Creating a Security Culture Where People Can Admit Mistakes
In cybersecurity, user error is the symptom, not the disease. A healthy culture acknowledges and addresses the underlying causes of lapses.
April 11, 2022
Already have an account?
Andy Ellis, advisory CISO for Orca Security and a longtime Akamai veteran, likes to tell a story about a potentially serious security incident. One of his team members was testing the email integration of a new incident tracking system. Unfortunately, the test email, titled "[TEST] Meteor strike destroys the headquarters," went to everyone in the company and created a loop that crashed the mail servers.
As Ellis recounts, "The next day the responsible employee tweeted a picture of themselves training for a 5K run, and I replied, 'Preparing to outrun the meteor?'"
The serious lesson from that is to acknowledge but forgive errors. "He's said, many times, that he knew at that moment it was going to be OK," Ellis says. "Creating a safe culture requires a lot of practices, and one of them is closure. Humor is a great way to provide closure because you rarely laugh about something that is still creating tension."
There isn't a lot to laugh about in cybersecurity, with security teams fighting off a growing number of cyberattacks and deploying protective measures for a fast-evolving environment. But security shouldn't be about browbeating people into doing the right thing or scaring them with the prospect of punishment. For security to be a team sport, you need to make people want to play.
It's vitally important to your business to create a security culture — that is, an atmosphere in which someone who messes up and breaks something feels they can report it without getting blasted for their actions. This idea isn't new, but considering recent analysis about how some companies aren't backing up their source code, sometimes stories need to be repeated. Here's how to build an organization that encourages people to admit their mistakes.
About the Author
You May Also Like