Business Reporter

American View: Why You Can’t Fake Your Way to Success in Security Awareness

The first thing I teach new security awareness people is the importance of approachability. As much as we might like to think that line-of-business users will intuitively respect our expertise and will obediently follow our instructions, that just isn’t true. For most users, the security team is perceived as a necessary obstacle (at best) or an active adversary (at worst). Our profession’s universal reputation is “those incomprehensible weirdos who only know how to say ‘NO!’” Even when that’s no longer true, our users still judge all of us by their encounters with the worst of us. 


That’s why we’re required to establish a new rapport with our community. “Approachability,” I explain, “allows users to interact with security staff in a sociable, non-judgmental manner.” We must present ourselves as the “ambassadorial corps” of the department. Someone must serve as a gateway to security expertise, so it only makes sense to have the most approachable personnel fulfil that responsibility. Put people at ease so they’re willing to listen. 


I find this a rewarding role. I’m not a natural extrovert, but I enjoy helping people (and making them laugh). Helping solve people’s problems and improving their quality of life is gratifying. This is why I’m more inclined to recruit and hire people who demonstrate the ability to engage others socially. A surly (but technically brilliant) aspirant will inevitably sabotage their mission by intimidating, alienating, or infuriating the users they’re supposed to support.


Admittedly, we’re usually not the folks that know all the arcane answer(s) to users’ difficult engineering questions, but we know who within our department does know. More importantly, we can liaise with the various subject matter experts to ensure the right answer gets to the right user(s) effectively. By that, I mean that a good awareness person can translate the necessary information in such a way that it won’t unintentionally cause offense.


More importantly, by providing a safe and supportive access point into the mysterious world of security, we become the best-positioned of all non-executive security staffers to build strong relationships with the users. We become a trusted place for users to raise the concerns, issues, and needs that they might not want to share in public forums. That’s hugely important, since anxious users would rather stay silent about an incident than risk getting personally attacked by abusive tech lords.

The “screaming sysadmin” archetype resonates in pop culture for a reason. Consider how many times you’ve seen a rabidly condescending and abusive stock tech support character on TV shows and movies, and consider why that stereotype might resonate so strongly with audiences.

You might recognize that the interpersonal skills in my description also define a good tech support worker. I look for many of these same traits in Help Desk techs and project managers. I strongly believe that many “technical” issues are really just interpersonal conflicts exacerbated by poor communication. Talented liaisons can defuse conflicts by lowering tensions and soothing anxieties. While that sounds like common sense, it’s often the most violated rule of team forming in corporate initiatives … especially at the leadership and service desk tiers. [1]


Anyway … If you concur with my premise that the people making up the security department’s first point-of-contact with the business require strong customer service skills, you’re on the right track. That said, skill alone won’t get the job done. I teach my new people that “approachability” requires sincerity. If you’re an unpleasant, anti-social person, no amount of phoney bonhomie will fool users into trusting you. Counterintuitively, it doesn’t matter how skilled you are at pretending to be sociable and friendly if you’re a jerk when “the camera is off” (so to speak). People will quickly see through your insincere performance and disengage from everything you said.

 

I want to share three examples of disingenuous workers to help you recognize such characters in your own workplace. Once you recognize their traits, you can save yourself a ton of heartache by moving such people into roles better suited to their talents – ones that don’t involve direct user contact … or simply removing them from your organisation entirely. 

 

Let’s call our first example “Bob.” [2] Bob was a young and immature IT worker. He was naturally upbeat and cheerful. Technologically skilled, experienced, and quite funny; always quick to crack a joke. When he interviewed for our perpetually open Help Desk lead position, we all thought Bob would be a good fit. 

 

Unfortunately, Bob had a condescending streak. Much of his humour came from ridiculing people. That wasn’t much of a problem within the department, as taking the [deleted] out of each other was a time-honoured tradition. Everyone teased everyone else, and offence was rarely taken. Bob, however, didn’t keep his acerbic comments inside the outfit. He’d regularly belittle users, suppliers, and upper management. Worse, he’d snark off carelessly with no regard for who might be listening. 

When I first started, we called people who seemed to have no filter or sense of situational appropriateness “class clowns.” Now we’re more likely to call them “YouTube celebrities.”

This all came to a head when Bob realized that a user’s reported problem was caused by technical ignorance. A senior manager misreported a PC problem as a tech issue when the real problem was operator error. Bob annotated the root cause of the trouble ticket to be “user is a [vulgar slang term for a developmentally challenged person]” … not realizing that the customer would receive an emailed copy of their trouble ticket on closure. 

 

The offended user complained because of course they would. Upper management was furious and ordered Bob’s termination. More importantly, Bob’s quip damaged the IT department’s institutional credibility for years afterwards. All for a cheap laugh.

 

We’ll call our next example “Robert.” Robert was a senior executive. He had more than twenty years of experience in the field, most of that in our company. Robert was politically connected and savvy but strove to downplay the cubicle warfare threat he really was. New hires didn’t realize that Robert could and would fire people over petty grudges and personal slights. 


Robert’s favourite method of putting people off their guard was to pretend to be a simpleton. “I’m just a dumb country boy,” he’d joke. “You gotta explain the complicated stuff.” He’d act like an affable buffoon, seeming passive and copacetic. This encouraged his direct reports and key stakeholders to open up around him and want to compromise. Robert was all smiles, all the time … right up until it came time to settle a score. 


The turning point in our professional relationship came the day I reported an egregious breach of regulations to Robert. Rather than addressing the problem – one of his direct reports – Robert covered up the fireable incident, then zeroed out my department’s budget in retaliation. In doing so, Robert taught everyone on his staff that his folksy charm was just an affect; in reality, Robert was just as petty, vindictive, and mean-spirited as the corrupt cronies he protected. [3]

You could get away with murder if you were one of “Robert’s people.” Everyone else was expendable once they stopped being useful to his personal agenda.

Finally, let’s consider “Bobby.” This fellow employed Robert’s folksy “good ol’ boy” façade with elan. Bobby oozed country charm; he claimed to be a simple man with simple tastes owing to his “more genuine” rural background. This performance – coupled with the man’s smarmy charm – made most people think of Bobby as an ally. Bobby would feign congeniality by welcoming folks into his office to chat for hours about college sports, all while leaning back in his swivel chair like a man without a care in the world. Just a nice fella being all folksy and wholesome.


In reality, Bobby was a political and religious extremist; what we’d call a “Christofascist” these days. Bobby’s prejudices against women, non-Caucasians, non-Christians, foreigners, LGBTQIA folks, and poor people ran deep. He routinely violated the organisation’s non-discrimination policies and used his institutional authority to make life as difficult as possible for anyone he felt was “beneath him” … which was most everyone. 


It didn’t take long for Bobby’s peers to recognise him as a threat. Some people chose to avoid or bypass him, while others took extreme measures to get on his good side, like joining Bobby’s church or pretending to be fellow bigots. Most just found ways to evade his influence while pretending to stay on good terms. Bobby was rightly presented on the site’s whisper network as an active menace masquerading as a harmless country bumpkin. 


The three examples of terrible department interfaces presented here all pretended to be sociable, cheerful, welcoming people who claimed to be interested in helping others. All three sabotaged their own performances by letting slip how mean-spirited and spiteful they really were behind their affable façade. All three men were inevitably exposed as dangerous frauds who couldn’t be trusted to act in good faith … and all three men were despised by their co-workers.


This is why I stress to new security awareness hires that “approachability” requires more than just a good performance; if a security awareness professional isn’t sincerely interested in helping others, they’ll inevitably fail. People can always detect a fraud. Once burned, they’ll nurse a grudge against both the two-faced weasel and everyone else in the weasel’s department until the sun burns out. Our ability to change minds and encourage good behaviour requires credibility, and credibility, in turn, requires trust. Hence the criticality of sincerity. 


Our field isn’t for everyone. There’s nothing wrong with that. If a new hire isn’t up to the non-negotiable job requirements, that’s fine; they can still do well somewhere else in the enterprise. Just not here. We can’t afford to have a Bob, Bobby, or Robert representing the entire security team. Our mission is too danged important to let a jackwagon trash our institutional credibility.

 


[1] For more stories about terrible management decisions that led to horrible results, I suggest reading a passage or three from my book In Bob We Trust: Lessons Learned From Terrible Bosses.  
[2] In accordance with American View tradition. 
[3] Robert’s decision to cover up a serial violator’s antics came back to bite him later, but that’s another story. 

 

Business Reporter

23-29 Hendon Lane, London, N3 1RT


020 8349 4363

© 2024, Lyonsdown Limited. Business Reporter® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543
