How “embarrassment” can improve your cyber security, from the top down! -TEISS® : Cracking Cyber Security
Opinion / How “embarrassment” can improve your cyber security, from the top down!
3 July 2018
Don’t let a little personal embarrassment get in the way of leading by example. Your people are always watching to see if you live up to the company’s security requirements … or if you pull rank to get away with bypassing them.
Imagine that you’ve had an awful morning. Your alarm clock didn’t go off, your train was late, and every part of your usual workday morning routine seemed to go wrong. You arrived at the office fatigued and ill-tempered, only to discover at the door that you left your security badge at home. What a mortifying screw-up! Time to “pull rank,” get someone lower in rank to let you in, and pretend that your mistake never happened, right?
Wrong! I argue that the best thing you can and should do is to deliberately call attention to your error. Really. A mistake like this is an opportunity to demonstrate proper and faithful compliance with company security protocols to everyone else in the office. Don’t hide your error; embrace it.
Embarrassment can be a strong motivator. Most people  hate being embarrassed, especially in front of their peers. That’s why embarrassment is an effective tool for getting users to remember and to comply with important prohibitions. Security professionals leverage the “you don’t want to get caught doing X” phrase in training because it works. That is, it works up until your users begin to suspect that your organisation has two different sets of rules: one set for the powerful and a different (more draconian) set for the powerless.
Be honest: do you have supposedly “universal” security rules in your company that high-profile users are exempt from? This could apply to anything from wearing a security badge to using personal devices for company business to locking your PC when you leave your office. Are the rules truly for everyone? Or do some of your really important people “get a pass” on them? Are only the rank-and-file truly affected?
I couldn’t find a stock photo of the guy who has to sweep up after the cattle drive passes, but I’ll bet you a silver dollar that it ain’t the fellow leading the procession.
This isn’t meant to be a dig at your company. Rather, it’s an observation about security policy and organisational behaviour. There’s a natural tendency in groups for the most powerful people to request and receive exemptions from bothersome expectations. It doesn’t matter if you’re an Admiral, a politician, or a CEO: a universal side-effect of being granted power over others is a tendency to use that power to be more personally productive. It’s not about abuse so much as it’s born from a natural desire to be unencumbered. Those people who can unburden themselves tend to do so at the first practical opportunity. It’s an understandable human reaction to being restricted and it’s totally counterproductive when it comes to keeping an organisation safe.
“Special” exemptions don’t tend to stay “special” over time. First an executive gets a pass. After the directors see the executive get away with ignoring a rule, they want the same privilege for themselves. After all, they’re busy and important leaders too. Then come the directors … then the senior managers … then the managers … and so on, until the lead pencil sharpener calibrations analyst has the “special” exemption and less than half of all workers are actually required to follow the “mandatory” rule.
That sort of two-tiered system – where only the powerless people in the organisation have to obey the “mandatory” performance standards – breeds resentment, sloppiness, and even deliberate non-compliance. Even if it truly is in the top people’s best interests, the different compliance levels violate our sense of fairness and our expectations of equality.
That’s why it’s in your best interests to take advantage of your goofs rather than try to hide them. Make an effort to demonstrate that you’re not only not exempt from the company’s mandatory security rules, but that you cheerfully embrace those rules. You know what the expectations are, and you follow them.
Baseline security rules apply to everyone equally because cyber threats affect everyone equally. Criminals won’t pass you up because you have an impressive title or a private office.
Yes, you’re embarrassed. Who wouldn’t be? It’s no big deal. You’re communicating through your highly-visible actions that the safety of your colleagues and your commitments to them are more important than a little social awkwardness. You’re visibly setting the required performance standard. This is how we expect everyone to embrace security rules: cheerfully, openly, and responsibly.
Will people follow your lead? Actually, yes; most people will. Leading by example does more to cement the legitimacy of a company’s rules than any threat of punishment could. People are actually keen to endure burdensome restrictions when they believe that everyone else is chafing alongside them. Shared trials can improve organisational cohesion, because they reinforce the belief that everyone has an equally important part to play.
So, the next time your day goes sour and you leave your badge at home, don’t try to hide your error. Ask a colleague to escort you to the reception station and vouch for you so that you can be seen signing in. Wear your temporary badge with pride for the rest of the day. Share your embarrassing story in informal chats in a healthy, self-deprecating tone. Word will spread that the boss lives what he or she claims to believe … that security is for everyone, not just for the “little people.”
Also, remember to wear your security badge the next day.
 Levels of embarrassment vary depending on your culture. I’ve noticed that English workers tend to be highly motivated to avoid social awkwardness, while Texans are nearly oblivious to it. As I briefed at the 2014 TEISS conference, something about our “Wild West” culture makes people out here prone to loudly and enthusiastically celebrate our failures.