When Culture Eats Strategy For Breakfast

A Mature Cybersecurity Culture is Vital Part 2

In Part 1, culture was defined as, “A way of thinking, behaving, or working that exists in a place or organization. It is a set of shared attitudes, values, goals, and practices that characterizes an organization.” Culture is about creating a unity of purpose in the organization’s people. The current security strategy of most critical infrastructure corporations is the continuous expansion of technology and the minimizing of human involvement which may be limiting the corporation’s full potential for a mature cyber hygiene model built on knowledge, awareness, and desired behavior.

There is a very good reason for increasing the emphasis on improving the security performance of people in a cyber hygiene model1Every cyberattack was planned and executed by a person! ” There’s a fine line between the deeply technical, scientific part of cybersecurity, and the people part, which we spend less time talking about – the stuff that actually enables a sustainable transformation. We’ve seen how one without the other can fail.”2

The question the organization’s C-Suite must answer is: How invested are we willing to be in building a mature cyber hygiene model of frontline employees?

Only three things happen naturally in organizations: friction, confusion and underperformance. Everything else requires leadership.”― Jinan Budge, Principal Analyst, Forrester Research

Friction, confusion, and underperformance are the hallmarks of far too many cyber hygiene models today. As such, leadership must place a greater emphasis on human nature in their efforts to effectively embed cybersecurity within the corporate culture. The ability of an organization to persevere in the volatility and chaos that increases as the era of digital transformation evolves is dependent on every employee performing their role within the procedures and policies of the desired security behavior. The underperformance of a person, in any effort, is often due to a lack of appropriate and effective training, mentoring, and communication required to develop the person’s mindset and subsequent perspective on the value the organization places on that effort.

Quantum physics tells us that nothing that is observed is unaffected by the observer. That statement from science holds enormous and powerful insight. It means that everyone sees a different truth because everyone is creating what they see. Remember the earlier definition of culture which equates to getting people to see a common truth (i.e. shared attitudes, values, goals, and practices) as the objective of a mature cyber hygiene model.

In that regard, in the book Left of Bang the practice of combat profiling which is taught in the context of being able to more quickly assess physical threats related to human behavior, has value in its implementation towards maturing the cyber hygiene model. Combat profiling is a practice based on a proactive mindset that incorporates many specific skills with four of the most strategic being: 1) situational awareness, 2) sensitivity of baseline and anomalies, 3) critical thinking, and 4) decision making.

Teaching Decision-Making: Know Yourself and Know the Other

In The Art of War, Sun Tzu advises “Know Yourself and Know the Other and victory will be certain”. Through training and testing front-line workers in these skills, the organization has metrics to better determine how well they are performing against the objective of “Know Yourself”. Since attacks are planned and executed by people, the development of these profiling skills regarding the adversary’s tactics, techniques, and procedures, improves the front-line worker’s ability to profile adversarial behavior while executing their operational role. Improving the worker’s ability to detect anomalies in the daily performance of their role contributes to the organization’s effort to “Know the Other” as Sun Tzu advocates.

Anyone who operates in a complex and potentially hostile environment must make tough decisions under severe duress, usually with little time and information (the classical definition of a cyberattack). Few people are ever taught how to make a decision. Decision-making is either something you are assumed to have learned throughout life or is taught as a lengthy, deliberate process. Teaching decision-making, at all levels of the organization, regarding the proper behavior, is key to having a mature and high-performing cyber hygiene model.

Both organizationally and individually, teaching decision-making will be most successful if taught using the perspective: “Never tell a person how to do things. Tell them what to do, and they will surprise you with their ingenuity”3 In knowing what to do, the individual instinctively feels they are seen as competent, a basic human need, and the security leader is confident that what is done is performed in accordance with the security team’s intent. The trust necessary to reinforce this principle of delegated decision-making is built through the continuous training and preparation effort to mature the necessary cybersecurity aspect of the organizational culture.   

By delegating the authority to make early detection decisions and tailoring communications with the aim of arming the frontline personnel with the “bigger picture” into which their actions fit, they will vigilantly follow the directives of the action plan.  

Considering Human Nature

A person’s ability to make decisions is mostly due to a person’s knowledge and life experiences (i.e. mindset). A culture that stresses intuition and inference can fall short by teaching that the development of this powerful force is nothing more than situational awareness and sensitivity based on knowledge and experience. A mature cyber hygiene model strives to continuously develop additional mental models to improve the mindset of each person.

Done properly, a culture of Recognition Primed Decision-making (RPD) enables a person to intuitively identify a pattern in a situation, quickly determine a course of responses without time-consuming analysis, and minimize deliberation in order to act in accordance with the security leader’s intent. Such intuitive decision-making is most beneficial in types of situations that are time-constrained, high stakes, uncertain, and constantly changing.

Perfect decisions aren’t possible. Many problems cannot be solved optimally no matter how long or hard we may think about the problem before deciding a course of action. The objective is to act violently and quickly in order to seize the “Tempo”4 and cause the adversary to react to the defender’s response which enables the organization to take control of the situation.

I would submit that in designing and implementing the appropriate training and preparation required to achieve RPD, the organization must consider the principles of human nature. 

In the final series on the development of cybersecurity in organizational culture, the principles of human nature that are most applicable to the effort to build and maintain such a culture will be presented.

I would like to express my thanks to Hazel Chappell, Founder – ishca health llc for her contributions and suggestions to the writing of this article.

1 As part of the organizational culture, the objectives of the Cyber Hygiene Model are 1) Increase security knowledge, 2) Heighten awareness of the threat environment, and 3) Develop and maintain the desired security behavior

2 Jinan Budge, Principal Analyst, Forrester Research

3 General George S. Patton

4 Tempo is relative speed in time. The competitor who is able to respond faster than the opponent can identify opportunities and make decisions that force the opponent into a constant state of reaction. The constant state of reaction results in breaking the opponent’s will to continue the attack and causes a move to another target.

Read more: