Instead of the 'pink stickie' approach to pointing out employee security violations, Career Catalyst Michael Santarcangelo suggests a more positive approach that builds on the best the day has to offer.

Consider the perfect workday:

The morning starts by beating the alarm clock and bouncing out of bed refreshed and ready. Breakfast hit the spot and traffic was light, ensuring the morning trip to the office couldn’t have been better. On the walk into the office, a stop by the local coffee stand yields a fresh, hot and perfect cup. With a spring in your step and excitement for the day, you walk to your desk humming a tune and primed to get your work done.

You round the corner toward your desk… and then you stop.

You see pink stickies all over the place. You count ten. Someone came in and put ten pink stickies on the printouts on your desk and the hand-written notes next to the phone. On your chair is a bright pink “violation notice,” complete with a huge exclamation point and a listing of the policies.

Perfect.

What is your initial reaction? And what happens to your mood? Most of us turn to rage, frustration or another negative reaction. Regardless, a day full of excitement and energy was ruined.

So what happened? Someone from the security team walked around after hours and tagged violations of security policies. They thought the best approach was one of “letting people know.”

Have you experienced this? Have you done this?

I’ve witnessed this at least a dozen times. I’ve even had people share this as their approach while keynoting conferences, running panels and in the course of working with organizations. The general concern is that the approach (of visibly pointing out to people their shortcomings in an embarrassing, public way) is not working, and practitioners aren’t quite sure why.

It gets worse

I’ve noticed a trend in the way some practitioners talk about users — the people we serve.
I hear words and phrases like:

Well, there is “no patch for human stupidity”

People are layer 8 — suggesting we can handle people and the human element as if it were part of the protocol stack

“We’ve been telling people for years and they still don’t get it right”

Comments like these suggest a mindset destined for failure. Worse, they tend to be self-fulfilling prophecies — repeating these misguided assertions sets the stage not only for failure, but for then blaming the users, as expected. In my experience, this is not the approach of a professional.

So even if you aren’t actually using “pink stickies,” are you creating the same effect?

I recently wrote about these effects in “Memo from the user” and “Why people are not the problem…” Both columns share some additional insights and explain the detriment of this mindset. But the conclusion is simple: our actions — even with the best of intentions — are responsible for the situation we often lament.

Actions have consequences

Here’s the thing: people are crazy smart. And if the actions of a well-intentioned professional ruin their day, or they are constantly berated or reminded of mistakes they may have made, these smart people bristle, shut down, evade and otherwise seek to avoid working with security practitioners. It’s a natural response — few people actively seek out negative environments.

Part of the job of a professional is to explain, if not teach. In my consulting practice, I help build “Awareness that Works” — so I spend a lot of time reviewing awareness efforts and messaging, and I have to tell you — we come across as a bunch of judgmental people. No wonder we’re ignored. The moment we judge someone, we forfeit the ability to help.

Put down the pink stickies

The first step in transitioning from practitioner to professional is to put the pink stickies down. This is a change in mindset and a change in approach. Instead of taking the joy out of a day, consider an approach that builds on the best the day has to offer.
What happens if we reach our hands out for others and work together, blending our ideas, energy and insights?

About Michael Santarcangelo

Into the Breach and creator of “Awareness that Works”, Michael Santarcangelo is known as a human catalyst that advocates for individuals while advancing organizations. By connecting people to the consequences of their actions, he delivers results that reduce risk, increase resiliency and allow organizations to do more with less. Guaranteed. Learn more at https://www.securitycatalyst.com or engage with him on twitter.com/catalyst.