From time to time aviation lingo slips into the world of infosec pros, with administrators boasting they were “flying” as they rushed to deal with a crisis. At last fall’s SecTor 2015 a security consultant and private pilot urged the IT security industry to follow the aviation sector’s model in commissioning and releasing detailed incident reports to spread knowledge and lessons learned.
Security expert Bruce Schneier has found another aviation-related insight CISOs should consider, drawn from a recent article about a fatal plane crash that should have been preventable. In a blog post today Schneier quotes the author as attributing the crash to the “normalization of deviance” — a phrase meaning that people within an organization become so accustomed to a deviant (non-standard, unsafe) behaviour that they no longer recognize it as deviant.
Another word for it might be complacency, but normalization of deviance goes beyond that. It is the acceptance of shortcuts, which everyone — from CEOs to reporters to IT security staffers — sometimes lapses into. Or, as Schneier puts it, it is “a gradual process that leads to a situation where unacceptable practices or standards become acceptable, and flagrant violations of procedure become normal — despite the fact that everyone involved knows better.”
It raises questions CISOs need to ask: Do you see your staff taking shortcuts? Have you set policies and standards so that staff do things in an orderly way that reinforces security rather than opening new holes? Do you check that your managers hold their own teams to those procedures? If not, you may already have the explanation for why your next security incident will be so bad. (“Don’t worry about that Web server,” someone will say, “it hardly ever gets used.” One day, after the breach, someone will ask, “Why didn’t anyone notice that Web server hadn’t been patched?”)
Schneier admits he doesn’t have a magic solution for getting staff to do things the long and hard way. “The normalization of deviance is something we have to face,” he writes, “especially in areas like incident response where we can’t get people out of the loop. People believe they know better and deliberately ignore procedure, and invariably forget things. Recognizing the problem is the first step toward solving it.”
That means CISOs need to keep their eyes and ears open for signs of backsliding, and encourage staff at all levels to speak up when they see procedure being skipped.