On really helping people
We are often told to look for the helpers. Many people in security talk as if the sector is full of consumer digital rights advocates, compassionately helping the public and their co-workers. But what is the reality? Is advocacy even encouraged everywhere? I think that there are many, many great advocates out there. However, the reality of security work is not the glossy, friendly picture that we would like to imagine. It can be a struggle to get some people to move beyond blame, shame and adversarial approaches. So...
I thought we could look this week at some ways to constructively and inclusively help different groups.
This was pushed to the front of my mind by reading an excellent blog by Heather Adams.
Heather is a digital rights expert and advocate and has great insight. Her commentaries on the UK online harms bill are also worth reading: they simplify key concepts and concerns.
There are many interesting points that Heather makes, but the pertinent one to this discussion is her commentary that the digital rights scene in the UK relies on outside support. She specifically mentions Signal and Wikimedia for their excellent support. I agree with Heather here: it can be a real struggle to get funding or support for digital rights work in the UK. We are incredibly lucky to have overseas work, especially in the USA, that helps and informs work here. But it is not something that is hugely well funded or supported in the UK.
From my own experience, working in education, there are some messages around digital rights and consent that are unpopular and unwelcome. I would love to see corporate security education fill this gap somewhat. We should work from the principle that it builds trust to offer people information on cybersecurity that is relevant to them. They are then more likely to engage with more corporate messaging, solicit advice and flag issues. So doing work on managing privacy and security on apps, or keeping children safe online and managing their rights, would be incredibly useful in many ways.
I feel that often, the public are turned off to security and privacy advice by a mix of government messaging and boring or adversarial messaging at work. We want and need an informed public. I think that in the absence of public funding, corporate work could help to fill the gap, and pay outside speakers such as Heather. Just an idea.
Moving on from general digital rights, you could build a lot of alliances and do impactful work by helping people to recognise and fight cyber gender abuse. This particularly affects Black women, as explained in the book How to Stay Safe Online by Seyi Akiwowo.
I recommend this article on cyber gender abuse by Danielle Citron for anyone interested in the depth of the issue. I wish more corporate security education included active online allyship as much as it did phishing. Because beyond your social media policy, how should the organisation, leadership or even colleagues support each other when one of them is targeted for abuse online? I believe it is important to reflect on our work in cybersecurity, who we help and who gets left out. And who might need our help most.
I know that broad consideration of this topic is critical to successful cybersecurity education work. In short: we need to stop talking as if technology works all the time and meets everyone’s needs. We need more honesty about that, and a deeper understanding and discussion about what different technologies might mean for different groups.
What we currently have is tech that breaks regularly, lets people down, can harm entire populations and is often expensive. And we tell everyone it is great, the issues are because they didn’t enable MFA or they clicked a link. It is a bit like feeding someone terrible food and insisting that you seasoned it and their lack of appetite or issues with allergies are their fault entirely. We are not having the right tech discussions.
People are also more than ready to have conversations about technology, privacy and security. Daniel Solove wrote about this years ago. Yet we hide behind behaviour change and telling ourselves that the public has no appetite for certain things, or won’t do something or won’t understand. I don’t think this is true.
I think it is often our messaging that alienates people. And as technology impacts our lives more and more, I think people will increasingly look for dialogue and information. We would do well to anticipate this. And that could start with your organisation focussing less on saying “phish smish vish” and speaking in real terms about real issues. Because a lot of education work feels like we are rearranging deck chairs on the Titanic.
I hope you have a great weekend and week ahead. Those who celebrate Thanksgiving, I hope you had time to rest and renew. I hope all of us get some time to rest, reflect and be with people we love.
Podcast corner
404 Security not found discusses incidents at Okta and more.
The data fix is a great listen on empathy.
Underworld: behind the scenes of the NCA always has intriguing stories about how criminals are apprehended.
Risky Biz interviews the CEO of Material Security about Microsoft and G Suite security issues.