Adopting Just Culture

Reading an article from Securosis, I was reminded of some of the points I made in a recent talk delivered at the Security Meetup Scotland on Human Vulnerability. The article discusses the importance of thinking justly about news/issues within our industry and focuses on the need to foster a ‘just culture’. Just Culture is defined as:

“A just culture balances the need for an open and honest reporting environment with the end of a quality learning environment and culture. While the organization has a duty and responsibility to employees (and ultimately to patients[end users]), all employees are held responsible for the quality of their choices. Just culture requires a change in focus from errors and outcomes to system design and management of the behavioral choices of all employees.”

This line of analysis comes at an important time. As more and more organisations experience publicly announced security issues, condemnation, ridicule and in some cases personal attacks on social media are becoming more common. On one hand, having to publicly answer for the impact of a security incident is a positive thing and a vessel for change. On the other, these situations are sometimes far from the breach or mistake they are perceived to be, and the narrative becomes over the top or sensationalised by the media.

Just Culture focuses on an assumption of, and fair response to, failure or errors made. It means building a culture where failure is even encouraged, because the systems and platforms support a safe type of failure: failing fast, failing safe. Employing the three ways from the agile methodology helps; then, by applying DevOps cultural change, you hopefully end up with an embedded and integrated DevSecOps mindset within the organisation, supported by all the relevant tooling and integration. Another recent talk, ‘Hunting Hard, Failing Fast, Maintaining Integrity’, attempts to describe this and how it would apply to threat hunting within a SecOps function or ‘SOC’.

Just a few thoughts on this, but I really like the message behind Just Culture and hope more organisations adopt it.

Further Reading / Source: The Security Profession Needs to Adopt Just Culture / NIoH Paper


Human Capital: Our Most Important Asset

I have recently been reading about a selection of topics surrounding employees, skills and how we hire, onboard and engage with our staff. This has brought me on to the concept of ‘human capital’ which is:

Human capital is a measure of the “knowledge, skills, competencies and attributes embodied in individuals that facilitate the creation of personal, social and economic well-being”
(Organisation for Economic Co-operation and Development).

In my role as a Managing Consultant, I’m often involved in the hiring process, from writing job specifications to technical screenings, and over the last year I have been one of the two final interviewers for almost all of our Security Engineering hires. When driving this process to find and hire great people, I sometimes find it hard to articulate the non-technical knowledge, skills and competencies I’m looking for in a candidate. That is where I think human capital can help: in defining key indicators and metrics for candidates and existing employees.

Quoting the CIPD: “business has yet to come to an agreed way of valuing and reporting on the value of a workforce’s knowledge.” While searching for a simple (yet well thought out) collection of metrics to define and look for, I came across this paper (PDF), which introduced me to KSAOs (knowledge, skills, abilities and other characteristics). In the following weeks I hope to do some further research and trial integrating this into the job specifications and interviewing guidelines I have written.

I thought I would add this interesting checklist from SF Magazine which aims to get you up and running with human capital strategy ASAP:
