Phrases Cyber Security Professionals Need to Think Carefully About Before Using with Non-Cyber People


Tony Vizza, CISSP

As awareness of information security challenges becomes more widespread, there is a growing chorus of people involved in the space who seek to promote change. Many of these efforts, from government, advisory bodies, industry bodies, vendors and security providers, are genuinely well-intentioned and come from a good place.

The challenge, however, is that despite study after study, report after report, white paper after white paper and breach after breach, all of which indicate that cyber security is now a top existential threat to the global economy, privacy and personal safety, the message is simply not cutting through.

Why could this be the case?

Much of the advice that the cybersecurity industry dispenses is aimed at the non-cybersecurity person in order to bring about some level of change, change that we simply are not seeing. To address this, it could be useful to consider what the non-cybersecurity person is actually hearing from the industry, why the message is not getting through, and how that might be fixed.

The following are phrases that deserve careful consideration before being used in everyday conversation with our non-cyber brethren.

“Cyber Security is Important”

Cyber security is important. To us. To our organisations. To the wider world.

However, telling someone who is not in cyber security to consider the issue important is akin to a dentist telling a patient it is important to visit the dentist every 6 months, a doctor telling a patient they should have a check-up every 12 months, or a mechanic telling a driver they should get their car serviced regularly.

Sure, we all know it is important, but how many of us act on it simply because we are told it is important, even when human life is at stake (which is what the doctor is trying to preserve)? The truth is, not many.

Cyber professionals often overlook the fact that many people out there just don't care about cyber security. This includes the author's partner, as he is reminded every time he asks her to update her gadgets (more on this later). Many of the people who hold this view have, fortunately, never suffered a tangible cyber-attack, so they simply cannot contextualize the threat in terms they can grapple with. While they hear stories of large-scale breaches, they live in the belief that "this happens to big organisations with lots of money, not to people like me".

Recently, I heard a story of a traveller who never felt vulnerable while travelling, dismissing stories of people who had travelled overseas and were stranded due to theft. That was until he himself had his passport, wallet and money stolen from him while on a trip. This mentality shift due to an adverse event also rings true of cyber security.

A suggestion: rather than telling someone that cyber security is important while righteously nodding your head up and down, show the person you are speaking with why cyber security is important to them and their circumstances, and what consequences could follow if they continue with unsafe practices.

“Cyber Security Culture Must Change”

Multiple studies have indicated that over 90% of cyber breaches involve human error, whether accidental or deliberate.

It is an undeniable fact that the culture of cyber security needs to change.

But telling an organisation's leadership that it needs to change because that is what everyone else in cyber security is saying these days will likely fail.

Let me explain.

Business leaders in almost all industry sectors are today grappling with numerous existential issues. Digitisation is upending practically every industry on the planet. Organisations are increasingly expected to be greener, more ethical and more socially responsible. With the advent of social media, organisations also need to market themselves effectively so as to become attractive places to work, and so they need to invest in organisational culture change initiatives.

Meanwhile, they still need to meet organisational goals, their obligations to shareholders and after all of this, the financial goals they need to survive and be profitable.

Without addressing why an organisation's culture needs to change, how that change will take place and who will be responsible for it, change will not come from a planned, measured and orderly place. If these parameters are not set by the organisation's leadership, change will still come, but it will be imposed on the organisation, whether the organisation likes it or not.

A message that "we need to change the culture of cyber" is not enough for an organisation's management. Simply put, it will get lost among the other themes of change the organisation needs to grapple with. Worse, it could even be seen as a brake on the digitisation strategies many organisations need to undertake simply to survive.

Rather, when discussing cyber culture change, focus again on why the culture of cyber security needs to change in terms of the organisational mission, how that change should be implemented, and which organisational goals the change in cyber culture will address. Without a clear understanding of the proposed cyber culture shift, and without ensuring that it aligns with the organisation's purpose, any call for change will be difficult to achieve.

“Cyber Security is a Risk Issue”

It is rather fashionable these days to tell leadership that cyber security is a risk issue. And truth be told, it is. The World Economic Forum lists cyber-related issues as two of the top five economic threats around the world today.[1] There is no question that cyber security is a major risk issue.

The problem with this statement, once again, is that from the perspective of an organisation's leadership, cyber is one of a multitude of diverse risks that it must weigh up before deciding how much resourcing to apportion to mitigating each. And, I hate to say it, cyber probably won't rank alongside the important risks that get resources unless you can contextualize it in terms, constructs and concepts that:

  1. mean something to a largely non-technical audience.
  2. are quantified as accurately as possible.
  3. indicate to management the reputational, regulatory and fiscal repercussions should the organisation not address that risk.

Asking management for a new firewall because "the licences have expired and this presents a business risk" won't work nearly as well as "we need to upgrade our technology to meet the new cyber risks that our sector is facing, including risks A, B and C, which will result in outcomes X, Y and Z should our organisation fail to do so".

“It’s important to update your computer / phone / tablet”

Every time a fruit-themed vendor of laptops, smart phones and tablets releases updates to its operating systems, I remind my partner that an update is out and ask her to install it.

Our dialogue used to look something like this:

Me: “(insert relationship-based term of affection that precedes all sentences here), please update your laptop, tablet and phone – it’s really important”.

Partner: “Do I have to right now?!”

Me: “Yes – it’s a good idea. There’s a bunch of cyber security patches in this update and I don’t want you to get hacked”.

Partner: “I’m in the middle of something. Can we do this later?!”

Me: “Best not to. Can you save the work you are doing and I’ll do the update for you?”

Partner: “But every time you install updates you screw my computer up and it slows down!!!!!”

Does this dialogue sound familiar to anyone?

Again, why is it important? Not to me, but to her. What in this security patch matters to her? Explain which of the issues that matter to her the update reduces the risk of.

Next – make it easy to resolve. In my case, I get her consent to update the devices, wait for her to go to sleep and then update all three devices.

Finally – don’t screw up the computer, whatever you do.

“Why did you click on that email?!?! That was stupid!”

Let’s pretend that you walk into your doctor’s practice on a Friday afternoon complaining of a sore thumb that you accidentally struck with a hammer the previous weekend. X-rays are taken and it is determined that the blow broke the thumb. Your doctor then turns around and exclaims “why did you hit your thumb with the hammer? That was stupid!”.

Ponder the following questions for a moment:

  1. What’s the chance that you won’t strike your thumb with a hammer again? Well, if you throw your hammer away and refuse ever to use one again, the chances are pretty high. However, will that reduce the risk of getting your thumb caught in a door, a window or any of the other painful places thumbs can get caught? Probably not.
  2. What’s the chance you will ever visit that doctor again?

This is no different for cyber security. It is time for cyber professionals to step off the high horse on this one and understand that belittling someone for a mistake will never change their behaviour.

In addition, doctors are no more immune to broken thumbs than anyone else. The same is true of cyber security professionals and emails.