In almost every cliché, there’s a grain of truth.
Let’s take, for example, the cliché of the cybersecurity professional: A 20- or 30-something male wearing a hoodie and a T-shirt bearing an obscure programming joke. One whose social interaction is mostly limited to eye-rolling behind users’ backs whenever they have committed yet another security blunder. Of course, you will hardly ever find that fully fledged stereotype in real life…but it wouldn’t be so pervasive if there wasn’t a hint of reality in it.
Before we look into it, let’s make two things clear. First, there is absolutely nothing wrong with being a male, dedicated cybersecurity professional with idiosyncratic taste in clothing and not much patience for social chatter.
Secondly, clichés are descriptive, not normative: They allow us a bit of insight into how the world is, not how it should be. And how it should be is diverse. Not just in terms of gender and nationality, but in skillset as well.
Cybersecurity and the Human Factor
In recent months and years, the focus of cybersecurity has shifted more and more towards the so-called human factor – a change that has been more than overdue.
For most of cybersecurity and IAM history, professionals focused on technical buildup: My keys are longer than yours, my firewall is bigger, look at my brand-new IDS. That would have been fine – if only users had been able to keep up. But most data breaches and other incidents, as studies show, were caused not by inadequate technical systems unable to resist sophisticated attackers – but by plain human error. This top incident cause is followed closely by the category of phishing/hacking/malware, of which a large percentage is arguably also related to human oversight and lack of education.
The Curse of Knowledge
The most refined technical system is worthless if users can’t understand it. But, due to a factor known as the “curse of knowledge”, cybersecurity professionals often can’t imagine that the end user can’t grasp a system whose functions are so blindingly obvious to themselves. And they largely don’t accept the fact that a technical system’s effectiveness must be measured by its outcomes under realistic circumstances, not by the hypothetical outcomes that would result if the system were used under perfect conditions by a perfectly competent and attentive user.
The Cure: The Outsider’s Perspective
The curse of knowledge has one effective cure: Get an outsider’s perspective. Entering into a dialogue with one’s users is one way to achieve that. However, it is not the user’s job to put in the work to improve a system; thus, the user can deliver inspiration, but no definite solutions.
Therefore, the outsider’s perspective should become an integral part of the cybersecurity and IAM team: People who bring this fresh perspective with them should be brought on board. The more varied their backgrounds, the better. Thus, the job is not done simply by hiring a fair share of women.
Do you have anyone on your team who is not a STEM graduate? Social scientists can bring new insights about users’ social dynamics and organizational requirements. What about someone with a disability who will be able to offer new perspectives about usability and accessibility? Someone who has studied or worked abroad and knows about other cultures’ expectations of privacy, autonomy and authority? Someone who has worked in a different industry and knows its specific regulations and daily challenges?
Make the outsider’s perspective a central part of your work, and you will become an IAM insider.
Dr Christina Czeschik is a writer and consultant specialized in information security, digital privacy, and Blockchain. Originally a doctor, she has slipped into the infosec pool by way of cryptoparties, and never quite been able to climb out again.