Cybersecurity Janitors

Mop and bucket, 7-Eleven

After a career in which cybersecurity was almost exclusively considered from a technological or procedural standpoint, I yearned to address the elephant in the room: human behavior. The best technology or procedures are not enough to counterbalance bad behavior. So I reached out to the best behavioral scientist I know and Pythia Cyber was born.

As part of our mission to highlight the role of behavior in cybersecurity, I present a series of three posts about how your organization's culture can shape your cybersecurity. Specifically, how your organization's attitudes toward cybersecurity hamper or help your cybersecurity program.

The first post (this one) describes the cybersecurity janitor model. The second post describes the cybersecurity tyrant model. The third post describes the cybersecurity partner model. This is the Goldilocks narrative: one is too loose, one is too tight and one is just right.

I have been a janitor. I have also been a cybersecurity contributor in many environments. There have been times when the two experiences were eerily similar. Specifically, trying to provide cybersecurity in some medical settings is agony because so many medical professionals feel that their primary job--their only job, really--is to provide care. So they do that and let support staff clean up the mess.

The model works well in an OR: we want you, the healthcare provider, to do whatever you have to do to help the patient. We'll take care of the rest. Someone will stock the OR beforehand, someone will maintain all the technology for you, someone will clean before and after. You focus on The Job.

This model sucks in the IT realm: doing whatever you decide that you have to do and making me run around after you, plugging the holes you make, uninstalling the viruses you let in, trying to limit the oversharing of data after the fact, all of these are a nightmare. Especially with the attitude of "I gotta be me, you have to make it work" which I hear as "I am going to continue to do whatever I want because I'm special."

Compounding the problem in this environment is the deeply-ingrained idea of "one rule for me and another rule for thee." This works well in providing care: doctors are allowed to do things that nurses are not allowed to do; nurses are allowed to do things that PAs are not; PAs can do things that techs cannot. The premise is that each level in the hierarchy is more capable than the one below it and therefore permitted more latitude. This premise does not hold in the IT arena, but the attitude carries over. The doctors do not know more about network security than I do, but it is usually not socially acceptable for me to point that out. Instead, I am supposed to fix whatever damage their actions cause and try to limit future damage without being "rude."

Are all doctors arrogant asses? No. Are all large medical centers riddled with cybersecurity vulnerabilities because of irrelevant hierarchies? I hope not. But it is undeniable that attitudes and norms play a huge part in how effective your cybersecurity team can be. If they don't have a seat at the table then they are playing catch-up and that is a weak position from which to defend your cyber assets.

I am not talking about being annoyed here. The problem isn't that my feelings got hurt but rather that real damage was done. An unpopular truth in cybersecurity is that the arrogant senior employee who feels that they are above the rules is an insider threat, and we have to treat them as such. Do you find that your cybersecurity team is a bunch of sullen, passive-aggressive types who seem hell-bent on stopping you from doing your job? Maybe they are, but at least consider the possibility that you are a part of the problem. Perhaps a big part of the problem.

Cybersecurity is a team sport. Everyone is on the team, like it or not. If we are tasked with saving you from yourself then we are either janitors or, if we get the chance, tyrants as we will see in the next post.

Striking the right balance means that you trust that you have the right people in the right jobs doing the right things. People, placement, procedure. This is hard. We can help. Ask us how.
