Security news that informs and inspires

Security Anthropology: How Do Organizations Differ?


During Duo’s Second Wind Breakfast in Las Vegas last month, I talked about how we as security professionals might be under the impression that our users and customers are visitors to our Tech Country, when in reality it might be that we are visitors to their Business Country. And if that’s the case, we won’t be understood simply by speaking our own language More Loudly, or in Their Accent. Not only do we have to speak their actual native language, but we need to be able to think in it, and understand all the culture that goes with it.

I was talking earlier with our CEO, Dug Song, who has a way with words (as well as actions). He used the phrase “security anthropology” to describe what we need to understand about our customers and their organizations, and the idea really captured my imagination. We have marketing and sales personas for individuals in security, such as the CISO, the IT administrator, the developer, and the end user. But what if we researched personas for organizations in order to understand better how they approach security issues?

Just like people occupying roles, the organizations themselves vary widely. They have different types of business drivers, priorities, constraints, and capabilities. Large tech companies can drop hints about security fixes they’d like to see and markets move; public sector agencies are at the mercy of the next budget wrangling session in the legislature. An 80-year-old manufacturing company may not care what cute new IoT ideas you might have. An organization located in sparsely populated areas may have less reliable Internet connectivity, thanks to squirrels or avalanches (or avalanches of squirrels — it could happen).

When it comes to security, entities have different threat profiles: the 2015 Verizon DBIR showed that even companies in the same industry can have more threats in common with other verticals than with one another.

Many enterprises today try to figure out their security strategies through peer benchmarking: what are our peers doing, and should we be doing the same? There are several problems with relying on classic benchmarking:

  • What if your peers are really bad at security?
  • What if your management argues that you don’t have to do any more than your peers are doing?
  • How do you really know who your peers are for the purposes of security planning?

By researching organizational personas for security, I’m hoping to find a better answer to that last question. Security decisions are not made simply by looking at other companies in the same industry, because there are many other variables that come into play. The number of users matters, but scale isn’t just grounded in numbers of users; it also means the number of business partners, volume and speed of transactions and operations, complexity of infrastructure, geographical distribution, and much more.

Pick any given entity designated “healthcare,” and if it’s a research organization, it’s not going to have the same threat models and priorities as another one where actual people are bleeding inside the buildings. (Intellectual property is important to protect, but given the choice between hiring another IT person and hiring another nurse, most hospitals are going to go with the latter. And if I’m the one in the hospital bed, I will probably applaud that decision.)

We still have too many “one size fits all” prescriptions for security that don’t fit real-life enterprises; not everyone can or should be seeking the “NSA level” of maturity. By building a security anthropology model for comparing organizations, I hope we can design even better products and services to align with their needs, as well as help the security community speak the language of the users it’s serving. If you know of similar research in this area, or would like to contribute, please feel free to contact me, and stay tuned for more blog posts on this topic.