Speaking “Human”: An Open Letter to Security Professionals on a Basic Approach to the Cyber Security Gap

A guest post by Ryan Cloutier. For more information about Ryan, see his profile page.

Most people find the topic of cyber-information security boring, if they have even heard of it at all. The primary cause for this is that digital citizens do not view cyber-information security or their “digital life” as being real or even directly impactful to their own physical life and personal safety. I believe this is due to how we as security professionals have discussed the topic of cyber-info security to non-tech savvy populations.

We might as well be speaking Klingon when we approach a general population with convoluted technical jargon to educate on cyber security.

A favorite quote I heard once from a curmudgeonly man after advising him “don’t click the link” was “Don’t click the link?! Listen asshole the whole internet is links!” I laughed but came to the realization that he wasn’t wrong, and I then came to understand these three points:

1. We (Security Professionals) are the problem, not the user.

We don’t have to go on like this. We can be the change. When educating anyone on cyber awareness, we can use better analogies and real world examples to describe the risk and issues with the behavior we want to see changed. For example, consider the awful security awareness training we must sit through once a year at work or when we get phished by the IT department and then must retake said awful training – it is viewed as a work issue and therefore only applies to the workplace.

2. Focusing only on cyber awareness in the workplace prevents meaningful behavior change. 

If you have the fortune, as a Security Professional, of managing to get behavior change in the workplace, more often than not it is left at the workplace and forgotten about when people go home. However, if we change the conversation to focus on cyber security as a basic life skill, as a fundamental part of our daily physical life, then we begin to see change. Today in 2019, most of the connected world uses their smart phone to conduct a large portion of their everyday life, from communicating with their loved ones to banking, shopping, learning, news, entertainment, dating, and so on.

3. The world has changed but we have not changed with it or adapted our behavior to match. 

We are a society that has not changed our life skills to reflect our new “Digital Life”, so when speaking to and training your clients, please use relatable examples and common language. Realize that your audience may not be versed in technology, nor are they all IT Professionals, and as such you need to take the extra time to make it real and relatable. Once you apply this “Make it Real” approach, you will see meaningful behavior change, and you will have the added benefit of not only making your organization safer and more secure but also making the world and a new generation of humans safer and more secure. So I ask you, fellow IT security and privacy professionals, to please speak human and take the time to break it down.

Join me in this mission to help make the world a better, safer and more secure place. 

THINGS you might consider adding: 

  • Take the same approach to educating about cyber security that you do when your uncle asks you to describe your job at the Thanksgiving dinner table. 
  • Take stock of what your closest non-technical friends and family don’t understand about cyber security – use this as your baseline to further craft your message into more relatable examples.
  • Make it real – use examples from your everyday life and inject humor into life lessons that will forever change the actions and behaviors of a generation that desperately needs these digital tools.
  • Commit to spending time educating others outside of your professional work to evangelize security not only in the professional world but in everyday activity: volunteer at schools, senior centers, and non-profits, which are the unfortunate prime targets of cyber crime and scams. Use these interactions to further craft your message to be inclusive and targeted.
  • Make an impact by leaving a meeting or speaking engagement with a line of people ready to come up and tell you their story – not leaving with a notebook of acronyms and confusion as they decide “cyber security is too technical for me to make changes in my daily life.”