforhowtousethem.

ScoringtheFORCESurveyQuestions,RevisitedTheSecurityFORCESurveyincludesstatementsrelatedtoeachFORCEvalue,asdescribedintheprecedingchapters.EachSecurityFORCEvaluehasfiveassociatedstatementsdesignedtomeasure,atahighlevel,theprevalenceofkeybehaviorsforthatFORCEvalueandthealignmentofbehaviorswiththosefoundinHRSPs.Whenscoringthesurveyforeachvalue,recallthefollowing:


PoolingYourFORCEsAftercollectingSecurityFORCEdatafromthesurveyresponses,organizationswillwantaquick,high-levelwayofpresentingresults.TheSecurityFORCEScorecardisasimplerepresentationofSecurityFORCESurveyresultsthatcanbeusedtopresentfindingsandanalysistostakeholdersandseniormanagement.TheScorecard,illustratedinFigure16-2andalsoavailableathttp://lancehayden.net/culture,providesseveralrepresentationsofthesurveyscores,including



AveragescoresforthepresenceandstrengthofeachSecurityFORCEvaluefrom1through5AhistogramshowingallfiveSecurityFORCEvaluescoresforside-by-sidecomparisonAspiderchartshowingallfiveSecurityFORCEvaluescoresfor“shape”comparison

Figure16-2BlankSecurityFORCEScorecardexample

SecurityFORCEMetricsandtheFORCEScorecardTheSecurityFORCEScorecarddoesnotincorporatetheresultsofanySecurityFORCEMetrics.Thisisadeliberateomission,forseveralreasons.SecurityFORCEMetricsareimportantcomponentsofthemodel,buttheydonotlendthemselvesaseasilytoinclusioninaneasilydevelopedandeasilyexplainedscorecard.Instead,theSecurityFORCEMetricsaredesignedtooperateinthebackgroundoftheSecurityFORCEModel,providingempiricalevidencetosupportorchallengeSecurityFORCESurveyresponses,andtoallowformoredetailedandgranularmeasurementofspecificFORCEvaluesandbehaviorsovertime.ThefollowingarethingstoconsiderwhencomparingtheSecurityFORCEScorecardtoSecurityFORCEMetrics:

UsetheSecurityFORCEScorecardtosimplify(alwayscarefully,withallassumptionsmadeexplicit)thepresentationofFORCEValueresults.UseSecurityFORCEMetricstosupportandvalidateSecurityFORCEScorecardresultsforstakeholdersandsecurityownerswhorequiremorespecificdetails.UsetheSecurityFORCEScorecardprimarilyasadiagnosticofattitudesandperceptionsamongmembersoftheorganization.UsetheSecurityFORCEMetricsprimarilyasadiagnosticofactionsandoperationsthatareactuallytakingplacewithintheorganization.

“AreWeaHighlyReliableSecurityProgram?”HavingconductedaSecurityFORCESurveyandcollectedSecurityFORCEMetricsresults,itwillbetemptingtomakeajudgmentregardingwhetherornottheorganizationcanclaimtofunctionasanHRSP.Highlyreliablesecuritydoesnotexistinasinglepointintimeorastheresultofpeople’sperceptions.HRSPsarehighlyreliablepreciselybecausetheyremainhighlyreliableoverextendedperiodsofoperationwithinhostileordangerousenvironments.NoorganizationcanclaimtooperateasanHRSPonthebasisofasinglediagnosticdatapoint.HRSPscanonlybejudgedlongitudinally,overtimeandovermultipleassessmentsandevaluations.Theseassessmentsmustbecomparedandcorrelatedwiththefrequencyandseverityofsecurityincidentsandfailuresaswell,comparedagainsthistoricaldataoragainstindustryexpectationsandstandardsofhowsecureanorganizationshouldbe.Unfortunately,today,therearefewsuchstandardsorexpectationsbeyond“morereliablethanwearetoday…”

ItmaybehelpfultoconsiderseveralscenariosagainstwhichtocompareclaimsofHRSPbehavior.EachofthefollowingthreeexamplesrepresentsanexampleorganizationthathasconductedaSecurityFORCEprojectusingtheFORCEScorecard.

GEORGEG,LLPGEORGEG,LLP,isaboutiqueadvertisingandmarketingcompany,specializinginonlinecampaigns.Withamultinationalpresenceandsophisticatedtechnologycompaniesforcustomers,GEORGEGtakesaproactiveapproachtoprotectingcustomerintellectualpropertyandstrategies.Aspartofasecuritycultureassessment,GEORGEGimplementedacompany-wideSecurityFORCESurvey.TheresultingSecurityFORCEScorecardisshowninFigure16-3.

Figure16-3GEORGEG,LLP,SecurityFORCEScorecard

InterpretingonthebasisoftheSecurityFORCEscores,GEORGEGwouldseemtolackseveralofthebehavioralattributesofanHRSP.Onlyintheareaofthesecurityvalueofoperationsdidcompanyemployeesexpressaperceptionthattrackswithhighlyreliablesecurity.DoesthatmeanthatGEORGEGisnotreliableandisonthevergeofamajorsecurityincident?Certainlynot.Nosinglediagnostictoolcanprovidesuchpredictiveevidence.ButGEORGEGmanagementwouldhavesomecauseforconcernaboutthesescores,particularlythoseforFailureandExpertise,ifHRSPbehaviorswereamongtheirgoals.

HOTELINDIA,Inc.HOTELINDIA,Inc.,managesachainofuniquelodgingestablishments,includingtraditionalhotels,B&Bs,andhostels,in19countries.HOTELINDIAundertookasecuritycultureimprovementinitiativeaspartofalargersecuritytrainingandawarenessprogram,followingseveralsecurityincidentswithinboththecorporateandcustomer-facingnetworks.TheresultsofHOTELINDIA’sSecurityFORCEScorecardareshowninFigure16-4.

Figure16-4HOTELINDIA,Inc.,SecurityFORCEScorecard

IsHOTELINDIAanHRSP?ItcertainlywouldseemtobewhenitsScorecardiscomparedtotheScorecardforGEORGEG.Perceptionofthecompany’sbehaviorsindicatesthatmanyoftheSecurityFORCEbehaviorsarestrong.ThisisasituationwheretheSecurityFORCEMetricscouldprovevaluableindeterminingtowhatextentcompanyperceptionsmatchuptoreality.IftheSecurityFORCEMetricsresultswerepoor—forexample,ifnoactivitiesorartifactscouldbeproducedtovalidateclaimsorperceptionsofbehavior—theinformationsecurityteammightbeforcedtoconsiderotherreasonsthattheFORCESurveyscoresweresohigh.Werepeopleafraidtorespondhonestlyforsomereason?Issecurityawarenessoutofsyncwithsecurityoperations?

IfSecurityFORCEMetricsforHOTELINDIAvalidatedtheresultsoftheFORCESurvey,thenitmaybethatthecompany’sInfoSecprogramisoperatingasanHRSP,therecenteventsnotwithstanding.Afterall,evenanHRSPwilleventuallyexperienceafailure(andembraceitslessons).Inthiscase,reexaminingthecompany’sresponsetothesecurityincidentscouldshedlightonthesurveyresponses,especiallyconsideringthatsecurityvalueofresiliencewasthelowest-ratedSecurityFORCEvalue.

KILOKINGEnterprisesKILOKINGEnterprisesisamidsizelogisticsfirmwithanationwidenetwork.KILOKINGhasbeenaskedbyseveralofitscustomersandpartners,spookedbythecurrenttrendofseriousdatabreaches,toassessitsentiresecurityoperationsstructure,includingawarenessandculture.Asaresult,KILOKINGundertookaSecurityFORCEproject,theScorecardresultsofwhichareshowninFigure16-5.

Figure16-5KILOKINGEnterprisesSecurityFORCEScorecard

KILOKING’sScorecardisinteresting.Insomeareas,itbehaveslikeanHRSP.Inothers,itdoesnot,leavingalopsidedbehavioralprofile.Howarewetoassesstheseresults?ItisnotparticularlydifficulttoimaginethatKILOKING’sbusiness,planning,andlogisticswoulddriveanenvironmentofoperationalreadinessandrelianceonsmartpeopletoovercomeproblems.Butwhy,ifthescoresaresohighinonearea,aretheysolowinothers?Don’tHRSPsbehaveuniformly?

Notnecessarily.HRSPsaremadeupofpeople,justlikeanyotherorganization.Becominghighlyreliabledoesnotguaranteestayingthatway,nordoeshighreliabilityinoneareaguaranteethesameineveryarea.Allsecurityprogramsaresubjecttocompetitiveprioritiesandculturaldriversinthefaceofdynamicanduncertainpressures.InthecaseoftheSecurityFORCEvalues,itturnsoutthatsomevaluebehaviorscomemoreeasilytocertainsecurityculturesthatexistwithintheCompetingSecurityCulturesFramework.Thesealignments,andwhattheymeanforHRSPdevelopmentandpeople-centricsecurity,arewhereIwillturnnow.

CSCFandSecurityFORCE:AligningCultureandBehaviorinPeople-CentricSecurityInthesamewaythatindividualpersonalitytraitsinpeoplenaturallypredisposethemtocertainbehaviors,differentinformationsecurityculturetraitscanmakeanorganizationmorenaturallypredisposedtocertainbehaviors.AProcessCulture,withitshierarchiesandformality,isgoingtoexcelatcertainactivitiesmorethananAutonomyCulture,whichwillhaveitsownstrongsuits.OneadvantageoftheSecurityFORCEmodelisthatitcanbealignedwiththeCSCFtohelpanorganizationunderstandwhichFORCEvaluesarelikelytocomemorenaturallytoanorganizationandwhichmightmeetincreasedresistance,giventhesecurityculturesinplace.

ChainingCultureandBehaviorEffortsSecurityculturetransformationexertsapowerfulinfluenceonsecuritybehaviors,changingandshapingthembyaddressingtheirunderlyingcausesandmotivations.Behavior,though,canalsoshapeculture.Onewaybehavior

influencescultureisbyprovidingatemplatefornewmembersofanorganization.Welearnbyexampleinourorganizationalenvironments,bywatchingourpeersperform,andbyadheringtotheofficialpoliciesandguidelinesoftheenterprise.Cultureisnottransmitteddirectlyfrompersontopersonassuch.Itisnotenoughtotellanewemployee“thisisoursecurityculture,sogowithit.”Thatnewhirewillacclimate(ornot)tothecultureinsteps,bylearningwhatisacceptedbehaviorandwhatisacceptablebelief,overtime,byobservingothers.

Asecondwaythatbehaviorcaninfluenceculture,specificallyculturaltransformation,isbyimposingnewhabitsthatquicklyorgraduallyreplaceolderonesthatarenolongervaluedordesired.Regulationisagoodreal-worldexampleofthispractice.Industriesareregulatedwhentheyaredeemedimportantenoughforsomereasonthatthestatemustinterferewiththeiroperations.Regulationsareessentiallymandatorybehaviorsandhabits,enforcedthroughinspectionandaudit,thatcontrolandconstrainbehavior.Sometimes,aswiththecorporatefinancescandalsoftheearly2000s,regulationisexplicitlydirectedatchangingculture.Sometimes,aswithsafetyorsecurity,regulationseeksaspecificeffectsuchasfeweraccidentsorharmfulevents.Inthesecasesaculturemaydeveloparoundtheregulatedbehaviors,creatingaculturethattakesthosethingsseriously.Industrieslikeenergyandaviationalreadyhavedecadesofexperienceinthisorganicculturalgrowth,whileindustrieslikeinformationsecurityarejustbeginningtoexperienceit.

Reinforcing“chains”ofcultureandbehavior,illustratedinFigure16-6,perpetuatevaluesandprioritieswithinanorganization.Thesechainscanfunctionmoreorlessunconsciously,belowthelevelofdeliberateanalysis.Ortheycanbedeliberatelyforgedandshapedthroughvisibilityandeffort.Toextendthemetaphorabit,howwemanagecultureandbehavioralchainsalsosaysalotaboutwhethertheywillacttotheorganization’sbenefit,likeananchortoafoundation,orwillimprisonanddragdowntheorganization,likeMarley’sghostinAChristmasCarol.

Figure16-6Cultureandbehavior“chains”

UsingtheSCDSandFORCEIndependentlyThereisnothingtostopasecuritystakeholderorCISOfromusingtheSCDSandtheSecurityFORCEmodelindependentlyofoneanother.TheSecurityFORCEmodelisjustoneproposalforbehavioraladaptation,actually,althoughIthinkitisuniquelysuitedtoinformationsecurity.ButIkeptthetwoframeworksseparatebecauseIdidnotwanttoimplythatimprovingtheSecurityFORCEvaluebehaviorsistheonlywaytoimproveInfoSecculture.Itisnot.Organizationsinheavilyregulatedenvironments,orthosewithstrongsecuritytrainingandawarenessprogramsinplace,mayalreadyhavebuiltintotheirsecurityoperationsbehavioralmodelsthattheywishtoadaptandapplytotheCSCF.ISO27001,COBIT,ITIL,andsomeNISTstandards,tonamebutafew,allattempttoaddressbehaviorchanges.Wheretheseframeworksarealreadyimplementedandwellunderstood,theymayserveasusefulcomplementsoralternativestoSecurityFORCE.

GeneralAlignmentsBetweenSecurityFORCEandtheCSCFWiththeexceptionofsecurityvalueofcomplexity,whichappliestoeverything

inpeople-centricsecurity,eachoftheSecurityFORCEvaluescanbegroundedinoneofthequadrantsoftheCompetingSecurityCulturesFramework.Figure16-7illustratesthisbasicalignment.Animportantcaveattopointoutonceagainisthatthesearemodels,notperfectreproductionsorinfalliblecrystalballs.Theymakeassumptionsandcontainuncertainty.Theyshouldbeusedastools,toidentifyconnectionsandguidediscussionandassessment,andshouldnotbeexpectedtoansweralltheorganization’squestions.Butwhenusedasameanstounderstanding,notasasubstituteforit,thesemodelscanbehighlyeffectiveinhelpingimplementamorepeople-centricprogram.

Figure16-7SecurityFORCEvaluesalignedtoCSCFquadrants

InthefollowingdiscussionI’lladdresstheSecurityFORCEvaluesabitoutoforder,goinginsteadbytheCSCFquadrants,tomakethealignmentseasiertofollow,andaddressingthesecurityvalueofcomplexity,whichhasnodirectculturalalignment,attheend.

ProcessCulturesandtheSecurityValueofOperationsProcessculturesareallaboutthedetails.Settingstandards,documentingpoliciesandconfigurations,andmakingsurepeopleknowwheretheyfitwithinthehierarchyareallhighlyvaluedprioritiesforProcess-focusedsecurityprograms.Theoverarchingneedtomanageandcoordinateactivities,andtohaveahighdegreeofvisibilityintothoseactivities,iswhatdifferentiatesaProcessCulturefromtheotherthreesecurityculturetypes.

ThissenseofprioritizingvisibilityandstandardizedmanagementiswhatmakesaProcessCultureparticularlyadeptatrealizingthesecurityvalueandkeybehaviorsofoperationsfromtheSecurityFORCEModel.Thesecurityvalueofoperationsincorporatestheactiveunderstandingofhowthingsworkandwhentheyareworkingdifferentlyfromthewaytheyareexpectedorassumedtowork.AProcessCulturewillmorenaturallyprioritizetheanalysisanddocumentationofoperationalfunctionsneededtoseeandcomparethesedifferencesandtodetectdeviationswhiletheyareminor.

Thesecurityvalueofoperationsalsoputsapremiumonassessingandsharingoperationalinformation,behaviorsthatalsolendthemselvestoaProcessCulture,oneinwhichorganizationalboundariesandbureaucraticcommunicationchannelstendtobeestablishedbydefault.Thesecanoftenbeutilizedasreadilyavailableprocessesforformallyandsafelydisseminatingoperationalassessmentsandelicitingfeedbackfromotherstakeholdersinthebusiness.

ComplianceCulturesandtheSecurityValueofFailureWhileComplianceCulturescertainlyconcernthemselveswithafairshareofinformationsecuritydetails,includingoperationalactivities,theiroftensingle-mindedfocusonsuccessfulauditsmakesthemespeciallysensitivetotheconsequencesofnotmeetingthatgoal.Theresultisaculturethattakesthesecurityvalueandkeybehaviorsoffailuremoreseriouslythanothersecuritycultures,eveniftheydon’tthinkaboutitconsciouslyintermsoftheSecurityFORCEModel.

Anticipatingworst-casescenariosinanorganizationwithastrongComplianceCultureiseasy,sincetheorganization’sperspectiveontheworld

canbeabitbinary:eitherwepassedorwefailed.Failureiseasilydefinedanditspossibilityiseverpresent,astheauditcycleneverends.Eachsuccessfulevaluationleadsstraightawayintothepossibilitythatthenextonewon’tgosowell,andtheorganizationmustalwaysmaintainvigilance,learningfrommistakestopreventtheirrecurrence.

Thatvigilanceextendstotheotherkeyfailurebehaviorsofseekingoutproblemsbeforetheymanifest,rewardingpeopleforfindingandreportingproblems,andsharinginformationaboutsecurityfailures.Insomeorganizations,thesebehaviorsmayevenreadlikeajobdescriptionfortheinternalauditfunction.Compliancesecurityculturesembedthesesamevalues,thissamepreoccupationwithfailure,acrossthesecurityfunction.

AutonomyCulturesandtheSecurityValueofResilienceSecurityincidentsthroweverythingintoconfusion,challengingeverytypeofsecurityculturewithinanorganization.ButofthefourculturaltypesidentifiedwithintheCSCF,AutonomyCulturemostprizesandevenencouragesinitiativeandindependentactioninthefaceofuncertainty.PerhapsthefactthatAutonomyCulturestendtobealmostuniquelysuitedtothechaoticconditionsofanincidenthelpsexplainwhytheytendtoberareininformationsecurity.Organizationsviewsecurityincidentsassomethingthatshouldneverhappen,andencouragingthekindofculturethatthrivesinthosesituationsmayseemliketemptingfate.

Thesecurityvalueandkeybehaviorsofresiliencebeginwiththeexplicitacceptancethateveryorganizationwillexperiencesecurityincidentsofsomekindoranother,includingdamagingpublicbreachesthatthroweverythingintocrisis.Thisacceptanceofriskanduncertaintyiseasiertointernalizeinaculturethatalreadyacceptschangeasaconstantandviewsindependentthoughtandactionasarequirement.Spreadingtraining,skills,andresponsibilitiesaroundtoawidervarietyofpeople,enablingmultiplepeopletodoajob,andencouragingthemtostretchthemselvesarecentraltothemoreentrepreneurialbentofpeopleinanAutonomyCulture.

ThatsamestartupmindsetcanmakeiteasierforpeopletoacceptmistakesandincidentsinanAutonomyCulture,too.Fallingdownintheseenvironmentscountsmoreason-the-jobtrainingforsuccessthanproofofincompetenceorpersonalfailure.Thiscanbeaproductivepsychologyforanorganizationattemptingtorecovergracefullyandwithconfidenceintheaftermathofasecurityincident.

TrustCulturesandtheSecurityValueofExpertiseTrustculturestakenooneforgranted.Everypersonintheorganizationisvaluablehumancapital,necessaryforthesuccessandgrowthoftheenterprise.Forsecurityspecifically,thatmeanstraditionalsecurityawarenessandbeyond,tothepointwheremembersoftheorganizationarethehumansensors,firewalls,andresponsesystemsthatactasaparallelinfrastructurecomplementingandextendingtechnology.

Thesecurityvalueofexpertiseleveragespeopleassourcesofbothknowledgeandaction,anditskeybehaviorsdrivedecisionmakingintothefabricoftheorganization.Theseprioritiesandbehaviorsdemandtrust,andwithoutit,organizationswillnotbeabletoallowauthorityanddecisionstobepusheddownandaroundtheorganizationtowherecircumstancesrequirethem.ATrustCulturethatvaluespeoplebasednotonrankorpositionbutontheirabilitiestocontributetothegoalsoftheenterprisewillinstinctivelygravitatetowardthesecurityvalueofexpertise.Thosebehaviorswillcomemoreeasilyandbemoresustainableovertime.

ComplexityEverywhereComplexityhasnodirectalignment.EveryoneoftheCSCFculturetypesmustaddresscomplexityandworkwithinitsinfluence,andnoparticularcultureisbetterorworseatdealingwithit.Atbest,itcanbesaidthateachsecurityculturetypeconcernsitselfwithaparticularflavorofcomplexityanddevelopsitsownculturallyspecificmethodsfordealingwithit.

Tacitassumptions,thetemptationtowardoversimplification,andtheneedforempiricaldataaretherealitiesofeverysecurityculture.ThepresenceofandtensionsbetweentheserealitiesmayevenbeattherootofsomeofthecompetitionbetweensecurityculturesintheCSCF.That’swhyeachCSCFculturetypeneedstoacceptandmanagethecomplexitiestheyfaceandtocoordinateandsharetheirevidenceandtheirdoubtsamongthosewhomayhaveadifferentculturaloutlook.

Nowheredoestheneedforcoordinationonissuesofcomplexitydemonstrateitselfmorethanontheissueofmodels.Eachsecurityculturetypewillhaveitsfavoredmodels,thelensesthroughwhichthatculturelooksattheworldofsecurityandoftheorganizationwritlarge.Processmodels,auditframeworks,agilityandinnovationmethodologies,andhumancapitalmanagementstructureswillexistsidebysidewithinanInfoSecprogram,withtheirrelativestrengthandinfluenceconstrainedonlybytherelativepowerofthatculturewithinthesecurityprogram.Theymustbebroughttogether,mademoretransparent,and

improvediftheorganizationistoachievehighreliabilityandtrue,transformativepeople-centricsecurity.

TakingAdvantageofCultural-BehavioralAlignmentsPathsofleastresistancearewonderfulthings.Especiallywhenyoufindthemamongotherpathsofalmostridiculousresistance.AnotherbeneficialuseoftheCSCFandtheSecurityFORCEModelistocombinethemintoacompassofsorts,anavigationalaidthatcanhelpasecurityprogramknowwherepotentialproblemsmightlie.Likea“herebedragons”sketchoverunknownterritory,cultural–behavioralalignmentscanidentifytheareasonthepeople-centricsecuritymapwheredangerlurks,hiddenbelowthewaves.

Inanygivenpointintime,cultureisgoingtotrumpbehavior,justliketheicebergmetaphorsuggests.Butwhenpeoplecandirectandconcentratebehaviorinparticularareastoparticularends,youcanmultiplyitseffect.PeoplehaveknownthisatleastsinceArchimedes’time(“Givemealeverandaplacetostand,andIshallmovetheearth”),justaspeoplehaveknown,foratleastaslongastherehavebeenbrickstobuildthemwith,thefrustrationofbangingourheadsagainstwalls.Thetrickistoknowthedifferencebetweenafulcrumandawall.

WhenCultureMakesBehaviorEasierIfyourpeople-centricsecuritytransformationincludesbothculturalandbehavioralelements,youshouldbelookingathowtotakeadvantageofforcemultiplication.Yourculturaldiagnosticscanhelpyou.ThecombinationofSCDSresultsandsecurityculturemappinghelpsyourorganizationunderstandthesecurityvaluesandprioritiesmostprevalentinsideyourorganization.Thoseculturalinsightscanguideyouasyouplanbehavioralstrategiesaspartofyourprogram.

ImaginethatyouhaveconductedasecuritycultureassessmentusingtheSCDS.TheassessmentrevealsthatyourorganizationhasaparticularlystrongComplianceCulture.AfteradministeringtheSecurityFORCESurvey,youdecidethatyourorganization’sbehaviorssupportingthesecurityvaluesofbothfailureandexpertiseneedimprovement.Somestakeholderssuggestanimmediateinclusionofthosebehaviorsandtheirrelevantmetricsinthecompany’ssecurityawarenessprogram.

Thethingis,theeffortrequiredtoimprovethosetwobehaviorsmaynotbethesame.BecauseofthenaturalalignmentbetweenaComplianceCultureand

thesecurityvalueoffailure,theorganizationmayseeimmediategainsinitsefforttoimprovebehaviorssupportingthesecurityvalueoffailure,whileitsefforttoimprovebehaviorssupportingthesecurityvalueofexpertisecouldprovelesseffective.Withoutinsightintocultural–behavioralalignments,thedisconnectmightnotmakesenseandtheentireeffortcouldenduptaintedanddiscredited.

Onealternativetodividingresourcesbetweendifferentchallengesistoputallyoureffortsintooneparticularchallengewhereyouthinkyoucanmakethemostgains.IfthesecurityvalueoffailureisseenasimportantandtheComplianceCultureislikelytofinditmoreacceptable,theorganizationcouldworktoimprovejustthatareaandtakeadvantageofthecultural–behavioralalignment.SignificantimprovementontheSecurityFORCESurveyandMetricsresultingfromtheprogramcouldthenbeusedtodemonstratethevalueandeffectivenessofoverallculturaltransformationefforts,andtheresultinggoodwillcouldbeappliedtoimprovingthesecurityvalueofexpertise,whichmightprovemoredifficult.

WhenCultureMakesBehaviorHarderKnowinghowculturalalignmentandinfluencemakeatransformationjobhardercanbejustasimpactfulasknowinghowtheyreduceresistancetochange.Theremaybetimeswhentheorganizationdecidesonastrategythatfocuseslessonfindingthepathofleastresistanceandeasywins,andmoreonaddressingthereallydifficult,intractablecultureproblemsthatareholdingbackperformance.

Consideracompanythathasexperiencedacoupleofbad,andbadlymanaged,securityincidents.CSCFassessmentrevealsaprocess-heavysecurityculturewithverylittleprioritygiventothevaluesofAutonomy.ASecurityFORCESurveyshowsthattheorganizationislackinginseveralbehaviorsitneedstoimprovetobeclosertobecominganHRSP.But,feelingastrongneedtoimproveitscapabilitiesforincidentresponseatamacrolevel,thefirmembarksonastrategydesignedtogetmorevalueoutofresilienceanditsassociatedkeybehaviors.

TherelativeweaknessofAutonomyCulture–relatedsecurityvaluesperhapshelpsexplainwhythecompanystrugglestorespondflexiblyandreliablywitheveryincident.Thatweaknessalsoshowsthechallengesthecompanyislikelytofacetryingtoimproveresiliencebehaviorswhoseunderlyingmotivationsconflictwiththewaythefirmlooksatsecurity.Onceagain,achoiceisimplied:treateverythingthesame,orfocusonspecificareas?

Insteadoffollowingapathofleastresistanceinordertomoreeasilysecurea

win,aswiththepriorexample,thiscompanymaychoosetotacklethebiggestconflictfirst,becausethesecurityvalueofresilienceisseenasthemostcriticalvalueinthepathtobecomeanHRSP.Butjustlikethepriorexample,thisinsightallowsthecompanytodevoteresourcestoaspecificoutcomebasedonanuancedunderstandingoftheeffortinvolvedtoachieveit.RatherthancultivatingeverySecurityFORCEvalueandjusthopingforthebest,understandingculturalalignmentsallowsInfoSecprogramstoachievemoretargeted,andultimatelymoreeffective,outcomes.

BlendingSecurityCultureDiagnosticandSecurityFORCEProjectsforImprovedCulturalMaturityExploringandanalyzingthealignmentsbetweenCSCF/SCDSandSecurityFORCEprojectsshouldbepartofeverypeople-centricsecuritytransformationproject.Addressingthelinkagesandpotentialconflictsbetweendifferentsecurityculturesandthebehaviorsnecessaryforhighlyreliablesecurityisperhapsthesinglebestreasontousethetwoframeworksintandem.Togethertheyallowanorganizationtounderstandwhatisgoingonbothabovethesurfaceoforganizationalawarenessandbelowit,andtograspwherelinesofforceandinfluencebetweenthetwointersect.Theinsightswon’talwaysbeperfect,butaswithanyothermodel,theycanbeputtouseand,overtime,improvedtomakesecurityculturetransformationmoreeffectiveandmature.

Theideaofimplementingoneoverarchingsecurityculturetransformationprojectissomewhatmisleading.Inalllikelihood,mostorganizationswillimplementsomethingmorelikeatransformationprogram,madeupofaseriesofprojectsovertime,asshowninFigure16-8.Insightsfromoneinitiativearedigestedbytheorganization—forexample,theculturaltypesandconflictsdiscoveredduringanSCDSproject—whichinturnpointtoimmediateoptionsforculturalorbehavioralchange.Atthesametime,theincreasedvisibilityandproficiencygainedthroughtheexecutionofconsecutiveprojectsallowstheorganizationtoplanbetter,askbetterquestions,andtesttheresultsofpastinitiatives.ThisinturnincreasesculturalcapabilitymaturityfortheInfoSecprogramandtheoverallorganizationaspeoplegetbetteratmasteringpeople-centricsecurity.

Figure16-8Securityculturetransformationandpeople-centricsecurityprograms

FurtherReadingBush,MarilynandDonnaDunaway.CMMIAssessments:MotivatingPositiveChange.UpperSaddleRiver,NJ:Addison-Wesley,2005.Curtis,Bill,WilliamE.Hefley,andSallyA.Miller.ThePeopleCMM:AFrameworkforHumanCapitalManagement.2nded.Boston:Addison-WesleyProfessional,2009.Paulk,MarkC.,CharlesV.Weber,BillCurtis,andMaryBethChrissis.TheCapabilityMaturityModel:GuidelinesforImprovingtheSoftwareProcess.Boston:Addison-WesleyProfessional,1994.

CHAPTER17

Leadership,Power,andInfluenceinPeople-CentricSecurity

“Anyonecanholdthehelmwhentheseaiscalm.”RomanauthorPubliliusSyrusprobablywasn’tthinkingaboutinformationsecuritywhenhewrotethosewordssometimeinthefirstcenturyB.C.,buthismaximcanbeappliedtoleadersinanycrisissituation.ThequotationalwaysmakesmethinkoftheCISOs,InfoSecdirectors,anddataprotectionmanagersIhaveworkedwiththroughoutmycareer.I’veknownmanygood,skilledfolksresponsibleforsecuringtheinformationassetsoftheirorganizations.Butmanagerialcompetenceisnotthesameasinspired(andinspiring)leadership,ininformationsecurityoranywhereelse.AllittakesisonebadstormtoshowyouthedifferencebetweenanAdmiralLordNelsonandaFrancescoSchettino,theinfamousCostaConcordiacaptain.

Theseaofinformationsecurityisnotcalmtoday,andmosteveryoneexpectsthestormstogetworsebeforetheygetbetter.Ifwearetorealizepeople-centricsecurityinthecomingyears,ourindustryisgoingtoneedalltheAdmiralNelsonsthatwecanget.

ACrisisofLeadershipHowimportantisleadershiptoinformationsecurityasaprofession?Toexplorethatquestion,Iperformedthatmostlooselyscientificofallinquiries:IaskedtheInterwebs.Operatingontheassumptionthatinformationsecurityleadershipis

embodiedinthepositionofCISO,justasothertypesofcorporateleadershipareembodiedinthepositionsofothermembersoftheC-suite,IfiredupGoogle.Mysearchwassimple:“CISO”and“leadership.”IrepeatedthesearchforeachoffiveothercommonC-suiteroles:CEO,COO,CFO,CIO,andCTO.Figure17-1showstheresults,inmillionsofhits(ornot,inthecaseofCISO).

Figure17-1MillionsofGooglehitsfor“CXO”plus“leadership”

Wow!300,000hitssurprisedme.Thinking(hoping)thatmaybe“CISO”is,as

theysay,notthepreferrednomenclature,Itriedsearchingon“CSO”instead.Thenewsearchreturned500,000hits,butthepresenceinthosehitsofeverythingfromchiefsalesofficerstochiefstrategyofficersmademelessconfidentofthenumber.Givenonceagainthatthisisnotexactlyarigorousscientificexperiment,onehastobecarefulaboutreadingtoomuchintoit.Butattheveryleastitimpliesthatifpeoplearethinkingasmuchaboutleadershipininformationsecurityastheyareinothermanagementareas,theyarenotputtingthoseinsightsonlinetobeindexedbyGoogle.Theorder-of-magnitudedifferencebetweenCEOleadershiphitsandthenextlargestgroupisnotsurprising.ACEOcaneasilyfindabundantresourcesonlineaboutCEOleadership.Butevencomparedtotheresourcesavailableonlinetochiefinformationofficersandchieftechnologyofficerswhoarelookingforrole-specificleadershipresources,CISOsliveinabitofaninformationaldesert.Fiveofthefirsttenhitsactuallyrefertothesamesource:the(ISC)2bookCISOLeadership:EssentialPrinciplesforSuccess.Whatgives?

TheCISOasaBusinessLeaderIthinkthattheresultsofmyGooglesearchesjustdemonstratetheuncomfortabletruththatmanyInfoSecprogramshavetolivewitheveryday:thattraditionallytheyhavenotbeenconsideredcentraltothebusiness.Likewise,CISOshavenotbeenconsideredequalpartnersintheC-suiteinmostorganizations,notwithstandingtheboneof“chief”designationmanyarethrown.Securityleadershiptraditionallyhasnotbeenconsideredsynonymouswithbusinessleadership,noteventothedegreethatCIOsandCTOsareconsideredbusinessleaders.ThathasmadeitmucheasiertoignorebasicleadershipprincipleswhenitcomestoCISOsandtheirwork.Thathastochange.Anditischanging,astheconsequencesofsecurityfailureshavebeguntoblasttheirwayintotheboardroominunprecedentedways.

Givenitsprominenceinmyexperimentalsearch,IwenttoCISOLeadershiptoseewhatitmighthavetosayaboutCISOsasbusinessleaderswithintheirorganizations.Thebookisquitegood,aninterestingcollectionofcontributedworksby20experiencedinformationsecurityandmanagementprofessionals.Publishedin2008,itanticipatedtheemergenceofpeople-centricsecurityandthecentralityofcultureasakeytosuccess.Butmostofall,itechoesthethemesIhaveexploredthroughoutthisbook.Securityleadershipisnotabouttechnology,andsuccessfulinformationsecuritycanneverbefullyautomated.Becauseinformationsecurityisalsoasocialandculturalprocess,CISOscan’tsucceediftheyareonlytechnologicallyadept.Theyalsohavetobepeople

savvy(CISOLeadershipcontributorBilliLeebuiltachapterandanentiremanagementmodelaroundtheterm“savvy”).

Unfortunately,andwithoutanyslighttotheeditorsofandcontributorstoCISOLeadership,thebookwasnotexactlyaNewYorkTimesbestseller.Veryfewinformationsecuritybooksare.Securityhasnotproducedmanyofwhataprofessorcolleagueofminecalls“theairportbook,”theoneyoubuyasyoubrowsethebookstorebetweenterminalsduringalayover.IknowI’veboughtmyshareofleadershipandmanagementbooksinairports,particularlythetitlesIthoughtwouldmakemeabettersecurityprofessional.Today,mostCISOsknowtheycanlearnalotfromotherexecutives.ButtherealityisthatalmostnoexecutivesoutsideofsecuritythinktheyhavemuchtolearnaboutbusinessleadershipfromCISOs.

BusinessLeadersasSecurityEnablersThefactthatnon-securityexecutivestypicallydonotlooktoinformationsecurityexecutivesforinsightintohowtodotheirjobsbetterisacauseforconcernbecausenon-securityexecutiveshavealotofinfluenceonhowinformationsecuritygetsdone,ordoesn’t,intheirorganizations.It’saclassicasymmetricalpowerrelationship.Thebusinessenablessecuritytofunctionatthediscretionofthebusiness,butnottheotherwayaround.ACEOorCIOcaninterferewiththefunctionofinformationsecurity,sometimesdirectlyandofficially,dependinguponreportingstructures.Butit’smuchmoreraretoseeaCISOorsecuritydirectorwiththepowertounilaterallytellanotherbusinessfunction,sayFinanceorIT,howtorunitsaffairs,evenifthereisadirectsecuritystakeinthoseoperations.Instead,securityexecutivesoftenhavetoworkbyproxy,recommendingandguidingupthechainofcommandtoinfluencethosewiththepowertomakesuchdecisions.

SecurityPowerDynamicsThepowerdynamicsofinformationsecurityleadershipreflectsomethingofatrendintheevolutionofbusinessleadershipingeneral,asexecutive-levelrecognitionandprestigehavemovedoutfromthetraditionallocusofbusinessoperations.ThefirstwaveofevolutionsawtheriseofthechiefinformationofficerandchieftechnologyofficertotheranksofCEO,COO,andCFO.Despitethedifferenceintitles,bothoftheseexecutivepositionsevolvedtoaddressthegrowthoftechnologyandITproductswithincompanies.Theseareareasofexpertisethatareoutsideoftheexperienceoftraditionalmanagement

butareincreasinglycentraltobusinesssuccess.AsFigure17-2shows,thisevolutionhascontinuedintoathirdwaveofmoreinformation-centricleadershiprecognition.Roleslikechiefprivacyofficerandevenchiefriskofficerhaveevolved,liketheCISOrole,toaddressnewchallengesaroundthemanagementofcorporateinformationandknowledgeassets.(Asasidenote,Iattemptedtouseboth“CPO”and“CRO”inmyGoogle“leadership”searchexperiment,butneitherisauniversallyknownacronym.Iendedupwithmoreinsightintonavalnoncommissionedofficersandlifesciencesresearchersthanprivacyandriskleadership.)

Figure17-2Anevolutionofexecutiveleadership

Ifinformationiskeytothebusiness,thenmaintainingtheintegrityandsecurityoftheinformationsupplychainis,bydefinition,akeybusinessenabler.OneoftherecurringtakeawaysfromCISOLeadershipistheneedforCISOsandothersecurityleaderstogrowbeyondthemanagementoftechnologyinfrastructures.Indeed,myinterpretationofseveralofthechaptersisthattoomuchfocusontechnologymanagementactuallyholdsaCISOback.Themostsuccessfulsecurityleaderswillbethosewhocanmanagepeopleandculture,boththosewithinsecurity’ssphereofinfluenceand,evenmoreimportantly,thoseoutsideofit.CompetingsecurityculturescometoexistinmanycasesbecausetheInfoSecprogramcannotordoesnotoperatewithinthebiggerpictureoftheorganization.OtherCXOshavehadmoretimetofigureouthowtomergetheirinterestswiththeinterestsofotherbusinessstakeholders.Securitywillneedtodothesame,tobuildanorganizationalcultureinwhichsecurityisnolongerjustoneofanumberofsubculturescompetingforinfluence.

“WhatifI’mNotaCISO?”ChiefinformationsecurityofficeristhesymbolicheadroleforInfoSecintheindustrytoday.ButnoteveryorganizationwithanInfoSecprogramhasaformalCISO,andCISOsarenottheonlyleaderstobefoundininformationsecurity,soit’simportantnottogettoohunguponmistakingCISOsasbeingexclusivelysynonymouswithInfoSecleadership.

Opportunitiesforleadershipandculturalchangeinpeople-centricsecurityaretobefoundthroughouttheorganization,atalllevelsoftheorganizationalchart,apointIhavetriedtomakethroughoutthebook.TheSecurityFORCEvalueofexpertiseactuallymakesthisideaaformalrequirementforHRSPs.InanHRSP,leadershipandauthoritymigratewithintheorganizationbecauseanHRSPrecognizesthatnoonepersoncaneffectivelycontroleverything.ThesystemadministratorwhoseesthesmallfailurespilinguptowardanincidenthasaleadershipopportunityinanHRSP,asdoesthelinemanagerwhorecognizesthat“doingmorewithless”willprobablymean“doingmorewithlesssecurity”asculturesandprioritiescompete.

It’slittlemorethanaplatitudetobreezilysayeveryoneisresponsibleforsecurity,especiallyifmostpeoplehaveneithertheauthoritynortheresourcestoliveuptothatresponsibility.Butit’salsoanexcusewhenpeopleabsolvethemselvesofresponsibilityforsecurityjustbecausetheyarenotpartoftheInfoSecprogram.Weliveinaninformationsociety,andinformationiscentralto

thesuccessofjustabouteveryfirm.Protectingitisaboutprotectingthebusinessitself.Mostemployeesofcorporationsarenotaccountantsorlawenforcementofficials,butthatdoesnotmeantheyarerelievedoftheirresponsibilitytopreventfraudorcriminalactivity.Mostemployeesdon’tworkforHR,buttheystillhaveadutytoreportharassmentorabuse.Andorganizationshavetheirownobligationnotonlytomaketheexerciseoftheseresponsibilitiespossible,butalsotoencourageit.People-centricsecurityinanenterprisemustliveuptothesesamestandardsifcompaniestodayaregoingtoseetoday’ssecuritychallengesbecomemoremanageable.

CISOLeadershipResourcesMyGooglesearchmaynothaveturnedupasmanyresourcesforCISOsandsecurityleadersasitdidforotherCXOs,butthatdoesn’tmeantherewerenoresources.ThereareseveralvenuesandforumsforCISOnetworking,mentoring,andknowledgesharingoutthere,including(ISC)2,whichwasbehindCISOLeadership.Manysecurityprofessionalsknow(ISC)2astheorganizationthatoffersCertifiedInformationSystemsSecurityProfessional(CISSP)certification,but(ISC)2alsohostseventssuchastheInformationSecurityLeadershipAwards.Inadditionto(ISC)2,theInformationSystemsSecurityAssociation(ISSA)hostsregularCISOExecutiveForums,andorganizationssuchasCSO(www.csoonline.com),theArgyleExecutiveForum,theTechExecNetworks(T.E.N.),andtheEC-Councilholdeventsdedicatedtoinformationsecurityleadershipdevelopment.

TheresourcesandorganizationslistedarethoseIamawareofthatputaspecificfocusonCISOleadership.Ofcourse,therearemanyotherorganizations,includingISACA,theSANSInstitute,andanumberofindustry-focusedInformationSharingandAnalysisCenters(ISACs),thatprovideopportunitiesforinformationsecuritytraining,mentoring,andprofessionalnetworkinginsupportofInfoSecprogramsandleadership.

LeadershipinPeople-CentricSecurityAspreviouslynoted,noteveryinformationsecurityleaderisaCISO.Securityleadershipcanbefoundinunexpectedplaces,andnoteveryorganizationhas

http://www.csoonline.com

elevatedinformationsecuritytoaCXOlevelofrecognition.Ifthisbookhasmadeapointofanything,it’sthatsuccessfulsecurityisaculturaltrait.EvenaCISOcanonlydosomuchifheorsheistryingtodoitinaculturethatdoesn’tvalueorprioritizetheCISO’sjob.ButwhereverInfoSecownershipexists,underwhatevertitleitisgiven,someonewillhaveultimateresponsibilityforprotectingtheorganization’sdata,information,andknowledge.Tobesuccessful,thatpersonwillhavetostandupandtakeholdofthehelminthemidstofthegale.

YouDon’tLeadMachinesSecurityispeople.Imadethepointearlyinthebookthatifyouthrowoutallyourtechnology,youstillhaveanorganizationtomanage.That’sanimportantlessonforsecurityleaders,includingCISOs.Aslongassecurityleadersareviewedprimarilyasmanagersoftechnology,therewillbelessopportunityandlessexpectationforthemtoleadthebusiness.People-centricsecurityisaboutmorethansimplyincorporatingpeopleintoinformationsecurityinfrastructuresorsimplymanagingthepeopleintheinformationsecurityprogram.People-centricsecurityisaboutleadingtheentireorganizationintoanewrelationshipwiththebusinessvalueofinformationassets,justlikeCIOsdidoverthepastcoupleofdecadeswithIT.AsITmovedfromthebackofficetothebackpocket,CIOswentfromtechnologymanagerstocorporateleaders.

Informationsecurityleadershipneedstobridgethatsamegapbetweentechnologyandthosewhouseit.WhenCISOs(orotherorganizationalInfoSecleaders)areseenasmanagingtherelationshipoftheentireorganization(meaningallthepeopleinit)withinformationsecurity,thoseleaders’rolesandstatuswithintheorganizationwillchange,justlikeCIOroleschangedasITbecamemoreubiquitous.Becausemanagingpeopleandcultureputssecurityleadersonequalfootingwithotherleadersoftheorganization,itletsthembringtheirownuniqueinsightstobearonhowtomotivatepeopleandmakethemproductiveandsuccessful,eveninthefaceofadversity.That’ssomethingtechnologymanagement,nomatterhowsophisticatedthetechnology,cannotachieve.Youcanmanagearackofserversorswitches,butyoucanneverinspireit,neverleadthosedevicestobecomesomethingmorethanwhattheyare.

InfluenceandTransformationTheinfluenceandleadershipskillsnecessaryforsecurityculturetransformationaredevelopedasevolution,notupheaval.Theyarevariationsonexistingthemes

ofmanagementandorganizationalbehaviorthathaveexistedforalongtime,andhavetheiroriginsoutsideofInfoSec.CISOsandsecurityleadershavetokeepdoingwhattheyhavealwaysdone,managinganddirectingthetechnologyandprocessesthatarerequiredtoprotectcorporateinformation.Buttheindustry’sleadershipwillhavetogrowtoo,bothintermsofsizeandintermsofscope.Forallthedisruptionandstressinthesecurityworldtoday,it’sactuallyagreattimetobethinkingaboutbecomingasecurityleader.

Thatbeingsaid,CISOsandotherleadersaregoingtofindthatmoreisbeingaskedofthemthaneverbefore,andmanyofthenewneedswillbeintheareaofsoftskills.RussellReynoldsAssociates,anexecutiveleadershipandstrategicconsultingfirm,conductedarecentstudyofCISOsandidentifiedanumberofnewskillsthatwillbecalledforinthenextgenerationofinformationsecurityleadership.Theseincludeinnovationandagility,theabilitytothinkstrategicallywhilesimultaneouslyeducatingandinfluencingothersintheorganization,andacapabilityforattractingtoptalenttotheenterprise.Basically,theseareallthesameskillsonewouldexpectfromthosewhoareresponsibleforleadingtheentirebusiness,notjustlockingdownpartsofit.

Tobecertain,therearealreadyCISOsworkingintheindustrytodaywhofitthebill,whowieldtheinfluenceandhavemasteredtheskillsofanexecutiveleaderonparwithotherC-levels.Buttheseleadersarenotuniversal,theyarenotwidelyavailable,andtheydonotcomecheap.Thesecurityindustryisgoingtohavetogrowanewgenerationofthem.ThetrainingprogramsforsecurityprofessionalsaregoingtohavetostartlookinglesslikecomputerscienceandengineeringdegreesandmorelikeMBAs.Andwe’regoingtohavetogooutsideofsecurityandoutsideoftechnologytoroundoutourskills.I’mwaitingforthedaythatImeetaCISOwhoroseupthroughenterprisemarketingor,evenbetter,camefromananthropologyorapsychologybackground.Whentheseindividualsbecomemorethanexceptionsandoutliers,thingswillgetreallyinteresting.

AdaptingtheCSCFandSecurityFORCEModeltoLeadershipMeasuringleadershiptraitscanbevieweddifferentlythanmeasuringthetraitsofanorganization’smembers’behaviorsoritsoverallculture.Foronething,leadersinanorganizationhaveadisproportionateamountofpowertoinfluenceandaffectbehaviorandculture.Thatalonecanmakeitbeneficialtounderstand

howtheylookattheworldandhowtheyengagewiththeirenvironment.Asaresult,someorganizationalcultureandbehaviormodels,includingtheCompetingValuesFramework,havebeenadaptedtospecificallyaddressleadershipqualitieswithinthemodel.

IcouldeasilyaddanentiresectiontothisbookbyextendingtheCSCFandtheSecurityFORCEModeltomeasuringleadershiptraitsandindicators,butthatwouldbeatadpremature,giventherelativelynascentstateofbothsecurityculturetransformationasalegitimateapproachtoinformationsecuritymanagementandtheprofessionaldevelopmentoftheCISOinourindustry.IhopethatthestateofinformationsecurityleadershipmaturesquicklyenoughthatIcanperhapsaddresshowtomeasureitinafutureeditionofPeople-CentricSecurity.Fornow,Iwillsimplyaddressthewaysthattheexistingmodelscanbeadaptedtoaleadership-specificassessment.Thematerialsarealreadythere.Theapproachtocollectingandinterpretingthedataisallthatreallyhastobereconsidered.

TheCSCF,SCDS,andCulturalLeadershipAssessingculturalleadershipagainsttheCompetingSecurityCulturesFrameworkinvolvesamoreintrospectiveapproachtothemodel.InsteadofusingtheSecurityCultureDiagnosticSurveyasaninstrumenttomeasuretheculturethatpeopleintheorganizationfeeltheyinhabit,corporateexecutivesandorganizationalleaderscanusethetooltoanalyzetheexampleandtonethattheysetthemselvesfortherestoftheorganization.Whatbeliefsdotheybringintoworkwiththemeverydaythatwillinfluencehowsubordinatesandmembersoftheorganizationmakesecurity-relateddecisions?Whatvaluesandprioritiesdotheypromoteintheexamplesthattheysetthatarethenemulateddowntheorganizationalchart?

AnorganizationcanconductabasicsecurityleadershipassessmentbyadministeringtheSCDSonlytomembersoftheexecutivestaff,oreventheboardofdirectors,andtheninterpretingandmappingthoseresultsastheywouldforawidersecuritycultureassessment.Identifyingculturalconflictsattheexecutivelevelcangoalongwaytowardexplainingwhytheyexistelsewhere.ForCISOsorsecuritystakeholderswhoaretryingtogetbuy-inforalargersecurityculturetransformationinitiative,thiscanbeanexcellentwaytostart.Itmayevenprovidethesecurityteamwithabreakthroughinsupport.Theimpactandimportanceofcultureisoftenmorewidelydiscussedandacceptedattheexecutivelevelthanitisintechnicaloroperationalbusinessunits.Puttingsecurityintotheterminologyofcorporateculturecanprovideanovelmarketing

techniquebywhichanInfoSecprogramcandifferentiatetheinitiative.

TheSecurityFORCEModelandBehavioralLeadershipSimilartoadaptingtheCSCFtoorganizationalleadership,adaptingtheSecurityFORCEModeltoorganizationalleadershiptakesamoretop-downapproachtothemodelthatemphasizescommitmentandexamplesetting.GiventhemoretacticalnatureoftheFORCEModel,itisusuallywisetotiebehaviorbacktocultureanyway,focusingontheorganizationalculturesthatcreatehigh-reliabilitysecurity.Acapabilitytostopmoreincidentsbeforetheyoccurandtobettermanagethosefailuresthatdohappenislikelytogettheattentionofanyexecutivethesedays,sotheFORCEModelcanbeleveragedasasortofabehavioral“howto”guideforseniormanagement.Encouragingandfosteringthesebehaviorswillmaketheirjobseasierinthelongrun.

Insteadoflookingforculturalconflicts,usingSecurityFORCEforleadershipassessmentfocusesonhowseniorexecutivesmotivate,reward,andsanctionindividualbehaviorsthatareinvisiblyreducingorexpandingthespaceinwhichsecurityincidentscanhappen.Gaugingtheindividualattitudesofseniorenterpriseleaderstowardfailure,operations,andsharingdecisionsandinformationcanresultinvaluableinsightsaboutwheresecurityproblemsarelikelytohappen.Andonceagain,usingSecurityFORCEcangiveasecurityteamahooktheymaynothavepreviouslyhadwhendealingwithnon-securityleaders.TheoriginsandpedigreeofSecurityFORCEandHRSPbehaviorsexistoutsideofInfoSec,inHROresearch,andweredevelopedasameansofimprovinggeneralenterpriseperformance.Byadaptingthem,CISOsandsecurityleadersarenotusingparochial“bysecurity,forsecurity”methodologies,butratherproductsofresearchintooptimizingoverallbusinessvalueandcompanyperformance.Empiricallysupportedbyacademicanalysisandindustrystudies,thisresearchandthemodelsithasproducedspeakdirectlytothecoregoalsofeveryoneontheexecutivestaff,notjustthosetaskedwithinformationsecurity.

FurtherReadingComyns,Matt,T.Cook,andJ.Reich.“NewThreats,NewLeadershipRequirements:RethinkingtheRoleandCapabilitiesoftheChief

InformationSecurityOfficer.”Availableatwww.russellreynolds.com/.Fitzgerald,Todd,andM.Krause,eds.CISOLeadership:EssentialPrinciplesforSuccess((ISC)2PressSeries).NewYork:AuerbachPublications,2008.

http://www.russellreynolds.com/

I

CHAPTER18

SecuringaPeople-CentricFuture

t’sapeople-centricworld.Thatcanbeeasytoforgetinasocietythatisdominatedby,evenobsessedwith,technology.WetalkabouttheInternetofThings,fantasizeandfretaboutrobotsandartificialtechnology,evenlookforwardtothe“singularity”thatwilloccurwhenhumansandmachinesfinallycometogethertocreateanewspecies.Tohearustalk,youmightsometimesthinkthattheentireworldisaboutthecentralityoftechnology.Andmaybeatsomepointinourfuture,technologyreallywilleclipsepeoplesocietallyorevenevolutionarily.Butwearenotthereyet.Formyownpart,I’mskepticalthatwewilleverreachthatpoint.It’sanendthathasbeenpredictedalmostsincehumanbeingsinventedtechnology,andcertainlysincetheystartedthinkingaboutitandusingit.Butforourimmediatefuture,andcertainlyforthepracticalfutureofanyoneininformationsecurity,it’sstillahuman’sworld.Wemayembedtechnologyevermoredeeplyintoourlives,andevenourbodies,butinventing,deploying,andusingtechnologyarethingspeopledotoandwithmachines,andnot,forthemostpart,theotherwayaround.Andsecuringtechnologyisuptopeopleaswell.Technologywon’tdothatforus.Withoutpeople,thereisnosecurity,noranyneedforit.Solet’slookaheadtothechallengesstilltocomeinapeople-centricfuture.

TheSecurityofThingsIfyouwanttopickthebestmetaphortoembodythechallengesinformationsecurityfacesinthefuture,it’sprobablythewhole“InternetofThings”(IoT)or

“InternetofEverything”(IoE)trope.Variousestimatesputthenumberofnetworkeddevicesoperatingby2020inthehightensofbillions,typically50to75billionormore.Comparethatwithestimatesofthenumberofnetworkeddevicesoperatingtoday,whichclocksinatunder10billion.Soinlessthanadecadepotentially,we’llbelookingatanywherefromafivefoldincreasetoanorderofmagnitude’sworthofgrowthinthenumberofnodesontheglobalnetwork,allwithsomedegreeofintelligence,alltakingin,storing,andpumpingoutdata.Justfromasheernumbersgame,that’sseveralbravenewworlds’worthofopportunityforbadguysofallstripes.

Thepurposeofthischapterisn’ttojumponeitherthehypebandwagonortheFUD(fear,uncertainty,anddoubt)bandwagon,bothofwhichhaveestablishedregularpick-uproutesthroughouttheindustrythesedays.ThevendorshypingtheIoT/IoEconcepts,eitherasagoodthingorascaryone,haveenormousfinancialstakesinthemetaphor.I’vebeenintheindustrylongenoughtohaveheardpromisesofapaperlesssocietyandintuitivehomeappliancesmadeandthenfade,onlytobepickedupandrepeatedagainafewyearslater.AndyetIstillusepaperandIstillhaveahomethatisrelativelydumb.SomyeyesrollalittlemoreeasilywhenIheargrandioseclaimsabouthowthoroughlydifferentanddigitalmylifewillbeintenyears.ButIalsorealizehowdifferentanddigitalmylifeistodaycomparedtoadecadeago,whichconvincesmethatthingsaregoingtocontinuetochangeradicallyfortheworld.Imaynotbeabletouploadmyconsciousnesstothecloudinthenextdecade,butthenagainImaynothavetodrivemyowncar.That’sprettyimpressivenomatterhowyoulookatthings.

SocialSecuritySettingasidethefactthatdigitalsaturationisageographicallyanddemographicallyvariablephenomenon,andnoteverywhereoreveryoneontheplanetisconnectedtothesamedegree,whataretheimplicationsoftheInternetofEverything?Igetakickoutofthethoughtof“securingtheIoE.”Ifeverythingisnetworked,thenyouarenotsecuringanetwork;youaresecuringeverything.Realityisyourattacksurface.Consequently,informationsecuritystartstolooklesslikeanITchallengeandmorelikeasocietalone.Likediseaseandmedicine.Likewaranddiplomacy.Likeignoranceandeducation.Youdon’tsolvetheseproblems,orevenmanagethem.Youlivewiththemasbestyoucan,andby“you”Imeaneveryone.Technologyplaysahugeroleinthateffort;manytechnologiesinfact.Butthecenteroftheuniverseshifts,likeaPtolemaicparadigmgivingwaytoCopernicus.Peopledon’tmovetotheIoE.TheIoE

revolvesaroundpeople.SecurityinanITsystemthatisslowlyapproachingalevelofcomplexitythat

rivalshumansocietyisgoingtobeequallycomplex.IknowsecuritymanagersandCISOsforwhomsecurityisessentiallysynonymouswiththeSANSTop20controls,orthePCIDSSstandard,orasetofNISTspecialpublications.Thoseconstructionsareallveryuseful,butit’sabitlikesayingthataperson’slifeissynonymouswiththedataintheirFacebookprofile.Asmuchasthingsmayfeelthatwayattimes,it’sanillusion,adigitalrepresentationofananalogphenomenontoocomplextofullygetyourarmsaround.Ifinformationsecurityistosucceedinthedigitalfuture,it’sgoingtohavetakeamoreanalogapproach.

AsManySecuritiesasThingstoSecureThereisnoonesingle“security”tocreateandmanage.Wealreadyhavetospecifybetweenphysical,information,andITsecurityifwewanttobeclear,eventhoughtheoverlapinthesefieldsisenormous.Andwithininformationsecurity,thetermIprefer,thereareenoughsubdisciplinesandspecializationsthatonecouldspendarichandproductivecareerinsidetheinformationsecurityfieldandneverventureoutsidetheworldofcryptography,orIPSsignatures,oraudits.“Security”iswhateverthepeopletalkingaboutitmeanwhentheysayit…becausesecurityispeople.

Idon’texpectpeople-centricsecuritytobecomethedominantwayofthinkingaboutourfieldandindustry.ButIdowanttoaddittothelistofconceptualtoolkitsthatwecanchoosefrom,becauseupuntilrecently,InfoSecprofessionalsgenerallyhavethoughtofpeople,ifatall,asobstaclestobeworkedaround,orperhapsaschildreninneedofeducationsothattheydon’tdosomethingstupid,orevenasactualthreatslivingwithintheorganization’swallsthathavetoberootedoutandeliminated.Butsecurityisnotmeanttoworkaroundpeople.It’smeanttoworkforthem.Ourprofessionwouldbenefitalotfromembracingthatidea.Andwecanstartbythinkingaboutthesedifferentkindsofsecuritybythinkingaboutdifferentwaysthatsecuritycanexistasaninformationchallengeaswellasamoretangibleone.ContextandnuancearecreatingnewandspecializedInfoSecphenomenondependingonwhatisbeingsecured,andhow,where,andwhyitmustbeprotected.

InformationIusetheterminformationsecuritytorefertowhatIthinkofasthe“traditional”focusofourprofessionbecauseitencapsulatesotherinformation-related

specialties.InformationsecurityincludesITsecuritybecauseITcan’tdoanythingifthere’snoinformationforthetechnologytoprocess.Butinformationsecurityalsoimplieseverykindofinformationthatmayexist,frompaperrecordstohumanknowledge.WhenIthinkaboutinformationsecurity,Iamforcedtoconsiderthingsthatarenottechnology-specific,andthatalwaysmakesmethinkofpeople.Informationalwaysimpliesuse.Someuser(humanorotherwise)hastobeinformedbyittomakeitinformation.

Applyingauser-centricideatosecurityhelpsputapeople-centricspinonthecontrolandprotectionofinformation,whichisatthecoreofourwork.Thepeople-centricfutureofsecuritywillseeinformationdiffusingthroughoutanetworkthatismorevastandvastlydifferentthananythingwehavetoday.Butinformationwillremainafundamentalcommodity,andensuringtheconfidentiality,integrity,andavailabilityofitwillstillbeacentralresponsibilityofthesecurityprofession.Thedifferenceisthatwewillnolongerbeabletocalltheshotsonwhogetswhatinformationandhow.Whenourcomputers,ourhomes,ourcars,ourclothing,andevenobjectsinsideourbodiesallbecomesmartandinteractive,peoplewillfindthingstodowiththoseinfrastructuresthatdefycontrol.Securitywillhavetochangeaccordingly,movingfromdictatingandlimitinghowpeoplecanbehavetounderstandingandacceptingmanynewinformationbehaviorsandfiguringouthowtoprotecttheusersfromthosewhowouldabusethem.

InfrastructureIngraduateschoolIbecamefascinatedbythefieldofinfrastructurestudies,thebodyofscholarlyresearchintotheunderlyingstructuresthatmakesocietyfunction.Thesestructurescanbephysicalororganizational,withbothinfluencingandoperatingononeanother.Whatinterestedmethemostwastheconceptthatinfrastructure,bydefinition,existsinthebackground,invisibletomostpeople,havingbecomesocommonthatithasfadedfromourconsciousness…atleastuntilitbreaksdown(makingitalotlikecultureinthatsense).Ifyourealizeyouhavestoppednoticingtheelectricalandtelephonewiresstrungbythesideoftheroad,theductworkinyourofficebuilding,orthewirelessaccesspointsandtelecommunicationsequipmentthatgivesyoutheInternetaccessyouareenjoyingovercoffee,thenyouknowwhatI’mreferringto.

Inaworldthatisexponentiallymoreconnectedthroughinformationtechnology,countlessinfrastructureswillhavetobeconsideredfromasecurityperspective.ConsiderSCADAandotherindustrialcontrolsystemsthatcontrol

thingslikeutilitiesandrefineries.Securingthesesystemstodayremainsaprettyspecializedareaofinformationsecurityexpertise,asobscuretomostsecurityprofessionalsastheyarescarywhenyouhearwhatasuccessfulattackercandotoandwiththem.IftheIoEevenfractionallylivesuptothehype,itwillcreateinfrastructureswithphysicalsafetyimplicationsthatmakeSCADAsecuritylookquaint.Andwewon’tbedealingwithpipelinesorinstallationsthatcanbeisolatedandfencedofffromthepublic.Societywillbetheinfrastructureandeverysinglepersonapotentialconduitorhubofactivity.Securitycannottakeonthatchallengewiththetoolswehavetoday.

IdentityThereareaspectsofinformationsecuritythatarenotfullyunderstoodrightnowbutwillbecomecentraltotheprofessioninthefuture.AskaCISOtodayabout“identity”andshewilllikelytalkaboutidentitymanagement,theprocessesandtechnologiesthatenableanorganizationtocontrolusersandtheiraccess.Buttheconceptofidentityandwhatitmeansinadigitalageisswiftlyevolvingintoasisterdisciplineofinformationsecurity,onethatwillexertimmenseinfluenceoninformationsecurity’sdirectionandrequirementsinthecomingdecades.Identitysystemshavebecomeoneofafewboundarylinesinsocietywherethevirtualorsymbolicmeetsthephysical.Identitycanbestolen,massproduced,andusedbothtocreatebusinessvalueorruinit.Howoursocietywilladdressthequestionofwhatitmeanstobesomeonewithinitandhowthatprocesscanbemanaged,manipulated,orsubvertedaregoingtobeimportantquestionsforsecurityprofessionalstograpplewithaswemoveforward.

Securityhasalreadyseenonewaveofdisruptionfromthesenewidentitychallenges,evenifwehavenotexplicitlyrecognizeditassuch.Personallyidentifiableandpersonallycontextualinformationiscentraltomostoftherecentmassivecorporatesecuritybreaches.Bothtypesofinformationaretiedtouniqueindividualsandareofinteresttothievesbecausetheyallowthemeithertostealanidentity(personallyidentifiable)ortocashinonanexistingone,suchasbyreleasingpersonalphotosore-mails(personallycontextual).Securityhastendedtotreatpersonalinformationsimilarlytohowabanktreatsmoney:assomethingyoulockupinavaulttokeepsafe.Butidentityismuchmorecomplexthanmerecash;itisinherentlypeople-centric,andwillrequiretheinformationsecurityprofessiontocompletelyreexaminehowitdealswiththechallengesofsafeguardingidentity.Someorganizationsarealreadyexploringidentityasanovelphenomenoninthedigitalage.Forexample,theCenterforIdentityattheUniversityofTexasisworkingonconceptsofidentitythatusetermslike

“ecosystems”and“physics”insteadofjust“technology”and“policy.”Suchresearchisbeginningtorecognizethatone’sidentity,ratherthanbeinganattributeoracharacteristicofapersonorasystem,isitselfacomplexsystem.Managingthatcomplexityandtheemergentbehaviorsthatcomewithitwillbridgefieldsasdiverseasengineering,law,informationsecurity,sociology,andphilosophy.

PrivacyRelatedtobothinformationandidentity,theconceptofprivacyisgrowingininterestandimportance,andwouldhaveevenifthemassivesurveillanceprogramsrevealedbyEdwardSnowdenhadnevercometolight.BruceSchneier’slatestbook,DataandGoliath,isonitswaytobeingoneofthebest-sellingprivacybookseverwritten,andthefactthatitsauthorisasecurityprofessionalistelling.ButSchneier’sbookisonlythelatestinalargeliteratureofscholarlyprivacyandsurveillancestudiesextendingbackatleastasfarasMichelFoucault’sDisciplineandPunish,withitspowerfulmetaphorofthepanopticonanditsall-encompassingvisibilityintoeverydayactivities.Manyoftheseworkswerewrittenbyresearchersandtheoristswhowerepeople-centric,focusedasmuchonsocietalandorganizationalaspectsofprivacyastheywereoninformationandtechnologysystems.

Securitywillneedtobringourconsiderableexpertisetobearhere,becausewithsomanyaspectsofprivacybeingmediatedbytechnologyanddigitalinformationsystems,theprotectionandcontrolofsystemsismoreimportantthanever.Butonceagain,technologyandsystem-levelcontrolswillneverbeenoughtoaddresswhatisfundamentallyachallengeatthesociallevel.Ifinformationsecuritycannotcreatepeople-centricinnovationsaswellastechno-centricones,wewillonlyeverplayasupportingroleinwhathistorymayrememberasoneofthepivotalpointsinhumancivilization.

FramingPeople-CentricSecurityThisbookisaboutgivingorganizationsandsecurityprofessionalsanewlanguageandnewtoolswithwhichtodiscussandimproveinformationsecurity.Thislanguageandthesetoolsdirectlyaddressacornerofthepeople–process–technologytrianglethathasbeentraditionallyneglectedbytheprofessionandtheindustry.People-centricsecurityisnotnecessarilymoreimportantthantheothertwocorners,althoughIthinkacasecanbemadetothateffect,butitis

equallyimportant,andanyInfoSecprogramthatdoesnotincludepeople-centricapproachesthataretakenasseriouslyasprocessortechnologyisnotgoingtohavelong-termsuccess.Whenyouhaveathree-leggedtable,there’snowaytoskimpononelegandexpecttheresultingpieceoffurnituretobestable.Itjustdoesn’twork.

SecuritySoftPowerInforeignaffairs,theconceptofsoftpowerreferstoanation’sabilitytogetthingsdonebyconvincingothernationstoworkwithit,ratherthanbybribingthemorresortingtomilitaryforce.Softpowerisalsousedtochangepublicopinionthroughlessdirectandcoercivechannels.JosephNye,thepoliticalscientistwhocoinedthetermsoftpower,hascommentedthatcredibilityisthemostvaluableandrarestresourceinanageofinformation.

IcouldnotagreewithNyemore.ThesinglegreatestweaknessIseeinInfoSecprograms,securityvendors,andsecurityprofessionalsisalackofcredibility.Noonedoubtsthatsecurityisimportant,butthesecurityindustrystrugglestomakethecaseforjusthowimportantitis,whereresourcesshouldbeallocated,orwhatconstituteseffectiveness.Theresultisthatsecurityisnaturallydrawnintoculturalcompetitionwithotherswho,nomatterhowcriticaltheybelievesecuritytobe,don’tbelievesecurityisascriticalasthethingstheycareabout.Ifsecuritycannotmakeitselfmorecredibleintheseconflicts,failuresandbreacheswillcontinuetohappen.

Securityaffairsneedasoftpowerapproach,analternativetocoercivepoliciesandautomationthatattemptstoforcepeopletotakesecurityseriouslywithouteverreallyconvincingthemofwhytheyshould.Thatsortofapproachonlyworksuntilthosepeoplecanfigureouthowtogetaroundtheconstraints,eitherdirectlyorbyunderminingthemwithintheorganization.People-centricsecurityconcentratesonunderstandinghoworganizationsthinkandbehaveasindividualsandcollectively,andcraftingapproachestosecuritythatworkwiththesesocialandorganizationalforcesratherthanagainstthem.

ThreeTakeawaysfromtheBookAttheriskofoversimplifyinghundredsofpagesintoashortlist,therearethreecoreideasthatanyreaderofthisbookshouldhaveembeddedintotheirbrainafterturningthefinalpage:

Peoplearethemostimportantsystemtosecure.

Strongcultureequalsstrongsecurity.Failureisafeatureofcomplexsystems,notaflaw.

PeopleAretheMostImportantSystemtoSecureAnorganizationwithouttechnologyisstillanorganization.Anorganizationwithoutpeopleisnot.Thisbasictruismimpliesthatanyorganizationthinkingaboutsecuritymustthinkaboutwherepeoplefitintothoseefforts.Yousimplycannotautomatepeopleoutoftheequationwhenitcomestosecurity.Thisisnotbecausepeoplearesoinsidiouslycleverthattheywillalwaysfindawaytoadaptaroundyourcontrols(buttheyareandtheywill).It’sbecausecompletelyautomatinghumanjudgmentandadaptabilityoutoftheequationendsupcreatingasecurityinfrastructurethatismorerigidandbrittlethanthealternativeyouaretryingtoprevent.Thepeoplethatmakeupanyorganizationareitsmessiestandmostcomplexsystem.Itismuchbetterforsecuritytoleveragethissysteminsupportofsecuritythantounrealisticallyattempttoconstrainit.People-centricsecurityisaboutelevatingthestatusofthissystemdramaticallyacrosstheorganization.

StrongCultureEqualsStrongSecurityCultureaspeople-centricsoftwareisametaphorIledwithatthebeginningofthebook.Ifanorganizationcanmakeitsculturemoresecure,thenthereislessneedtotrytoautomatepoorsecurityoutoftheorganizationbyusingtoolsandprogramsthatwillneverbeassophisticatedastheonetheyaretryingtocontrol.Bythesametoken,ifanorganization’ssecuritycultureisweakandbuggy,ifitconstantlycompetesorconflictswithotherroutinesandprocessesrunningthings,thatorganizationisgoingtohaveproblems.Thesecurityprofessionhasalwaystalkedaboutsecurityasachallengethatcanonlybeaddressedthroughacombinationofpeople,process,andtechnology.We’vealsoalwaystendedtoreversethosethreethingsinorderofimportance.Thishastochange.TheCompetingSecurityCulturesFrameworkisaboutbringingtogetherdifferentwaysoflookingatsecuritytocreatestronger,morebalancedsecurityculturesoverall.

FailureIsaFeatureofComplexSystemsSecurityhas,attimesimplicitlyandatothertimesexplicitly,devoteditselftostoppingsecurityfailures.Thatisprobablyoneofthereasonsitcanbesofrustratingtobeasecurityprofessional.Youfeellikeyourjobisfutile,andin

thatsenseitis.Youcannotpreventfailureinacomplexsystembecausethenatureofcomplexityisemergence,andsomeofthethingsthatemergefromsuchasystemaredecay,entropy,andbreakdown.Theopportunityforinformationsecurityistorealizethatwearenowmanagingasystemthathasgrownbeyondourcapabilitytocontrolit.That’sfrighteningandexhilaratingatthesametime.Ourinformationsystemsandtechnologieswillenableustodothingsprettysoonthatwouldhavebeenconsideredfantasy(ornightmare)justafewyearsago.Wehavelongpassedthepointwherewecanmaketheoutcomesofusingthesesystemspredictable,butwecanstillmakethoseoutcomesmorereliable.TheSecurityFORCEModelandtheHighlyReliableSecurityProgramsthatitisdesignedtoencourageareallaboutmanagingfailureincomplexsystems,notbypreventingitbutbyunderstandingit,keepingitassmallaspossible,andbouncingbackquicklywhenit’snot.

PuttingPeople-CentricSecuritytoWorkWhenconsideringhowtoimplementpeople-centricsecuritywithinyourownorganization,it’simportanttounderstandaheadoftimewhatyouwanttoaccomplish.Thereisalotofmaterialinthisbookandalotofwaystoputittouse.Ihavelaidoutthebookcomprehensively,anall-inapproachthatcombinesculturewithbehavior,diagnosiswithactivity.Andthatapproachiscertainlyagoodonetotakeifyourorganizationhasthecommitmentanddesiretotransformsecuritycultureacrosstheboard.Butit’salsoimportanttonotethatnoteveryorganizationcanaffordorwantstodothat.

TwoModels,OneGoalTheCSCFandtheSecurityFORCEModelarebothmeansfortransformingorganizationalsecurityculture.TheCSCFismoreofatop-downapproach,diagnosingdifferentculturesandbuildingtransformationstrategiesaroundthismacroviewofsecurityandthewayitinteractswithotherorganizationalgoals.SecurityFORCEismorebottom-up,addressingspecificbehaviorsasabackdoormethodofculturalchange.Optimally,theyworktogether.Separately,theycanstillwork.

Intheabsenceofreasonsnotto,IrecommendbeginningwiththeCSCF,usingtheframeworkasadiagnosticinstrumenttoidentifyareasofconflictbetweensecurityandotherorganizationalprioritiesandbetweenuniquesecurity

prioritiesthemselves.AnorganizationmayfindtheinsightsgeneratedbytheCSCFtoberevelatory,identifyingareaswheretheorganizationsaysonethingbutbelievessomethingelse,orrealizingthatonepriorityalwaystrumpseveryotherprioritytheorganizationprofessestoholddear.EvenifaCSCFanalysisdoesnotleadtoafull-blownsecurityculturetransformationplan,knowingwhattheorganizationbelievesaboutsecurityshineslightonhowitbehavestowardsecurity.

ItendtorecommendtheSecurityFORCEModelasastartingpointfororganizationsthatarefocusedprimarilyonprogramself-improvement,organizationswhowouldliketochangetheirculturebutrequiresomethingabitmoretacticaltobeginwith.MovingtowardthebehaviorsofanHRSPcancreatepowerfulchangesinanInfoSecprogram,butthosechangesprobablywillnotextendveryfarbeyondtheInfoSecprogram.ImprovingtheFORCEbehaviorsmayenabletheCISOtorunatightership,butitwon’thelpthatCISOconvinceothersthatsecurityisjustasimportantasculturaldriverslikeprofitorproductivity.Andbecausethemodelisbehavioral,anyculturalchangeitcreatesisslower,theresultofchanginghabitsmorethanchangingbeliefs.

People-CentricSecurityStrategiesWhetheryouareaCISO,asecurityawarenessmanager,oradifferentsecuritystakeholderentirely(maybenotevenpartofthesecurityprogram),anyattemptatpeople-centricsecurityrequiresastrategyandaplanbeforeyoubegin.Thestrategycanbetransformationalorbehavioral,exploratoryordirected.Butwhateverstrategyyouchoose,youshouldhaveabasicideaofwhatyouwanttoaccomplishbeforeyoudivein.Thefollowingarejustafewexamplestrategiesthatmightprovokesomethoughtsorideas.

ImprovingBoardandBusinessStakeholderEngagementImprovingorganizationalcultureandbehaviormaynotbecentraltoinformationsecuritymanagerstoday,buttheconceptgetsalotoftractionattheboardandseniorexecutivelevels.MostoftheresearchI’veappliedinthisbookcomesfrompeoplewhoworkwithcompanyleadershipteamsastheirprimaryresearchpartnersandconsultingcustomers.Whileit’snoguaranteethatincludingculturaltransformationwillgetexecutivestopaymoreattentiontosecurity,itdoesprovideanotherapproachtoCISOswhoarestrugglingtofindcommongroundwithbusinessstakeholders.AndasaformofthesoftpowerIdiscussedearlierinthischapter,theCSCFcanbeapowerfulwayofencouragingsecurity

teamsandtheseotherbusinessstakeholderstotalkabouttheirprioritiesusingacommonframework,onethatgiveseveryoneavoiceinthesecurityprocessandameansoflisteningtoo.

SuperchargingSecurityAwarenessSecurityawarenessprograms,asI’vesaid,remainthemostpeople-centricofallsecurityeffortswithinanorganization,thefrontlinebetweentheInfoSecprogramandeveryoneelse.Asbothchampionsofsecurityandsecurityeducators,trainingandawarenessteamscanbenefitextensivelyfromboththeCSCFandtheSecurityFORCEModel.Infact,Ihaveahardtimeimaginingsecurityculturetransformationstartingwithouttheactiveparticipationofthesecurityawarenessteam.Itcanhappen,butit’smuchharder.People-centricsecurityhasthepotentialtoelevateandextendthereachoftheseprofessionalsandtheservicetheyprovidetotheorganizationasawhole.

People-CentricIncidentResponseThevisibilityintoculturalthreatsandrisksprovidedbytheCSCFandthedeterminationtokeepfailuresmallandkeepresponseresilientembodiedinSecurityFORCEbothofferinnovativebenefitstoorganizationalincidentresponsecapabilities.Toooften,root-causeanalysesandincidentresponseplanningunnecessarilylimitthemselvestotheimmediate,technicalcomponentsofdetectionandmitigation.Theresultisanincidentresponsecapabilitythatmissesthereasonsthattheorganizationdriftsfromnon-failuretofailurestatestobeginwith.ByincorporatingCSCFandSecurityFORCEprinciplesintoincidentresponseplanning,organizationscanchangethegamebychangingtheirbasicunderstandingofwhatanincidentmeansandwhatitimpliesforanorganizationseekingtokeepitfromhappeningagaininthefuture.

ConclusionThisbookisaculminationofbothaquarter-centuryofmydirectexperiencewithhowpeopledoinformationsecurityallovertheworld,inavarietyoforganizations,andtenyearsofspecificworktheorizingandresearchingwaystoput“people”intheirrightfulplaceatthefrontofthe“people,process,andtechnology”triadthatInfoSecprogramsclaimisthecoreofsuccessfulsecurity.Irejecttheideathatwearebeleaguereddefendersabouttobeoverrunbythehostileenemiesoutsideourwalls,andthatchangeisrequiredbecausesecurity

hasfundamentallyfailed.Therehavecertainlybeencolossalanddisturbingfailures,andtherewillcontinuetobe.ButIprefertothinkofourprofessionasadolescent,facedwiththesameleapintomaturitythateveryotherprofession(suchasinsurance,law,andevenIT)hasfaced.

It’sscarygrowingup.Youhavetostartthinkingaboutthingsthataremuchmoredifficultandcomplicatedthanwhatyouhavehadtodealwiththroughoutyourchildhood.Butmostadultsprobablywouldnotwanttogobacktotheirdaysofbeingakid.Maturitybringsopportunityandrewardonagranderscale.That’swhereinformationsecurityistoday,facingchallengesbiggerthananywe’vehadtofacebeforeandneedingtoolsthatwe’venotusedbeforetomeetthosechallenges.Therewardsareenormousifsocietygetsinformationsecurityright.Butthat’snotwhywehavetodoit.Wehavetodoitbecausewecan’tgobacktothewayitwas,anymorethanyoucangobacktochildhood,evenifyouwantedto.Associetybecomesincreasinglydependentontechnologyandinformation,threatstotechnologyandinformationbecomethreatstosociety—not“meteorfromtheskyobliteratesalllife”threats,but“crime,disease,andwarmakelifemiserable”threats.Badthingswillalwayshappen,butwehavetolearntodealwiththem,adapt,andmanage.That,too,isalessonwelearnaswegetolder.Thisbookcertainlydoesn’thavealltheanswers,butIhopethatithelpsatleastafewpeopleinthisprofessionthatIhaveenjoyedforsolonganswersomeoftheirowntoughquestions.

FurtherReadingFoucault,Michel.DisciplineandPunish:TheBirthofthePrison.NewYork:VintageBooks,1995.Schneier,Bruce.DataandGoliath:TheHiddenBattlestoCollectYourDataandControlYourWorld.NewYork:W.W.Norton,2015.UniversityofTexasCenterforIdentity.Informationavailableathttp://identity.utexas.edu

http://identity.utexas.edu

Index

Pleasenotethatindexlinkspointtopagebeginningsfromtheprintedition.Locationsareapproximateine-readers,andyoumayneedtopagedownoneormoretimesafterclickingalinktogettotheindexedmaterial.

68-95-99.7Rule,167

AABLEManufacturing(casestudy),128–133comparingsecurityemployeeandnonsecurityemployeecultures,156–157securityculturemapping,143–146,149–150,151–156

accidents,225–226adaptivesystems,109AdbustersMediaFoundation,10adhocracies,95annuallossexpectancy,300anonymity,178–179ApacheOpenOffice,140Apollo13,220,276Apple,culturalsuccessof,40archetypes,90–91ArgyleExecutiveForum,363Ariely,Dan,71artifactsasdata,88assumptions,164

formalizing,296FOXTROTIntegrators,Inc.(casestudy),164–166

audience,knowing,183–184audits,11

failureasbrutalaudits,222

authorityallowingauthoritytomigrate,320–321migrating,314–315structuralauthorityvs.structuralknowledge,312–313

automation,behavioralmodels,196–197,198AutonomyCulture,100,109–111

andthesecurityvalueofresilience,351–352weaknessof,355

AviationSafetyInformationAnalysisandSharing(ASIAS),226awarenessteams.Seesecurityawarenessteams

Bbarcharts,146behavior,203behavioralmodels,192–199

opportunitiesfornewsecuritybehavioralmodels,198usingtheresultsofthemodel,169–170SeealsoSecurityFORCEBehavioralModel

Berkshire-Hathaway,66blackswanevents,211blindspots,254Box,George,101“bringyourowndevice”movement.SeeBYODBureauofLaborStatistics(BLS),225bureaucracy,104,315–316BYOD,111

CCameron,Kim,102capabilitymaturitymodeling,334–335casestudies

ABLEManufacturing,128–133,143–146,149–150,151–157CHARLIESystems,Inc.,133–135,153–154DOG,135–138,157–158FOXTROTIntegrators,Inc.,164–170GEORGEG,LLP,343–344HOTELINDIA,Inc.,345–346KILOKINGEnterprises,346–347

CCMM.SeeCulturalCapabilitiesMaturityModel(CCMM)CenterforIdentityattheUniversityofTexas,374centraltendency,85CEOs,358chainingcultureandbehavioreffects,348–349changeagentsofsecurityculture,35–37CHARLIESystems,Inc.(casestudy),133–135

securityculturemapping,153–154TheChecklistManifesto(Gawande),315checklists,315–317CISOLeadership:EssentialPrinciplesforSuccess,359–360,362CISOs,35–36,55,75,358–359

asbusinessleaders,359–360engaging,173leadershipresources,363

clancultures,94–95cognitivedifferences,71cognitivelimitations,69–71“TheCollapseofSensemakinginOrganizations:TheMannGulchDisaster”,

269–270Columbiaspaceshuttle,313CommandandControl(Schlosser),316–317,331commitmenttoresilience,206CommonVulnerabilityScoringSystem(CVSS),288,289–290communication,openingup,238CompetingSecurityCulturesFramework(CSCF),82,92,94,203,376,377–378

adaptingtoleadership,365–367alignmentswithSecurityFORCEBehavioralModel,349–353andculturalleadership,366culture-behaviorlinkinHRSPs,215–217asaframeworkforunderstanding,190–191internalvs.externalfocus,98–99limitationsof,101–102mappingsecuritycultureusing,141–143nativeculturalreferencepointsin,142originsincompetingvaluesresearch,94–96

overlappingandcompetingvalues,100–101quadrants,99–100SCDSscoresalignedwithCSCFquadrants,180views,97,100,101

competingsecuritypriorities,76competingsecuritystakeholders,74–75competingsecurityvalues,76–77competingvalues,34–35CompetingValuesFramework,94–96,102–104

adaptingtosecurity,96–99complexity,353

acceptingwhatwealreadyknow,306–307covetingempiricalevidence,297embeddingcomplexityvalueintosecurityprogram,305–306evidenceandfalsifiability,298formalizingassumptions,296growinguncertainty,288–289makingeverymodelbetter,299–300oversimplification,295–296reluctancetosimplify,205sharingthedoubt,298–299simplification,287–288thinkingbigger,306Seealsosecurityvalueofcomplexity

complianceandcontrolregimes,behavioralmodels,192–193,198ComplianceCulture,100,106–108

andthesecurityvalueoffailure,351complianceframeworks,300conceptualslack,274consensusbuilding,54–55control,degreesof,97–98CorporateCultureandPerformance(KotterandHeskett),47–48cost/benefitanalyses,172costs

estimatingthefinancialimpactofsecurityculture,162–164reducedriskandcostsfromincidents,162

andschedules,338–339covertprocesses,61–62credibility,sharing,321–322CSCF.SeeCompetingSecurityCulturesFramework(CSCF)C-suite,35–36culturalanomaliesanddisconnects,154–156culturalarchetypes,90–91CulturalCapabilitiesMaturityModel(CCMM),335–336

organizationalproficiencieswithinCCMMmaturitylevels,337culturalcompetition,asasourceofrisk,73–77culturalconflict,152culturalengineering,12culturalframeworksandmodels,92culturalintensity,153–154culturalintolerance,174culturalmaturity,225

blendingSecurityCultureDiagnosticandSecurityFORCEprojects,355–356

culturalrisk,61–62culturalstereotypes,90–91culturalthreatmodeling

covertprocessesandculturalrisk,61–62overview,60–62SeealsoPEPL;STRIDE

culturaltraits,30–33culturaltransformation,challengesof,53–56cultural-behavioralalignments,takingadvantageof,353–355culture,203

chainingcultureandbehavioreffects,348–349powerof,4–7strongcultureequalsstrongsecurity,376visualizing,92–93whenculturemakesbehavioreasier,354whenculturemakesbehaviorharder,354–355

culturehacking,7–8badculturehacks,15–16

goodculturehacks,14–15historyof,9–10PayPal,48softwareofthemind,8–9uglyculturehacks,16Seealsosafetyculture;securityculture

culturemaps.SeesecurityculturemapsCVSS.SeeCommonVulnerabilityScoringSystem(CVSS)

Ddashboards,248–249data

aligningwithprojectgoals,181–183collecting,175–179respondentsand,340

DataandGoliath(Schneier),374DataEmbassyInitiative,277DataLeakageWorldwide,41datamanagementandstorage,179deadlines,23–24defeatism,31–32deferencetoexpertise,206Dekker,Sidney,27–28,34,207demographicdata,collecting,177–178denial,254Denison,Daniel,102DepartmentofGovernance.SeeDOG(casestudy)design,20–22diagnosisandtransformation

CSCFasaframeworkforunderstanding,190–191SeealsosecurityculturediagnosticprojectDisciplineandPunish(Foucault),374

disorganizedcomplexityproblemsof,286Seealsocomplexity

DOG(casestudy),135–138comparingcurrentsecurityculturetoitsdesiredsecurityculture,157–158

dominantculture,151DREAD,62drift,27–28,34,207Drucker,Peter,20,29,43

EEC-Council,363e-commerce,195–196efficiency,andincreasedsecurity,161–162egos,319–320emotionallogic,68,69emotionalthreats,66–68empiricaldata,87empiricalevidence,coveting,297engineeringculture,242Enron,culturalfailureof,43enterpriseriskmanagement(ERM),240equality,319–320ERM.Seeenterpriseriskmanagement(ERM)Estonia,277evaluatingoutcomes,55–56evidenceandfalsifiability,298exceptionalism,32expectations

andreality,243testingexpectationsagainstreality,249–251

expertise,310–311allowingauthoritytomigrate,320–321askingtheexperts,318–319creatingdecisionfastlanes,330–331deferenceto,206embeddingexpertisevalueintosecurityprogram,329FORCEvaluemetricsfor,326–328informationfiltering,311–312makingeveryoneasensor,329–330migratingauthority,314–315rewardingcallstoactionandcriesforhelp,322–323

scoringtheexpertisevaluebehaviorsurvey,325–326sharing,273–274sharingcredibility,321–322structuralauthorityvs.structuralknowledge,312–313suppressingegos,319–320valuingexpertisefromthetopdown,331Seealsosecurityvalueofexpertise

Ffailureanticipatingfailures,227assessingfailurevaluebehaviors,232–237brutalaudits,222embracing,223–224failsmall,failfast,failoften,224–225“failureisnotanoption”,220–221failuresofimagination,211asafeatureofcomplexsystems,377imaginingfailuresanddisasters,267–268improvingfailurevaluebehaviors,237–238keyvaluebehaviors,226–230learningfrommistakes,230practicingfailing,275–276preoccupationwith,205reeducatingpeopleonwhatitmeanstofail,237reevaluating,221–223rewardingproblem-reporting,228–229seekingoutproblems,227–228sharinginformationabout,229–230studies,207trackingtheseedsof,225–226weaksignals,223Seealsosecurityvalueoffailure

TheFailureofRiskManagement(Hubbard),71fear,uncertainty,anddoubt,38,67–68,157–158,370FederalAviationAdministration(FAA),226FederalInformationSecurityManagementAct.SeeFISMA

filteringinformation,311–312FISMA,107,194formalization,174Foucault,Michel,374FOXTROTIntegrators,Inc.(casestudy),164–170frequency,293FUD,38,67–68,157–158,370Fujitsu,197

GGardner,Daniel,71Gardner,Nick,276Gawande,Atul,315GEORGEG,LLP,343–344globalculture,41GlobalHumanCapitalTrends2014,272goals

comparative,182descriptive,181stretch,274–275transformative,182–183

HHackers:HeroesoftheComputerRevolution(Levy),7–8hacking,7–8hackingculture.SeeculturehackingHaikuDeck,184Harris,Ed,220HealthInformationTechnologyforEconomicandClinicalHealthAct.See

HITECHHealthInsurancePortabilityandAccountabilityAct.SeeHIPAAHeartbleed,289–290heatmaps,291–294,300hedgingagainstfailure,22–23Heskett,James,47–48,53hierarchies,96HighlyReliableSecurityPrograms.SeeHRSPshigh-reliabilityorganizations.SeeHROs

HIPAA,15,106,108Hitchens,Christopher,298Hitchens’Razor,298HITECH,107,108Hoffman,Reid,48Hofstede,Geert,8HOTELINDIA,Inc.,345–346HROs,203

andfailure,221fiveprinciplesof,204–206ininformationsecurity,206–208research,204–206

HRSPs,208culture-behaviorlink,215–217embracingfailure,223–224andfailure,221managingfailure,377surviving,216

Hubbard,Doug,71humancapital,272HumanCapitalInstitute,272humanrelations,112hypotheses,248

Iidentity,373–374ignorance,andrisk,290–291incentives,175incidentresponse,265–266,379incompatibleoutcomes,73incompatiblesystems,72influence,andtransformation,365informationfiltering,311–312informationpoverty,246informationsecurity,372

culturaltraitsin,30–33powerofculture,4–7

InformationSystemsSecurityAssociation(ISSA),363InfoSec.Seeinformationsecurityinfrastructure,373insight,231InternetofEverything(IoE),370,371InternetofThings(IoT),370intervaldata,85–86interviews,89–90ipsativescales,125–126(ISC)2,363ISO27001,14,15,194–195

JJobs,Steve,40Johnson,Neil,286

KKahneman,Daniel,71KILOKINGEnterprises,346–347Kotter,John,47–48,53Kranz,Gene,220

Llabels,powerof,288leaders,assecurityenablers,360leadership

CISOleadershipresources,363crisisof,358–363CSCF,SCDSandculturalleadership,366andorganizationalculture,56inpeople-centricsecurity,364–365SecurityFORCEBehavioralModelandbehavioralleadership,367settingleadershipexamples,238supportandengagement,339

Lee,Billi,360Levy,Steven,7–8LibreOffice,140Likertscales,125,233,255linemanagers,11

logisticalthreats,72–73LordKelvin,51

Mmanagedcoordination,104ManagingtheUnexpected(WeickandSutcliffe),203,220,242,265,274,313MannGulchfire,269–270,273–274,322mapping.Seesecurityculturemapsmappingtools,140marketcultures,95–96Marshak,Bob,61Maslow,Abraham,31mean,85media,choosing,184median,84,85metis,324migratingauthority,314–315,320–321mindfulness,225MinorityReport,197Mistakes(Gardner),276mistakes,learningfrom,230MITRE,226mixedmethodsresearch,89mode,85monoculture,oppositeof,28–35MonteCarlosimulations,163–164,168movingthefence,24–26Musk,Elon,48Myatt,Mike,9

NNationalInstituteofStandardsandTechnology.SeeNISTNationalNearMissprogram,226NationalTransportationSafetyBoard(NTSB),225NationalVulnerabilityDatabase(NVD),290nearmisses,225–226NeoOffice,140TheNewSchoolofInformationSecurity(Shostack),60

NIST,194nominaldata,83–84NormalAccidents:LivingwithHigh-RiskTechnologies(Perrow),207normativescales,125Nye,Joseph,375

OOccupationalSafetyandHealthAdministration(OSHA),225OccupyWallStreetmovement,10OCTAVE,62OpenSystemsInterconnection(OSI)referencemodel,92operationalpower,241operations

embeddingoperationsvalueintothesecurityprogram,259–260embracingthesharingeconomy,260–261exceptionstotherules,251–252formingabiggerpicture,246–247keepingyoureyesopen,245–246listeningtothesystem,247–249securityoperationsunplugged,244sensitivityto,206,241–243sharingoperationalassessments,252–253testingexpectationsagainstreality,249–251thinkinglikescientists,260Seealsosecurityvalueofoperations

opinions,248ordinaldata,84organizationalculture,8

Apple,40culturebythenumbers,51–53Enron,43frameworksandmodels,93icebergmetaphor,43–47andleadership,56linktoorganizationalperformance,47–49originsof,41–42outcomes,42

PayPal,48qualitativemeasureandtechniques,50–51qualitativevs.quantitativemeasurement,49–50research,57

OrganizationalCultureAssessmentInstrument,146OrganizationalCultureAssessmentInstrument(CameronandQuinn),102OrganizationalCultureSurvey(Denison),102organizedcomplexity

problemsof,286Seealsocomplexity

outcomes,evaluating,55–56outsourcing,273OvercomingObesity:AnInitialEconomicAnalysis,68oversimplification,295–296overtrainingpeople,270–271

Pparanoia,33,224passaudits,107PaymentCardIndustryDataSecurityStandard.SeePCIDSSPayPal,culturalmigrationof,48PCIDSS,11,15,106,108penetrationtesting,107,231people,securing,376people-centricsecurity,12–13,17

aligningcultureandbehavior,347–356framing,375–377puttingpeople-centricsecuritytowork,377–379strategies,378–379

PEPLemotionalthreats,66–68logisticalthreats,72–73overview,62–64politicalthreats,64–66psychologicalthreats,68–71

performance,linktoorganizationalculture,47–49Perrow,Charles,207

politicalthreats,64–66PollDaddy,176

SeealsoSecurityCultureDiagnosticSurvey(SCDS)Popper,Karl,298powerdynamics,361–362poweroflabels,288preoccupationwithfailure,205presentations,184Prezi,184privacy,178–179,374problems

rewardingproblem-reporting,228–229seekingout,227–228

ProcessCulture,100,104–106,108andthesecurityvalueofoperations,350–351

processimprovement,behavioralmodels,194–195projectdeadlines,23–24projectmanagers,11psychologicalthreats,68–71

QQSAs.SeeQualifiedSecurityAssessorsQualifiedSecurityAssessors,193–194qualitativedata,84,87–88

combiningqualitativeandquantitativedata,88–90qualitativemeasurementofculture,vs.quantitativemeasurementofculture,49–

50qualitativeresearchapproaches,52quantitativedataandanalysis,83–86

combiningqualitativeandquantitativedata,88–90quantitativemeasurementofculture,vs.qualitativemeasurementofculture,49–

50Quinn,Robert,102

Rradarchartmaps,147–148ratiodata,86rationalgoals,106reality

expectationsand,243testingexpectationsagainstreality,249–251

redteaming,107reluctancetosimplify,205resilience

commitmentto,206creatingskillbenches,272–273embeddingresiliencevalueintothesecurityprogram,282failurepractice,275–276underfire,269–270imaginingfailuresanddisasters,267–268overtrainingpeople,270–271respondingtosecurityincidents,282–283rollingwiththepunches,266–267stretchgoals,274–275whenbadthingshappen(togoodorganizations),264–265Seealsosecurityvalueofresilience

riskignoranceand,290–291reducedriskandcostsfromincidents,162

risktolerancelevel,22Roytman,Michael,289Rubik’sCubeeffect,11,35RussellReynoldsAssociates,365

Ssafetyculture,6Sarbanes-Oxley,11,15,43SCADA,373SCDS.SeeSecurityCultureDiagnosticSurvey(SCDS)scenarios

FOXTROTIntegrators,Inc.(casestudy),166–168testing,168–169

Schlosser,Eric,316–317,331Schneier,Bruce,374“ScienceandComplexity”,286scoringsystems,289–290

Scott,James,323–324SDLCprocess,22–27security

design,20–22andglobalculture,41asasubculture,30whysecurityfails,20–28

securityawarenessmanagers,11–12securityawareness,supercharging,379securityawarenessteams,11–12

leveragingculturalchange,36securityculture,6,10–11

changeagents,35–37communicating,183–185directbenefitsofsecuritycultureimprovement,160–162estimatingthefinancialimpactofsecurityculture,162–164hacking,13levelsofstrength,166makingsecuritycultural,38measuring,82–93Seealsotransformation

securityculturediagnosticprojectanalyzingresponses,180–181buildingtheprojectteamandplan,174–175collectingdata,175–179datamanagementandstorage,179definingthecontextoftheassessment,172definingtheprojectstrategy,171–172directbenefitsofsecuritycultureimprovement,160–162engagingotherstakeholders,173–174engagingseniormanagement,172–173executing,170marketingandpositioningtheproject,177performingacost/benefitanalysis,172settinguptheproject,171–175

SecurityCultureDiagnosticSurvey(SCDS),116,119–122,175–176

blendingwithSecurityFORCEprojectsforimprovedculturalmaturity,355–356

casestudies,128–138collectinghonestresponses,179andculturalleadership,366ensuringprivacyandanonymity,178–179howsurveyswork,117–118interpretingandcommunicatingresults,181–185interpretingresults,151–156organizingrespondents,176–179questionsintheSCDS,118–125scoresalignedwithCSCFquadrants,180scoringmethodology,125–126scoringtheresults,126–127usingindependently,349

securityculturemapsbarcharts,146comparingcultures,156–158compositionofaSCDS-basedculturemap,143–146creating,180–181mappingspecificvaluesandactivities,149–150OrganizationalCultureAssessmentInstrument,146overview,141radarchartmaps,147–148usingtheCSCF,141–143whentouseeachtypeofmap,148–149

securityculturescores,180securityculturetransformation.Seetransformationsecurityeventandincidentmanagement(SEIM),240,245SecurityFORCEBehavioralModel,202,377–378

adaptingtoleadership,365–367alignmentswithCSCF,349–353andbehavioralleadership,367corevaluesof,209–211managingfailure,377originsof,203–208

overview,208–209usingindependently,349valuebehaviors,211–212,213valuemetrics,212–215

SecurityFORCEMetricsforcomplexity,302–304forexpertise,326–328forfailure,234–237foroperations,256–259forresilience,279–281

SecurityFORCEprojectsblendingwithSCDSprojectsforimprovedculturalmaturity,355–356costsandschedules,338–339examples,343–347leadershipsupportandengagement,339managing,338–340respondentsanddata,340stakeholderengagement,340supportingtransformationwith,338–340valueof,338

SecurityFORCEScorecard,341–342andSecurityFORCEMetrics,342–343

SecurityFORCESurveycomplexity,301–302expertise,325–326failure,232–234operations,255–256resilience,278–279scoring,233–234,341

securitypractitioners,leveragingculturalchange,37securityprocessimprovement,behavioralmodels,194–195,198securityprogrammanagement,ISO27001,14securityresearchers,leveragingculturalchange,36–37securitythreats,34–35securityvalueofcomplexity,211

assessingcomplexityvaluebehaviors,300–304

improvingcomplexityvaluebehaviors,304–307keyvaluebehaviors,294–300overview,286–289

securityvalueofexpertise,211assessingexpertisevaluebehaviors,324–328improvingexpertisevaluebehaviors,328–331keyvaluebehaviors,317–324overview,311–317andtheTrustCulture,352

securityvalueoffailure,210assessingfailurevaluebehaviors,232–237andtheComplianceCulture,351defined,220embeddingintopeople,237embracingfailure,223–224failsmall,failfast,failoften,224–225“failureisnotanoption”,220–221improvingfailurevaluebehaviors,237–238keyvaluebehaviors,226–230reevaluatingfailure,221–223trackingtheseedsoffailure,225–226

securityvalueofoperations,210assessingyouroperationsvaluebehaviors,255–259improvingoperationsvaluebehaviors,259–261keyvaluebehaviors,244–255overview,240–244andtheProcessCulture,350–351

securityvalueofresilience,210–211assessingresiliencevaluebehaviors,278–281andtheAutonomyCulture,351–352Estonia,277improvingresiliencevaluebehaviors,281–283keyvaluebehaviors,270–277overview,264–270

SeeingLikeaState,323–324SEIM.Seesecurityeventandincidentmanagement(SEIM)

seniorleadershipengaging,172–173leveragingculturalchange,35–36

sensitivitytooperations,206Shannon,Claude,286sharingcredibility,321–322sharingeconomy,260–261sharingexpertise,273–274Shostack,Adam,60,62,86simplicity

problemsof,286Seealsocomplexity

SimplyComplexity(Johnson),286skillbenches,272–273Snowden,Edward,374socialengineering,8TheSocialPsychologyofOrganizing(Weick),203socialsecurity,371softpower,375softwaredevelopmentlifecycleprocess.SeeSDLCprocesssoftwareofthemind,8–9

SeealsoculturehackingSpitzner,Lance,162,330stakeholders

engaging,173–174,340improvingboardandbusinessstakeholderengagement,378–379

statisticalalchemy,69statisticalterms,85stereotypes,90–91stretchgoals,274–275STRIDE,60,62structuralauthorityvs.structuralknowledge,312–313SurveyGizmo,176

SeealsoSecurityCultureDiagnosticSurvey(SCDS)SurveyMonkey,176SeealsoSecurityCultureDiagnosticSurvey(SCDS)surveys,90howsurveyswork,117–118

SeealsoSecurityCultureDiagnosticSurvey(SCDS);SecurityFORCESurveySutcliffe,Kathleen,203

ontheColumbiaspaceshuttle,313ondegradinggracefully,267onengineeringculture,242onfailure,222,223HROs,204onresilience,265

TTechExecNetworks(T.E.N.),363technology,behavioralmodels,196–197,198techno-romanticism,31,37terminology,statistical,85Thiel,Peter,48ThreatModeling:DesigningforSecurity(Shostack),60threesigmarule,167top-down“culturalchange”strategy,54training,overtrainingpeople,270–271transformation

behavioralmodelsfor,192–199describingintermsofculturalcapabilitiesmaturity,334–335theframeworkfor,191–192influenceand,365overview,334supportingwithSecurityFORCEprojects,338–340SeealsoCulturalCapabilitiesMaturityModel(CCMM);diagnosisandtransformationtransparency,176

TrustCulture,100,112–114andthesecurityvalueofexpertise,352

Trustwave,193turfwars,64–65

Uuncertaintychallenge,289–290

Vvendorbias,66visualizationtools,140

visualizingculture,92–93

Wwarningsigns,22–23Weaver,Warren,286,304Weber,Max,104,106Weick,Karl,107,203

ontheColumbiaspaceshuttle,313ondegradinggracefully,267onengineeringculture,242onfailure,222,223HROs,204ontheMannGulchfire,269–270onresilience,265

Whorf,Benjamin,288,292

People-Centric Security: Transforming Your Enterprise Security Culture

Documents

Transcript of People-Centric Security: Transforming Your Enterprise Security Culture