Of late I’ve been doing a lot of study regarding visualization, imagery, and story as tools for communicating more effectively with key stakeholders, general user constituencies, and the like. You see, I consider myself a writer. I love to write. I’m pretty good at writing. And I can write quickly (all in all it only took about 15 minutes to write this entire article).
Here’s my problem though – we have to be pretty judicious with our time; focusing our efforts on what we can review, digest, and utilize as quickly as possible. There’s not a lot of time for minutia. As much as I might enjoy writing a 100-page thesis on the fundamentals of ‘outcome-based learning’ – not too many of us would prioritize it over, say, the current statistics on Advanced Persistent Threats. Hence my desire to take the age old phrase “a picture speaks a thousand words” a bit more literally than I have in the past (just not for this article – sorry).
And that’s how I stumbled across “The Hero’s Inner Journey”. Not for the first time of course (I’m fairly sure I remember some faint impression of it upon my memory harkening back to the AP English Literature class I took in High School). If you are not familiar with this classical story model drawn from the works of Carl Jung and Joseph Campbell, I expect the first thing you’ll notice is the overwhelmingly clear allegory for change represented within its structure.
Broken down into its constituent parts, the Hero’s Inner Journey consists of 12 ‘stages’ of character development that, in the end, fundamentally alter how the hero of the story comes to view the world. What struck me when I saw this image (below) the other day was “wow, this is the most realistic description of how we deal with inner change that I’ve seen to date”! No, it’s not the kind of thing you’d find in a typical MBA course-book, but perhaps it should be.
At the beginning of the hero’s journey, we find our protagonist possessing limited awareness of a problem (perhaps something like – “I think my information assets may be in jeopardy”). Over a short initial period of time, and due to a series of small events, the character begins to gain increased awareness of the problem (like – if you started reading about security issues, you’d find out that it’s actually much worse than you thought). At this point, our would-be hero shifts away from the truth and demonstrates a strong reluctance to change (like – “yeah, but if I try to do something about this whole security mess, it’d be a lot of hard work and cost a lot of money… maybe I won’t be targeted”).
Entering into the next stage of the journey, our protagonist is forced to overcome his reluctance after discussing the matter with a mentor or close friend (like – you just finished having lunch with Fred from over at XYZ and he told you they’d been attacked; suffering a major data breach as a result). So now the hero is really beginning to feel the urge to take some kind of action. That’s when reality hits and we cross a threshold that demands a commitment to change (like a week later, your own company is the victim of a security breach). It’s this crossing of the threshold that pushes our hero into direct and immediate action – experimenting with changes that can made to avoid future breaches.
After thinking about it for a while and playing with some options, our hero begins to prepare for making his first big meaningful change (like – perhaps implementing some sort of security information and event management system (SIEM) to get greater visibility into what’s really happening with the company’s information assets). So the change goes into effect – and we see what happens. The monitoring systems begin to explode with traffic – and our hero suddenly feels like the earth is crumbling out from beneath his feet. Not to be discouraged though, our protagonist continues to become more and more heroic, and starts dealing with the consequences of the big change (like – going back to the drawing board and figuring out that he’s not really equipped to do this by himself).
So the hero turns outward and rededicates himself to change – finding a partner and tackling the issue together (like – engaging a managed security monitoring service to aggregate and correlate all relevant event logs, providing tier-1 alert management on the events that actually need to be looked at). This enters us into the final stages of the journey, because now the hero makes his final attempt at the big change (like – completing the initial turn-up process with the managed security monitoring service and getting the first taste of a more manageable data stream). This leads us to the end of the story, whereby the hero is now truly heroic and has mastered the problem (like – now having a 24x7x365 managed view of his information ecosystem that provides amazing value for what little it really costs in the grand scheme of things).
So those are the 12 stages:
• Limited awareness of a problem
• Increased awareness
• Reluctance to change
• Overcoming reluctance
• Committing to change
• Experimenting with first change
• Preparing for a big change
• Attempting the big change
• Dealing with the consequences of the attempt
• A rededication to change
• A final attempt at the big change
• Final mastery of the problem
Is our hero now in a different place than he was when he began? Most certainly – which of course is likely to lead to a sequel – simply the next big change to come (like – perhaps now it’s time to move on to identity management). But what does all of this mean, and what does it have to do with information security? The truth is, the only truly effective way to implement a strong security program is to embed security into the organizational DNA of your company. This is no small task – some might even say it’s a monumentally difficult one. But then – that’s why you get to be the hero.
If you still think that security is about firewalls and anti-virus programs, then you my friend are still working under the banner of the opening credits (scene 1, act 1). Not only is it time to begin your own hero’s journey, but at the end of that journey you’re likely to become the mentor to a whole new generation of heroes. Because, if you’re doing it right, you are turning every single member of your user constituency into a hero. In turn, you are setting each and every one of them on their own journey; on their own path of transformation from the barely aware to the truly heroic. And so on and so forth, until we are a nation, a world, a universe of security heroes.
Is that too much to ask for? Well, maybe. It does indeed read like a hackneyed Hollywood script to some extent. But if you stop to think about it – to really think about it. Who doesn’t want to be the hero?