Consider the perfect workday: The morning starts by beating the alarm clock and bouncing out of bed refreshed and ready. Breakfast hit the spot and traffic was light, ensuring the morning trip to the office couldn't have been better.
On the walk into the office, a stop by the local coffee stand yields a fresh, hot and perfect cup. With a spring in your step and excitement for the day, you walk to your desk humming a tune and primed to get your work done. You round the corner toward your desk....and then you stop.
You see pink stickies all over the place.
You count ten.
Someone came in and put ten pink stickies on the print outs on your desk, the hand-written notes next to the phone. On your chair is a bright pink "violation notice," complete with a huge exclamation point and listing of the policies.
Perfect.
What is your initial reaction? And what happens to your mood?
Most of us turn to rage, frustration or other negative reaction. Regardless, a day full of excitement and energy was ruined.
So what happened?
Someone from the security team walked around after hours and tagged violations of security policies. They thought the best approach was one of "letting people know."
Have you experienced this? Have you done this?
I've witnessed this at least a dozen times. I've even had people share this as their approach while keynoting conferences, running panels and in the course of working with organizations.
The general concern is that the approach (of visibility pointing out to people their shortcomings in an embarrassing, public way) is not working, and practitioners aren't quite sure why.
It gets worse
I've noticed a trend in the way some practitioners talk about users - the people we serve. I hear words and phrases like:
- Well, there is "no patch for human stupidity"
- People are layer 8 - suggesting we can handle people and the human element as if it were part of the protocol stack
- "We've been telling people for years and they still don't get it right"
Comments like these suggest a mindset destined for failure. Worse, they tend to be self-fulfilling prophecies - by repeating these misguided assertions, it sets the stage not only for failure, but to then blame the users, as expected.
In my experience, this is not the approach of a professional. So even if you aren't actually using "pink stickies," are you creating the same effect? I recently wrote about these effects in "Memo from the user" and "Why people are not the problem..." Both columns share some additional insights and explain the detriment of this mindset. But the conclusion is simple: our actions - even with the best of intentions -are responsible for the situation we often lament.
Actions have consequences
Here's the thing: people are crazy smart.
And if the actions of a well-intentioned professional ruin their day, or they are constantly berated or reminded of mistakes they may have made, these smart people bristle, shut-down, evade and otherwise seek to avoid working with security practitioners.
It's a natural response - few people actively seek out negative environments.
Part of the job of a professional is to explain, if not teach. In my consulting practice, I help build Awareness that Works" - so I spend a lot of time reviewing awareness efforts, messaging and I have to tell you - we come across as a bunch of judgmental people. No wonder we're ignored.
The moment we judge someone, we forfeit the ability to help.
Put down the pink stickies
The first step in transitioning from practitioner to professional is to put the pink stickies down. This is a change in mindset, change in approach. Instead of taking the joy out of a day, consider an approach that builds on the best the day has to offer.
What happens if we reach our hands out for others and work together, blending our ideas, energy and insights?
About Michael Santarcangelo The author of Into the Breach and creator of Awareness that Works", Michael Santarcangelo is known as a human catalyst that advocates for individuals while advancing organizations. By connecting people to the consequences of their actions, he delivers results that reduce risk, increase resiliency and allow organizations to more with less. Guaranteed. Learn more at www.securitycatalyst.com or engage with him on twitter.com/catalyst.
Read more about security leadership in CSOonline's Security Leadership section.