I’ve been carrying this burden around for years…
See, I believe in our users. I believe in their brilliance. I believe they just want to get their job done. And throughout my career, I have also believed that by getting engaged, we can make a difference. I have never really engaged in “user bashing” and while I run in technical circles, have equally enjoyed user meetings, sales and even <gasp> business strategy meetings. I know, I know – how can that be?
Well, as I continued to improve my own practice of security (while still with Accenture/Andersen Consulting), I started to speak publicly. Turns out I had a knack for entertaining and speaking while explaining. That led to teaching (and I’ve met many of you through those awesome experiences). The more I spoke about security, the more I taught people about security — and more importantly how to be successful professionals — the more I enjoyed it. I soon realized that learning about life, distilling it into stories and then using those stories to relate to others and explain security concepts struck a passionate chord deep in my soul.
So… while I kept (and continue to) learning the technology of security, I also studied human behavior, organizational development and the trade-craft of speaking and training. In fact, I got really deep into instructional design and then really focused (and continue to) on being an exceptional professional speaker. I read about as much as I can. I learn from nearly every situation – the more I learn, the more I want to learn.
So I confess – I love relating security to users. I really enjoy it. Hell, I THRIVE on it. My passion is engaging users to be inspired to make changes in their behaviors.
Confess, you ask? How is this a confession?
Well, you see, for the longest time, I feared that if I confessed that I really enjoyed teaching, was good at it, and kept trying to improve, I would be labeled as a “trainer.” And that would come with the connotation that I no longer understood technology or security – that I had somehow crossed over (and not in a John Edwards sort of freaky way). Clearly nothing could be further from the truth, but I’ve been around long enough to watch how people talk. I’ve even had people come up to me after a session and say something to the effect of, “wow, you really knew your stuff for a trainer/speaker.” Backhanded compliment, I guess. Sure, I’m not as deep with some aspects of the technology as some of the company I keep (which is, um, why I enjoy their company) – but I’m not too shabby and I play an important (and needed) function in our profession.
So why confess now?
I could have kept quiet. At the same time, I have a sense of purpose about me now that is calm and comfortable. And then after the RSA show, I started to read some of the recent posts in different places where a lot of security “professionals” were really hammering away on users (I could post some links, but I’d prefer you didn’t read them). Yikes! Not only is this bad form, it’s plain wrong and, worse, a dangerous mindset. If we allow ourselves to think our users are stupid and incompetent and therefore have to design AROUND them, we’ve missed the point and sealed our own failure. First, that’s a plain bad attitude. Users are smart and just want to do their jobs. When we build and implement solutions that change the “system” in which our users operate, then fail to educate them appropriately, then call them stupid when they don’t comply… well, we look like a bunch of jackasses to them. I could go on – and perhaps I will in the future. But for now, know this: I don’t agree. At all.
I have hands-on proof those assertions are wrong. Over the last year, I really started to focus more on learning how systems work, how they fight to maintain status-quo and how we might be able to introduce new ideas and new concepts into systems in a way that is accepted – even built on. Guess what? It worked! We can always point to a few bad seeds, but it’ll be a long argument to show me that technology overcomes a bad seed. Seriously.
So, confession over, sense of purpose established, the entire company took some time off this year to stop and think. As a result, we narrowed the focus of our company to three core “experiences and solutions” that we offer:
– Speaking about Security
– Avoiding the Breach
– Security Awareness Transformation
It’s a bit of a risk to stop the ship and correct the course. But man, do I believe in our approach! I don’t intend this to be a sales pitch. I’ll actively provide insights gained from each of these offerings over the next few weeks. I have also decided that, for the most part, I would prefer to share my knowledge and what I have learned. I’ve long held that by sharing our knowledge, we grow stronger and those around us have more information with which to make informed choices. I’m actually in the middle of writing a book about the spate of breaches that has befallen us – and I am providing some insights and solutions – based on what I have learned and what I continue to research. That should be in print and available this summer. More details to come in March (and probably a request for some reviewers and input).
Meantime, I’ll start sharing some of the models, ideas and concepts that I am working on. I believe that by sharing what I am figuring out, a few things will happen: you will help me improve, you will improve your ability to practice information security, we all improve at how we communicate and some of you will want to work with me and the team of superstars around me. All I ask in return is that you stop, think and help me improve.
I continue to have a real passion for being a catalyst; for changing the way people think about and protect information. And I will no longer apologize for being able to connect, to relate and to help others do the same. I look forward to learning from and helping you!
Thanks for letting me confess. I feel better now.