What High Reliability Organizations can teach us about security
Five questions for Lance Hayden: Insights on High Reliability Organizations (HRO) and resilient approaches to dealing with failure.
I recently sat down with Lance Hayden, Chief Privacy Officer at ePatientFinder, to discuss how organizations can become more resilient and how this can help their security efforts. Here are some highlights from our talk.
What is a High Reliability Organization?
A high reliability organization, or HRO, is one that manages to avoid severe failure while operating in an environment where such failures are seen as more likely and even expected because of heightened risk or complexity of operations. Classic examples include nuclear power plants, aircraft carriers, and air traffic control systems. What makes HROs more reliable and resilient than “normal” organizations has been the subject of decades of academic and industry research.
What are a few key characteristics of an HRO?
The unique attributes of HROs—the ways most HROs look at their operations and environment differently than “normal” organizations—have been distilled into five key characteristics. These are:
- The way they look at failure: HROs seek out, rather than avoid, evidence of failure. Problems enable learning so the only real failure is not detecting failures while they are small, but instead allowing them to grow into catastrophes.
- The way they look at complexity: HROs avoid simplifying their interpretations and models. They understand that the world is complex and that reducing complexity invariably increases uncertainty and risk, so they aim to make interpretations no more simple than is absolutely necessary.
- The way they look at operations: HROs seek to avoid disconnects between what they think is going on and what is actually happening. The scariest thing for an HRO is when everything is just fine, because that means they are missing something.
- The way they look at resilience: HROs understand that unforeseen failures will always occur despite efforts to identify them, so it is crucial to also build a capability to recover quickly and elegantly from them. In addition to prevention, HROs also constantly practice recovery from disaster.
- The way they look at expertise: HROs know that the people best suited to address problems are often those closest to them, which may mean far down the organizational chart. In an HRO, authority is allowed to “migrate” under certain conditions so that the people most able to respond quickly to a problem can do so without relying on inefficient chains of command.
How do HROs apply to security?
HRO concepts are very well suited to security, which involves complex operations taking place in often hostile environments. From risk assessment to security operations to incident response, the HRO model is illustrative of why so many security failures seem to be happening these days as organizations violate some or all of the HRO principles, including ignoring problems until they grow unavoidable, mistaking security policy/compliance for operational reality, relying on oversimplified risk management tools and security frameworks, and inadequately preparing for security events and incidents. Security programs modeled on HRO characteristics and priorities can significantly reduce risk by changing the fundamental culture of security governance.
Can you provide a few resources for people to read more about the organizational psychology research behind these concepts?
The classic (and most accessible) book on HROs is Weick and Sutcliffe’s Managing the Unexpected: Sustained Performance in a Complex World (third edition, 2015). The book was first published in 2001. I discovered Karl Weick’s work and HROs through his compelling analysis of the death of several firefighters in Montana in “The Collapse of Sensemaking in Organizations: The Mann Gulch Disaster” in Administrative Science Quarterly 38(4), 1993.
For those looking for a more general introduction, a quick search for “high reliability organizations” on Google or Google Scholar will provide many resources from both industry and academia. Wikipedia has a good introductory page, as does the San Bernardino Group.
You’re speaking at the Security Conference in New York this November. What presentations are you looking forward to attending while there?
I know Masha Sedova and Marisa Fagan from Salesforce and their “Expanding the Blue Team by Building a Security Culture Program” will be excellent. I also hope to catch Samantha Davison’s “Users Cannot Change on Phish Alone,” Laura Mather’s “The Groupthink Vulnerability,” and Andrea Limbago’s “A Social Scientist’s Perspective” presentations, just to name a few!