Category Archives: Communication

Do we get enough “soft skills” training in (CyberSecurity) our curricula?

Why are empathy, negotiation and communication skills considered as soft skills while they are one of the first skills sought after by hiring managers in security [1] ? When we use the term “soft skills”, is it not a way to look down at these skills, as if they were irrelevant?

But, let me start with 3 short stories…

Years ago, when I was still doing my internship as a clinical psychologist, I met a brilliant young boy in one of my first counseling session. This young lad refused to comply with his doctor orders mainly because the doctor wasn’t nice. Digging a bit into that story, it appeared that the doctor just gave his diagnostic and the prescription without any further explanation and was even a bit rude. By chance, at least in this case, this smart boy wasn’t always a good communicator himself and he recognized that, as for himself, not being empathetic, doesn’t mean the diagnosis and the treatment prescribed were wrong. So, he finally accepted to go for the best option for him and he decided to take his pills.

A few years later, I was planning to build an extension to my house. I hired an architect to whom I explained what I was expecting (an additional space for my office). The guy came back with a nice plan of an extension and a complete remodeling of my ground floor as he felt my living room was not at the right place. When I said it was not my priority, he insisted, and I finally decided to stop the contract because I didn’t feel I was heard.

The 3rd story is closer to home for security professionals as it happened to a young brilliant security professional working for a large company. After a couple of years working there, building an impressive set of skills, he asked to be more involved in the decision process, to be empowered, to get new challenges and some recognition. His management came back with a certification plan (he already had a few of the classic ones) and a career path. What he was expecting was an opportunity to make a difference, his advises to be considered and an involvement into the new strategic projects. As you may have guessed, he was disappointed, and resigned soon after.

Being a doctor in medicine requires a lot of technical knowledge and skills in order to perform an accurate diagnosis. But it also requires empathy and communication skills (that are often looked down as being “soft skills”) to ensure your patients will comply with the treatment and get better (That’s the end goal, isn’t it?).

Being a architect requires also a lot of creativity and technical skills. But what’s the point of drawing the plan of a house that doesn’t suit the owner?
Even more, why do companies promote technical expert to manager if they are not skilled to manage people?
But, even before that, why are “soft skills” training considered so futile by students and academic curriculum designers while they are so important for the success of most professions?

Don’t get me wrong, medicine school and architecture school offer communication and other “soft skills” classes but I never hear anybody failing due to these courses. While I witnessed many projects failing due to miscommunication issues and a lot of companies struggling to attract and retain their workforce due to average or even bad people management. And that is a big risk for companies nowadays. So, when this will change? Will companies have to put all their new hires through specific trainings to improve their “human” skills? It seems very expensive and very long (yes, it takes time to develop people skills, at least for most people), isn’t it? What do you think?

[1] See (ISC)² cybersecurity workforce study 2018 at https://www.isc2.org/Research/Workforce-Study

You receive spam by SMS (or via email) in Belgium, you can report it online to the authorities!

A while ago I posted an article stating that there was no way to report SMS spam online in Belgium. Guess what, I was wrong!

First, I was wondering if it was really illegal to send unsollicited commercial message by SMS in Belgium. I found this really nice flyer from the federal public service of economy (http://economie.fgov.be/fr/binaries/spamming_brochure_fr_tcm326-31741.pdf) explaining that the global definition of spam applies also to SMS or chat systems.

In the flyer, there was a link to a page to report such kind of behaviour to the authorities. The document being a bit old (2005), the link was outdated but our friend Google found me the new one: https://pointdecontact.belgique.be/meldpunt/en/welcome

On this official website, you can report SMS Spam (or other similar illegal activities) using the “New complain” button and the  “SPAM from unidentified party” type of report.

I’m not sure it will be quite efficient to stop rapidly the Spam SMS from coming (most smartphone allow you to block senders for a while) but it will be the start of it. And if more and more people stat to report such behaviour, it will likely have an impact.

Notice you can also report spam or harassement coming from outside the country.

The scope is quite clear from the 1st page:

“Are you the victim of misleading practices, fraud or swindle? Or have your rights as a consumer or enterprise not been respected?
Then choose the scenario that matches your problem and follow the various steps to report your problem to the competent services.
You will always receive a reply in which we will try to provide an answer to your questions.
The competent services will analyse your report and may carry out an investigation. They do not take any action in your individual dispute, nor do they provide any information concerning the investigation. For your individual problem, we exclusively refer to the reply that will be sent to you”

Now you know what to do.

Why is usability important for security management?

Why is usability important for security management? Is it even important? Obviously for a lot of people, it is not. And that’s a problem. But what is usability anyway?

Usability?

According to Wikipedia, and I find the definition pretty accurate, usability is “the ease of use and learnability of a human-made object such as a tool or device. In software engineering, usability is the degree to which software can be used by specified consumers to achieve quantified objectives with effectiveness, efficiency, and satisfaction in a quantified context of use”.

In other words, usability is the process of designing things so they can be easily used and mastered by their end users. Usability is not just about design, it is a science. It is about making our environment optimized for our brains and our bodies. As an example, usability is when you put handles to a box so it is easier to lift. Google, the most visited website in the world is an example in terms of usability: straight to the point, one field and you get what you need in one click. It even completes the words for you, as you type. There’s a reason they are number one and it’s called user experience (UX).

Nowadays, usability, neuroergonomics and even neuromarketing are at the heart of successful designs. Whatever you are selling, you better make it easy to use and even sexy. The traditional KISS (Keep it simple and stupid) design requirement has gained an additional “S” for sexy (KISSS, Keep it simple, stupid and sexy). The article I wrote about the ineffectiveness of SPAM awareness session was also an advocacy for the use of cognitive sciences insights in order to design more effective awareness material.

Why do I care?

If you are a product manager for a startup, you are probably already aware of all the usability requirements for your products. That’s were startups win the war against the old dinosaurs: “better engineered products with better usability and even sexiness”. We all learned from the master’s success: Apple. Steve Jobs knew the rules to make something usable, less buttons. Sleek design is all about simplicity.

But if you are working in security management, or as a security project manager, or even as a security architect, it seems it is more likely that you won’t care about usability. You might think that your job is to make your company secure, not sexy. And you’re right about that. Except that, when it comes to humans, you’re probably failing (in a large part). You may think: “These stupid end-users still don’t get it.” Of course, they still manage to use weak passwords. If you force strong passwords, they write them down or they use the same everywhere. They still don’t know the security policies. They watch you’re very nice slide you showed them during the mandatory security training during their induction but the next day they are already sharing their passwords with their colleagues. Don’t speak about their inability to spot a fishing attempt! Let’s not speak about your system administrators. These fools who believe they are the kings of the realm and have left so many vulnerability open in their system that the latest vulnerability report you received was so long you couldn’t finished it in one day. Hopefully, you will make a strong point during the next security steering committee to ensure these operation guys’ boss understands he must bring them back to the righteous path.

Ring a bell? Not even a little bit? I think so.

If we believe an old saying, wisdom is being able to differentiate between what you can change and what you can’t. The goal here is to focus your energy and your efforts where it matters. So, think again about your problems. What did you do? You made awareness sessions? You wrote very thorough policies and standards? You made sure they were obliged to read them, to sign with their blood that they had read your literature and that they will abide to your rules?

Did it work? How well? Be honest, some miscreants continue to refuse to follow the rules of the holy god of security. They are probably psychopaths! Or could they be just humans? What if you could increase the probability they will read your policies. Even better, what if you could improve the odds of having them changing their behaviours and embracing your security culture? You don’t believe in Santa Claus? Me neither, but I do believe in sciences!

Neuroergonomics & neuromarketing of security!

Neuroergonomics and neuromarketing are the catchwords to refer to the use of social psychology and neuro-cognitive sciences to improve your desire to use a product and to improve your ability to handle concepts, to remember things or to become addict to some applications (think about Facebook or Twitter). If people can influence what you eat, what you drink, what you wear, what you watch or what you read, why couldn’t we use this knowledge to change your people’s attitude towards security?

Does it worth it? Well, are you already paying people to communicate, to make videos, to draw cartoons but you still have too many incidents and non-compliance? Yes, so maybe you should start investing in better designed solution and put usability as a requirement for all the projects and for all the tools or “product” security wants to sell.

Concretely?

POLICIES

  • If you have an Intranet, your security policies must one click away from the first page.
  • You must have a clear organization, a hierarchy and a search engine allowing anybody to quickly find the policy he needs or the procedure.
  • Policies should go straight to the point, from the reader’s point of view, as soon as the first pages.
  • Forget lawyers or technical talks, use common vocabulary.
  • Do’s and Don’t are likely more efficient than long descriptions.
  • Use words and situation your audience are familiar with.
  • Ensure your rules are translated into actions in their process and procedures.
  • Ensure these procedures are pragmatic and easy to read.
  • Use pictures, screenshots, beautifully designed templates. Make it look more like a fashion magazine than an old book.
  • Use positive words. Any command that can be better performed by a dead man is a bad command (example: “Don’t use short passwords“… a dead man can do that very well. Rather prefer “use long secure password“).
  • Group similar things together.
  • Be consistent. You even better be congruent (use multiple association together) like Red + Triangle to signal Don’ts and Green + Checkbox to signal Do’s. Keep consistency with the colors (Red Negative, Green, positive).
  • Use consistently the same word to designate one thing. Even if synonyms can make reading less annoying, always using the same word to designate one object or concept makes it easier to understand (even more for new concepts)
  • Prefer lists
  • Keep it as short as possible (More than 10 pages, is clearly too much)
  • Use symbols, signals, icons, pictures
  • Keep the rule of 3 in mind: if you want to explain a concept, break it down to 3 parts/steps/components, then explain the 3 sub-concepts (using 3 other steps/concepts/parts) and so on until people can understand it. You can go up to 5 “objects” but not higher.

PROCESSES

  • Imbed security processes into existing processes.
  • If a process works, don’t fix it.
  • If you can streamline it, do it, even if it is not you first job. Making people life easier will facilitate the acceptance of the controls and it might even improve the attitude of people towards security.
  • Create links between all processes so they can benefit from each other e.g. ensure Vulnerability scans feeds the CMDB to ensure consistency. (It is supposed to be like that in a perfect world, but that’s just theory)
  • Forget long swim lane drawings or decision trees spanning on 3 pages, keep it short by splitting the process.

AWARENESS

  • Changing behavior is something we do out of emotion, not based on rational thinking. Even if rational thoughts can lead to a change, we initiate this change only if we connect these thoughts with some emotion.
  • Use real concrete situation (something that happened or could happened)
  • They must be relevant for your audience (use scenario involving your audience, allowing them to identify themselves to the character)
  • Use as much as possible what they already know well (places, situations, products, application, organization, but also more personal things kids, sports, cooking, walking in the street, …)
  • Show them the concrete consequence on people when they don’t comply with the rules or the secure behavior (its easier to have feelings toward people than organization)
  • Foster self-identification to your character by using little positive details to which your audience can relate to (“Sam likes to take a coffee with his colleagues, Alice likes
  • Songs, rimes, jokes, kittens, anything that will be outstanding will help memorize. So use it when it is important (if you use the same trick too often, its efficiency tend to fade down)
  • Associate non-“sexy” items (like security rules) with more attractive one (a nice place, a smile, a cute cat picture, a beautiful woman – yes, it works for both man and woman -, a good song)
  • Repeat, repeat & repeat the message but change the format so it doesn’t get boring and so you can use various way to reach people.
  • We are all different, what works for you doesn’t absolutely work for everybody.

PS: Yes, I could make this list more “sexy” and it will likely come, but it will be in the (near) future 🙂