Brendan O’Connor on security as a monoculture
The O’Reilly Security Podcast: Building cathedrals, empowering the watchers, and breaking out of the security monoculture.
In this episode, I talk with Brendan O’Connor, a security researcher, lawyer (but not your lawyer) and owner of security consulting firm Malice Afterthought. We discuss creating a culture that celebrates collaborative teamwork over harried heroes, how monitoring and checklists really can save lives, and breaking out of the security monoculture.
Here are some highlights:
From statues to cathedrals
There’s some point in a company where you have to move from the age of heroes, where you build statues of people and put them on plinths, to the age of cathedrals. Cathedrals are compliance-driven operations—they’re enormous buildings that have tons of people with very different specialties creating them. You have your bricklayer, you have your ditch digger, you have your sidewalk builder, you have your marble person, you have the person who paints the ceiling. There are all these different things and they all have to happen together because cathedrals are huge buildings that could crush everyone. People want to think they’re part of the age of heroes, but the cool thing about the age of cathedrals is that, at the end, you’ve got a cathedral. If you look at a cathedral, or a skyscraper, you know what that’s for. Everyone knows that a ton of people came together to build it. It’s possible to create a security culture that says, ‘We do these things, we work with all these different areas, we have a lot of these boxes to check so people don’t get crushed. We build a company worth carrying on in the future.’
Empowering the watchers
There was a Johns Hopkins study that empowered nurses in surgical procedures to stop the operation until every single person involved had washed their hands—every single doctor, the anesthesiologist, everybody. They could actually stop it, which was a big power struggle, right? Ordinarily, nurses aren’t empowered to stop an operation; normally, it’s the lead surgeon. Nonetheless, they did this. Something amazing happened—hospital-acquired infections like MRSA dropped precipitously, like 90%. Unbelievable. That was amazing. Basically, they had a bunch of little boxes and they checked the little boxes, which allowed them to say, ‘Yes, I have seen Dr. So-and-So wash her hands, therefore we’re able to proceed.’
A new study just came out in 2016 from Santa Clara Valley Medical Center. They found that people washed their hands far less often when they thought no one was watching them, and nosocomial infections increased back to the baseline as well. It turns out that this monitoring process is important. You actually need somebody to continuously say, ‘Eat your peas. I don’t care if you don’t think they taste good.’
Security as monoculture
We know that monocultures are problematic. We know this from biology, too. Every 30 years, we wipe out all of the bananas and have to switch to a strain of new bananas because there’s a banana-attacking disease that hurts them. They’re vulnerable because they’re a monoculture. In our own security community, though, we’re terrible about this. We tend to hire people who grew up hacking all the things. There are some groups who hire only people who have computer science master’s degrees. There are other groups who only hire people who have no college degrees, because, ‘Man, education kills your mind, man.’ I feel like this is common because it’s hard. We rely on having the same set of experiences. We say, ‘Well, basically, we’re so important that we can’t be bothered trying to explain ourselves.’ When we do that, we lose all the other valuable experience. We lose the work of people who bring different perspectives.
It’s not okay to say, ‘It’s too hard to fix the monoculture, so we’re not going to bother.’ That can’t be the answer because it destroys our advocacy. We don’t have time to wait to save the world. We have to fix everything right now. Everything is on fire. I think that’s pretty obvious—just read the news. We don’t have the ability to wait and say, ‘Well, in 300 years, security people will be trusted advisors as opposed to people who would be unemployable if they didn’t have this incredibly small niche talent.’ We can’t allow that. We can’t allow ourselves to be perceived as the people who go and drink too much in Las Vegas and are jerks to people who don’t look like us. That can’t be the way we are. That’s not most security people, but allowing those people to dominate the conversation means that the entire industry is taken less seriously and is less able to solve the problems that the world faces.