
Mornings With Mark
no. // 0 0 0 2

Culture Change Is Hard


Full machine generated transcript follows

Good morning, everybody. Well, it's morning for you. It's afternoon for me. I am coming to you live from Frankfurt, Germany today. I am here in a partner event give a keynote this morning on but he wants a great discussions off the grid meetings today. I'm really round culture change.

So I'm talking to a bunch of security folks and discussing the difference around, you know, the DevOps cultural shift and how that's a huge advantage in possibility for security and buttock on over that a bunch of I've talked about that before on the show this morning with Mark's. What I wanted to talk about was the overall challenge around cultural change.

I find it really frustrating sometimes and then I'm sure you guys do as well and that culture change takes a long time with a lot of little movements forward and every once in a while pushback time. It takes time and a consistent effort persistent effort is very very difficult. And I'm in from living with technology world living in cybersecurity world isn't very very tempting to push towards I'm technology solutions, right? So I had a discussion on without a product team a while back about and they're pushing microservices and I raised the question.

I was a little sensitive and I said, you know is this push reflective of a problem with the process in the organization or is it really the best architectural design and that comes up again? And again, it's security security. We've settled on organizational design. It doesn't align with our outcomes I take you all the security expertise put them in a little in a in a pile on the team and isolating my team for the rest of the company doesn't make any sense does not align with the outcomes yet.

Everyone does it cuz that's the way to this easier because it is really really difficult and that's the thing. I find I always have to remind myself about is that implementing culture change takes a lot of little effort. It takes a long persistent. Look at Take the Long View any technology.

We're constantly push to be back towards the short view. And so how does that tie specifically to privacy? How does that tie specifically to security? Well, it really comes down. I'm creating a culture that you want critical to the respect privacy. A culture that thinks about security and that's hard to do.

It's really hard to do but you can't get to start somewhere. So what I normally suggest is for people to listen to understand talk to other PTM. So if you're the security team stop sitting around having coffee with your team not ignore your team, you're still on a team, but get out there and talk to the development team talk to the business unit.

I'm start talking to people start understanding their points of view because that can start to help move that culture forward. You're all working towards the same goal. Nobody sits down wanting to write bad code. Nobody starts their day trying to make a configuration change that leaves you vulnerable and this is all you know perspective.

It's all perception. It's all collaboration. There's no easy answers and I know personally I have to continually remind myself. I'm about that and especially in the role that I play where I come and talk to an organization for a day at home and leave I can't affect. Can I get people thinking about it? But that's a definitive difference between what I'm used to where I can come in and explain a technology.

They listen to can't play like this you deploy like this or taken approach and the security policy will implement what you want. It's really interesting and there's a lot of second-order effects when it comes to culture. Can we see that in policy? We see them in governance. We see that in any number of organizational.

It's a lot of soft skills. As a lot of people there's a lot of involvement here, but it really might take away message what I wanted to remind you of today or bring to your attention because I am here this great event being reminded of it working with a partner Trend Micro.

I'm working with all their solution architects in all their consultants. I am reminded that and culture change is probably the number one thing that we should be working on as a security community. Also the toughest thing we do because we don't do it right now. We really need to adjust.

We really need to change our Hangul. I'm in remember that while you're at home. I take technical controls and technical policy. Goal here is really to get people to start to think to think differently to understand that they have a security-first mentality, a security-first mindset. In order to do that.

You need to start working on adjusting people's perceptions of security that comes with every micro interaction you have with them that comes with the tools that you put in front of them that comes with the discussions you have with them. It comes with the process gaming that comes out of that you put in place around projects and governance all of it adds up to culture.

I'm all of it and needs to be continually SLI reinforce continuously maintained. This is not a one-time event. This is like gardening. This is a constant persistent year-long years-long effort. In fact it never ends. I think it's valuable. I think it's important. I'd love to hear what you think.

Hit me up here online @marknca in the comments down below if you're watching this post it afterwards, or as always my email me at Mark n. C a i will not be on tomorrow because I'm traveling back to hats North America, but I will hope you have a great weekend, and I will talk to you online and I will see you.

on Monday pick up