If you have ever been in a position of leadership, regardless of how insignificant, you know that how you interact with those who are on your team is directly proportionate to the success of that team. Because I’m a big geek, I’ll use Jean-Luc Picard. Sorry, but I think Picard is better than Kirk.
There were times when those who served with him made horrible, stupid, and inane decisions. For example, in the episode The First Duty, Wesley Crusher attempted a banned space flight maneuver that caused the death of a squad mate. Monumentally stupid, with dire consequences. The thing is, Picard doesn’t use the situation to berate, ridicule, or demean Wesley. Picard uses the situation as a life lesson and provides education to Wesley. He didn’t make fun of him, berate him, or make him feel like crap. The difference with a true leader is that they come alongside those they lead to help educate them.
That’s part of the problem I am seeing with some departments today. When a user makes a mistake with regard to security, it is turned into a “beration” moment instead of an education moment. The user feels stupid already and there we are heaping more insult on them. This does nothing to help us in our defensive posture. The user doesn’t learn anything and now they are ticked off at you. There is no way that person is going to report anything to you in the future because they will only remember that you treated them like junk.
When you come alongside them and let them know that there are consequences for the things that we do, you can use it as a way to educate the user one on one. Pull them aside and say things like “Okay, so here’s the problem. Bad guys like to trip you up by doing xyz. Here is a way that you can spot this in the future. If you see this again, please let me know as soon as you see it. I won’t be upset, even if it turns out to be legitimate.” You can remind them about your security policies but also let them know that bad guys do whatever they can to try and trick the users. Show them how to identify the problem in the future and encourage them to talk to you if they see anything “out of the ordinary”.
When you have a breakdown in your security defense, use it as a teachable education moment. Resist the urge to berate the person and treat them like junk. You will find that your user security layer becomes stronger and stronger as they realize that you are on the same team as they are and that you care about them.
So, are you willing to boldly go where most IT departments have not gone before?
In the immortal words of Picard: “Engage!”