Talking about cyber security

My job frequently involves talking about cyber security, and I’m lucky enough to enjoy it. Unfortunately, I was recently on the receiving end of some poorly communicated security messaging. It started when I was passed a scanned copy of a letter which alerted the recipient to ‘opportunities for improvement’.

I think it would be fair to say the letter wasn’t well received across quite a lot of the University. At a subsequent committee meeting someone bemoaned the fact that we were talking about the format, and not the message; the delivery, but not the product.

I understand the person who felt we’d missed the point; to some extent we had. But if you’re talking about cyber security in an autonomous, diverse environment, messaging is key.

Hear and understand

There are some very good posts on this at the NCSC by Emma W, called Growing positive security cultures, which suggest:

  • look at the systemic factors underlying the things people do day-to-day
  • hear and understand the messages your organisation sends out about “how we do things here”
  • consider trying new ideas, to engage and connect with employees in a different way

If you don’t understand your culture, the message you send out will not be consistent with how the organisation works. Messages which aren’t consistent with the organisation’s culture are more likely to be ignored.

A message which makes sense is more likely to change behaviour

This behaviour isn’t confined to cyber security, or even to the workplace. Think about how drivers respond to a speed limit significantly lower than the normal limit (say 40 mph on a motorway). If the message appears to match their understanding of ‘how things work’ (i.e. there is an accident and lane closures which justify the speed limit) then the message (the limit) is more likely to change their behaviour (their speed).

The challenge in the University will be making sense of all the different messages the organisation sends out. In some cases that will mean challenging those messages, or changing them. I look forward to being a part of that engagement (hopefully without sending out any letters).
