The normalization of deviance

I love when I can relate to lessons learned in other fields and incorporate them in my day-to-day activities. In the January 2023 issue of EAA Sport Aviation, Steve Krog discusses “the normalization of deviance” related to aviation accidents and incidents. He summarizes this theory to mean that “something unacceptable becomes gradually acceptable where there are no adverse consequences.”

I often feel this pattern is visible when considering cybersecurity posture. Some easy examples include the lack of an awareness and training program, vulnerability management, a password policy, or multi-factor authentication, and the continued use of legacy systems. If unacceptable practices go unaddressed, we increase our chances of being caught up in the next round of incident response.

Cybersecurity plays a role in business success. Bound Planet was established with this goal in mind.

For technical personnel, resources like the Cybersecurity and Infrastructure Security Agency (CISA) Cross-Sector Cybersecurity Performance Goals (CPGs) or the Center for Internet Security (CIS) Controls can serve as a guide.