Growing up in Kansas, the word “pants” only ever referred to “an outer garment covering each leg separately and usually extending from the waist to the ankle.” That was all we needed. Throughout school, we boys were required to wear either pants or shorts. Nothing else was permitted. Also, being boys, we didn’t have to differentiate between capris, jodhpurs, culottes, clam diggers, or any of the seemingly infinite different styles of pants that the girls were expected to keep up with. There were jeans, and pants that weren’t jeans. Mostly just jeans.
It wasn’t until long after I’d graduated university that I discovered that “pants” can also refer to undergarments in British slang. I won’t even bother making a joke about this double meaning because every possible variation on the misunderstanding has already been done at least twice.
It was years after that discovery that I learned “pants” was also a British slang term meaning “rubbish” or “nonsense.” That gave me three different ways to confuse my international readers with a single common word. I’d shied away from using “pants” in any context here on American View ever since just to avoid any distracting titillation.
Today, though, my column is “pants” all the way. Specifically, I want to urge everyone in the Security Awareness field to retrofit their programs to become totally pants.
No, not that way. Hear me out …
Most of the security awareness programs I’ve encountered have been hobbled by a common problem: the practitioners have security policies, and they teach those policies, but their users don’t follow their policies. Most (if not all) of their efforts are focused on the ~20% of users who know what to do but refuse to comply. It doesn’t matter how many times they hear security awareness’s messages; their bad behaviour doesn’t change.
The most common offense differs from company to company; sometimes it’s badge wear, other times phish avoidance, but the core problem is always a matter of will rather than skill.
Why? Because as Perry Carpenter loves to remind us: “You can make me aware, but you cannot make me care.” For whatever reason, from skewed logic to obstinate antiauthoritarianism, some people won’t do what they’ve been taught and aren’t made to comply. These are two separate problems, and it’s the latter issue I want to address today.
The root cause of this I-don’t-care-you-can’t-make-me conduct is the same across all industries: people and organisations are deeply uncomfortable with confrontation. That reluctance means that confrontation – the indispensable element of any on-the-spot correction – is avoided, thereby allowing wilfully non-compliant users to ignore “mandatory” security rules.
The most common excuse I’ve heard from my peers about why they allow security offenders to carry on after they were caught without any sort of censure is that it’s unclear in their company’s policies or culture who specifically has the authority (and/or responsibility) to enforce behaviour requirements. Is this the security department’s job? If so, who in security has that authority? Can any supervisor intervene, or is it only the offender’s first-line supervisor’s role? Or is the right to correct conduct restricted to HR? Or Legal? Or someone else? When the expected lines of authority are unclear, everyone in the organisation is gifted a reusable Get-Out-Of-Hell-Free card to escape consequences for their inaction.
Coming at this problem from a veteran’s perspective, I find this pathological refusal to correct unacceptable behaviour both baffling and repugnant. Rules only function when they’re enforced; a rule that can be ignored is a suggestion, not a rule. That’s fine, by the way: if you don’t want to enforce your requirements, re-phrase them as requests and take the burden of enforcement off everyone. That’s a valid choice. Maybe not a smart one, but a legitimate choice.
That said, if your organisation is going to publish security requirements, then you’d bloody well better enforce them. Put another way, never publish a security rule that you’re not committed to enforcing. Rules and regulations need to be perceived throughout your organisation as inviolable standards, to be ignored or bypassed at great peril. As a result, everyone complies. More importantly, the very notion of noncompliance must be culturally abhorrent … something that no team member will tolerate. Expected practices that, when violated, trigger immediate censure and corrective action from everyone within eyeshot.
So … what does this have to do with pants? Simple: I’m arguing that “pants” is the operational mindset that security programs must adopt when thinking about, publishing, and policing their security behaviour requirements. Think I’ve gone pants-on-head barmy? I understand your reaction. It might help to think of it like this:
Most every business has some sort of formal dress code. Even when they don’t, the communities that businesses exist in have civil ordinances governing how people must dress. If a business doesn’t have its own dress code, the police will have something to say if that business’s employees come and go in an outfit (or lack thereof) that breaks a law. This compels the business to monitor and correct its employees whose choices imperil the business’s reputation and financial security.
This is where pants come into play! Whether it’s to comply with public nudity laws or just to maintain a “professional” workspace, most organisations require everyone entering and remaining in their facilities to wear something below the waist such that one’s genitals are concealed. There are as many variations on “acceptable” solutions as there are cultures, however one common expectation is that some form of garment must keep a person’s junk out of public view. Let’s call these “pants rules” … and yes both the American and British definitions apply.
If a rogue employee shows up to work wearing nothing whatsoever both below their waist and above their knees, it’s going to cause a scene. Doesn’t matter if they’re bedecked in glamorous formalwear on their top half, because that’s usually not the half that matters to the law. Parading one’s undercarriage in public Is Not Allowed. While some people may not agree with these laws on free speech or personal choice grounds, everyone is compelled to obey them. Therefore, anyone caught violating a public indecency law will be subjected to instant and direct criticism. “Go home and put some pants on, Bob!” (or words to that effect).
That, I contend, is the approach we need to embrace vis-à-vis our security regulations: our most important behaviour expectations need to be thought of and enforced by everyone … supervisors and colleagues alike … as if the offender was sans pants. Rank, position, and popularity can’t be acceptable “passes” to ignore mandatory security regulations.
Violations need to draw instant and unyielding corrective action from everyone as unacceptable conduct. Whether a worker is caught propping up a fire door, slotting USB sticks they found in the car park, or using their gopher’s name for all their passwords, it needs to be clear to everyone that your organisation’s security requirements are important enough that everyone must act immediately to interdict and correct violators, making it clear that such conduct is unacceptable and won’t be tolerated by anyone else on the team.
Put another way, if you’re serious about keeping your enterprise secure, you need to treat security behaviour the same way you treat pants wear: Compliance is mandatory, no matter how cute or special you think you are or how you chafe against being told what to do. Sorry, buddy. This outfit demands pants and good security hygiene.
© 2024, Lyonsdown Limited. Business Reporter® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543