date 2016-04-23
from the no-YOU-report-the-bad-news dept.
When admitting to an error isn't seen as a failure, improvement is easy to achieve:
To improve security, the cybersecurity industry needs to follow the aviation industry's shift from a blame culture to a "just" culture, according to director of the Information Systems Audit and Control Association Serge Christiaans.
Speaking at Singapore's Smart Cybersecurity Summit this week, Christiaans explained that until around 1990, the number of fatal commercial jet accidents was growing alongside a steady increase of commercial flights. But around the turn of the decade, the number of flights continued to rise while the number of fatalities began to drop.
[...] While acknowledging that improved technology, more mature processes and improved leadership all helped to improve aviation safety, the former pilot and field CISO at tech consultancy Sopra Steria said the biggest improvements came from a change to a "just culture" that accepts people will make mistakes and by doing so makes it more likely errors will be reported.
In a just culture, errors are viewed as learning opportunities instead of moral failing, creating transparency and enabling constant improvement.
[...] Christiaans said he is yet to come across a company that had implemented open reporting without punishment in cybersecurity.
He attributed this to the industry working from the top down. The people at the top worked hard to get to leadership roles and become resistant to change. Shifting culture therefore needs to start with new recruits.
[...] Furthermore, not all of the aviation industry has been a beacon of transparent culture. For example, whistleblowers have alleged that culture at Boeing emphasized profit over safety, ultimately leading to engineering decisions that caused the crash of two 737 MAX airplanes.
[...] But Christiaans' analysis may be true at least when it comes to pilots and airlines, especially when culture is changed with small steps.
"So you plant the seeds, some airlines adapt, some don't," said Christiaans. "The ones who adapt, succeed."
(Score: 3, Touché) by Rosco P. Coltrane on Monday April 17, @10:10AM (1 child)
The IT industry should stop "moving fast and breaking things" and instead focus on properly implemented, tight, standardized QA processes, strict product development reviews, strict code reviews, strict production QC, officially-sanctioned audits and certifications and accountability - including personal jail time - for those found to knowingly bend or break the rules?
Bwahaha! Like that's gonna happen ever. You're talking about an industry that's perfectly comfortable rolling out code that can't even overwrite a file [petapixel.com] correctly to billions of devices, and whose sole answer to that is "Oopsie doo, here's an update maybe".
Not to mention, they have the money to line the pockets of elected officials to make sure nobody ever hints at regulating them like that even a little bit.
Otherwise yeah, great idea...
(Score: 2) by canopic jug on Monday April 17, @10:32AM
No. It's more like the world needs to look at the cause of the problems and stop blaming the victims of m$ products for having used the products as advertised. The end users have done nothing wrong. They've shared floppies^wthumbdrives as they have been marketed they could. They have read e-mails that they were told the program was for reading. They have clicked on links in a program marketed for clicking on links. They have connected desktops and laptops to the net as was marketed as necessary. In short the victims are only using the software as advertised. The problem is that the victim blaming process is being used to hide the fact that none of the m$ products are fit for purpose. This blame-the-victim culture has gone on for decades. And like in aviation it can end, but it means taking on the manufacturer which is much more a major political entity far more than it is a vendor. Yet, simple, existing truth-in-advertising could be used to put an end to all that, should politicians grow the will to enforce those laws.
Money is not free speech. Elections should not be auctions.