The moment we judge someone, we forfeit the ability to help.
Seems like a lot of what is being promulgated in so-called “security awareness” today is nothing short of berating people with a list of the things they shouldn’t do, coupled with a non-intuitive list of what they should do.
I read a lot of suggestions to “call people out” and “catch them doing the wrong thing.” For obvious reasons, I’m not going to link to any of these articles, columns and blog posts. My experience and success in changing behaviors suggest a different approach is more effective.
Why the need to embarrass others?
The reason so many focus on lecturing and berating stems from the misguided belief that we know better, know more than other people and will grace them with our wisdom.
Memo
From: the users
To: the security people
RE: get over yourself
Businesses existed without you before, and while perhaps not in the future, we can do better. So can you. Start sharing with us and stop trying to embarrass us and make us feel stupid. Teach us what you know – but in our words – and we will work alongside you.
My practice delivers “Awareness that Works™” – where awareness serves as the catalyst for effective training. I enjoy several conversations a day – and welcome more – on the topics of awareness, training and the broader issues of rethinking how it all works in the organization to go beyond “security awareness” by building a system that cultivates a culture of optimization.
Awareness is generated, not prescribed
In the process of sharing Awareness that Works™, I recently sent a note to a person I met while keynoting a conference. Our dinner discussion suggested to me that he “got it;” that he understood the purpose of awareness and the vital role it played in the organization.
But his reply to my note blew me away: he had no interest in discussing awareness because he simply told people what awareness was, told them what to do and told them how to do it. He saw no need for awareness or training, and no desire to discuss it.
Wow.
How would you like to be the user in that session? Actually, how would you like to be a security practitioner in that organization?
Either way, I suspect the point is lost on that chap and those he is supposed to serve. And that’s too bad for everyone.
In my consulting practice, I ask people about their experiences and what they expect. Turns out people are pretty clever: they do brilliant things; they know they need to change (and are willing to) and have reasonable expectations of you and the organization.
So why the disconnect?
A misguided belief that we know more, are smarter and that users are unable to get it right contributes to the disconnection and failure of “traditional security awareness.”
I’ve read where others suggest inane things like “there is no patch for stupid†and that we need to inflict pain on people in order for them to understand. And then I watch other security practitioners applaud and cheer. Step back and watch it through another lens and perhaps you’ll be as appalled as you should be.
We don’t know better, we just have a different experience.
In the course of practicing “security,” we literally spend hours a day steeped in risk, understanding actions and trying to successfully solve problems.
But we also make mistakes. Lots of them.
Ever over-hardened a machine (to the point where it is a brick), blown a patch and screwed up configurations, backups and the like?
Spend a night in a data center correcting your own mistakes and things start to look different. As a result, we have cultivated a different language, experience base and set of expectations.
We may have started on a more equal footing in terms of experience, but the nature of our profession changes us. Sometimes, however, that change is a bit harder to see, and even more challenging to consider in context.
But we have hope.
The people we serve are willing to make a change, if and when needed. But they want to be made aware of the consequences of their actions in their words, in their experience and on their turf.
No one likes to be embarrassed or talked down to – and that has to stop. Now!
In the end, we’re all the same. We have an opportunity to all work together. We need to reconsider what awareness means, consider the perspective of our users and work to share and educate, but not embarrass.
Stick with me and I’ll show you how.
Engage with Michael Santarcangelo