
1 Creating a Zero Incident Culture
Copyright Melissa Guenther, LLC. All rights reserved.

2 Measurement
Measuring the effectiveness of a security awareness program usually becomes an assessment of security incident statistics. That is basically an exercise in measuring luck.

3 A common thread among those who have had success with security awareness efforts: giving people clear direction and immediately enlisting their energies in creating that future. Involvement in security awareness efforts in academia, Fortune 100 companies and small businesses covers a variety of situations with one constant: people. Regardless of the presenting issues, success ultimately boils down to meeting a challenge, solving a problem, or forging a better future, and it takes people to accomplish these feats. Even if you define change as implementing technical solutions, such as a firewall or automatic update installation, technology doesn't work unless people decide to make it work. Getting people involved in the process, because people are the ones who make changes work, is key. "Organizations don't change. People change, and then people change organizations."

4 What is a Zero Incident Culture?
It is not: Having absolute security Regulatory compliance

5 What is a Zero Incident Culture?
It is the presence of security, not the absence of threats/vulnerabilities. Behavioral security awareness programs, like Zero Incident, optimize secure work practices and make line workers and supervisors jointly responsible for security. Management’s role is to determine causes of incidents or potential incidents. Supervisors focus on secure practices, even if it slows work. And workers focus on getting the job done securely, making it a priority equal to getting the job done.

6 Why Strive For Zero? Accepting a certain level of security incidents in your organization means accepting avoidable risk and loss – financial, public perception, legal, productivity and operational. Anything less than Zero as an operating philosophy and goal is unacceptable.

7 What is a Zero Incident Culture?
A culture that views every incident as an operational error. A culture in which security is integrated into all operations.

8 What are the Benefits Protection of our most important assets
financial savings / ROI Transcends security – improves quality, morale, productivity, profits & employee knowledge and ownership of success.

9 Danger Signs
• Unclear who is responsible for what.
• Belief that everything is OK: "we are in good shape."
• Belief that rule compliance is enough for security ("If we're in compliance, we're OK").
• No tolerance for whistle-blowers; a "culture of silence."
• Problems experienced at other locations are not applied as "lessons learned."
• Lessons that are learned are not built into the system.
• Defects / errors become acceptable.
• Security is subordinate to production.
• Emergency procedures for severe events are lacking.

10 Danger Signs Policies and Procedures are confusing, complex and “hard to find” Security resources and techniques are available but not used. Organizational barriers prevent effective communication. There are undefined responsibility, authority, and accountability for security. Security belonged to “IT” The acceptance of defects / errors becomes Institutionalized. Because nothing has happened (or we are unaware of what has happened), we’re ok. • Culture is resilient, hard to change, and will revert to old habits if not steered by leadership.

11 Company Culture Production Culture - vs. - Security Culture
Due to the high cost of incidents, there is no way a pure production culture can be profitable to its fullest potential.

12 What is a Production Culture?
Belief that only production matters. Whatever it takes to get the job done. Security performance is not measured. Security performance is not part of supervisor’s job.

13 Security Culture Security is not a priority - it is a corporate Value.
All levels of management accountable. Security performance measured & tied to compensation. Security integrated into all operations.

14 3 Major Steps to a Zero Incident Culture
To get there you must take AIM Assess your current culture Implement the 12 upstream elements Maintain the culture change

15 Assessing Security Culture
Diagnosing Organizational Health

16 What Ails Us
Symptoms: Coughing – Pale skin – Constricted pupils – Pain – Deformity – Nausea/vomiting
Signs: Elevated temperature – High/low blood sugar – Rapid pulse – Shallow respiration
Confirmed by: Palpation – X-rays – Blood tests – Urine tests – Examination

17 What Ails An Organization
Symptoms: Uncorrected vulnerabilities – Low employee involvement/accountability – Fear – Lack of feedback – Poor security practices – Zero reporting – Leaders not walking the talk
Signs: High incident rates – High frequency rates – Low incident reporting – Low security audit scores – Increased cost per employee work-hour
Confirmed by: Culture surveys – Focus group interviews – Management interviews

18 Why Measure Perceptions?
Perceptions are reality. Regardless of management’s intent regarding security – reality is what employees perceive about security. Security Opinion Survey Survey measures the drivers of a security culture against a potential perfect score of 100%. The gap (how far from 100%) in each driver will help focus security efforts on lower scoring drivers.

19 Key Drivers of Security
Risk/Hazard Correction Security Communications Behavioral Reinforcement Security Values Management Credibility Accountability

20 Security Opinion Survey
Survey also measures the difference in what employees and management perceive about the security culture. Typical results are that management perceives security as more positive than do employees. The larger the gap the greater the problem.

21 Risk/Vulnerability Correction
Measures employee beliefs about the importance a company places on identifying and correcting risks/vulnerability. A belief that effort and resources are expended to correct risks/vulnerability supports a positive perception regarding the company’s commitment to security.

22 Accountability Measures whether respondents believe that
supervisors are truly accountable for security performance.

23 Communications Security communications, or the lack of them, shape perceptions regarding the company’s security commitment. Measures employees perceived freedom to discuss security issues. Determines employee fears regarding communicating security issues.

24 Behavior Reinforcement
Measures perceptions regarding effectiveness (or lack of) adequate feedback and reinforcement. Also measures perceptions on how effectively leadership “values” security. Measures perceptions of how well the “actions of security” are modeled.

25 Security Values Measures perceptions regarding the company’s commitment to security as a value. Also measures how the individual values security, as well as, their co-workers, leaders, and company as a whole. The higher security is valued, the better the security performance.

26 Management Credibility
Measures how employees perceive management’s support for security – and how believable leaders are. Sometimes “words” used by leaders are on target but their “actions” undermine their credibility.

27 Culture Assessment Report
Provides gap analysis of security in the “real world” as opposed to the “ideal” security process. Defines the security culture – “what it’s really like” in the minds of employees. Measures disparity gap between management and employee perceptions.

28 Zero Incident Culture: Stairway to Zero Security Incident Excellence
Each step is a building block supported by the steps below it (bottom to top):
1. Vision
2. Values
3. Accountability
4. Communications
5. Employee Ownership
6. Leadership
7. Performance Coaching
8. Planning
9. Training and Education
10. Incident Analysis
11. Behavioral Security
12. Continuous Improvement

29 Vision answers the question “where are we going?”

30 The Importance of Vision
Vision refers to a picture of the future and discusses why people should strive to create that future. Clarifies any confusion – “Is this in line with the vision”.

31 VISION One of the most famous vision speeches was made
by John F. Kennedy regarding space travel. He committed that the United States would send a man to the moon within 10 years and bring him back alive. It was certainly a stretch – great minds of the time said it was impossible.

32 VALUES vs. PRIORITIES
Priorities can be shifted; values cannot.
Values are the ideals or principles of a society (or organization). Values define the ground rules (behaviors) for personal interactions in a company. Clearly defined organizational values are the springboard for all other security efforts.

33 Organizational Values
All companies have values, whether or not they have identified them. Many managers may believe security is a value in the company, when in fact, it is not.

34 Individual Values Individual values can influence group values.
This influence can be positive or negative.

35 Espoused Values Are not the actual values in a company.
These are "what a company would like its values to be." If security is violated frequently, it is simply an espoused value.

36 Security as a Core Value
The vast majority of people will adopt the organization's values if they perceive this is what upper management truly wants. Employees who will not align themselves with the values of the organization do not fit (regardless of position).

37 Accountability: "The Engine That Drives Security"

38 Accountability Defined
Accountability can take us from the reactive mode of constantly putting out fires to a proactive mode of making sure the security process is in fact working at the operational level.
Someone is accountable when their performance is measured. When someone is merely responsible, their performance is not necessarily measured. The objective is to motivate performance.

39 Accountability Defined
Obligation to perform duties to an accepted standard…………or else. Has measurement system, evaluation, and consequences.

40 Accountability Supervisors are usually measured on
schedule, production, and cost. They are often not measured on security performance, or not measured effectively and fairly.

41 Accountability “What gets measured, gets done”
We tend to “get done” what is measured by our supervisor

42 Management Accountability
All levels of management and supervision must be held accountable Security performance must be measured objectively Must be controllable – Must be fair

43 Who Should Not Be Accountable?
Those without ultimate control: the security professional. Making the security professional the one accountable for security results is one of the most common structural mistakes.

44 Measuring Performance
Upper management should be measured on results and activities. Front line supervisors should be measured mostly on activities.

45 Measuring Performance
Remember – The absence of threats is not the same thing as the “presence of security” Focus on defining what the Presence of Security would look like—then develop a system to measure it

46 Results Results measurements may include: Incident Rates
Incident Costs Cost per man hour Audit scores Observation Frequency

47 Activities Activities may include: Self Inspections Awareness
Security and Training and Education Desktop Meetings Security Planning Task Analysis Behavioral Reinforcement

48 Accountability Systems
Performance Appraisals Should be at least annual, more is better, the more communication regarding performance, the more effective Security should have equal weight to other performance measures

49 The Difference Between Incentives & Accountability
Incentive Programs: Employee focused – Reward for "no incident" (trinkets) – Short-term (contest) – No real consequences – May not motivate
Accountability Process: Manager/supervisor focused – Rewards performance – Long-term / on-going – Impacts compensation – Impacts career path – Motivates performance

50 Security Communications
Communicating Vision & Values Eliminating Fear from the Workforce Communicating Instructions / Procedures

51 Communicating Vision & Values
You cannot over-communicate vision & values Takes up to 50,000 communications to anchor in culture Must use a variety of methods / forums

52 Balancing Security with Production Messages
Management often sends mixed messages Think about how many production or schedule messages employees receive daily in relation to security messages

53 “Fear is at the root of all the time
people spend in meetings not saying what’s really on their mind” Vice President of Fortune 500 Company

54 Fear in the Workforce If people are afraid to bring up security issues a serious flaw exists in the security process It is not possible for a company to move to security excellence unless this problem is corrected

55 Communication Build trust & drive out fear of bringing up security issues Open up lines of communication with employees

56 Communication Provide feedback & reinforcement
Provide regular forums (committees) with high employee involvement Actively solicit & reward employee input about security vulnerabilities, issues, & improvements

57 Communication Get personally involved in providing security awareness, training and education Actions speak louder than words – set the example

58 Communicating Instructions / Procedures
Never assume that because we told someone what to do or how to do it, they understood. Explain, then have them repeat it back. Follow up and redirect as necessary. Communication includes listening: listen with the intent to understand.

59 Employee Ownership No one knows more about security needs than the people doing the work. Lack of involvement (buy-in) is epidemic in traditional security programs Caused by top-down management Employees will get involved if you “make it safe for them to do so”

60 Employee Ownership Start with involvement—work toward ownership
Get employees involved in: – Setting security policy, procedures – Inspections / audits – Behavioral observations & feedback – Conducting security training – Functional security committees

61 Developing Leadership for Security

62 “Walking the Talk” If the “audio don’t match the video” you lose credibility One of the most common complaints by employees Management actions / decisions must be aligned with what we say about security

63 Performance Coaching
"Effective leaders help their teams practice perfection." – Don Shula

64 Why Employees Don’t Do What They are Supposed to Do
• Don't know why or how
• They think your way won't work
• They think their way is better
• They think something else is more important
• They think they're already doing it
• Rewarded for not doing it
• Punished for doing it
• No consequence for not doing it
• Obstacles beyond their control

65 Problems in the workplace are often created not by what we do, but by what we fail to do.
Aubrey Daniels

66 New Focus: "Catch me doing something right"
• Traditional security only addresses the negatives.
• If people are not told they are appreciated, they will assume the opposite.


68 What Gets Rewarded Gets Repeated
The job of the effective leader is to create positive consequences for positive performance Decrease undesirable behaviors by arranging consequences that will stop them Increase desirable behaviors by arranging consequences that will positively reinforce them

69 5 Steps for Effective Coaching
1. Observe the behavior 2. Reinforce all positive behaviors 3. Provide performance feedback (non-invasive) 4. Re-direct (if necessary) 5. Follow-up & reinforce new behaviors

70 Security Planning Planning is a major differentiator
between a security process that is proactive rather than reactive When to plan for security New operations / processes New equipment Shut-downs Acquisitions / mergers Downsizing

71 Security Planning Plan for emergencies: develop a disaster recovery management plan and PRACTICE it. In a post-9/11 world, there is no excuse for failing to plan for emergencies.

72 Task Security Analysis
The single most effective technique for preventing incidents. Organized system for breaking jobs into sequential steps. Results in a secure work procedure (much more efficient than relying on “security policy, procedures and rules”).

73 Task Security Analysis
Perform for all high-risk activities Use brainstorming process Get employees involved in the process

74 Effective Security Awareness Training and Education
The only thing worse than training people and losing them is not training them and keeping them.

75 Security Awareness, Training and Education
Who will conduct training When, how often, who will keep documentation? Account for: Language barriers Translation / Spanish trainers

76 Security Awareness,Training and Education
Supervisory and Management Training Security Management Leadership Training Performance Coaching

77 New Hire Orientations Most Important Security Training
Highest Rate of Incidents Compliance Required Training Buddy System

78 New Hire Orientations Job Specific Security Awareness and Training
Job Rules Incident Reporting Retrain After First Day? Language and Reading Issues

79 Supervisor Orientations
New Supervisors Security Program Duties/Responsibilities/Accountability Training Needs

80 Training Improvements
Integrating security into job / task training is more effective than pure “security training”. People learn more by doing than by hearing Make all job security training as “hands-on” as possible

81 Learning Pyramid Source: NTL Institute for Applied Behavioral Sciences

82 Training Improvements
“See one, do one, teach one” When we must teach others we are forced to learn it well Getting employees involved in training other employees is invaluable

83 Five Step Training Process
1. Explain the task 2. Demonstrate how it is done 3. Allow employee(s) to do it under observation of the trainer 4. Re-direct as necessary 5. Follow-up

84 Incident Analysis Only by getting to the root cause can
we prevent a reoccurrence

85 Effective Brainstorming
Use for problem-solving, root cause analysis, or for generating ideas What is a Root Cause ? The real or underlying causes of: Incidents Insecure behavior Insecure conditions

86 Why Investigate for Root Causes ?
Most “causes” listed on incident reports are not causes at all – they are symptoms Finding root causes allows us to prevent a reoccurrence

87 Why Analyze for Root Cause ?
Standard incident investigations do not go far enough Insurance investigations seek to place: Liability Compensability Blame / Fault

88 Key Security Management Principle
Insecure acts & conditions are symptoms of something wrong in the management system Root causes will lead to the following general areas: Knowledge Skill Motivation Work Process

89 Symptoms -vs.- Causes Insecure acts or conditions are not the causes of incidents, they are symptoms of a defect in our system Symptoms can be observed, but they are not the root causes Causes are the underlying reasons that allow the symptoms to occur Root causes cannot be seen—they can only be identified through a thorough investigation.

90 Root Cause Analysis To determine root causes—look at the symptoms,
gather the facts, then ask the "W" questions about each symptom: What? Where? Who? When? Why? (and why, and why again)

91 Root Cause Analysis Management creates the job, the environment, the rules, the culture, and the “way things are done.” If symptoms are occurring, management must change the system, rather than blaming the employee(s).

92 Root Cause Analysis Symptoms - The insecure acts and conditions which we can see that often result in incidents but are not necessarily the root cause.

93 Root Cause Analysis Causes - The underlying reasons for incidents
which we can’t see can only be identified by a thorough investigation. Some common examples of causes are: Inadequate training Lack of accountability Inadequate policies and procedures Improper environmental and equipment set up Conflicts in Values

94 Root Cause Analysis Failure to address root causes will result in
reoccurrence of: Symptoms Incidents

95 Behavioral Security: How Behavior Affects Security

96 "The insecure acts of persons are responsible for a majority of incidents." – Donn Parker, "Father of Security"

97 Not A Magic Bullet Addressing behavior alone is not the magic bullet.
Insecure behavior however, is often a component of the chain of events leading to an incident. Insecure behavior is a predictor of future incidents. Looking for shortcuts is NORMAL human behavior. Allowing insecure behavior to become the norm, reinforces that it is o.k. and that nothing bad will happen.

98 Behavioral Security – What is it?
Belief that human behavior accounts for the majority of incidents. Refocuses security efforts from conditions (regulatory) to behavior. Based on observation of and feedback on performance.

99 Insecure Conditions
Insecure conditions may include:
• Poor housekeeping (drink by the keyboard, unsecured recycling/trash receptacles)
• Insufficient equipment (shared PC)
• PC that is not current on O/S patches
• Improper data storage
• No data classification
• Facility faults (doors don't close correctly, A/C not working so the door is left open, etc.)
• Requiring SSN or other unnecessary personal identifiers

100 Insecure Acts An insecure act might be:
• Weak password construction and management
• Failure to log off at end of day
• Delayed pickup of faxed confidential information at the fax machine
• Falling victim to a social engineering attempt
• Allowing a stranger to walk through the building unchallenged
• Door to a secure area propped open

101 Observation Process Request to observe employee working:
1. Summarize the secure behaviors that you observed. 2. Describe areas of concern. 3. Ask the employee for suggestions for a more secure way to do the task. 4. Thank the employee for allowing the observation.

102 Resistance to Change With change comes resistance.
Culture change will revert to old ways without constant measurement and reinforcement.

103 Success Factors for Managing Change
Address employee and management resistance factors Engage employees in action planning process Establish reasonable objectives and schedule for implementation Focus on the journey not the destination

104 Success Factors for Managing Change
Have an organized system (ZIPP). Pilot first, then implement. Recognize early signs of shifting. Measure, evaluate, redirect or continue the plan, then re-evaluate.

105 Why Measure Perceptions?
“Perceptions are reality” Regardless of management’s intent regarding security – reality is what employees perceive about security.

106 Security Opinion Survey
Survey measures the drivers of a security culture against a potential perfect score of 100%. The gap (how far from 100%) in each driver will help focus security efforts on lower scoring drivers.

107 Key Drivers Vulnerability Correction Security Communications
Behavioral Reinforcement Security Values Management Credibility Accountability

108 Security Opinion Survey
Survey also measures the difference in what employees and management perceive about the security culture. Typical results are that management perceives security as more positive than do employees. The larger the gap the greater the problem.


110 Survey Parameters Fifteen to twenty questions
Likert scale of 1-5 (negative to positive) Using weighted-average, or mean Standard deviation – how widely scattered are the answers
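As an added worked example (not a tool from the presentation or its author), the following Python scores the Security Opinion Survey described on slides 106 to 110: each driver is scored as a percentage of a perfect score, the gap to 100% ranks where to focus effort, the standard deviation shows how scattered the answers are, and the management-minus-employee difference per driver exposes the perception gap. It also applies the "pencil whipped" caveat from the collection protocols by flagging respondents who gave one answer to every question. Assumptions not stated on the slides: each question is tagged with one of the six key drivers (the question bank and its two-per-driver layout are hypothetical), a 1-5 Likert answer is mapped to 0-100% as (answer - 1) / 4 * 100, and every response carries a "management" or "employee" group label. All responses below are constructed.

```python
"""Scoring a Security Opinion Survey (added example, not the presentation's own tool).

Assumptions not on the slides: each question maps to one key driver; a 1-5
Likert answer maps to 0-100% as (answer - 1) / 4 * 100, so all-1 answers
score 0% and all-5 score 100%; each response carries a group label so
management and employee perceptions can be compared.
"""
from collections import defaultdict
from statistics import mean, pstdev

DRIVERS = ("Vulnerability Correction", "Security Communications",
           "Behavioral Reinforcement", "Security Values",
           "Management Credibility", "Accountability")

# Hypothetical question bank: q01/q02 measure the first driver, q03/q04 the second, ...
QUESTIONS = {f"q{i:02d}": DRIVERS[(i - 1) // 2] for i in range(1, 13)}


def response(rid, group, answers):
    """Build one response; answers are the 1-5 Likert values for q01..q12 in order."""
    if len(answers) != len(QUESTIONS):
        raise ValueError(f"{rid}: expected {len(QUESTIONS)} answers")
    if any(not 1 <= a <= 5 for a in answers):
        raise ValueError(f"{rid}: Likert answers must be 1-5")
    return {"id": rid, "group": group, "answers": dict(zip(sorted(QUESTIONS), answers))}


SAMPLE = [  # constructed data, not real survey results
    response("e1", "employee",   [2, 2, 2, 3, 3, 3, 4, 4, 2, 2, 3, 3]),
    response("e2", "employee",   [3, 2, 2, 2, 3, 4, 4, 3, 3, 2, 3, 2]),
    response("e3", "employee",   [2, 3, 1, 2, 3, 3, 4, 4, 2, 3, 2, 3]),
    response("e4", "employee",   [3, 3, 2, 2, 4, 4, 5, 4, 3, 2, 3, 3]),
    response("e5", "employee",   [3] * 12),           # same answer everywhere
    response("m1", "management", [4, 4, 4, 4, 4, 4, 5, 5, 4, 4, 4, 4]),
    response("m2", "management", [4, 5, 4, 3, 3, 4, 5, 4, 5, 4, 4, 4]),
]


def likert_to_percent(answer):
    """Assumed mapping of a 1-5 answer onto the 0-100% 'perfect score' scale."""
    return (answer - 1) / 4 * 100


def straight_liners(responses):
    """Respondents who gave one answer to every question: likely pencil-whipped."""
    return [r["id"] for r in responses if len(set(r["answers"].values())) == 1]


def score_drivers(responses):
    """Per driver: score as % of perfect, gap to 100%, population std dev of answers."""
    by_driver = defaultdict(list)
    for r in responses:
        for qid, answer in r["answers"].items():
            by_driver[QUESTIONS[qid]].append(likert_to_percent(answer))
    scores = {}
    for driver, values in by_driver.items():
        s = mean(values)
        scores[driver] = {"score": s, "gap": 100 - s, "stddev": pstdev(values)}
    return scores


def perception_gap(responses):
    """Management score minus employee score per driver (positive = management sees it rosier)."""
    by_group = {g: score_drivers([r for r in responses if r["group"] == g])
                for g in ("management", "employee")}
    return {d: by_group["management"][d]["score"] - by_group["employee"][d]["score"]
            for d in DRIVERS if d in by_group["management"] and d in by_group["employee"]}


def report(responses):
    """Drop straight-liners, score the rest, rank drivers by largest gap first."""
    dropped = straight_liners(responses)
    clean = [r for r in responses if r["id"] not in dropped]
    scores = score_drivers(clean)
    return {
        "dropped": dropped,
        "scores": scores,
        "priority": sorted(DRIVERS, key=lambda d: scores[d]["gap"], reverse=True),
        "perception_gap": perception_gap(clean),
    }


if __name__ == "__main__":
    rep = report(SAMPLE)
    print("dropped as straight-liners:", rep["dropped"])
    for d in rep["priority"]:
        s = rep["scores"][d]
        print(f"{d:26} score {s['score']:5.1f}%  gap {s['gap']:5.1f}%  "
              f"sd {s['stddev']:4.1f}  mgmt-emp {rep['perception_gap'][d]:+6.1f}")
```

On the constructed sample the lowest-scoring driver is Security Communications and the widest management/employee gap is on Management Credibility, which is exactly the pattern the slides warn about: management rates the culture more positively than the people doing the work. Because the mapping of Likert points to percent is an assumption, compare scores between surveys only if the same mapping and question bank are used for the baseline and the follow-up.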

111 Vulnerability Correction
Measures the importance a company places on identifying and correcting vulnerabilities. Are appropriate resources expended to eliminate vulnerabilities?

112 Security Communications
Do employees feel security is adequately communicated? Is there freedom to discuss security issues? Do employees fear that communicating negative security perceptions might lead to reprimands or terminations?

113 Behavior Reinforcement
Is behavior observed and appropriate feedback provided? Are positive acts rewarded? Are negative acts reprimanded?

114 Security Values Do employees perceive security is a true value in the organization or an espoused value? Are production messages overwhelming security value messages and degrading management’s intent?

115 Management Credibility
Does the audio match the video? Leaders must “walk the talk” of a security culture to have credibility.

116 Focus Group Interviews
Helps validate survey results and provides grassroots suggestions for improvement Employees have less fear communicating when part of a group. May be the first step in employee involvement and buy-in.

117 Management Interviews
Identifies the views of management. Identifies problems in the flow of communication between the corporate level and the field/floor level. Pinpoints perceived implementation problems.

118 Confidentiality Confidentiality cannot be overstressed if you want the truth. Consider using a third party for collection. Online surveys suffer from a perceived lack of confidentiality.

119 Survey Collection Protocols
Keep the survey short or it will be "pencil whipped." Separate supervisors and employees. Consider cultural and literacy issues.

120 Baseline Measurement Initial survey provides a baseline.
Should measure again no sooner than 18 months to determine degree of improvement. Culture change takes time to anchor.

121 Sensitive Information
Be careful how sensitive information is used; if it is used in a punitive manner, you will never regain trust. Once you open the door to communication you may be surprised at what is going on.

122 Culture Assessment Report
Identifies the strengths & weaknesses in the security culture. Provides starting points for effective intervention. Makes specific recommendations for improving the security culture.

123 What To Do With Information
A survey without intent to change will send the wrong message and may do harm. Communicate the results of the survey to employees. Involve employees in the improvement plan.

All content is copyrighted material and may not be duplicated, distributed, transferred, transmitted, copied, altered, sold, used to create derivative works, or otherwise misused.
