
Tuesday, 15 Sep , 2015

Cybersecurity G&T – Investing yourself in engagement and education



This isn’t about getting your staff drunk on tonic infused Hendricks, Bombay Sapphire, or Beefeater (depending on your office-hours drinking policy), this is about putting a face to security, then building knowledge and relationships through open and empathetic Give & Take.
I introduced that concept at London BSides, while calling out the need to improve communication with everyone. The concept of security awareness is too often something for ‘them’ (indicated by a hand waved dismissively away from the technical and senior leadership teams). Posters, online newsletters, mandatory computer-based doses of more or less engagingly presented rules. An “I’ve finished this” compliance-friendly box ticked for staff coaxed, cajoled or disciplined into participating.

Beyond “Security is EVERYONE’s responsibility” lip service

We don’t know that doesn’t work, because we don’t check, but research into more general human learning and behaviour suggests it’s minimally effective (for fun, perhaps try spotting your security awareness raising techniques in this Science Daily article about changing unhealthy behaviour).
People have to care, people have to retain, people have to recall. And when they recall, make (and keep making) consciously secure choices. Choices that often initially feel awkward, and frequently take a little more effort than the insecure alternative…until they become a habit.
I’m arguably stating the bleeding obvious there, unless you’re solely thinking about LARTing the Lusers. Folk at the faraway coalface who frustrate you by not ‘getting’ good passwords, discarding documents on desks, clicking email links with merry abandon, and inevitably losing their pass, smartphone or laptop. (Techie vs user relationships satirised by Simon Travaglia in his ‘fatherless’ Operator From Hell articles.)
But what about staff involved in change sign-off, procurement, strategic planning, and all the other key business functions and processes? Each of those has (or should have) a chunky security element, but how are those conversations and relationships at the moment? That’s what I mean when I say improving communication with everyone.
So, going back to the first thing on that “people have to” list:

How do you help them to care?

A bit of Give & Take is a great way to start. Do you feel more inclined to help someone who has helped you? Do you feel extra inclined to do so if you have built a rapport with that person based on shared understanding and interests? Do security staff often get out of the real or virtual basement (when there’s NOT an audit or incident) to talk to folk outside their usual circle of stakeholders? No? Not surprising. That’s what this kind of session might start to put right.

Ingredients For A G&T:

  1. A Brand: An accessible brand for security (logo, colours, strapline)
  2. A Great Space: Somewhere smack bang in the middle of the office, or somewhere else with great daily footfall at the time chosen.
  3. Your People: All your security staff plus some IT support bodies
  4. An Invitation to:
    • Give you their security problems: Whether that’s problems at home (e.g. safe browsing for their kids, safe browsing for them, wireless security, mobile security) or problems at work (e.g. secure email options are a blockage, password rules are a pain, security audits are stopping them getting work done).
    • Take away solutions and advice: On the spot secure config and fixes for devices brought along, password cracking/generating/strength checking tools to try. Pre-printed advice followed up with emailed links to good guidance. Noting and following up on reported issues with internal processes and tools.
  5. A Takeaway: Perhaps a link to some key security guidance, plus an entry code for a quiz based on content. The prize only on offer to those who attended.
  6. Follow ups:
    • Get the person who engaged with an individual on the day to follow up with them.
    • Shout about the winners of any prizes.
    • Include an offer to run other sessions at team meetings or away days.
    • Include a list of FAQs from the session and links to related advice.
    • Pick likely evangelists out of the attendee list and follow up to build relationships.
    • Record proactive engagements following the event (e.g. related helpdesk calls or clicks on links shared).

Of course not everyone has the time or inclination to get involved. Senior staff (like most of us) aren’t likely to want to shout about workarounds, or knowledge gaps. But there are likely to be comms, event management, and marketing bodies who can help. For reticent senior staff VIP G&Ts are an option. One on one, or one on two (having senior staff plus their executive assistants makes sense). For folk willing, but too busy, perhaps a G&T OD (On Demand) session at a time that suits.

Far More Than Fluffy BS

Does it sound like fluffy BS? If so that’s a dangerous headspace to occupy. If you think improving relationships with the business, putting a face to the function, and giving people a reason to care doesn’t matter, you may be in the wrong job.
Yes, a G&T ‘do’ is just one very practical idea. Far from a panacea. Instead a potential part of what probably needs to be a 3-5 year strategy. A strategy that must start with work to understand local business realities, group dynamics, and cultures. That discovery process begins to open doors and minds. Simply listening is hugely impactful, especially if mandated online tests have historically been the only basis for interaction with most staff. If you are honest, you know that’s what it takes to make any appreciable cultural difference. The ultimate aim? To minimise ignorance, accident and ‘what the heck (PG version)’ related insider security risks, encourage everyone to think twice, and make them more likely to pick up the phone.

Many Risk Flavours

Of course, when generic ‘show and tell’ awareness work is done, there’s more than one type of residual people risk. Some hearts and minds (when security tools, processes and relationships have been broken for a while) will have a more deeply ingrained tendency to plump for the perceived quick, cheap and easy option. That’s as much the CXO who says JFDI to rush holey software into production, as the sales agent who reuses their work email address and password to get their grocery shopping done.
Then there’s the small subset of persistent risk. People who have a far bigger negative motivation than the positive one you can offer. A motivation often sought out and nurtured for some highly effective and targeted social engineering. That needs yet another approach, including robust screening, technical behavioural analysis, plus educated vigilance from staff.
In every case, this activity is there to complement technical monitoring and defence, not replace it. That synergy, if properly implemented, can be more than the sum of its parts. All the moving parts of your business – flesh, blood, bytes and tin – pointing in a security enhancing and business objective supporting direction…
…if you are up for the challenge.
