Let's start with WHY
The 2022 Verizon Data Breach Investigations Report (VDBIR) shows that 88% of all incidents have a human element as a contributing cause of the breach. Why are people not getting this? Why are they so bad at basic security? Yes, some of them are just stupid. But that's the minority of people, so we can't hang our hat on that. Maybe it's because we security practitioners, law enforcement investigators, and crime-prevention specialists are just not very good at our jobs. Maybe?
Leadership expert Simon Sinek has a model called the Golden Circle, which gives leaders a vehicle to communicate company goals more effectively and achieve employee buy-in for the mission. Traditional top-down communication starts with the "what": what to do, or not to do, and then moves to how to get it done. The "why" of a task is only explained if the subordinates ask enough, and even then the answer is usually something along the lines of "because we said so".
Sinek proposes that true leaders start with the "why". The conversation opens with an explanation of why something needs to be done and details the positive benefit the task will have for the organization and the employee. The leader gets buy-in for the project before moving on to the hard details of the what and the how.
As security and crime-prevention practitioners we are great at telling people what to do, and how to do it, but do we ever really explain the why? Our awareness training sessions usually go something like this: This is a phishing email. This is how you can tell it's a phishing email. "Bad things" will happen if you click the link in this email. O.K. Thanks for your time, and we'll see you all again next year.
Did we get buy-in? Or did we only do security theater?
What if we started with the why?