In my previous two blog posts I described highly reliable security programs (HRSPs) and why they are successful, along with the Security FORCE Model that defines their characteristics. In this post, my final post in the series, I drill down into the details of the five elements of Security FORCE.
- Failure - HRSPs don't think about failure the way most security programs do. Instead of fearing incidents and sometimes overlooking small problems until they get too big to ignore, HRSPs welcome failure as a learning experience. The cardinal rule is to keep failures small and easily fixed. So everyone is encouraged to report them and give the organization the opportunity to learn and improve.
- Operations - Most organizations have a security policy in place that defines how things are supposed to work. The reality is that most organizations don't work like the policy says they should. HRSPs are obsessed with understanding the differences between what they think is happening operationally, and what is actually happening. HRSPs hate surprises. Nothing worries them more than the words, "everything is working just fine."
- Resilience - During an incident, the difference between an HRSP and an ordinary security program is like a boxer that takes a brutal punch in the ring. Does the fighter hit the ropes, then bounce back swinging? Or do they hit the canvas and struggle to stand up? HRSPs know they will get hit. When the blow comes, they want to bounce back as quickly and gracefully as they can. Resilience is about practicing taking that punch. Failing gracefully is a skill, and takes practice. Public breaches are the most important ad hoc marketing campaign you will ever manage. Will yours inspire confidence in the market, or make you look like your organization has a glass jaw when it comes to security problems?
- Complexity - Another thing that security programs often struggle with is the idea of complexity. Our industry seems to be in a race with itself to make things as simple as possible. But "simple" and "simplistic" are not the same, and oversimplification is dangerous. When you make a complex problem simpler, you do it by adding uncertainty to the mix. That's the nature of models. Security models and frameworks make some things clearer by ignoring other things, and that can create blind spots. HRSPs are careful not to oversimplify things. They would rather spend the effort on understanding a complex problem than deal with the uncertainty and risk that comes with simplifying it too much to save time.
- Expertise - Every organization has human sensors in place, people who are closest to things and most likely to recognize when something is going wrong. What makes an HRSP is how well the organization gives people with the right knowledge the power to take action. If the expert most knowledgeable about a security problem has the least power to effect change, then failures are much more likely. HRSPs work to allow authority to migrate to where the experts are, regardless of where that expert sits on the organizational chart. HRSPs still have hierarchies. But in a crisis, they don't waste time running decisions up and down the chain out of political concerns. Leaders of HRSPs give power to the people who need it and get out of the way, while of course still monitoring and offering support.
The Security FORCE Model is designed to change the way security behavior is managed. No one is better positioned than the security awareness community to begin advocating for this change. I talk a lot in my book about how security awareness professionals are "the tip of the spear" when it comes to people-centric security. Reliability starts with them. If you're interested in learning more about people-centric security, including the FORCE model, my book is available from all the usual bookstores. You can also find resources on my website at lancehayden.net/culture and my blog at www.securityispeople.com.
BIO: Dr. Lance Hayden has spent 25 years working in information security, beginning his career as a human intelligence (HUMINT) officer with the Central Intelligence Agency. He has served as a trusted advisor to government, military, and enterprise clients across industries including finance and insurance, healthcare, retail, energy, and telecommunications. He is a leading expert on cybersecurity culture and human security behaviors. He is the author of People-Centric Security: Transforming Your Enterprise Security Culture and IT Security Metrics: A Practical Framework for Measuring Security and Protecting Data. Dr. Hayden also regularly speaks at industry conferences and contributes to security publications. He is a professor and Advisory Board member of the University of Texas School of Information, where he teaches courses on security, privacy, and the intelligence community.