Creating a Security Culture Where People Can Admit Mistakes

In cybersecurity, user error is the symptom, not the disease. A healthy culture acknowledges and addresses the underlying causes of lapses.

Andy Ellis, advisory CISO for Orca Security and a longtime Akamai veteran, likes to tell a story about a potentially serious security incident. One of his team members was testing the email integration of a new incident tracking system. Unfortunately, the test email, titled “[TEST] Meteor strike destroys the headquarters,” went to everyone in the company and created a loop that crashed the mail servers.

As Ellis recounts, “The next day the responsible employee tweeted a picture of themselves training for a 5K run, and I replied, ‘Preparing to outrun the meteor?’”

The serious lesson is to acknowledge errors but forgive them. “He’s said, many times, that he knew at that moment it was going to be OK,” Ellis says. “Creating a safe culture requires a lot of practices, and one of them is closure. Humor is a great way to provide closure because you rarely laugh about something that is still creating tension.”

There isn’t a lot to laugh about in cybersecurity, with security teams fighting off a growing number of cyberattacks and deploying protective measures for a fast-evolving environment. But security shouldn’t be about browbeating people into doing the right thing or scaring them with the prospect of punishment. For security to be a team sport,
