Stop! Or My Mom Will Shoot

What does a bad 90’s movie have to do with information security? Well, not a lot as it turns out, but it does give me an opportunity to introduce something that came up in conversation at work recently.

One of the names for my role around the company has been referred to as the Chief Naysayer. Now, rest assured, this name was given with the utmost respect, as our team has an understanding of the importance of security and know that when I raise a concern about a potential security issue, it is really something we need to consider.

This actually got me thinking about the view that many people have of their information security department and staff. I believe there are many situations where we are viewed as the IT Police. Instead of laws, we run around with policies and guidance forcing changes to meet those needs and sometimes we can be rather confrontational while doing it.

I was joking with my co-worker, I don’t want to be the IT Police, I’d rather be the concerned parent. Instead of constantly responding with policy notes and making vague threats about what violating the policy will do, I’d rather make users stop and think to reflect on their actions. I envisioned the following exchange in my head:

Security Department: We need to implement these changes to our systems to ensure, we can provide proper monitoring of our resources.

IT Engineers: Okay, but this will take a lot of time. We know our old colleagues at this other organization don’t do this, and they haven’t had any security incidents.

Security Department: Well, if you colleagues went and jumped off a bridge, would you join them?

I’m actually now waiting for the right opportunity in a business meeting to drop that line when we get into a conversation about implementing changes for security. So, why do I think this method of performing security is better?

  1. People do not respond well to being beaten over the head. Old methods used by some amount to clubbing individuals until they relent to the demands made by policy makers.
  2. The old methods usually entails presenting a series of worst case scenarios to the users or implementation team in attempts to scare them into adjusting their behavior or fixing an implementation.
  3. These kinds of relationships ultimately end up in others fearing you, hating you, or both.

By acting like the concerned parent, we can try to approach problems using the same kind of logic that our parents used on us as children. (Note: I am not saying that users or engineers are children.) The idea being to try to present problems to them in a way they can understand and help them come to the same conclusion we already have made based on the requirements of policy and years of experience.

In the end, the goal should be to act more as a partner, but when we need to take on a role of “authority” it is probably better to take on the persona of the concerned parent.

Star Wars even taught us that strength and fear are not the way to get compliance.


The (Not)Dating Game, Part 1

For several years, I toyed with the idea of doing a conference talk comparing job searching to dating. I never really fully fleshed out the ideas and basically let it slide onto a back burner; however, the more I think about it, the more I have determined that the idea is valid but may be best presented in a blog form.

Today, most of the job searches are performed entirely online. Nearly 45% of recent job seekers  have used online resources to perform that search [1]. While the percentage of people meeting their partners online is significantly smaller (~20% [2]), it is still the largest method of meeting a partner.

Look at LinkedIn compared to you average social media and dating website. On both platforms, you build a profile based on your background. You find a suitable picture to make yourself look attractive to those who may search you out. In fact, most of what you put onto your resume (and by extension your or Monster profile) are all built around attracting potential employers.

The similarities are so obvious to some people that someone had the idea to create a Tinder-style app for jobs searching, Switch.

Ultimately, the online dating and job search platforms are subject to the same sets of problems. Users of each are trying their best to make themselves look more attractive to their potential matches. This extends to the point of catfishing [3]. Where an individuals line is for lying to a potential mate versus a potential employer may be up for debate.

Obviously, there are means to avoid the catfish in employment (and in relationships), this is where the first date…oops, I mean, interview comes into play. We’ll get into those in the next part of this series.

Even with the extra steps, the online HR mill is designed to filter out candidates by pre-determined barriers, so it creates an incentive for people to stretch the truth (or blatantly lie) about their background, especially when many employers may never look into their applicant’s or employee’s backgrounds.

Is there a fix for any of the online job search problems? Vetting candidates is hard work, and while I suspect a decade or two ago recruiters did a lot of this work, the job hunt has really be reduced down to a method of seeing as many candidates as quickly as possible and hoping you find something worthwhile. This may result in some good candidates never be seen and definitely results in some horrible candidates occasionally getting hired.

It can be hard for many people to sell themselves, and in many cases, people like that may wind up being the ones who suffer the most in this system.