I just got back from Philly and I want to thank Lance Spitzner at SANS Securing the Human and team for inviting me to the 2015 Security Awareness Summit. It was a good day. I got to raffle off a few copies of my new book (in this case IOUs, since the book still has a few weeks before it hits the shelves), heard some wonderful speakers talk about their security training and awareness programs, and talked to many great people working day in and day out to secure the most critical infrastructure any organization has: its people.
The Tip of the Spear
In People-Centric Security, I describe security training and awareness professionals as “the tip of the spear” when it comes to transforming security culture. The stories, challenges, and efforts of the security awareness community greatly influenced me as I researched and wrote my book. Security culture is about more than just security awareness training, but nowhere else in our industry will you find people who care as much about laying the proper groundwork for that culture.
It can be a thankless job at times. Like other front line troops, awareness teams often lack funding, resources, and support to guarantee mission success. Senior leadership can forget how important tactical actions are to strategic objectives. Executives responsible for the organizational big picture may ignore the trees for the forest. Programs then risk devolving into corporate compliance and “box checking” activities rather than fostering the creation of valuable human capital. If people are reduced to “resources” that are perceived as no different from any other corporate asset, a security program may see little difference between the machines it administers and the human beings it (and they) should serve. It may even prefer the machines.
Security is not the only place where the commoditization of humanity happens, as the recent exposé on Amazon’s intense-to-the-point-of-brutal organizational culture reminds us. But that makes professionals like those I met in Philadelphia even more important to InfoSec, because they just may be the only ones in the security organization who really care about people as more than just another kind of device, another “insider” threat to be worked around or automated away.
Communities, Coaches, and Culture
Over my day at the Summit, I got insight into how awareness officers see themselves and their mission. These are worth a share…
First, community. Opening the Summit, Lance emphasized the sense of community in the awareness field. He’s not kidding. One reason I enjoy participating in SANS activities is that the Securing the Human community is really unique. Members come together around a goal of protecting their organizations by putting people at the center of security, something I’m passionate about. They talk and they share and they all seem to genuinely like one another. I find many security communities uncomfortably competitive and exclusive. Hanging out at the Summit was like plugging into an emotional power outlet.
Second, coaching and teaching. The Summit speakers held a common interest in helping others be more successful. As an educator, I love that. It’s one thing to convince someone to do something because it helps you. It’s another thing entirely to convince them to do something because it makes them better. The Summit speakers talked about telling stories, about making people want to participate in security, and about the importance of positive feedback and letting someone know when they get it right. I’ve never left academia completely because I’m addicted to teaching and to learning. That vibe was all over the room in Philly.
Finally, there is no single organizational culture. Culture is “the way we do things,” the collective beliefs and values people hold. You can have as many cultures as you have ways for people to align themselves socially and organizationally. It’s like one of those Russian matryoshka dolls you open only to find another doll inside, smaller but unique. Security culture can live inside IT culture, which can live inside enterprise culture, and so on. Security has its own tribes and subcultures. Sysadmins aren’t the same as auditors, who aren’t the same as developers. Training and awareness teams have a culture too, one I’ve been privileged to witness first hand. Our industry could use more of it.
Thanks again, SANS!
I had a great time in the City of Brotherly Love, and I wanted to devote a post to saying thanks to Lance and to SANS for having me. Security awareness will only grow more important to the industry going forward. Sure, some of this is because we need to stop people from making bad decisions that create risk. But it’s more than that. As organizations mature out of obsessing over what their members can do to them from a security perspective, and begin to imagine what those members can do for them, the “human firewall” will be a critical source of security value and investment. And I know that the security awareness community is going to be there to help maximize that return. I hope they invite me back.