Beyond Training: Lessons from Pixar blocking Innovation

Pixar and Roadblocks In Innovation

In the early days of Pixar, there was a lot of resentment for production managers. These people have the thankless job of making sure a movie is on-time and under budget. The analog of security people where they are given the responsibility of not getting hacked.

The resentment stemmed from a micromanaged approach where creatives had to go through production managers for all communication. They were seen as slowing down progress and roadblockers. They were also seen as second class citizens.

Sound familiar?

More on how they solved this later.

Building Security Culture

So how do we build security culture?

I was updating the syllabus for my Cybersecurity For Startups course, and came upon the security awareness section. Staring at it for a little bit, I was trying to think is there something different I can do. The security community has a variety of opinions on training, education, and red teaming and how to approach it, so I wanted to reflect on how I usually approach this and advise clients.

Thumbing through the other modules of the course, I remember having a section on Security Culture and that is pivotal to the success of a good security program. There it was: Double down on security culture, and everything else will come to play.

So security awareness training is a subset of building security culture. Yes, we need to have our training, but it HAS to be multi-modal and not just video training nor antagonistic.

Well, just the same way you build a company culture. Or the same you build a product culture.

Someone asked me once, how do you know you have a good security culture?

Some ways you know you have a good security culture

• When people are internally reporting security issues and ideas to you

• When people are excited to interact and meet with you

• When people are proactive in their security efforts

How Pixar Removed Roadblocks To Innovation

How did Pixar know about the cultural issues they had and find the root cause? Well, they sat down with people and had open-ended conversations. In the end they let anyone have the ability to communicate with anyone else and then inform managers later. This broke down barriers and obviously increased collaboration.

As a security manager, allow your people to work with and communicate with other groups and update you accordingly.

As a non-security manager, empower and reward your employees for baking in security or reaching out to the security team to understand best practices.

Recommendations for building security culture

• Think of the employee as a customer

• Take on a product manager’s mindset and learn about their problems and workflows

• Do not create solutions in a vacuum

• Each interaction with an employee is a representation of the security team and the culture of security

• Align with the companies values and culture

• Talk, yes actually talk, with managers of all levels. Understand their world. Use as an opportunity to learn about them, but also educate/inform them about your concerns and the trending risks out there.

• Don’t be pedantic or use FUD

• Seek understanding

• Leverage people’s inherent altruism. People want to do the right thing, they just need to be enabled and informed

• Enablement means reducing friction

• Informed means being made aware, where they were not aware before

• It takes six to seven interactions for something to stick

• User a multi-modal approach

  • During onboarding

  • Videos

  • Live talks all-hands

  • Storytelling and Comedy

  • Brown Bags

• Relate it back to company incidents (where feasible)

• Have open-ended conversation with people