We all know there are problems with security. We all know that things aren't improving measurably, meaningfully, or at a pace that most of us would deem sufficient or acceptable. Yet all we seem to be doing is continuing to cast stones, castigate decision-makers, and pound the FUD drum. Why isn't anybody talking about addressing the core obstacles?
The answer, of course, is two-pronged and revolves around changing culture, which is in turn driven by changing the incentive model(s) of the organization overall, as well as for individual contributors. For an example of where these things have come to fruition, one need only look at DevOps success stories. Why do DevOps initiatives succeed? Because they change the incentive model and thus drive culture change. In fact, when done really well, these two factors cycle iteratively as the organization transforms (back) into a living, learning, evolving organism that benefits from shortened feedback cycles and is able to generatively improve efficiency, effectiveness, and overall performance through improved awareness and execution (among other things).
Sadly, when we look at the lion's share of the security industry, none of it focuses on this core problem. Whether we're spreading FUD about cloud or mobile or IoT or big data or privacy or compliance or any number of other hairy, scary problems... the conversation almost always devolves back to one about "fitting tools to problems" and ignores the elephant in the room, which is that there's little-to-no incentive for meaningful change. People still have to get their jobs done, regardless of what security measures should be in place, and their performance is often graded lower if they slow down to make those much-needed improvements.
Where then shall we turn to figure this all out? Well, quite simply, we need to turn inward and we must look upward. While DevOps has been able to effect change in a grassroots manner, it has also seen only limited success without the top-level support that leads to organizational change. What was the tipping point for the C-suite to support and, ultimately, drive these changes? A shift in the incentive model wherein they saw improved performance and output (e.g., faster delivery of product to market, reduced development costs, improved quality and customer satisfaction).
As such, it's imperative that all security conversations start not with technical issues, but instead with an understanding of the context for those issues, and the incentive models and org culture against which they're (mis)aligned. This is why our Lean Security model is about business transformation rather than being yet another IT or infosec or risk management framework, and why I've taken such an interest lately in generative culture and organizational development. You cannot solve the technical issues without first solving the business management issues. This includes, among other things, ensuring awareness of context, without which most projects are doomed to failure.
More to come...