"Perp Walks" in Cybersecurity
“perp walk” – a “perp”, short for perpetrator, usually of a criminal act, paraded publicly in transit, usually while restrained (i.e., handcuffed).
I will apologize in advance for this article providing more questions than answers, but I feel it really is dependent on each unique organization and its characteristics. So, food for thought as it were, to be leveraged for your own conclusions.
In the time-honored vein of the “perp walk”, the article title (headline) was of course meant to grab your attention (and views). However, this is not just about whether we could use something like a “perp walk” in enterprise security and compliance. It also covers other aspects we might consider in driving greater awareness of, attention to, and more effective operation of secure and compliant environments. There are multiple reasons for the perp walk in the law enforcement realm, and there are likely people lined up either for or against the practice. One thing that seems to be a given, though, is that it substantially increases awareness of both the alleged crime and the individual. It is also something most people would go to great lengths to avoid being subjected to.
In the mostly civilized world of the modern enterprise, there is not only a strong aversion to the enterprise version of a “perp walk” for the whole company (i.e., the so-called “CNN moment”), but also organizational and individual anonymization for in-house issues. We typically see organizations publishing or communicating internally the details of a recent substantial cybersecurity issue without specifically naming the group or individual involved. What if, for example, the weekly internal newsletter had a section with a sort of “rogues gallery” for cybersecurity? It could include the top 10 individuals or teams that were part of a security incident, or the top 10 people with systems carrying the most risk from overdue patching. Would a corporate practice of openly discussing the specifics of those involved drive better future behavior for that entity, and be a greater motivator to other groups and individual employees? Would the desire to avoid being on “the list” be more of a deterrent against letting the security and compliance side of projects or systems slip? Would including such details strengthen the message being disseminated to everyone inside the organization? Basically: review your respective environments and don’t make this same mistake.
Now on to more positive angles. In our industry, particularly in cybersecurity, little is done at the operational level to highlight the positive aspect of being secure and compliant. For example, rarely do you see a team or individual spotlighted for being continuously secure (addressing all items xx% before their due dates) for the past twelve months. Sure, there are the high-level goals and summaries of results, but if you hit the targets as an organization, it is usually a brief thanks for meeting the base requirements. More is typically said at that stage if the organizational targets are not hit. How motivating would it be for the organization to publish a “heroes gallery” each quarter, or perhaps an annual “CISO’s List” (like a Dean’s List) naming the top performers on security and compliance? If a cash award could be added to those programs, to monetarily reward the top performers, would that make a difference? I suppose it depends on how much is at stake.
It's all about the "ka-ching" (cash), and the consequences. We also must face some hard truths. Human beings are big on rationalizing. Most people want to do the right things, and most don’t want to be insecure or noncompliant. However, people have a limited amount of time available each day, and the priority of a project team or individual is likely to be finishing the next phase of their project on time. If extra work on security and compliance is going to interfere with that objective and they perceive little to no consequences, cybersecurity will take a back seat.

Therefore, another aspect of being able to establish and foster a culture of highly aware, high-functioning, and motivated personnel with regard to the security and compliance of their IT “stuff” is for it to matter from a project, monetary, and consequences perspective. Here is another example you may want to consider. How many employees in your organization have a documented personal business objective related to security and compliance? It might be implied, it might be posted in the annual business requirements, but will it affect their annual performance review in any way, positively or negatively?
As we all know, people and their actions are a crucial part of the security posture of any organization. Cybersecurity leaders should continue to explore various ways to improve levels of awareness and motivation when it comes to security and compliance within their organizations. What do you think would work well for your own organization?
Boring Disclaimer: These thoughts are my own and I am not posting as a representative of any company. Your mileage may vary. Objects in mirrors and binoculars may be scarier than they appear (or they might not). If this had been an actual emergency, you and I would likely be doing something more important.
Very interesting read Bill! I do not have the answer either, but maybe a carrot and stick approach can combine the upsides and downsides of rewarding and shaming. I do however hope that most corporate cultures do not allow (individual) public shaming. Especially with the limited individual security-related business objectives, I am wondering who should be shamed if teams are slacking on the security front due to management pressure to make deadlines or focus their limited time on other tasks instead of security. The team? The manager? Executives? Just adding questions, I know.