We might be focusing on the wrong thing.
I was listening to Simon Sinek’s podcast with Dan Buettner, talking about his discovery of “Blue Zones.”
These are areas where people regularly live to 100. They’re happier, and have a sense of purpose.
Oh, and with almost no chronic disease.
But what’s the link with cybersecurity culture?
Mr. Buettner’s studies have found that “living longer” isn’t the objective for anyone living in a Blue Zone. They don’t take supplements, inject steroids, or do Pilates.
It’s the sum total of their everyday activities that has led them to live longer, less stressful, happier lives.
Living longer is the outcome, not the objective! The culture — the environment — is one of friends helping friends improve over a lifetime.
Napoleon Hill once said, “It is literally true that you can succeed best and quickest by helping others to succeed.”
Blue Zones aren’t the result of short-term changes. The environment, the culture, is what makes the impact, and Mr. Buettner is testing ways to replicate the results.
His approach is to work with interested cities and promote a large number of very small changes, instead of placing big bets on a few major ones.
Why? It’s easier for people to make a small change, and by proposing 80+ very small changes, there’s a better chance that many of them “stick.”
The impact is impressive. One participating city has seen its citizens’ BMI decrease relative to state statistics, and its healthcare costs are going down significantly.
The most interesting part: people don’t feel like it’s hard. It’s not a severe diet, and it’s not about going to the gym four days a week.
Here’s an example: If your toaster is on the kitchen counter, put it in a cupboard. Put a bowl of fruit where the toaster was.
Why? Because we’re attracted to what we see.
Do the same thing with chips: put them somewhere you don’t go often.
How do we take these ideas and transpose them to cybersecurity?
As a business grows, we talk about culture, and how important it is to have a good (great!) culture. It will attract the best candidates, create long-lasting bonds with employees, and see the teams through the tough times.
Those descriptions focus on positivity, on what we want and expect from people.
In cybersecurity, we often say:
- Don’t share your password!
- Don’t click that link!
- Don’t trust that message; it’s not the boss!
- No
Is this the mindset we want in our culture? A string of negative statements isn’t an effective way to convince people to do what they should.
What’s the alternative?
Tell people what they should do. Even better, remove the “bad” options.
For example, passwords. We all know they need to be long to offer any real protection. What’s the easy solution? Configure our systems to require long passwords (and to accept them: long passphrases with spaces should be allowed, not rejected by an arbitrary complexity rule).
But this brings along another challenge: remembering the password! If only there were a tool that could help… (there is: a password manager, which makes the long, unique password the path of least resistance).
You get the point. We must enable people to choose the “better” options, and we need to make those options as easy as possible.
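Here is what “remove the bad options” looks like at the policy level. This is an added example, not code from the post: it contrasts a legacy complexity rule (8 characters plus four character classes) with a length-based policy in the spirit of NIST SP 800-63B. The minimum length, the maximum length and the tiny common-password list are assumptions for the example; a real deployment would check against a breached-password corpus.

```python
"""Length-based password policy versus a legacy complexity rule.

Added example (not the post's code). The thresholds and the denylist below
are assumptions chosen for illustration.
"""
import unicodedata

# Constructed denylist for the example only. In production, check candidates
# against a breached-password corpus instead of a hand-written set.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}

MIN_LENGTH = 15   # assumption: the minimum chosen for this example
MAX_LENGTH = 64   # SP 800-63B asks verifiers to accept at least 64 characters


def legacy_complexity_check(password: str) -> bool:
    """The rule set being replaced: 8+ chars with upper, lower, digit, symbol.

    It passes short, predictable strings and rejects long passphrases,
    which is exactly the "bad option" the text says we should remove.
    """
    return (
        len(password) >= 8
        and any(c.isupper() for c in password)
        and any(c.islower() for c in password)
        and any(c.isdigit() for c in password)
        and any(not c.isalnum() for c in password)
    )


def normalize(password: str) -> str:
    """Apply Unicode NFKC so visually identical inputs compare the same way."""
    return unicodedata.normalize("NFKC", password)


def check_password(password: str) -> list[str]:
    """Return the list of problems found; an empty list means accepted.

    Only length and a denylist are enforced: spaces, Unicode and any
    character class are allowed, so a memorable passphrase is the easy path.
    """
    pw = normalize(password)
    problems: list[str] = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"too short: need at least {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        problems.append(f"too long: at most {MAX_LENGTH} characters")
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("appears in common-password list")
    if pw and len(set(pw)) == 1:
        problems.append("single repeated character")
    return problems


if __name__ == "__main__":
    for candidate in ("Tr0ub4dor&3", "correct horse battery staple", "password"):
        print(f"{candidate!r}: legacy={legacy_complexity_check(candidate)} "
              f"new={check_password(candidate) or 'ok'}")
```

Run it and the contrast is the point: the legacy rule accepts “Tr0ub4dor&3” and rejects “correct horse battery staple”, while the length-based policy does the opposite. Pair the policy with a password manager and the long option is also the easy one.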
If you’re in cybersecurity, when was the last time you said:
- Here’s an easier (safer) way to do this
- I can help you with that (problem, project, whatever)
- I’m here to help you meet your goals
Instead of being frustrated that most people don’t care about cybersecurity, we should find ways to build it in behind the scenes, so the secure path is the default one.
By supporting our colleagues, we improve both security and the business.
It doesn’t need to be hard.