Sometimes disruption just happens. It occurs when something creates a dramatic change of direction, and examples are all around us: the introduction of the GUI, the iPod and the iPhone, the Tesla Model S, the cloud. The Greek election may be one too, if the threats made are being put forward into action.
From an infosec perspective, the importance of disruption must not be forgotten. As technology is created, new markets open, old markets close, new opportunities arise and threats emerge. If we as security professionals lose sight of that fact, we quickly lose our purpose and edge, and we put our employers at risk.
We may look at the election in Greece with different perspectives. From inside Greece, the disruption of a new leadership provides much needed hope in a desperate situation. The promissed benefits carried by the change far outweigh the costs of keeping a status quo. In infosec we may apply similar approaches when dealing with security awareness, and when implementing new technologies to reduce the stressful situations faced by end users.
We should also understand the opposite of hope – despair – which is caused when people are forced into doing something they do not enjoy, understand or find easy to do – for example having to change their 16-character long password every month.
From outside Greece, the disruption is a threat – financially (what if Greece is not paying their debts), and politically (what will happen to the Euro, and the EU should Greece choose not to pay). Politics aside, let us consider how external threats may impact your security.
In a normal situation, an external threat may be positive for internal morale. It creates an out-group (a group we are not a member of) that becomes a common target for our group, motivating us to face the threat and overcome it. The challenge arises when the outside threat is considered too large, and we end up feeling unable to handle it. When this happens, our in-group quickly becomes demotivated, fatalistic and even destructive. This kind of group is your worst enemy, as it will tear apart all your security efforts. It will oppose you, sabotage your policies, tools and trainings.
How do you handle a demotivated, fatalistic and destructive workforce? How do you turn them around? The short answer is change the culture. Before you can change the culture, you need to map the current one, and design your new culture. You need a high level of situational awareness in your analytics, and most likely, you are not the best suited person to do all these things. Instead, you may want to bring on board an organizational theorist, or at a very minimum work closely with HR.
You can approach a difficult group with disruption too. Planned correctly and executed well, you can change the culture quickly. That is not to say that you should not monitor the new culture as it evolves, you need to control that change.
Revisiting the Greek election, we may be seeing a sort of disruption that will steer the ship back onto the right course. It is not a given, though, as every disruption carries the risk of not succeeding. Or in the words of disruption: something must give way – the change, or the status quo!