Summer Reading List for Training and Awareness Program Managers: Part 1
The last five months have been different, to say the least.
Forced working from home (my colleague has been keeping a tally: 114 days and counting).
Political and societal upheaval.
Kanye West running for president.
The world’s still turning, though, and that means it’s summer—a time I treasure for climbing nearby mountains, lounging on my back porch, and diving into a good book.
But something hit me about the handful of books I’ve read most recently. They’re good reads that also shed some interesting light on the work of helping people safely navigate the digital world.
So if you’re involved in awareness and training and are looking for a good book you can also apply to your work, here are a few recommendations:
Tiny Habits: The Small Changes That Change Everything - B.J. Fogg
Read It for Pleasure
Anyone who works in the realm of human behavior knows the work of B.J. Fogg, a Stanford professor whose influence on the “behavior change” aspirations of the security awareness community can’t be missed. Indeed, his influence in behavior design shaped the work of the surveillance capitalists described in the second book on my list.
But if you think he must be a boring professor, you’ll likely be surprised at how fun and easy he is to read. You could easily mistake Tiny Habits for a self-help book, and you’d be hard pressed to find a more practical and enlightening guide to help you stop checking Facebook or LinkedIn, quit smoking, or start up a new habit like eating more vegetables.
“A behavior,” writes Fogg, “happens when the three elements of MAP—Motivation, Ability, and Prompt—come together at the same moment.”
Thus his formula: B = M A P. From this simple start, Fogg maps out the various ways people can reach their goals by manipulating the elements in his simple equation. His book is so full of common-sense examples and anecdotes that you can’t help but acknowledge the power of his model, and I’d be amazed if you didn’t want to try the techniques on yourself.
Use It at Work
But Fogg’s book truly shines in providing a clear model for thinking about how to help employees master some of the cybersecurity behaviors that I know would make them happier at work and at home.
I could scarcely go a few pages before I started jotting down ideas about “turning the dials” on motivations, attitudes, and prompts to get people to do things like reporting phishing emails, using a password manager, turning on multi-factor authentication, or classifying data correctly.
Let me unpack one example of how you can apply Fogg’s thinking to security awareness. Phishing works because the prompt you’re supposed to be wary of—the phishing email—sneaks right in alongside all the prompts you have to pay attention to—your regular email—and then pushes all your motivational buttons by scaring you or exciting you into the very easy action of clicking a link.
Since we’ve not yet perfected the ability to screen out phishing email (thus removing the prompt), we’ve got to turn the dials on the other parts of the equation.
For motivation, this means either offering tantalizing rewards for not taking the bait, or distasteful punishment for taking it. You can also focus on increasing the ability to resist by using contextual clues and easy methods of reporting the phish.
Once you break phishing down this way, it’s easy to see why it is so hard to combat!
Apply this same logic to password managers and you can see why their adoption rates are accelerating.
My motivation for using a password manager is high, for example, because I’ve got too many passwords to manage them effectively and I’m highly motivated to avoid re-using passwords. The prompt for using it is right there, in my browser and in my applications, so I’m always reminded about it.
Finally, the presence of the app on all of my devices makes it very easy to use. All the password management apps work the same, so the competition in this space is all about making password management visible and easy.
The Age of Surveillance Capitalism: The Fight for a Human Future at the New Frontier of Power - Shoshana Zuboff
Read It for “Pleasure”
Now you may ask why, in the summer of 2020, I’m recommending a book published early in 2019? Well, it took me that long to read it!
It’s not just that the book is long—though it is, at nearly 700 pages—but it’s also extraordinarily dense and complicated. I found myself reading a section, going off and thinking about it, and then coming back and reading it again. At one point I feared I’d never get through it, so I got the audiobook and listened to it on my commute to work. Don’t say you weren’t warned.
Despite its difficulty, the book is thrilling. Zuboff, the Charles Edward Wilson Professor Emerita at Harvard Business School and a former Faculty Associate at the Berkman Klein Center for Internet and Society at Harvard Law School, describes the horror of the world we live in. A world where we blindly accept an economic exchange over data that puts us at a tremendous disadvantage, and where we give up our very capacity to make decisions and to express our free will.
Use It at Work
The best training and awareness program managers recognize their work goes well beyond helping people avoid phishing. At its most purposeful, our work involves helping people navigate the digital world, at work and at home.
Zuboff’s book shines a bright and unflattering light on the way large corporations have constructed our world to their benefit, but it also shows just how complicit, even sheeplike, we are in accepting the terms offered by the large corporations.
You may not believe this world is as dark or manipulative as Zuboff insists; I sometimes think she’s heavy-handed in her interpretation. But the way she unwraps the complex means by which surveillance capitalists mine your data and turn it into profit will certainly help you understand the motivation behind modern data protection regulation and deepen your appreciation of the debates around the GDPR, CCPA, and other privacy laws. There is little in Zuboff’s work that directly relates to running a program, but the background is indispensable.
What You Do Is Who You Are: How to Create Your Business Culture - Ben Horowitz
Read It for Pleasure
I don’t generally like business books. They’re either crushingly dull or so full of back patting and self-justification that they’re painful to read.
And I didn’t like Horowitz’s first book, The Hard Thing about Hard Things, because it was acclaimed by a business leader who identified Horowitz as a role model, but then fell short of living up to expectations.
But Horowitz’s new offering, What You Do Is Who You Are, is not the usual kind of business book.
First, Horowitz wants nothing to do with platitudes or vision statements. He’s all about action, about what people do, not what they say.
Second, he finds the stories to prove his points well outside the realm of business—in Toussaint Louverture’s slave rebellion, in Michigan prison gangs, in Japanese bushido culture. He uses these stories, alongside anecdotes from his career as an entrepreneur, business leader, and venture capitalist at Andreessen Horowitz, to make the case that every culture is a marriage between a leader and the people they lead. He contends that there are no hard rules to form a strong culture, but there are principles and practices that leaders can put in place to increase their chances of building a strong culture.
I think anyone who works in an organization of any size will find this book fascinating, whether they are a CEO trying to shape a business culture or a lower-level manager trying to figure out how to navigate company politics. Horowitz is fascinated by the unintended consequences of actions, attuned to the capricious economic shifts that can reshape a company. He also has some interesting thoughts about diversity and inclusion that are worth a look in this fractious time.
Use It at Work
Security awareness program managers who are ready to move beyond the mere delivery of training will find value in this book.
Here’s Horowitz: “Your culture is how your company makes decisions when you’re not there. It’s the set of assumptions your employees use to resolve the problems they face every day. It’s how they behave when no one is looking. If you don’t methodically set your culture, then two-thirds of it will end up being accidental, and the rest will be a mistake.”
If this doesn’t get right at the highest aspirations and biggest fears of the best awareness program managers, I don’t know what does. Running a training and awareness program is about building a culture, but you’ve got to do it in combination with the culture that exists around you, and no two cultures are the same.
Horowitz’s writing is full of little insights that might inspire your work. He advises, “Step one in designing a successful culture is to be yourself,” and goes on to offer a bunch of advice about making cultural interventions reflect your personality. (He also cautions you to be aware of which parts of you need work: “Think carefully about what your flaws are, because you don’t want to program them into your culture—or else leading by example will bite you in the ass.”)
If you’re one of those folks who thinks anybody who clicks on a link in a phishing email is an idiot (sorry, an ID10T), it might be time to tone it down a bit!
Perhaps the best piece of advice for awareness program managers is the idea that what you do must matter. It’s a spur for us to make sure we align our program goals with company goals and with people’s personal aspirations, and to encourage us to find ways to make doing the right things with cybersecurity matter to everyone.