When some people say they don’t know what to do around cyber, you may want to ask them where they have been for the last 10 years…
For a number of years, I have been puzzled by the high idea some cyber security professionals seem to have that their job is about convincing other people: Convincing users that they need to do certain things to protect themselves and their data; Convincing the Board that they need to invest more to protect the business, etc…
There is also the prevailing sentiment across cyber security communities that those are rational arguments, to be won through facts and figures.
Somehow, there seems to be the sense that employees don’t know what to do around cyber and that the Board does not understand. They need to be educated or trained about it; it needs to be explained to them and cyber security needs to be brought to their level – up or down.
All too often, the argument is framed in technical terms, irrespective of the target audience and the business environment and culture in which they operate.
This approach is flawed at two levels in my opinion.
First of all, I think the argument by which employees and…
