Hardly a week goes by without a major concern about the compromise of personal identity data. The latest one in the news is the Federal Aviation Administration, yet another high-profile organization that should have been better protected against such risks, especially as it’s an organization that maintains critical national infrastructure.
The big question is what type of security approach we should apply to critical infrastructure and sensitive citizen data. Controls, risk assessments and selective audits are not sufficient. That combination failed the financial sector. It didn’t curb the excesses of management, nor did it highlight the growing indications of impending disaster.
What we really need is an extension of the type of culture we’ve developed in areas such as aviation safety into the security domain. That means a number of things. For example, better education, a healthier culture that encourages prudent behaviour, more frequent inspections and, most importantly, a thorough root cause analysis of minor incidents and near misses.
Unfortunately, the aftermath of a security incident tends to focus on short-term fixes and personal accountability. This is counter-productive. Many banks and government agencies are instilling a “blame culture”. That doesn’t work. Incidents are rarely caused by a single person, and, as Deming correctly noted, if blame has to be apportioned it lies with management. Deming also understood that employee reward systems were flawed, something we’re only now beginning to question, following the clear excesses generated by the City bonus culture.
It’s about time we went back to the basic principles of good management, defined by the likes of Deming. Security needs an approach more rooted in the lessons learned over the last fifty years in the safety and quality fields. Unfortunately, we seem to have ignored or forgotten many of these essential management principles.