How could senior management training revolutionize information security?

Are you the person your teammates go to whenever they have a technology issue? "I'm back from vacation, I forgot my password, how do I reset it?" "My phone is acting funny, do you think it's a virus?" "Is this Python library safe?"

I love such behaviours. At work, I'm responsible for the "security champions" community and always scouting for them. However, I often get desperate about other people's indifference or hostility, especially when they're managers. If you're reading this, I'm sure you feel the same.

One security consulting firm in my city's slogan is: "Changing the world of security, one user at a time". It's inspiring. It's also unachievable.

For the past few years, I've been obsessing over influencing individuals into adopting secure behaviours. To varying degrees of success, I've experimented with secure defaults, guardrails, nudges, praises, engaging videos or graphical designs, community management, and more. You may notice I've left "security training and awareness" off the list. There's a reason for that.

I often find that "we need more security training and awareness" is the default claim from people with nothing of substance to say. "Awareness training" also carries a compliance stench: we watch these mandatory corporate cartoons on the other tab while working on something else...

This week, I want to share how I encountered an inspiring idea that could reconcile me with training while listening to the Freakonomics podcast: What if, instead of "changing the world of security, one user at a time", we could train only a handful of leaders into building secure companies and departments? Let me explain.

First, we need high-performing organizations

The episode "Do the police have a management problem?" delves into the University of Chicago's economists and management professors' attempts to alleviate the hardships of the Chicago Police Department.

The advisors begin their action plan with standard business tools: data and metrics. The department streamlines its security and operations center with cleaner data from video cameras, recent arrests, and alarms of gun violence. Pilot projects yield surprising predictive properties and increased police intervention efficiency.

These actions summarize what my work has focused on for the past year and a half: providing data-driven risk and compliance insights to focus investments better. I've also been evaluating enhanced applications to get out of spreadsheets and custom code to collect higher-quality data.

Unfortunately, the University of Chicago's initiative failed in the long run.

Why?

Metrics are worthless if nobody uses them.

Police managers were leaving their duties for various normal reasons. Their replacements, however, were not trained in the new software and approach. So they defaulted to what they knew. As a result, all gains went back to zero.

The academics were attempting to change over 18,000 police organizations across the country, "one department at a time".

From data to leadership

The second part of the plan to turn around the Chicago Police Department is still ongoing. It is based on progress made by the Los Angeles Police Department with senior leadership training sessions.

The rationale for going after captains and commanders was pragmatic: it's cheaper to train 4,000 people to build an efficient department than 400,000 to be aware enough.

However, what truly fascinates me with this experience is the actual substance of these leadership trainings. They are not primarily about the tools, the numbers, and management methods! Most sessions center around relationships and psychology.

The trainer's bet hinges on community building amongst leaders.

While the program is too early to measure its impact, qualitative feedback has been overwhelming. The sessions have become so popular that seats get attributed by lottery, like Taylor Swift tickets.

This story made me realize that turning leaders into security advocates is likely the best route to scale security across organizations. I've been vocal about the strength of security communities. In my final sendoff to my students, I insisted upon the necessity to attend events and join online communities, for their sanity's sake.

Security people may be hoarding their greatest asset: their camaraderie. I think it's time to spread this into our organization's highest hierarchies.

How about you, have you had the chance to train executive-level individuals about security management practices? Did you succeed in adding a VP to your security events? Tell us in the comments!