Tuesday, October 20, 2015

How do we talk to normal people?

How do we talk to the regular people? What's going to motivate them? What matters to them?

You can easily make the case that business is driven by financial rewards, but what can we say or do to get normal people to understand us, to care? Money? Privacy? Donuts?

I'm not saying we're going to turn people into experts, I'm not even suggesting they will reach a point of being slightly competent. Most people can't fix their car, or wire their house, or fix their pipes. Some can, but most can't. People don't need to really know anything about security, they don't want to, so there's no point in us even trying. When we do try, they get confused and scared. So really this comes down to:

Don't talk to normal people

Talking to them really only makes things worse. What we really need is them to trust the security people. Trust that we'll do our jobs (which we're not currently). Trust that the products they buy will be reasonably secure (which they're not currently). Trust that the industry has their best interest in mind (which they don't currently). So in summary, we are failing in every way.

Luckily for us most people don't seem to be noticing yet.

It's also important to clarify that some people will never trust us. Look at climate change denial. Ignore these people. Every denier you talk to who is convinced Google sneaks into their house at night and steals one sock is wasted time and effort. Focus on people who will listen. As humans we like to get caught up with this "third" group, thinking we can convince them. We can't, don't try. (The first group is us, the second is reasonable people, we will talk about this some other day.)

So back to expectations of normal people.

I'm not sure how to even describe this. I try to think of analogies, or to compare it to existing industries. Nothing fits. Any analogy we use, every existing industry, generally has relatively understood models surrounding it. Safes have a physical proximity requirement, the safety of cars doesn't account for malicious actors, doors really only keep out honest people. None of these work.

We know what some of the problems are, but we don't really have a way to tell people about them. We can't use terms that are even moderately complex. Every time I work through this I keep coming back to trust. We need people to trust us. I hate saying that, blind trust is never a good thing. We have to earn it.

Trust me, I'm an expert!

So let's assume our only solution for the masses at this point is "trust". How will anyone know who to trust? Should I trust the guy in the suit? What about the guy who looks homeless? That person over there uses really big words!

Let's think about some groups that demand a certain amount of trust. You trust your bank enough to hold your money. You have to trust doctors and nurses. You probably trust engineers who build your buildings and roads. You trust your teachers.

The commonality there seems to be education and certification. You're not going to visit a doctor who has no education, nor an engineer who failed his certification exam. Would that work for us? We have some certifications, but the situation is bleak at best, and the brightest folks have zero formal qualifications.

Additionally, who is honestly going to make certifications a big deal? Everything we need to know changes every 6 months.

As I write this post I find myself getting more and more confused. I wonder if there's any way to fix anything. Let's just start simple. What's important? Building trust, so here's how we're going to do it.

  1. Do not talk, only answer questions (and don't be a pedantic jerk when you do)
  2. Understand your message, know it like the back of your hand
  3. Be able to describe the issue without using any lingo (NONE)
  4. Once you think you understand their challenges, needs, and asks; GOTO 1

I'm not saying this will work, I'm hopeful though that if we start practicing some level of professionalism we can build trust. Nobody ever built real trust by talking, you build trust by listening. Maybe we've spent so much time being right we never noticed we were wrong.

