Some organizations are so focused on outside performance and acceptance, whether by customers, B2B partners, or even regulators, that nothing but results matter to the business. When this situation applies to cyber security, the result is a Market security culture. In this culture, security becomes a product or service feature based on client demand, rather than something done for its own sake or as a standardized operational process. People in this culture usually see risk less in the possibility of being hacked or compromised and more in not delivering what is expected by the outside entities on whom the organization depends. If that means providing more security and tighter control, so be it, but it also means that the “right” level of security is whatever the market dictates and accepts.
What Is a Market Security Culture?
Market security cultures exhibit key traits from both the Compliance and Autonomy security cultures within the Competing Security Cultures Framework. They are interested in keeping external entities happy and satisfied with their activities, and are willing to allow members a great deal of freedom in doing so. While this can be tricky in cases of regulatory compliance, it works best in decentralized organizations where the standards to be achieved are well understood, but different stakeholders are empowered to achieve them in whatever ways work best for them. Market security cultures are, admittedly, uncommon. Most often they are found in industries where customers and partners, rather than auditors, are the drivers of activity.
If your organization has a Market security culture, your most important concern is getting the job done with the level of security most appropriate to the circumstances at hand. If you work in a startup, for example, levels of security may be dictated by what your customers are asking for. Too much security that degrades the user experience may be a bigger risk than the customer getting hacked and, no matter how you feel about it personally, this becomes your “compliance” target. You are likely also to find yourself empowered to make decisions and own activities regarding security that would never happen in a more rigidly bureaucratic or centralized security culture. In a Market security culture, risk is that which slows you down. Security problems tend to be identified by outsiders and brought to your attention, in which case you are responsible for acting quickly and efficiently to meet the challenge, whether that means adding layers of security or new privacy controls, or perhaps even removing burdensome controls to make your product more appealing to customers.
Core Values, Strengths, and Weaknesses of Market Security Cultures
Market security cultures emphasize customer and stakeholder values, and strive to meet expectations from those they serve. How the organization functions internally is less important, and most Market security cultures do not have hard and fast rules about the “right” way to do security. The right way is the way that makes everyone happy. As such, security is continuously coordinated with various stakeholder entities, perhaps through audits, but more often through marketing and customer relationship management. The security team’s job is to ensure that the organization is able to meet customer demands by providing members of the organization with whatever they need.
Market security cultures are among the nimblest and most agile security organizations, in no small part because they are not tied to dogmatic, bureaucratic ideas about what security means. Good security is whatever regulators, customers, and other external stakeholders demand. This attitude can make traditional security professionals, concerned with universal industry “best practices,” very uncomfortable. But such cultures are necessary in some cases where security budget and authority is decentralized, or where a failure to respond to customer demand presents a greater risk to the organization than a security incident. Best security practice in such environments is remembering that “the customer is always right.”
Market security cultures experience difficulties when they fail to recognize that people, particularly customers and partners, sometimes may not be the best judge of good security practices. If weak security is viewed as better because it makes things easier or cheaper, then the security risk tolerance of everyone involved increases, sometimes unconsciously. This can cause surprises and large-scale failures when that weak security collapses under pressure. Visibility into these failures is more difficult in a Market security culture, where flexibility and freedom of choice are prioritized. Standards tend to be weaker, governance tends to be more hands-off, and this creates opportunities for failure that would not exist in other, more structured environments.
Where Do You Find Market Cultures?
Market security cultures are not particularly common among security teams and programs. They are most often found where security is either a shared responsibility or less prominent in terms of the core business activities. Security may be important to a development team or in network operations, but may also be narrowly focused on specific assets or processes. A good example might be a startup providing cloud-based services to its customers. Those customers pay by credit card, so PCI DSS is important, as is ensuring the availability of the company’s infrastructure. But customer privacy and access control by enterprise staff may be far less critical to that company, at least until their customers start demanding it.
Startups and Technology – Entrepreneurial organizations, including new companies and those on the cutting edge of technology, are often the most likely candidates for a Market security culture. Security in these organizations is often just one of a portfolio of features to be considered, and not always the most important one to customers or partners. Results are measured not in how many security incidents happen, but in whether the organization continues to satisfy the expectations and demands of its customers, partners, and external stakeholders.