Dashlane asked this question to over 2,000 people:
“Would you give up sex for a year if it meant that you would not have to worry about ever getting hacked or getting your identity stolen?”
Over 39 percent of respondents said “yes.”
This has got to be a very frustrating response to more security experts than just myself. We experts dedicate a significant portion of our work lives, and even a portion of our personal lives, to explaining to people how to simply and effectively secure themselves, and doing so does not come at such a drastic cost.
Even though the question and the results are wonderfully sensational, there is a deeper truth hidden in the responses. What people inherently want is a one-shot, one-cost solution for their personal security.
Sex! Now that I have your attention, go brush your teeth
But security experts know that this simply isn’t possible. We know that security is an ongoing process that needs to adjust and adapt to changes in technology and threats. But “habits” just aren’t sexy (and don’t make for great headlines). You won’t grab any attention by saying that people need to brush and floss three times a day.
Most experts will tell you that you need to communicate the benefits of security (or brushing) and explain the cost of not being secure, but this has been the approach for decades. Education and awareness alone are limited in their effectiveness because they require that the audience already cares about being secure and just needs to know how.
When people know what they need to do, and when, but still don’t do it, it’s because they simply don’t care enough to do it. Or they care about something else more.
So, how do you get family, co-workers, or even a whole organisation to sit up, take notice and truly care about something as un-sexy as security?
No, you don’t try to “put lipstick on a pig” by trying to add glitz and glamour to security and hope that people overlook the fact that secure behaviours and security policies are deeply inconvenient. This approach might work for a while, but the novelty will fade and you will have to find new ways to make the unattractive look attractive again.
Instead, you need to celebrate the pig.
Have you ever met someone who was so passionate about something that their positivity made you change your opinion about the topic? Their passion opened you up to seeing things differently. And even though you might not share the depths of their emotion, you at least developed a new respect for the topic.
For me, it was Vietnamese pot-bellied pigs. I met someone who had a deep passion for the ugly, un-cuddleable little beasts as house pets. And one afternoon, while their dear loved one slobbered and snorted all over my shoes, I got an education on just how cool a pig could be.
Did I walk away loving pigs? No. But I did walk away with a deep respect for pigs and for their loving owners. (I threw out the shoes. And socks.)
We few, we happy few
And there’s the trick to it all. You need to find a small group of people who see the intrinsic value in security and give them a voice to tell everyone else how security positively impacted their lives and the lives of those around them, despite the inconveniences.
Find them. Connect them. Encourage them. Broadcast their successes and pain points. Invite others to do the same and make it worthwhile for them to volunteer. Rinse and repeat until you reach a tipping point where those who don’t embrace security are the odd ones.
The great thing about this approach is that it can work whether you are the CEO or a junior employee. With all of the connection technologies we have at our disposal, both inside and outside of an organisation, anyone can do this.
And it works
Sony, Salesforce, Storebrand and many others have used this approach to shift their entire corporate culture, using a small group of connected volunteers who are public about what they do and why it works, even when it hurts.
In fact, developing nations do the same thing when they need to introduce improved farming techniques to farmers who have been doing the same things for generations.
Connected, encouraged, and public volunteers talking about how the inconvenient is actually the best thing. Then more and more people invited to volunteer.
There are some pitfalls to avoid and ways to overcome the problems that arise, and I will touch on those in my talk on April 7 at BSides Edinburgh.
But in short, it works. In fact, culture experts think that this approach is the only method that can reliably change the values, behaviours and culture of a group of people in a short timeframe. It works for security and for farming techniques, and it has been shown to work in small groups, developing nations and massive multi-national corporations.
About the Author: Jordan Schroeder, CISSP, CISM is an international speaker, author, innovator, and is recognised as a “World Leading Exceptional Talent in the field of cyber security” by Tech City UK. His passion is to help people deeply understand how security can propel both personal and business success. You can follow him on LinkedIn, Twitter, and his personal blog.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.