
Usually peer pressure is portrayed in a negative context. We’re all too used to hearing, for instance, that children have been influenced by peers to take up drugs, smoking or other bad habits. But what about the positive influences that peer pressure can have? Is it, in fact, something CIOs and CSOs should be actively encouraging internally?
By fostering peer pressure between divisions and their security teams, CSOs who are running large and dispersed units can change the corporate culture quickly and positively to influence security provision for the better.
In a multi-site organisation, it’s very common for local security teams to develop a high degree of individuality. Even though the same security tools are in use, they are often applied in differing ways to reflect local priorities, resulting in a patchwork of varied security successes. Technical abilities may differ between teams, and it’s also quite usual for different patch management policies and procedures to be in place within different divisions, perhaps reflecting the fact that different applications are in use.
The security ecosystem
Local IT teams also need to accommodate cultural differences, for instance, the traditional push and pull between security and operational priorities.
Given the wide disparity between these local teams, it’s not surprising that many organisations view them as separate and unrelated organisms, rather than parts of a wider ‘security ecosystem’. Naturally, the discrepancy is greater in companies that are highly diversified – and as a general rule, the bigger they are, the worse the situation. However, a more holistic approach can not only deliver great improvements in security provision, but can also help develop more cohesive teams where healthy competition is welcomed.
Three steps
So, assuming that these are good things to pursue, there are three steps towards creating effective peer pressure: plan it, communicate it and reward it. Firstly, the organisation must deploy an enterprise tool that ensures that a single, unified approach is employed for discovery and reporting. From the data garnered, a standard quarterly or monthly report card can be created for each security team or operational unit. Ideally, these reports will reflect security and operational performance and improvements as well as failings. Importantly, they must be oriented towards business impact; this is an important learning area for operational and security teams, as they both clearly play a part in ensuring that downtime for business-critical systems is minimised.
The second step is exceptional communications to minimise negative culture clashes wherever possible. When any change is introduced there are those who will resist, and naturally the reaction may be even stronger from those whose weak performance is exposed. So it’s important to gather all unit heads together, explain the approach and its benefits for individuals, units and the organisation as a whole, and ensure their support.
The final stage is to publish the report cards and reward and recognise improvers as well as winners. Pride in the teams’ performance should be encouraged and the good news must not be limited to the IT department but published widely internally. Security is, after all, everyone’s business. Teams should be encouraged to set improvement goals for themselves and take active responsibility for changes within their team. In some organisations it can take a full 12 months to see real impact across the board, but many units will respond much faster than this, realising benefits in as little as a quarter or so.
In a world where security is a race that can never be won, internal peer pressure can give every organisation a boost and ensure that good processes are recognised and duplicated internally and mistakes or errors are avoided. And the final bit of good news? CSOs can be more effective with their security budget as peer pressure probably won’t cost a thing.
Andrew Storms is Director of Information Technology at security specialists nCircle.