In the last Layer 8 blog, Sarah Janes wrote about looking for pockets of good security practice and how finding them amplifies what’s working. This week, Mike Carter considers how the language we use can do the same… or the reverse.
There was a time when speaking of ‘the insider threat’ meant something specific: it referenced those who, with access to the inside of an organisation, deliberately cause data to fall into the wrong hands for any number of personal motives. But now, more security chiefs and commentators are using ‘the insider threat’ as a catch-all term for all the potential problems caused by people within an organisation.
Problems arise when we use negative language
Language shapes our thinking. One problem with using ‘the insider threat’ as a blanket term is that it can blind us to details and truths that form a fuller and more accurate picture of the issue. It’s true that the majority of losses and breaches are caused by the human element in our company’s defences, whether that’s because of ignorance, carelessness, competing demands or malicious intent. However, it doesn’t help us to understand the human factor in security by lumping together all these groups. The ‘ignorant’ may require training, the motives of the ‘careless’ need to be understood and addressed, and those who would abuse their positions inside the company need their own approach.
Using ‘insider threat’ as a blanket term carries connotations of everyone being ‘the enemy within’, to be treated with suspicion – to be looked down upon. It speaks of employees only as a problem that must be solved and ignores their potential to be the solution. Many employees approach security conscientiously every day, often without recognition. How is their good practice celebrated and rewarded? How are they encouraged to pass on their wisdom and exemplary attitude to colleagues around them?
The language we use creates our reality
It’s like the old chestnut about whether the glass is half-full or half-empty. How we answer isn’t simply a reflection of whether we’re an optimist or a pessimist: we are making a decision about the reality we will experience. The glass analogy illustrates the difference between social constructionism and traditional views of ‘reality’. What the latter say (and probably what we’re brought up to believe) is that reality is objective and exists outside of us, that we know it through our own eyes, that we perceive things neutrally, and that the way we talk about it merely describes what is out there. The social constructionist view says that how we see (which engages our brains as well as our eyes) is a choice, and that through the language we use in our conversations we are constantly creating ‘reality’.
Conversations change culture
Conversations (in one form or another) are the life-blood of culture. The way we talk about things creates a reality that snowballs… for good or for ill. If we’re problem-centred and speak only of these things, or speak of the people in our organisation as a whole in a derogatory way, then that is self-fulfilling: that is the reality we’ll create. Conversations about problems, and language that implies people are doing things wrong, together create a security culture that is negative – and rather depressing and demotivating to work in.
But, as Sarah suggested in her latest blog, looking for successes enables us to consider how we can build upon them. Encouraging conversations about existing good practice demonstrates a new reality: this is a company built on shared values, where people do things well and strive to do them better, and its workforce is the solution to security. Such a new reality engenders positive feelings, and these, in turn, encourage new positive conversations, which generate new positive actions… and so on.
A new future is within our power
When individuals become aware that how they choose to perceive and how they talk about their lives shapes their experience and their environment, then they become empowered to take responsibility for creating their reality anew. When communities and companies do this, a new culture is born. In such a culture, positive security behaviours become the norm, and only culture change will create the circumstances in which such behaviours can thrive, be shared and take root.
So let’s shake ourselves free from the use of ‘insider threat’ as a blanket term. We’re not saying problems don’t exist, but let’s not fuel them. How about speaking of the ‘insider solution’ or ‘our security team made up of every one of our staff’ or… the possibilities are endless.
And if we can’t yet bring ourselves to be so positive, let us at least be neutral. Though it is full of complexity and contradiction, ‘the human factor in security’ is just that.
Layer 8 works with large businesses to enable them to co-create the positive security cultures they need.