Last evening I had Lutefisk to dinner. It haunted me throughout the night – I could get no sleep. The cats where meowing constantly for some reasons unknown. I know, it’s weird to start a blog post mentioning Lutefisk, lack of sleep and cats. But they all contributed to the theory I want to discuss. Since I could get no sleep my mind began to wander off into unknown territory. During the night a theory popped into mind. Could it be that the weakest link in the security chain was made weak by other things than security?
Nah. That doesn’t seem quite right. Let me try to whimsically elaborate on this. A mantra in sec is to raise awareness and knowledge of security. That’s nice. If you don’t know what you’re doing, then how can you be sure you’re doing it safe? We say ‘use strong passwords’ and shield your papers in public, and few follows our recommendations. We pour golden nuggets of knowledge down our colleagues throat. And – security breaches still occur. From the same people – over and over and over. And over again. People never learn. Or do they?
I see a repetitive pattern in this. The same things keep on happening. The same lame excuses. Our solution is to shout out ‘more awareness’ and ‘more knowledge’. We even find new ways of spreading our gospel. Uh – then it hit me. If this is a pattern, then how did it become one? And why?
Could it be that John and Joan Doe actually did learn from our gospel – but for some reason chose to ignore it? I pondered about it for some hours and came up with a hypothesis. An epiphany hit me. Could it all be caused by the workplace environment – or the workplace itself?
If you haven’t seen it – every company has a certain culture they’ve nurtured and refined over the years. It reflects how the employees interacts with the customers, new employees and the media, just to name some examples. Being a small company you can pick and chose the exact people you want (overly simplified) matching the company culture. When a company grows above a certain size the company will lose this privilege because often the company will outsource the handpicking or hand over the handpicking to department leaders. You probably see where this is going. The culture get diluted.
So. We end up with a diluted culture. Think of adding water to lemonade until you can barely taste the lemonade. You can trace that taste but not quite make out exactly what it tastes like. That’s the same feeling when culture get diluted. Now imagine going to a lemonade stand each day. You drink the same diluted lemonade – day in, day out. Everyone talks about how great the lemonade is. You get used to the taste – until one day drinking it becomes a routine. You like it, but you don’t know why – you just don’t care.
So. Lemonade – what has it to do with John and Joan Doe? They’ve become used to the diluted company culture. They can certainly trace the taste of the lemonade – but never determine how it should taste like. They do know their passwords should be lengthy – they do appreciate the knowledge. Maybe they’ve grown bored of the general corporate babbling that what is left is only their focus on doing their work – and getting the paycheck at the end of the month. Only. I sure do know a few John’s and Jane’s.
And with that I conclude … Nothing. Really. It was just a crazy idea that we might look into addressing issues by looking at other sources than what sec traditionally has come up with.