I sometimes talk to executives about how employees and their fellow executives at the company view security, and about cultural issues around security. They often tell me that, generally speaking, people are on board with the necessary work to keep things safe. I've yet to hear someone tell me that people pride themselves on working around security teams and programs so they can run the business more efficiently. I've heard a number of stories that include facts about their compliance efforts, how they train employees, and sometimes about how they use metrics to improve their security posture.
Those are all great things, and in most cases I learn something. But here's what I'm up to: I'm asking a direct set of questions. In every case I can remember, I get a positive view of how the company thinks about security. Sure, there are staffing issues, and many problems that keep people up at night, but the general answer I get is “we have a culture of security at our company.”
Then I switch gears and start asking indirect questions, questions that may reveal a different slant on the issue of security culture. For example, I ask “Tell me about a time when your IT and Security teams needed to make a controversial and unpopular change,” and “Tell me about how management supported them,” and “What was the outcome months later?” Sometimes I get a good story showing leadership from the IT/Security teams, and backing from management. But I've also gotten responses like “Bob, I'm proud to say that our IT and Security teams have never ruffled any feathers. They've always found solutions that improve security without upsetting anyone or adding any friction to the business.” I don't know about you, but that sort of answer does not ring true. It's more likely that the security team isn't pushing the company to evolve to be more secure, or isn't capable of doing so. Other indirect questions also tend to back up this conclusion.
The culture of security in an organization is defined more by the way it encourages or discourages hard decisions than any other factor. Talking about metrics is good, training is great, and so on. Everyone has to do those things and they're hard. But on the topic of culture, we should be asking ourselves about stories. Stories are the way real cultures are made. Stories tell of love and fortunes won, and lost. They give an emotional energy to work that no policies and procedures manual can. (Though if you are good, you'll write those otherwise boring and lifeless documents in a way that will engage people.)
Stories also are the way people communicate the real incentives in an organization. Sure, there are performance reviews, bonus plans, and team charters. But those corporate tools will often struggle to keep up with the way people share stories at the water cooler and over drinks.
Consider this story: The CEO is traveling overseas and breaks her phone. She needs to log into her mail account and the system is asking for her 2-factor code. Since the 2-factor code is generated on her phone, she's unable to get access to mail. She has to buy a new phone, and spend time on the phone with the security team (who are pulled in to make sure it's really the CEO rather than a social engineering attack/test) to get it reinstated. Time zone differences and getting the right people involved result in her losing over a day of productivity. She's clearly upset.
How would this story play out in your organization?
(a) The CEO cools down after a day and gets over her frustration. At the next company all hands, she tells the complete story. She explains she was upset at the downtime while traveling on business. Then she explains why the security of the customer data is more important than the personal productivity of any one person, even the CEO. She praises the cross-functional teams that came together to design, implement, and maintain these security systems. In her story, she puts the focus on the customers and the trust they give the company every day, and how it's critical in these dangerous times to have a bias towards security.
(b) She gets over her frustration, and eventually gets back to work. But she tells no story. Perhaps she asks the security team to research alternatives for future cases where executives are traveling.
(c) She orders the security team to disable 2FA for mail company-wide until they come up with a better plan for handling escalations like this. It's not reasonable to have people out of work when they break their phone.
I wonder how many of you reading this post will answer (c). How an organization responds to these conflicts is the definition of its culture of security. What matters for culture is how you react when people are uncomfortable, unable to work, forced to change their processes, and need to take on new and routine work. What core principles win? Do you have written and exhibited patterns that put the safety of your customer data first? What about when it costs an employee some productivity? What about when it's the CEO? What about when no one at the company can send email or use the VPN because the 2FA server/service is down for a day?
These stories telegraph to all employees how the organization actually values security, regardless of slogans, emails, and policy documents. When the security team asks other teams to do work to improve security, these stories will remind people how valued security is. The real incentive structure will be communicated by these stories.
What security stories does your organization have? I honestly want to know! Drop me a line on Twitter at @boblord. If you want to remain anonymous, send me a DM.