Culture as a Security Control
John Allspaw, Etsy’s former VP of Technical Operations, wrote ‘Blameless PostMortems and a Just Culture’ on the Code as Craft blog in May 2012 (ten years ago!). The article detailed Etsy’s approach to post-incident analysis, which aimed to implement a Just Culture in order to reduce errors and mistakes amongst their technical teams.
The term Just Culture refers to a concept popularised by Sidney Dekker, a Professor of Humanities and psychologist, and describes an organisational culture that focuses on the causes of an event rather than on apportioning blame.
I discovered Allspaw and Dekker’s work while researching the path for my own implementation of what I called a positive culture. Its aim is to create psychological safety within the organisation I work for, so that staff are able to be honest and truly feel safe when self-reporting events and during post-mortems. Causing a data breach can be traumatic for people, either because of the effect it has had on individuals or simply (and this is easily fixed) because they don’t know what to expect from the process that follows.
A primary goal of my implementation is to provide better situational awareness. Unless you operate towards the right end of the maturity spectrum, it is likely you are unaware of certain data breaches and concerns. Culture can be a foundational security control in your organisation, leveraging the willingness of employees to come forward in a timely manner to admit error, raise concerns, and ultimately provide transparency to your security and data protection teams, which is what enables an effective programme.
Balancing safety and accountability
Dekker wrote ‘Just Culture: Balancing Safety and Accountability’ in 2007, in response to a trend towards the criminalisation of mistakes in the healthcare and aviation industries, which he viewed as damaging to long-term customer safety within those industries. The balancing of staff safety and accountability is the same struggle that security leaders face within organisations: how do we balance appropriate discipline against the factors which allow colleagues to self-report and raise concerns?
Responses to incidents are often reactionary. The thinking goes that if you get rid of the individual who caused the breach, you get rid of the cause of the error. This isn’t necessarily the case, and it certainly isn’t the way to create a culture where staff are able to self-report or raise concerns.
So what, everyone gets off without consequence? No. That too would create an undesirable culture. The aim is to understand how to strike a balance between safety and accountability. You’ve likely been trying to do this in your own organisation.
What does a Just Culture look like?
In a follow-up article published four years after his first on the subject, Allspaw describes an illustrative example of how the adoption of Just Culture helped Etsy’s technical team get to the root cause of an error, allowing much more concrete and valuable remediation to take place.
An engineer causes an outage by introducing failing code into production. They recall to the post-mortem facilitator that they checked the tests as usual prior to deployment and they all passed. The facilitator asks well-constructed questions with the aim of discovering what happened, rather than just seeking to close the case and move on, treating the incident as a learning exercise. The facilitator discovers that a new, recently upgraded dashboard is being used. The new dashboard had actually reported eight failed tests, but its new font renders zeros with a slash through them and in italics, so an eight looks very similar to a zero. The other engineers in the room struggle to discern the character until someone zooms in. It was a mistake many, if not all, of them would have made. Having discovered the UI issue, the dashboard can be redesigned so that the similarity of eights and zeros is no longer a risk.
Allspaw tells it far better, I highly recommend reading his narrative account. But I hope that summary illuminates the concept of stepping back, asking the right questions, and treating each incident and person interviewed as an opportunity to discover issues with processes, rather than issues with people.
A Just Culture allows individuals to feel safe describing their perception of events, allowing your organisation to derive comprehensive lessons learned. Without fear, individuals are more likely to be able to describe what input they had, the effects they observed, and so on.
How can you employ Just Culture?
This all sounds obvious, but consider your post-incident processes. Could your documents and/or procedures be updated to help your team take a Just Culture approach each time? Of course you attempt to get to the root cause of issues, of course you don’t just fire people who make mistakes. But consider how your existing processes facilitate or hinder the approach.
So far I have made some small changes which aim to start on the journey of creating a Just Culture.
Communication. During post-mortems - or any other opportunity - state the goal of a “positive culture” and elaborate on the ideal state, where incidents are treated as opportunities for learning and punitive action is reserved for malicious or negligent acts.
Procedure. Our data breach risk assessments now place greater emphasis on lessons learned and root cause analysis. They include a section for a ‘five whys’ analysis and a table with three options, which encourages the facilitator to consider at what level the lessons learned are best applied: organisational, business process, or information systems (inspired by the three tiers of NIST SP 800-30).
There is far more to Just Culture than this post or the simple changes above. The start of your journey will look different to mine and will reflect the industry and culture in which you operate. The aim here is to get you interested in the topic of security ergonomics and to consider your own processes. Hopefully you can take something positive away.
If you do go about implementing Just Culture, do reach out with your experience and learnings. @KrisBolton
Allspaw, J. (2012) Blameless PostMortems and a Just Culture. [Accessed 07/12/22].
Allspaw, J. (2016) Etsy’s Debriefing Facilitation Guide for Blameless Postmortems. [Accessed 07/12/22].
Dekker, S. (2007) Just Culture: Balancing Safety and Accountability. Ashgate Publishing Limited, England, UK.