Category: CISO life

The new normal. What the old normal should have been?


The COVID-19 pandemic is an opportunity to regroup – four areas to consider.

The new normal

In his fascinating book ‘I’m afraid Debbie from Marketing has left for the day’*, Morten Münster explains that when it comes to decision making, the human brain has two systems:

  • System one: fast, automatic, uncontrolled, subconscious, intuitive

  • System two: slow, reflective, controlled, conscious

System one comes into play with tasks you do apparently without thinking — like driving or throwing out a hand if you begin to fall — it is about habit, experience and speed over detail.

System two is used for planning, learning or carrying out new or complex tasks. It operates a considered and deliberate approach, and crucially burns up much more mental energy than system one.

Around 90% of our decisions are made with system one thinking, largely due to the incessant and pressing nature of our daily lives. Keeping plates spinning while putting out fires — other metaphors are available — means we have minimal time to think and plan, and instead react and make snap decisions based on gut instinct or experience. We haven’t the time nor mental energy left for system two thinking.

What does the normal mean for the CISO?

As working from home has become the emblem of action to mitigate the current pandemic, it seems organisations are taking the opportunity to assess their current processes, look longer term, and plan or redevelop strategy — system two stuff.

If this is the new normal, maybe it is what the old normal should have been. And what does this mean for the CISO?


The CISO’s new normal

I wrote recently on how the CISO’s life is changing. I contended that there is a positive shift in the CISO’s standing which includes how they are perceived and how they are approaching the role with a growing confidence.

We have also seen the importance of information security growing across sectors and organisations. That importance only accelerates now that COVID-19 has crashed into our lives.


Four areas to look at:

1. Working from home

Whether you are an old hand at overseeing the security of remote working (using system one unthinking habits) or are new to it (using system two learning conscious thinking), it does no harm to assess your current situation. Use system two to consider:

  • The processes, security technology and awareness of remote working
    (see TSC’s working from home infographic)
  • The wider issue of the pros and cons of working from home in the first place.

If you suddenly have an explosion in numbers of employees working from home, you will need to quickly review and update remote working policies and security awareness, and, most importantly, communicate these. Ensuring employees have the correct security measures in place goes to the nth degree.

In ‘Staying Safe While Working Remotely’, McAfee gives good advice, including:

  • Install/update data encryption to prevent data loss.
  • Install/update anti-malware solutions to provide equivalent security on and off the VPN.
  • Make sure employees are fully aware of the authorised cloud applications and tools.
  • Block access to risky cloud services to avoid infiltration from compromised web sites.
  • Ensure users know how to submit suspected phishing or other dubious emails.

Once the life starts returning to normal, it will be a good time to think seriously on the concept of working from home. Employees and indeed senior management may now consider this a normal part of their working pattern. As a CISO, you should be ready for and have processes, technology and training in place.


2. Communication

As the bridge between you and your colleagues (remote or otherwise), there are practical and psychological considerations with communication.

Working with human resources and/or internal communication teams is vital to ensure all are connected, as well as to co-ordinate your messages with the rest of the organisation’s. Make sure you have a robust company-wide communication platform in place to deliver these messages, such as Microsoft Teams or Slack.

Congratulate outstanding performance for individuals and departments

On the softer, psychological side, include good news messages in your comms. Yes, a great deal of your communication output will be ‘don’t do this’, ‘do that’, ‘watch out for…’ and other instructions. But temper these with happier news. Congratulate and highlight good and outstanding performance for individuals and departments. For example: ‘Well done to the accounts team for correctly reporting four phishing attempts last week’.


3. Personalisation of information security

Behavioural change experts recognise that to get someone to change what they do, or how they do it, the problem needs to be seen from their personal context. In the real world, meticulous system two planning will always be trumped by the reactive demands of system one scenarios. Without this perspective, no amount of awareness raising, education and appropriate tools will effect the desired change.

Increased working from home is an opportunity to turn information security into something relevant to people’s situation. In addition to simply telling what measures to take, ask them what barriers they have encountered in their personal situation that prevent them from following good security behaviour.

Give clear behaviours to follow

Relevant information directly from your employees will allow you to see the situation through their collective, personal context and extends beyond technical considerations to areas such as using appropriate chairs, taking regular breaks and so on. You will be able to see situations from their perspective and give them concrete, positive behaviours to follow willingly (we hope).


4. Those ‘I would love to have time for that’ things

As we become better adjusted to the current situation, there is an opportunity to engage system two thinking and consider those critical areas that don’t always get the time they deserve. Plan for the year ahead: awareness campaigns, training (including your own), investigating cloud services, and more.

Now is the time to look at how effective campaigns have been, what lessons can be learnt, and how to implement what you’ve learnt in your next initiatives. You can also explore how to work more effectively with internal communication teams and other departments in your awareness programmes.

For inspiration and tips in these areas, see other Insider articles: ‘Reaching parts other information security awareness programmes cannot reach’, ‘A CISO’s guide to creative employee awareness campaigns’ and ‘6 reasons your behavioural change plan failed’.


Conclusion

So now is the time to recognise where system one and system two thinking operate in our lives, both working and personal. How can we re-arrange, change and innovate to make this new normal better than before?

I was recently asked for six words to describe the current situation as part of the #MyQuarantineInSixWords Twitter hashtag. My reactive system one thinking said right away: ‘opportunity’, ‘reorganise’, ‘re-think’, ‘improve’, ‘create’, ‘educate’.

My system two considered this and said: ‘Let’s take these and get planning…’


*I’m Afraid Debbie From Marketing Has Left for the Day: How to Use Behavioural Design to Create Change in the Real World, Morten Münster, Gyldendal Business 2019


Insider sign up button

You might also like...


This website uses cookies, by continuing to use the site you agree to using cookies. Continue Privacy Policy