When organizations begin to think of users as cattle instead of unicorns, they begin to strip away those users' pride in, and sense of responsibility to, the organization. When people take responsibility for their actions only out of necessity or self-preservation, you have lost the battle, but not necessarily the war. You can change people's mindset; it just takes a little more effort.
I believe that people are the answer to most security problems. Empowering people by making them part of your security team enhances their awareness and fosters a sense of shared responsibility. Organizations that encourage (and consistently preach) shared responsibility get continual communication and employees who stay aware of their duty to protect themselves and their fellow employees. Organizations that treat employees as just another expense (or as cattle) push those employees away, which lets them disassociate themselves from that responsibility. You have now created more resistance, and your security team has another force fighting against it rather than with it.
Cattle organizations encourage people to use their creativity in an unproductive way. The result is employees who try to bypass your security measures instead of identifying and reporting potential incidents. Most organizations have warmed up to the idea of phishing simulations (I hope yours has) as a way to provide immersive, lifelike training. Some cattle organizations have gone as far as firing employees who fail these tests. Taking that approach forces your employees to either report everything, report nothing, or find creative ways to fight against the security team instead of for it. Employees in a cattle organization will start using their creativity to defeat the training itself, for example by creating Outlook rules that detect and hide the simulation emails, or by completely ignoring (and not caring about) a new face walking through the halls. The first question that should come to your mind is: why are my employees doing this? The second is how to identify and prevent these negative uses of creativity within your environment.
Unicorns are majestic and beautiful creatures. Organizations and security teams that believe, and routinely remind their employees, that everyone shares equal responsibility for protecting the organization, its data, and ultimately their own jobs, gain an army of security agents constantly watching for suspicious activity, both digital and physical. The security team then has far more actionable intelligence with which to do its job.
Just imagine everyone in your organization (Finance, HR, System Administrators, Shipping, and so on) being encouraged to protect themselves, their fellow employees, and the organization from suspicious emails, people, system configurations, and the like. If you have worked in security for any length of time, you know that the best information about problems and incidents comes from employees. Unicorn organizations create a culture of responsibility, a stake of sorts, that produces a healthy form of peer pressure to report and communicate any suspicious activity. I don't know about you, but I would rather believe in unicorns than step in cow shit.