Organizations of all sizes must constantly walk the knife edge between compliance and non-compliance. The requirements to adhere to compliance frameworks (ISO, PCI, HIPAA, GDPR, among others) are pitted against the human desire to take shortcuts:
- I’m only getting something off of the printer across the room, I don’t really need to secure my workstation before stepping away for 10 seconds.
- I wrote my password on a sticky note, but since my laptop is never out of my sight and always in hand, it won’t get lost or stolen.
- The executive is in a rush and needs her credentials reset; there isn’t time to follow the procedure to fully verify that it is her on the other end of the line.
Taking a shortcut and not noticing any detrimental effects can lead to more and bigger shortcuts, as well as exposure to a very real risk of financial penalties, lost business, and other jeopardies. This shortcutting behavior was defined by Diane Vaughan in her book written as a post-mortem for the 1986 Space Shuttle Challenger accident, “Social normalization of deviance means that people within the organization become so much accustomed to a deviant behavior that they don’t consider it as deviant, despite the fact that they far exceed their own rules for the elementary safety.” This normalization of deviance leads to a new, yet distorted, normal—a slippery slope begins to form as a lack of consequences leads to increased complacency. In fact, such shortcuts may be encouraged by peers and even management: if the result is good, then the process leading to that result must be good—or so it would seem.
There are two key remedies to correct such a normalization of deviance within an organization. The first is that leadership must start at the top: standards must be set, enforced, and visible throughout the organization. If the C-Suite goes on a tour of a data center with the company’s biggest clients, they should be confident that all procedures will still be followed, despite the presence of billion-dollar VIPs. Strict adherence to “positive control” measures is key: enforcement of the mantrap, no piggybacking or tailgating, etc. What if those same VIPs are parched from walking outside in the summer heat in suits? The rule about no beverages in the datacenter must be upheld; otherwise, if covered beverage containers are allowed, what about small cups of water without a lid? Rules were firmly defined for a purpose, and should the boundaries of those rules become elastic, people may not understand why those original limits were established in the first place. In fact, it should be the firm observance of such rules that either wins or ensures future business with the VIPs. All employees must lead on these issues and demand accountability from their peers for organizational change to be championed and carried forward into the future.
The second remedy is to regularly assess the organization’s posture against industry-standard compliance frameworks. Not only can regular and routine assessments help uncover issues before they become a problem, such assessments can help prevent normalization of deviance, too. If the organization is reminded on a quarterly basis not to keep sticky notes on their laptops, this can help not only speed up future assessments but also change the organizational culture towards one of compliance. BizzSecure can provide automated assessments, and our team of experts can ensure that your systems, processes, and organization are set up to adhere to industry-leading requirements and frameworks. Please reach out to us today by using the chat box in the lower right-hand corner of your screen to learn more about how we can help.