Kill The Checkbox

One thing is obvious about Internet security: We really suck at it. If this was a twelve-step program, we would be in denial. It doesn’t take hindsight to see the failures coming.  This cycle-of-failure is cultural. It falls on leadership to change that culture.   

People are trying to make good decisions. Nobody wakes up in the morning with the objective of making bad decisions, yet we do.  When groups of people continue to fail, there is often a more rudimentary issue than incompetence. 

The greatest drawback to good security is the culture of running security by the checkbox as opposed to by results.  The checkbox represents the paradox between efficiency and security.  Instead of planning security through objectives, it has become simpler to list the things we need and check them off when they are implemented.

The checkbox:

  • Represents doing the minimal job.
  • Hides the purpose of something by focusing on its existence.

Unfortunately, good security takes time and skill.  It’s like a good meal.  Saying that we have the best cookware and finest ingredients does not mean that the meal is going to be awesome.  Processes, experience and wisdom play a major role. 

Hacker do not care about your problems.  There always is a lack of budget, people and respect. But collecting security products is not security.  Socrates said, “A disorderly mob is no more an army than a heap of building materials is a house.”

How to change

One sign of a functional organization is its ability to measure their success and progress.  Measurement occurs when we know the components and interdependencies for meeting an objective.    Strong organizations can measure the different phases of a sales cycle or a supply chain.  The process can be managed.  That management is measured to the ultimate goal of sales and delivery.

Three basic elements drive us away from checkboxes and into objective oriented management:

  • Defining the objective
  • Measuring the objective
  • Learning from success and failure

Most professionals have some version of the three P’s: policy, processes and procedures.  This structure is a top-down approach that focuses on completeness and integration.  But the execution of this requires continuous review.  Whether it’s called an OODA loop or maturity model, feedback is a pivotal difference between checkboxes and success.

The best security teams “hot wash”.  After finishing up an operation in the military, teams hot wash.  While everything was still fresh, the team finds a room, a patch of ground or a table, and say, “I found <something> helpful.”  And then say, “I did <something> badly.” Members focus on how they could have done things better. The leader would take note and later adjust procedures.

We would hot wash after every incident response.  Hot washes are part of every good team.  The Blue Angels hot wash after every practice and demonstration.  No demonstration is ever perfect.  By focusing on constant improvement and retrospect, we adjust to changes and we focus on the objective.