This isn’t about getting your staff drunk on tonic infused Hendricks, Bombay Sapphire, or Beefeater (depending on your office-hours drinking policy), this is about putting a face to security, then building knowledge and relationships through open and empathetic Give & Take.
I introduced that concept at London BSides, while calling out the need to improve communication with everyone. The concept of security awareness is too often something for ‘them’ (indicated by a hand waved dismissively away from the technical and senior leadership teams). Posters, online newsletters, mandatory computer-based doses of more or less engagingly presented rules. An “I’ve finished this” compliance-friendly box ticked for staff coaxed, cajoled or disciplined into participating.
Beyond “Security is EVERYONE’s responsibility” lip service
We don’t know that doesn’t work… we don’t check, but research into more general human learning and behaviour suggests it’s minimally effective (for fun, perhaps try spotting your security awareness raising techniques in this Science Daily article about changing unhealthy behaviour).
People have to care, people have to retain, people have to recall. And when they recall, make (and keep making), consciously secure choices. Choices that often initially feel awkward, and frequently take a little more effort than the insecure alternative…until they become a habit.
I’m arguably stating the bleeding obvious there, unless you’re solely thinking about LARTing the Lusers. Folk at the faraway coalface who frustrate you by not ‘getting’ good passwords, discarding documents on desks, clicking email links with merry abandon, and inevitably losing their pass, smartphone or laptop (techie vs user relationships satirised by Simon Travaglia in his ‘fatherless’ Operator From Hell articles).
But what about staff involved in change sign-off, procurement, strategic planning, and all the other key business functions and processes? Each of those has (or should have) a chunky security element, but how are those conversations and relationships at the moment? That’s what I mean when I say improving communication with everyone.
So, going back to the first thing on that “people have to” list:
How do you help them to care?
A bit of Give & Take is a great way to start. Do you feel more inclined to help someone who has helped you? Do you feel extra inclined to do so if you have built a rapport with that person based on shared understanding and interests? Do security staff often get out of the real or virtual basement (when there’s NOT an audit or incident) to talk to folk outside their usual circle of stakeholders? No? Not surprising. That’s what this kind of session might start to put right.
Ingredients For A G&T:
- A Brand: An accessible brand for security (logo, colours, strapline)
- A Great Space: Somewhere smack bang in the middle of the office, or somewhere else with great daily footfall at the time chosen.
- Your People: All your security staff plus some IT support bodies
- An Invitation to:
  - Give you their security problems: Whether that’s problems at home (e.g. safe browsing for their kids, safe browsing for them, wireless security, mobile security) or problems at work (e.g. secure email options are a blockage, password rules are a pain, security audits are stopping them getting work done).
  - Take away solutions and advice: On-the-spot secure config and fixes for devices brought along, password cracking/generating/strength checking tools to try. Pre-printed advice followed up with emailed links to good guidance. Noting and following up on reported issues with internal processes and tools.
- A Takeaway: Perhaps a link to some key security guidance, plus an entry code for a quiz based on content. The prize only on offer to those who attended.
- Follow ups:
  - Get the person who engaged with an individual on the day to follow up with them.
  - Shout about the winners of any prizes.
  - Include an offer to run other sessions at team meetings or away days.
  - Include a list of FAQs from the session and links to related advice.
  - Pick likely evangelists out of the attendee list and follow up to build relationships.
  - Record proactive engagements following the event (e.g. related helpdesk calls or clicks on links shared).
Of course, not everyone has the time or inclination to get involved. Senior staff (like most of us) aren’t likely to want to shout about workarounds or knowledge gaps. But there are likely to be comms, event management, and marketing bodies who can help. For reticent senior staff, VIP G&Ts are an option. One on one, or one on two (having senior staff plus their executive assistants makes sense). For folk willing, but too busy, perhaps a G&T OD (On Demand) session at a time that suits.
Far More Than Fluffy BS
Does it sound like fluffy BS? If so, that’s a dangerous headspace to occupy. If you think improving relationships with the business, putting a face to the function, and giving people a reason to care doesn’t matter, you may be in the wrong job.
Yes, a G&T ‘do’ is just one very practical idea. Far from a panacea. Instead a potential part of what probably needs to be a 3-5 year strategy. A strategy that must start with work to understand local business realities, group dynamics, and cultures. That discovery process begins to open doors and minds. Simply listening is hugely impactful, especially if mandated online tests have historically been the only basis for interaction with most staff. If you are honest, you know that’s what it takes to make any appreciable cultural difference. The ultimate aim? To minimise ignorance, accident and ‘what the heck (PG version)’ related insider security risks, encourage everyone to think twice, and make them more likely to pick up the phone.
Many Risk Flavours
Of course, when generic ‘show and tell’ awareness work is done, there’s more than one type of residual people risk. Some hearts and minds (when security tools, processes and relationships have been broken for a while) will have a more deeply ingrained tendency to plump for the perceived quick, cheap and easy option. That’s as much the CXO who says JFDI to rush holey software into production, as the sales agent who reuses their work email address and password to get their grocery shopping done.
Then there’s the small subset of persistent risk. People who have a far bigger negative motivation than the positive one you can offer. A motivation often sought out and nurtured for some highly effective and targeted social engineering. That needs yet another approach, including robust screening, technical behavioural analysis, plus educated vigilance from staff.
In every case, this activity is there to complement technical monitoring and defence, not replace it. That synergy, if properly implemented, can be more than the sum of its parts. All the moving parts of your business – flesh, blood, bytes and tin – pointing in a security enhancing and business objective supporting direction…
…if you are up for the challenge.