Photo Credit: Curtis Gregory Perry via Compfight cc
It is my firmly held belief that one of the most sensible and effective things an information security practitioner can accomplish is the development of a sound security culture within the organisation they are tasked to protect from harm. There are a number of ways a ‘culture’ can be defined, but the best I’ve heard is ‘it’s the way we do stuff round here’. A culture is the result of a mass of drivers, which include the attitude of senior managers, the location, the management structure, the predominant nationality of staff and so forth. One thing’s for sure – culture is complicated, and requires patience, subtlety and intelligence to understand, and another dose of the same is needed to change it. The problem is, organisations are complex, and are supported by complex systems.
Complex systems don’t behave in simple ways. You can’t flick a switch and see an immediate, predictable, mechanical response. So often you hear someone complaining about a cold spell during the summer, and make a fatuously idiotic statement such as ‘well, what’s all this global warming about then? Why is it cold and rainy’? The answer is simple; the fatuous idiot is failing to understand the difference between climate and weather.
- Weather is tactical.
- Climate is strategic.
In information security terms, weather is similar to a ‘security awareness programme’. Global warming is ‘security culture change’.
You could look at many long term trends, and then select a section of it that runs counter to the overall trend. This seems to contradict the long term. So it goes for climate change. If all you remember is a couple of cold summers, then you may well denigrate the current climate change theories. Given the mass of evidence, you would be wrong.
That’s the trouble with people – they have only a short term memory. Corporations have a memory span – it degrades to almost zero after about 20 years, when all the wise old heads who remember to disaster, terrible event (or remarkable success) have retired and/or died. In terms of climate change, 20 years is a blip. In terms of organisational security culture, it’s just about significant. It takes years to build a culture – it will take years to change it.
Climate change has another feature – it can contain ‘tipping points’. These are instances in time when the game changes – it ‘tips’ a system into a new paradigm. For example, it may be the initiation of a new, self-sustaining trend, such as when sea temperatures rise to a point when it can no longer hold the same mass of CO2, which causes a sudden, potentially catastrophic release of the gas that in turn increases global temperatures. I think that security culture change may contain similar characteristics. If we can spot the tipping points that can work to our advantage, we need to work towards them.
However, complex systems need a broad approach to change. And we have to realise that there are some things we can change, and many we can’t. Climate change provides a further example. It has many driving factors, such as:
- Changes in the sun’s output
- Changes in the Earth’s orbit
- Natural disasters (volcanoes and so forth) that change the amount of solar radiation received
- Cyclical changes in the oceans (El Nino for example)
Even though we humans are pretty handy, there’s very little we can do about these. In security terms, there’s not a lot we can do about, for example:
- The global economy
- Wars
- The ambitions of nation states
- The ability of organised crime
What we can do needs to be identified. In climate terms, we can limit our output of CO2 via many routes (better public transport, more efficient cars, insulated homes, zero-emission power generation and so forth). In security terms, we need to do similar. The first thing we should do is the same as has been done by the climate change lobby. We need to convince our people that changing the way we behave in regard to security is essential. We’re some of the way down the track here, but to really make a difference, and reach a true tipping-point, this will take time, but we will suffer constant knock-backs. People will think we’re barriers, obstructive and unhelpful. We need to ensure people buy-in through persuasion, example and solid evidence. We need the equivalent of eco-warriors, articulate scientists, presentable front-men (and especially women – there are far too many guys in this profession). We need facts – not horror stories. We need to do it constantly – again and again. Incidents won’t go away, but the long-term trends should go down. If they don’t, I’m wrong. I don’t think I am.