Beautiful Basics: Lesson 4

Lesson 4 - User Blaming

Security is NOT everyone’s job in the company. Stop trying to force the issue. It’s security’s job to enable, incentivize and protect.


In the Marine Corps, I was taught that every Marine is a “Rifleman”, meaning that any Marine, no matter their MOS (Military Occupational Specialty) - aka their job, could be called upon to engage with the enemy using a rifle or other weapon. This meant that every Marine must be trained, and regularly re-trained/tested, to ensure their proficiency with a rifle. Other branches have similar stances or sayings.

I believe the mindset that every person in a company has a stake in its cyber security came from veterans. That, or it came from the realm of safety, which I 100% support. Safety is everyone’s responsibility. This is where some of you are equating cyber security with safety, and yes, they do sometimes overlap.

However, in most cases, cyber security has nothing to do with the safety of a corporation’s personnel, customers, or its community.

So what am I saying? Three things:

  1. Stop blaming users for clicking on links, or opening macro enabled documents, or inserting USB sticks with viruses on them. We need to get to a place in security where it doesn’t matter if they do those things. We need to do better and stop making excuses.
  2. Security awareness training is usually overly complicated, outdated, or of very little use otherwise. I think those teams are better served by running a security incentive program. What does this look like? Basically a gamification of security asks.
    • Start a points program at your company.
    • Give points for reporting phishing emails or security infractions like tailgating.
    • Give points monthly for use of a password manager.
    • Take away points based on security infractions (infected laptop, clicking a phishing email).
    • Give points monthly for good password use.
    • Give points for early adoption / beta testing of security programs.
    • Allow points to be spent on gift cards, dinners with the CISO / CEO / CTO, or live events like tickets to concerts or plays.
  3. Change how the security organization talks, within and outside the organization, about partners in IT, developers, and users in general. Managers need to crack down on this type of negative talk because it can easily be felt on calls with those groups.

Number 3 is super important. If you allow people to talk negatively about another group in your company, it will quickly become the law of the land, and it will decrease motivation to find equitable solutions or even to have equitable conversations.

At the end of the day, we, the security community and vendors, have to do a better job at solving problems and rejecting solutions that just perpetuate the status quo.