Anyone who has ever felt like the hours they put in didn’t equate to the value received may understand the impact this can have on motivation to carry out the job. Ambition and determination or intrinsic motivation can help them to remain focused and dedicated, even in the face of the stark truth where they are no longer valued, heard or their efforts are wasted. There are also those that blindly follow their vision, suffering perhaps from tunnel visioning, but will comply with policy even in the face of depreciation. Lastly, we have leaders who see security as low on the agenda (if it exists at all) who are firefighting in a struggling economy, kicking their legs frantically to stay above water. When security does get airtime at the leadership table it’s usually driven by a need from above, such as insurance policy terms, or ISO 2701.
In comes the Chief Information Security Officer (CISO), usually male, with a technical background and a love of software gadgets with a risk adverse mentality. Their role is to mitigate risk through technological solutions. Or is it? What if mitigating risk also involves leadership and employee engagement and behaviour change? Let’s take this a step further…what if the role of the CISO also means changing minds and educating people as to why security is important and how culture and, even employee satisfaction, makes a difference to building internal resilience in the face of increasing threat? All of a sudden, someone with a technical background is responsible for changing the world, or at least the attitudes and beliefs of the organisation they work for, without a budget, or at least not one that facilitates the provision of bells and whistles, and only pays for basic security solutions. Now the CISO faces imposter syndrome where their responsibility includes aspects, they have limited knowledge in nor the resource to buy it in.
In comes the security awareness manager, usually female, hired in large enterprise companies where budgets are more generous and the costs of attack shockingly high. Recruited for their social background, perhaps with a degree or PhD in Psychology or Anthropology, and who is responsible for the social aspects of security (otherwise known as socio-technical). Her role is to engage the workforce with security, usually by selecting and managing an external learning platform. She may have an appreciation for the cultural, psychological and social factors at play which may contribute or detract from a secure workplace but lacks technical security knowledge. She may quickly recognise and become frustrated at the lack of proven results from these platforms and begin creating materials in– house. At first, the CISO is happy as the budget for technical controls increases once again with less money needing to be put aside for more socio-technical solutions, and the awareness manager gets a chance to express her creativity through the creation of security-related learning content.
Driven by published guidelines, such as the National Institute for Security and Technology (NIST) and ISO 2701, both are confident they have covered off all aspects they need to. They can’t distinguish between good content and bad content, what inspires employees to change attitudes and behaviour and good metrics from superficial metrics, or how to identify or manage human risk in security. They are vulnerable to the trendiest and shiniest solution, or the one that gives them free access to the private membership club. Or they simply go on price as they can’t understand why one offering may be more expensive for a very good reason.
Now we are drowning in a ‘market for lemons’. In 1970, the Economist Akerlof wrote a paper on information asymmetry, published in the Quarterly Journal of Economics, and first used the term when describing used cars. He said most people couldn’t understand high quality cars a (the “peach”) from bad cars (the “lemon”) and would always select the cheapest car. This meant that cheaper cars became the desired commodity and expensive cars were left on the shelf, resulting in cheaper cars (with associated quality) became becoming more expensive and out-pricing quality more expensive quality cars out of the market. The result is, of course, a decreasing standard in the availability of quality cars and even a potential barrier to innovation and the development of reliable cars built to last. So, what does this mean for security? It means that even though good solutions exist to add a protective layer in the face of increasing threat or to build resilience from within, the cheapest solution that meets regulatory requirements is selected, further encouraging the development of tick-box solutions and preventing an evolution into solutions that may have a different and far more sophisticated approach to security, when considering awareness and human factors, such as the socio-technical approach.
One could argue that’s quite a pessimistic view and that there are genuinely good people out there who do know their apples from their oranges and high-quality cars from bad quality cars. They are the ones who read book after book and attend and even present webinar after webinar, trying to find or create another better solution. The problem is, in the words of Henry Ford, they are looking for faster horses, and completely oblivious to the extraordinary innovation of cars. In the case of awareness managers, it can be the case that they can easily describe a problem they’re having — in this case, wanting to have access to better learning content — but not the best solution, which is to dig deeper and explore whether employees care or are motivated by security at all.
It is robust and quality cars we need that keep us safe and last the test of time, not horses, or lemons.
By Nadine Michaelides, Cyber Psychologist and Founder of Anima People