May 27, 2024
I have been in the security industry for over twenty years in various industries and cultures. Every time, the security team was an additional layer of protection and prevention tacked onto the organization's culture. The age-old mantras of “if you see something, say something” and “loose lips sink ships” come to mind as calls to action for others in the organization to stop their work to ponder whether they’re doing the right thing. More often than not, they continued doing what they were doing in order to get their job done, as well as they should.
At the heart of all of this is the fact that security has always been an interruption: something that gets in the way of someone doing the job they are paid to do (and that they are being measured in performing) to do something extra for the greater good. Expecting this kind of altruism from an entire company, or even a cohort of security-conscious employees, is unreliable at best.
To combat this, security organizations have espoused that security should be “baked in” to everything we do. The analogy is that it is far easier (and prettier) to add chocolate chips to the cake batter than to try to jam the chocolate chips into the cake once it’s baked. Similarly, getting developers to write secure code from the start is easier and safer than having them write a script and patch security controls onto it later.
This approach is close to being right. But the goal was always to make security less of an interruption by including it earlier in the process, rather than taking it a step further and making it human-centric.
If we look at what other disciplines have done to shift the conversation towards human-centricity, we see themes around resilience and being able to better handle the unexpected. In the healthcare industry, for example, there are attempts to help individuals lead healthier lives in order to avoid illness and be more resilient when they do get sick or injured. The opposite of the human-centric approach in this case is the patient-centric approach, which treats the individual only once they are already sick or injured.
Retroactively responding to issues is always more expensive than if we had taken a human-centric approach to begin with, in both healthcare and security.
The future of security is not found in shifting left or introducing more controls, but in a human-centric approach. This means helping people become more resilient by providing the tools to enable healthier operating rhythms and habits. Healthier rhythms and habits breed more secure and resilient systems that accelerate the pace of change while reducing the interruptions involved with fixing issues after the fact. Going back to the healthcare analogy, it’s about helping people understand the exercise and diet they need to stay healthy, so they don’t have to stop what they’re doing to go to the hospital because they got sick.
Oftentimes, the barrier to accomplishing this human-centric security dream of healthy habits and rhythms is the security function itself. Many security teams parcel out information about incidents and patches in small quantities without full context because they think they are protecting the organization that way.
But the truth is, without knowledge or context, or highly segmented knowledge without context, we could never come close to enabling human-centric security. We need to pivot how we handle information about people and assets so that those responsible for the people and assets have the information and context needed to make informed decisions about their security.
Human-centric security is really about knowledge sharing and providing context under a common understanding of purpose and health. The goal is to provide individuals with the information that they need to understand their security posture and measure it against the behaviors that are expected of them. If done correctly, we can expect to see significant decreases in the remediation efforts that security teams are then forced to take. This is akin to having a healthier population through coaching so that the emergency rooms are less full and the doctors are less overworked.
Instead of being “doctors” and “protectors” who diagnose and treat issues in a silo, security teams need to become “coaches” and “guides.” This will enable a culture of responsibility and accountability with a shared mission of health. There will always be doctors and surgeons on the health team, but let’s start by being coaches.
Taking human-centricity one step further is accountability towards each other within an organization. By establishing a common language and a shared view of accountability, we can also introduce an element of friendly competition to drive more positive outcomes.
Think of team sports: your goal isn’t to win at the expense of your teammates, but rather to drive each other to better performance to win. Human-centric security is really about improving the team, competing against each other in a meaningful way, and coming out of our daily training and habits as a stronger and higher-performing team.
Human-centric security has the opportunity to drive cultural outcomes and resiliency that we have been dreaming of in the security community for the last two decades but have been unable to achieve. By helping everyone be a part of improving our overall health, we can focus on a team’s mission rather than distracting from it.