Consider the following dilemma: a member of the IT team notices a data breach but does not report the incident out of fear of getting blamed. Now consider an alternative: the team member reports the potentially critical incident, knowing that this will trigger the relevant corrective actions without the blame falling to them. This is the difference between Blame Culture and Just Culture.
This isn’t Big Brother
IT administrators can feel suffocated by the idea of the company recording their activity. It feels like an invasion of privacy: someone can track your every move, every action you take. But this is not Big Brother… No one wants to spend their day watching you work. Good managers are results-focussed and are not interested in each and every command issued to solve a ticket, nor have the time to re-watch all the steps taken.
Internal bad actors
The purpose of recording IT administrators’ computer activity is for their own benefit. Here is an example: Laura is a member of the IT team with an account that has access to most of the company data – a privileged account. One night, Laura is working until 3am performing privileged commands and she makes a mistake deleting a wrong file. Meanwhile, Frank, another member of the IT team, deletes tens of thousands of files as he knowingly wants to damage the business. One of these issues should be dealt with by training and the other is a serious HR issue. Without record of this activity, how can we know the who did what and be able to determine between malicious intent (Frank) and a genuine mistake (Laura)?
Accountability, not blame
Just Culture is about necessary accountability rather than blame. It is about learning from patterns and mistakes and effectively detecting and controlling negative consequences like Frank’s behaviour in the example above. But the sudden implementation of concrete security measures could cause annoyance to users who think they are under surveillance. Implementing Privileged Access Management (PAM) solutions must start at a human level, because at the end of the day, it is often down to the Lauras and Franks out there who are either good willed workers or bad actors out to manipulate the system.
Automate security responses
By recording the behaviour of users like Laura and Frank, your organisation can put necessary corrective measures in place. Laura’s late-night actions might trigger a notification to the manager who can verify that Laura is just a bit of a night owl. Frank’s vengeful data deletion may trigger an automatic account lock to prevent irreparable damage, without a required response of a manager which would delay corrective action.
So, to prevent IT admins from believing their manager is out to spy on every word they type on computer, cultural change must be implemented to instil the idea that security measures provide protection for them and the organisation. Rather than unnecessary blame, PAM is there to mitigate the risk of a security incident. Everyone can make mistakes which can be addressed in training and upskilling an IT workforce. Unfortunately, sometimes internal users do act with malicious intent and this is when action should be taken.
Contact one of our consultants to hear more about the topic of cultural change to secure your organisation.