"The injuries we do and the injuries we suffer are seldom weighed on the same scales." ~ Aesop
Two primary motivators to changing behaviors are pleasure and pain. Both are valid when used properly. Sometimes, the right course of action is to move people toward a positive, desired outcome. Other situations get better results by moving people away from a negative, painful outcome.
There are a variety of valid considerations for when and how to use each, and even the blend of both.
Unfortunately, the security industry, at large, is fascinated with pain.
After a few decades of struggling and stumbling to explain what we do in a way that people understand, the (false) conclusion is that people don't get it.
The result is a push to simply deal in pain as a way to change behaviors. This is to our collective detriment.
Is pain the way?
The problem with painavoid pain. Easily applied to sharp and hot objects, self-preservation is a powerful force.
In most circumstances, we instinctively seek to
In some cases, pain is regarded as good.
Lifting heavy things to develop muscles or working hard in a physical environment in pursuit of a goal is often associated with pain. Heralded as the mark of a champion, pain is to be briefly endured for the sake of achievement.
Aesop captured a key distinction: the decision to work through pain is different that the infliction of pain.
The challenge comes when the pain shifts from temporary discomfort in pursuit of a goal to unpleasant working conditions.
The natural desire to move away from pain extends beyond self-preservation. Painful encounters are registered and then avoided. Culturally, this sometimes mean moving away from the perception of a pain - without any understanding as to why.Our obsession with pain drives people away
Tired of people not engaging security earlier in the process?
That's the downside of dealing in pain.
Security teams around the world earned a reputation as a painful experience. Considered by many to be a barrier, people figured it was easier to just avoid security and try to slip by.
It works, too.
They avoid security long enough that by the time the team is engaged, enough money and momentum is at stake that the entire process is truly painful. For everyone.
Our role is not to enforce or inflict pain
With a focus on protecting systems and information, security teams exist to support the business. With a shift in thinking and change in approach, security can actually benefit and build the business. That's a future discussion.
Instead of inflicting pain, we need to focus on making what we do make sense. Invest the time to learn the business. Discover the real risks to the most valuable areas of the organization. Truly partnering to build the right solution.
It's time to get out of the business of pain
The depth of experience in security, combined with the passionate nature of our professionals, often leads to a better result for everyone.
Over the years, I've been on projects where the result of engaging the security team early in the process was surprising: delivered ahead of schedule, under budget, and with the right level of security.
That's not pain. That's pleasure for everyone involved.
By creating an environment where people come to us early and often, we can help them avoid pain.
The conundrum of changing behaviors is that it starts with us.
It's time to move away from pain. To shift our thinking, change our approach, and invest in making what we do make sense.