When I was a professor I told my students, “Tech is easy, people are hard.” With that eye roll of “yeah, right,” the tactical fears of learning new tech, and the foregone conclusion of 20-somethings, they took the information in and then forgot it. Until it became important again.
I get these calls from time to time, or an email errantly dropped, when a former employee, student or mentee realizes the truth. Most technology is about training. If you have a good background education and a week of good experiential and enthusiastic training, you’ve got a pretty good handle on the tech.
Relationships and people are more difficult. There are tensions, expectations, duties, and roles, and they are all changing all the time. It is a swirling morass of emotions and feelings. One way to not deal with the issue in a business is to ignore it. Shrink the people problem to a cell on a spreadsheet where it can be added to or deleted. Perhaps the relationship issue is moving pawns and pieces across a chessboard of business needs.
Relationships for security people are always going to be difficult. We don’t spend much time on the leadership and social aspects of our business. Often a senior person from information technology will take up the mantle of securing an enterprise and bring all the bad traits of information technology autocracy to a fundamental human domain of security.
Just being honest: not all companies have good culture, some companies that have great culture lose it, and some companies that have bad culture gain it. Culture is not something that can be “tested” or stated or pronounced by a CEO. It is all about how the people treat, feel, and act towards each other at the bottom of the organization. How do people from different departments treat each other?
An autocracy is counterproductive to working within an organization’s culture and feeding the core precepts of “good” culture. Trust, understanding, empathy, and feeling safe are required for a culture that becomes a force multiplier towards profit. Nobody is going to hate the company making money when they feel safe, happy, and are having fun making it happen.
Unfortunately, cyber security teams are often seen as barriers, as socializing fear, and as having an autocratic nature. There are better ways. There are many components to successfully finding a path through the relationships and issues of security and corporate culture.
The first thing we should do is give up fear, uncertainty, and doubt as our first step in attempting to gain understanding. We all know phishing, breaches, and ransomware exist, but what we don’t need to hear is how I’ll lose my job. Whether I am an employee or a board member, I do not want to hear how there are barriers to cyber security programs being successful, or how they ultimately fail. I want to hear what you are going to do about it.
The second thing is that overt and “in your face” security needs to be abandoned. If you want to be successful you need to think like a ninja. Be silent, be quiet, and simply protect the village from the bad guys with nobody ever knowing you’re there. We’re not talking about security by obscurity. We’re talking about security that increases trust. Security tools need to work efficiently, effectively, and impact users and teams minimally. As an example, gotcha versions of phishing tests are inherently bad because they drive a wedge of fear, counter to good culture, between security and user communities. No culture can easily withstand fear or bring out people’s best when faced with fear.
The final thing for this treatise is that cyber security programs should never be cost centers. We often talk about return on investment, risk-based decision calculus, and much more. However, those concepts inherently suggest a closed system where things can be measured. Adversaries adapt, technology moves forward, and the perimeter of control erodes. These are balanced by inherently better security of systems, mobile device protections, always-on VPN, and zero trust architecture. Better questions for the future might be: How do security activities enable the business to grow? How does security create value? Are the QA processes of application development clearing bugs earlier and cheaper? Are the security network controls enabling faster, cleaner, better coordination? Is automation of security controls enhancing understanding of risk and customer experience?
A cyber-enabled world is not a buzzword bingo contest of enthusiastic mockery. We need to have a way of expressing the world of a born-digital society. The interface between computer, coordination, communication, corporate culture, and social values is evolving. The security models as applied to the tech are core and basic practices. We have and know what needs to be done to secure an enterprise. The human functions and the ability to understand and empathize with corporate and customer users are nascent and barely understood. To be honest, it all comes back to a simple fact. The technology is easy, but the human stuff is always going to be hard.