IT Security and Compliance are People Problems
Days Since it was a PEOPLE PROBLEM: 0. Not DNS. Not solvable by technology. But about biases, behaviour and all the other things that make us human.
As I venture into the woods of IT Cyber Security and Compliance, I see the same obstacles as in the software testing field. We need to:
- Build our competencies into the delivery streams
- Enable a mindset for when we cannot scale
- Solve the business problem rather than pitch technology/methods
- Build a diverse new generation of experts
- Embrace diversity and stop the gatekeeping
The core story is the evergreen challenge in any IT work: while we deal with technology, the technology solutions themselves are only half the challenge. No technology platform - not even LLMs - can deliver results without solving the cultural, organisational and personal motivations first.
It's Always a People Problem
When you think about it, IT has a huge range of models and frameworks around the relationship part: Cynefin, Agile Manifesto, Scrum, Team Topologies etc. The further you move around on Cynefin, the more relations matter. [Relations are about half of IT, January 2021]
For cyber security practices to actually make an impact, we need people to change their behaviour. A local waterworks recently had a breach because of a VNC server with the password 1234. No one had so far decided to implement better security; sure, it was perhaps discussed. But a person had to go and do something to implement better security practices. All the technology was in place; it was a matter of closing a port and choosing a better password. But even those small steps were apparently not prioritized or top of mind.
The Path of Least Resistance
One of the barriers to overcome in GRC (Governance, Risk and Compliance) and cyber security is bias. Sarah Aalborg has a new book out on the topic. One of the key learnings is to make cyber security and compliance the easy option: to have procedures and guidelines in place for the "elephant" (the system 1 brain) to follow. For instance, a reminder when setting up VNC servers not to leave default or simple access control in place.
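One way to turn that reminder into a guardrail is a pre-deployment policy check that refuses a remote-access service with a default or trivial password, or one reachable from anywhere without an allowlist or MFA, so the secure configuration becomes the path of least resistance. The code below is an added example, not from the post or Sarah Aalborg's book; the `Service` record, the inventory entries and the list of known-bad defaults are constructed for illustration, and the 12-character minimum is an assumed policy value.

```python
"""Pre-deployment guardrail: fail the pipeline when a remote-access service
ships with default or trivial access control.  Added example; the inventory
entries below are constructed, not real systems."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed shortlist of well-known defaults; a real policy would load a
# much longer list (or a breached-password set) from a file.
DEFAULT_SECRETS = {"", "1234", "12345", "123456", "password", "admin", "vnc", "changeme", "letmein"}
MIN_PASSWORD_LEN = 12            # assumed policy value
REMOTE_ACCESS = {"vnc", "rdp", "ssh", "telnet"}


@dataclass
class Service:
    name: str
    protocol: str                 # e.g. "vnc"
    port: int
    exposure: str                 # "internal" or "public"
    password: Optional[str]       # None = no password-based auth configured
    key_auth: bool = False        # key/certificate based auth (e.g. SSH keys)
    allowlist: List[str] = field(default_factory=list)  # source CIDRs; empty = anywhere
    mfa: bool = False


def is_sequential(s: str) -> bool:
    """True for runs like 1234 / 4321 / abcd where every step is +1 or -1."""
    if len(s) < 4:
        return False
    deltas = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return deltas == {1} or deltas == {-1}


def password_findings(pw: Optional[str], key_auth: bool = False) -> List[str]:
    """Findings about the credential itself (empty list = acceptable)."""
    if pw is None:
        return [] if key_auth else ["no authentication configured"]
    low = pw.lower()
    out = []
    if low in DEFAULT_SECRETS:
        out.append("password is a well-known default")
    if low and len(set(low)) == 1:
        out.append("password is a single repeated character")
    if is_sequential(low):
        out.append("password is a sequential run")
    if len(pw) < MIN_PASSWORD_LEN:
        out.append(f"password shorter than {MIN_PASSWORD_LEN} characters")
    return out


def check_service(svc: Service) -> List[str]:
    """All policy findings for one service, prefixed with its identity."""
    findings: List[str] = []
    if svc.protocol in REMOTE_ACCESS:
        findings += password_findings(svc.password, svc.key_auth)
        if svc.protocol == "telnet":
            findings.append("telnet is cleartext; use ssh")
        if svc.exposure == "public" and not svc.allowlist and not svc.mfa:
            findings.append("reachable from anywhere without allowlist or MFA")
        if svc.protocol == "vnc" and svc.exposure == "public":
            # Classic VNC (RFB) authentication only uses the first 8 bytes of the
            # password, so length alone is weak protection on an exposed VNC port.
            findings.append("VNC exposed directly; put it behind a VPN/SSH tunnel")
    return [f"{svc.name} ({svc.protocol}/{svc.port}): {f}" for f in findings]


def evaluate(services: List[Service]) -> Dict[str, List[str]]:
    return {s.name: check_service(s) for s in services}


def gate_passes(services: List[Service]) -> bool:
    """True only when no service has any finding."""
    return all(not f for f in evaluate(services).values())


# Constructed inventory: the first entry mirrors the waterworks pattern.
INVENTORY = [
    Service("scada-hmi", "vnc", 5900, "public", "1234"),
    Service("ops-jump", "ssh", 22, "public", None, key_auth=True,
            allowlist=["10.0.0.0/8"], mfa=True),
    Service("lab-desktop", "vnc", 5901, "internal", "correct-horse-battery",
            allowlist=["10.20.0.0/16"]),
]

if __name__ == "__main__":
    for name, findings in evaluate(INVENTORY).items():
        print(name, "OK" if not findings else "")
        for f in findings:
            print("   ", f)
    raise SystemExit(0 if gate_passes(INVENTORY) else 1)
```

Run as a pipeline step, the non-zero exit blocks the deployment until the inventory entry is fixed, which is the point: the person setting up the VNC server no longer has to remember the guideline, the check remembers it for them.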

Making things easier to follow for decision-makers is a key skill for any IT worker. Especially when working with both cyber security and testing. We have to set up structures that support someone in making a delivery with quality and security built-in. Below are some of my writings on this so far and more on my old blog.
The Trap of Technology Solutions First
I recognize the urge to deliver technology solutions first, but it's a trap - as Admiral Ackbar would say. It has been an ongoing theme with regards to test automation, and again with LLMs and Agentic AI: you cannot automate, or have tool support for, problems you don't understand yet. We cannot solve our problems with the same thinking we used when we created them, as the Albert Einstein quote goes.
Understand that there are at least four key problem spaces: the unknown and uncharted, the identified, then the understood, and finally the repeatable. My preferred reasoning framework is based on Wardley Mapping, as illustrated here:

Some of my favourite people are people
Looking at both the testing space and the cyber security space I am saddened by the gatekeeping and places where new people have to toil and jump through hoops to become respected and recognized.
We need to hire and make places for the next generation. They stand on our shoulders, as we stood on those that came before us. They might reach differently, for the stars, but that is their place.
I know that sounds like a cat poster but it's true.
So for instance - don't train LLMs to write test cases. Have entry-level people use LLMs to write test cases. If you are in an established position in your seat, start building your replacement. IT work, including security and quality, is not a zero-sum game; there are plenty of other problems that require you instead.
People problems. Days Since it was a PEOPLE PROBLEM: Zero. Not DNS. Not solvable by technology. But about biases, behaviour and all the other things that make us human.