I have received an interesting comment about last week’s blog on security reducing stress instead of causing it. Here’s the gist of it: “How can I be doing my job as a security professional if I just give user’s what they want in order to relieve their stress? Aren’t I just placating them at the expense of good security?” The answer is no. Security still needs to provide the boundaries to ensure a level of safety for the organization. Without those boundaries, there is increased stress for users, IT managers, and security. Giving in never reduces stress.
Policies, standards, and procedures established by security with input from the users form those boundaries. From the comment by oilpanic, “I really feel that IT security people and the end-users should combine forces, and most of all, the security professional should educate the users to understand why they need to have a policy. This way users feel they are a part of the security process which is #1 in order to get them to comply and feel no stress when they have to follow a policy.†I agree.
Michael (the bald security guy running this place) challenged me to give ways to decrease negative stress and increase collaboration with users while ensuring the right balance of security. Below are some ways to reduce stress and improve collaboration with users. In addition, you should read How to Win Friends and Influence People by Dale Carnegie for more ideas.
- Respond quickly. Return phone calls and emails as soon as possible. Even if you don’t have an answer right away, at least let them know you received the message. This is critical in gaining the trust of users and colleagues. When you are quick with a response, users are more likely to engage you and look for your council. This is an easy, quick win that doesn’t take much time and adds tremendous value.
- Develop relationships with your customers / colleagues. Your users won’t trust you if you haven’t taken the time to get to know them. This is through face-to-face communications where you can empathize with their frustrations and they can empathize with yours. To do this you really need to Listen & Understand. So many of us are running full-tilt that we forget to step back and truly listen. In order to listen, we need to be present. So, as you take this approach, you should be able to clearly explain back to you client/users: their wants, needs, and goals. You may find that this becomes more of a dialogue, as they are not entirely sure their wants, needs and goals, and you will be here to guide them, joining forces.
- Be positive. Using FUD (fear, uncertainty & doubt) only goes so far and tends to provide negative stress. If you are negative in meetings, you won’t be invited in the future. It is possible to seriously state issues while remaining positive. A positive, helpful attitude will keep your customers coming back. “Attitude is a little thing that makes a big difference.” ~Winston Churchill
- Use the Golden Rule. “Do to others as you would want them to do to you.” Also the correlary, “Don’t do to others what you don’t want done to you.” Treat others like you want to be treated. Show respect. It’s a small world and we all need to get along. Do your part to help. Remember that small things can make big differences.
- Lead by Example. Don’t make your users live by rules that you don’t follow. The policies must apply to everyone from the CEO on down. That includes IT and security. (We are often the worst violators.) Explain to users the why of the rules and how they apply to everyone. It’s for everyone’s safety. As we like to put it at my company, “It keeps you off of the suspect list.”
While these seem like common sense, they are not necessarily common practices within security. Jesper Johansson echoes this in his recent article Security Watch: Help Wanted — Need “People” People (http://go.microsoft.com/?linkid=5049693). I’ll conclude with a quote from that article, “The real solution, therefore, is that we—the people who design, write, implement, and manage software—have to learn how to deal with people. That is the only way we will be able to help people defend themselves. Defending themselves is the only way people can be safe.†The techniques outlined above will help you become a better people person reducing negative stress for yourself and your users. Try them and see for yourself.