Why Do We Get Angry With People for Doing What We Incentivize Them to Do?
Anyone who does a fair amount of driving knows how frustrating traffic jams can be. Traffic jams can occur for any number of reasons, including a merge. If you’re like me, you probably get angry with those people who don’t merge early on in the process, but rather, cut in at the last possible moment.
Of course, if we take a step back and think about the situation strategically, it’s hard to get angry with these last minute mergers. How can I make that statement? Since most people struggle with merges, these drivers are essentially doing what we have incentivized them to do. Namely, they take advantage of every last piece of available roadway to bypass those who struggle to merge and the backups they cause. In fact, there have been studies that show that last minute mergers are actually good for traffic.
What could traffic patterns and merges possibly have to do with security? I would argue that they teach us to be more understanding of people when they do exactly what we incentivize them to do. And that is something that we can learn a lot from in the security field. How so? That is a fair question, of course. To answer it, I offer “10 security behaviors that anger us, but that we incentivize”:
1. Focusing tactically: On numerous occasions, I’ve heard different organizations state that the security team is too tactically focused. That may certainly be the case. But if your primary metrics involve the number of alerts fired and the number of tickets opened and closed in a given week, can you really fault your team for working towards the numbers you measure them on?
2. Fire fighting: No one wants their security team running from one emergency to the next without any time to focus on everything else going on. But sometimes it’s hard to fault security teams that succumb to this. There are some issues that arise that legitimately need to push everything else aside. Far too often though, security teams are on the receiving end of a seemingly endless array of “emergencies” that result from a lack of understanding and/or faith in both the issue and the abilities of the security team.
3. Event “du jour”: I haven’t met a security team yet that enjoys getting sucked up into the spin surrounding an event “du jour”. But it’s hard to imagine how they could choose to do anything but that. When a high profile event happens, the questions “What are we doing about this?”, “Are we affected by this?”, “Are we protected against this?”, and others start coming faster than the security team can respond. All incentives point them toward responding to the rapid fire coming their way.
4. Market segment “en vogue”: Many in the security industry mock or poke fun at companies running towards the latest “en vogue” market. But before you laugh, look at what we incentivize them to do. For startups, funding and PR often overwhelmingly follow the latest hot market. For established companies, customer budgets often do the same.
5. Writing down passwords: This is one of my favorites. Everyone loves to laugh at those “stupid” users that write down their passwords. But perhaps they should be laughing at us. As an industry, we cannot prove that insanely complex password rules actually improve our respective security postures. In fact, to do that, we probably need to move away from passwords entirely. But when we don’t provide our users any workable way to grapple with our insane policies, what do we incentivize them to do?
6. Being unprepared for incident response: No one likes to get caught by surprise and appear unprepared when a critical or serious incident occurs. But building a mature incident response capability takes a strategic effort that won’t show its value immediately. If an organization incentivizes only tactical gains and not strategic ones, they shouldn’t be surprised when they are unprepared for incident response.
7. Acquiring stovepiped technology: How many times have we seen an acute problem in security boil over to the point where everyone is screaming for an immediate solution. While we need to make sure we address acute issues in a timely manner, we want to make sure we don’t “knee jerk” and acquire a quick fix that is almost “disposable”. We don’t want to end up with a solution that we will get very little value out of in the future. We want to make sure we don’t end up inadvertently incentivizing our teams to put additional stovepipes in place.
8. Under budgeting security: Everyone loves the low prices of big retail chains, but at the same time, loves to complain about lack of assistance available. We can’t really have it both ways. We want our vendors and providers to give us a lot of value at a low price point. So, not surprisingly, that’s where they invest most of their resources. Security is an overhead cost. Of course we all know how important it is, but we don’t necessarily incentivize our vendors and providers to make it a priority. We measure them on a different scale entirely.
9. Under training team members: It costs money to send team members to professional training, and it takes them away from their job for a bit. If we can see the strategic value that properly training team members brings, it is a no brainer. But if we incentivize based on only near-term gains, it’s likely that few, if any of our team members will get the training they need.
10. Not collaborating enough: There is a lot of talk about information sharing and collaboration, but unfortunately, there is less action than we would like to see. There are many reasons why this is the case, but it
doesn’t help that most organizations incentivize their staff to keep information close hold, as well as to keep up appearances around the true state of the security program. There is no shame in showing your cards a bit, as it allows you to improve. But you have to incentivize for the right outcome.