Cybersecurity In-Depth

How Instituting a 'Just Culture' Improves Security

Rather than focusing on blame, the framework identifies the root cause of failure and then takes steps to fix it.

As organizations attempt to navigate today's cybersecurity frameworks, an inconvenient truth arises: At some point, even the best system will falter or fail. The ensuing chaos can put an organization at risk — and also lead to cultural breakdowns.

"People start blaming each other," says Richard Mogull, founder, CEO, and analyst at security advisory firm Securosis.

Not surprisingly, when the finger-pointing begins, the situation can become ugly very fast. At the least, tempers can flare. In a worst-case scenario, people may feel as though they're being scapegoated and wind up ignoring risks — or even fleeing the company. Amid crushing labor shortages in cybersecurity, that can spell disaster.

As a result, a framework referred to as "just culture" is gaining traction. While it isn't a panacea, it can help guide organizations through inevitable problems and help douse the fires when something goes astray.

"It attempts to fix the fundamental problem rather than pointing the blame to an individual or group," Mogull explains.

Just culture isn't about eliminating responsibility. It also doesn't attempt to sugarcoat glitches and breakdowns. It emphasizes accountability by asking, "What went wrong?" rather than, "Who caused the problem?" As Bruce McCully, chief security officer at consulting firm Galactic Advisors, says, "It recognizes that culture is at the center of successful cybersecurity."

Moving Beyond Blame
Trust, accountability, and ongoing improvement serve as the foundation for just culture. The concept has its origins in the aviation industry, though it has caught on in healthcare and many other fields.

"The realization is that many mistakes and errors occur because a system has an inherent flaw," Mogull says. "A person making an error is simply the symptom of the underlying problem."

Cybersecurity is an ideal fit with just culture, proponents argue. Today's tangle of applications, devices, clouds, and users not only makes security incredibly complex, but it also ensures that errors and problems will occur. Rather than focusing on human negligence, just culture aims to identify the root cause of the failure and then take steps to fix it.

"A culture that's focused on blame and punishment isn't likely to achieve the best possible results," says Robert Boles, president of cybersecurity firm Blokworx.

On the other hand, ferreting out the root cause of problems can prove transformative. Mogull likens the situation to a paramedic who might administer the wrong medicine if two bottles look alike, or an airline pilot who might make the wrong decision if two gauges are easily confused.

"The goal is to reduce the margin for human error and eliminate the factors that lead to a problem before it ever occurs," he says.

Within cybersecurity, for example, just culture might translate into rethinking software and workflows to avoid shadow IT, putting controls such as strong identity and access management (IAM) and multifactor authentication (MFA) in place to avoid authentication failures, and adopting protocols such as 802.1X to better control and manage network access, including wireless devices.

To be sure, the right set of tools, technologies, and rules narrows — and, in some cases, eliminates — the margin of error for humans. When they are combined with clear standards for what constitutes acceptable and unacceptable behavior, a culture of accountability takes shape.

At that point, the focus shifts from blame to responsibility. "If you notice that people aren't following a policy, then you have to take a close look at how and why they are not complying," McCully says. "There may be multiple issues to examine on the path to fixing the problem."

Out of Controls
While it's tempting and remarkably easy to find a human target when things go astray, sometimes people do mess up. When an organization identifies a clear policy violation, gross negligence, or malicious intent, the result should be disciplinary or legal action, McCully says.

Just culture recognizes this fact. Willful violations and negligence aren't swept under the rug. Individuals who make lesser mistakes receive feedback and input about how they can improve their behavior, such as not clicking links in emails or not logging in over public Wi-Fi hotspots.

The success of a just culture initiative also hinges on the words and actions of the executive suite, Mogull says. "Business leaders must accept responsibility for their culture and set the right tone," he says. "This means abolishing the blame game and promoting the idea that it's vital to fix fundamental problems."

For example, there's a need to establish formal reporting mechanisms, including the ability for people to remain anonymous. It's also critical to establish a process for thoroughly investigating incidents and ensuring that they lead to appropriate actions. Along the way, it's essential to keep key constituencies in IT, security, and the overall business informed. Finally, it's important to share data, celebrate improvements, and actively address areas that require changes.

What makes just culture so powerful is that people feel free to point out errors and problems — and they are in no way penalized for doing so, Mogull says. Instead of people being chastised or deputized to fix the problem they discovered — or for mistakes they inadvertently made — the organization rewards them.

"The end goal is to establish a culture that moves beyond egos and scapegoats and instead focuses on reducing systemic risks," Mogull concludes.