Fulcrum AdvisoryFulcrum AdvisorySecurity leadership that connects strategy to execution
The Shield Is Cracked
Part 2 of 11SOC Culture · CIA Triad · People

CIA Isn't Just for Data

If you've worked in security for more than five minutes, you know the CIA triad: Confidentiality. Integrity. Availability.

It's table stakes for securing systems. When I finally stepped back — burned out, questioning my life — I realized something that never showed up in a SIEM:

We applied the CIA triad to data. We never applied it to people.

Analysts are expected to perform like hardened systems. Eyes on glass. Clear-headed. Ready for fire. But they're given none of the protections we build into our tech. And that failure? It'll cost you more than any incident ever will.

Confidentiality — Psychological Safety, or Lack Thereof

In systems, confidentiality is about control — only the right people get access. For humans, it's about trust.

Do your people feel safe enough to say:

  • "This is broken"
  • "I'm drowning"
  • "This is BS"

You might preach open-door policies. But is the door actually open?

The answer, more often than not:

  • Passive nods. No follow-up.
  • "I don't have time"
  • Or worse, crickets.

So your people stop flagging problems. When the true positive alerts go off, your SOC is already behind.

Silence in a SOC isn't peace. It's corrosion.

Integrity — Say It. Mean It. Follow Through.

System integrity means no tampering. Data in, data out, no funny business. For teams, it's leadership keeping its word.

Most don't.

  • Priorities shift weekly.
  • Promises made in meetings vanish by lunch.
  • "Collaboration" is a slide deck, not the culture.

The light will go out in people's eyes. Not because they don't care. But because they did.

Caring without consistency breaks people. Trust doesn't collapse all at once. It erodes quietly — through inconsistency and leadership rot.

Availability — Focus Is Fuel. And SOCs Burn It.

System availability means uptime. For humans, it's mental bandwidth. Does your team have the headspace to think?

Or are they running on fumes?

  • Constant meetings.
  • Executive "fire drills" with zero security context.
  • Tools dumped on them like hot potatoes: "Can you make this work by EOD?"

You don't have a SOC. You've got a security-themed improv troupe.

The result? Shallow and incomplete investigations. Your sharpest minds start mentally checking out — then physically. Burnout doesn't always scream. It just says, "I'm fine." Then walks out the door.

CIA for Humans = Culture That Lasts

We audit systems against CIA constantly. But when was the last time you audited your culture?

Ask yourself:

  • Can people speak up without fear?
  • Do leaders care about team or metrics?
  • Do analysts have the time to do their actual jobs?

If there is a no, you don't have a security culture. You have a liability wearing a lanyard and pointing at dashboards. Secure systems need secure humans. And secure humans need more than snacks and Slack reactions.

Let's build security cultures that last. One where shields don't have to crack before people get heard.

← Part 1: You Can't Block Every Shot Part 3: You Can't Secure What You Don't Respect →