A couple of days ago, Mike Johnson, who was the former CISO of Lyft, started a thread on LinkedIn about bad cybersecurity advice that must die. His contribution to the thread was the oft espoused “don’t click links” mantra of many in our industry—including some people who I respect.
I have to agree with him. This is terrible advice. It’s like saying don’t get out of bed, or don’t walk across the street or don’t eat anything you don’t kill yourself.
And the biggest, most important, most precious thing we possess as security leaders and practitioners is our credibility with our customers—in this case, those people who keep clicking the links.
So when we tell them don’t do something that’s as necessary to them in their job as breathing, then what we’re really doing is showing how ignorant we can be of what their world looks like, a total lack of caring about what they’re trying to accomplish and a complete failure to give them the credit they probably deserve as humans to learn how to deal with the basics.
Because, let’s face it. If we can survive without clicking or getting scammed for the obvious ones, there’s probably only a handful of habits we need to get them to create in order to internalize the same tests we as security professionals already do.
…and for the ones where those tests fail, most of us on the planet, as humans, are probably going to be a victim if someone is good enough and determined enough and they have enough access, information and resources. So you just need to get over the fact that there are some of these kinds of things you won’t be able to prevent. You need to be able to detect, react and contain accordingly.
So at this point, you’re either agreeing with me, or you’ve already deleted the email or clicked the unsubscribe link at the bottom.
The important part about all this is understand what we’re really trying to accomplish. For me, the mission and purpose, the ultimate aim and responsibility we have in our organizations, is to enable our organization to deliver its strategy as quickly and safely as possible.
And there’s a key objective we need to deliver if we’re going to have the influence and resources we need to make that happen: our credibility. Because our credibility is the basis of the trust and respect we have with those we hope to protect.
So if someone has a job to do where they live in their inbox and click links in order to do their part to deliver our organization’s strategy, how do you think they’ll feel about us if we tell them “don’t click links” like they’re a spoiled child who doesn’t have the ability to think by themselves?
They’re going to just reject it, and ultimately…they’re going to reject us as authority figures or influencers they will listen to.
One of the key problems we have in security is a failure to understand the worlds of our customers and then being able to translate the customer desires and wants into concrete control requirements that minimize the risk of our security program failing to deliver value to our customers.
That failure is basically, by definition, a failure to do effective requirements engineering from a the perspective of our customers so we can enable them to do what they need to do as quickly and safely as possible.
They need to click links. Get over it.
And your security awareness program is a control. Meaning it’s not fit-for-purpose, and it’s potentially impeding the execution of the organization’s strategy…
…meaning we fail as security, and we destroy our credibility.
If you want to learn about the right way to figure out how to keep them safe while still allowing to do what they need to do (and figuring out the difference between what’s necessary and what’s nice-to-have), then you should make sure you subscribe to the print, delivered-to-your-door Security Sanity™ newsletter before the end of the month.
Because in 12 days, it goes to the printer, and you’ll have missed a whole load of actionable tips and techniques you can put to use the same day to make sure you’re building your credibility day-by-day and decision-by-decision…
instead of flushing it down the toilet all in one go with misguided and impossible to implement advice for the lusers in your organization.
The link’s here: https://securitysanity.com
The deadline is the 30th of September.
The choice is yours.
Andrew S. Townley
Archistry Chief Executive