Cybersecurity Awareness Month: Increasing our self-awareness so we can improve security

With the increased prominence of cybersecurity in organizations due to many crippling cyberattacks, the emphasis is now on continual engagement, as it should be. It’s also important to address the tunnel vision that has plagued the field, and how we need to combat it before we can make it to the next level.


We don’t have to be used to the way things are, and we don’t have to be used to train wrecks and disasters. Just because it happens doesn’t mean we have to be complacent in letting it remain. What example do we set by allowing this to remain? How do we look our family, friends, and customers in the face and truthfully give assurances that we are really doing the right things? How do we set the example for our teams in doing this? Why are we perpetuating this and letting it happen? How do we reconcile giving someone a free pass for the Nth time?

What can we do?

We need to be very thoughtful about our actions. We need to be focused on the well-being of the organization, its customers, and its constituent team members. Playing politics does not do that. Protecting team members from complaints about all forms of bad behavior and using senior leadership to do so will eventually backfire and catch many others in its wake. The previous examples that happened at MIT illustrate that perfectly.

We need to be continually checking in with our customers, asking questions, listening, and acting. This isn’t retail where we ask people to give glowing reviews to get a $10 gift certificate off their next visit or purchase, pay review sites to bury bad ones, or use sock puppets on job boards to hide employee engagement issues and entice unsuspecting applicants looking for a fresh start in cybersecurity. We need to be continually engaged with not only our teams, but our customers and fellow team members.

We need to do what is right. The second we see ourselves focusing on the mission of the organization as secondary to ours, then we will most likely fail, and we need to correct it. When we see ourselves at odds with our own organization, we need to figure out why and try to resolve it. When we see bad behavior of particular people rationalized and excused, even by senior leadership, we need to say something and stand up. This includes truth as an absolute, and not accepting false statements or lies because they support an agenda or people we agree with. Perpetuating false statements makes you complicit in the lies.

When we see people gatekeeping to keep others out, or manipulating people they do not like because they want their own unquestioned little world where they can do whatever they want or power trip, we need to stop it. When we see security consultants and professionals who use fear, uncertainty, and doubt to scare others into paying for goods and services of little or no value, and who use a perceived skill set as an excuse for treating people like garbage, we need to not only ban them, but keep them away.

We’re not here to fight our organizations or have turf wars. We live in a time where cyberattacks are no longer just the occasional worm or badly written VBA virus. These attacks shut down businesses and cause interruption of government services to citizens. They affect medical care and the ability to provide it. They cause production interruptions in factories and car plants. Our customers are genuinely scared of what is going on. They are approaching anyone that is remotely approachable and nice and asking them what to do to protect themselves. Even if it is not the best answer, they will get something that they perceive protects them to some degree or reduces risk, even if it doesn’t, because the people providing the solution treat them like human beings with dignity. Brilliant Jerks need not apply, especially when we deal with people on their worst days.

We need to be there for them and approachable. We need to answer their questions. We must constantly be on top of our game and be out there speaking with the team. Security is no longer something that the “IT guys” do. It’s no longer the province of jerks or condescending power junkies. It’s Information Risk Management, and we owe it to our customers to get out of the tunnel and work with them toward a vision of better security. That’s longer lasting than a coffee mug or sticker.

Copyright © 2019 IDG Communications, Inc.
