Back to Basics

Hardly a week goes by without a major concern about the compromise of personal identity data. The latest one in the news is the Federal Aviation Administration, yet another high-profile organization that should have been better protected against such risks, especially as it’s an organization that maintains critical national infrastructure.

The big question is what type of security approach we should apply to critical infrastructure and sensitive citizen data. Controls, risk assessments and selective audits are not sufficient. That combination failed the financial sector. It didn’t curb the excesses of management, nor did it highlight the growing indications of impending disaster.

What we really need is an extension of the type of culture we’ve developed in areas such as aviation safety into the security domain. That means a number of things. For example, better education, a healthier culture that encourages prudent behaviour, more frequent inspections and, most importantly, a thorough root cause analysis of minor incidents and near misses.

Unfortunately, the aftermath of a security incident tends to focus on short-term fixes and personal accountability. This is counter-productive. Many banks and government agencies are instilling a “blame culture”. That doesn’t work. Incidents are rarely caused by a single person, and, as Deming correctly noted, if blame has to be apportioned it lies with management. Deming also understood that employee reward systems were flawed, something we’re only now beginning to question, following the clear excesses generated by the City bonus culture.

It’s about time we went back to the basic principles of good management, defined by the likes of Deming. Security needs an approach more rooted in the lessons learned over the last fifty years in the safety and quality fields. Unfortunately, we seem to have ignored or forgotten many of these essential management principles.


David, I concur with your view that we need a holistic approach to security that encompasses the social/cultural aspects, rather than the prevailing exclusive emphasis on technology. I too put this view forward in my recent paper about data leakage (practical measures for preserving stakeholder confidence). Your comments about Deming's views just beginning to penetrate after 50 years leave me wondering if it will take another 50 years for people to realise we need to get the fundamentals right. Of course, the cynical part of me realises that "security technology" is such a big business and that might not be helped by necessary improvements to social/cultural behaviours.
David, what you are missing is that technology that incorporates good management (asks better questions) is a good thing, and ultimately is the only thing that can protect a user from himself, and protect against the most trusted user that has been compromised in some way. I would put it that current controls, risk assessments and selective audits are not sufficient in a broken security model, because they do not fix anything, only try to contain damages.