On creating a security culture that is more realistic and better aligned
“100% security does not exist!” is one of the many mantras you’ll often hear security professionals repeat. So even with all the technical controls, procedures and training modules, our organisation will never be safe? We can still fall victim to a hacker attacking us with ransomware? Yes, even with millions invested this is still a possibility. You can be forgiven for finding this thought a bit depressing. However, it forces us to think about the nature of security: what is it about and what is its purpose?
The terrifying reality of security
At its core, security management deals with a handful of questions: who are we as an organisation, and which assets and resources do we have that are of value? Who might be interested in them and which events might lead to harm? What is it that they can exploit in their attempt? What can we do to prevent this from happening, or how can we respond to minimise damage when it does? How do we know these mechanisms work as intended and what more remains to be done? Security management is aimed at answering these questions and thereby protecting the organisation from danger or harm. But it is a goal that does not seem to be attainable.
The context of an organisation is constantly changing; organisations operate in an increasingly globalised and complex world, working as agile as possible to keep up with limited time and resources. Even if you comply with every standard and implement every best practice, a sophisticated opponent with enough time and resources may find a way to enter your organisation and cause disruption. A frequently used saying reflecting this is “it is not so much a question of ‘if’ you’re going to get hacked but ‘when’”. There are also what we call ‘black swan risks’: events so unexpected that it is impossible for organisations to manage them properly or track them at all (e.g. the September 11 attacks or the 2008 financial crisis). However, black swan risks do seriously affect organisations no matter how unlikely they may seem.
On turbulence as a property of the nature of being
We must internalise that risks are an important aspect of business and of our very existence as humans. From the moment we are born we are thrown into a world and exposed to risks. It’s only natural for people to deal with risks; it is part of the way we learn and grow as humans. For organisations, risks and the crises they cause are a default mode of organisational development. The world dips into recession every few years or so and no matter how hard governments try, and how hard people blame them for it, our attempts to change this cycle always fall short.
But if risk is the negative property of chance, its positive counterpart – opportunity – is also inherent to our existence, something risk professionals sometimes forget in their eagerness to do their job. We develop a very narrow frame of mind when focussing only on the negative aspects of every decision. We create narratives about ourselves – as everyone does – in which security professionals are the knights in shining armour trying to protect the organisation whilst dealing with stubborn people who do not have their priorities straight. But there are more perspectives to consider than the risk management one when making decisions about an organisation.
“Safety first!” is another great creed, but when you think about it, why? Aren’t there other values that can compete for this position? How about happiness first? Growth first? Success first? People first? Surely safety is an enabler, of instrumental rather than intrinsic value, and shouldn’t be pursued for its own sake.
The flipside of the coin
Well, what harm can it do to make the organisation more secure? It’s for the betterment of every employee and customer, after all? And you’re not wrong: security is of huge importance and should be a priority for every organisation. However, an over-fixation on risk also has negative effects. ‘Iatrogenesis’ is an ancient Greek term that refers to the bad side effects of well-intended actions, and it is very applicable when security is done wrong. Security can clash with almost every other aspect of business or human life: seizing opportunities, privacy, usability, (work) happiness or, on a societal level, even justice and democracy. So how much risk reduction will a particular control deliver? As we’ve said, we are always left with residual risk; an attack can still happen. So is the risk reduction worth the costs?
Organisations are juggling many interests when making decisions on IT, organisational development or security. Experts often advocate only for their own interests, and we lack the tools to balance them properly. Investments are typically analysed in terms of ROI while risks are measured against a risk appetite. These concepts are often talked about but difficult to implement and very limited in what they consider. After all, not all gains or losses can be properly quantified. The traditional, linear economic view of growth is increasingly seen as too limited for the modern age. In other fields, institutions are starting to work with ‘doughnut models’ for a more inclusive view of development, something that can be adapted for IT as well.
We shouldn’t cripple organisations by looking solely at the risk perspective, and we shouldn’t irresponsibly accept risks by looking only at user experience. If you have only just started examining the security of your organisation, then you probably have a lot of work to do. But for organisations reaching higher levels, maturity also includes asking the bigger questions and re-prioritising. We should make informed decisions from a pluralistic perspective that includes all the interests of an organisation. Every security book starts this way, but true alignment with business objectives – through realism – is the key to properly implementing security.
A more realistic approach to security
We should rethink what we mean by security. We can’t prevent every attack from happening or every crisis from occurring. The monster of the Hydra is often used to describe this threat aspect of security: every time we’ve dealt with an issue, a new problem pops up. However, the monster can also be used as a metaphor for the way we should organise our security response: as an ongoing effort. Antifragility, as described by Nassim Nicholas Taleb, is an interesting concept that elaborates on this. Typically, security is concerned with taking a fragile system and making it robust to events of turbulence, but this is not enough. Life is turbulence and there are too many interests that require harmonisation. True control is both unattainable and undesirable. An antifragile system benefits from disturbance, because disturbance makes the system stronger.
Moving on from the old – controlling – notion of security towards an antifragile approach allows for different decisions to be made, which creates more opportunities to learn and grow. This requires a more realistic frame of mind: ditch the blame game and the tendency to control or to jump to solutions. Let’s reflect on our priorities and bring it on, through dialogue, realism and a true consideration for other narratives. Yes, it will hurt at times, but we will be stronger for it. Not just from a security perspective, but in every aspect of our development.