Restorative Justice Framework

Separating the deed from the doer

What is the Restorative Justice Framework?

By its generic definition, a Restorative Framework is a way of thinking about and responding to conflicts that focuses on repairing the harm that has been done. It is based on the belief that everyone involved in a conflict has a stake in finding a solution that works for everyone.

Restorative Framework Model for Cloud Users

Before moving to the Restorative Justice Framework model, let’s look at an analogy from criminal justice. Criminal justice programs mostly draw on two justice models, the punitive and the permissive. These two models generally swing back and forth like a pendulum.

In the Restorative Justice Framework, by contrast, you do not punish the culprit. You try to find a better solution to the problem rather than punishing the doer. This separates the deed from the doer and allows businesses to build trust among their teams.

Impact of Restorative Justice Framework on Businesses

As the demand for cloud usage increases, businesses are becoming wide open to cyber-attacks and threats that can cause huge losses. According to a study, most of the attacks on a cloud environment are believed to be caused by internal misconfigurations. This means that the less your engineering teams know about secure coding, the more threats and drift you will face in your cloud environment.

Hypothetically, if your code does not meet the security standards of the cloud, will you put your engineers behind bars? No, right? That is not a rehabilitative approach. It will not fix your problem; it only increases fear among your employees, who may then stop notifying you about bugs or decide not to join your organization in the first place.

Using a restorative framework, you bring the perpetrator, victim, and witnesses together to address the harm beforehand, try to come up with the most suitable solution for it, and then restore it to the community.

Building A Restorative Justice Culture in an Organization

Now that you know the impact of a restorative justice culture, let us look at how to build that culture to achieve organizational benefits. The first and foremost thing security advocates can stop doing is walking into a room full of people (now virtually or remotely), bashing their team members, and trying to show them all the red signs. Humiliating people in front of their teams is not a good way to build a team.

Everyone knows the technology and how to use it, but several organizations lack the skills to build good relationships. Engineers are not causing problems deliberately. Management teams need to understand that systems are, and can be, complicated.

“Be empathetic, build good relationships”


Here is a list of things to practice for building a restorative justice culture:
  • Build good relationships: Unless you build empathy within your teams, they are likely to turn their backs on you.
  • Emotional intelligence: You read that right. Being aware of what the other person would feel will help you tremendously in choosing the right approach.
  • Be responsive: Assuming that having the right tools will let your team handle any situation is a mistake. You need to go and work with them, and try to find the friction before they even get there.
  • Educating teams: Not the traditional practices like sharing some courses or video walk-throughs, but sitting down and discussing with your teams. Mark the problems, address them, and find solutions; there are many other ways as well.

Application of Restorative Justice Framework

Having emotional intelligence towards your employees and trying to build good relationships is not enough. These practices should be a two-way process, which means that security leaders and the team members working with them should feel the same way about each other.

Handling a data breach or a security breach is a tough and stressful situation. There are times when you have to deal with compassion fatigue or empathy stress reactions in these kinds of workplaces.
“The thing that happened is bad, but you are not bad”
— Michele Chubirka, Cloud Security Advocate, Google
What exactly does the term “separate the deed from the doer” mean? Michele Chubirka, in one of the scaletozero podcasts, shares that following a no-fault culture, unlike criminal justice, is one of the simplest ways to understand the term. The moment you separate the deed from the doer, you are set to work together as a team and reach a positive outcome. A shaming and dominating culture can make an incident response audit or a retro hard, because shaming is a psychological effect more than a personal choice.

Security Practitioners Collaborating with Other Teams

The best security people are not the ones who are going to solve the problem. Security people are the people who unblock teams by notifying them of errors in the system. It is therefore of utmost importance for security teams to work and collaborate with other teams, especially the engineering teams.

We know this is like being a generalist, or needing some really good soft skills to get the work done. A discussion with teams as simple as “Do you know what ASVS from OWASP is?” can be of great help. Being a leader and practicing such things helps a lot in building good relationships. Security teams will have to educate engineering and software development teams about secure coding because they are the ones who know the software.

Following easy practices like assessments or discussions will give security teams an idea of the current maturity within teams. Security teams don’t want to waste other team members’ time in scrutiny and meetings. This is a way of working and improving relationships for better productivity and a secure SDLC.
