I’ve taken a couple of weeks off from posting any new articles to enjoy the birth of our third child. It has put me behind in my goal to have at least one blog post per week on here for the year, but I feel I can make that up, and if I don’t, it was time off well spent.
An interesting thing about spending more time at home is that we get out of our daily rut/routines. With all that is going on every day with school, extracurricular activities, board meetings for various groups, church, family events, etc., I find that my wife and I end up having more status updates than time to talk. It isn’t anything against her nor a statement about our marriage, but more a matter of need or efficiency to make certain we’re keeping up with the responsibilities of day-to-day life and raising three children.
Conversely, at work, I tend to take for granted that my motivations and goals are clear. Not because they are always explicitly communicated, but because we have a good team of people working for the same outcomes (at least, that’s my assumption). What becomes interesting is how to relate those motivations and goals in my professional life to my wife.
In the past two weeks, we’ve had one such conversation which has had me up at night thinking quite a bit. Okay, truth be told, a 14-day-old is keeping me up, but my mind is still using the time wisely… 🙂
I’m going to go with the assumption that not everyone reading this is aware of what my job specifically entails. Technically I work in Risk and Security with my main focus being on Governance, Risk, and Compliance (which we call GRC in “the biz”). Rather than give you the standard business definition of how we interact with various lines of business and governmental regulatory bodies, I’m going to explain it from the perspective of being a parent.
As a parent, my main goal is to care for and protect my family. This is focused somewhat on the here and now as well as on long-term support and stability. On a daily basis this is done by providing food, shelter, and clothing. In my professional life, this is similar to the support provided to different lines of business. I’m not going to make marketing decisions, but we help to provide them with direction and authority on certain regulatory matters which we communicate to our customers. Our main purpose isn’t to help R&D come up with the ideas, but to help make them better. Think of it in terms of the BASF brand statement: “We don’t make a lot of the products you buy. We make a lot of the products you buy better.”
I don’t think that this is terribly groundbreaking at this point. Many people in the Security, Governance, or Risk Management area would consider this a given. However, here’s something I think should be of interest:
Many of the things we do (projects, policies, etc.) may not be done with the appropriate objective. I won’t say the intentions are incorrect, as they aren’t. It is just that diffuse goals can make these efforts seem disruptive and hurt their use and adoption, because they aren’t properly focused.
Let’s focus again on parenting. As a parent it’s imperative that we teach our children. Not necessarily in terms of the three R’s (of which only Reading starts with R, by the way) but in terms of personal responsibilities, manners, morals (yes, I went there), and general behavior. It’s fortunate that raising a child works the way it does. When they are very young, they spend almost 100% of their life in your presence. As time goes on, they spend less and less of that time around you. As they become teenagers and adults, that shifts dramatically. So if you are going to be effective at forming these appropriate behaviors, you had best start early and make sure you’ve instilled them well before they spend more time away from you than with you.
In psychiatry this is generally referred to as behavior modification. As anyone who has learned a new skill or taught something knows, an effective feedback mechanism is necessary to speed up and reinforce the learned behavior. As parents, we don’t want our child to have to touch a hot stove to learn that they shouldn’t. Yes, it is effective and immediate feedback, but we would much rather tell them 50 times not to touch it and have them learn through that reinforcement than have them go through the painful approach of experiencing the outcome. A key point to being able to tell them 50 times is that you need to be in their presence, and around a stove, all 50 times. Over time, their behavior will be shaped by your teaching.
As children get older, you are not always in their presence to be able to teach them. So you fill them with all of the information you can to help them make the best judgment they can in the situations they are given.
Let’s bring this back to Risk Management. As I stated earlier, most things we do may not have the best stated objectives when they are done. Most will say they do things like encrypt a user’s hard drive for the safety of the end user (or the data, hopefully), they install products like data loss prevention (DLP) in order to stop users from losing or stealing data, and we use complex passwords because users need to understand security better. None of these are entirely accurate goals.
Whether stated in these words or not, our goal is (or should usually be) behavior modification. The same process used to teach children can be highly effective in helping to shape the behaviors of your employees. Yes, it is effective to have a developer lose his hard drive, have it sold on eBay, end up in your competitor’s hands, and have most of their life’s work (or at least their intellectual work) given away. Much like touching the hot stove, it could be an effective way for the developer to learn to protect information. But it’s not the way you want them to learn, and certainly not at that expense.
So we put in place policies, processes, and often a lot of technology. Unfortunately, these are often full of “don’t do’s”. Don’t do this, don’t do that, etc. If you try to do something unauthorized, a big red X appears on your screen. This may seem well intentioned, but I think this approach to employee awareness is similar to TV teaching. (If you don’t know what that is, I consider that letting Sesame Street teach your children social skills vs. you as a parent doing it.) You are leaving too much judgment up to the employee, and often the result is a misinterpreted policy or procedure. When they then try to do what they need to for their jobs, there is some punitive action taken on their efforts (they are blocked from what they are trying to do). Because they have misunderstood the original intent, their next step is to figure out a way around this roadblock rather than understand why their actions have brought them here.
This is particularly difficult in the implementation of a new piece of technology. Often the approach is: there are a lot of them (employees) and only a few of us (security team), so let’s put this in place and it will keep them from being able to… (whatever you’re looking to modify in their behavior). Again, I would assert that this will only help to teach people to figure out ways around what you are trying to put in place. Instead, the most effective technology implementation can be measured by this one assessment: “Did you properly educate your employees such that, when something was implemented, there was little effect on how they did their work?” Ultimately, if you can put in a control that is not disruptive at all, you have done an effective job of providing information to your user base and have helped to modify their behavior in advance. Again, this takes away the punitive approaches to teaching a behavior and should have a much higher adoption rate.
So in simplest terms, the goals, as a parent or a manager, should very often be education and awareness. If we try to always communicate them in terms that 5-year-olds can understand, with the clear intention of providing assistance (again, a non-punitive approach), we can learn to be more effective in our work. If you’d like a nice physics analogy here, remember that reduced friction (more education) means less force (effort) is needed to achieve a certain amount of work. And aren’t we all looking for a way to get more done with the same or less work (efficiency)?