Presentation on theme: "Creating a Zero Incident Culture"— Presentation transcript:
1Creating a Zero Incident Culture Copyright Melissa Guenther, LLC. All rights reserved.
2MeasurementMeasuring the effectiveness of security awareness programs usually becomes an assessment of security incident statistics.This is basically an exercise in measuring luck.
3A common thread of those that had success with security awareness efforts- giving people clear direction and immediately enlisting their energies in creating that future.Involvement in security awareness efforts in academia, Fortune 100 and small businesses – variety of situations with one constant.People.Regardless of presenting issues, success ultimately boils down to meeting a challenge, solving a problem, or forging a better future. And it takes people to accomplish these feats. Even if you define change as implementing technical solutions, such as a Firewall or automatic update installations, technology doesn’t work unless people decide to make it work.Getting people involved in the process - because people are the ones who make changes work - is key. “Organizations don’t change – people change. And then people change organizations.”
4What is a Zero Incident Culture? It is not:Having absolute securityRegulatory compliance
5What is a Zero Incident Culture? It is the presence of security, not the absence of threats/vulnerabilities.Behavioral security awareness programs, like Zero Incident, optimize secure work practices and make line workers and supervisors jointly responsible for security.Management’s role is to determine causes of incidents or potential incidents.Supervisors focus on secure practices, even if it slows work.And workers focus on getting the job done securely, making it a priority equal to getting the job done.
6Why Strive For Zero?Accepting a certain level of security incidents in your organization means accepting avoidable risk and loss – financial, public perception, legal, productivity and operational.Anything less than Zero as an operatingphilosophy and goal is unacceptable.
7What is a Zero Incident Culture? A culture that views every incident as anoperational error.A culture in which security is integrated into all operations..
8What are the Benefits Protection of our most important assets financial savings / ROITranscends security – improves quality, morale, productivity, profits & employee knowledge and ownership of success.
9Danger Signs Unclear who is responsible for what. Belief that everything is ok, “we are in good shape”Belief that rule compliance is enough for security (If we’re in compliance – we’re ok)No tolerance for whistle-blowers“culture of silence”Problems experienced from other locations not applied as “lessons learned”Lessons that are learned are not built into the systemDefects / errors became acceptableSecurity is subordinate to productionEmergency procedures for severe events is lacking
10Danger SignsPolicies and Procedures are confusing, complex and “hard to find”Security resources and techniques are available but not used.Organizational barriers prevent effective communication.There are undefined responsibility, authority, and accountability for security.Security belonged to “IT”The acceptance of defects / errors becomes Institutionalized.Because nothing has happened (or we are unaware of what has happened), we’re ok.• Culture is resilient, hard to change, and will revert to old habits if not steered by leadership.
11Company Culture Production Culture - vs. - Security Culture Due to high costs of incidents there is no way apure production culture can be profitable to it’sfullest potential.
12What is a Production Culture? Belief that only production matters.Whatever it takes to get the job done.Security performance is not measured.Security performance is not part ofsupervisor’s job.
13Security Culture Security is not a priority - it is a corporate Value. All levels of management accountable.Security performance measured & tied tocompensation.Security integrated into all operations.
143 Major Steps to a Zero Incident Culture To get there you must take AIMAssess your current cultureImplement the 12 upstream elementsMaintain the culture change
15Assessing Security Culture Diagnosing Organizational Health
17What Ails An Organization SymptomsUncorrected vulnerabilitiesLow employeeinvolvement/accountabilityFearLack of feedbackPoor security practicesZero-reportingLeaders not walking thetalkSignsHigh incident ratesHigh frequency ratesLow incident reportingLow security audit scoresIncreased cost peremployee work-hourConfirmed by:Culture Surveys – Focus Group Interviews – Management Interviews
18Why Measure Perceptions? Perceptions are reality.Regardless of management’s intent regardingsecurity – reality is what employees perceive about security.Security Opinion SurveySurvey measures the drivers of a security cultureagainst a potential perfect score of 100%.The gap (how far from 100%) in each driver willhelp focus security efforts on lower scoring drivers.
19Key Drivers of Security Risk/Hazard CorrectionSecurityCommunicationsBehavioralReinforcementSecurity ValuesManagementCredibilityAccountability
20Security Opinion Survey Survey also measures the difference in whatemployees and management perceive aboutthe security culture.Typical results are that management perceives security as more positive than do employees.The larger the gap the greater the problem.
21Risk/Vulnerability Correction Measures employee beliefs about the importancea company places on identifying and correctingrisks/vulnerability.A belief that effort and resources are expendedto correct risks/vulnerability supports a positive perception regarding the company’s commitment to security.
22Accountability Measures whether respondents believe that supervisors are truly accountable for security performance.
23CommunicationsSecurity communications, or the lack of them, shape perceptions regarding the company’s security commitment.Measures employees perceived freedom to discuss security issues.Determines employee fears regarding communicating security issues.
24Behavior Reinforcement Measures perceptions regarding effectiveness (or lack of) adequate feedback and reinforcement.Also measures perceptions on how effectivelyleadership “values” security.Measures perceptions of how well the “actions ofsecurity” are modeled.
25Security ValuesMeasures perceptions regarding the company’s commitment to security as a value.Also measures how the individual values security, as well as, their co-workers, leaders, and company as a whole.The higher security is valued, the better the security performance.
26Management Credibility Measures how employees perceivemanagement’s support for security – and how believable leaders are.Sometimes “words” used by leaders are ontarget but their “actions” undermine theircredibility.
27Culture Assessment Report Provides gap analysis of security in the “realworld” as opposed to the “ideal” securityprocess.Defines the security culture – “what it’s reallylike” in the minds of employees.Measures disparity gap between managementand employee perceptions.
28Zero Incident Culture Stairway to Zero Security Incident Excellence Continuous ImprovementBehavioral SecurityEach step is a building block supported by the steps belowIncident AnalysisTraining and EducationPlanningPerf. CoachingLeadershipEmployee OwnedCommunicationsAccountabilityValuesVisionStairway to Zero Security Incident Excellence
29Vision answers the question “where are we going?”
30The Importance of Vision Vision refers to a picture of the future anddiscusses why people should strive to create that future.Clarifies any confusion – “Is this in line with the vision”.
31VISION One of the most famous vision speeches was made by John F. Kennedy regarding space travel. Hecommitted that the United States would send a man to the moon within 10 years and bring him back alive.It was certainly a stretch – great minds of the timesaid it was impossible.
32VALUES vs. PRIORITIES Priorities can be shifted – values cannot Values are the ideals or principles of society (organization)Values define the ground rules (behaviors) for personal interactions in a company.Clearly defined organizational values are the springboard for all other security effortsVALUES vs. PRIORITIES Priorities can be shifted – values cannot
33Organizational Values All companies have values, whether or notthey have identified them.Many managers may believe security is avalue in the company, when in fact, it is not.
34Individual Values Individual values can influence group values. This influence can be positive or negative.
35Espoused Values Are not the actual values in a company. These are “what a company would like for it’s values to be.”If security is violated frequently, it is simply an espoused value.
36Security as a Core Value The vast majority of people will adopt the organizations values if they perceive this is what upper management truly wants.Employees who will not align themselves with the values of the organization do not fit(regardless of position)
37“The Engine That Drives Security” Accountability“The Engine That Drives Security”
38Accountability Defined Accountability can take us from the reactive mode of constantly putting out fires, to a proactive mode of making sure the security process is in fact working at the operational levelAccountability DefinedSomeone is accountable when their performance is measuredWhen someone is responsible, their performance is not necessarily measuredThe objective is to motivate performance
39Accountability Defined Obligation to perform duties to an acceptedstandard…………or else.Has measurement system, evaluation, andconsequences.
40Accountability Supervisors are usually measured on schedule, production, and cost.They are often not measured on securityperformance, or not measured effectively and fairly.
41Accountability “What gets measured, gets done” We tend to “get done” what is measured by our supervisor
42Management Accountability All levels of management and supervisionmust be held accountableSecurity performance must be measuredobjectivelyMust be controllable – Must be fair
43Who Should Not Be Accountable? • Those without ultimate control……The security Professional!!One of the most common structural mistakes
44Measuring Performance Upper management should be measured onresults and activities.Front line supervisors should be measuredmostly on activities.
45Measuring Performance Remember – The absence of threats is notthe same thing as the “presence of security”Focus on defining what the Presence ofSecurity would look like—then develop asystem to measure it
46Results Results measurements may include: Incident Rates Incident CostsCost per man hourAudit scoresObservation Frequency
47Activities Activities may include: Self Inspections Awareness Security and Training and EducationDesktop MeetingsSecurity PlanningTask AnalysisBehavioral Reinforcement
48Accountability Systems Performance AppraisalsShould be at least annual, more is better, the more communication regarding performance, the more effectiveSecurity should have equal weight to other performance measures
49The Difference Between Incentives & Accountability Incentive ProgramsEmployee focusedReward for “no incident” (trinkets)Short-term (contest)No real consequencesMay not motivateAccountability ProcessMgr/Spvsr focusedRewards performanceLong-term / On-goingImpacts compensationImpacts career pathMotivates performance
50Security Communications Communicating Vision & ValuesEliminating Fear from the WorkforceCommunicating Instructions / Procedures
51Communicating Vision & Values You cannot over-communicate vision & valuesTakes up to 50,000 communications to anchor in cultureMust use a variety of methods / forums
52Balancing Security with Production Messages Management often sends mixed messagesThink about how many production or schedule messages employees receive daily in relation to security messages
53“Fear is at the root of all the time people spend in meetings not sayingwhat’s really on their mind”Vice President ofFortune 500Company
54Fear in the WorkforceIf people are afraid to bring up security issues a serious flaw exists in the security processIt is not possible for a company to move tosecurity excellence unless this problem iscorrected
55CommunicationBuild trust & drive out fear of bringing up security issuesOpen up lines of communication with employees
56Communication Provide feedback & reinforcement Provide regular forums (committees) with high employee involvementActively solicit & reward employee input about security vulnerabilities, issues, & improvements
57CommunicationGet personally involved in providing security awareness, training and educationActions speak louder than words – set theexample
58Communicating Instructions / Procedures Never assume that because we toldsomeone what or how to do something, theyunderstoodExplain, then have them to repeatFollow-up and re-direct as necessaryCommunication Includes ListeningListen with the intent to understand
59Employee OwnershipNo one knows more about security needs than the people doing the work.Lack of involvement (buy-in) is epidemic intraditional security programsCaused by top-down managementEmployees will get involved if you “make itsafe for them to do so”
62“Walking the Talk”If the “audio don’t match the video” you lose credibilityOne of the most common complaints byemployeesManagement actions / decisions must bealigned with what we say about security
63Effective leaders help their teams Performance CoachingEffective leaders help their teamspractice perfectionDon Shula
64Why Employees Don’t Do What They are Supposed to Do Don’t know:– Why/howThey think:– Your way won’t work– Their way is better– Something else moreimportant– They’re already doing itRewarded for not doingPunished for doingNo consequence for not doingObstacles beyond theircontrol
65Problems in the workplace are often created not by what we do, but by what we fail to do. Aubrey Daniels
66“Catch me doing something right” New Focus“Catch me doing something right”• Traditional security only addresses the negatives• If people are not told they are appreciated – they will assume the opposite
67EMPLOYEE MOTIVATION SOON - CERTAIN – POSITIVE “WHAT GETS REWARDED---GETSREPEATED”
68What Gets Rewarded Gets Repeated The job of the effective leader is to create positiveconsequences for positive performanceDecrease undesirable behaviors by arrangingconsequences that will stop themIncrease desirable behaviors by arrangingconsequences that will positively reinforce them
695 Steps for Effective Coaching 1. Observe the behavior2. Reinforce all positive behaviors3. Provide performance feedback (non-invasive)4. Re-direct (if necessary)5. Follow-up & reinforce new behaviors
70Security Planning Planning is a major differentiator between a security process that is proactiverather than reactiveWhen to plan for securityNew operations / processesNew equipmentShut-downsAcquisitions / mergersDownsizing
71Security PlanningPlan for emergencies – develop a disaster recovery management plan and PRACTICE.In a post 911 world, there is no excuse forfailure to plan for emergencies.
72Task Security Analysis The single most effective technique for preventingincidents.Organized system for breaking jobs into sequentialsteps.Results in a secure work procedure (much more efficient than relying on “security policy, procedures and rules”).
73Task Security Analysis Perform for all high-risk activitiesUse brainstorming processGet employees involved in the process
74Effective Security Awareness Training and Education The only thing worse than training people and losing themis not training them andkeeping them.
75Security Awareness, Training and Education Who will conduct trainingWhen, how often, who will keepdocumentation?Account for:Language barriersTranslation / Spanish trainers
76Security Awareness,Training and Education Supervisory and Management TrainingSecurity ManagementLeadership TrainingPerformance Coaching
77New Hire Orientations Most Important Security Training Highest Rate of IncidentsCompliance Required TrainingBuddy System
78New Hire Orientations Job Specific Security Awareness and Training Job RulesIncident ReportingRetrain After First Day?Language and Reading Issues
79Supervisor Orientations New SupervisorsSecurity ProgramDuties/Responsibilities/AccountabilityTraining Needs
80Training Improvements Integrating security into job / task training ismore effective than pure “security training”.People learn more by doing than by hearingMake all job security training as “hands-on” as possible
81Learning PyramidSource: NTL Institute for Applied Behavioral Sciences
82Training Improvements “See one, do one, teach one”When we must teach others we are forced tolearn it wellGetting employees involved in trainingother employees is invaluable
83Five Step Training Process 1. Explain the task2. Demonstrate how it is done3. Allow employee(s) to do it underobservation of the trainer4. Re-direct as necessary5. Follow-up
84Incident Analysis Only by getting to the root cause can we prevent a reoccurrence
85Effective Brainstorming Use for problem-solving, root cause analysis, or for generating ideasWhat is a Root Cause ?The real or underlying causes of:IncidentsInsecure behaviorInsecure conditions
86Why Investigate for Root Causes ? Most “causes” listed on incident reports are not causes at all – they are symptomsFinding root causes allows us to prevent areoccurrence
87Why Analyze for Root Cause ? Standard incident investigations do not go far enoughInsurance investigations seek to place:LiabilityCompensabilityBlame / Fault
88Key Security Management Principle Insecure acts & conditions are symptoms ofsomething wrong in the management systemRoot causes will lead to the following general areas:KnowledgeSkillMotivationWork Process
89Symptoms -vs.- CausesInsecure acts or conditions are not the causes of incidents, they are symptoms of a defect in our systemSymptoms can be observed, but they are not the root causesCauses are the underlying reasons that allow thesymptoms to occurRoot causes cannot be seen—they can only beidentified through a thorough investigation.
90Root Cause Analysis To determine root causes—look at the symptoms, gather the facts—then ask the “W” questions about each symptomWhatWhereWhy, why and whyWhoWhen
91Root Cause AnalysisManagement creates the job, the environment, the rules, the culture, and the “way things are done.”If symptoms are occurring, management must change the system, rather than blaming the employee(s).
92Root Cause AnalysisSymptoms - The insecure acts and conditions which we can see that often result in incidents but are not necessarily the root cause.
93Root Cause Analysis Causes - The underlying reasons for incidents which we can’t see can only be identified by athorough investigation.Some common examples of causes are:Inadequate trainingLack of accountabilityInadequate policies and proceduresImproper environmental and equipment set upConflicts in Values
94Root Cause Analysis Failure to address root causes will result in reoccurrence of:SymptomsIncidents
96“The insecure acts of persons are responsible for a majority of incidents”Donn ParkerFather of Security
97Not A Magic Bullet Addressing behavior alone is not the magic bullet. Insecure behavior however, is often a component of the chain of events leading to an incident.Insecure behavior is a predictor of future incidents.Looking for shortcuts is NORMAL humanbehavior.Allowing insecure behavior to become the norm,reinforces that it is o.k. and that nothing bad willhappen.
98Behavioral Security – What is it? Belief that human behavior accounts for themajority of incidentsRefocuses security efforts from conditions(regulatory), to behaviorBased on observation & feedback ofperformanceInsecure Conditions
99Insecure conditions may include: Poor housekeeping (drink by keyboard, unsecured recycled trash receptors)Insufficient equipment (share PC)PC that is not current in O/S PatchesImproper data storageNo data classificationFacility faults (Doors don’t close correctly, A/C not working - door is left open, etc.Require SS# or other unnecessary personable identifier
100Insecure Acts An insecure act might be: Weak password construction and managementFailure to log off at end of dayDelayed pickup of faxed confidential information at fax machineVictim to social engineering attemptAllowing a stranger to walk through building unchallenged.Door to secure area propped open.
101Observation Process Request to observe employee working: 1. Summarize the secure behaviors that youobserved.2. Describe areas of concern.3. Ask the employee for suggestions for a more secure way to do the task.4. Thank the employee for allowing theobservation.
102Resistance to Change With change comes resistance. Culture change will revert to old ways without constant measurement and reinforcement.
103Success Factors for Managing Change Address employee and management resistancefactorsEngage employees in action planning processEstablish reasonable objectives and schedule forimplementationFocus on the journey not the destination
104Success Factors for Managing Change Have an organized system (ZIPP)Pilot first, then implementRecognize early signs of shiftingMeasureEvaluateRedirect or continue planRe-evaluate………………………
105Why Measure Perceptions? “Perceptions are reality”Regardless of management’s intent regarding security – reality is what employees perceive about security.
106Security Opinion Survey Survey measures the drivers of a security culture against a potential perfect score of 100%.The gap (how far from 100%) in each driver will help focus security efforts on lower scoring drivers.
108Security Opinion Survey Survey also measures the difference in whatemployees and management perceive about the security culture.Typical results are that management perceives security as more positive than do employees.The larger the gap the greater the problem.
110Survey Parameters Fifteen to twenty questions Likert scale of 1-5 (negative to positive)Using weighted-average, or meanStandard deviation – how widely scattered are the answers
111Vulnerability Correction Measures the importance a company placeson identifying and correcting vulnerabilities.Are appropriate resources expended toeliminate vulnerabilities?
112Security Communications Do employees feel security is adequatelycommunicated?Is there freedom to discuss security issues?Do employees fear that communicating negative security perceptions might lead to reprimands or terminations?
113Behavior Reinforcement Is behavior observed and appropriate feedback provided?Are positive acts rewarded?Are negative acts reprimanded?
114Security ValuesDo employees perceive security is a true value in the organization or an espoused value?Are production messages overwhelming security value messages and degrading management’s intent?
115Management Credibility Does the audio match the video?Leaders must “walk the talk” of a security culture to have credibility.
116Focus Group Interviews Helps validate survey results and providesgrassroots suggestions for improvementEmployees have less fear communicating when part of a group.May be the first step in employee involvement and buy-in.
117Management Interviews Identifies the views of management.Identifies problems in the flow of communication between the corporate level and the field/floor level.Pinpoints perceived implementation problems.
118ConfidentialityConfidentiality cannot be overstressed if you want the truth.Consider use of a third party for collections.Perceived lack of confidentiality with onlinesurveys.
119Survey Collection Protocols Keep survey short or will be pencilwhipped.Separate supervisors and employees.Consider cultural and literacy issues
120Baseline Measurement Initial survey provides a baseline. Should measure again no sooner than 18 months to determine degree of improvement.Culture change takes time to anchor.
121Sensitive Information Be careful how sensitive information is used if used in a punitive manner, you will never regain trust.Once you open the door to communication you may be surprised at what is going on.
122Culture Assessment Report Identifies the strengths & weaknesses in thesecurity culture.Provides starting points for effectiveintervention.Makes specific recommendations forimproving the security culture.
123What To Do With Information A survey without intent to change will send the wrong message and may do harm.Communicate the results of the survey toemployees.Involve employees in improvement plan.All content is copyrighted material and may not be duplicated, distributed, transferred, transmitted, copied, altered, sold, used to create derivative works, or otherwise misused.