
Culture Change Is Hard

We (the IT community) don't push for cultural change because it requires persistent and dedicated long term work. That runs counter to the usual pace of technology. We (the security community) are even worse off...


Reasonably Accurate Transcript

OK, good morning, everybody. Well, it's morning for you. It's afternoon for me. Um, I am coming to you live from Frankfurt, Germany. Today, I am here at a partner event. Um, I gave a keynote this morning, um, but having lots of great discussions, lots of great meetings today, um, really around culture change.

So I'm talking to a bunch of security folks, um, and discussing the difference, uh, the DevOps cultural shift and how that's a huge advantage and possibility for security. But I've gone over that a bunch. I've talked about that before on the show this morning with Mars.

What I wanted to talk about was the overall challenge around cultural change. So I find it really frustrating sometimes and I'm sure you guys do as well that culture change takes a long time. A lot of little movements forward and every once in a while, push back, it takes time and a consistent effort, persistent effort.

It is very, very difficult, and from living in a technology world, living in the cybersecurity world, it's very, very tempting to push towards technology solutions, right? So I had a discussion with our product team a while back about their push to microservices. And I raised a question that was a little sensitive.

And I said, you know, is this push reflective of the process in the organization, or is it really the best architectural design? And that comes up again and again in security. In security, we have settled on an organizational design that doesn't align with our outcomes.

Taking all the security expertise, putting them in a, in a pile in a team, and isolating that team from the rest of the company doesn't make any sense. Logistically, it does not align with the outcomes, yet everyone does it because that's the way, because it's easier, because cultural change is really, really difficult.

And that's the thing I find I always have to remind myself about: implementing culture change takes a lot of little efforts. It takes a long, persistent look, it takes the long view, and in technology, we're constantly pushed back towards the short view.

So how does that tie specifically to privacy? How does that tie specifically to security? Well, it really comes down to creating the culture that you want, creating a culture that respects privacy, creating a culture that thinks about security. That's hard, it's really hard to do, but you can't, you have to start somewhere.

So what I normally suggest is for people to listen, to understand, to talk to other peer teams. So if you're the security team, stop sitting around and having coffee with your team. Not ignore your team, you're still on a team, but get out there and talk to the development team, talk to the business.

Humans, start talking to people, start understanding their points of view, because that can start to help move that culture forward. You're all working towards the same goal. Nobody sits down wanting to write bad code. Nobody starts their day trying to make a configuration change that leaves you vulnerable.

This is all perspective, it's all perception, it's all collaboration. There are no easy answers. And I know personally I have to continually remind myself about that, especially in the role that I play, where I come and talk to an organization for a day and leave.

I can't effect culture change. I can get people thinking about it. But that's a definitive difference from what I'm used to, where I can come in and explain a technology and say, listen, you can't like this, you deploy it like this, or take an approach, this security policy will implement what you want.

It's really interesting, and there are a lot of second-order effects when it comes to cultural change. We see that in policy, we see that in governance, we see that in any number of organizational things, and this gets way out of most people's comfort zone.

There are a lot of soft skills, there are a lot of people, there's a lot of involvement here, but it really might be the takeaway, what I wanted to remind you of today or bring to your attention, because I am here at this great event being reminded of it, working with a partner, Trend Micro, and working with all their solution architects and all their consultants.

I am reminded that culture change is probably the number one thing that we should be working on as the security community. It's also the toughest thing that we do because we don't do it right now. We really need to adjust. We really need to change our angle.

And remember that while you're implementing technical controls and technical policy, the goal here is to get people to start to think differently, to understand that they have a security-first mentality, a security-first mindset. In order to do that, you need to start working on and adjusting people's perceptions of security. That comes with every micro-interaction you have with them, that comes with the tools that you put in front of them, that comes with the discussions you have with them.

It comes with the process gaming that you put in place around projects and governance. All of it adds up to culture, all of it needs to be continuously reinforced, continuously maintained. This is not a one-time event, this is like gardening, this is a constant, persistent, year-long, years-long effort.

In fact, it never ends. I think it's valuable. I think it's important. I'd love to hear what you think. Hit me up here online, marknca, in the comments down below if you're watching this post at a words, or as always by email at Maran dot ca. I will not be on tomorrow because I'm traveling back to North America, but I hope you have a great weekend, and I will talk to you online and I will see you all on Monday.

Take care.
