I've been reading a lot lately about generative culture at the suggestion of my boss. Apparently this topic has been popping up and circulating with frequency through DevOps circles in recent months, and seeing as I'm currently charged with doing "stuff" related to security and DevOps, it seemed like a good thing to research.
For those unfamiliar with generative culture, I recommend reading up on it. I found these pieces to be of particular value:
- "The Future of Generative Organizations"
- "What Makes a Culture Generative?"
- "Building Generative Cultures"
- "Safety Culture - Theory and Practice"
- "Creating a Generative Culture & Overcoming Barriers to Change"
What's most interesting about generative culture is that it really fits well with the current problems facing organizations today with respect to security. That is, infosec spend is still continuously viewed as overhead cost, infosec people are still viewed as obstacles (even when trying to play nicely with DevOps teams), and infosec tools continue to be undermined by the human element, which often sees security as an externality to their specific duties (even when it really oughtn't be).
All of this devolves back to one key notion: we're graded competitively against other internal resources, and we're challenged to compete with other teams for resources and recognition. While a little bit of competition can be a healthy thing toward driving creativity and innovation, more often than not it quickly degrades into malicious in-fighting driven by a fear that "those people will make me look bad" and "I gotta protect what's mine." In other words, rather than everyone pulling together in one direction, we instead consistently see teams pulling in opposite directions driven by competing values and objectives. We've all seen this happen. One need only think of patch management or incident response scenarios wherein nobody wants to step up and take ownership of issues, instead turning it into a staring contest where the first team that blinks not only gets saddled with the burden of resolution, but likely also ends up bearing the brunt of blame and responsibility after the fact.
I submit to you that this all must change, and now. If we are to see a change in how organizations function, and especially how they secure themselves, their data, and their customers, then the underlying org culture must change to a cooperative, non-competitive perspective. Internally, organizations must not only seek better alignment, but they must seek to benefit each other and the whole (and customers/society). If and only if an org chooses general betterment over instantaneous self-reward will the underlying value structure begin to shift toward one that seeks benefits for a greater good.
Now, if this all sounds a bit too kumbaya-ish to you, well, that's ok... it should. Especially here in the US, where I was born and raised, we've been constantly exposed to the drumbeat of capitalism and rugged individualism. And that's ok. But... it's not necessarily sufficient, especially when dealing with human collectives. That is to say, while there may not be anything inherently wrong with being a strong individual, and there may not be anything wrong with competitive markets where businesses compete for dollars, there absolutely is something wrong when those businesses turn competitive internally to such a degree as to erode morale, pit resources against each other, and generally erode their very foundations from the inside out.
DevOps introduces us to a different way, but it doesn't go far enough in my estimation. As such, at New Context we have started taking the next steps by creating what we've termed "Lean Security." Lean Security is a business management model that derives in part from DevOps, which is to say that we look at how to apply agile methodology to business processes and practices. But we don't stop there. We also pull from the school of Lean Manufacturing, as well as other key areas like test-driven development and, of course, generative culture. Picking and choosing those behaviors and patterns that seem to best optimize overall conditions, we are constructing this model in such a manner that the business itself will transform how it works to be more efficient, more effective, and, derivatively, more secure.
At the core of this model is nothing less than the notion of cooperation, which is a shared core value with the DevOps movement. If we are to turn the corner on all the many issues plaguing organizations today - be it software quality, security issues, general IT efficiency and effectiveness, etc. - then we absolutely must make the transition from competitive to generative org culture. We must stop defeating ourselves internally. We must find a new narrative that pulls us together and incentivizes our individuals and our whole to act beneficently toward one another.
That is the heart of DevOps, and the core truth in what we hope will be the beginning of the Lean Security movement.