The moment we judge someone, we forfeit the ability to help.
Much of what is being promulgated as “security awareness” today is nothing short of berating people with a never-ending list of things not to do, coupled with a shorter, non-intuitive list of what to do. (As an aside, see “why the definition of security awareness matters.”)
When these lists predictably fail to produce results, frustration results in cries to “call people out” and “catch them doing the wrong thing.” Shaming and blaming people without first educating them is a dangerous approach.
Why the need to embarrass others?
The reason so many focus on lecturing and berating stems from the misguided belief that we know better, know more than other people, and therefore must inflict our will upon them.
From: the employees
To: the security team
RE: get over yourself
Businesses existed without you before, and while that may not hold in the future, we can do better. So can you. Start sharing with us and stop trying to embarrass us and make us feel stupid. Teach us what you know, but in our words, and we will work alongside you.
Security Awareness is generated, not prescribed
After a conference keynote, I dined with a CSO excited to talk about his program. When the conversation turned to security awareness, his approach blew me away: he simply told people what awareness was, told them what to do and told them how to do it. He saw no need for security awareness or training. He considered it a waste of time and money.
Wow. How would you like to be the employee in that organization?
Maybe he doesn’t understand the definition of security awareness. Either way, I suspect the point is lost on that chap and those he is supposed to serve. And that’s too bad for everyone.
People are clever: they do brilliant things; they know they need to change (and are willing to) and have reasonable expectations of you and the organization.
Why the disconnect?
Just like the practice of calling people “users” (a practice which needs to end, now), this approach is a way to create distance. It creates situations where security professionals feed their egos with inane remarks like “you can’t patch stupid,” labeling people “layer 8,” and insisting that our role is to inflict pain so people understand. Worse, the audience cheers and applauds. Yet if another profession described you this way, imagine the outrage.
Here’s the dirty little secret: we don’t know better, just different.
A career focused on security means hours a day steeped in risk: time spent understanding systems and networks, implementing solutions and creating protocols to reduce risk and protect organizations from the certainty of attack. Easier to forget are the mistakes. Lots of them. Bricked machines, blown updates, lost configurations, default passwords… even seasoned professionals make mistakes (hopefully smaller ones). But those mistakes form the basis of experience and a successful career.
We may have started on a more equal footing in terms of experience, but the nature of our profession changes us. That change is often hard to see in ourselves, and even harder to consider in context. It shows when we try to explain important concepts to people in the wrong context, with the wrong words.
We have hope
Even without a clear understanding, people know security is important. They are willing and able to make changes and adapt — when necessary. However, change is scary, and a long, confusing list of tasks and actions to do or avoid increases friction. No one likes to be scoffed at or talked down to. Engage people in their own environment, understand their job — the complexities, the nuances, the stress — and work together to explore the consequences of actions. In the process, listen and look for parallels to reach a mutual understanding.
Show people a better way, empower them to change.