Three Misspelled Words
George Finney
CISO | Bestselling Author of Project Zero Trust and Well Aware | Keynote Speaker
I remember once in elementary school, my fourth-grade teacher brought several Navajo blankets to class that someone had given her. My teacher asked us to look closely at the blankets. She pointed out small imperfections that they had woven into the cloth. The blankets were so detailed I had a hard time spotting the mistakes even after they were pointed out. The mistakes had been put there on purpose. The Navajo called these mistakes "spirit lines," and these lines would remind them that flaws are an integral part of being human.
This was a bit of a shock to my fourth-grade mind, which might be why it’s stuck with me for so long. In school, we take tests and strive for perfect grades. You would never introduce a flaw in a skyscraper or a jet engine. We also strive for perfection when it comes to security and technology. Which makes me wonder, is there room for acknowledging our own human limitations when it comes to cybersecurity?
This year, I came up with an idea for a security awareness calendar but with a twist: I would make my own demotivational-style posters, customized for my university. SMU’s mascot is the Mustang. So I would write about security awareness concepts, but I would have pictures of pretty (or sad) horses in the background. I came up with a bunch of cybersecurity topics, then worked with my team to come up with some funny “despair.com” style comments that worked with each picture of a horse. So, yes, there were a lot of horse puns.
The idea for a calendar actually came about when I couldn’t stop writing those despair-style quips about cybersecurity. I realized I was quickly going to hit 12 posters and I needed a good reason to quit while I was ahead. Doing a calendar seemed like a goal that would satisfy my creative energy and also provided a natural stopping point so I could move on to other projects.
I decided to print about 2,500 calendars. We’d deliver one calendar to every employee at the university, but we had to do it by December before people started seriously shopping for their 2019 calendars and wouldn’t use ours. We worked with a designer to start to lay out the whole thing, but it needed something extra. We then came up with three security factoids to embed into each month. We put the 36 factoids into a spreadsheet, shipped it to the designer and this is where spelling becomes a problem.
Programs like Microsoft Excel and InDesign do a bad job at telling you if you’ve misspelled something. Unfortunately, out of all of the designers and proofreaders, of which there were many, no one caught the errors. We did catch the errors in time, however. When we printed the final proof, I had something solid in my hands that I could finally show off to people. And of course, the first person I showed it to just happened to open it up and the first word he read in the factoid was misspelled.
As I was walking out of my team member’s office, I was already busy thinking about how long the calendars would be delayed while we went through another round of proofs. Just as I got to the door, he cracked a joke. “You probably put that there on purpose, didn’t you? You were just checking to see if anybody would actually read the calendar.” I went back to my desk and looked at the source files and found the error, but just to be sure, I did a spell check to find any more that might be hiding. There were actually three words that were misspelled.
Instead of being embarrassed about the errors, I was thinking about the joke. I found myself seriously considering leaving those misspellings in. But the opportunity that I was seeing wasn’t whether anyone would read the calendar. It was an opportunity, like the Navajo spirit lines, to acknowledge the integral role of imperfection in security.
Let me see if I can explain this, but I’m calling this idea, fighting vulnerabilities with vulnerability. I work at a university. By and large, the people that work here are very good at spelling. This is the kind of thing that they’ll probably notice quickly. And they are also much more likely to let me know when they notice this kind of thing. And when they do, I want to say “thank you” to them.
I did ultimately leave those misspelled words in. It’s really embarrassing to misspell a word, and the people that let you know about it aren’t doing it to rub it in my face. They’re doing it to help. This is a wonderful part of our culture and it’s something that we also need to help foster when it comes to cybersecurity. It’s also really embarrassing to admit when you click on a phishing link and give away your password, or when you have to admit that you lost your laptop or cell phone, or when you lost a file or forgot a password and have to own up to it. We want people to feel comfortable with us in cybersecurity. We want and need them to trust us. Misspelling a few words is an opportunity to help them feel comfortable by being vulnerable first.
Probably not that many people will even notice the misspellings. And I’m sure this sounds a little like Pee Wee Herman falling off his bicycle, performing a perfect tuck and roll, then landing perfectly on his feet saying “I meant to do that” while dusting himself off. It might be. But consider this: if you haven’t already gotten a copy of the calendar, you probably want one. And if you have already gotten your copy of the calendar, you probably want to read it to find those misspelled words.
George Finney, is the author of No More Magic Wands: Transformative Cybersecurity Change for Everyone and has worked in Cybersecurity for over 15 years. He is currently the Chief Security Officer for Southern Methodist University where he has also taught on the topic of Information Assurance. Mr. Finney is an attorney and is a Certified Information Security Manager as well as a Certified Information Security Systems Professional and is a regular speaker on Cybersecurity.
Technology Transformational Consulting
6 年Awesome!