Story Time
Picture this: You are young. And the world is not providing what you need. It's a drag. But not today. Oh, today is different.
Your phone lights up. It's go-time. The crew is assembled. Your rig switches from blue to purple. You sit up in your gaming chair. Headset on. Voice chat is open. Someone is already sharing their screen, discussing tactics. You know your opponent already; you were studying them for weeks. Someone is chewing something noisy and gets his verbal beating accordingly.
Your stack of energy drinks is on hand. The rest of your room disappears in the new room you're entering mentally. Game face on. Today, you are the support. You know what you have to do. They won't know what hit them.
The voices become quiet. The caller hits his first number, while the others keep their eyes on your notes, the intranet, the Slack channels. His LinkedIn told you enough already. A walk in the park really.
Time loses its meaning. Everyone is feeding updates into the chat. Listening closely as the target remains unconvinced still. You build out the pretext in real-time; hammering hints in the chat. You are focused. Your brain is overclocked.
He won't break with this method, try this instead. HR mentioned this just last week, build on that. Now: more pressure! It is sooo urgent, come on! Got it! The dopamine kicks in full throttle.
The password was reset. Next phase, quickly now. You know what your job is. You try both approaches. This one's not it, we'll stick to the other one. Sip of energy. Shut the admin out. Get the database. Great job! It's not quiet anymore. Everyone's boasting! You are unstoppable. Let's see how long it takes until you hit the headlines.
Will they pay? If they don't, someone else will. That's a win any way now. You provided your skills. You learned so much this session, too. What worked, what didn't. Next time will be even smoother. Damn, you're good. Everyone was just so good.
Phew! When was the last time you had that kind of fun at work?
The Problem
You might have already made the conclusion that I drew the scene of the Advanced Persistent Teens in action, who managed to pop many an org in the last two-ish years. Despite the whole cybercrime stuff, we have to acknowledge that they do some things right. It probably is not just the money that motivates them. It is most likely a mixture of peer recognition, dopamine and sweet new money. Pwning orgs for lulz and profit.
And besides having these very strong incentives they also employ methods to stay on top of things. Filling gaps in individual and team knowledge on the fly, sharing tools and techniques, learning from their own and others' mistakes. And I think there is something to learn here other than: Do cybercrime and do time.
In many organisations the economic and corporate pressure is so immense that employees are working more or less in isolation, with creativity and learning brought down to almost zero. Do your job, make the numbers go up, don't cause trouble, don't click on links in emails. Btw: here is our new policy on AI tools, just click the link.
I'm on the team that says AI is going to help cybercrime more than defenders in the near future, at least. A bigger issue in my opinion is the professionalization and operationalization, the Phishing/Malware/Ransomware-as-a-Service, the whole Initial Access Broker market and so on. And somewhere in between these two sits this culture thing. It's not just that the working culture of the criminals is really that good. Many organizations employ a very bad working culture, often depending on the old Shaming&Blaming™. And renaming HR to People Team is not doing a better job. Same for swapping people for LLMs. And this adversarial advantage will not be met well by making phishing simulations more realistic and individualized. This issue will take some work.
Security as a Cultural Issue
You'll read that again and again on this blog: Security is more than shiny tech and sweet sweet policies. We do find human error in technical and non-technical teams alike. The differentiating factor is the culture. We'll have to dig into that term a little deeper, but that's for another post. For now, let's focus on one specific factor that is essential for a good security culture and that might also turn out to be good for profit and employee satisfaction.
That's psychological safety, which basically just means that you can trust you won't be punished, blamed, shamed, mocked or belittled for making mistakes, pointing out issues or asking questions. Even several times. When people can expect psychological safety, they are far more likely to point out issues, feel that their engagement matters, gain interest in improving things, clear up uncertain processes and give feedback on which tech and processes work sufficiently and which do not. The latter almost certainly leading to shadow IT, shadow AI and shadow processes.
When someone asks the same question for the fourth time, that shouldn't be viewed as a nuisance. This is a signal. Either the answer wasn't clear, or the process isn't. Answer it again, plainly, without audible eye-rolling. You risk leaving people in a state of hesitation and doubt until, after hours of grinding thoughts, they do the task … but wrong.
This might also hint that what is good for security in this regard is also good for quality, which will make your Quality Assurance Officer happy.
Employing a culture of psychological safety will also improve employee satisfaction, because less fear does that to people - but it also improves the way teams work together. And working together effectively, see the storytime above, is fun.
Mind the Gap
This is, however, easier said than done. We are heavily biased toward working in isolation and then spending time in meetings that could have been emails or even nothing at all. We tend to get annoyed when someone asks about a topic for the fourth time, or when someone clicked a link again. Or when a CISO didn't prevent that cyberattack:
So how should we go about bridging that gap? You probably won't get budget for a fancy cultural improvement program. But you can start small and, as always, start with inventory. Run an anonymous survey asking about willingness to report attacks, mistakes - your own, others', those of superiors - issues with policies and processes that don't fit the reality of everyday work, or uncertainty in dealing with specific challenges. Make sure to include a question about whether respondents felt pressured to answer positively.
Improvement then has to travel down through management. Because this is where trickle-down actually does work. Use stories of mistakes and the improvements that followed through group effort to drive that development further. This has to become part of regular meetings.
Make sure you follow up on instances of shame, blame and retribution thoroughly. You don't have to let people go for not applying psychological safety immediately. But you should follow up on such instances and ensure the situation is resolved constructively. Because no one will believe your effort otherwise.
Ah, it's this people-stuff again, isn't it?
We have to start somewhere, but we do have to start. We will need people who like to work in their organization and we will need them to stay on top of technological and societal developments. And we will need them to do that together. Because the adversaries do that sufficiently.
They do it for lulz and profit.
The question is: When do we?