Security's Everyman

Sunday, February 25, 2007

Santa's Wisdom

One thing that I've noticed about many bloggers (I'm guilty myself at times) is that they often use their blog to rant about something and that's as far as it goes. I try to "rant" and then come up with something constructive to add. Maybe a few ideas as to how "we" (security pros) can help "fix" the situation or how "you" (end user) can do something.

I don't like the "rant and run" model so when I got the opportunity to participate in a few different forums to do something constructive I took advantage of it. I'm on a Symantec Advisory Council that will look at some of the things that Symantec is doing and have a chance to put in my two cents worth as to what I like and don't like, as well as make some suggestions as to what I'd do. I've also hooked up with Michael Santarcangelo and joined the Security Catalyst Community as a "Trusted Catalyst". One goal of the SCC is to open up discussion on various security topics and discover better ways to practice security. The Trusted Catalyst Community (a subset of the SCC) has a goal of extending some of the discussions that take place in the SCC forums and working on ways to "put feet" to those and other ideas. We will work on projects as well as talk about how to "do" security in new and better ways.

All that said, I want to point you to a post by Santa (Michael Santarcangelo) that has some good things to say about being different in how you practice security and gives some great ideas and suggestions on how to make a positive change.

I've spent a lot of time with Santa in the last couple of weeks on the phone and via IM. We both have a passion for doing security differently and especially User Awareness. We have talked in depth about how to help users learn in a way that will actually work for them and how to change the attitude that many in IT and security have about "stupid users". There should be some good content coming out of these discussions. Michael has just come out with some things that he is marketing to customers and also is releasing some of it to the community at large at no cost. I'm hoping to also put some things out soon that will be useful to you as you work on either teaching users or changing your attitude towards them.

I used to (OK, sometimes I still do) have the "stupid user" mindset. It really irritated me when they did things that just didn't make sense. I used to hate trying to explain something so simple to them because they just didn't get it. I didn't like trying to "dumb myself down" to their level to make them understand. I discovered a few things along the way that helped me change my attitude and look for ways to do things differently. That is what I will be sharing with you over time as I put them into a format that will be useful.

For now my "tidbit" for today is this. Next time a user comes to you with something that you consider to be "stupid", take time to listen to them, ask questions to help you understand them, and take a little extra time to teach them. If you have to take a few minutes alone to gather your composure before engaging them, do so. Tell them that you will be with them in a few minutes and go take a few deep breaths. Don't go and share their "stupidity" with a co-worker; just go somewhere where you can clear your head and think. Then come back to them and help them learn to be more secure.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NC-SA 3.0.