Finding The Hidden InfoSec Story

There’s No Such Thing as a Gruffalo… Until You Meet One

Photo Credit: BGDL - Busy and on Vacation .. via Compfight cc

I suspect that one of the reasons we have children is so we can read them the stories we ourselves loved in childhood. It’s a real joy to meet again with characters who feel like old friends we haven’t seen for far too long and adventure with them once more. Although I have no children of my own, I’m not excluded from this delight: blessed with two young nieces, I relish the bedtime ritual of reading them stories. And, as I do, I remember that feeling of security I had when my parents sat by my bed and read to me. Watching my nieces snuggled in the lamplight and hanging on every word, I’m filled with the primal instinct to protect them – to keep them safe, should their safety ever be threatened. As protectors of the people and the things we most treasure, we’re ever alert, vigilant of danger and ready to act.

Corporate security chiefs struggling to improve behaviours amongst employees would give anything to inspire such qualities in them. Is that possible? And, if so, how? Of course, it’s natural for us to hold our families and homes most dear; our workplaces have a secondary place in our lives. But is it possible for us to harness that same protective energy in the workplace by tapping into our primal instincts?

A favourite of my nieces, and about ten million other households, is The Gruffalo by Julia Donaldson, with illustrations by Axel Scheffler. Based on an old Chinese tale, it tells the story of a mouse who, whilst walking in the woods, has to protect himself from a number of predatory animals (a fox, an owl and a snake) who each invite him round for dinner. Of course they’re in the business of social engineering and they’re trying to trick the mouse to be their dinner. But the mouse is too astute to be taken in and, cunningly, he invents a huge, fearsome creature, the eponymous gruffalo. He claims the gruffalo is his protector and he likes to eat foxes, owls and snakes. And so the mouse walks away from danger. Filled with hubris at having evaded these would-be attackers, he scorns their stupidity: ‘Don’t they know there’s no such thing as a gruffalo?!’

But, to the mouse’s surprise, he meets a real, live gruffalo – just as he’d imagined it. Once again, faced with danger, he turns to his cunning. He boasts that he’s the most feared animal in the forest and invites the gruffalo for a walk to prove it. They encounter the animals who’d previously threatened the mouse and each of them runs away, terrified… of the gruffalo, of course. The gruffalo becomes more and more impressed by the fear the mouse inspires, so much so that he himself grows to fear the mouse. Finally, the mouse uses that fear to scare the gruffalo away.

The story of The Gruffalo teaches us that being the smallest animal in the forest doesn’t mean you have to be the weakest and it challenges the assumption that it’s the bad guys who use cunning and imagination, while the good guys lack it. If you call upon these resources, then you can be, to all intents and purposes, the most feared – the most impregnable, if you like. Perhaps we shy away from the idea of cunning which carries connotations of deception and dishonesty. But, even though he lies, what is admirable in the mouse (and what CISOs value in employees) is his ability to spot deception and invent a quick-witted and imaginative response. When we read to children we create a space for them to develop such qualities, but in adult life they can seem rather less valued and perhaps, in a workforce, they aren’t called upon enough. There’s a big difference between a top-down requirement to adhere to a policy document, and being asked to mobilise ingenuity and imagination to create the living embodiment of security as a working community.

The mouse’s response to his predators requires a vivid imagination: he invents his fictitious protector, the gruffalo, only to discover that he exists. In the world of corporate security, if you can imagine a foe and what he might do, then there’s every chance that, sooner or later, he will exist and it will happen. Of course, reason and technical know-how are vital assets in security, but they’re only a part of the picture. In the pursuit of improvements to security culture, businesses would do well to harness the imaginative power of their workforce in order to pre-empt problems and find solutions. Furthermore, a workforce encouraged to dream of an ideal security culture (arising from their intimate knowledge of what they do) as well as devise strategies and best practices is a powerful defence against hackers and thieves. And, what’s more, they will buy into those ideals, strategies and practices because they own them.

To the mouse, the animals he encounters represent a clear and immediate threat to his safety: it’s a life or death situation and the stakes are high. We might argue it’s because of that that he’s able to draw so well on his cunning and imagination.  A fundamental problem in improving security behaviours is that to many people the stakes seem relatively low: opening this (phishing) email is not a matter of life and death – nothing’s going to happen right here, right now. Furthermore, what an employee is protecting can seem rather abstract and remote, and the hackers too have no form; they are not standing there malevolently in front of them. Our primitive instincts – to fight or flee, to protect – only kick in when the threat has a shape and is more immediate. Awareness alone is not enough; behavioural change only happens when employees mobilise their imaginations to develop a strong, emotionally-charged sense of consequences of actions and a threat that seems real and important. Imagination is essential if employees are to realise the high-stakes attached to their everyday workplace behaviours and they are to connect their desire to protect data to the way they would protect their nearest and dearest.

Of course, we don’t tell stories to our children solely for our own pleasure, but for a whole host of reasons. These include the strengthening of our bond with them, the imparting of learning, the development of their imaginations, and (as we can see from The Gruffalo) empowering them with strategies that will protect them in the real world. Embedded in an emotionally-charged story, those messages we want to transmit have sticking power.

Telling stories is one of our oldest rituals, it’s how we make meaning and it’s how we keep important ideas and values alive. Every culture is a mass of stories. It follows that the security culture of a business is the same: it’s the stories we tell each other from the boardroom to standing beside the coffee machine that create a living, breathing oral culture of security. If we want to improve that culture, we need to improve the stories we tell.

Author: Mike Carter

Share This Post On