Before becoming an InfoSec executive, I spent a long time in various engineering and management roles. As a security consultant, I’ve seen what’s behind the perimeter in companies of various sizes and industries. In this post I share my observations regarding the fire-fighting culture.

As you read, keep in mind WIM Security’s 1st rule of organizational life: Most changes in any organization are motivated by someone’s rational self-interest.

Also, please note that my conclusions might be biased, despite my efforts to manage my own cognitive biases. They are not the result of any scientific research covering hundreds or thousands of companies.

My goal is to share some patterns I’ve recognized. Maybe you’ll recognize them too. And of course, nothing is black and white, and there are always exceptions to the rules.

Now, let’s start from the bottom up.

Perspective of employees

From the perspective of employees (who are not in any sort of management position), in most organizations, there is one common belief.

Employees often believe that speed is one of the most important things in their work. Because they hear it. Directly or indirectly, from their managers and top management.

Most people in an organization feel like they don’t have enough time to solve problems in a careful and organized way. They have tight deadlines, they’re behind on their work, so they worry. Nobody wants to be laid off for poor performance.

Naturally, people try to work more quickly, which, in the long term, results in solutions that don’t work well, or even make things worse. Simply, more mistakes. More mistakes lead to various incidents which can often impact confidentiality, integrity or availability of organizational systems and data.

Which leads to even more work. Welcome to the fire-fighting loop. Sometimes, even without direct messages like “speed is the key to our success” from the top management, people reach the same conclusion, based on what they see around them.

As mentioned in our whitepaper on Security Culture as a Strategy, in any organization, people don’t believe in what they read or hear, they believe in what they see. That’s one of the main unspoken rules in any organization.

What employees would usually see is that people who “ship faster” get promoted faster. The problems caused by the “ship faster” approach to work, most of the time, are not immediately visible. Of course, everyone wants a promotion. So the temptation to “ship faster” is unavoidable.

Who decides about such promotions? Managers.

Perspective of managers

Managers look up to top management. Even if they’re not told directly to deliver faster, they usually feel the pressure of speed and urgency.

The pressure can come from their peers too. For example, the Product department, which usually doesn’t understand technology and engineering much, can create unreasonable deadlines for the Engineering department.

Managers understand that, to get promoted, the organization needs to grow and hire more people. They look at how other managers get promoted, so they get the message.

Their team needs more people.
So managers hire more.
So they could get promoted faster.

As their team grows, they must create some structure. Teams inside their team. They need to choose people whom they’ll promote to Team Leads.

Guess who is their typical pick? Of course! Those “fast shippers”.

On the other hand, a manager who tries to be lean and make their team more efficient, instead of hiring more, will suffer in the long term. Such managers will likely work more to improve efficiency. They will surely get promoted much later, if ever, compared to the managers who hired more. Such managers, usually great and accountable professionals, eventually leave the organization.

In summary

When an organization has a fire-fighting culture, it means they are dealing with problems in a rushed and reactive way. This often leads to only partially fixing problems, causing them to come back or new problems to arise.

This creates a negative cycle that takes up a lot of time and resources and makes it hard for the organization to make progress. Which significantly increases the number and criticality of security risks to the business.

The main reason for this fire-fighting behavior is usually that top management puts pressure, one way or another, on everyone to solve problems quickly. Or, it’s not communicated clearly that quality and reliability of work matter more than speed.

Most of the executives I had the opportunity to meet and work with are usually very intelligent, hard-working people. But also, biased people. We’re all human, hence we’re all biased, more or less. However, people in such responsible roles need to have some sort of help with managing their cognitive biases.

As per my observation, the most common cognitive bias affecting executives is overconfidence. This is often the biggest security threat to any organization. I wrote more about it in my book Information Security Meta-strategy: No BS Guide for Executives.

Being in the role of an executive is tough. The information from around the organization, which comes to executives, is usually very filtered. Only the most burning issues come to them. The fact that they’re usually surrounded by yes-sayers (those who tend to agree uncritically with others) doesn’t help them much either.

Having an external advisor, without political capital and personal interest at stake, is crucial for any executive. This is exactly what I provide to some successful executives - acting as their sounding board about Information Security and IT in their organizations.

Naturally, executives have numerous business problems to deal with. So one of the problems which doesn’t get serious attention is the organizational culture. That’s how organizations naturally develop a fire-fighting culture, guided by the rational self-interest of the people in the organization. Remember WIM Security’s 1st rule of organizational life.

Improving the security culture in an organization also entails the elimination of the fire-fighting culture. Good security culture can drastically improve businesses in many ways. If you’re interested in reading more on the topic, see our whitepaper Security Culture as a Strategy.

