Many security professionals face the same challenge – improve security and reduce risk with a fixed or reduced budget. There is a lot of information on the internet about using Open Source software to build systems that can help you reduce risk.
But I propose that we, as security professionals, must be teachers as well as technicians. Yes, we can do the work. But how much better would it be if the entire IT department, or even the entire organization, understood basic security principles and could apply them in their day-to-day activities? It’s like the old adage: give a man a fish and you feed him for a day; teach a man to fish and you feed him for a lifetime. Let’s teach people to be secure so they can apply security principles at work and in their day-to-day lives.
This article’s focus will be slightly different from that of a formalized Security Awareness Program (see Securing the Human for details on that). Instead, we will look at ways any security professional can communicate more effectively with others so that security concepts become a more prominent topic in people’s day-to-day lives.
I’m sure all of us know about an “angry security guy”. Maybe we are that guy. But the first step to effectively communicating security concepts to others is to be approachable. Staff need to feel free to come to us with questions and concerns. In particular, they need to feel free to bring any possible risks to us.
So how can we be approachable? Start with the basics – smile, take a genuine interest in others, listen when people talk to you, be complimentary. Above all, refrain from attacking or blaming people. If someone reports that half of the employees are using the same default password, don’t start yelling or screw up your face in a grimace. Don’t stomp around looking for someone to blame. In fact, the first response should be a “Thank You” for bringing this issue to light. Then calmly work toward a solution. That will make it much easier for others to bring issues and problems to you in the future. It will also make people more receptive to the solutions and suggestions you propose.
Be Generous With Your Time
All of us are probably overworked and understaffed. In fact, most organizations are probably fortunate to have one or two people dedicated to security. So most security professionals have a lot on their plate. But if we expect others to listen to us, we must be willing to give of our time and listen to them. People will never make us aware of risks if we never take the time to listen.
When someone brings an issue to us, it is important that we give them our full attention. Do not continue to type on the keyboard and stare at the screen while your colleague is talking. I know this is something I’m guilty of. Stop typing and look at them. Engage them in conversation. Stopping other activities to pay strict attention to what someone else is saying shows them that you value what they have to say and are willing to give them your time.
We can also be generous with our time by fully answering questions. It is much better if employees (both technical and non-technical) understand not only what needs to be done, but why it needs to be done that way. Guidance carries more weight and has a more lasting effect if we explain the “why”. Understanding the why changes behavior. For example, a parent might tell a child not to touch the stove. But that simple instruction probably just makes the child curious about the stove. However, what if the parent tells the child, “Don’t touch the stove. It is hot, it will burn you, and that will hurt.” Now the child understands the consequences of the action and is more likely to follow the instruction.
Hold Short Classes or Lunch and Learns
A third way we can teach is by directly engaging people through short classes or Lunch and Learns. Pick a topic that would interest your audience and put together some slides or a live demo (be sure to practice that demo a LOT before performing it live before an audience). I find that most IT professionals are very interested in security. So picking a topic that would interest them should not be a huge challenge. Password cracking, memory forensics with Rekall or Volatility, BeEF, incident response, and live exploit demonstrations are just some ideas. Showing the root cause of a recent infection could also interest them. How did the malware get on the machine? What did it do? How was it detected? What could have prevented the infection?
But beyond being technically interesting, it is important to always demonstrate how the information presented is relevant: how it can be used to reduce risk in their environment, and how they can apply this knowledge themselves. Information is more likely to be used and retained if its practical value can be demonstrated.
We can meet the challenge of securing people and organizations by being open, approachable, generous with our time, and making efforts to teach.