Living Security advisor and security awareness pioneer Lance Hayden, Ph.D., discusses his “Competing Security Cultures Framework,” his experiences as a HUMINT officer working for the CIA, and the importance of celebrating failure.
LS: What is culture mapping and how did you develop your methodology?
LH: Maps are metaphors. They express relationships between things that would otherwise be too complex or abstract. As I was developing the Competing Security Cultures Framework (CSCF), I wanted to provide a way that people could visualize their enterprise security cultures across four basic security cultural types and identify which cultural traits are the strongest or weakest using the Security Culture Diagnostic Survey (SCDS).
LS: Why is it important to assess, design, build and maintain human firewalls?
LH: People are an organization's most important infrastructure. As today's threats focus more and more towards the human attack surface and people as the most vulnerable vector, technical infrastructures are becoming more challenged to prevent breaches without degrading productivity. When individual members of the organization possess strong security awareness and skills, then the response to threats and attacks can happen closer to the actual event. This can result in many attacks being thwarted immediately, without the need for technical interventions. People-centric security architectures like human firewalls complement rather than replace security technology.
LS: From your experience as a HUMINT officer, what part of human nature is malleable to behavior change?
LH: Research today increasingly shows just how susceptible to behavioral change we can be, often without even realizing that we are being targeted. As a HUMINT officer, the most important aspect of behavioral change for me was motivation. If you could understand what a person wanted, what motivated them, then you had keys you could use to unlock behavior. Human nature is most malleable when the humans involved truly want to change.
LS: How can we derive actionable intelligence from culture mapping and human profiling?
LH: It's hard to get actionable intelligence if you don't know what intelligence is important to you. In management terms this becomes a measurement question. You can't manage what you don't measure, and you can't measure what you don't understand. So the first step in culture mapping and human profiling is all about defining what an organization wants to achieve. Be specific.
LS: What is one thing that if you told organizations to do it, today, for cybersecurity training (but improved resilience) - they would think you were crazy?
LH: Celebrate failure. Encourage people to fail and share how and why they did. Reward them for it. All the while working to push failure as far as possible "to the right" so that it happens quickly, gets discovered quickly, and stays small and easily corrected. Essentially this is the DevSecOps ideal, but it's still hard for old school security folks to get their head around it.