Ever met someone who’s seems negative all the time? The person who always has something negative to add to a conversation?
These people are common, so common we have a nickname for them; “Negative Nelly”.
You could be having the best day, then along comes Nelly. He/she shits on your parade and leaves you feeling gloomy.
You don’t like Nelly, you don’t like talking to Nelly, and you certainly don’t like hanging out with Nelly.
The information security industry is Nelly.
Don’t agree? How often do you read positive news about our industry versus negative news? Some recent headlines:
- Online marketing company exposes 38+ million US citizen records.
- Chinese professor on sensitive projects in US jailed for espionage.
- Google removes Android app that was used to spy on protesters.
- WordPress websites attacked via File Manager plugin vulnerability.
- Vulcan Cyber study finds serious problems with vulnerability management.
We can’t help it, we're Nelly.
In our defense, this is the nature of our work. Information security is about managing risk and “risk” is always dependent on a negative outcome. What information security is and how we package it are two different things though.
How many times have we said things like these (or similar)?
- “If the ^@&*! users would just stop clicking links!”
- “People just don’t get it.”
- “It’s a layer 8 problem. People are always the problem.”
The business doesn’t like Nelly.
Nobody invites Nelly to parties because dealing with Nelly is bullshit. The business doesn’t invite Nelly to their parties (meetings) because Nelly tells us why it’s not a good idea to do something or why we can’t do something.
- No, we can’t do that.
- It violates our security policy.
- It’s too risky.
- It violates regulatory requirements (GDPR, HIPAA, GLBA, etc.).
- We can do that one thing but it’s gonna be a lot of work to secure it.
A business is in business to make money. Nelly is a cost center. Nelly is necessary evil, so we deal with him/her. Nelly is so damn negative though, so we're going to try avoiding him/her when we can.
Business users don’t like Nelly.
These people may be warming up to us, but that’s a helluva lot different than wanting to hang with us. Mandatory training, punitive reactions, etc. are common ways we engage.
How do business users feel when we walk into a room?
Nelly doesn’t like Nelly.
Ever felt intimidated or dumb when asking someone a question or suggesting an idea or solution? Ever felt a little beaten up?
It’s Nelly again. Nelly is a pain in the ass and he/she is bullshit.
So, what do we do about Nelly?
We’ll discuss this on tonight’s Security Shit Show! We’ve got some cool ideas, but here’s some to get you started:
- Be intentionally positive even when delivering negative news.
- Be aware of how your perceived by your audience.
- Deliver value based on positive results not negative ones.
- Make lives better, make businesses more money, and people will wanna hang with you (Nelly).
Chris, Evan, and Ryan will have some good shit to share!