My wife and I recently became first-time dog owners. While our new puppy, Nala, is sweet and adorable most of the time, as with all puppies, she has her moments when she is wild and gets into trouble. That’s why we brought in a professional to help Nala learn how to become a well-behaved adult dog.
To get us up to speed, the trainer spent a fair amount of time explaining the concept of reinforcement. We learned about three ways of reinforcing a behavior in a dog: with food, through touch, or via fetch. In other words, when the dog does something you want her to do, you help her learn that it is a desirable behavior by using one of these three means of reinforcement. On the flip side, if you apply one of these same three methods when the dog does something undesirable, you reinforce the unwanted behavior.
The experience got me thinking about the ways in which we reinforce different types of human behavior in security — some wanted and others unwanted. Here are five examples.
1. Crisis Management
Instead of going into crisis mode when a puppy has a potty accident, it’s better to adhere to a consistent plan to take the puppy out at specific times of the day. As the famous quote by author Bob Carter suggests, “Poor planning on your part does not necessitate an emergency on mine.”
Yet in security, we are too often pushed into unnecessary crises because security was treated as an afterthought and a deadline or unexpected circumstance has now made it urgent. Do you approve the last-minute request at the risk of weakening the enterprise’s security posture, or do you deny the request at the risk of impeding business operations? Neither choice is the right one, and both reinforce unwanted behavior. A better option is to learn from the crisis at hand, then proactively work with the business to prevent the next one.
2. Build in Security
It’s unrealistic to let a puppy chew shoes and then expect her to stop the bad behavior just because you say no. Similarly, software and application development should build security in from the start, which too often isn’t the case. The result: Security is approached as a checklist, which leads to conversations like, “We need to go live, so you need to approve this or you will be negatively affecting the business.”
This is a tough spot to be in. Constantly rolling over, conceding, and granting last-minute, checklist-style approvals reinforces bad behavior. It’s better to avoid these situations altogether by working collaboratively with the development, project management, and engineering teams early, so that the behavior being reinforced is building security in rather than bolting it on at the end.
3. Reward Quality, Not Quantity
Rewarding a puppy for performing a trick improperly teaches the puppy to keep performing the trick improperly. In security, we must take care to reward quality rather than quantity. What do I mean? Consider how many organizations measure success by the number of tickets opened and closed over a given period, the average time a ticket stays open, or some similar count-based standard.
By focusing solely on quantity, this type of measurement reinforces and rewards noisy alerting, poor detective controls, high false-positive rates, incomplete analysis, partial investigation, and other problematic traits. It’s far better to focus on and reinforce quality over quantity, but few organizations do this well.
4. Absolute Measurement Bias
It doesn’t really matter whether your puppy has an accident at a given point in time. The key question is whether the puppy’s ability to control her body is improving. In the workplace, many business environments focus on absolute measures. Take, for example, the Red/Amber/Green (RAG) security statuses used in so many high-level reports. I’ve lost count of the number of enterprises that focus merely on ensuring everything is green, rather than on what they should really be watching, which is the trend. Trending provides visibility into improvement, progress, risk management effectiveness, and performance-based indicators that a single snapshot cannot.
Obsessing over every indicator being green results in exactly that: Every indicator will eventually be green, whether or not that actually represents reality. In other words, the organization that reinforces measurement bias encourages its employees to report inaccurate data to appease leadership.
5. Reinforce Candor, Honesty, and Accuracy
When you hire a dog trainer, you need to be open about the issues and challenges you have with your puppy. The same goes for your corporate culture, where too often no news is treated as good news.
Whether intentionally or not, management often encourages the reporting of only positive news. Any mention of challenges, issues, or obstacles is met with a barrage of questions and a loss of confidence. These corporate cultures create an overly rosy view of the world, rather than reinforcing candor, honesty, accuracy, and the ability to address small issues before they grow into larger ones. Such a culture is not readily able to identify, assess, and manage risk.
Josh (Twitter: @ananalytical) is an experienced information security leader who works with enterprises to mature and improve their enterprise security programs. Previously, Josh served as VP, CTO – Emerging Technologies at FireEye and as Chief Security Officer for …