I remember it like it was yesterday, even though it happened over three years ago.
While learning about how a large organization detected and responded to a breach, a stark reality suddenly hit me. Looking back at it now, I probably jumped out of my seat when I connected the dots. I was forever changed.
After initial concern that the breach was a focused external attack – and the appropriate authorities were alerted – the final conclusion was more pedestrian, and more common: in the course of trying to do their job, an employee took an efficient action to move a file to his home computer – over the Internet – then forgot about it.
It took a few years before the file was discovered.
The discovery – made by an employee, three years later, on a Friday afternoon – triggered a swift, thorough and amazingly competent response. Yet while being briefed on the specific details, costs, actions and findings, what stuck out to me was simple: the root of the breach was someone “trying to do their job.” No external attacker, no disgruntled insider, no nefarious plot.
It was an honest worker finding a way to work from home, on his own time; he wanted to get the job done. He was trying to do the right thing, but managed to do it the wrong way.
This wasn’t a breakdown of controls. In fairness, we have some technologies today that would have prevented this breach – but that doesn’t mean the user wouldn’t have found a better/different way. Technology is important, but more important is the consideration of people and how we factor (or ignore) them into the solution.
This was the spark that led to Into the Breach: Protect Your Business by Managing People, Information and Risk.
Since the book was published, I have presented the concepts in keynotes and seminars, and I have continued to research, reflect, and more importantly, get into the field and work with organizations of all sizes. This has sharpened my focus on – and renewed my commitment to – the human ecology of the organization to help turn insiders into allies who reduce business risk.
As we prepare to leave our stick house and head out full-time in our RV to travel the country and work with individuals, organizations and communities, I invite you to join me on a weekly Journey Into the Breach.
Over the next year, I’ll expand and reflect on elements from Into the Breach through candid and updated thinking.
Ready?
Buckle up. Let’s go.
Who is the intended audience for Into the Breach?
Into the Breach is for business executives, decision makers, influencers and stakeholders. However, anyone can benefit from the executive level discussions and solutions: it’s been commonly noted to me that the challenges I uncover and solutions we advance address issues broader than security.
It was important to me that I distilled the essence of the book into a form that could be easily consumed, understood and acted upon. The measure of success was to be able to read the book on an airline flight or comfortable afternoon. We hit the mark.
Breaches are only symptoms
When something goes wrong (say, for example, a breach), it is natural to seek someone to blame and a technology to fix what keeps us up at night. After taking the time to go deeper into the breaches all around us, I asked a simple question:
What if breaches are only symptoms?
As soon as I asked it, I realized that breaches and other breakdowns are just symptoms. They are not the problem. I’m not suggesting they don’t create harm; some do. But we don’t have to solve “breaches.”
The fundamental challenge is what I dubbed the human paradox.
The Human Paradox
The challenge we face is simple to state, easy to understand, quick to prove, yet elusive to address.
The human paradox: individuals have been unintentionally, but systematically disconnected from the consequences of their actions. People disconnected from the consequences of their actions do not take responsibility – and are not held accountable for their actions.
To be clear: we do not have a people problem. It is counterproductive to blame people. Yes, people play a role – certainly in the challenge, but more importantly, in the solution.
So what is the problem?
We need to consider the source of the disconnection; in many cases, the best intended actions of security professionals have created the disconnection.
Ironic, isn’t it?
We must reframe the way we consider consequences: what if consequences are neither good nor bad, but intended or unintended?
If we keep doing what we’re doing, we’ll keep getting what we’re getting. I don’t want to continue on this path.
What got us to where we are – which has been amazing change and progress in the last 10-15 years – may not be what will get us where we need to go next. The purpose of this column is to reframe and illuminate the challenges we face while suggesting a path forward.
How to prepare for our Journey
1 – Read or listen to Into the Breach (you can listen for free)
2 – Look for – and share – positive examples of where people are CONNECTED to the consequences of their actions
3 – Ponder questions you would ask me if we were sitting together around a campfire. Then make plans to sit with me around a campfire and discuss.
Sound off!
What do you think? Have you found people doing the right thing? What did I miss?
Share in the comments… and always share with me the challenges you face and we’ll work together on this journey to amplify the positive and turn the tide…