Sarah Janes asks whether our current approach is fit for purpose, and suggests an alternative approach.
We hear the term ‘Insider Threat’ a lot these days. If I go back 10 years or so, the definition of ‘Insider Threat’ was pretty succinct: it was individuals who deliberately and maliciously broke the law, e.g. sold company info or fiddled their expenses. But a few weeks ago I was at a workshop where we found the need to spend a large chunk of time defining exactly what we meant by the term ‘Insider Threat’. The definition seemed to have slipped from one of malicious intent to pretty much anyone whose actions put the organisation at risk. Therefore the Insider Threat they were referring to was basically everyone.
What’s the language we use to talk about the Insider Threat?
In Mike Carter’s blog ‘Mind Your Security Language: Talking about the ‘insider threat’ is fateful’ he discusses the problems created by using this term to describe everyone, because it effectively brands each person as a ‘problem’ rather than part of the ‘solution’.
Do we know the causes of the Insider Threat?
But I want to look at a different aspect of this. Over and over, we witness the same scene; we bring people together, we sit round the board room table, we discuss our evidence of the Insider Threat at work…
- ‘people are leaking data, sending it to their personal emails’,
- ‘they share passwords’,
- ‘they allow people to tailgate’,
- ‘they don’t encrypt’.
Then we do something strange, irrational even: we make a huge leap we would not dare to make in any other field:
- ‘it’s because they’re ignorant’,
- ‘they don’t know the rules’,
- ‘they think they can get away with it’,
- ‘there are not enough negative consequences’.
Do we actually know this for a fact, or have we made an assumption? Have we gone out and had a conversation with people about why they behave in this manner?
How do we think we know these things, and how did we become so certain?
Insanity is doing the same thing over and over and expecting a different result (commonly attributed to Einstein)
So then we make another irrational leap and decide to base the ‘solution’ to the problem upon the assumptions we have made, in order to get people to comply. We build our awareness strategy on ‘received wisdom’ rather than on a detailed knowledge of the culture we are discussing. The problem is, it didn’t work last time, so why will it work this time? We tell ourselves that if only we could get the buy-in of the board it would work. ‘It’s not the plan that’s flawed; it’s the senior managers who just don’t see sense!’
We need to acknowledge our own cultural blind spot. We are making assumptions rather than involving those ‘insiders’ as collaborators in creating positive change.
Without buy-in from ‘insiders’ nothing changes. The danger of labelling those insiders as a ‘threat’ rather than the solution is that we never get any closer to finding out why the problem is there in the first place.
Is it time to try another approach?
Recently we have been working with organisations using Appreciative Inquiry, and I’ll be honest, when we started it was also an experiment for us. We knew that it had worked in other fields, but could it work in Security Awareness?
The reason we, as an organisation, wanted to work with Appreciative Inquiry is that it believes in taking a risk on believing the best, rather than fearing the worst, in people. Appreciative Inquiry starts by engaging people in the moments when they have felt totally engaged and committed to the work that forms their everyday experience; everybody has a wealth of these moments and they’re keen to share them. We’ve been amazed by the speed, depth and profundity of the positive change it brings about.
Appreciative Inquiry is a model for analysis, decision making and creating change that sticks. It is unique because every person in the organisation is invited to collaborate in the change. It involves change driven by your people, not a top-down approach; it involves conversation rather than documentation; and it works!
Talk to Layer 8 for case studies of where we have used this successfully to change security culture.