Cybersecurity In-Depth: Feature articles on security strategy, latest trends, and people to know.
5 Ways to Run Security as a Meritocracy
Actions speak louder than words. Here are five tips for encouraging a security culture based on achievements.
I remember watching the space shuttle Challenger launch as a child. The launch was highly anticipated, and my fellow classmates and I gathered in the school cafeteria to watch the one television that had been placed there and connected to broadcast signals. In 73 seconds, wonder turned to amazement, which turned to confusion, which turned to horror. I will never forget it.
According to Wikipedia, "The cause of the disaster was the failure of the primary and secondary redundant O-ring seals in a joint in the shuttle's right solid rocket booster (SRB)." Then-President Ronald Reagan subsequently appointed the Rogers Commission to investigate what went wrong.
As Wikipedia explains, the commission's report "criticized NASA's organizational culture and decision-making processes that had contributed to the accident." Despite knowing about a flaw in the O-rings since 1977, "neither NASA nor SRB manufacturer Morton Thiokol had addressed this known defect. NASA managers also disregarded engineers' warnings about the dangers of launching in cold temperatures and did not report these technical concerns to their superiors."
In other words, the culture at NASA was plagued by groupthink. Concerns of those on the ground were routinely ignored. People were encouraged to go along with the prevailing winds, rather than stay true to what the data showed. NASA was not a meritocracy, where advancement is based on achievement, creating a very dangerous situation that cost seven people their lives.
At this point, you might be asking yourself what the Challenger has to do with our field. It is my belief that security, as is the case with many fields, should be a meritocracy. I'd like to share five ways in which security teams can encourage a security meritocracy to thrive.
1. Stress the Importance of Actions
Each of us should be evaluated by what we've done, rather than what we've said. Indeed, it is easy to talk the talk, but far fewer have walked the walk. Solutions, approaches, and ideas that have proved effective should be given more weight than those that sound good in a speech or look good on paper but are untested or ineffective. This should be the case no matter who is speaking — however popular, charismatic, and convincing they may be.
2. Leave Out Politics
Politics, by its very nature, divides people, including security teams. I firmly believe that politics has no place in security, particularly when the spectrum of accepted political views seems to narrows with each passing day. The best option is for us as a community is to focus on the strategic, operational, and tactical issues and challenges we face on an ongoing basis, with no mention of politics at all. If, for some reason, politics should find its way into a discussion, it should be pushed aside. If you discover you don't like someone's politics, get over it — don't let it cloud your judgment when it comes to the ideas they present.
3. Avoid Groupthink
There is no shortage of historical examples where millions of people thought that an idea was good, only to have history judge otherwise. Mob mentality and groupthink are extremely dangerous. They can lead to poor and biased decisions that harm the security posture of an organization and introduce risk and vulnerabilities. On the flip side, a security program driven by data, logic, and reason will be far more effective and produce far better results.
4. Ignore Shiny Objects
No matter how shiny a new idea may appear, its merits need to speak for themselves, not its hype or who is hyping it. As we know, people can get emotionally invested in and irrationally caught up in the trend du jour. They can also have conflicts of interest. Before considering any new solution, approach, or idea, be sure to validate it. There should be an objective, unbiased way to test its merits before being required to jump in.
5. Encourage the Right Culture
Staff should feel comfortable suggesting new ideas, different ways of thinking, and novel approaches without fear that they will be ridiculed, mocked, or worse. Otherwise, many people will simply remain quiet, which will cause the organization to miss out on what could be great ideas, thoughts, and approaches. This is a huge loss for any security team, and with the pace at which the threat landscape evolves, no team can afford it.
Cream Rises to the Top
Culture influences the effectiveness and success of any organization, including that of a security organization. By creating a culture that is based on a meritocracy, organizations can ensure that they foster an environment where people aren't afraid to speak up, ask hard questions, or try different approaches. When people are empowered to do so, everyone benefits, and the pitfalls of groupthink and biased thinking are avoided. This, in turn, leads to a better overall security posture.
About the Author
You May Also Like