Is Security Awareness a victim of the Shiny Object Syndrome?

Shiny Object Syndrome is not a medical or psychological syndrome. Rather, it is a human tendency, identified by various professionals from different backgrounds, to be attracted, or should I say distracted, by the new thing without knowing whether it is what you need.

What is the link with human-centric cybersecurity? Well, I have often heard managers talk about a new tool or service they would like to try to help “fix” their human-related cybersecurity issues: another content provider, phishing platform, or LMS, or whatever else claims to be the solution to their problems.

The issue is that there was no issue. The changes they were expecting weren’t there yet, and no tool would have solved that. At the very least, a tool would not have made the change happen faster. As the saying goes, a woman can have one baby in nine months, but there is no way to have a baby in a month, even with nine women. Change takes time or, to be more accurate, people need time to change. Of course, while we know quite precisely how much time is required to have a baby, it is hard to predict exactly how much time we need to shape behaviours and transform corporate culture.

It is important to measure the progress we make, adapt our strategy, and constantly learn from our experience with the people we want to educate. Still, that does not mean we have to change everything and start over. I have seen too many cybersecurity projects fail because management did not give them the 10% extra time they needed to achieve their goal. They went for another product, started over, and did exactly the same thing with the new solution a few years later. You should be better than this. In fact, you are! Have some trust in your people and in the process.