Adopting Just Culture

Reading an article from Securosis, I was reminded of some of the points I made in a recent talk delivered at the Security Meetup Scotland on Human Vulnerability. The article discusses the importance of thinking justly about news/issues within our industry and focuses on the need to foster a ‘just culture’. Just Culture is defined as:

“A just culture balances the need for an open and honest reporting environment with the end of a quality learning environment and culture. While the organization has a duty and responsibility to employees (and ultimately to patients [end users]), all employees are held responsible for the quality of their choices. Just culture requires a change in focus from errors and outcomes to system design and management of the behavioral choices of all employees.”

This line of analysis comes at an important time: as more and more organisations experience publicly announced security issues, condemnation, ridicule and in some cases personal attacks on social media are becoming more common. On one hand, having to publicly answer for the impact of a security incident is a positive thing and a vehicle for change. On the other, sometimes these situations are far from the breach or mistake they are perceived to be, and the narrative becomes over the top or sensationalised by the media.

Just Culture focuses on the assumption that failures and errors will happen, and on a fair response to them. It means building a culture where failure is even encouraged, because the systems and platforms support a safe type of failure: failing fast, failing safe. Employing the three ways from the agile methodology helps; then, applying DevOps cultural change, you hopefully end up with an embedded and integrated DevSecOps mindset within the organisation, supported by all the relevant tooling and integration. Another recent talk, ‘Hunting Hard, Failing Fast, Maintaining Integrity’, attempts to describe this and how it would apply to threat hunting within a SecOps function or ‘SOC’.

Just a few thoughts on this, but I really like the message behind Just Culture and hope more organisations adopt it.

Further Reading / Source: The Security Profession Needs to Adopt Just Culture / NIoH Paper


Transactional Analysis

Last year I had the privilege of being sent on a ‘management course’. The course was named ‘Stepping Up to Management’ and was essentially a collection of principles, methods and tools which can assist almost anyone in management, leadership and interaction with other people. There were many parts of the course I found useful, and a few not relevant, but the most useful (or at least the most memorable to me) was that of Transactional Analysis.

Below is an extract defining the key concepts from the Counselling Dictionary. This is interesting in itself: although I first learned about this on a professional management course, it holds true that many lessons in dealing with people are unified and common throughout most elements of life, and can be used in both personal and professional situations.

Below is an exploration of some of the key concepts of transactional analysis that a therapist will use in their work.

Ego-states refer to the three major parts of an individual’s personality, and they each reflect an entire system of thought, feeling and behaviour. These determine how individuals express themselves, interact with each other and form relationships. As defined below:

  • Parent ego-state – A set of thoughts, feelings and behaviours learnt from our parents and other important people. This part of our personality can be supportive or critical.

  • Adult ego-state – Relates to direct responses in the ‘here and now’ that are not influenced by our past. This tends to be the most rational part of our personality.

  • Child ego-state – A set of thoughts, feelings and behaviours learnt from our childhood. These can be free and natural or strongly adapted to parental influences.

Now, the way I originally found this useful was the idea of ‘hooking’ someone into a ‘game’, an undesirable state, through a poorly constructed or overly emotional approach to an interaction.

For example: when asking my partner why they haven’t done the dishes from yesterday (which we agreed they would do, yesterday…) I could approach them as a ‘parent ego’ and say “Why haven’t you done the dishes? You said you would, and didn’t!”. Although accurate, and of course unfortunate that they have not done as agreed, this is likely to ‘hook’ a person into the ‘child ego-state’, because you have accused them, held something over them, and implied you have some type of authority to be the [power] reminding them. Yes, you have the right to do this, as they have failed to do something you agreed on, but what is the desired outcome? Is it that they get annoyed enough to do as arranged, get upset and apologise until you forgive them, or admit the situation and move forward (hopefully then doing the dishes!)?

For me, it is the latter. The approach is key: assuming the ‘adult ego’, one might say “I see we have dishes from yesterday. This makes me a little frustrated, as I didn’t think I would need to do them. Would you mind doing them soon?”. With this approach you are less likely to ‘hook’ a ‘child ego’ who is annoyed, frustrated and defensive, and more likely to meet an ‘adult ego’ who is content to admit the fact (yes, we have dishes, they were my job and I’ll sort it), and you can each move forward without an incident between what might be a ‘parent ego’ and a ‘child ego’.

I’m VERY much not an expert on this, and my above example is just an attempt to explain how I feel it’s helped me.

For a detailed and interesting explanation of it, please see Business Balls!

Addition – Life Positions:

These life positions are perceptions of the world. The reality is I just am and you just are; therefore how I view myself and others are just that, “views”, not fact. However, we tend to act as if they are fact. Just like when somebody says “I can’t do this, I’m useless” rather than “I don’t know how to do this. Will you show me?” The latter is staying with the fact that they do not yet know how to do it, whilst the former links being useless with not being able to do something.

There are a number of ways of diagramming the life positions. Franklin Ernst drew the life positions in quadrants, which he called the OK Corral (1971). We have put these into red and green to show the effective and ineffective quadrants for communication and healthy relationships. By shading in the quadrants according to the amount of time we think we spend in each, we can get an idea of the amount of time we spend in each. Ernst used the term ‘Corralogram’ for this method of self-assessment using the OK Corral matrix.

[Figure: The OK Corral (Franklin Ernst, 1971)]