Reeducate People on What It Means to Fail
Cultural beliefs and assumptions drive behavior, so changing behavior means attacking cultural resistance. Organizations can encourage people to value failure more actively and effectively by redefining what it means to fail in the organization. A key message here should be that not all failures are equal, and that some are actually desirable, since they are destined to happen anyway. By turning small failures into learning opportunities, and reserving fear and avoidance strategies for those big failures that the organization anticipates, a feedback loop can be created. People will understand that there are certain outcomes that are truly unacceptable, that must never happen. Everything else is fair game, so long as it creates an environment of knowledge that can be used to prevent and avoid the unacceptable.
Set Leadership Examples
Few things will encourage a person to behave in a certain way more than seeing other people do it, especially people whom that person respects or wants to impress. Organizational leaders like the CISO have enormous power to influence, simply by living up to the ideals and requirements that they set for everyone else. By walking the walk, such leaders encourage imitation. So leaders in the organization, especially security leaders, should be the first to embrace the security value of failure. This means changing the way they deal with failures that occur, but also being more open and transparent about their own failures and those of the security program. When the CISO is seen as welcoming bad news, even needing it to do her job correctly, people will share it more willingly.
Open Up Communication
The security value of failure only gets realized in an environment of open and free information sharing. Encouraging that sharing, and rewarding people for doing it, is part of the solution. But channels must exist for the message to get through. If failure information, no matter how welcome, never leaves the informal sharing environment of the cafeteria or the water cooler, it will not get codified or distributed in a way that gives the best results. Security awareness teams are often the best positioned to create and manage communications involving the security value of failure. By acting as an interface between stakeholders, they are in the best position to encourage open dialogue, understand challenges, and deconflict problems that may arise.
Paynter, Ben. "Close Calls Are Near Disasters, Not Lucky Breaks." Wired.com. Available at www.wired.com.