People-Centric Security: Transforming Your Enterprise Security Culture
Copyright © 2016 by McGraw-Hill Education. All rights reserved. Except as permitted under the United States Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher.
ISBN: 978-0-07-184679-0
MHID: 0-07-184679-4
The material in this eBook also appears in the print version of this title: ISBN: 978-0-07-184677-6, MHID: 0-07-184677-8.
eBook conversion by codeMantra
Version 1.0
All trademarks are trademarks of their respective owners. Rather than put a trademark symbol after every occurrence of a trademarked name, we use names in an editorial fashion only, and to the benefit of the trademark owner, with no intention of infringement of the trademark. Where such designations appear in this book, they have been printed with initial caps.
McGraw-Hill Education eBooks are available at special quantity discounts to use as premiums and sales promotions or for use in corporate training programs. To contact a representative, please visit the Contact Us page at www.mhprofessional.com.
Information has been obtained by McGraw-Hill Education from sources believed to be reliable. However, because of the possibility of human or mechanical error by our sources, McGraw-Hill Education, or others, McGraw-Hill Education does not guarantee the accuracy, adequacy, or completeness of any information and is not responsible for any errors or omissions or the results obtained from the use of such information.
TERMS OF USE
This is a copyrighted work and McGraw-Hill Education and its licensors reserve all rights in and to the work. Use of this work is subject to these terms. Except as permitted under the Copyright Act of 1976 and the right to store and retrieve one copy of the work, you may not decompile, disassemble, reverse engineer, reproduce, modify, create derivative works based upon, transmit, distribute, disseminate, sell, publish or sublicense the work or any part of it without McGraw-Hill Education’s prior consent. You may use the work for your own noncommercial and personal use; any other use of the work is strictly prohibited.
Your right to use the work may be terminated if you fail to comply with these terms.
THE WORK IS PROVIDED “AS IS.” McGRAW-HILL EDUCATION AND ITS LICENSORS MAKE NO GUARANTEES OR WARRANTIES AS TO THE ACCURACY, ADEQUACY OR COMPLETENESS OF OR RESULTS TO BE OBTAINED FROM USING THE WORK, INCLUDING ANY INFORMATION THAT CAN BE ACCESSED THROUGH THE WORK VIA HYPERLINK OR OTHERWISE, AND EXPRESSLY DISCLAIM ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. McGraw-Hill Education and its licensors do not warrant or guarantee that the functions contained in the work will meet your requirements or that its operation will be uninterrupted or error free. Neither McGraw-Hill Education nor its licensors shall be liable to you or anyone else for any inaccuracy, error or omission, regardless of cause, in the work or for any damages resulting therefrom. McGraw-Hill Education has no responsibility for the content of any information accessed through the work. Under no circumstances shall McGraw-Hill Education and/or its licensors be liable for any indirect, incidental, special, punitive, consequential or similar damages that result from the use of or inability to use the work, even if any of them has been advised of the possibility of such damages. This limitation of liability shall apply to any claim or cause whatsoever whether such claim or cause arises in contract, tort or otherwise.
To Jayne and Wyatt, because everything.
About the Author
Dr. Lance Hayden is a managing director in the Technology Advisory Practice of BRG, an international strategy and research firm. Dr. Hayden’s security career spans 25 years across the public, private, and academic sectors. His interest in human security behaviors and culture began while a HUMINT operations officer with the Central Intelligence Agency, and continued in security roles at companies including KPMG, FedEx, and Cisco. Dr. Hayden provides expert advice and consulting on information security strategy, measurement, and culture to companies and governments around the globe. In addition to People-Centric Security, he is the author of IT Security Metrics: A Practical Framework for Measuring Security and Protecting Data, also from McGraw-Hill Education. Lance received his PhD in information science from the University of Texas, where he also teaches courses on security, privacy, and the intelligence community. He lives in Austin.
About the Technical Editor
David Phillips has been protecting clients’ IT systems for over 20 years, including technical mitigation, information security risk programs, IT network security architecture, and regulatory compliance. David developed a growing professional service business inside a multinational networking corporation focused on cybersecurity, protecting clients’ intellectual property and customer data, and securing networks to allow for resilient IT infrastructure in the face of cyberattacks. His clients have included multibillion-dollar businesses in the retail, finance, manufacturing, energy, and healthcare verticals. David has worked with global enterprises to measure and mature their security capabilities across people, process, and technology, spanning levels from technology management to security awareness and security cultural transformation. David lives outside of Austin, Texas.
Contents at a Glance
Part I Understanding Your Security Culture
Chapter 1 Information Security: Adventures in Culture Hacking
Chapter 2 Strategy for Breakfast: The Hidden Power of Security Culture
Chapter 3 Organizational Culture: A Primer
Chapter 4 Cultural Threats and Risks
Part II Measuring Your Security Culture
Chapter 5 The Competing Security Cultures Framework
Chapter 6 The Security Culture Diagnostic Survey (SCDS)
Chapter 7 Creating Culture Maps with the Security Culture Diagnostic Survey
Chapter 8 Implementing a Successful Security Culture Diagnostic Project
Part III Transforming Your Security Culture
Chapter 9 From Diagnosis to Transformation: Implementing People-Centric Security
Chapter 10 Security FORCE: A Behavioral Model for People-Centric Security
Chapter 11 The Security Value of Failure
Chapter 12 The Security Value of Operations
Chapter 13 The Security Value of Resilience
Chapter 14 The Security Value of Complexity
Chapter 15 The Security Value of Expertise
Chapter 16 Behavior and Culture: Mastering People-Centric Security
Chapter 17 Leadership, Power, and Influence in People-Centric Security
Chapter 18 Securing a People-Centric Future
Index
Contents
Foreword
Acknowledgments
Introduction
Part I Understanding Your Security Culture
Chapter 1 Information Security: Adventures in Culture Hacking
  Burnt Bacon
  Safe and Not Secure
  What Were You Thinking?
  Culture Hacking
  Software of the Mind
  A Brief History of Culture Hacking
  Security Culture: Hack or Be Hacked
  Who’s Hacking Your Security Culture?
  Security, Hack Thyself
  Culture Hacks: The Good
  Culture Hacks: The Bad
  Culture Hacks: The Ugly
  Security Is People!
  Further Reading
Chapter 2 Strategy for Breakfast: The Hidden Power of Security Culture
  Why Security Fails
  We Start with a Design
  Warning Signs
  Doing More with Less
  Who Moved My Fence?
  Look Out Below!
  Getting the Drift
  The Opposite of Monoculture
  Cultural Traits in Information Security
  Competing Values and Security Threats
  The Change Agents of Security Culture
  The C-Suite
  Security Awareness Teams
  Security Researchers
  Security Practitioners
  Making Security Cultural
  Further Reading
Chapter 3 Organizational Culture: A Primer
  The Field of Organizational Culture
  Origins
  Outcomes
  The Culture Iceberg
  Hidden Aspects
  People Powered
  The Organizational Cultural/Organizational Performance Link
  Assessing and Measuring Culture
  Qualitative vs. Quantitative Measurement of Culture
  Qualitative Measures and Techniques
  Culture by the Numbers
  Challenges of Cultural Transformation
  There’s No One Right Way to Change Culture
  You Have to Include Everybody
  You Have to Build Consensus
  You Have to Evaluate the Outcomes
  You Have to Have Good Leadership
  An Ocean of Research
  Further Reading
Chapter 4 Cultural Threats and Risks
  Cultural Threat Modeling
  Covert Processes and Cultural Risk
  Getting to Know PEPL
  Political Threats
  Emotional Threats
  Psychological Threats
  Logistical Threats
  Cultural Competition as a Source of Risk
  Sizing Up the Competition
  Further Reading
Part II Measuring Your Security Culture
Chapter 5 The Competing Security Cultures Framework
  Measuring Security Culture
  Quantitative Data and Analysis
  Qualitative Data and Analysis
  Combining the Qualitative and Quantitative
  Other Ways of Describing Culture
  The Competing Security Cultures Framework
  Origins of the CSCF in Competing Values Research
  Adapting the Competing Values Framework to Security
  The CSCF Quadrants
  Overlapping and Competing Values
  Limitations of the Framework
  Why Not Just Use the Competing Values Framework?
  Security Culture Benefits From a Targeted Approach
  Not Everything in the Competing Values Framework Translates Well
  Organizational Security Cultures
  Process Culture
  Compliance Culture
  Autonomy Culture
  Trust Culture
  Further Reading
Chapter 6 The Security Culture Diagnostic Survey (SCDS)
  SCDS Format and Structure
  How Surveys Work
  Questions in the SCDS
  SCDS Scoring Methodology
  Scoring the SCDS Results
  Security Culture Diagnostic Strategies: Case Studies
  ABLE Manufacturing: Measuring an Existing Security Culture
  CHARLIE Systems, Inc.: Comparing Security Cultures of Two Organizations
  DOG: Comparing Existing to Desired Security Culture
Chapter 7 Creating Culture Maps with the Security Culture Diagnostic Survey
  Security Culture Maps
  Mapping Security Culture Using the CSCF
  Composition of a SCDS-based Culture Map
  Other Techniques for Mapping Security Culture
  “When Should I Use Each Type of Map?”
  Mapping Specific Values and Activities
  Interpreting and Comparing Culture
  Interpreting SCDS Results
  Comparing Cultures
Chapter 8 Implementing a Successful Security Culture Diagnostic Project
  Getting Buy-in for the Security Culture Diagnostic Project
  Direct Benefits of Security Culture Improvement
  Estimating the Financial Impact of Security Culture
  Case Study: FOXTROT Integrators, Inc.
  Executing a Security Culture Diagnostic Project
  1. Setting Up the Project
  2. Collecting Data
  3. Analyzing Responses
  4. Interpreting Culture and Communicating Results
  From Measurement to Transformation
  Further Reading
Part III Transforming Your Security Culture
Chapter 9 From Diagnosis to Transformation: Implementing People-Centric Security
  Diagnosis and Transformation: One Coin, Two Sides
  The CSCF as a Framework for Understanding
  What Is the Framework for Transformation?
  Behavioral Models for Security Culture Transformation
  Compliance and Control Regimes
  Security Process Improvement
  Technology and Automation Approaches
  Security Needs More Options
  Further Reading
Chapter 10 Security FORCE: A Behavioral Model for People-Centric Security
  Origins of Security FORCE
  HRO Research
  HROs in Information Security
  Introducing the Security FORCE Behavioral Model
  Five Core Values of Security FORCE
  Security FORCE Value Behaviors and Metrics
  Security FORCE Value Behaviors
  Security FORCE Value Metrics
  The Culture–Behavior Link in HRSPs
  Further Reading
Chapter 11 The Security Value of Failure
  What Is the Security Value of Failure?
  “Failure Is Not an Option”
  Reevaluating Failure
  Embracing Failure
  Fail Small, Fail Fast, Fail Often
  Failure Key Value Behaviors
  Anticipate Failures
  Seek Out Problems
  Reward Problem Reporting
  Share Information About Failures
  Learn from Mistakes
  Assessing Your Failure Value Behaviors
  The Security FORCE Survey
  The Security FORCE Metrics
  Improving Your Failure Value Behaviors
  Embed the Security Value of Failure into People
  Reeducate People on What It Means to Fail
  Set Leadership Examples
  Open Up Communication
  Further Reading
Chapter 12 The Security Value of Operations
  What Is the Security Value of Operations?
  Operational Power
  Sensitivity to Operations
  Expectations and Reality
  Operations Key Value Behaviors
  Keep Your Eyes Open
  Form a Bigger Picture
  “Listen” to the System
  Test Expectations Against Reality
  Share Operational Assessments
  Assessing Your Operations Value Behaviors
  Scoring the Operations Value Behavior Survey
  FORCE Value Metrics for Operations
  Improving Your Operations Value Behaviors
  Embed Operations Value into the Security Program
  Think More Like Scientists
  Embrace the “Sharing Economy”
  Lighten Up a Bit
  Further Reading
Chapter 13 The Security Value of Resilience
  What Is the Security Value of Resilience?
  When Bad Things Happen (to Good Organizations)
  Rolling with the Punches
  Imagining Failures and Disasters
  Resilience Key Value Behaviors
  Overtrain People
  Create “Skill Benches”
  Actively Share Expertise
  Encourage Stretch Goals
  Practice Failing
  Assessing Your Resilience Value Behaviors
  Scoring the Resilience Value Behavior Survey
  FORCE Value Metrics for Resilience
  Improving Your Resilience Value Behaviors
  Embed Resilience Value into the Security Program
  “A Security Incident? I Want In!”
  Make Security Incidents Mundane
  Further Reading
Chapter 14 The Security Value of Complexity
  What Is the Security Value of Complexity?
  Dumbing It Down
  Growing Uncertainty
  Ignorance Is Risk
  Complexity Key Value Behaviors
  Don’t Oversimplify
  Formalize Your Assumptions
  Covet Empirical Evidence
  Share the Doubt
  Make Every Model Better
  Assessing Your Complexity Value Behaviors
  Scoring the Complexity Value Behavior Survey
  FORCE Value Metrics for Complexity
  Improving Your Complexity Value Behaviors
  Embed Complexity Value into the Security Program
  Think Bigger
  Accept What We Already Know
  Further Reading
Chapter 15 The Security Value of Expertise
  What Is the Security Value of Expertise?
  Filter Your Water, Not Your Information
  Structural Authority vs. Structural Knowledge
  Waiting for the Big One
  Expertise Key Value Behaviors
  Ask the Experts
  Suppress the Egos
  Allow Authority to Migrate
  Share Credibility
  Reward Calls to Action and Cries for Help
  Assessing Your Expertise Value Behaviors
  Scoring the Expertise Value Behavior Survey
  FORCE Value Metrics for Expertise
  Improving Your Expertise Value Behaviors
  Embed Expertise Value into the Security Program
  Make Everyone a Sensor
  Create Decision Fast Lanes
  Value Expertise from the Top Down
  Further Reading
Chapter 16 Behavior and Culture: Mastering People-Centric Security
  What Does Security Culture Transformation Mean?
  Describing Transformation in Terms of Cultural Capabilities Maturity
  The Cultural Capabilities Maturity Model: Formalizing Cultural Maturity
  Supporting Security Culture Transformation with Security FORCE Projects
  The Value of a Security FORCE Project
  Managing a Security FORCE Project
  The Security FORCE Scorecard
  Scoring the FORCE Survey Questions, Revisited
  Pooling Your FORCEs
  Security FORCE Metrics and the FORCE Scorecard
  “Are We a Highly Reliable Security Program?”
  CSCF and Security FORCE: Aligning Culture and Behavior in People-Centric Security
  Chaining Culture and Behavior Efforts
  Using the SCDS and FORCE Independently
  General Alignments Between Security FORCE and the CSCF
  Taking Advantage of Cultural-Behavioral Alignments
  Blending Security Culture Diagnostic and Security FORCE Projects for Improved Cultural Maturity
  Further Reading
Chapter 17 Leadership, Power, and Influence in People-Centric Security
  A Crisis of Leadership
  The CISO as a Business Leader
  Business Leaders as Security Enablers
  Security Power Dynamics
  “What if I am not a CISO?”
  Leadership in People-Centric Security
  You Don’t Lead Machines
  Influence and Transformation
  Adapting the CSCF and Security FORCE Model to Leadership
  The CSCF, SCDS, and Cultural Leadership
  The Security FORCE Model and Behavioral Leadership
  Further Reading
Chapter 18 Securing a People-Centric Future
  The Security of Things
  Social Security
  As Many Securities as Things to Secure
  Framing People-Centric Security
  Security Soft Power
  Three Takeaways from the Book
  Putting People-Centric Security to Work
  Two Models, One Goal
  People-Centric Security Strategies
  Conclusion
  Further Reading
Index
Foreword
After having worked in information security for over 20 years, I have come to a simple conclusion: unless we move beyond technology alone and start addressing the human element, we are in a no-win situation. Technology is where every organization should start when managing its cyber-risk, but technology can only go so far. We have hit that point of diminishing return. We can no longer ignore the human factor in information security. Lance’s book is a breath of fresh air. He creates a new chapter in how organizations should manage their risk, not just at the technical level but at a human level. What makes Lance’s book so powerful is that he not only backs the book with tremendous research and academic studies, but also brings in real-world application.
I first met Lance through his previous book, IT Security Metrics. It was one of the few books I had found that attempted to measure the human side of information security. He went beyond just hard numbers and acknowledged the softer side of our world. Since then, I have been working with Lance and have come to recognize and respect the unique traits he brings to our community. As a PhD in social science, Lance brings academic rigor to our world, but even better, he brings the skills necessary to understand how people and cultures work. Combined with more than 25 years of real-world, global experience in the information security field, his philosophy and practice bring immense wealth to the security sector.
What I love most about this book is that anyone can read it. Lance helps you understand what culture is and why it is an issue for information security, ultimately providing a framework to manage and measure it. I hope you are as excited as I am about this opportunity to both better understand a challenge we all face and leave this book better armed to do something about it.
–Lance Spitzner
Research & Community Director, SANS Securing The Human
Acknowledgments
A lot of people had a hand in making this book happen, both directly and indirectly, and I want to try to acknowledge all of them. I owe so much to Meghan, my editor at McGraw-Hill Education, who took a chance on an idea that she believed in and fought for. There would be no book without her. I also want to thank David, my friend and mentor for so many years. I like to tell my son that he’ll have lived a fortunate life if he has a friend as good as David has been to me.
I am indebted to the entire team at McGraw-Hill Education, especially those who supported getting this book out the door. Amy, Janet, Brandi, Jared, Bill, and Anubhooti, you made this experience rewarding and challenging, and I can’t tell you how thankful I am for your help and your insights. Thanks as well to the many people behind the scenes at McGraw-Hill Education who I never got to know personally, but who contributed their own efforts to this project. Big shout-outs go to Lance Spitzner, for contributions of both words and deeds as I was putting this book together. To Ira, who always gives me his honest opinion on everything, which I value more than I tell him. To Ric, for walkabouts and conversations all over the world. And to Ken, Mike, Pablo, Steve, and Troy, for being true friends in good times and bad. Also my gratitude to Dr. Phil Doty, one of the smartest people I have ever met, who first suggested I read Karl Weick all those years ago.
There is very little truly original knowledge in the world, and scholars and researchers everywhere create new contributions by mining the efforts of others who have gone before them. I am a prime example, and I want to acknowledge the work and contributions of all the academics and practitioners cited, quoted, and adapted in this book. Thank you so much for lending me such excellent shoulders to stand upon as I looked around.
Finally, a dedication is not quite enough. My wife and son deserve the last word. They gave me space and freedom, without complaint, to take on one of the most consuming activities I have ever experienced. And they did it not once, but twice. Thanks, you two.
Introduction
The origins of this book are diverse. It comes from several different ideas I’ve explored or been interested in over the years, ideas that traced their own individual orbits inside my head and then gradually came together into a concept I felt compelled to write about. I decided I wanted to write a book about security culture not long after I finished my first book, IT Security Metrics. I didn’t call it “security culture” at the time or think about it in those terms. I just knew after I finished the first book that I wasn’t actually finished.
A good friend commented to me after reading IT Security Metrics that he thought one of my most important points was how valuable qualitative data and measurement can be to information security programs. It made me glad to hear him say that, because it was one of the reasons I had written the book in the first place. I wanted to add something new to a conversation that was already taking place in our industry. Having recently finished a dissertation in the social sciences, one that relied on both quantitative and qualitative research methods, I thought the security metrics literature was overemphasizing quantitative inquiry and analysis and missing out on the value of qualitative approaches. Often, security professionals I encountered criticized qualitative data and downplayed its usefulness, but these same folks many times didn’t even use the term “qualitative” correctly or understand how qualitative research actually works.
In IT Security Metrics, my advocacy for qualitative approaches was deliberately gentle and conciliatory, toned down in the hopes that I might get some readers interested but not alienate too many of them. I still gave quantitative approaches top billing, which was fine. The book seemed to have the intended effect. Some people wanted to explore qualitative information security metrics more deeply, while those who did not could safely ignore those particular chapters.
In the years since I finished the first book, a lot of things have happened and a lot of things have changed. Perhaps the two most impactful events as far as People-Centric Security is concerned were a global financial crisis and a crisis of confidence in the information security industry. The former has passed, although we still feel its lingering aftermath, while we are still smack in the middle of the latter. In the case of the financial meltdown, a complex global system that had become opaque and automated broke down as a direct result of irrational human behavior. Safeguards that were meant to prevent such collapses didn’t work. In the case of information security, a similarly complex global system that is also highly dependent upon technology solutions seems to be breaking down. The collapse is not as spectacular or compressed as the financial crisis was, but it still feels pretty catastrophic when every week seems to bring news reports of millions of people’s data being stolen, public accusations of spying and sabotage against governments and criminal organizations alike, and trade conferences where the industry that makes security products will be the first to tell you it has failed and that literally everyone has already been successfully “owned” by the bad guys.
I found at the center of all these things interesting questions of complexity, of the limits of technology solutions, and of the power of human behavior for good and for bad. Society is becoming more technical and more social, each driving and extending the other. Social networking, sharing economies, and the Internet of Things (or Everything) promise to make our world more interconnected and more complex than ever in human history. They also promise to make the idea of people and machines being separate more meaningless than ever before. We’re not exactly at the point where everyone becomes a cyborg, but in a world of wearable technology, amazing prosthetics controlled by the user’s mind, and body implants with embedded computing and Wi-Fi capabilities, the idea isn’t exactly hyperbole.
What happens when you can no longer tell the human infrastructure from the technology infrastructure? That’s a question that has as many philosophical implications as practical ones. I’m not trying to address the philosophical points in this book. But I am going to draw a bit of a line in the sand on the practical side of the question, specifically the one that we face in information security. Culture has long been a word associated with how a particular group of people sees the world, including what that group believes and how those beliefs influence the way the group lives. Culture functions at different levels, including geographical, ethnological, and religious levels. Culture also functions at the level of organizations, such as companies and governments, which are perhaps more artificial and less organic than families, tribes, and religions, but which have come to dominate our world just as much. The company I work for has a culture. So does the information security industry. And those cultures, as much as anything else, drive why people do what they do. Our culture has become technological, so we have to understand technology to decipher it. But our technology has also become cultural. If you want to know why a technology system succeeds or fails, whether it be a financial system or an IT system, you have to also understand people.
Which brings me, if in a roundabout way, to this book. InfoSec has always preached the triad of “people, process, and technology” as essential for good, effective security. My experience in the industry has been that technology always comes first, followed by process when we can manage it, and people when we get around to them. The main role people play in information security tends to be that of a problem waiting to happen, an insider threat, a negligent user, or just an annoyance to be automated out of existence as best we can. This book is my attempt to invert that, to put people in the center of information security programs and practices. Sometimes people will be threats, but more often they will be the untapped resources with the solutions to many of security’s current challenges. Thankfully, I’m not alone in believing that people-centric security is the future. The security industry is beginning to realize that technology can only take us so far. As InfoSec programs hit the point of diminishing returns on their technology investments, they must look for other reserves of effectiveness and value. I hope this book helps, in some way, to facilitate the realization of that value.
Who Should Read This Book?
I wrote this book for everyone who has ever wondered why, despite our best efforts and most sophisticated technology solutions, information security seems to be failing more now than ever. InfoSec has become so big and so dispersed across different specializations and disciplines that there’s not really even a single field anymore. We have information security, IT security, information assurance, cybersecurity, and others all maybe referring to the same thing, but maybe not. As an example, throughout this book I’ll refer to our field as information security, or InfoSec for short, which is indicative of my own professional history, preferences, and experience. At the leadership level, however, no matter what you call it, chief information security officers (CISOs) have to run their programs as a business, in partnership with other, non-security executives. At other levels, practitioners will have their own preferences and opinions of what constitutes our field. Everyone has their own concerns about the best way to protect the information assets that are crucial to enterprise success. That being said, there are several groups I can mention who might find value in ideas about how to measure and change security culture.
CISOs
I use “CISOs” as a catch-all to include any organization’s InfoSec leadership, regardless of official title. If you’re in charge of managing security for your company, you are the chief no matter what your job title is. As leaders, CISOs are the people best positioned to actually manage and change an organization’s culture, including its information security culture. But you can’t manage what you can’t measure, so having a way to analyze and articulate security culture becomes central to impacting and improving it. The techniques and methods I lay out in this book can give CISOs that analytical capability, enabling them to add InfoSec culture to their strategic objectives and roadmaps.
Non-security Organizational Leadership
For every senior executive or board member who has struggled to understand what a CISO is talking about or to make sense of the fear, uncertainty, and doubt over security breaches bombarding them in the media, I hope this book helps to break down how security professionals think. If you can understand what motivates a person, you can find a way to work with them, to compromise for mutual benefit, and to resolve conflicts before they become dangerous. This book talks a lot about the competition between values and cultures within an organization, including values and cultures outside of the InfoSec program. My sincere hope is that non-security leaders and managers can use this book as a way to better understand information security, and where the security team is coming from in terms of values and priorities. Even better, maybe these same non-security professionals will be better able to explain to security practitioners where everyone else in the organization may be coming from, especially when those values and priorities clash. InfoSec programs are often seen as impeding rather than enabling the business, which leads to tension and conflict between stakeholders. This is, at heart, a cultural challenge, one I hope this book can help people to overcome.
Training and Awareness Teams
In the book, I refer to security training and awareness teams as the “tip of the spear” for cultural transformation in the industry today. I have a great deal of respect for anyone who takes on the challenge of educating and mentoring others, and when the subject is protecting and preserving an organization’s information and technology assets, that challenge can be even greater, the stakes higher. This book is not a training and awareness book, but the methods and tools provided in the book can absolutely help security awareness programs. One major contributor to security incidents and data breaches today is that we don’t include enough human and organizational behaviors in our repertoires of risk. The frameworks I offer here can help expand that knowledge base and give training teams more options and more areas of focus with which to be successful.
Security Operations
Again, I talk about “security operations” generally, as a blanket reference to all the people responsible for keeping the InfoSec program running. Whether you are an analyst, an incident response manager, a developer, or some other information security specialist, you are part of what creates and transmits your organization’s security culture. That means you have power, even if it doesn’t always feel that way.
This book can help give information security professionals a language with which to express what they do and why, and to communicate with others who may not understand or agree with them. I don’t expect people to read this book out of some appeal to the cliché that “everyone is responsible for information security,” although that’s true. Instead, I would encourage you to read the book for the most self-serving of reasons, namely to be able to justify why you do things a certain way and to explain to others why they should give their support (financial, political, time) to help you get them done. The most common question I get asked by customers is if I can help them justify information security measures, activities, and budgets to upper management. In my experience, senior business leaders speak the language of culture and organizational behavior more fluently than they speak the language of technology and security. This book can help translate the cryptic dialect of InfoSec into speech that business stakeholders understand.
I have drawn on years of consulting experiences in developing the case studies and stories in this book. Names, details, and circumstances have been altered to protect the identities of specific organizations.
Companion Website
Accompanying this book are templates that you can use in your own organization to transform your information security culture. To call your attention to these templates, the Download icon has been included where these templates are referenced throughout the book. These templates, as well as other resources on organizational and InfoSec culture, are available to you for download from http://lancehayden.net/culture. The templates are fully customizable so that you can use them to their best effect within your organization.
A note on URLs. Throughout the book, I use only top-level URLs, even when pointing readers to specific documents or web pages. This is deliberate. In this age of e-books, a broken link can be troublesome, sometimes even resulting in a book being made unavailable through some vendors. To avoid this problem, I have avoided links that are more likely to change or die. In all cases, it should be a simple matter to search the site I give in the link, or the Internet more generally, for titles and authors. I apologize for any inconvenience this may cause.
PART I
Understanding Your Security Culture
CHAPTER 1
Information Security: Adventures in Culture Hacking
You don’t have to go digging through technology news feeds for evidence that the world of information security is in a state of crisis. Data breaches are all over the mainstream media. Enormous in scale and frightening in their implications, major security incidents seem to be happening with alarming regularity. When it is not shady criminal hackers perpetrating the theft, we worry that it might be a hostile government gearing up for a new kind of warfare, or even our own government embracing a new age of Orwellian surveillance possibilities. And the message that resonates from the pages of information security industry magazines and websites to the keynote speeches of industry conferences and the marketing brochures of product and services vendors is, InfoSec is broken somehow—it doesn’t seem to work anymore.
Maybe. Society has undergone profound changes with the widespread adoption of digital, networked information technologies. Some theorists speculate that these changes are structural, representing not just new features of traditional society, but new definitions of society itself. In this view, we are going through changes like those that happened when human beings stopped being nomadic and established agriculture and villages, or like the transformations that took place during the Enlightenment, or as a result of the Industrial Revolution.
Such evolution means that everyone, including the information security industry, better be ready for changes unlike anything we’ve previously experienced. Technology has become social, centered around people, and information security must become equally people-centric if it hopes to succeed. We not only have to do things better, but we have to invent whole new ways of doing them. That means looking at things that have traditionally made security experts, especially technologists and engineers, uncomfortable. Things that are hard to measure or automate. Things like people, including their beliefs and assumptions as much as their behavior. Things like culture.
Burnt Bacon
I first realized the power of culture in information security a few years ago at a supplier conference hosted by a customer. Dozens of reps from different vendors filled a large hotel ballroom reserved by our host. After we had all grabbed our coffees and sat down, the executive running the event called the meeting to order with a safety briefing. He introduced us to our safety officer, let’s call him Bob, who also worked for the customer. Bob was not an executive or even a manager. But before turning over the microphone to Bob, the executive made it clear that, in terms of our physical safety and security, for the next two days Bob might as well be the CEO.
I had not expected the briefing, but I wasn’t very surprised. The company running the conference operated in several hazardous industries and prided itself on the “culture of safety” it instilled in employees. Bob spent about five minutes running us through a review of safety protocols for the event, pointing out all the exits, telling us which we should use in the event of an emergency, and even declaring a rallying point across the street. Should something happen that required us to leave the building, everyone was required to meet at the rallying point for a head count prior to returning or taking whatever other actions Bob deemed appropriate. Once he had finished, Bob took his post at the back of the ballroom and the day’s activities commenced.
Iwassurprisedwhenwereturnedfromthefirstday’slunchbreakandtheexecutiveagainhandedBobthemikesothathecouldrepeatthesamebriefingwehadlistenedtoonlyfourhoursbefore.“Wow,”Ithought.“Thesepeopletakesafetyseriously.”Ihadneverexperiencedthatkindofbriefingbeforeatanyofmyowncompany’smeetings,muchlesstwointhesamedayatthesameevent!
Coincidence is a funny thing. Just over an hour after our post-lunch briefing, the hotel fire alarm began to wail. On reflex, everyone turned around to look at Bob, who immediately slipped out of the room. Within a minute, the alarm stopped. A minute or two later Bob returned with one of the hotel managers in tow, who was obviously trying to explain something. I watched Bob shake his head “no,” prompting the manager to leave. Ten minutes later, I was standing with my fellow vendor representatives across the street as Bob took a head count.
We found out later that the manager had contacted Bob to tell him the fire alarm had been triggered by a small grease fire in the kitchen, but that it had been contained and posed no danger to our meeting. Bob had not bought the explanation and had triggered an evacuation anyway. We were the only ones to leave the hotel after the alarm, and we caught more than a few curious glances from people passing by. Once Bob was satisfied everyone was present and that the hotel was not actually on fire, he gave the all clear and we filed back into our seats in the ballroom. Despite the minor nature of the fire and the fact that unnecessarily evacuating had cost us nearly an hour of our packed schedule, the executive never gave a hint of annoyance. Instead, he called us back to order by spending another few minutes praising Bob’s decision and reminding us that, for his company, safety came before anything else.
The second morning of the conference consisted of breakout sessions scattered in smaller rooms throughout the hotel conference center, but they began only after our morning safety briefing was complete. We broke again for lunch, and when we returned to the ballroom in the afternoon, the executive was waiting for us. He was not happy. Standing in front of the room, he held up one of the vendor packets each of us had received at the start. Stamped “Highly Confidential” on every page, the packets were the blueprints of the company’s forward-looking IT strategy, including strategic competitive differentiators enabled by technology adoption.
Waving the packet slowly so that we all could see it, the executive chewed us out, describing how the document he held had been discovered in one of the empty breakout rooms during lunch, left there by someone in the room. He explained with obvious irritation that such blatant disregard for protecting sensitive corporate data was unacceptable, especially in a room that included many information security professionals. If it happened again, he warned us, there would be hell to pay. And with that, we started up again, beginning once again with our mandatory safety briefing.
Safe and Not Secure
An important characteristic of culture is that it tends to be invisible, functioning just below our conscious awareness of its influence. But that often changes when we find our own cultural norms challenged, and suddenly we see patterns and conflicts jumping out at us from the shadows. Take, for example, the stark contrast between my customer’s safety culture, where the response to the possibility of an incident brought all business to a stop and triggered emergency action plans, and the customer’s security culture, where an actual security incident resulted in nothing more than a stern talking-to. The two completely divergent responses to essentially the same thing, a failure incident, made the differences between the safety and security cultures of my customer stand out from one another like black and white. “Wow,” I thought, “one of these things is not like the other.” It was astounding.
My customer believed they had a strong culture of safety. They also believed they had a strong information security culture. But culture is defined by behaviors, not beliefs. The completely different behaviors they exhibited between the two incidents showed where their priorities really lay. Had the executive treated the failure to secure sensitive information like Bob had treated a burnt rasher of bacon, we would have stopped the proceedings immediately until he resolved the problem. Instead of ordering an evacuation, he would have ordered everyone in the room to hold up their vendor packets. The documents were controlled, and at least one person would not have had one.
What Were You Thinking?
I found myself obsessing over the experience for the rest of the day. It distracted me from focusing on the presentations and the interactive sessions. I was distant and disengaged. Why had the executive just let that security incident slide so easily? He had been visibly angry over it, but he could have done much more than scold us. Was he worried about embarrassing people? Had the evacuation thrown us so far off schedule that he was just trying to make up for lost time and not delay the event further? Thinking that maybe he intended to follow up later and try to track down the perpetrator some other way, I checked for unique identifiers on my packet that could have tracked it back to me directly. I found nothing of the sort.
For a little while, I got depressed. I had traveled a long way to attend a meeting that was all about how important security was to this company, only to watch a senior executive get upstaged by a junior employee when it came to taking action in the face of risk. The response to the security incident called into question the whole purpose of the conference. If the company wasn’t going to take action when faced with a security breach involving one of their own information security vendors, how were they ever going to protect themselves from the real bad guys? It would all be technology products and lip service. They didn’t care enough to make a real change. I found myself thinking, “They should put Bob in charge of information security.”
Then I realized something else. I considered the real, physical harm that I knew this company had seen as a result of lapses in workplace safety. People had been injured on the job, had even died, in the decades that the firm had been working in the industry. I knew the firm had also experienced information security breaches in the past, but my impression was that these failures had rarely risen above the level of a moderate inconvenience. People had a bad day, to be sure, but at the end of it everyone went home safely. If the information security culture was not as strong as the safety culture, it was because the world of information security just didn’t feel as dangerous as the world of workplace safety. No matter what they said, this company could not think about data security the same way they thought about physical safety. Those cultures could exist side by side, but the assumptions and beliefs that drive behavior, born of experience and observation, were just not the same. I was fascinated and, once more able to focus on the customer, made a mental promise to research the topic further.
So here we are.
Culture Hacking
This book is about culture. It is about understanding it and about transforming it. You can even say it’s about hacking it. And when I say hacking, I mean hacking in an old-school sense, the hacking that Steven Levy described in Hackers: Heroes of the Computer Revolution. Before the term evolved (some might say devolved) into today’s more familiar usage, with all its implied negativity and criminal inferences, hacking described a process of gaining knowledge about a system by exploring and deconstructing it. This knowledge would then be put to use to make that system better, more innovative and elegant. The MIT hackers that Levy wrote about dealt in computer software, the programs and digital code that define how those systems function. But systems, code, and hacking don’t stop there.
Software of the Mind
Researchers and experts in organizational culture talk about their topic in ways that would not be completely unfamiliar to computer engineers. There are many frameworks and metaphors for describing organizational culture, but all converge on the idea that culture is a shared set of norms, values, and routines that serves to define how people behave together in organized group settings. If you have ever started a new job, then you have probably experienced a cultural shift as you had to learn how things were done at your new organization, and maybe some of those things were completely foreign to you. But as you learned the ropes, as the culture was transmitted to you and you became part of it, things that you had to think about became automatic and unconscious behaviors. It’s almost like the organization programmed you to function within it.
Geert Hofstede, one of the more influential scholars in the field, talks about organizational culture in just this way. For Hofstede, culture is “software of the mind” that allows individuals to align their thoughts, beliefs, and actions in order to solve specific problems. Nowhere does Hofstede, or any other culture researcher I am familiar with, claim that people are programmable in the same way computers are. But these experts do look at organizations as complex systems that share similarities with computers and networks.
By using metaphors drawn from software and computing, we can conceptualize and identify means of understanding how culture can be observed, measured, and changed. Thinking about organizational culture as a different kind of software, with its own codes and programming techniques, makes the hacking analogy a lot more applicable. In fact, the security industry already uses the analogy all the time when talking about social engineering. The idea of hacking people is not new or even very controversial in our industry. But social engineering has always focused primarily on individuals, treating each potential victim as an independent system that must be exploited. You can automate social engineering, as does an attacker who conducts mass phishing attempts by using automated group e-mail tools, but this only allows the attacker to target individuals more quickly and efficiently. It’s simply a question of scale.
Hacking culture is different from hacking computers. It means understanding and exploring the relationships between people, the drives and motivations that cause many unique individuals to behave in very similar ways, as a group. Instead of trying to affect the behavior of individual people making specific decisions, a culture hacker is more interested in understanding and changing the entire group’s behavior, by changing what that group thinks and believes. Part of hacking is about elegance and efficiency, the ability to produce the greatest effect with the least effort. If you focus on my individual behaviors, trying to change them one at a time, you will be lost in an infinity of inputs and outputs. But if you are able to understand and change my beliefs and assumptions, you will have tapped into the programming that drives all my decisions.
Hacking a person’s belief systems may seem kind of creepy, and culture hacking can certainly be put to evil uses. But hacking has never just been about breaking into computer systems illegally or immorally for illicit gain. That’s a narrow definition that has, unfortunately, come to be the most associated meaning of the word, thanks to the media and, ironically enough, the security industry. But hacking is much more than that, with a longer history than the one information security has tried to impose on it. Culture hacking is similar. I didn’t invent the concept, and it’s been around for a long time. I just believe it’s a very useful way to think about the challenge of people-centric security.
A Brief History of Culture Hacking
The first people to call themselves culture hackers came from the worlds of activism, fashion, and art. They wanted to shape the way the world looked at itself, to shake up the status quo, and to pull the curtains back on people’s preconceived notions. For Mike Myatt, a leadership expert and author, hacking in organizations involves breaking down existing codes and complexity, finding alternatives, and replacing out-of-date or inefficient processes. That’s old-school hacking.
Culture hacking is pre-digital, going back to practices like billboard jamming, literally changing the messages on real-world roadside billboards from advertisements to more ironic or anti-corporate messages. These techniques date back to the 1970s, developing in parallel with phone phreaking and the beginning of computer hacking. It wasn’t about stealing or defacing private property; it was about retaking control of the system from those who had corrupted it, to make it free again. This was the ’70s, remember.
Though it started out fueled by flower power, culture hacking has proven remarkably resilient. As the world changed, so did the focus of the movement. Culture hacking and technology merged with the creation of groups like the Adbusters Media Foundation, which both uses and critiques digital technologies. In 2011, Adbusters was central in creating the Occupy Wall Street movement. Throughout its history, the mission of culture hackers was to reshape behavior by targeting basic social programming, usually with an anti-authoritarian and anti-corporate bias, just like many of the early computer hackers.
Whether or not you grok the whole anti-establishment theme, hacking (computers or cultures) is a set of techniques and tools for exploring and deconstructing complex systems for the express purpose of changing them, making them work differently, evolving them. Depending on what side of the fence you are on, this can be a process of innovation or a process of manipulation and abuse. But then again, you can say that of just about any tool. A hammer can easily become a nasty weapon.
Security Culture: Hack or Be Hacked
I believe that culture is the single most important untapped resource for improving information security today. Security is not a technology challenge. If it were, technology would have fixed the problems a long time ago. Security is a people challenge, a social and organizational challenge. It’s a cultural challenge.
People, and how to deal with them, seem to especially baffle information security professionals, to the point where we have trouble even talking about the human beings that make up our organizations as anything other than problems to be dealt with, insider threats to be identified and managed, or risks to be mitigated, preferably by automating them away. When we do think about people, we tend to think of them as targets for attack or accidents waiting to happen. Steeped as the industry is in a background of engineering and applied technology, we can be deeply ambivalent about the qualitative, the emotional, or the political—in other words, all the things that make up the organizational cultures in which information security has to operate. Given the industry’s mistrust of people in general, it’s not very surprising that the idea of people-centric security has taken a while to gain traction.
The industry is changing, becoming more cognizant of the importance of people to the successful protection of information assets and information supply chains throughout the global digital economy. We’re not changing because we have suddenly seen the light and developed a new appreciation for the chaotic and irrational human networks we must secure. We’re changing, at least in part, because we’ve tried everything else, it’s still not working, and we’re desperate. And that’s okay. Sitting in my vendor conference, I had the epiphany that my hosts didn’t take information security seriously because they had never experienced any really serious problems related to it, certainly not like they had with physical accidents and losses. I was sure that as soon as they did experience a catastrophic information security event, they would attack the problem with the same commitment and zeal that had created their impressively formidable safety culture. Today’s information security environment is changing dramatically. Today you either hack your own culture or you wait for someone to do it for (or to) you.
Who’s Hacking Your Security Culture?
Think for a moment about the culture hackers in your own security program. They may not be immediately apparent. Your first thought might be the security awareness team, if your organization has one. These brave souls are presently the tip of the spear when it comes to security culture transformation, although we will see in later chapters that the challenge they face is often impossibly idealistic. But if you are looking for those folks beating the behavioral drum and trying to change the way the entire company thinks about security, awareness teams are top of mind.
Security awareness managers are probably not the only ones socially engineering your organization’s security beliefs and practices. Think about your auditors, for example. Audits, particularly those for regulatory or industry standards like the Payment Card Industry Data Security Standard (PCI DSS) or Sarbanes-Oxley, have a material effect on a company’s ability to do business. Internal audit and compliance teams are responsible for making sure the company doesn’t fail audits, and they do their best to transmit and instill certain beliefs and rituals into the larger enterprise. A strong audit culture is unlikely to believe, for instance, that documented processes are unnecessary or that every employee should have complete access to every system in order to stay agile. Given the importance of maintaining compliance, auditors also typically have the power to reprogram the organization’s focus and activities, even if only temporarily.
Finally, think about the project manager or line manager who has no direct responsibility for security but can reward or punish his employees based on their job performance, through promotions and pay raises, or even by firing poor performers. Every organization has priorities, and these do not always align. In fact, they can compete directly, a situation we often see in information security as a sort of Rubik’s Cube effect, in which improving one part of the problem makes another part worse.
Imagine our project manager running a software development team working on a new product. Bringing the project in on time and on budget is a major priority for the company. So, too, is ensuring that the product does not have security vulnerabilities. What happens when there is not enough time to do both? For example, suppose a developer realizes she has seven days to finish her work before deadline but that a full security review will take ten days. She could go to her manager and tell him that she will complete the review, because security is a priority, but that the project will be late to market. Her manager’s response will be key. Whether he gives her praise, like Bob received when he put safety first and evacuated over a minor incident, or punishes her with the loss of a bonus or maybe even her job for delaying the project, he will show everyone what the company values most. When that choice comes up again, everyone will know what to do.
Now imagine that you are the security awareness manager for this example firm, or another member of the security team. If the cultural bias is toward deadlines, how can your values compete? Security awareness suddenly becomes more complex than just making sure all the developers know the policies on secure coding and testing. Our developer was already aware of her responsibility for security. But if management rewards and punishes based on project deadlines, or budgets, or some other factor, no amount of hand wringing, training sessions, or posters on the wall will change a developer’s empirical understanding that security comes second. That’s cultural engineering.
Security, Hack Thyself
You don’t have to have a graduate degree in organizational psychology to become a culture hacker, any more than you need one in computer science to become a technology hacker. What you do need is a new way of looking at your organizational environment and the people in it, which requires imagination and a willingness to experiment. Technology hackers don’t let others tell them what the system can or cannot do, but instead figure it out for themselves by exploring the system. If you want to hack culture, you have to learn how the culture really works, not just what everyone thinks or expects of it.
The closest this book gets to a manifesto—and a first principle that anyone seeking to transform their security culture must become comfortable with—concerns the role of people in information security. In a people-centric security program, human beings matter every bit as much as technology, and probably quite a bit more. Technology enables people, not the other way around. Technology neither cares nor suffers if it is hacked or compromised, at least not yet. If you were to throw every IT asset your company owns out the window tonight, tomorrow morning when everyone shows up for work you would still have an organization. Kick out all the people, on the other hand, and tomorrow you will have a warehouse full of stuff with no one left to care about whether or not it’s secure.
Computer systems are immensely complicated, designed and built from hardware and software, governed by extraordinarily intricate architectures and millions of lines of programmatic code. For all that, computers have finite limits to their capabilities. People define what computers can do, and they do only what they have been programmed to do, even in situations where those possibilities are not what the programmers expected or intended. There are always clear reasons for a computer’s behavior, at least once you have tracked down those reasons to root causes. But complexity is different. Complex systems produce emergent behaviors, an infinite possibility of outcomes that is impossible to predict. Those behaviors may not be consistent, or even rational. People and social systems are complex in ways that a computer can never be just on its own. But plugging a computer into a social system like a company or a government creates new avenues for complexity and emergent behavior. People-centric security recognizes that focusing on technology systems alone will always be a losing battle because technology-centric security is invariably outflanked by emergent human behavior. The moment you think you’re covering all the angles, someone will figure out how to square a circle and produce four more new angles where none previously existed.
Hacking your security culture, as opposed to hacking your IT infrastructure, means digging into the forces that motivate people’s security-related behaviors within your organization. You have to analyze not only what your systems do, but what people are doing with them, how they are adapting them to new and innovative purposes. Some of these new uses will create risk, but also opportunity. Culture defines the interface between users and systems. If you want to transform your organization’s security culture, to make it better and more efficient at protecting organizational assets, you have to pull apart the people system as well as the process and technology systems, so that you know all of them inside and out. It isn’t enough to just observe what people do, or do with the technology at their disposal. You have to understand why they do it, and try to consider all the possible alternative decisions they could have made, rather than just the one that may seem obvious or expected.
In the years since I sat in that hotel conference room and realized the differences between a culture of safety and a culture of security, I have observed dozens of other organizations’ InfoSec cultures. Every one has had something to teach me. Even when I cannot get a customer to think about culture as much as I might like, they always manage to keep me thinking about it. And I can tell you that culture hacking in the security space is a zesty enterprise, regardless of whether the organization is even aware they are doing it.
Culture Hacks: The Good
It’s always great to work with an organization that takes culture seriously, without discounting it as too vague or paying lip service to its importance but never really trying to change it. I’ve even encountered a few organizations that embraced the cultural transformation of information security full on, with all the messiness and uncertainty that come with that sort of work. In the case of one particular organization, I had come in to help them define a new enterprise security framework, a governance program that would tie together all the disparate and sometimes dysfunctional silos and pockets of security ownership that had grown up organically over the life of the company. As we walked through the various options for designing the new program, the security team kept trying to articulate what they really were trying to achieve. They had needs and requirements that spanned people, processes, and technology, and our conversations often got specific and detailed on one or more desired outcomes, but nothing ever seemed to completely hit the mark. “Yes,” they would say, “we need that. But we need much more.”
The organization was intrigued by ISO 27001, the international standard for security program management, and asked me a lot of questions about what I thought of it. I told them I thought very highly of ISO 27001. When properly and conscientiously implemented, ISO 27001 can function as a very powerful governance framework, one that I also think happens to be the most people-centric security standard out there today. I told my customer so.
“But ISO isn’t for everyone,” I cautioned. “It’s not about technology or even controls. The standard is about changing what your whole organization thinks and believes when it comes to information security. Implementing ISO to me is about driving a process of cultural transformation in regard to security across the entire enterprise.”
The team members’ eyes lit up. Eureka! That was exactly what they had been struggling to articulate. They didn’t just want a new security program, they wanted a whole new security culture. “We don’t want to just change the mechanics,” they explained, “or to switch out one set of controls or one best practices framework for another. We want to change what security means to the company, and we want to change it for every single person who works here regardless of rank or role.” Amen, I thought.
That’s a good culture hack, or at least the beginning of one. The security team wanted to change behavior, but recognized that behavior grew out of something deeper. That was where they wanted to concentrate their efforts. It helped that the company was already a self-consciously strong culture. The idea of social identity and shared beliefs permeated its business. The security team already had a template and a language that were familiar to them. Believing in the power of culture in general makes it a lot easier to see the benefits of improving security culture in particular.
Culture Hacks: The Bad
Not every organization thinks in terms of transforming their information security program or culture. Some security teams are so swamped just keeping on top of operational activities and deadlines that thinking about why they do things the way they do, or whether they could do them better, seems like a luxury. It’s hard to think about a five-year improvement plan when the auditors are coming next week. In fact, compliance drives so much security activity today that it’s probably the main motivation companies have for taking security as seriously as they do. ISO 27001 is a voluntary security standard, but most companies are dealing with the nonvoluntary sort. PCI DSS for credit card processors, Sarbanes-Oxley internal control requirements for publicly traded companies, HIPAA regulations in healthcare, along with a slew of other local, national, and transnational regulatory regimes may put constant demands on the attention of the Chief Information Security Officer (CISO).
Security compliance efforts are a bit of an attempt at culture hacking themselves. Regulators and industry groups develop compliance requirements as a means of forcing organizations to take security more seriously. This is great insofar as it improves the final product. But when compliance replaces security as the goal, cultural transformation backfires. It’s like the old Zen warning not to mistake the finger pointing at the moon for the moon itself. Compliance is not the same thing as security, as has been made painfully clear by recent security incidents where auditors had previously signed off on the very systems that ended up being compromised.
I’ve observed more than one organization where the security culture has been trained and conditioned by compliance programs to equate successful audits with good security. Even when certain folks inside the organization know better—and often these are the security operations people, who know how the sausage is made, so to speak—the shared assumption is that if the auditors are happy, the organization must be secure. That, too, is a form of cultural transformation, just not a good one.
Culture hacks are bad when they make the system easier but don’t actually solve the problem. Knowledge of the system is partial or incomplete, making a culture hacker feel like they have accomplished something more than they actually have. To extend the metaphor, those who put total faith in a one-size-fits-all compliance checklist are like cultural script kiddies, interested more in quick results than in deep and lasting change.
Culture Hacks: The Ugly
Even when the efforts at cultural change are unsophisticated or incomplete, the people trying to change things usually have good intentions. Most security teams are passionate about what they do and are deeply concerned with making their systems safer and stronger. But there will always be outliers, individuals and organizations whose security behaviors are so egregious that you almost have to think they want to fail.
I visited an organization once where the security management team members were some of the most arrogant jerks I had ever met. Even though I had been hired to help them, they belittled and second-guessed everything I or my team said. When we asked if they had a particular control or process, they would roll their eyes. “Of course we have that,” was the answer. “That’s security 101. Is that all you smart consultants can ask us?”
In the organization’s defense, it did have a formidable set of controls in place. A lot of highly sensitive data passed through its systems, and the information security team made it difficult within those systems to share the data without jumping through administrative hoops. “We lock our people down tight,” senior leaders bragged to us. “No one gets up to any funny business.”
When we moved on from the leadership and started interviewing employees who were lower on the organizational chart, we asked about the intense levels of control the organization had put in place. Many of our interview subjects grinned at the questions, then told us stories of how much of a pain it was to share information efficiently.
“Those senior guys you talked to,” one employee told us, “all have personal webmail accounts they’ve set up. When they want to share things quickly, they just bypass the controls and attach stuff to their personal e-mails and share it.”
We were shocked. “But they said you guys couldn’t do anything like that,” we protested.
“Oh, sure. We can’t. They don’t trust us, and they think everyone who is not a manager is an idiot. But it’s not a problem for them. That’s just the way things work around here.”
Security Is People!
This book is about giving organizations and the people responsible for securing them a new set of concepts and techniques. I’m not trying to replace technology or process as effective tools that are needed in information security. But I am trying to give people, the often neglected third leg of the people-process-technology triad, their proper place. People-centric security means looking at the human element of data protection as more than just another threat vector. People-centric security implies that without people there is no security, nor any need for it. Process and technology are there to support people, both from a security perspective and for the entire organization. Nobody starts out with security but no information to protect. Security needs are born when an organization’s information supply chain starts producing valuable assets that demand protection. People define when that occurs, people make protection happen, and people are responsible when security fails.
Culture acts as a powerful engine of organizational security, and in subsequent chapters I’ll go into lots of detail about what culture is and how it drives human behavior. But the core premise of everything that will follow is this: if you want to really change how security works, you have to change the culture operating beneath it. Just because security has struggled with the human equation in the past doesn’t mean it must continue to baffle us in the future. In fact, it can’t. Our world is social, and our technologies are increasingly social. Our security must be social too, retirement puns notwithstanding. People-centric, then. Security is people!
Further Reading
Adbusters: Journal of the Mental Environment. Available at www.adbusters.org.
Hofstede, Geert, Gert Jan Hofstede, and Michael Minkov. Cultures and Organizations: Software of the Mind. 3rd ed. New York: McGraw-Hill, 2010.
Levy, Steven. Hackers: Heroes of the Computer Revolution. 25th Anniversary Edition. Sebastopol, CA: O’Reilly, 2010.
Myatt, Michael. Hacking Leadership: The 11 Gaps Every Business Needs to Close and the Secrets to Closing Them Quickly. Hoboken, NJ: Wiley, 2013.
CHAPTER 2
Strategy for Breakfast: The Hidden Power of Security Culture
For an industry that is so grounded in engineering and technology, information security can appear quite unscientific to those outside of the field. Your organization’s information security team can probably inundate you with reams of data about security operations and posture, including product performance benchmarks, security event logs, patches applied, and events counted. But the industry struggles to satisfactorily answer the question of why one organization’s security strategy seems to protect the organization, while another’s efforts fail miserably. It’s almost like fate or the wrath of the gods is involved. We seem to know everything about how information security works except how it actually works. That is not because information security is inherently mystical or more art than science. Security fails because strategy is not enough. Management guru Peter Drucker summed up the problem in a phrase: “culture eats strategy for breakfast.” Too often, security programs searching for the reasons why they failed in their technology or their strategy are simply looking in the wrong place for answers.
Why Security Fails
I have a presentation I often give to customers and deliver at industry conferences, a thought exercise to demonstrate how security can fail even in the face of controls and commitment to ensuring that it does not. It’s a naturally visual thought experiment, but I’ll try to commit to something more narrative in the following pages. You can find an actual video presentation at http://lancehayden.net/culture.
We Start with a Design
Suppose we want to build a new system, or maybe protect an existing one. It can be a technology system or an organizational system, a machine or a corporate process, or even a global financial system…it doesn’t matter. We begin with a design for the system. In the case of a new system, we create that design. If the system already exists, we may just document the existing design. However we do it, we end up with something we’ll call System 1. Now, we may know only a little about this system or a lot, but one thing we always know for certain is that there are conditions under which the system will fail. We may not know exactly when or how such failure will occur, but we know it is inevitable given the right circumstances. We may, in some cases, be able to test for failure, but in many other cases that won’t be possible. Failure in this system is like a cliff in the dark, a precipice at night that we can’t see until it is too late and we are about to tumble over it. We’re afraid of it, waiting for us out there in the darkness, and all we know is that we never want to get too close in our wanderings. See Figure 2-1 for a simple picture of this scenario.
Figure 2-1 System 1 and the failure line
To make the metaphor concrete, let’s extend an example I touched on briefly in Chapter 1. Imagine a company that produces commercial software products. The design we are interested in is the production system that makes the programs the company sells. The system is made up of people, processes, and technologies, all existing within the context of software development. Engineers and developers write the code that goes into the company’s products. Managers supervise the engineers and developers. Customers depend on the end products that the company sells. Within this system is Clara, a developer who has worked for the company for several years.
There are many ways the software production system might fail, but we’ll concentrate specifically on security events. Narrowing our focus even further, we know that mistakes Clara might make while writing her code could have deleterious effects, perhaps by introducing vulnerabilities into the company’s software products, to use one example. If a product hits the market with a serious vulnerability, one that results in a zero-day exploit being created that completely compromises the software, then the development system will have experienced a major failure. But that edge is extremely difficult to see, and Clara’s company may only find out it is in a state of free fall when journalists or law enforcement agencies start calling.
Warning Signs
If we were dealing with a real cliff, we might put up a fence. We could build it far enough back that there would be no danger of people getting too close to the edge as they wander around at night. We could hang lighted warning signs saying, “Danger! Go No Further! Cliff!” And, having done this, we could reasonably expect that we have managed the risk of someone having an unfortunate accident.
It turns out we do very much the same thing in other systems that we design. Not knowing exactly where the failure point is, we hedge, putting in place thresholds and boundaries that we believe provide a healthy buffer between us and our theoretical point of no return. We call this our risk tolerance level, and it is a measure of the risk we can live with, the chance of failure that we find acceptable.
As mentioned, hedging takes place in many systems. For example, the manufacturer of a server or network device might specify a temperature range outside of which operating the device becomes risky. The device may work just fine at the extremes of that range, or even beyond them, but pushing the limits is like dancing on the cliff edge. As another example, a banker might decide to keep a certain ratio of assets on hand in case the bank experiences losses or a run on the bank occurs, and she may choose to keep more on hand than she thinks she’ll ever need, just to be safe. Closer to home, an IT manager might implement controls in the form of secure configuration and hardening standards that apply to any production IT system. Just about anything can be made to play the role of the fence when building a buffer between the design and its failure, including the same people, processes, and technologies that make up the system. Figure 2-2 illustrates this protective hedge against failure.
Figure 2-2 Risk tolerance and hedging against failure
In our example software company, one of the fences built for security purposes is a software development life cycle (SDLC) process that explicitly includes security reviews. Our developer, Clara, is required as part of her job to perform certain security tests as part of the SDLC adopted by the firm. These tests, among them a source code review, give the company peace of mind that reasonable measures are in place to keep failures associated with vulnerable code from happening.
Doing More with Less
Now everything looks good for our example software company. The company has a system designed to produce quality software for its customers. Part of that quality is a commitment to security. And the company has designed protective processes into the system in the form of SDLC security to make sure that Clara never gets too close to the cliff. Management sleeps well at night.
The problem with this happy scenario is that it rarely plays out so perfectly in the real world. For Clara, working in a high-speed software company is rewarding, but stressful. Like most organizations, Clara’s company does not have unlimited resources and has high expectations of employee productivity. The development team seems to be constantly short a couple of software engineers, and the market is always demanding new and improved versions of the company’s products. Project deadlines for code delivery can be brutal, and Clara’s job sometimes feels like she’s running one marathon after another, sprinting to the finish line just in time to start the next race. Clara is a professional, and she takes security seriously. But security is not the only thing on her mind during a development project.
On-time, on-budget product delivery is part of the company’s DNA. Clara knows this. Project stats tracked by the company are almost all about completion. How many milestones were completed on schedule? How often were they completed early? No one wants to talk about being late for a deadline. Missing project deadlines by even a couple of days throws everything into disarray and causes management to freak out. The managers’ bonuses and hopes for promotion, just like Clara’s and everyone else’s on her team, are tied to project performance metrics. If you blow a deadline, management is suddenly in your face, and even your friends on the team begin to look at you funny, like an anchor that is dragging them down. Developers who miss more than a few milestone deadlines tend not to survive long with the company.
During a particularly aggressive update project for the company’s flagship product, Clara realizes early that meeting the project deadline is going to be extremely demanding. She begins to prioritize early, focusing on critical-path activities and letting other details slide in the hope of picking them up later. SDLC security tasks start to accumulate, but Clara keeps telling herself she’ll get caught up later. So she’s concerned, but not all that surprised, when she realizes ten days before the project completion that finishing up her security reviews and testing is going to take two full weeks. Now Clara has a decision to make. She knows how important security is to the firm, and to her personally. She wants to tell her boss the deadline will need to slip to accommodate the SDLC requirements, but she also knows that doing so could mean the end of her career at the company. Clara feels as though she’s caught between two opposing forces. The SDLC is like a barrier in front of her, holding her back until she finishes the whole job. But behind her is a crowd of people, surging and pushing her against that barrier unrelentingly, trying to force it to give so that she can finish on time. Figure 2-3 illustrates the forces acting on Clara.
Figure 2-3 Opposing forces influencing Clara’s decision
In the end, the pressure of the deadline overwhelms the influence of the SDLC security review policies. Clara likes her job, and she needs that bonus for a long-overdue tropical vacation. So she crosses her fingers and chooses. She’ll complete as much of the security review as she possibly can in ten days, but then she’s handing off that code.
Who Moved My Fence?
Unless someone notices and calls Clara out on her incomplete review, it’s unlikely that anything bad will happen. In Clara’s company, the SDLC is a set of guidelines and policies. The developers hold themselves accountable for compliance, with some periodic spot checking by management and auditors. The odds are in Clara’s favor. No one notices that she’s cut a few corners on the security reviews. In fact, life for Clara is good. Her boss is giddy that his team managed to pull off such an aggressive update on time. Sales is happy to have a product to deliver. The customer is satisfied with the new features. Once again, the company has lived up to its reputation for reliable delivery. Clara gets a good bonus and lots of praise for balancing priorities effectively.
Clara regrets that she skimped on security, but it’s obvious to her that she made the right decision. If she had delayed delivery to dot all the security i’s and cross all the t’s, the whole situation would have ended differently, and probably badly for her. She’s pretty sure she wouldn’t be flying to Maui at the end of the month.
Clara has experienced a powerful feedback loop, created by the requirement for her to manage two opposing sets of expectations. Living up to one set meant everything worked out and Clara prospered. Now her boss thinks she’s a rock star, and her team respects her. Nothing bad happened, and the software is probably fine, since Clara’s a good coder. The next time she faces this sort of decision, Clara will remember. She will be more likely to make the same decision again. Her peers will notice too, and emulate her behavior. Each time she is rewarded and there are no negative consequences for her failure to complete her security reviews, Clara will feel that the company approves of her lapse, at least in the face of the alternatives. She’s working her best, optimizing effectively, doing more with less. She’s also moving closer to the cliff.
What no one can see is that, as Clara and the company make a habit of prioritizing completed projects over completed security reviews, they are slowly moving the fence. Unless management recognizes that security is being systematically undermined by missed SDLC reviews and responds by pulling Clara and her team back behind the safety line specified in the design, then that line shifts by default. The margin of error decreases, the safety zone shrinks, and the whole system drifts inexorably toward the edge, as illustrated in Figure 2-4.
Figure 2-4 The system drifting toward failure
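The drift in the case study can be made measurable. The Python script below is an added example, not from the book: over constructed release records it applies the single-release spot check the company relies on, then pools security-task completion across a rolling window of releases so the slow shift of the fence becomes visible before an incident does. The release data, the 90 percent tolerance, and the three-release window are assumptions.

```python
"""Tracking SDLC security-review drift across releases.

Added example (not from the book). Each release has a set of mandated security
tasks; some are skipped under deadline pressure; the company only spot-checks
individual releases. Pooling completion over a rolling window of releases makes
the gradual erosion visible, which a one-release audit cannot.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class ReleaseRecord:
    version: str
    required_tasks: int    # SDLC-mandated security tasks (reviews, tests)
    completed_tasks: int   # tasks with recorded evidence of completion
    shipped_on_time: bool  # the metric the company actually rewards


# Constructed sample data, not a real project history. Completion erodes while
# every release still ships on time: the pattern nobody in the story watches.
RELEASES = [
    ReleaseRecord("1.0", 10, 10, True),
    ReleaseRecord("1.1", 10, 10, True),
    ReleaseRecord("1.2", 10, 9, True),
    ReleaseRecord("1.3", 10, 9, True),
    ReleaseRecord("1.4", 10, 8, True),
    ReleaseRecord("1.5", 10, 6, True),
    ReleaseRecord("1.6", 10, 5, True),
]

# Assumed risk tolerance line: at least 90% of mandated tasks done.
TOLERANCE = 0.9


def completion_ratio(rec: ReleaseRecord) -> float:
    """Fraction of mandated security tasks completed for one release."""
    if rec.required_tasks <= 0:
        raise ValueError("a release must have at least one mandated task")
    if not 0 <= rec.completed_tasks <= rec.required_tasks:
        raise ValueError("completed tasks out of range")
    return rec.completed_tasks / rec.required_tasks


def spot_check(rec: ReleaseRecord, tolerance: float = TOLERANCE) -> bool:
    """The periodic audit from the story: one release, pass or fail."""
    return completion_ratio(rec) >= tolerance


def windowed_ratio(records: List[ReleaseRecord], end: int, window: int) -> float:
    """Pooled completion ratio over the `window` releases ending at index `end`."""
    chunk = records[end - window + 1 : end + 1]
    done = sum(r.completed_tasks for r in chunk)
    required = sum(r.required_tasks for r in chunk)
    return done / required


def first_drift_breach(records: List[ReleaseRecord],
                       tolerance: float = TOLERANCE,
                       window: int = 3) -> Optional[str]:
    """Version at which the rolling completion ratio first drops below tolerance.

    Returns None if it never does. Windows that are not yet full are skipped,
    so the first `window - 1` releases cannot trigger a breach on their own.
    """
    for end in range(window - 1, len(records)):
        if windowed_ratio(records, end, window) < tolerance:
            return records[end].version
    return None


def rewarded_lapses(records: List[ReleaseRecord],
                    tolerance: float = TOLERANCE) -> List[str]:
    """Releases that shipped on time *and* fell below tolerance.

    Each one is a turn of the feedback loop in the case study: the lapse had
    no visible consequence while the deadline metric was rewarded.
    """
    return [r.version for r in records
            if r.shipped_on_time and not spot_check(r, tolerance)]


def consecutive_declines(records: List[ReleaseRecord]) -> int:
    """Longest run of releases whose completion ratio did not improve."""
    best = run = 0
    for prev, cur in zip(records, records[1:]):
        run = run + 1 if completion_ratio(cur) <= completion_ratio(prev) else 0
        best = max(best, run)
    return best


if __name__ == "__main__":
    for r in RELEASES:
        print(f"{r.version}: {completion_ratio(r):.0%} spot-check "
              f"{'pass' if spot_check(r) else 'FAIL'}")
    print("rolling breach first seen at:", first_drift_breach(RELEASES))
    print("lapses that were rewarded:", rewarded_lapses(RELEASES))
    print("longest non-improving run:", consecutive_declines(RELEASES))
```

Releases 1.2 and 1.3 each pass a single-release spot check at exactly the tolerance line, while the pooled view flags the decline at 1.4, two releases before the worst numbers.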
Look Out Below!
Then the day comes when a vulnerability in one of the company’s products spawns an exploit that is used to attack a customer, resulting in a very public security breach. In the ensuing investigation and root cause analysis, the failure is traced back to code Clara developed. People start demanding explanations. How could this happen? How could the company, and Clara in particular, be so negligent? Investigators and auditors begin to ask, “Don’t you have processes in place to review the security of your code?” “Well of course we do,” the company responds. “But in this case they were not followed appropriately.” Further digging reveals systematic problems. Many SDLC-mandated security reviews were never completed. The risk management design—the fence that people depended on and assumed was functioning properly—existed only on paper. Overnight, Clara goes from being a model employee, rewarded and admired, to being incompetent, negligent even, and perhaps worse. No one is singing her praises now, as everyone looks for a scapegoat. Her manager says he never knew Clara had violated policy, which was supposed to make security reviews automatic. Clara will be lucky to keep her job.
The company’s management, now faced with a crisis that is more than just a one-off fluke, decides that the system itself is flawed and needs to be changed. “We need a completely new SDLC system,” they say to one another, “maybe one that is fully automated.” The CIO puts out an RFP for consulting to help them rebuild the broken processes. The result, after six months and a large bucket of money? System 2, which is better and is designed to overcome the weaknesses that got Clara into trouble. Of course, no system can be perfect, and knowing that this new system will also have a failure point, one that is hard to predict, hard to see until you’ve gotten too close, the company makes sure to build in appropriate levels of risk tolerance, key controls to make sure that security is properly prioritized, and up goes a bright, shiny, new fence to keep everyone back from the edge…
Getting the Drift
The phenomenon this case study describes is what failure studies scholar Sidney Dekker calls “drifting” into failure states, and it has nothing to do with any deliberately bad behavior on the part of Clara or anyone else. On the contrary, up to the point of failure, Clara was doing everything right. Faced with competing priorities and insufficient resources to accomplish everything that was expected of her, Clara had to make trade-offs. Her environment was a complex system, full of intertwined demands and emergent consequences for each decision. By focusing on the design of a strategy to prevent failure, rather than the incompatible and unresolved demands on Clara’s time that actually led to the failure, the company should really have zero confidence that System 2 will escape the same eventual fate.
When I give this presentation, I often see heads nodding in agreement in the audience. The drift analogy obviously resonates with people I talk to, who see within it their own situations and struggles. But drift explains more than just information security’s struggle to maintain effective protective postures over time. Dekker explored failure in everything from commercial aviation to financial crises. Security is not unique; it’s just another complex system. And this type of slow movement toward failure, brought about by competing imperatives that prove incompatible with all of an organization’s strategies and goals, can be seen in any complex system. As one goal is optimized, the risk of failure increases for another. As the system produces success in one area, it creates failure in another, like a byproduct.
The Opposite of Monoculture
The idea of the monoculture, a low-diversity environment where everything is the same, has gotten some attention in security. Specifically applied to technology, it means that if you depend too much on one technology product, you can be widely vulnerable if that technology fails or is compromised. Monocultural vulnerabilities may apply to software vendors, but they rarely exist when it comes to people and social systems. If anything, the opposite is true. Organizations have so many different microcultures operating within them, each with its own beliefs and ways of doing things, that they can impact performance if they don’t get along.
Think for a moment about the differences between groups of people within your own organization. Do the people in the IT support department experience the world the same way as the people in the finance organization? In some ways, they probably do. For example, they probably speak the same national language, or at least agree to work in the same language when doing business. But even if everyone speaks English, people in the different groups likely speak very different languages in the context of their jobs, with different terminology and communication styles that characterize their business functions. Beyond language, there can sometimes seem to be worlds of difference between how one group thinks and behaves compared to another. Engineers don’t worry about employee retention like HR managers do. The custodial staff does not obsess over quota retirement like the sales team does. Managers and executives stress over political rivalries that many individual contributors couldn’t care less about.
Microcultures are inevitable when you have different specialized groups populating the large organizations that define modern society. Everything has become too complex for one person to be able to have all the competencies necessary to achieve our organizational objectives. So we divide up the work and everyone provides their unique contributions to the overall goal. We’ve even developed specialization to enable some people to manage all the moving parts strategically, even if they don’t understand everything about how those parts operate.
But our collective activity doesn’t always work, despite all our efforts. We can’t herd the cats, can’t get all the different teams to play nicely together. Our strategic planning may be stymied when all of the groups necessary to achieve the goals don’t perform the way we have predicted or expected. If we ask “ordinary” people within the organization about why a strategy didn’t work out, we often get surprisingly honest answers:
“Oh, I could have told you that software implementation wasn’t going to work from the beginning. They just set it up to fail.”
“The new executive staff just doesn’t get it. They think they are going to magically change company performance overnight. You don’t turn an oil tanker on a dime.”
“You know, we try reorganizing around smaller teams every few years, but it never takes. That’s just not the way we do things here.”
The previous examples are exactly the sorts of scenarios Drucker was talking about when he coined his phrase. (As an aside, although the quote is attributed to him, Drucker never actually wrote “culture eats strategy for breakfast” in any of his books; see the reading suggestions at the end of the chapter for a good article that quotes it.) Organizations make plans and formulate business strategies all the time. Those plans and strategies emerge from more or less rational consideration of the requirements and challenges facing the organizations, and the organizations devote extensive time and energy to writing them down, organizing them into initiatives and projects, setting up teams, and executing on milestones to achieve their goals. And, when those strategies sometimes fall short, when they fail to succeed for no apparent reason, organizations have a difficult time articulating what exactly went wrong. Organizations talk about culture, and they go to great lengths to emphasize their unique cultures, but talking about something isn’t the same thing as doing it, and more effort is put into doing strategy. Organizations don’t put the same emphasis on understanding culture, working to change it, and setting goals for it. That’s a problem because, as Drucker pointed out, culture is fundamental to strategic success.
Cultural Traits in Information Security
Security organizations aren’t different from other organizations when it comes to specialization and subcultures. Information security often functions as a subculture of information technology, while also possessing its own specializations and microcultures at the corporate, professional, and individual levels. You can find very different types of people in information security, with completely separate skill sets and experiences, yet all of them identify themselves as belonging to the same industry or field. And the field of information security most definitely has a shared culture all its own. Inside a company, InfoSec may be a specialized subculture within IT, which cohabitates with and helps construct the general enterprise culture, along with other specialized communities like HR, Legal, or Physical Safety and Security. Figure 2-5 illustrates this relationship in a simple way. As I described in my story about the difference between physical security and information security in Chapter 1, even two subcultures that are both dedicated to the same purpose, protecting corporate assets, can be quite different in what they believe is important and in the decisions that they make about how to achieve their ends.
Figure 2-5 Security as a subculture
In information security, even though there are many different roles, each requiring specialized skills, the culture shares some common characteristics and values that everyone in the culture more or less accepts. Defining and analyzing these shared beliefs and assumptions is a core requirement for understanding and eventually transforming security culture. Through my career experience I have identified four cultural traits that I believe are important to recognize when trying to understand why security struggles to succeed. These traits are not the only characteristics that define our culture, and obviously not everyone in the industry exhibits every trait or shares them to the same degree. But as general principles, I often see these traits drive the thinking and decisions of organizations, their vendors and suppliers, and even regulators and policy makers trying to solve information security’s more contentious problems.
Techno-romanticism
It’s right there in the name. Technology is front and center in security today, both as the potential problem and as the likely solution. But what do I mean by techno-romanticism as a cultural trait? This means that, all things being equal, we tend to default to prioritizing technology over everything else. Actually, we do it even when all things are not equal. When we identify a problem, the first place we usually go looking for a solution is technology. That this is the way the industry works is not really very surprising. We have more than our fair share of engineers in the industry, people who come from their own technology-centric cultural background. And security product vendors have a vested interest in encouraging and maintaining a system in which automation and infrastructure are believed to be the most important aspect of security.
Cultural values empower people by giving them a common frame of reference. But they can limit people, too, by closing minds to alternative ways of thinking about a problem. Psychologist Abraham Maslow captured the concept in his famous saying, “I suppose it is tempting, if the only tool you have is a hammer, to treat everything as if it were a nail.” This can be a problem in security when technology eclipses everything else. I frequently talk to security professionals who not only believe that most security problems can be best solved with technology solutions, but also believe that if technology cannot solve a problem, the problem is inherently unsolvable and there’s no point in putting further effort into it. For them, technology is not just the best solution, it is the only real solution.
Monocultures are a problem not only when they have too much of one kind of technology, but also when technology is all they have. One of my hopes for this book is that it begins to point to a demonstrably effective approach to people-centric security that can help alleviate our unhealthy dependence on technological solutions.
Defeatism
This cultural trait seems to have evolved pretty recently, but it has quickly gone viral. Within the last few years, the general message you will hear transmitted in marketing materials, at conferences, and in trade magazines has changed from one of how to keep your security from failing, to the need to accept that it has already failed. Even if you don’t know it, the extreme version of this meme goes, the bad guys have won. You are already owned. All you can do is try to contain the damage and clean up the mess.
When I came into the industry decades ago, the general consensus was that security was winning. Sure, there were threats and challenges, but the dominant analogy was that of the Wild West. And information security was like the Texas Rangers, riding across the land protecting citizens from marauding bandits and outlaws as the modern world of law and order took root. Today, we still live in the Wild West, but now it seems we identify more with the defenders of the Alamo. Surrounded on all sides by the bad guys, everything has become an existential threat, and heroic as our efforts might be, it’s only a matter of time before we get overrun and slaughtered.
Exceptionalism
Talk to many security professionals today and you’ll hear that there is absolutely nothing that represents a greater menace to the well-being of society than cyber threats. In addition to thinking that security is the biggest problem the world faces in a world full of problems, the industry often acts like the security problem is also unique—no one has faced anything like it before, so no one can understand what it is like to be responsible for information security. When you combine this sense of exceptionalism with the sense of embattled defeatism, you can start to understand why security experts look at you like a suicidal idiot when you suggest that it might be cool to be able to use your personal iPhone at work.
There’s nothing particularly exceptional about information security’s sense of exceptionalism. Every field thinks it’s different. We’d be more exceptional if we recognized as an industry that we are not unique. The problems we face, even technical problems that seem impossible without the presence of advanced IT systems, can be traced back historically to the telephone, the telegraph before that, and probably all the way back to when some Neanderthal snuck into a rival clan’s cave and exfiltrated the secret of making fire by copying a drawing from the wall. What our exceptionalism does a much better job of explaining is why it can be so difficult for the security programs in many organizations to get people to listen to them. It can be hard to get someone to agree with your answer when you continually act as though they are incapable of really understanding the nature of the question in the first place.
Paranoia
Although we might not be as exceptional as we like to think we are, InfoSec does do some things quite differently from other professions, so much so that we sometimes look at the world one way while wearing our security glasses, and a different way when looking at it through a business or even personal lens. Consider the case of risk. When working with clients, I often find that a cognitive dissonance exists around risk, a state where the security professional I’m talking with holds differing and contradictory ideas about the same concept simultaneously. When they discuss risk in the context of security, they give a definition that essentially characterizes it as potential loss or downside. They may define it as a formula, such as likelihood × severity, or as a statement of things that can go wrong. But risk is almost always perceived as negative and almost always something to be avoided or, if it is not possible to avoid altogether, managed in a way that minimizes it.
But if I ask that same professional some probing questions about how they invest for retirement, or what they like to eat or do for fun, or which companies they admire most, it can be like talking to a completely different person. Are they keeping their portfolio exclusively in safe, low-yield investments? Most say “no.” Do they smoke, drink, or eat things that are bad for them? Many do. And the companies they get excited about are usually startups and innovative trendsetters, not the boring, dependable sorts of companies that would attract Warren Buffett’s eye. Risk, it seems, means something remarkably different when they are not talking about security.
These differences between how InfoSec professionals address security as opposed to other things in their lives speak to another cultural trait, a sometimes pervading sense of paranoia. We are so used to watching things go wrong and to understanding all the things that can go wrong, that we “accentuate the negative.” The benefits of all this IT infrastructure we have built tend to fade into the background when it runs smoothly, and we take it as a given. At least until it breaks. Since security is usually front and center when it does break, both as the means to a fix and a potential target of blame, it’s no wonder that some security professionals develop an obsessively glass-half-empty worldview. It’s the nature of the beast. But it doesn’t always help us relate to other parts of the organization that don’t necessarily share our feeling that everything is a security incident waiting to happen.
“I Just Know What They Could Do…”
One of my best friends is a security expert who has performed penetration tests for years. On a trip to do a joint consulting engagement, I stopped by his room as we were leaving the hotel just in time to find him locking his toothbrush and several other personal grooming items in the hotel safe, along with his valuables.
“What are you doing?” I asked. His passport and iPad, I understood. But his toothbrush and comb?
“I never leave that stuff out,” he said, entering a new code into the safe. “Do you?”
“Yeah,” I laughed. “What, you think the cleaning staff wants to mess with your stuff?”
“I don’t care what they want,” he replied, shooting me a look. “But I’ve been screwing with people’s systems for long enough to know it’s not about what they want to do. I just know what they could do, if they wanted to. Think about that.”
I did. And to this day, I lock up my toothbrush every time I stay in a hotel.
Competing Values and Security Threats
Clara’s case earlier in the chapter is an example of a situation where one cultural value (the desire to produce a finished product quickly) created a direct threat to another cultural value (the desire to make sure that product did not contain security flaws). These conflicts occur all the time in business and in life. They are at the core of Dekker’s concept of drift, because individuals are forced to choose between competing priorities that all have the potential to cause failure. The priorities that end up being chosen, and whether those decisions are then rewarded or punished, represent the real-world operationalization of an organization’s values. Security may have been a priority in Clara’s company, but when pressed, when there was not enough time or money to do everything, as in Clara’s case, the company’s most important cultural imperative was to get products to market on time. That’s what the company most cared about. Cutting a security review short was lamentable, but blowing the production deadline was unacceptable.
Much of the rest of this book will be devoted to hunting down the hidden threats posed by competing cultural values and replacing values that degrade security with those that improve it. Many, if not most, security incidents can be traced back at least in part to competing values that led to conflicts in behavior, which in turn created risk. These risks cannot be easily managed by just identifying a threat and avoiding or controlling for it. The threat is also intrinsic to the system. It is the Rubik’s Cube effect I mentioned in Chapter 1, where making something more secure means making something else less successful, maybe less efficient or less productive. If the organization puts a greater priority on that success than on information security, security will lose. The only surefire control is to increase resources so that both priorities can be achieved. Since that’s not usually going to happen, the only realistic option is to discover these threats and make the competing values that initiate them visible to all the stakeholders involved. You don’t solve the problem this way, but you allow people to have an honest conversation about those priorities and give the organization the opportunity to accept risk in an informed way, rather than the blind acceptance of letting it continue to exist, invisible and dangerous.
When leaders impose strategies on an organization without understanding the cultural dynamics in place, or in spite of those cultural dynamics, they make the mistake of expecting a boulder to roll uphill. You can certainly make a boulder roll up a hill, but not by just declaring that is where it must go. Defying gravity requires planning, force, and engineering efforts to create what feels like a very unnatural outcome. Execution is the boulder. Culture is the hill. Gravity and inertia are always on its side, and left to its own devices, culture always has the final say.
The Change Agents of Security Culture
So who makes security culture work? Who is responsible for changing it, for hacking it like I encouraged in Chapter 1? Who is best positioned to transform the system? The cliché answer is everybody. An organization’s culture is created by the everyday decisions and interactions and beliefs of the people in it. But we can narrow that down a little and identify different folks with the best chance of leveraging cultural change. Let’s start at the very top, with senior leadership.
The C-Suite
Leaders are in a unique position to affect culture, because they can help create it through their influence and their examples. In information security, the CISO is the senior security-specific leader, but companies have become painfully aware that the effects of a breach can reverberate far beyond the CISO’s office, affecting the entire C-Suite of chief executives. So security leadership and organizational leadership are sort of synonymous these days. They all have a stake in success.
Changing culture is hard. The most important thing senior security stakeholders, both inside and outside the formal security program, can do is to recognize that transforming security culture means changing the way people think, not just how they behave. And that starts with the leaders themselves. They may have to change completely the way they think about security, and they will certainly have to accept that solving the human equation is the only way to make their strategies successful. You can dictate a strategy, but you cannot dictate the culture you need to make it work.
Security Awareness Teams
I mentioned security awareness teams in Chapter 1 in the context of culture hacking, and I have to put them front and center again here. More than anyone else outside of senior leadership, the security awareness managers and trainers in an organization are best positioned as cultural change agents. One reason is that, even more than senior leadership, security awareness professionals have already bought into people-centric security. A great part of their raison d’être is the exploration and management of human behavior, including the motivations and hidden drivers of it.
What I have seen security awareness teams struggle with is the lack of a good knowledge base and maturity in the industry for understanding organizational and human behavior in general. While there are lots of tactical approaches and methods for improving security awareness, I often see security awareness teams looking for more strategic and theoretical resources that can help inform their efforts and carry them to new levels of efficacy and reach. Given the relative youth and inexperience of information security as a formal discipline (a few decades for us compared to generations or even centuries for law, insurance, and finance), this should be unsurprising. And we are at the point in our profession’s evolution where we move from practicing what we do to theorizing about how and why we do it, so those conversations are beginning to happen. I’m writing this book in my own minor attempt at contributing to and influencing that conversation.
Security Researchers
I’m not the only curious soul in the security industry, fortunately. One thing that makes me proud of being part of information security is that we seem to have more than our share of smart, curious researchers who enjoy thinking about things in new ways. That includes the bad guys as well as the good guys, but if you can judge people by the quality of their enemies, information security is a dynamic and innovative place.
The industry’s love affair with technology puts a premium on engineering and product research, and there’s no question that InfoSec researchers in this space do some amazing things. But that same techno-romanticism has made security pretty weak in the social sciences, by comparison. I encounter a lot of bias and condescension directed toward “subjective” approaches and qualitative research methods commonly used by social science researchers such as anthropologists, sociologists, and economists. Security pros will use such approaches and methods, but only as necessary evils when “objective” and quantitative methods aren’t possible. The fact that the industry often shows a lack of understanding of what these terms actually mean can be annoying, but I like to think of it as an opportunity.
This book is about culture, so it is unashamedly grounded in the social sciences, in the ostensibly second-tier subjective and qualitative methods many in the industry mistrust. One of my hopes is that readers find the techniques I include intriguing, maybe even capable of answering, at least in part, questions they thought impossible to answer before. I am convinced that more social science research in information security—explorations of sociology, of psychology, and of human relationships in general—has the capability to transform not just security culture but the entire way we operate as a discipline.
Security Practitioners
From software developers to firewall administrators to the analysts manning the security operations centers, practitioners make the daily work of information security happen. You don’t change security culture without them. But practitioners are not just passive targets of transformational efforts. These stakeholders are perhaps best positioned to understand and explore security culture because they live it every day.
Security practitioners can contribute to security cultural change in at least two ways. First, they can act as a source of data on how the security culture functions, what it is, where it works, and where it does not work. Researchers and specialists who are trained to elicit this information can help the security culture become more self-aware. Once self-knowledge takes root, practitioners can then become more active participants in changing their own environment. As we’ll see, much of the process of cultural transformation relies on these sorts of bootstrapping efforts, people recognizing good and bad habits, cultivating the former and working to modify the latter.
Making Security Cultural
A people-centric approach to security does not mean addressing the human threat. People-centric means, literally, putting people at the center of the whole security challenge and emphasizing the ways in which they are central to solving problems rather than how they contribute to them. People-centric security means that security leaders such as the CISO have to look beyond the immediate needs of a security program team and take into account other stakeholders and their needs and priorities. People-centric security means the entire industry recognizes that not everyone shares in their belief that security is the world’s biggest problem, that technology is the best way to escape that problem, and that information security has a privileged and unique insight into how the world operates.
Instead, a people-centric security perspective embraces the values and priorities of those who are outside the information security field as the best way of helping security be successful and compete in an active marketplace of values and ideas. People-centric security is political and humanistic, and it is the only way for security to thrive in today’s environment. FUD, the use of fear, uncertainty, and doubt to push our agenda, is no longer sustainable. We need to reexamine our own beliefs, question everything that we have come to understand about information security, and see if those values still hold up. Where they do not, we must change them. Our end goal will be to transform information security culture for entire organizations, but before that happens, we will have to transform our own, and that requires learning a bit about how organizational culture functions.
Further Reading
Aulet, Bill. “Culture Eats Strategy for Breakfast.” TechCrunch, April 12, 2014. Available at http://techcrunch.com/.
Dekker, Sidney. Drift into Failure: From Hunting Broken Components to Understanding Complex Systems. Burlington, VT: Ashgate, 2011.
CHAPTER 3
Organizational Culture: A Primer
I'm going to make the case in this book that security culture is fundamental to security performance and offer a path to transforming your organization's information security culture as a way to reduce risk, increase value, and avoid security incidents. But to make that case, I need to demonstrate that the critical link between organizational culture and organizational performance is not a new idea in industry, just one that is pretty new to InfoSec. Studying organizational and corporate culture as a means to making companies perform better in competitive and volatile circumstances has a rich history in both business and academia. In this chapter I will draw on some of this research to help you understand the groundwork that has already been established, even if only at a very high level.
The Cultural Success of Apple
It's almost a cliché to hold up Apple as an example of a successful organizational culture, but probably more than any other company in recent memory, including other wildly successful technology firms, Apple remains unique as a cultural case study. It succeeded wildly, then nearly failed, only to pull off one of the most amazing comeback stories in history. The near cult of personality that developed around Steve Jobs, who was instrumental in Apple's return to glory, made his style of leadership synonymous with Apple's culture. And the company has literally changed global society with its hardware and software, all while maintaining an aura of style and continuous innovation that few of its peers can match.
Much ink, real and digital, has been spilled trying to deconstruct Apple's culture, including whether the company is as magical as its hardcore fans believe it to be. But you don't have to love Apple to appreciate the power of its employees' and customers' sense of identity and near worship of core tenets like design, simplicity, and novelty. Culture is about shared values and beliefs. Whatever one thinks about Apple as a company, no one can say that the company's culture has little to do with Apple's success.
The Field of Organizational Culture
The study of organizational culture grew out of the study of culture at a more general level. Sometimes the two fields still overlap. Some researchers engage with cultures that exist within organizations, as I do in this book, and some study how organizations work across and between cultures (for instance, in the case of multinational corporations). I don't put as much emphasis on this latter aspect, although it still can hold implications for information security.
Origins
The first scientists to study culture, the ones who invented the word in the first place, were anthropologists. In the nineteenth century, social scientists were concerned with how societies and civilizations developed and evolved. Specifically, they wanted to know how entire belief systems could be transmitted and maintained from generation to generation. What made one society so very different from another, and what made those differences stick over time? A full examination of the evolution of cultural anthropology is way beyond the scope of this book; the pertinent point here is that early anthropologists recognized that something, some phenomenon, allowed differing groups of people to share common social attributes and behaviors, and that this phenomenon could act as a powerful force in shaping the lives of a group's members across both space and time.
Security and Global Culture
Cisco is a global technology company with offices and customers all over the world. In addition to managing a diverse and multicultural workforce across dozens of countries, Cisco has sponsored dedicated research into the ways that different cultures engage in information security. A study commissioned by Cisco in 2008, resulting in a series of white papers titled Data Leakage Worldwide, specifically targeted human information security behaviors across cultures, identifying patterns and differences around security practices from country to country. The results pointed to interesting, culturally specific ways that security practices differ depending upon the unique beliefs and social values of the societies in which those practices exist. The Data Leakage Worldwide white papers can be found by searching on the Cisco home page at www.cisco.com.
With the rise of large, bureaucratic organizations designed to facilitate business, governance, and other strategic social goals, the world began to witness different enterprises growing as complex and as geographically distributed as some nations or peoples. As these organizations expanded and thrived across space and time as well, maintaining the same structures and processes well beyond the lifetime of any single individual member, a new generation of researchers took notice. Business scholars and organizational theorists borrowed the concepts invented by the social scientists and anthropologists and began to apply them to companies and other large organizations. It took a while. The field of organizational studies has also been around a long time, evolving separately from anthropology and dating back to the Industrial Revolution. But it was only in the second half of the twentieth century that researchers merged the two disciplines and began specifically looking at culture in the context of businesses and other large, organized enterprises.
Whereas the anthropologists were concerned with understanding what made a society tick, the organizational culture researchers were often more concerned with what made organizations, particularly businesses, successful. Why did one company do so much better in its industry (or so much worse) than another? How could one company completely reinvent itself to overcome a market challenge while a peer struggled and ultimately failed to change the way it did business? Often, the differences between competitor firms seemed to boil down to intangibles. What did the leadership believe? How did the organization treat its members? What were the most important symbols, values, and rituals in the daily lives of all the members?
Outcomes
The end result of these studies is an academic field of its own (several, actually), as well as an industry of management theorists and business consultants who have attempted to unlock the secrets of culture and put them to productive use in improving organizational performance. There are theories and frameworks to explain culture, as well as disagreement and debate about what it all means, but at the core of the discipline are a number of powerful common themes that you will find over and over again. These commonalities are what we need to focus on in order to understand what organizational culture can do for IT and information security.
The Cultural Failure of Enron
If Apple is a go-to example of successful organizational culture, the scandalous Enron culture easily qualifies as an obvious opposing example. In 2001, the energy and commodities company imploded as it became apparent that the entire enterprise was built upon a systemic culture of corruption, deceit, and fraud. Where Apple changed the world by creating the iPhone, thus ushering in the age of mobile smart devices, Enron changed it by calling into question virtually the whole accounting industry and ushering in the age of Sarbanes-Oxley (SOX) compliance.
Enron did not fail because its culture was weak, at least not in the sense that people didn't share common values. The big problem was that the common values shared by senior management and pushed throughout the company were reprehensible and ethically bankrupt. Enron's culture was about pushing to the edge and beyond, beginning with innovations in commodities trading and energy markets, before ending with debt, oversight, and the law. Enron was not the last of the corporate governance scandals in that period, and several high-profile companies followed the firm into ignominious failure as a result of their own toxic cultures, while simultaneously poisoning the reputations of the accounting firms that managed their books. In the case of Enron's own accounting company, Arthur Andersen, the damage proved fatal and that company ceased to exist along with its disgraced client.
The Culture Iceberg
Organizational culture lends itself to the iceberg metaphor. Read a few books on corporate culture and what immediately comes through is the sense of things hidden below the surface. No matter what you can see superficially, you can be sure there is much more going on below that you cannot observe. In fact, in the grand scheme of things, the iceberg you see is really just the tip.
In Chapter 2, I quoted Peter Drucker's prediction that strategy will lose out to culture in nearly every contest. The iceberg metaphor helps to explain why. When a strategic initiative focuses only on the part of a challenge or problem that is visible and easily identified, it's like hooking a rope between the iceberg and a rowboat and telling the crew to tow it. It may not look like such a big job from the surface, but that's only because you can't see the enormity of what you are trying to move. People can row really hard and everyone may applaud their efforts, but that one little rowboat is not going to alter the iceberg's course, no matter how great the exertion. The reality is it's the mass under the waves that actually determines the iceberg's course through the sea, the part that remains hidden from you, untouched and unaffected. There might not be a boat big enough to change that thing's direction.
With culture, the part of the whole that is analogous to the visible ice above the surface is the collection of observable behaviors occurring within the organization every day. What people do, what they say, what they wear... these are all more or less visible decisions. And we tend to talk about culture in terms of these behaviors, choices, and decisions. We might say an organization has a formal culture if we observe that everyone wears a suit and tie to work, or a casual culture if everyone comes to the office in shorts and flip-flops. Based on an organization's behavior, its culture may be described as cutthroat compared to one that is collegial; or open and trusting as opposed to highly controlled. We even see cultures that we would describe as toxic or unhealthy and that corrupt or harm the people within them. But all of these behaviors are driven by motivating factors that are happening underneath the things we are seeing in front of us, as illustrated in Figure 3-1.
Figure 3-1 The iceberg metaphor of culture
Hidden Aspects
The first principle experts recognize in organizational culture is that observable behaviors are superficial. They are always connected to underlying assumptions and beliefs that remain hidden in the sense that everyone simply takes them for granted. People don't often spend a lot of time thinking about why they believe something. They are usually too busy doing things, living their lives. But the things they do are driven, at least in part, by what they believe. Culture is the same way, and scholars from Edgar Schein to Geert Hofstede to Karl Weick have explored and documented the way organizational culture functions as a sort of collective unconscious for the organization. It would be incredibly difficult for a company to do business if everyone in it had to ask "why do we do this?" before making a decision. Companies will actually go to great pains to articulate aspects of the culture—posting signs around their offices, making cards to wear with people's badges, running awareness campaigns—to encourage certain types of behaviors. They want to make those hidden assumptions more visible. Ironically, this attempt to help people understand why they are expected to behave in a certain way is also intended to make such behavior more automatic and reflexive.
So any understanding of security culture has to take into account all the assumptions, hidden beliefs and motivations, and unconscious rituals that have been ingrained into the organization as a whole. The example of Clara in the previous chapter illustrates this idea. Encouraging a specific security behavior was very important to the company. No one would have suggested otherwise, and there were numerous policies and processes in place to enforce that behavior. But lurking under the surface were other beliefs and assumptions, ones that directly competed with Clara's security responsibilities. No one really questioned them, or the resulting incompatible relationship. And, at the end of the day, Clara believed more strongly that she would be rewarded or punished for one behavior than she would for another. After the customer breach occurred that exploited her coding mistake, the company retroactively attempted to make her decision to forego final security checks look negligent and wrong. But the fact was, at the time, she did exactly what the system had trained and conditioned (and even rewarded) her to do.
A difficulty of analyzing culture is that it involves more than just differentiating between what a person does and the motivations behind (or beneath) those actions and decisions. Almost all researchers into organizational culture share the opinion that culture can be very difficult to change (a topic I'll cover a bit later in the chapter). This is because behavior is not something that exists independently of culture. A person's behavior is the visible result of culture, like the flame on a matchstick is the visible result of the chemical process of combustion. You can't start with a flame and end up with a match. It's like that with behavior and culture, too. Focus only on behavior, on what you can see, and you might change it, at least until you stop looking at it. After that, people tend to go back to their old, unconscious way of doing things. So effectuating behavioral change alone is extremely resource intensive, as any security awareness team can tell you. But change what someone believes, what drives them to make the decision in the first place, and they will do the behavioral work for you. It's the cultural equivalent of the ancient Maimonides quote, "Give a man a fish and you feed him for a day; teach a man to fish and you feed him for a lifetime."
People Powered
You only get conflicts between belief and behavior when you are dealing with human beings. The idea that values and assumptions drive decisions and actions is a second basic principle of organizational culture. Software may have hidden bugs, your firewall may have hidden rule conflicts, but technology doesn't have hidden motivations. It can't experience cognitive dissonance or get conflicted about the right thing to do in a difficult situation. People are the only ones who experience these things, and people-centric security means first and foremost recognizing that culture drives behavior. Policies don't. How many of us can think of a policy that we know is in place in our organization yet we don't follow or obey it, maybe because it's silly, maybe because we know that the company doesn't enforce it, or maybe because it conflicts with a more important policy?
Diving into the organizational culture literature, you will find an overwhelmingly diverse exploration of the ways in which people create the organization and how they change it for the good or for the bad. Insights can range from the existence of mythologies and stories to define how culture works, tales of heroes and monsters straight out of Joseph Campbell, to clinical psychology, diagnosing behavior as though an organization itself could be mentally ill. But at the heart of everything is the recognition that without people, you have no organizational culture, or even an organization.
The ease with which culture can overwhelm and confound organizational strategy is one of the most powerful lessons for people-centric security. Information security is beginning to hit a wall in terms of what it can hope to accomplish with strategies based primarily on tools and technology products. This is not because we don't have great tools and technologies, but because we are reaching a point where we cannot do more without the express cooperation and collaboration of the rest of the organization, who have their own great tools and technologies, many of which conflict with security. Increasingly, the potential success or failure of information security is a joint partnership with people elsewhere in the system, whether they are the executives who set strategy and direction, the budget gatekeepers who fund things, the managers who keep it all running on the front lines, or the individual users who make the everyday choices that mean the difference between deterrence and disaster.
The Organizational Culture/Organizational Performance Link
Another common theme in organizational culture research, and the one that resonates most with corporate executives, is the link between organizational culture and organizational performance. Does an organization's culture exert a positive or negative impact on how successful that organization is in its industry or how effectively it achieves its goals? The answer is an unqualified yes. Evidence ranges from "common sense" anecdotal stories, to business school case studies, to longitudinal studies of corporate performance stretching over years. But the bottom line, figuratively as well as literally, is that an organization with a dysfunctional culture is never going to perform as well as it could. What constitutes good or bad when it comes to culture, what makes one culture strong and another weak, is a stickier problem. Different cultures are appropriate for different industries, and what works for one organization won't necessarily generate success in another. But if your culture holds you back, it can be like running a race with weights tied to your organization's legs.
One of the most impressive examinations of the culture–performance link is John Kotter and James Heskett's book, Corporate Culture and Performance, which describes their research studies spanning multiple companies over several years. Empirical and nuanced, Kotter and Heskett's work explores theories of why and when culture either helps or gets in the way of a company's success. They show that it is not as easy as saying a "strong" or a "weak" culture makes your organization successful. Many organizations with strong, forceful cultures that are transmitted and enforced among members have failed, sometimes spectacularly, while seemingly weak or less entrenched cultures have thrived. Instead, it seems that the secret to success is one of harnessing culture to serve the business, just like any other resource. The cultures that do the best appear to be the ones that have the best "fit" for the industry and the challenges they face, including the capability to respond and adapt to change.
Culture can be disruptive just like markets, business models, and technologies. Many of the case studies you will find that describe how culture is linked to performance will not be about any particular culture type, but about how an organization adapted itself to new challenges and used its culture to help it do so. Failure becomes more likely when a culture that seemed to work yesterday no longer "fits" its environment. In these situations the organization can find itself outmaneuvered by other, more responsive cultures. Cultures can also compete within the same organization, as my examples have shown, and this can lead to degrading capabilities as the enterprise has to compete with other organizations while also addressing internal conflicts that distract and sap resources.
The Cultural Migration of PayPal
A fascinating example of the power of organizational culture can be found in the so-called PayPal Mafia, a term that refers to the founders and early employees of digital payment pioneer PayPal. After eBay's acquisition of PayPal in 2002, many of those founders and employees left to go start other companies. These individuals, including billionaire entrepreneurs Reid Hoffman (LinkedIn), Elon Musk (Tesla and SpaceX), and Peter Thiel (Clarium Capital and Facebook), are often credited as starting a new Silicon Valley resurgence. The common threads of the story, beginning with reported clashes between the PayPal founders and their more corporate and conservative new owners, have to do with a set of brilliant and restless people literally sharing a vision of reshaping the world, not just facilitating online financial transactions.
Culture is not only powerful and malleable. It is portable and potentially contagious. Created by people organizing in complex, interdependent ways, culture can produce effects that ripple and transmit through an entire social network. In the case of the PayPal Mafia, normal startup visions were not even enough. More than building a company, they were (and still are in many cases) driven to change society altogether, from space travel to electric vehicles to finding a cure for death. And they had no intention of allowing the status quo, even one that made them fabulously wealthy, to get in the way of their vision for a new, more functional system. That's culture hacking.
The implications of the culture–performance link for information security are pretty clear. InfoSec usually exists as a separate subculture within an organization, maybe even removed from the rest of IT. And information security cultures tend to be strong, in opinion and motivation if not always in political power. If information security is not a good cultural fit within the organization, if it conflicts or competes with other cultural groups, then it is going to be very difficult to maximize the InfoSec program's effectiveness. Consequently, performance may degrade, or at least may not be as effective as it could be, and this leads directly to increased security risks.
Assessing and Measuring Culture
The idea of culture having a causal link to company performance makes the idea of measuring and analyzing organizational culture very important. You are not going to successfully change or manage something that you cannot define, observe, and assess; in other words, something you cannot measure. Researchers have responded by developing instruments and techniques for measuring culture and its impact on an organization's effectiveness.
Qualitative vs. Quantitative Measurement of Culture
As anyone who knows me or has heard me speak publicly can tell you, I have a problem with the information security field's use of the term qualitative. In InfoSec, referring to data as qualitative implies that the data should be considered subjective and less reliable, as opposed to quantitative data, which are seen to be more objective and trustworthy. This creates all sorts of challenges for security professionals who are trying to measure the results of their activities. Our industry's bias toward numbers limits the measures and approaches we can use. It also encourages us to engage in "statistical alchemy," which is the process by which we take things that are not quantitative and assign numbers to them in an attempt to make them appear more rigorous. What we end up with is not only an attempt to compare apples to oranges, but a formula by which apples are multiplied by oranges, then weighted using a system of bagels. In other words, nonsense dressed up as science.
I regularly see security teams get into trouble statistically, usually when they feel the need to create metrics that will impress senior management. Asking individual members of the security team whether risks and costs are high, medium, or low is a staple of information security risk assessments. The resulting red, yellow, and green heat maps can come across to some audiences as simplistic, because they usually are. But changing high, medium, and low to a range between 1 and 100 (or corresponding arbitrary financial figures) doesn't make a measurement quantitative. It just means that you are asking for an opinion expressed as a number rather than a word. You're still getting people's opinions about the truth rather than actually measuring what's true. But this nevertheless allows many security teams to claim that they have stopped collecting fuzzy "qualitative" data in their assessments in favor of those that are more quantitative.
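The "statistical alchemy" of the preceding paragraphs can be made concrete. The following is an added illustration, not code from the book: it takes a constructed set of High/Medium/Low opinions about a handful of hypothetical risks, applies two equally arbitrary numeric encodings to the same words, multiplies likelihood by impact the way a heat map does, and shows that the resulting ranking of the risks depends on which numbers were chosen. The only orderings the opinions actually support are the ones that hold under every encoding, namely where one risk is rated at least as high as another on both axes. The risk names, the ratings and both encodings are assumptions made up for the example.

```python
"""Ordinal risk ratings do not become quantitative by relabeling them as numbers.

Added example, not from the book. Two arbitrary numeric encodings of the same
High/Medium/Low opinions rank the same constructed risks differently, so the
resulting "scores" carry no information the words did not already have.
"""
from typing import Dict, List, Set, Tuple

# Constructed sample data (assumed, not real assessment results):
# analyst opinions per risk, as (likelihood, impact).
RISKS: Dict[str, Tuple[str, str]] = {
    "unpatched-vpn": ("high", "high"),
    "stale-admin-accounts": ("medium", "medium"),
    "phishing": ("high", "low"),
    "insider-data-export": ("low", "medium"),
}

ORDER = ["low", "medium", "high"]

# Two encodings a team might pick. Both preserve the order of the words, so
# neither is "wrong" on the data's own terms; the numbers are assumptions.
LINEAR: Dict[str, int] = {"low": 1, "medium": 2, "high": 3}
TAIL_HEAVY: Dict[str, int] = {"low": 1, "medium": 2, "high": 10}


def score(risks: Dict[str, Tuple[str, str]], encoding: Dict[str, int]) -> Dict[str, int]:
    """The usual heat-map arithmetic: risk = likelihood x impact."""
    return {name: encoding[lik] * encoding[imp] for name, (lik, imp) in risks.items()}


def ranking(risks: Dict[str, Tuple[str, str]], encoding: Dict[str, int]) -> List[str]:
    """Risks ordered from highest score to lowest; ties broken by name."""
    scores = score(risks, encoding)
    return sorted(scores, key=lambda name: (-scores[name], name))


def rank_disagreements(risks, enc_a, enc_b) -> Set[str]:
    """Risks whose position in the ranking depends on which encoding was chosen."""
    pos_a = {name: i for i, name in enumerate(ranking(risks, enc_a))}
    pos_b = {name: i for i, name in enumerate(ranking(risks, enc_b))}
    return {name for name in risks if pos_a[name] != pos_b[name]}


def dominates(a: Tuple[str, str], b: Tuple[str, str]) -> bool:
    """True when a is rated at least as high as b on both axes and higher on one.

    This is the only ordering the ordinal data support: it survives any
    order-preserving encoding, including both of the ones above.
    """
    la, ia = ORDER.index(a[0]), ORDER.index(a[1])
    lb, ib = ORDER.index(b[0]), ORDER.index(b[1])
    return la >= lb and ia >= ib and (la > lb or ia > ib)


def robust_orderings(risks: Dict[str, Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Pairs (higher, lower) that every encoding would agree on."""
    return sorted((a, b) for a in risks for b in risks if dominates(risks[a], risks[b]))


if __name__ == "__main__":
    for label, enc in (("linear", LINEAR), ("tail-heavy", TAIL_HEAVY)):
        print(f"{label:10s} ranking: {ranking(RISKS, enc)}")
    print("rank depends on encoding:", sorted(rank_disagreements(RISKS, LINEAR, TAIL_HEAVY)))
    print("orderings supported by the data alone:", robust_orderings(RISKS))
```

With these inputs the linear encoding puts "stale-admin-accounts" ahead of "phishing" and the tail-heavy encoding reverses them, while "unpatched-vpn" stays at the top under both because it dominates every other risk on the words alone. That second kind of statement is what the opinions can honestly support; the first is an artifact of the numbers someone chose.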
In the social sciences, including fields like anthropology and sociology, where culture can be of primary interest, qualitative data means something very different. Simply put, data are qualitative when you cannot easily count them. Good examples include a story told during a staff meeting, the transcript of a response to an open-ended interview question, a video recording of a sales meeting, or the photograph from your last team-building event. My example of the security team's opinions regarding risk is another example of qualitative data. Qualitative data are empirical, meaning you can observe them. They just don't immediately lend themselves to statistical analysis, assuming that's what you want to do. But is statistical analysis the only way we can obtain truth or knowledge? When your significant other, or your child, tells you they love you, do you insist on verifying that assertion through a two-tailed t-test or linear regression? Do our favorite movies and novels speak to us because we appreciate that they follow a verifiable Gaussian probability distribution? Clearly, numbers can't tell us everything that is worth knowing.
Qualitative Measures and Techniques
Culture is about beliefs and assumptions, about motivations and values that may not even be explicit within an organization or conscious on the part of its members. Culture tends to stay hidden below the surface, unless you deliberately seek it out. Yet you can't just go out and start counting culture. People's behaviors are more directly observable and lend themselves to more quantitative analysis, but knowing who did what and when and where they did it does not tell you how or why they behaved that way. These questions of how and why, which are more important when attempting cultural transformation, are the domain of qualitative research and analysis. Qualitative researchers use surveys, interviews, and other interactions between people to facilitate understanding of the topics they explore.
Lord Kelvin's "Meagre Understanding"
When I wrote my book IT Security Metrics a few years back, it was fashionable among some security metrics proponents to quote Lord Kelvin's adage on measuring something, "when you can measure... and express it in numbers, you know something about it; but when you cannot measure it, when you cannot express it in numbers, your knowledge is of a meagre and unsatisfactory kind." I would usually ask whoever threw out the quote to express the measurement reasoning behind it in the form of a number. I never got one. Instead, I got stories and anecdotes that demonstrated both the "meagre understanding" of Kelvin's claim as well as the incredible utility of qualitative data such as stories and anecdotes.
Different traditions of qualitative research methods have developed in various fields. Table 3-1 lists the major qualitative research approaches. Some of these are going to look a bit strange to an information security professional with an engineering background, although they might look less so to anyone who has studied psychology or business administration. In fact, all of these research approaches are used in industry in one form or another. The fact that information security has not made much use of them says more about the inadequacy of our own research methods and our bias against qualitative research than it does about the effectiveness of qualitative techniques.
Table 3-1 Major Qualitative Research Approaches
I've gone into some detail in Table 3-1 about these qualitative techniques because they are often the only way to measure and understand organizational culture. As such, they belong in the conceptual toolkit of every organization looking to improve and transform security culture and make it people-centric. You do not have to be a Ph.D. anthropologist to do basic qualitative research. You just have to recognize that sometimes you are not going to find the answers you are looking for in any way other than talking with people, listening to what they say, and looking for the meaning you seek in the stories they tell.
Culture by the Numbers
Although qualitative data and analysis play a big role in understanding culture, that does not mean that quantitative measurement is off the table. Quantitative and qualitative techniques are often both necessary to understand what is going on under the surface. Many researchers use qualitative techniques, such as interviews, participant observation, and the analysis of artifacts, to lead them to patterns and relationships that can be quantified. Let's again consider Clara and her development team. What if a researcher or a consultant came in and began interviewing all the developers, collecting stories about times they neglected or failed to complete their security reviews, and asking them to talk about why they made those decisions? As different reasons were given, the consultant might begin putting together patterns such as deadline pressures being a primary cause. These reasons might correlate to certain types of software development projects that had a tendency to run into other delays, maybe even in a statistically significant way that showed these projects were more likely to have security vulnerabilities in the code when shipped. Now we're talking real numbers and quantitative insight, but none of it would be available without the qualitative data contained in those interviews.
Kotter and Heskett did similar combining of qualitative and quantitative data when they measured the link between culture and performance. By collecting qualitative data from industry analysts about perceived corporate cultures and comparing those data to the hard numbers of company financial performance, they were able to draw conclusions about how and when culture affected the bottom line. Other researchers have attempted even more specific quantitative measures of culture, although the more statistical the measures get, the more they tend to focus with laser intensity on describing specific attributes of culture rather than exploring how to change it.
Challenges of Cultural Transformation
If nothing else is clear at this point, it should be apparent that understanding and managing corporate culture is hard work. We take culture for granted because we are immersed in it. We live it. And like other parts of our lives that we might want to change for the better, it's easier to say we are going to change our culture than to actually effect that change. Cultural transformation initiatives in many organizations are something like the New Year's resolutions we make each year. They are expressions of hope and optimism. And without commitment and hard work, many of them don't make it out of January alive.
Organizational culture experts prescribe many differing ways to transform culture, but, like their understanding of culture in general, there are several common themes that emerge from their advice. These include:
Culture can be changed in a variety of ways.
Culture is inclusive, so cultural change must be too.
Consensus building allows for the creation of new shared beliefs.
Cultural change cannot be taken for granted.
Leaders must set an appropriate example.
There's No One Right Way to Change Culture
If an algorithm for creating the perfect culture existed, every organization would be equally innovative and adaptable to shifts in its business, every member would function efficiently and effectively to achieve the organization's goals, and performance would be maximized across all industries. The fact that this utopia has not come to pass is proof enough that no one has discovered the secret, claims by consultants and management gurus notwithstanding. Researchers and theorists of organizational culture will tell you as much. The point is not to create some mythical perfect culture, but rather to shoot for the best culture your organization can have given its members, the environment in which it finds itself, and the goals and strategies it wants to achieve. This being said, successful cultural transformation will depend on a few key strategies, described in the following sections.
You Have to Include Everybody
Any cultural transformation is highly unlikely to succeed unless the process is deliberately inclusive. Since everyone in an organization helps to create and transmit the culture, everyone has to have a stake in changing it. This really means everyone, from the top of the organizational chart to the bottom. Inclusiveness also means direct involvement. Many frameworks for culture management are formed around representative teams made up of people from all over the organization, all of whom contribute to planning and formulating the changes and then go back to their own roles as champions and change agents to help ensure that the efforts are adopted into daily behaviors. The ultimate oxymoron in cultural transformation is the top-down "cultural change" strategy, where leadership expresses dissatisfaction with the existing culture, defines unilaterally what the new culture will be, and then demands everyone get with the new program.
You Have to Build Consensus
Getting everyone involved in cultural transformation is only the first step. Since an organization's culture is a reflection of the deep-seated beliefs and assumptions held by its members, you cannot simply dictate that everyone will now believe something different, or even what the new beliefs should be based upon. When was the last time you successfully argued that someone was wrong based on the fact that you really felt you were right? Most organizational change research emphasizes the need for some level of consensus building in identifying the current culture in place, as well as any changes that need to be made.
Information security is particularly vulnerable to a lack of cultural consensus. When talking with CISOs and other security stakeholders, I hear time and again that one of their greatest struggles is to make people outside of the InfoSec program care about security like members of the program do, to take it as seriously as everyone who is tasked with protecting company information assets. Without that consensus, security professionals must spend a lot of time explaining and justifying their work. Of course, it doesn't help when security teams can come across as not caring very much about the priorities and concerns of those stakeholders outside the security team. But in organizations where other business units and executives wield more political clout than the CISO or the security owner, the burden of consensus building falls on the security team, if for no other reason than they have to sell security transformation to stakeholders who may not even understand security, and certainly don't prioritize it over their own unique challenges and concerns. In the wake of the massive security breaches of recent years, it's getting less difficult to convince these stakeholders that security is important. But what is the best way to do security, and what is the best way to allocate resources that will have to come out of other people's budgets? Those remain hotly divisive issues that the security team is going to have to deconflict.
You Have to Evaluate the Outcomes
A common trap that organizational culture experts often warn of in the literature can be characterized as a "fire and forget" approach to transformational change. In other words, we make some attempt to change our culture, but then never follow up to see if what we did had any effect. One origin of this trap is the general belief that culture is difficult or impossible to measure, so you can't know whether efforts to change culture have been effective anyway. I have described a number of ways that organizations can and do measure their cultures, but not everyone is familiar or comfortable with these approaches. A more pernicious contributor to the trap could be described as general laziness. It is a lot easier to hire consultants to conduct a survey, to adopt the framework they recommend, to print up motivational posters encouraging everyone to adhere to the framework, and then to declare the cultural transformation initiative a success than it is to forge ahead and measure whether the culture has actually been transformed. Doing the investigative legwork to determine what, if any, effect all this activity had is time consuming, it's tedious, and it always carries the risk that maybe your slick internal awareness campaign really didn't convince anyone that they should start looking at the world differently.
But why should the organization care enough to devote the time and resources necessary to actually evaluate whether or not the culture changed? Here we must look back to the culture–performance link. Organizations don't worry about changing their culture just because they want to experiment with social theory. They do it because the research has shown that better culture equates with better business outcomes. Evaluation is then key for two crucial reasons. First, if performance improves only when the culture improves, you need to be sure the culture is actually improving. Second, you need to evaluate the link itself to understand how much moving the culture needle corresponds to moving the performance needle. Without this insight, there's no point in trying to change your culture at all.
You Have to Have Good Leadership
The last common thread I'll discuss is the universal importance that organizational culture research places on leadership. Leadership plays a central role in just about every study of organizational culture you will find. In some cases, culture and leadership almost become synonymous, given that few entities within an organization have the same opportunity to set cultural direction as those who set both the direction and the example.
Leadershipisadouble-edgedswordaswell.Businessbooksarelitteredwithcaseswhereanorganizationbringsinanewleaderinanefforttoimproveperformanceonlytowatchthemfailmiserablyeitherbecausetheycouldnotadapttotheexistingcultureorweresoarrogantthattheybelievedtheycouldjustchangeitbyforceofwill.OvermyowncareerI’vepersonallyexperiencedseveralpainfulperiodswhereIfoundmyselftransitioningthroughamanagementchangethatseemeddesignedtocauseasmuchdisruptiontotheexistingcultureaspossible.Intheworstcases,thetransitionfeltlesslikeareorganizationandmorelikeacoupd’état,wheretheexistingmanagementteamwasdemotedorevenfired,oftenfornootherreasonthantheyrepresentedtheoldwayofdoingthings.Inspiteofstudyafterstudyshowingthatpromotinginsiderstendstoproducebetterresultsthanrecruitingoutsiders,manycompaniesstilloperateunderanapparentassumptionthatradicalchangeofculture,quicklyaccomplished,istheonlywaytoimprove.Muchoftheorganizationalbehaviorresearchwouldseemtoindicatethatthisverysenseofinsecurityanddesperationisasymptomofaculturethatmayhavealreadybeguntodegrade.
An Ocean of Research
If organizational cultures are like icebergs, the study of them is like an ocean of research and insight that spans academia, industry, and government. This chapter has necessarily been little more than a glimpse into that ocean. My intent was not to provide a comprehensive survey of the field, as there are plenty of great books that do this better than I ever could (and you’ll find a list of just a few of these books in the “Further Reading” sections throughout the chapters). But to understand how information security culture works and how it can be transformed, it is necessary to at least understand that the broader and well-established fields of organizational culture and organizational behavior have already explored, debated, and maybe answered many of the questions that apply to information security culture. People-centric security is one of the more demanding developments in our industry today, not because it is so much more difficult to do than process or technology, but because it is equally difficult and we have so little experience doing it compared to the other two areas of focus. But we can take comfort in the knowledge that so much work has been done for us, blazing a trail that we can follow in order to apply these insights to the cultural challenges facing our own industry.
Further Reading
Cohen, D., and B. Crabtree. “Qualitative Research Guidelines Project.” July 2006. Available at www.qualres.org.
Kotter, John P., and James L. Heskett. Corporate Culture and Performance. New York: The Free Press, 1992.
Myers, Michael D. Qualitative Research in Business and Management. 2nd ed. Thousand Oaks, CA: SAGE, 2013.
Schein, Edgar. Organizational Culture and Leadership. San Francisco: Jossey-Bass, 2010.
CHAPTER 4
Cultural Threats and Risks
Having covered the ground of the previous three chapters, we’re left with a lot of circumstantial evidence regarding the relationship between information security and organizational culture. But where does the rubber hit the road? Where is the tangible, empirical interface between culture and security that allows us to imagine, observe, and design around the challenges and opportunities of our own security cultures?
Cultural Threat Modeling
In recent years the security industry has taken an interest in threat-centric security approaches, which attempt to address the actors responsible for security incidents instead of focusing on the weaknesses that such actors might exploit (vulnerability-centric approach) or the things they want to attack (asset-centric approach). To this end, methodologies for modeling security threats are in demand. The recent success of Adam Shostack’s Threat Modeling: Designing for Security, including being nominated as one of the best security books for 2014, demonstrates the popular interest within the security community. Threat Modeling is predominantly technology-centric, but Adam does go out of his way to explore human factors, a topic he also emphasized in his previous book, The New School of Information Security. Obviously interested in behavioral and social models and their applicability to the security industry, Adam catalogs and describes several theories, applying them at a high level to our field. And he explicitly recognizes and articulates the need for improved models to better describe how people “do” security, as well as the value of bringing in other research traditions such as sociology, anthropology, and psychology into our efforts. Threat Modeling never directly applies to people the STRIDE methodology that Adam helped to create, but the book serves as a tantalizing endorsement of more cultural threat modeling techniques to complement the technology- and actor-centric models the industry depends on today.
Today’s threat modeling techniques all more or less assume a bounded information system or asset that is somehow faced with attack or other compromise. This lends itself very well to a specific product or system, but the threat modeling breaks down if you try to apply it to something less circumscribed, like human behaviors or social systems. Unfortunately, those of us responsible for security don’t live in a world where the only concern is a technology system. In the complex web of real-world relationships, technology systems interact with, influence, and are shaped by other actors and events, including people, forces of nature, and other complex systems. The resulting emergent behaviors make the establishment of boundaries around any particular element of the system artificial at best, although assuming such arbitrary boundaries becomes somewhat obligatory for breaking down and analyzing challenges that would otherwise defy analysis. Applied to threat models, this just means we have to get comfortable with replacing hardware, software, and networks with more abstract boundaries like the person, the social group, and the organization, something social scientists are adept at doing.
Covert Processes and Cultural Risk
Modeling security threats involving an organization’s culture really is not that different from modeling security threats involving software or hardware. At the core is a basic exercise in exposing the non-obvious, making it observable and tangible in a way that can be properly analyzed in order to properly manage or mitigate the threat. The differences are less conceptual than operational. Not every software application will be modeled in the same way, and hardware and software threats can be very different from a threat modeling perspective. Modeling cultural threats is just a further variation on this theme. There will be different sources of threats, different ways of describing them, and different approaches to managing them.
Since traditional threat modeling is about making visible the hidden relationship between those responsible for security failures and the means by which security fails, we can attempt to replicate that approach for culture. As it turns out, there is research available in this area. Covert processes, a concept first developed by organizational development scholar Bob Marshak, are organizational forces and dynamics that are hidden but exert powerful effects on our communications and efforts to achieve goals. We experience covert processes as hidden agendas, unspoken rules, or organizational taboos. Many of the examples I’ve given so far in this book are evidence of covert processes functioning within an organization. They are also at the heart of cultural risk from a security perspective.
Covert processes, and the behaviors they create, are difficult to recognize and address because they typically are camouflaged by appeals to a much more overt process, rational logic. Returning to the iceberg metaphor of culture and behavior, supposedly logical and objective decision making is one of the more visible aspects of organizational activity. We make plans and build strategies for activity based on our analyses of what we believe needs to be accomplished for organizational success. This is, arguably, the primary job of managers and leaders in an enterprise. They debate requirements and desired outcomes, lay out the best rational path for getting there, and set the conditions by which the organization will execute on their strategy. Usually that process of reason (singular) generates lists of reasons (plural) why the strategy is the right thing to do, which are communicated throughout the organization in the form of vision statements, plans, policies, and other artifacts.
Organizational leaders, having undertaken logical and rational deliberation to develop the best strategy, tend to expect everyone else in the organization to buy into their plans. To not do so would be irrational; it literally would not make sense. And that which does not make logical sense has no place in the management of the organization. After all, how can you respond to someone who is being unreasonable? But rationality is only one organizational dynamic, just as reason coexists in individuals along with physical, emotional, and psychological factors that can and do overpower our reason all the time. By ignoring everything but logic, organizations often deny themselves the insight they would need to understand why a strategy failed.
Inspired by Adam Shostack’s work, and drawing from the literature on covert processes, I’ve developed a simplified threat model for security culture. Since we love acronyms and mnemonics in security, and the threat modeling literature has its fair share in methods such as STRIDE, DREAD, and OCTAVE, I decided to continue the tradition and searched for a good mnemonic. The acronym gods smiled on me. People are at the heart of cultural threats, both as actors and as targets. And political, emotional, psychological, and logistical threats are often core covert processes that create risks within an organization. Thus my cultural threat model, PEPL, was born.
Getting to Know PEPL
PEPL threats affect desired security outcomes rather than bounded systems. These security outcomes are desirable because of some rational, logical deliberation on the part of the organization that defined them as the way things should function. An outcome will almost always be a combination of people, process, and technology, and threats may exist to some or all of these elements. Good examples of outcomes would be bringing a software product to market that has no hidden security flaws, or an organization not getting hit with a massive data breach due to a compromised system. As in traditional security threat modeling, the threat relies on some vulnerability in the system, although I prefer to refer to these as “weaknesses” to avoid confusion with technical vulnerabilities. Table 4-1 describes and defines the specific PEPL threat along with the likely target of the threat and examples of specific cultural weaknesses and their effects on security outcomes. Of course, the ultimate effect is a security failure leading to an incident, often brought about by an inability to realize the desired outcome.
Table 4-1 PEPL Threat Model
Like other threat modeling frameworks, PEPL is primarily a brainstorming tool. It can generate a large set of potential problems for the security outcomes your organization hopes to achieve, much larger even than a traditional model focusing on a bounded system. While it is easy to apply PEPL to those same bounded systems (software applications, hardware systems, even a department or function), often the resulting threats will be functions of the organization as a whole. The culture that ends up defining the use of a people, process, or technology system is the culture of everyone who depends on it, whether or not they are immediate members of the information security teams.
Political Threats
Political threats happen when interests and agendas collide within an organization in a way that damages organizational effectiveness. Politics is everywhere in business, and political rivalries, alliances, and conflicts between individuals and groups are so common that we take them for granted even as we complain about their effects. What makes politics a covert process is not our lack of awareness that political behaviors exist, but rather our reluctance to admit just how much they play a role in our business decisions. Professional politicians, of course, have less problem admitting to overt political maneuvering, but employees and managers who behave this way can find themselves accused of manipulation or “playing politics” instead of putting the needs of the business first. Individual political ambitions and motivations are often seen as unprofessional and incompatible with good governance practices. Business stakeholders are supposed to plan and set strategy rationally, on the basis of objective evidence, not out of personal ambition or rivalries. The result is often a situation where the political dimensions of a planning or decision activity are not admitted to or are camouflaged within rationalizations that are more professionally acceptable. This drives political motivations into the background and people may be discouraged from addressing them openly. The result: people pretending to do something for business reasons when those reasons are actually personal and political can have a pernicious influence on organizational culture.
Turf Wars
Turf wars are a staple of organizational politics. They occur when actors within an organization (or sometimes between collaborative organizations) engage in competition over areas of bureaucratic control, resources, or advancement of goals and objectives (individual as well as organizational). This competition diverts energy and effort from other endeavors while creating tension and social friction between rival actors. Turf war combatants may deliberately withhold resources and information from one another, or may use their organizational authority to weaken or counter demands and requirements imposed by other groups. In highly pathological turf wars, organizations can fracture completely as actors and their representatives attempt to deliberately stymie or sabotage the efforts of internal competitors.
As a cultural threat, turf wars involving security can result in a breakdown of posture that introduces significant risk to the organization. Silos and organizational fiefdoms may develop outside the influence or reach of central security management. In some cases, central management may cease to exist or may be relegated to a small security team with no real authority to impose security related to people, process, or technology on any other part of the organization. Decentralized security is not necessarily a product of turf wars, as there are many reasons organizations may wish to federate or devolve security efforts. But in situations where security becomes a mechanism by which actors fight for turf, the organization’s overall protective posture can be impaired, sometimes severely.
A Battle for Control
The following example illustrates the perverse threat of a turf war.
A customer once contracted my company to conduct a penetration test on their network. Unfortunately, we did not realize that Security Operations, the internal sponsor of the test, was engaged in a turf war with Network Operations, which still owned security responsibility for the company’s network infrastructure. Security Operations hoped to use the pen test to show how poor security was on the network, then make a claim for authority over those resources (including the enormous budget for security technology that Network Ops controlled). But the Network Ops team was no slouch when it came to monitoring and protecting their domain. Three days after the start of the test, armed corporate security guards showed up at the conference room where the pen testers had set up shop, threatening to kick them all out of the building and notify the authorities. The whole engagement quickly turned into a fiasco. In the ensuing battle over who had the authority to do what, the results of the pen testing, including some serious vulnerabilities that had been discovered early on, were almost completely forgotten. The report itself, once it was finally delivered, was shelved for fear of further exacerbating a volatile political situation.
Vendor Bias
Vendor bias occurs when individuals or groups within the organization decide on particular products, technologies, or vendors based on political motives. I use the term “vendor” broadly here to denote any entity providing goods and services to an organization, commercially or otherwise (open source software providers, for instance, would be included as vendors even if they do not charge or are not even a formal commercial entity). Motives for vendor bias can range from a desire to protect incumbencies to backroom or even nepotistic arrangements and partnerships. A cultural threat emerges when preferences for, or arrangements with, certain vendors conflict with desired security outcomes and create conflicts of interest that introduce security risk.
When an organization swears by a particular vendor, or hates another to the point where the organization refuses to buy that vendor’s products (or use them freely, in the case of open source) no matter what, rational security decisions can end up held hostage by forces that may not be fully articulated or even understood within the organization. All sorts of weird behavior can emerge. An organization may end up having to devote resources and budget to workarounds to get its technology to match its security requirements. Or security teams may deny themselves the best solution because they have decided they dislike the provider on personal grounds. Risks are not limited to technology. Structurally incumbent vendors have less motivation toward efficiency and cost effectiveness. Internally, the organization may find itself behind the curve on skills and innovation by continually supporting vendors out of a sense of loyalty (or animosity to a competitor) rather than sound business analysis. There is nothing wrong with building long-standing relationships between businesses, but if a relationship develops its own political base within an organization, it can end up competing directly with security objectives and introducing uncertainty and risk.
Emotional Threats
Emotional threats challenge organizations because they are the opposite of the rational, logical decision making organizations tend to pride themselves on. In industry, emotions tend to be downplayed in favor of reason, and negative emotions like fear, jealousy, and regret are treated as less beneficial than positive ones like passion, contentment, and hope. Almost all organizations claim to have conquered, or at least controlled, emotionalism as a basis for action. Some may even have done so, as is commonly attributed to Warren Buffett’s Berkshire Hathaway, which has famously embraced a nonemotional investment style. But most organizations only pretend to be as coldly rational as they claim, giving in to and even relying on “emotional intelligence” throughout their operations. Emotions can become a cultural threat when they influence decisions but the organization denies their role, making them unavailable for analysis or improvement.
Fear, Uncertainty, and Doubt
I knew a CISO who once admitted freely, if sheepishly, that the driving requirements for his security team were to address “whatever most recently scared the crap out of me in the media…” Every time a new vulnerability or threat hit the news, or even a new solution that might represent a risk if the organization did not immediately deploy it, he panicked. Weekly staff meetings were often an exercise in the troops talking the general as far off the ledge as they could, then figuring out how to respond to the fears remaining that they could not manage to dispel. The CISO knew it was a bad way to run his InfoSec program, but as much as he tried not to let his emotions guide him, he constantly worried what might happen to his company and his career if one of his fears were to actualize and he had not taken it seriously enough.
In today’s digitally networked world, the number of things to be afraid of from an information security perspective approaches infinity. The past couple of years have seen cyberattacks on a massive scale against some of the largest and most well-known organizations on the planet. Emotions run high, and it is no wonder that the combination of fear, uncertainty, and doubt (FUD) has become a primary driver of security strategy. It is as though the emotional and the logical have merged. In security today, you can be labeled irrational for not being sufficiently terrified.
The problem with FUD as a basis for security strategy is that it makes crazy decisions seem perfectly justified in the heat of the moment. It is not a problem unique to security, and it can lead to responses that make less and less sense the further you get from the moment of panic. In Chapter 2 I wrote about the sense of defeatism that I think has become a dominant cultural trait in security today, and one I believe is a cultural threat that is rooted as much in FUD as it is in incidents we see happening. FUD allows us to highlight specific security events and incidents (I am deliberately not being specific here—search for “worst security incidents” in the last year if you are looking for reasons to panic) while ignoring everything that doesn’t go wrong in the digital economy every day. FUD allows us to hold up the cost of cyber breaches (estimates vary widely, but several reputable attempts put it in the hefty range of $300–600 billion each year) as evidence that we need an “all hands on deck” response from industry and government. That’s certainly a big number, but elevating cybersecurity tends to overlook or ignore the costs of other global challenges that also warrant action. A 2014 McKinsey report, Overcoming Obesity: An Initial Economic Analysis, estimates the combined costs of smoking and obesity at over $4 trillion annually (twice the estimated cost of global war, violence, and terrorism), and these problems likely affect more InfoSec professionals directly than security breaches do. A rational approach based on costs and limited resources to address global problems would seem to imply that information security may not be the highest priority. But rationality is not the only force at work here, and that’s the point.
Emotional Logic
Emotional logic may seem counterintuitive, but it is one of the reasons that FUD remains pervasive. It is the feeling, which we nurture and encourage, that we are making objective, rational decisions when we are really just doing what we want to do or think we need to do. Remember that covert processes happen behind the organizational facade of rationality. Since reason is prioritized in organizations, anything that is going to be accepted must be translated into the language of rationality. My CISO friend consoled himself over the fact that he was sending his team on weekly snipe hunts by couching his irrational fear in the very reasonable terms that he was being proactive. “What if we are vulnerable to this and we just don’t know it yet? We’re all going to be glad I made you take the time to check every single device in the infrastructure.”
Psychological Threats
Psychological threats are closely related to emotional threats, maybe even contributing to some of them. But these threats are different in that they are grounded in cognitive functions and processes of the people creating them. Researchers in the fields of psychology, human development, and behavioral economics spend careers trying to understand the hidden reasons behind people’s decisions. The explanations range from different types of intelligence between individuals to differing cognitive systems within each of us. The implications for security can be profound, particularly so when, like the previous examples, the covert process operates out of sight and out of mind, unavailable for analysis or even observation.
Statistical Alchemy
I see an example of emotional logic as a cultural security threat whenever I work with customers on their security metrics programs. In communicating security information, particularly information about threats and vulnerabilities, CISOs and security managers often have little more than the gut feelings of their staff to go on. No one really knows how likely or how severe an incident might be, unless of course that person has access to some level of historical data, which many organizations do not. Emotional logic can drive the process of statistical alchemy that I referenced in Chapter 3, where opinions are converted into numbers by the replacement of a mere description with a quantitative score or a scale. Statistical alchemy can magically transmute the lead of raw, emotional speculation into the much more valuable gold of scientific fact. It happens every time a security team changes a three-category ordinal risk description like high, medium, and low into an interval or ratio score that kicks out a number like “our risk score is 3.85” or “our security is 80% good.” It is usually nearly impossible to retrace how they got from a risk description of “low” to a number like “3.85” given the available empirical data. In fact, the number probably makes less sense even to the security team than a straightforward “low” ever did, adding uncertainty to the risk analysis instead of removing it, but boy, it looks so much better on a graph.
Cognitive Limitations
A cultural threat resulting from cognitive limitations happens when a particular security strategy or desired outcome does not account for differences in the way people process information, interact with technology, learn, or gain new professional skills. Cognitive limitations are not as simple as differences in intelligence. They can be generational, educational, geographical, or cultural (in the larger sense as well as pertaining to organizational culture). The common trait for security is that cognitive limitations all but ensure that a rigid “one size fits all” approach to security is unlikely to succeed.
With the Audience in Mind
Consider an educational example of cognitive limitations. One measure of educational achievement is reading level. In 2002 and 2003, the U.S. government published the National Assessment of Adult Literacy (NAAL), the largest and most comprehensive study of adult literacy in the United States ever conducted by the government. Among many findings, the study estimated that the average American reads at a seventh- or eighth-grade level, with less than a fifth of the population achieving “full literacy,” meaning a reading level equivalent to that of someone who has an undergraduate degree from a university. The estimate has since been used in guidelines for readability of everything from popular novels to machinery operating manuals to the labels and directions on pharmaceuticals. In information security, the creation and distribution of policies and guidelines are fundamental as a framework and basis for desired security outcomes.
Billions of dollars are spent collectively by organizations to write security policies, post them, and regularly require users to read them as evidence that they know what is expected of them when it comes to protecting corporate information assets. But how much effort is put into understanding how readable these policies are? I can tell you that the effort is not always enough, as evidenced by my readability analyses of numerous client security policies. In one case, a customer complained because they had a very expensive, very comprehensive policy creation and distribution process and yet they were still seeing continual violations of policy. “It’s like no one even reads the things,” the CISO said. A readability analysis showed a potentially different explanation. Using standard scales of readability, the company’s policies often required the equivalent of a graduate degree to read and fully comprehend them. So everyone may have been reading the security policies, but most people likely found them impossible to understand, much less comply with. Consider just one brief snippet:
Employees have an ethical, as well as a legal, obligation to adhere to the requirements articulated in this policy. Failure to comply with mandated security requirements results in significant enterprise risk and liability. It is incumbent upon employees to regularly review and familiarize themselves with the contents and requirements of this policy. Failure to do so can result in consequences up to and including immediate termination of employment status.
Security managers may not think it a problem that such policies are written in particular dialects of legalese and HR-speak, then disseminated through cut-and-paste templates implemented by organizations often more interested in checking a compliance box than helping people figure out what they are supposed to do. Such a policy may seem to make rational sense (you want one that functions something like a legal contract between employees and employer). But try making your security strategy actually work when the people most responsible for implementing it are also the least able to make sense of it.
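The readability check described above, as an added example in Python that is not from the book: it scores the quoted policy snippet with the Flesch-Kincaid grade formula and a simple vowel-group syllable heuristic, and compares it against the NAAL seventh- or eighth-grade reading level cited earlier. The plain-language rewrite it scores alongside the snippet is constructed here for contrast; it is not the customer's text.

```python
import re
from dataclasses import dataclass

# The policy snippet quoted in the chapter, reproduced here as the sample input.
POLICY_SNIPPET = (
    "Employees have an ethical, as well as a legal, obligation to adhere to "
    "the requirements articulated in this policy. Failure to comply with "
    "mandated security requirements results in significant enterprise risk "
    "and liability. It is incumbent upon employees to regularly review and "
    "familiarize themselves with the contents and requirements of this "
    "policy. Failure to do so can result in consequences up to and including "
    "immediate termination of employment status."
)

# A constructed plain-language rewrite of the same four sentences, written
# for this example only (it is not the customer's text or the book's).
PLAIN_REWRITE = (
    "You must follow the rules in this policy. Breaking them puts the "
    "company at risk. Read this policy often so you know what it asks of "
    "you. If you do not follow it, you may be fired."
)

# NAAL estimate cited in the chapter: the average adult reads at roughly a
# seventh- or eighth-grade level, so grade 8 is used as the target ceiling.
AVERAGE_ADULT_GRADE = 8.0

WORD_RE = re.compile(r"[A-Za-z]+(?:'[A-Za-z]+)?")
SENTENCE_END_RE = re.compile(r"[.!?]+")
VOWEL_GROUP_RE = re.compile(r"[aeiouy]+")


@dataclass
class Readability:
    sentences: int
    words: int
    syllables: int
    grade: float         # Flesch-Kincaid grade level
    reading_ease: float  # Flesch reading ease (0-100, higher is easier)


def count_syllables(word: str) -> int:
    """Heuristic syllable count: one per vowel group, minus one for a
    trailing silent 'e' (adhere -> 2, failure -> 2). Good enough for
    ranking passages against each other, not a dictionary lookup."""
    w = word.lower()
    count = len(VOWEL_GROUP_RE.findall(w))
    if w.endswith("e") and count > 1:
        count -= 1
    return max(count, 1)


def analyze(text: str) -> Readability:
    """Compute Flesch-Kincaid grade and Flesch reading ease for a passage."""
    words = WORD_RE.findall(text)
    sentences = len(SENTENCE_END_RE.findall(text)) or 1
    syllables = sum(count_syllables(w) for w in words)
    words_per_sentence = len(words) / sentences
    syllables_per_word = syllables / max(len(words), 1)
    grade = 0.39 * words_per_sentence + 11.8 * syllables_per_word - 15.59
    ease = 206.835 - 1.015 * words_per_sentence - 84.6 * syllables_per_word
    return Readability(sentences, len(words), syllables,
                       round(grade, 2), round(ease, 2))


def readable_by_average_adult(text: str,
                              max_grade: float = AVERAGE_ADULT_GRADE) -> bool:
    """True when the passage scores at or below the target grade level."""
    return analyze(text).grade <= max_grade


if __name__ == "__main__":
    for label, sample in (("policy snippet", POLICY_SNIPPET),
                          ("plain rewrite", PLAIN_REWRITE)):
        r = analyze(sample)
        print(f"{label}: {r.words} words, {r.sentences} sentences, "
              f"grade {r.grade}, ease {r.reading_ease}, "
              f"readable by average adult: {readable_by_average_adult(sample)}")
```

The snippet lands around grade 15 (college level) on this scale while the rewrite scores in the low primary grades, which is the kind of gap the readability analysis in the text was surfacing.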
Cognitive Differences
The field of behavioral economics is booming. Daniel Kahneman, Dan Ariely, and Daniel Gardner (I wonder what a behavioral economist might make of the fact that many of my favorite behavioral economy experts are named Daniel…) have all published books theorizing ways that our rational decision-making processes are often not rational at all. A general theme among their books is that human beings do not seem to process information or make decisions in the simple, linear way that we have traditionally accepted. Human decisions are a hodgepodge of cognitive activity, some deliberative and what we would recognize as rational, and others emerging from primitive intuitive pattern matching that seems to be hardwired into our evolutionary biology. The result is a set of differing cognitive functions that can grossly mislead us while providing an almost (or maybe an actual) physical sense of certainty and clarity about what we think we know.
In security, these cognitive differences manifest themselves as cultural threats most often when it comes to trying to figure out risk. People are absolutely terrible at assessing risk, or even deciding what they should really be afraid of. Doug Hubbard, the author of The Failure of Risk Management: Why It’s Broken and How to Fix It, has gone so far as to claim that the greatest single risk most organizations face is probably the way they do their risk management, a statement that might ring sadly true for some current and former CISOs I’m aware of, not to mention a few financial institutions and a nuclear facility or two.
Logistical Threats
Logistical threats can develop whenever a security strategy is incapable of being realized due to incompatibilities with existing organizational infrastructure. Implementing a strong password policy companywide when some systems are incapable of handling complex passwords is one example. Mandating the use of certain technologies that are incompatible with legacy systems is another example. Like the other cultural threats I’ve described, it is when logistical issues function as a covert process affecting a perceived rational strategy that they become risky and dangerous.
Incompatible Systems
Both of the preceding examples have to do with security imposing requirements that conflict or are not compatible with existing systems. In the audit and compliance world, such situations are encountered regularly, and have produced the concept of compensating controls as a safeguard against risks that have been assessed and accepted as necessary but require additional effort to manage. In other organizations, the problem is handled by exception processes that allow people with (more or less) good reasons to opt out of certain security requirements. Whatever the case, the result is that a new system or systems must be created in order to align security strategy with security fact.
Exceptions as the Rule
I have observed organizations where over half of the systems in operation ran nonstandard configurations, ostensibly violations of the corporate equipment standards for security, but which had been granted security exceptions. One wonders how rational an organization’s security strategy can be when following it properly in the deployment of technology systems actually makes you the exception. This paradox can often get lost in the fog of security, though, when the logic of what should be done according to some compliance regime or the dreaded “industry best practice” overwhelms the reality of what is actually possible within the environment.
Incompatible Outcomes
Security incompatibilities do not just occur with technology, as my previous case study of Clara, the developer in Chapter 2, demonstrated. Outcomes themselves can be at odds with one another on very basic levels. BYOD and the cloud are both current cases where business strategy can collide directly with security strategy. When the differences in strategy are managed properly, threats can be avoided. When the competing outcomes (market agility vs. security control, for example) are not properly managed, especially when logistical challenges become imbued with political, emotional, and psychological dimensions themselves, they can grow into a serious threat to security and to the organization’s business.
Treating security as a strategic outcome independent of other organizational goals can create a false choice, a zero-sum game where every concession to the business is seen as a loss for security and every capitulation to security’s demands is viewed as a blow to business efficiency. This is not rational, no matter what justifications and business cases are made on either side. The complexity of today’s organizations and enterprises means that nothing can ever be completely secured nor ever made totally efficient. All that matters is achieving a productive balance between the various forces, including cultural forces, at work within an organization as it tries to meet its goals. This includes balancing security risk with business risk, not only the risk of having too little security, but also the business risks that can come with overly restrictive security infrastructures that hamper a company’s agility and innovation.
Cultural Competition as a Source of Risk
The exercise in cultural threat modeling outlined in this chapter is never going to be as straightforward as threat modeling bounded technology systems. The latter are complicated systems, sometimes staggeringly so, but a complicated system has a finite set of states and possible outcomes. Theoretically, you can know them all in advance, including all the possible threats associated with the system. A complex system, however, produces emergent behaviors that cannot be known in advance but develop out of use and interaction with other system entities. The possibilities approach infinity. When a complicated smartphone or a network switch or a software program is put into someone’s hands and then incorporated into a system of other technologies and, most importantly, people, it becomes a component in a complex system. It is no longer possible to predict all the ways the component will be put to use, including all the threats associated with it.
Cultural threat models show not only the risks that exist between threats in a traditional sense (an actor or natural phenomenon creating a negative outcome based on weakness in the system), but also the risks associated with legitimate interaction and competition among system components, particularly human stakeholders. A balance of forces exists within these systems, and risk to one actor or entity may equate to opportunity for another, creating scenarios where failure is both undesirable and also a natural outcome of success elsewhere. If failures or successes begin to dominate disproportionately, the whole system can begin to fall out of balance and may experience a more general systemic failure or collapse.
The lesson of cultural threat modeling specifically, and people-centric security more generally, is not about trying to enumerate every possible threat from or to the culture. This is impossible. Instead, these threat models are about trying to get a handle on the competing forces that are currently operating in any complex organizational system, to observe their origins and effects, and to attempt to bring them back into balance when they shift dangerously to one side or another. It is much harder to do when some or most of the threat entities are operating as covert processes that we cannot or choose not to observe. Risk is created by these interactions when people say they are doing one thing for a certain reason, based on logic and rational analysis, but are actually doing it for different reasons that may have nothing to do with objectivity, or are really doing another thing entirely without admitting it.
Sizing Up the Competition
People-centric risk management is not about trying to predict human behavior, at least not exactly. Instead, it is about shining an analytical light on organizational and cultural relationships to find out where covert processes, hidden behavior, and competition exist and may need to be managed and balanced. The sources of competition in organizational security programs, the pressure points where covert processes produce cultural threats, include an organization’s stakeholders, priorities, and values.
CompetingSecurityStakeholdersStakeholdersareindividualpeopleandorganizedgroups.ACISOisastakeholder,asisaregulatorybodythatdefinesITcomplianceandauditrequirementsforanindustry.Informationsecuritystakeholdersdonothavetobedirectlyconnectedtosecurityoperations.Usersarestakeholdersinthattheydependontheconfidentiality,integrity,andavailabilityofITassetstodotheir
jobs.Customersarestakeholdersformuchthesamereason.Stakeholdersdonotneedtoconsciouslycareaboutinformationsecurity;theyneedonlyhaveanexplicitorimplicitinterest(astake)intheresultsofsecurityactivities.InInfoSec,thisincludesjustaboutanyonewhodependsoninformationtechnology.
Justbecausestakeholdershaveaninterestinsecuritydoesnotmeantheyareequallysupportiveofsecurityeffortsorhavethesamegoals.Stakeholderscancompeteagainstoneanother,evenwhenbotharededicatedtosecuringinformationsystemsandassets.Anauditor’sgoalsarenotnecessarilythesameasasecuritymanager’s.Theauditorwantstoexploreandperhapsexposeasmanysecurityproblemsaspossible,inordertoforcechangeandreduceriskinaccordancewithsomeregulatoryorotherrequirement,irrespectiveoftheresourcesrequired.Asecuritymanagerwantstosuccessfullycompleteanauditwithaminimalleveloftimeandeffort.Boththeauditorandthesecuritymanagerwantgoodsecurity,buttheirideasofwhatthatmeanscancompetefiercelywhenitcomestothebottomline.
Whenstakeholdersexistoutsideofsecurityaltogether,competitioncanbecomeevenmoreintense.Membersofanorganizationhavemanythingstheycareabout,andsomeofthosethingsaremorevisibleormoreimportantthanothers.Theymaywantagility,productivity,andinnovationmorethananythingelse.Securityteammembersmaywantthingstobeprotectedandpredictable.Theseprioritiescompete.ACISOisthemostprominentsecuritystakeholderinanorganization,butasanexecutive,thatCISOalsohasastakeinthecontinuedgrowthandsuccessofthecompany.Ifenterprisesecurityistoorestrictive,ifitinhibitscompetitivenessormarketperformancetoomuch,thenthewholecompanymaysuffer,andtheCISOwillhavefailedjustasbadlyasifadamagingsecurityincidenthadcausedtheproblem.
Organizationstodayarecollectiveentities,butbureaucracyandprofessionalspecializationhavecreatedfragmentationaroundjobrolesandfunctions.Peopletendtobetrainedforaveryspecificsetofcapabilitiesthatwilldefinetheircareersforyearsorevendecades.Wetalkaboutsecurityprofessionals,HRprofessionals,andprojectmanagementprofessionals,eachwiththeirownbodyofknowledge,certificationrequirements,andworkingculture.Thisspecializationtendstoresultinpeopleprioritizingtheinterestsandassumptionsoftheirnarrowfieldabovethedesiresandexpectationsofothers.Suchspecializationisrequiredtotacklecomplexproblemsintoday’sbusinessenvironments,butitcontributestothecreationoffiefdomsandsilosthatinhibitorganizationalvisibilityandcoordination.
Competing Security Priorities
I have already devoted several pages to the ways in which security priorities can compete with non-security priorities. But it is important to call out that conflicts exist within security as well. Part of the reason is that information security has become a large discipline, with branches and subfields, in its own right. Security awareness managers and firewall administrators both operate within the larger field of InfoSec, but they are probably very different types of people. And they may not always agree on what the most important considerations for security should be. Education, experience, and interactions with technology and other people will inform their worldview in possibly very different ways.
Security professionals also have to deal with priorities that may be unwelcome to purists who wish to focus exclusively on the fundamentals of protecting information assets and enforcing security policies. Budgets and resources are as much security principles as confidentiality, integrity, and availability. Few organizations have unlimited supplies, so things that should be done are balanced against things that must be done, with the struggle being how to decide where that line is drawn. Risks and threats can often be primarily a product of how effectively a security team allocates its limited capacities, which may explain why some organizations succeed while peers that appear very similar fail hard. What is often characterized as bad luck or bad timing can often be attributed to poor handling of competing priorities.
Competing Security Values
Priorities are about choosing what is important among multiple possibilities. Values are about why we think something is important in the first place. Our security values drive our security priorities, but often for reasons that we are less consciously aware of. If our security priorities are the more or less rational rank stacking of our decisions, our security values more closely reflect the assumptions and biases at the heart of our security culture. When security values contradict one another, the effects echo across the decisions and outcomes of the whole organization.
I've worked with security teams that shared administrator passwords, with organizations that refused to allow penetration testing on certain key systems, and in places where authentication latency required 10 to 15 minutes between login and access to a business-critical system. In every case the security stakeholders responsible for the systems had balanced one value they felt was important (nonrepudiation, visibility into vulnerabilities, and productivity, respectively, in these cases) with a competing security value. Each balancing act introduced one or more risks into the environment. But none of these cases were seen as irrational or unacceptable when the organization in question described it. They might have wanted to change things, or maybe wished they could be different. But each had to deal with the fact that theirs was an imperfect world, and trade-offs were required. "Hey, it is what it is," one security manager told me, holding up his hands, when I gently pointed out one of these conflicts.
When particular security values become accepted and embedded, they can create a cultural pattern. A sort of path of least resistance develops where some ideas and proposals are more easily accepted and face less scrutiny than others because they resonate with the pattern. Patterns can develop into cultural archetypes (or stereotypes, if you prefer), like a collective personality that anticipates (but doesn't predict—these are people after all) likely outcomes. A heavily regulated organization with regular visits from auditors is likely to adopt a compliance mindset, thinking like the auditors it answers to, until most decisions are filtered through the lens of "how will this affect the audit?" An open environment that relies on the free flow of information and access to achieve success may become a security skeptic, interrogating a CISO about every proposed initiative and whether or not the control will impede people's ability to do their work.
The effect of competing cultural values has been studied outside of security, with the research into covert processes I've cited being just one example. Researchers have used the concept of competitive cultural forces as a way of measuring, managing, and transforming organizational culture, guided by the logic that if we can understand why we behave in a certain way, we stand a better chance of changing that behavior. Such theories and methods currently are utilized in management science and business consulting circles, and I am unaware of any major attempts to apply them to information security. In the next sections of the book, I will attempt to do just that.
Further Reading
Ariely, Dan. Predictably Irrational: The Hidden Forces that Shape Our Decisions. New York: HarperCollins, 2008.
Gardner, Daniel. The Science of Fear: Why We Fear the Things We Shouldn't—and Put Ourselves in Greater Danger. New York: Dutton, 2008.
Hubbard, Douglas W. The Failure of Risk Management: Why It's Broken and How to Fix It. Hoboken, NJ: Wiley, 2009.
Kahneman, Daniel. Thinking, Fast and Slow. New York: Farrar, Straus and Giroux, 2011.
Marshak, Robert. Covert Processes at Work: Managing the Five Hidden Dimensions of Organizational Change. San Francisco: Berrett-Koehler, 2006.
National Center for Education Statistics. "National Assessment of Adult Literacy." Available at http://nces.ed.gov/.
Shostack, Adam. Threat Modeling: Designing for Security. Hoboken, NJ: Wiley, 2014.
PART II
Measuring Your Security Culture
CHAPTER 5
The Competing Security Cultures Framework
Every organization that is concerned about protecting its information assets and systems—basically all organizations in today's networked and digital society—has an information security culture. The security culture is a facet of the overall organizational culture. Most organizations, in fact, have multiple information security cultures, reflections of local values and priorities, and not everyone inside the organization is going to share the same beliefs and assumptions about how security should and does work. What the information security team values and thinks is most important for protecting the organization will probably be different, at least in degree, from what HR (or Internal Audit, or Facilities, etc.) values and thinks is most important. In benign cases, these cultural characteristics coexist peacefully, never having cause to interfere with one another. But more often, they eventually compete. That competition may occur over resources, over money, or over simple political infighting. But the security culture that dominates, including the values and priorities that drive decisions and spending, will have profound implications for the organization's performance in regard to information security.
To ensure that organizations develop the most beneficial security culture, the most successful balance of differing priorities and motivations, we have to understand culture better. Organizations must develop techniques for translating general insights about culture into actionable intelligence. Fortunately, there are lots of theories, frameworks, and methods for accomplishing this goal, fueled by decades of research and practice in the fields of organizational performance and development. I propose my own methodology, the Competing Security Cultures Framework (CSCF), further in this chapter. But the CSCF did not develop spontaneously. I created it by adapting and extending earlier research, and it is worth spending a little time to understand those roots.
Measuring Security Culture
In Chapter 3, I described techniques for measuring culture at a high level. Particularly, I focused on qualitative data and analysis, which are commonly used in the study of culture, and differ from quantitative data and analysis methods. It is important to visit these differences directly, particularly since the information security and IT security fields often misuse the terms and concepts of measurement or suffer from a distorted understanding of what they represent. Measurement is about comparison more than about counting, and different tools are necessary for different phenomena.
The tools I have developed to measure security culture and to encourage the adoption of transformational security behaviors are primarily survey-based, with the possibility of using interviews and more interactive methods to expand on collected security culture data. These tools are used as both qualitative and quantitative approaches to measurement. Some require manual work, while others can be automated, depending on the goals and resource constraints an organization has. We will explore them in great detail in later chapters, but for now it is enough to familiarize yourself with their origins and some of the characteristics of the data they utilize.
Quantitative Data and Analysis
Quantitative data are, put simply, those that lend themselves to counting. The result of a coin toss or the result of a dice roll are simple examples. Your height and weight are two more examples. Quantitative data can be ranked in a particular order, assigned to specific categories, or expressed in standardized units. While many people associate quantitative data with math and numbers, quantitative data can be more or less mathematical depending on whether they are nominal, ordinal, interval, or ratio data. The data type in question also determines the types and sophistication of statistical analysis that can be performed. To explore these four quantitative data types further, suppose you work in a data center. Wandering around your data center, you'll see plenty of examples of all four data types, as described in the following sections.
Nominal Data
Wandering around the racks of equipment in the data center, you notice different computers from different vendors. You see switches, servers, and workstations, for instance. And you may notice products from Cisco, Dell, or HP. These are examples of nominal data, which means they are strictly categorical. All the devices you observe are computers, but you can differentiate between types. You also may notice that each rack has a number. These are also nominal data, as each number represents a category label, not a mathematical value. You can count the number of Cisco switches you have, but you can't do anything statistical with the categories themselves. You can't add Cisco and Dell or find the average between rack number 6 and rack number 14. Nominal data only serve to identify something as different from something else, to name it, which is where the term nominal comes from.
Confusingly, nominal data are sometimes called qualitative data, which I suspect is where the security industry's use of the term originated given our regular use of categorical data. Nominal data are no less empirical or scientific than other quantitative data types. But they literally don't add up. Statistical analysis of nominal data only occurs when you compare data within the categories. You might find that 90 percent of your servers come from one vendor, for example, which can tell you something. Or you might find that machines in rack number 3 fail twice as often, which might be coincidence or might imply an issue with the enclosure itself.
Ordinal Data
Suppose the data center team is installing some new equipment on the day you are making your observations. They are deploying and configuring three servers, and they got started first thing in the morning as you arrived. The first server is completed later that morning, the second early in the afternoon, and the third doesn't get done until late that night. The order in which the servers were finished is an example of ordinal data, which provide position and ranking but not much more. You know that the first server was set up faster than the third server, but not how much faster, at least not without gathering a different kind of data. But even the limited information about position allows you to perform more statistical analysis "out of the box" than with nominal data. You can use ordinal data to determine something about central tendency (defined in the proximate sidebar), an important aspect of quantitative analysis. The most common measure of central tendency is the average, or mean. But we can't use the mean for ordinal data, where we only have rank order (completed first, second, and last). The difference in time between completion of the first and second servers is not the same as the duration between completion of the second and third servers, so an average is impossible with just the positions.
We can, however, apply the median to ordinal data. The median is simply the middle-ranked ordinal value, the one with as many values above it as below it. In our case, the median value would be 2, representing the server that was completed between the first one and last one. We could also use the mode, meaning the value that appears most frequently in the data, although it doesn't apply as well to our server example. A clearer example would be a race where there is a three-way tie for second place, but no other ties. In this case, the mode would be 2, since more people finished second than any other ranking.
Statistical Terms
Statistics has its own language. Some terms are familiar from our everyday lives, but others are a bit more challenging. Readers who haven't taken a statistics class in a while may benefit from a quick refresher of the following terms used in this chapter:
Central tendency: The degree to which a set of values or measurements groups or clusters around some central value in a distribution. The most well-known example of central tendency is the Gaussian distribution, or normal curve, in which values cluster uniformly around the centermost values.
Mean: The "average" of a set of values, computed by totaling all values and then dividing that total by the number of values present.
Median: The middle value in a set of values, where the number of values is equally distributed below and above the median value. If you have an odd number of values, the median is the one in the middle; for example, the value 2 in the sequence 1…2…3 is the median. If you have an even number of values, the median is the mean of the two middle values; for example, 2.5 in the sequence 1…2…3…4.
Mode: The most frequent value in a set of values, the one that occurs most often. A set of values can have multiple modes, in the case of an equal number of repetitions, or none, if no value occurs more frequently than another.
Interval Data
Looking around the data center, you notice a digital thermometer on the wall telling you that the temperature inside is 80 degrees Fahrenheit. Now you're collecting interval data, which allows you to consider how much values differ from one another. You remember reading the outside temperature when you got out of your car that cool fall morning and noticing it was 40°F. Interval data allows you to say more than just "hotter" or "colder" in an ordinal ranking. You can now state that the difference in temperature between the inside of the data center and the outside world is 40°F. What you cannot do, though, is to state that it is twice as warm inside as it is outside. Ratios like this don't work with interval data, because it lacks any meaningful zero value. Zero on temperature scales like Fahrenheit and Celsius is subjective. 80°F is not twice as hot as 40°F because you can have negative temperatures. You could only make such statements about temperature if you were using the Kelvin scale, which does have an absolute zero value. But most data centers don't sport Kelvin thermometers.
Despite not being able to bring a full range of statistical techniques to interval data, you can still do quite a lot. The mean, median, and mode all work for interval data. You can also begin using some more sophisticated statistical techniques, including the standard deviation, in your analysis. This is why your HVAC system in the data center tracks things like how far temperature fluctuations differ from the norm and alerts someone if things get too far away from normal. And you can make claims about the differences between interval values that you cannot make about the values themselves. If tomorrow is a warmer day and the temperature outside hits 60°F, you can state that the temperature difference on the cold day was twice the temperature difference on the warmer one (40°F difference vs. 20°F difference).
Ratio Data
Ratio data is the whole enchilada, so to speak. It possesses a true, nonarbitrary zero value, a continuous scale, and standard units. You can bring the full brunt of statistical analysis to bear on ratio data, and these data are what we are probably thinking about when we think about scientific data. For the data center, everything from operating costs to uptime to network traffic throughput are represented by ratio data. Ratio data are things you can count out and compare in an apples to apples way to say that A is X times bigger or Y times shorter or Z times more expensive than B or C.
One thing that may jump out at you as you're reading these descriptions is that security teams deal with a lot of different types of quantitative data, much of which is probably not ratio data. Nonetheless, given that ratio data allows more statistical analysis, some people may be tempted to "manufacture" ratio data out of other types. This desire can lead even well-meaning security professionals to fall into the trap of (thanks again, Adam Shostack) "jet engine × peanut butter = shiny!" The Shostack equation is a basic expression in statistical alchemy. Using it, you can transform nominal or ordinal data (high, medium, low) into interval and ratio data (scores like 3.85 or 80) that can then be sliced and diced statistically to derive all sorts of imaginary inferences. The problem isn't the method, it's the data. Too many security programs these days confuse "quantitative" with "empirical," and the value their metrics bring to the table is diminished as a result.
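The four data types, the sidebar's definitions of mean, median, and mode, and the "statistical alchemy" caution above can be made concrete in a few dozen lines. The following is an added example written for this page, not code from the book: it lets the measurement scale, rather than the arithmetic, decide which summary statistics are reported, it handles the sidebar's multiple-mode and no-mode cases, and it shows why an ordinal severity rating mapped to 1/2/3 still only supports a median and a mode. The vendor labels, finish ranks, temperatures, uptime hours, and severity ratings are constructed data-center observations.

```python
"""Central tendency by measurement scale.

Added example: the data-center readings below are constructed to show
nominal, ordinal, interval and ratio data and which summary statistics
each scale legitimately supports.
"""
from collections import Counter
from statistics import mean, median, pstdev

# Statistics that are meaningful at each scale. The permitted set grows
# as we move from nominal toward ratio data.
ALLOWED = {
    "nominal":  {"mode"},
    "ordinal":  {"mode", "median"},
    "interval": {"mode", "median", "mean", "stdev", "difference"},
    "ratio":    {"mode", "median", "mean", "stdev", "difference", "ratio"},
}


def modes(values):
    """All values tied for most frequent; an empty list when every value
    occurs equally often (the sidebar's 'no mode' case)."""
    counts = Counter(values)
    if not counts or len(set(counts.values())) == 1:
        return []
    top = max(counts.values())
    return sorted(v for v, c in counts.items() if c == top)


def summarize(values, scale):
    """Return only the statistics that are valid for `scale`.

    Ordinal values are given as ranks (1 = first); nominal values are labels.
    Anything the scale does not permit is left out rather than computed.
    """
    allowed = ALLOWED[scale]
    out = {"scale": scale, "n": len(values)}
    if "mode" in allowed:
        out["mode"] = modes(values)
    if "median" in allowed:
        out["median"] = median(values)   # mean of the two middle values when n is even
    if "mean" in allowed:
        out["mean"] = mean(values)
    if "stdev" in allowed:
        out["stdev"] = pstdev(values)
    return out


def compare(a, b, scale):
    """Compare two readings using only the operations the scale supports.

    Interval data (degrees F) supports differences but not ratios because its
    zero is arbitrary; ratio data (uptime hours, dollars) supports both.
    """
    allowed = ALLOWED[scale]
    result = {}
    if "difference" in allowed:
        result["difference"] = a - b
    if "ratio" in allowed and b != 0:
        result["ratio"] = a / b
    return result


# Constructed mapping for risk ratings, which are ordinal labels.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}


def severity_summary(labels):
    """Mapping high/medium/low to 3/2/1 and then averaging is the 'jet engine
    x peanut butter' move: the numbers look like ratio data, but the distance
    between low and medium was never measured. Report only what the ordinal
    scale supports."""
    ranks = [SEVERITY_RANK[label] for label in labels]
    return summarize(ranks, "ordinal")


# Constructed data-center observations.
VENDORS = ["Cisco", "Dell", "HP", "Cisco", "Cisco", "Dell"]   # nominal
FINISH_RANKS = [1, 2, 2, 2, 3]                                 # ordinal: three-way tie for second
TEMPS_F = [80, 72, 68, 75]                                     # interval
UPTIME_HOURS = [720, 360, 700, 710]                            # ratio

if __name__ == "__main__":
    print(summarize(VENDORS, "nominal"))       # mode only
    print(summarize(FINISH_RANKS, "ordinal"))  # mode and median, no mean
    print(summarize(TEMPS_F, "interval"))
    print(summarize(UPTIME_HOURS, "ratio"))
    print(compare(80, 40, "interval"))         # difference only
    print(compare(720, 360, "ratio"))          # difference and ratio
    print(severity_summary(["high", "low", "medium", "high", "low"]))
```

The point of routing everything through `ALLOWED` is that a metrics pipeline can carry the scale alongside the values, so a dashboard that wants to average "high/medium/low" findings is refused at the data layer rather than by convention.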
Qualitative Data and Analysis
Empirical data means that you can observe whatever it is you are measuring. Qualitative data, as you will recall, is most simply described as things that are difficult to count directly. But they can still be observed, so qualitative data may be every bit as empirical as quantitative data. Let's get back to our data center for more examples. Taking a break from your TPS reports, you notice your colleagues John and Rachel debating the quality of the marketing campaign for a new line of high-performance servers the company is considering purchasing. Rachel hates the marketing campaign, but John likes it. Rachel has a brochure on her desk from the vendor meeting they attended earlier that day.
"It looks like a kid's cartoon," she laughs. "How am I supposed to take it seriously?"
"Nah, it's kind of hip," John counters. "The vendor did a good job of not making it look like every other corporate IT advertisement. What do you think, Ken?"
Ken's sitting two cubes over, engrossed in a security awareness video that's part of the company's HR compliance program. He grunts noncommittally, without looking up.
Every one of these artifacts is an example of qualitative data. John and Rachel's conversation, the vendor brochure, Ken's security awareness video, all of them represent observable things that can be analyzed but don't lend themselves immediately to counting. You can count things about them, certainly, like the number of words spoken in John and Rachel's verbal argument or the number of pixels in the training video, but what do those numbers tell you? We are more likely to find meaningful analysis in John's comment that the brochure is trying to differentiate the vendor from its competitors, but that's a lot more difficult to directly quantify.
Qualitative Approaches Revisited
Chapter 3 listed several approaches to qualitative measures, including historical and biographical methods, ethnography, grounded theory, and action research. These are all means by which researchers can collect and analyze qualitative data. Any of the qualitative data we noticed in our data center example are possible targets of collection. You might make a transcript of John and Rachel's conversation or ask for copies of the brochure and awareness video. Observing such things actually makes you a data collection instrument yourself. Spend a year in the data center, and you might write a book about your experiences there, as some researchers have done.
The frameworks and measurement tools I present in this book draw from the experiences of qualitative researchers, but they do not depend upon or require you to be a historian, ethnographer, or social scientist. I point out the examples of qualitative data because you may come across them and want to use them in transforming your security culture. We spend a lot of time in the security field wondering about questions of who, what, where, and when. Quantitative data can help us decipher these mysteries. But we also spend a lot of time trying to figure out how and why. Often the answers to these questions are only found by observing qualitative data and interpreting the results.
Artifacts as Data
The great thing about using qualitative data to answer questions is that it allows you to greatly expand what you consider to be "data" in the first place. We don't bat an eyelash when an auditor requests copies of all of our security policies to review, but we don't usually think of those security policies as scientific data either. They totally are, or at least can be if subjected to the right analyses. The example of the readability of security policies I used in Chapter 4 is a good example. Policy documents are artifacts produced by a security program. They are also data that can reveal things about that program. When examining an organization's security culture, a huge variety of artifacts can be considered, not just the security policies of the organization. Security awareness materials, the minutes of staff meetings, source code and configuration files, even video from the CISO's offsite leadership training program can become empirical data produced by the organization, data just waiting to give up insights to the right kind of analysis.
Combining the Qualitative and Quantitative
The techniques for measuring security culture in this book will rely on two key methods of collecting data: the survey and the interview. These tools are widely used throughout industry, as anyone knows who has taken an opinion poll, worked on a marketing survey, or been part of a job interview or a focus group. What makes these tools interesting is that they allow us to observe by proxy things that are intrinsically not observable, the things that go on inside people's heads. Thoughts, opinions, and values are all real things, but observing them is hard and subject to interpretation. One of the oldest and best ways to find out what a person thinks about a topic is to ask them directly, and that is exactly what a survey instrument or an interview template does. These tools don't guarantee valid results, meaning that you may not be observing what you think you are observing. People lie, they get confused, and they contradict themselves. But unless you are psychic, there aren't many other ways to observe someone's thoughts.
It should be noted, briefly, that the advertising and marketing industries are experimenting with ever more sophisticated ways of discovering what people are thinking (or what they are doing, even when they are doing it unconsciously). Sentiment analysis, online advertising experiments, and human factors research are all contributing to making sense of human behavior. In some cases these techniques are much more precise than surveys and interviews, frighteningly so sometimes. But they remain an interpretive effort by which researchers use proxies to measure what cannot be directly counted (online ad click-throughs vs. a person's actual product preferences).
The fact that qualitative data cannot be counted in raw form does nothing to stop people from applying quantitative approaches to it. In fact, a lot of research is a combination of qualitative and quantitative approaches, sometimes referred to as mixed methods research. By identifying and coding specific attributes of qualitative data, it becomes possible to actually count things, to identify patterns, and to compare differences. John and Rachel's argument about the vendor marketing campaign? Well, imagine we have a written transcript of everything they said and we start looking for repetitive patterns in the text. Suppose we discover that every third or fourth sentence spoken by Rachel contains an explicit comparison between the marketing brochure and a children's cartoon. We might then code each of Rachel's statements as making either a favorable comparison or an unfavorable one. If we discover that out of 50 comparative statements made by Rachel over the course of the debate, 90 percent were unfavorable and contained words like "juvenile," "immature," and "unprofessional," we might be able to draw some inferences about Rachel's feelings both toward the advertisement and, possibly, toward cartoons in general. Someone knowing Rachel for a long time might tell you that Rachel has always thought cartoons were silly. But they might also struggle to "prove" that, and Rachel might even argue with them. Qualitative data of the sort I just described provide empirical evidence of Rachel's opinion, evidence that can be more scientifically analyzed through the lens of observable behavior.
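The coding step described above is mechanical once a codebook exists, and it is worth seeing the mechanics, including what happens to statements that match no code or more than one. The following is an added example written for this page, not the book's own method or tooling: it applies a small favorable/unfavorable codebook to a constructed transcript, keeps the uncoded statements in the denominator so the reported share is honest, and allows a single statement to carry both codes. The speakers' lines and the codebook terms are constructed for the example; the term lists in a real study would come from a first reading of the transcript.

```python
"""Coding qualitative transcript lines into countable categories.

Added example: the transcript and codebook below are constructed to show
how a mixed-methods coding pass turns free text into nominal counts.
"""
import re
from collections import Counter, defaultdict

# Codebook: a code is assigned when any of its terms appears in a statement.
# Constructed for this example; a real codebook is built from the data.
CODEBOOK = {
    "unfavorable": {"cartoon", "juvenile", "immature", "unprofessional", "silly"},
    "favorable": {"hip", "fresh", "stands out", "good job"},
}

# Constructed transcript as (speaker, statement) pairs.
TRANSCRIPT = [
    ("Rachel", "It looks like a kid's cartoon."),
    ("Rachel", "How am I supposed to take it seriously?"),
    ("John", "Nah, it's kind of hip."),
    ("John", "The vendor did a good job of not looking like every other ad."),
    ("Rachel", "The whole thing is juvenile and unprofessional."),
    ("Rachel", "Honestly, it is immature."),
    ("John", "It stands out, which is the point."),
    ("Rachel", "The specs look fine, I guess."),
]

_WORD = re.compile(r"[a-z']+")


def code_statement(text, codebook=CODEBOOK):
    """Return the set of codes whose terms appear in `text`.

    Single-word terms match whole words only, so 'hip' does not fire on
    'ship'; multi-word phrases match as substrings of the lowered text.
    A statement may carry several codes or none; neither case is forced.
    """
    lowered = text.lower()
    words = set(_WORD.findall(lowered))
    codes = set()
    for code, terms in codebook.items():
        for term in terms:
            hit = term in lowered if " " in term else term in words
            if hit:
                codes.add(code)
                break
    return codes


def tally(transcript, codebook=CODEBOOK):
    """Count coded statements per speaker.

    Returns {speaker: {"total": n, "coded": n, <code>: n, ...}}. Statements
    matching no code still count toward 'total', so the denominator used for
    any percentage is explicit rather than silently shrunk.
    """
    counts = defaultdict(Counter)
    for speaker, text in transcript:
        counts[speaker]["total"] += 1
        codes = code_statement(text, codebook)
        if codes:
            counts[speaker]["coded"] += 1
        for code in codes:
            counts[speaker][code] += 1
    return {speaker: dict(c) for speaker, c in counts.items()}


def share(counts, speaker, code):
    """Fraction of a speaker's coded statements that carry `code`."""
    c = counts[speaker]
    return c.get(code, 0) / c["coded"] if c.get("coded") else 0.0


if __name__ == "__main__":
    result = tally(TRANSCRIPT)
    for speaker, c in result.items():
        print(speaker, c, "unfavorable share:", round(share(result, speaker, "unfavorable"), 2))
```

Two of Rachel's five statements match no code, which is the normal case in real transcripts; reporting "3 of 3 coded statements unfavorable" and "3 of 5 statements unfavorable" are different claims, and the tally keeps both numbers available.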
Interviews
When comparing interviews and surveys, interviews are more qualitative than surveys because they tend to be exploratory and open-ended. When we interview someone, we just let them talk. We may structure the interview to ask specific questions or focus on a particular topic, but we don't try to completely control the interviewee's responses. What we end up with is a lot of text that must then be analyzed and coded for patterns. From these patterns we can interpret findings and insights.
If you have only a general idea about what you want to know, conducting interviews can be the best way to approach the problem. Suppose you want to know how an employee feels about working for the company and you don't want to bring any preconceived notions into the mix. An open-ended interview approach would be to simply ask that person, "How do you feel about working here?" The employee could say whatever they wanted, bring up any topics, and speak as long as they felt necessary. The downside is that you might end up with a lot of data that has very little to do with actually working at the company and much more about that person's individual life. Open-ended interviews can produce large quantities of data that must then be analyzed, and that can be a lot of work. You might want to narrow things down a bit. A semistructured or structured interview would break the open-ended question about working at the company into subtopics that encourage more specific answers. But those answers would remain open-ended, with responses varying depending on the person answering.
Surveys
Surveys are much more specific than interviews. Not only do you define the question or questions in a survey, like "how do you feel about working here?" but you also define the possible answers. You might allow the person filling in the survey to choose from three possible answers, "I love it," "I hate it," or "I'm neutral about it." Or you could go a different way and use a scale, with 1 being "I love it" and 5 being "I hate it." The point is that surveys are used when you are less interested in exploring something you don't think you know about but want to discover and more interested in more precisely defining something that you already feel like you know about.
Because survey research is specific and targeted, and because it uses preassigned classifications and categories in collecting data, it is often described as a quantitative measurement approach. In conducting surveys, you are deliberately asking questions in a way that allows you to count the number and type of answers. It is possible to generate survey questions and answers that are nominal, ordinal, interval, or even ratio values. The tricky part is that almost every survey depends on the respondent answering it based on their own knowledge, with all the messy qualitative parameters that this entails. Survey data is empirical, but what you are observing is not the phenomena you are interested in (how much money does this person make in a year?), but rather the survey taker's response to a question about that phenomenon (I actually make less than this, but I'm embarrassed to say that, so I'll pick a higher amount…). It is a subtle difference, but an important one to remember.
Other Ways of Describing Culture
Qualitative and quantitative measurements form a basis for measuring culture directly, through various tools, methods, and instruments. But it is rare to see culture expressed in terms of data, regardless of type. Organizational culture is just too complex, too rich and varied, to be reduced to a number or a single category. Instead, organizational culture tends to be described in terms of stories and metaphors that allow us to glimpse the whole by looking at a model, representation, or metaphor. People, experts and laymen alike, have been developing and using these tools to describe organizational culture for almost as long as organizations have grown big enough to have cultures of their own.
Cultural Archetypes and Stereotypes
People generalize about other people all the time (in fact, I just did it myself). When we collapse the complexity and uniqueness of an individual or a group into a catch-all set of characteristics or rules that we claim applies universally, we create a type. If the generalization is interpreted by others as mostly positive and accurate, or at least not negative, we call it an archetype, a prime example of the thing we are generalizing about. If the generalization is negative, offensive, or insulting toward those generalized, we tend to call it a stereotype. Describing something as an archetype implies something to aspire to or to fruitfully compare a thing against. Stereotypes are often viewed as inaccurate and biased and a thing to be avoided. In both cases, people build a predictive model based on attributes they think they understand.
Organizational cultures are subject to the same treatment. How many times have we heard a particular company being called a "culture of innovation" while another is called a "culture of dishonesty"? By applying these labels, people attempt to simplify a very complex construction of people and relationships into a single defining characteristic. The generalizations may even be accurate, but this is beside the point. By turning a culture into an archetype or a stereotype, one runs the risk of introducing more uncertainty into the analysis than one removes from it. People can surprise you, and if you base your predictions on a single data point, you introduce a single point of failure into your assessment.
Generalizing can be useful if based on rational analysis and if the inherent assumptions remain explicit. All modeling and simulation is a form of generalization. Assigning types can be useful as one of several elements in your analysis. But if it becomes a crutch that excuses you from actually analyzing things, it is a recipe for disaster. This is especially true in a multifaceted culture where the organization has several competing drives. Someone who sees only one cultural trait, perhaps because of their role in dealing with the organization, may never even see the sides of culture that would conflict with their narrow viewpoint and challenge their preconceived biases.
Cultural Frameworks and Models
When a generalization is approached more rigorously and scientifically, archetypes and stereotypes can become models and frameworks. These models and frameworks remain simplified versions of reality, subject to uncertainty and unpredictability, but the effort that goes into formulating them includes basing the generalizations on empirical evidence, and ensuring that assumptions remain clear and well articulated. Security has plenty of its own models and frameworks, so this approach should not seem alien. The classic example is the Open Systems Interconnection (OSI) reference model, with its seven layers from physical to application. The model is very simple, very generalized. It does not represent any actual existing network. But you can use it to understand the functionality of just about any modern network. This is in large part because the model does not represent how we assume networks work, but how we know they work, because they have been built in part by using the model.
There are numerous frameworks and models to choose from when exploring organizational culture. The Competing Security Cultures Framework, the model I propose and will discuss in this chapter, is adapted from one of the more well-known frameworks in the organizational culture literature. But there are others. Table 5-1 briefly lists a few of the existing models and frameworks produced over the last four decades. My point here is that, not only is culture an empirically observable phenomenon, but organizational scientists have been observing it long enough to develop models for how it works.
Table 5-1 Frameworks and Models of Organizational Culture
Visualizing Culture
Frameworks and models do not have to be visual, but they often lend themselves easily to visual representation. Most of the frameworks and models in Table 5-1 have been expressed visually at one point or another. Visualization helps us to identify patterns more easily and to make sense of relationships spatially rather than verbally. Metaphors allow us to understand one thing by relating it directly to something completely different. The visual metaphor of the iceberg in Chapter 3 demonstrates the concept of powerful forces at work below our conscious perception. In an age of increasingly complex infographics and data visualization techniques, we may be tempted to think of simpler images as less informative. But the popularity of the iceberg metaphor in describing any number of situations testifies to its success as an explanatory tool.
Many visual models of culture are relatively simple. The point is not to capture every relationship or every nuance of interaction going on inside an organization. Instead, the focus remains on primary flows of information or influence, broad patterns of behavior and internal relationships, and high-level structure. Unlike a model for a mechanism or a physical structure, where standard components exist, there is rarely a single way to accomplish something when it comes to human interactions. Culture models have to achieve a balance, reflecting not only reality, but ambiguity, to be successful. In many situations, simple is better, so long as the model does not unnecessarily oversimplify what is happening.
The Competing Security Cultures Framework

My model, the Competing Security Cultures Framework (CSCF), enables an organization to describe and interpret the different ways that security is understood and practiced by the organization’s members. Specifically, the CSCF enables the organization to identify areas where competitive principles and values have emerged that may represent risk to the organization’s security goals and objectives. The CSCF is based upon a venerable and well-regarded cultural model, Quinn and Rohrbaugh’s Competing Values Framework, which was first described in an article in Management Science in 1983.

Origins of the CSCF in Competing Values Research

The original purpose of the Competing Values Framework was to understand the characteristics and organizational traits most associated with companies’ enterprise performance, how well they did in their industries and markets. Using both theory and data from empirical studies of different organizations, Quinn and Rohrbaugh grouped organizational traits into related sets of core values that created specific cultures within an organization. As they discovered patterns of behavior among various subject companies, the researchers mapped them into like groups, each of which demonstrated certain areas of value and priority for a company. These patterns also revealed opposing traits, values, and priorities that were antithetical to the ones identified. Quinn and Rohrbaugh mapped these as well, using a set of axes that divided the framework into quadrants.

Quinn and Rohrbaugh found, for example, that some organizations, in certain industries, were more effective when they built hierarchies and bureaucracy to emphasize control and stability; the researchers found that other organizations achieved successful performance by staying flexible and adaptable, avoiding rigid structures of authority or function. Likewise, they found that some organizations tended to look outward, prioritizing external customers and markets to achieve their goals, whereas others benefitted from an inward gaze that valued internal cohesion and integration. The result of their findings was a visual metaphor of culture that divided organizational values into four opposing cultures, which the researchers termed clan, adhocracy, market, and hierarchy. Figure 5-1 illustrates the Competing Values Framework model.

Figure 5-1 The Competing Values Framework (adapted from Quinn and Rohrbaugh)
Clan Cultures

As shown in Figure 5-1, clan culture is one of the four groupings of organizational priorities and behaviors identified in the Competing Values Framework. Clan cultures are community oriented, valuing a sense of belonging and inclusion. Internally focused and valuing flexibility, these organizations want all members to participate in making the organization successful. To this end, clan cultures put a great deal of emphasis on human development and the sharing of both responsibility and reward.

Adhocracies

Adhocracies, another grouping of organizational priorities and behaviors, are a riff on the idea of an ad hoc approach, one that is flexible and may not be permanent, created as a specific response to a unique challenge. Flexibility and agility are priorities, and are made necessary because of a focus on dealing with chaotic and unpredictable external environments. Startups and entrepreneurial organizations are today’s most familiar examples of adhocracies, but they also exist in larger, more traditional organizations that have a need to innovate.

Market Cultures

Market cultures contrast with clan cultures, valuing tight control over the internal workings of the organization, and focus the results of these efforts on the organization’s external environment. Customers may be a key priority, but market cultures may also value relationships with partners, regulators, trade groups, and shareholders. Performance in relation to these stakeholders is considered most important, whether that performance is expressed in terms of profit, market share, productivity, or some other measure.

Hierarchies

Hierarchies are marked by a high degree of internal focus and integration, combined with tight control and bureaucratic structures designed to ensure stability. Everything is organized and formalized, governed by clear lines of authority and responsibility. In a hierarchy culture, process tends to be king, and roles and responsibilities are defined through policies and processes. Unlike in an adhocracy culture, adaptability is far less important than stability and repeatability.
Adapting the Competing Values Framework to Security

The Competing Values Framework concerns itself primarily with enterprise and industry performance by companies, whether or not they are profitable, productive, or succeed in increasing their market share relative to their industry peers and competitors. The framework does not address information technology, much less information security. But the Competing Values Framework has benefitted from a great deal of empirical study and scholarly thought over the years since it was developed, and has been widely adapted and applied to other areas. This maturity and flexibility of the framework has much to offer people-centric security because it helps to explain the conflicts and competing priorities that often create security risk and failure, conflicts I have explored in previous chapters.

Adapting the Competing Values Framework to information security meant that I had to alter it and narrow it to the specific concerns of security owners and stakeholders. Instead of capturing the broad spectrum of behaviors and values that contribute to overall organizational performance, I wanted to measure and analyze those specific traits that enhance or impede information security performance in different industries and situations. But the original insights of the Competing Values Framework still apply, as does the quadrant structure of the model. The CSCF reorients and reconfigures these into a people-centric security model, which is illustrated in Figure 5-2.

Figure 5-2 The Competing Security Cultures Framework

The CSCF uses the same two-axes model as the Competing Values Framework but applies it to the way InfoSec thinks. The first axis represents the degree of security control valued by the organization. The second axis of the CSCF represents the continuum of focus between internal and external environments.
Degrees of Control

Control means the extent to which the organization attempts to direct, restrict, or influence the behavior of the people and systems it contains. The degree of control exists as a continuum ranging from tight control, representing a maximum of stability and standardization throughout the organization, to loose control, in which security may be distributed or subject to variability in terms of process and visibility across the organization. The resulting axis reflects a competing set of values that lie between the desire to make security more effective by promoting a dependable, orderly environment, and the desire to make security more effective by encouraging a flexible, situational environment.

In security programs, control is usually imposed through combinations of centralized authority, established bureaucracy, defined hierarchies, and standardized policies and procedures that define acceptable behaviors and activities. The degree of control over security is implied and operationalized by many factors, including the size of the security team and the resources available to them; executive sponsorship and support, including whether or not a CISO leads the program as part of the executive team; and the presence and enforcement of security-specific policies and standards across the organization.

You’ll notice in Figure 5-2 that I altered the original spatial layout of the Competing Values Framework, inverting the control axis so that tight control is at the top rather than the bottom of the model. The result is that the security cultures that prioritize more control over security activities are now represented in the top two quadrants. In my experience, security in general is a control-focused culture. The change of spatial positioning reinforces this emphasis. Figure 5-3 shows various characteristics as one moves along the control axis.

Figure 5-3 Characteristics along the control axis
Internal vs. External Focus

Internal or external focus determines whether the organization is primarily concerned with understanding and managing security as a function of the organization itself, or is primarily concerned with understanding and managing security as a function of its dealings with entities outside the organization. Outside entities may include customers, partners, regulators, the media, and even threat entities like hackers and other adversaries.

In an internally focused program, security is considered effective if the result is a cohesive and consistent program for protecting the organization’s information assets. Internally focused security programs seek an enterprise-wide alignment, where security is compatible throughout the organization’s operational functions. This may include organizations where the security team is responsible for setting direction and policy for all of the organization’s information security and perhaps even its physical security, including defining standards, managing technology, and creating strategy.

Externally focused security programs consider security effective when it results in successful relations between the organization and outside entities. This external focus creates a concern for meeting contractual and regulatory obligations; for protecting data the organization is obligated to protect; and for avoiding security failures that can result in loss of reputation, market share, or the ability to conduct business. Accomplishing these goals may require a diversification of security responsibility and authority (for instance, across regulatory or technology environments) in order to meet the various needs of specific constituents and external entities. Figure 5-4 shows characteristics as one moves along the internal-external focus axis.

Figure 5-4 Characteristics along the focus axis
The CSCF Quadrants

The security-specific quadrants of the CSCF are illustrated in Figure 5-5, which also shows more detail regarding the components and values inherent in each security culture type. Each of the quadrants represents a grouping of values, assumptions, and priorities that influence and shape security decisions and activities inside an organization. These security culture types include a Process Culture, a Compliance Culture, an Autonomy Culture, and a Trust Culture.

Figure 5-5 The Competing Security Cultures Framework with expanded detail

Overlapping and Competing Values

The quadrant model of the CSCF appears very orthogonal when you first look at it, with right angles creating independent cultural characteristics. This visualization tends to obscure the way that the two axes create overlapping values anchored on different perspectives on control and fields of focus. Diametrically opposed relationships like those between process and autonomy are easier to see, but there are connections and shared values throughout the four cultures as well. Figure 5-6 represents the CSCF as concentric circles that better illustrate these overlapping traits. Process and Trust Cultures, for example, may not seem to have much in common, until one realizes that they are both centrally concerned with how the organization functions internally as a coherent structure. Process and Compliance Cultures, to use another example, seem naturally congruent when thinking of information security, with their joint emphasis on control. But Compliance and Autonomy Cultures do not seem to make as much sense together, at least not until you recognize the mutual value these cultures place on addressing challenges associated with the organization’s external environment, not its internal workings.

Figure 5-6 Circular view of the Competing Security Cultures Framework
Limitations of the Framework

Noted statistician George Box once wrote, “Essentially, all models are wrong, but some are useful.” My hope is that the CSCF helps organizations by serving as a useful tool for achieving people-centric security. But it is just as important to acknowledge its limits. The CSCF does not pretend to fully describe or explain every organization’s security culture. Instead, the CSCF is intended to be a tool for learning and exploration, a method by which people working within the context of an organization’s security culture can learn more about that culture, assign terms and concepts to it, and identify areas of risk that emerge when security priorities and values come into opposition with one another. Organizational culture researchers understand how difficult it is to measure or analyze anything as complex as the shared beliefs and relationships of a large social group. Without a place to start, without some method of simplifying the complexity of cultural transformation to achieve actionable strategies, no progress is likely to be made. Some critics complain that this simplification makes the model worthless for real-world analyses. I appreciate a reluctance to oversimplify, which is a core security behavior I will discuss later in the book, but all models are simplifications by necessity. No one expects a balsa wood model of an airplane to fly like the real thing, or an architectural model to be a real, livable building. For these purposes, the models are wrong. But they remain useful nonetheless, used by engineers and architects everywhere to understand on a smaller scale the things they build on a large one.

Why Not Just Use the Competing Values Framework?

In the decades since it was created, the Competing Values Framework has been widely adapted, and various techniques have been developed for measuring how an organization compares to the framework. Specific tools such as Daniel Denison’s Organizational Culture Survey and Kim Cameron and Robert Quinn’s Organizational Culture Assessment Instrument use surveys to help organizations figure out where they fit in relation to the Competing Values Framework quadrants. The data these instruments collect regarding cultural values and norms are then mapped to the various cultural attributes of the framework, producing profiles of overall organizational culture.

But why build a new, security-centric framework at all? Why would an organization not just use the Competing Values Framework directly to measure security culture, since there are already assessment tools available that are based upon it? Some of these tools, like Cameron and Quinn’s OCAI, have been deployed by hundreds of organizations seeking to understand their culture and its link to business performance, market position, and industry competitiveness. It’s a legitimate question to ask whether or not security teams that want to change culture should use an existing cultural framework as their starting point.
Security Culture Benefits From a Targeted Approach

The answer is about specificity and precision. Information security is a business process, just like any other. But just like other business processes, it specializes in a subset of the overall organization’s functions. There are many unique aspects of security that are legitimate differentiators between our industry’s activities and objectives and those of HR, Marketing, or even different parts of IT. These differences manifest themselves in the language and terms we use, the approaches we take, and the outcomes we seek. Many of these differences have a direct impact on the potential effectiveness of using a general organizational culture framework to assess security culture.

In the CSCF, I have adapted the Competing Values Framework in a way that maintains the core theoretical constructs of the model, namely the performance impacts that occur when different cultures pursue different goals in competition. But I have reshaped and reoriented the Competing Values Framework in the CSCF to specifically address areas of concern to CISOs and security stakeholders, to use language that is more aligned with the concerns of security programs, and to illuminate the behaviors and values that security teams are most often associated with. Nevertheless, many of the traits and behaviors described by the CSCF will be recognizable to other, non-InfoSec, parts of the business. This makes sense because security remains a business process that contributes business value, or at least should be considered as such.

Not Everything in the Competing Values Framework Translates Well

Targeting the traits and values that inform and shape information security practices allows a more precise picture of organizational security culture to emerge, one grounded in those elements that security owners can understand and thus better communicate to other business stakeholders. Nonsecurity people will struggle with a model of culture that requires continuous translation between performance in general terms and performance of information security. It is better to perform that translation up front, as part of the model, as the CSCF does.

Consider the adhocracy culture of the Competing Values Framework. This culture, more prevalent in startups and other companies operating in environments of intense competition and volatile markets, values aggressive independence and a greater tolerance for risk, exemplified in the Silicon Valley motto “move fast and break things.” Most InfoSec professionals would never consider speed and disruption a good model for security, but adhocracy cultures feel these things are essential for their success. A direct translation of adhocracy to information security doesn’t exist. But the idea of autonomy and silos of security authority, of striking a balance between control and flexibility within the enterprise, is something every CISO recognizes and must cope with.

The CSCF allows organizations to foreground the values and priorities of security and orient them into security culture types, while preserving the spirit of the model in which these cultures vie for resources, buy-in, and dominance in a competitive organizational marketplace of ideas. The CSCF illustrates these cultures at a high level. I will discuss how to diagnose and assess the strength of the CSCF cultures in Chapter 6. For now, let’s explore these cultures in more detail.
Organizational Security Cultures

The four spatially opposed quadrants of the CSCF represent distinct cultural approaches to information security. Each quadrant represents a distinct security culture, although no organization will have only one of these cultures present. Some cultures may be stronger, even predominant. But all organizations are a mix of cultures, not only as a whole but in terms of different subunits within the whole. The four cultures are generalizations, models within a model, and I will explore the nuances of each in this section.

Process Culture

A Process Culture values tight control combined with an internally facing focus. Process Cultures view their success most often in terms of how well security operations are managed and coordinated, how stably and dependably operations function. From a theoretical perspective, the concept of managed coordination is paramount in the Process Culture. Security is seen as an organization-wide function that must be centralized and controlled to ensure that it is done right everywhere, by everyone, in the same ways.

One key feature of the Process Culture is the creation of bureaucracy to manage information security activities. Bureaucracy, briefly, is a system of management in which specialized professionals act according to accepted rules to accomplish goals. The word “bureaucracy” has changed meanings over the two centuries since it was coined, but negative connotations have always accompanied its use. Not until German sociologist Max Weber began studying bureaucracy scientifically in the early twentieth century was the idea rehabilitated somewhat. In Weber’s view, bureaucracy was necessary for society to function effectively in a modern world grown too complex to achieve its goals through the efforts of individuals and small groups without unique skills and training.

Security, along with most other organizational functions, has also grown too large and complex for any one person to do the job. Specialization has led to a variety of security-related roles, including the technical, the operational, and the managerial. In order to coordinate and optimize these disparate resources, organizations create hierarchical structures, including job families and organizational charts, to segment activities and areas of responsibility. These roles and specialties develop their own bodies of knowledge and paths for advancement, all governed by defined processes and standards of behavior.
Core Values of the Process Culture

Core values within a Process Culture develop out of a desire to keep things running smoothly and predictably, and include

Stability: Ensure that the organization maintains its existing functions and structures over time. Change, especially unplanned change, is disruptive and is to be avoided or managed very carefully.

Visibility: Ensure that the organization understands how it functions and can trace or predict outcomes easily. Blindness and blind spots not governed by established process represent uncertainty and risk.

Standardization: Ensure that all operations are managed according to formally established rules, well understood by all members. Individual freedom creates exceptions and discrepancies that must be managed, degrading operational efficiency.

A cardinal directive of the Process Culture might be stated as “enforce the policy.” In my experience consulting, “security policy” has become something of a metaphor for the collected body of rules governing the organization’s security activities, from the highest-level acceptable use policy down through the intricacies of firewall rules and intrusion detection system (IDS) tuning. Enforce the policy implies doing things the organization’s way, submitting to controls and restrictions, and thereby ensuring that the goals of the organization are met.

Examples of Process Cultures

In over 25 years of working in InfoSec, I have encountered many organizations where the Process Culture dominates, beginning with my first job as an operations officer in the Central Intelligence Agency. The U.S. government is perhaps an epitome of the Process Culture. The U.S. intelligence community is even more intense, especially when it comes to security. Classification, compartmentalization, and deeply embedded organizational hierarchies were not just the norm, they were my life. In my career since, I have seen similar cultures in other government agencies I have worked with, whether at the federal, state, or local level. This makes a great deal of sense when you consider that Max Weber’s work was based in large part on the growth of civil administrations as nation-states modernized. Government was, if you will, a key early adopter of bureaucracy, an innovation that was sorely needed as states were expected to better manage, provide services for, and control their citizens.

One of the most dominant Process Cultures I have encountered since joining the private sector was in the retail industry. This company had a procedure for everything security related, all run as part of a highly centralized program under a powerful and aggressive CISO who was considered an equal member of the company’s executive staff. The security culture mirrored the corporate culture, where everything was done, literally, by the “book” of policies and standards that existed to manage the stores, corporate offices, and even contractors and partners who worked with the firm. The strong Process Culture of the security program was neither good nor bad in general, but it worked in the larger context of the company. People understood rules and standards, and expected the security program to work the same way.

Financial firms, manufacturing companies, and utilities also tend to exhibit strong characteristics of a Process Culture.
Compliance Culture

Compliance Cultures, like Process Cultures, value tight control over the organization’s security activities. But where a Process Culture applies that control for internal purposes, the Compliance Culture is externally facing and views security success most often in terms of how well it supports relations between the organization and outside entities. In the Compliance Culture, security benefits the organization to the extent that it addresses the concerns of other stakeholders, whether those are customers whose data the organization manages, regulators seeking to control the conduct of certain types of business, or even hackers looking for a target. The theoretical perspective that best describes this approach is rational goals. Security is a goal because it helps or impedes the ability of others to meet their goals, not because the organization values it independently.

A Compliance Culture is driven by demands outside the organization. In recent years, security regulations and frameworks—including ISO 27001, the Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health (HITECH) Act, the Federal Information Security Management Act (FISMA), and a host of other global regimes—have played an increasingly important role in information security programs and in the work of CISOs. The increasing number and severity of security incidents, and the media coverage and public scrutiny they produce, will do little to abate this trend. If anything, organizations can expect an increase in regulatory focus in the coming years, along with the potential for loss of markets and customers in the event of a major breach. Compliance Cultures are deeply concerned with ensuring that their organizations navigate these turbulent waters safely.

Core Values of the Compliance Culture

Core values within a Compliance Culture reflect the insecurity and perceived need that surround accountability to the organization’s external stakeholders, and include

Conformity: Ensure that the organization adheres to expectations and requirements set by others, often through mirroring these requirements internally. Uniformity within the organization may not be a priority, but the organization must be able to meet all demands of specific outside stakeholders.

Repeatability: Ensure that the organization can reproduce processes and results on demand. Situations in which operations do not produce the expected results are dangerous failures.

Documentation: Ensure that the organization maintains evidence that it is meeting its obligations and the expectations of others. Operational processes that cannot be proven to function as required risk sanctions from anyone in a position to hold the organization accountable.

A cardinal directive of the Compliance Culture can be expressed as “pass audits.” Audits are not only planned, structured assessments performed or demanded by an interested third party. Several organizational theorists consider unplanned system failures to be, in the words of Karl Weick, “brutal audits.” A security breach reveals weakness and poor security controls in exactly the same way that an audit does, only with much more stress and more serious consequences. Penetration testing and red teaming evolved out of this understanding that it was better to subject the organization to a controlled attack than to wait for the uncontrolled one. So pass audits is as much about the successful response to a real security attack as it is about appeasing your Qualified Security Assessor (QSA) during a PCI audit.

Examples of Compliance Cultures

Compliance Cultures are most prevalent, as you might imagine, in highly regulated industries. I have seen strong Compliance Cultures in the insurance industry and in healthcare organizations. But from an information security perspective, PCI DSS has been the most influential driver of Compliance Culture, for several reasons. First, PCI DSS has real reach and unambiguous teeth. Organizations that want to process credit card data, and a great many do, have to comply with PCI DSS or else they don’t get the privilege. Second, PCI DSS tends to be highly prescriptive, meaning that the standard actually tells you specifically what you have to do. Many regulatory regimes outline high-level principles of security and generalized actions that must be performed, but remain open to a lot of interpretation. HIPAA/HITECH is a great example here, as the healthcare security and privacy regulation is meant to be applied to a huge number of very different organizations and must be more flexible than the laser-beam focus of PCI DSS. Finally, the business nature of PCI DSS—a regulatory framework designed by companies, primarily for companies, with an ecosystem of other companies supporting it—makes compliance seem easier for corporate organizations to understand and implement.

But PCI DSS is interesting in that the very things that make it influential can work together to form a sort of trap that many organizations fall into, one that says something about the Compliance Culture in general. PCI DSS lends itself to what some in the security industry, myself included, call “checkbox compliance.” While good security almost always equates to good compliance, becoming a matter of translating a security program into the language of whichever auditor is reviewing it, good compliance does not necessarily equal good security. Several of the largest breaches in recent years have involved companies, and even systems, that were certified as PCI DSS compliant. An organization may pass a traditional audit, in which a (mostly) friendly entity asks whether it has done what it was supposed to do, but adversaries conducting a brutal audit in the form of an attack don’t give a damn whether you have checked all the right boxes.

Compliance Cultures often overlap with Process Cultures, as many of the benefits of one apply to the other. But the difference between the cultures is that area of focus, which can be a source of cultural conflict and risk. If Process Cultures run the danger of bureaucratic inefficiencies in the name of coherent security operations, Compliance Cultures risk losing sight of the big picture of security by focusing on the individual mandates forced on them from the outside.
Autonomy Culture

At first glance, the Autonomy Culture might not seem very compatible with information security. And if you were to conduct a study expecting to find few organizations where Autonomy is the dominant security culture, at least on paper, you would not be disappointed. Most security professionals find the idea of letting everyone in the organization decide for themselves what level of security works best to be irrational and dangerous. But look closer and you begin to see that the question is more complex. Security is often at odds with other parts of the business, sometimes even at odds with itself. The criticism of security programs as “the ‘no’ team, not the ‘go’ team” reflects the suspicion some people have that security can do at least as much harm as good, protecting the organization at the cost of speed, efficiency, and progress.

Autonomy Cultures exhibit less centralized control while also facing outward from the organization. The theoretical basis of the culture is that of adaptive systems, in which people, process, and technology can reshape and reorient themselves as necessary to meet changes in their environment. The idea is that those closest to a situation have a better awareness of what is happening and what is required. Logic dictates that they should also have the power to act on that unique situational insight. The result is an organization that can respond in part without requiring similar changes, or even involvement at times, by the whole.

Autonomy Cultures in security, it should be said, are not “anything goes” environments. I have never, at least in the last decade or so, encountered an organization that believed security was completely unimportant. But I have worked with a lot of organizations for whom security is a compromise, a more or less balanced trade-off not only between locking things down and opening them up, but between the need for centralized control and local situational awareness. Many reasons exist to push security authority and responsibility out, to distribute it throughout an organization. Sometimes this is a reflection of a corporate structure that has many autonomous or semiautonomous divisions. At other times, federation occurs because of more operational or market needs.

Core Values of the Autonomy Security Culture

Core values within an Autonomy Culture emerge from the need to manage different levels of security, for different reasons, in different places, and include

Flexibility: Ensure that the organization responds to changing events and environments. Unexpected change is unavoidable and actually represents an opportunity for those who can adapt.

Agility: Ensure that the organization moves quickly and efficiently to take advantage of opportunities. Wasting time debating options or dealing with bureaucracy risks sacrificing first-mover advantages.

Innovation: Ensure the organization not only reacts to change, but creates it, discovering new ways to improve before competitors do. The best ideas come from unexpected places, from individual forward-thinkers, and to forbid experimentation is to court obsolescence.

A cardinal directive of the Autonomy Culture could be summed up as “get results.” An organization in a highly volatile and competitive environment can literally face extinction if it fails to be innovative, adaptable, and agile, all characteristics that a risk-averse security program can impede. A failure from overly cautious approaches to security can be as deadly as a failure that occurs as a result of a major breach. Many social media companies and technology startups today face exactly this paradox. The information they manage is the raw material of their business. Locking information down, protecting it, takes resources and may diminish the value of the data. A scrupulous company, doing right by its customers or users on security and privacy, may find itself outmaneuvered by a competitor that put those extra resources into marketing and user interface design instead of data protection.

Freewheeling startups are not the only organizations that find value in some form of Autonomy Culture, though. Lots of organizations divide authority and responsibility for IT and security among different groups, or embed them into lines of business or geographical regions. The main feature of an Autonomy Culture is simply that the organization has concluded that centralized, standardized security does not work as well as individually or locally managed security, and has delegated the authority for it among different entities.

Examples of Autonomy Cultures

I haven’t found an industry that explicitly advocates for a security culture of Autonomy, at least not out loud. In today’s environment, stating that security should be left up to individuals, allowing them to decide for themselves what needs to be protected and how, might be seen as reckless. But plenty of organizations function this way, even if they don’t print it on the brochure. Startups, especially technology startups, are often forced to move so fast that security (along with everything else) is handled by individuals. Similarly, some parts of academic institutions are more autonomous because they are meant to be open systems for the free exchange of information. Security people, in my experience, tend to see the values and traits of an Autonomy Culture as a necessary evil, at best.

Where Autonomy Cultures do exist, they look at the idea of freedom differently. Autonomy in security is different from the adhocracy culture in the original Competing Values Framework, where it represents a deliberate rejection of rules, standards, and bureaucracy in favor of being a nimble competitor. Few in security, even proponents of more autonomy, would make the claim that security policies, processes, and other mechanisms of control are actually harmful to the business and should be avoided. Instead, Autonomy Cultures prioritize the idea that centralized control and standard security process are not the only way to go and must be balanced with other concerns. I’ve usually found evidence of Autonomy Culture by looking between the lines, examining the conflicting priorities of the security team and the rest of the organization.

One of the best examples of Autonomy Culture’s influence on security is the “bring your own device” movement, or BYOD. The consumerization of technology, which has integrated powerful and sophisticated networked computing devices into the lives of everyday users, combined with a profusion of social and information services that integrate with those devices, has made almost everyone an advanced IT user. Companies have, sometimes inadvertently, encouraged consumerization through the growing erosion of the boundaries between work life and personal life. Many people expect and are expected to be quickly available at all times by friends, coworkers, and bosses alike. As both opportunities and demand for connectivity and availability grow, unique ecosystems have developed. Big players, like Apple and Google, as well as many other large and small competitors, produce phones, tablets, and personal computers with disparate user bases. The resulting platform diversity has strained the ability of corporate IT to keep up, and personal preferences driven in part by younger generations who want “cool” rather than “company approved” tech have made BYOD as much about reputation and retaining talent as it is about managing IT infrastructures.

I once heard a CISO say, “I question the sanity, not to mention the judgment, of anyone who wants to bring their iPhone to use at work.” This executive was less concerned with Apple in particular; he mentioned that he had an iPhone for personal use. But he was adamant that the freedom to access the corporate network with any device was an unacceptable security risk. Contrast that with companies like Cisco, where carefully managed BYOD is part of the fabric of company life, and you can see the difference between the values of the Process Culture and those of the Autonomy Culture.
Trust Culture
Cultures of trust tend to insist that security must be a shared, collaborative process. Trust Cultures achieve success when everyone is a stakeholder in security, with the right skills, knowledge, and awareness to make good decisions. The theoretical perspective of a Trust Culture is human relations, the recognition that, as I said in Chapter 1, security is people!
Trust Cultures embody an approach that favors looser control (since the organization's members are dependable participants who don't require constant supervision) and looks inward to the people who embody the organization. This can only be accomplished through educated, engaged members who remain committed to organizational success at a very personal level.
Many people work in organizations that see themselves as communities or even families, and some people invest a great deal of their own sense of self-worth into their profession and their employer. In security, this cohesion can function a bit differently, but it is still very much there. For security programs, the place you are most likely to find proponents of the Trust Culture is inside the security awareness team. Every security awareness professional I've talked to or heard speak—and thanks to Lance Spitzner and the SANS Securing the Human Project there have been quite a few—has been absolutely passionate about making nonsecurity folks understand why security is important, and then giving them the tools to make the best security decisions. They view people not as a threat to be managed, but as a resource to be valued.
Core Values of the Trust Culture
Core values within a Trust Culture emphasize the need to interact and cooperate as a team, and include
Communication  Ensure that the organization shares information clearly and efficiently with all members. If people cannot understand what they are supposed to do, and why, they will fail.
Participation  Ensure that the organization encourages everyone to take ownership and become a stakeholder, rather than foisting responsibility onto other parties. "Passing the buck" is seen as irresponsible and risky, as well as a violation of the social contract.
Commitment  Ensure that people want to make the organization great by ensuring that the organization does all it can to make people great. Wasting good people is bad business.
A cardinal directive of the Trust Culture might be stated as empower people. In security environments this means not treating people like the enemy, but rather giving them what they need to be allies to the security team. I've seen more than one security program obsess about insider threats, viewing almost everyone outside of InfoSec as time bombs just waiting to go off in explosions of ignorance, incompetence, or active malicious intent. A Trust Culture does not ignore the possibility that people can become problems; but it believes that these problems, more often than not, can be avoided by simply understanding what a person really needs in order to do the right thing, and then giving that to them.
Examples of Trust Cultures
As with Autonomy Cultures, I have not found Trust Cultures to be unique to a specific industry. Most organizations beyond a certain size have a security awareness program, often driven by a compliance requirement. Whether the awareness program is evidence of a Trust Culture, devoted to empowering the members of the organization so that they can make better choices, or evidence of a Compliance Culture, in which awareness is only important to the extent that it serves other interests, can be hard to decipher. But I have yet to find a security awareness officer who was only interested in checking a box on an audit form. They all want to appeal to hearts and minds.
The real challenge for Trust Cultures is that, of all the cultural traits in the CSCF, trust tends to come hardest to security professionals. We are not, by nature, a trusting lot. People in InfoSec tend to focus on what can go wrong more than what can go right, and we never have to look very far or hard to have our worst suspicions of danger confirmed. Security is about locking things down and restricting access to them. We tend to want to control people's behavior. Empowering them can feel like something best left to HR. But for many others in an organization, trust and a sense of community are quite important, even taken for granted. This tends to limit the influence of Trust Cultures in information security programs and to foster more competition between them and other quadrants of the CSCF.
As the first section of this book argues, however, it is exactly this competitive tension between different priorities and requirements that fuels security risk. A Trust Culture does not imply a naive assumption that everyone is nice and fair and puts the interests of the organization first. A Trust Culture rests on a foundation of cooperation and shared responsibility. This means that people know what the right choice is. But it also means that people recognize that some choices are harder than others, and that compromises and trade-offs must be made. Trust is about communicating conflicts of interest as much as it is about posting awareness posters reminding everyone of a policy, and having faith that the organization will listen.
Further Reading
Cameron, Kim S., and Robert E. Quinn. Diagnosing and Changing Organizational Culture: Based on the Competing Values Framework. 3rd ed. San Francisco: Jossey-Bass, 2011.
Quinn, Robert E., and John Rohrbaugh. "A Spatial Model of Effectiveness Criteria: Towards a Competing Values Approach to Organizational Analysis." Management Science 29, no. 3 (1983): 363–377.
SANS Institute. "Securing the Human." Available at www.securingthehuman.org.
CHAPTER 6
The Security Culture Diagnostic Survey (SCDS)
The Competing Security Cultures Framework, introduced in Chapter 5, is a cornerstone of this book's people-centric security approach. It provides a means of visualizing the tensions between information security stakeholders, priorities, and values that exist in every organization. There will always be differences between organizational cultures, and every company and enterprise will have its own unique approach to InfoSec, a mix of cultures, beliefs, and assumptions that will drive everyday decisions and behaviors across all people involved. The CSCF encourages observation and identification of these unique traits, placing them in a spatially oriented framework that allows the organization to understand itself and to chart pathways to cultural improvement and transformation.
No organization is likely to be of just one cultural type. Take a moment and consider your own organization's culture. Would you say you have a Compliance Culture, where audits are top of mind for the security team? Compliance tends to be a key driver of InfoSec these days. But at the same time, do you also have a security awareness program in place? Do you emphasize security awareness more generally, or only for those specific areas that you are audited against? You probably have a number of security policies and standards, but are there also areas where people and groups are given more discretion in how they use or manage technology, such as with BYOD?
Chances are that all of the CSCF traits will be familiar to you in some way, representing some aspect of security that your organization values and promotes.
Security culture, like organizational culture in general, is multifaceted and flexible. The interesting question is, if you really got down to it and were forced to choose, which values would come out on top? If, like Clara the developer from Chapter 2, you needed to make hard choices between what was right for security, what was right for the business, and what was right for yourself, which would you give highest priority? For which decisions would you be rewarded and for which would you be punished, no matter what the "party line" says about the importance of security? That balance is the true face of your security culture.
The CSCF is useful to help conceptualize security culture, but it doesn't tell you much about your own organization or the balance between competing information security values in your particular case. To determine that, you need a measurement instrument of some sort. I designed the Security Culture Diagnostic Survey (SCDS) to be that instrument. Using the SCDS, InfoSec teams can collect empirical evidence about the cultural and behavioral norms that exist regarding security within their organization. The result is a profile that describes the balance an organization exhibits between the four different security cultures of the CSCF and their associated values and behaviors. The SCDS builds upon the research and operational development of the Competing Values Framework, discussed in Chapter 5, as well as my own adaptation in the CSCF.
SCDS Format and Structure
The SCDS is designed to elicit data regarding cultural traits and information security values that exist within an organizational environment. The SCDS is accompanied by a scoring process for using the responses to survey questions to compute the level of a particular cultural attribute against a scale, as well as a visualization process by which these scores are oriented spatially against the CSCF quadrants to create a security culture map or profile. These culture maps, described in Chapter 7, can be used to drive discussion, brainstorm transformation strategies, and communicate to InfoSec and organizational leadership.
How Surveys Work
Most people are familiar with surveys. We've all taken them in one form or another, whether it was filling out a form describing our satisfaction with a particular product or service; being asked structured questions about what we might buy, who we might vote for, or what personality types we are looking for in a romantic partner; or taking an employee survey asking us how we feel about our company, leadership, or individual job. The Internet has improved networking and communication in general, and several companies offer specialized online survey tools that make it easy for just about anyone to set up a survey and start asking questions of respondents.
Surveys have become so commonplace that people tend to take them for granted, forgetting that they can be sophisticated research tools in the right hands. Like a chromatograph, a network protocol analyzer, or a video camera, surveys collect data as inputs that can then be analyzed. But instead of chemicals, packets, and photons, surveys collect human verbal or written responses. Most of us understand how to ask questions and get answers, a skill we have to learn early as language users. So surveys can seem easier and less specialized than some of those more technical instruments. But like them, survey research is built on a body of theory and empirical research that enables social scientists to collect data in valid and repeatable ways. Unlike the more technical instruments, however, distinguishing between a "good" survey, one that produces scientifically valid data, and a "bad" survey, where someone is just asking questions of someone else, can be difficult.
A detailed overview of survey theory and practice is outside the scope of this book, but there are some general aspects of surveys that tend to differentiate those that are more scientifically rigorous from those that are less so. These traits include
Clearly understood objectives for the survey
Pre-established research questions the survey should answer
An explicit conceptual and analytical framework in which to evaluate the responses
Well-designed survey questions and variables
The SCDS attempts to meet the first three criteria by grounding itself in the Competing Security Cultures Framework itself. The CSCF defines what needs to be understood and how to evaluate the results of security culture measurement. What is left is the fourth criterion, the need for the specific questions and scores by which that measurement is achieved.
Questions in the SCDS
The SCDS is made up of ten questions, each with four responses that align to the four quadrants of the CSCF. The questions correspond to key organizational activities that influence and are influenced by norms and behaviors central to information security culture. You may notice at first glance that many of the questions do not specifically mention security. This is deliberate. Security is, as I have emphasized, a business process just like any other. Security culture does not grow out of how the InfoSec team looks at information security. That's just navel gazing by everyone sitting on top of the iceberg. Security culture is about how the hidden assumptions under the surface influence how security gets done. These hidden assumptions influence things like how the organization is run and the InfoSec team within it, things like the management of core operations or technologies, or how we judge people's performance and hold them accountable for outcomes. Security doesn't drive any of these things inside an organization, but they drive everything the security organization accomplishes.
Table 6-1 provides the questions and responses that comprise the SCDS. The sections following Table 6-1 explain the questions and responses in more depth, and a subsequent section explains how to score the SCDS results. Editable versions of the SCDS are available for download from http://lancehayden.net/culture. These versions include templates for assessing a single InfoSec culture or comparing multiple security cultures within the organization or across time. Instructions for completing each of these surveys are generally described later in this chapter, and specific instructions for each template are included in the downloadable versions.
1. What's valued most?
A. Stability and reliability are valued most by the organization. It is critical that everyone knows the rules and follows them. The organization cannot succeed if people are all doing things different ways without centralized visibility.
B. Successfully meeting external requirements is valued most by the organization. The organization is under a lot of scrutiny. It cannot succeed if people fail audits or do not live up to the expectations of those watching.
C. Adapting quickly and competing aggressively are valued most by the organization. Results are what matters. The organization cannot succeed if bureaucracy and red tape impair people's ability to be agile.
D. People and a sense of community are valued most by the organization. Everyone is in it together. The organization cannot succeed unless people are given the opportunities and skills to succeed on their own.
2. How does the organization work?
A. The organization works on authority, policy, and standard ways of doing things. Organizational charts are formal and important. The organization is designed to ensure control and efficiency.
B. The organization works on outside requirements and regular reviews. Audits are a central feature of life. The organization is designed to ensure everyone meets their obligations.
C. The organization works on independent action and giving people decision authority. There's no one right way to do things. The organization is designed to ensure that the right things get done in the right situations.
D. The organization works on teamwork and cooperation. It is a community. The organization is designed to ensure everyone is constantly learning, growing, and supporting one another.
3. What does security mean?
A. Security means policies, procedures, and standards, automated wherever possible using technology. When people talk about security they are talking about the infrastructures in place to protect the organization's information assets.
B. Security means showing evidence of visibility and control, particularly to external parties. When people talk about security they are talking about passing an audit or meeting a regulatory requirement.
C. Security means enabling the organization to adapt and compete, not hindering it or saying "no" to everything. When people talk about security they are talking about balancing risks and rewards.
D. Security means awareness and shared responsibility. When people talk about security they are talking about the need for everyone to be an active participant in protecting the organization.
4. How is information managed and controlled?
A. Information is seen as a direct source of business value, accounted for, managed, and controlled like any other business asset. Formal rules and policies govern information use and control.
B. Information is seen as a sensitive and protected resource, entrusted to the organization by others and subject to review and audit. Information use and control must always be documented and verified.
C. Information is seen as a flexible tool that is the key to agility and adaptability in the organization's environment. Information must be available where and when it is needed by the business, with a minimum of restrictive control.
D. Information is seen as the key to people's productivity, collaboration, and success. Information must be a shared resource, minimally restricted, and available throughout the community to empower people and make them more successful.
5. How are operations managed?
A. Operations are controlled and predictable, managed according to the same standards throughout the organization.
B. Operations are visible and verifiable, managed and documented in order to support audits and outside reviews.
C. Operations are agile and adaptable, managed with minimal bureaucracy and capable of fast adaptation and flexible execution to respond to changes in the environment.
D. Operations are inclusive and supportive, allowing people to master new skills and responsibilities and to grow within the organization.
6. How is technology managed?
A. Technology is centrally managed. Standards and formal policies exist to ensure uniform performance internally.
B. Technology is regularly reviewed. Audits and evaluations exist to ensure the organization meets its obligations to others.
C. Technology is locally managed. Freedom exists to ensure innovation, adaptation, and results.
D. Technology is accessible to everyone. Training and support exist to empower users and maximize productivity.
7. How are people managed?
A. People must conform to the needs of the organization. They must adhere to policies and standards of behavior. The success of the organization is built on everyone following the rules.
B. People must demonstrate that they are doing things correctly. They must ensure the organization meets its obligations. The success of the organization is built on everyone regularly proving that they are doing things properly.
C. People must take risks and make quick decisions. They must not wait for someone else to tell them what's best. The success of the organization is built on everyone experimenting and innovating in the face of change.
D. People must work as a team and support one another. They must know that everyone is doing their part. The success of the organization is built on everyone learning and growing together.
8. How is risk managed?
A. Risk is best managed by getting rid of deviations in the way things are done. Increased visibility and control reduce uncertainty and negative outcomes. The point is to create a reliable standard.
B. Risk is best managed by documentation and regular review. Frameworks and evaluations reduce uncertainty and negative outcomes. The point is to keep everyone on their toes.
C. Risk is best managed by decentralizing authority. Negative outcomes are always balanced by potential opportunities. The point is to let those closest to the decision make the call.
D. Risk is best managed by sharing information and knowledge. Education and support reduce uncertainty and negative outcomes. The point is to foster a sense of shared responsibility.
9. How is accountability achieved?
A. Accountability is stable and formalized. People know what to expect and what is expected of them. The same rewards and consequences are found throughout the organization.
B. Accountability is enabled through review and audit. People know that they will be asked to justify their actions. Rewards and consequences are contingent upon external expectations and judgments.
C. Accountability is results-driven. People know there are no excuses for failing. Rewards and consequences are a product of successful execution on the organization's business.
D. Accountability is shared among the group. People know there are no rock stars or scapegoats. Rewards and consequences apply to everyone because everyone is a stakeholder in the organization.
10. How is performance evaluated?
A. Performance is evaluated against formal strategies and goals. Success criteria are unambiguous.
B. Performance is evaluated against the organization's ability to meet external requirements. Audits define success.
C. Performance is evaluated on the basis of specific decisions and outcomes. Business success is the primary criterion.
D. Performance is evaluated by the organizational community. Success is defined through shared values, commitment, and mutual respect.
Table 6-1 The Security Culture Diagnostic Survey
1. What's Valued Most?
Question 1 asks respondents to think of the key values affecting their organization's security culture and to identify the top-of-mind priorities that best describe daily decision making. The response choices allow the respondent to differentiate between the relative importance of stability and standardization, external validation and review, adaptability and freedom of choice, and a sense of shared community and responsibility. These response choices begin the descriptive differentiation of the organization's security culture into the four quadrants of the CSCF.
2. How Does the Organization Work?
Question 2 focuses on how the organization gets things done, how it divides responsibility and authority, and how it embeds those values into hierarchies and organizational divisions. Organizational work habits define most aspects of organizational behavior by creating and encouraging some forms of communication and interaction among members, while limiting and discouraging others. Over time, these behaviors become ingrained and instinctual, as the "shape" of the organization becomes part of the culture. Responses to this question allow respondents to define whether the organization looks inward or outward for its marching orders, whether the primary stakeholders are internal or external, and whether the division of labor and management is designed to promote individual and group initiatives or to place and preserve control in more centralized hands.
3. What Does Security Mean?
Question 3 is the most security specific in the SCDS, asking the respondent to explicitly define how he or she or the organization conceptualizes information security. The responses encourage respondents to think of security in terms of how it is perceived and implemented within the organization. In some organizations, security is synonymous with the infrastructure of security, whether those systems are technological or process based. Other organizations see security in terms of effects and results, the outcomes of the process rather than the means of its achievement. Of course, a balance must exist between the different conceptualizations, but the question allows respondents to weight what the typical member of the organization is referring to when he or she talks about security.
4. How Is Information Managed and Controlled?
Information is the lifeblood of most organizations today, central both to the general business activities of the enterprise and to information security. Question 4 asks respondents to describe the management and control of information as a shared resource. The flows of information, its owners and uses, and the beliefs about how it should be disseminated and shared are defined within the responses. Information control is not necessarily security specific, but the way in which an organization views information as a tool and a commodity has a direct bearing on how the organization feels about restricting access to it and otherwise controlling information uses for security purposes.
5. How Are Operations Managed?
Question 5 asks respondents to select and prioritize the organization's everyday functional activities, including tasks, interactions, decisions, and evaluations. Organizational operations, like organizational structure, tend to become "formal and normal" over time. Even a chaotic operational environment, subject to individual decisions and little oversight, can become a "normal" way of doing things. Just ask anyone who has been responsible for changing such an environment. As operational realities give way to habits, the habits encourage particular ways of looking at how new operations are conducted. This question elicits data about where the operational environment, including the habits and norms that it represents, is situated within the four cultural categories described in the CSCF.
6. How Is Technology Managed?
Question 6 examines the management of technology as an organizational resource. Like other resource-centric questions in the SCDS, it asks survey respondents to describe whether technology is subject to more or less control, and whether it is put to use to increase the success of internal stakeholders or external stakeholders. Technology management can have profound implications for security culture, adding both freedoms and constraints to members throughout the organization. These implications may or may not make the job of the CISO or InfoSec manager easier.
7. How Are People Managed?
Although a people-centric approach to security is the central theme of this book, not every organization manages people in the same way, for the same reasons. Question 7 asks respondents to describe how people are treated and utilized as a resource within the organization. Is that management style formal and centralized, as with a traditional human resources department that may treat people much like any other organizational asset? Or is the environment more like a family, a community, or a social movement, where people are elevated above other components of the organization and given special focus and privilege?
8. How Is Risk Managed?
Question 8 gathers data from respondents about the understanding and management of risk within the organization. Risk is often subject to different interpretations and definitions within an enterprise, as I have described in previous chapters. How risk is understood, whether it represents a negative or a positive, and what should be done to reduce, accept, or even encourage it become key considerations for security. This question explores how risk management may differ between cultural categories within the CSCF and documents the means by which the organization addresses risks and opportunities in the conduct of its business.
9. How Is Accountability Achieved?
The means by which organizations hold members accountable for their actions can be deeply influenced by the culture of the organization, and can serve as a reflection of those core cultural traits. Question 9 asks survey respondents to explain the ways in which their organization understands and undertakes accountability. Depending on the culture, accountability may be mechanistic and the product of strict measures, or it may prove more situational and subjective. How accountability is perceived can play a part in how people within the organization make decisions, how they view their jobs and responsibilities, or even how they interact with and support (or fail to support) other members.
10. How Is Performance Evaluated?
Performance evaluation, like accountability, is a core requirement for organizational success. It is also, like other traits, culturally situated and influenced by norms and beliefs. While related to accountability, Question 10 focuses more directly on the measurement of success or failure than on the designation of who is responsible for those successes or failures. The question asks respondents to define the methods by which evaluation is conducted, whether success criteria are formalized or ad hoc, internally driven or influenced by outsiders, and whether performance is a shared or more individualized organizational activity.
SCDS Scoring Methodology
The SCDS uses an ipsative scale for measuring responses. Ipsative scales may be less familiar to you than the Likert scales typically seen in many surveys. Likert, or normative, scales use responses that force a survey respondent to answer in the form of a rating. Ratings may be numeric, such as asking a respondent to rate a preference on a scale of 1 to 5. Or they may be descriptive, asking the respondent to rate their agreement with a particular statement from "strongly agree" through to "strongly disagree." With Likert scales, each response is independent of other responses. If a survey asks a respondent to rate how they feel about different aspects of their job using a Likert scale, it is perfectly acceptable for the respondent to rate everything "strongly agree" or at a "5" level, depending on the scale. There is typically no ranking involved, where a "1" rating on one item would necessitate a "5" ranking on another, related item.
Ipsative scales force a respondent to choose between a series of two or more options. For each question in the SCDS, survey respondents are asked to weight the four responses by indicating the extent to which each accurately answers the question. There are pros and cons to using both the Likert and ipsative response systems, but ipsative scales work best when responses are not intended to be independent and should reflect differing but related degrees of preference between response items.
The CSCF describes organizational cultural environments, where opposing norms and values are present. An organization may exhibit a balance between cultural traits, but it cannot be completely one type of culture while also being completely another type of culture. Consider an enterprise, for instance, that has a very strong, deeply ingrained control culture, formal and strict hierarchies and bureaucratic command structures, and a process-driven infrastructure of policies and controls. It is extremely unlikely that this same organization will also allow individuals to make independent decisions, follow nonstandard processes, and regularly flout policies or circumvent established controls. The incompatibility of the cultures will create friction and failure until they are normalized, either with one culture attaining predominance and the other being marginalized, or by a mixing of the cultures that forms a compromise balance between the two.
An ipsative response scale for the SCDS reflects these trade-offs between cultural attributes within the SCDS and the CSCF. Each SCDS question has four possible responses that reflect differing and competing values. Respondents must assign a total score of 10 points across all four responses, dividing the points among the responses based on how strongly or weakly each of the statements reflects their own organization. For instance, if response A reflects the organization's values perfectly and no other response is applicable, the survey respondent might assign a score of 10 points to that response. But the respondent would then have to assign all other responses a 0 score, indicating those values are not present to any degree. Similarly, if a response is in no way reflective of the organization's values and assumptions and never influences behavior, the respondent might score it a 0, leaving the remainder of the weighting to be divided between the other three responses.
No organization is likely to exhibit a single cultural attribute or single set of values to the exclusion of all others. SCDS scores will usually reflect a balance between responses, which correlates to a balance between the four quadrants of the CSCF and the cultures each represents. It is possible in some cases that a particular set of values will be perceived as absent from the organizational environment and be assigned a 0 weighting. A respondent may decide, for instance, that some values associated with the Autonomy Culture are not present and therefore score several of the "C" responses as a 0. But there will likely be other areas where some delegation of control or decision making is allowed, even if those values remain small.
Scoring the SCDS Results
Scoring the SCDS is relatively straightforward, as I described in the last section. Respondents divide 10 points between each of the four possible responses, assessing the degree to which the statement reflects the values within their organizational environment. It is unnecessary for survey respondents to understand or even be aware of the CSCF, or divisions of organizational culture in general. They only need to decide to what degree each response statement describes the values of their own organization for the SCDS question under consideration.
Those tasked with interpreting the SCDS results will require a bit more insight into how the questions and responses are designed. If you have familiarized yourself with the CSCF presented in Chapter 5, you will quickly recognize patterns when you examine the survey response choices. Each response describes traits, values, and activities that are associated with one of the CSCF cultural quadrants:
"A" responses reflect values and traits that are internally facing and prioritize tighter control. These attributes, including concerns over stability, the existence of standards and bureaucratic lines of control, and a desire for centralization, are priorities that tend to exist more strongly in Process Security Cultures.
"B" responses reflect values and traits that still prioritize tight control, but are aimed at external stakeholders. Attributes include regular review, the need for justification and documentation of activities, and an audit-driven approach to the business, all of which are priorities more often found prevalent in Compliance Security Cultures.
"C" responses reflect values and traits that are externally facing, but prioritize less control over decisions and activities. Flexibility, adaptability, and the need to be agile and unhampered by rigid bureaucracy and lines of authority are the dominant attributes, which are most often found in Autonomy Security Cultures.
"D" responses reflect values and traits that are internally facing and more loosely controlled. Attributes include cooperation and transparency, shared responsibility and empowerment, and a sense of individual ownership and mutual support, all of which are indicative of the priorities existing in Trust Security Cultures.
Once the SCDS is completed and the survey owners have a set of responses, data analysis can begin. Analyzing SCDS data can be as simple as aggregating and averaging an organization's SCDS scores to show overall cultural traits. Or the survey owners can take more sophisticated paths: comparing scores, visualizing data, and using insights from the SCDS to plan InfoSec culture transformation strategies. The case studies in the next section serve to illustrate several ways that SCDS scores can help an organization understand and improve information security. I will discuss visualizing and mapping information security culture and the relationship between SCDS scores and the CSCF in the following chapter.
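The scoring rules above, worked through in Python as an added example (it is not the book's scoring template from lancehayden.net/culture): it enforces the ipsative rule that each question's four weights sum to 10, averages the A-D weights per question across respondents, rolls them up into a Process/Compliance/Autonomy/Trust profile, and goes one step beyond the text by subtracting one group's profile from another's, the division-by-division comparison the case studies describe. The respondents and their weights are constructed for illustration.

```python
"""Scoring SCDS responses: an added example, not the book's own scoring
templates (those are downloadable from lancehayden.net/culture).

Rules taken from the chapter: ten questions, four ipsative responses (A-D)
per question, exactly 10 points divided among the four; A maps to Process,
B to Compliance, C to Autonomy, D to Trust. Respondent data is constructed.
"""
from statistics import mean
from typing import Dict, List, Sequence

QUESTIONS = 10
POINTS_PER_QUESTION = 10
QUADRANTS = {"A": "Process", "B": "Compliance", "C": "Autonomy", "D": "Trust"}

# One respondent's completed survey: ten dicts of A-D weights, in question order.
Response = List[Dict[str, int]]


def validate_response(resp: Response) -> None:
    """Enforce the ipsative rule: every question carries exactly A-D, no negative
    weights, and the four weights sum to 10 (a 10/0/0/0 split is allowed)."""
    if len(resp) != QUESTIONS:
        raise ValueError(f"expected {QUESTIONS} questions, got {len(resp)}")
    for number, weights in enumerate(resp, start=1):
        if set(weights) != set(QUADRANTS):
            raise ValueError(f"question {number}: responses must be exactly A-D")
        if any(w < 0 for w in weights.values()):
            raise ValueError(f"question {number}: negative weight")
        total = sum(weights.values())
        if total != POINTS_PER_QUESTION:
            raise ValueError(f"question {number}: weights sum to {total}, not 10")


def is_valid_response(resp: Response) -> bool:
    """Boolean wrapper for callers that just want to filter out bad surveys."""
    try:
        validate_response(resp)
    except ValueError:
        return False
    return True


def question_averages(responses: Sequence[Response]) -> List[Dict[str, float]]:
    """Average A-D weights per question across respondents, the per-question
    view that Figure 6-1 gives for ABLE's first three questions."""
    if not responses:
        raise ValueError("no responses to score")
    for resp in responses:
        validate_response(resp)
    return [
        {letter: mean(resp[i][letter] for resp in responses) for letter in QUADRANTS}
        for i in range(QUESTIONS)
    ]


def culture_profile(responses: Sequence[Response]) -> Dict[str, float]:
    """Aggregate each letter over all ten questions and express it as a share of
    the 100 points one respondent distributes, so the four quadrants sum to 100."""
    averages = question_averages(responses)
    max_points = QUESTIONS * POINTS_PER_QUESTION
    return {
        QUADRANTS[letter]: round(100.0 * sum(q[letter] for q in averages) / max_points, 1)
        for letter in QUADRANTS
    }


def dominant_quadrant(profile: Dict[str, float]) -> str:
    """Name of the quadrant with the highest share (first one wins on a tie)."""
    return max(profile, key=profile.get)


def culture_gap(group_a: Sequence[Response], group_b: Sequence[Response]) -> Dict[str, float]:
    """Quadrant-by-quadrant difference between two groups' profiles, e.g. the
    InfoSec team against a business unit; positive means group_a scores higher."""
    profile_a, profile_b = culture_profile(group_a), culture_profile(group_b)
    return {name: round(profile_a[name] - profile_b[name], 1) for name in profile_a}


def _uniform(a: int, b: int, c: int, d: int) -> Response:
    """Constructed respondent who gives the same A-D split on all ten questions."""
    return [{"A": a, "B": b, "C": c, "D": d} for _ in range(QUESTIONS)]


# Constructed sample data: three InfoSec managers and two business-unit managers.
INFOSEC_TEAM = [_uniform(5, 3, 0, 2), _uniform(4, 4, 1, 1), _uniform(6, 2, 0, 2)]
BUSINESS_UNIT = [_uniform(2, 1, 5, 2), _uniform(3, 1, 3, 3)]


if __name__ == "__main__":
    for name, group in (("InfoSec team", INFOSEC_TEAM), ("Business unit", BUSINESS_UNIT)):
        profile = culture_profile(group)
        print(f"{name}: {profile} -> dominant {dominant_quadrant(profile)}")
    print("Gap (InfoSec minus business unit):", culture_gap(INFOSEC_TEAM, BUSINESS_UNIT))
```

With the constructed data the InfoSec team profiles as Process-dominant and the business unit as Autonomy-dominant, and the gap row makes the conflict over the "C" values visible at a glance.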
SecurityCultureDiagnosticStrategies:CaseStudiesThereareseveralstrategiesforusingtheSCDStodiagnoseandassesssecurityculturewithinanorganizationorbetweenorganizations.Themostobviousstrategyistotakeageneralmeasurementofoverallsecuritycultureacrosstheentireorganization.AnotherstrategyistoadministertheSCDSseparatelytoorganizationaldivisions,allowingforcomparisons,forinstance,betweenthecoreinformationsecurityprogramteamandagroupthathasnothingtododirectlywithsecurity.Thiscanrevealculturalgapsbetweenthosewhoareresponsibleformanagingsecurityandthosewhoareresponsibleforotherbusinessfunctionsthatmaycompetewithsecurity.AthirdstrategyistoadministertheSCDStotwodifferentorganizationspriortoamergeror
acquisitiontodeterminethecompatibilityoftheirsecuritycultures.AfinalstrategyistousetheSCDStoassesshowtoimprovepeople-centricsecuritythroughculturaltransformation.Bymeasuringanexistingsecuritycultureandthenimaginingwhatafuture,improvedculturewouldlooklike,anorganizationcanmapoutdesiredchanges.Thefollowingcasestudiesofrepresentative,butfictitious,organizationswillcovereachofthesestrategies.
ABLE Manufacturing: Measuring an Existing Security Culture
ABLE Manufacturing Corporation is a midsized company, producing both consumer goods that it sells directly and industrial products that it sells to other companies. Family owned and privately held, the company has always tried to foster a close-knit workplace environment. Many employees of ABLE Corp. have worked there for over a decade. ABLE considers itself above average in its use of information technology for its size and industry. Information security has been driven over the years primarily by requirements for PCI DSS compliance, as ABLE processes credit cards directly. The existing InfoSec team is cross-functional, with people from IT and from Internal Audit.
In the wake of recent information security breaches elsewhere, the CIO had become concerned about ABLE’s security posture and thus hired a Director of Information Security (DIS), reporting directly to her. The new DIS previously worked for several companies and had seen firsthand how cultural differences can exacerbate security risks. He persuaded the CIO that many of the incidents that she was concerned about were the result of people-centric failures and not simply technology or process deficiencies. The CIO gave the DIS approval to launch a cultural baseline project to identify potential areas of conflict, and the DIS engaged an SCDS-based assessment of ABLE’s existing security culture. Respondents were a small mix of managers within the CIO’s organization. Figure 6-1 shows a sample of the average scores for the first three survey questions and their associated response rankings.
Figure 6-1 Sample SCDS scores for ABLE Manufacturing Corp.
ABLE’s SCDS responses revealed several things. First, consistently high scores were associated with “A” responses, which are linked to the Process Culture in the CSCF. These scores indicated that centralized management and standard policies and procedures were priority values for ABLE. This came as no surprise to the CIO. ABLE is family owned, with several family members in key leadership positions and on the board. Authority flows from them through a strong chain of command to the entire firm. And being a manufacturing company, ABLE is all about stable, repeatable processes.
It was also unsurprising to those reviewing the results of the SCDS assessment that “D” responses were rated so highly. These responses are tied to the Trust Culture in the CSCF, which emphasizes human development and a sense of community. ABLE employees are encouraged to think of themselves as an extension of the owning family and to expect to share in both success and failure. Mutual respect and support are key company values.
Discrepancies were discovered as well. The “B” response scores, which are aligned with the Compliance Culture, exhibited quite a bit of variance. These responses indicated that ABLE cared about meeting external stakeholder requirements, whether from customers or regulators or both, but was not structured around compliance. Further investigation revealed that audits, particularly PCI DSS audits in the context of security, were the responsibility of specific teams. Generally, ABLE employees were not directly or regularly involved in these compliance activities. The existing security team, however, considered PCI DSS compliance one of its most important responsibilities and had structured itself accordingly.
Another interesting data point involved the perception of security as a hindrance to business operations. Although the “C” response scores, which are aligned with the Autonomy Culture in the CSCF, tended to be low for these SCDS results, the response to Question 3 about security’s meaning and purpose revealed a score over twice as high as the other questions’ “C” response scores. This might indicate a conflict in which people perceive security as less an enabler of the business than a blocker. More exploration was needed to confirm whether such a perception was at the root of that particular score, but it pointed the reviewers in an interesting direction for considering security’s role in the company.
Comparing Different Security Cultures Within ABLE Manufacturing Corp.
As an outcome of the initial pilot SCDS assessment, the Director of Information Security was given permission to expand the project and focus on comparing results from ABLE’s security team members to results from other parts of the company. This would enable the CIO and the DIS to gauge whether there were significant differences in security cultures between those owning and using IT resources and those tasked with protecting them, and then assess whether those differences might result in competing values and create risks for the organization. A sample of these results is shown in Figure 6-2.
Figure 6-2 Comparison of sample SCDS scores for ABLE InfoSec and Corporate
Comparing the results of the SCDS for the ABLE InfoSec team with the results for the rest of the organization showed some immediate value discrepancies that could be indicative of competing cultures within the company. Once again, scores associated with a Process Culture were high for both the information security team and for the corporation as a whole. But interestingly, respondents outside of the security team defined security in terms of processes and policies to a greater extent than the security team did. For your average ABLE corporate employee, when you talked about security, you were talking about security policies and standards, which were the things they were most familiar with. Everyone at ABLE had to go through annual security training, which emphasized the corporate security policies. The results demonstrated the security team had a more nuanced view, one in which security policies and standards are important, but not the totality of ABLE’s InfoSec infrastructure.
Divergent values and cultures were very apparent when it came to compliance and audits. For the security team, if any one thing defined security, it was a successful PCI DSS audit. Much of the InfoSec infrastructure had come about in response to PCI DSS audit requirements. But outside of the security team, compliance with PCI DSS was far removed from the average employee’s mind. Many did not even know what PCI DSS is, other than some sort of audit the organization has to go through and something the information security team is responsible for. The survey results showed that ABLE employees tended not to worry about compliance issues in general, and that the company was not structured in a way that encouraged them to do so. As it turned out, the higher ratings on the initial pilot SCDS assessment were more a reflection of the fact that IT managers were the primary respondents than evidence that a Compliance Culture existed within the company.
Differences in cultural values were reinforced again when the CIO and DIS reviewed the scores for Autonomy and Trust Cultures. The security team often expressed frustration that, even in a process-driven company like ABLE, security often got a lot of pushback over rules and standards. ABLE’s security team tended to be risk averse and viewed exceptions to and deviations from the security rules and standards as creating risk. Although the rest of ABLE’s employees were hardly advocating an “anything goes” culture, given their SCDS responses, nevertheless the corporate culture was much more permissive in the name of business agility than was the security team culture.
The competing values in play within ABLE’s organizational security culture both explained a lot to the CIO and concerned her. It became apparent that the security team culture was different, in some cases markedly so, from that of the rest of the company. In addition to creating political friction, these differing values meant that people responsible for protecting company assets were motivated by very different ideas about what was required to do business successfully. A complete cultural transformation project was not something that ABLE was prepared to dive into immediately, but the results of the assessment convinced the CIO to grant the DIS’s request to significantly increase ABLE’s training and awareness budget so that he could “get the word out” about security and start normalizing relations between his information security team and other ABLE corporate stakeholders.
CHARLIE Systems, Inc.: Comparing Security Cultures of Two Organizations
CHARLIE Systems, Inc., is a technology firm that makes several acquisitions each year. CHARLIE feels strongly about ensuring a cultural fit between the firm and any company that it buys. Corporate culture has traditionally been the primary focus for CHARLIE, but a couple of recent acquisitions have forced CHARLIE to consider how information technology cultures in general, and InfoSec cultures in particular, align as well. The company found out the hard way that an incompatible information security culture in an acquired company can create problems that, had they been foreseen, might have changed CHARLIE’s decision about the deal.
CHARLIE Systems has a CISO who reports to the CIO, and a centralized security infrastructure. The CISO enjoys quite a bit of influence within the company and, after pushing to add security to the cultural assessments that CHARLIE performs as part of its due diligence, she was able to institute an SCDS-based program to collect security culture data on any potential acquisition. The first company against whom the assessment was performed was EZ Company, a small software startup with an innovative online workflow and collaboration product. Sample SCDS results comparing the companies are shown in Figure 6-3.
Figure 6-3 Sample SCDS scores for CHARLIE Systems, Inc., and EZ Company
As you can see, major cultural differences exist between CHARLIE and EZ. The former is a large, established company that has been around for more than 15 years. The latter is a startup of two dozen people that was founded 18 months before the acquisition. Although it has received some venture funding, EZ has always been a close-knit, highly motivated group, most of whom have known each other since college. “Kick ass, take names, have fun” is the company’s informal motto.
Looking at the scores, the CISO is concerned about the cultural differences. Structure and stability are not key values at EZ. Quite the opposite, in fact. Many of the employees wear multiple hats, jumping in and out of each other’s roles as the situation demands. As a result, decision authority has been widely decentralized, and EZ employees have a lot of faith that everyone will do the right thing for the company…and the right thing is building and selling very cool software that people enjoy using.
For the CISO and the executive team at CHARLIE Systems, what is considered the “right thing” is more nuanced. Being publicly traded, CHARLIE has shareholder and regulatory obligations, including SOX compliance. The company is PCI DSS certified and must comply with a broad range of privacy regulations given the business it does in Europe. EZ Company has almost no experience with auditors or compliance, and the SCDS scores reinforce some concerns the CISO has about the way EZ manages its own software development and IT processes. She wonders whether EZ’s developers are going to fit easily into the more formal, centralized development process at CHARLIE, which has multiple controls in place around secure software engineering.
The SCDS scores and the competing values and security cultures that exist between CHARLIE Systems and EZ Company are not necessarily show-stoppers for the acquisition. But the SCDS results do allow CHARLIE’s executives to weigh very real, but much less visible, risks and costs of the deal. Would CHARLIE still think the deal was good if 80–90 percent of EZ’s developers were to quit after finding their new environment too restrictive? And what is the risk that EZ’s prioritizing of cool features over security and privacy implications could lead to a security incident in the product, the company, or for a customer down the road?
DOG: Comparing Existing to Desired Security Culture
The Department of Governance (DOG) is a state agency responsible for overseeing aspects of business operations at other state agencies, particularly concerning contracts management, public-private partnerships, and legal and ethical issues. Like many state agencies, the DOG is bureaucratic, centralized, and risk averse. In an effort to improve communication and efficiency, as well as to attract better employee candidates to the agency, the CIO proposed implementing an IT transformation project, including such innovations as bring your own device (BYOD) and e-government initiatives. To his frustration, the CIO discovered this was easier said than done, as a minor rebellion, led in part by his own information security manager, attempted to block the initiative on the grounds of unacceptable security risks. “No one will be connecting devices we don’t control to this network while I’m here,” the security manager stated pointedly during one of the CIO’s staff meetings. Not long afterward, the CIO and the InfoSec manager mutually agreed that the InfoSec manager’s transfer to another agency was in everyone’s best interests.
The CIO recruited a new information security manager from a local university. The new manager was younger and more supportive of a flexible security environment that balanced security risks with business opportunities. A cornerstone of the effort, the CIO and security manager agreed, would be a two-year cultural transformation initiative. An SCDS assessment was conducted to baseline the existing cultural values held by the security team and to articulate where the organization needed to be in terms of security culture to make the CIO’s desired initiatives, including the BYOD rollout, more likely to be successful. A sample of these current and desired scores is shown in Figure 6-4.
Figure 6-4 Sample of current and desired SCDS scores for Department of Governance
The CIO and security manager both promoted the case for a more balanced set of security values. Neither had any illusions about the bureaucratic and structured environment in which they worked, and they did not want to turn it into a startup culture. But many DOG staff members had expressed a desire for a BYOD program. The goal was to gradually change the way that employees, and particularly those in both information technology and InfoSec, looked at their world. Instead of thinking about risk in a way that made some in the department afraid to embrace change, the DOG culture had to start at least balancing that apprehension with a healthy concern for the risk of not changing at all.
One key area of change would be to move from a security culture that values not giving anyone the ability to make their own decisions to a stronger Autonomy Culture. But loosening the control over individuals in terms of their IT use would require giving them the skills necessary to make better decisions on their own. For this reason, a boosting of the Trust Culture would be necessary as well, which would mean involvement and awareness programs to help everyone become their own quasi-security managers.
By the same token, structure and stability would continue to be a core value for DOG. But the organization would no longer be so heavily weighted toward a Process Culture. Exploring the SCDS results and developing the desired culture revealed that policies and standards were often used simply to enforce the status quo, rather than to enable performance. The CIO wanted to keep the bureaucracy that worked, adapt to the bureaucracy that would prove to be required no matter what he did, and strip away the bureaucracy that was stifling his organization and slowing it down.
The security culture and values work that the CIO and new InfoSec manager performed was not an easy fix that automagically transformed the culture. But by measuring the current state and setting defined goals for a future state of IT and information security values and culture, they were able to articulate a strategy and a plan to DOG leadership that aligned with the goals of making government work more efficiently, more transparently, and in a way that would continue to attract the best candidates to public service in the state.
CHAPTER 7
Creating Culture Maps with the Security Culture Diagnostic Survey
The Security Culture Diagnostic Survey (SCDS) described in Chapter 6 enables an organization to define and measure its information security culture by having respondents assign scores to specific values, assumptions, and norms that align with the four general security culture types of the Competing Security Cultures Framework. The inherently visual nature of the CSCF, with its quadrants and competing value axes, also enables and encourages users of the SCDS to visualize the insights that the SCDS scores provide. The resulting graphical representation makes the insights regarding cultural conflicts and interrelationships generated by the SCDS more intuitive and powerful and provides a great visual tool for exploring and transforming the organization’s information security culture.
This chapter will describe how to use SCDS results to create visual “maps” of InfoSec culture, as well as how to interpret those maps once they are built. Expanding upon several of the case studies from Chapter 6, I will describe how each organization incorporates CSCF visualizations into their SCDS analyses. Mapping security culture against the CSCF is an important component of any effort to facilitate culture change and promote people-centric security within an organization.
Mapping and Visualization Tools
I am not a visualization guru, nor do you have to be to take advantage of the CSCF and the security culture maps you can produce using the SCDS. All culture maps created in this chapter were done using standard office productivity software, specifically spreadsheet and presentation programs. You probably already have access to standard office productivity software, but if you need tools, you have a lot of choices, including open source software from Apache OpenOffice (as well as LibreOffice and NeoOffice) and commercial software from Apple and Microsoft. Of course, for those readers skilled in the visual arts, I have no doubt you can improve upon my humble examples.
Security Culture Maps
I refer to the visualizations of culture created using the SCDS as maps intentionally. Maps are metaphors. Conventional maps help us to navigate physical geography in the “real” world, such as when we search for directions to a recommended restaurant or plan a trip across the country. Other maps enable us to navigate conceptual geographies, such as a mind map to help us navigate our own ideas, or a topic map to formally explore the linkages between bodies or instances of knowledge. Like all metaphors, maps are about describing one thing in terms of something else. The map is not the reality, but it can help us understand that reality better, as long as we keep in mind the assumptions and limitations that go into it. The dot on a map of the United States that has “Austin” written next to it is, of course, not the city I live in. It has absolutely no similarity to the actual city of Austin other than the suspension of disbelief that everyone using the map agrees to practice in order to get something useful out of the shared experience.
The concept of a culture map is about more than just a shared visual metaphor that describes your organization’s security culture. The purpose of a culture map is not only to measure or visualize security culture, but also to change it. Maps imply a journey and a destination, starting in one place and ending in another. Maps help you orient yourself and find the best route to where you want to go. Transforming culture and making your way to a more people-centric security infrastructure is a journey. It will take time and effort, and it cannot be achieved by putting a vendor’s product into your data center any more than you can instantly teleport from New York to San Francisco. But to get from here to there, you’re going to need a guide, a compass, and a map.
Mapping Security Culture Using the CSCF
The CSCF is the starting point for mapping your organization’s unique security culture because it visually represents a general cultural landscape for InfoSec. Unlike a street atlas or a geographical map, though, you don’t point to one place on the CSCF and say “here we are.” Culture in the CSCF is determined by the relative strength of each of the four cultural types within your organization. The closest physical analogy is a bit like standing in Four Corners, the spot in the United States where New Mexico, Colorado, Utah, and Arizona meet. Depending on how you lean, there may be more of you in one state than in another. With the CSCF your organization’s values and assumptions do the “leaning,” and your culture is where you end up, driving the decisions and behaviors you can expect from people. If you are a CISO and you are leaning heavily in one direction while others in the organization are bent over backwards the opposite way, you may find yourself in a different state of mind, if not actual geography. That can be a problem because security risks are often created in the space between cultural priorities. But you may not even notice that everyone thinks differently about InfoSec until you can locate different people, and the direction they are leaning, on the culture map.
Figure 7-1 shows a narrative representation of the CSCF, using the idea of “You are here” that you see on maps located everywhere from malls to national parks. Just like a map that tells you what reference points to look around for to triangulate your own location, the CSCF gives you behavioral reference points that can indicate where your organization is located in terms of control (tighter or looser) and perspective (inward or outward focus).
Figure 7-1 Narrative cultural reference points in the CSCF
While the CSCF can function as a map to orient yourself generally in terms of your security culture, it lacks the specificity of the SCDS as a measurement instrument. If, however, you use the SCDS results to provide coordinates on that map, you can literally draw a better picture of your InfoSec culture, one that gives more insight into improving people-centric security. Culture maps that combine the CSCF and SCDS results accomplish just this goal.
Composition of an SCDS-based Culture Map
Security culture maps are created by superimposing an organization’s SCDS responses on the CSCF visual model. The example security culture maps presented in this chapter are based on the case studies from Chapter 6. Recall that the SCDS gives us a scoring system by which we can associate different responses about the ten organizational characteristics and activities with cultural types in the CSCF. Using these scores, we can judge the relative strength of a Process Culture, for example, against an Autonomy Culture, Compliance Culture, or Trust Culture. By graphing these scores in the context of the CSCF, we can make those comparisons more intuitive and visual to help security teams better articulate cultural risks and help consumers of SCDS findings absorb the results.
Superimposing SCDS Responses on the CSCF Visual Model
While there are many different data visualization techniques, I prefer three basic types for my security culture maps, but data are data and you should feel free to experiment with whatever works best in your organization. Each of the preferred methods I use has its strengths and weaknesses, which I will describe as we move through the following examples. All of the maps are created from the same organizations and results that I profiled in Chapter 6.
The first example of a security culture map is the most complicated, imposing specific SCDS scores as a bar chart onto the general visual model of the CSCF. Figure 7-2 shows a map for the general culture of ABLE Manufacturing Corporation, as defined by the average of all SCDS scores. Responses to each of the ten questions are indexed to align with specific CSCF quadrants. “A” responses indicate characteristics of a Process Culture, “B” responses align with a Compliance Culture, “C” responses imply an Autonomy Culture, and “D” responses correspond to a Trust Culture. By dividing and averaging the four response categories, we can derive an overall score for the organization’s cultural values and the relative strength of each cultural type in the CSCF.
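As an added example, not code from the book or any spreadsheet the author used, the following Python script performs the aggregation described above and in the Chapter 6 data-analysis discussion: it indexes A/B/C/D responses to the four CSCF quadrants, averages them per question and overall, compares two sets of results (InfoSec against corporate, or current against desired), and flags a single question whose quadrant score stands well apart from the rest, as ABLE’s Question 3 “C” score did. The 0–10 scoring scale, the respondent data, and all function names are assumptions made for the example.

```python
"""Aggregate SCDS responses into the numbers behind a CSCF culture map.

Added example, not the book's own code. Assumed (not stated in the book):
each respondent scores each of the four responses (A-D) to each of the ten
SCDS questions on a 0-10 scale. Sample respondents below are constructed.
"""
from statistics import mean

# CSCF quadrant that each SCDS response letter is indexed to (from the book).
QUADRANT = {"A": "Process", "B": "Compliance", "C": "Autonomy", "D": "Trust"}
NUM_QUESTIONS = 10

# One respondent = list of ten {"A": score, ..., "D": score} dicts, one per question.
Respondent = list[dict[str, float]]


def validate(responses: list[Respondent]) -> None:
    """Reject malformed survey data before it silently skews an average."""
    if not responses:
        raise ValueError("no respondents")
    for r in responses:
        if len(r) != NUM_QUESTIONS:
            raise ValueError(f"expected {NUM_QUESTIONS} questions, got {len(r)}")
        for q in r:
            if set(q) != set(QUADRANT):
                raise ValueError(f"each question needs responses {sorted(QUADRANT)}")


def question_profile(responses: list[Respondent]) -> list[dict[str, float]]:
    """Per-question quadrant averages (the 'total responses' view of Figure 7-3)."""
    validate(responses)
    return [
        {QUADRANT[letter]: round(float(mean(r[i][letter] for r in responses)), 2)
         for letter in QUADRANT}
        for i in range(NUM_QUESTIONS)
    ]


def culture_profile(responses: list[Respondent]) -> dict[str, float]:
    """Overall quadrant averages across all ten questions (the Figure 7-2 view)."""
    per_q = question_profile(responses)
    return {name: round(float(mean(q[name] for q in per_q)), 2)
            for name in QUADRANT.values()}


def dominant_culture(profile: dict[str, float]) -> str:
    """Quadrant with the highest average score: 'the way things get done'."""
    return max(profile, key=profile.get)


def compare_profiles(base: dict[str, float], other: dict[str, float]) -> dict[str, float]:
    """Signed gap (other - base) per quadrant, e.g. InfoSec vs corporate,
    or a current culture vs the desired one."""
    return {name: round(other[name] - base[name], 2) for name in base}


def outlier_questions(per_q: list[dict[str, float]], factor: float = 2.0):
    """Return (question number, quadrant, score) wherever one question's score
    is at least `factor` times that quadrant's average on the other questions."""
    flags = []
    for i, scores in enumerate(per_q):
        for name, score in scores.items():
            others = mean(q[name] for j, q in enumerate(per_q) if j != i)
            if others > 0 and score >= factor * others:
                flags.append((i + 1, name, score))
    return flags


def _constructed_respondent(base: dict[str, float], overrides=None) -> Respondent:
    """Build a constructed respondent: same scores on every question, with
    optional {(question_no, letter): score} tweaks."""
    qs = [dict(base) for _ in range(NUM_QUESTIONS)]
    for (q_no, letter), value in (overrides or {}).items():
        qs[q_no - 1][letter] = value
    return qs


# Constructed sample data: two corporate managers (Process-heavy, with a
# raised "C" score on Question 3) and one InfoSec respondent (Compliance-heavy).
CORPORATE = [
    _constructed_respondent({"A": 8, "B": 3, "C": 2, "D": 6}, {(3, "C"): 5}),
    _constructed_respondent({"A": 8, "B": 3, "C": 2, "D": 6}, {(3, "C"): 5}),
]
INFOSEC = [
    _constructed_respondent({"A": 7, "B": 8, "C": 1, "D": 5}),
]


if __name__ == "__main__":
    corp, sec = culture_profile(CORPORATE), culture_profile(INFOSEC)
    print("Corporate:", corp, "dominant:", dominant_culture(corp))
    print("InfoSec:  ", sec, "dominant:", dominant_culture(sec))
    print("Gap (InfoSec - Corporate):", compare_profiles(corp, sec))
    print("Outlier question scores:", outlier_questions(question_profile(CORPORATE)))
```

The printed profiles are what a spreadsheet would feed into the quadrant bar chart, basic bar chart, or radar chart described in this chapter.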
Figure 7-2 General culture of ABLE Manufacturing by SCDS scores
Looking at the culture map in Figure 7-2, you can immediately notice some big differences across cultural values inside of ABLE Manufacturing. The map is top-heavy, indicating that tighter control is an important organizational value. Similarly, the map is heavily weighted in the two left quadrants, which implies more of a focus internally than externally. But the anchor point for both of these observations is the dominance of the Process Culture quadrant. Adding actual SCDS score averages to the map helps a reader understand that the Process Culture scores, on average, are nearly twice that of the next nearest cultural type. ABLE Manufacturing is obviously, according to its SCDS scores, an organization that values stability, centralized control, and standard ways of getting things done. The general scores do not differentiate between how security teams see things versus how the rest of the organization may look at the world. They simply represent the overall culture as determined by the average results of the SCDS.
Suppose we wanted to drill a little more deeply and see just how those averages were attained. We could expand the culture map as shown in Figure 7-3, which provides a representative example of all the responses to the SCDS questions.
Figure 7-3 Total SCDS responses for ABLE Manufacturing
Breaking out the scores by individual responses makes the results more interesting, and the variance shows that no single CSCF quadrant is as monolithic as it might appear judging only by averages. Instead, each quadrant has at least one score that is at odds with the overall result. Process may be the strongest cultural type within the organization, but at least one score is less than half of the average, implying that not every business activity prioritizes centralized, stable operations as a cultural value. Conversely, even the lower-scoring quadrants demonstrate values that are at odds with the dominant trend. Most of the organization’s value scores do not reflect a culture that values nonconformity and flexibility. But in at least one case, the management of technology, the organization is equally balanced between a Process Culture and an Autonomy Culture. Think about the impact on security of an organization that centralizes everything except the ability to control corporate IT systems, which is decided by individual divisions or geographic locations. The competing values between those two cultures could easily create headaches and risks for any security team.
Other Techniques for Mapping Security Culture
Using bar charts in each of the four quadrants is not the only way that we can visualize SCDS results. A more traditional bar chart can quickly show us the scores as a list rather than an overlay of the CSCF. An example of this simplified culture map is shown in Figure 7-4. The simplified chart makes it easy to compare SCDS scores directly, but it loses the visual connection to the CSCF. I often find it useful to combine the two maps, using the simplified chart as a legend to quickly compare scores while showing the quadrant-based map to visualize relative strengths within the cultural types.
Figure 7-4 Basic bar chart for ABLE Manufacturing SCDS scores
One more visualization technique that I find useful for culture maps is pulled directly from the techniques that Cameron and Quinn use to visualize culture. Their Organizational Culture Assessment Instrument produces general organizational culture scores that are then mapped into a radar chart. We can map SCDS scores in the same way, as shown in Figure 7-5.
Figure 7-5 ABLE Manufacturing general culture using radar chart
The radar chart map has the advantage of giving the culture a definite shape, one that is visually intuitive and recognizable. The radar charts look like what we would expect from a map, assigning cultural scores in a way that implies territory within the CSCF model. But radar charts have also been subject to critique over recent years. Some graphing programs and online services do not even offer them anymore as a visualization option. The critiques vary, but mainly revolve around the idea that, while a radar chart can create a powerful visual first impression, it actually tends to make analysis of results more difficult. People tend to be more adept at straight-line comparisons, like the one in the basic bar chart example in Figure 7-4. In a radar chart your eye has to travel around the chart, mapping each data point to the one before it in a way that can be more difficult than when those scores are placed side by side.
Another difficulty I have with the radar chart is that it can take the map metaphor a bit further than I like. The map of ABLE’s general culture in Figure 7-2 is quite clearly a set of survey scores, mapped to the different quadrants of the CSCF. You never lose touch completely with the underlying data. With a radar chart, the temptation is to see a “shape” that the culture takes, instead of a set of answers to specific SCDS questions. Divorced from an association with a survey, a radar-based culture map can try to force-feed too much complexity into a simplistic two-dimensional image. An organization may decide “we look like a diamond, when we need to be a square” instead of thinking about why particular SCDS scores, and the values they reflect, are higher or lower than others and what that may mean for security.
But for all the critique, it is often the radar chart culture maps that I find elicit the strongest response, that ah-ha! moment where an executive or a stakeholder gets it. As a communication tool they can be very useful in pointing out and communicating the essence of competing values. In Figure 7-4, it’s hard not to notice that the culture skews sharply toward Process, with the values of the other three cultural types having much less influence over the enterprise. A more specific or precise culture map that fails to make as much of an intuitive impression may end up failing in its central purpose, which is to show where the organization is (You are here!) and give it a better idea of where it might want to be.
“When Should I Use Each Type of Map?”
There is no one right way to present the results of a cultural measurement exercise. The best way to do it is the way that works the best to stimulate thought and action. What is most important is to realize the key strengths and weaknesses of each technique and to pick the right tool for the right job. If you are the Security Awareness Manager and you’ve got five minutes out of a two-hour meeting to get senior management’s attention, you might very well decide that a radar-based culture map is the way to go. If you are the CISO tasked with transforming security culture, the idea that you’re going to make your culture “more symmetrical” is probably less useful than figuring out how to influence specific SCDS responses by changing values within the organization.
Given the introductory nature of this book, I will rely heavily on radar charts throughout this chapter and others. They are the easiest way to quickly convey a cultural “shape” that gets the point across. But when it comes time to operationalize culture into measurable activities, it will always be necessary to fall back on SCDS scores. The “shape” of your culture only changes when people give different responses to the SCDS, reflecting different opinions about the organization. The only way to accomplish that is to transform the values that people hold about how your organization should manage itself, its behaviors, and its InfoSec strategies and activities.
Data visualization is a science and an art unto itself, and you should always keep in mind that the specific techniques I present in this book or that other researchers or practitioners have developed are just a few of the options available to you. You may develop a completely novel (and maybe even strange) way of mapping security and organizational culture using the SCDS data, and I encourage that if it works within your unique context and environment. How an organization visualizes the existing culture can itself be dependent on that very culture. Feel free to experiment, and let me know if you come up with something especially good!
Mapping Specific Values and Activities
All the preceding examples have focused on the general information security culture of ABLE Manufacturing, as defined by the aggregate scores resulting from a company-wide SCDS assessment. But we got a hint in Figure 7-3 that we have uncovered some interesting patterns and discrepancies in the results. An organization’s culture, including its security culture, is the product of many different values and activities. These are reflected in the ten questions of the SCDS. How an organization views information and how that same organization views risk, to use two examples, are probably separate sets of values and assumptions about what is important. Both contribute to the overall organizational culture, and both drive activities and decisions that impact security. But they often function as conceptual silos, except in the minds of people who like, or are paid, to think about the intersection between information use and business risk.
It can be very useful to visualize not just general culture, but specific cultural values. These values can then be compared directly. Building a culture map around specific SCDS results is no more difficult than building one for general culture. Figure 7-6 shows all three maps for the average score resulting from responses to SCDS Question 3, “What does security mean?”
Figure 7-6 Culture maps for single ABLE Manufacturing SCDS response score (“What does security mean?”)
Mapping single responses is useful when analyzing and interpreting specific traits in the context of the overall culture. It can help identify competing values that may lead to risk. It is also useful in fine-tuning a cultural transformation program by allowing the organization more precision in terms of identifying behaviors, norms, and assumptions to target, and the measurement of the resulting changes.
Interpreting and Comparing Culture
People who make or use maps and visualizations have concerns that may be aesthetic (ugly maps are less useful) as well as functional (less useful maps are less useful). You create a map to help you accomplish something, to get somewhere you want to go. Creating the map is the first step of this process. Reading it, interpreting it, and using it to figure out where you are, where others might be, or to plot a course from here to there comes next. Culture maps serve these orientation and navigational purposes, too. Once you have visualized the SCDS data to graphically represent your organization’s cultural attributes and values, it’s time to put those visualizations to use in improving and transforming your security culture.
Interpreting SCDS Results
Looking at the culture map in Figure 7-2, we see the general culture as defined by ABLE Manufacturing’s SCDS responses. What do the scores and their associated visualizations tell us? How do we use the maps to craft a story about ABLE’s cultural values and to decide what, if anything, needs to be done to change them?
Dominant Culture: The Way Things Get Done
ABLE Manufacturing cares a lot about stability and standards. That much is obvious from the SCDS scores, which consistently rate organizational behaviors associated with a Process Culture more highly than any other cultural attributes. ABLE does, of course, exhibit other cultural traits. Compliance-related behaviors are important, as are behaviors and values associated with community and fostering a people-friendly workplace. ABLE even exhibits a bit of an Autonomy Culture, in some cases allowing freedom and independence rather than requiring adherence to strict rules. But if we were asked what is the dominant culture within ABLE, the answer would have to be Process.
A Process Culture makes sense for ABLE, a private manufacturing company, where consistency of production and standard levels of product quality are highly valued by the business. ABLE manufactures relatively few things and believes that it does so very well. The ownership structure of ABLE keeps the hierarchy and organizational chart stable over time, with clear lines of power back up to the family members at senior levels of management and the board.
When performing a cultural diagnostic exercise, identifying one or more dominant cultures is a good first step. The dominant culture tends to drive behavior, to define the organization’s core beliefs, and to provide an anchor point against which divergence from that culture can be compared. If organizational culture can be defined as “the way we do things around here,” then the dominant culture represents the most likely way that things will get done. There will always be exceptions, but the more dominant a particular cultural type is within the organization, the more glaring are the deviations from it when they do occur. We have explored in previous chapters how organizational culture becomes invisible, functioning below the surface of our observable behaviors. When things seem to be going right, when everything is moving smoothly and as expected around us, we seldom think to ask “why did you do that?” Decisions seem natural, in accordance with our assumptions about how the world works. It’s only when something or someone challenges those assumptions that we find ourselves conscious of them.
Cultural Conflict: "You Can't Do That Here..."

Consider the case in which a new marketing manager is hired into ABLE, tasked with updating the company brand and making ABLE's products more attractive to younger consumers. Arriving her first week to go through company orientation, the manager is surprised to find that she will be issued a corporate standard laptop computer running Microsoft Windows.

"But I'm an Apple user," the new manager says. "I'd like to have a Mac as my work computer."

"Sorry," the IT representative tasked with getting her set up replies, "we standardize on Microsoft products. You can't have a Mac."

"Well, I'll need to use my personal Mac for some work things," the manager replies. "How can I get it connected to the corporate network?"

"You can't," the IT technician repeats, a bit horrified. "That would be an enormous security violation."

"Well, I need an exception," the manager says, now annoyed. "I can't do my job using only a Windows machine."

"You better figure out how," the tech tells her, sort of amazed at how arrogant this new employee is proving to be. "You can't just connect anything you want to our network because you decide you need it."

ABLE's technician and newly hired manager have both just been given a lesson in cultural conflict, one that was disconcerting to both of them. The differences between their assumptions and values may even result in negative impacts on ABLE. If the marketing manager is not just exaggerating and really does need to use a Mac to be fully productive, then the company will suffer when she is not able to do the job ABLE hired her to do because of a bureaucratic requirement. She may even decide to quit altogether, or may be tempted to use her personal technology devices in violation of the company security policy, which is exactly how unmanaged devices end up handling corporate data outside the controls the policy assumed were in place. ABLE's processes may actually get in the way of the company's ability to execute on its own goals and objectives.

This sort of conflict happens every day in organizations around the world. People realize the world doesn't quite work the way they assumed it does and are surprised when behaviors they consider strange and bizarre prove to be routine and normal to others. The experience can be awkward and uncomfortable, but shaking ourselves out of our own complacency is often the only way to grow and improve, both individually and as organizations. Using cultural measurement and evaluation tools like the CSCF and the SCDS can help shine a spotlight on these differences in a methodical and controlled way, giving the organization better visibility into its own nature.
Cultural Intensity

Cultural intensity is the degree to which a particular cultural type operates within the organization. When one cultural type is significantly more intense than the others, as in the case of Process Culture in ABLE Manufacturing, that culture is dominant. But not every organization has a dominant culture as intense as Process is at ABLE. The case study of CHARLIE Systems, Inc., from Chapter 6 is an example. Looking at the radar chart in Figure 7-7, CHARLIE's organizational culture is less weighted in any particular quadrant, with no single average score more than twice the intensity of any of the others.

Figure 7-7 General culture for CHARLIE Systems, Inc.

Cultural intensity provides clues as to how the organization will behave in everyday operations, as well as when facing particular situations or events. The strength of feeling that goes into individual SCDS responses can be a proxy for the intensity of the underlying values that will drive people's decisions and influence how they make choices. Where a cultural type is more intense, you can expect to see the organization adopting strategies that prioritize those shared values and assumptions. In ABLE Manufacturing, one would expect to see people falling back on policies and processes when making decisions, asking themselves, "What do the rules say I should do?" When decisions to bend or break the rules are made, they are likely to be seen as exceptional behaviors, maybe even defined through formal exception processes and procedures.

In CHARLIE Systems, we would expect to see more influences on behavior than just the processes in place within the company. For CHARLIE, Compliance is a cultural trait nearly as strong as Process. Recall that CHARLIE is a publicly traded tech company that must also undergo regular PCI DSS audits. This means that CHARLIE must look outward as much as it looks inward. Policies and processes are important to the company, particularly in that they support audits and compliance efforts. But company standards do not drive external verification. Quite the opposite. If external audit requirements change, for instance because a new law requires additional regulatory oversight of publicly traded companies or PCI DSS is updated, CHARLIE's internal policies will follow suit, even if it means changes to internal behaviors that affect the existing bureaucracy.
Cultural Anomalies and Disconnects

Mapping also allows us to quickly explore cultural differences that may need to be harmonized to improve people-centric security. The engine of the Competing Security Cultures Framework is the idea that conflicting organizational values tend to produce security and performance risks. Only by identifying and deconflicting these competing values will we eliminate those risks. Culture maps can help pinpoint such discordant cultural traits in a way that is easily understood by the stakeholders who will be responsible for making cultural transformation happen.

Looking at another example from ABLE Manufacturing, Figure 7-8 shows the culture maps for three different organizational activities: management of operations, control of information, and the way that security is understood within the company.

Figure 7-8 Competing cultures inside ABLE Manufacturing

Looking at the three activities, we can see that each is more or less dominated by a different cultural type within the organization. Operations are managed according to the highly process-oriented culture that is inherent to ABLE. Information, however, is controlled most intensely using values and assumptions that are associated with a Trust Culture, where user empowerment, collaborative sharing, and transparency are the key priorities. In such an environment, we would expect to see behaviors regarding information governed less by formal rules and standards and more by the notion that information is a resource to be shared among people who rely on one another to do the right thing with it. So immediately, we have two sets of values that could create opportunities for competition and conflict.

Compare the control of information and the management of operations with the meaning of security inside the company. ABLE thinks about information security primarily in terms of a Compliance Culture, even though Compliance is not a core cultural trait generally within the company. On inspection, this is not as surprising as it may first seem. ABLE's introduction to IT and information security came primarily through PCI DSS requirements, and meeting those audit requirements has been part of the security team's DNA since inception. In many ways, ABLE associates security with audit and PCI DSS, both within the security team and outside of it. As long as PCI DSS certification is maintained, the company feels successful and secure.

Now consider the ramifications of an organization where managing operations, controlling information, and information security all mean different things to different people, some of whom may not consider those functions directly related. Depending on your own organization, this scenario may not be difficult to envision. We tend to treat different things differently, and it takes an effort to deliberately link them. ABLE Manufacturing certainly thinks about information management in the context of PCI DSS. However, managing information is not the same thing as managing PCI DSS certification. Different assumptions and values govern the two activities. It is through these differences that risk can develop.

Think of the example of information classification. PCI DSS requires a basic level of data classification, meaning ABLE must at least be able to identify cardholder data and the systems that store, process, or transmit it. But even assuming that cardholder data is identified and protected, how can ABLE be sure that other types of data are protected? How can the company know for sure that, in certain situations, Compliance Culture values around protecting information will not be superseded by Trust Culture values? The short answer is, it can't. There will always be scenarios where the value of Trust goes head to head against the value of Compliance, and given that both cultures are almost identical in intensity, it's hard to say which will win out. But we can predict that if cardholder data is compromised somehow, it is quite likely the person responsible will believe that they had made the right decision at the time, given the company's culture.
Comparing Cultures

Beyond interpreting the culture map to identify how organizational values and behaviors can affect security, we can also use our maps to help compare cultures. Extending the case studies discussed in Chapter 6, we will use culture maps to make our comparisons more visual and intuitive.

Comparing ABLE Manufacturing's Security Employee and Nonsecurity Employee Cultures

Previously, we compared the SCDS scores of ABLE's security team and the scores of the company as a whole. These scores reflected that members of the security team viewed ABLE's security culture differently than the rest of the company viewed it. If we take the responses to the first SCDS question, "What's valued most?" and create a culture map from the scores, we get the map shown in Figure 7-9. The solid line represents the responses from the security team, while the dashed line shows those from outside the security team.

Figure 7-9 "What's valued most?" responses of ABLE security employees compared with those of nonsecurity employees

This map illustrates an agreement between security and nonsecurity members of the organization regarding the importance of Process-related values. But it also shows that in other cases, the security team subscribes to different values than employees elsewhere in the company do. For security team members, Compliance-related values are every bit as important as standardized, stable policies and central control. For the rest of the organization, these values are not prioritized at all in comparison. Instead, ABLE employees outside of security see Trust-related values as key priorities, while the security team rates these values much less intensely.

So how can ABLE Manufacturing interpret these results? Knowing, as we do now, a bit more about the company, the scores make sense. ABLE grew as a community, a close-knit firm that valued people as an extension of the owners' family. That feeling is baked into the corporate fabric. Only later, in the face of a regulatory requirement, did security become important. As employees were hired in or trained to manage PCI DSS compliance, security evolved into a specialized function with a specific mission. Values changed, at least in the context of what different cultures within ABLE considered most important on a daily basis.

Knowing these differences makes it easier to spot trends and formulate plans of action to improve people-centric security. The silo in which the security team functions begins to make a bit more sense, as does the frustration that team feels when the rest of the company pushes back on initiatives or requirements the team feels are necessary for successful security and compliance. By comparing these competing values, it becomes possible to formulate plans of action to increase awareness, promote specific values, and transform ABLE's security culture.
Comparing DOG's Current Security Culture to Its Desired Security Culture

The next example compares the current culture of an organization to the culture it wants or needs to cultivate. The Department of Governance profiled in Chapter 6 had decided cultural transformation was necessary to achieve the agency's long-term strategic goals. The CIO and his security manager wanted to transform an overly bureaucratic and risk-averse culture into something more balanced. Figure 7-10 translates this strategy into a culture map.

Figure 7-10 Department of Governance security culture transformation strategy

Using culture maps to express SCDS results visually can help stakeholders in a cultural transformation effort to more easily express concepts, comparisons between values and cultures, and strategies for change and improvement. It is important to always keep in mind that these maps are metaphors, necessary simplifications that make it easier to compare very complex organizational behaviors and interactions. The pictures they provide mean nothing without solid underlying data, in this case, the responses and scores collected through the SCDS.

CISOs, security awareness managers, and any member of an organization concerned with or responsible for managing and changing human security behaviors must strike a balance between oversimplification and scientific rigor. A picture can be worth a thousand words, but a rhombus alone is not going to enable you to do much to create functional, people-centric security. The next chapter will discuss methods for giving your cultural assessment projects the best chance for success.
CHAPTER 8

Implementing a Successful Security Culture Diagnostic Project

We've covered a lot of territory in this part of the book, including a framework (Chapter 5) and a survey (Chapter 6) for measuring an organization's information security culture, and security culture maps for visualizing and communicating the survey results (Chapter 7). As you've read, you can interpret the data collected from such measurement projects not only to understand where your security culture is today, but also to determine where you want your security culture to be in the future. But one question still remains: how does an organization actually perform a security culture assessment? This chapter tackles that question, discussing how you can get support for diagnosing your organization's security culture, how to execute a security culture diagnostic project, and where to go next with your results.

Getting Buy-in for the Security Culture Diagnostic Project

Recall the Chapter 3 discussion of the correlation between organizational culture and organizational performance. The research evidence is pretty strong that an organization's culture impacts its performance. If we accept that evidence, then we accept that the performance of an organization's security culture, its relative strength or weakness in certain areas, has some effect on the organization's security performance. Most security professionals I know find this notion intuitive, even if they don't know exactly how to measure or articulate culture's effect on security.
Direct Benefits of Security Culture Improvement

When I talk about improving InfoSec culture, I mean a couple of specific things. First, improving security culture necessarily includes increasing the organization's understanding of, and visibility into, how its culture works. You cannot improve something that you have no ability to measure in the first place. No matter what your culture is today or how you define improvement, making the culture that exists below the surface visible to those above is a first requirement. Sales cultures, ethical cultures, even the cultural aspects of language and social communication, can vary between enterprises and within them, and security is just one of these many variations. When I talk about increasing cultural visibility, I mean learning to measure and analyze the security culture to a level where you know enough about it and how it works to make changes that will stick, and that you can demonstrate have stuck.

Second, improving security culture means improving the way that information security competes with other values existing inside the organization. That doesn't always translate into security being the most important consideration in every decision. But the reality today is that security often loses out in decisions when the decision makers are far removed from the people who are directly responsible for security. When making decisions, top of the mind tends to be top of the list, and security can find itself drowned out when many different stakeholders are involved. Improving security culture is about raising security awareness and not just about specific decisions like whether or not to click a link in a fishy (phishy?) e-mail. The end goal of security awareness programs is more than just rote behavior. It's really mindful security, a state in which security awareness is so much a part of the flow of organizational activity that people think about security even when making decisions that they have not been specifically told are security related.

Increased Security and Efficiency

When security is part of everyday decision making across an organization, then good security practices have a much better chance of permeating more of the organization's activities. And as more activities are performed in a secure way, or at least in less insecure ways, overall security within the organization will increase. This is nothing more than a fancy way of talking about habit. Security works better when it is performed as habitual behavior, rather than as something that requires forced, conscious consideration. And culture is, at the core, the sum total of more-or-less habitual thoughts and behaviors existing within and among the organization's members. Improve the culture, improve your habits, and you cannot fail to improve information security.

Efficiency is increased in regard to security when cultural improvements remove friction and conflict resulting from cultural competitiveness. Think of how much time and effort have been expended within your organization while security stakeholders fight, negotiate, and compromise with other business stakeholders to balance their mutual interests. Some of this tension is the result of legitimate differences in opinion over the risks and opportunities presented by differing strategies and operational necessities. But a lot of it, in my experience over the years, boils down to competing cultures and the competing values and priorities that they spawn. We do things this way, you do things that way, and never the twain shall meet. Cultural improvement means cultural outreach, the ability to explain not only what you do, but why you do it. And when stakeholders have that level of visibility, the potential for more evidence-based management opens up huge opportunities to eliminate waste. Even in a worst-case scenario, where there are legitimate cultural impasses, at least the organization will know what it's dealing with and can appeal to a more powerful arbiter for resolution, saving everyone time and heartburn.

Reduced Risk and Costs from Incidents

The most enticing potential outcome for security culture improvement, particularly in today's environment of highly publicized security breaches, is for transformation to actually prevent or reduce the number and severity of security breaches. CISOs, and lately all of the leadership, are looking for any solutions that can help them to curtail security breaches. Process and technology will always be crucial components of any security solution, but people and culture represent perhaps the greatest heretofore untapped source of information security value left. Information security professionals have done so little historically with respect to the people aspect of security that it doesn't take much effort to start seeing returns.

The growing visibility and clout of security training and awareness programs is evidence of more progressive organizations' attempts to leverage cultural resources to improve security and reduce risk. I have devoted much ink earlier in the book to emphasize the role of security awareness professionals as the "tip of the spear" when it comes to security cultural transformation. But we still have a long way to go. The quality of security awareness programs varies a great deal. I have seen phenomenal programs that actually "move the needle," as Lance Spitzner likes to say, and I have seen programs that do little more than pay slide-based lip service to awareness as a means of meeting a compliance requirement. The former represent true improvement strategies. The latter do not, plain and simple; they may check a box, but they don't move any needles.

Organizations that really want to leverage security culture and awareness as a means to reduce risk and costs need to do much more... impact more decisions and win more hearts and minds to the cause of security. But CISOs and security professionals still struggle with the question: How do I show that linkage between security culture and security performance? How do I demonstrate that directly addressing our organization's security culture is worth the money and time for a diagnostic project?
Estimating the Financial Impact of Security Culture

The best way to make a case that a security culture diagnostic project is worth the cost is to show how much impact cultural improvement can have on the organization's bottom line. We can begin to show the value that stronger InfoSec cultures bring by creating a basic model of security culture impact on the likelihood and cost of security incidents. In other words, we can show senior management just how much a weak security culture might cost them.

The case study presented in the following section uses a basic probabilistic model, called a Monte Carlo simulation, to estimate the financial impact of different security cultures within an organization. Monte Carlo simulations are used widely in industry for estimating all kinds of risk, from financial performance to the likelihood of project failures. They are less commonly used in information security in my experience, although I've introduced a few companies to them during my professional travels. At a high level, I will make some assumptions about security culture and the likelihood of security incidents, build a set of scenarios that incorporate those assumptions, and then test those scenarios statistically by simulating them repeatedly. The outcome of the simulation will show the expected results of a security culture's impact on an organization's losses from security incidents.

Monte Carlo Simulations

Monte Carlo techniques emerged out of World War II and the efforts to create the first atomic bomb. The scientists working on the Manhattan Project named their models after the famous European casino in Monaco, and used them to estimate the probabilities of the random behaviors of subatomic particles in the weapons they were building. Monte Carlo techniques took advantage of statistical analyses and the availability of electronic computers capable of doing more sophisticated calculations more quickly than the existing manual methods.

Put simply, Monte Carlo models function by allowing people to repeatedly simulate events about which they know certain things, such as a set of possible outcomes and the likelihood of each of those outcomes. A good example is the outcomes from rolling two six-sided dice. Assuming the dice are fair, the probability of rolling a 7 is known: 6 of the 36 equally likely combinations sum to 7, so the probability is 1/6, or about 17 percent. But how could we test whether 7 really comes up once out of every six rolls? One way would be to roll two dice 100 or 1,000 or 10,000 times and record the result of each scenario (the rolling of two dice). After all those repeated scenarios, we would expect the number of 7s we rolled to approach 17 percent of our total rolls. Rolling dice thousands of times, however, is not something most people have time to do outside of Las Vegas. But those parameters can be plugged into a computer to have it randomly simulate rolling dice, which would be much faster and achieve the same result. That's a Monte Carlo simulation.

There are many tools available for doing Monte Carlo simulations, and a full discussion is beyond the scope of this book. You can build simulations directly using spreadsheet programs like Microsoft Excel or OpenOffice Calc, although this can take some manual effort. There are also plenty of free and commercial add-ins and applications for doing simulations. An Internet search for Monte Carlo tools will return many options you can explore to get started. I tend to use a variety of these tools, depending on what I want or need to accomplish.

Before we begin our case study, we need to say a word about assumptions. In any good model, including our Monte Carlo simulation, assumptions are made explicit. You should state your assumptions up front, the same way a researcher should define her hypothesis before she conducts an experiment. Models are simplifications that contain uncertainty, and only by acknowledging what assumptions we have made in building the model can we expect others to take the outcomes we predict seriously. Stating our assumptions openly and transparently gives everyone a chance to understand the uncertainty involved in our estimates, to identify things we might have missed or gotten wrong, and to suggest new data or changed assumptions that can make the model better.
Case Study: FOXTROT Integrators, Inc.

This case study simulates how a weaker or stronger security culture affects the potential financial losses from security incidents at a hypothetical company, FOXTROT Integrators, Inc. Like all the other example organizations discussed in this book, FOXTROT's security culture and values compete with the cultures and values of other stakeholders and other business imperatives. What we want to know is, if FOXTROT's information security culture were to compete more effectively within the organization, would FOXTROT's security improve?

Assumptions

To build the probabilistic model for this case study, I need to make a few assumptions. They are not blind guesses, or tricks, but rather just the ground rules that describe how I think the real FOXTROT operates. If I had empirical, historical evidence, then I could use it to fill in some of these blanks. Otherwise, I must make a best judgment estimate. In this case, that doesn't necessarily limit me. I'm not trying to convince anyone exactly to what extent cultural change specifically impacts security performance. I'm simply trying to make the logical case that the strength or weakness of a security culture does impact security performance.

My first assumption has to do with the outcome of the model, namely that the amount of money that security incidents are costing FOXTROT is a good proxy for how well information security works within the company. If the simulation shows that a stronger security culture reduces security incident-related financial losses, that is the same thing as saying information security is improved in the context of the case study. Someone might debate that assumption, but that's the power of making your assumptions explicit. The argument becomes more concrete, focused on the merits of the model and how it can be made more accurate.

My second assumption is about information security-related decisions. I assume that FOXTROT, as an organization, makes a decision with potential security impact about once a week. I don't specify what this decision is. It could be a team decision about which new software to implement or a decision by an individual developer, like Clara from Chapter 2, about whether to complete a security review. It might be an employee deciding whether or not to open an unfamiliar e-mail link or attachment. The point is that any of these decisions has the potential to cause a security incident. Whether or not an average of 52 decisions per year is realistic is immaterial here. Remember, I'm trying to establish a correlation, not a specific number. I only need to be specific about the nature of the decisions: that each one has the potential to cause a security incident. It's unlikely that the number will stay static, year in and year out. So in addition to the average of 52 decisions, I will assume that the number of decisions each year follows a normal, or bell-shaped, curve. And I will assume that the number of events each year exhibits a standard deviation of 5 decisions, which simply means I can be pretty confident that FOXTROT will make somewhere between 42 and 62 security-impactful decisions in any given 12-month period.

My third assumption is that the strength of an organization's information security culture influences how security-related decisions are made. When security culture and priorities are forced to compete with other organizational cultures and priorities, security may or may not prevail depending on how weak or strong the security culture is within the organization. If the security culture is weak, security will lose out in these contests more often. When security fails to overcome competing priorities, decisions will be made that are bad for security, although they may be good for other stakeholders. In the case of Clara the developer from Chapter 2, her decision to prioritize project completion over security review completion represented a bad security decision, one that could lead to an incident. If security culture is strong, decisions that favor security over other priorities will be made more frequently, and other stakeholders may have to compromise. These good security decisions reduce the chances of an incident.

Table 8-1 lays out the assumptions I have made so far for this case study.

Table 8-1 FOXTROT Security Decision Model and Assumptions

Scenarios

The next step in the case study is to consider how the strength of the security culture influences whether bad security decisions get made. To accomplish this within the model, I have hypothesized three levels of security culture: weak, moderate, and strong, each with its own set of assumptions. Strength of the security culture may be a function of the organization's training and awareness program, or it may be because the organization operates in a highly regulated or highly sensitive industry. Whatever the root cause, the strength of the security culture is defined as how often a member of the organization will prioritize security when making a decision, even when faced with a competing cultural value. This strength is a measure of how well security competes with other cultures in the environment. When security is put first in the decision, security wins in the model. Table 8-2 lists the three levels of security culture strength based on this definition.

Table 8-2 Levels of Security Culture Strength
The "68-95-99.7 Rule"

In the FOXTROT example, I am confident that the actual number of security-impactful decisions in a given year is somewhere between 42 and 62. I have this confidence because of a statistical guideline known as the "68-95-99.7 Rule," also sometimes called the "three sigma" rule. In statistics, standard deviation is a measure of the dispersion of data, symbolized by the Greek letter sigma, σ. Assuming a normal distribution, data values are distributed symmetrically around the mean, thinning out as one moves away from that value, and distance from the mean is measured in standard deviations. A general rule of thumb is that 68 percent of values will lie within one standard deviation of the mean, 95 percent of values will be within two standard deviations, and 99.7 percent within three standard deviations. In the case of FOXTROT, the mean is 52 decisions and the standard deviation is five, so the range 42 to 62 is the mean plus or minus two standard deviations, and I can be reasonably confident that it will contain the actual number of security-impacting decisions 95 percent of the time. The following illustration depicts the 68-95-99.7 rule in a normal distribution.

(Courtesy of Dan Kernler with permission granted under the terms of the Creative Commons Attribution-ShareAlike 4.0 International license, http://creativecommons.org/licenses/by-sa/4.0/legalcode)

The case study scenarios are almost complete. All I need now is to define my assumptions about how often security incidents will take place and how severe they will be. I assume the chance of a security incident resulting from a bad choice will be similar to the chance in a coin toss. Without hard data either way, I assume that, on average, FOXTROT will see a security incident result from 50 percent of its bad security choices, give or take a bit. For any single information security incident, I estimate that FOXTROT's minimum loss will be $10,000. I also assume the company will lose no more than $5 million on any one security incident. These are both extreme values, however, and I assume that the most likely cost per incident will be a quarter of a million dollars.

Table 8-3 lists these assumptions.

Table 8-3 Likelihood and Severity of Security Incidents Resulting from a Bad Security Decision
Testing the Scenarios

I now have all the components of a model that I can simulate using a Monte Carlo analysis. I can plug all these assumptions into my simulation and then "run" the scenario a couple hundred times, each run simulating a hypothetical year of total financial losses from all information security incidents FOXTROT experiences. Similar to the example of throwing dice discussed in the "Monte Carlo Simulations" sidebar, I can aggregate and average all the simulated annual losses to show the most likely annual losses FOXTROT will experience from security incidents given the strength of the company's InfoSec culture. Figure 8-1 shows the results of this simulation, including the likely minimum, average, and maximum annual losses from security incidents at FOXTROT, based on whether the company has a strong, moderate, or weak information security culture.

Figure 8-1 Monte Carlo simulation results of FOXTROT annual security incident losses by security culture strength

The results of the simulation are pretty remarkable, and they show that security culture has a definite impact on how much FOXTROT is likely to lose each year from security incidents. As the strength of FOXTROT's security culture increased in the model, the overall losses from security incidents went down. If you accept the assumptions of the model, this makes sense. A stronger security culture means that every security-related decision is more likely to favor security over a competing cultural value, resulting in a good security decision instead of a bad one. The fewer the bad security decisions being made, the lower the likelihood that a decision will contribute to a security incident and cause losses for the organization.

The model allows for a wide range of possible outcomes. Not every year will bring catastrophic security incidents and huge losses. Even assuming a weak security culture, sometimes FOXTROT will get lucky and may not lose much more than it would have if a stronger culture had been present. But as bad security decisions pile up, so do the costs of a weaker security culture. The effect of security culture on average losses amounted to multimillion dollar differences. And in the case of a strong InfoSec culture, the model estimated that the maximum annual losses incurred with a strong security culture were millions of dollars less than the average losses experienced with a weak security culture.
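The FOXTROT model described in this section, written out as an added Python example; this is not the book's own spreadsheet or the author's simulation, and it needs only the standard library. It uses the assumptions stated on the page: 52 security-impactful decisions per year with a standard deviation of 5, a 50 percent chance that a bad decision becomes an incident, and per-incident losses of $10,000 minimum, $250,000 most likely and $5 million maximum. Two things are this example's own assumptions rather than the page's: the per-incident loss is drawn from a triangular distribution over those three values (the page gives the values but not the shape), and the "security wins" probabilities of 25, 50 and 75 percent for weak, moderate and strong cultures stand in for Table 8-2, which is not reproduced on the page. The same block also runs the two-dice check from the "Monte Carlo Simulations" sidebar and the 42-to-62 range check from the 68-95-99.7 sidebar, so one script covers all three passages.

```python
import random
from statistics import mean

# Assumptions taken from the FOXTROT case study (Table 8-1 and Table 8-3).
DECISIONS_MEAN = 52         # security-impactful decisions per year, normal distribution
DECISIONS_SD = 5            # standard deviation of that yearly count
P_INCIDENT_GIVEN_BAD = 0.5  # coin-toss chance that a bad decision becomes an incident
LOSS_MIN = 10_000           # minimum loss per incident
LOSS_MODE = 250_000         # most likely loss per incident
LOSS_MAX = 5_000_000        # maximum loss per incident

# Table 8-2 is not reproduced on the page; these "security wins" probabilities
# for each level of culture strength are this example's own assumption.
CULTURE_STRENGTH = {"weak": 0.25, "moderate": 0.50, "strong": 0.75}


def dice_sevens_fraction(rolls, seed=0):
    """Sidebar check: fraction of two-dice rolls that sum to 7 (expected 1/6)."""
    rng = random.Random(seed)
    sevens = sum(1 for _ in range(rolls)
                 if rng.randint(1, 6) + rng.randint(1, 6) == 7)
    return sevens / rolls


def decisions_this_year(rng):
    """Draw one year's decision count from N(52, 5), rounded and floored at zero."""
    return max(0, round(rng.gauss(DECISIONS_MEAN, DECISIONS_SD)))


def fraction_within_two_sigma(years=10_000, seed=0):
    """68-95-99.7 check: share of simulated years with 42..62 decisions (about 0.95)."""
    rng = random.Random(seed)
    inside = sum(1 for _ in range(years) if 42 <= decisions_this_year(rng) <= 62)
    return inside / years


def simulate_year(rng, p_security_wins):
    """One simulated year: total loss from incidents caused by bad decisions."""
    total = 0.0
    for _ in range(decisions_this_year(rng)):
        if rng.random() < p_security_wins:
            continue  # security won this decision: no incident possible
        if rng.random() < P_INCIDENT_GIVEN_BAD:
            # Loss per incident: triangular over the min / most likely / max
            # values of Table 8-3 (the triangular shape is an assumption here).
            total += rng.triangular(LOSS_MIN, LOSS_MAX, LOSS_MODE)
    return total


def simulate_annual_losses(p_security_wins, years=1000, seed=0):
    """Run many simulated years and summarize min, mean and max annual loss."""
    rng = random.Random(seed)
    losses = [simulate_year(rng, p_security_wins) for _ in range(years)]
    return {"min": min(losses), "mean": mean(losses), "max": max(losses)}


def compare_cultures(years=1000, seed=0):
    """Figure 8-1 as numbers: one summary per culture strength, same seed for each."""
    return {name: simulate_annual_losses(p, years, seed)
            for name, p in CULTURE_STRENGTH.items()}


if __name__ == "__main__":
    print(f"two-dice sevens over 10,000 rolls: {dice_sevens_fraction(10_000):.3f}")
    print(f"years with 42..62 decisions:      {fraction_within_two_sigma():.3f}")
    for name, summary in compare_cultures().items():
        print(f"{name:>8}: min ${summary['min']:>12,.0f}  "
              f"mean ${summary['mean']:>12,.0f}  max ${summary['max']:>12,.0f}")
```

Running the script prints the minimum, mean and maximum annual loss for each culture level. Two caveats for anyone presenting such numbers to management. First, the loss reduction is built into the third assumption, so the simulation sizes the assumed effect; it does not test whether culture strength actually changes decision outcomes. Second, the minimum and maximum from "a couple hundred" runs swing with every rerun; a 90th or 95th percentile taken from a few thousand runs is a far more stable figure to put on a slide.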
Using the Results of the Model

It is one thing to tell senior management that information security is a cultural problem and that resources are needed to improve it. It is something else entirely to tell them that a weak security culture could cost the company tens of millions of dollars in otherwise preventable losses. A probabilistic analysis of cultural risk, as demonstrated in the FOXTROT case study, allows an information security program to make a much more competitive case for implementing a security culture diagnostic project within an organization. The results reveal the tangible benefits of improved security culture in the financial terms of other business stakeholders.

The results of modeling security culture risk and benefits are useful for more than just making the business case for a security culture-performance link. Not everyone may agree with the results or the assumptions, which can provide a great opportunity for concrete discussions about people-centric security and information security in general within the organization. And the ability to connect security culture with financial impacts of the InfoSec program can be very powerful. If people-centric security and security culture transformation can save a company millions of dollars in potential losses for less cost than a technology product or a process improvement initiative, many organizations might view this as a very good return on investment.
Executing a Security Culture Diagnostic Project

The FOXTROT case study made the case for a link between security culture and security performance, but no improvement in security culture is possible if an organization cannot effectively assess the culture they have. Even the most plausible hypotheses and the most intuitive frameworks are only part of the solution. The Competing Security Cultures Framework and the Security Culture Diagnostic Survey provide a viable basis for creating a map of security culture. But they don't create that map themselves, and they don't take you from point A to point B. People still have to do that.

Diagnosing security culture must be done in the context of a project and, like any project, it can be done well or it can be done poorly. The remainder of this chapter focuses on how to successfully design and execute your security culture diagnostic project. The time and care you put into assessing your culture will determine how much insight and value you get out of it, so it is important that you address and plan for the following project phases:

1. Project setup
2. Collection of data
3. Analyses of responses
4. Interpretation of culture and communication of results
1. Setting Up the Project

Culture, although measurable to a certain degree, is also naturally amorphous and hard to pin down. Measuring a collective set of human interactions is never going to be as easy as measuring packet throughput in your network or the money you spent last year on vendor security products and services. So the worst thing an organization can do when embarking upon an assessment of security culture is to conduct a project that is ill considered, vaguely conceptualized, and poorly designed. Planning for the security culture diagnostic project is the most important stage, as it will determine how well everything else goes afterwards.

Defining the Project Strategy

As obvious as the goals and objectives of the security culture diagnostic project may seem at first glance, they probably aren't. And in any event, like assumptions in any model, project strategies should be laid out explicitly in advance and documented. That way everyone is on board, or at least should be, from the beginning in terms of what is hoped for and what is expected out of the project.

A key strategic consideration is which culture or cultures the project intends to measure and describe. Is the project goal to ascertain the existing security culture across the entire company? Or does the organization only want to discover the security culture for a specific group, such as the security team itself?

Most SCDS-based projects, and the linkages to the CSCF cultural quadrants they create, are going to have some sort of comparative function. The whole idea of linking security risk to cultural competition implies that more than one culture is striving for predominance. Cultural diagnostics help identify these discrepancies and conflicts and make them visible to the organization. So what is the project's comparative strategy? The culture of the security team is an obvious choice, but given that any organization may have a large number of subcultures, which are the most important for comparison? The easiest comparison to be made is that of the entire corporate culture. But there may be other cultural values that need exploring, particularly in the wake of a security incident.

A third aspect to consider is whether and how the SCDS results will be fed into a follow-on transformation project. Do you want to change particular aspects of the security culture, such as making it more process or people oriented? Or do you hope to make competing cultures more closely aligned? These decisions will drive analysis and the communication of results down the line.

These are only a few of the possibilities an organization should consider before embarking on a cultural measurement initiative. Strategy is critical. If you are running a security culture diagnostic project, you should be able to easily explain why you are doing it, how you are doing it, and what you expect to get out of doing it, all in as much detail as possible.
Defining the Context of the Assessment

Beyond the "why?" of strategy lies the "why?" of context. Understanding the context in which the cultural assessment is performed can be as important as understanding its goals. For example, is the SCDS being administered because the company has been rocked by several information security incidents in recent years and senior management is demanding to know why all the expensive products and services they purchased don't seem to work? Or is the diagnostic project necessary because the company is making an acquisition and needs to understand possible security implications?

Context can also refer to environmental factors such as time pressures, the attitudes of senior leadership, legal and regulatory requirements, or a passion for innovation. Each of these motivations will shape and steer the security culture diagnostic project more or less subtly. Issues of duration, cost, and desired outcomes are often revealed when an organization takes the time to formally identify the context in which the project is being attempted.
Performing a Cost/Benefit Analysis

There's no way around it: assessing and analyzing your security culture is going to cost time and money. The ability to articulate to those who hold the purse strings how spending that time and money will produce a positive return is invaluable. Equally valuable is a realistic expectation of how much bang the organization can expect for each buck spent on understanding itself better. In the FOXTROT case study, financial simulation projected potential savings of millions of dollars resulting from fewer security incidents occurring in a strong security culture. Estimates like these can help make the case that money is not being wasted on mere navel gazing. At the same time, it would be unrealistic to undertake a multimillion-dollar cultural transformation project in the hopes of reducing losses that are far less than the cost of transformation.
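As an added illustration, and not the FOXTROT model or any code from this book, here is a small Monte Carlo comparison of the kind of financial simulation the paragraph refers to. It draws an annual incident count from a Poisson distribution and a per-incident loss from a lognormal distribution, once under an assumed weak-culture incident rate and once under a stronger-culture rate, and reports the expected annual loss under each and the difference. The incident rates, median loss, and spread are made-up inputs to be replaced with your organization's own estimates.

```python
"""Monte Carlo comparison of expected annual incident losses under a weak and a
strong security culture. Added illustration of the kind of financial simulation
the chapter refers to, not the FOXTROT model; every number below is an assumed
input chosen for the example."""
import math
import random
from statistics import mean


def poisson(lam: float, rng: random.Random) -> int:
    """Draw an incident count from a Poisson distribution (Knuth's algorithm,
    adequate for the small annual rates used here)."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(incident_rate: float, loss_median: float,
                           loss_sigma: float, trials: int, seed: int = 7) -> list[float]:
    """Simulate `trials` years. Each year draws a Poisson incident count at
    `incident_rate`; each incident costs a lognormal amount with the given median
    and log-scale spread, which gives the heavy right tail incident losses show."""
    rng = random.Random(seed)
    mu = math.log(loss_median)
    years = []
    for _ in range(trials):
        incidents = poisson(incident_rate, rng)
        years.append(sum(rng.lognormvariate(mu, loss_sigma) for _ in range(incidents)))
    return years


def percentile(values: list[float], q: float) -> float:
    """Simple order-statistic percentile (no interpolation)."""
    ordered = sorted(values)
    return ordered[min(len(ordered) - 1, int(q * len(ordered)))]


def compare_cultures(weak_rate: float, strong_rate: float, loss_median: float,
                     loss_sigma: float, trials: int = 20_000) -> dict[str, float]:
    """Expected annual loss (EAL) and a 95th-percentile year for each culture
    assumption, plus the expected savings from moving from weak to strong. The
    savings figure is what a cost/benefit analysis sets against the cost of the
    diagnostic and transformation work."""
    weak = simulate_annual_losses(weak_rate, loss_median, loss_sigma, trials)
    strong = simulate_annual_losses(strong_rate, loss_median, loss_sigma, trials)
    return {
        "weak_eal": mean(weak),
        "strong_eal": mean(strong),
        "expected_savings": mean(weak) - mean(strong),
        "weak_p95": percentile(weak, 0.95),
        "strong_p95": percentile(strong, 0.95),
    }


if __name__ == "__main__":
    # Assumed inputs: 6 incidents/year in the weak culture vs 2 in the strong one,
    # median loss of $250,000 per incident, log-sigma 1.0.
    for name, value in compare_cultures(6.0, 2.0, 250_000, 1.0).items():
        print(f"{name:>17}: ${value:,.0f}")
```

The savings figure is the number to set against the cost of the diagnostic and transformation work; if it comes out smaller than that cost, the last sentence of the paragraph above applies. Both runs use a fixed seed, so rerunning with the same inputs reproduces the same result, which matters when the people who question the assumptions want to see the analysis repeated.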
Engaging Senior Management

Nothing says "we're serious" like direct executive involvement. By this, I don't mean an e-mail from the CIO saying information security culture is important and everyone is expected to cooperate with the security team on this project they are doing. I mean direct, active, and interested involvement. No security culture diagnosis is going to get that level of involvement if project owners fail to engage with executive sponsors.

CISO or senior InfoSec program leadership support is the first rung on this ladder. If the CISO does not believe in cultural change, the project is likely dead on arrival. But in my experience, most CISOs are interested in anything that can give them a leg up both in protecting the organization's information assets and in helping the security team compete directly with other stakeholder groups. The ability to identify and explain cultural risks to security gives senior security leaders an opportunity to talk about something other than hackers, system vulnerabilities, and the network segmentation requirements of PCI DSS.

Organizational culture is a field more familiar to MBAs and management consulting than to engineers and system administrators. Engaging the organizational leadership on a security culture diagnostic project can provide a security team with the opportunity to speak another language, a language that links security directly with organizational performance. Once one or more senior leaders are on board, the folks conducting the security culture assessment can hope for better access to resources and data.

It is also important to remember to keep senior sponsors involved and informed throughout the security culture diagnostic project. The project is likely to run into obstacles over the course of its life. The ability for a project team or a CISO to quickly call on a senior sponsor outside of security to remind everyone of why the organization is committed to people-centric security and cultural improvement can mean the difference between success and failure of the initiative.

At the very least, an organization's leadership should define minimum expectations for participation in the project. They should actively promote and share the project's goals and their expectations for its outcome with their teams and the executive staff. The tone should be positive and encouraging, an extension of the project team's outreach. Additional expectations to be communicated throughout the organization include the need for honest feedback from members of the organization about the project, information about how data will be collected and used (and not used) during the project, and a promise to share the results with everyone.
Engaging Other Stakeholders

Senior management's support and interest are not the only ingredients for success in a security culture diagnostic project. Successful execution will demand cooperation and active involvement from many corners of the organization, including users, front-line managers, and area specialists who can help interpret results and discrepancies in the collected data. Even when the organization's top leaders lay out minimum expectations, if participants in the security culture diagnostic project aren't engaged properly, they may feel like they are being forced to do something they don't really understand rather than something they feel is important and worth taking seriously because they know it will benefit them directly.

Most often, it will be the InfoSec program that initiates a security culture diagnostic project. It may even be specialists within the security team, like the training and awareness owners. For the owner of the project, the most important thing to remember is to keep your eyes on the prize. People-centric security will benefit everyone, but you will have to sell that concept to just about everyone, likely starting within the InfoSec program itself.

It may be challenging for members of a security program to recognize or accept the inherent value of other cultures and priorities within the organization. As I have discussed previously, information security professionals can take themselves and their duties very seriously, to the point of feeling like security trumps all other organizational considerations, or even the people in the organization. Cultural intolerance is what drives some security techno-utopians (just to take an example) to make ridiculous statements like "this job would be so much easier if I didn't have to deal with the users..." Well, of course it would. It is always easier when you only have to deal with people who think the same thoughts and value the same things as you. But engaging other stakeholders means taking a more accommodating and diplomatic approach to improving information security culture.

A savvy culture hacker will move slowly and deliberately to take the message of cultural improvement to others, to align the goals of the project with their goals. Once the security team understands that tolerating other cultural imperatives might make their own jobs easier, the security culture diagnostic project owner can move on to helping others outside of security realize how a better security culture could solve problems for them, including problems they may not have even realized they had.
Building the Project Team and Plan

Formalization is a key driver of success for any organized activity. It's the reason the Process Culture in the CSCF can be so predominant in many organizations. Everyone has plans. We think about ways to make our world and our lives better all the time. But there's a difference between sitting in your cubicle and fantasizing about that Internet business that will enable you to enjoy a four-hour work week and actually creating a startup company. The former can be accomplished with nothing more than imagination and time. The latter is going to require you to stop imagining and start actually building something.

Any organizational project that hopes to achieve results will be assigned a formal team, and that team will develop an equally formal plan. Team and plan both will be documented and officially signed off on by the senior leaders and sponsors who have been engaged for support in the first place. The size of the team and the resources provided to it will be developed out of the cost/benefit analysis described earlier. The team must be sufficiently capable of meeting the goals the organization has laid out for itself. That means the team must include skilled personnel, internal to the organization where available and supplemented by outside consultants where necessary. The project plan will be very clear about who is involved, what they must do, and what the organization will get out of those activities.

Incentives are also critical to project success. Many of the examples of cultural risk I've described come from situations where people are given multiple responsibilities but are then rewarded or punished disproportionately for only some of those responsibilities. It would be ironic, although probably not shocking, to find that your measurement of competing security values failed due to competing organizational priorities.

Not every security culture diagnostic project has to be huge or enterprise-wide. Security culture assessment is a great place for small experiments, pilot projects, and exploratory initiatives. These can often be accomplished and value achieved for a small investment of time and money. But even when ambitions are small, everything should be formal, with a paper trail that allows everyone to see at the end of the project just how well the organization executed on its strategy.
2. Collecting Data

With the SCDS project design in place, it is time for the organization to collect actual data. As part of the strategy and planning process, decisions will already have been made about which cultures to target for assessment and for what purpose. The most important outcome of these decisions is the determination of who will actually complete the SCDS.

Using the Security Culture Diagnostic Survey

The SCDS is freely available, under a Creative Commons license, for use in measuring your organization's security culture. You can find it available for download at http://lancehayden.net/culture, along with instructions for administering the survey to your own organization.

There are multiple ways of administering organizational surveys like the SCDS, including automated tools and websites that can help you set up and administer online surveys for your organization. A quick web search on survey tools will give you many options to choose from, but to use any of these tools you will end up having to translate the SCDS questions and responses into a survey instrument you can post and disseminate to respondents. PollDaddy, SurveyMonkey, and SurveyGizmo are a few online companies that provide easy and affordable tools for preparing and conducting surveys within your organization.

You should also decide up front, even during the planning process, how many people you want to take the survey. The more respondents you have, the larger the data set you can analyze. The downside is that these large, automated surveys are more difficult to explain and promote across different groups of stakeholders. Running the survey as a smaller exercise, with a select group of respondents, enables you to more effectively engage and train them on how the CSCF and SCDS work. However, working with smaller respondent groups may cause concerns about not getting enough representative data about the entire organization or group, particularly in large corporations. These concerns can be mitigated through the use of random sampling techniques that allow you to generalize your survey responses across an entire organization while asking only a small subset of the total members to respond. SurveyMonkey, one of the online survey companies I mentioned previously, has a good blog post on choosing random sample recipients for surveys like the SCDS. You can find it on the SurveyMonkey blog at www.surveymonkey.com.

Organizing Respondents

Respondents for the SCDS must be treated carefully and respectfully if the organization wants to get valuable insights from their participation. Transparency is always the best policy, and the organization should share as much information as possible about the survey, which is another reason to limit participation in the beginning and build mindshare within the organization. Who you want to include depends on what you are trying to accomplish. If you want to measure the security culture of the entire organization, you need a representative sample from across the organization. If your focus is the security team, you can limit your respondents. When comparing different groups or functions within the enterprise, you need to identify respondents from the targets of comparison. You would make similar adjustments for whatever cultural measurements you want to accomplish. Some things to consider regarding survey participation include how you plan to market the survey to potential respondents, what kind of identifiable information you will collect about respondents and how you will protect that data, and how you intend to encourage honest answers to your survey questions.
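The sizing and sampling step described in the two preceding sections, as an added example that is neither the SurveyMonkey post nor part of the SCDS materials. It uses Cochran's sample-size formula with a finite-population correction, then draws the sample stratified by division so that each group you may later want to compare is represented in proportion to its size. The roster, division names, and head counts are constructed, and the 95 percent confidence and 5-point margin are assumptions to adjust per project.

```python
"""Sample-size estimate and stratified random draw of SCDS respondents.
Added example; the roster below is constructed, and the statistical choices
(95 percent confidence, 5-point margin) are assumptions to adjust per project."""
import math
import random

# Constructed roster: employee id -> division. A real project pulls this from HR.
ROSTER = {
    f"E{1000 + i}": division
    for i, division in enumerate(
        ["engineering"] * 60 + ["finance"] * 25 + ["sales"] * 40 + ["security"] * 8
    )
}

Z_FOR_CONFIDENCE = {0.90: 1.645, 0.95: 1.960, 0.99: 2.576}


def sample_size(population: int, margin: float = 0.05, confidence: float = 0.95,
                proportion: float = 0.5) -> int:
    """Respondents needed to estimate a proportion to within `margin` at the given
    confidence, using Cochran's formula with the finite-population correction.
    proportion=0.5 is the conservative (largest-sample) case."""
    z = Z_FOR_CONFIDENCE[confidence]
    n0 = (z * z * proportion * (1 - proportion)) / (margin * margin)
    n = n0 / (1 + (n0 - 1) / population)
    return math.ceil(n)


def stratified_sample(roster: dict[str, str], total: int, seed: int) -> dict[str, list[str]]:
    """Draw `total` respondents, allocating to each division in proportion to its
    head count (never fewer than one) and choosing within each division at random.
    Stratifying on the grouping you intend to compare later keeps a small group,
    such as the security team, from vanishing from a plain random draw."""
    rng = random.Random(seed)
    by_division: dict[str, list[str]] = {}
    for emp, division in roster.items():
        by_division.setdefault(division, []).append(emp)
    population = len(roster)
    drawn = {}
    for division, members in sorted(by_division.items()):
        quota = max(1, round(total * len(members) / population))
        drawn[division] = sorted(rng.sample(sorted(members), min(quota, len(members))))
    return drawn


def plan_respondents(roster: dict[str, str] = ROSTER, seed: int = 2016):
    """Size the sample for the whole roster, then draw it stratified by division."""
    needed = sample_size(len(roster))
    return needed, stratified_sample(roster, needed, seed)


if __name__ == "__main__":
    needed, drawn = plan_respondents()
    print(f"population {len(ROSTER)}, sample needed {needed}")
    for division, ids in drawn.items():
        print(f"{division:>12}: {len(ids)} invited, e.g. {ids[:3]}")
```

The seed makes the draw reproducible, which lets you show a sponsor exactly how the invitation list was produced. Note that the sample-size formula sizes the whole-organization estimate; if a per-division comparison is itself a project goal, each division needs to be sized on its own, and small divisions may have to be surveyed in full.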
Marketing and Positioning the Project

The organization should consider ways to make participation in the SCDS project attractive to respondents. If participation in the survey is mandatory, the organization should think about how to at least make it as pleasant an experience as possible. If survey participation is voluntary, then getting people to want to participate is important. The worst outcome for a survey-based initiative is to decide to go wide with participation, allowing everyone to take the survey, only to find that response rates are very low. If the end result is survey data from a quarter of the organization or less, that gives the appearance of failure. Worse, even if 25 percent of the organization is still a lot of people, the data is likely to be less reliable in terms of describing the entire organization's security culture than a smaller, truly random sample would have been, because a self-selected quarter tells you more about who chose to respond than about the organization as a whole.

Taking the survey should be marketed as a privilege, a chance to be part of something special and important to the organization. Consider formal invitations from senior management to participate or rewards for doing so, such as gift cards, or company-wide recognition as being part of the project. Respondents should be made to feel special, that their opinions are important to the success of the company, rather than feel like they just got robo-called by a professional polling firm during dinner. Another useful way to motivate participants is by allowing them to claim their involvement in the project for credit and recognition in performance reviews or training plans.

Selected participants should be provided training in the CSCF and SCDS, either in person or via teleconference. Where neither of these options is possible, the organization should provide a detailed documentation package that shows how the project will work. The instructions I provide as part of the SCDS, as well as examples and material from this book, can all be used to support the creation of such a package.
Collecting Demographic Data

The organization must consider which, if any, demographic data to collect as part of the security culture diagnostic project. The SCDS templates that I provide do not specify demographic information. In reality, the only required demographic data you may need to collect along with the SCDS is the group or division to which a respondent belongs. You would need that to be able to compare results between cultures. But in an SCDS project where the organization wants to map the general culture without comparisons between subcultures, even that data is not required. Realistically, though, you will want to collect at least basic information about who a respondent is and where in the organization they work. This may or may not include personally identifiable information about individual participants, which I cover further in the next section. But information about roles, how long an individual has worked for the organization, whether or not they are a manager, whether they possess technical skills, and whether they are associated with security in any way are all useful data points.

Beyond basic demographics, the organization can consider collecting additional data that may prove useful in diagnosing competing values and cultural risks regarding security. Lots of things influence a person's worldview, their assumptions about how things work. Age, gender, educational background, even where you sit on the organizational chart can all influence how you look at things. Capturing this information as part of the SCDS responses gives the organization an opportunity to slice and dice cultural data along many potential axes. Sure, the finance team is heavily Process-centric, but maybe the higher you go up the chain of command, the more Autonomy begins to emerge as a desirable value. Or the majority of your security team may eat, drink, and breathe Compliance, except for your security awareness managers, who may see Trust as equally important.

Ensuring Privacy and Anonymity

The challenge with collecting detailed demographic information is the balance between collecting too much information and not enough. In today's environment, where protecting your personal data and dealing with threats of surveillance and privacy erosion are top of mind, people are often much more wary of sharing too much information about themselves. This reaction may seem counterintuitive in a world of social networking and blogging, but viewpoints tend to change when it's your boss or another authority figure asking you to share what you think of them, specifically or generally. This is why many 360-degree reviews and other employee surveys are conducted anonymously. Anonymity and demographic detail also pull against each other: even with no name attached, the combination of division, role, tenure, and manager status can identify a single person in a small group, so plan to report only on demographic cells large enough to hide any one respondent.

Respondents must be reassured that the opinions they give about the organization's culture will not get them into trouble or be used against them in some other way. Project owners should be very specific about why they are collecting any particular demographic data and tie those reasons back to the strategy of the security culture diagnostic project. Collecting names and personally identifiable information can make respondents the most nervous, but if the organization wishes to follow up SCDS responses with more detailed interviews or focus groups, this information may be necessary. One compromise is to offer an "opt in" feature, allowing people to volunteer such information and give permission to contact them for follow-on discussions if necessary.

In some cases you may actually run into regulatory and legal issues that preclude you from collecting personally identifiable information, particularly in countries with strong privacy laws. Most organizations, at least in the United States, have significant leeway when conducting internal employee surveys, since demographic information such as job role, location, and which part of the organization an individual works for is all part of the company record and unlikely to be considered private. This may not be the case in other countries, with different privacy laws, so the organization should check before collecting such data. Similarly, any questions asking for demographic information regarding race, gender, or religious preferences should be cleared with HR and even the corporate legal department before going into a survey, just to be sure.

Collecting Honest Responses

Reassuring respondents that the information they provide will be used objectively, to achieve predetermined goals, improves the chances for honest feedback. Senior management should make clear at the beginning, and project owners should reiterate throughout the duration of the project, that participating in the SCDS will not negatively impact the respondent, their relationship with their manager or peers, or their performance appraisal.

Beyond just assuring that honest responses will not have negative consequences, the project sponsors and teams should reiterate how important such honesty is to the success of the project. There are no right answers when measuring culture, and respondents should be educated against perceiving the project as an attempt by management to confirm that the culture is a certain way rather than an exploration of what the culture actually is. "Tell us what you think, not what you think we want you to tell us" could be a good motto for any cultural feedback initiative.

Data Management and Storage

As part of project design and planning, make sure to give sufficient thought to how data from the SCDS will be managed and stored. Project data and responses from participants, especially when they contain personal or sensitive demographic data, should be kept secure in accordance with the organization's data classification and information protection policies. Communicating that this information will be handled responsibly and securely is also important for reassuring participants in the project that their personal information will remain private and protected. This may influence how they complete the survey. Details about the mechanisms for doing so should be made available and transparent to participants. Many of us have taken internal surveys or training where vague assurances of anonymity are made, but I tend to find that less than reassuring when I have to use my employee credentials to log in to the system before I can participate.
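One way to handle the respondent data discussed in the preceding sections, as an added example that is not part of the SCDS instructions. Employee ids become keyed pseudonyms (HMAC-SHA-256) so that answers can be linked back to a person only by whoever holds the key, and only for respondents who opted in to follow-up; contact details are kept in a separate store from the answers; and before any breakdown is reported, demographic cells with fewer than k respondents are suppressed. The key, the submissions, and the threshold are constructed for the example.

```python
"""Handling SCDS respondent data: keyed pseudonyms, opt-in contact details kept
apart from the answers, and suppression of demographic cells too small to be
anonymous. Added example, not the SCDS instructions; the key and the
submissions are constructed."""
import hashlib
import hmac
from collections import Counter
from typing import Optional

# The project key stays with the project owner, outside the survey tool and the
# results data set. Constructed value; generate a random one for a real project.
PROJECT_KEY = b"example-key-held-by-project-owner-only"


def pseudonym(employee_id: str, key: bytes = PROJECT_KEY) -> str:
    """Keyed hash of the employee id. An unkeyed SHA-256 would not do: anyone with
    the HR roster can hash every id and reverse the table. With HMAC, only the
    key holder can join answers back to a person, and only for opt-in follow-up."""
    return hmac.new(key, employee_id.encode(), hashlib.sha256).hexdigest()[:16]


def split_submission(raw: dict) -> tuple[dict, Optional[dict]]:
    """Turn one raw submission into an analysis record (pseudonym, coarse
    demographics, answers) and, only if the respondent opted in, a separate
    contact record. The two are stored in different places."""
    pid = pseudonym(raw["employee_id"])
    analysis = {
        "pid": pid,
        "division": raw["division"],
        "is_manager": raw["is_manager"],
        "answers": raw["answers"],
    }
    contact = {"pid": pid, "email": raw["email"]} if raw.get("opt_in_followup") else None
    return analysis, contact


def suppress_small_cells(records: list[dict], fields: tuple[str, ...], k: int = 5) -> list[dict]:
    """Drop records whose demographic combination (e.g. division + manager flag)
    is shared by fewer than k respondents. A breakdown that reports on a cell of
    one is a named answer with the name removed."""
    def cell(record: dict) -> tuple:
        return tuple(record[f] for f in fields)
    counts = Counter(cell(r) for r in records)
    return [r for r in records if counts[cell(r)] >= k]


def process_submissions(raws: list[dict], fields=("division", "is_manager"), k: int = 3):
    """Pseudonymize everything, separate contacts, and return only the analysis
    records that sit in cells large enough to report on."""
    analysis, contacts = [], []
    for raw in raws:
        record, contact = split_submission(raw)
        analysis.append(record)
        if contact:
            contacts.append(contact)
    return suppress_small_cells(analysis, fields, k), contacts


# Constructed submissions: six engineers, two finance staff, one security manager.
SUBMISSIONS = [
    {"employee_id": f"E{1000 + i}", "division": "engineering", "is_manager": False,
     "email": f"e{i}@example.invalid", "opt_in_followup": i == 0, "answers": {"q1": 40}}
    for i in range(6)
] + [
    {"employee_id": "E2001", "division": "finance", "is_manager": False,
     "email": "f1@example.invalid", "opt_in_followup": True, "answers": {"q1": 30}},
    {"employee_id": "E2002", "division": "finance", "is_manager": False,
     "email": "f2@example.invalid", "opt_in_followup": False, "answers": {"q1": 35}},
    {"employee_id": "E3001", "division": "security", "is_manager": True,
     "email": "s1@example.invalid", "opt_in_followup": False, "answers": {"q1": 10}},
]

if __name__ == "__main__":
    kept, contacts = process_submissions(SUBMISSIONS)
    print(f"{len(kept)} records reportable, {len(contacts)} opt-in contacts held separately")
    for r in kept[:2]:
        print(r["pid"], r["division"], r["is_manager"])
```

With k=3 the lone security manager and the two finance respondents never appear in a division-by-manager breakdown, which is exactly the case the awareness-manager example earlier in the chapter would run into. If the survey tool itself requires employee credentials to log in, the pseudonymization has to happen before the answers leave that tool, and the tool's own retention of the login is part of what you must disclose to respondents.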
3. Analyzing Responses

Whether you are collating scores into a spreadsheet or building them out from a tool, the first step after collecting raw SCDS data is to analyze those responses and turn them into something coherent. Detailed instructions for scoring the SCDS were covered in Chapter 6, and can be found in the documentation of the survey online. But there are some tips and suggestions that I can provide by way of guidance to help you make your security culture diagnostic exercise as fruitful as possible.

Generating Security Culture Scores

Security culture scores are generated by aligning specific SCDS responses with quadrants of the CSCF. Recall from Chapter 6 that the responses in the SCDS instrument are organized into four alphabetical categories and that each category is mapped to a specific CSCF cultural trait. Table 8-4 reviews this alignment.

Table 8-4 SCDS Scores Aligned with CSCF Quadrants

General security culture scores for each CSCF quadrant are generated by summing the scores for each SCDS response category across all ten SCDS questions and averaging the result. For more granular inquiries, for instance on the specific values and alignments related to the management of technology, security, or risk, the scores are taken from each of the key organizational activities and traits. For ease of use, a worksheet is available for download at http://lancehayden.net/culture to help you calculate your SCDS culture scores.
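The scoring rule just described, as an added example and not the downloadable worksheet. The letter-to-quadrant alignment below is a placeholder (take the real one from Table 8-4), and the ten questions and their scores are constructed. The block computes the general quadrant scores, the granular scores over a chosen subset of activities, an average across a group of respondents, and a check for single activities that push a quadrant's score up on their own.

```python
"""SCDS quadrant scoring: per-category sums averaged over the ten questions, a
granular score over a chosen subset of activities, and a check for single
activities that skew a quadrant. Added example, not the book's worksheet. The
letter-to-quadrant alignment and the responses are placeholders; take the real
alignment from Table 8-4 and the activity names from the survey."""
from statistics import mean

CATEGORIES = ("A", "B", "C", "D")
# Placeholder alignment (assumption). Replace with the mapping in Table 8-4.
QUADRANT_OF = {"A": "Process", "B": "Compliance", "C": "Autonomy", "D": "Trust"}

# Constructed responses for one respondent: question -> category -> score.
# q1..q10 stand in for the ten SCDS activities.
RESPONSES = {
    **{f"q{i}": {"A": 40, "B": 30, "C": 20, "D": 10} for i in range(1, 8)},
    "q8": {"A": 20, "B": 20, "C": 30, "D": 30},
    "q9": {"A": 20, "B": 20, "C": 30, "D": 30},
    "q10": {"A": 10, "B": 10, "C": 10, "D": 70},
}


def validate(responses: dict[str, dict[str, float]]) -> None:
    """Every one of the ten questions must carry a score for all four categories."""
    if len(responses) != 10:
        raise ValueError(f"expected 10 questions, got {len(responses)}")
    for q, scores in responses.items():
        if set(scores) != set(CATEGORIES):
            raise ValueError(f"{q}: categories {sorted(scores)} != {list(CATEGORIES)}")


def quadrant_scores(responses: dict[str, dict[str, float]],
                    questions=None) -> dict[str, float]:
    """Score per quadrant: each category's scores summed over the selected
    questions (all ten by default) and averaged. Passing a subset gives the
    granular view for, say, the technology- or risk-management activities."""
    validate(responses)
    selected = list(responses) if questions is None else list(questions)
    return {
        QUADRANT_OF[c]: sum(responses[q][c] for q in selected) / len(selected)
        for c in CATEGORIES
    }


def group_scores(respondents: list[dict]) -> dict[str, float]:
    """Average the individual quadrant scores across a group of respondents."""
    per_person = [quadrant_scores(r) for r in respondents]
    return {quad: mean(p[quad] for p in per_person) for quad in per_person[0]}


def skewed_activities(responses: dict[str, dict[str, float]], quadrant: str,
                      threshold: float = 25.0) -> list[str]:
    """Questions whose score for `quadrant` exceeds the quadrant's overall average
    by more than `threshold` points. A few such outliers can make a culture look
    more predominant than the day-to-day activities support."""
    category = next(c for c, q in QUADRANT_OF.items() if q == quadrant)
    overall = quadrant_scores(responses)[quadrant]
    return [q for q, scores in responses.items() if scores[category] - overall > threshold]


if __name__ == "__main__":
    print("general:", quadrant_scores(RESPONSES))
    print("q8-q10 only:", quadrant_scores(RESPONSES, ["q8", "q9", "q10"]))
    print("skewing Trust:", skewed_activities(RESPONSES, "Trust"))
```

On the constructed data the general Trust score is modest, but a single activity (q10) carries almost all of it; that is the pattern the comparative analysis later in the chapter warns about, and the skew check surfaces it before the radar chart does.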
Creating Culture Maps

Visually mapping your culture scores, as I demonstrated in Chapter 7, takes a bit more effort than simply calculating them, but it does not require anything more than standard office software. Microsoft Excel and Apache OpenOffice both allow the creation of radar-style charts from a set of data. Some spreadsheet and charting tools do not offer radar charts, for reasons I touched on in Chapter 7, so if you wish to employ that visualization you will have to use a tool that supports it. The rest of my charts I tend to do relatively manually, building them individually and then manipulating them into the quadrants of the CSCF as images. I like the control of this process enough to make the extra time it takes worthwhile. But the list of charting and visualization tools, including freely available options, is growing all the time. I encourage readers to explore them, as I am doing, and to put them to use where they work.
4. Interpreting Culture and Communicating Results

After the numerical dust has settled and you have a formal set of scores and visual maps to represent your security culture(s), the process of interpretation and communication begins. Having done all this great work to put boundaries around your security culture and identify areas of competing values and possible cultural risks to your security posture, it's time to use those results to interpret culture, support people-centric security goals, and communicate progress to other stakeholders.

Aligning Data with Project Goals

Interpreting your security culture diagnostic results is, primarily, a process of aligning what you have found with what you set out to do. Aligning the collected data and resulting scores to your strategic objectives creates the value inherent to improving people-centric security. It is also the big reason that it is so important to identify and document those goals ahead of time, to get buy-in for them, and to properly set expectations about outcomes. Many attempts to measure culture end up falling into a trap of amorphous ambitions, with insights and fascinating anecdotes that entertain but are difficult to turn into actions. Culture is a forest of human interactions and social behavior. Your strategy is the trail of breadcrumbs you leave to help you find your way back out again.

Descriptive Goals

If your main objective was to measure one or more aspects of security culture within the organization, to get a picture of what it looks like as a way of understanding how it works, then your diagnostic strategy was primarily descriptive. Every cultural assessment project is a descriptive effort, in that it attempts to make visible the values and assumptions operating below the surface of organizational behavior.

Comparative Goals

When you begin to put your descriptions of culture side by side, to notice differences between them and consider why those differences exist, you've moved from descriptive to comparative goals for the diagnostic project. Mapping the security culture against the organizational culture, or the security culture that exists against the security culture you would like to have, requires comparative analysis. When the SCDS project strategy includes these comparisons, you can now use your results to get more insight into the questions you hoped to answer. Sometimes those answers may surprise you and may generate new questions.

SCDS results should be analyzed in the light of the comparative objectives defined as part of the strategy. Do the SCDS results line up with people's expectations or perceptions about the nature of the organizational security culture? If discrepancies exist, where? And what might have caused them? In Chapters 6 and 7, we saw several examples where a small set of organizational activities can skew a cultural quadrant, making that culture seem more predominant when, in fact, just a few outliers in key behaviors are skewing the results. Discoveries like this can point to fruitful areas of exploration, and can directly drive changes to training, awareness, and policy that become more targeted approaches to security behavior.

Transformative Goals

Transformative goals are those that involve changing existing culture. If you are comparing existing security culture to desired security culture, for example, knowing how the two cultures differ is just the start. Security culture maps show where specific changes are necessary and to what degree. Often, even in cases where an organization knows that change and cultural transformation are necessary, completion of a diagnostic project is a necessary prerequisite to knowing how that change might take place.

SCDS scores and security culture maps allow an organization to plan specific, measurable actions directed at cultural change. This is an important point, especially for countering critics of cultural measurement who argue that culture is too vague to pin down. By focusing on ten core activities, the SCDS identifies behavioral components that directly impact security, names them, and provides a way to analyze them. Changing culture means changing the ways that these activities are undertaken within the organization. If, for example, a company discovers from the SCDS that people do not take policies and procedures seriously, that represents a direct path to action: promoting the behaviors inherent in a more Process-driven enterprise. Those values can be instilled by including them in training programs, building them into performance reviews, and measuring how often violations occur. Changing things is no longer as vague or fuzzy as it might have been, although this does not minimize the work necessary to alter people's beliefs and habits. But at least you know what those beliefs and habits are.
Communicating Security Culture

Getting the security culture message to the right people in the right way means the difference between a successful, well-received diagnostic project and one that misses the mark. Failed projects, at the very least, make it unlikely that the organization will be willing to invest time or money into future efforts, creating a self-fulfilling prophecy about how hard it is to measure culture. But the bigger loss will be the inability of the project to support increased cultural maturity and improved security throughout the enterprise. Measuring culture is only ever the first step, leading to action and change. Convincing people that the effort necessary to change is worth it depends on how well you communicate the benefits of transformation.

Knowing the Audience

Knowing the audience is key in any cultural diagnostic project, both in terms of understanding your audience and shaping your message to meet its unique needs. Project leaders should carefully consider SCDS results in shaping the perceptions of all the stakeholders involved in the project, from senior management down to individual contributors and respondents across different groups. If care has been taken to position and market the CSCF and SCDS, the audience will already understand why they were asked to participate. Now the project team must shape the message about results and insights for that audience.

Our own culture will invariably be more familiar to us than someone else's, which may make the things they prioritize or care about seem strange or even wrong. In a security culture diagnostic project, you are likely to see people with strong cultural biases one way or the other struggling to understand why everyone doesn't see security priorities the way they do. When communicating cultural diagnostics and risks to respondent and stakeholder audiences, it can help to begin by reviewing the results in the context of the culture they most closely identify with, exploring those results and bringing the message back to familiar values and assumptions. Leading the discussion of transforming security culture by always starting with the security team's perspective of the world can give the impression that the security team's vision is the preferred one. You can lose your audience quickly with this approach, which tends to make people feel like they are being told that they believe the wrong things. Instead, the project team should start with more familiar territory, then use examples of competing security cultures and values to explain why misunderstandings can happen and the risks that such conflicts carry.

Another benefit of thinking about culture locally at first, through the eyes of the stakeholders living it, is the chance for the project team to challenge their own assumptions. Most of the time, security culture diagnostic initiatives will be run by the security team. Understanding empirically that not everyone shares their worldview, and having to communicate and defend that worldview by first empathizing with other ways of seeing things, can give security professionals a new perspective on the marketplace of ideas in which they have to compete.
Choosing a Medium

There is no one best way to communicate, no single medium by which insight can be transferred more effectively than through other mediums. The intended audience will often drive the choice of medium, according to both convention and experience. Slide-based presentations have become so ingrained in the corporate world that even though they may not be the best medium for certain ways of communicating, you can alienate your audience if you don't use them. But you should always try to pick the best tool for the job.

Scores, charts, and maps notwithstanding, the strength of the CSCF is that it allows you to tell a story about culture. Your story will have protagonists and antagonists, plot points and conflicts. The SCDS does not create that story. It simply organizes the themes in a way that allows you to put structure where it hasn't existed before. Motivations that have previously seemed mysterious and irrational now make more sense. Visuals can help, but don't expect a culture map to be immediately and obviously intuitive to your audience. You have to walk them through it, interpret for them, be a storyteller.

Many presenters today have mastered slide-based presentations as a storytelling technique. Many others have not. But technology has set us free from an overdependence on slides. I encourage you to explore alternate presentation tools such as Prezi (http://prezi.com), Haiku Deck (www.haikudeck.com), or any of the numerous free and commercial mind-mapping tools that also support graphical presentations.

Looking to New Horizons

As part of your security culture diagnostics presentation, you will also want to get your audience excited about future opportunities for people-centric security. Looking out to the horizon of what comes next can give your organization a powerful incentive to keep going with better and more sophisticated cultural assessments. Remember that the culture-performance link has no natural limits. The more mature and effective the security culture or the larger organizational culture is, the better the results will be of every activity and decision the organization undertakes. Cultural measurement, it should be emphasized, starts with orientation, the act of finding out where you are right now. The map metaphor emphasizes this need for location and situation as the first step of a longer journey.
From Measurement to Transformation

The first two parts of this book have focused on measuring and diagnosing organizational security culture. They have presented ways to describe it, analyze its relative intensity, and identify areas of cultural conflict and risk that may result in security failures. Throughout, the goal has been to transform organizational security culture into a more people-centric security environment.

But understanding security culture is not the same as transforming it. Diagnosis is an improvement over uncertainty, but it does not do anything to make a system better. Initiating change and driving new behaviors require their own structures and efforts. Using the CSCF and the SCDS can show exactly where your organization stands culturally and can help your organization formulate where it thinks it should be. But what is the path to realize that change? It's great to say "we want security to be less bureaucratic and more flexible," but where is the framework and what is the initiative to define what "more flexible" means and how to achieve that goal?

The third part of the book will look to the more tactical challenge of developing behavioral change that is the engine of cultural transformation. As with my adaptations of previous research into cultural measurement, I have grounded security behavioral change in research from other disciplines. And in the case of the Security FORCE Behavioral Model that I will describe, I have traced these behavioral strategies back to the CSCF to create a structure by which the groundwork laid in understanding your security cultures can be used to build a powerful transformation strategy.
Further Reading
Although neither of the following books is a Monte Carlo textbook, both discuss the use of Monte Carlo simulations in risk analysis.
Hubbard, Douglas W. How to Measure Anything: Finding the Value of Intangibles in Business. Hoboken, NJ: John Wiley & Sons, 2007.
Savage, Sam L. The Flaw of Averages: Why We Underestimate Risk in the Face of Uncertainty. Hoboken, NJ: John Wiley & Sons, 2009.
PART III
Transforming Your Security Culture
CHAPTER 9
From Diagnosis to Transformation: Implementing People-Centric Security
The first two parts of this book have addressed culture generally, security culture in particular, and ways to articulate, diagnose, and analyze the security culture in your organization. Culture, however, remains a huge and inclusive phenomenon in any enterprise, the sum total of the assumptions, beliefs, and values mixing and interacting below the surface of easily observable behavior. Culture can be transformed, but transforming it is like changing the flow of a river. It isn’t easy when the river is constantly trying to revert back to its previous course. It is an exercise in organizational engineering. Your strategy has to be very specific and well understood or you will fail. The third part of this book is about developing a structured, measurable strategy to implement people-centric security, to transform security culture, by coming full circle and dealing directly with human and organizational behavior.
Diagnosis and Transformation: One Coin, Two Sides
Understanding culture and changing culture, diagnosing and transforming it, are deeply intertwined ideas, which I illustrate in Figure 9-1. We don’t need to understand culture if we are content with continuing to operate on instinct organizationally, more or less unaware of why people make certain decisions and not concerned with whether or not they were the best ones. Our assumptions and values are embedded in everyday enterprise activity. They are reflexes we don’t have to think about, habits and rituals we fall back on whenever necessary. Culture takes care of itself. But for those times when we wonder why we keep making the same bad decisions over and over again, when we have this nagging feeling that we could be doing so much better if we could just get out of our own way, we start the process of increasing cultural awareness and visibility, eventually to the point where we can shape it to our own desires and purposes.
Figure 9-1 Diagnosis and transformation of culture
The CSCF as a Framework for Understanding
You can’t change something you don’t understand. Your organizational security culture, left unanalyzed and unexplored, will always remain something of a mystery. People follow the rules and live up to expectations…until they don’t. Everyone behaves rationally and does the right thing…until they don’t. And when the iceberg keeps drifting south no matter how much people lean to the north, it’s very tempting to just give up and blame everything on fate or on the stars that are aligned against us.
The Competing Security Cultures Framework is one attempt to exert more control over your organizational security culture. No framework can precisely model every variable in a culture, any more than a computer simulation can precisely model the weather, but the CSCF allows us to understand more about how our security culture operates, in the same way that a weather model helps us reduce uncertainty about the chance of rain tomorrow. It helps identify patterns and tendencies that give insight into what drives activity.
Using the CSCF gives us a picture, sometimes figuratively and sometimes more literally, of how our security cultures and subcultures operate and where they come into conflict with one another in ways that can create risks. This situational awareness not only shows what really matters inside the organization, but can point to the unconscious, and usually well-intended, motivations that underlie habitual security problems.
What Is the Framework for Transformation?
Simply understanding your organization’s security culture won’t change it, of course. Security culture transformation is certainly possible using the CSCF and Security Culture Diagnostic Survey. Both tools provide a means for creating a map, a navigational aid showing where the organization is and helping it decide where it desires to be. But the mechanics of getting there is not something that a fundamentally diagnostic model is best equipped to explain. “Move from an overweighted Compliance Culture to more Autonomy and Trust” may be the best prescription for success in a given organization, but knowing that is what is needed is only the beginning.
Implementing people-centric security always requires keeping one eye on culture, on the values and drives that influence and direct our behavior, while keeping the other on behavior itself. A diagnostic model must be balanced by a behavioral model for the best chance of successfully implementing people-centric security. The two models exist to complement one another, like a medical diagnostic tool complements a treatment plan. An X-ray or an MRI scan can produce a diagnosis, and can show what must be done to correct the problem or pathology, but it is not a guide to the surgery, the drug regimen, or the diet and exercise that specifically accomplishes that outcome.
In the chapters that follow I will describe the Security FORCE Behavioral Model, which complements and aligns with the CSCF and the SCDS. The model is based on a well-researched theoretical framework in the field of organizational behavior, called high-reliability organizations, that helps us understand why some organizations fail less often and less spectacularly than others. The Security FORCE Model represents my specific application of high-reliability organizations to InfoSec. My model is just one approach, and understanding a bit about alternative approaches may help you see why I favor it. The rest of this chapter discusses some of those alternatives.
Behavioral Models for Security Culture Transformation
Information security today is undergoing a series of experiments in behavioral engineering and cultural transformation, although we do not tend to use those terms directly. But the entire compliance approach to security, including the development and enforcement of new compliance regimes, demonstrates attempts by those inside and outside the security industry to impose change. The compliance approach may be the most visible of these attempts, but even it is just one set of interventions that you can find in the industry today.
Compliance and Control Regimes
I’ve mentioned it in previous chapters, but it bears repeating that compliance is probably the biggest driver of activity today in information security. Many companies that have neglected or been less than aggressive in their information security activities have significantly increased those efforts in the past decade or so, as a direct result of compliance requirements like PCI DSS, HIPAA, SOX, and privacy and data protection laws passed by governments around the globe.
Compliance is perhaps the most directly behavioral approach to transformation and people-centric security, since it is all about forcing people to make new or different choices. These decisions may include enterprise management being forced to add budget for security, IT operations being forced to create and implement new processes and technologies to support security, and information and IT users and owners being forced into accountability for their actions. Behind all of this are the direct or indirect fears of enforcement and the consequences of failed audits. Organizations that do not implement externally mandated behaviors or controls on behavior, or agree to be bound by third-party assessments of their due diligence, may find themselves subject to investigation, legal action, fines, and being cut off from their ability to run critical business functions, such as processing credit card transactions.
As powerful as compliance is as a motivation for security, its weakness lies in the reliance on sanctions and punishments for failing to comply. Most organizations that adopt a compliance standard like PCI DSS do so because they have to, not necessarily because they believe it is the best way to secure their information. By mandating a minimum level of security required for compliance, regulators and industry groups can even create a perverse incentive to “dumb down” the complexity of security to include only what is mandated by the framework or standard in question. This may lead to “checkbox” InfoSec programs, where security becomes synonymous with a finite set of specific controls imposed by an outside party that may not have much idea about how an organization actually works.
“Let’s Sue the Auditors…”
In the wake of high-profile breaches of several large corporations, like that of Target in 2013, at least one PCI DSS Qualified Security Assessor (QSA) has found itself on the receiving end of a lawsuit. Trustwave, the QSA for Target, was sued for negligence in its support of Target’s information security. The lawsuit spawned a number of responses about whether or not a QSA should be held liable for a client’s security failure, but it also prompted a lot of discussion about whether or not the incident called into question the viability of PCI DSS as a security standard, and even the idea of security assessments in general (a simple Internet search on “PCI DSS lawsuits” will uncover several such analyses).
A number of the critiques of PCI DSS in particular go beyond that one standard to more generally address the shortcomings of using compliance and control regimes as a security behavioral framework. These include conflicts of interest between paid auditors and the companies who employ them to do audits, the nature of a relatively static and prescriptive set of controls to address a dynamic and mutable security environment, and the favoring of simpler, easier checklists over the hard challenges of securing complex information systems.
Security Process Improvement
At the opposite end of the transformation continuum from compliance and control regimes are security process improvement methodologies, which take a more systematic and holistic approach to security transformation. Instead of the narrow perspective of compliance, which defines what an organization must do, security process improvement takes the perspective of how an organization should do things and lets the resulting process drive appropriate controls and compliance efforts. ISO 27001, an international standard for information security management, is probably the most widely adopted of these approaches, with thousands of implementations worldwide. But other frameworks, most notably the U.S. Federal Information Security Management Act (FISMA) and the supporting guidance created by the National Institute of Standards and Technology (NIST), also enjoy a great deal of support.
Security process improvement frameworks like ISO 27001 and the NIST Special Publications do not attempt to force a prescriptive, controls-centric security framework on every organization, subject to standardized, recurring audits. Both ISO 27001 and FISMA do have an audit component, but the fact that many enterprises voluntarily implement the international standard or the NIST guidelines best practice architectures for their InfoSec program is telling. These organizations may never undergo a formal audit of their program, but they recognize ISO and NIST as good ways to “do security” nonetheless.
I am a proponent of ISO 27001 and of the process improvement approach it and NIST promulgate. When implemented properly, they offer a comprehensive blueprint for security that demands leadership buy-in, thoughtful analysis of what the organization actually needs in terms of security, and a risk-based selection of controls that work best for the enterprise, rather than satisfying an external party imposing a one-size-fits-most list of “necessary controls” with little associated context or nuance. An unfortunate problem is that many organizations don’t implement security process improvement frameworks correctly and manage to turn them into just another checklist of controls. This is especially frustrating to me as a certified ISO 27001 auditor when I see an organization take the standard and skim over the main body before latching onto Annex A, a list of possible controls the organization may select from. We’re so used to thinking of security in terms of controls that we’re sometimes conditioned to ignore everything else.
Another limitation of the security process improvement approach is that it can be difficult to implement incrementally. Whether you are facing an audit or not, both ISO and NIST tend to assume a static InfoSec program, a complete system that must be either augmented or created. This tends to require a top-down implementation directive, usually mandated within a finite time frame, rather than a process that is gradual and organic. In the case of ISO 27001, the result is that organizations regularly choose to limit the scope of their information security management system (ISMS), perhaps to a single data center or enterprise application. Making the ISMS apply to the entire organization at once is perceived as being too difficult.
“But We Don’t Do E-Commerce Here…”
I once did a global tour of a multinational company’s regional offices and divisions, ostensibly to assess the company’s information security program against the requirements of ISO 27001. With offices and divisions in many different nations, some operating as directly managed subsidiaries and others as quasi-independent partnerships and joint ventures, wide differences soon became apparent. As the challenges of diving into the specific and nuanced ways that different regional offices ran their security programs threatened to overwhelm the resources devoted to the project, the company decided instead to simply fall back on assessing the percentage of implemented controls listed in Annex A of the standard. This would provide, it was thought, an “apples to apples” comparison of InfoSec program efforts.
The controls assessment proved unsatisfactory, with the quantitative scoring of controls only doing a limited job of alleviating the company’s uncertainty about how security was managed across different geographies and cultures. And it proved frustrating for both the regional offices and the assessment team. Saddled with a prescriptive and inflexible list of controls that had to be assessed and scored in the same way for each company, it became difficult to explain discrepancies in the final grades. E-commerce, for example, is the subject of several controls under Annex A, and the assessment team was required to note whether the office had those controls in place. Without leeway to alter the scoring, many offices were less than happy to find out that we were taking points off for the failure to implement the “required” controls. I could only nod sympathetically every time one of the local security employees complained, “But we don’t do e-commerce here…”
Technology and Automation Approaches
I would be remiss not to include technology approaches to the list of potential behavioral models, approaches that believe it is possible to automate people’s behaviors within the organization, usually by limiting what they can do, but also by predicting what they might do. At the center of much of this effort lies the promise of big data and advanced analytics, which many believe will completely revolutionize the practice and industry of information security, in part by letting machines do the learning and deciding instead of people. These systems operate at the intersection of surveillance and security, gathering data about a bewildering variety of activities and processing it to find patterns and support organizational decisions, which may themselves be automated.
In the post–Edward Snowden world, many people find the idea of increasing levels of analytically driven personal and professional surveillance creepy and disturbing, regardless of whether those techniques are being used by social networks, advertisers, rental car companies, our employers, or intelligence agencies. Although I share some of these concerns, I find my bigger problem with the big data movement in information security to be the hype around capabilities. I don’t have any doubts about the power of analytics, but I also have an abiding faith in people and their ability to circumvent, intentionally or through sheer (good, bad, or dumb) luck, just about any technology system designed or intended to control their behavior. Of course the technology will win some of the time. But I’m always skeptical of claims like the one I heard a data scientist make during a talk at a security conference not too long ago. “In five years,” the speaker said confidently, “there won’t be anyone in security besides data scientists, because we won’t need them.”
Making It Personal…
Wouldn’t it be great if our security systems could tell what users were thinking and decide who was a potential threat? Well, Fujitsu is working on doing just that. In early 2015, the company announced the development of innovative technology that can pick out vulnerable users by profiling them psychologically and behaviorally. The system, according to Fujitsu and industry write-ups, analyzes everything from e-mails and visited websites to mouse clicks and keyboard actions, and produces a profile of each user designed to predict the likelihood that person might succumb to a cyberattack. The company figured at the time that the technology was a year out from production.
Maybe it wouldn’t be so great after all. Fujitsu’s technology sounds a bit like information security’s version of the film Minority Report. And there is no question that advancement in behavioral analytics makes such human monitoring capabilities seem less like science fiction every day. The question is to what extent technology like Fujitsu’s automated psychological profiling is likely to impact organizational security culture and practice. Will organizations accept the potential surveillance and privacy trade-offs that such technologies bring, in the name of improved security? And will people accept such intrusive activities into their lives? Perhaps most importantly, one has to wonder if a panoptic culture of security, one driven by knowing you are being watched all the time, is as desirable or effective a culture as one where people value good security behaviors so much, and practice them so conscientiously, that they don’t need to be under constant surveillance.
Security Needs More Options
To summarize my points, I think that the behavioral models currently available to people-centric security, while useful in many ways, often come up short in terms of their ability to successfully transform security culture:
Control and compliance regimes: Often too prescriptive, too specific and standardized, creating a least common denominator state of security prioritizing “checking the box” over addressing problems
Security process improvement frameworks: Often not prescriptive enough, embracing context and uncertainty when people just want to be told what to do, making implementation stressful and hard
Technology and automation approaches: Offer solid data and evidence, but risk the trap of thinking human beings can be managed like machines, deterministically, when history proves otherwise
If the bad news is that none of these approaches are fully aligned with developing a people-centric security culture, then the good news is that there is opportunity for new behavioral frameworks to be explored and implemented. Comparing the three I’ve called out is a classic opportunity for a Venn diagram, like the one shown in Figure 9-2. Opportunity lies in developing new behavioral models that complement security culture models like the CSCF and provide the best elements of the various existing models.
Figure 9-2 Opportunities for new security behavioral models
In the following chapters, I propose and describe a new framework, the Security FORCE Behavioral Model, which is designed to address these shortcomings and add value to an organization’s transformation to people-centric security.
Further Reading
Fujitsu. “Fujitsu Develops Industry’s First Technology That Identifies Users Vulnerable to Cyber Attack Based on Behavioral and Psychological Characteristics.” January 19, 2015. Available at www.fujitsu.com.
Hornyak, Tim. “Fujitsu Psychology Tool Profiles Users at Risk of Cyberattacks.” Network World, January 21, 2015. Available at www.networkworld.com.
ISO/IEC. 27000:2014, Information technology – Security techniques – Information security management systems – Overview and vocabulary (third edition). January 15, 2014. Available at http://standards.iso.org.
NIST Computer Security Division (CSD). Federal Information Security Management Act (FISMA) Implementation Project. Available at www.nist.gov.
CHAPTER 10
Security FORCE: A Behavioral Model for People-Centric Security
Information security professionals need new ways of thinking about the problems we face and how to confront them. In the industry, we talk a lot about how much the world has changed over the years. Our current technology environments would be stunningly complex to early security professionals, and our threat environments would be terrifying. I remember when firewalls were all we needed to protect our networks, intrusion detection systems were a new-fangled technology, VPNs didn’t exist (at least not for the common person), and cell phones could only be used as phones. It’s like the opposite of the old man telling tales of walking to school barefoot, in the snow, uphill both ways. Looking back, it all seems so idyllic, the good old days when almost no one wanted to steal your information, those who did want to steal it usually couldn’t, and the really bad ones who could steal it often were caught before they were able to do too much permanent damage.
Perhaps security professionals today can be forgiven for taking a glum view of the world. But for an industry that has seen so much transformation, it’s surprising how poorly our frameworks and models have kept pace. To be sure, our technology has come a long way. But our basic concepts have not evolved all that much. We still act as though confidentiality, integrity, and availability (CIA) mean the same things they did 30 years ago, that risk can be measured in three colors, and that controls are the essential building blocks of security life. Information security is a remarkably conservative discipline to be living and working so close to the bleeding edge of information age disruption.
The purpose of this book, and the frameworks I propose in it, is not to say that what we’ve done in the past doesn’t work, or to advocate abandoning the CIA triad, heat maps, or control frameworks. That would be silly and disingenuous. But I do believe that the tools in our toolbox are no longer enough to get us where we need and want to be. There are many directions security can take, and is taking, to innovate. Some of these directions are extensions of technology, like big data. Some, like increasingly aggressive regulation, focus on controls. I am an advocate for improving culture and behavior, for developing more people-centric solutions to security challenges. I believe they offer the best opportunity to change things, to right ourselves before we start seeing disruption that makes today’s world look as idyllic as the one I remember from my early days in the field.
The Security FORCE Behavioral Model, hereafter referred to more simply as Security FORCE, offers another tool for organizations to utilize in securing their information and enterprise assets. It won’t replace all the other tools or be useful in every situation, but it can help provide another angle of assessment and insight that may just be the perspective an organization needs to make real headway against security problems that have seemed unsolvable up to now.
Origins of Security FORCE
My experiences working with organization after organization over the years have gradually coalesced into a form of pattern recognition that causes me to see information security as a behavioral and cultural problem, one perpetuated as much by security itself as anyone outside the discipline. What I have observed over and over are security cultures that exhibit irrational attitudes toward risk and failure, struggle to reconcile expectations with actual operations, don’t bounce back from problems very gracefully, tend toward oversimplification, and make a habit of ignoring or marginalizing the people closest to the problems. It only takes a few of these traits to destabilize even a good organization’s information security posture.
A lot of research and work has gone into understanding why some organizations fail more often or less often than others, and it turns out that the patterns I just described are not unique to security, but can be found across industry, organizational, and geographic lines. Among the most prominent researchers into the traits and characteristics of organizations that fail versus those that don’t is Karl Weick.
Karl Weick has been exploring organizational culture and behavior, and their effects on performance and failure, for half a century. The Social Psychology of Organizing, a book Weick originally published in 1969, is considered a classic and has been translated into multiple languages. I’ve personally followed Weick’s work for well over a decade, ever since I was first introduced to it in graduate school, and I’ve talked about other areas of his work earlier in this book. But the most important application of Weick’s work for security is his research, along with colleague Kathleen Sutcliffe, into the concept of high-reliability organizations, or HROs, summarized in their book Managing the Unexpected. Weick’s research, especially his work with Sutcliffe, is a central driver of Security FORCE.
In essence, high-reliability organizations fail less often and prove more robust when failure does happen because of several cultural traits that define how HROs work and think collectively. Security FORCE captures these traits and adapts them specifically to people-centric security.
The concepts and tools I introduce in this book—the Competing Security Cultures Framework and Security FORCE—are both adaptations of research efforts that began and were developed elsewhere. More importantly, these frameworks and models have the benefit of years of empirical study behind them. They have worked where people have applied them in other industries, and information security can benefit by mapping and applying them to our own challenges. Culture and behavior are phenomena that apply as much to security as to any other organized activity. Before we discuss Security FORCE further, it’s important to understand not only what defines a high reliability organization but also the common traits and principles these organizations share.
HRO Research
Weick and Sutcliffe describe high reliability organizations as those enterprises and organizations that have learned to adapt to dangerous and hostile environments, where many more things can go wrong than in “normal” environments, and where things that do go wrong tend to go wrong in a much worse way, up to and including people dying. In an organization where the chances of mistakes and problems occurring are higher than usual, you would expect more things to “break” more often. And when things breaking brings worse-than-average consequences, possibly disastrous ones, then you would expect really bad things to happen.
But HRO researchers have found that things work differently in these organizations from what might be expected. HROs often exhibit fewer problems, with less severe consequences, than the average organization. Why would that be? Well, it makes sense if you think about it. An organization that operates in a low-risk, low-impact environment may be able to muddle along indefinitely, even while making mistakes and failing on a regular basis, never managing to fundamentally change its ways even when that means never realizing its full potential. But an organization that faces catastrophe at every turn must learn to survive by skill and constant vigilance. Otherwise, it won’t survive at all.
Weick and Sutcliffe identified specific examples of organizations that operate as HROs. They include firefighting teams, aircraft carriers, manufacturing companies, and nuclear power plants, among others. All of these types of organizations experience failures, of course. Firefighters die, aircraft crash on flight decks, industrial accidents and product recalls occur, and occasionally we even face nuclear disasters. Being an HRO doesn’t mean nothing ever goes terribly wrong. But for systems this complex, in environments as dangerous as the ones these organizations operate within, they have a track record remarkable enough for organizational scientists to understand that they don’t function like other organizations. They do things differently.
The unique ways in which HROs function have been organized into five principles that summarize the differences in the behaviors of HROs compared to other organizations. These principles encompass how HROs look at such things as failure and the ability to bounce back from it, complexity and operational realities, and who is most capable of dealing with a crisis. These five principles are summarized in Figure 10-1. Each of these principles has its own application in the context of information security, and I will cover these in detail later in the chapter.
Figure 10-1 Five principles of high-reliability organizations
Preoccupation with Failure
HROs obsess over failure, but not for the same reasons as other organizations. Instead of operating on the assumption that failure is a universally bad thing, to be avoided at all costs, HROs treat failure as an unavoidable outcome of doing business, an intrinsic property of their environment. HROs are compulsively driven to identify these failures at all costs, as early as possible. They then try to use small failures as a tool by which they can avoid large disasters.
Reluctance to Simplify
The easiest way to make members of an HRO nervous is to explain the challenges they face in simplistic, dumbed-down terms. By maintaining a healthy respect for the complexity and unpredictability of the environments in which they operate, HROs seek more complicated answers, backed by observation and data. Simple models and frameworks make an HRO wonder what is being left out or ignored, and how that might bite them later.
Sensitivity to Operations
HROs formulate grand strategies just like any other organization, but they differ in that they put equal emphasis on the tactical requirements that make the strategy work. HRO leaders don’t do “the vision thing,” leaving underlings and subordinates to hammer out the details. HROs want to know exactly how things are really working, not just how they expect them to work, and they gather data and knowledge from a variety of sources to make the links between strategy and operations visible.
Commitment to Resilience
Recovery from a failure says a lot about whether an organization is an HRO or not. HROs, knowing that they will experience a failure at some point for some reason, put time and effort into imagining how that failure will occur and what they should do when it arrives. As a result, HROs tend to fall down more softly and get back up more quickly than other organizations. Like a fighter who knows how to take a punch, an HRO rebounds and gets back into the fight rather than being knocked out of it.
Deference to Expertise
HROs structure themselves around a different decision-making system, one that is more flexible and diverse. Hierarchies are important, but not when they hinder people who know what is going on from acting on that knowledge immediately. By relying on the skills and judgments of the people who are closest to the systems in question, HROs can gather data on potential problems more quickly and respond with more agility to changes in operations.
HROsinInformationSecuritySincemyfirstencounterwiththeHROresearchliteratureasastudent,Ihavebeenstruckbyhowmuchthisbodyofworkhastoofferinformationsecurity.I’veobservedmanycompaniesthatbehave,fromasecurityperspective,lesslikeorganizationscommittedtosurvivinginthemidstofcomplexityandexistential
danger,andmorelikeonesthatarecomplacentandevenconfidentthattheyareunlikelytoeverreallygethurt.EvenorganizationsthattakesecurityseriouslyareoftenplaguedbytheverydeficienciesthatHROshaveevolvedtoavoid.
IhavebeenusingelementsofHROresearchinmysecurityworkforalongtime.AdaptingandapplyingthebehaviorallessonsofHROstosecurityprogramsisamorestraightforwardprojectthanfull-blownculturaltransformation.Butuntilrecently,IhavealwaysusedthelessonsofHROsinapiecemealfashionandnotasafullydevelopedmodelinitsownright,onethatwouldbeprescriptiveandmeasurableinthecontextofasecurityprogram.Myinterestandresearchintopeople-centricsecuritychangedthat.AsIformulatedamodelofsecurityculturethatcouldleadtolong-termchange,Irecognizedtheneedforacomplementarytransformationalmodel.BasingthatmodelonHROswasthenaturalchoice.
StudiesinFailureHROresearchisjustonebranchinatreeofresearchdevotedtohowandwhysystemsandorganizationsfail,andwhat,ifanything,canbedonetopreventfailure.Aresomesystemsjustdestinedforeventualdisaster?Orcancatastrophebeavoidedthroughcertainenterprisestructures,organizationalcultures,andbehavioralhabits?Obviously,WeickandSutcliffetakeamoreupbeatstancethat,yes,organizationscansavethemselvesfromsignificantfailuresbylearningfromandbehavingmorelikeHROs.Butthereareotherperspectives.
SidneyDekker,whoIdiscussedinPartI,isafailurestudiesexpertwhohasconceptualizeddriftasawayofunderstandinghowcomplexsystemsandorganizationsexperiencegradual,entropicdecayasthedesignsofthosesystemsproveunabletokeepupwithchangingenvironmentalandsocialfactors.ForDekker,failureisasortofbyproductofsuccess.Aspeoplemakeoptimizingdecisions,compromisesinthefaceofinsufficientresourcesorevensimpleinertia,thesystemgrowsunstable.Butratherthanbeingseenasmistakes,thesedestabilizingdecisionslooklikesoundlogicinthemoment.Itisonlyafterafailureincidentthattheorganizationisforcedtoretroactivelyfindandimposeresponsibility.
CharlesPerrowisanotherfailurestudiesscholar,andhisbookNormalAccidents:LivingwithHigh-RiskTechnologieswasamongtheearliesteffortstotheorizethecausesofinstabilityandfailureinhighlycomplextechnologyenvironmentslikenuclearenergy.Perrow’sanalysisofthese
environmentsissimilartoHROresearch,identifyingprinciplessuchastheinevitabilityoffailure,theideathatbigfailuresstartsmall,andthatfailureisasocialratherthanatechnologicalproblem.Perrow’sconclusionsare,however,somewhatlessencouragingthanthoseoftheHROresearchers.Hepositsthatitismoredifficulttodesignaroundoravoidfailuresbecauseunpredictableinstabilityisembeddedintothefabricofsystemsthataremassivelycomplexandcloselylinkedtogether.
HighlyReliableSecurityProgramsSomeInfoSecprogramsalreadybehavelikeHROs,althoughtheytendtoberare.Theseprograms,whichIcallHighlyReliableSecurityPrograms(HRSPs),havemanagedtodevelopthecultureandbehaviorsoftheirHROcounterpartsinotherindustries.“Highlyreliable”insteadof“highreliability”issomethingofahedgeonmypart.IwanttoemphasizethecharacteristicsandbehaviorsofHROswithinInfoSecprograms,butwithoutimplyingthatit’seasytotranslatethosecharacteristicsdirectly,ortoputunduepressureonorganizationstosuddenlybeseenasinfallible.HRSPsshould,asagoal,simplybecomemorehighlyreliablethantheyaretoday.HRSPsdoexist,forinstance,insensitivemilitaryandintelligenceorganizations,aswellassomecompaniesthatdependsoheavilyonproprietaryorprotectedinformationthatanysecurityincidentcanprovedeadly,eitherfigurativelyorliterally.Buttheyareatypical.Takingsecurityseriouslyislaudable,butitisnotthesamethingasbeinganHRSP.Highreliabilityisnotabouthavingthemostcutting-edgetechnologyorreligiouslyimplementinglistsoftopcontrols,anditcertainlyisnotaboutsuccessfullymeetingcompliancerequirements.
Highreliabilityislessabouthoworganizationssucceedatsecurityandmuchmoreabouthowtheyfailatit.Infact,preoccupationwithfailureisthefirstprincipleofHROs,andthevalueoffailureisthefirstkeyvalueinSecurityFORCE.HRSPsfailinaveryparticularway,underspecificcircumstances.Moreimportantly,theyexpecttofail,andsotheypreparefortheeventualityinawaythatallowsthemtoreboundquicklyandgracefullyfromafall.Mostsecurityprograms,evenverycompetentones,findtheircapabilitiesstrainedwhenitcomestofailure,asmanyoftherecentpublicbreachincidentsdemonstrate.Theirbehavioralpatternsandhabitsareconcentratedondifferentpriorities.SecurityFORCEisdesignedtohelpInfoSecprogramschangethosehabitsandbehaviors,toadoptnewonesthatwillnotonlymakelargefailureslesslikely,butenablebetterresponsestothosethatinevitablydooccur.
Introducing the Security FORCE Behavioral Model
Security FORCE applies the five principles of HROs (depicted in Figure 10-1) as a set of five core values that define an HRSP, adapting these values to security and packaging them within a user-friendly, memorable acronym. These FORCE values, shown in Figure 10-2 and described shortly, drive behavior and influence decision making within the InfoSec program and the entire organization. FORCE values reflect the things that the security program takes seriously.
Figure 10-2 Core values of Security FORCE found in an HRSP
Remember that organizational culture is the collective values and assumptions of a group of people working at a common purpose, the habits and norms that drive their decisions and activities, often beneath the conscious surface. HRSPs possess a unique culture, one that enables them to perform differently under difficult conditions. Security FORCE identifies the values that are most likely to exist within an HRSP, whether or not that security program considers itself highly reliable. Security FORCE therefore approaches cultural transformation from the other end of the spectrum, from the bottom up. If everyone in an organization behaves toward information security the way that people in an HRO behave, all the time, habitually, then that organization is an HRSP. It doesn’t matter if they explicitly think in terms of an HRO-type culture. “HRSP” is not something an organization calls itself, but rather something that it does. When you look like a duck, walk like a duck, quack like a duck, and have the DNA of a duck, you’re a duck. Security FORCE defines what it means to be a highly reliable duck.
Five Core Values of Security FORCE
The five core values defined by Security FORCE benefit information security and lead to a typical security program transforming into a Highly Reliable Security Program. An HRSP tends to reduce the number of large security failures that it experiences, and typically will recover from failures that do occur more quickly and with less disruption than its non-HRSP peers. I have developed specific prescriptive behaviors for each Security FORCE value, behaviors that can be observed and encouraged, as well as Security FORCE metrics that can be used to test and assess how closely a program conforms to the behaviors of an HRSP. I summarize these core values in the following sections, and explore them in detail throughout the subsequent chapters.
The Security Value of Failure
Failure may seem like a counterintuitive value for information security, but only because when it comes to failing we tend to be doing it wrong. The security value derived from failure in people-centric security is that it leads to better insights about when organizations fail and what to do when failures occur. Instead of trying to avoid failure altogether, which is impossible, HRSPs use failure as a tool by which they understand weakness and vulnerability in their systems. This value is realized when failures are discovered early and often, so that they can be addressed and corrected while they remain small, instead of waiting for large failures that prove costlier and more disruptive.
The Security Value of Operations
Operations are central to any InfoSec program, but often there is a disconnect between what people in the program think is happening “on the ground” and what is actually going on. A security policy may say something is required, for instance, but the policy ends up being widely ignored. Or compliance with a standard may make a CISO feel like security is functioning more effectively than it really is. HRSPs worry constantly about what is really going on within their organizations. The security value derived from operations happens when the security program increases visibility and focus on operational realities, rather than relying on proxies or assumptions to guide decisions.
The Security Value of Resilience
How an organization’s security fails is as important as, if not more important than, whether it fails or when it fails. Security failures are inevitable, but paralysis and disruption as a result of security failures are not. Resilience involves knowing exactly what to do when something breaks, so that you bounce back quickly from the problem. HRSPs constantly think about failure and routinely practice how they will deal with it. The security value derived from resilience, therefore, is gained when a security program not only knows where it is likely to experience failure, but has detailed plans for addressing failure and conducts drills on those plans until handling failure is as natural as handling normal operations.
The Security Value of Complexity
Complex environments, threats, and risks challenge any security program’s ability to reduce uncertainty and make effective decisions. But where many organizations meet this challenge by reducing complexity and pursuing simple explanations and frameworks to guide strategy, HRSPs know that oversimplification adds more uncertainty than it removes. Just as assumptions can lead to blind spots, oversimplification can reduce the organization’s situational awareness and increase the likelihood of “failures of imagination” resulting from risks that have not been previously considered and resulting in so-called “black swan” events that prove surprising and costly. The security value derived from complexity is harnessed when an organization maintains a healthy skepticism of simple answers and explanations, and prefers nuanced insight to one-size-fits-all explanations.
The Security Value of Expertise
There is no shortage of expertise in information security, but that doesn’t mean that the people best positioned to make a decision are always the ones with the authority to do so. HRSPs recognize that rigid chains of command and hierarchical power structures can get in the way of effective operations, especially in a crisis. The security value of expertise is realized by distributing decision authority within an organization to maximize efficiency and impact, taking advantage of the human sensors best placed to respond to new information immediately and take action.
Security FORCE Value Behaviors and Metrics
The purpose of Security FORCE is not merely to describe how HRSPs differentiate themselves from other security organizations. The model is also prescriptive, in that it provides a template for change and transformation that enables more reliable, people-centric security. By breaking down the key values of HRSPs into certain behaviors, we can determine whether the values are being upheld when it comes to enterprise security. Once we have identified these behaviors, we can empirically observe and measure them. And with measurement we can make assessments and assign scores that enable us to compare behaviors and organizations against one another.
Security FORCE Value Behaviors
As I have described throughout the book, organizational culture drives behavior. Culture is the sum total of values and assumptions held by the people who make up the enterprise. An organization’s security behaviors, then, are key indicators of that organization’s underlying security culture. When a security program functions as an HRSP, when its culture is one that has adopted the principles and values of high reliability, its behaviors will reflect those deep influences and priorities.
Each Security FORCE value has an associated set of observable behaviors that provide evidence of the influence and strength of that particular value within the security program. For security culture transformation, these behavioral indicators are the signs that the transition to people-centric security and HRSP behaviors is taking place. If cultural change is real, if it has penetrated and taken root within the deeply held values and beliefs of the organization, the evidence of that success will be found in measurable changes in daily behaviors of the organization’s members. Conversely, if change is superficial and has not influenced embedded values and priorities, this will be observable in the lack of any real behavioral change.
To this end, I have developed two diagnostic tools that can assist you in implementing Security FORCE values. The first is a basic survey you can use to assess whether or not your organization behaves like an HRSP today. The second is a set of measures for each Security FORCE value that you can use to gather empirical evidence regarding how well you manage the Security FORCE value behaviors inside your own environment. Both Security FORCE diagnostic tools can be downloaded from http://lancehayden.net/culture.
I will reserve detailed discussion of the behaviors associated with each Security FORCE value for the subsequent five chapters, where I address each FORCE value at length and provide worksheets for assessing and scoring them. But for purposes of introduction, the behaviors associated with each of the Security FORCE values are listed in Table 10-1.
Table 10-1 Security FORCE Values and Associated Key Value Behaviors
Security FORCE Value Metrics
Measurement is critical to the success of security culture and behavioral transformation. Another strength of Security FORCE is the inclusion of metrics, tagged to the key value behaviors of the model and designed to assess HRSP-related traits and compare them over time and against other organizations. These metrics provide empirical evidence that the organization is behaving like an HRSP, rather than simply going through the motions of behavioral change.
As with the specific behaviors associated with the Security FORCE values, I will reserve detailed discussion of the metrics associated with the model for the subsequent chapters. But for purposes of introduction, the metrics associated with each of the Security FORCE values are listed in Table 10-2.
Table 10-2 Security FORCE Values and Associated FORCE Value Metrics
The Culture–Behavior Link in HRSPs
The CSCF represents a “top-down” approach to understanding and transforming information security culture. You can use the CSCF to orient yourself broadly in terms of your organization’s values and assumptions about security, and to identify areas of competition and potential cultural risk. Transformation using the CSCF is also necessarily broad. The CSCF allows an organization to determine direction and distance, so to speak. It allows an organization, for example, to articulate that it is primarily a Process Culture, and to make the case that it might benefit from traits found in an Autonomy Culture. It’s like a real-world map in that you can look at it and decide, “We’re too far west. We need to go east.”
The CSCF does not tell an organization exactly how to get where it wants to go. “Be more like an Autonomy Culture” is not very helpful if you don’t know what that means at a detailed level. The behaviors modeled under Security FORCE are designed to provide the more “bottom-up” perspective on cultural transformation that I discussed early in the chapter. Understanding information security as both culture and behavior is an important insight. As I’ve stated earlier in the book, an organization cannot change its security culture by just targeting observable behaviors and ignoring the invisible drivers beneath the surface. But at the same time, the organization has to have some idea of what behaviors to look for if it is ever to know whether transformation is successful. This link between top and bottom, between culture and behavior, is at the heart of the relationship between the CSCF and Security FORCE.
HROs and HRSPs do not have to think in terms of culture to accomplish their missions. Their behaviors develop over time, through evolutionary adaptation to hostile environments. It took organizational behavior researchers to observe those adaptations and assign names to the patterns that make them what they are. Highly reliable organizations are often too busy doing what they do, surviving and thriving, to worry about assigning labels like “high reliability” to themselves. But these enterprises are culturally different from others, and their behaviors are a product of that different culture. Which came first is like a chicken and egg question. What both the CSCF and Security FORCE share is the goal of defining and articulating patterns and relationships that exist between cultures, between behaviors, and between both culture and behavior. Together, the CSCF and Security FORCE become complementary exercises in shared visibility.
Only the Reliable Survive
It is difficult to overstate the effort involved in becoming an HRSP, or in maintaining that status on a long-term basis. Organizations are like individuals in a lot of ways. They develop certain habits and worldviews, and they can become very set in their ways. It’s about as easy for an organization to say “This year I’m going to become more secure” as it is for a person to say “This year I’m going to get healthy” (or “stop being so stressed,” or “write that book I’ve been thinking about,” or whatever). But New Year’s resolutions, as they say, are made to be broken. It takes willpower, endurance, and dogged effort every single day to live up to our goals.
The habits I see in many InfoSec programs are the ones you can find in most organizations. Pecking order matters, whether or not it is formalized in an organizational chart. People hate to get bad news, especially when they know that turning things around will not be easy or will require that they embrace change. And few things are as comforting as a neatly packaged solution to a problem, whether that solution is a technology product, a neat visual that sums up the world in three slides, or a promise that if you just do these five, or ten, or twenty things, everything will be okay.
HRSPs do their best to reject all of these things, not because they are morally or intellectually superior to other security programs, but because they know deep down that if they don’t do things differently, their environment will eventually cripple or destroy them. This means knowing the difference between short-term and long-term necessities, and being able to balance them effectively. It means maximizing both utility and innovation. Like people who find themselves living in inhospitable climates or surrounded by predators, HRSPs adapt or they die. It’s never easy being a survivor.
The values described in Security FORCE often align with individual culture types in the CSCF. Whether an organization or an InfoSec program has a Process, Compliance, Autonomy, or Trust Culture can influence how much resistance or acceptance that organization is likely to experience when promoting the key behaviors of Security FORCE. So understanding and diagnosing the organization’s security cultures is an important part of implementing Security FORCE behaviors. In the same way, an organization hoping to emulate or become an HRSP cannot really jump into transforming its culture without a deep understanding of the key behaviors that are expected to be found in a more highly reliable InfoSec program. The next several chapters are a detailed examination of those behaviors, starting with the security value of failure in Chapter 11.
Further Reading
Weick, Karl E. The Social Psychology of Organizing. 2nd ed. New York: McGraw-Hill, 1979.
Weick, Karl E., and Kathleen M. Sutcliffe. Managing the Unexpected: Resilient Performance in an Age of Uncertainty. 2nd ed. San Francisco: Jossey-Bass, 2007.
Perrow, Charles. Normal Accidents: Living with High-Risk Technologies. Princeton, NJ: Princeton University Press, 1999.
CHAPTER 11
The Security Value of Failure
The first key value in Security FORCE is failure. In Chapter 10, I discussed how hard it is for information security professionals to embrace failure, while emphasizing its place in people-centric security. In this chapter, I will go into much more detail about just why failure is so valuable to InfoSec programs, what behaviors are associated with accepting failure as a value proposition, and how to measure and incorporate these behaviors into an existing security program.
What Is the Security Value of Failure?
Most of the security programs and leaders I interact with have a special relationship with failure. They fear it and loathe it. To them, failure means that you are not good at what you do, that you have let down your organization and everyone who depends upon it. Failure may also carry harsh personal consequences for your career and your self-image. The idea that failure is not a bad thing is alien to most information security professionals, and attempting to make the case that failure is actually a good thing is likely to get you laughed out of the room. But making that case is exactly what I’m going to do.
Failures are among an organization’s most valuable security resources. Until they’re not. Then they just might kill you.
“Failure Is Not an Option”
In Managing the Unexpected (introduced in Chapter 10), Weick and Sutcliffe talk about a quote from the film Apollo 13, a line spoken by actor Ed Harris, playing NASA Flight Director Gene Kranz. “Failure is not an option,” Kranz tersely informs his team during the film, setting the stage for the heroic feat of rescuing three astronauts in a crippled spaceship headed for the moon. Failure is not an option is an informal motto in many security organizations I’ve encountered, the reasoning being that the stakes are just too high. So it’s a bit ironic that the real Gene Kranz never uttered those words during the Apollo 13 mission. The line came from one of the movie’s screenwriters, based on a comment that a different mission crew member said as the movie was being researched. The real comment, about how NASA weighed its options continuously throughout the disaster and simply neglected to ever include failing among them, was more nuanced. But that line wouldn’t have sounded nearly as cool coming out of Ed Harris.
Failure was obviously an option during the Apollo 13 mission, which failed by definition. No one landed on the moon. The story is legendary because NASA did a heroic job of saving the mission from a much bigger failure, the death of the three astronauts in the crew. To casually say that such an outcome was not a possibility because NASA simply wouldn’t allow it is to pretend that we can avoid failure by force of will alone. That may work in the movies, but when the credits roll and the lights come up, most of us in the audience have to go back to reality. In the real world, avoiding failure takes hard, dogged work. This is a lesson that is core to people-centric security.
When I talk with CISOs and security managers and am told that failure is not an option in their organization, or that they have a zero tolerance policy for screw-ups, or any of the other variations I hear on the theme, I understand where they are coming from. But I also try to point out the irrationality of a philosophy that does little more than guarantee you will experience a failure, and probably not just a minor one. It’s like repeatedly saying you refuse to be unhappy or insisting that everyone around you must always have a positive attitude. They are impossible outcomes and you just end up lying to yourself about achieving them, or expecting others to lie to you, or both. Eventually that comes back to bite you.
So why do we adopt such a patently false worldview? Probably because most of us have been trained and conditioned to feel bad about failing. This may be more of a uniquely American perspective, but failure gets all tangled up with the idea of losing. We learn that life is a contest, and that business is even more of one. To fail is to lose. And to lose means that other people are better than you.
So failure can carry more than just the connotation of making a mistake or having something bad happen. Fail too many times and you actually become a noun, a failure yourself. A loser. A bad person.
Reevaluating Failure
Failure is, at heart, a simple concept. Strip away the moral and cultural judgments that make failure something to be ashamed of, the opposite of a success to be proud of, and you are left with a more basic definition. Failure is the outcome when something does not function as it is supposed to or expected to. It’s a state, not a character flaw. In high-reliability organizations (HROs), failure is a term associated with the performance of a system and whether or not that performance is consistent and reliable. In a Highly Reliable Security Program (HRSP), which is the InfoSec equivalent of an HRO and the goal of most CISOs, that system can be a specific machine or process, or it can be the entire security program. But whichever system you are considering, the one thing that you can be sure of is that it is not always going to work. Machines break down over time. Software has bugs that get discovered. Security programs are even more complex, for all the reasons I have described in previous chapters. The only sure thing in a security system is that, sooner or later, something is going to fail.
Things do not often collapse spontaneously and catastrophically, not in the physical world and not in information security. It’s very rare to have a perfectly viable, strongly designed system that one day suddenly explodes. Most failures occur as part of a continuous process of decay and degradation, the state of the system growing slowly and quietly weaker and less stable until it is no longer able to withstand the pressures of its environment. That final, complete failure, the one that breaks the system and that everyone notices, can certainly come as an unwelcome surprise. But that doesn’t mean no one could have seen it coming, if they had looked for signs and clues earlier.
Weick and Sutcliffe refer to big failures as “brutal audits,” a description that I find very apropos for information security. So much of our work is compliance-driven these days that the idea of audits has become institutionalized within security programs. Audits are designed to point out discrepancies from an expected norm, usually taking the form of a compliance framework or regime. An information security audit is therefore designed to root out failures, things that are not functioning as they are expected to or as they should. Although you may feel brutalized after your most recent PCI DSS or SOX audit, the fact is that you have had those failures identified by friendly parties, people who are interested in seeing your organization succeed. Pointing out your discrepancies gives you an opportunity to fix them. When a criminal hacker breaks into your systems and exfiltrates all your customer information to sell on the black market, and the story hits the newswires, that’s an altogether different kind of audit. Essentially, it has achieved the same result: you are now aware of the shortcomings in your security program, as evidenced by a third party testing it. But that third party is not your friend and could care less whether or not your organization makes things better. They’re already done with you.
So the security value of failure doesn’t imply that a major breach or incident is valuable, but rather that value lies in understanding the process of slow decay in the stability of your security posture. The ability to identify smaller failures, cracks in the system that appear before it breaks completely, is what is important. HROs and HRSPs are much better than other organizations at finding problems while they are just symptoms of impending failure. Mistakes, missteps, and erosion are all signs of growing weakness in a system. Some of these signs are so small that they are barely visible and the failure causes no real harm, but when small failures start piling up, the signs begin to point to bigger problems that may prove very harmful. Cracks become holes and fissures, and eventually the whole thing gives. The trick to avoiding big security incidents is to correct failures while they remain small and insignificant to the operation of the entire security program. But to correct them, you have to want to find them.
Embracing Failure
Embracing failure as a security value does not mean that we desire to fail. It simply means that we know failure of some sort is inevitable, the cost of doing business via the complex systems that we deploy and depend upon in the information economy. Knowing, then, that we cannot help but fail sometimes, at some level, we readjust our outlook on what it means to fail and try to make failure work for us instead of against us. Your InfoSec program may have the most talented people, the most robust processes, and the best cutting-edge technology all working together, but people will make mistakes, processes will be poorly communicated or enforced, and the technology environment will change, creating areas of opportunity for decay. These spaces will grow and expand, compounding one another, until the problem grows too large to ignore.
Even small failures provide clues, pointers to the fact that something is wrong, like the early sharp twinge in an otherwise healthy tooth that presages the cavity that is growing there. Most of us don’t pay attention, at least not until the pain has grown constant. We can identify similar symptoms of problems in our security programs. Employees visit websites they are not supposed to, allow someone to tailgate them into a secured area without using their badge, and so forth. The event is a blip, an error, not even something to which one would apply the term failure, with all the baggage that word carries. No one expects that one small deviation to break the system. But in an HRSP, people are much more sensitive to these “weak signals” of failure, as Weick and Sutcliffe call them. They are not huge problems in and of themselves, taken individually. But they are symptomatic of much larger weakness that exists outside of what is visibly obvious.
The heart of highly reliable security is a commitment by the organization to watch closely for insignificant problems, small mistakes and flaws, and to correct and repair those small areas of weakness before they grow too large. Every time something happens that is different from what the organization expected would happen, every time the actual state of a function deviates from the anticipated state of that function, it’s considered a failure. That failure represents two things. On the upside, it’s an opportunity to learn about, correct, and improve the functioning of the system. On the downside, if it is not addressed, the failure is another incremental step toward the cliff.
When an HRSP embraces failure, it puts mechanisms into place to find, share, and address small problems. An HRSP’s security managers tend to obsess over failure, to brood on it, with the same energy and passion that they think about success. That’s not the same emotion as the general paranoia that exists throughout the security profession. Paranoia is just fear, often compounded by a sense of powerlessness. Brooding on failure in an HRSP is all about taking action, about finding out whether your paranoia is justified, and then doing something when it is. A CISO in an HRSP is never so paranoid as when everything is going along swimmingly, with no problems to be seen and sunshine on the horizon. He knows that his worst enemy is the complacent assumption that the system is sound. For him, the worst failure is not to have seen the wave coming, not to have put the clues together beforehand. So he looks all that much harder for the problems he knows must be there.
Fail Small, Fail Fast, Fail Often
The optimal failure rate in an HRSP is as close to continuously as possible. Continuous, real-time failure indicates that everything going wrong is detected and identified as it fails. Problems can be addressed with minor course corrections and incremental changes to the system. Decay is never allowed to get a major toehold inside the security program or allowed to last very long. In recent years, the security industry has put a lot of emphasis on compromises that allow attackers to sit on a system or network for months or even years, monitoring, collecting, and exfiltrating sensitive data. The principle is similar to how HROs look at failure in general. The longer a failure state is allowed to continue, the worse the larger problem becomes. Uncertainty is introduced, and grows. You can no longer effectively anticipate system outcomes, and the options available for addressing the problem diminish over time. Of course, none of this may be obvious, or even visible, to those running the system. On the surface, everything appears to be fine. If a major failure occurs, it’s all the more disturbing because it feels to everyone involved like things just suddenly collapsed everywhere at once. But that’s just because no one saw the rot behind the facade.
It isn’t easy to spot small failures. Nor is it easy to adjust to an environment of constant, never-ending bad news, which is why most organizations are not highly reliable over the long term. Paradoxically, the fear of failure that we are ingrained to feel can coexist with equally powerful social norms about being optimistic and upbeat. Nobody likes a downer, and people who are always looking at life as a glass half-empty are seen as negative and even disruptive. We may even create a fantasy where the people who worry about what can go wrong somehow contribute to eventual failure by virtue of a self-fulfilling bad attitude. But the real choice is not whether to “turn that frown upside-down” right up to the point where a catastrophe wipes the smiles off everyone’s face. Our choice is whether we want our pain doled out in small, regular doses, manageable pinches that are easily corrected with the control we have over the system but that happen more or less chronically, or we prefer our pain excruciating and all in one burst, as we are ripped apart at the seams by forces we have allowed to grow out of our control, until all we can do is try to clean up the mess afterward.
Embracing failure and the other Security FORCE key values is the essence of organizational mindfulness and cultural maturity. Mindfulness is not some spiritual nirvana, but instead it is the state of being totally and completely aware of everything that is going on and adjusting your actions at such a micro-level that you don’t seem to be doing anything at all. Think of Olympic athletes, dancers, martial artists, or virtuoso musicians. One thing observers notice about these people is that they get into “the zone” where everything flows and gives the appearance that their actions are effortless. But we know they are not. Those actions are the process of years of training and practice, until they can adjust what they are doing, correct imbalances or mistakes before most of us even realize they have experienced them. When an organization achieves this state of mindfulness, it may give the impression that it can do no wrong. Every product is a hit, every business move pure genius. Look behind the curtains, and you are likely to see a system so in tune with itself that it doesn’t need to wait until after something is finished to know that it is successful. That organization probably knows when things “feel wrong” and has mechanisms in place to correct problems in the moment. I’ve known a few security teams that could do this. But not many.
Minor Accidents and Near Misses: Tracking the Seeds of Failure
Outside of the security industry, you are much more likely to find an appreciation for identifying small failures. The safety industry, and the government agencies that regulate companies for safety purposes, has a long history of collecting incident data that the security industry would probably find incredible. Federal, state, and local agencies in the United States, as well as national and local governments around the world, are tasked with collecting and collating industrial accident statistics that are used to identify patterns and try to head off larger safety problems before they occur. The Occupational Safety and Health Administration (OSHA), the Bureau of Labor Statistics (BLS), and the National Transportation Safety Board (NTSB) are just three of the many U.S. government agencies that collect and track data about accidents and failure incidents, both small and large, in the companies they regulate.
Some organizations go beyond just collecting routine accident and failure data by attempting to chart and describe the space in which small errors can turn into big, life-threatening problems. The Aviation Safety Information Analysis and Sharing (ASIAS) collaboration between MITRE, the Federal Aviation Administration (FAA), and the aviation industry is one example. The ASIAS system works to identify failure patterns that can point to systemic weakness in the overall aviation safety system. Another organization, the National Near Miss program (www.nationalnearmiss.org), collects information on near miss failures for both firefighters and law enforcement officers.
Failure Key Value Behaviors
Taking advantage of the security value of failure, and moving toward highly reliable security, depends upon developing a culture and, more specifically, a set of behaviors that enable an organization to embrace failure and begin detecting and correcting mistakes and problems while they remain small and fixable. The Key Failure Value Behaviors defined in this chapter distill the core cultural traits of HRSPs into a measurable set of priorities and activities that will enable an organization to take advantage of failure as a learning experience and a resource, rather than waiting for the catastrophic “brutal audit” that brings disruption and destruction to the system. These behaviors are not hard to understand or even implement, given the benefits they can provide. They are
Anticipate failures
Seek out problems
Reward problem reporting
Share information about failure
Learn from mistakes
Anticipate Failures
Most information security professionals worry. We know that many things can go wrong, and we fret over what might go wrong. We may even have specific ideas about how things can fail in the information environments with which we are familiar. But worry is different from anticipation. Worrying about some event, such as a security breach, means you believe it could happen, but you aren’t certain. Anticipating that same event means you know it will happen, and you are simply waiting for it to happen, more or less comfortably (depending on how well prepared you feel). When you worry that something could possibly happen, that mental image sits in a balanced tension with the possibility that maybe it won’t, which may make you more complacent. You just can’t be sure, so you might hesitate to act.
If you know something is going to happen, you behave differently. If I were to tell you, with 100 percent certainty, that tomorrow an employee will let a hacker tailgate through a locked door and that the attacker will then proceed to steal the plans for your next big product launch, you would take action. You might not prevent the incident, but you would no longer have the luxury of wondering whether or not it would occur. Anticipation spawns action in ways that fear, uncertainty, and doubt do not. Even most risk assessments done today are more functions of worry than of anticipation. We outline our risks, even try to quantify them, but we still operate under the assumptions that they may not happen at all. We think in terms of, “If x were to happen, here’s what it would mean…”
HRSPs anticipate their worst security failures by flipping that script, by imagining the worst security failures and taking the approach, “x is going to happen if we don’t…” (for example, “…find the problems creating the conditions for that failure” or “…take action to correct those smaller errors before they get big”). Anticipating security failures means getting people who know together to brainstorm how things can go wrong (and how they probably are already going wrong). It means writing those expectations down so that we can compare them with reality later. And it means creating the investigative mechanisms required to dig into each anticipated worst-case scenario and figure out where the clues and weak signals are today so that we can go find them and correct them.
Seek Out Problems
“Seek, and ye shall find,” the verse says, and I’ve yet to encounter an InfoSec program that could not find problems once it started looking for them. In fairness, I’ve never encountered a security program that was not looking for problems. Risk assessments, penetration testing, code reviews, and audits all contribute to the search for security failures and the effort to prevent larger failures down the line. But the truth is, most organizations are not doing it enough, in the right way, or for the right reasons to qualify as Highly Reliable Security Programs.
HRSPs seek out failure because they sincerely want to find it. Failure is gold, provided you don’t get crushed under an avalanche of it. Most failure seeking that I see today is half-hearted at best, and people are happiest when failure is not actually discovered. That mentality would alarm an HRSP’s staff. It would mean they didn’t look closely enough, or in the right places. It would mean the threats are still out there, unknown and unaddressed, allowed to grow bigger.
HRSPs cultivate failure-seeking behavior at all levels, by everyone in the organization. The security team cannot be everywhere at once, so they enlist informants all over the enterprise. Security awareness teams train people what to look out for, how to identify problems. And the security program collects and analyzes this data in a systematic and formalized way. Seeking security problems is not the job of specialized testing or audit teams, who usually can identify problems only in specific instances or only after they have reached certain thresholds. HRSP failure-seeking behavior is about trying to capture failure information nearly as soon as someone, anyone, does a double take and says, “Whoa, that was weird!”
Reward Problem Reporting

Few people are going to enthusiastically undertake an activity that doesn’t benefit them in some way, much less get excited about volunteering to do something that is likely to hurt them. HRSPs encourage the reporting of failures by using the tried-and-true method of rewarding people for doing it. Security awareness teams, again, are often the front line troops in any attempt to encourage failure reporting. Not only do these folks represent a primary interface between the security program and the rest of the company, they can also be the best means of putting a more benign and friendly face on a difficult and sensitive topic. A typical employee may feel much more comfortable confiding the fact that there are personal Wi-Fi routers installed around his open-plan workspace to the nice, friendly awareness manager he met at “Security Day” than to the CISO, or even to the geeky, dismissive support technician who fixed his laptop the last time he got a virus.

Rewarding people for reporting security failures means praising people who bring attention to the small gaps in the organization’s armor, even if the person who reports that gap is the person who created or caused it. Especially if it is them. This can be an especially bitter pill for security teams to swallow, particularly when the root cause is something a security person would consider stupid or even willfully negligent. But HRSPs keep an eye on the bigger picture here, and that view states that the only thing accomplished by punishing a person for reporting a mistake is to ensure they will never report another one. Highly reliable security is far more concerned with blind spots than with criticizing the source of an invaluable piece of organizational visibility.

Rewards for security failure reporting need to be real and tangible. There are many ways to accomplish this, from building failure reporting into job descriptions and performance reviews, to offering cash or other “bounties” on reporting problems in much the way the security vulnerability market pays out for zero-day exploits, to simply calling attention to and praising people who notice ways to make things better. But however the goal is accomplished, the security value of failure cannot be realized fully unless it is a cultural value that the entire organization practices and believes in.

Share Information About Failures

People reporting about security failures is a way of sharing information with the security program or team. But HRSPs practice sharing information outward, too. Hoarding or even concealing information about security problems, for whatever reason, contributes to the uncertainty and lack of visibility that can allow small problems the space to metastasize into huge ones. Information sharing is another area where the security industry is starting to see more innovation and activity, as a result of high-profile breaches that have prompted (or forced, depending on your political views) government to start getting involved directly. Like it or not, information sharing is only going to get bigger. HRSPs don’t mind this trend, because they already believe in sharing as part of the security value of failure.

I hear plenty of reasons why information sharing regarding security failures is a concern. Most of the time, the primary reason has to do with the organization’s concern that by revealing incidents or vulnerabilities, it will advertise its weaknesses to potential attackers. This concern has merit in certain situations, but more often it directly contradicts lessons we have learned about how security works in closed versus open systems. Sure, an organization that publicly shares information about an existing vulnerability may as well hang a neon sign saying, “Here is where I am vulnerable. I have not fixed the problem, come and get me.” But if you know you have a problem, why haven’t you fixed it? There may, of course, be legitimate reasons for not sharing information about a vulnerability, such as the inability to fix it. But I would humbly submit, based on a quarter of a century of working in this field, that “we can’t fix it” a lot of times is a disingenuous way of saying “we won’t fix it,” or “we choose not to fix it, because it would be too hard/expensive/time consuming…”

HRSPs share failure information more freely because they believe what open source proponents believe about security: that more eyes on the problem generates more insight into how to fix it and more pressure to do so. It does not mean that every HRSP publishes the result of every penetration test it conducts or security incident it experiences, down to the IP addresses involved, on a public website in the interest of information sharing. Failures at that level are already a big problem because they were not detected sooner, before they could result in a compromise. Highly reliable security teams are more concerned with sharing information about how the vulnerability got there in the first place, and how it was allowed to go untreated until it reached the breaking point.

Sharing information about security failures requires that the organization set up formal mechanisms by which to exchange data and insights. While most of the information sharing discussions happening in the information security industry today have to do with sharing between separate organizations, HRSPs tend to first look more inward. Facilitating the sharing of information that could prevent a security breach altogether is much more efficacious than struggling over the best way to tell a peer organization when and how you were breached.
Learn from Mistakes

HRSPs see a large part of the security value of failure as being associated with learning opportunities…learning to understand their security programs better, learning to manage anticipated outcomes against actual outcomes, and learning where to take action to keep minor incidents from growing into major ones. Therefore, it is central to highly reliable security that the InfoSec program learn something from every failure it encounters. That may sound trite, but how many times have you seen or heard about a security problem that managed to get identified but not fixed? If we see a security policy being continually violated, how often do we try to learn why that policy is so difficult for people to follow, as opposed to simply handing down sanctions or, worse, just giving up on enforcing it altogether as unmanageable?

Every failure, no matter how small, has a reason behind it, something that caused a transition from a state of expected functionality to a state of unexpected functionality. In HRSPs, identified failures always trigger change—if not a direct change to people, process, or technology, then at least a change in mindset or sensitivity. If it can, the HRSP will correct the problem by altering standard operating procedures to accommodate the new expectations that the failure has brought to light. If the HRSP can’t do that, it will add the failure to the list of things that can go wrong and to which it must pay more attention in the future.
“That Report Made a Good Paperweight”

Knowing what can or is likely to fail is only as good as your capability to take action on that knowledge. If the organization cannot or will not put the information to productive use, then it becomes impossible to extract value from your failure data. One area I have seen particularly hard hit by this trend is that of vulnerability and penetration testing. It seems that, all too often, doing the test does not translate into doing something with the test.

I’ve worked with several companies that religiously conducted penetration and posture tests on their security. In each case, the ethical hacker team I was working with or managing would go into the company, do their work, and dutifully present their findings. The audience would get excited or frightened, depending on the findings and whether or not they felt they had known about the likelihood of particular attack vectors working or vulnerable systems being compromised. In all the reports I was involved in delivering, the findings included detailed recommendations for how to correct or otherwise avoid the small failures, errors, and mistakes that had created a space in which the hackers could cause the security posture to weaken or collapse completely. Having shown the customer what was wrong, why, and how to fix it, we would leave, not seeing the customer again for months or years, until the next scheduled test.

There were always a few companies that, upon our return, would suffer the same penetrations, the same failures, as the red team did its work. These were not just similar types of failures, or recurring patterns of vulnerability on differing systems. For some customers, the penetration testers would successfully attack and compromise the same boxes the same way, using the same exploits, as the year before. Nothing had changed at all. No one had corrected anything reported in the previous specific findings. Reasons ranged from the banal (“We didn’t have enough time or people to get to that one.”) to the terrifying (“That’s a production machine that is central to our business, so we can’t take it offline long enough to even fix the problem that allowed you to own it.”)

One of the fruits of the security value of failure is insight. But insight without action is like apples left to fall from the tree but never picked up and eaten. Soon enough, no matter how much food is sitting around, you’re going to starve.

Assessing Your Failure Value Behaviors

Implementing new and different organizational behavior is not as hard as changing the culture that drives those behaviors, but that does not mean the task is easy. You have to identify the behaviors you want to encourage, and then develop ways to assess and measure how prevalent they are and how widely they become adopted. And all the while you have to keep one eye on cultural influences that you may be able to harness to your purpose, or that might resist your efforts toward change by competing directly with the priorities you hope to enshrine.

The Security FORCE Survey

The Security FORCE Survey is a brief data collection instrument designed to assess whether the organization exhibits the behaviors associated with a Highly Reliable Security Program. It consists of 25 statements, divided into sections for each of the five Security FORCE values, mapped to the behaviors associated with each particular value. Respondents are asked to state their level of agreement with each statement. The five statements under Security Value of Failure are listed in the excerpt of the Security FORCE Survey shown in Figure 11-1.

Figure 11-1 Security FORCE Survey statements for failure value behaviors

Like the Security Culture Diagnostic Survey (SCDS), the Security FORCE Survey is a generalist tool, suitable for a variety of situations and audiences. It can be used by an information security team to assess behaviors related to the security program goals and operations, or as a comparative tool to measure the differences between teams or organizational functions. Security behavior and culture is not unique to the InfoSec team, but applies across the entire organization (although particular cultural traits may vary a lot within the same environment). Highly reliable security also happens organization-wide, or does not, as the case may be. The Security FORCE Survey allows an enterprise to gain visibility into its reliability from a security perspective.

Scoring the Security FORCE Survey

Administering and scoring the Security FORCE Survey is not difficult. The survey can be completed by anyone in the organization, and a wider net is usually better. HRSPs are typically not organizations where security is both highly centralized and relatively isolated, so that people outside security are less aware of how things work. Security FORCE value behaviors must be embedded throughout the organization for the benefits of highly reliable security to be fully achieved. Gathering FORCE value behavior data by administering the survey throughout different areas of the enterprise will yield a much more accurate picture about how often those behaviors occur the further one gets from the official security team.

Once the survey data is collected, the organization aggregates and averages the scores for each statement, for the Security FORCE value the statement represents (Failure, Operations, etc.), and for particular demographic areas of interest (security team vs. other organizational divisions, for example, or between functional roles). Demographic analysis, of course, requires collecting demographic information as part of the survey, which may or may not be possible or desirable for reasons of resource allocation or privacy.

Since the Security FORCE Survey uses a traditional Likert scale, with a range of responses from “Strongly Disagree” to “Strongly Agree,” it is possible to assign numerical scores to the data and produce average responses. I would suggest a simple 1 to 5 scale, with lower numbers indicating that the associated behavior is less likely to occur in the organization.

An average score of 4 or above (most responses indicate Agree or Strongly Agree) signifies the organization exhibits behaviors found in an HRSP. An average score of 3 (most responses indicate the respondent felt Neutral) signifies the organization may or may not behave like an HRSP. An average score of 2 or below (most responses indicate Disagree or Strongly Disagree) signifies the organization does not exhibit the behaviors found in an HRSP.

In the case of failure value behaviors, then, an average score of 4 or greater indicates that the organization behaves in ways that will make it more likely to discover failures while they remain small and act on them to avoid a major security incident. A score of 2 or below, conversely, indicates that the organization may lack the behaviors associated with an HRSP and may find it difficult to discover the minor problems, failures, and mistakes that are reducing the health and stability of the system.
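The scoring procedure above (map Likert answers to 1 to 5, average by statement, by FORCE value, and by demographic group, then read the average against the 4 / 3 / 2 thresholds) is small enough to script, and doing so makes the demographic comparison the book recommends repeatable. The following is an added example written for this page, not an instrument or code from the book: the statement ids (F1 to F5, O1), the respondent groups, and all responses are constructed sample data, and the actual survey wording lives in Figure 11-1. One generalization beyond the text: averages that fall strictly between 2 and 4 are all reported as indeterminate, since the book only names the three anchor points.

```python
from collections import defaultdict

# Likert labels mapped to the 1-5 scale the text suggests (lower = behavior less likely).
LIKERT = {
    "Strongly Disagree": 1,
    "Disagree": 2,
    "Neutral": 3,
    "Agree": 4,
    "Strongly Agree": 5,
}

# Constructed statement ids: the leading letter names the Security FORCE value
# the statement belongs to (F = Failure, O = Operations). Real wording is in Figure 11-1.
VALUE_OF = {"F": "Failure", "O": "Operations"}

# Constructed sample responses: (respondent id, demographic group, statement id, answer).
SAMPLE_RESPONSES = [
    ("r1", "security team", "F1", "Strongly Agree"),
    ("r1", "security team", "F2", "Agree"),
    ("r1", "security team", "F3", "Agree"),
    ("r1", "security team", "F4", "Strongly Agree"),
    ("r1", "security team", "F5", "Agree"),
    ("r1", "security team", "O1", "Agree"),
    ("r2", "security team", "F1", "Agree"),
    ("r2", "security team", "F2", "Agree"),
    ("r2", "security team", "F3", "Neutral"),
    ("r2", "security team", "F4", "Agree"),
    ("r2", "security team", "F5", "Strongly Agree"),
    ("r2", "security team", "O1", "Strongly Agree"),
    ("r3", "finance", "F1", "Disagree"),
    ("r3", "finance", "F2", "Strongly Disagree"),
    ("r3", "finance", "F3", "Disagree"),
    ("r3", "finance", "F4", "Neutral"),
    ("r3", "finance", "F5", "Disagree"),
    ("r3", "finance", "O1", "Neutral"),
    ("r4", "finance", "F1", "Disagree"),
    ("r4", "finance", "F2", "Disagree"),
    ("r4", "finance", "F3", "Strongly Disagree"),
    ("r4", "finance", "F4", "Disagree"),
    ("r4", "finance", "F5", "Disagree"),
    ("r4", "finance", "O1", "Disagree"),
]


def score_responses(responses):
    """Aggregate Likert answers into averages by statement, by FORCE value,
    and by (demographic group, FORCE value). Unknown answers are rejected
    rather than silently skewing an average."""
    by_statement = defaultdict(list)
    by_value = defaultdict(list)
    by_group_value = defaultdict(list)
    for _respondent, group, statement, answer in responses:
        if answer not in LIKERT:
            raise ValueError(f"unrecognised Likert answer: {answer!r}")
        score = LIKERT[answer]
        value = VALUE_OF[statement[0]]
        by_statement[statement].append(score)
        by_value[value].append(score)
        by_group_value[(group, value)].append(score)

    def averages(buckets):
        return {key: round(sum(scores) / len(scores), 2) for key, scores in buckets.items()}

    return {
        "statement": averages(by_statement),
        "value": averages(by_value),
        "group_value": averages(by_group_value),
    }


def interpret(average):
    """Read an average against the thresholds given in the text. The band
    between 2 and 4 is treated as indeterminate (an assumption of this example)."""
    if average >= 4:
        return "exhibits HRSP behaviors"
    if average <= 2:
        return "does not exhibit HRSP behaviors"
    return "may or may not behave like an HRSP"


if __name__ == "__main__":
    result = score_responses(SAMPLE_RESPONSES)
    for (group, value), avg in sorted(result["group_value"].items()):
        print(f"{group:14s} {value:11s} {avg:4.2f}  {interpret(avg)}")
```

On the constructed data the organization-wide Failure average (3.05) is indeterminate, but splitting by group shows the security team at 4.2 and finance at 1.9, which is exactly the kind of gap the text says a wider survey net is meant to expose.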
The Security FORCE Metrics

The Security FORCE Metrics are a set of 25 measures, also mapped to the five Security FORCE values and their associated value behaviors. These metrics can help you measure the success of your efforts to create an HRSP behavioral environment within your organization. Figure 11-2 shows the five metrics for the security value of failure.

Figure 11-2 Security FORCE Metrics for failure value behaviors
You cannot manage what you don’t measure, and even survey-based measures of behavior can be difficult to interpret and track over time. The Security FORCE Metrics are based on the artifacts and outcomes that a set of behaviors should produce if those behaviors are prevalent and embedded within an InfoSec program or the larger enterprise. By tracking these artifacts and outcomes, an organization concerned with reliability is given an additional set of evidence to use in comparison with common sense, established policies, and survey results. Even if all of those things indicate highly reliable security behaviors, anomalies in the Security FORCE Metrics can point out discrepancies that should be explored further.
Using the FORCE Failure Value Metrics

The five FORCE Metrics associated with the value of failure track the identification and management of failures and errors, and serve as indicators of whether those failures are being found early enough to increase the reliability of the InfoSec program. There is no single way to use these metrics, nor do they represent the only performance indicators available to an organization. But they are a starting point for security programs that may not track comparable measures or trends. Metrics work best when they are performed over time, allowing the development of baselines and comparisons of current versus past results. Some of the FORCE Metrics specify measurement intervals, usually on an annual basis. But individual organizations must decide, given available resources and program goals and objectives, what the most appropriate uses and measurement cycles should be for each of the FORCE Metrics.

Number of security failure scenarios developed in the past year

A large part of identifying security failures is anticipating them, and HRSPs will go to great lengths not to fall victim to “failures of imagination,” where a breach or incident might have been predicted with a little forethought, but was never considered. Security failure scenarios are simply (but not necessarily simple) brainstormed ideas of events, incidents, or breaches. They are the extensions of the threat models and risk scenarios already undertaken by many organizations, but HRSPs design their failure scenarios with an eye on the details of small failures that will likely occur on the way to the big event. The goal is to develop an idea of the small signs that the big failure is coming. The more scenarios that an organization takes the time to consider and develop over a period of time, the more likely they can spot telltale warning signs early on in the failure cycle.
Number of security failure scenarios (whether or not resulting in a formal security incident) reported in the past year

The purpose of failure scenario development isn’t just security team members telling scary stories around a campfire, so to speak. Some failure scenarios are more likely to occur than others, and this metric allows an organization to measure the predictive power and accuracy of its failure brainstorming activities. HRSPs report failures, both small and large, and these failures should be correlated with the scenarios that have been developed internally. If the security team is predicting scenarios with identifiable failure markers, and is then detecting and managing those minor incidents before the scenario fully develops (or noting the signs beforehand even when a failure does occur), that’s a good thing. It shows the enterprise imagination has a healthy awareness of its own weaknesses and can improve those insights.
Ratio of security incidents with no prior failure reporting or indicators in the past year

The organization wants to see expected failures being identified and reported, even if a security event proves unavoidable. If, on the other hand, the organization is experiencing security incidents that were never considered, or not observing the minor problems it expects to see associated with an event that does occur, then that’s bad. Security incidents should be tracked and correlated with applicable or related scenarios. An organization that doesn’t see any incidents coming, or that expects some incidents but gets ones that are completely different, must question its prognostic skills. An HRSP will want this metric to remain very low. Whether or not an incident proves avoidable, the first step in higher reliability is to make it more visible, sooner.

Ratio of security failure or incident data (reports, root-cause analyses, after-actions, etc.) voluntarily shared outside the information security program

I made the case earlier in the chapter that information sharing outside the InfoSec program is vital in order to get different perspectives and insights about how security is working within the organization. Sharing security-related information with non-security stakeholders may make some InfoSec team members a bit nervous, but the potential payoff for pushing that comfort zone can be significant. This measure provides a simple gauge for determining whether a security team is emulating the more open, advice-seeking failure behaviors of an HRSP, or is continuing to be insular and closed off from the rest of the organization about security activities and challenges.

Ratio of security failures resulting in system changes

It doesn’t matter how much the organization sees what’s going wrong if it doesn’t take action, just as knowing you’re driving towards a cliff won’t mean much if you don’t turn the wheel or hit the brake. Security incidents and data breaches almost always result in system changes, usually large ones. This metric helps the organization understand the extent to which change is being implemented when faced with smaller, more minor failures. Remember that HRSPs aren’t just looking to identify small failures. They want to take action while they are still small and the costs of change are less burdensome. Unfortunately, many organizations take just the opposite approach, neglecting to make changes because the problem appears so small. If an enterprise scores low on this measure, that can be an indicator that things do not change until they are forced to, usually as a result of tiny failures adding up to big problems that can no longer be ignored.
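The five failure value metrics all derive from three records an organization already keeps in some form: the scenarios it has brainstormed, the failures people have reported, and the incidents that actually occurred. Computing them from those records is a useful exercise because it forces the correlation the text asks for (which report maps to which scenario, and whether a report preceded the incident). The block below is an added example for this page, not the book's own tooling or data; the record layout, the rule that an incident "had prior indicators" only when a report tagged with the same scenario predates it, and the reading of the second metric as the count of reported failures that match a developed scenario are all assumptions of the example, and every scenario, report, and incident is constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Scenario:
    id: str
    title: str
    developed: date


@dataclass(frozen=True)
class FailureReport:
    id: str
    reported: date
    scenario_id: Optional[str]        # developed scenario it matches, or None if unanticipated
    shared_outside_infosec: bool      # report / RCA / after-action shared beyond the security team
    resulted_in_change: bool          # some people/process/technology change followed


@dataclass(frozen=True)
class Incident:
    id: str
    occurred: date
    scenario_id: Optional[str]        # scenario the incident matched, or None if never considered


# Constructed sample data (hypothetical scenarios, reports and incidents).
SAMPLE_SCENARIOS = [
    Scenario("S1", "credentials lost to phishing", date(2015, 2, 10)),
    Scenario("S2", "unowned server appears on the network", date(2015, 5, 4)),
    Scenario("S3", "stale firewall rule left open", date(2014, 11, 3)),
]
SAMPLE_REPORTS = [
    FailureReport("R0", date(2014, 12, 20), "S3", False, False),
    FailureReport("R1", date(2015, 3, 2), "S1", True, True),
    FailureReport("R2", date(2015, 4, 10), None, False, False),
    FailureReport("R3", date(2015, 6, 15), "S2", True, False),
    FailureReport("R4", date(2015, 8, 1), "S2", False, True),
    FailureReport("R5", date(2015, 9, 20), "S1", True, False),
    FailureReport("R6", date(2015, 11, 11), None, True, True),
]
SAMPLE_INCIDENTS = [
    Incident("I1", date(2015, 4, 1), "S1"),   # R1 preceded it: indicator was there
    Incident("I2", date(2015, 7, 5), "S2"),   # R3 preceded it
    Incident("I3", date(2015, 10, 12), None), # scenario never considered
    Incident("I4", date(2015, 5, 1), "S2"),   # S2 reports only arrived after this incident
    Incident("I5", date(2015, 12, 1), "S1"),  # R1 and R5 preceded it
]


def failure_value_metrics(year, scenarios, reports, incidents):
    """Compute the five FORCE failure value metrics for one calendar year.
    Ratios are None when the denominator is zero (nothing to measure)."""
    scenario_ids = {s.id for s in scenarios}
    year_reports = [r for r in reports if r.reported.year == year]
    year_incidents = [i for i in incidents if i.occurred.year == year]

    def has_prior_indicator(incident):
        # A failure report tagged with the same scenario must predate the incident;
        # reports from earlier years still count as prior indicators.
        return incident.scenario_id in scenario_ids and any(
            r.scenario_id == incident.scenario_id and r.reported < incident.occurred
            for r in reports
        )

    def ratio(numerator, denominator):
        return round(numerator / denominator, 2) if denominator else None

    return {
        "scenarios_developed": sum(1 for s in scenarios if s.developed.year == year),
        "scenarios_reported": sum(1 for r in year_reports if r.scenario_id in scenario_ids),
        "incidents_without_prior_indicators": ratio(
            sum(1 for i in year_incidents if not has_prior_indicator(i)), len(year_incidents)
        ),
        "failure_data_shared_outside": ratio(
            sum(1 for r in year_reports if r.shared_outside_infosec), len(year_reports)
        ),
        "failures_resulting_in_change": ratio(
            sum(1 for r in year_reports if r.resulted_in_change), len(year_reports)
        ),
    }


if __name__ == "__main__":
    for name, value in failure_value_metrics(2015, SAMPLE_SCENARIOS, SAMPLE_REPORTS, SAMPLE_INCIDENTS).items():
        print(f"{name:36s} {value}")
```

Note how I4 counts against the organization even though S2 was a developed scenario: the reports about it arrived after the incident, so at the moment it mattered there was no indicator, which is the distinction the third metric is meant to capture.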
Improving Your Failure Value Behaviors

Once you have identified the security behaviors that are most likely to make your security program more highly reliable and have compared the way your organization behaves day to day with these desired behaviors through the survey, measurements, or other means, you are likely to find areas where you want to improve. Improving security behavior does not happen overnight, and it does not happen by fiat. We all know how hard it is to just change our own habits and comfort zones. Changing them for an entire organization is that much more daunting.

Embed the Security Value of Failure into People

People-centric security puts human beings at the top of the security value chain, and they are going to be your first, best source of value when it comes to reaping the fruits of the security value of failure. As I have described throughout this chapter, the real value of failure has everything to do with finding it early enough and often enough to learn from it and change direction before disaster strikes, like a ship’s navigator keeping track of currents and wind to make micro adjustments to the ship’s course so that it never gets close to danger. Several approaches can be leveraged to make it easier for people to adopt security failure value behaviors.

Reeducate People on What It Means to Fail

Cultural beliefs and assumptions drive behavior, so changing behavior means attacking cultural resistance. Organizations can encourage people to value failure more actively and effectively by redefining what it means to fail in the organization. A key message here should be that not all failures are equal, and that some are actually desirable, since they are destined to happen anyway. By turning small failures into learning opportunities, and reserving fear and avoidance strategies for those big failures that the organization anticipates, a feedback loop can be created. People will understand that there are certain outcomes that are truly unacceptable, that must never happen. Everything else is fair game, so long as it creates an environment of knowledge that can be used to prevent and avoid the unacceptable.

Set Leadership Examples

Few things will encourage a person to behave in a certain way more than seeing other people do it, especially people who that person respects or wants to impress. Organizational leaders like the CISO have enormous power to influence, simply by living up to the ideals and requirements that they set for everyone else. By walking the walk, such leaders encourage imitation. So leaders in the organization, especially security leaders, should be the first to embrace the security value of failure. This means changing the way they deal with failures that occur, but also being more open and transparent about their own failures and those of the security program. When the CISO is seen as welcoming bad news, even needing it to do her job correctly, then people will share it more willingly.

Open Up Communication

The security value of failure only gets realized in an environment of open and free information sharing. Encouraging that sharing, and rewarding people for doing it, is part of the solution. But channels must exist for the message to get through. If failure information, no matter how welcome, never leaves the informal sharing environment of the cafeteria or the water cooler, it will not get codified or distributed in a way that gives the best results. Security awareness teams are often the best positioned to create and manage communications involving the security value of failure. By acting as an interface between stakeholders, they are in the best position to encourage open dialogue, understand challenges, and deconflict problems that may arise.

Further Reading

Paynter, Ben. “Close Calls Are Near Disasters, Not Lucky Breaks.” Wired.com. Available at www.wired.com.
CHAPTER 12

The Security Value of Operations

As indicated in Chapter 10, the second key security value in the Security FORCE Behavioral Model is operations. As with the key security value of failure described in Chapter 11, the FORCE Model challenges us to reconsider our notions regarding what operations means for information security. Of all the Security FORCE values, operations is probably the one that many InfoSec programs think they do best. The industry is increasingly populated with sophisticated (and expensive) security operations centers (SOCs) to monitor activity, combined with dashboards, alerts, reviews, and operational assessments at multiple enterprise levels to maintain security situational awareness. Many companies swear by operational visibility in their information security programs, and with the plethora of available tools, from traditional security event and incident management (SEIM) tools to enterprise risk management (ERM) software to sophisticated threat intelligence systems like OpenSOC, there’s a feeling that the options to improve InfoSec visibility are better than they have ever been.

If we were talking about technology only, I would tend to agree. Our tools and capabilities for creating situational awareness around IT infrastructures have evolved to an amazing degree over the years, and are improving all the time. The problem is that operational activities are not limited to technology and infrastructure. They include all the messier components of people and process as well, things like strategies, policies, relationships, and conflicts. If the primary value we derive from the security value of operations is limited to our visibility into technical systems, then we are missing an enormous amount of insight, and probably those very insights that matter most in terms of whether or not our security will be effective in the long term.
What Is the Security Value of Operations?

To be highly reliable, an InfoSec program needs to understand more than just its technology landscape. To behave in ways that will enable the organization to experience fewer severe failures and bounce back more quickly from those that do occur, security teams need more operational awareness than they have today. Technology is one component. Many security programs are at least partly correct in their assertion that they have a good handle on operational awareness. The problem they face is not their ability to observe all the things their tools and methods are designed to monitor, or to interpret the data (usually technical) they are collecting. The problem is their inability to see things they are not looking at, to understand the places where no data is being collected, and to know the difference between what they think is happening (because a policy or a technology control is in place, for example) and what is actually occurring “on the ground” (such as everyone ignoring the policy or finding ways to circumvent the control). Eliminating blind spots like these by redefining the notion of operational visibility leverages and maximizes the security value of operations.

Operational Power

Where does information security exist? Where is it accomplished? Does information security happen in strategy, as organizations decide how to best protect their programs and formulate plans to do so? Does it happen on the wire, as the bits rush by in electromagnetic pulses of data? Does it happen at the interface with adversaries, as threats cross from the theoretical to the real? The answer is that information security happens in all of these places, but none of them can be seen as comprehensively describing an organization’s security posture. Security is behavior, a decision being made and a response to that decision. Even when that decision is made by a machine, it is the result of a human decision being made somewhere else, someone deciding on a threshold or building logic into a programmatic response. Security operations, therefore, are inherently people-centric. And Highly Reliable Security Programs (HRSPs) know this. That’s why they pay all sorts of special attention to the decision interfaces in their security programs. That’s where the magic (black or white) happens.

Decision interfaces at the strategic level are less operational than those made on the front lines of activity. A CISO’s decision that his company needs to reduce phishing attacks carries less operational weight than an employee’s decision about whether or not to click a link in an e-mail. Power dynamics tend to be turned on their head at the operational level, with the individual user or operator having more influence in the moment than the managers and strategists at higher levels of the organizational chart. One person can destroy an entire business if, at the moment of decision, that person is the one with their finger on the wrong button. HRSPs aren’t afraid of being accused of paying more attention to the trees than to the forest. Fires always start small, and HRSPs don’t want to wait until half the forest is burning to notice the smoke.

Sensitivity to Operations

The literature about high-reliability organizations (HROs) introduced in Chapter 10 identifies sensitivity to operations as a principle, and HRSPs do their best to be sensitive about what’s really happening when security decisions are being made. The idea is tied very closely to the FORCE value of failure, because you can’t catch small errors and mistakes if you aren’t watching for them at the levels where small failures happen. If the security program’s visibility kicks in only when the attackers who have infiltrated your systems for the past nine months start suddenly exfiltrating terabytes of data, that is not the appropriate level of detected failure. And if there was no possible visibility at the level of technology that could have identified failures before that point, it is probably time to start looking at visibility on other levels.

HRSPs are much more comfortable with uncertainty and ambiguity than are more typical InfoSec programs. In their book Managing the Unexpected, Weick and Sutcliffe described how one of the greatest inhibitors to operational awareness in HROs is an “engineering culture” that prioritizes and favors certain types of information and knowledge, namely that which is hard, quantitative, formal, and easily measurable, over supposedly softer and “qualitative” information that is less reliable but closer to everyday human experience. These findings are just as applicable to information security, and in Parts I and II of this book I’ve made the same point regarding the qualitative/quantitative dichotomy in information security professionals.

For HRSPs, qualitative versus quantitative is a false dichotomy. Having access to reams of quantitative data means nothing if those data don’t tell you what you need to know. And what we often need to know is why things are happening in a certain way, how relationships, motivations, and assumptions are leading people to behave like they do and to make the decisions they make. These are not the sorts of insights one is able to get just by analyzing quantitative data. Instead, HRSPs seek a hybrid form of knowledge. Security professionals who see the word “operations” and immediately think technology products or SOCs, but fail to consider people and process functions such as how people communicate or how they improvise to accommodate conflicting priorities, miss the majority of the operational picture. Technology visibility is important, but so is knowing about how people interact and communicate even when technology is not involved. Operations is never limited to what’s going on in one particular area of the organization, such as the network; it is about knowing what is going on everywhere in the organization.

In addition to linking technology operations and other operational functions, an HRSP will explicitly link more people-centric conditions to operational awareness. Operational visibility at the level of human beings is more chaotic and less predictable, but that doesn’t mean it’s any less real in terms of the organization’s security posture. Knowing what is happening at the level of interpersonal and organizational relationships, of politics even, is another important aspect of operational visibility. An organization runs on knowledge, and if full knowledge is not sought out or if a certain type of knowledge is deliberately ignored because it’s difficult to acquire or certain stakeholders feel uncomfortable giving it or asking for it, that’s a problem, because it means the enterprise doesn’t have what it needs to make a fully informed decision.

Expectations and Reality

HRSPs are always worried that things are not going as planned, so they constantly feel the need to test their assumptions. “We have a policy of data classification? Great. Let’s go find out how much of our data is actually classified the way the policy says it should be.” Or, “The auditors tell us we have the right combination of perimeter controls? Excellent. Let’s hire some penetration testers to make sure those controls can really keep people out.” Or, “If we are not hearing any bad news from employees, is that because everything is perfect or because employees fear being labeled a troublemaker if they point out that something is broken?”

One big differentiator with HRSPs is that, where other InfoSec programs may view the constant bickering over budget and resources, the political jockeying between divisions and stakeholders, and the silos and fiefdoms of everyday management as intractable problems that can’t be overcome, HRSPs view these problems as vulnerabilities to the organization that are as serious as any zero-day vulnerability. Competing values left unaddressed and unmanaged only serve to demonstrate the fragility and instability of the organization’s security posture. And when an attack or incident puts stress on that system, it fails.

The security value of operations comes from identifying small failures no matter where they originate. That includes things like interpersonal relationships and organizational rivalries, not just system logs and IT dashboards. Warning signals are warning signals, so HRSPs tend to deploy many more sensors across a much wider spectrum than just IT or information security systems. Knowing that people often say one thing but do something else, HRSPs look beyond official strategies, formal plans, or documented policies. They want to know how the work of security really gets done around the enterprise.

Security Operations “Unplugged”

An information security operations director in one company I worked with had his own way of testing operational reality. Walking around the company, he liked to look out for machines he didn’t recognize. It was a decent-sized company, with a large IT operational footprint across multiple physical buildings, and he regularly came across anomalous boxes, sometimes sitting in a data center, sometimes running underneath a desk that nobody owned, and once even one propped up on a couple of telephone directories, sitting lonely and humming in the corner of a common room. When the director came across such a machine, he would ask around to see who owned it. If no owner could be identified, he would see if the machine was registered in the IT asset inventory, which, by the director’s own admission, was pretty spotty. Finally, after a day or two, if the director could not find someone to claim the device, he would take action. “I unplug them,” he told me, “and wait for the screaming to start…”

The director figured he had done real harm only two or three times in the dozens of times he had resorted to his extreme version of operational review. But he remained unapologetic. “People get angry, of course, and try to get me in trouble. But the fact is, we have a process we try to follow for keeping track of our systems, and when they don’t follow it, they put the company at more risk than I ever could. We have to know what’s going on under our own roof. I can tell you it never happens twice to the same team.”
Operations Key Value Behaviors

Just as with the security value of failure discussed in Chapter 11, there are key behaviors associated with HRSPs that maximize the security value of operations. These behaviors have everything to do with trying to know more about what is really going on in the organization and to use that knowledge to hunt for the small discrepancies, disconnects, and errors that will slowly grow into large-scale security failures. The behaviors that characterize the value of operations include

Keep your eyes open
Form a bigger picture
“Listen” to the system
Test expectations against reality
Share operational assessments
KeepYourEyesOpenAccordingtotheoldsaying,familiaritybreedscontempt,andanironyofinformationsecurityisthatwecanbecomesoaccustomedtocertainoperationalrealities,evenhighlydysfunctionalones,thatwebegintotakethemforgranted,maybeevenbegintoignorethem.Definingcultureas“thewaywedothingsaroundhere”doesnotguaranteethatwe’realwaysdoingthingswell,orsmart,orsecurely.I’veneverworkedwithasecurityteamthatcouldn’ttellmeatleastonestoryaboutsomethingtheydidthattheythoughtwasill-advisedorevendumb,andthattheyworriedwouldcomebacktobitethem.ThedifferenceinanHRSPisnotthateverythingisalwaysdoneright.HRSPsjustworrymoreaboutwhattheyaredoingwrong,lookforthosesymptoms,andrefusetoallowthemtogountreated.Dysfunction,complacence,andcompetingvaluesmayormaynotresultinadirectthreattoinformationsecurity,butbadbehaviorscreatespaceinwhichthreatscanfindafootholdandcauseproblems.
How does an organization keep its eyes open? Let’s start by addressing what are the organization’s “eyes.” How does it “see” what is happening with its security? Don’t get hung up on the metaphor. As a key value behavior, keeping your eyes open just means taking advantage of all the sensors and information inputs available to the enterprise and the security program, and implementing more when they are needed. One legacy of the technology branch of the security family tree is the wide variety of tools and products that can be used to generate information security data. Very few security products today don’t include data export capabilities of one kind or another. If we think simply in terms of SIEM products, an entire industry of technology systems is available to process and manage this data. If anything, the problem is one of too much information. InfoSec organizations probably complain more about information overload and too much event data to manage than they do about the availability of security data. In some ways, this is the result of relying too much on a single source of visibility. It’s as though we’ve decided that of all our senses, only our eyesight counts, but then we blind ourselves by staring straight into the sun.
HRSPs don’t rely on only one sensory input, no matter how sophisticated or data rich it is. Being people-centric by nature, HRSPs also tend to be wary of information and sensors that are abstracted or removed from human involvement. This is not to say that automation is untrustworthy, but only that there’s rarely anything that is purely automatic. Either someone has to interpret the results of the automated process or someone has built their own interpretation of things into the process as they automated it. Either way, believing that you have eliminated human involvement is misleading.
So HRSPs look for additional sensors, preferably of the human persuasion. Under these circumstances, many new and interesting sources of data become available, including group meetings, face-to-face conversations, and a host of electronically mediated social interactions, from telephones and telepresence to e-mail and instant messaging. These sources all become potential organizational telemetry streams, along with the documents we create, the performance measures we assign, and the results of evaluations and reviews. Many organizations take these sources of collective sensemaking for granted as mere artifacts of operations, not sources of operational insight themselves. For HRSPs, every one of these sources becomes a tool with which to take advantage of the security value of operations.
Form a Bigger Picture

Information overload is not the only barrier standing between an InfoSec program and the security value of operations. CISOs and security owners also face the related but opposing problem of “information poverty,” which happens when an organization’s information or information processing infrastructure (not just the IT infrastructure) is not good enough to get, process, and use information effectively. In such an environment, decision making is weakened, starved of its most important fuel. It may seem contradictory to say that a security program could simultaneously suffer from both too much information and not enough information, but if you think about the way security works these days, it actually makes sense. As I’ve alluded to, we feast on technical and machine-generated information but don’t consume enough data from other sources. The result is an operational big picture that is as narrow as our informational diet. The theory of information poverty was first applied to individuals at a socio-economic level, but I’ve found it applies pretty well to information security too.
We only overcome information poverty by deliberately consuming more varied information and seeking out a bigger picture of operational reality. One difference between traditional notions of information poverty, where people are not given adequate access to information resources by the state or through the effects of economic poverty, and the notion as applied to information security is that the latter tends to starve itself. Like kids who make a face at healthier or unfamiliar foods, InfoSec professionals tend to stick with the things we know and like. But a good operational information diet is omnivorous, and the first place a truly people-centric security program will look is the area of data-rich interpersonal relationships that exist both within the security program and between security and other parts of the organization.
HRSPs turn relationships into feedback networks. Meetings become sensors. Conversations become telemetry feeds. E-mails and meeting minutes become logs. Enterprise intelligence from these sources is less about the network plane or endpoint activity and more about the cultural plane and political activity. The former may tell you what your users are doing, but the latter helps you understand why they are doing it. Do people know things are failing but are afraid to say so? Does the root of a security problem lie not in an external advanced persistent threat (APT) but in the fact that two rival directors hate one another and covet their VP’s job? By making its big picture wider and less dependent on technology infrastructure, an HRSP gives itself more options for operational analysis and response. Competing security priorities and cultures will never come to light on the basis of syslog data—the format and content of that information simply does not lend itself to what drives people to choose their project completion bonus over their security responsibilities, to use an example from earlier in the book. It’s like expecting someone in a staff meeting to tell you who is connected to the wireless network by sniffing the air. Different queries require different tools.
People tend to complicate the things they get involved in, which both benefits and challenges the notion of a bigger, wider picture. I think engineers prefer consuming relatively uncomplicated technology data precisely because it is uncomplicated. It’s hard to argue with a histogram. The opinions and beliefs tossed around in a staff meeting are trickier, and often the easiest way to deal with them is to make opinion a less-trusted source of security operational insight. We need to use both.
“Listen” to the System

Continuing the analogy of the senses, HRSPs tend to do a better job of “listening” to what their systems are trying to tell them. These organizations are particularly tuned to detecting the small hints and subtexts within an operational conversation that provide evidence of things going wrong. In any conversation, there is more to the process than just the words that are being said. Inflection and demeanor play an important part in interpersonal communication, and organizations have their own versions of hidden meanings, hint dropping, and body language.
“Well, That’s Just Your Hypothesis, Man!”

Imagine if we replaced a single word in the InfoSec team’s lexicon, changing “opinion” to “hypothesis.” We think of opinions as being completely subjective and relatively untrustworthy. (My father, a sailor, had a wonderfully crude aphorism about opinions, invoking certain bodily orifices and implying particular odors that would be inappropriate to quote directly.) A matter of opinion is a matter that can never really be resolved, at least until one party changes their opinion. A hypothesis, however, is something different. It is an opinion of sorts, but one that can be tested. Indeed, it almost must be tested, or why hypothesize in the first place? I complain regularly that information security is insufficiently scientific in its approach to things. So, in the name of the security value of operations, I’m making a challenge. Let there be no more opinions. The next time you hear one, consider it a hypothesis. If you can’t convince the person who holds it to test it to your satisfaction, then take it upon yourself to disprove it—with empirical data and repeatable experimentation. We really need to do this more often in our industry. At least, that’s my hypothesis.
One of the most common approaches InfoSec programs take toward listening to the system is the use of operational dashboards. Dashboards give (or are supposed to give) an organization a snapshot in time of all the measures and indicators that matter to it. Dashboards are meant to be automated, approaching real-time feedback loops that help us manage against the workings of the system. But dashboards face a classic “garbage in, garbage out” dilemma. If your metrics and indicators are focused on the wrong things, your dashboard is essentially useless. It may be impressive, captivating even, in its sophistication and beauty, but it can lull you into a false sense of visibility and insight. There are many information security–related dashboards marketed on the Web that show amazing views of things like threat sources or vulnerability counts, but most provide relatively little value beyond impressive marketing for their creators.
I’m a critic of what I call dashboardification, which is the creation of metrics and dashboards for little other reason than the InfoSec program feels a need or is required to give someone something “operational” to look at. If the security team has not thought hard about what it really wants to know or needs to measure to ensure effectiveness, the result tends to be a histogram built out of whatever data is currently available or most easily collected. That tends to mean technology-based logging, which produces the myopic visibility I discussed in the previous section. The organization may be able to see when a network device or a security product gets overwhelmed with traffic or events, for example, but it will miss when people are hitting their limits, as Clara the software developer from earlier in the book did at the end of her project.
HRSPs use operational data of all kinds, from a variety of sources, in an attempt to manage what is really going on in their systems and not just what is represented in a policy, a diagram, or a technology product dashboard. HRSPs do look to traditional sources of information, from logs to SIEMs to SOCs, but supplement them with people-centric tools such as sentiment analysis of internal communications, “open discussion” sessions built into regular meetings and performance reviews, and anonymous suggestion boxes (physical or digital) where people can bring up problems they feel are important but may not feel comfortable sharing publicly. If dashboards are to be developed, they should be designed to

Identify early patterns and signs of operational instability and potential failure for information security, regardless of source (people, process, or technology)
Give actionable intelligence about information security operational problems so that the organization can effect incremental changes
Include coverage of all systems important to the operational success of information security, not just the systems that are easiest to build dashboards around
HRSPs are constantly worried about whether the complex operational beast they are riding is getting away from them. They want to know when things are beginning to slip out of their control, and they want the ability to call on defined resources to bring things back under control quickly. This means keeping track of required levels of effort and correlating them with availability of resources. Listening to the system means identifying when people, process, and technology operations need more or less management over time and being prepared to meet that demand with as little delay and disruption as possible.
Test Expectations Against Reality

HRSPs test their expectations against reality, another behavior that maximizes the security value of operations. They ask probing questions that avoid taking operational activities for granted: What is the organization’s real security posture? If a people, process, or technology control is tested, will it work as well as it does on paper? When people are faced with information security–impacting decisions, especially if they have to juggle competing priorities, will they choose security? And how can we know, empirically and with evidence, the answer to all these questions? HRSPs suspect that things probably won’t always go as expected, and they attempt to either confirm or disconfirm that suspicion. This behavioral process begins with the age-old need to document and formalize the InfoSec program itself. Without specific policies, standards, guidelines, and all the rest of the bureaucratic structure that defines the assumptions the security program holds, it is impossible to verify whether or not those assumptions reflect operational reality. Before you can test your expectations and assumptions, you have to know what they are. HRSPs don’t look at documentation as just a formality or as a necessary evil, but rather as the code that makes up the organizational OS. Poorly crafted and poorly documented code can cause problems, both for software and for people.
Once you define what you believe is happening or expect will happen, you can test against those expectations. If a policy exists, you can test your expectation that it is enforced. Where standards have been set, you can gather evidence that people and systems do or do not adhere to them. Security teams already perform audits of this kind against certain expectations. A PCI DSS or SOX audit is a test of the expectation that the organization has met the requirements of those regulatory frameworks. A penetration test audits the expectation that networks and endpoints are properly secured against attack.
HRSPs do not do things fundamentally differently in this regard; they simply do them more often and in more situations. Those situations include the psychological, behavioral, and cultural dimensions of the organization. We expect, for example, that our developers are completing their security tests on the code they write. How often do we check to make sure that they have enough time and resources to be able to accomplish those tests?
Resourcesliketime,money,andemployeeallocations(asopposedtotheemployeesthemselves)don’tthink,orexhibit,operationalawareness.Theydon’tgowheretheyareneeded,butwheretheyaredirected.Manyorganizationsundergoannualbudgetprocesscycles,dolingoutcashandheadcountbasedonexperiencesfromthepastorpredictionsaboutthefutureovercontinuouschunksoftime.Feworganizationsreviewandassignresourcesincyclesthatareclosertooperationalrealtime.Theresultcanbescenarios,especiallywhenthesystemisunderduress,wherelackofmoneyandpeoplecanerodetheorganization’sabilitytorespondandreact.HRSPsworktomakeresourceallocationmoreoperationallysensitive,morecapableofflexibleresponse.
Closely related to the idea of flexible resources to meet shifting operational demand is the idea of appropriate resource coverage. It is a tacit expectation that the security organization has enough resources to manage security for the entire organization. This begins with visibility. There’s no way InfoSec program staff can manage security operations at a comprehensive level if they don’t have sufficient resources to see what those operations entail. Things will be ignored, not out of negligence, but out of necessity. Naturally, no one gets everything they want, and security is not the only organizational function facing resource scarcity. But many information security owners feel as if getting blood from stones is only slightly harder than getting headcount or money from senior management.
Exceptions to the Rules

I have seen the security value of operations embraced in some companies while going unrealized and unrecognized in many others. When organizations really capture that value and understand their operations, it can lift a security professional’s heart. When they don’t, thinking about the ramifications can scare the hell out of that same professional.
Although I’ve not come across many HRSPs in the industry, I have encountered a few. One of the best that I consulted for functioned in a highly reliable way, not because the CISO was a business culture wonk or had a degree in organizational behavior. In fact, he wasn’t even a CISO. The CIO was responsible for information security in this organization, and he had a small team with which to manage the challenges. He also had a simple, driving principle that informed everything he did and every goal that he set for his team, whether they had direct security responsibilities or not.
“I want my people to go home at night and be with their families,” he told me during the engagement. “I don’t believe in the whole firefighter thing. You find people who take pride in always having to respond to crises, who will put in 20 hours straight and wear it like some badge of accomplishment. But I think if you had to spend 20 hours straight fixing something that went wrong, that’s not something to be proud of.”
This CIO had implemented a comprehensive, cascading balanced scorecard performance system that reached from himself all the way down to each individual contributor. The security staff had individual balanced scorecards just like everyone else responsible for IT’s contribution to the business, and the company managed those scorecards religiously. The system didn’t prevent things from ever going wrong, but it kept problems manageable by identifying problem trends early in the failure cycle and gave the CIO visibility and choice before things could go off the rails.
At the other end of the spectrum was a company I worked with years ago. On paper, this firm had a comprehensive set of configuration standards that were both strict and highly secure. Everything had to be hardened before it could be deployed. Things were locked down so tightly, in fact, that some internal groups often complained that security restricted some basic business functionality. In a well-intentioned effort to accommodate different business needs, an exception process had been created, one that allowed IT teams with a legitimate business need to alter or ignore the required configurations. By the time I met the CISO, this process had been in place for years. The engagement revealed, among other things, that over time the criteria for getting an exception had slackened considerably, to the point where it had become trivial. As a result, over two-thirds of the systems reviewed did not meet the configuration standards. Years of operational myopia had created a state in which the exception was literally the norm, and the standards that the company expected to be in place were, in reality, outliers.
Share Operational Assessments

The final key value behavior for operations doesn’t require that an InfoSec program build anything new or devote resources to additional capabilities, at least not at first. All that is needed is an existing set of operational assessments regarding security within the organization and an open mind. Yet, with so few requirements, this behavior may be one of the hardest to encourage within information security. There are at least two reasons that it is difficult. The first is that security programs hate to share, and the second is that what security programs do share is often not something others want.
InfoSec programs know how to report information, and most do it regularly in some way, shape, or form. But reporting is not the same thing as sharing. To report implies that information is being required or demanded of the security program, that the purpose is for accountability and oversight. Sharing information is a more voluntary activity, performed out of motivations having more to do with collaboration and a sense of common purpose. For HRSPs, one of the first barriers that has been overcome in the process is security’s natural instinct of paranoia and mistrust.
HRSPs share operational information and assessments, including information about problems and failures, because they want feedback on their activities, not because they are forced to receive it. And they want that feedback from a variety of sources, not just from those who can obviously benefit the HRSP through budgetary or resource control. Users, other business process owners, partners, and customers are all valuable sources of information that can help the security program understand where a problem or insufficient operational visibility is increasing security risk. This knowledge seeking requires security teams to accept that other stakeholders may not feel the same level of urgency as they do, and to be willing to accept criticism and skepticism about the security team’s operational plans and activities. Inviting other people to criticize your hard work is difficult for everyone (trust me, as an author, I know firsthand), but it is also the only way to make that work better.
A more difficult problem to solve in sharing operational assessments involves the quality of those assessments. If the InfoSec program does not do many operational assessments, or does not do them well or in a way that is comprehensible to those outside of security, then sharing those assessments can be a bit of a nonstarter. This is a problem in security information reporting, too. I am often asked to help on the security metrics side by assisting a security team in developing better performance indicators and program measures to present to senior management as part of required reporting. Too often, the security team struggles to show progress, or to lobby for more resources, or even to stimulate the interest of senior enterprise leaders, because their operational assessments are either incomplete or inscrutable to senior business owners. For security programs with inadequate assessment capabilities, this becomes the exception to my earlier statement that this key value behavior doesn’t require doing anything new. To effectively share information, you have to make that information accessible to others, both physically and functionally. The good news is that sharing even bad assessments can be useful. If the people from whom you are asking feedback tell you they can’t give any because they don’t understand your assessments or aren’t interested in the information presented, you are immediately provided some useful information that leads to these obvious questions: How can I help you understand them better? What do you care about that I can provide?
Denial Ain’t Just a River…

One of the more interesting engagements I’ve been on involved a side-by-side test of operational visibility and reality. Although we didn’t intend it that way, I found that my team was involved with a high-level governance and controls assessment at the same time that a penetration testing team was doing their assessment of the customer company. We were all staying at the same hotel and hanging out together after work each day and, naturally, we began to talk shop. After a few days of onsite work, I mentioned to one of the security engineers doing the ethical hacking that I was pretty impressed with how well the company managed its security. In particular, I was struck by how stringently they compartmentalized things both at the level of information classification and at the level of network segmentation. “Are you kidding?” the engineer smiled. “Their network might as well be flat! We can go anywhere.”
As we started trading notes, reality set in. On paper, the company’s security infrastructure looked rock solid. Policies defined acceptable activity, standards controlled who could put what where and how they could do it, and guidelines encouraged everyone to make decisions that benefited the protection of organizational assets. In practice, the security the company was so proud of essentially only existed on paper. IT was run in silos, rules were not uniformly enforced, and the business put more emphasis on functionality than security. Like the company mentioned earlier that had excessive exception processes, this company had allowed important operational gaps to develop. More importantly, everyone in the governance interviews either assumed that the infrastructure was working just as it was supposed to, or knew it was not and chose not to say so for reasons of their own.
When it came time to report the findings, some of the management team refused to accept them. “You found isolated problems,” they countered. “Every organization has a few problems.” Operational blind spots were so pronounced that even when faced with evidence, these individuals found them impossible to reconcile with their assumptions. The alternative was just too disturbing and humiliating to endure, in essence an admission that for years the security team had not been doing its job as well as it believed it was.
Assessing Your Operations Value Behaviors

Like the security value of failure, discussed in Chapter 11, the security value of operations and the other Security FORCE values can be assessed and measured using the Security FORCE diagnostic tools that I have created. The Security FORCE Survey and the Security FORCE Metrics provide empirical evidence of how prevalent and extensive the FORCE behaviors are within an organization and how closely the organization is adhering to the principles of an HRSP.
Scoring the Operations Value Behavior Survey

The Security FORCE Survey includes statements related to the security value of operations. The five statements under Security Value of Operations are listed in the sample of the Security FORCE Survey shown in Figure 12-1.
Figure 12-1 FORCE Value Survey statements for operations value behaviors
Remember from Chapter 11 that the Security FORCE Survey uses a Likert scale with a range of responses (“Strongly Disagree” to “Strongly Agree”) that allows those conducting the survey to assign numerical scores, such as 1 through 5, to the survey responses and produce average levels of agreement among all survey participants:

An average score of 4 or above (most responses indicate Agree or Strongly Agree) signifies the organization exhibits behaviors found in an HRSP.
An average score of 3 (most responses indicate the respondent felt Neutral) signifies the organization may or may not behave like an HRSP.
An average score of 2 or below (most responses indicate Disagree or Strongly Disagree) signifies the organization does not exhibit the behaviors found in an HRSP.
For operations value behaviors, an average score of 4 or greater indicates that the organization behaves in ways that will make it better equipped to understand how things really work within the security environment, and to identify errors and operational patterns that could result in a failure. This increased operational sensitivity not only makes it more likely that the organization will be able to detect small failures while they remain small, but also makes it easier for the organization to detect them. A score of 2 or below indicates that the organization is not behaving like an HRSP, and therefore may lack operational visibility, may mistake what is expected or assumed for what is actually occurring operationally, and may be slower to respond to failures and events than would a more highly reliable program.
FORCE Value Metrics for Operations

In addition to using the assessment scores of the Security FORCE Survey to gauge the security value of operations, an organization can track the Security FORCE Metrics associated with operations to provide additional measures of HRSP behavioral alignment. These five metrics are shown in Figure 12-2.
Figure 12-2 FORCE Value Metrics for operations value behaviors
Using the FORCE Operations Value Metrics

The five FORCE Metrics associated with the value of operations track the organization’s capabilities for improved visibility into a broader range of operational information security behaviors, and for identifying discrepancies between what is expected operationally within the InfoSec program and what is actually taking place within organizational systems and processes. As with the other FORCE Metrics, there is no “right” way to measure, and the measures I have created, including suggested time intervals, are not exhaustive. The organization should use them and adapt them as appropriate.
Level of security staff coverage for the organization (size of program, breadth of responsibility, systems managed, etc.)

I’ve known big companies that had large, centralized InfoSec teams who were responsible for every aspect of protecting systems and data throughout the organization. I’ve known others of comparable size where the security team was two or three people. Every organization must decide for itself the best structure for organizing information security, but the operational fact is that fewer people cannot observe, explore, or test as much as larger teams, assuming enterprises of equal size. Automation can help, but for reasons I discussed earlier in the chapter, automated security operations carry their own visibility risks. This metric is not prescriptive, and does not imply a magic number for effective security staffing. But it can help an organization understand why operational visibility may be lacking. Like anything else, information security is something of a numbers game, and you can only do so much more with so much less for so long.
Number of security operations reviews completed in the past year

This metric does not refer to detailed operational reporting, but rather to overall reviews of InfoSec operational effectiveness. Several respected InfoSec governance frameworks, including ISO 27001, require regular and comprehensive reviews of the security program as a best practice for information security management. Organizations collect a lot of tactical data every day, but it is necessary sometimes to consider all of this from a strategic perspective. Is the data giving us what we need, in terms of visibility and in terms of actionable intelligence or predictive evidence? How can we make InfoSec operations better, or improve and expand sources of visibility? Most organizations tend to do this sort of review annually, although in large organizations comprehensive reviews may be broken down into components or capabilities and conducted on a quarterly or (more rarely) a monthly basis.
RatioofformallydocumentedsecurityoperationsorprocessesIfmanagingsomethingyoudon’tmeasureisachallenge,measuringsomethingyouhaven’tdefinedisanevengreaterone.Thosefamiliarwiththeconceptofcapabilitiesmaturitymodelswillrecognizethebenefitsofformalizingandstandardizingprocessesandoperationswithinanenterprise.Alackofformal,documentedprocessesmakesitdifficulttoreplicatebehaviorsandshareortransferknowledge.Italsomakesaccurateoperationalvisibilityandcomparisonbetweenwhatshouldhappenandwhatdoeshappennearlyimpossible.Lowratiosofdocumentedprocessesindicatepotentialblindspots,spaceswherefailurescanoccurandgrowlargerwithoutanyonenoticing.Byidentifyingalltheprocessesassociatedwithinformationsecurityoperationsandidentifyingwhicharewrittendown,anorganizationcanbegintodeterminehowformalized(and,byextension,howmature)theirsecurityprogramis.
RatioofsecurityoperationalassessmentssharedoutsidethesecuritygroupMeasuringhowoftentheInfoSecprogramsharesoperationalassessmentswithoutsidersissimilartomeasuringhowtheysharefailuredata.Thegoalistoelicitvaluablefeedbackandinsightfromotherswhomayhaveotherneeds,priorities,orconcerns.Sharingsensitiveoperationaldataaboutsecuritydoesnotrequiretotaltransparency.Butorganizationsthatseekahigherlevelofreliabilitywillwelcomefeedbackfrominterestedadvisorselsewhereintheenterprise(andmaybeevenoutsideofit,incertaincases),andtheywilltrackhowoftenthissharingandelicitationoffeedbacktakesplaceandinwhatcontexts.
Average time to address operational instabilities

When an organization finds a disconnect between what it thinks is happening in terms of information security and what is occurring operationally every day, it has several choices of response. One is to do nothing, for whatever reason seems most logical. Maybe the problem seems small, or maybe everyone already knows about it. Maybe change requires political or senior management support that simply doesn’t exist. Another option is to take action to address the discrepancy. In either case, understanding how long this process takes can be valuable to the InfoSec program and to other stakeholders. Improving visibility provides less return on the security value of operations if the average time to fix problems the organization might find approaches forever. In situations where operational instabilities and problems are addressed, then the time necessary to address them becomes another useful InfoSec operations metric to add to the security program’s toolkit.
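The survey scoring bands described under “Scoring the Operations Value Behavior Survey” and the five operations metrics above are simple enough to put into code, and doing so makes the choices visible: how an average that is neither above 4 nor below 2 is interpreted, what counts as “the past year,” and what to do with an instability nobody has closed. The Python below is an added example written for this page, not the book’s Security FORCE tooling; the statement keys (the five behavior names), the framing of staff coverage as systems per security staff member, the date window, and every sample record are constructed assumptions.

```python
"""Added example (not the book's own tooling): score Security FORCE Survey
responses against the chapter's 4 / 3 / 2 bands and compute the five FORCE
operations metrics from constructed sample records."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Likert responses named in the chapter, mapped to 1..5 as the chapter suggests.
LIKERT = {"Strongly Disagree": 1, "Disagree": 2, "Neutral": 3,
          "Agree": 4, "Strongly Agree": 5}


def average_agreement(responses: List[str]) -> float:
    """Mean numeric score of every respondent's answer to one statement."""
    return sum(LIKERT[r] for r in responses) / len(responses)


def classify(score: float) -> str:
    """Chapter bands: >= 4 HRSP-like, <= 2 not HRSP-like. The chapter names
    only 3 as 'may or may not'; treating every average strictly between 2 and 4
    the same way is an assumption of this example."""
    if score >= 4:
        return "exhibits HRSP behaviors"
    if score <= 2:
        return "does not exhibit HRSP behaviors"
    return "may or may not behave like an HRSP"


def score_survey(survey: Dict[str, List[str]]) -> Dict[str, Tuple[float, str]]:
    """Per-statement (average score, interpretation) for a whole survey."""
    result = {}
    for statement, responses in survey.items():
        avg = average_agreement(responses)
        result[statement] = (avg, classify(avg))
    return result


@dataclass(frozen=True)
class Process:
    name: str
    documented: bool


@dataclass(frozen=True)
class Assessment:
    name: str
    shared_outside_security: bool


@dataclass(frozen=True)
class Instability:
    name: str
    found: date
    resolved: Optional[date]  # None: the organization has (so far) chosen to do nothing


def staff_coverage(security_staff: int, systems_managed: int) -> float:
    """Systems per security staff member (assumed framing; the chapter leaves the
    exact form of the coverage metric open)."""
    return systems_managed / security_staff


def reviews_in_past_year(review_dates: List[date], as_of: date) -> int:
    """Operations reviews completed in the 365 days ending on as_of."""
    return sum(1 for d in review_dates if 0 <= (as_of - d).days < 365)


def documented_ratio(processes: List[Process]) -> float:
    return sum(p.documented for p in processes) / len(processes)


def shared_ratio(assessments: List[Assessment]) -> float:
    return sum(a.shared_outside_security for a in assessments) / len(assessments)


def mean_days_to_address(instabilities: List[Instability]) -> Optional[float]:
    """Average found-to-resolved time over closed items; None when nothing is closed,
    which is the 'approaches forever' case the chapter warns about."""
    closed = [(i.resolved - i.found).days for i in instabilities if i.resolved]
    return sum(closed) / len(closed) if closed else None


# Constructed sample data: four respondents, one year of operations records.
SAMPLE_SURVEY = {
    "Keep your eyes open": ["Agree", "Strongly Agree", "Agree", "Agree"],
    "Form a bigger picture": ["Neutral", "Agree", "Disagree", "Neutral"],
    "Listen to the system": ["Agree", "Neutral", "Agree", "Agree"],
    "Test expectations against reality": ["Disagree", "Strongly Disagree", "Disagree", "Neutral"],
    "Share operational assessments": ["Disagree", "Disagree", "Neutral", "Disagree"],
}
AS_OF = date(2016, 6, 30)
SAMPLE_REVIEWS = [date(2016, 3, 1), date(2015, 9, 15), date(2015, 5, 1), date(2014, 11, 1)]
SAMPLE_PROCESSES = [Process("vulnerability triage", True), Process("access review", True),
                    Process("exception approval", True), Process("asset inventory", False),
                    Process("incident handoff", False)]
SAMPLE_ASSESSMENTS = [Assessment("Q1 ops review", True), Assessment("Q2 ops review", False),
                      Assessment("SOC staffing", False), Assessment("log coverage", False)]
SAMPLE_INSTABILITIES = [
    Instability("orphaned server under a desk", date(2016, 1, 10), date(2016, 1, 20)),
    Instability("exception criteria slackened", date(2016, 2, 1), date(2016, 3, 2)),
    Instability("undocumented incident handoff", date(2016, 4, 5), None),
]


def operations_metrics() -> Dict[str, Optional[float]]:
    """The five FORCE operations metrics computed over the constructed sample data."""
    return {
        "staff_coverage_systems_per_person": staff_coverage(3, 450),
        "reviews_past_year": reviews_in_past_year(SAMPLE_REVIEWS, AS_OF),
        "documented_process_ratio": documented_ratio(SAMPLE_PROCESSES),
        "assessments_shared_ratio": shared_ratio(SAMPLE_ASSESSMENTS),
        "mean_days_to_address": mean_days_to_address(SAMPLE_INSTABILITIES),
    }


if __name__ == "__main__":
    for statement, (avg, verdict) in score_survey(SAMPLE_SURVEY).items():
        print(f"{statement:36s} {avg:.2f}  {verdict}")
    for name, value in operations_metrics().items():
        print(f"{name:36s} {value}")
```

On the sample data, “Keep your eyes open” averages 4.25 and reads as HRSP-like, “Test expectations against reality” averages exactly 2.0 and reads as not HRSP-like, and the other three land in between. The metrics side counts two reviews in the trailing year, three of five processes documented, one of four assessments shared, and a 20-day mean time to address the two closed instabilities; the still-open one is deliberately left out of the mean rather than silently counted as zero.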
Improving Your Operations Value Behaviors

Attempting to change and improve an organization’s operational behavior to function more like an HRSP is likely to meet quite a bit of resistance. It’s one thing to point out that we need a new way to look at failure. I don’t get a lot of argument among security people when I propose that we need a better understanding of how and why security fails. It’s another thing to suggest tinkering with operations. Security operations not only encompass the single biggest set of regular habits that security programs have built up over time, they are probably the largest collection of activities that we actually feel comfortable with, that we feel like we have a solid lock on accomplishing. Decades of learning the gear, of building technology infrastructure, and of setting up a particular way of auditing and evaluating success have made the security operations center, whether that is an actual physical place or not, into the bastion to which the security program can always retreat when they want to feel like they are on solid, defensible footing. Now comes this Faberge egghead writing a book about something as fuzzy and mutable as culture, telling everyone they need to change because it’s not about technology, it’s about people. Meh.
So, let’s set the record straight. The security value of operations is not about doing operations differently. It’s about expanding what operations means and extending our visibility and management practices to other operational areas, specifically beyond technology. The purpose of operational visibility is to know what is happening in security as close to when it happens as possible, and to be able to react to and act upon that intelligence effectively and efficiently. As I’ve said before, if security was as easy as installing a product into a rack, then we would have automated the problems out of existence long ago. We know this, and we’ve admitted it publicly as an industry at least since Bruce Schneier coined the phrase 15 years ago that security is less a product than a process. Part of that process is human relationships, and it’s about time we added the output of people-centric security infrastructures to our operational monitoring toolbox.
Embed Operations Value into the Security Program

People have an extraordinary capacity to adapt and change. All it takes is an environment, a situation, or a leader that snaps them out of complacency and demands change. Sometimes the impetus for change is painful and threatening, but not every trigger has to be a literal one. The security value of operations can create a space in which information security can thrive and contribute to the greater organization in ways that most CISOs today only dream of. There are few things more impressive than someone who has a complete command of the situation they are in, who can direct action while reassuring others, successfully over time, with the confidence that only comes from absolutely knowing their stuff. We glorify this trait in our leaders, from generals and scientists to CEOs and politicians. You can fake it sometimes, but not always and not forever. The security value of operations means driving that capability home for security leaders by giving them the behavioral resources that create security confidence.
Think More Like Scientists

One of the most important distinctions that I, as a non-engineer, have discovered in my information security career is that engineers are not scientists. For a long time, until I went back to graduate school to become an information scientist, I assumed engineering and the sciences were more or less synonymous. They are not. Engineers take the theories of science and put them to practical purpose. Scientists discover, but engineers build. Security has many engineers, but not nearly enough scientists. Scientists are inherently curious, and not just about how things work. They want to know why they work the way they do, to find the first principles that cannot necessarily be discovered simply by taking apart a system’s components. Theory, hypothesis, experimentation, and control groups (as opposed to security controls) are all hallmarks of scientific thinking. They are also the subjects most likely to make me lose my audience when I start talking about them to a group of security engineers. As I stated in the sidebar about hypotheses, we need to start encouraging them much more in the information security profession.
Embrace the “Sharing Economy”

Information sharing is already a big deal at the macro level in security, with industry and government involved in trying to stimulate better collaboration between organizations. We need to push sharing further, down to the internal and even individual level. Not all security information should be made openly available to everyone, but today security is often more about hoarding than sharing. Paranoia, legitimate concerns over vulnerability intelligence, and plain old-fashioned CYA keep security information under wraps. The effects range from allowing security programs to live in an echo chamber where non-security opinions are rarely heard, to actively hiding operational information the organization needs. The sharing economy works on the idea that making goods and services more freely available actually increases their value. Today that’s most visibly performed in the world of consumer goods and services, as with Airbnb, Craigslist, and eBay. But inroads are already being made in applying the idea to information. In some cases, like the open source community, the efforts have been going on for some time, including efforts around security. Other areas, like open government, are new but exemplify the principle that having more eyeballs focused on a problem is often better.
Lighten Up a Bit

The InfoSec profession takes itself pretty seriously sometimes, maybe too seriously. Even if the cybersecurity threat really is one of the greatest facing the world today, it's only one. Major improvements in information security could be achieved if security people would realize, and help their non-security colleagues and constituents realize, that it's a manageable threat, or at least as manageable as many others facing society. Threats to digital assets are no more apocalyptic than threats like disease, crime, or war, all of which we have to face realistically and rationally if we hope to address them. That does not mean downplaying their impact, but it does mean putting them into perspective. People and enterprises can take security seriously without being consumed by it. There is no greater threat to a company's security posture than the problem someone knows about but is too intimidated, either by fear of consequence or lack of knowledge, to bring to the attention of the people who can address it.
Further Reading

Britz, Johannes J. "To Know or Not to Know: A Moral Reflection on Information Poverty." Journal of Information Science 30 (2004): 192–204.
MacDonald, Jackie, Peter Bath, and Andrew Booth. "Information Overload and Information Poverty: Challenges for Healthcare Services Managers?" Journal of Documentation 67 (2011): 238–263.
Schneier, Bruce. Secrets and Lies: Digital Security in a Networked World. Indianapolis: Wiley, 2000.
CHAPTER 13

The Security Value of Resilience

Suppose your organization has maximized the first two key values of the Security FORCE Behavioral Model, failure and operations, discussed in Chapters 11 and 12, respectively. You have set up the requisite operational behaviors and visibility to ensure you can detect errors and mistakes. And you have rebooted your understanding of failure itself, becoming adept at identifying failures while they are still small. What comes next? That's easy: you're going to experience a security incident. Failure is like disease, like sadness, like pain. No matter how good you are at anticipating and avoiding failure, everyone fails eventually. Highly reliable security programs (HRSPs) are no different. They tend to have better track records than other organizations at avoiding failures, but our lessons from firefighting to Fukushima demonstrate that being failure resistant is not the same as being foolproof. But high-reliability organizations (HROs) and HRSPs already know this, which is why they think a lot about what they will do when disaster finally strikes. They embrace the security value of resilience.
What Is the Security Value of Resilience?

Resilience refers to an InfoSec program's ability to experience a major security incident in such a way that the organization not only survives it but comes away better off for it having happened. The experience will still be stressful and will still represent a nonoptimal outcome for everyone involved. But it will be handled expertly and professionally, in a way that maximizes stability during the event and minimizes disruption. And when it's over, the organization will have a better understanding of what happened and why, insight that it will put to use the next time something completely unexpected happens. This is the security value of resilience.
When Bad Things Happen (to Good Organizations)

Even as they seek out small failures that can add up to a big one, HRSPs know they will miss a few. The organizational and technological systems we work within are just too complex to ever completely predict or control. And even if we somehow manage to know everything for a moment, complex systems produce emergent behaviors that continuously throw new sources of uncertainty and risk into the pot. You cannot predict every possible threat and risk, but you can predict that there are threats and risks that you cannot predict. Eventually your organization is going to encounter one.
HRSPs spend a lot of time obsessing over failure, as I have explained previously. But they don't waste time obsessing over the inevitability of failure. Instead, they try to anticipate what they can and they consider what they will do in those instances when anticipation itself fails. At that point, it's a different ball game with different rules. There's no time for soul searching about how something could have been prevented. All that matters is action and what happens to address the situation. In some ways, resilience is the most important principle of HROs. In the previous chapters I've referenced Karl Weick and Kathleen Sutcliffe's book Managing the Unexpected several times. Their choice of title is a reflection of the inevitability of surprise even in organizations dedicated to not being caught off guard.
There is a freedom in accepting the inevitable. When an HRSP, and necessarily the larger enterprise, sincerely internalizes the expectation of a security breach, people are liberated from the terrible constraints imposed by pretending they can dodge security breaches forever. The most important benefit of this new freedom is the ability to put serious thought and resources into what happens during and after the incident. Suddenly incident response and disaster recovery planning can take on a whole new meaning, not as contingency planning for nightmares you fervently hope never happen, but as the syllabus for another course in that most valuable of HRSP educational resources: failure.
Incident Response: We're Doing It Wrong
Information security's approach to incident response planning often reminds me of the way people go about preparing their own living will. Some people avoid doing it altogether because it reminds them of their own mortality. Others do it but without emotional investment, treating it as a legal and bureaucratic exercise that is necessary out of a sense of fear or due diligence. Rarely do you find someone preparing their living will with a sense of wonder and anticipation, seeing the document as the means to ensure they can meet a universal experience on their own terms. Organizations are not very different, in my experience.
HRO research has always appealed to me because scholars like Karl Weick unapologetically evoke an almost spiritual sensibility on the part of organizations that know how to fail properly. For HRSPs, information security incidents are important experiences because they help define and build the character of the organization. You don't want too many of them, but when you have one, you want to squeeze as much value from it as you possibly can. From the self-help aisle of bookstores to the boardrooms of Silicon Valley, dealing with adversity and failure is touted as an important life lesson. There's even an ethical and moral quality to be considered, because if an organization's failure is going to put people at risk or under duress, that organization has a responsibility to make that event count for something.
If that perspective has the more hardcore business types rolling their eyes over "soft" concepts like corporate social responsibility, I get it. Let's instead think about incident response in colder, more rational terms. Not even the most cynical security owner would argue that corporate reputation and brand value are meaningless concepts, untethered from any measure of business success. Security incidents rank among the rare times that an organization is given mass public attention. People are frightened and angry and looking to understand: what are you going to do about this? Now consider the handling of recent large-scale security events. Did the response serve to help or harm the reputations of the companies involved? The security incident response plan, in many ways, is among the most important marketing campaigns an organization will ever do. If it's little more than a root cause analysis and a severance package for the CISO, that's akin to anchoring your new product launch around the announcement that you've finally figured out why your last product tanked so badly.
Rolling with the Punches

The security value of resilience is about failing successfully. A major information security breach can spawn a variety of responses, from paralysis to proactivity. Think of two boxers. The first is poorly trained and has a "glass jaw." One good punch and he is on the canvas, struggling to get back up again. It may be a while before he is ready to get back in the ring, and he has probably not learned many new skills after being knocked out so quickly. The second fighter is well trained and conditioned from a lot of sparring rounds to take a hit. He appears to be able to weather an impossibly brutal amount of abuse, but never seems to go down. Even on the ropes, he keeps his wits, looking for how he's going to escape and bring the fight back to his opponent. Even if he loses by decision or technical knockout, he is ready to fight again soon and is able to use the lessons from a ten-round contest to become a better boxer.
One key to HRSP resilience is the attitude that a security failure is just the beginning of the fight, not the end of it. A breach doesn't mean that the organization has failed completely, only that it has entered into a new phase of information security operations, one that was always expected to happen. Focus shifts from trying to predict and prevent to working to respond and recover. These represent separate skill sets and require the security team to quickly shift their strategies and tactics; the first imperative is to not let the incident eclipse everything else the InfoSec program is responsible for. If the response is all hands on deck, then who is left to steer the ship or take care of any of the day-to-day tasks of running it? The entire organization can become disabled. Worse, the panic that ensues creates new spaces for additional failures to manifest unnoticed.
Information security planning and life cycles don't stop just because your plans go awry. HRSPs take advantage of the value of resilience by remaining calm, by falling back on their training, by bringing in additional resources, and by sticking to the plan they made ahead of time for what to do when other plans fail. Weick and Sutcliffe aptly called it the ability to "degrade gracefully." Resilience is, ultimately, about control. An HRSP has the capabilities in place to assure that even when control is lost, the organization still maintains some ability to influence and determine the pace and tenor of that process. In other words, resilient security programs have worked to ensure that they can at least control how they lose control.
Imagining Failures and Disasters
No organization can develop its capabilities for resilience by fiat. Just declaring in a memorandum or a roadmap that the organization will be resilient does not make it happen. Like every other Security FORCE value, the gains to be had from the security value of resilience only come after a lot of determined, hard work. In this case, much of that hard work involves the security team envisioning all the things that can go wrong and the various ways in which they can go wrong. As much as any other skill, from coding to testing to administration, an active imagination is one of the best attributes to look for in a good incident response manager. An HRSP uses its collective imagination to create a catalog of potential incidents, events, and breaches. Instead of establishing a single, generic incident response plan, HRSPs adopt a scenario-based model, one that considers as many ways that things can go wrong as possible and adapts the incident response strategy to each scenario as appropriate and possible given the information at hand.
Imagining the things that are likely to harm you can feel perverse, even pathological. But an HRSP does not imagine disaster out of a sense of fear. It does it out of an appeal to logic. In a complex system, the opportunities for failure approach the infinite, so an organization that is trying to anticipate failure knows that it will eventually face a situation that it had not previously considered. Logic then dictates that the organization put responses in place to deal with both expected failures and unexpected failures. Planning for expected failures is easier, of course, because you have an idea of the patterns they will take and can specify response resources with more precision. Planning for unexpected failures requires response capabilities that are flexible and able to learn and adapt quickly to novel challenges. The more failures you can add to your "expected" list, either because you thought of them beforehand or because you learned about them from an unexpected failure, the better off you are. But you will always need that capability to manage the unexpected.
Resilience is therefore something of an operational feedback loop itself. An HRSP learns from failure even while attempting to avoid and minimize it. New failures are formally incorporated into the organization's knowledge and memory, so that they become expected failures in the future. HRSPs do not look at security incidents as holes in a dike that must be plugged so that they never ever leak again. When an organization reacts to every security incident by building a new set of policies and restrictions or buying new products, with the goal of making it impossible for that incident to ever repeat itself, the result can be increased rigidity rather than increased security. Just because that one specific security event cannot be repeated doesn't mean one similar to it will not happen or that one completely different won't occur. And having convinced itself that it solved the problem, the InfoSec program risks complacency and a false sense of security. It is much better to treat the incident as a trigger for enterprise imagination and ask, how is this incident similar to others? What patterns can I identify? And what options are available to not only prevent this specific failure from repeating, but make it easier to identify and respond to this general type of failure, preferably before one turns into an incident in the future?
Resilience Under Fire

My favorite Weick journal article is also the first one that I ever read, in which he explored the fatal breakdown of a smokejumper team fighting a huge forest fire in Montana. "The Collapse of Sensemaking in Organizations: The Mann Gulch Disaster" still holds lessons for people-centric security. It demonstrates the ways in which catastrophe throws even seasoned professionals into situations so uncertain that their own beliefs and experiences can turn against them, sometimes with fatal results.
The Mann Gulch fire happened in late summer of 1949 and killed 13 firefighters as they fled from it up a ridge after the fire grew out of control. The most dramatic point in the event occurred when the foreman of the team, realizing that the fire was going to catch them, began burning a section of the tall grass the team was moving through and ordered everyone to lie down and let the fire pass over them. No one listened and everyone else ran for their lives. The foreman survived, as did two of the firefighters who managed to make it over the ridge in time. The rest died as the fire overtook and engulfed them.
One of the lessons of Mann Gulch was that, in a crisis, what's rational and what's crazy can become confused. People struggling against fear and desperation make emotional decisions if they have not, through training and experience, made their reactions automatic enough to overcome panic. The foreman of the smokejumper team, also the most experienced of the group, had a lot of reactions to fall back on. Knowing that the fire was going to catch his team no matter what, he opted to choose his own ground and create conditions in which he could control what would happen, specifically by clearing a space free of fuel for the oncoming inferno. It made perfect sense. But to everyone else, his command sounded suicidal, essentially an order to lie down and give themselves up to the blaze. Most of the men on the team had not worked with the foreman before, so they didn't know him well enough to comprehend how much experience he had, and thus were unable to understand his actions. The two remaining survivors made it because they were faster and luckier than their companions. But had everyone trusted the foreman's superior instincts and experience, the entire team probably would have survived.
During a security breach, many actions may make sense in the moment. For instance, a common instinct is to stop communicating and circle the wagons until the investigation is complete, or to simply disconnect the affected systems and thus stop the attack. But in some cases, these actions can and will only make the consequences worse: going silent leaves customers and regulators to fill the gap with speculation the organization will later have to correct, and pulling the plug on a compromised host destroys the volatile evidence (memory contents, live network connections) that the investigation needs to establish scope. The only way to prepare for a major breach is to actually prepare for it, by imagining it, scoping it out, and then practicing it over and over again until what you have decided are the best courses of action are ingrained, even if they may seem impractical or extreme in the moment. There was a time when war games and red team exercises were something only the military did. Now they are standard operations in most CISOs' toolkits.
Resilience Key Value Behaviors

The resilience value behaviors that an HRSP exhibits enable the organization to fail successfully during an unexpected security incident. These behaviors help ensure that the organization is continuously preparing to meet any failure situation, whether it is one that the organization has previously imagined or one that was never anticipated. The organization must quickly react, adapt, and incorporate lessons from the incident and others to minimize impact while not overcompensating in ways that create risk in other areas. The behaviors that characterize the security value of resilience include

Overtrain people
Create "skill benches"
Actively share expertise
Encourage stretch goals
Practice failing
Overtrain People
When it comes to training for information security incidents, HRSPs believe "the road of excess leads to the palace of wisdom." In an environment that offers innumerable ways for things to go wrong, you simply cannot have too many skilled and knowledgeable people to help when something inevitably does go wrong. In highly reliable security environments, people know their jobs well, know other people's jobs well, and are able to get up to speed quickly in unforeseen situations. Overtraining is not overstaffing. Most organizations cannot afford to keep more people around than they need normally, just in preparation for the day when adequate is not enough. But organizations can afford to maximize the people they do have, to encourage and even demand that their skills are optimized against extraordinary as well as typical system stressors.
People-centric security takes the approach that investment in and development of human capital to support the protection of information assets and IT systems are just as important, if not more important, than investing in more traditional capital expenditures on security. Human capital is broadly defined as the value of an employee's knowledge and skills, and human capital theory has been widely applied across industrial and educational contexts. At the core is the idea that investments in people are similar to investments in other large-scale infrastructures. If you invest significantly and wisely, you get better and more productive organizational systems. Skimp on people and, like cheaping out on building materials or IT systems, you end up with structural weakness that makes you less competitive and more prone to breakdown.
During a security incident, an organization's resilience is going to depend on its ability to engage the problem by applying lots of potential solutions very quickly, identifying patterns and more and less successful responses to events on the fly. Even with the best preparation, security incidents are going to confound and distract. Response teams that barely understand how systems work in the best of times will be ill prepared to understand how they work as they are collapsing. And as incidents suck in other systems and functions, including those totally outside the normal purview of InfoSec, only a combination of skills and experience will be able to manage them.
HRSPs try to build collaborative incident response capabilities that can learn and grow even while in the middle of a full-blown attack and breach. This requires committed, engaged people who have worked to build cross-functional, interdependent knowledge. It isn't easy and it isn't cheap, especially considering that the more valuable the human capital is to one organization, the more fungible those skills and talents are on the open market. But for security programs concerned with effectively managing large failure events, no threat is more disturbing than not having resources capable of responding to it effectively.
Exploring Human Capital

Human capital has been the subject of a great deal of research and, in some cases, critique. But today it is widely accepted in fields as diverse as education, human resources, and public policy. I have not even scratched the surface of human capital theory in describing the training environment of HRSPs. There are lots of books on the subject and its applicability throughout organizational management. Two good introductory sources of information for those interested in exploring the topic further are the Human Capital Institute (www.hci.org) and the Deloitte report Global Human Capital Trends 2014 (available from Deloitte University Press, http://dupress.com).
Create "Skill Benches"

Training and skill building alone don't give an organization everything that it will need in a crisis. They only provide the raw materials for the security value of resilience. An HRSP still needs to direct and structure its human capital so that it can be brought to bear effectively during a security incident. Formally designated skill benches throughout the InfoSec program and beyond provide a flexible support structure that can adapt to changing circumstances before, during, and after an incident.
A skill bench is, at heart, just a plan combined with a list of people with specific expertise. The bench functions as a workaround for personnel shortages that emerge during an incident. If only one or two employees have a set of skills, technical or otherwise, then a breach that involves their expertise can tie them up for days or weeks. What happens to their regular duties and responsibilities during that time? If they do not directly support or are not directly affected by the security event, it's likely they will be neglected or even ignored completely. That's not effective operational management. If, on the other hand, the organization can call on a bench of similar talent and skill, even if those individuals are not as fully capable as the employees who do the job full time, calling in the bench resources can blunt the impact of the crisis. Like a reserve parachute, the skill bench may not work quite as well as the main chute, but it will ensure that you aren't killed on impact.

HRSPs create skill benches by first mapping out the roles and requisite job skill requirements for every information security function, and probably several non-security ones, that could reasonably be involved in an incident. The resulting expertise map is used to assess probable skill shortages and bottlenecks resulting from specific security incidents in the organization's incident catalog. Contingency plans are then devised with particular triggers to guide the security team in identifying likely incident patterns and applying skill bench resources based on predetermined need. Again, none of this is easy. Contingency planning is complicated and is as much art as science. Organizations are fluid and environments are dynamic, so the skill bench must be kept current over time. People on the bench have to know they are part of it and be provided the training and education necessary to keep their capabilities viable. But like every other behavior involving the security value of resilience, HRSPs choose to undertake the challenge because they want to know that when a major event happens, it will feel more like a bad day at the office and less like the end of the world.
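The expertise map and the bottleneck assessment described above are simple enough to keep in code and rerun whenever the roster changes. The following Python is an added example, not from the book or its author: the people, skill names, incident catalog and the two-tier primary/bench depth are constructed sample data and assumptions about how a bench list might be recorded. It inverts the roster into an expertise map, flags skills held by a single person, reports which catalog scenarios those thin skills would expose, and runs a scarcest-skill-first staffing pass that shows what happens to a scenario when the one forensics specialist is unavailable.

```python
"""Skill-bench coverage check (added example; sample data is constructed)."""
from collections import defaultdict

PRIMARY = "primary"   # does this job day to day
BENCH = "bench"       # trained backup who can be called in

# Constructed sample roster: person -> {skill: depth}
ROSTER = {
    "ana":   {"forensics": PRIMARY, "active_directory": BENCH},
    "ben":   {"active_directory": PRIMARY, "network": BENCH},
    "chloe": {"network": PRIMARY, "cloud_iam": BENCH},
    "dev":   {"cloud_iam": PRIMARY},
    "erin":  {"legal_notice": PRIMARY},
    "fay":   {"comms": PRIMARY, "legal_notice": BENCH},
}

# Constructed incident catalog: scenario -> skills the response will tie up
CATALOG = {
    "ransomware_ad": {"forensics", "active_directory", "network", "comms", "legal_notice"},
    "cloud_key_leak": {"cloud_iam", "forensics", "comms"},
    "payment_skimmer": {"forensics", "network", "legal_notice", "comms"},
    "plant_ics": {"ot_scada", "network", "comms"},   # nobody on the roster has ot_scada
}


def expertise_map(roster):
    """Invert the roster: skill -> {PRIMARY: [people], BENCH: [people]}."""
    emap = defaultdict(lambda: {PRIMARY: [], BENCH: []})
    for person, skills in roster.items():
        for skill, depth in skills.items():
            emap[skill][depth].append(person)
    return {s: {d: sorted(p) for d, p in tiers.items()} for s, tiers in emap.items()}


def _holders(emap, skill):
    tiers = emap.get(skill, {PRIMARY: [], BENCH: []})
    return len(tiers[PRIMARY]) + len(tiers[BENCH])


def single_points_of_failure(roster, min_people=2):
    """Skills held by fewer than min_people in total, i.e. no bench to fall back on."""
    emap = expertise_map(roster)
    return sorted(s for s in emap if _holders(emap, s) < min_people)


def scenario_gaps(roster, catalog):
    """Per scenario: required skills nobody holds ('missing') and skills with
    exactly one holder ('thin'), one sick day away from an uncovered incident."""
    emap = expertise_map(roster)
    gaps = {}
    for name, skills in catalog.items():
        gaps[name] = {
            "missing": sorted(s for s in skills if _holders(emap, s) == 0),
            "thin": sorted(s for s in skills if _holders(emap, s) == 1),
        }
    return gaps


def staff_scenario(roster, catalog, scenario, unavailable=frozenset()):
    """Scarcest-skill-first assignment: primaries before bench, each person
    used once. Greedy, so it is a quick what-if rather than an optimal matching.
    Returns (skill -> person, list of uncovered skills)."""
    emap = expertise_map(roster)
    assigned, used, uncovered = {}, set(unavailable), []
    for skill in sorted(catalog[scenario], key=lambda s: (_holders(emap, s), s)):
        tiers = emap.get(skill, {PRIMARY: [], BENCH: []})
        pick = next((p for p in tiers[PRIMARY] + tiers[BENCH] if p not in used), None)
        if pick is None:
            uncovered.append(skill)
        else:
            assigned[skill] = pick
            used.add(pick)
    return assigned, uncovered


if __name__ == "__main__":
    print("single points of failure:", single_points_of_failure(ROSTER))
    for name, gap in scenario_gaps(ROSTER, CATALOG).items():
        print(f"{name}: missing={gap['missing']} thin={gap['thin']}")
    plan, short = staff_scenario(ROSTER, CATALOG, "ransomware_ad", unavailable={"ana"})
    print("ransomware_ad without ana:", plan, "uncovered:", short)
```

Run stand-alone it prints that "comms" and "forensics" are held by one person each, that "plant_ics" has a skill nobody holds at all, and that taking "ana" out of the "ransomware_ad" scenario leaves forensics uncovered even though every other skill is staffed. The "thin" list is the bench's to-do list; the "missing" list is where the outsourced or retained bench in the next paragraph comes in.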
Skill benching can be a perfect opportunity for outsourcing, especially in resource-strapped enterprises. It's very likely that a security incident will motivate senior management to free up funds and support that are simply not available in other, more normal circumstances. But building an externally supported bench does not let an HRSP off the hook for advance planning. Like backup sites in disaster recovery and business continuity planning, the organization should give itself options for hot, warm, and cold staffing before an incident. You don't begin preparing a hot disaster recovery site the day the flood takes out your data center. An outsourced bench staff needs to be on call immediately, which in practice means an incident response retainer negotiated in advance, not only to ensure that the response is timely, but to take advantage of "I may have a problem someday" vs. "I need someone here now!" pricing differentials.
Actively Share Expertise

You may have noticed by now that every one of the Security FORCE values includes a behavior devoted to sharing information and insight. For the security value of resilience, that sharing is of expertise, which flows naturally out of the first two key behaviors. But expertise sharing extends beyond just letting everyone know who has Active Directory skills or who has been trained in incident forensics. Expertise sharing also means opinion and imagination sharing across the organization during a security event. It's about bringing the full weight of enterprise human and intellectual capital to bear on successfully managing a security crisis.

Reflex and instinct may, during a security incident, drive people to embrace action over thought. As in the case of the Mann Gulch disaster (see the earlier sidebar), when a 30-foot-high wall of fire is coming at you, the option that seems least wise is to stop and think about what to do. The wisest option would seem to be to run for your life. But as the victims soon tragically discovered, stopping and listening to the foreman is exactly what they should have done. The same holds true in information security. It feels better in the midst of an uncertain situation to be doing something, anything, that seems like positive action. But if our situational awareness is insufficient to know what the best action is, we may find that taking action works against us. In a crisis situation there is a fine balance between reflex and reflection. It pays to remember that gut instincts can be misleading and sometimes we need to question them, particularly in those instances where we have little experience or training with what we are facing.
During a security incident, it is imperative that an organization examine all the options available and choose (albeit quickly) the best moves to make. However, when expertise has been relegated to silos and individuals have only their own limited experience to rely on, the chance of making bad decisions goes up. Even worse, crisis often motivates people to act like they know what's going on, either because they don't realize the extent of their own ignorance about the situation or to reassure others into supporting their actions. HRSPs try to avoid decisions based on bravado or narrow insights. Their goal instead is to create just enough room for collecting different analyses and opinions across a variety of stakeholders before decisions get made, what Managing the Unexpected refers to as "conceptual slack." It's a tricky balance between snap judgment on one side and vacillation on the other. For an HRSP managing a security event, though, taking a few hours to gather alternative frames of reference and contrary viewpoints may mean not wasting orders of magnitude more time going down the wrong path and then having to retrace their steps.
Encourage Stretch Goals

The security value of resilience is not reaped simply by giving members of an organization plenty of training. Taking classes and achieving certifications do not make a person a seasoned practitioner. If those new skills are not put to use, they atrophy and degrade. For that reason, HRSPs motivate and encourage their members to put their training to work, preferably by taking on challenges that will prepare them for the more intense tempo of a security incident.
Stretch goals are used widely in information security and performance management more generally, although they can sometimes be more about wishful thinking or an attempt to squeeze out a few more ounces of productivity than about really stretching someone's abilities. Challenges in the context of HRSPs and resilience are meant to achieve the latter, to strain and stretch the employee's capabilities in the same way we strain and stretch our bodies through exercise. We want our teams to be stronger and more limber so that they are better prepared to face adverse conditions during an event. But instead of physical prowess (although that can be necessary as well; security incidents tend to be exhausting physically), the objective is cognitive and even emotional strength and stamina.
The key resilience value behaviors described in this chapter provide ample opportunities for challenging stretch goals, to the point where such goals are practically a structural feature of the security value of resilience. Having trained and organized skilled people to function as both primary and reserve resources during a major security incident or event, HRSPs will encourage them to engage and participate across the security program landscape. Rotations through other InfoSec and IT functions, opportunities for leading or joining projects and initiatives, and virtual team building exercises that bring together folks on the skill benches and their primary-duty colleagues are all means by which an HRSP can foster an environment of collaborative excellence.
Most importantly, however, stretch goals have to be rewarded. Compensation for going above and beyond one's usual responsibilities does not always have to be financial in nature, and in some cases money can be less effective than other means of motivation. Remember that the goal is to form a tightly knit operational team that can effectively handle a crisis. If we take lessons from other crisis management fields, those with a high degree of professionalism and esprit de corps, the best performers are not necessarily the best paid. As important as money is, HRSPs work to make people feel valued and appreciated for their contributions. Company-wide recognition, opportunities to mentor or work on interesting projects, and formal inclusion of stretch goals into performance reviews (which can also have a financial benefit in the long term) are good alternative ways to encourage people to go above and beyond the call of duty.
Practice Failing

How do you get to Carnegie Hall? the old joke goes. Practice! It's something of a universal life lesson that no one is just naturally a virtuoso. If you want to be the best at something, you have to put in the long, hard hours to train and prepare, repeating the same exercises again and again until they are pitch perfect and inscribed in muscle memory. It's true for musicians, it's true for athletes, and it's true for HRSPs. Failing is pretty much the one event that information security teams most often think about, stress about, and wonder if they are ready for. You would think we might practice a bit more than we do to get ready for our big night on stage!
Some of the problem goes back to the points I made about the security value of failure in Chapter 11, namely that we hate the thought of failure and we engage it with about the same enthusiasm as we do death and taxes. But, as I've also pointed out, security incidents are as inevitable as death and taxes, so we should be ready for one when it comes. Without practice, a security incident is new and unfamiliar and frightening, maybe overwhelmingly so. Even with practice, security incidents will include things that are new and scary, so making as much of our response as possible routine and familiar amid the chaos frees up cognitive resources that we can devote to solving problems. Returning again to Chapter 11, I talked about how the movie Apollo 13 misquoted the "Failure is not an option" line. NASA never ruled out failure. In fact, they practiced failing all the time. The very first Apollo mission ended in tragedy in 1967 when three crew members died in a fire. A board of inquiry was highly critical of NASA's operations leading up to the accident, and afterward NASA began paying a lot more attention to safety and preparing for future accidents. As Nick Gardner describes in his book Mistakes, throughout the rest of the Apollo program, NASA teams spent time between launches dreaming up disaster scenarios and running simulations of them against one another as tests. The Apollo 13 rescue plan, in fact, was the outcome of one of these scenarios.
HRSPs treat failure practice the same way that they treat training: you can never have enough. You might not be able to get all you want or all you need, but practice in the form of war games, scenario planning, and security incident drills is considered high value and an excellent use of time and money. Practicing failure is not, however, the same thing as penetration testing or compliance audits, although these can be factored into a practice exercise. Testing and audits are data collection mechanisms, not experiential exercises. Practicing failure does not mean identifying where a cybercriminal can compromise your production servers. Practicing failure means simulating exactly what happens when that criminal actually compromises those devices. How does the organization find out? How does it respond? How does it deal with the outcomes? Practicing failure involves understanding this entire process in detail and figuring out where the response to the security incident fails in and of itself. After many iterations, that response becomes much better, and eventually becomes habit, professionalized into just another operational process.
The Unrecovered Country

Estonia worries a great deal about the security value of resilience. The Baltic nation has an impressive history of digital adoption, as well as concerns over cyberwarfare, having been hit by one of the earliest examples of it in 2007. More recently, the Estonian government has embarked on a program designed to manage the country's digital service infrastructure even if the country is hit by another massively debilitating cyberattack.
Under the rubric of the "Data Embassy Initiative," Estonia has begun planning for the migration of computer data and resources to other countries in the event of an emergency. In situations where an attack takes out or denies government services hosted inside Estonia, those resources can quickly and effectively migrate abroad, primarily to predesignated data embassies run from inside Estonia's physical embassies around the globe. The strategy is for government capabilities to continue to function, including paying salaries and providing services for citizens, while the crisis on the home infrastructure is resolved.
An initial test by the Estonian government of the digital continuity system was promising but also demonstrated the incredible intricacies that exist even in well-designed and well-managed digital infrastructures. The tests, conducted in partnership with Microsoft, found technical problems, legal problems, and management problems, some of which had been considered ahead of time and some which were complete surprises. As the official government report stated, "it ... became clear that no matter what, textbook readiness is impossible to achieve."
Among the specific findings and recommendations of the exercise were two that clearly echo the material in this chapter. One finding determined that due to improper or missing system documentation, it was often the case that working knowledge of a system was limited to "only a small number of experts" and created gaps in the potential for digital continuity during an incident. One of eight key recommendations of the report was even more to the point. It stated that "operational procedures should be prepared and tested in advance rather than in a crisis." The full report can be found on the English version of the Estonian Ministry of Economic Affairs and Communications website at www.mkm.ee/en (search for "Data Embassy Initiative").
Assessing Your Resilience Value Behaviors

Use the Security FORCE Survey and Security FORCE Metrics to determine how well your organization adheres to the key value behaviors for resilience and to provide empirical evidence of those behaviors.
Scoring the Resilience Value Behavior Survey

The Security FORCE Survey includes statements related to the security value of resilience. The five statements under Security Value of Resilience are listed in the sample of the FORCE Survey shown in Figure 13-1. As with previous chapters, scoring assumes Likert responses normalized on a 1–5 scale:

An average score of 4 or above (most responses indicate Agree or Strongly Agree) signifies the organization exhibits behaviors found in an HRSP.
An average score of 3 (most responses indicate the respondent felt Neutral) signifies the organization may or may not behave like an HRSP.
An average score of 2 or below (most responses indicate Disagree or Strongly Disagree) signifies the organization does not exhibit the behaviors found in an HRSP.
Figure 13-1 FORCE Value Survey statements for resilience value behaviors
For resilience value behaviors, an average score of 4 or greater indicates that the organization behaves in ways that will enable it to respond more quickly and more effectively to security incidents. The organization will have prepared for a variety of possible incidents in advance and put mechanisms into place to deal with unexpected incidents that had not been considered. The response will be more effective given the presence of resources ready to address problems in a coherent way. A score of 2 or below indicates that the organization does not behave like an HRSP and is less likely to “fail gracefully” and recover quickly from a security incident. It is more likely to lose control of the failure process and give in to panic or paralysis when faced with new or uncertain security incident scenarios.
FORCE Value Metrics for Resilience
The FORCE Value Metrics for resilience, providing additional measures of HRSP behavioral alignment, can be found in Figure 13-2.
Figure 13-2 FORCE Value Metrics for resilience value behaviors
Using the FORCE Resilience Value Metrics
The five FORCE Metrics associated with the value of resilience capture an organization’s capacity for crisis in the face of an information security failure such as a major data breach. All are suggestions and non-exhaustive, and should be used, adapted, or supplemented as appropriate.
Number of security-related training opportunities provided to people, by role or group, in the past year
Companies give their InfoSec teams information security–specific training, usually. And they give training in the form of awareness education across the enterprise, most likely. If security really does affect a company as a whole, then the whole company should be trained on it to some degree, and beyond just the basics of knowing when or when not to click an email link. Many organizations today treat proficiency with standard office productivity software as a required skill. Mere awareness that word processing or presentation development is a thing is not enough. Security knowledge and skill should be on the same level, and the organization should provide everyone with access to it. Not everyone in HR will need or want to know how encryption works or how to configure a firewall. But some might. And having skilled people in non-security roles can both help to prevent failures as well as to make an organization more resilient in the face of one. If the organization limits security skills development to just the InfoSec team, this can be an indicator that resilience may be impaired when that team faces a breach that no one else is able to understand.
Number of identified security backup resources available during an incident
Spreading around information security skills and knowledge can lead to more than just an informed and capable workforce. The organization can dramatically improve resilience by formally identifying some of these people as backup resources that can be called upon during an incident, a sort of “volunteer fire department” or “Army Reserve” for the InfoSec program. Knowing who and where these people are, or if they even exist, is a good measure of crisis capacity for an organization, which will directly impact the organization’s ability to respond and recover quickly from an incident.
Ratio of employees with identified security “challenge” assignments as part of regular performance reviews
This metric does not mean the organization must find ways to make people directly responsible for security or take on security-related tasks they do not understand or want to pursue. Security challenge assignments begin where the minimum baselines of training and awareness end. Organizations should work creatively to make assignments practical and valuable, to make completing them worth an employee’s time, and they should be comparable and equal to other performance goals, not extra responsibilities. Assignments can range from taking an extra optional security training course all the way through shadowing a member of the InfoSec team for a day. The point is to (gently) push people’s comfort zones and expose them to the fact that the organization takes information security seriously enough to ask them to devote work time to it and then rewards them appropriately come time for performance appraisals.
Number and type of security knowledge sharing opportunities created in the past year
Teaching information security skills and encouraging individual efforts to improve security knowledge should be supplemented by fostering the sharing of those skills and that knowledge. Like the challenge assignments, organizations should be creative with how they develop knowledge sharing for InfoSec, and doing so does not imply or require significant expenditures of time or money. But the organization should track its efforts and use that metric as a gauge to understand how and to what extent the diffusion of security capabilities is taking place within the enterprise in order to leverage increases in the value of resilience that are realized when collective knowledge is required during a failure event.
Number of scenario-based response testing or security war-game exercises conducted in the past year
This metric is very straightforward and, unlike the previous measures, is directed primarily at the InfoSec program. The organization should track efforts to anticipate and simulate failure scenarios as part of its resilience strategy. If it is not practicing failing on a regular basis and not feeding the resulting data and insights back into security in general, and incident and crisis response plans in particular, then the resulting low scores for this measurement are a good indicator that the organization is not as prepared for a major information security event as it could otherwise be.
Improving Your Resilience Value Behaviors
People are the cornerstone of the security value of resilience, and improving their behaviors is about providing more opportunities for them to realize their personal goals, while also meeting strategic objectives of the entire firm. Unlike with the security values of failure and operations, which ask an organization to rethink its approach to those things, the security value of resilience exhibited by an HRSP in the face of information security incidents is probably not as controversial. Most everyone will agree, especially today, that the ability to weather a security crisis, and look competent publicly while doing it, is an unqualified good thing. It’s how you get there that’s tricky.
The major obstacle an organization is likely to face in realizing the security value of resilience is not skepticism about training or practicing incident response scenarios. Few managers, at least in public, would downplay these important elements of operational readiness. The most likely pushback the InfoSec program will face is the availability of resources, including time, money, and people, necessary for the organization to behave like an HRSP. The theme of competing priorities runs throughout this book, and that competition will impact people’s decisions about where they spend their time, money, and political capital. Improving resilience means shifting limited resources from something else, often something tangible and current, deprioritizing that thing in favor of improved readiness for events that will inevitably happen but cannot be accurately predicted. That can be a tough sell.
I’ve found that among the best ways to make the case for the security value of resilience is to tie that value to other, more intuitive enterprise priorities. Don’t make it about improving resilience. Make it about improving functions and decisions that will result in better resilience, which brings us back to the idea of human capital and people-centric security. Resilience is only one of the positive benefits of training and improving people’s expertise, skills, and work experiences. The most admired companies today, the ones that end up on the lists of best places to work, have in common their emphasis on creating a meaningful place to be employed. The value of resilience includes opportunities for human improvement inside the InfoSec program, but with much wider possibilities for the organization as a whole.
Embed Resilience Value into the Security Program
The two biggest changes necessary to move an InfoSec program toward becoming an HRSP in terms of the security value of resilience do not involve convincing people that more effective incident response is good. As I mentioned earlier, that’s pretty much a given. The changes that are required involve getting people to take more active ownership in cross-functional security responsibilities and overcoming organizational anxiety over an inevitable security incident.
“A Security Incident? I Want In!”
Elite teams of heroes, sacrificing themselves doing a job nobody else can do or would want to, is exactly the opposite of how you want people to see the employees who respond to security incidents, or to see themselves if they are those people. HRSPs spread the ownership of major failure events around, and not in order to lay blame or hold people accountable. If you train and prepare well for something, even something horrible, there’s a certain sense of accomplishment and even pride that comes with putting that preparation to the test. First responders in a disaster scene don’t come on site hoping to find other people to do the job. They jump in and take action, providing the resources and services they have trained and committed themselves to provide. Security incidents should trigger this same level of, if not enthusiasm, determination. People who have worked to contribute to the value of resilience want to help because they are confident they can. It’s a cultural trait that must be nurtured and constantly reinforced through the behaviors defined throughout this chapter.
Make Security Incidents Mundane
It will be much easier to get people involved in responding to security incidents when they look at such incidents as a test of skill and not an existential threat. A problem I have with the “you’ve already been hacked” narrative in information security today is that it teaches the wrong lessons about the banality of security failures, namely that you can’t do anything about them (except, of course, buy the products and services of the firms using the narrative). A better approach, a more HRSP-oriented approach, would be to accept the inevitability of failure but reject the inevitability of helplessness in the face of it. What should make a security incident mundane is that it is expected, anticipated to some degree, planned for, and documented so that the results can be fed into a process of organizational learning and improvement. In an organization running an HRSP, “we had a security incident” is, ideally, on the same level as “revenue growth was flat in Europe” or “we had a supply chain issue in Asia” or “the company had to deal with a product lawsuit.” These happen all the time and are rarely front page headlines, although no one would argue they can be big problems. But as such, they are crises to deal with, to analyze, to respond to, and to move on from with as little disruption as possible.
Further Reading
Gardner, Nick. Mistakes: How They Have Happened and How Some Might Be Avoided. BookSurge, 2007.
Maclean, Norman. Young Men and Fire. Chicago: University of Chicago Press, 1972.
Weick, Karl E. “The Collapse of Sensemaking in Organizations: The Mann Gulch Disaster.” Administrative Science Quarterly 38:4 (1993): 628–652.
CHAPTER 14
The Security Value of Complexity
Resilience, the ability to gracefully weather failure even after every attempt to detect and prevent it has been unsuccessful, is something of an overarching objective of the Security FORCE values. If resilience is the overarching goal of the FORCE Model, then complexity should be thought of as the soul of FORCE. The security value of complexity infuses and informs everything else, a way of looking at the whole world differently. Research into accidents, breakdowns, and HROs grew out of and in tandem with research into complex systems. The emergence of complexity in social and technological environments was, in fact, a primary catalyst for studying the inevitability of failure in the face of these systems’ emergent and unpredictable behaviors. For HROs and HRSPs, working with, not against, complexity is fundamental to improving their reliability.
What Is the Security Value of Complexity?
Complexity isn’t simple. That’s a terrible cliché, but not a bad definition. According to the Santa Fe Institute, a major research center devoted to the science of complexity, the term complexity is usually defined differently across various disciplines. Fundamentally, complexity involves emergent behaviors that grow out of interactions between the different elements of a system. Neil Johnson, the author of Simply Complexity, riffs on “two’s company, three’s a crowd” and makes the case that complex systems begin when binary ones end. My favorite definitions of complexity come courtesy of Warren Weaver, who, along with Claude Shannon, developed the field of information theory. In his 1948 article “Science and Complexity,” Warren sketched out three levels of complex problems:
Problems of simplicity: Complexity at the level of two, three, or four variables, which is to say not that complex at all and easy to predict with relatively unsophisticated analytical methods
Problems of disorganized complexity: Complexity at the level of millions or billions of variables, operating at random so that no one variable is predictable but average behaviors can be accurately analyzed
Problems of organized complexity: Complexity in which large numbers of variables interact, but in nonrandom ways, and those organized relationships within the system make behaviors unpredictable using normal analysis
When Weaver published his article about the differences between disorganized and organized complexity in 1948, he anticipated that organized complexity would be the big challenge for science in the coming century. It certainly is for information security today. Security programs have for the longest time behaved as if they were dealing with problems of simplicity. Now that they are realizing that’s not the case, they are turning to techniques like big data that promise to turn security into a problem of disorganized complexity. But that won’t work either, at least not completely. The security value of complexity begins with the recognition that information security is an environment dominated by problems of organized complexity. Those problems cannot be easily measured, or even measured with difficulty, using traditional methods. They may not be predictable at all. HRSPs start by accepting that possibility and incorporating its implications.
Dumbing It Down
Humans are biologically and evolutionarily programmed to simplify things. Identifying patterns, shortcuts, and heuristics is one of the ways that we have survived over our history as a species. As people began to come together in collective and then organized groups, they brought their tendency to simplify complex and diverse information inputs with them, now intensified by the need to create shared consensus and agreement. Cut forward a few millennia and our current world of frameworks, common criteria, and best practice methodologies is much easier to understand. Like their lone ancestors, companies and enterprises thrive by simplifying the paralyzing stimuli they must deal with into categories, labels, scenarios, and triggers that allow them to make decisions under conditions of chaos.
Go too far down the simplicity track, though, and you end up in a place where you have removed so much nuance and detail from the abstractions you have created that they become meaningless. Everything gets reduced to the small set of variables necessary to make it a problem of simplicity, and thus easily analyzed and acted upon. Run into something new? Just dump it into the closest category bucket. Instead of focusing on what might make it different, look for the things that make it the same. Otherwise, how can we act on it? Is it secure or vulnerable? Is it compliant or non-compliant? Is it a technical control or a process control? If someone reminds a group of people that something can be both of these things, or even all of them, they are reminded of the practical qualities of information security: We have to draw the line somewhere. And drawing that arbitrary line, whether it represents divisions of cells on a heat map or perimeters on a network diagram, involves an assumption. The organization assumes the division reflects reality, and it assumes risk against the probability that it does not.
The security value of complexity is not a rejection of simplification, which is impossible, but instead a healthy sense of skepticism and mistrust. We dumb things down because we have to at times, not because we want to. There is always a trade-off, and every act of simplification brings concomitant risk along with it. HRSPs fight to keep simplifications from taking over by engaging in them hesitantly, by questioning and critiquing them repeatedly, and by trying to re-complicate them continuously. Allowing simplicity is like allowing vulnerability. Sometimes you must do it for business reasons, but you’re never happy about it. And as soon as you can, you try to correct the problem.
Growing Uncertainty
When security teams and other organizations oversimplify, they start putting too much stock in labels, categories, and representations. In fact, they may start trusting their classifications and models so much that they stop paying close attention to the real world those things represent. Empirical evidence can become less important than what the model says is real. This is especially true when political or cultural forces have a vested interest in the representation. If the organization has invested significant effort in compromise and in developing consensus and cooperation among stakeholders, criticizing that common frame of reference may be seen as threatening. Take the example of a penetration test, where an organization receives a report of vulnerabilities. The findings come back with problems classified by severity, perhaps using Common Vulnerability Scoring System (CVSS) scores. Tasks and maybe even blame are doled out as a result, with some teams being assigned severe problems that have to be fixed immediately, while other teams are assigned less problematic vulnerabilities and are given more leeway. Now imagine the hell that breaks loose when someone argues that a commonly found “minor” vulnerability is actually as bad as the severe ones and should be prioritized, tripling the workload of the teams who thought they had the easier assignment. Screaming matches and appeals to senior management ensue. Whether or not the vulnerability in question is really that dangerous gets lost in the noise. The model drives the argument.
Linguists and philosophers have, for a long time, explored the idea that words very literally have power. They are not just tools of description, but actions themselves with the ability to shape thought and drive behavior. In Managing the Unexpected, Weick and Sutcliffe cite Benjamin Whorf, a linguist, who demonstrated the power of labels in his examination of “empty” gasoline drums at an industrial site. Used drums, which had once been filled with fuel, were processed once the gasoline had been drained. These now-empty drums, Whorf found, were treated less carefully than ones that still contained liquid. Workers equated the idea of an empty drum with something devoid of flammable material, which made them less likely to take safety precautions with it. But in reality, a full container of gasoline is safer than one that has no liquid left in it, due to the explosive nature of vaporized gas. Returning to the penetration test example, I have seen plenty of organizations that allowed vulnerabilities to go unmitigated for years because classifying them as “minor vulnerabilities” came to be interpreted as nonthreatening even when they existed widely throughout the network.
Every time we simplify something to make it easier to conceptualize or manage, we create uncertainty. To reduce complexity, we have to leave things out, lump things together, make blurry edges artificially sharp. Our pictures become clear because we no longer have to focus on so many messy details. It’s an incredibly useful process that makes decision making more efficient. It’s also an illusion. The hidden aspects are not eliminated, just put into the background. They keep functioning, but we choose not to see them in favor of the things we’ve brought to the foreground. Although we are not focusing on the hidden aspects, they may still affect us, and we won’t realize it because we’ve placed them into our blind spot. HRSPs worry about that to no end.
CVSS, Heartbleed, and the Uncertainty Challenge in Scoring Systems
Scoring systems are useful. We need them. I use them myself for both of the measurement frameworks I propose in this book. But they are imperfect and should never be treated as empirically measuring some objective reality. They are metaphors describing something (performance, risk, etc.) in terms of something else (a number, a rank, or a label). We usually invent scores when something is too difficult to measure directly and we have to create an approximation. Even seemingly objective scores, like in sports, hide as much as they reveal. The Texans beat the Cowboys by 14 on Sunday? Well that proves the Texans are a better team, right? Highly unlikely, as I’m sure some Cowboys fan will point out to me someday in person.
Blogger Michael Roytman explores similar problems in the context of information security, specifically vulnerability severity scoring in the wake of the Heartbleed OpenSSL vulnerability of 2014. His post, “CVSS Score: A Heartbleed by Any Other Name” was written in May of that year. While technology and mainstream media outlets were throwing around terms like “catastrophic” and “worst vulnerability ever,” Heartbleed was officially given a CVSS score of 5.0 out of 10, classified as medium severity. The score reflected a combination of factors inherent to CVSS calculation and included an analysis that the vulnerability, while highly exploitable, was of relatively low impact. The score seemed so out of touch with reality that the National Vulnerability Database (NVD) took the apparently unprecedented step of issuing a caveat warning about it. The NVD pointed out that, even though some local system resources might not be directly affected, the vulnerability could be used to gain sensitive information that might lead to other attacks.
The point of the attention that Roytman and the NVD brought to the CVSS, and which I illustrated through my football analogy, is that any scoring system is a product of simplification. We use them to reduce our uncertainty about a decision or analysis, such as who played a sport better (the highest-scoring team) or which vulnerability to prioritize for fixing (the ones with the highest CVSS scores). But you cannot reduce real-world complexity to a small set of data points without simultaneously increasing uncertainty as well. If your algorithm is good, you reduce the uncertainty you want while introducing uncertainty you don’t really care about in that context. If your algorithm is flawed, you confuse yourself about the very thing you are trying to make more clear, a problem worth thinking about. You can find Michael Roytman’s complete analysis of CVSS scoring challenges on the AlienVault blog page at www.alienvault.com.
Ignorance Is Risk
Deliberately choosing to ignore some things in favor of emphasizing others may be a uniquely human skill. And as long as we remember what we have chosen to ignore, we manage the trade-off quite well. It’s when people and organizations go for the full-on bliss, neither remembering nor really caring to know what they have chosen to disregard, that they open themselves to danger. HRSPs use ignorance as a tool, but as a powerful, dangerous tool, one that must be managed consciously and carefully so that it doesn’t cause harmful accidents. Assumptions are the containers in which HRSPs store and manage the things they deliberately ignore. And like any other dangerous materials, they are subject to strict rules regarding how they are treated.
HRSPs do not like to create new assumptions that they then have to manage. HRSPs tend to simplify things as infrequently and as carefully as they can, and when they do choose to dumb things down, they try not to go overboard, no matter how easy that might make their lives. That means HRSPs minimize the number of assumptions they have to deal with and maintain a healthy sense of cognitive dissonance, always holding both the simplification and the assumption in balance, using the former but never forgetting the latter. It’s like the suspension of disbelief when watching a movie or reading a good novel. You know what you imagine is happening isn’t real or doesn’t make logical sense, but you accept it for a little while in order to absorb the experience and everything it offers. Then the lights go up in the theater or you lay the book down on your desk, and it’s back to reality.
People in HRSPs are like the people you know who love to rip apart the movies and novels others enjoy, to point out every flaw in plot or inconsistency of detail. They enjoy killing a good buzz by pointing out things like the observation that the hero’s gun seemed to have an unlimited supply of bullets during the final shootout. But instead of shutting down these cynics, HRSPs invite their comments, even when they are inconvenient or annoying. Security teams focused on the value of complexity know that the problem that ultimately impacts them will probably not be coming from the place they are looking. They suspect it will come out of their blind spot, so they are fanatical about reminding themselves where that spot is and what they have shoved into it. Those assumptions are the vulnerabilities in their mental security systems, and they try to test and address them as much as the ones in their technology products.
My Heat Map and I Have Boundary Issues
One of the best illustrations of the power and danger of labels and categories in information security is the heat map that so many security programs use to measure and express security risk. I must preface this example, as I do when I speak about it to customers or at conferences, that I have nothing against heat maps per se. But I have big issues with using heat maps unselfconsciously and without thinking as much about what the heat map leaves out as what it contains. HRSPs use heat maps too, but they never lose sight of the fact that you end up packing a disproportionately large quantity of assumptions and uncertainty into these visualizations compared with other available risk management techniques.
The following illustration shows a simple heat map, representative of heat maps I have seen used throughout information security organizations around the world. The X-axis is the company’s estimate of the frequency of security risk or events, while the Y-axis is the company’s estimate of the impact of any particular risk or event. Increased frequency and/or likelihood tends to raise the perceived risk level, thus increasing the overall risk severity score. Many organizations use different scores than high, medium, or low, but it really doesn’t matter in the end what terminology is used, as we’ll see. Usually, the cells representing high scores are colored red, the medium scores yellow, and the low scores green. These scores are then used to make decisions regarding resource allocation and time allotted to address the risk or fix the vulnerability. There may be variations on this theme, but heat map–driven risk assessments have been and remain an accepted best practice (or at least a totally acceptable practice) in the information security industry.
I could comment on the somewhat intriguing practice of assigning any security risk or vulnerability a “green” color, but it reminds me so much of Benjamin Whorf’s “empty” (and thus presumably “safe”) gasoline containers that I feel like I’ve already addressed it. Instead, let’s focus on the assumptions and uncertainty that congregate around the heat map’s artificial boundary lines.
The next illustration breaks out a section of nine cells from the middle three rows in the upper right area of the heat map. I’ve also labeled the boundaries between cells in ways I have found pretty typical in the heat maps I have seen. Frequency is separated into four probability thresholds of 25 percent each. Impact is defined by numerical scores from 0 to 10, with 10 being the most severe. Usually, these scores will be tied back to a category key that indicates financial loss, loss of service or access, or some other direct impact. Most organizations I’ve seen use heat maps use them to build or populate remediation plans, assigning the highest severity risks to be fixed the quickest and gradually moving down the severity stack until everything is addressed or the organization runs out of time, money, or personnel (usually the latter). By examining three unique risks, labeled A, B, and C and classified using the heat map shown in the illustration, we can start to get an idea of just how much uncertainty is involved with heat maps and how these labels can result in large blind spots of potential risk.
Risk A comes in with a frequency estimate of 50 percent likely to occur and an impact score of 7.9. According to a literal interpretation of the heat map, Risk A is a high-severity risk (often colored red on a heat map). But heat maps are not literal measurements of risk, and the boundaries between severity are arbitrarily drawn up by the people interpreting them. The organization builds an approximation of reality, which then becomes tempting to use in place of actually exploring reality. If Risk A, during the assessment calculations, had been rated just one percentage point of frequency lower, becoming 49 percent likely, it would have immediately been categorized as medium severity (and shaded yellow). Is a risk of 50 percent/7.9 that different from one of 49 percent/7.9? In terms of risk treatment, if the InfoSec team is given a deadline of six months instead of six weeks to fix the problem, then the difference in categorization implies a significant difference between the two estimated risks.
Risks B and C are variants of this same phenomenon. In the case of Risk B, it falls within a high-severity risk cell bracketed by other high-severity risk cells, but had it been estimated slightly less impactful and slightly less likely during the assessment calculations, it would have fallen into the medium-severity risk cell to its lower left on the heat map. How do we differentiate between Risk B and other high-severity risks that may be less likely or more damaging, or between it and a medium-severity cousin just across the boundary? Risk C is rated 100 percent likely, but its impact score makes it medium severity. In this case, the organization may decide it has to accept unavoidable damage from one risk in order to protect against one that might never happen. Heat maps encourage, even demand, this category-centric thinking, sometimes at the expense of common sense. HRSPs refuse to allow their models to tell them what’s really real.
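The boundary effect the chapter walks through with Risks A, B and C can be made mechanical. The following Python is an added example, not the book's own material: the grid (four 25-point frequency bands, four 2.5-point impact bands, and the severity assigned to each cell) is a constructed heat map in the spirit of the illustration, and the estimates for Risks A, B and C are constructed to match the chapter's description of them. It goes one step beyond the text's single one-percentage-point comparison: besides classifying a risk, it flags any risk whose label would change within a stated estimate tolerance, which is one way of writing down the assumption that the cell boundaries otherwise hide.

```python
from bisect import bisect_right
from itertools import product

# Constructed heat map (an assumption for this example, not the book's figure).
# Frequency bands: 0 = [0,25), 1 = [25,50), 2 = [50,75), 3 = [75,100].
FREQ_EDGES = (25.0, 50.0, 75.0)
# Impact bands: 0 = [0,2.5), 1 = [2.5,5), 2 = [5,7.5), 3 = [7.5,10].
IMPACT_EDGES = (2.5, 5.0, 7.5)

# SEVERITY[impact_band][freq_band]: the red/yellow/green cells of the map.
SEVERITY = (
    ("low",    "low",    "low",    "medium"),  # impact band 0
    ("low",    "low",    "medium", "medium"),  # impact band 1
    ("low",    "medium", "medium", "high"),    # impact band 2
    ("medium", "medium", "high",   "high"),    # impact band 3
)


def classify(frequency_pct: float, impact: float) -> str:
    """Map a (frequency in percent, impact on 0-10) estimate to its cell label."""
    if not 0.0 <= frequency_pct <= 100.0 or not 0.0 <= impact <= 10.0:
        raise ValueError("frequency must be 0-100 and impact 0-10")
    return SEVERITY[bisect_right(IMPACT_EDGES, impact)][bisect_right(FREQ_EDGES, frequency_pct)]


def boundary_sensitive(frequency_pct: float, impact: float,
                       freq_delta: float = 1.0, impact_delta: float = 0.1) -> bool:
    """True if moving the estimate by up to the given tolerances changes its label.
    The nine corner/edge points of the tolerance box are checked, clamped to the axes."""
    base = classify(frequency_pct, impact)
    for df, di in product((-freq_delta, 0.0, freq_delta), (-impact_delta, 0.0, impact_delta)):
        f = min(100.0, max(0.0, frequency_pct + df))
        i = min(10.0, max(0.0, impact + di))
        if classify(f, i) != base:
            return True
    return False


def triage(risks: dict, freq_delta: float = 1.0, impact_delta: float = 0.1) -> dict:
    """Return {name: (label, near_boundary)} for {name: (frequency_pct, impact)} estimates,
    so a remediation plan can carry the 'this label is fragile' assumption alongside the color."""
    return {name: (classify(f, i), boundary_sensitive(f, i, freq_delta, impact_delta))
            for name, (f, i) in risks.items()}


if __name__ == "__main__":
    # Constructed estimates in the spirit of the chapter's Risks A, B and C.
    sample = {"Risk A": (50.0, 7.9), "Risk B": (90.0, 9.0), "Risk C": (100.0, 4.0)}
    for name, (label, fragile) in triage(sample).items():
        note = "  (label changes within tolerance)" if fragile else ""
        print(f"{name}: {label}{note}")
```

With these constructed values Risk A is classified high but flagged, because a one-point drop in frequency moves it to medium, exactly the comparison the chapter makes; Risk B sits deep enough in its red cell that no nudge within tolerance changes it; and Risk C comes out medium despite its 100 percent frequency. The tolerances are themselves an assumption, and keeping them as explicit parameters is the point: they document how much of the color is estimate and how much is boundary.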
Complexity Key Value Behaviors
Environments of organized complexity resist our attempts to identify predictive patterns. Thus, the complexity value behaviors that an HRSP will encourage are less about looking for those patterns and more about reminding ourselves that they can be misleading or impossible to accurately identify. I described the security value of complexity earlier as the soul of an HRSP because embracing it results in an attitude of cautious self-doubt that is fundamental for successful people-centric security. Security fails because organizations forever overestimate their understanding of the systems that they create, and underestimate those systems’ capacity to do something completely unexpected. We do this out of a desire to make reality simpler and easier to analyze and explain, when we should be trying to make our explanations more complex and harder while stretching ourselves into more sophisticated analyses. The behaviors that characterize the security value of complexity include
Don’t oversimplify
Formalize your assumptions
Covet empirical evidence
Share the doubt
Make every model better
Don’t Oversimplify
With training for resilience, discussed in Chapter 13, the road of excess leads to good places. But with simplification, the road of excess is paved with good intentions and only leads downward. Simplicity is seductive and alluring. It promises better results for less work, all while delivering an aesthetic quality that appeals to our artistic and even spiritual natures. But too much simplicity ends up making us oblivious and indifferent to a great deal of risk we may never notice until the aftermath of an incident. Oversimplification happens when an organization is not careful enough about how much reality it is willing to give up in the name of efficiency.
HRSPs greet promises of simplicity like they would greet a salesperson who walks through the door promising that their product does more, does it better, and costs less. HRSPs take the marketing brochure with a large grain of salt and start asking hard questions. They actively and aggressively distrust and challenge attempts to boil down complex systems and processes into easily digested labels, categories, or pictures. Instead of emphasizing how much work a simpler approach saves them, an HRSP wants people to consider how much has to be hidden away from view in order to achieve that level of reduced complexity. Sacrifice too much reality to the model and you destabilize your ability to respond to your own system.
InfoSec programs that leverage the security value of complexity avoid oversimplification first by changing their attitude about complexity, much the same way that security programs that embrace the security value of failure first change their attitude about failure. Simplicity increases uncertainty in security, and oversimplifying creates risk. Therefore, an HRSP simplifies only when there is a clear need for it and a clear understanding of what is being hidden for the sake of simplification. In an HRSP, people are conditioned to pay attention to what is being ignored and to point out the assumptions that have to be accepted in order for a simplified model or framework to even work. A similarity between the security value of complexity and the security value of operations is that both are concerned with comparing what is believed with what is real. A security framework may do wonders at describing some theoretical future state, along with the 10, 20, or 100 discrete elements that get you there. HRSPs worry about the current state and how the million discrete elements already in play will influence those the framework prioritizes.
Formalize Your Assumptions
Assumptions are organized collections of uncertainty, dedicated to a specific purpose. They are mental tactics that allow us to accept things as true without any proof. Assumptions allow us to take a shortcut around problems of evidence by ignoring our lack of it. Scientists make assumptions all the time. Groups and individuals making assumptions can do so temporarily, to work through part of a problem, or they can do it permanently by transforming those assumptions into biases and prejudices. Just because something is an assumption, or even a prejudice, that does not automatically make it untrue. It just means that those who make it have little or no empirical evidence to support their assertion of belief.
By virtue of their desire to reduce the number and degree of simplifications they engage in, HRSPs naturally try to reduce the number of assumptions that have to be factored into security decisions. When HRSPs do make assumptions, they attempt to formalize them. This includes identifying them, documenting them, and making that documentation available to others. A successful audit is cause for celebration, but the security team will also be considering everything it has accepted at face value, from the competence of the auditor to the comprehensiveness of what was tested.
Formal, documented assumptions provide both a paper trail for when things go wrong and an opportunity to identify new sources of data and insight. They allow the organization to track and manage uncertainty around security decision making, which is one proxy for security risk. Formal assumptions are also a very valuable, but much underutilized, complement to security frameworks, regulatory regimes, and program plans and strategies. Comparing and rating these organizational tools according to the amount of reality they force you to ignore to reap their benefits has security as well as economic value, similar to the value of understanding the total cost of ownership over the life of the whiz-bang new product line that salesperson has come to pitch to you.
Covet Empirical Evidence
Coveting something means more than just wanting it. It means wanting it very much, to the point of obsessiveness. Recognizing the security value of complexity, HRSPs covet data and evidence because they are never satisfied with how little or how much they know about their threat environment, their security posture, and their decisions in regard to both. It’s not just a question of metrics, performance indicators, or dashboards. HRSPs want evidence-based security management and scientific levels of justification, even when they know those things may not be possible with the information at hand.
One reason that HRSPs covet empirical evidence is an inversion of an argument used by many traditional security professionals, namely that security effectiveness is very difficult to measure because it's impossible to prove a negative. If you put in security technology and don't get hacked, you can't prove you didn't get hacked because you put in the security technology. This "logic" has been the basis of any number of measurement and metrics arguments I have found myself drawn into, and it would seem to make sense. How can you prove something that you did prevented something that never happened? But as presented, it's a false choice, predicated on the assumption that the underlying measurement of security effectiveness is the absence of security failure. And, as I've discussed at length in this section of the book, that's an impossible and meaningless definition that even the security industry no longer believes. But the argument still gets made.
The security value of complexity cannot be realized as long as information security programs insist on trying to understand their complex systems using only limited sources and types of data and evidence. Ignoring information because it is hard to collect or measure, or because we trust machines more than we trust people, is to accept a deliberate handicap. Low-hanging fruit eventually all gets picked. If you want more to eat, you're going to have to work a little bit (or a lot) climbing higher into the tree.
Limiting the data we use to support our InfoSec program means limiting the vocabulary we can use to discuss our program and the security it provides or facilitates. When we limit our ability to describe and discuss security, we limit the ways we are able to think about it. That leaves information security very vulnerable to disruption by anything novel, and these days it feels like everything in the threat world is novel. HRSPs work hard to think in terms of questions that need to be answered, not data that are easily available. Wanting something because it's cheap and mediocre doesn't work for security evidence any more than it does for consumer or industrial products. Not all luxury is about status or ostentation. HRSPs covet quality evidence because it gives them capabilities they can't find in the commodity brands. Good empirical evidence answers important questions and allows security to compete more effectively in the organization.
Evidence and Falsifiability
Hitchens' Razor is an axiom named after the late journalist and skeptic, Christopher Hitchens, who coined it from a Latin proverb. The axiom states, "What can be asserted without evidence can be dismissed without evidence." In other words, if you make a claim for something and you can't provide any supporting data, I am free to refute your claim without any supporting data of my own. The responsibility of proof is placed on the party making a particular claim. When helping with security measurement, I encourage CISOs and security managers to make Hitchens' Razor a core tenet of their programs, both offensively and defensively. You can't expect enterprise support or resources if you cannot back up your security claims with evidence, but neither do you have to accept arguments against the need for security when they are not supported by data.
Another interesting concept regarding evidence and truth is that of falsifiability, which originated with Karl Popper, a philosopher of science. Popper's argument was that for a theory to be truly scientific, it must be capable of being proven false through empirical inquiry. You have to be able to test a theory. If you can't test it by observation or experiment, then the "theory" is just a meaningless statement. Take two examples from security. If I tell my information security vendor that I don't need the vendor's product because I have no security vulnerabilities, that's a falsifiable statement and thus has scientific meaning. My vendor could do a penetration test, and if they found a vulnerable system, my theory that I have no security vulnerabilities would be instantly invalidated. That's science. But if my vendor tells me my system has been hacked, I just don't know it yet, that's not something I can test empirically. No matter how many times I find no evidence of attack, I can't disprove the theory that there might be one that I missed. So I can never prove the vendor's "theory" wrong. That may be a great marketing technique, but it's not rational science.
Share the Doubt
HRSPs run on skepticism and an obsession with taking nothing for granted. They worry that they aren't finding their failures, that they don't know what's really going on operationally, and that their models and frameworks are missing the information they need to stay safe and secure. As this section outlines, there are quite a few habits and behaviors that these organizations adopt to overcome their doubts and fears, and one of the most important is sharing those doubts inside and outside of the security program.
Simplification happens for many reasons, and one of them is that an organization relies on an experience base that is too limited. If everyone shares the same skills, background, and experiences, the chances increase that everyone will look at a problem in the same way. Diversity benefits psychological ecosystems in the same way that it benefits biological or technological ones. When you add people with different backgrounds and opinions to the mix and encourage them to interact, you get more ideas and more nuanced views of the environment and the challenges it offers. Specialists are very valuable when it comes to engaging on a specific, targeted problem, like what to do about a software flaw in widely deployed software. If you bring in a bunch of experienced software engineers, they can deconstruct that problem quickly and effectively. That's what they do. But if you ask that same specialized group of software engineers to brainstorm the five biggest security threats to your organization, you should not be surprised if all of their replies are software related. After all, that's what they do.
HRSPs encourage broader experience and value general knowledge as much as specialized skills. Jacks and Jills of all trades are welcomed for their ability to mix and mash up different concepts and insights into new knowledge. This includes coming up with novel ideas as well as novel problems with existing ideas. HRSPs apply the security value of complexity to skepticism and doubt by encouraging everyone to poke holes in theories, spot logical and conceptual flaws, and relate challenges they see in other areas to the ones under discussion.
It is not enough to just bring together specialists from different areas, as well as generalists, and let them talk. HRSPs understand that social norms and politics may impede frankness even in such brainstorming groups, so they deliberately and officially give these participants the space and freedom to question and criticize each other's ideas and arguments. Whether these interactions are conducted in person through focused group activities or by remote and asynchronous peer review systems or some other means, structures have to be created to ensure that everyone feels safe and welcome while sharing. This becomes a leadership responsibility for the organization, to emphasize that the goal of the process is to harness the collective wisdom of the organization for the benefit of everyone.
Make Every Model Better
As predictors of real phenomena, models are kind of meant to be broken. You build one, test it against reality, and realize that it's pretty flawed, so you reject that specific model and go about creating a new one. That process has been at the core of scientific inquiry for pretty much the entire history of science. Models are pretty poor substitutes for the rich complexity of a real system, be it weather, the stock market, or organizational culture. On the other hand, models allow us to describe and deconstruct those systems much more easily and cheaply than if we had to describe or re-create the whole thing with complete accuracy. It's a trade-off. We can squeeze plenty of insight and predictive power out of even an imperfect model, but compared to reality, most models possess a potential for improvement that approaches infinity.
A career in information security has brought me to the conclusion that the modeling capabilities and skills of most InfoSec programs are pretty unsophisticated. We build models all the time, and we use models everywhere, but we rarely question or even consider the assumptions on which our models are based, and we don't do much to test those models or attempt to make them better. Heat maps are models, annual loss expectancy is a model, and compliance frameworks are models, but in many cases, we have been using the same models, almost as is, for decades. When we do improve a model, it's often more about making the model "quantitative" or "prettier" than about testing its assumptions or the results we get from it. The thing is, bad models make for bad security. And imperfect models that never change or are never updated because they are never tested for accuracy are not good models.
HRSPs know that models must grow and evolve to stay relevant, especially when they are being used for decision support. Luckily, models are generative if you allow them to be. They produce the raw materials necessary for improving the model, namely the results of the model and the errors in those results, as a function of their operation. Any model that is developed should be accompanied by a formal set of assumptions that defines what the simulation has to leave out in order to work, and HRSPs already make a habit of this behavior, as I've described. Next, any predictions or insights generated by the model must be tested against the system being simulated. Did the model predict an event or a level of loss? Did that really occur? If yes, then great, we can begin looking at how the model might be expanded to predict other system behaviors. If no, then that's okay too, so long as we can go back and decide where to change our assumptions and tweak the model based on the real outcomes.
Assessing Your Complexity Value Behaviors
Use the Security FORCE Survey and Security FORCE Metrics to determine how well your organization adheres to the key complexity value behaviors and to provide empirical evidence of those behaviors.
Scoring the Complexity Value Behavior Survey
The Security FORCE Survey includes statements related to the security value of complexity. The five statements under Security Value of Complexity are listed in the sample of the FORCE Survey shown in Figure 14-1. As with previous chapters, scoring assumes Likert responses normalized on a 1 to 5 scale:
An average score of 4 or above (most responses indicate Agree or Strongly Agree) signifies the organization exhibits behaviors found in an HRSP.
An average score of 3 (most responses indicate the respondent felt Neutral) signifies the organization may or may not behave like an HRSP.
An average score of 2 or below (most responses indicate Disagree or Strongly Disagree) signifies the organization does not exhibit the behaviors found in an HRSP.
Figure 14-1 FORCE Value Survey statements for complexity value behaviors
For complexity value behaviors, an average score of 4 or greater indicates that the organization behaves in ways that will minimize oversimplification and reduce risks associated with blind spots and unrealized assumptions regarding the organized complexity of the information security environment. An average score of 2 or below indicates that the organization does not behave like an HRSP and is more likely to oversimplify the information security environment and the challenges the security program faces, and may create and increase risk and uncertainty by not making assumptions explicit, by not collecting sufficient evidence to support assertions or decisions, and by using outdated or flawed frameworks and models.
FORCE Value Metrics for Complexity
The FORCE Value Metrics for complexity, providing additional measures of HRSP behavioral alignment, can be found in Figure 14-2.
Figure 14-2 FORCE Value Metrics for complexity value behaviors
Using the FORCE Complexity Value Metrics
The five FORCE Metrics associated with the value of complexity assess how well the organization manages uncertainty and avoids oversimplification in the information security program. These measures are intended to be applied broadly across people, processes, and technology. Some of the metrics themselves represent complex and highly uncertain aspects of InfoSec, and may require some simplification to collect and analyze. All are suggestions and non-exhaustive, and should be used, adapted, or supplemented as appropriate.
Number, type, and complexity of adopted organizational frameworks
Organizations should understand how dependent they are upon different conceptual frameworks and models used to manage information security for the business. Collecting data on the number of frameworks or models used, along with analysis of how they work, can help the organization decide how much uncertainty it is accepting. Using too many constructions that are overly simplistic or poorly understood and applied can produce results that obscure more insight than they reveal. The organization should understand if its frameworks and models are conceptual, descriptive, or technical, and whether assumptions for each construct have been fully and formally documented. An analysis of complexity should also be performed on frameworks and models, although this is necessarily a loosely defined term. At a minimum, frameworks and models should be assigned complexity ratings that result from how many inputs a framework or model allows, how many assumptions are necessary for it to function correctly, and how much variability is allowed in the results. Oversimplified frameworks and models tend to limit inputs and results, while requiring users to ignore large numbers of potential influences, in order for the construct to work properly.
Average time to organizational decisions (from initial proposal, through debate or deliberation, to final resolution)
Put very simply, how long does it take the organization to make a decision on average? Are decisions thoughtful and deliberated, with debate and input coming from many different areas? Or do they get made quickly, by a few people close to the decision itself, perhaps then "rubber stamped" through other areas of the organization? Just because a firm makes decisions quickly or without wide consensus does not mean that it is losing out on the value of complexity. But if an organization's decision-making process tends to be fast and not very rigorous, this could be a sign that oversimplification is more likely to occur during that process.
Average number of data points collected in support of individual organizational decisions
This measurement is another one that may be highly variable in its collection and analysis. A data point can refer to just about anything that goes towards supporting a particular decision, although I define the term as a specific item of empirical (observable) evidence that is collected and presented in order to influence a decision maker. The more data points that an organization can reasonably and efficiently collect, the better. If an organization is making its decisions on only a few data points, it is likely that the value of complexity is not being fully realized or exploited.
Number of formal reviews of security plans by non-security stakeholders in the past year
Like the other FORCE Metrics concerned with sharing information and collaborating on information security decisions, this measurement assesses how well an information security program is asking for feedback, assumptions, and criticisms from other stakeholders in the firm, especially ones who may see different organizational priorities as being more important than InfoSec. The more plans subjected to outside review and scrutiny, the better the chance that inaccurate or incomplete assumptions can be identified regarding how security will function.
Number of outcome and modeling evaluations conducted in the past year
If the frameworks and models used by an organization are not subject to review and assessment on a regular basis, they run the risk of losing their relevance and accuracy. Equally important, evaluating the effectiveness of models and frameworks by comparing expectations with results is the only way by which these constructs can be shown to be accurate in their predictive or descriptive capabilities. Basing information security on a model that consistently delivers inaccurate results creates risk, but unless that model is audited to ensure that the results it produces match what really occurs, it is very unlikely that inaccuracies or errors in the model will ever be detected. Every model or framework used by the organization should be evaluated periodically to ensure it is still meeting the organization's needs.
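The outcome evaluation this metric calls for, and the "did the model predict an event or a level of loss, and did that really occur?" test described under Make Every Model Better, can be made concrete. The following is an added example, not code from the book or from the Security FORCE model: it records a risk model's formal assumptions next to its predictions, then scores each prediction against the recorded outcome. Every scenario name, probability, and loss figure is a constructed sample value, and the Brier score and "surprise" threshold are my choices of how to score, not something the book prescribes.

```python
"""Test a security risk model against observed outcomes (added example, not from the book).

The model's assumptions are recorded alongside its predictions; scoring compares
each prediction with what actually happened, so the errors become the raw
material for revising the assumptions. All scenario names, probabilities and
loss figures below are constructed sample values.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Prediction:
    scenario: str
    probability: float     # predicted chance the scenario occurs in the period (0..1)
    loss_if_occurs: float  # predicted loss, in currency units, if it does occur


@dataclass
class RiskModel:
    name: str
    assumptions: List[str] = field(default_factory=list)   # formal, documented assumptions
    predictions: List[Prediction] = field(default_factory=list)


@dataclass
class Outcome:
    occurred: bool
    actual_loss: float


def evaluate(model: RiskModel, outcomes: Dict[str, Outcome],
             surprise_threshold: float = 0.1) -> dict:
    """Score a model's predictions against recorded outcomes.

    Returns a report with the Brier score of the event predictions (0 = perfect,
    1 = always wrong), predicted versus actual loss, the scenarios whose outcome
    contradicted a confident prediction, and the predictions never checked at all.
    """
    tested = [p for p in model.predictions if p.scenario in outcomes]
    untested = [p.scenario for p in model.predictions if p.scenario not in outcomes]

    squared_errors = []
    surprises = []
    loss_errors = {}
    predicted_expected_loss = 0.0
    actual_loss = 0.0
    for p in tested:
        o = outcomes[p.scenario]
        observed = 1.0 if o.occurred else 0.0
        squared_errors.append((p.probability - observed) ** 2)
        predicted_expected_loss += p.probability * p.loss_if_occurs  # ALE-style expectation
        actual_loss += o.actual_loss
        # A confident prediction that went the other way is a surprise worth investigating.
        if (o.occurred and p.probability < surprise_threshold) or \
           (not o.occurred and p.probability > 1.0 - surprise_threshold):
            surprises.append(p.scenario)
        if o.occurred:
            loss_errors[p.scenario] = o.actual_loss - p.loss_if_occurs  # positive = under-predicted

    return {
        "model": model.name,
        "assumptions_formalized": len(model.assumptions) > 0,
        "scenarios_evaluated": len(tested),
        "untested_scenarios": untested,
        "brier_score": sum(squared_errors) / len(squared_errors) if squared_errors else None,
        "predicted_expected_loss": predicted_expected_loss,
        "actual_loss": actual_loss,
        "loss_errors": loss_errors,
        "surprises": surprises,
    }


# Constructed sample: an annual-loss-expectancy style model and one year of outcomes.
SAMPLE_MODEL = RiskModel(
    name="ALE-2015 (constructed)",
    assumptions=[
        "Scenarios are independent of one another.",
        "Loss figures exclude reputational impact.",
        "Threat frequencies are unchanged from the prior year.",
    ],
    predictions=[
        Prediction("phishing-credential-theft", 0.80, 50_000),
        Prediction("ransomware", 0.20, 500_000),
        Prediction("insider-data-exfil", 0.05, 200_000),
        Prediction("supply-chain-compromise", 0.10, 300_000),  # no outcome recorded
    ],
)
SAMPLE_OUTCOMES = {
    "phishing-credential-theft": Outcome(True, 120_000),
    "ransomware": Outcome(False, 0),
    "insider-data-exfil": Outcome(True, 30_000),
}


if __name__ == "__main__":
    report = evaluate(SAMPLE_MODEL, SAMPLE_OUTCOMES)
    for key, value in report.items():
        print(f"{key}: {value}")
```

The constructed sample is chosen to show why an aggregate check is not enough: predicted expected loss and actual loss both come to 150,000, so a program that only compared the annual totals would call the model accurate. The per-scenario scores tell a different story: the Brier score is about 0.33, the insider scenario the model rated at 5 percent happened, the phishing loss was under-predicted by 70,000, and one prediction was never checked at all. Each of those is a pointer to an assumption in the list that should be revisited, which is exactly the raw material the text says a model should generate.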
Improving Your Complexity Value Behaviors
Returning to Warren Weaver and the idea of organized complexity, it is difficult to overstate the significance of his differentiation between types of complexity. The security industry today has become very concerned with complexity, but I believe that it may not appreciate how enormous is the size of the wrench that is thrown into the analytical gearbox when a system moves from disorganized to organized complexity. The promise of big data has been touted as being able to find patterns that will allow us to predict system behavior in aggregate, even when we cannot predict the behavior of individual system components. But that assumes disorganized complexity, where everything in the system follows the same rules, which can be determined. When complexity starts organizing itself, you get different rules in different parts of the system, and the distribution of organization may itself be random. That's not a system with a million things behaving individually according to complicated rules. It's a system composed of millions of those systems, all doing their own thing but impacting each other. It may be possible to analyze that too, but Weaver's point was that we haven't discovered how to do it yet.
HRSPsdon’ttrytodiscoverhowtoanalyzeandpredictsystemsoforganizedcomplexity.Theysimplytrytofindwaystosurviveandthrivewithinthosesystems.Theydothisbyfacingtheimplicationsheadon.Youwillneverunderstandexactlywhyyoursecuritysystemsbehavethewaythattheydo.Youmayunderstandatechnologyproductprettywell,butpeoplearepartofthat
systemtoo,andoncetheygetinvolved,allbetsareoff.Youcanmanageagainstthecomplexity,butyouwillalwaysinevitablybesurprisedbyemergentbehavior.Insteadofhopingthingsworkthewaytheypredicted,HRSPsspendagreatdealoftimeandeffortthinkingaboutthewaystheywon’t.
Improving complexity value behaviors can, paradoxically, be liberating. When you accept that you are not in complete control, you can stop putting so much effort into convincing others that you are. It opens up avenues for collaboration and cooperation that are fruitful and even pleasant, breaking down barriers between the silos of the organization and inviting people to work together to master their complex, surprising environments. People are problem solvers by nature, and people-centric security devotes itself to solving not only the problems that come from specific threats or vulnerabilities, but also the problems that come from the lack of interaction and sharing of information that keeps people locked into risk-inducing behaviors in the first place. Complexity is the most direct link between the Security FORCE Behavioral Model and the Competing Security Cultures Framework, addressing the relationships between human beings that cause complexity to become organized to begin with.
Embed Complexity Value into the Security Program
Giving up illusions of control and breaking down barriers between groups will challenge any security program. Specialization plus politics equals turf, and taking and holding territory is another thing that people have become good at over the life of our species. Many of us will not give up those instincts easily, whether they concern our homes, our job titles, or our ideas. But so many of our security problems today emerge from exactly these behaviors that it is nearly impossible to find a more appropriate candidate for organizational change. To thrive, maybe even to survive as a field, information security will have to grow more in the next decade than it has in its entire history. It is already starting to do so, but the changes that have to happen are nothing short of incredible. Five years ago, when I talked to publishers and security practitioners about wanting to write a book on culture and the sociological aspects of security, I got weird looks and suggestions that maybe I should get a job in academia. Today when I mention these topics I can even manage to get some hard-core engineers and practitioners to nod their heads in agreement.
Security has hit an inflection point where we realize just how little we know about why our systems work or don't work. In the scramble to come to grips with that knowledge, we are all taking a crash course in the security value of complexity. Some security programs will harness it better than others, put it to more productive use. And some of those programs will do it so well that they find themselves morphing into HRSPs.
Think Bigger
Thinking bigger means thinking about bigger goals, bigger challenges, and bigger stakes. Information security is one set of organized complexities living within a larger complex system. The boundaries between the subsystems—between security and other business groups, or between technology and people—are both real and imaginary. Security teams can tap into the value of complexity by practicing something they do well in a lot of other contexts: deliberately ignoring things. We make assumptions in our models and our frameworks, foregrounding or deemphasizing things as necessary. Information security can do the same thing at a program level. We can try ignoring organizational boundaries and divisions in favor of assuming that the entire enterprise functions as a single organism. How would or should that change the purpose and behavior of the security program? Or perhaps we could assume that the contributions and objectives of other organizational stakeholders are equal to our own, ignoring our own feelings that security must be given priority. How would that change our behavior? Would it encourage us to be more inclusive and complementary in our own activities?
We can build such new security behavioral models without forgetting, or even believing, the assumptions that we make. All we have to care about is giving ourselves a more sophisticated insight into how the entire system works, one that might even improve our analytical and predictive capabilities for managing and growing our own programs. At the same time, learning these behaviors can also make the entire organization better. Information discovery and sharing are central to HRSP activity, something that should be clear from the behaviors described for each of the Security FORCE values. No one in an organization can or should hold a monopoly on information, even those tasked with securing it.
Accept What We Already Know
An irony of the security value of complexity is that people already know they are not in control. The idea that the world is capricious and unpredictable, and human beings even more so, is embedded in human belief and culture. We can try to outwit or control nature, but most of us accept that we are small beings in a big universe. We need to embed that same resignation into our security programs.
Being resigned to the innate unpredictability of the world is not synonymous with despair. If anything, it can mean the opposite. I think that some of the sense of defeatism I mentioned early in the book, which I see permeating the information security field today, results from our repeated frustration and horror watching the control we thought we had be swept away like dust. If you have your best-laid plans and all your hard work invalidated in the most brutal way imaginable a few times, you can be forgiven for thinking the world's out to get you. But it's not. It's just that there are more things in heaven and earth than are currently dreamt of in our philosophy. When a thousand things can happen, but day in and day out you insist there are only three, you are bound to be regularly surprised and disappointed. It's about expanding our sense of what's possible.
Further Reading
Johnson, Neil. Simply Complexity: A Clear Guide to Complexity Theory. Oxford: Oneworld Publications, 2009.
Popper, Karl. The Logic of Scientific Discovery. New York: Basic Books, 1959.
Weaver, Warren. "Science and Complexity." American Scientist 36:536 (1948).
Whorf, Benjamin. "The Relation of Habitual Thought and Behavior to Language." Available at http://languageandhistory-rz.wikidot.com.
CHAPTER 15
The Security Value of Expertise
Over the years that I managed penetration testing engagements, I ran into a curious phenomenon regarding expertise. Expertise should be something respected for its own sake. If you know your stuff, that knowledge should invite respect from others. At least that's how it's supposed to work. One of the reasons consultants and specialists (such as penetration testers) are hired and paid premium rates is the assumption that they know more than the organizations that hire them about their particular areas of expertise. That's why my team of security engineers was routinely hired to test customers' information security infrastructure for vulnerabilities. Our team would engage a customer, the engineers would run their reconnaissance and primary scans, perform secondary exploitation, own whatever systems they could, and then report flaws and findings. The expectation was that we would uncover things our client didn't know were there, because we were the experts. But over and over, as we would begin to report the vulnerabilities we had identified to the technical groups in charge of the information security infrastructure, they would be unsurprised. Sometimes my team would find things that these groups had told us we would find before we even started the first probes. And often they would be positively happy that the engineers had managed to break into and own a critical system. "We knew all about this," would be the general explanation for why something so bad made them feel so good. "But no one listens to us. We had to pay big money to outside experts to prove it. Now that you guys found the same problem, management will have to listen to us."
Expertise is not just about knowing something well. It's also about proximity. Being close to something can make you uniquely qualified to judge it. But being local is a double-edged sword. Organizations exist and succeed by managing a delicate balance between the local and the global, between strategy and tactics. The further up the hierarchy one gets, the more important becomes big-picture, generalized expertise. You have to know a little bit about an awful lot to manage a complex, distributed organization. But as broad expertise increases, narrow expertise tends to be lost. A CISO who started out as a brilliant security engineer back in the day probably finds she no longer has the time to focus on the details she once knew inside and out. Now she has a different set of knowledge and skills, more focused on managing people and politics than individual systems (that level of management is pushed downward to subordinates). Organizational charts are really just the technical blueprints for organizational delegation, maps of decision flows within an enterprise.
Problems with enterprise effectiveness begin when hierarchies and organizational charts stop mapping dynamic flows of information and authority, and instead begin to show only the locations and boundaries of power centers. The corrupting influence of power is a people-centric problem across all organizations. Ego and greed may supplant duty and responsibility. When people care more about their personal status and position than they do about the success of the organization, instability can result. In the case of information security, this creates uncertainty and risk, especially when something goes wrong.
Security FORCE is about improving organizational effectiveness, particularly in the face of crisis, by bringing to the foreground the priorities and behaviors that enable more highly reliable results. Expertise is too important to an organization's performance to squander its value or limit its availability when it is most needed.
What Is the Security Value of Expertise?
Power and authority are not inherently or inevitably bad things. They are requirements for just about any large-scale collective activity. If everyone is doing their own thing, under their own authority and subject to their own whims, then it's only by luck that something collective happens at all. The danger that power and authority pose to organizations is twofold: first, individual power may become more valued culturally than collective expertise and responsibility; and second, the authority to make decisions may become a privilege that is reserved only for those with power.
HRSPs take advantage of the security value of expertise by fighting the urge to value power over knowledge and skill. They recognize that power is relative and that authority is a commodity the organization has to put to good use. Power can be mismanaged and it can be wasted, just like money, electricity, or time. When optimized, authority flows through the organization to the places where it is needed, when it is needed. Expertise defines where and when those needs exist, and it means making authority more fluid so that decisions can be made by the people closest to the problem and with the best information regarding how to address it.
Filter Your Water, Not Your Information
Most people are trained from a very young age to respect authority. Parents, teachers and coaches, bosses, politicians, and professional experts of all stripes are all held up as people we should respect, listen to, and obey. We rebel against some of them, express disdain and skepticism for others, but most of us have authority figures in our lives to whom we defer. They may have direct power over us, like our employer, or they may have a different sort of power. I have not lived under my parents' authority for a long time, but that doesn't mean they cannot still exercise some part of their authority over me, even if it's only to make me feel a little guilty for not calling or visiting more often. And when they ask me for advice about something, even in situations where I'm strongly against what they may want to hear, I have a hard time just bluntly giving my opinion. Unlike my colleagues, or even some of my close friends, when it comes to Mom and Dad, I try not to hurt their feelings with my honesty.
The problem with sparing someone's feelings by not being completely honest is that it does not help them to make the best decisions. When filtering my opinion for my mother's sake, the consequences are usually small. She may buy a low-quality appliance against my advice because she wants to save some money. But in security programs and other organizations, filtering the information I give to the people who are senior to me can have more dire effects. I may be reluctant to share or disclose bad news or problems I believe exist. I may do this for many different reasons. Maybe I assume that, because they are upper management, they must be more competent or knowledgeable and already know what I know. Maybe I know that's not true and that there is real reason for concern, but I worry that pushing bad news up the chain of command could hurt my career or invite unwanted attention. Whatever the reason, and whoever's responsibility it is for those filters being imposed in the first place, information filtering is a dangerous practice for any organization. Being told that everything is fine, or even that it's not as bad as it really is, works only until an event or situation comes along that exposes the lie behind all the fake optimism. Then everyone is left to figure out how things went from utopia to the zombie apocalypse overnight.
Structural Authority vs. Structural Knowledge
HRSPs try to mitigate the risks that come when expertise and local knowledge are suppressed, either unintentionally or by design, by authority and power. They know that where someone sits in an organizational chart may have very little correlation with how much that person knows about a particular situation, especially something like an information security failure. Expecting that visibility into a security incident will correspond to how high someone sits in the management hierarchy only makes it likely that the organization will be flying relatively blind. Power and expertise tend to be two separate but interactive systems within any enterprise. Power, embodied in authority structures like job titles, organizational charts, and management chains, defines who can make decisions. Expertise, embodied in knowledge structures like individual and team experience, available skills and training, and the informal and situational information that only exists when people work closely to the systems themselves, defines what decisions need to be made.
Striking a balance between organizational authority and organizational knowledge often is difficult. People without power and organizational stature can end up feeling (and being treated) like they are invisible, even if they know more about what's really going on than anyone else. And the higher someone rises in the hierarchy, the more they may be tempted to feel superior instead of just senior. The problems that arise when one structure has more say than the other are not just theoretical. In Managing the Unexpected, Weick and Sutcliffe cite the official report on the problems at NASA that led to the accident that destroyed the Columbia space shuttle. One key cause of the tragedy was that NASA, over the years, had developed a chain-of-command structure that overrode all other sources of information, including the technical knowledge and experience of NASA's own engineers. As a result, problems were downplayed and ignored until they turned into catastrophe.
In an HRSP, the goal becomes one of never allowing the influence of one structure to outweigh or overcome the influence of another. What this usually means in practice is protecting expertise and knowledge from becoming subservient to authority and power. Experience and insight "from the trenches" should always be valued and respected, even when (and maybe especially when) it contradicts what senior leaders think or what they want to hear. This is accomplished by assigning expertise and knowledge its own brand of authority, the same kind of authority that we reserve for other specialists and professionals we call upon in life. If you visit a mechanic and he tells you that you need a new transmission, or if you see a doctor and she tells you that you need to go on medicine for some illness you have, you may not like the news. But you are unlikely to ignore them, even if you own the garage in which the mechanic works or are a board member of the doctor's hospital. Ignoring or downplaying security problems reported by your InfoSec team just because you have enough power to do so is, to use a technical term, dumb.
Optimally, decisions in an HRSP are routed to the points where authority and expertise intersect. They can move back and forth between the knowledge structure and the authority structure. In some cases, it is a matter of quick response, like when factory workers can shut down an assembly line if they see a problem. In others, it is a matter of who has the best visibility and insight. Senior members of an organization are not without their own specialized expertise, all jokes and pointy-haired cartoon characters aside. Some decisions may impact multiple sets of stakeholders and need to be made not by a technician but by a politician.
Bob and Clara Revisited: Migrating Authority
Early on in the book, I introduced Bob and Clara. Bob was the safety officer in my vendor conference who triggered an evacuation over burnt bacon. Clara was the software developer who got her project done on time but found out later the corners she cut on security resulted in a security vulnerability in her company's product. Both of these individuals represent experts who made decisions. And both are examples of how and why authority to make particular security decisions often needs to migrate to the person in the organization who has the best expertise to make that decision.
InBob’scase,authoritymovedtherightway.Itwentdownthechainofcommandtofindthebestpersontomakethecall.Thecompanyhadalreadythoughtaboutthesescenariosand,atleastinthecaseofphysicalsafety,practicedasystemofmarryinguppowerwithexpertise.Bobwastherecognizedexpert,sothedecisionwashisandeveryonedeferredtohim,eventheexecutivesrunningtheevent.ThefactthatBob’sevacuationorderprovedunnecessarywasbothfortunateandbesidethepoint.Imagineifoneofthecompany’sVPshaddecidedthatBobwasoverreactingandcountermandedhisdirectiveintheinterestoftime,onlytohavepeoplehurt
orevenkilledinarealfire.Thatscenarioismorelikewhathappenedafterthesensitivedocumentwasdiscoveredinthebreakoutroomduringtheconference,albeitwithoutsuchphysicallydireconsequences.Whetherbecauseofanabsenceofidentifiedexpertiseorsomeotherreason,thedecisiontochastisetheaudienceandmoveonratherthaninvestigateaseriouslapseinsecuritymigratedtotheseniorexecutiveintheroom,whodidnotapparentlyhavetheexpertisetorecognizetheseverityoftheproblem.
For Clara, authority moved the wrong way. It should have gone up the chain of command. Clara’s decision was not between finishing her security testing or finishing the project on time. That was only the immediate scenario. Instead, Clara had to decide between two specific enterprise risks. One risk was the impact on the firm of potentially delaying an important product release. The other risk was the future impact on the firm should a vulnerability be discovered in the product. Those risks cut across multiple stakeholders and parameters, including financial ramifications, legal liabilities, and impacts on the corporate brand, to name a few. Clara did not have the expertise to make that decision, although by default she had the authority. The expertise to deal with decisions regarding enterprise risk is just what you would hope to find in senior management, who have wider visibility and more insight into consequences at the corporate level. But the people best positioned to make that call were never informed, in part because Clara was afraid that in bringing the bad news to management she would be punished instead of rewarded. And so she was, along with everyone else, but only after it was too late to ask for help.
Waiting for the Big One
In organizations in some sectors, like commercial aviation, healthcare, and the military, process and procedure can approach almost religious status. Policies, procedures, and checklists can evolve to cover almost every conceivable scenario that the organization has dealt with or has been able to think of. Members and employees of these organizations can become so indoctrinated into standardized ways of doing things that those ways become unconscious ritual. In many cases this works, sometimes exceptionally well. Atul Gawande’s book The Checklist Manifesto demonstrates the positive side of checklist-driven activity, and Gawande makes a strong case for meticulously following standardized procedures. But what happens when something takes place that you have never experienced before and have never thought of? What happens when there is no checklist? The irony of all that useful standardization is that it can, in certain scenarios, make a bad situation much worse. When everyone is used to doing things exactly a certain way, not being able to do it that way can cause paralysis. The system may lock up, literally and figuratively. Information security struggles with this balance, between the unarguable value of defined processes and checklist procedures and the danger of turning those same checklists into a crutch that relieves people of the responsibility to think and adapt.
Bureaucracy is a fantastic stabilizer, like organizational concrete that can fix processes in place so that they last decades, even centuries. But concrete is rigid and not very adaptable once it hardens. That’s why we have wrecking balls. Bureaucracy can also be battered and crushed into dust. Some companies do just that after a serious security incident. The CISO is fired (or a CISO is hired, if there wasn’t one before). The existing organizational chart and technology infrastructures may get torn down and replaced. Perhaps the entire security program is moved into another part of the enterprise. But if at the conclusion of that process all that results is a new bureaucracy, a different structure with the same rigidity, what’s really changed? It’s like rebuilding after an earthquake. If you don’t change the fundamental principles and try to make buildings less susceptible to unforeseen shocks, you’re starting out on borrowed time.
HRSPs use expertise and authority to make their organizations less prone to shocks, like structural engineers use base isolators or reinforced concrete to make their buildings earthquake resistant. There is certainly structure in an HRSP. People have roles and superiors and subordinates. Policies and processes define activity. But when put under stress, the organization adapts by finding the right combination of knowledge and authority to respond. Unlike a building, where physics and mechanics determine which pieces shift and which absorb, in an organization the resistance is accomplished through processes and networks of people, along with all the knowledge and skill they possess. They allow the organization to temporarily shift and reconfigure itself, managing the stresses and forces it encounters without collapsing.
The Road to Damascus
Eric Schlosser’s book Command and Control, about nuclear accidents during the Cold War, is must reading for any security professional, particularly for people like me who are interested in how competing cultures create risk. But more immediately, Command and Control speaks to the security value of expertise. In describing the 1980 Damascus, Arkansas, incident, a deadly accident at a nuclear missile silo, Schlosser recounts story after story within the crisis where breakdowns in decision and authority flows added to the danger and uncertainty of the incident. All along the way, the very nature of the military’s rigid command system, controlled through meticulous attention to procedure and checklists and obsessively deferential to seniority and rank, built up organizational pressures that were as dangerous as the fuel vapors that caused the physical explosion.
Schlosser writes at great length about the dependence of the missile crews on checklists, which precisely defined every aspect of missile crew activity and maintenance. Addressing every (supposedly) imaginable detail of the care and servicing of the ICBMs the Air Force owned, checklists structured just about every aspect of life for the crews on duty. But when a socket from a socket wrench a maintenance crew member was using during a routine procedure fell into the silo and punctured one of the missile’s fuel tanks, the Air Force soon found out it faced a situation for which it had no checklist. Without a checklist, the missile crew and their superiors literally did not know what to do and had to go about building a brand-new checklist to deal with a crisis they were already in the middle of. As authority migrated upward, commanding officers refused to take any action until the checklist was in place and procedures established once again. Reality for them was the process. The brown haze of fuel vapor building up in the silo only existed locally.
At the bottom of the chain of command, some local experts chafed under the restrictions placed upon them as they watched the danger building in the silo by the minute. In some cases the airmen and technicians obeyed the orders they were given, some doing so even as they questioned the decisions of their superior officers. At other times they rebelled against the orders they were receiving from people who were far away and more concerned with issues of public relations and politics, instead favoring local expertise that might save their friends’ and colleagues’ lives. In the end, no one escaped unscathed. One crew member died and many were injured, an outcome that would likely have been less catastrophic if authority had been delegated to the local level. Some crew members were punished because they took it upon themselves to exercise local authority anyway by disregarding orders they thought made no sense. The entire incident served as a demonstration that you simply cannot plan for everything, and that when facing a completely novel scenario, one where no script or checklist exists, reconfiguring organizational expertise and authority to meet the new challenge can mean the difference between life and death. It’s a lesson as valuable for HRSPs as it is for nuclear missile crews, to be sure.
Expertise Key Value Behaviors
The secret of organizational expertise is that everyone possesses it. Expertise is not limited by rank in the hierarchy or salary or political status. It’s not even limited to a single person at a time. Expertise is an organizational capability, a byproduct of human capital. By definition, everyone in an organization is an expert in something, possesses some specialized knowledge about his or her job functions that no one else possesses (except perhaps others who hold the same position). This even applies to people who don’t do much work at all; it often takes a great deal of skill to avoid doing anything. HRSPs utilize the security value of expertise to make their organizations more supple and nimble, especially when facing an incident or a crisis event that they have not encountered previously.
HRSPs want to function in a stable and predictable way just like any other organization, but during a security incident they also want to be able to reconfigure themselves, or at least their information and authority flows. Instead of slowly and inefficiently forcing information up the chain and decisions back down, expertise and authority are combined wherever they are most needed. It’s a process that cannot be accomplished if it is not embedded in culture, in mutual respect and trust that overcome natural desires for control and power, which is probably why it is one of the hardest sets of behaviors for an HRSP to maintain over time. The behaviors that characterize the security value of expertise include
Ask the experts
Suppress the egos
Allow authority to migrate
Share credibility
Reward calls to action and cries for help
Ask the Experts
Strange as it may seem, given the large amount of media coverage of information security breaches and given the high level of importance being placed on information security by many sectors of society, I regularly encounter situations where the people in an organization who know the most about security are not the ones who get asked for input about it. This often happens not because of any deliberate policy, but as a result of the basic disconnect I described earlier with regard to hiring external pentesters. Companies know they have security experts, hired and trained to perform that role. But when the communication of expert knowledge has to be channeled up through successive layers of management, the temptation by those layers to shape and control the message can be overwhelming. I’ve met very few board members or senior executives who do not want to be told if there is a serious problem in the organization, yet I’ve also met more than a few front-line and middle managers who actively avoid having to tell higher-ups when such a serious problem exists.
There are also cases where experts aren’t asked for input because their expertise is, or seems to be, so operational or specialized that most people can’t or don’t understand it. It’s human nature to downplay the importance of things that we do not fully comprehend, as well as to pretend we know more about them than we do when we make our decisions. It cuts both ways. I’ve talked to security engineers and administrators who are convinced that senior managers are “clueless suits” who have no business running a company because they don’t know the “obvious” answers to information security issues. If the security engineer or administrator can see the problem so clearly, how can the executive not? From the executive’s standpoint, the engineer or administrator may come across as a parochial specialist, convinced that information security is the most important thing in the company, when in fact it is just one more variable in a complex business equation.
In an HRSP, expertise is valued for its own sake and forms the organization’s cognitive capability to deal with the failure, operations, resilience and, especially, complexity that must be managed to create effective security. HRSPs are always trying to find new sources of expertise and find out what they know. At higher levels in the bureaucracy that means understanding different stakeholder positions and requirements so as to better adapt security to the business. At the lower levels it means identifying who can tell you the most about whatever it is you may need to know, regardless of that person’s rank or political clout. Whether the person is the patch analyst who understands all the things that can go wrong updating even vulnerable software, the security guard who knows which entrances are most susceptible to tailgating, or the administrative assistant who is not even part of the InfoSec program but knows the passwords of half the executive staff because they keep giving them to her against company policy when they are too busy to do something themselves, all these people possess privileged knowledge that is independent of their level of privilege.
Suppress the Egos
Naturally, some organizations are more egalitarian than others. In the best cases, the idea of pulling together as a team is not just a cliché. That doesn’t necessarily mean there is no rank or organizational hierarchy, although companies have experimented with going down that path too. Fostering a more communal workplace environment is in vogue these days, which includes approaches such as adopting open floor plans, abandoning performance reviews, and launching internal campaigns to create a sense of community and even family inside the organization. Sometimes these approaches are less than sincere, and they don’t always work even when they are sincere, but their growing popularity reflects a sense that promoting trust and a sense of shared purpose adds enterprise value.
Equality doesn’t mean that everyone gets paid the same salary, has the same job title, or does not have to take orders from anyone else. Rather, equality means that no one in the organization is considered any more vital than anyone else. A customer told me a great anecdote that illustrates this perfectly, about a meeting in which the customer’s CEO discussed a new compensation plan. Under the new plan, the number of employees receiving bonuses was going to be expanded greatly. One employee expressed some concern that the company was rewarding people who had nothing to do with the core business and didn’t deserve the same bonus as the people in more mission-critical roles. The CEO responded by holding up his hand to show the watch on his wrist, then asked the employee to point out which parts of the watch were not “mission critical” and could therefore be thrown out.
Getting rid of egotism in business is like getting rid of security vulnerabilities in commercial software: an admirable but not very realistic goal. HRSPs do not attempt to suppress ego altogether or to discourage a sense of pride in individual accomplishments, but they do understand that egotism can lead to arrogance and arrogance can make a security problem exponentially worse. No one in a modern organization is responsible for all the success, no matter how talented they are. HRSPs try to make another cliché reality, that security is everyone’s responsibility. Many organizations invoke this phrase when they want to emphasize that everyone has to follow security policies no matter what position they hold or where they work. HRSPs use the phrase as a mantra reflecting the security value of expertise. If you know more about your individual job than anyone else in the organization, then you know best about how security works in the context of that job. The security value of expertise means that you have a responsibility to share your knowledge with the rest of the enterprise and that other people have a responsibility to respect what you know and ask for your insight. It doesn’t matter if that person is your colleague in the cube next door or the chairman of the board.
Allow Authority to Migrate
There are a few prerequisites for the key behavior of allowing authority to migrate within the organization: knowing where expertise exists and asking for help from those who possess it, and suppressing the egotism that might make those requests more difficult. Once more, it’s important to differentiate between a completely open authority structure, where one’s expertise defines one’s power, and an adaptable structure, where the organization can deliberately loosen the controls and free up decision authority if necessary. HRSPs do not have to be any more democratic than any other security program. What they do better is to recognize that there are some scenarios, usually security events that turn the normal order of things on its head, where a rigid command-and-control hierarchy is not the best approach and is more likely to exacerbate the situation. In these cases, the organization restructures temporarily to meet the new challenges. Authority goes to where it’s going to be of most immediate use, and expertise defines where that is.
Allowing authority to migrate means that, under certain circumstances, actual decision authority will be delegated elsewhere within the organization, usually downward to the individuals and teams closest to the affected systems. For information security, this might mean placing a lot more power in the hands of the CISO to proactively respond to an incident. More likely still, it means allowing front-line managers and engineering teams to make executive decisions about what needs to be done in a crisis. Under these challenging circumstances, senior leaders will stay in constant contact, offering their support and any advice they can provide, but they will stay out of the way while the people closest to the work make the decisions. For many organizations, just the suggestion of this arrangement is enough to make people uncomfortable, but time and time again, from NASA to nuclear missile teams to commercial enterprises, when senior leaders insist on micromanaging fluid and immediate crisis scenarios, the results are rarely good. Time simply does not afford the luxury of sending information about what’s going on up and down the chain of command. Often, by the time one piece of information reaches a point where someone can make a decision, the situation has changed again and that decision no longer makes sense.
The key to marrying authority with expertise in the enterprise is to identify the subject matter experts you may need before the crisis occurs, so that looking for the right people to take the helm is not a matter of blind guessing or luck of the draw in the midst of extreme circumstance. And senior leaders don’t just hand over the reins and say “call me when you’re done.” They stay on top of the situation and monitor it, putting themselves at the ready for when circumstances require authority to migrate back to them. During a security incident, you probably don’t want the CEO deciding whether or not a particular server needs to be taken offline any more than you want the server’s administrator to make the call about whether or not to alert the press.
Share Credibility
Authority and credibility are tightly coupled. Those without the latter tend to lose the former. HRSPs do their best to ensure that expertise is recognized and respected throughout the organization, that it brings with it the credibility necessary to make people accept that a designated person can be safely given authority during an incident or event. Ensuring that expertise is recognized and respected is accomplished in part by putting effort and resources into building human capital, as I have discussed previously. People’s training, skills, and experience have to be officially recognized and supported for this to function. In a crisis, people at all levels of the organization have to trust that their fellow members not only are willing to help, but possess the ability to help. If one group thinks another group is incompetent, the likelihood is low that the first group is going to follow the latter group’s lead when disaster looms. In my recounting of the Mann Gulch fire in Chapter 13, I described how several of the smokejumpers balked at the foreman’s order to start another fire, lie down, and let it pass over them. Because the team had not worked together extensively, the foreman lacked credibility despite his extensive experience, and failing to defer to his superior expertise cost several men their lives.
There is no simple process for sharing credibility inside an organization. It is a cultural trait, defined first by the belief that expertise means something important to the enterprise, and then by everyone demonstrating a healthy level of respect and deference to those who possess expertise. Since everyone possesses some level of specialized expertise, this means that deference has to become something of a universal attribute. It must be constantly nurtured and reinforced through action and example. This can be more easily accomplished in smaller companies, or even family-owned firms where the sense of personal stake is more a feature of everyday life than it is in public companies. But every organization that wishes to be highly reliable needs a level of deference to expertise. If it can’t be achieved through emotional appeals, it needs to be done structurally, embedded into meetings, performance reviews, and training programs. When everything goes to hell, the last thing the organization can afford is for people to be questioning whether or not the people who are best positioned to do the job are the best people for the job.
Reward Calls to Action and Cries for Help
Part of the security value of expertise for individuals and organizations alike comes from knowing what expertise you have and what knowledge you’re lacking, and then reacting appropriately in the moment. HRSPs go out of their way to reward not only teams and people who take action based on their expertise, but also people who realize that authority needs to migrate and thus ask others for help. Like the other key behaviors, knowing when to act and when to defer to others requires both a solid awareness of where knowledge and expertise exist within the organization and the ability to decide which situations call for what kind of authority. Trust and credibility are crucial here, because not every decision in the midst of a fluid situation is going to be the best one. The real question is not whether a decision was right or not, but whether the right person made it. Anyone can screw up, even an expert, but migrating authority to the proper expert to make a decision is going to increase the organization’s odds of choosing the best path forward. There is no greater test of character for an HRSP than to reward someone for making the wrong decision at the right time.
We tend to reserve our admiration and respect for people who take charge in a crisis, showing their strength and mettle when others around them are panicking. But the bold play isn’t always the smart one. Egotism and arrogance can turn heroism into foolhardiness as easily as fear and lack of confidence can paralyze. Both are irrational responses, and neither gets great results. HRSPs expect the organization to remain levelheaded. Sometimes that means to charge ahead, but it can just as easily mean to fall back and request reinforcements. HRSPs reserve their praise and reward for the times when expertise and authority are properly aligned and brought to bear on a problem or a failure. The measures of success are much less about individual personalities and more about what was likely to bring about the best outcome for the entire system. As anyone who has ever had to admit that they are in over their head understands, expressing your weakness and limitations and asking someone else for help often takes a lot more courage than forging ahead on your own. Senior leaders can be especially prone to taking the latter course, often because they fear damaging the formidable reputations that they have built over many years. But what makes HRSPs work differently from other security teams is exactly their ability to put the security and stability of the enterprise ahead of any individual insecurities or personal concerns.
“We’re Changing the World”
One of my favorite books in policy studies is James Scott’s Seeing Like a State. Scott, a Yale political scientist and anthropologist, sets out to describe why so many of the large-scale attempts at social engineering in the 20th century failed, often terribly. Enormous collective projects, sometimes by authoritarian regimes with near total control of their citizens, have attempted to transform entire nations in relatively short time spans. From the Soviet Union to China, and from Tanzania to Brazil, countries have tried to collectivize, to industrialize, and to create entire cities and societies from nothing.
When these projects didn’t work, the results ranged from the merely epic failure to complete horror, including famine, displacement, and suffering on a massive scale. Some nations were set back a generation as a result of the hubris and determination of their leaders to create or re-create a national utopia. Even when the results were less disastrous and the outcome limited to failed civil and engineering projects that never quite seemed to take, the costs remained huge. For Scott, the cause of these failed nation-building projects was fairly simple. States, whether embodied by a dictator or a government, become victims of their own grand vision when they lose the connection between that vision and the everyday knowledge and practice of the masses of people who actually comprise the state. Scott called this ignored and marginalized practical knowledge metis, and it represented the common, everyday skills and experiences of individuals. In the context of HRSPs, expertise is quite similar to metis, and organizations neglect it at their peril.
Thankfully, many of the massive collectivist schemes of the last century appear to be products of their place and time. But that doesn’t mean we’ve solved the problem. The 21st century has seen its share of large social engineering errors, at the level of both countries and organizations, some of which echo the clashes between theory and practice described in Seeing Like a State. In the worst cases, the result is war, regional instability, and global financial crises. But things don’t have to get that bad to see Scott’s causes and general effects on a smaller scale in reorganizations, acquisitions, and failed enterprise implementations that somehow always seem to work better on paper than they do in real life. Often, the reason these projects crash and burn is the same disconnection between authority and knowledge, between high-level and local experience, that I have discussed in this chapter. The edifices that are built are not flexible and adaptable enough to withstand the tremors and shocks they must endure, a fate that HRSPs try to avoid by harnessing the security value of expertise.
Assessing Your Expertise Value Behaviors
Use the Security FORCE Survey and Security FORCE Metrics to determine how well your organization adheres to the key expertise value behaviors and to provide empirical evidence of those behaviors.
Scoring the Expertise Value Behavior Survey
The Security FORCE Survey includes statements related to the security value of expertise. The five statements under Security Value of Expertise are listed in the sample of the FORCE Survey shown in Figure 15-1. As with previous chapters, scoring assumes Likert responses normalized on a 1 to 5 scale:
An average score of 4 or above (most responses indicate Agree or Strongly Agree) signifies the organization exhibits behaviors found in an HRSP.
An average score of 3 (most responses indicate the respondent felt Neutral) signifies the organization may or may not behave like an HRSP.
An average score of 2 or below (most responses indicate Disagree or Strongly Disagree) signifies the organization does not exhibit the behaviors found in an HRSP.
Figure 15-1 FORCE Value Survey Statements for Expertise Value Behaviors
For expertise value behaviors, an average score of 4 or greater indicates that the organization behaves in ways that will allow authority to migrate and join up with the expertise needed to make effective decisions under stress. A score of 2 or below indicates that the organization does not behave like an HRSP and is more likely to experience problems of bureaucratic rigidity or lack of adaptability that keep the expertise necessary to understand a problem separated from the authority necessary to act on it.
FORCE Value Metrics for Expertise
The FORCE Value Metrics for expertise, providing additional measures of HRSP behavioral alignment, can be found in Figure 15-2.
Figure 15-2 FORCE Value Metrics for expertise value behaviors
Using the FORCE Expertise Value Metrics
The five FORCE Metrics associated with the value of expertise describe an organization’s success at ensuring that expert knowledge is identified, effectively managed, and coupled with the power to act locally where decision making is required in a given situation. They track the location of expertise and migration paths of authority and, where these things do not exist, offer insight into how to increase the value of expertise for the InfoSec program. As with all the FORCE Metrics, these measurements and indicators are suggestions and non-exhaustive, and should be used, adapted, or supplemented as appropriate.
Number of formal knowledge or skill repositories in place
An organization cannot hope to migrate authority to the right decision makers if it does not know where expertise, knowledge, or specialized skills currently exist. Knowledge and skill repositories are often the domain of enterprise knowledge management professionals, and these groups are a great place to begin if the information security program is starting fresh. At their most simple, these repositories are simply lists and databases of the knowledge and skills currently existing within an organization. Sources can include training and education records, job descriptions, or crowd-sourced and self-selected repositories (a previous employer of mine, for example, allowed everyone in the corporate directory to add their skills and knowledge to their directory profiles, then made this information searchable as part of the directory).
Number of people with security responsibilities written into their job descriptions
Nothing says “I’m responsible for this…” like explicitly writing it into a job description. For the information security team, these inclusions are likely taken for granted. In fact, if the InfoSec program doesn’t score 100% on this metric, then that may be the first place to start. But the organization should not stop there. Anyone responsible for technology management certainly should have something about security built into their job requirements. As enterprise security culture matures, security responsibilities should become more widespread and more specific across all job descriptions, replacing the current practice of making people responsible for undergoing security training periodically, which is not the same thing. The point is to achieve more than just accountability. If a company makes an employee responsible for some aspect of information security as a job requirement, it takes on responsibility of its own to make sure the employee is trained to do that job. The more specific and comprehensive these responsibilities get, the more they can feed into a functional repository of expertise the firm can leverage.
Number of identified “quick response” scenarios with expedited decision making
This measurement collects data regarding how many “decision fast lanes” exist within the organization. A quick response scenario is one that has already been identified and analyzed such that, should it occur, authority immediately migrates to a predetermined locus of expertise, be that a group, a functional role, or an individual. Think of these scenarios as parallel structures to the incident or disaster scenarios that the organization creates in anticipation of security events. In fact, a quick response scenario can be as basic as an addendum to an existing incident or disaster scenario that specifies how authority migrates during that incident. A useful application of this metric is to determine how much coordination an organization will have to do should a security incident occur. If a fast lane has not been established beforehand, the organization can assume that information will have to travel from the point of origin or discovery of the incident through the entire chain of authority and back before action can be taken, even if local experts already know the best response.
Number of decision owners for security formally assigned in the past year
A corollary indicator with ties to both the assignment of security responsibilities and the assignment of ownership for assets and risk, decision owners are defined as the people in an organization with the authority to take action in response to a security event. Decision owners may be local, for instance, a system administrator with the authority to immediately restrict access of an unrecognized user account on his machine. Or they may be more removed from the immediate incident but local to other concerns, like the firm’s general counsel, who is responsible for deciding when the organization notifies the authorities or the public about the security breach that the unknown user account represents. The purpose of this metric is to capture and make available where these decision points exist. If no decision owners are assigned, this again is a strong indicator that the organization will need to take precious time to determine or create these information and authority flows in the midst of a crisis.
Number of cross-functional security-related activities or projects in the past year (initiated internally by the information security program or externally by other stakeholders)
This measure assesses the sharing and coordination of expertise both within the InfoSec program and between InfoSec and other groups and functions of the organization or beyond (partners, vendors, regulators, etc.). Cross-functional activities are those developed with the intent of fostering the exploration and sharing of expertise between different units. They may be training sessions or knowledge sharing workshops, but the emphasis should be on two or more different groups coming together to share knowledge, not one group disseminating content or teaching another. These latter activities, while useful, do not foster the two-way exchange of information that facilitates the value of expertise. Cross-functional insights are attained when all the groups present have a chance to challenge and collaborate with each other as equal partners. But these activities do not have to be overly formal or burdensome. Any opportunity for groups to observe how others manage and do information security, especially when they do different things or do things differently from one another, is a useful exercise.
Improving Your Expertise Value Behaviors
All of the Security FORCE values have psychological components, requirements that an organization’s members change the way they think about its values in order to achieve more highly reliable security. But embracing the security value of expertise can be difficult to encourage behaviorally, as it challenges the way we look at ourselves and compare our own sense of value with that of others. As a FORCE value, leveraging the security value of expertise means facing up to the idea that some people are smarter and more capable than you are, and that they may be better positioned for success in certain situations. It also means accepting that in other situations, the smartest, most-capable person in the room may be you, which can be an equally scary prospect.
When emotion is taken out of the equation, though, the logic becomes very simple. Response during a crisis of any kind, including security incidents, requires a combination of knowledge about circumstances and the power to take action on information about the problem. Inefficiencies that result from having to negotiate between the people who have the knowledge and the people who have the power degrade the response capability of the system as a whole; therefore, negotiations of this type are unambiguously bad if they slow the response, reduce its effectiveness, or make things worse. It is a uniquely human problem, found only in complex social systems where ego and personal agendas have to be factored into the mix. It’s not a problem we find in technology systems, where software and hardware components know their place and function unimpeded by ego or politics. Organizational programming such as culture is more complicated, so our solutions have to be more sophisticated too.
Embed Expertise Value into the Security Program
Building better conduits between expertise and authority flows requires a combination of process, culture, and a desire by members of an organization to overcome barriers to their own success. As we have seen, actions and decisions happen more efficiently when they have become habit. So HRSPs try to create habits of behavior that make sharing expertise, credibility, and authority easier. But they also focus on promoting the cultural values that enable those habits to become ingrained. This combination can be difficult to get right, but when that is achieved, the result can be stunning: an organization that has a clear command-and-control structure under normal conditions but is able to reconfigure itself quickly in a crisis, like some sort of advanced material, adapting to stress, shifting strength and reaction to where it is most needed, then returning to its original form once the crisis has passed.
Make Everyone a Sensor
I have a number of humble sensors in my home. My smoke alarms are inexpensive commodity appliances designed to be nearly invisible. Timers and alarms of all sorts are scattered throughout my house. Even the natural gas I use to cook with is embedded with tiny molecules of chemical, probably methyl mercaptan, that gives the otherwise odorless gas its familiar sulfur smell that alerts me of a leak (although technically, in this case, my nose becomes the sensor). I am far more powerful and evolved than any of these devices. But when they trigger, they instantly demand my full attention. Under certain circumstances, I depend upon them for their expertise.
HRSPstakethatideaandrunwithit.LanceSpitznerlikestotalkabout“humansensors”withintheorganization,andIthinkit’sagreatanalogy,onethathasbeenexploredthroughouttheHROresearchliteratureaswell.Peoplearethemostsophisticatedsensorsthatanyorganizationwilleverhopetofield,capableoffarmorethantherelativelydumbstimulus-triggerlogicofevensophisticatedtechnologicalsensors.Anorganizationthatcaresaboutthesecurityvalueofexpertisewillneverignoreanypotentialsourceofusefuldata.Itwon’tcarewherethatsourcesitsinthepeckingorder,solongasit’sclosetotheactioninanygivensituation.ThechallengeanHRSPcaresaboutishowtoqueryallthesesensorseffectively,howtofindtheexpertise,toaskthoseexpertswhat’shappening,andmaybeevengivethemauthoritytotakeaction.
Create Decision Fast Lanes

Information needs to travel. We even talk about information pipes, conduits, and highways. When those become congested or roadblocks are erected, to extend the metaphor, communication breaks down. Decisions are just a specialized form of information. Knowing that they may face scenarios where the distance between knowledge and authority needs to collapse quickly, HRSPs try to create shortcuts ahead of time, like evacuation routes or HOV lanes in the physical world. As a result of other Security FORCE behaviors, the organization will already have considered many failure scenarios, and part of those considerations will be plans and capabilities for quickly marrying up expertise with power. By predefining contingencies in which authority will migrate, the organization gets an immediate jump on things. As I mentioned earlier, this is not about senior management removing themselves from the equation. During a security incident or any other crisis, organizational leaders in an HRSP will remain intimately involved, but in a supporting role until such time as a decision must be made that requires their own personal expertise.

A lot of the discussion about authority migration involves top-down movement, because power tends to be concentrated at the higher levels of the organizational chart. But authority may need to flow upward as well, especially in cases where lower-level decision makers may not have all the big-picture data needed to make decisions that have larger or more political ramifications. In these cases, decision fast lanes will have to overcome different obstacles. Instead of convincing managers to give up power temporarily to those further down the hierarchy, upward authority migration often has to overcome the filtering of information and suppression of bad news that prevents senior leaders from understanding the risks they may be facing.
Value Expertise from the Top Down

The security value of expertise often highlights what goes on at the lower ends of the organizational chart, but the truth is that harnessing that value starts with enterprise senior leaders. One of the best things a leader can do is to accept their own relative powerlessness over, and ignorance about, much of what goes on in their environment. Setting a humble example for others, particularly subordinates, can be tough. Many of our traditional ways of thinking about business put individualism on a pedestal. But like the home of Percy Shelley’s king, Ozymandias, the desert is littered with broken pedestals and the remnants of once invincible empires. The myth of the indispensable CEO has been pretty thoroughly busted. Even the best executive leaders accomplish what they do only because they do so in partnership with others. Yet that myth remains resilient and enduring in industry culture, often perpetuated by those who tend to benefit from it.

Earlier in the chapter I referenced Schlosser’s Command and Control, with its descriptions of dysfunctional Air Force power dynamics that contributed to a bad accident almost literally going nuclear. Let me end the chapter by pointing out that the military is also one of the best examples of an organization that lives and sometimes dies by the value of expertise. The Damascus accident notwithstanding, the U.S. military orchestrates some of the most efficient marriages of knowledge and authority imaginable, and any good general knows that sometimes you have to depend on the fact that the squad on the ground is the only one that can make the call, and then let them make it.

Further Reading

Gawande, Atul. The Checklist Manifesto: How to Get Things Right. New York: Metropolitan Books, 2009.
Schlosser, Eric. Command and Control: Nuclear Weapons, the Damascus Incident, and the Illusion of Safety. New York: The Penguin Press, 2013.
Scott, James C. Seeing Like a State: How Certain Schemes to Improve the Human Condition Have Failed. New Haven, CT: Yale University Press, 1998.
CHAPTER 16

Behavior and Culture: Mastering People-Centric Security

In Chapter 8 I discussed how to implement a security culture diagnostic project, including how to get support for the project, how to execute the project, and how to interpret and use the results collected from the Security Culture Diagnostic Survey (SCDS) instrument. Chapter 9 made the point that diagnosing and measuring security culture is not the same thing as improving and transforming it. Now that I have presented both the Competing Security Cultures Framework (CSCF) and the Security FORCE Behavioral Model in depth, we can consider how these two complementary frameworks can be combined to create comprehensive people-centric security transformation.

What Does Security Culture Transformation Mean?

I have discussed security culture transformation in several contexts and at several levels during the course of the book. Transforming security culture can refer to a number of outcomes, including changing existing security culture types to different ones (for example, from a Process Culture to an Autonomy Culture); encouraging or discouraging specific cultural traits and behaviors within a security culture type (for example, focusing on how risk is managed or how failure is handled); or growing and developing a behavior-based security culture around a desired model (for example, Security FORCE and highly reliable security programs). These results are all forms of security culture transformation. But they don’t capture the more structural process of transformation. When attempting to get stakeholder buy-in for people-centric security, it is helpful to also have a supporting story to explain what transformation means in terms of the hows and whys of the process.
Describing Transformation in Terms of Cultural Capabilities Maturity

A useful way of telling a story about the process of transforming organizational culture in general, and security culture specifically, is to discuss transformation in the context of a capabilities maturity model. Maturity modeling first developed at the Software Engineering Institute of Carnegie Mellon University in the 1980s as a way of evaluating and managing software engineering capabilities. Since then capability maturity modeling has expanded beyond its roots, and maturity models have been built and deployed as more general business process improvement tools across a range of industries and functions, including traditional software development, other information technology functions, and even human capital and resources. As such, maturity models will likely be familiar to many stakeholders involved in people-centric security transformation, even if they are not directly associated with the InfoSec program.

Capability maturity models focus on the visibility and measurability of a “capability,” such as a business process or function, and whether the insights gained from observing and measuring the capability are effectively used to improve it over time. At the lowest level of maturity, the organization performs the capability in a way that is poorly understood, informal, and hard to repeat systematically. At the highest level, the organization has mastered the capability to the point where it not only knows how to perform it in a way that is well understood, formalized, and easy to repeat systematically, but also actively improves and optimizes how it performs the capability based on regularly collected measures and data. Scales and definitions vary with the type and creator of the maturity model, but the scale is usually a variation of a 0-to-5 scale or 1-to-5 scale.

People-centric security transformation involves both cultural change and behavioral change. But transformation only happens as the organization gets better at understanding itself and taking action on those insights. The CSCF and the Security FORCE Behavioral Model are tools that work within this structure of increasing maturity and awareness, both contributing to improved maturity and benefiting from that maturity as it grows. Communicating this process helps people understand how the organization’s security culture is changing and the benefits that the organization will get from transformation.
The Cultural Capabilities Maturity Model: Formalizing Cultural Maturity

I have developed my own maturity model, the Cultural Capabilities Maturity Model (CCMM), to facilitate communication and to give InfoSec programs another tool by which to tell the story of people-centric security. Like the FOXTROT case study and model of the financial impact of culture on security incident losses in Chapter 8, the CCMM is meant to be one more way to demonstrate to stakeholders what the security culture transformation project is intended to accomplish. Note that the CCMM is not limited to only information security culture. It can be used to describe organizational culture much more broadly. But I will limit the discussion here to its utility in the context of a security culture transformation project. Figure 16-1 shows the CCMM.

Figure 16-1 The Cultural Capabilities Maturity Model

The CCMM, like other maturity models, divides cultural capabilities into five levels of proficiency. At the lowest level, culture is not understood well at all and people in the organization operate on a form of instinct, reactively, without much insight into why the organization works the way it does. Returning to the iceberg metaphor from Chapter 3, they are like people above the surface of the iceberg who have no idea what is beneath the waterline or why the iceberg moves in the direction it does. At this level of cultural maturity, risk and uncertainty are high. The organization cannot identify cultural deficiencies or competing priorities that may negatively impact performance. At the top level of the CCMM, the organization has mastered its own culture to the point where it not only understands why people behave as they do, but can shape and drive behavior as necessary, quickly and efficiently, to meet just about any challenge. They are like people who have mapped the entire iceberg above and below the surface, calculated its mass and density, and created mechanisms to tow and push it in different directions. Cultural risk at this level is low, as the organization has a full understanding of its culture–performance linkages and can easily adjust to challenges.

Table 16-1 describes the specific organizational proficiencies that exist at each level of the CCMM.

Table 16-1 Organizational Proficiencies Within CCMM Maturity Levels
Supporting Security Culture Transformation with Security FORCE Projects

Just as the SCDS is a means of identifying and evaluating competing security cultures within the CSCF, I’ve designed the Security FORCE Survey and Security FORCE Metrics to be diagnostic tools for use in evaluating how closely an organization’s behaviors align with those of a Highly Reliable Security Program (HRSP). I have touched on the survey and metrics in relation to each specific FORCE value in the preceding chapters. This chapter looks at how to pull everything together to create a simple scorecard that can be used to quickly show stakeholders and management the results of Security FORCE behavioral assessments.

The Value of a Security FORCE Project

Implementing and running a Security FORCE project has a lot in common with running a security culture diagnostic project, which I discussed in Chapter 8. The two are, ideally, closely related. In developing the CSCF and SCDS, I saw the need for a parallel model that could allow security programs to address people-centric security at the behavioral level, which can be more tactical and concrete than culture. The culture–behavior links within the high-reliability organization (HRO) research, discussed in Chapter 10, provided just what I needed to create my Security FORCE Model. Security FORCE projects can and should be used in conjunction with SCDS projects to address cultural transformation both from the top down and from the bottom up. I will discuss SCDS and FORCE alignments later in the chapter.

Managing a Security FORCE Project

Project management issues for a Security FORCE analysis parallel those I enumerated for SCDS projects in Chapter 8, but it never hurts to review. Understanding the similarities and differences between the projects will be especially valuable when the projects are conducted separately, to avoid redundant work, or stakeholders’ perception of redundant work, when activities are similar for both types of projects.
Costs and Schedules

Projects cost money and time, and implementing a Security FORCE project to complement your SCDS project will add to those costs. One way to overcome the challenge is to take advantage of scale and combine SCDS and FORCE work into a single project or program plan. Even if the projects will be undertaken separately, budgetary and operational planning over the course of quarterly or annual cycles can ensure resources are available for the complete set of projects in advance. This way the organization can take advantage of the fact that most activities for an SCDS project require the same tools and capabilities as a Security FORCE project (including survey-based data collection, interviews and project reviews, and linking both projects to people-centric security transformation efforts). If resources are tight, the modular nature of both SCDS projects and Security FORCE projects allows them to be conducted separately, perhaps annually or semiannually. The good news about people-centric security and transformation is that there is literally no rush. Cultures take time to change.

Leadership Support and Engagement

An old security industry friend of mine recently gave me some excellent advice, about this book no less. “A CISO isn’t going to listen to you just because you have a good idea,” he told me. “You have to tell him specifically how his program will directly benefit from your good idea.”

I’ve worked hard to live up to my friend’s guidance in these pages by showing the concrete ways that culture and behavior can impact security bottom lines. Even if you are reading this and finding yourself agreeing with me on every point, you would do well to keep his words in mind. Do not just expect your people-centric security program’s benefits to be self-evident, to speak for themselves. You will have to constantly reinforce those benefits, to recruit management buy-in through them, and to message them to every stakeholder group whose support you require.

I have especially tried to pack these chapters, including the “Further Reading” sections at the end of each, with more evidence for the approaches I propose. These frameworks and techniques have been widely and productively applied in industries other than information security. They are new only to information security, but there is nothing in information security that would keep them from working here too. One of the selling points for senior leadership engagement is simple innovation, the opportunity to put new ideas to work on the organizational and people side, just like a CISO looks to leverage innovation in technology. The innovation spin can even help sell the inevitable risks to any security project, including transformation projects. We’re not trying to keep up with the problem; we’re trying to get ahead of it. And getting ahead of tomorrow’s security failures is probably worth some rational experimentation with new techniques today, especially since, once again, they aren’t even that new. You’re just taking the tested work of others and bringing it home.
Stakeholder Engagement

Stakeholders for Security FORCE projects will tend to require the same care and feeding as SCDS project stakeholders. Users, other managers and business owners, and even external stakeholders such as customers or auditors may have an interest in or be able to add value to a project. Part of the outreach program to carry forward a people-centric security message includes not only recruiting participants effectively to gain support and excitement for the project, but also sharing information regarding findings and behavioral change strategies.

Security FORCE can sometimes be a bit of an easier sell to stakeholders due to its more tactical nature and focused attention on observable activity. Stakeholders can often determine whether it’s better to lead with Security FORCE or with SCDS and full cultural transformation. Either way, the journey ends in the same place.

Respondents and Data

All of the considerations and caveats of SCDS projects apply to Security FORCE projects. Before conducting the survey, the organization should determine in advance who will receive the survey (a sampling of respondents or blanket delivery to everyone in the organization?), how metadata and demographic information will be collected, and what the end goals of the project are. Tools for administering and analyzing the Security FORCE survey are the same as those for the SCDS. The survey can be delivered on paper, by PDF form, or online, whichever is desired and appropriate within the organization. As with the SCDS, respondents should be trained prior to taking the Security FORCE survey.

It is also worth reiterating my points on demographic data and privacy from Chapter 8. Collecting demographic data about respondents can provide a wealth of information to make the analysis of Security FORCE values and behaviors more sophisticated and rich. But collecting such data also brings questions of privacy and anonymity in both conducting the survey and storing response data. InfoSec programs should consider how they will ensure that respondents feel safe and comfortable in giving honest responses to the survey or in reporting Security FORCE Metrics to management. In some cases, personally identifiable information may be protected by policy, regulation, or law. If the organization decides to collect or track respondent data in any way, it is advisable to seek approval and advice from the Human Resources and Legal departments before doing so.
The Security FORCE Scorecard

Chapters 11 through 15 described each of the Security FORCE values, including key behaviors for each of the five FORCE values: failure, operations, resilience, complexity, and expertise. Each chapter included the specific Security FORCE Survey statements and Metrics associated with the value discussed in the chapter. Together, these individual statements and measures make up the complete Security FORCE Survey and Security FORCE Metrics. The survey and metrics are available as full-size, customizable, downloadable documents for use by security organizations online at http://lancehayden.net/culture, along with instructions for how to use them.

Scoring the FORCE Survey Questions, Revisited

The Security FORCE Survey includes statements related to each FORCE value, as described in the preceding chapters. Each Security FORCE value has five associated statements designed to measure, at a high level, the prevalence of key behaviors for that FORCE value and the alignment of behaviors with those found in HRSPs. When scoring the survey for each value, recall the following:

- An average score of 4 or above (most responses indicate Agree or Strongly Agree) signifies the organization exhibits behaviors found in an HRSP.
- An average score of 3 (most responses indicate the respondent felt Neutral) signifies the organization may or may not behave like an HRSP.
- An average score of 2 or below (most responses indicate Disagree or Strongly Disagree) signifies the organization does not exhibit the behaviors found in an HRSP.

Pooling Your FORCEs

After collecting Security FORCE data from the survey responses, organizations will want a quick, high-level way of presenting results. The Security FORCE Scorecard is a simple representation of Security FORCE Survey results that can be used to present findings and analysis to stakeholders and senior management. The Scorecard, illustrated in Figure 16-2 and also available at http://lancehayden.net/culture, provides several representations of the survey scores, including

- Average scores for the presence and strength of each Security FORCE value from 1 through 5
- A histogram showing all five Security FORCE value scores for side-by-side comparison
- A spider chart showing all five Security FORCE value scores for “shape” comparison

Figure 16-2 Blank Security FORCE Scorecard example
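The scoring rules and Scorecard summaries above, worked through as an added Python example (not the book’s survey instrument or the downloadable Scorecard from lancehayden.net/culture): it averages constructed five-statement responses for each FORCE value, applies the three readings from the scoring list, and renders the side-by-side comparison as a text bar chart. Averages that fall strictly between the book’s stated marks (between 2 and 3, or between 3 and 4) are reported as inconclusive; that is my assumption, since the book states no rule for them.

```python
"""Security FORCE Scorecard from survey responses (added example, constructed data)."""
from statistics import mean

# The five Security FORCE values, in the order the book lists them.
FORCE_VALUES = ("failure", "operations", "resilience", "complexity", "expertise")
STATEMENTS_PER_VALUE = 5  # each FORCE value has five survey statements

# Five-point agreement scale used by the survey.
LIKERT = {
    "Strongly Disagree": 1, "Disagree": 2, "Neutral": 3, "Agree": 4, "Strongly Agree": 5,
}


def score(answer):
    """Map one answer (an integer 1-5 or a Likert label) to its integer score."""
    if isinstance(answer, str):
        if answer not in LIKERT:
            raise ValueError(f"unknown Likert label: {answer!r}")
        return LIKERT[answer]
    if not isinstance(answer, int) or not 1 <= answer <= 5:
        raise ValueError(f"score out of range: {answer!r}")
    return answer


def value_average(respondents, value):
    """Average score for one FORCE value over every respondent and statement."""
    scores = []
    for r in respondents:
        answers = r[value]
        if len(answers) != STATEMENTS_PER_VALUE:
            raise ValueError(f"{value}: expected {STATEMENTS_PER_VALUE} answers, got {len(answers)}")
        scores.extend(score(a) for a in answers)
    return mean(scores)


def classify(avg):
    """Read an average the way the scoring list in Chapter 16 does."""
    if avg >= 4:
        return "exhibits HRSP behaviors"
    if avg <= 2:
        return "does not exhibit HRSP behaviors"
    if avg == 3:
        return "may or may not behave like an HRSP"
    # Assumption (not from the book): averages strictly between the stated
    # marks are reported as inconclusive rather than forced into a category.
    return "inconclusive (between thresholds)"


def scorecard(respondents):
    """Return {value: (average, reading)} for all five FORCE values."""
    card = {}
    for v in FORCE_VALUES:
        avg = value_average(respondents, v)
        card[v] = (avg, classify(avg))
    return card


def histogram(card, width=10):
    """Text version of the Scorecard's side-by-side bars; `width` chars equals a 5.0."""
    lines = []
    for v in FORCE_VALUES:
        avg, reading = card[v]
        bar = "#" * round(avg * width / 5)
        lines.append(f"{v:<11} {avg:4.2f} {bar:<{width}} {reading}")
    return "\n".join(lines)


# Constructed sample: four respondents, five statements per FORCE value each.
SAMPLE_RESPONSES = [
    {"failure": [2, 2, 1, 2, 3], "operations": [4, 5, 4, 4, 5], "resilience": [3, 3, 3, 3, 2],
     "complexity": [3, 4, 3, 3, 4], "expertise": [2, 3, 2, 2, 1]},
    {"failure": [2, 1, 2, 2, 2], "operations": [5, 4, 4, 4, 4], "resilience": [3, 2, 3, 4, 3],
     "complexity": [4, 3, 3, 4, 3], "expertise": [2, 2, 3, 2, 2]},
    {"failure": [1, 2, 2, 1, 2], "operations": [4, 4, 5, 5, 4], "resilience": [3, 3, 3, 3, 3],
     "complexity": [3, 3, 4, 3, 3], "expertise": [2, 2, 2, 3, 2]},
    {"failure": [2, 2, 2, 2, 3], "operations": [4, 4, 4, 5, 4], "resilience": [4, 3, 3, 3, 3],
     "complexity": [3, 4, 3, 3, 3], "expertise": [2, 1, 2, 2, 1]},
]

if __name__ == "__main__":
    print(histogram(scorecard(SAMPLE_RESPONSES)))
```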
Security FORCE Metrics and the FORCE Scorecard

The Security FORCE Scorecard does not incorporate the results of any Security FORCE Metrics. This is a deliberate omission, for several reasons. Security FORCE Metrics are important components of the model, but they do not lend themselves as easily to inclusion in an easily developed and easily explained scorecard. Instead, the Security FORCE Metrics are designed to operate in the background of the Security FORCE Model, providing empirical evidence to support or challenge Security FORCE Survey responses, and to allow for more detailed and granular measurement of specific FORCE values and behaviors over time. The following are things to consider when comparing the Security FORCE Scorecard to Security FORCE Metrics:

- Use the Security FORCE Scorecard to simplify (always carefully, with all assumptions made explicit) the presentation of FORCE Value results.
- Use Security FORCE Metrics to support and validate Security FORCE Scorecard results for stakeholders and security owners who require more specific details.
- Use the Security FORCE Scorecard primarily as a diagnostic of attitudes and perceptions among members of the organization.
- Use the Security FORCE Metrics primarily as a diagnostic of actions and operations that are actually taking place within the organization.

“Are We a Highly Reliable Security Program?”

Having conducted a Security FORCE Survey and collected Security FORCE Metrics results, it will be tempting to make a judgment regarding whether or not the organization can claim to function as an HRSP. Highly reliable security does not exist in a single point in time or as the result of people’s perceptions. HRSPs are highly reliable precisely because they remain highly reliable over extended periods of operation within hostile or dangerous environments. No organization can claim to operate as an HRSP on the basis of a single diagnostic data point. HRSPs can only be judged longitudinally, over time and over multiple assessments and evaluations. These assessments must be compared and correlated with the frequency and severity of security incidents and failures as well, compared against historical data or against industry expectations and standards of how secure an organization should be. Unfortunately, today, there are few such standards or expectations beyond “more reliable than we are today…”

It may be helpful to consider several scenarios against which to compare claims of HRSP behavior. Each of the following three examples represents an example organization that has conducted a Security FORCE project using the FORCE Scorecard.
GEORGE G, LLP

GEORGE G, LLP, is a boutique advertising and marketing company, specializing in online campaigns. With a multinational presence and sophisticated technology companies for customers, GEORGE G takes a proactive approach to protecting customer intellectual property and strategies. As part of a security culture assessment, GEORGE G implemented a company-wide Security FORCE Survey. The resulting Security FORCE Scorecard is shown in Figure 16-3.

Figure 16-3 GEORGE G, LLP, Security FORCE Scorecard

Interpreting on the basis of the Security FORCE scores, GEORGE G would seem to lack several of the behavioral attributes of an HRSP. Only in the area of the security value of operations did company employees express a perception that tracks with highly reliable security. Does that mean that GEORGE G is not reliable and is on the verge of a major security incident? Certainly not. No single diagnostic tool can provide such predictive evidence. But GEORGE G management would have some cause for concern about these scores, particularly those for Failure and Expertise, if HRSP behaviors were among their goals.
HOTEL INDIA, Inc.

HOTEL INDIA, Inc., manages a chain of unique lodging establishments, including traditional hotels, B&Bs, and hostels, in 19 countries. HOTEL INDIA undertook a security culture improvement initiative as part of a larger security training and awareness program, following several security incidents within both the corporate and customer-facing networks. The results of HOTEL INDIA’s Security FORCE Scorecard are shown in Figure 16-4.

Figure 16-4 HOTEL INDIA, Inc., Security FORCE Scorecard

Is HOTEL INDIA an HRSP? It certainly would seem to be when its Scorecard is compared to the Scorecard for GEORGE G. Perception of the company’s behaviors indicates that many of the Security FORCE behaviors are strong. This is a situation where the Security FORCE Metrics could prove valuable in determining to what extent company perceptions match up to reality. If the Security FORCE Metrics results were poor—for example, if no activities or artifacts could be produced to validate claims or perceptions of behavior—the information security team might be forced to consider other reasons that the FORCE Survey scores were so high. Were people afraid to respond honestly for some reason? Is security awareness out of sync with security operations?

If Security FORCE Metrics for HOTEL INDIA validated the results of the FORCE Survey, then it may be that the company’s InfoSec program is operating as an HRSP, the recent events notwithstanding. After all, even an HRSP will eventually experience a failure (and embrace its lessons). In this case, reexamining the company’s response to the security incidents could shed light on the survey responses, especially considering that the security value of resilience was the lowest-rated Security FORCE value.
KILO KING Enterprises

KILO KING Enterprises is a midsize logistics firm with a nationwide network. KILO KING has been asked by several of its customers and partners, spooked by the current trend of serious data breaches, to assess its entire security operations structure, including awareness and culture. As a result, KILO KING undertook a Security FORCE project, the Scorecard results of which are shown in Figure 16-5.

Figure 16-5 KILO KING Enterprises Security FORCE Scorecard

KILO KING’s Scorecard is interesting. In some areas, it behaves like an HRSP. In others, it does not, leaving a lopsided behavioral profile. How are we to assess these results? It is not particularly difficult to imagine that KILO KING’s business, planning, and logistics would drive an environment of operational readiness and reliance on smart people to overcome problems. But why, if the scores are so high in one area, are they so low in others? Don’t HRSPs behave uniformly?

Not necessarily. HRSPs are made up of people, just like any other organization. Becoming highly reliable does not guarantee staying that way, nor does high reliability in one area guarantee the same in every area. All security programs are subject to competing priorities and cultural drivers in the face of dynamic and uncertain pressures. In the case of the Security FORCE values, it turns out that some value behaviors come more easily to certain security cultures that exist within the Competing Security Cultures Framework. These alignments, and what they mean for HRSP development and people-centric security, are where I will turn now.
CSCF and Security FORCE: Aligning Culture and Behavior in People-Centric Security

In the same way that individual personality traits in people naturally predispose them to certain behaviors, different information security culture traits can make an organization more naturally predisposed to certain behaviors. A Process Culture, with its hierarchies and formality, is going to excel at certain activities more than an Autonomy Culture, which will have its own strong suits. One advantage of the Security FORCE model is that it can be aligned with the CSCF to help an organization understand which FORCE values are likely to come more naturally to an organization and which might meet increased resistance, given the security cultures in place.

Chaining Culture and Behavior Efforts

Security culture transformation exerts a powerful influence on security behaviors, changing and shaping them by addressing their underlying causes and motivations. Behavior, though, can also shape culture. One way behavior influences culture is by providing a template for new members of an organization. We learn by example in our organizational environments, by watching our peers perform, and by adhering to the official policies and guidelines of the enterprise. Culture is not transmitted directly from person to person as such. It is not enough to tell a new employee “this is our security culture, so go with it.” That new hire will acclimate (or not) to the culture in steps, by learning what is accepted behavior and what is acceptable belief, over time, by observing others.

A second way that behavior can influence culture, specifically cultural transformation, is by imposing new habits that quickly or gradually replace older ones that are no longer valued or desired. Regulation is a good real-world example of this practice. Industries are regulated when they are deemed important enough for some reason that the state must interfere with their operations. Regulations are essentially mandatory behaviors and habits, enforced through inspection and audit, that control and constrain behavior. Sometimes, as with the corporate finance scandals of the early 2000s, regulation is explicitly directed at changing culture. Sometimes, as with safety or security, regulation seeks a specific effect such as fewer accidents or harmful events. In these cases a culture may develop around the regulated behaviors, creating a culture that takes those things seriously. Industries like energy and aviation already have decades of experience in this organic cultural growth, while industries like information security are just beginning to experience it.

Reinforcing “chains” of culture and behavior, illustrated in Figure 16-6, perpetuate values and priorities within an organization. These chains can function more or less unconsciously, below the level of deliberate analysis. Or they can be deliberately forged and shaped through visibility and effort. To extend the metaphor a bit, how we manage culture and behavioral chains also says a lot about whether they will act to the organization’s benefit, like an anchor to a foundation, or will imprison and drag down the organization, like Marley’s ghost in A Christmas Carol.

Figure 16-6 Culture and behavior “chains”
Using the SCDS and FORCE Independently

There is nothing to stop a security stakeholder or CISO from using the SCDS and the Security FORCE model independently of one another. The Security FORCE model is just one proposal for behavioral adaptation, actually, although I think it is uniquely suited to information security. But I kept the two frameworks separate because I did not want to imply that improving the Security FORCE value behaviors is the only way to improve InfoSec culture. It is not. Organizations in heavily regulated environments, or those with strong security training and awareness programs in place, may already have built into their security operations behavioral models that they wish to adapt and apply to the CSCF. ISO 27001, COBIT, ITIL, and some NIST standards, to name but a few, all attempt to address behavior changes. Where these frameworks are already implemented and well understood, they may serve as useful complements or alternatives to Security FORCE.

General Alignments Between Security FORCE and the CSCF

With the exception of the security value of complexity, which applies to everything in people-centric security, each of the Security FORCE values can be grounded in one of the quadrants of the Competing Security Cultures Framework. Figure 16-7 illustrates this basic alignment. An important caveat to point out once again is that these are models, not perfect reproductions or infallible crystal balls. They make assumptions and contain uncertainty. They should be used as tools, to identify connections and guide discussion and assessment, and should not be expected to answer all the organization’s questions. But when used as a means to understanding, not as a substitute for it, these models can be highly effective in helping implement a more people-centric program.

Figure 16-7 Security FORCE values aligned to CSCF quadrants

In the following discussion I’ll address the Security FORCE values a bit out of order, going instead by the CSCF quadrants, to make the alignments easier to follow, and addressing the security value of complexity, which has no direct cultural alignment, at the end.
Process Cultures and the Security Value of Operations

Process cultures are all about the details. Setting standards, documenting policies and configurations, and making sure people know where they fit within the hierarchy are all highly valued priorities for Process-focused security programs. The overarching need to manage and coordinate activities, and to have a high degree of visibility into those activities, is what differentiates a Process Culture from the other three security culture types.

This sense of prioritizing visibility and standardized management is what makes a Process Culture particularly adept at realizing the security value and key behaviors of operations from the Security FORCE Model. The security value of operations incorporates the active understanding of how things work and when they are working differently from the way they are expected or assumed to work. A Process Culture will more naturally prioritize the analysis and documentation of operational functions needed to see and compare these differences and to detect deviations while they are minor.

The security value of operations also puts a premium on assessing and sharing operational information, behaviors that also lend themselves to a Process Culture, one in which organizational boundaries and bureaucratic communication channels tend to be established by default. These can often be utilized as readily available processes for formally and safely disseminating operational assessments and eliciting feedback from other stakeholders in the business.
Compliance Cultures and the Security Value of Failure

While Compliance Cultures certainly concern themselves with a fair share of information security details, including operational activities, their often single-minded focus on successful audits makes them especially sensitive to the consequences of not meeting that goal. The result is a culture that takes the security value and key behaviors of failure more seriously than other security cultures, even if they don’t think about it consciously in terms of the Security FORCE Model.

Anticipating worst-case scenarios in an organization with a strong Compliance Culture is easy, since the organization’s perspective on the world can be a bit binary: either we passed or we failed. Failure is easily defined and its possibility is ever present, as the audit cycle never ends. Each successful evaluation leads straightaway into the possibility that the next one won’t go so well, and the organization must always maintain vigilance, learning from mistakes to prevent their recurrence.

That vigilance extends to the other key failure behaviors of seeking out problems before they manifest, rewarding people for finding and reporting problems, and sharing information about security failures. In some organizations, these behaviors may even read like a job description for the internal audit function. Compliance security cultures embed these same values, this same preoccupation with failure, across the security function.
AutonomyCulturesandtheSecurityValueofResilienceSecurityincidentsthroweverythingintoconfusion,challengingeverytypeofsecurityculturewithinanorganization.ButofthefourculturaltypesidentifiedwithintheCSCF,AutonomyCulturemostprizesandevenencouragesinitiativeandindependentactioninthefaceofuncertainty.PerhapsthefactthatAutonomyCulturestendtobealmostuniquelysuitedtothechaoticconditionsofanincidenthelpsexplainwhytheytendtoberareininformationsecurity.Organizationsviewsecurityincidentsassomethingthatshouldneverhappen,andencouragingthekindofculturethatthrivesinthosesituationsmayseemliketemptingfate.
Thesecurityvalueandkeybehaviorsofresiliencebeginwiththeexplicitacceptancethateveryorganizationwillexperiencesecurityincidentsofsomekindoranother,includingdamagingpublicbreachesthatthroweverythingintocrisis.Thisacceptanceofriskanduncertaintyiseasiertointernalizeinaculturethatalreadyacceptschangeasaconstantandviewsindependentthoughtandactionasarequirement.Spreadingtraining,skills,andresponsibilitiesaroundtoawidervarietyofpeople,enablingmultiplepeopletodoajob,andencouragingthemtostretchthemselvesarecentraltothemoreentrepreneurialbentofpeopleinanAutonomyCulture.
That same startup mindset can make it easier for people to accept mistakes and incidents in an Autonomy Culture, too. Falling down in these environments counts more as on-the-job training for success than proof of incompetence or personal failure. This can be a productive psychology for an organization attempting to recover gracefully and with confidence in the aftermath of a security incident.
Trust Cultures and the Security Value of Expertise

Trust Cultures take no one for granted. Every person in the organization is valuable human capital, necessary for the success and growth of the enterprise. For security specifically, that means traditional security awareness and beyond, to the point where members of the organization are the human sensors, firewalls, and response systems that act as a parallel infrastructure complementing and extending technology.
The security value of expertise leverages people as sources of both knowledge and action, and its key behaviors drive decision making into the fabric of the organization. These priorities and behaviors demand trust, and without it, organizations will not be able to allow authority and decisions to be pushed down and around the organization to where circumstances require them. A Trust Culture that values people based not on rank or position but on their abilities to contribute to the goals of the enterprise will instinctively gravitate toward the security value of expertise. Those behaviors will come more easily and be more sustainable over time.
Complexity Everywhere

Complexity has no direct alignment. Every one of the CSCF culture types must address complexity and work within its influence, and no particular culture is better or worse at dealing with it. At best, it can be said that each security culture type concerns itself with a particular flavor of complexity and develops its own culturally specific methods for dealing with it.
Tacit assumptions, the temptation toward oversimplification, and the need for empirical data are the realities of every security culture. The presence of and tensions between these realities may even be at the root of some of the competition between security cultures in the CSCF. That's why each CSCF culture type needs to accept and manage the complexities they face and to coordinate and share their evidence and their doubts among those who may have a different cultural outlook.
Nowhere does the need for coordination on issues of complexity demonstrate itself more than on the issue of models. Each security culture type will have its favored models, the lenses through which that culture looks at the world of security and of the organization writ large. Process models, audit frameworks, agility and innovation methodologies, and human capital management structures will exist side by side within an InfoSec program, with their relative strength and influence constrained only by the relative power of that culture within the security program. They must be brought together, made more transparent, and improved if the organization is to achieve high reliability and true, transformative people-centric security.
Taking Advantage of Cultural-Behavioral Alignments

Paths of least resistance are wonderful things. Especially when you find them among other paths of almost ridiculous resistance. Another beneficial use of the CSCF and the Security FORCE Model is to combine them into a compass of sorts, a navigational aid that can help a security program know where potential problems might lie. Like a "here be dragons" sketch over unknown territory, cultural–behavioral alignments can identify the areas on the people-centric security map where danger lurks, hidden below the waves.
At any given point in time, culture is going to trump behavior, just like the iceberg metaphor suggests. But when people can direct and concentrate behavior in particular areas to particular ends, you can multiply its effect. People have known this at least since Archimedes' time ("Give me a lever and a place to stand, and I shall move the earth"), just as people have known, for at least as long as there have been bricks to build them with, the frustration of banging our heads against walls. The trick is to know the difference between a fulcrum and a wall.
When Culture Makes Behavior Easier

If your people-centric security transformation includes both cultural and behavioral elements, you should be looking at how to take advantage of force multiplication. Your cultural diagnostics can help you. The combination of SCDS results and security culture mapping helps your organization understand the security values and priorities most prevalent inside your organization. Those cultural insights can guide you as you plan behavioral strategies as part of your program.
Imagine that you have conducted a security culture assessment using the SCDS. The assessment reveals that your organization has a particularly strong Compliance Culture. After administering the Security FORCE Survey, you decide that your organization's behaviors supporting the security values of both failure and expertise need improvement. Some stakeholders suggest an immediate inclusion of those behaviors and their relevant metrics in the company's security awareness program.
The thing is, the effort required to improve those two behaviors may not be the same. Because of the natural alignment between a Compliance Culture and the security value of failure, the organization may see immediate gains in its effort to improve behaviors supporting the security value of failure, while its effort to improve behaviors supporting the security value of expertise could prove less effective. Without insight into cultural–behavioral alignments, the disconnect might not make sense and the entire effort could end up tainted and discredited.
One alternative to dividing resources between different challenges is to put all your efforts into one particular challenge where you think you can make the most gains. If the security value of failure is seen as important and the Compliance Culture is likely to find it more acceptable, the organization could work to improve just that area and take advantage of the cultural–behavioral alignment. Significant improvement on the Security FORCE Survey and Metrics resulting from the program could then be used to demonstrate the value and effectiveness of overall cultural transformation efforts, and the resulting goodwill could be applied to improving the security value of expertise, which might prove more difficult.
When Culture Makes Behavior Harder

Knowing how cultural alignment and influence make a transformation job harder can be just as impactful as knowing how they reduce resistance to change. There may be times when the organization decides on a strategy that focuses less on finding the path of least resistance and easy wins, and more on addressing the really difficult, intractable culture problems that are holding back performance.
Consider a company that has experienced a couple of bad, and badly managed, security incidents. CSCF assessment reveals a process-heavy security culture with very little priority given to the values of Autonomy. A Security FORCE Survey shows that the organization is lacking in several behaviors it needs to improve to be closer to becoming an HRSP. But, feeling a strong need to improve its capabilities for incident response at a macro level, the firm embarks on a strategy designed to get more value out of resilience and its associated key behaviors.
The relative weakness of Autonomy Culture–related security values perhaps helps explain why the company struggles to respond flexibly and reliably with every incident. That weakness also shows the challenges the company is likely to face trying to improve resilience behaviors whose underlying motivations conflict with the way the firm looks at security. Once again, a choice is implied: treat everything the same, or focus on specific areas?
Instead of following a path of least resistance in order to more easily secure a win, as with the prior example, this company may choose to tackle the biggest conflict first, because the security value of resilience is seen as the most critical value in the path to become an HRSP. But just like the prior example, this insight allows the company to devote resources to a specific outcome based on a nuanced understanding of the effort involved to achieve it. Rather than cultivating every Security FORCE value and just hoping for the best, understanding cultural alignments allows InfoSec programs to achieve more targeted, and ultimately more effective, outcomes.
Blending Security Culture Diagnostic and Security FORCE Projects for Improved Cultural Maturity

Exploring and analyzing the alignments between CSCF/SCDS and Security FORCE projects should be part of every people-centric security transformation project. Addressing the linkages and potential conflicts between different security cultures and the behaviors necessary for highly reliable security is perhaps the single best reason to use the two frameworks in tandem. Together they allow an organization to understand what is going on both above the surface of organizational awareness and below it, and to grasp where lines of force and influence between the two intersect. The insights won't always be perfect, but as with any other model, they can be put to use and, over time, improved to make security culture transformation more effective and mature.
The idea of implementing one overarching security culture transformation project is somewhat misleading. In all likelihood, most organizations will implement something more like a transformation program, made up of a series of projects over time, as shown in Figure 16-8. Insights from one initiative are digested by the organization—for example, the cultural types and conflicts discovered during an SCDS project—which in turn point to immediate options for cultural or behavioral change. At the same time, the increased visibility and proficiency gained through the execution of consecutive projects allows the organization to plan better, ask better questions, and test the results of past initiatives. This in turn increases cultural capability maturity for the InfoSec program and the overall organization as people get better at mastering people-centric security.
Figure 16-8 Security culture transformation and people-centric security programs
Further Reading

Bush, Marilyn and Donna Dunaway. CMMI Assessments: Motivating Positive Change. Upper Saddle River, NJ: Addison-Wesley, 2005.
Curtis, Bill, William E. Hefley, and Sally A. Miller. The People CMM: A Framework for Human Capital Management. 2nd ed. Boston: Addison-Wesley Professional, 2009.
Paulk, Mark C., Charles V. Weber, Bill Curtis, and Mary Beth Chrissis. The Capability Maturity Model: Guidelines for Improving the Software Process. Boston: Addison-Wesley Professional, 1994.
CHAPTER 17
Leadership, Power, and Influence in People-Centric Security
"Anyone can hold the helm when the sea is calm." Roman author Publilius Syrus probably wasn't thinking about information security when he wrote those words sometime in the first century B.C., but his maxim can be applied to leaders in any crisis situation. The quotation always makes me think of the CISOs, InfoSec directors, and data protection managers I have worked with throughout my career. I've known many good, skilled folks responsible for securing the information assets of their organizations. But managerial competence is not the same as inspired (and inspiring) leadership, in information security or anywhere else. All it takes is one bad storm to show you the difference between an Admiral Lord Nelson and a Francesco Schettino, the infamous Costa Concordia captain.
The sea of information security is not calm today, and most everyone expects the storms to get worse before they get better. If we are to realize people-centric security in the coming years, our industry is going to need all the Admiral Nelsons that we can get.
A Crisis of Leadership

How important is leadership to information security as a profession? To explore that question, I performed that most loosely scientific of all inquiries: I asked the Interwebs. Operating on the assumption that information security leadership is embodied in the position of CISO, just as other types of corporate leadership are embodied in the positions of other members of the C-suite, I fired up Google. My search was simple: "CISO" and "leadership." I repeated the search for each of five other common C-suite roles: CEO, COO, CFO, CIO, and CTO. Figure 17-1 shows the results, in millions of hits (or not, in the case of CISO).
Figure 17-1 Millions of Google hits for "CXO" plus "leadership"
Wow! 300,000 hits surprised me. Thinking (hoping) that maybe "CISO" is, as they say, not the preferred nomenclature, I tried searching on "CSO" instead. The new search returned 500,000 hits, but the presence in those hits of everything from chief sales officers to chief strategy officers made me less confident of the number. Given once again that this is not exactly a rigorous scientific experiment, one has to be careful about reading too much into it. But at the very least it implies that if people are thinking as much about leadership in information security as they are in other management areas, they are not putting those insights online to be indexed by Google. The order-of-magnitude difference between CEO leadership hits and the next largest group is not surprising. A CEO can easily find abundant resources online about CEO leadership. But even compared to the resources available online to chief information officers and chief technology officers who are looking for role-specific leadership resources, CISOs live in a bit of an informational desert. Five of the first ten hits actually refer to the same source: the (ISC)2 book CISO Leadership: Essential Principles for Success. What gives?
The CISO as a Business Leader

I think that the results of my Google searches just demonstrate the uncomfortable truth that many InfoSec programs have to live with every day: that traditionally they have not been considered central to the business. Likewise, CISOs have not been considered equal partners in the C-suite in most organizations, notwithstanding the bone of "chief" designation many are thrown. Security leadership traditionally has not been considered synonymous with business leadership, not even to the degree that CIOs and CTOs are considered business leaders. That has made it much easier to ignore basic leadership principles when it comes to CISOs and their work. That has to change. And it is changing, as the consequences of security failures have begun to blast their way into the boardroom in unprecedented ways.
Given its prominence in my experimental search, I went to CISO Leadership to see what it might have to say about CISOs as business leaders within their organizations. The book is quite good, an interesting collection of contributed works by 20 experienced information security and management professionals. Published in 2008, it anticipated the emergence of people-centric security and the centrality of culture as a key to success. But most of all, it echoes the themes I have explored throughout this book. Security leadership is not about technology, and successful information security can never be fully automated. Because information security is also a social and cultural process, CISOs can't succeed if they are only technologically adept. They also have to be people savvy (CISO Leadership contributor Billi Lee built a chapter and an entire management model around the term "savvy").
Unfortunately, and without any slight to the editors of and contributors to CISO Leadership, the book was not exactly a New York Times bestseller. Very few information security books are. Security has not produced many of what a professor colleague of mine calls "the airport book," the one you buy as you browse the bookstore between terminals during a layover. I know I've bought my share of leadership and management books in airports, particularly the titles I thought would make me a better security professional. Today, most CISOs know they can learn a lot from other executives. But the reality is that almost no executives outside of security think they have much to learn about business leadership from CISOs.
Business Leaders as Security Enablers

The fact that non-security executives typically do not look to information security executives for insight into how to do their jobs better is a cause for concern because non-security executives have a lot of influence on how information security gets done, or doesn't, in their organizations. It's a classic asymmetrical power relationship. The business enables security to function at the discretion of the business, but not the other way around. A CEO or CIO can interfere with the function of information security, sometimes directly and officially, depending upon reporting structures. But it's much more rare to see a CISO or security director with the power to unilaterally tell another business function, say Finance or IT, how to run its affairs, even if there is a direct security stake in those operations. Instead, security executives often have to work by proxy, recommending and guiding up the chain of command to influence those with the power to make such decisions.
Security Power Dynamics

The power dynamics of information security leadership reflect something of a trend in the evolution of business leadership in general, as executive-level recognition and prestige have moved out from the traditional locus of business operations. The first wave of evolution saw the rise of the chief information officer and chief technology officer to the ranks of CEO, COO, and CFO. Despite the difference in titles, both of these executive positions evolved to address the growth of technology and IT products within companies. These are areas of expertise that are outside of the experience of traditional management but are increasingly central to business success. As Figure 17-2 shows, this evolution has continued into a third wave of more information-centric leadership recognition. Roles like chief privacy officer and even chief risk officer have evolved, like the CISO role, to address new challenges around the management of corporate information and knowledge assets. (As a side note, I attempted to use both "CPO" and "CRO" in my Google "leadership" search experiment, but neither is a universally known acronym. I ended up with more insight into naval noncommissioned officers and life sciences researchers than privacy and risk leadership.)
Figure 17-2 An evolution of executive leadership
If information is key to the business, then maintaining the integrity and security of the information supply chain is, by definition, a key business enabler. One of the recurring takeaways from CISO Leadership is the need for CISOs and other security leaders to grow beyond the management of technology infrastructures. Indeed, my interpretation of several of the chapters is that too much focus on technology management actually holds a CISO back. The most successful security leaders will be those who can manage people and culture, both those within security's sphere of influence and, even more importantly, those outside of it. Competing security cultures come to exist in many cases because the InfoSec program cannot or does not operate within the bigger picture of the organization. Other CXOs have had more time to figure out how to merge their interests with the interests of other business stakeholders. Security will need to do the same, to build an organizational culture in which security is no longer just one of a number of subcultures competing for influence.
"What if I'm Not a CISO?"

Chief information security officer is the symbolic head role for InfoSec in the industry today. But not every organization with an InfoSec program has a formal CISO, and CISOs are not the only leaders to be found in information security, so it's important not to get too hung up on mistaking CISOs as being exclusively synonymous with InfoSec leadership.
Opportunities for leadership and cultural change in people-centric security are to be found throughout the organization, at all levels of the organizational chart, a point I have tried to make throughout the book. The Security FORCE value of expertise actually makes this idea a formal requirement for HRSPs. In an HRSP, leadership and authority migrate within the organization because an HRSP recognizes that no one person can effectively control everything. The system administrator who sees the small failures piling up toward an incident has a leadership opportunity in an HRSP, as does the line manager who recognizes that "doing more with less" will probably mean "doing more with less security" as cultures and priorities compete.
It's little more than a platitude to breezily say everyone is responsible for security, especially if most people have neither the authority nor the resources to live up to that responsibility. But it's also an excuse when people absolve themselves of responsibility for security just because they are not part of the InfoSec program. We live in an information society, and information is central to the success of just about every firm. Protecting it is about protecting the business itself. Most employees of corporations are not accountants or law enforcement officials, but that does not mean they are relieved of their responsibility to prevent fraud or criminal activity. Most employees don't work for HR, but they still have a duty to report harassment or abuse. And organizations have their own obligation not only to make the exercise of these responsibilities possible, but also to encourage it. People-centric security in an enterprise must live up to these same standards if companies today are going to see today's security challenges become more manageable.
CISO Leadership Resources

My Google search may not have turned up as many resources for CISOs and security leaders as it did for other CXOs, but that doesn't mean there were no resources. There are several venues and forums for CISO networking, mentoring, and knowledge sharing out there, including (ISC)2, which was behind CISO Leadership. Many security professionals know (ISC)2 as the organization that offers Certified Information Systems Security Professional (CISSP) certification, but (ISC)2 also hosts events such as the Information Security Leadership Awards. In addition to (ISC)2, the Information Systems Security Association (ISSA) hosts regular CISO Executive Forums, and organizations such as CSO (www.csoonline.com), the Argyle Executive Forum, the Tech Exec Networks (T.E.N.), and the EC-Council hold events dedicated to information security leadership development.
The resources and organizations listed are those I am aware of that put a specific focus on CISO leadership. Of course, there are many other organizations, including ISACA, the SANS Institute, and a number of industry-focused Information Sharing and Analysis Centers (ISACs), that provide opportunities for information security training, mentoring, and professional networking in support of InfoSec programs and leadership.
Leadership in People-Centric Security

As previously noted, not every information security leader is a CISO. Security leadership can be found in unexpected places, and not every organization has elevated information security to a CXO level of recognition. If this book has made a point of anything, it's that successful security is a cultural trait. Even a CISO can only do so much if he or she is trying to do it in a culture that doesn't value or prioritize the CISO's job. But wherever InfoSec ownership exists, under whatever title it is given, someone will have ultimate responsibility for protecting the organization's data, information, and knowledge. To be successful, that person will have to stand up and take hold of the helm in the midst of the gale.
You Don't Lead Machines

Security is people. I made the point early in the book that if you throw out all your technology, you still have an organization to manage. That's an important lesson for security leaders, including CISOs. As long as security leaders are viewed primarily as managers of technology, there will be less opportunity and less expectation for them to lead the business. People-centric security is about more than simply incorporating people into information security infrastructures or simply managing the people in the information security program. People-centric security is about leading the entire organization into a new relationship with the business value of information assets, just like CIOs did over the past couple of decades with IT. As IT moved from the back office to the back pocket, CIOs went from technology managers to corporate leaders.
Information security leadership needs to bridge that same gap between technology and those who use it. When CISOs (or other organizational InfoSec leaders) are seen as managing the relationship of the entire organization (meaning all the people in it) with information security, those leaders' roles and status within the organization will change, just like CIO roles changed as IT became more ubiquitous. Because managing people and culture puts security leaders on equal footing with other leaders of the organization, it lets them bring their own unique insights to bear on how to motivate people and make them productive and successful, even in the face of adversity. That's something technology management, no matter how sophisticated the technology, cannot achieve. You can manage a rack of servers or switches, but you can never inspire it, never lead those devices to become something more than what they are.
Influence and Transformation

The influence and leadership skills necessary for security culture transformation are developed as evolution, not upheaval. They are variations on existing themes of management and organizational behavior that have existed for a long time, and have their origins outside of InfoSec. CISOs and security leaders have to keep doing what they have always done, managing and directing the technology and processes that are required to protect corporate information. But the industry's leadership will have to grow too, both in terms of size and in terms of scope. For all the disruption and stress in the security world today, it's actually a great time to be thinking about becoming a security leader.
That being said, CISOs and other leaders are going to find that more is being asked of them than ever before, and many of the new needs will be in the area of soft skills. Russell Reynolds Associates, an executive leadership and strategic consulting firm, conducted a recent study of CISOs and identified a number of new skills that will be called for in the next generation of information security leadership. These include innovation and agility, the ability to think strategically while simultaneously educating and influencing others in the organization, and a capability for attracting top talent to the enterprise. Basically, these are all the same skills one would expect from those who are responsible for leading the entire business, not just locking down parts of it.
To be certain, there are already CISOs working in the industry today who fit the bill, who wield the influence and have mastered the skills of an executive leader on par with other C-levels. But these leaders are not universal, they are not widely available, and they do not come cheap. The security industry is going to have to grow a new generation of them. The training programs for security professionals are going to have to start looking less like computer science and engineering degrees and more like MBAs. And we're going to have to go outside of security and outside of technology to round out our skills. I'm waiting for the day that I meet a CISO who rose up through enterprise marketing or, even better, came from an anthropology or a psychology background. When these individuals become more than exceptions and outliers, things will get really interesting.
Adapting the CSCF and Security FORCE Model to Leadership

Measuring leadership traits can be viewed differently than measuring the traits of an organization's members' behaviors or its overall culture. For one thing, leaders in an organization have a disproportionate amount of power to influence and affect behavior and culture. That alone can make it beneficial to understand how they look at the world and how they engage with their environment. As a result, some organizational culture and behavior models, including the Competing Values Framework, have been adapted to specifically address leadership qualities within the model.
I could easily add an entire section to this book by extending the CSCF and the Security FORCE Model to measuring leadership traits and indicators, but that would be a tad premature, given the relatively nascent state of both security culture transformation as a legitimate approach to information security management and the professional development of the CISO in our industry. I hope that the state of information security leadership matures quickly enough that I can perhaps address how to measure it in a future edition of People-Centric Security. For now, I will simply address the ways that the existing models can be adapted to a leadership-specific assessment. The materials are already there. The approach to collecting and interpreting the data is all that really has to be reconsidered.
The CSCF, SCDS, and Cultural Leadership

Assessing cultural leadership against the Competing Security Cultures Framework involves a more introspective approach to the model. Instead of using the Security Culture Diagnostic Survey as an instrument to measure the culture that people in the organization feel they inhabit, corporate executives and organizational leaders can use the tool to analyze the example and tone that they set themselves for the rest of the organization. What beliefs do they bring into work with them every day that will influence how subordinates and members of the organization make security-related decisions? What values and priorities do they promote in the examples that they set that are then emulated down the organizational chart?
An organization can conduct a basic security leadership assessment by administering the SCDS only to members of the executive staff, or even the board of directors, and then interpreting and mapping those results as they would for a wider security culture assessment. Identifying cultural conflicts at the executive level can go a long way toward explaining why they exist elsewhere. For CISOs or security stakeholders who are trying to get buy-in for a larger security culture transformation initiative, this can be an excellent way to start. It may even provide the security team with a breakthrough in support. The impact and importance of culture is often more widely discussed and accepted at the executive level than it is in technical or operational business units. Putting security into the terminology of corporate culture can provide a novel marketing technique by which an InfoSec program can differentiate the initiative.
The Security FORCE Model and Behavioral Leadership

Similar to adapting the CSCF to organizational leadership, adapting the Security FORCE Model to organizational leadership takes a more top-down approach to the model that emphasizes commitment and example setting. Given the more tactical nature of the FORCE Model, it is usually wise to tie behavior back to culture anyway, focusing on the organizational cultures that create high-reliability security. A capability to stop more incidents before they occur and to better manage those failures that do happen is likely to get the attention of any executive these days, so the FORCE Model can be leveraged as a sort of a behavioral "how to" guide for senior management. Encouraging and fostering these behaviors will make their jobs easier in the long run.
Instead of looking for cultural conflicts, using Security FORCE for leadership assessment focuses on how senior executives motivate, reward, and sanction individual behaviors that are invisibly reducing or expanding the space in which security incidents can happen. Gauging the individual attitudes of senior enterprise leaders toward failure, operations, and sharing decisions and information can result in valuable insights about where security problems are likely to happen. And once again, using Security FORCE can give a security team a hook they may not have previously had when dealing with non-security leaders. The origins and pedigree of Security FORCE and HRSP behaviors exist outside of InfoSec, in HRO research, and were developed as a means of improving general enterprise performance. By adapting them, CISOs and security leaders are not using parochial "by security, for security" methodologies, but rather products of research into optimizing overall business value and company performance. Empirically supported by academic analysis and industry studies, this research and the models it has produced speak directly to the core goals of everyone on the executive staff, not just those tasked with information security.
Further Reading

Comyns, Matt, T. Cook, and J. Reich. "New Threats, New Leadership Requirements: Rethinking the Role and Capabilities of the Chief Information Security Officer." Available at www.russellreynolds.com/.
Fitzgerald, Todd, and M. Krause, eds. CISO Leadership: Essential Principles for Success ((ISC)2 Press Series). New York: Auerbach Publications, 2008.
CHAPTER 18
Securing a People-Centric Future

It's a people-centric world. That can be easy to forget in a society that is dominated by, even obsessed with, technology. We talk about the Internet of Things, fantasize and fret about robots and artificial technology, even look forward to the "singularity" that will occur when humans and machines finally come together to create a new species. To hear us talk, you might sometimes think that the entire world is about the centrality of technology. And maybe at some point in our future, technology really will eclipse people societally or even evolutionarily. But we are not there yet. For my own part, I'm skeptical that we will ever reach that point. It's an end that has been predicted almost since human beings invented technology, and certainly since they started thinking about it and using it. But for our immediate future, and certainly for the practical future of anyone in information security, it's still a human's world. We may embed technology ever more deeply into our lives, and even our bodies, but inventing, deploying, and using technology are things people do to and with machines, and not, for the most part, the other way around. And securing technology is up to people as well. Technology won't do that for us. Without people, there is no security, nor any need for it. So let's look ahead to the challenges still to come in a people-centric future.
The Security of Things

If you want to pick the best metaphor to embody the challenges information security faces in the future, it's probably the whole "Internet of Things" (IoT) or "Internet of Everything" (IoE) trope. Various estimates put the number of networked devices operating by 2020 in the high tens of billions, typically 50 to 75 billion or more. Compare that with estimates of the number of networked devices operating today, which clocks in at under 10 billion. So in less than a decade potentially, we'll be looking at anywhere from a fivefold increase to an order of magnitude's worth of growth in the number of nodes on the global network, all with some degree of intelligence, all taking in, storing, and pumping out data. Just from a sheer numbers game, that's several brave new worlds' worth of opportunity for bad guys of all stripes.
The purpose of this chapter isn't to jump on either the hype bandwagon or the FUD (fear, uncertainty, and doubt) bandwagon, both of which have established regular pick-up routes throughout the industry these days. The vendors hyping the IoT/IoE concepts, either as a good thing or a scary one, have enormous financial stakes in the metaphor. I've been in the industry long enough to have heard promises of a paperless society and intuitive home appliances made and then fade, only to be picked up and repeated again a few years later. And yet I still use paper and I still have a home that is relatively dumb. So my eyes roll a little more easily when I hear grandiose claims about how thoroughly different and digital my life will be in ten years. But I also realize how different and digital my life is today compared to a decade ago, which convinces me that things are going to continue to change radically for the world. I may not be able to upload my consciousness to the cloud in the next decade, but then again I may not have to drive my own car. That's pretty impressive no matter how you look at things.
Social Security

Setting aside the fact that digital saturation is a geographically and demographically variable phenomenon, and not everywhere or everyone on the planet is connected to the same degree, what are the implications of the Internet of Everything? I get a kick out of the thought of "securing the IoE." If everything is networked, then you are not securing a network; you are securing everything. Reality is your attack surface. Consequently, information security starts to look less like an IT challenge and more like a societal one. Like disease and medicine. Like war and diplomacy. Like ignorance and education. You don't solve these problems, or even manage them. You live with them as best you can, and by "you" I mean everyone. Technology plays a huge role in that effort; many technologies in fact. But the center of the universe shifts, like a Ptolemaic paradigm giving way to Copernicus. People don't move to the IoE. The IoE revolves around people.

Security in an IT system that is slowly approaching a level of complexity that rivals human society is going to be equally complex. I know security managers and CISOs for whom security is essentially synonymous with the SANS Top 20 controls, or the PCI DSS standard, or a set of NIST special publications. Those constructions are all very useful, but it's a bit like saying that a person's life is synonymous with the data in their Facebook profile. As much as things may feel that way at times, it's an illusion, a digital representation of an analog phenomenon too complex to fully get your arms around. If information security is to succeed in the digital future, it's going to have to take a more analog approach.
As Many Securities as Things to Secure

There is no one single “security” to create and manage. We already have to specify between physical, information, and IT security if we want to be clear, even though the overlap in these fields is enormous. And within information security, the term I prefer, there are enough subdisciplines and specializations that one could spend a rich and productive career inside the information security field and never venture outside the world of cryptography, or IPS signatures, or audits. “Security” is whatever the people talking about it mean when they say it…because security is people.
I don’t expect people-centric security to become the dominant way of thinking about our field and industry. But I do want to add it to the list of conceptual toolkits that we can choose from, because up until recently, InfoSec professionals generally have thought of people, if at all, as obstacles to be worked around, or perhaps as children in need of education so that they don’t do something stupid, or even as actual threats living within the organization’s walls that have to be rooted out and eliminated. But security is not meant to work around people. It’s meant to work for them. Our profession would benefit a lot from embracing that idea. And we can start by thinking about these different kinds of security by thinking about different ways that security can exist as an information challenge as well as a more tangible one. Context and nuance are creating new and specialized InfoSec phenomena depending on what is being secured, and how, where, and why it must be protected.
Information

I use the term information security to refer to what I think of as the “traditional” focus of our profession because it encapsulates other information-related specialties. Information security includes IT security because IT can’t do anything if there’s no information for the technology to process. But information security also implies every kind of information that may exist, from paper records to human knowledge. When I think about information security, I am forced to consider things that are not technology-specific, and that always makes me think of people. Information always implies use. Some user (human or otherwise) has to be informed by it to make it information.
Applying a user-centric idea to security helps put a people-centric spin on the control and protection of information, which is at the core of our work. The people-centric future of security will see information diffusing throughout a network that is more vast and vastly different than anything we have today. But information will remain a fundamental commodity, and ensuring the confidentiality, integrity, and availability of it will still be a central responsibility of the security profession. The difference is that we will no longer be able to call the shots on who gets what information and how. When our computers, our homes, our cars, our clothing, and even objects inside our bodies all become smart and interactive, people will find things to do with those infrastructures that defy control. Security will have to change accordingly, moving from dictating and limiting how people can behave to understanding and accepting many new information behaviors and figuring out how to protect the users from those who would abuse them.
Infrastructure

In graduate school I became fascinated by the field of infrastructure studies, the body of scholarly research into the underlying structures that make society function. These structures can be physical or organizational, with both influencing and operating on one another. What interested me the most was the concept that infrastructure, by definition, exists in the background, invisible to most people, having become so common that it has faded from our consciousness…at least until it breaks down (making it a lot like culture in that sense). If you realize you have stopped noticing the electrical and telephone wires strung by the side of the road, the ductwork in your office building, or the wireless access points and telecommunications equipment that gives you the Internet access you are enjoying over coffee, then you know what I’m referring to.
In a world that is exponentially more connected through information technology, countless infrastructures will have to be considered from a security perspective. Consider SCADA and other industrial control systems that control things like utilities and refineries. Securing these systems today remains a pretty specialized area of information security expertise, as obscure to most security professionals as they are scary when you hear what a successful attacker can do to and with them. If the IoE even fractionally lives up to the hype, it will create infrastructures with physical safety implications that make SCADA security look quaint. And we won’t be dealing with pipelines or installations that can be isolated and fenced off from the public. Society will be the infrastructure and every single person a potential conduit or hub of activity. Security cannot take on that challenge with the tools we have today.
Identity

There are aspects of information security that are not fully understood right now but will become central to the profession in the future. Ask a CISO today about “identity” and she will likely talk about identity management, the processes and technologies that enable an organization to control users and their access. But the concept of identity and what it means in a digital age is swiftly evolving into a sister discipline of information security, one that will exert immense influence on information security’s direction and requirements in the coming decades. Identity systems have become one of a few boundary lines in society where the virtual or symbolic meets the physical. Identity can be stolen, mass produced, and used both to create business value or ruin it. How our society will address the question of what it means to be someone within it and how that process can be managed, manipulated, or subverted are going to be important questions for security professionals to grapple with as we move forward.
Security has already seen one wave of disruption from these new identity challenges, even if we have not explicitly recognized it as such. Personally identifiable and personally contextual information is central to most of the recent massive corporate security breaches. Both types of information are tied to unique individuals and are of interest to thieves because they allow them either to steal an identity (personally identifiable) or to cash in on an existing one, such as by releasing personal photos or e-mails (personally contextual). Security has tended to treat personal information similarly to how a bank treats money: as something you lock up in a vault to keep safe. But identity is much more complex than mere cash; it is inherently people-centric, and will require the information security profession to completely reexamine how it deals with the challenges of safeguarding identity. Some organizations are already exploring identity as a novel phenomenon in the digital age. For example, the Center for Identity at the University of Texas is working on concepts of identity that use terms like “ecosystems” and “physics” instead of just “technology” and “policy.” Such research is beginning to recognize that one’s identity, rather than being an attribute or a characteristic of a person or a system, is itself a complex system. Managing that complexity and the emergent behaviors that come with it will bridge fields as diverse as engineering, law, information security, sociology, and philosophy.
Privacy

Related to both information and identity, the concept of privacy is growing in interest and importance, and would have even if the massive surveillance programs revealed by Edward Snowden had never come to light. Bruce Schneier’s latest book, Data and Goliath, is on its way to being one of the best-selling privacy books ever written, and the fact that its author is a security professional is telling. But Schneier’s book is only the latest in a large literature of scholarly privacy and surveillance studies extending back at least as far as Michel Foucault’s Discipline and Punish, with its powerful metaphor of the panopticon and its all-encompassing visibility into everyday activities. Many of these works were written by researchers and theorists who were people-centric, focused as much on societal and organizational aspects of privacy as they were on information and technology systems.
Security will need to bring our considerable expertise to bear here, because with so many aspects of privacy being mediated by technology and digital information systems, the protection and control of systems is more important than ever. But once again, technology and system-level controls will never be enough to address what is fundamentally a challenge at the social level. If information security cannot create people-centric innovations as well as techno-centric ones, we will only ever play a supporting role in what history may remember as one of the pivotal points in human civilization.
Framing People-Centric Security

This book is about giving organizations and security professionals a new language and new tools with which to discuss and improve information security. This language and these tools directly address a corner of the people–process–technology triangle that has been traditionally neglected by the profession and the industry. People-centric security is not necessarily more important than the other two corners, although I think a case can be made to that effect, but it is equally important, and any InfoSec program that does not include people-centric approaches that are taken as seriously as process or technology is not going to have long-term success. When you have a three-legged table, there’s no way to skimp on one leg and expect the resulting piece of furniture to be stable. It just doesn’t work.
Security Soft Power

In foreign affairs, the concept of soft power refers to a nation’s ability to get things done by convincing other nations to work with it, rather than by bribing them or resorting to military force. Soft power is also used to change public opinion through less direct and coercive channels. Joseph Nye, the political scientist who coined the term soft power, has commented that credibility is the most valuable and rarest resource in an age of information.
I could not agree with Nye more. The single greatest weakness I see in InfoSec programs, security vendors, and security professionals is a lack of credibility. No one doubts that security is important, but the security industry struggles to make the case for just how important it is, where resources should be allocated, or what constitutes effectiveness. The result is that security is naturally drawn into cultural competition with others who, no matter how critical they believe security to be, don’t believe security is as critical as the things they care about. If security cannot make itself more credible in these conflicts, failures and breaches will continue to happen.
Security affairs need a soft power approach, an alternative to coercive policies and automation that attempts to force people to take security seriously without ever really convincing them of why they should. That sort of approach only works until those people can figure out how to get around the constraints, either directly or by undermining them within the organization. People-centric security concentrates on understanding how organizations think and behave as individuals and collectively, and crafting approaches to security that work with these social and organizational forces rather than against them.
Three Takeaways from the Book

At the risk of oversimplifying hundreds of pages into a short list, there are three core ideas that any reader of this book should have embedded into their brain after turning the final page:

People are the most important system to secure.
Strong culture equals strong security.
Failure is a feature of complex systems, not a flaw.
People Are the Most Important System to Secure

An organization without technology is still an organization. An organization without people is not. This basic truism implies that any organization thinking about security must think about where people fit into those efforts. You simply cannot automate people out of the equation when it comes to security. This is not because people are so insidiously clever that they will always find a way to adapt around your controls (but they are and they will). It’s because completely automating human judgment and adaptability out of the equation ends up creating a security infrastructure that is more rigid and brittle than the alternative you are trying to prevent. The people that make up any organization are its messiest and most complex system. It is much better for security to leverage this system in support of security than to unrealistically attempt to constrain it. People-centric security is about elevating the status of this system dramatically across the organization.
Strong Culture Equals Strong Security

Culture as people-centric software is a metaphor I led with at the beginning of the book. If an organization can make its culture more secure, then there is less need to try to automate poor security out of the organization by using tools and programs that will never be as sophisticated as the one they are trying to control. By the same token, if an organization’s security culture is weak and buggy, if it constantly competes or conflicts with other routines and processes running things, that organization is going to have problems. The security profession has always talked about security as a challenge that can only be addressed through a combination of people, process, and technology. We’ve also always tended to reverse those three things in order of importance. This has to change. The Competing Security Cultures Framework is about bringing together different ways of looking at security to create stronger, more balanced security cultures overall.
Failure Is a Feature of Complex Systems

Security has, at times implicitly and at other times explicitly, devoted itself to stopping security failures. That is probably one of the reasons it can be so frustrating to be a security professional. You feel like your job is futile, and in that sense it is. You cannot prevent failure in a complex system because the nature of complexity is emergence, and some of the things that emerge from such a system are decay, entropy, and breakdown. The opportunity for information security is to realize that we are now managing a system that has grown beyond our capability to control it. That’s frightening and exhilarating at the same time. Our information systems and technologies will enable us to do things pretty soon that would have been considered fantasy (or nightmare) just a few years ago. We have long passed the point where we can make the outcomes of using these systems predictable, but we can still make those outcomes more reliable. The Security FORCE Model and the Highly Reliable Security Programs that it is designed to encourage are all about managing failure in complex systems, not by preventing it but by understanding it, keeping it as small as possible, and bouncing back quickly when it’s not.
Putting People-Centric Security to Work

When considering how to implement people-centric security within your own organization, it’s important to understand ahead of time what you want to accomplish. There is a lot of material in this book and a lot of ways to put it to use. I have laid out the book comprehensively, an all-in approach that combines culture with behavior, diagnosis with activity. And that approach is certainly a good one to take if your organization has the commitment and desire to transform security culture across the board. But it’s also important to note that not every organization can afford or wants to do that.
Two Models, One Goal

The CSCF and the Security FORCE Model are both means for transforming organizational security culture. The CSCF is more of a top-down approach, diagnosing different cultures and building transformation strategies around this macro view of security and the way it interacts with other organizational goals. Security FORCE is more bottom-up, addressing specific behaviors as a backdoor method of cultural change. Optimally, they work together. Separately, they can still work.
In the absence of reasons not to, I recommend beginning with the CSCF, using the framework as a diagnostic instrument to identify areas of conflict between security and other organizational priorities and between unique security priorities themselves. An organization may find the insights generated by the CSCF to be revelatory, identifying areas where the organization says one thing but believes something else, or realizing that one priority always trumps every other priority the organization professes to hold dear. Even if a CSCF analysis does not lead to a full-blown security culture transformation plan, knowing what the organization believes about security shines light on how it behaves toward security.
I tend to recommend the Security FORCE Model as a starting point for organizations that are focused primarily on program self-improvement, organizations who would like to change their culture but require something a bit more tactical to begin with. Moving toward the behaviors of an HRSP can create powerful changes in an InfoSec program, but those changes probably will not extend very far beyond the InfoSec program. Improving the FORCE behaviors may enable the CISO to run a tighter ship, but it won’t help that CISO convince others that security is just as important as cultural drivers like profit or productivity. And because the model is behavioral, any cultural change it creates is slower, the result of changing habits more than changing beliefs.
People-Centric Security Strategies

Whether you are a CISO, a security awareness manager, or a different security stakeholder entirely (maybe not even part of the security program), any attempt at people-centric security requires a strategy and a plan before you begin. The strategy can be transformational or behavioral, exploratory or directed. But whatever strategy you choose, you should have a basic idea of what you want to accomplish before you dive in. The following are just a few example strategies that might provoke some thoughts or ideas.
Improving Board and Business Stakeholder Engagement

Improving organizational culture and behavior may not be central to information security managers today, but the concept gets a lot of traction at the board and senior executive levels. Most of the research I’ve applied in this book comes from people who work with company leadership teams as their primary research partners and consulting customers. While it’s no guarantee that including cultural transformation will get executives to pay more attention to security, it does provide another approach to CISOs who are struggling to find common ground with business stakeholders. And as a form of the soft power I discussed earlier in this chapter, the CSCF can be a powerful way of encouraging security teams and these other business stakeholders to talk about their priorities using a common framework, one that gives everyone a voice in the security process and a means of listening too.
Supercharging Security Awareness

Security awareness programs, as I’ve said, remain the most people-centric of all security efforts within an organization, the front line between the InfoSec program and everyone else. As both champions of security and security educators, training and awareness teams can benefit extensively from both the CSCF and the Security FORCE Model. In fact, I have a hard time imagining security culture transformation starting without the active participation of the security awareness team. It can happen, but it’s much harder. People-centric security has the potential to elevate and extend the reach of these professionals and the service they provide to the organization as a whole.
People-Centric Incident Response

The visibility into cultural threats and risks provided by the CSCF and the determination to keep failure small and keep response resilient embodied in Security FORCE both offer innovative benefits to organizational incident response capabilities. Too often, root-cause analyses and incident response planning unnecessarily limit themselves to the immediate, technical components of detection and mitigation. The result is an incident response capability that misses the reasons that the organization drifts from non-failure to failure states to begin with. By incorporating CSCF and Security FORCE principles into incident response planning, organizations can change the game by changing their basic understanding of what an incident means and what it implies for an organization seeking to keep it from happening again in the future.
Conclusion

This book is a culmination of both a quarter-century of my direct experience with how people do information security all over the world, in a variety of organizations, and ten years of specific work theorizing and researching ways to put “people” in their rightful place at the front of the “people, process, and technology” triad that InfoSec programs claim is the core of successful security. I reject the idea that we are beleaguered defenders about to be overrun by the hostile enemies outside our walls, and that change is required because security has fundamentally failed. There have certainly been colossal and disturbing failures, and there will continue to be. But I prefer to think of our profession as adolescent, faced with the same leap into maturity that every other profession (such as insurance, law, and even IT) has faced.
It’s scary growing up. You have to start thinking about things that are much more difficult and complicated than what you have had to deal with throughout your childhood. But most adults probably would not want to go back to their days of being a kid. Maturity brings opportunity and reward on a grander scale. That’s where information security is today, facing challenges bigger than any we’ve had to face before and needing tools that we’ve not used before to meet those challenges. The rewards are enormous if society gets information security right. But that’s not why we have to do it. We have to do it because we can’t go back to the way it was, any more than you can go back to childhood, even if you wanted to. As society becomes increasingly dependent on technology and information, threats to technology and information become threats to society—not “meteor from the sky obliterates all life” threats, but “crime, disease, and war make life miserable” threats. Bad things will always happen, but we have to learn to deal with them, adapt, and manage. That, too, is a lesson we learn as we get older. This book certainly doesn’t have all the answers, but I hope that it helps at least a few people in this profession that I have enjoyed for so long answer some of their own tough questions.
Further Reading

Foucault, Michel. Discipline and Punish: The Birth of the Prison. New York: Vintage Books, 1995.
Schneier, Bruce. Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World. New York: W. W. Norton, 2015.
University of Texas Center for Identity. Information available at http://identity.utexas.edu
Index
Please note that index links point to page beginnings from the print edition. Locations are approximate in e-readers, and you may need to page down one or more times after clicking a link to get to the indexed material.
68-95-99.7 Rule, 167

A
ABLE Manufacturing (case study), 128–133
  comparing security employee and nonsecurity employee cultures, 156–157
  security culture mapping, 143–146, 149–150, 151–156
accidents, 225–226
adaptive systems, 109
Adbusters Media Foundation, 10
adhocracies, 95
annual loss expectancy, 300
anonymity, 178–179
Apache OpenOffice, 140
Apollo 13, 220, 276
Apple, cultural success of, 40
archetypes, 90–91
Argyle Executive Forum, 363
Ariely, Dan, 71
artifacts as data, 88
assumptions, 164
  formalizing, 296
  FOXTROT Integrators, Inc. (case study), 164–166
audience, knowing, 183–184
audits, 11
  failure as brutal audits, 222
authority
  allowing authority to migrate, 320–321
  migrating, 314–315
  structural authority vs. structural knowledge, 312–313
automation, behavioral models, 196–197, 198
Autonomy Culture, 100, 109–111
  and the security value of resilience, 351–352
  weakness of, 355
Aviation Safety Information Analysis and Sharing (ASIAS), 226
awareness teams. See security awareness teams
B
bar charts, 146
behavior, 203
behavioral models, 192–199
  opportunities for new security behavioral models, 198
  using the results of the model, 169–170
  See also Security FORCE Behavioral Model
Berkshire-Hathaway, 66
black swan events, 211
blind spots, 254
Box, George, 101
“bring your own device” movement. See BYOD
Bureau of Labor Statistics (BLS), 225
bureaucracy, 104, 315–316
BYOD, 111
C
Cameron, Kim, 102
capability maturity modeling, 334–335
case studies
  ABLE Manufacturing, 128–133, 143–146, 149–150, 151–157
  CHARLIE Systems, Inc., 133–135, 153–154
  DOG, 135–138, 157–158
  FOXTROT Integrators, Inc., 164–170
  GEORGE G, LLP, 343–344
  HOTEL INDIA, Inc., 345–346
  KILO KING Enterprises, 346–347
CCMM. See Cultural Capabilities Maturity Model (CCMM)
Center for Identity at the University of Texas, 374
central tendency, 85
CEOs, 358
chaining culture and behavior effects, 348–349
change agents of security culture, 35–37
CHARLIE Systems, Inc. (case study), 133–135
  security culture mapping, 153–154
The Checklist Manifesto (Gawande), 315
checklists, 315–317
CISO Leadership: Essential Principles for Success, 359–360, 362
CISOs, 35–36, 55, 75, 358–359
  as business leaders, 359–360
  engaging, 173
  leadership resources, 363
clan cultures, 94–95
cognitive differences, 71
cognitive limitations, 69–71
“The Collapse of Sensemaking in Organizations: The Mann Gulch Disaster”, 269–270
Columbia space shuttle, 313
Command and Control (Schlosser), 316–317, 331
commitment to resilience, 206
Common Vulnerability Scoring System (CVSS), 288, 289–290
communication, opening up, 238
Competing Security Cultures Framework (CSCF), 82, 92, 94, 203, 376, 377–378
  adapting to leadership, 365–367
  alignments with Security FORCE Behavioral Model, 349–353
  and cultural leadership, 366
  culture-behavior link in HRSPs, 215–217
  as a framework for understanding, 190–191
  internal vs. external focus, 98–99
  limitations of, 101–102
  mapping security culture using, 141–143
  native cultural reference points in, 142
  origins in competing values research, 94–96
  overlapping and competing values, 100–101
  quadrants, 99–100
  SCDS scores aligned with CSCF quadrants, 180
  views, 97, 100, 101
competing security priorities, 76
competing security stakeholders, 74–75
competing security values, 76–77
competing values, 34–35
Competing Values Framework, 94–96, 102–104
  adapting to security, 96–99
complexity, 353
  accepting what we already know, 306–307
  coveting empirical evidence, 297
  embedding complexity value into security program, 305–306
  evidence and falsifiability, 298
  formalizing assumptions, 296
  growing uncertainty, 288–289
  making every model better, 299–300
  oversimplification, 295–296
  reluctance to simplify, 205
  sharing the doubt, 298–299
  simplification, 287–288
  thinking bigger, 306
  See also security value of complexity
compliance and control regimes, behavioral models, 192–193, 198
Compliance Culture, 100, 106–108
  and the security value of failure, 351
compliance frameworks, 300
conceptual slack, 274
consensus building, 54–55
control, degrees of, 97–98
Corporate Culture and Performance (Kotter and Heskett), 47–48
cost/benefit analyses, 172
costs
  estimating the financial impact of security culture, 162–164
  reduced risk and costs from incidents, 162
  and schedules, 338–339
covert processes, 61–62
credibility, sharing, 321–322
CSCF. See Competing Security Cultures Framework (CSCF)
C-suite, 35–36
cultural anomalies and disconnects, 154–156
cultural archetypes, 90–91
Cultural Capabilities Maturity Model (CCMM), 335–336
  organizational proficiencies within CCMM maturity levels, 337
cultural competition, as a source of risk, 73–77
cultural conflict, 152
cultural engineering, 12
cultural frameworks and models, 92
cultural intensity, 153–154
cultural intolerance, 174
cultural maturity, 225
  blending Security Culture Diagnostic and Security FORCE projects, 355–356
cultural risk, 61–62
cultural stereotypes, 90–91
cultural threat modeling
  covert processes and cultural risk, 61–62
  overview, 60–62
  See also PEPL; STRIDE
cultural traits, 30–33
cultural transformation, challenges of, 53–56
cultural-behavioral alignments, taking advantage of, 353–355
culture, 203
  chaining culture and behavior effects, 348–349
  power of, 4–7
  strong culture equals strong security, 376
  visualizing, 92–93
  when culture makes behavior easier, 354
  when culture makes behavior harder, 354–355
culture hacking, 7–8
  bad culture hacks, 15–16
  good culture hacks, 14–15
  history of, 9–10
  PayPal, 48
  software of the mind, 8–9
  ugly culture hacks, 16
  See also safety culture; security culture
culture maps. See security culture maps
CVSS. See Common Vulnerability Scoring System (CVSS)
D
dashboards, 248–249
data
  aligning with project goals, 181–183
  collecting, 175–179
  respondents and, 340
Data and Goliath (Schneier), 374
Data Embassy Initiative, 277
Data Leakage Worldwide, 41
data management and storage, 179
deadlines, 23–24
defeatism, 31–32
deference to expertise, 206
Dekker, Sidney, 27–28, 34, 207
demographic data, collecting, 177–178
denial, 254
Denison, Daniel, 102
Department of Governance. See DOG (case study)
design, 20–22
diagnosis and transformation
  CSCF as a framework for understanding, 190–191
  See also security culture diagnostic project
Discipline and Punish (Foucault), 374
disorganized complexity
  problems of, 286
  See also complexity
DOG (case study), 135–138
  comparing current security culture to its desired security culture, 157–158
dominant culture, 151
DREAD, 62
drift, 27–28, 34, 207
Drucker, Peter, 20, 29, 43
E
EC-Council, 363
e-commerce, 195–196
efficiency, and increased security, 161–162
egos, 319–320
emotional logic, 68, 69
emotional threats, 66–68
empirical data, 87
empirical evidence, coveting, 297
engineering culture, 242
Enron, cultural failure of, 43
enterprise risk management (ERM), 240
equality, 319–320
ERM. See enterprise risk management (ERM)
Estonia, 277
evaluating outcomes, 55–56
evidence and falsifiability, 298
exceptionalism, 32
expectations
  and reality, 243
  testing expectations against reality, 249–251
expertise, 310–311
  allowing authority to migrate, 320–321
  asking the experts, 318–319
  creating decision fast lanes, 330–331
  deference to, 206
  embedding expertise value into security program, 329
  FORCE value metrics for, 326–328
  information filtering, 311–312
  making everyone a sensor, 329–330
  migrating authority, 314–315
  rewarding calls to action and cries for help, 322–323
  scoring the expertise value behavior survey, 325–326
  sharing, 273–274
  sharing credibility, 321–322
  structural authority vs. structural knowledge, 312–313
  suppressing egos, 319–320
  valuing expertise from the top down, 331
  See also security value of expertise
F
failure
  anticipating failures, 227
  assessing failure value behaviors, 232–237
  brutal audits, 222
  embracing, 223–224
  fail small, fail fast, fail often, 224–225
  “failure is not an option”, 220–221
  failures of imagination, 211
  as a feature of complex systems, 377
  imagining failures and disasters, 267–268
  improving failure value behaviors, 237–238
  key value behaviors, 226–230
  learning from mistakes, 230
  practicing failing, 275–276
  preoccupation with, 205
  reeducating people on what it means to fail, 237
  reevaluating, 221–223
  rewarding problem-reporting, 228–229
  seeking out problems, 227–228
  sharing information about, 229–230
  studies, 207
  tracking the seeds of, 225–226
  weak signals, 223
  See also security value of failure
The Failure of Risk Management (Hubbard), 71
fear, uncertainty, and doubt, 38, 67–68, 157–158, 370
Federal Aviation Administration (FAA), 226
Federal Information Security Management Act. See FISMA
filtering information, 311–312
FISMA, 107, 194
formalization, 174
Foucault, Michel, 374
FOXTROT Integrators, Inc. (case study), 164–170
frequency, 293
FUD, 38, 67–68, 157–158, 370
Fujitsu, 197
G
Gardner, Daniel, 71
Gardner, Nick, 276
Gawande, Atul, 315
GEORGE G, LLP, 343–344
global culture, 41
Global Human Capital Trends 2014, 272
goals
  comparative, 182
  descriptive, 181
  stretch, 274–275
  transformative, 182–183
H
Hackers: Heroes of the Computer Revolution (Levy), 7–8
hacking, 7–8
hacking culture. See culture hacking
Haiku Deck, 184
Harris, Ed, 220
Health Information Technology for Economic and Clinical Health Act. See HITECH
Health Insurance Portability and Accountability Act. See HIPAA
Heartbleed, 289–290
heat maps, 291–294, 300
hedging against failure, 22–23
Heskett, James, 47–48, 53
hierarchies, 96
Highly Reliable Security Programs. See HRSPs
high-reliability organizations. See HROs
HIPAA, 15, 106, 108
Hitchens, Christopher, 298
Hitchens’ Razor, 298
HITECH, 107, 108
Hoffman, Reid, 48
Hofstede, Geert, 8
HOTEL INDIA, Inc., 345–346
HROs, 203
  and failure, 221
  five principles of, 204–206
  in information security, 206–208
  research, 204–206
HRSPs, 208
  culture-behavior link, 215–217
  embracing failure, 223–224
  and failure, 221
  managing failure, 377
  surviving, 216
Hubbard, Doug, 71
human capital, 272
Human Capital Institute, 272
human relations, 112
hypotheses, 248
I
identity, 373–374
ignorance, and risk, 290–291
incentives, 175
incident response, 265–266, 379
incompatible outcomes, 73
incompatible systems, 72
influence, and transformation, 365
information filtering, 311–312
information poverty, 246
information security, 372
  cultural traits in, 30–33
  power of culture, 4–7
Information Systems Security Association (ISSA), 363
InfoSec. See information security
infrastructure, 373
insight, 231
Internet of Everything (IoE), 370, 371
Internet of Things (IoT), 370
interval data, 85–86
interviews, 89–90
ipsative scales, 125–126
(ISC)2, 363
ISO 27001, 14, 15, 194–195
J
Jobs, Steve, 40
Johnson, Neil, 286

K
Kahneman, Daniel, 71
KILO KING Enterprises, 346–347
Kotter, John, 47–48, 53
Kranz, Gene, 220

L
labels, power of, 288
leaders, as security enablers, 360
leadership
  CISO leadership resources, 363
  crisis of, 358–363
  CSCF, SCDS and cultural leadership, 366
  and organizational culture, 56
  in people-centric security, 364–365
  Security FORCE Behavioral Model and behavioral leadership, 367
  setting leadership examples, 238
  support and engagement, 339
Lee, Billi, 360
Levy, Steven, 7–8
LibreOffice, 140
Likert scales, 125, 233, 255
line managers, 11
logistical threats, 72–73
Lord Kelvin, 51
M
managed coordination, 104
Managing the Unexpected (Weick and Sutcliffe), 203, 220, 242, 265, 274, 313
Mann Gulch fire, 269–270, 273–274, 322
mapping. See security culture maps
mapping tools, 140
market cultures, 95–96
Marshak, Bob, 61
Maslow, Abraham, 31
mean, 85
media, choosing, 184
median, 84, 85
metis, 324
migrating authority, 314–315, 320–321
mindfulness, 225
Minority Report, 197
Mistakes (Gardner), 276
mistakes, learning from, 230
MITRE, 226
mixed methods research, 89
mode, 85
monoculture, opposite of, 28–35
Monte Carlo simulations, 163–164, 168
moving the fence, 24–26
Musk, Elon, 48
Myatt, Mike, 9

N
National Institute of Standards and Technology. See NIST
National Near Miss program, 226
National Transportation Safety Board (NTSB), 225
National Vulnerability Database (NVD), 290
near misses, 225–226
NeoOffice, 140
The New School of Information Security (Shostack), 60
NIST, 194
nominal data, 83–84
Normal Accidents: Living with High-Risk Technologies (Perrow), 207
normative scales, 125
Nye, Joseph, 375
O
Occupational Safety and Health Administration (OSHA), 225
Occupy Wall Street movement, 10
OCTAVE, 62
Open Systems Interconnection (OSI) reference model, 92
operational power, 241
operations
  embedding operations value into the security program, 259–260
  embracing the sharing economy, 260–261
  exceptions to the rules, 251–252
  forming a bigger picture, 246–247
  keeping your eyes open, 245–246
  listening to the system, 247–249
  security operations unplugged, 244
  sensitivity to, 206, 241–243
  sharing operational assessments, 252–253
  testing expectations against reality, 249–251
  thinking like scientists, 260
  See also security value of operations
opinions, 248
ordinal data, 84
organizational culture, 8
  Apple, 40
  culture by the numbers, 51–53
  Enron, 43
  frameworks and models, 93
  iceberg metaphor, 43–47
  and leadership, 56
  link to organizational performance, 47–49
  origins of, 41–42
  outcomes, 42
  PayPal, 48
  qualitative measure and techniques, 50–51
  qualitative vs. quantitative measurement, 49–50
  research, 57
Organizational Culture Assessment Instrument, 146
Organizational Culture Assessment Instrument (Cameron and Quinn), 102
Organizational Culture Survey (Denison), 102
organized complexity
  problems of, 286
  See also complexity
outcomes, evaluating, 55–56
outsourcing, 273
Overcoming Obesity: An Initial Economic Analysis, 68
oversimplification, 295–296
overtraining people, 270–271
P
paranoia, 33, 224
pass audits, 107
Payment Card Industry Data Security Standard. See PCI DSS
PayPal, cultural migration of, 48
PCI DSS, 11, 15, 106, 108
penetration testing, 107, 231
people, securing, 376
people-centric security, 12–13, 17
    aligning culture and behavior, 347–356
    framing, 375–377
    putting people-centric security to work, 377–379
    strategies, 378–379
PEPL
    emotional threats, 66–68
    logistical threats, 72–73
    overview, 62–64
    political threats, 64–66
    psychological threats, 68–71
performance, link to organizational culture, 47–49
Perrow, Charles, 207
political threats, 64–66
PollDaddy, 176
    See also Security Culture Diagnostic Survey (SCDS)
Popper, Karl, 298
power dynamics, 361–362
power of labels, 288
preoccupation with failure, 205
presentations, 184
Prezi, 184
privacy, 178–179, 374
problems
    rewarding problem-reporting, 228–229
    seeking out, 227–228
Process Culture, 100, 104–106, 108
    and the security value of operations, 350–351
process improvement, behavioral models, 194–195
project deadlines, 23–24
project managers, 11
psychological threats, 68–71
Q
QSAs. See Qualified Security Assessors
Qualified Security Assessors, 193–194
qualitative data, 84, 87–88
    combining qualitative and quantitative data, 88–90
qualitative measurement of culture, vs. quantitative measurement of culture, 49–50
qualitative research approaches, 52
quantitative data and analysis, 83–86
    combining qualitative and quantitative data, 88–90
quantitative measurement of culture, vs. qualitative measurement of culture, 49–50
Quinn, Robert, 102
R
radar chart maps, 147–148
ratio data, 86
rational goals, 106
reality
    expectations and, 243
    testing expectations against reality, 249–251
red teaming, 107
reluctance to simplify, 205
resilience
    commitment to, 206
    creating skill benches, 272–273
    embedding resilience value into the security program, 282
    failure practice, 275–276
    under fire, 269–270
    imagining failures and disasters, 267–268
    overtraining people, 270–271
    responding to security incidents, 282–283
    rolling with the punches, 266–267
    stretch goals, 274–275
    when bad things happen (to good organizations), 264–265
    See also security value of resilience
risk
    ignorance and, 290–291
    reduced risk and costs from incidents, 162
risk tolerance level, 22
Roytman, Michael, 289
Rubik’s Cube effect, 11, 35
Russell Reynolds Associates, 365
S
safety culture, 6
Sarbanes-Oxley, 11, 15, 43
SCADA, 373
SCDS. See Security Culture Diagnostic Survey (SCDS)
scenarios
    FOXTROT Integrators, Inc. (case study), 166–168
    testing, 168–169
Schlosser, Eric, 316–317, 331
Schneier, Bruce, 374
“Science and Complexity”, 286
scoring systems, 289–290
Scott, James, 323–324
SDLC process, 22–27
security
    design, 20–22
    and global culture, 41
    as a subculture, 30
    why security fails, 20–28
security awareness managers, 11–12
security awareness, supercharging, 379
security awareness teams, 11–12
    leveraging cultural change, 36
security culture, 6, 10–11
    change agents, 35–37
    communicating, 183–185
    direct benefits of security culture improvement, 160–162
    estimating the financial impact of security culture, 162–164
    hacking, 13
    levels of strength, 166
    making security cultural, 38
    measuring, 82–93
    See also transformation
security culture diagnostic project
    analyzing responses, 180–181
    building the project team and plan, 174–175
    collecting data, 175–179
    data management and storage, 179
    defining the context of the assessment, 172
    defining the project strategy, 171–172
    direct benefits of security culture improvement, 160–162
    engaging other stakeholders, 173–174
    engaging senior management, 172–173
    executing, 170
    marketing and positioning the project, 177
    performing a cost/benefit analysis, 172
    setting up the project, 171–175
Security Culture Diagnostic Survey (SCDS), 116, 119–122, 175–176
    blending with Security FORCE projects for improved cultural maturity, 355–356
    case studies, 128–138
    collecting honest responses, 179
    and cultural leadership, 366
    ensuring privacy and anonymity, 178–179
    how surveys work, 117–118
    interpreting and communicating results, 181–185
    interpreting results, 151–156
    organizing respondents, 176–179
    questions in the SCDS, 118–125
    scores aligned with CSCF quadrants, 180
    scoring methodology, 125–126
    scoring the results, 126–127
    using independently, 349
security culture maps
    bar charts, 146
    comparing cultures, 156–158
    composition of a SCDS-based culture map, 143–146
    creating, 180–181
    mapping specific values and activities, 149–150
    Organizational Culture Assessment Instrument, 146
    overview, 141
    radar chart maps, 147–148
    using the CSCF, 141–143
    when to use each type of map, 148–149
security culture scores, 180
security culture transformation. See transformation
security event and incident management (SEIM), 240, 245
Security FORCE Behavioral Model, 202, 377–378
    adapting to leadership, 365–367
    alignments with CSCF, 349–353
    and behavioral leadership, 367
    core values of, 209–211
    managing failure, 377
    origins of, 203–208
    overview, 208–209
    using independently, 349
    value behaviors, 211–212, 213
    value metrics, 212–215
Security FORCE Metrics
    for complexity, 302–304
    for expertise, 326–328
    for failure, 234–237
    for operations, 256–259
    for resilience, 279–281
Security FORCE projects
    blending with SCDS projects for improved cultural maturity, 355–356
    costs and schedules, 338–339
    examples, 343–347
    leadership support and engagement, 339
    managing, 338–340
    respondents and data, 340
    stakeholder engagement, 340
    supporting transformation with, 338–340
    value of, 338
Security FORCE Scorecard, 341–342
    and Security FORCE Metrics, 342–343
Security FORCE Survey
    complexity, 301–302
    expertise, 325–326
    failure, 232–234
    operations, 255–256
    resilience, 278–279
    scoring, 233–234, 341
security practitioners, leveraging cultural change, 37
security process improvement, behavioral models, 194–195, 198
security program management, ISO 27001, 14
security researchers, leveraging cultural change, 36–37
security threats, 34–35
security value of complexity, 211
    assessing complexity value behaviors, 300–304
    improving complexity value behaviors, 304–307
    key value behaviors, 294–300
    overview, 286–289
security value of expertise, 211
    assessing expertise value behaviors, 324–328
    improving expertise value behaviors, 328–331
    key value behaviors, 317–324
    overview, 311–317
    and the Trust Culture, 352
security value of failure, 210
    assessing failure value behaviors, 232–237
    and the Compliance Culture, 351
    defined, 220
    embedding into people, 237
    embracing failure, 223–224
    fail small, fail fast, fail often, 224–225
    “failure is not an option”, 220–221
    improving failure value behaviors, 237–238
    key value behaviors, 226–230
    reevaluating failure, 221–223
    tracking the seeds of failure, 225–226
security value of operations, 210
    assessing your operations value behaviors, 255–259
    improving operations value behaviors, 259–261
    key value behaviors, 244–255
    overview, 240–244
    and the Process Culture, 350–351
security value of resilience, 210–211
    assessing resilience value behaviors, 278–281
    and the Autonomy Culture, 351–352
    Estonia, 277
    improving resilience value behaviors, 281–283
    key value behaviors, 270–277
    overview, 264–270
Seeing Like a State, 323–324
SEIM. See security event and incident management (SEIM)
senior leadership
    engaging, 172–173
    leveraging cultural change, 35–36
sensitivity to operations, 206
Shannon, Claude, 286
sharing credibility, 321–322
sharing economy, 260–261
sharing expertise, 273–274
Shostack, Adam, 60, 62, 86
simplicity
    problems of, 286
    See also complexity
Simply Complexity (Johnson), 286
skill benches, 272–273
Snowden, Edward, 374
social engineering, 8
The Social Psychology of Organizing (Weick), 203
social security, 371
soft power, 375
software development life cycle process. See SDLC process
software of the mind, 8–9
    See also culture hacking
Spitzner, Lance, 162, 330
stakeholders
    engaging, 173–174, 340
    improving board and business stakeholder engagement, 378–379
statistical alchemy, 69
statistical terms, 85
stereotypes, 90–91
stretch goals, 274–275
STRIDE, 60, 62
structural authority vs. structural knowledge, 312–313
SurveyGizmo, 176
    See also Security Culture Diagnostic Survey (SCDS)
SurveyMonkey, 176
    See also Security Culture Diagnostic Survey (SCDS)
surveys, 90
    how surveys work, 117–118
    See also Security Culture Diagnostic Survey (SCDS); Security FORCE Survey
Sutcliffe, Kathleen, 203
    on the Columbia space shuttle, 313
    on degrading gracefully, 267
    on engineering culture, 242
    on failure, 222, 223
    HROs, 204
    on resilience, 265
T
TechExec Networks (T.E.N.), 363
technology, behavioral models, 196–197, 198
techno-romanticism, 31, 37
terminology, statistical, 85
Thiel, Peter, 48
Threat Modeling: Designing for Security (Shostack), 60
three sigma rule, 167
top-down “cultural change” strategy, 54
training, overtraining people, 270–271
transformation
    behavioral models for, 192–199
    describing in terms of cultural capabilities maturity, 334–335
    the framework for, 191–192
    influence and, 365
    overview, 334
    supporting with Security FORCE projects, 338–340
    See also Cultural Capabilities Maturity Model (CCMM); diagnosis and transformation
transparency, 176
Trust Culture, 100, 112–114
    and the security value of expertise, 352
Trustwave, 193
turf wars, 64–65
U
uncertainty challenge, 289–290
V
vendor bias, 66
visualization tools, 140
visualizing culture, 92–93
W
warning signs, 22–23
Weaver, Warren, 286, 304
Weber, Max, 104, 106
Weick, Karl, 107, 203
    on the Columbia space shuttle, 313
    on degrading gracefully, 267
    on engineering culture, 242
    on failure, 222, 223
    HROs, 204
    on the Mann Gulch fire, 269–270
    on resilience, 265
Whorf, Benjamin, 288, 292