When the adults change
I once worked in a school where the principal gave us all the book “When The Adults Change” by Paul Dix. The objective was for us to reflect on our own attitude and behaviour and how it was influencing student behaviour and performance. I think that this has real lessons for us as cybersecurity professionals. We need to look at ourselves first.
I say this a lot, but it does bear repeating in these days of the world being a total mess. What worked ten years ago will no longer work when people are constantly laid off, or scared of being laid off. Or sad and worried that they can’t afford life.
Do we look at our own behaviour?
Are we calm, engaging and receptive to questions?
But even more so, are we doing the work ourselves?
Have we secured what we need to secure?
Are we showing critical thinking?
I think the answers to these questions are often “no”. To be fair, there is always more to secure. But too many organisations sit doing ISO or other compliance “busywork”. I don’t mean to suggest that compliance is a waste of time. I love compliance.
It is more that it often replaces real work because it is output-based rather than outcome-based. And securing things brings compliance by default. This blog here by Crankysec has some profanity, so beware on a screen at work, but it is spot on. I think unless you are very lucky, and work somewhere with an amazing team such as the one at Netflix, you will read it and recognise some past or present colleagues.
Our fixation on phishing sims, and firing people for clicking them, has also pushed our focus outwards. Why? Because most of the vendors selling you stuff HAVE NEVER WORKED IN A SECURITY TEAM. Please read that again, and then go and read some bios of some of the folk selling you “security awareness professional” or awareness content. Few of them have any experience sitting with teams, building strategies or building trust. They just know what people want to hear. But none of that mattered years ago, when they discovered that desperate and panicked security teams or managers would happily buy something, anything, that pushed the focus away from them.
So we end up with sims, top clicker dashboards and awful slogans like “human firewall” or “passwords are like your pants”. Because no one making this rubbish has ever been asked to, or needed to, do more. And we need to start asking for more. And see who is capable of offering solutions and outcome-based ideas.
We need to show that we are capable of discernment, of using the critical thinking that we need to be teaching and modelling. This is how you will also gain credibility with leadership.
Let us also remember in all of this that outcome-based work is what matters. Which is why I use the term security education, not vague “awareness” or HR “culture”. We aren’t focussed enough on outcomes. Or on our own ideas. I would love to see more people sharing insight, ideas and outcomes that went beyond creating security champions or dashboards of click rates.
Where are the people who dare to challenge the status quo, or work for trust? Why is the leading “Security awareness summit” running training that repeatedly suggests that people who click links should be reported to HR? How is that helpful to us in building trust or relationships? If you don’t care, then feel free to continue being a wing of HR.
If you do want to build trust and help people, then you urgently need to be working for that trust. And that means doing disinformation workshops, meeting people with the information that they need and getting the security and engineering teams the training that they need. We should be working with comms teams, focussing on WHY am I doing this, and WHAT FOR? If we work like this, we won’t end up with “great click rates” alongside a dev team that doesn’t have secure admin access, or a security team that hasn’t thought through the MFA process. Shifting Privacy Left discusses this from a privacy perspective that may be useful.
It starts with us
It also starts with you.
Just as I would advise any CISO not to stay where they are not valued, even in this economy, you deserve to be where your ideas are heard. An organisation that only wants you to focus on posters and sims is not going in the right direction. Find the sponsors for your ideas and develop outcome-based strategies.
If you need some ideas on how to do this, remember Vygotsky’s principles. You should always be considering what people can do by themselves, and what support they might need from an MKO (More Knowledgeable Other). The MKO can be a human, an LMS or other support. Then you should consider the ZPD (Zone of Proximal Development). This is how much support is needed, and how much challenge is required, to inspire and motivate the learner. All of it works on collaboration and relationships. This can be useful in thinking about strategic relationships as much as in security education. I love using it as a base for work as it centres the subject of the education, instead of the organisation. The Human Centred Security Podcast covers this exact topic this week. Ethical Voices also discusses that people are not props.
People are our why. You are the why for the people. Please trust your insight and ideas and don’t let them dim your light.