A major concern of information security professionals is the insider threat: identifying and mitigating the risks posed by the deliberate and malicious actions of, typically, a lone actor or a small number of people acting in collusion. What is often overlooked is the risk posed by the business culture itself, either directly, by facilitating if not encouraging risk taking, or indirectly, by creating an atmosphere in which people are more likely to make security-impacting mistakes and less likely to own up to them. The overall business culture can have a major influence on the information security posture of the business.
As biological organisms, human beings have inherited the evolutionary trait of competing to survive, for food, shelter, mating partners etc., and in the modern world this has carried over into education, job hunting, sport, material possessions, wealth and status. In business, and particularly in sales, this competitive nature is revered and rewarded, while other areas of the business are encouraged to work harder and smarter, and to achieve this colleagues are often pitted against each other to drive performance.
There are many scholarly articles comparing competitive and collaborative business cultures, but few consider them within the context of Information Security. Competition within a business is healthy while it remains fun and contained within an overarching sense of shared value and working together towards the business goals, but if it’s allowed to evolve into a toxic hyper-competitive work environment, it can bring some significant risks to Information Security. When the primary objective of a business is to make a profit for its shareholders/owners, a competitive culture can encourage a belief system where results too strongly outweigh desired corporate values, behaviour norms & security.
Some hyper-competitive cultures can be almost militaristic in their drive for competition, where only the most relentless and highest performing survive, and where ‘us’ versus ‘them’ refers not just to the market competition but also to colleagues. This can lead to negative workplace stress, ethical breaches, mistakes, and insider threat behaviours.
In March 2020, a US court case against former CIA software engineer Joshua Schulte, who was indicted on multiple counts of theft and disclosure of classified information, heard testimony from managers and colleagues describing a toxic work culture, which led to personal animosities spiralling out of control, and ultimately to the insider threat behaviours.
For those businesses that encourage an aggressive culture of competition, an obvious risk is that high performers tend to focus only on themselves and will do whatever it takes to protect their role. On the flip side, for those struggling to perform it can lead to low morale, cynicism, absenteeism and a lack of focus on their work, which in itself can lead to intended or unintended threat behaviours. On both sides of the fence these environments push people into survival mode, where they become defensive and focus their efforts on dodging blame, evading questions, and stonewalling. Either way, both sides are less likely to report mistakes, say for example emailing sensitive data to the wrong recipient, because of concerns about the implications for their job.
Take software development for example: the drive to get new products out to market, and competitive pressure, can result in mistakes and short cuts being taken, which can allow vulnerabilities to creep into the final product. With developers typically working on code individually or in teams, collaboration is paramount to ensuring the product meets the specification on time and on budget. But unless all the coders are of the same calibre there is likely to be a differential in abilities and knowledge, and this is where a collaborative culture comes into its own: the more experienced coders help and advise their colleagues for the greater good. In a hyper-competitive environment the less experienced are more likely to be left to fend for themselves, because they are competing against those with more experience. It also raises the risk that a coder who is unsure about a piece of code is less likely to seek help or advice, which in turn leads to mistakes and errors. In a collaborative environment, a communal rather than individualistic view of success means that when someone excels, others learn from them and succeed through the sharing of knowledge. It is reasonable to argue that in a collaborative environment an individual is more likely to own up to making a mistake.
There are now several secure-coding training products that gamify tasks and challenges, with scoreboards and virtual awards. These are great ways to encourage more secure coding, but they can be counterproductive if the business uses them to measure employees’ performance against each other.
From the cyber team’s perspective, this issue of business culture creates its own challenges, not least in engaging with colleagues in the event of an incident or in getting a vulnerability mitigated: the cyber team can waste time being sent round in circles or being misled, which at best is unproductive and at worst increases an already raised risk.
While it is true that some people are naturally inclined towards collaboration and others thrive in a competitive environment, creating a culture that integrates and balances both, maintaining a competitive ethos for business success while recognising that keeping a business secure requires collaboration, openness and transparency, will ultimately lead to a competitive business advantage.