How Executive Culture Can Compromise Your Security

This post is also available in: 日本語 (Japanese)

Dear Executive, 

Last night, your company was breached, and it was potentially you who allowed that to happen.  

“How is this possible?” you say. “I spent the money. I hired the people. I bought [insert flavor-of-the-year security solution]. I attended the conferences and went to the classes. We were locked down!”

Your manifold millions of dollars of security solutions and personnel were subverted in a savvy feat of technomancy by threat actors and, instead of some new zero day, they exploited a CVE from 2019. The reason they could had everything to do with your corporate culture.

“But we have great corporate culture! Our people are happy and enthusiastic!” 

While that is a valuable advantage for a company to have, through action – or inaction – leaders frequently also create a culture of intimidation and reluctance to innovate and speak out in their organizations. This happens by fostering a focus on delivering the production objectives of leadership at all costs. When security hygiene is not held in the same reverence as production, it creates an atmosphere where maintaining production levels dominates and the drive to stay secure surrenders to fear.

TL;DR: People stop innovating when they fear retaliation.    

Does This Sound Familiar?

• Production must not be impacted. 
• Rigid review board with change controls so onerous that changes, including ones to address security, move in weeks and months, not days and weeks, even in DEV.
• Patches can take months or years to go into production.
• The negative lessons of past security efforts are what are remembered, to the exclusion of  positive changes. 
• Negative comments in casual conversation by leadership continue long after the event.

Does the organization create a culture of security as a core philosophy?

• Would email delays caused by new phishing countermeasures be reprimanded or understood (given phishing is the threat mechanism most exploited by cyber criminals)?
• Should temporarily slowed traffic from newly fielded East-West firewalls be seen as a firing offense – or praised for demonstrating the initiative to inspect traffic in new places?
• Are firewalls, CASB or endpoint protection settings in “monitor/alert” mode, instead of “block,” for fear of false positives? 
• Are fears of generating trouble tickets that increase “mean time to resolution” metrics keeping personnel from using the very solutions purchased to improve security simply because it would “make their numbers look bad?”

“Fear Is the Mind Killer.”

Even casual negative comments dropped in conversation from leadership can have an effect at the working level that will make any enterprise lumber like Frankenstein instead of dancing like Fred Astaire. 

A culture of fear and retaliation flows from the top. Conversely, it must stop at the top, and not just implicitly. Understanding and wisdom must be driven from the top in outspoken terms and backed up with actions. 

The key is to rationally accept risk and explicitly state that people won’t lose their jobs due to an incident –  if they responsibly innovate. You have to back your words up with top cover. 

Being a leader means taking the heat when security innovation might cause disruptions – and having the wisdom to keep doing it. 

Creating a Better Executive Culture

So what are some simple steps executives can take to build a smart security culture?

1. Manage sideways. Partners in the executive team need to understand the explosively dynamic nature of security and the dedicated threat actors who are trying to penetrate the enterprise. Nothing will stop them forever. Nothing. Be prepared for trouble when it happens. 
2. Manage down. People need to know the executives have their backs when hard calls to support security are needed. Period. Full stop.
3. Lead from the front and then get out of the way. People have to know they can take responsible risks at work without threatening their livelihood. Take the heat for allowing innovation before even knowing what went wrong. That is the executive’s role. 
4. Watch what is said, how it was said and what is done – especially in private. Middle tier management pays the most attention to their executives when only they can hear what is said. If something is done to suggest that executives won’t truly support security measures and innovation, knowledge of this bleeds down from leadership and the organization will fall back into fear culture. 
5. Practice embracing “determined fallibility.” Understand that nobody is perfect and engineers are no less human. Learn well, forgive fully, and move on.
6. Automate everything possible. Engineers are never more dangerous than when they are bored and they can be the hardest working lazy people in the world. “What does that mean?” you ask. Many engineers will work all day to automate a step that takes 20 minutes. Let them. Once the mind-numbing work is handled, they will get to the side projects that truly increase your organization’s security maturity level. 
7. Work as hard as they do. They have to see it. Regularly. Get in amongst staff and be interested and accessible, but know when to get out of the way. This behavior will reward your entire organization in the form of dedication from your entire staff. Sequestering in an office reinforces a culture of seclusion. When executives enter workspaces, it invites feedback. 

Executives must broadcast their stance that security is an evolving field and requires agility and tolerance of change. Agile organizations are ready to embrace the concept espoused by the legendary Bruce Lee: "Empty your mind, be formless, shapeless, like water. If you put water into a cup, it becomes the cup."

Security’s “cup” will change before the paint is dry on the latest whizbang security appliance and the “water” will need to flow into it. Threats on the internet are inherently asymmetric,* and we will never know when it is coming or what form it will take. 

With the grace to tolerate calculated risk internally, Executives become the inspiration for their organization to grow. 

Without it, security becomes secondary and the organization risks becoming the news article outsiders cite in their next security expenditure justifications. 

For more on how to improve security operations, read our series, “Elements of Security Operations.”

*Asymmetric warfare (military concept) is conflict between belligerents whose relative capacity to make war differs significantly and implies irregular attack intervals and wildly changing vectors to subvert static defenses.

Bruce Hembree is a Cortex Field CTO for Palo Alto Networks.

Andre Ludwig is Chief Product Officer for Bricata.

Sasha Hellberg is Senior Manager of Threat Intelligence at Bell Canada.