Before a company starts down the path of information security, there’s often a looming feeling that something isn’t right and that the steps to fix it will take effort. I liken it to a messy room that they’ve simply closed the door on, so they can try to forget there is a mess to clean up. Every time they walk by the room, they feel a twinge of embarrassment or a spark of motivation to tackle the problem; however, that emotion lessons every time they walk by until the feeling evaporates. Now the messy room has been “normalized.”
Sociologist Diane Vaughan coined the phrase “Normalization of Deviance” after the Space Shuttle Challenger exploded on January 28, 1986. She reveals how and why NASA insiders, when repeatedly faced with evidence that something was wrong, normalized the deviance so that it became acceptable to them. As with most things, it wasn’t a single fateful decision that turned into a tragedy, but rather an incremental descent into poor judgment.
So, what does this mean to your business, and how does it apply to information security? Most companies prioritize two main parts of their business: sales and delivery. Traditional IT activities considered a cost center, and cybersecurity is a bolt-on technology, or rather just an annoying set of procedures that hinder the business. Until the day it isn’t. If you refused to wear a seat belt when driving, it would probably feel unnerving the first time. After the 20th time, you likely wouldn’t mind as much, or at all.
Vaughn said it is like such: “Social normalization of deviance means that people within the organization become so much accustomed to a deviant behavior that they don’t consider it as deviant, even though they far exceed their own rules for the elementary safety.”
It works the same way with security controls in your business, and you probably already know what they are.
You might not be consciously aware of what those risks are in your business, but you might have a feeling. A 2003 server with SMBv1, that “just can’t be updated?” Maybe you still use telnet or regular FTP, or an excel file full of passwords on a network drive. Just because the company culture has always done it this way, doesn’t make it right.
The first step is usually the toughest part for a company to embrace. However, the rewards are fantastic. Sometimes it takes a breach or government regulation to take it seriously. Still, it can begin with something as simple as a risk assessment, on your terms, to identify focus areas.
If you would like help identifying risks, gaps, and discussing remediation, reach out to ProCircular by clicking the button below.