At the beginning of George Johnson’s career as a safety inspector, he would tell
people about the rules and regulations requiring them to wear hard hats. They
would put their hard hats on when they saw him, and then promptly take them
off after he left.
Later on in his career, he would go to the worksites and ask the workers whether
they thought the hard hats were comfortable and check whether they fit properly. He
would then remind them in a polite tone that the hats were required to protect
them and suggest they wear them at all times. He found that this approach
was far more effective.
This makes so much sense. People weren’t wearing hard hats because they were
uncomfortable. Johnson began to have empathy for his team and he dived
deeper into why they were doing what they were doing. He focused on the
WHY rather than throwing around his own authority and bossing people around.
This story was so important that it was one of the very first ones Dale
Carnegie chose to open the book he is known for all over the world: How to
Win Friends and Influence People. By criticizing, we shut people down and stop
them from listening.
What is our unofficial motto in cybersecurity? “People are the weakest link.”
Every successful CEO will tell you that their most important asset is their
people. What would our CEOs tell us if we told them… “actually no, people
aren’t our most important asset, they’re our weakest link?” Would we finally get
a seat at the table? I don’t think so.
I think that people are the only link in cybersecurity. I’ve read How to Win
Friends and Influence People more than 10 times. I need to reread it every year
as a refresher because it’s so hard to live and work in that mindset.
Cybersecurity is a challenging career: I get stressed out with pressure,
overwhelmed with deadlines, and just keeping up is a challenge. So when
someone else makes a mistake that causes an incident, the easiest thing to do is
to blame them.
It’s the easiest thing to do, but we know it’s not the most effective thing to do in
cybersecurity. It doesn’t build or repair relationships. It doesn’t help prevent the
next incident from happening. How would we go about making this shift in
mindset that Carnegie shows us? What would it look like for us to do what
Johnson did and ask if the hard hats are comfortable?
A few months ago, one of my users was the target of a phishing campaign and
she clicked. After we began investigating, I reached out to her to talk about what
had happened. The website that she had been directed to had already been taken
down so we were curious to know what her experience was and what techniques
the cybercriminal had used so we could prevent it in the future.
I’m very sure that the CISO was the last person she wanted to talk to at that
point. When we talked on the phone she was incredibly embarrassed. I could tell
that she was working hard to be helpful, but the stress of the situation was
overwhelming her to the point that she was shutting down. So I stopped and just
let her tell me her story.
I learned a lot at that point about how cybersecurity wasn’t
comfortable. She wasn’t using the “remember me” function for two-factor
authentication because that’s how she thought security was supposed to work.
And she was under a huge deadline at the time, so she was working hard to log
back in and do MFA again every few minutes.
We had thought perhaps at first she was a victim of an MFA fatigue attack.
Instead we just hadn’t trained our community that cybersecurity doesn’t need to
be a burden. Like George Johnson, I think we can be more effective in our jobs
by focusing on the “why” for our users. We’ll win friends and influence people
to be more cybersecure along