The moment we judge someone, we forfeit the ability to help.

Seems like a lot of what is being promulgated in so-called “security awareness” today is nothing short of berating people with a list of the things they shouldn’t do, coupled with a non-intuitive list of what they should do.

I read a lot of suggestions to “call people out” and “catch them doing the wrong thing.” For obvious reasons, I’m not going to link to any of these articles, columns and blog posts. My experience and success in changing behaviors suggest a different approach is more effective.

Why the need to embarrass others?

The reason so many focus on lecturing and berating stems from the misguided belief that we know better, know more than other people and will grace them with our wisdom.

Memo

From: the users

To: the security people

RE: get over yourself

Businesses existed without you before, and while perhaps not in the future, we can do better. So can you. Start sharing with us and stop trying to embarrass us and make us feel stupid. Teach us what you know – but in our words – and we will work alongside you.

My practice delivers “Awareness that Works™” – where awareness serves as the catalyst for effective training. I enjoy several conversations a day – and welcome more – on the topics of awareness, training and the broader issues of rethinking how it all works in the organization to go beyond “security awareness” by building a system that cultivates a culture of optimization.

Awareness is generated, not prescribed

In the process of sharing Awareness that Works™, I recently sent a note to a person I met while keynoting a conference. Our dinner discussion suggested to me that he “got it;” that he understood the purpose of awareness and the vital role it played in the organization.

But his reply to my note blew me away: he had no interest in discussing awareness because he simply told people what awareness was, told them what to do and told them how to do it. He saw no need for awareness or training, and no desire to discuss it.

Wow.

How would you like to be the user in that session? Actually, how would you like to be a security practitioner in that organization?

Either way, I suspect the point is lost on that chap and those he is supposed to serve. And that’s too bad for everyone.

In my consulting practice, I ask people about their experiences and what they expect. Turns out people are pretty clever: they do brilliant things; they know they need to change (and are willing to) and have reasonable expectations of you and the organization.

So why the disconnect?

A misguided belief that we know more, are smarter and that users are unable to get it right contributes to the disconnection and failure of “traditional security awareness.”

I’ve read where others suggest inane things like “there is no patch for stupid” and that we need to inflict pain on people in order for them to understand. And then I watch other security practitioners applaud and cheer. Step back and watch it through another lens and perhaps you’ll be as appalled as you should be.

We don’t know better, we just have a difference experience.

In the course of practicing “security,” we literally spend hours a day steeped in risk, understanding actions and trying to successfully solve problems.

But we also make mistakes. Lots of them.

Ever over-hardened a machine (to the point where it is a brick), blown a patch and screwed up configurations, backups and the like?

Spend a night in a data center correcting your own mistakes and things start to look different. As a result, we have cultivated a different language, experience base and set of expectations.

We may have started on a more equal footing in terms of experience, but the nature of our profession changes us. Sometimes, however, that change is a bit harder to see, and even more challenging to consider in context.

But we have hope.

The people we serve are willing to make a change, if and when needed. But they want to be made aware of the consequences of their actions in their words, in their experience and on their turf.

No one likes to be embarrassed or talked down to – and that has to stop. Now!

In the end, we’re all the same. We have an opportunity to all work together. We need to reconsider what awareness means, consider the perspective of our users and work to share and educate, but not embarrass.

Stick with me and I’ll show you how.

This series, underwritten by Configuresoft, now part of EMC, is the full and unabridged audio version of Into the Breach, written by Michael Santarcangelo and read by the author.

What you’ll find in this episode (Chapter 12)

This chapter addresses the challenge of changing first in order to lead and influence change. The concepts introduced and explained in Into the Breach – the Strategy to Protect Information, The Catalyst Method™ (recently updated) and others – produce rapid and lasting results for those who embrace them and implement them in their organizations.

Michael shares two basic analogies to consider while summoning the courage to break from tradition and take action: the process of building a flywheel and reconsidering Newton in a new light.

Into the Breach provides a wealth of ideas and information. The Awareness that Works™ system is the implementation of the guide from the book – and more. Contact Michael today to learn more and explore the guaranteed results.

Put the power of Into the Breach to work for you…

After listening to this segment of Into the Breach, keep the energy going and support the shift in thinking and inspire behavior change by

1. Engage with Michael on twitter (http://twitter.com/catalyst) (and he’ll engage back with you)
2. Subscribe to The Security Catalyst podcast & blog to get more insights; ask a question and get an answer!
3. 3. Check out Awareness that Works™ – Michael Santarcangelo’s program to guide smart investment in people, with guaranteed results (this program pays for itself).

This series, underwritten by Configuresoft, now part of EMC, is the full and unabridged audio version of Into the Breach, written by Michael Santarcangelo and read by the author.

In this episode (Chapter 10)

Compliance is not a commodity that can be purchased. And demonstrating compliance at a point in time does not mean information is being protected properly. There is a growing chorus of practitioners that suggest compliance is not security; however, proper security can and often does lead to effective compliance.

The key in managing risk and demonstrating compliance is to engage people in the process of assessing and protecting information – with and without the use of technology and controls.

In this chapter, I share some personal experiences and research that demonstrate the difference between a reactionary approach to compliance and a more mature process that addresses many needs at once.

If you find yourself drowning in compliance – or are trying to convince others of a different approach – this chapter is written for you.

Put the power of Into the Breach to work for you…

After listening to this segment of Into the Breach, keep the energy going and support the shift in thinking and inspire behavior change by

1. Engage with Michael on twitter (http://twitter.com/catalyst)
2. Subscribe to The Security Catalyst podcast & blog to get more insights; ask a question and get an answer!

As the son of a son of a sailor

I went out on the sea for adventure

Expanding the view of the captain and crew

Like a man just released from indenture

As a dreamer of dreams and a travelin’ man

I have chalked up many a mile

Read dozens of books about heroes and crooks

And I learned much from both of their styles

–Jimmy Buffet, Son of a Son of a Sailor

With Jimmy Buffet playing on the radio, we set “sail” in January in our forty-foot diesel pusher RV. With the roads as our sea, we set out for adventure, and more: we set out to change our lifestyle.

My family stopped collecting things and starting collecting experiences. And we are liberated.

The process of leaving the house included going through nearly every single thing we “owned.” It was an exhausting process filled with memories, discussions and the sober realization that it is easy to collect things. While we found some great purchases and reminded ourselves of great times over the last decade, we also realized we had unwittingly accumulated a lot of stuff.

The process of simplifying our possessions was powerful. As we fired up the diesel and headed south in search of warmer weather, we resolved to do thee things:

1. Simplify our lifestyle and schooling (road school is for all of us, not just the kids)
2. Streamline our fitness and nutrition
3. Simplify our business

In the short few months we have been “on the road,” we have managed to make great progress on all three goals. Pursuit of these may be a constant journey that evolves over time, but we live each day to the fullest and cherish the time we have with each other and those we meet on our journey.

Streamlining our lives, nutrition and fitness have obvious benefits. For me, the real breakthrough came on the business front.

It started in December, before we left, while speaking with a friend. After listening to my goals, he left me with these words from Bruce Lee:

“I fear not the man who has practiced 10,000 kicks once, but I fear the man who has practiced one kick 10,000 times.”

Sometimes the right words shared at the right time make the difference. For me, this was instantly profound, powerful and put my quest into context. I had run a successful business practicing a lot of kicks. It was time to mature and find what my “one kick.”

After a few weeks of active thinking, writing/journaling and speaking with friends (including clients), it the path that blended professional speaking, writing, training, information security, adult learning and my background in Human Ecology came into focus. A few more conversations and it became as clear to me as it had been to others: I needed to focus on awareness.

It is no secret I am disappointed with the industry efforts at “security awareness training.” More often than not, the traditional attempts waste money and even increase risk! I refused to simply do what everyone else was doing.

My “one kick” is Awareness that Worksâ„¢

So I took more time to consider my entire experience and the elements that worked. I am excited to share the result: Awareness that Worksâ„¢

Awareness that Worksâ„¢ connects people to the consequences of their actions, creating a shift in thinking that inspires behavior change. Individuals achieve understanding in their own context, and then are guided, shaped, and supported with materials and training tailored to them.

To be effective, awareness needs to be separated from training. This provides some concrete benefits and sets the stage for the right messaging, training and support to not only influence behaviors, but to provide needed insights and information to the organization.

I want to work with people who have a mandate for awareness and are ready to work with me to move the cost of working with people to an investment. The approach I created to guide organizations – tailored to the unique aspects of each – works so well that it pays for itself. In fact, I guarantee it.

This is my focus. 100% of my time, energy, effort, and research go into how we work together. And with this focus, I plan to write and share more.

I’m excited about the initial results – and the conversations about awareness I share every day.

Consider yourself invited!

If you are focused on addressing awareness (and the subsequent training), I want to speak with you. No strings, no selling. Just discussing.

And our journey continues.

The current plan (which is always subject to change) is to spend a few more weeks in Myrtle Beach, South Carolina. We’re enjoying the beach, finishing up repairs to the RV, and focusing on the launch of Awareness that Works™.

Soon, we head back on the roads for adventure. No doubt we’ll “chalk up many a mile” – blending with reading, writing, sharing and learning. The campfires will be many and the conversations plenty.

Life is good.

This series, underwritten by Configuresoft, now part of EMC, is the full and unabridged audio version of Into the Breach, written by Michael Santarcangelo and read by the author.

What you’ll find in this episode (Chapter 9)

Writing this book and testing these methods revealed a surprise: people who are engaged – connected more closely to the consequences of their actions – do more than protect information.

This chapter explores additional benefits from the improved communication and insights that come from following the strategies and elements shared in Into the Breach, including:

• Quickly align business and technology organizations (true alignment, not lip service)
• Harnessing the power of people to uncover new revenue opportunities
• Leveraging and engaging individuals in the act of reducing waste while doing more with less

You want more, so after listening…

After listening to this segment of Into the Breach, keep the energy going and support the shift in thinking and inspire behavior change by

1. Engaging (not following) Michael on twitter (http://twitter.com/catalyst)
2. Subscribing to The Security Catalyst podcast & blog to get more insights
3. 3. Checking out Awareness that Works™ – a new program from Michael Santarcangelo to guide smart investment in people, with guaranteed results (this program pays for itself).

What you’ll find in this episode (Chapter

The strategy has been revealed. The fundamentals of what is now The Catalyst Method have been shared (note: if you want the update on The Catalyst Method, drop me an email). The key considerations for a pilot shared – and now it is time to measure success.

So how do you measure what matters so you can communicate what counts?

In this chapter, “Measuring Success,” Michael draws on his background of social science and economics to explain a powerful approach to measuring success. Learn how to use the right mix of qualitative and quantitative measurements to get the feedback necessary for success.

Learn how to measure what matters and communicate what counts.

Put the power of Into the Breach to work for you…

After listening to this segment of Into the Breach, keep the energy going and support the shift in thinking and inspire behavior change by

1. Engage with Michael on twitter (http://twitter.com/catalyst)
2. Subscribe to The Security Catalyst podcast & blog to get more insights; ask a question and get an answer!
3. Check out Awareness that Works™ – Michael Santarcangelo’s program to guide smart investment in people, with guaranteed results (this program pays for itself).