Cyber security is usually about controlling how information assets and systems are used, by whom, and for what purposes. Traditional security organizations attempt to restrict access and put limits on how systems can be used through policies, standards, and guidelines. Security often implies that maximizing choice and flexibility tends to be bad, or at least that doing so makes security harder.
Autonomy security cultures turn this idea on its head. Instead of centralizing security and reducing flexibility, an Autonomy security culture distributes security authority and responsibility, encouraging people to make their own choices. Admittedly, this cultural type is rare among security programs themselves, but it is often found in the way organizations manage security outside of the security program. It is a common source of friction between security teams and other stakeholders in the enterprise.
What Is an Autonomy Security Culture?
An Autonomy security culture emphasizes freedom and loose control over security operations and activities, combined with an emphasis on external goals and stakeholders. Flexibility and adaptability to changing or volatile environments and circumstances are key. These organizations score heavily in the bottom right quadrant of the Competing Security Cultures Framework model.
If your organization has an Autonomy security culture, you probably find that getting results, no matter what, is a big priority for everyone. Whether something gets done is usually more important than how it got done—within limits, of course. But your environment is likely to be fast moving or even chaotic, and spending a lot of time doing things “by the book” may end up causing unacceptable delays or failure. There may not even be a “book” to guide you, so you often have to wing it. People probably have a lot of different responsibilities, and delegation may be common, either from management to individuals or from headquarters out to the business units or remote divisions.
In an Autonomy security culture, you can expect to see responsibility for security operations existing in silos across the organization, either formally or by default. This can mean different policies, practices, technologies, and measures of success. These silos will exist even in cases where a central security team tries to impose order over the system. In an Autonomy culture, for instance, you may find multiple exception processes in place to handle situations where a group cannot or does not wish to conform to centralized standards. Or maybe completely independent security teams exist across the enterprise, each in charge of its own operational turf. Whatever the environment, people in an Autonomy security culture value their freedom and will often go to great lengths to protect and preserve it.
Core Values, Strengths, and Weaknesses of Autonomy Security Cultures
Autonomy security cultures tend to value agility and innovation over rules and bureaucracy when it comes to security, often based on the principle that the biggest risk the business faces is being slowed down compared to competitors and the market. If security makes it harder to compete, then any gain in protection is offset by losses in strategic advantage. In extreme cases, like startups and small businesses, a business failure can mean there is no company left to secure, so what’s the point?
Autonomy security cultures excel in environments where things have to move quickly, and decision makers must respond to changes in local conditions with agility and innovation. Organizations with autonomy cultures may still care about security, but they are more likely to seek “best-fit” approaches based on conditions rather than “best-practice” approaches based on centralized frameworks. These strengths can make an organization more fluid and resilient in approach and response to changing security demands.
Autonomy security cultures are understandably weaker when it comes to stable, predictable security across the entire organization. Because security authority, including purchasing and production standards, is usually distributed, organizations with strong Autonomy cultures may have a variety of security infrastructures and postures operating at once. These may not be visible or apparent to one another, or to the organization as a whole. Where centralized security management does exist, many systems are likely to run under exceptions or even through shadow IT as business units work to balance business needs with security requirements.
Where Do You Find Autonomy Cultures?
Autonomy security cultures are not usually found within information security program teams, but often are found elsewhere in IT or within other organizational divisions. Where security teams themselves exhibit an Autonomy security culture, you are likely to find that the entire enterprise is distributed and information security exists only in a guidance or advisory role, while each independent unit has its own authority for buying, implementing, and operating information technology.
Startups and Technology – Entrepreneurial organizations, including new companies and those on the cutting edge of technology, may find themselves working too quickly and aggressively to have much time for formal processes and bureaucratic structures. People may have to take on multiple roles or may be working on projects that cannot be managed with highly structured organizational charts or rigid chains of command. Because the nature of the business is also so fluid, and a failure to execute potentially fatal to the entire firm, positive results may be considered the only real measure of success. As long as there is not an outright security incident (and sometimes even if there is, but it is recoverable), too much security process may be seen only as slowing things down.
Consulting Firms – Many global consulting firms have grown organically over years and decades, with operational responsibility in local regions growing into massive, but loose, confederations of employees and offices around the world. In these firms, information technology responsibility—and by extension security—may remain with the local organization. It can be difficult to impose centralized control over such structures because of issues of politics, local and regional cultures and regulation, and fragmented IT management systems. Given their highly external, customer-based business model, consulting firms may resist attempts at implementing bureaucracy or security controls that are perceived as affecting local relationships with clients.
Small Businesses – The challenges of running a small business, from lower access to capital to the lack of highly specialized functional teams for different lines of business, can create Autonomy security cultures by default. In a small business, people are often looking to provide products and services as quickly, efficiently, and cheaply as possible. Oversight and governance may be a luxury. The result can be organizations that give wide leeway to people in order to get the job done, while having little governance or oversight capability for making sure those decisions don’t negatively impact security.