In my previous post, I described a certain type of organization, one that is more reliable than a typical enterprise. These organizations usually operate in some more or less hostile and unforgiving environment. They tend to be complex. And when things break, they do a lot of damage, up to and including people dying. And yet, somehow, these high reliability organizations, or HROs, manage to actually avoid catastrophic failures better than their "normal" cousins. The good news for security programs is that the characteristics of HROs can be applied to our own efforts.
Probably the best-known HRO researcher is Karl Weick, an organizational behavior scholar who has studied what makes companies tick for decades. With his coauthor Kathleen Sutcliffe, Weick wrote Managing the Unexpected, which explains what makes HROs different from other organizations. Weick and Sutcliffe identified several key traits found in HROs, and it was this work, and others, that I found so fascinating as I worked on my Ph.D. and in the years since as a security professional. As I thought about how to apply HRO principles to security over time, I translated Weick and Sutcliffe's traits into five areas of value that every highly reliable security program will encourage. These are: Failure, Operations, Resilience, Complexity, and Expertise. These values became the FORCE model that I included in my recent book People-Centric Security: Transforming Your Enterprise Security Culture. The FORCE model is illustrated in the image above.
The important thing to remember about an HRO or an HRSP (a highly reliable security program) is that they are inherently people-driven. Highly reliable organizations reflect a different culture than non-HROs in important ways. Culture drives behavior, which drives individual decisions and choices, which of course drive results. Weick and Sutcliffe's work (along with that of the many other researchers in the field) has so much potential for security precisely because it demonstrates that people are the single most important barrier to failure, whether you are launching fighters off a carrier deck, fighting wildfires, generating nuclear power, or trying to protect data from cyberthieves.
In my next post, I will drill down specifically into the FORCE Model and explain what each of the five values means, and how it helps an organization achieve more reliable security.
BIO: Dr. Lance Hayden has spent 25 years working in information security, beginning his career as a human intelligence (HUMINT) officer with the Central Intelligence Agency. He has served as a trusted advisor to government, military, and enterprise clients across industries including finance and insurance, healthcare, retail, energy, and telecommunications. He is a leading expert on cybersecurity culture and human security behaviors. He is the author of People-Centric Security: Transforming Your Enterprise Security Culture and IT Security Metrics: A Practical Framework for Measuring Security and Protecting Data. Dr. Hayden also regularly speaks at industry conferences and contributes to security publications. He is a professor and Advisory Board member of the University of Texas School of Information, where he teaches courses on security, privacy, and the intelligence community.