Why are so many security professionals reluctant to openly discuss what their rules are? -TEISS® : Cracking Cyber Security

People

Why are so many security professionals reluctant to openly discuss what their rules are?

Well-written and well-understood rules help everyone in an organisation succeed and minimize unproductive conflict. Why, then, are so many security professionals reluctant to openly discuss what their rules are? Especially with brand-new hires?

Rules are important. Regulators, auditors, and lawyers love rules because they provide an outsider with a clear and precise standard for evaluating an organisation’s performance. Supervisors love rules because they make it easier to regulate and routinise business processes. Workers love rules because they clearly mark the outer limits of acceptable behaviour in the workplace.

This is not to say that anyone loves the individual rules themselves; there are rules in every organisation on earth that are ill-conceived, poorly-worded, frustrating, outdated, or downright counterproductive. They’re written by humans, after all. No, it’s having clear rules that makes most people happy. People want to succeed (and to stay out of trouble). That means knowing what the rules are wherever you are, for whatever you’re doing.

As an example: when I was growing up in Kansas, it was normal to send elementary school kids outside once a day to burn off energy. We called it ‘recess.’ This was generally unstructured play; each grade level was assigned a specific area on the schoolgrounds and were warned that we couldn’t leave the perimeter. [1] Beyond that, what each kid did with their 20-30 minutes outside was largely up to them. Run in circles? Swing? Queue up for the slide? Lean against the building and make ironic comments? Your time was your own. So long as you stayed on-campus and came back in when the whistle blew, no one cared.

On one blazingly hot afternoon in fifth grade, though, our teacher decided to force our class to play an unscheduled game of ‘kickball’ during recess. This was … unusual. First, no single group was allowed to secure an entire corner of the schoolgrounds for an exclusive activity. Second, recess was supposed to be unstructured. Third, the proper time and place for learning games was gym class (which we’d already had that day). Nonetheless, everyone marched out to the rusty old backstop furthest from the building in the baking heat and prepared to endure a few pointless innings.

Our teacher arbitrarily divided the class into two teams and then left. And by ‘left,’ I mean ‘went back inside the building leaving us with no adult supervision.’  Things immediately got confused. We didn’t have a real baseball diamond to play on. No actual ‘bases’ or clear lanes. No umpire to call the game. No pitcher’s mound. The whole thing was being made up on the fly. Only about half the students had ever played kickball before; it wasn’t often played at our school, since nothing stopped an errant kicked ball from bouncing into the streets ringing the school (no fences, remember?).

To give the school some credit, the wee little kids’ zone was fenced and monitored. Older kids were assumed to be mature enough to not sprint blindly into oncoming traffic. The eighties were a more laissez-faire era.

I asked the older kids – the 10-year-olds to my 9 – what the game’s rules were. Most just said that it was ‘kickball’ and assumed that would explain everything. It didn’t. I’d never seen the game before and had no idea what was going on. One of the older boys told me to just kick the ball and run to first base.

When my time came for offense, I did what I was told and kicked the ball just over the second base line into a gaggle of players and then ran to first base. I thought it was an easy single. I stood fast on first base and waited for the next kicker to cycle us through.

Instead, one of the older bullies in class shouted at me that I was ‘out’ and told me to leave the base. I countered that I darned well wasn’t and told him to go away. The bully and his buddies starting shouting at me, claiming they’d caught the ball. I said that I didn’t care what an ‘out’ was and to leave me alone.

After about a minute of shouting at one another (no umpire, remember), the argument escalated into an all-out brawl. The melee ended with four burly lads physically picking me up off first base and hurling me overhead into an adjoining field. Once we returned to the classroom after recess, the brawl started up all over again – only this time with desks getting tipped over and papers flying everywhere in addition to pathetic attempts at juvenile fisticuffs. It would’ve made for great sports television.

I’m not at all embarrassed to admit that I’d been in the wrong. I double-checked when writing this, and confirmed that the official WAKA Adult Kickball rules – specifically, section 14, paragraph b – clearly define that an ‘out’ occurs when a kicked ball is caught by a fielder. That rule is probably obvious to fans of American baseball and/or softball. I’m not a fan. Wasn’t then, and am not now. Not my thing. It certainly didn’t help that I didn’t want to be playing the game in the first place. I had a wall to hold up and ironic comments to trade with my pals.

A good casual slouch and a wry aside were key qualifications for making it through high school in my town. Younger me thought it would be a good idea to get some practice in before it was time to quip for a real disaffected audience.

It’s a silly story, but it does illustrate a common problem: while organisations might last for decades or centuries, they’re also temporary and mutable collections of strangers. People come and go. Some stay for months, others for an entire career. What they all share is that everyone came to your organisation from somewhere else.

For every ironclad rule that your organisation has about How Things Are Done Here, there are at least as many misunderstandings about that rule as there are people in the room. We all learn processes, priorities, and practices at home, at school, and in the various jobs that we hold. We think we know “the rules” … and we’re often wrong.

That’s why it’s crucial to invest time and effort to teach your people what your important rules are. Not just for ‘good order and discipline’ … but for ‘confidence and high morale’ too. People want to know where the boundaries are so that they can stay safely within them during routine operations and can responsibly push their limits during emergencies. Very few people ever truly want to violate workplace rules just to be contrarian. Most people want to do the right thing.

With that in mind, when someone commits an office faux pas, use the events as a teaching moment. Don’t start a playground scrap over it (metaphorically or literally). If you want people to play ball (so to speak), your first order of business should be to teach them how to play.

[1] We didn’t have fences around our suburban schools back then. Anyone could enter or leave the grounds on a whim.

The following two tabs change content below.

Keil Hubert

Keil Hubert is the head of Security Training and Awareness for OCC, the world’s largest equity derivatives clearing organization, headquartered in Chicago, Illinois. Prior to joining OCC, Keil has been a U.S. Army medical IT officer, a U.S.A.F. Cyberspace Operations officer, a small businessman, an author, and several different variations of commercial sector IT consultant. Keil deconstructed a cybersecurity breach in his presentation at TEISS 2014, and has served as Business Reporter’s resident U.S. ‘blogger since 2012. His books on applied leadership, business culture, and talent management are available on Amazon.com. Keil is based out of Dallas, Texas.

Comments

Most Popular

Get the latest cyber news in your inbox

Join our community of cyber professionals today!