What does a bad 90’s movie have to do with information security? Well, not a lot as it turns out, but it does give me an opportunity to introduce something that came up in conversation at work recently.
One of the names my role has picked up around the company is the Chief Naysayer. Now, rest assured, this name was given with the utmost respect, as our team understands the importance of security and knows that when I raise a concern about a potential security issue, it is really something we need to consider.
This actually got me thinking about the view that many people have of their information security department and staff. I believe there are many situations where we are viewed as the IT Police. Instead of laws, we run around with policies and guidance, forcing changes to meet those requirements, and sometimes we can be rather confrontational while doing it.
I was joking with my co-worker: I don’t want to be the IT Police, I’d rather be the concerned parent. Instead of constantly responding with policy notes and making vague threats about what violating the policy will do, I’d rather make users stop and reflect on their actions. I envisioned the following exchange in my head:
Security Department: We need to implement these changes to our systems to ensure we can provide proper monitoring of our resources.
IT Engineers: Okay, but this will take a lot of time. We know our old colleagues at this other organization don’t do this, and they haven’t had any security incidents.
Security Department: Well, if your colleagues went and jumped off a bridge, would you join them?
I’m actually now waiting for the right opportunity in a business meeting to drop that line when we get into a conversation about implementing changes for security. So, why do I think this method of performing security is better?
- People do not respond well to being beaten over the head. The old methods used by some amount to clubbing individuals until they relent to the demands made by policy makers.
- The old methods usually entail presenting a series of worst-case scenarios to the users or implementation team in an attempt to scare them into adjusting their behavior or fixing an implementation.
- These kinds of relationships ultimately end up with others fearing you, hating you, or both.
By acting like the concerned parent, we can try to approach problems using the same kind of logic that our parents used on us as children. (Note: I am not saying that users or engineers are children.) The idea is to present problems to them in a way they can understand, and help them reach the same conclusion we have already reached based on the requirements of policy and years of experience.
In the end, the goal should be to act more as a partner, but when we need to take on a role of “authority”, it is probably better to take on the persona of the concerned parent.
Star Wars even taught us that strength and fear are not the way to get compliance.