Ben Horowitz, of Andreessen Horowitz and OpsWare, recently released his followup book to The Hard Things about Hard Things titled What You Do is Who You are. It is a book about creating business culture, and is loaded with insightful examples, from Michigan Prison gangs to ancient Japanese Samurais.
There are two snippets I like to share with people that haven't read the book yet (and you should). The first is:
"... your culture is how your company makes decisions when you're not there. It's the set of assumptions your employees use to resolve the problems they face every day. It's how they behave when no one is looking. If you don't methodically set your culture, then two-thirds of it will end up being accidental, and the rest will be a mistake."
So let me ask you a question; Are your security practices allowing you to embody your company's cultural values?
Within departments (and gangs and samurai districts for that matter) subcultures can exist, from sales to finance and IT Security. Unlike sales or finance however, the culture of IT security extends to everyone because every employee is required to participate. Whether through phishing detection or 2FA the culture of security touches all employees.
Therefore, the right security culture must be established and it must match the company's culture. Misalign these cultures, and employees will be forced to decide which is superior.
There is a saying in the US military that "if you see something below standard and do nothing, then you've set a new standard." This is also true of culture — if one cultural value is inferior to another, a new bar has been established.
So how do security teams balance company values with security requirements?
How does Glassdoor balance Transparency with compliance requirements that require employee device tracking? How does Workday communicate openly and honestly with employees about it's need to track devices that users take into their home? And how does Monday.com embody Ownership when setting laptop security requirements?
And if you think I am being too rough, you should know this isn't some impossible standard. Five years ago Netflix–a company that believes its cultural values are its greatest asset– had to invent their own security tools when nothing on the market existed that was compatible with their value system. Now in the present day, these same tools are refined and commercially available. There are no excuses left for not deploying them to your organization.
Often security deployments are a pivotal moment when company values bump up against compliance. A recent Accenture report found that:
"51 percent of employees would consider leaving the company if leaders did not responsibly use new technologies and workplace data and, for those outside looking in, 55 percent would refuse to apply for a job at such an organization."
So what's the solution? We think it comes down to communication and Ben has some words of advice for us there (cue second favorite snippet):
""Without trust, communication breaks. Here's why: In any human interaction the required amount of community is inversely proportional to the level of trust."
Speak to any of your colleagues and you'll find most want to help with security. Everyone wants to play their part in protecting company and clients. Therefore, ask yourself if the security solutions you have deployed bring the employee into the conversation or if it excludes them.
The way teams deploy security says everything about their security culture the company has and the subculture of security says everything about the company culture.
Are the security solutions you buy promoting an honest security culture?