Sometimes, it only takes one question to change your life forever.
“Why don’t you try cybersecurity instead?”
My path towards my cybersecurity career started about 12 years ago. I was at a college orientation day when, after finding out that my major was computer science, one of the advisors approached me and asked me that.
That one question launched my journey into cybersecurity; a journey that was interrupted several times due to life doing what life does.
Those interruptions had me working as a sausage manufacturer, assistant meat manager, and food safety specialist, before finally coming back to IT and cybersecurity.
As I look back at all the different experiences, I’ve come to notice many similarities between cybersecurity and all those other jobs that are seemingly unrelated.
What I learned from food safety inspections: “We” not “You”
When I worked as a food safety specialist, one thing was repeated ad nauseam in training, and after: use the word “we” when speaking to our audience.
I was an external internal auditor, if you will. Restaurants would hire me to come and assess them before the governmental food inspection.
During my assessments, it was common for restaurant managers and their staff to see me as an outsider. I was some random guy that came in and started checking everything, getting in everybody’s way, doing a writeup, and then leaving. It looked like I was judging them.
This perception was a damaging one because in reality, I was not an outsider; I was hired to be a part of the team. I was working to help them catch and correct errors so that they could perform their duties better, and ultimately pass the big health department inspection.
To overcome this perception, the inspectors were trained to say “we” instead of “you” when speaking with everyone in the restaurant.
If, for example, I saw that someone was not fully shutting the walk-in cooler door I could say one of two things:
1. “You need to make sure that this door closes all the way because if not, the temperature in the walk-in cooler will rise putting the food inside of it at risk.”
Even if I say that in a pleasant and friendly tone, the use of the word “you” makes it come off as a command. The employee could easily become defensive or embarrassed when this outsider comes in and starts telling them what to do.
However, if we take the same scenario and I instead say:
2. “We need to make sure that this door closes all the way…”
It sounds much warmer! By using “we” I am changing the perception that I am an outsider and helping the employees to see me as part of their team.
This strategy helps in our cybersecurity roles as well.
Those of us in the cybersecurity world, and IT in general, are often looked upon with curiosity and amazement. What we do seems unexplainable. To those on the outside we are seen as literal computer wizards, doing things that defy logic and have no explanation except for that it must be some kind of black magic. Due to the mystery around our careers, when those close to us are asked what we do for a living the answer is almost always that we “work with computers.”
Because of this, it is easy for our work colleagues to see us as outsiders and not part of the team. We’re the people who sit in our own hideout and ruin everyone’s day by making them change their password every few weeks to something that doesn’t have a “1” on the end.
Like the restaurant example, there are a couple of choices on how we communicate requirements to the team.
We could say “you need to set up multi-factor authentication on your devices, adding an additional step when you log in,” and everyone is understandably going to want us fired.
However, if we instead say “We need to set up multi-factor authentication…” we’re making ourselves appear as part of the group, “one of them” instead of a random person who only comes around when something isn’t working.
Of course, using the word “we” did not always make everything better.
People are still people, and regardless of how friendly you are they may not always agree with what you’re asking them to do. Especially when what you’re asking is something that is going to change their established daily work routine!
This gets me to my next piece of advice: explaining the “why.”
What I learned from sausage manufacturing: Always Explain the “Why”
Explaining the “why” can go a long way in increasing understanding around what you’re asking the team to do, which helps the employees, and by extension the company, be compliant.
If your people don’t know why they should be doing something, they’re not going to do it. Especially if what you’re asking them to do will add friction to their day.
I was working at a sausage manufacturing plant when the plant owner decided to implement a new procedure for tracking food production. The new procedure was intended to help manage waste and track food in case a food-borne illness started spreading. If some meat-related incident happened, we would be able to use the new system to find out where the meat came from, when, where it was used, etc.
This system was not exactly the easiest thing to deal with. You had to use a scanning gun (think wedding registry) to scan the items you were about to use. The interface was not the best.
Predictably, associates hated it.
Before, the associates were able to get a piece of meat, cut the bag open, process it, wrap it, and move on. Now though they had to get the piece of meat, get the scan gun, scan the package, input the information, and then process the food.
The manufacturers that struggled with this system were the ones where the management simply declared “this is the new process, and you’ll be in trouble if you don’t follow it.”
The ones that succeeded with the process were the ones that took the time to explain why it was so important. Once the associates understood that it helped reduce food waste and the impact of a foodborne illness outbreak, they were happier and more likely to follow the new procedure, even if it took extra time.
All of us have a laundry list of things floating around in our heads that need to be completed daily, and when someone adds an extra step, it’s natural for us to rebel against it.
Going back to my multi-factor authentication (MFA) example, how successful do you think this statement will be?
“Going forward, there is going to be an extra step when logging in. After inputting your password you’re going to have to pass a second challenge by way of a text message or authenticator app code before you can log into our system.”
It probably won’t be that effective.
It shouldn’t come as a surprise though. Because you’re creating friction in their day by adding an extra step when logging in, it is seen as an inconvenience so the natural inclination is going to be to ignore it.
However, if you take that same message and first change it to, “Going forward, there is going to be an extra step when logging in. After inputting our passwords, we’re going to have to pass a second challenge by way of a text message or authenticator app code before we can log into our system.”
Then, we can add something along the lines of, “We know this adds what seems like an extra unnecessary step, or that we’re just being paranoid. However, research done by Microsoft shows that adding MFA to a login process reduces the chances of someone hacking into our system by 99%.”
You’ve now:
a) Made yourself part of the team, and
b) Explained why the change is necessary.
Now your colleagues understand the reason why you’re asking them to do something. That little bit of information can make the difference between them following a procedure or not, which by extension will make the difference between your company being compliant or not.
What I learned from managing a meat department: The Importance of Accountability
Sometimes, making yourself part of the team and explaining the reasoning behind your actions is not enough to earn buy-in from everybody. Despite your best efforts, there are some that are not doing their part and your company is suffering.
Unfortunately this is going to continue until people are held accountable for their actions or inactions. Some people will follow rules and procedures simply because it’s the right thing to do, or because it’s something that the company asked them to do. There are others though that need an external reason, which might have to be disciplinary action.
When working in the meat department I ran into a situation that helps to illustrate this point.
The department was not in very good shape; there were disciplinary issues, and ordering issues. The meat cutters that were in charge of ordering meat and supplies for the department never bothered to take inventory before ordering, and instead went by what they could remember. This led to two outcomes: we either had little supply or too much. There were also issues with associates who would not work their full shift. They’d show up late, leave early, and not bother completing their tasks.
Once promoted, one of the first things I did was clean up the situation with our supply levels. I did so by taking proper inventory of everything that we had in the department. This allowed me to more easily see what I was in need of, and what I had too much of. The things that we were short on got ordered, and the things we had too much of we would wait until levels dropped before ordering more.
Next I started to log situations with incomplete shifts and work tasks. I then had a meeting with all of the associates and set the standard by explaining what was expected of them both while working and while ordering supplies and food. I ended by letting them know that if they did not follow the instructions that were laid out by the company they would face escalating disciplinary action.
More importantly though, I followed up with that statement by implementing the company’s progressive discipline policy of verbal warning, write-up, suspension, and lastly termination. This was something that previous management did not do. After a few months the department was in better shape and the people working within it were people that wanted to be there and wanted to do the job right. Holding people accountable for their actions/inactions was a big factor in turning the department around.
Conclusion
I never would have thought that my time doing food safety inspections, working at a sausage manufacturer, and managing a meat department, would help prepare me for a job in cybersecurity… and yet here I am.
The truth is that being part of the team, explaining the why behind requests, and holding people accountable is something that is universal regardless of what industry you’re in. For those considering the jump to cybersecurity, I hope these stories help you realize the amount of transferable skills and knowledge you already possess.
It turned out my path to cybersecurity started with that one question and took 12 years to follow, but I’m glad I followed it all the way here!