I’ve been reading a lot over the past few weeks and reflecting on how to write the next post. I think we need a radical change in how we describe the job function that is currently “awareness/education/risk/behavior change”. This I believe is critical if we wish to make impact and retain our roles. The TL;DR is: we are vague, jobs contain way too much for one person and we fail to speak to real business outcomes. This is broad strokes and doesn’t apply to ALL work. I would just like to hear more from people doing the real work, rather than vendor reps or folk who have a dream to sell you if you will pay. It harms us all to uplift and follow these nebulous “maturity models” and “ideas” that are spoken of with nothing to back them up.
I have seen two great job posts recently that are looking for a security education/change and comms person. I prefer this title and I also deeply appreciate the job description:
I love how this role doesn’t focus on phishing and instead looks at how it is going to help with organisational change. Security education is effectively change management. We need sponsors and planning to make small and large shifts in process. I think culture and awareness are vague terms that don’t help people to define their role.
When I speak to people doing awareness/culture/risk roles, I am always horrified by the amount of tasks they say their job involves. Worse still, this laundry list of job functions from GRC to comms to project manager also usually lists outputs over outcomes as its objectives. We are jacks of all trades, placed in a compliance role and forced to speak the vanity metric language of so many security teams.
I saw an article in Dark Reading which was such a good example of the wrong advice, that I had to share an extract. Now no disrespect to the author, but this is why we have issues. I see this with so many companies. The work becomes just buzzwords with no actionable advice beyond “gamify” or something vague. Read it and try to imagine quantifying this to the board, in this economy:
I don’t believe that “security is everyone’s responsibility” is true. If it is, please show me the security teams who all recycle, are net zero and have full accessibility in their work. Because that is also our culture target in most places and our responsibility, surely? I also challenge the need for people to care. People don’t have to care about anything in order to understand the need to act. Care in a corporate environment is a delicate issue these days. Does anyone “care”? I’d say this desire to create new terms like culture, then make it human risk now… it dilutes what we do. And this will vary by role. But what are you aware of? What is your culture? Aren’t these hard things to measure and report on to the board? There is more to security education and change than just saying “security culture”, and then listing twenty tasks to get there. Surely there is a better way than chasing rainbows. It can be simpler than we make it. We cannot change the world and “culture” in a company is challenging these days. Maybe we could stick to “I achieved this outcome by doing this” or “these are the roadblocks I face with this and how I manage them”.
Security education is not HR and occupies a more trusted role, or it should aim to. When we call ourselves human risk and start allocating coworkers into risk types, when we talk of culture and people “caring”, we become HR. When we speak only of vendor-bought mandatory training, we are seen as replaceable by L&D. Yes, security does have a role in protecting from insider threat; they can see who is torrenting movies or watching adult content too. But our role is to help people to understand why they should or should not do something. And understanding why they might act as they do. Advocating for them in many cases, even if it is just to say “we need to communicate clearer policies”. Or to say that maybe if someone can do something on a company device, perhaps we need better controls.
These controls would also be part of a better human factors discipline within cybersecurity. If we worked with more human factors experts, we would be able to speak to risk more ethically and effectively. Instead we use the latest stunt hack social engineer’s tv appearance to explain human factors. And that social engineering is mostly normalised stalking which unsettles the audience and does our work no good. All it does is show that most apps and services and call centres need better controls in place to protect customers.
So where is the role?
I am concerned that the role has become so vague and “just phishing and posters”, that the real value of my colleagues is being diluted.
There are amazing professionals out there really doing great and effective work. But we don’t hear from them enough. And the popular “strategies” aren’t something they can apply. There is little that most awareness maturity models offer that relates to real business outcomes and needs. It all sounds ok until you ask yourself what any of it actually means and if there are any real examples of it working.
We need to look to the ones in the weeds doing the work. That means creating a network of trusted people instead of taking your sermon from the paid evangelist on stage at every summit. We aren’t supposed to be a cult. We are supposed to think critically and challenge ideas. Or we become the human risk ourselves.
I would like to see more research-based work, and I mean independent research by universities or researchers. Not a study that came out of the data a vendor has. Some vendors do provide insights BUT it is simply not ok for us to be presenting such work to the board when it could have bias. This work exists and yet you wouldn’t know it if you follow the most recent summits. In honesty I feel like we spend half our time telling co-workers to recognise social engineering, yet it is ridiculously easy to socially engineer this sector into repeating a made-up statistic or fact.
This Usenix talk by Adrian Sanabria is one of my favourites for proving this when people trust statistics from vendors or in popular culture. I am glad to see some of these falsehoods challenged because we need to use credible information. It isn’t about shaming anyone, but we do need to have more rigor in our approach or how else can we be credible?
So to conclude, you can call yourself what you want. But we need to make sure that we are credible and outcome focussed. Real outcomes. Sending 80000 sims out or creating champions is not an outcome, it is an output. And I say this because I care about the humans I see being burned out trying to chase impossible rainbows.
What else is news this week?
The MGM hack has the ambulance chasers out in force! We won’t know the full details for a while. It does seem again that while people will jump on the social engineering training bandwagon with this, the basic issue is always your security controls and alerts. But it is always when not if, and my thoughts are definitely with MGM security. Because doing this work is not easy and none of us are perfect.
Car privacy is something I have spoken about before; finally it is getting more attention. This VICE article is something I gave talks about in 2017. I strongly recommend you follow the link in the article to the Mozilla resource where you can check your car’s privacy. Mozilla guides for tech are amazing. Again, we should do more of this in security education instead of going on and on about phishing: give people what they need.
PEPR by Usenix was held last week and these are some of my favourite talks:
Lea Kissner, gave a great talk on Metrics and bad metrics
Julia Bernd spoke about Privacy for bystanders with smart home products
Katherine Koerner spoke about de-identified or anonymised data
Ryan Rix spoke about Data rights requests
The entire programme is amazing and worth reading and soon the talks will be live!
I hope you all have a great week this week, here is one podcast to listen to: Technology Pill on Smart home device use in tech abuse
Mercury is out of retrograde so I wish you a great Virgo new moon and lots of success. May the communication and tech hold-ups finally stop! Hoping that Fall brings you great things. Let’s do one nice thing for someone every day and try to make a difference where we can.