I was talking to a friend recently who was trying to implement a new process for increased access. They confessed that they were trying to make it a little difficult for the user or at least make sure they read all the documentation before making the access request. They were also trying to add a bit of snark into it.

I recommended taking a more empathetic and diplomatic approach. (Avoid being the IT Crowd)

Let’s face it, there’s a lot of snark and cheekiness in our industry as well as many who are introverts. What ends up is many want to hide behind tickets and walls of bureaucracy, but sometimes we have to break out of our comfort zones and go to the user.

Lesson 1 - If The User Did Something Wrong, Take Ownership Of It

The old way of doing security was to hide behind obscure policy documents and statements that no one in the company has read. Kinda like a CYA (Cover Your Ass) or “I told you so” when someone does something wrong.

But were they set up for success?

Did you go over these policies with them in-depth when they started and refresh them periodically?

Are they accessible? Easy to understand?

Are they practical and in-use or impractical?

Don’t setup your users for failure. Ensure they understand what’s going on through your mind and verify. Err on the side of over communication.

TL;DR: Educate your users on your expectations in security. Have a measurable way to ensure they understand your expectations.

Lesson 2 - Create services for people to consume

Create a ticket.

For some, it’s a dreaded phrase.

But it works.

If people know where to go to get security reviews, assistance, and advice… they will come.

Here are some places where you can create services:

• Jira

• Slack channels (#security)

• Slack bots

But what kind of services would you provide? Here are some top-level examples:

• Security Architecture Review (can be broken into sub-categories as well)

• Third party vendor security review

• Client/Partner Documentation Request

• Privacy deletion request

• Report an Incident

• Report a phishing email

Some of these can be automated as well using slackbots or no-code automations like Zapier and Integromat.

TL;DR: Create trackable and/or automated ways for people to consume security services. Don’t forget to include/create documentation on “Howto” and “When” to use some of these services.

Bonus - Track all your work and provide metrics to justify your job and organization and learn from that data to drive your strategy moving forward.

Lesson 3 - Go To The User,  Don’t Wait For Them To Come To You

One of the things I LOVE to do is answer questions! People often have questions but are either hesitant to ask them or don’t think it’s an important question worth bothering someone about.

This is where I love the idea of office hours many leaders have embraced. An open forum where someone can come up and ask questions on anything.

If you are trying to affect major behavior change in an organization, you’ve probably done all this already:

• Created documentation in confluence on the new TPS report process

• Created a service portal to file a TPS report

• Made an announcement via email and slack

But wait… people are still DM’ing me and asking the same questions! WHY?

Well, have you considered:

• Maybe your target audience doesn’t “live” in confluence

• It’s a campaign, and one email or slack in a barrage of many won’t magically fix everything. Most email campaigns are lucky to get a 50% open rate, and who knows how many read it all the way.

• People just flat out don’t BELIEVE in your new process and refuse to participate in it.

How to go to the user

• 🎥Make a video

  • Try making a Loom video or similar! It will dramatically increase your goals. Embed it in your docs or distribute via slack/email.

• 💻Hold Office Hours

  • If you hold regular office hours during the few weeks of launch, it may provide an avenue for some to discuss and comment on your new process.

• ❓Explain The Why

  • Knowing WHY this is happening and why it’s important. Over communicate and relate it back to how it’s important to protect the company and its customers.

  • Define the impact of NOT doing X, Y, or Z or the impact of doing it the old way and maybe some examples you’re able/allowed to share.

• 🧑🏽‍💼Get Management Support

  • Trickle down effect in companies is strong. Get the leader(s) of your target audience on board with your initiatives and it will increase conversion dramatically.

TL;DR: Going to the user will save you time, lower frustration, and help you tweak your process. It may also make you more approachable and likeable.

Conclusion

The idea here is to learn towards your users as opposed to waiting for them to come to you.

Here are some possible benefits to you and your team:

• Appear more organized and streamlined

• Win praise for being easy to work with and or approachable

• Learn more about other teams and projects ahead of time creating an opportunity to bake security in early

Have you implemented any of the above before? What has your experience been? Feel free to share tips and your comments below.

Take care,

Ayman