Ever get the feeling that this is really what your business and IT customers are saying to you whenever you’re sitting in that last-minute security review and you catch them in violation of the security policies you know have been published for at least 6 months—and which they’ve had to go through (probably mind-numbing) mandatory training about?
Let’s put this in perspective a little bit.
Let’s say that I came up to you right now and said that you needed to walk backwards for the next 12 hours.
That’s it. No other reasons, no other guidelines.
Just do it.
“Why should I?” you might ask, somewhat belligerently.
And my terse reply would be, “Because I said so.”
In Transactional Analysis, a particularly interesting branch of psychology, the role I’m playing here is called “Critical Parent,” and the role you’re playing, assuming our scenario above, is called “Rebellious Child.”
And these are conditioned responses, often called “tapes,” that we learn early in our development and which influence every human interaction we have.
So…what’s this got to do with you and security, right?
Think about it for a minute.
The only way to break this sort of conditioned response is to use a 3rd role that we’re actually able to control, influence and “rewrite” as long as we’re alive and making decisions. That role in Transactional Analysis is called the “Adult” role. And it’s only when we have Adult-to-Adult interactions that we have the ability to think critically, influence and have the greatest control of our decisions and reactions.
Our problem in security is that we tend to make some assumptions – often dangerous ones – that the business, or anyone not in security, is really just some petulant, “Rebellious Child” who doesn’t want to play by the rules and do what they’re told.
And when we do that, we’re channeling all the “Critical Parent” programming we’ve inherited from our childhood.
The reason it’s called Transactional Analysis is that each human interaction is a series of transactions which fall into some common patterns. In the future, and, in particular, during my COSAC talk this week, I’m going to be talking about these more and how they relate to security and security architecture…
…but right now, what matters is that we can use this to our advantage and do what we can to break this pattern of interaction with our business customers.
Because if we can, it’s like tying a rocket to your butt in terms of building your credibility and trust with your customers.
Maybe that’s not important to you. And that’s perfectly ok.
But the point here is that if you’re not engaging the Adult of the people you’re trying to influence, they’re probably going to resent you telling them what to do—especially if you don’t have a boatload of credibility and trust with them individually.
So what do we do?
Well, we involve them in the process. We make sure that we understand their world, what’s important to them and don’t give them “silly restrictions” like my walking backwards example above that they don’t believe have anything to do with their world.
The good news: we don’t have to make this up.
It’s a formalized process called Requirements Engineering, or, as I mentioned the other day, we can call it Policy Engineering. And we can do that, because that’s really what it does for us.
It’s actually part of SABSA, and it’s built into the process, but if you want to understand how to avoid some of the common traps and pitfalls so you can be aware of what you’re really doing,
do it better than you might be doing it now,
and have the greatest chance of engaging your customers and getting their support for security,
then you’ll want to subscribe to the print Security Sanity™ newsletter before the 30th of the month. After that date, it’s going to the printer to be shipped to the 4 corners of the globe and into the hands of the eagerly-awaiting subscribers who will read it and learn something new they can immediately put to work.
Or not. It might not be your cup of tea. It’s expensive, after all, and there’s no guarantee it’ll work for you. So it might be a big risk. That’s why I want you to think carefully about it. It’s not for the impulse buyer.
It’s for the dedicated security professional who is passionate about constantly learning and becoming the best they can be in their careers and being as effective as they can possibly be in helping to enable and keep their organizations safe.
If this is you, here’s the link: https://securitysanity.com
Andrew S. Townley
Archistry Chief Executive
P.S. if you do happen to be at COSAC starting tomorrow, please make a point to say hello. Always great to put a face to a name and email, and I’m very interested to hear more about what you’re doing. Let’s grab a pint!