DeepSec 2020 Talk: “I Told You So!” – Musings About A Blameless Security Culture – Tim Berghoff, Hauke Gierow
The concept of a blameless culture is familiar to agile software development teams the world over. Going blameless has lots of merits, yet in many organizations and management teams true blamelessness is far from being the norm. This is especially true for the security sector, where the thinking is perhaps even more linear than elsewhere in an organization. This way of thinking is not necessarily bad, but not always helpful. On the other hand, sugarcoating any shortcoming will not help things along either. In truth, the security industry is still facing a lot of work when it comes to dealing with people. This talk will address and explore some of the fundamental problems of corporate security culture and why it keeps companies from moving forward.
We asked Tim and Hauke a few more questions about their talk.
Please tell us the top 5 facts about your talk.
The talk will try to shed light on the way that incidents and failures are handled in a corporate environment, with a particular emphasis on IT security related matters. The objective, although maybe counter-intuitive, should be to shift towards a more blameless culture. We will also offer insights as to why organizations oftentimes resort to laying blame for any shortcomings at the feet of individuals or teams, and why this is an unhealthy approach in the long run. Finally, we will demonstrate why this is a very difficult thing to achieve in practice.
How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?
Our internal organization is currently undergoing some major changes in terms of its culture of dealing with responsibility. And while we have been priding ourselves on having our act together pretty well, it turns out that there are some unexpected challenges in this agile transition process, and that there is a whole lot more to this than just the fancy buzzwords that everyone loves. Meanwhile, especially during the current pandemic crisis, we saw very public examples of how not to approach things that have gone off the rails and did not go as planned, and we wondered how bad it really must be in some places.
Why do you think this is an important topic?
This topic has hardly been dealt with before, owing to the way humans tend to work more often than not. We feel that we should really try to make more people aware and urge them to take action to remedy this, in order to avoid survivorship bias.
Is there something you want everybody to know – some good advice for our readers maybe?
If you are stuck in a rut and wonder why people react the way they do, then this may just be the talk for you. The same is true if you want to offer your own insights and discuss the topic with us afterwards.
A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?
Our hope is that organizations develop a healthier approach when it comes to addressing things that did not go too well. Of course this will not happen overnight – we are not living in a perfect world after all. The one big pitfall in this area is this: if people and organizations do not glean any insights from their failures and translate those into the required changes, but instead fall back into old patterns of behavior, it will be a very rocky journey indeed. Being aware of a problem is good – but that alone will hardly fix it.
Tim has been working for G DATA in several capacities for more than 10 years, in support, international consulting and public relations. In his current role, he gives talks as well as TV and radio interviews on security-related topics.
Hauke has taken on the role of Head of Corporate Communications at G DATA after having worked as a journalist for Golem.de. He has also worked for Reporters without Borders and the Mercator Institute for China Studies (MERICS).