Tuesday, May 24, 2022

Why the sound of silence may be deafening to CISOs

From time to time aviation lingo slips into the world of infosec pros, with administrators boasting they were “flying” as they rushed to deal with a crisis. At last fall’s SecTor 2015 a security consultant and private pilot urged the IT security industry to follow the aviation sector’s  model in commissioning and releasing detailed incident reports to spread knowledge and lessons learned.

Security expert Bruce Schneier has found another aviation-related insight CISOs should consider in a recent article about what should have been a preventable plane crash. In a blog today Schneier quotes the author as saying the fatal crash resulted from the “normalization of deviance” — a phrase that means  people within an organization become so much accustomed to a deviant (non-standard/unsafe) behaviour that they don’t consider it as deviant.

Another word for it might be complacency, but the implication is normalization of deviance goes beyond that. It’s the acceptance of shortcuts, which everyone — from CEOs to reporters to IT security staffers — sometimes lapse into. Or, as Schneier puts it,  it’s “a gradual process that leads to a situation where unacceptable practices or standards become acceptable, and flagrant violations of procedure become normal — despite that fact that everyone involved knows better.”

It raises questions CISOs need to ask: Do you see your staff taking shortcuts? Have you set policies and standards to ensure staff do things in an orderly way that reinforces security rather than opens new holes? Do you ensure your subordinates ensure their staff follow those procedures? If not there may be an explanation why your next security incident is so bad. (“Don’t worry about that Web server,” someone will say, “It hardly ever gets used.” One day someone will ask after the breach, “Why didn’t someone notice that Web server hadn’t been patched?”)

Schneier admits he doesn’t have a magic solution to getting staff to do things the long and hard way. “The normalization of deviance something we have to face,” he writes, “especially in areas like incident response where we can’t get people out of the loop. People believe they know better and deliberately ignore procedure, and invariably forget things. Recognizing the problem is the first step toward solving it.”

That means CISOs need to keep their eyes and ears open for signs of backsliding, and encouraging staff at all levels to speak up.

Read the full article here.

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication. Click this link to send me a note →

Jim Love, Chief Content Officer, IT World Canada
Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com

Related Tech News

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.