This is a three-part blogpost about how to change your organization for better security, even when you are not in power. Last blogpost we saw how to get our rational, analytical mind in action. This time we look how our unconcious mind can be set into motion.
Motivate the Elephant
So we are still following the analogy of the Elephant and the Rider from Dan and Chip Heath’s book Switch. This time we look at how we can motivate the Elephant. The Elephant, an analogy for our unconcious, emotional, automatic and irrational side of our mind.
The Elephant can often seem lazy and unwilling to go to action. The Rider can tug at the reigns all he wants, but the Elephant is much stronger. And the Rider will be left exhausted.
In recent years studies have shown that our willpower is a form of energy that can be depleted. When depleted, we give in more easily to temptation. You can imagine how that works out when people have to decide on unpopular, costly and difficult measures. All your analytical appeals are for naught when dealing with this situation. What to do? You have to motivate the Elephant.
In Switch Dan and Chip Heath describe three ways of motivating the Elephant:
- Find the feeling.
- Shrink the change.
- Grow your people.
Find the feeling
So the Rider has tried to pull and pull the reigns and it didn’t work. But what if we can get the Elephant excited about our goal? The Elephant is a force to be reckoned with.
You might say that this was the whole reason for me to start writing these blogposts about selling security. I spoke with fellow DBAs at the UKOUG Tech 2014 and learned about their struggles to get approval for security improvements and that got my mind going. That night I started creating a presentation about how we in IT can fix this. And from that came this blogpost series, which I wrote much faster than usual. That sort of was my Elephant in motion: “Someone has a problem and I can fix this!”
But how to apply it in your organization? How can you find their feeling? One way to do it, is shock them. I once photoshopped the front page of a large Dutch newspaper to show that the organization I worked for how the newspaper would look if they got hacked. And I told them “this is what can happen to us if we don’t shape up security wise”.
Another way is the hacker workshop I did. A lot of people in IT think hacking is hard “and therefor it can’t happen to us”. So if you show them how to hack, you show it’s not that hard and therefor security measures are necessary.
Succesful changes in organizations almost always are following the lines of SEE – FEEL – CHANGE instead of ANALYZE – THINK – CHANGE.
Shrink the change
Let’s go back again to the DBA of last blogpost and his or her 11,493 security issues that have to be dealt with. If there was ever a thing to be demoralized by. And Elephants easily get demoralized. “I’ve solved one security issue today. 11,492 security issues to go. Sigh!”
You work better when you get the feeling that you are making progress. Ever had a stamp card at your fuel station for a free carwash and you got 2 stamps free? That’s a way of telling your Elephant: “Yes, you need 10 stamps, but look, here are 2 free. You’re already making progress.” You could have a card with 8 stamps to be collected, but for your irrational mind, that’s not the same.
How can we apply this to the 11,493 security issues? In two ways. One way of thinking is the way that Dave Ramsey came up with to get out of debt. In his method, the Debt Snowball, you write down all your debts and sort them in order of how large they are. And then you start paying the smallest debt first, then the next, and so on. Rationally this method is not correct, and financial advisors are quick to ask “what about the interest?” But the victories of paying even the smallest debts apparently weigh up against the downside of having to pay the interest on the larger debts for a longer time.
So if you want to go through the 11,493 security issues, perhaps it’s better to attack the easier to solve issues for which you don’t need downtime, even though you leave larger security holes untouched.
Another way of getting a feeling of progress, is using the Scrum method to get through your security issues. And this is especially important for your manager. When you tell your manager you want to deal with the 11,493 open security issues, what he or she probably want to know is, how much time do you think your security improvement project will take. Would you be so kind to give an estimate? What do you think? 100 working hours? 500? 10.000?
Scrum is an increasingly popular method for software development. You work in short sprints (usually 4 weeks) in which you deliver a good working product. What you are going to deliver is described in so called “user stories”. User stories capture the “who”, “what” and “why”. It’s a bit hard to imagine how a user story should be written for security vulnerabilities, because they are usually written from the perspective of the user of the product. But think of a security related user story this way: “As a user I want schema owners with only necessary privileges (while my application still works), so that other users can’t control the database where my personal data is stored”.
The user stories are devided into tasks by the people who are going to execute them. A task should usually take only a day work. Examples of tasks might be “Create a new role for the schema owner that will replace the DBA role” and “Test the new role for the schema owner with the developer”.
Every day there is a 15 minute meeting to discuss successes and challenges and as a team you help each other to solve the issues. Often a Kanban board is used to show the progress. Kanban boards show the tasks on post-it notes and devides these over sections. In the Backlog section is all work that hasn’t been assigned yet. In the Sprint Backlog are all the user stories and tasks that you agree to do in the next sprint. In To Do are all tasks that are “In Sprint”, so those would be tasks that will be developped in the next 4 weeks. In Doing are all tasks that are currently being executed. Then there are sections for Blocked (can’t execute at this moment) and – very important for the Elephant – the section Done.
You can imagine how much better it sounds to say to your manager you’re going to do 3 sprints of 4 weeks working on security issues. It’s better than to come up with completely made up numbers of hours you are going to spend on 11,493 security issues and then spend way more hours than that. I think that for a sensible manager the Scrum approach is more graspable and therefor has a better chance of approval.
Grow your people
“Grow your people” is about appealing to people’s sence of identity as a group. What are we here to do in our department? To keep the databases running? Or are we the protectors of our customers personal data? But how to grow that identity?
We have already come across identity and how to change it. Remember the badge “I support security improvements” and how that makes people feel that they have to be consistent with the message they are wearing? It was in my previous blogpost where I discussed Robert Cialdini’s principle of influence called “commitment and consistency”.
A security mindset doesn’t always come with badges and posters. Switch describes a growth mindset as important for growing an identity. Let me describe it as this. You can look at your team or department through the eyes of Sheldon Cooper, the character from the series The Big Bang Theory. Sheldon would probably see your team as a bunch of mediocre people that have never excelled at anything and are forever stuck in their menial labor. Yes, please don’t take this the wrong way, but trying to coax growth out of them is as doomed as teaching a dodo to fly.
Actually I hear that Sheldon Cooper type of rethoric from time to time at the coffee machine. “Why try? This team is a lost cause”. Which always strikes me as odd, because the people in my team are actually in the top of their fields. I rarely worked in a team with so many writers of Oracle books and blogs, speakers at conferences and trainers of Oracle courses.
A growth mindset means that people actually do want to protect the data of the customer, only maybe management gave very little attention to that. This mindset still has to grow. Don’t be discouraged that they aren’t security specialists right away or guardians of data. Give it proper attention and eventually this identity will grow.