Culture can be simply defined as “a way of thinking, behaving, or working that exists in a place or organization.” Culture becomes an obstacle to change because a pre-determined way of thinking, behaving, and working has become ingrained in an organization. A common question becomes “what we are doing now is working, why change it?” However, history has shown many times, especially in warfare, that enemies can be quite capable of exploiting the traditional way of thinking.
What does warfare have to do with IT Security? Everything. Most organizations accept that the cyber threat is real, and sometimes even refer to it as cyber warfare. Below are 4 cultural norms that are doomed to being exploited by new and disruptive threats. Our enemy is becoming more sophisticated and unless we change our way of thinking, we will lose the battle.
1. My IT defenses are impenetrable. If you have read the recent Verizon and Ponemon Institute cyber crime reports, it’s obvious this is not the case. Therefore, the new prevailing paradigm must be that our IT security can be penetrated, and that it is only a matter of time until it is. The traditional approach of implementing IT defensive strategies must be supplemented with rapid detection technologies.
2. My network of trust (or Trust Framework) is well understood and everyone is in compliance. Shadow IT is happening in your organization: employees and business units are licensing cloud applications outside of the purview of IT and without considering adherence to corporate IT security practices. It will continue to happen, and in order to maintain strong configuration management, IT will need to leverage new technologies to uncover the use of unauthorized cloud apps and, if appropriate, bring them into compliance.
3. I can easily extend my security architecture as the latest technologies are introduced. New security technologies are brought to market every day, each designed to plug the latest security hole. However, a continuing series of “quick fixes” and “band-aids” will leave your organization open to attack. The best prevention is a strategy and vision that implements an architecture focused on the end-to-end IT security flows, both internal and external to the organization, and based on the proper combination and integration of multiple technologies that satisfy the technical, operational, and legal requirements of all the involved parties.
4. Security education will make a big impact. No doubt education is important and can in some cases have a significant impact. By definition, education is “the act or process of imparting or acquiring general knowledge, developing the powers of reasoning and judgment, and generally of preparing oneself or others intellectually for mature life.” But education will only take your organization so far; just remember that not everyone is an A student. Fear the persistent, asymmetric thinker!
The bottom line is that before you attend the 2015 RSA Conference, where the theme is “Change: Challenge today’s security thinking,” leave existing cultural views at the office and open your mind to the possibilities of change. While there is something to be said for the conventional wisdom of “if it ain’t broke, don’t fix it,” you also need to be very aware of the high likelihood that “maybe we don’t know for sure if it’s broke!” Hence the increasing importance of rapid detection in IT security: it provides the “tips and cues” that can help you detect whether it is broke or not.
After the conference, we’ll dive into each of these prevailing myths and provide you with approaches to defeat the enemy. Our enemy is not just the bad guys, but also the organizational culture that can consume attempts to change. Don’t let culture eat your IT security strategy for lunch!