Why with so many products and solutions out there are we consistently seeing more and more news about the next hack or loss of data or systems brought to their knees via ransomware?
Do we really know what people mean when they say “just do the basics well”?
Are we promoting a lot of people in our industry beyond their capabilities and do we really think because someone is a great “techie” or great “salesperson” they’d make a great leader?
Three questions there and I wish I had answers for them all (but Ian, you posed them, how come you don’t you moron?).
I think the answer to the first question is strongly related to the other two I posed and I have deliberately lead with a technology or service question as in my experience this is exactly how problems seem to be solved in the real world, by throwing more money at it. Is this correct? I think the evidence of keeping those at bay who would do us harm is a resounding no.
But why do we start here?
Well that takes me to the second question, because “doing the basics” is anything but, and requires the hard yards to be completed first before any shiny new toys are introduced (if in fact they are needed at all!). What I hear you scream, we don’t actually need some AI powered Next Generation, Military Grade, Unicorn Fairy Fart Advanced DooDah to protect us? No, you don’t. The basics are rarely done, because as mentioned the basics are hard. Most networks and the systems they support have become an amorphous entity with a life and history all of their own. Some businesses rely on older tech that they daren’t update for fear of it wiping off the balance sheet the next day. Some businesses rely on one technical person to keep everything ticking along and the thought of questioning their fiefdom fills CEO’s with dread so they take a detour past the IT Crowd (watch the series, or if you like your IT folk a little more sinister check out the BOFH on TheRegister!).
Surely this is solved with great leadership?
Yes! post over, well not just yet.
You see the thing about great leadership is it’s not so common. In my experience I can say I have worked for one or two great leaders, and by that I mean people I would truly do anything for, as I knew we were in it together. In my dealings recently (past 15 years or so) with leaders in the security sphere, no one particularly stands out (although I must say there’s a handful that I respect greatly and who are doing some great things). I see the awards posted each year for “X” of the year, but I am long enough in the tooth to know that game, so unless they’re getting a Nobel Peace Prize, the CISO/Newcomer/Product/Service or whatever of the year awards are more for the award givers business and promotion than they are actually to honour the right people in our game.
So what happens if we invert the three questions above and actually take a top down approach to this conundrum of keeping a business secure?
Well we start with a leader, but one who can actually “lead” as Simon Sinek says “Leadership is not about being in charge. Leadership is about taking care of those in your charge.” Those in your charge are you fellow colleagues, not your staff or employees or workforce, your colleagues. This is potentially the most important aspect of any cultural change to keep businesses safe. You see when you put the needs of those in your charge who you are taking care of, they begin to believe you are there for them firstly and to secure the business secondly (what??? I hear you scream?). Yes you got that right, put your colleagues first and make them aware of the role you play for them in the organisation and changing the culture, their behaviour and keeping the business safer will naturally flow.
But how do we start and how does this look in reality?
Being true to them and yourself, being empathetic and building a vision they can all get on board with. One of my all time heroes and favourite leaders is BIll Shankly (ex-Liverpool manager), he came to a struggling club in the mid 1950’s and by the mid 1970’s he had turned them into a force to be reckoned with (for all other supporters I have as much admiration for Sir Matt Busby and Jock Stein as well as many more too). He understood the supporters of the team as he was “one of them” and he lived his values whilst building a vision of Liverpool becoming a “bastion of invincibility”. This was the core of their success throughout the 1980’s and also the values of the club ever since his arrival.
But what does this have to do with Cyber Awareness?
For me it is about consistency of message, talking to people the same way they talk to their wider network of family and friends. Using common language, making it engaging, making it memorable and getting people on board with a way of conveying complex subjects in simple, easy to understand bite sized chunks of information. But and here is the kicker, making it enjoyable enough to make them want to come back for more and more. Not that sounds like a great segway into the kinds of content and the approaches that grab attention and leaves ’em wanting more ………