Reading an article from Securosis, I was reminded of some of the points I made in a recent talk delivered at the Security Meetup Scotland on Human Vulnerability. The article discusses the importance of thinking justly about news/issues within our industry and focuses on the need to foster a ‘just culture’. Just Culture is defined as:
“A just culture balances the need for an open and honest reporting environment with the end of a quality learning environment and culture. While the organization has a duty and responsibility to employees (and ultimately to patients [end users]), all employees are held responsible for the quality of their choices. Just culture requires a change in focus from errors and outcomes to system design and management of the behavioral choices of all employees.”
This line of analysis comes at an important time: as more and more organisations experience publicly announced security issues, condemnation, ridicule and in some cases personal attacks on social media are becoming more common. On one hand, having to publicly answer for the impact of a security incident is a positive thing and a vehicle for change. On the other, these situations are sometimes far from the breach or mistake they are perceived to be, and the narrative becomes over the top or sensationalised by the media.
Just Culture focuses on a fair assessment of, and response to, failures or errors made: building a culture where failure is even encouraged, because the systems and platforms support a safe type of failure. Failing fast, failing safe. Employing the Three Ways from the agile methodology helps; then, by applying DevOps cultural change, you hopefully end up with an embedded and integrated DevSecOps mindset within the organisation, supported by all the relevant tooling and integration. Another recent talk, ‘Hunting Hard, Failing Fast, Maintaining Integrity’, attempts to describe this and how it would apply to threat hunting within a SecOps function or ‘SOC’.
Just a few thoughts on this, but I really like the message behind Just Culture and hope more organisations adopt it.
Further Reading / Source: The Security Profession Needs to Adopt Just Culture / NIoH Paper