I noticed recently that most of my security awareness columns have focused on aspects of managing human risk: education, behaviour, phishing defence, etc. Those topics that people outside our tiny niche seem most interested in. Admittedly, they’re topics that I greatly enjoy and can (will, if I’m honest) talk about until people get bored and wander off. Oddly, though, I noticed that I don’t talk much about how security awareness work is performed behind the curtain (so to speak). That is, what goes in to making all of the products and campaigns that get an organisation’s security awareness messages across.
Heck, I wrote an entire eBook about how to hire security awareness people. Why the heck haven’t I addressed the weird nature of the work itself? I think it’s time to change that. After twenty minutes spent staring at a blank page a ruminating, I suspect I’ve avoided the subject because I don’t want to come across as a whinger. Everyone’s job is unique and difficult at times.
The thing is, our work is a bit more challenging than the usual sort of technical specialisations one finds in a cybersecurity organisation, and by that I don’t necessarily mean ours is necessarily technically challenging. Yes, we have obscure tech skills like “how to create a computer-based training module” and “how to process audio recordings to remove background noise.” Most of our difficulty, I think, comes from people misunderstanding what we do and how we do it.
There’s a parallel here for me. Back in 2000, I fell sideways into a military public affairs office job. It’s a long story; suffice it to say I didn’t know what I was getting into. About six months after I started the role, my unit sent me to the Defense Information School at Fort Meade for formal training. The first thing that our instructors warned us about stuck with me: “Your job is going to be made infinitely harder,” they said, “because everyone thinks that what you do is easy.”
That turned out to be 100% true. Time after time, I’d have senior officers condescend to me that they were perfectly capable of doing my work themselves with no training, no preparation, and no experience. “It’s just talking to people,” one idiot colonel sneered. “only you’re doing it through a camera.” Things … didn’t work out particular well for him. <shrug>
Anyway, that lesson stuck. I’ve noticed that people involved in artistic pursuits – painters, sculptors, writers, etc. – are often looked down on by technologists as diletantes. “Oh, you spent all day writing? Anyone can do that!” Yeah, that’s mostly true … anyone can spend an entire day writing. That doesn’t mean that anyone can write a novel, or a hit song, or an efficient training module. Public affairs work required extensive training to perform effectively while not making a complete fool out of yourself. Course designers and instructors require similar investments in their own training and experience to become reliably proficient.
I’ve run into leaders over the years who held similar views about teaching and training roles in general and about security awareness work in particular. I understand how Dunning-Kruger plays a part; the less a person understands about a function, the more they mistakenly believe they understand it. The number of retiring soldiers I’ve know that swore to me they could simply start a new career as a high school teacher because “anyone can teach” is offensively high.
That’s not all that’s in play, though. There’s a certain understandable arrogance that comes with achieving seniority in any given field. When you’re a master programmer, fully proficient in the sublime intricates of … I dunno … C++? … there’s a natural tendency to view roles other than your own (especially non-technical roles) as being beneath your contempt. What I do is wizardry, the thinking goes, while what you do is drudgery. It’s never true, of course, but the logic makes its own sort of sense. It’s how people can watch a Formula 1 race and convince themselves that they could race just as well as the professional drivers on telly since they drive a Focus.
There’s another factor to consider as well: a large percentage of our time in security awareness is spent appearing to do nothing. That’s because research, planning, drafting, and editing often don’t look like “real work” to an outsider. I get it; it’s easy to believe that someone “isn’t working” when it looks like they’re staring into the middle distance, doodling on a notepad, or reading other people’s content. Trust me … if your task is to synthesize hundreds of Terminal Learning Objectives into a comprehensive narrative, you’re going to spend a lot of time visualizing your project before the pieces finally come into alignment.
I want to stress again that I’m not trolling for sympathy here. Every career field has its own esoteric doctrine, unique vocabulary, customs, and processes that seem nonsensical to someone not initiated in the professional culture. I used to tease my programmer friends at university for “using too many semi-colons in their homework” just to wind them up, not because I had any idea why every single line they’d ever typed had a half-dozen semi-colons in it. I’m sure it made sense to them; I just couldn’t decipher it and so couldn’t appreciate the relevance.
No, what I want to stress here is that security awareness people need to be skilled in esoteric interdisciplinary proficiencies that might seem weird to your engineers. They’ll need to be able to:
- Rapidly comprehend others’ technical and operational content and translate it into terms that non-technical outsiders can easily understand.
- Evaluate evolving organisational cultures to work out why people and groups act in ways counter to how key leaders want them to act.
- Assess people’s ability and eagerness to learn and leverage that insight to optimize training and mass communications products to better influence its intended audience.
- Invent stories that resonate with students such that they’ll not only remember and act on them but will share them with others and model desired behaviour.
You’ll note that there’s nothing in this list that fits neatly on a job posting. HR types like concrete requirements, like “proficient with Adobe Photoshop” or “three years’ experience briefing executives.” Things that can be ticked off a checklist. Most of what we do can seem like witchcraft to the STEM crowd and that’s okay … we’re happy to explain and demonstrate what we do because we mostly enjoy what we do. We know it can seem simple to people who haven’t done it because our work methods aren’t as visibly obvious as other career fields’. There’s no way to track metrics on KPIs like “artfully translate threat intel into easily digestible sound bites.”
That said, yeah. I have to admit … what we do can look mighty weird. Reminds me a lot of being back in the PAO shop, where we would shift from seeming to just sit around monitoring the news feeds to scrambling to orchestrate a mad and chaotic press conference and then shift back again like nothing had happened. Niche fields can be difficult to make sense of, so … buy your security awareness folks a pint and ask about what they’ve been up to. Odds are, you’re going to be fascinated, confused, and entertained all at once.